Project Risk Management:“Getting it Before it Gets You”

Conceptual

Planning

Alternatives

AnalysisConstruction

Final

DesignBid

Preliminary

Engineering

Most LikelyCost

Most LikelyCost

Most LikelyCost

ActualCost

Cost range

Project Cost and Uncertainty Over Time

What Went Wrong?KPMG, a large consulting firm, published a study in 1995 found that 55 percent of runaway projects (with significant cost or schedule overruns) did no risk management at all; 38 percent did some (but half of them did not use their risk findings after the project was underway); and 7 percent did not know whether they did risk management or not

The timing of risk management is also an important consideration

Risk Management ProcessRisk Management Process

RiskRiskUncertain or chance events that planning can not Uncertain or chance events that planning can not overcome or control.overcome or control.

Risk ManagementRisk ManagementA proactive attempt to recognize and manage A proactive attempt to recognize and manage internal events and external threats that affect the internal events and external threats that affect the likelihood of a project’s success.likelihood of a project’s success.What can go wrong (risk event/problems).What can go wrong (risk event/problems).

What can be done before an event occurs (anticipation of What can be done before an event occurs (anticipation of Alternatives) Alternatives)

How to minimize the risk event’s impact (consequences).How to minimize the risk event’s impact (consequences).

What to do when an event occurs (contingency plans).What to do when an event occurs (contingency plans).

REAL REASON WE NEED TO DO RISK MANAGEMENTREAL REASON WE NEED TO DO RISK MANAGEMENTIS IS NOT TO AVOID RISKSNOT TO AVOID RISKS

BUT TO ENABLE AGGRESSIVE RISK TAKINGBUT TO ENABLE AGGRESSIVE RISK TAKING

REAL REASON WE NEED TO DO RISK MANAGEMENTREAL REASON WE NEED TO DO RISK MANAGEMENTIS IS NOT TO AVOID RISKSNOT TO AVOID RISKS

BUT TO ENABLE AGGRESSIVE RISK TAKINGBUT TO ENABLE AGGRESSIVE RISK TAKING

What is Project Risk?Definition:

An event that, if it occurs, causes either a positive or negative impact on a project

Risk is a measure of future uncertainties in achieving program performance goals and objectives within defined cost, schedule, and performance constraints.

Keys attributes of RiskUncertainty

Positive and Negative

Cause and Consequence

Known v Unknown Risks

Risk Reward Analysis

What is Risk Management (by PMI)?“The systematic application of management policies, standards, procedures, and practices to the tasks of identifying, assessing/analyzing, responding to, and monitoring to project risk”

A structured, iterative process with defined scope and objectives

Proactive and anticipatory

Objective is to decrease the probability and/or impact of negative events OR increase the probability and/or impact of positive events

Risk Management needs to be integrated into an organization’s decision making process

How can we stay ahead?

Identify and Manage the Risks to the project Formal methods

Determined by Industry, Regulatory, or Corporate standards

Templates, processes, audits Informal methods

Use what works for you at the time Use “Lessons Learned” in Project Post-Mortems to

learn from past mistakes

Risk management Steps by PMI Risk Management Planning Risk Identification Qualitative/Quantitative Risk Analysis for Risk

Assessment Risk Response Planning/ Contingency planning Risk Monitoring & Control

The Risk Management Process

1. Risk Management Planning

What should it include?How you will identify, quantify or qualify riskMethods and tools

Budget…(including contingency funding)

Who is doing what

How often

When a risk is really a risk

Reporting requirements- Who, when, how often, what, etc

Monitoring, tracking and documenting strategiesMake sure you are not OVER Planning

Risk Management PlanningThe main output of risk management planning is a risk management plan—a plan that documents the procedures for managing risk throughout a project

The project team should review project documents and understand the organization’s and the sponsor’s approaches to risk

The level of detail will vary with the needs of the project

2. Identifying RiskContinuous, Iterative Process

What is it and what does it look like- Different for each project and person consulted.

