www.onlyforward.org | russell@onlyforward.org 1 of 17

Risk Managementfor Projects & Programmes

www.onlyforward.org | russell@onlyforward.org 2 of 17

What is Risk?

We know that plans are unlikely to be a precise prediction of the future.

Plans are a model of interconnected tasks believed certain to be required to achieve an objective.

There are also events which are less than certain, but if they happen, would impact the plan.

A risk is a significant, uncertain event that, if it occurs, has an effect on at least one task.

A risk can have detrimental or beneficiary effects:• A risk with a detrimental effect is a threat• A risk with a beneficial effect is an opportunity

Patsy, Monty Python and the Holy Grail, 1975

www.onlyforward.org | russell@onlyforward.org 3 of 17

What is Risk Management?

Risk Management is how we act to manage significant uncertainty.

Uncertain events will always be part of any plan for the future.

Risk Management is a core PM competence.

“There are known knowns; there are things that we know that we know.There are known unknowns; that is to say, there are things that we know that we don’t know.But there are also unknown unknowns – there are things that we do not know we don’t know.”

Donald Rumsfeld, US Secretary of Defence, 2002

Project Management

Planning & Scheduling

RiskManagement

Context & Assumptions

significant insignificant

UncertainEvents

CertainEvents

www.onlyforward.org | russell@onlyforward.org 4 of 17

Why do Risk Management?

Good Risk Management will Lead to more realistic plans Help to set expectations appropriate to value, risk and complexity Inform bid/no bid decisions Help in selecting the most appropriate contract type Inform PM selection, matching PM competence to value, risk and complexity Help set project level contingencies, rather than task level or a fixed amount Enable greater honesty, openness and understanding Reduce uncertainty by implementing responses to risk Enable simpler, more transparent reporting Reduce stress and reliance on a hero culture Significantly increase the likelihood of meeting time, cost and quality objectives

Cautions! Risk Management will not guarantee meeting time, cost and quality objectives! If undertaken as a tick box exercise, or only at bid time, the full value will not be realised! The effort invested should be proportional to value, risk and complexity

www.onlyforward.org | russell@onlyforward.org 5 of 17

International Standards OrganisationISO 31000 [2009] Risk Management Principles & Guidelines ISO IEC 31010 [2009] Risk Management Risk Assessment Techniques ISO Guide 73 [2009] Risk Management Vocabulary

British StandardsBS 6079-3 [2000] Guide to the Management of Business Related Project Risk

Association for Project ManagementPRAM: Project Risk Analysis and Management Guide, 2nd Edition [2010] Interfacing Risk and Earned Value Management [2008] Prioritising Project Risks [2008]

Project Management InstitutePractice Standard for Project Risk Management [2009]

The Institute of Risk ManagementPublications that primarily deal with enterprise risk management

UK GovernmentThe Orange Book: Management of Risk, Principles and Concepts [2004]

Management of Risk, Guidance for Practitioners, 3rd edition [2010, Axelos]

Ministry of Defence Acquisition Operating Framework: Risk Management [v4.2.2]

Risk Management Best Practice Guidance

www.onlyforward.org | russell@onlyforward.org 6 of 17

Risk Management TrainingCertification Valid Renewal Acquisition Pre-requisite

Association forProject Management

Risk CertificateLevel 1

- - 1 hour multiple choice exam: 60 questions, pass ≥60%

Confirms knowledge sufficient to allow contribution to risk management within a project.Can be taken as a 2 day course, cost £1,100 (inc. exam fee). Open exam fee £164 (£146 for APM members).

Risk CertificateLevel 2

- -3.25 hour exam: section A, 100 marks;section B, 100 marks, 2 from 4 questions, 2 relate to case study, pass ≥60%

Risk Certificate Level 1 knowledge (not certification)

Confirms knowledge, understanding and capability, sufficient to undertake project risk management.Can be taken as a 2 day course, cost £1,100 (inc. exam fee). Open exam fee £430 (£310 for APM members).

Combined Risk Levels 1 & 2 Open exam fee £558 (£384 for APM members).

