Self Assignment
Risk Management
By Amit Agarwal
OVERVIEW
1. WHAT IS RISK
2. WHAT IS RISK MANAGEMENT
3. INTEGRATED RISK MANAGEMENT
4. PRINCIPLES & CHARACTERISTICS
5. LIFE CYCLE
6. PROCESS CHART
7. CHALLENGES & BARRIERS
8. KEY CONTRIBUTION FACTORS
9. SUMMARY
What Is “Risk”?
• “Risk is a condition in which there is a possibility of an adverse deviation from a desired outcome that is expected … .” (Vaughn)
• “… the threat that any event or action will adversely affect an organization’s ability to achieve its business objectives and execute its strategies.” (Kloman)
• RISK = potential loss from inability to achieve a project’s objectives – caused by people, process, system, or external factors
• Risks can result from any combination of factors – people, process, systems, technology, science, or external events
What Is “Risk”?
Likelihood of an event occurring. The consequence if such event occurs.
• “….a measure of future uncertainties in achieving project performance goals and objectives within defined cost, schedule, and performance constraints.”
• “...an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective.”
Risk is…
Applicability
• Financial, Market, Investment, Credit
• Health
• Environmental
• Business Compliance
• Safety
• Project (Types of Project)
• Security (Cyber, Physical)
• Mission Assurance
GOAL:
IDENTIFY / ASSESS THREAT
MINIMIZE / PREVENT LOSS
TAKE ACTION
Risk Management is applicable to all industries and complex efforts
Supports Decision Analysis Resource Allocation
…the process of defining and analyzing risk, and then deciding on the appropriate course of action in order to minimize risk, whilst still achieving business goals
…the optimal allocation of resources to arrive at cost-effective investment in defensive measures within an organization. It minimizes both cost and risk
…a variety of activities undertaken by an organization to control and minimize threats to the continuing efficiency, profitability, and success of its operations.
…the process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to mitigate appropriate individual risks until the overall level of risk is reduced to an acceptable level.
Risk Management is…
• The systematic application of management policies, standards, procedures, and practices to the tasks of identifying, assessing, prioritizing, responding to, and monitoring risk
– A structured, iterative process with defined scope and objectives
– Proactive and anticipatory
– Objective is to decrease the probability and/or impact of negative events OR increase the probability and/or impact of positive events
Risk Management is…
Risk Management needs to be integrated into an organization’s decision making process
Integrated Risk Management
• Integrate per Webster’s Dictionary: to form, coordinate, or blend into a functioning or unified whole
• Integrated risk management is a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It is about making strategic decisions that contribute to the achievement of an organization's overall corporate objectives.
• Integrated risk management process includes all disciplines required to support the life cycle of their system (e.g., systems safety, logistics, engineering, producibility, in-service support, contracts, test, earned value management, finance).
Providing insights into three key areas
Project Performance
– Combines previously disparate project analysis and execution into an actionable framework for the project manager
– Requires dialog and collaboration between engineering, scheduling and management groups
– Creates a “total risk profile” for projects to fully assess potential delays to delivery and increases in cost
Project Investment
– Provides a framework to develop detailed plans for risk mitigation and identify associated costs
– Tracks progress of investment against specific mitigation activities
– Assists decision makers in prioritizing investment against high impact risks and effects
Oversight
– Responds to government policy guidance and industry best practices in risk management
– Provides auditable trail of risks, cost changes and schedule progress for industry and government clients
– Creates transparency in developing project budget and reserve requirements when used prior to project start date
Risk Management Objectives
Post-Loss Objectives
• Survival
• Continuity of Operations
• Earnings Stability
• Continued Growth
• Social Responsibility
Pre-Loss Objectives
• Economic Efficiency
• Reduction in Anxiety
• Meeting Externally Imposed Obligations
• Social Responsibility
Principles
Risk Management Should…
…create Value
…be an integral Part of Organizational processes
…be a part of decision making
…explicitly address uncertainty
…be systematic & structured
…be based on best available information
…be tailored / customized
…take into account human factors
…be transparent & inclusive
…be dynamic, iterative & responsive to change
…be capable of continual improvement & enhancement
Characteristics
• A clear and consistent Risk Management champion
• Requirements supported by leadership and stakeholders
• A close partnership with users and stakeholders
• Mature risk management processes
• Established thresholds and criteria for proactively implementing defined risk mitigation plans
• Resourced risk mitigation plans
• Periodic risk assessments
• Integrated data environments that maximize participation
Approaches
Successful Approach
• A documented and mature risk management process
• Quantitative assessments of risk impacts estimated against cost and schedule baselines
• Defined risk filtration criteria
• Risk reduction at the lowest level of the organization
• A defined set of risk consequence definitions for performance, schedule, and cost
• Structured approach for communicating risk across multiple programs/organizational levels
Stages in Risk Management Life Cycle
Stage: Activity
• Risk Management Planning: Deciding how to approach & plan the risk management activities for the project
• Risk Identification: Determining which risks are likely to affect a project & documenting their characteristics
• Qualitative Risk Analysis: Characterizing & analyzing risks & prioritizing their effects on project objectives
• Quantitative Risk Analysis: Measuring the probability & consequences of risks
• Risk Response Planning: Taking steps to enhance opportunities & reduce threats to meeting project objectives
• Risk Monitoring & Control: Monitoring known risks, identifying new risks, reducing risks & evaluating the effectiveness of risk reduction
Risk Management Lifecycle
The risk lifecycle applies across all parts of a program or project.