The sooner it is identified the better it is for project

The more the involvement of stakeholders the better the process outcome

A fact is not a risk- If you know something is going to occur then you plan for it not the risk of it. RISK vs PROBLEM

Be specific- identify the risk and a trigger/cause of the risk

Don’t try to do everything at once- qualify, quantify, or remedy

Identification Techniques

Brainstorming

Checklists- Lists developed to aid in identifying risks

Interviewing

SWOT Analysis

Delphi Technique

Diagramming TechniquesCause & effect – Ishikawa or Fishbone

Flow Charts etc.

Risk Identification: Classifications

Schedule/Cost Risks

Requirement/Expectation Risks

Technical Risks

3. Risk Assessment

This information should be developed for each risk:Description of riskAll the possible outcomes of the riskThe magnitude or severity of the outcomesLikelihood (probability) of the risk occurring, and likelihood of each possible outcomeWhen the risk might occur during the project Interaction of the risk outcomes with other parts of this project or other projects

Risk Analysis ToolsProbability analysis

Decision tree analysis

PERT analysis

Sensitivity analysis

Expected value analysis

Scenario analysis

Risk assessment matrix / risk severity matrix

Failure Mode and Effects Analysis (FMEA)

Monte Carlo simulation analysis

Delphi techniques for consensus etc.

Analyzing Risk - Qualitative

Subjective & Educated GuessHigh, Medium, Low

Red, Yellow, Green

1-10

Prioritized/Ranked list of ALL identified risks

First step in risk analysis!

Risk Assessment: A Simple Classification & Tracking Method

Probability of Occurrence vs Impact

1 to 5 Scale

PrioritiesRed - HighYellow - MedGreen - Low

Review/Present Chart Periodically

R isk #1

R isk #4

R isk #2R isk #3

R isk #5

Probability o f O ccurrance

Imp

act

H igher P robab ilityLow er P robab ility

Hig

her

Impa

ctLo

wer

Impa

ct

RISK SEVERITY MATRIX

Risk Assessment Form

In 1-10 scale

Probability/Impact Chart Showing High-, Medium-, and Low-Risk

Probability/Impact Matrix

A probability/impact matrix or chart lists the relative probability of a risk occurring on one side of a matrix or axis on a chart and the relative impact of the risk occurring on the other

List the risks and then label each one as high, medium, or low in terms of its probability of occurrence and its impact if it did occur

Can also calculate risk factors

Numbers that represent the overall risk of specific events based on their probability of occurring and the consequences to the project if they do occur

Probability & Impact Analysis

Risk Probability

1 25%

2 50%

3 30%

The biggest risk isn’t always the biggest risk!

Impact

$45,000

$2,000

$100,000

Expected Value

$11,250

$1,000

$30,000

Decision Trees andExpected Monetary Value (EMV)

A decision tree is a diagramming analysis technique used to help select the best course of action in situations in which future outcomes are uncertain

Estimated monetary value (EMV) is the product of a risk event probability and the risk event’s monetary value

You can draw a decision tree to help find the EMV

Decision Tree Analysis

Decision Definition Chance Node Net ImpactProbability Impact Cost + Total EV

Early10% +$15,000

Develop In House On Time ($32,500)($20,000) 20% $0

Delayed70% -$20,000

Develop In House or TOTAL ($12,500)Contract?

Early $1,50010% +$15,000

Contract On Time $0 ($31,500)($30,000) 70% $0

Delayed ($3,000)20% -$15000

TOTAL ($1,500)

$0

($14,000)

Decision NodeCost of the Decision

Prob x Impact

$1,500

SimulationSimulation uses a representation or model of a system to analyze the expected behavior or performance of the system

Monte Carlo analysis simulates a model’s outcome many times to provide a statistical distribution of the calculated results

Sensitivity Analysis

Sensitivity analysis is a technique used to show the effects of changing one or more variables on an outcome

4. Risk Response Planning“What are we going to do about it?”

Techniques/Strategies:

Mitigating Risk

Transferring

Avoiding Risk

Sharing Risk

Retaining Risk

Strategy should be commensurate with risk

Hint: Don’t spend more money preventing the risk than the impact of the risk would be if it occurs

The Risk Response Plan/Risk Response Register

4. Risk Response Planning Techniques

Mitigating Risk- Conducting more tests, add resources or time

to project, Designing redundancy into a systemReducing the likelihood an adverse event will occur.

