basic risk management presentation 17th june 2015
TRANSCRIPT
www.babcockinternational.com
Strictly Private and Confidential
2
About us
Applied Analytics Integrator providing
information management & analytics services for
Asset and Enterprise Performance Management
200+ people across 3 key locations and numerous
customer sites
We help our customers do more with their data –
enabling better decisions
Working with asset intensive and mission
critical industries including Defence, Energy, Rail,
Infrastructure, Transport and Utilities
Babcock Analytic Solutions
www.babcockinternational.com
Strictly Private and Confidential
Footer 3
Definitions
Risk
APM PRAM: “A risk event is an uncertain event or set of circumstances
that, should it occur, will have an effect on achievement of one or more of
the project’s objectives.”
Uncertainty
APM BOK: “Uncertainty is the inherent variability that it is impossible to
predict how long an activity will take.”
Issue
APM BOK: “An issue is a threat to project objectives that cannot be
resolved by the project manager. Issues have already occurred and are
therefore certain.”
www.babcockinternational.com
Strictly Private and Confidential
Footer 4
Project Risk Management
The purpose of risk management is to manage a project’s exposure to
risk (Impact and Probability).
Projects need to take risks to be profitable and maximise benefits.
Good risk management goes unnoticed.
www.babcockinternational.com
Strictly Private and Confidential
Footer 5
APM Risk Process
Initiate
Identify
Assess
Plan Responses
Implement Responses
Manage P
rocess
www.babcockinternational.com
Strictly Private and Confidential
Footer 6
Establish the Context (Initiate)
Outputs
An understanding of the project.
Assumptions.
Risk scoring scheme.
What risk information is required?
To what detail is this information required?
Is a risk register required?
Is a risk register tool required?
www.babcockinternational.com
Strictly Private and Confidential
Footer 7
Establish the Context Understanding the project
What are the projects objectives/benefits?
How does this project affect the customer and the company delivering it?
How big will the project be?
• Scope
• Cost
• Resource
What assumptions have been made so far?
Not understanding the context will result in poor risk data.
Project
Company
Company's
Environment
Customer
Customer’s
Environment
www.babcockinternational.com
Strictly Private and Confidential
Footer 8
Establish Context
Risk Requirements
Clear set of objectives.
• Defines risk appetite
Each project requires an agreed risk scoring scheme.
• Qualitative risk scoring
Each project may require a different scoring scheme.
• How many risks will be recorded and in how much detail?
‒ Is a risk register required?
– Is a specific risk tool required?
Management understanding and buy in.
Very
High 5 10 15 20 25
High 4 8 12 16 20
Mod
erate 3 6 9 12 15
Low 2 4 6 8 10
Very
Low 1 2 3 4 5
Very
Low
Low Moder
ate
High Very
High
Impact
Pro
bab
ilit
y
www.babcockinternational.com
Strictly Private and Confidential
Footer 9
Risk Identification 1
This will take more than a one hour meeting!
Output
Risk statements with a cause and an effect.
A list of uncertainties to the project.
At the bidding phase or start of the project a top down approach to risk identification allows for a better structure.
Pitfalls
Dominant personalities
Work owners being offended by risk
Group think
Identifying non-risks (issues)
Competition to identify the most risks.
Trying to identify risk with no context.
www.babcockinternational.com
Strictly Private and Confidential
Footer 10
Risk Identification 2
There are two types of risk:
Uncertainty
This is the inherent variability that it is impossible to predict how long an
activity will take. 3 point estimates (Minimum, Most likely and Maximum)
are used for activity durations and costs.
Risk Events
Discrete events that are separate from an activity. These are contained
within the Risk register.
Uncertainty + Risk Events = Total Risk Exposure
www.babcockinternational.com
Strictly Private and Confidential
Footer 11
Risk Identification 3
Identification Techniques
Review of WBS
for potential inconsistencies
Checklists
One-to-one Interviews
Systematic Searches
Review Assumptions
Learning from Experience
(LFE)
Prompt Lists
Brainstorming
www.babcockinternational.com
Strictly Private and Confidential
Footer 12
Risk Identification 4
Cause
• A tangible and concise explanation of a definitive event or set of
circumstances that exist in the project or its environment.
• Due to / Caused by………..
Risk Description / Uncertainty
• A description of the actual uncertainty describing what may / could occur.
• There is a risk that……………….
Effect
• (Threat) The unplanned variations from project objectives that will arise as
a result of the risk occurring/impacting.
• (Opportunity) The currently unplanned alterations to the project to increase
the likelihood of achieving the project objectives.