[Figure: risk management lifecycle diagram. Labels: Foundational Elements; Execution Components; Risk Areas; Hazard, Strategic, Financial, Operational, Compliance; People, Technology, Process; Governance, Programs, IT Investments, Procurement, Legislature, Strategic Planning, Risk Management, Human Capital, Department, Operations. Steps: 1. Identify Risks; 2. Assess & Measure Risks; 3. Respond to Risks; 4. Design & Test Controls; 5. Monitor, Assure & Escalate.]
Managing Risk
Risk Identification
Identify the Top (relevant) Risks
Hundreds of insignificant risks can easily distract from a few critical.
Identified Risks (Rank):
• Inter-Agency / Department Actions (1)
• Changing Design Requirements (2)
• Cost estimating techniques (3)
• Legal / Regulatory / Ethics
• Investigations and Audits
• Contractor stability / quality (4)
• Natural Disasters
• Roles of gov’t and contractor defined
• Seasonality/Cyclicality
• Budget and Funding Issues
• Grants Management
• Scientific Integrity and Agency Reputation
• Third Party Strategy / Execution / Integration
• Environmental liabilities / concerns
• Value for cost (value to taxpayers)
• Stakeholder Demand / Preference Changes
• Political Issues (8)
• Financial Management
• Hazardous materials handling (5)
• Technology
• Terrorism and Emerging Diseases (6)
• Capability Advancement
• Insurance Coverage
• Labor Disputes / Actions
• Personnel and HR Issues (7)
Risk Identification: Techniques
• Document Reviews
• Brain Storming
• Delphi Technique / Interviewing
• SWOT Analysis
• Checklists
• Assumption Analysis
• Flow Charting
Qualitative & Quantitative Risk Analysis
Evaluate each risk and its impact on cost, scope, and schedule.
Objective: Complete entire Project by 2010 within budget
[Figure: Internal Risks and External Risks to the objective. Categories: Natural Environ., Political, Social, Technological, Inter-Dept/Agency, Infrastructure, Personnel, Process, Technology. Example events: major weather event, dominant party change, constituent priority shift, technology innovation, reorganization.]
Qualitative & Quantitative Risk Analysis: Techniques
Qualitative:
• Probability Impact Matrix
• Ordinal & cardinal Ranking
• SWOT Analysis
• Force Field Analysis
Quantitative:
• Sensitivity Analysis
• Expected Monetary Value
• Decision Tree Analysis
• Simulation
• Program Evaluation & Review Technique (PERT)
Risk Response
Choose the corrective actions, execute, and evaluate effectiveness.
Corrective Actions (columns: Inter-Agency, Technology, Risk N):
• Policies and Procedures
• Management Review & Approvals
• Scenario Planning
• Contingency Planning
• Training and rehearsals
• Physical and Cyber Security
• Equipment Performance & Design
• Documentation
• Communications plans
• Performance Indicators
• System Controls / Monitoring
• Physical Controls / Monitoring
• Inspections / Audit
• Other
Sample risk: Technology advances and innovation require design changes.
Identify corrective actions / Monitor effectiveness of actions:
1. Evaluate potential benefits of new technology. (RKS; Quarterly) Conduct workshops, seek input
2. Involve key stakeholders that are knowledgeable about technology innovation. (AKH; On-going) Identify stakeholder liaison responsible for maintaining buy-in
3. Refine communications approach and execution to address on-going findings. (VM; Monthly) Appoint communications coordinator to maintain channels
4. Update long-term roadmap for incorporation of key (RNS; Bi-annually) Conduct routine roadmap updates to maintain buy-in
Corrective actions result in mitigated risk, but come with a cost.
[Figure: Residual Risk (Very Low to Very High) against Corrective Actions #1 to #4 over Q1 ‘09 to Q3 ‘10, Planned and Actual. Incremental Mitigated Risk (Perform Cost/Benefit Analysis).]