Reducing impact of adverse event.

Transferring Risk- Insurance, performance bonds, warranties,

guarantees Paying a premium to pass the risk to another party.

Avoiding Risk: Changing the project plan to eliminate the risk

or condition

Retaining Risk: Making a conscious decision to accept the risk.

Sharing Risk: Allocating risk to different parties

Risk Register

The main output of the risk identification process is a list of identified risks and other information needed to begin creating a risk register

A risk register is:

A document that contains the results of various risk management processes and that is often displayed in a table or spreadsheet format

Risk Register ContentsAn identification number for each risk eventA rank for each risk eventThe name of each risk eventA description of each risk eventThe category under which each risk event fallsThe root cause of each riskTriggers for each risk; triggers are indicators or symptoms of actual risk eventsPotential responses to each riskThe risk owner or person who will own or take responsibility for each riskThe probability and impact of each risk occurringThe status of each risk

Sample Risk Register

RISK REGISTER

Project Component

Risk ID

Risk/Opportunity Description of Issue and Potential

Management Action Affected Project

Activities1

Probability of

Occurrence

Change in Cost

($000)

Change in Duration/ Schedule (months)

1. Right-of-Way R1 Right-of-Way costs and/or schedule

greater than anticipated ; includes: uncertainty in amount of ROW unit prices excessive condemnation relocation, demolition business mitigation

Row-of-way cost and quantity estimates are out of date and not based upon the latest design drawings; additional takes affect businesses in Line Section 3. Risks affect project cost estimate and start of construction in certain line sections.

All construction line sections; components,

01-10

.5 (.5)

$2,000.0 ($0)

6 (0)

2. Utilities U1 City waterline project not completed

as planned Delay causes project delay and increased overhead costs for project

Components 02-05

.25

.25 TBD 6

12 U2 City sewer project not completed as

planned Delay causes project delay and increased overhead costs for project

Components 02-05

.25

.25 TBD 6

12 U3 City vaults not completed as planned Delay causes project delay and increased

overhead costs for project Components

02-05 .9 TBD 4

U4 Private utility relocations not completed as planned (utility company fails to move on time)

Delay causes project delay and increased overhead costs for project

All construction line sections, components

01-10

T=.1 T=.5 T=.9

TBD TBD TBD

2 4 6

U5 Delay in obtaining agreement between grantee and private utilities

Delays FFGA/grant award and potentially start of construction

Components 01-10

.8

.2 TBD TBD

2 3

U6 Project’s adjustment budget for private utilities is too low

Cost increase to grantee for payment of additional relocation costs

Components 01-10

.5

.1 $2,000.0 $3,000.0

0 0

U7 Encounter unexpected utilities during construction

Change order claim by contractor results; cost and schedule impacts

Components 01-10

.5

$500.0 1

3. Environmental, Permitting, and

Agreements

E1 Delay in gaining signoff on programmatic agreements

Delay in issuing bid documents and subsequent construction delayed

Components 05, 06

.5 .25

TBD TBD

1 2

ETC.

Example of Risk Register

Contingency Planning

A contingency plan is an alternative plan used if a risk event or condition occurs.

Examples:

Having a backup supplier for a key material

Carrying a safety stock for a key part

Having an alternate distribution channel to send products (air instead of boat)

Having hurricane/flood/earthquake/cyclone evacuation plans

Risk Response Matrix

Risk and Contingency PlanningTechnical Risks

Backup strategies if chosen technology fails.

Assessing whether technical uncertainties can be resolved.

Schedule Risks

Use of slack increases the risk of a late project finish.

Imposed duration dates (absolute project finish date)

Compression of project schedules due to a shortened project duration date.

Risk and Contingency PlanningCosts Risks

Time/cost dependency links: costs increase when problems take longer to solve than expected.

Deciding to use the schedule to solve cash flow problems should be avoided.

Price protection risks (a rise in input costs) increase if the duration of a project is increased.

Funding Risks

Changes in the supply of funds for the project can dramatically affect the likelihood of implementation or successful completion of a project.