• This will lead to/ result in…………………
www.babcockinternational.com
Strictly Private and Confidential
Risk Assessment 1
Footer 13
Threat
• Schedule loss
• Cost increase
• Reduction in performance of product
Opportunity
• Schedule saving
• Cost saving
• Increase in performance of product
Outputs
The creation and justification of the impacts of the risk:
• Probability of occurrence
• Impact on the project’s objectives
• Recorded in 3 point estimates
Current (pre-mitigation) – can be done immediately
Target (post-mitigation) – can only be done once mitigation plans
have been identified and agreed
www.babcockinternational.com
Strictly Private and Confidential
Risk Assessment 2
Footer 14
Pitfalls
Estimating
• People’s personality and personal experience will be drivers at this
point in the process
• Humans are naturally poor at estimating
• Affect – substitution of what you feel when asked a difficult
question
• Availability – a mental shortcut that relies on immediate examples
that come to a given person's mind when evaluating a specific
topic, concept, method or decision
• Anchoring – a heavy reliance on the first piece of information
offered (the "anchor") when making decisions
www.babcockinternational.com
Strictly Private and Confidential
Risk Assessment 3
Footer 15
Threat
Scenario creation
Analysing plans
- Increase in work scope
- Delay to start dates
Analysing cost models
- Increase in costs
Analysing the product
- Decrease in benefits
Opportunity
Plan out and agree the benefits to
the programme.
Agree with Subject Matter Experts
(SMEs) and Suitably Qualified and
Experienced Personnel (SQEP)
- Reductions in schedule
- Cost savings
- Increase in benefits
Techniques
www.babcockinternational.com
Strictly Private and Confidential
Footer 16
Plan Responses (Threats)
Outputs
• Threat – a set of mitigation actions that reduce the impacts or the
probability of those impacts
Types of responses
• Mitigate – undertake specific actions to reduce probability and / or
impact
• Avoid – take a different course of action that stops the risk occurring
• Transfer – transfer of risk to another party better placed to manage the
threat
• Accept – accept the risk impact on the programme and establish a
fallback plan
• Fallback – strategy to be implemented if the risk materialises, to
overcome the impacts of the risk
www.babcockinternational.com
Strictly Private and Confidential
Footer 17
Plan Responses (Opportunities)
Outputs
• Opportunity – a set of actions that maximise the impacts or increase
the probability of realising the opportunity
Type of realisations:
• Exploit – Increase the probability of the opportunity occurring
• Enhance – Increase the positive effects of the opportunity
• Share – Share the opportunity with another party better placed to
manage the threat
• Accept – Being willing to take advantage of it if it comes along, but not
actively pursuing it
www.babcockinternational.com
Strictly Private and Confidential
Footer 18
Plan Responses 1
Responses and Realisations should be:
• Specific
• Measureable
• Action orientated
• Realistic
• Time-bound
Responses should also contain how they are going to affect the risks probability or impacts and by how much.
Once Mitigations have been agreed, the Target risk score can be calculated.
Pitfalls
• Decision around treatment strategy
• Cost benefit of strategy
• Try to mitigate everything and not focussed on the priorities
• Inconsistent use of the words “by” and “to” in mitigation actions
www.babcockinternational.com
Strictly Private and Confidential
Footer 19
Plan Responses 2 Very
High 5 10 15 20 25
High 4 8 12 16 20
Mod
erate 3 6 9 12 15
Low 2 4 6 8 10
Very
Low 1 2 3 4 5
Very
Low
Low Moder
ate
High Very
High
Very
High 5 10 15 20 25
High 4 8 12 16 20
Mod
erate 3 6 9 12 15
Low 2 4 6 8 10
Very
Low 1 2 3 4 5
Very
Low
Low Moder
ate
High Very
High
At the initial risk assessment
(before and responses were
identified) the risk was
qualitatively scored at 20.
Once responses have been
agreed and opened, the target
score can be reduced to the
sum of the reductions in the
mitigations.
www.babcockinternational.com
Strictly Private and Confidential
Footer 20
Implement Responses and Manage
Process 1
Outputs
• A risk set that is relevant and up to date
• High quality of data within the risks
• Reductions in threat exposure
• Increase in opportunity realisation
Techniques
• Pro-active approach to risk
• Regular risk reviews with the risk owners
• Reviewing status of proposed, ongoing mitigation plans and responses
• Reviewing, developing and approving new risks
www.babcockinternational.com
Strictly Private and Confidential
Footer 21
Implement Responses & Manage
Process 2
When Reviewing Risks
• Has the mitigation had the desired effect?
• Is the “real” current threat/opportunity impact still valid?
• Are there new mitigations responses?
• What effect will the late delivery of the Response have on the
Risk / Opportunity?
Pitfalls
• Reviewing everything with everyone
www.babcockinternational.com
Strictly Private and Confidential
Footer 22
Risk & Project Processes
The risk process must have close ties to the other processes being
utilised in the project.
The risk register holds the data that the other processes will use.
Integrating mitigations into the project.
Opportunity realisation
Threat realisation
Risk Change
Process Responses
Other
Project
Processes
www.babcockinternational.com
Strictly Private and Confidential
Footer 23
Cause Based or Risk Based
Multiple causes for a single risk statement. (Bow Tie method)
Multiple risk events due to
a single cause.
Multiple causes against multiple risk events, this is no long a risk! It is
UNCERTAINTY.
To give these methods the best chance of succeeding, the risk manager must
code the causes, effects and responses so it is obvious which response is
affecting which cause, effect or risk event.