Monitoring & Control
[Figure: Corrective Action Status. Risks numbered 1 to 10 plotted by Inherent (Gross) Risk against Current Residual (Net) Risk, each axis running from Very Low to Very High. Legend: Risk reduced to an acceptable level; Risk reduction occurring, not complete; Further action required.]
Rating definitions: Inherent (Gross) Risk (without mitigation/controls) / Residual (Net) Risk (without mitigation/controls)
• Very High
– Inherent: > 5 days disruption of core operational activities; long term impact to reputation; may result in government investigation
– Residual: No viable mitigation plan in place, the risk event would likely overwhelm the agency
• High
– Inherent: 3 to 5 days disruption of core operational activities; concern that could result in an action; may result in official inquiry
– Residual: Heroic efforts would be needed to manage the event
• Medium
– Inherent: Between 1 and 2 days disruption of core operational activities; unfavorable media coverage
– Residual: Fairly well-prepared – base mitigation plans are in place; organization has talent/resources to manage through the event
• Low
– Inherent: Between 2 and 8 hours disruption of core operational activities; brief unfavorable media coverage
– Residual: Mitigation responses, contingency plans and programmed responses have been or are being established
• Very Low
– Inherent: Less than 2 hours of disruption of core operational activities; no media coverage, unlikely to have an impact on the NIH appropriation
– Residual: Mitigation responses, contingency plans and programmed responses are established, rehearsed on a periodic basis and revised as conditions change
Complete set of risks must be considered to understand the risk profile.
Example Risks:
1) Technology Innovation
2) Departmental Reorganization
Risk Response, Monitoring & Control: Techniques
Response:
• Avoidance
• Transference or Deflect
• Mitigation
• Acceptance
• Contingency
• Reserves
• Fallback Plan
Monitoring & Control:
• Workarounds
• Change Requests
• Feedback into Risk Management Plan
Integrated Risk Management extracts actionable information from traditionally stove-piped data streams
Enables critical decision making
Risk Exposure?
Impact Relationships?
Goals Too Risky?
Which Design?
More Reserves?
Major Drivers?
Adequately Mitigated?
Traditional Approach
Risk Analysis
Cost Analysis
Schedule Analysis
Program Manager
Decision
Integrated Approach
Risk Management Process
Step 1: Identify and Document
– Identify Potential Risks
– Enter in Risk Register
– Assumption Testing
– Data About the Risk
– Understand the Risk
Step 2: Analyze and Assess
– Quantify Risk – Cost, Schedule, Performance
– Event Analysis
– Relational analysis with existing risks and open issues
– Cost / Schedule Impacts
– Probability of Occurrence (RP)
– Impact of Occurrence (RI)
Step 3: Select Handling Plan (Step 3a, Step 3b)
– Risk Exposure is High or Moderate
– Risk Exposure is Low
– Risk Management IPT: Establish Risk Triggers, Handling Strategy, Contingency Plan, Assign Resources
Step 4: Handle and Monitor
– Escalate?
– Implement Handling Strategy
– Update IMS
– Modification / Change Order
– Monitor Actions
– Reassess
Step 5: Handling
Step 6: Closeout
Step 7: Document
[Flowchart labels: Risk Handling Replanning; Revised Handling Plan; Risk Has Been Handled; Risk Watch List; RIOM Board Consensus; RIOM Board Reassessment; Database; Program and Risk Management Tools; Contingency Plan. Key: Planned, Re-planning, Lessons Learned.]
Challenges
• Top 3 challenges in applying risk management
– Improving risk communication
– Political obstacles to risk-based resource allocation
– Lack of strategic thinking
• Lack of comprehensive risk management strategies that are well integrated with program, budget, and investment decisions
• There have been attempts at acquisition reform to address the following areas:
A. Decisions regarding which programs to keep
B. Developing approaches to better analyze and prioritize needs
C. Better management of development cycles
D. Establish knowledge-based cost and schedule estimates
E. Detailed systems engineering planning
Barriers to Integration
Lack of a clear and consistent Risk Management champion
Unclear or non-existent Decision rights
Silos of analyses and reporting of different risk types
Maturity
Technology, governance, process and people
Communication internal and external to the program/organization
Culture (How does the organization operate?)
Perception of a risk manager and roles/responsibilities
Every PM wants to do it their way
Organizational barriers regarding focal point of risk management
Defining decision rights is an important aspect of a comprehensive risk management program
Clear Decision Rights Result in…
Clear decision-making authority results in effective and efficient decision-making…
– Places decision rights with those with the knowledge and information to make the best decision
– Reduces the risk of poor decisions
– Reduces inefficient second-guessing
What are Decision Rights?