General Risk Mitigation Strategies for Technical, Cost, and Schedule Risks

Contingency Funding & Time BuffersContingency Funds

Funds to cover project risks—identified and unknown.Size of funds reflects overall risk of a project

Budget reservesAre linked to the identified risks of specific work packages.

Management reservesAre large funds to be used to cover major unforeseen risks

(e.g., change in project scope) of the total project.

Time Buffers

Amounts of time used to compensate for unplanned delays in the project schedule.

Time and Cost Padding

Padding is a commonly used approach to address risks, since it is very easy to implement and since it protects against most minor risks

Padding refers to inflating the original time or cost estimates for activities or for the project

Unfortunately, this leads to longer project durations and higher costs

Time and Cost Padding

People will generally use up as much time and money as they are allowed (if you don’t use it you lose it!)

Student syndrome if extra padding is built into activity time estimates, some people are likely to procrastinate getting started, and then the protection against risk is lost

Although padding can be useful in reducing the severity of risk, it can also lead to inefficiencies and waste

5. Risk Monitoring & ControlContinuous, Iterative ProcessDone right the risk should NEVER occur

Someone IS responsibleWatch for risk triggersCommunicate…Communicate…CommunicateTake corrective action - ExecuteRe-evaluate and look for new risk constantly

Tools:Risk Reviews- regular meeting where the risk team evaluates the risk register for any necessary additions, deletions, or changes to prioritization due to probability or impact changes.Risk Audits- review by outside person of risk response plan and how it is being implemented. Good for future use on projects

Tools & Tricks

Risk Identification Spreadsheet

Qualitative Risk Spreadsheet

Templates

Checklists

Make your own depending on your project

Microsoft Excel Worksheet

Microsoft Excel Worksheet

Microsoft Excel Worksheet

Risk Form

Risk Register II

Risk Checklist

Risk Progress Checklist

Risk Register Sample Risk Response

Action Plan

Risk Management Plan Template

CA Risk Mgmt Plan Outline

Change Management Control

Sources of Change

Project scope changes

Implementation of contingency plans

Improvement changes

Change Management Control

The Change Control Process

Identify proposed changes.

List expected effects of proposed changes on schedule and budget.

Review, evaluate, and approve or disapprove of changes formally.

Negotiate and resolve conflicts of change, condition, and cost.

Communicate changes to parties affected.

Assign responsibility for implementing change.

Adjust master schedule and budget.

Track all changes that are to be implemented

The Change Control Process

Benefits of a Change Control System

1. Inconsequential changes are discouraged by the formal process.

2. Costs of changes are maintained in a log.

3. Integrity of the WBS and performance measures is maintained.

4. Allocation and use of budget and management reserve funds are tracked.

5. Responsibility for implementation is clarified.

6. Effect of changes is visible to all parties involved.

7. Implementation of change is monitored.

8. Scope changes will be quickly reflected in baseline and performance measures.

Change Request Form

Integrated Risk Management extracts actionable information from traditionally stove-piped data streams

Enables critical decision makingEnables critical decision making

Risk Exposure?

Impact Relationships?

Goals Too Risky?

Which Design?

More Reserves?

Major Drivers?

Adequately Mitigated?

Characteristics of Successful Risk Management ApproachesCharacteristicsCharacteristics

A clear and consistent Risk Management champion

Requirements supported by leadership and stakeholders

A close partnership with users and stakeholders

Mature risk management processes

Established thresholds and criteria for proactively implementing defined risk mitigation plans

Resourced risk mitigation plans

Periodic risk assessments

Integrated data environments that maximize participation

A clear and consistent Risk Management champion

Requirements supported by leadership and stakeholders

A close partnership with users and stakeholders

Mature risk management processes

Established thresholds and criteria for proactively implementing defined risk mitigation plans

Resourced risk mitigation plans

Periodic risk assessments

Integrated data environments that maximize participation

Successful ApproachesSuccessful Approaches

A documented and mature risk management process

Quantitative assessments of risk impacts estimated against cost and schedule baselines

Defined risk filtration criteria

Risk reduction at the lowest level of the organization

A defined set of risk consequence definitions for performance, schedule, and cost

Structured approached for communicating risk across multiple programs/organizational levels

A documented and mature risk management process

Quantitative assessments of risk impacts estimated against cost and schedule baselines

Defined risk filtration criteria

Risk reduction at the lowest level of the organization

A defined set of risk consequence definitions for performance, schedule, and cost

Structured approached for communicating risk across multiple programs/organizational levels

Different Organizational Levels Face Different Types of Risks

- How does a risk to one program affect the delivery of other related programs?