UK Cabinet OfficeAxelos

M_o_RFoundation

- - 1 hour multiple choice exam: 75 questions of which 70 count, pass ≥50% (35/70)

Confirms sufficient knowledge and understanding to contribute to the identification, assessment and control of risks across any organization.

M_o_RPractitioner

5years

1hr exam,pass ≥55%

3 hour exam: 4 questions, 20 marks each, open book (specified M_o_R books only), pass ≥50% (40/80) M_o_R Foundation

Confirms sufficient understanding of how to apply and tailor M_o_R in a scenario situation.

M_o_R Foundation and Practitioner can be taken together in a 5 day course, cost £2,300.

Project Management Institute

PMI-RMPPMIRiskManagementProfessional

3years

30 PDUsover 3 years

3.5 hour multiple choice exam: 170 questions, 150 scoring, 'Modified Angoff Method' to determine pass

Degree, 2 years’ project risk management experience and 30 hours formal project risk management training

Recognises competence in assessing and identifying project risks, mitigating threats and capitalizing on opportunities, while still possessing a core knowledge and practical application in all areas of project management.2008 launch, 2,033 credential holders worldwide by 30 April 2013. Certification fee $670 ($520 for PMI members).

Project Risk Management is also covered in general PM certificationsAPM: APMP, PQ, RPP Axelos (OGC): PRINCE2 PMI: PMP

www.onlyforward.org | russell@onlyforward.org 7 of 17

Context is the environment in which an organisation seeks to achieve its objectives.As the context changes, it may be necessary to adjust the approach to Risk Management.

Risk Management principles are the same at all levels – strategic, change & operational.

At the strategic level Risk Management is a significant part of corporate governance. How risk is to be managed across an organisation taking into account external factors such as legislation, government policy, market, domain and internal factors such as the organisation’s size, complexity and culture as well as the strategic vision, balance of risk across the organization, conflict resolution, risk appetite and lessons learned, may be described in a Risk Management Strategy. The RMS may be a single document or a number of documents, e.g. Policy, Process and Guidance.

Operational Risk Management covers day-to-day business functions such as health & safety, people, information security and business continuity.

Change is what projects and programmes deliver.Apply Risk Management through all project delivery phases – in a manner proportional to the value, risk and complexity at each phase.The nature and degree of freedom for responding to risk will change at different project phases, e.g. in the concept phase there will be a greater chance to adjust the scope and set budgets to manage risk.

Risk Management Context

www.onlyforward.org | russell@onlyforward.org 8 of 17

Risk Management Process

Iterate to keep the Risk Exposure(the impact of risk on objective attainment),within the Risk Appetite(an agreed, acceptable level of risk),in a cost-effective manner.

Identify

Assess

Plan

Implement

Identify Risks: Experience, Checklist, SWOT, InterviewsCategorise

Probability & ImpactPrioritiseQualitativeQuantitative

Define Risk Response: Exploit/Avoid, Share/Transfer,Enhance/Mitigate, Realise/AcceptDefine Contingencies

Iterative

ImplementReview

CommunicateManage Stakeholders

Lessons Learned

www.onlyforward.org | russell@onlyforward.org 9 of 17

Identify, Assess, Plan, Implement

Identify: What could happenIdentify & List Risks: Experience, Checklist, SWOT, PESTLE, Interviews, QuestionnairesCategorise: By project phase, system element, or other suitable risk event source breakdown

Assess: Understand consequencesQualitative assessment: Probability of the risk occurring and the size of the Impact on objectivesPrioritise: Rank the risks – focus on those with highest probability and impactTiming: Understand when the risk may occurQuantitative analysis: modelling, confidence levels, sensitivity

Plan: Define appropriate responsesExploit/Avoid, Share/Transfer, Enhance/MitigateDefine ContingenciesIgnore, Realise/AcceptResidual Risk: Risk that remains after taking enhancement/mitigation measuresSecondary Risk: Risk that arises as a result of taking enhancement/mitigation measures

Implement: Monitor and control the risksReview: Risk triggers, responses, add new risks, close dead risks & release risk potCommunicate: Key risksManage Stakeholders

www.onlyforward.org | russell@onlyforward.org 10 of 17

Plan: Define appropriate responses

Allocate ownership to manage risk optimallyInsure (internally by pooling or externally)Reduce the uncertainty – if cost effective to do soFall-back, should the risk occur/not occur despite mitigation/enhancementRisk or Residual Risk after enhancement/mitigationMay also choose to treat as Risks and define a response etc.