The underlying mechanics of how and by whom decisions are truly made in an organization
Unclear Decision Rights Cause…
Unclear decision-making authority results in senior management involvement in too many issues…
…while lack of empowerment at the front-line can result in poor customer service and reduced employee satisfaction
Decision Making: Tools & Techniques
• Cost-benefit analysis
• Evaluation of frequency/severity
• After-tax net present value analysis
• Risk Map
• Total Cost of Risk
• Ethical considerations
• Legal Requirements
• Commercial Requirements
“Do not risk more than you can afford”
“Do not risk a lot for a little”
Programs with mature risk management processes have the following components:
1. Structured process for risk identification
2. Comprehensive risk baseline and categories
3. Risk root cause analysis methodology
4. Quantitative risk likelihood and risk consequence definitions
5. An established risk management board or similar risk decision-making body with robust participation
6. A strong, defined risk management lead or champion for the program
Risk Management Maturity Scale
• Calibrates the maturity of individual program risk processes
• Guides enhancements needed to standardize approaches
[Figure: Risk Management Maturity Scale, MATURITY LEVEL against TIME/EFFORT]
Low: Coordinated Risk Management
STILL NEED TO ADDRESS:
– Common taxonomy
– Alignment of risk categories
– Integrated toolset
– Clarity in criteria and thresholds for assessments
– Ownership
– Decision Making
High: Integrated Enterprise Risk Management
• Comprehensive risk agenda that exists throughout the entire organization
• Risk management focus is cross-risk / cross-functional and aligned with strategic imperatives
– Linked to strategic and operational decision-making
• Embedded in corporate culture
• Risks are assessed and integrated across technical and agency performance elements, cost, and schedule
• Integrated tool set
Different Organizational Levels Face Different Types of Risks
- How does a risk to one program affect the delivery of other related programs?
- Which external stakeholders have the ability to influence the success of one or more programs?
- How can a successful risk mitigation strategy for one program be leveraged by other programs?

- Is the project on track to meet or exceed its threshold requirements?
- How do current risk levels impact the ability to meet critical schedule milestones?
- Which design solution provides the optimal balance between capital and operating costs?

- What are the technical performance risks associated with delivering a given requirement or capability?
- How will assembly, integration, and test schedules be impacted by a given risk event?
- What are the cost impacts of delays in subcontractor deliveries?
Risks ultimately should be filtered to the lowest level possible for ownership and mitigation
Enterprise Level
Program Level
Project Level
Subproject Level
RISKS
Risk Management can inform decision rights within an organization
Questions
What are the most vulnerable areas of the business/organization/acquisition/program/project/capability and what are the key risks that these areas face?
Is there a systematic and comprehensive approach for identifying and assessing these risks and is it communicated?
Is there a consistent and well defined approach to risk prioritization?
Does the process add value to decision analysis or is it merely a reporting mechanism?
Are decision rights aligned appropriately with risk tolerance?
– Level of risk assessed can determine required level of decision-making within the organization
Key Contributors to Success
Risk Management promotes a clear value proposition
Program input actively sought for framework development.
A clear and consistent risk sponsor.
• Demonstrate how resources will be saved or more efficiently applied
• Demonstrate how information will be more widely shared
• Establish working group or other forum
• Gather feedback prior to go-live
• Promotes buy-in
• Sustains participation
• Creates understanding of information
• Defines linkages
Integrate Cost, Schedule and Risk personnel
COMMUNICATION
What’s in it for me???
[Figure labels: Top Management, Middle Management, Program Managers, Contractor Project Managers, Front Line Engineer]
Leaders, managers, and staff alike benefit from risk management.
• Higher impact programs
• Better control of the overall portfolio
• Stronger focus on long-term rather than short-term
• Time to focus on areas currently neglected

• More predictable cost estimates
• Less chaotic days, that are more productive
• More visibility in project activities
• Fewer and simpler reporting requests

• Better client relationships
• More predictable quality of life
• Mechanism to raise issues and have resolved
• More follow-on work
Critical success factors…
[Figure labels: Top Management, Middle Management, Program Managers, Contractor Project Managers, Front Line Engineer]
• Seek and maintain senior leadership sponsorship
• Establish common language for risk management
• Integrate risk management across programs
• Focus on changing the culture, not on executing the tactics

• Assign ownership of risks as appropriate (gov’t, contr.)
• Coordinate risk management across project
• Focus on the value to all of managing risk, not the burden

• Raise ALL risks identified “on the ground”
• Designate operational accountability for corrective actions
• Make risk management a priority
Everyone has a role to play in making risk management part of the culture.
Summary
Executive sponsorship does not use risk management as a blunt instrument
Management team must be informed and committed
Accurately size the risk management effort to the Project
Do not bury the risk management functions in the bowels of the organization—Private sector companies have a CRO
Cost Estimators, Schedulers, and Risk Management personnel collectively make up the risk management core team
Communication within Risk Management Core Team
Tata Power
Risk Mitigated
By Amit Agarwal
Thank You