- Which external stakeholders have the ability to influence the success of one or more programs?

- How can a successful risk mitigation strategy for one program be leveraged by other programs?

- How does a risk to one program affect the delivery of other related programs?

- Which external stakeholders have the ability to influence the success of one or more programs?

- How can a successful risk mitigation strategy for one program be leveraged by other programs?

- Is the project on track to meet or exceed its threshold requirements?

- How do current risk levels impact the ability to meet critical schedule milestones?

- Which design solution provides the optimal balance between capital and operating costs?

- Is the project on track to meet or exceed its threshold requirements?

- How do current risk levels impact the ability to meet critical schedule milestones?

- Which design solution provides the optimal balance between capital and operating costs?

- What are the technical performance risks associated with delivering a given requirement or capability?

- How will assembly, integration, and test schedules be impacted by a given risk event?

- What are the cost impacts of delays in subcontractor deliveries?

- What are the technical performance risks associated with delivering a given requirement or capability?

- How will assembly, integration, and test schedules be impacted by a given risk event?

- What are the cost impacts of delays in subcontractor deliveries?

Risks ultimately should be filtered to the lowest level possible for ownership and mitigation

Enterprise Level

Program Level

Project Level

Subproject Level

RISKS

Common risk factorsRisk factors

Lack of top management commitment to the project

Failure to gain user commitment

Misunderstanding the requirement

Lack of adequate user involvement

Failure to manage end user expectation

Changing scope and objectives

Lack of required knowledge/skill in the project personnel

New technology

Insufficient / inappropriate staffing

Conflict between user departments

Key Contributors to Success

Risk Management promotes a clear value proposition

Program input actively sought for framework development.

A clear and consistent risk sponsor.

• Demonstrate how resources will be saved or more efficiently applied

• Demonstrate how information will be more widely shared

• Establish working group or other forum

• Gather feedback prior to go-live

• Promotes buy-in

• Sustains participation

• Creates understanding of information

• Defines linkages

Integrate Cost, Schedule and Risk personnel

COMMUNICATION

Risk Management’s Benefits

A proactive rather than reactive approach.

Reduces surprises and negative consequences.

Prepares the project manager to take advantage of appropriate risks.

Provides better control over the future.

Improves chances of reaching project performance objectives within budget and on time.

Benefits from Software Risk Management Practices*

*Kulik, Peter and Catherine Weber, “Software Risk Management Practices – 2001,” KLCI Research Group (August 2001).

What Went Wrong?

Many information technology projects fail because of technology risk. One project manager learned an important lesson on a large IT project:

focus on business needs first, not technology. David Anderson, a project manager for Kaman Sciences Corp., shared his experience from

a project failure in an article for CIO Enterprise Magazine. After spending two years and several hundred thousand dollars on a project to

provide new client/server-based financial and human resources information systems for their company, Anderson and his team finally admitted they had a failure on their hands. Anderson revealed that he had been too enamored of the use of cutting-edge technology and had

taken a high-risk approach on the project. He "ramrodded through" what the project team was going to do and then admitted that he was

wrong. The company finally decided to switch to a more stable technology to meet the business needs of the company.

Hildebrand, Carol. “If At First You Don’t Succeed,” CIO Enterprise Magazine, April 15, 1998

Regularly Heard Comments in Programs

….we need to focus on the technical risks..

…I know what I am doing. I am applying risk management but I don’t want to write anything down…

…this activity is part of our normal way of doing business. There is no risk…

…let’s not make that risk red, we need to be careful what we report…

…let’s make that a risk, I want to poke the PM in the eye…

…there is no cost risk, but I am not confident about the estimate….

…there is no schedule risk, let’s just move that activity out a few weeks…

….why do I need to do this…especially since the board doesn’t have any money to help me…

…this is not a development contract, we don’t have any risks…

My favorite: ….you are the risk manager, what are my risks?....