Share/Transfer:

Enhance/Mitigate:Contingencies:

Realise/Accept:Secondary Risk:

Planning & Scheduling

Change Scope

Opportunities Threats

AvoidExploit

AcceptRealise

Log / Monitor

MitigateEnhance TransferShare

Contingency

Impact and/or Probability

Impact and/or Probability

ResidualRisk

Ignore

ResidualRisk

Specification Partners PBS, WBS Supplierse.g. Requirements

Contingency

SecondaryRisk

SecondaryRisk

www.onlyforward.org | russell@onlyforward.org 11 of 17

Qualitative Assessment

Rank Risks by assessing risk probabilities and impacts having first adjusted to suit the project

Probability Impact DiagramMapping risks helps to decide wherebest to focus risk management effort.

Contingency SettingA Risk Register can calculate the totalContingency based on the entered data.This figure is at best a guideand must be subject to discussion.

Probability

VH

VH

Probability

H

H

M

M

L

L

VL

VL

VL L M H VH VH H M L VL

Negative Impact Positive Impact

Threats Opportunities

Focus effort onKey Risks

Very Low Low Medium High Very High

Schedule Impact < 2 weeks 2 weeks to < 1 month 1 to < 2 months 2 to < 4 months > 4 months

Cost Impact < 1% 1% to < 2% 2% to < 4% 4% to < 8% > 8%

Performance Impact

Minor shortfallin a secondary aspect

Multiple shortfallsin a secondary aspect

Minor shortfallsin one key aspect

Major shortfallin one key aspect

Major shortfallin multiple key aspects

Probability < 10% 10% to < 25% 25% to < 50% 50% to < 75% > 75%

www.onlyforward.org | russell@onlyforward.org 12 of 17

Optimism Bias, Concurrency & Estimation Uncertainty

Key project dates and costs are often too optimistic when uncertainty, especially estimation uncertainty, is not considered. Assumptions can be too positive, perhaps as a result of making a plan fit fixed targets. This is known as Optimism Bias.

Plans generally feature concurrent tasks with minimal float. Task effort estimates frequently use expert judgement, often given as single point, or deterministic, estimates.

The more concurrent tasks, the greater the impact on the project when, as is likely, some tasks finish later than estimated. Deterministic outcomes often have a very low probability.

Range EstimatesRange estimates are more realistic, with3 points (minimum, most likely, maximum) advised. Key project dates and costs then also become ranges along with a probability.

Typical plan analysis: Yellow line is the probability of achieving the Deterministic Cost

www.onlyforward.org | russell@onlyforward.org 13 of 17

Funding Estimation Uncertainty & Selective 4 Point Estimating

‘Most Likely’ means equally probable of being under or over, but estimates often have a negative bias such that most likely (ML) is not 50% probable.To avoid this negative bias, 4 points are recommended*, 3 point plus probability of the ‘most likely’ – just for the tasks that most impact the project, found by sensitivity analysis, as doing this for all tasks is typically not worthwhile.

Min ML P=50% Max

The business Risk Appetite can inform what probability to use across the business, e.g.:10% Team Target (likely risks do not occur)50% Best Estimate (as many risks occur as not)90% ‘Safe’ Estimate (several unlikely major risks occur)

One strategy is to use the cost difference between the project cost for the probability chosen according to the business Risk Appetite and the deterministic project cost as the main element of a ‘project risk pot’ to handle estimation uncertainty. Rewarding using as little of this risk pot as possible, whilst recognising that a proportion is likely to be required, encourages behaviour that enhances results whilst recognising uncertainty and setting realistic expectations.

