RiskManagementMaturityImprovingtheEffec8venessandMaturityofRiskManagementProcesses
Ge=ngBe?erProjectandBusinessPerformancefromYourManagementofRisks
KevinRaumTimBoatwright
WelcomeTimBoatwright
• PrincipalConsultantwithTenSix
• PMP,EVP&ITILCer8fied
• ProjectControlsexpertwith20yearsinDoD,
Energy,BiotechandITexperience
• FormerEVPCer8fica8onBoardLeadforAACEi
• PrincipalConsultantwithTenSix
• Projectandriskmanagementsystems,process,
toolsimplementa8onexpertwith30+yearsin
Biotech,IT,DoD,state-local-federalgovernment
andinterna8onalexperience
• Cer8fiedmediator
KevinRaum
AboutTenSix• SpecialistsinenterpriseProjectPorUolioManagementandEarnedValueManagement
– Globalcustomerlist
– OfficesinUSA&UK
– Experiencedstaff–average25+years– ExpertsinOraclePrimaveraP6&Deltektoolsuites
– Uniqueconsul8ng&trainingservices
LearningObjec=ve• Provideyouwithamodelofbestprac8ceriskmanagementthatcanhelpyoutodeterminewheretofocusa?en8ontoimproveriskmanagement
• Shareourexperiencesandlessonsfromthesuccessfulimplementa8onofriskmanagementframeworktoimproveprojectriskmanagementmaturity
WhyThisTopic• Manyprojectfailurescanbelinkedto
ineffec8veriskmanagement
• Riskmanagementmaturityisnotwell
understood
• Riskmanagementdeservestobeconsidered
asanimprovableprocesswithstandards,asis
PM,PgM,so_waredevelopment,etal
RiskConcepts• Risk:Thelikelihoodthataprojectwillfailtomeetitsobjec8vesbecauseofaneventorcondi8on
• RiskManagement:isaimedatreducingtheuncertaintyofoutcomes(businessdecisions,projectdecisions,workdonebytheteamandsuppliers,etc.)and/ortheimpactofariskevent
RiskManagementProcess
RiskManagementPlanning
RiskIden=fica=on
RiskAnalysisRisk
ResponsePlanning
RiskMonitoring&
Control
Theriskmanagementprocessiscarriedoutitera=velyinallphases(Pre-ini=a=ontoProjectCloseout)
BenefitsoftheRMprocess–whendonewell: • Increasesthelikelihoodofprojectsuccess• Iden8fiesthreatsaswellasopportuni8es• Specifiesac8onstoreducetheprobability
orimpactofthosethreatstotheproject.• Promotesdialogandunderstandingof
theprogrambetweenallstakeholders
• Canbecon=nuouslyimproved
ExamplesofRiskManagementFailures
• Example1:$500KFFPA&EACofEprojectislateandoverbudgetbecausenooneaskedtheteamwhatrisksexistedintheirWBSlegsduringtheplanningprocess
• Example2:Construc8onprojectfailedbecauseofpressuretopursuelowprojectcosttargets,eventhoughriskmanagementprocesseswereinplace–pressuredteamtounderstateprojectriskexposure;costoverrunswerecaughtlateandwereanembarrassment
• Example3:Riskplansandprocessesinplace,butpoorqualityschedulesandpoorrela8onshipwithcustomerresultedinundersta8ngfullriskexposure;jeopardizingprogramsuccess;onlybyreplacingmanagementvianewcontractorbroughtprogrambackundercontrol
WhoBenefitsfromRiskManagement?
RiskManagement
Execu=veLeadership
Team
ProjectMangerCustomer
Suppliers
ViewofRisksVaryWithRole
• Sponsors/Management:Growth,ROI,CAPEX,OPEX,reputa8on,dates,safety….
• Customer:financialoutlay,deliverydates,reputa8on,poli8cal….
• Program/ProjectManager:schedule,costs,quality,resources,safety….
• TeamMembers:mywork,other’sworkthataffectsme,safety….
• Suppliers/Subcontractors:schedule,demand,reputa8on,safety….