4 Point Estimates

* See separate presentation, “Estimation for Projects & Programmes”

CautionDon’t confuse uncertainty with a lack of knowledge.Large ranges generally indicate guessing – experience is required to estimate rather than guess.

www.onlyforward.org | russell@onlyforward.org 14 of 17

Risk Management for Projects & ProgrammesStrategy(Need)

Contingency

Opportunities

EnhancementTasks

SecondaryRisks

ProductBreakdownStructure

WorkBreakdownStructure

Work Packages& Tasks

Estimates

Zero Risk(Deterministic)

Cost

INFORM

Inform / Offset

ThreatsMitigationTasks

Programme& Project

Set-up

INFORM

Project Delivery Process,

PDP

Risk Register Tool, RRT

Risk Management Strategy, RMSRisk Management Plan, RMP

Held at Board level: Project, Programme or Business

Held at Project & Programme level

If cost effective

Contingency

ProjectRisk Pot

EstimationUncertainty

www.onlyforward.org | russell@onlyforward.org 15 of 17

Risk Management Strategy• How risk is to be managed across an organisation, the corporate strategy & policy.

Generally an in-feed for a programme or project but may also be defined at this level, possibly as a flow-down from an organisation RMS.

Risk Management Plan• How risk will be managed in a programme or project, tailored to that programme or project,

i.e. how the Risk Management Strategy will be delivered.

Risk Management Documents & Tools

Risk Register Tool• Central repository for Risk Events, i.e. risk data

• Opportunity & Threat Log and Analysis• Risk Owner• Risk Response• Probability Impact Diagram, PID• Risk Triggers & Timing

• Classification marking• Company Eyes Only option• Risk Response cost estimation• Contingency Estimation• Risk Exposure calculation

Quantitative Analysis ToolsQuantitative Analysis (uncertainty and probabilistic modelling – Monte Carlo analysis) is best done using purpose built tools, e.g. @Risk, or integrated scheduling and risk management tools, e.g. Oracle Primavera Risk Analysis.

www.onlyforward.org | russell@onlyforward.org 16 of 17

SummaryMost projects and programmes have to deal with risk, this presentation summarises best practice for visible, repeatable and consistent risk management. Whilst best practice guidance offers no single definition, it is broadly aligned.

Some level of risk is not only inevitable, but desirable for success.

Project Risk Management is a core PM competence and should be practiced on all projects and programmes, in a manner appropriate to the value, complexity and risk.

Projects which do not undertake Risk Management are more likely to fail.Estimation uncertainty alone can reduce the probability of on-time delivery to single digits.

Risk Management has many benefits, not least being a higher likelihood of delivery to time and budget.

www.onlyforward.org | russell@onlyforward.org 17 of 17

In my board role I led a team of 22 professional Project Managers and 5 Quality Engineers, and ensured Roke’s £79m project portfolio delivered better than budget profit. I set-up and ran a virtual PMO and created the Roke Engineering Process, REP, also managing the engineering tools to support it.

I created a project management competency framework and the PM Excellence Programme, which achieved APM corporate accreditation, scoring 24 out of a possible 25 points in the APM assessment.

I chaired a quarterly PM forum which shared best practice and built a supportive PM community – seven of the project managers I coached have achieved APM RPP, five have PQ, and all gained APMP.Together, these investments in PM professionalism led to a turn-around and annual improvement in project results across a typical portfolio of up to 400 projects a year and delivered an above budget performance in five consecutive years with profits totalling £7.9m above budget.I am a passionate advocate of PM professionalism, a Fellow of the APM and the IET, and author of articles published in Project and PM Today.

After 4 years as an electronics engineer for Siemens, achieving Chartered Engineer, I moved into project management for 14 years, at Siemens and Roke Manor Research. At Roke, my ability to successfully deliver the most challenging whole lifecycle product development projects on time and under budget led to a role as Projects Director and board member for 6 years. In 2013 I went back to hands-on project management, taking a Programme Director role at Cambridge Consultants, in the Cambridge Science Park.

Author Profile