RiskManagementisimportantfromstrategy/visiontoprojectdelivery
EveryoneGainsIF:• Allonthesameteamwithsuccessasthegoal
• Risksareacknowledgedandunderstood• Riskmanagementprocessisrobust,knownand
understoodandconsistentlyappliedandimprovedfromtoptobo?omtheorganiza8on– Businessdecisionmaking
– Projects– Suppliers– Deliveryandopera8ons– Customersandotherstakeholders
• Riskisdealtwithexplicitly,effec8velyandefficiently
RiskManagementMaturityModel
RMM
SponsorandManagement
Iden=fyRisk
AnalyzeRisk
PlanRiskResponse
LinkPMSystems
Environment&Principles
RiskMaturityModel
Ad-hoc• Limitedifanyriskmanagement
• Manysurprises
• Frustra8on• Heroics
Basic• Rudimentaryriskprocesses–primarilyprojectfocused
• Inconsistentapplica8on
• Nopredic8ve• Someseniormanagement
• Someinforma8onavailable
Defined• Riskprocessesdocumented–some
pre-project
• Moreconsistent
applica8on
• Limitedpredic8vemodeling
• Moresenior
management
• Customerand
suppliersinvolved
• Basicinforma8onavailable
Improving• Riskmanagement
usedatearliest
stages
• Riskmanagement
isintegraltoproject
managementand
investmentstages
• Seniormanagement
ac8velyinvolvedthroughout
• Tailoredinforma8on
Op=mized• Riskmanagement
fullyintegrated
• Lessonslearnedandfedinto
upcomingprojects
6x5LevelRiskMaturityModel*Areaa Level1 Level2 Level3 Level4 Level5
SponsorandManagement
Noinvolvementorpolicy,little/noriskinformation,noconnectionwithexternalcustomer;norisksharingwithcustomerorsuppliers;endusersnotinvolved
Littleuseofriskinfo;limitedexposureofrisks,verylimitedcustomerinvolvement,unclearagrements,supplierriskinfolimited;poorcontracts&riskinsights,limitedenduserinvolvement
Somemanagementproactiveengagement,reportingrisksbutnotusedwell,constrainedriskinfotocustomer,skewedrisksharing,
Managementisproactive;usingriskinformationregularlywithsomegaps;risksharingismorebalancedwithsomeholes
Policyinplace;informationsoughtandprovidedregularly;RMintegraltoalldecisions;customerinvolvementintegraltoriskdecisions
IdentifyRisk
Risksareignoredoronlyoccassionallyidentified;nouseofformalmeanstoidentifyrisks;slowornoresponsetorisksthatarenewlyidentified;surprises
Risksmaybeidentifiedbutarecalledissues;term"risk"maybefrownedupon;somelimitedtopdownriskinfoconveyed;someformalriskidentificationmechanismsused;slowresponsewhenneewrisksIded
Upstreamrisksaresometimespassedalongfromupstream;risksidentifedusingmoreextensiveriskIDmechanisms;formalmeetingstoIDrisksused;PMstartingtoshowupinIdingrisk;risklogsmaybecreated
Risksarepasseddownandusedinprojectriskplanning;extensiveuseofidentificationtoolsandmethods;RMisexpectedaspartofPMteam'srole;RMIDmethodsareadjustedbasedonprojectlifecycle;
RiskIDdonefromearlieststagesofinvestmentdecisions;Riskinfopassedalongtoprojects;tools,experts,differentmethodsusedtoIDrisksasdictatedbyproject;newrisksarerapidlyaddressed;RMpartofeveryone'sjob
AnalyzeRisk
Vagueandunhelpfulriskdescriptions;Issuestracked,butnotrisks;informalandsubjectivebasisforprioritizingrisks;nocontingencyestimates;littleornoformalmitigation
Somebetterriskdesriptions;standardmayexistbutisnotconsistentlyapplied;probabilityandimpactsmaybedoneinformally;prioritzationpoor;limitedrisksynergy;informalowners
Standardforrisksisusedbutsomegaps;probability&impactinuse;RYG;mitigationidentified;riskownersusuallyassigned;risksynergiesbeingidentifiedbutnotfullydeveloped;
Mostriskstandardsareinplace;synergyisimportanttoIDanddone;riskownersassignedandaccountable;RYGandothermechanismsusedtoanalyzerisks;riskimpactnearlyalwaysassessed
Risksstandardsareinplaceandconsistentlyapplied;synergiesarealwaysconsidered;differentviewsoftheriskinformationareconsidered;riskownersarealwaysidentifiedandaccountable
PlanRiskResponses
Riskresponseplanningispoorlydone,ifatall;noROI/CBAdonewhenconsideringresponses;nomonitoringofresponses;noprojectplanadjustment;nopre-orpostmitigationcomparisons
Riskresponseplanningisinformallydone;ROI/CBAmaybedonefromtimetotime;monitoringofreponsesislefttoindividualriskowners;maydosomepre-andpostmitigationanalysis
Riskreponseplanningisdonebutinconsitently;ROI/CBAdoneasrequested;monitoringdonebutnotrigorously;projectplansadjustedsomeitmes;pre-andpostmitigationanalysisdone
Riskresponseplanningisrequiredanddonethoroughlybutsomelapses;ROI/CBAintegralpartoftheanalysis;consistentandrigorousmonitoringdone;riskresponseplanningusuallypartofstakeholderdiscussions
Riskresponseplanningisdonewellandrigorouslyandconsistently;ROI/CBAisdoneforallrisksneedingit;risktriggers/monitoringareintegraltoriskmanagement;customer,suppliers,sponsorsarepartofthediscussions;plansareadjusted
LinkPMSystem
RMandPMaredisconnected;RMisonesizefitsall;nolinkageswithprojplans;RMis"extra"
RMandPMaresomewhatconnected;someRMplanningisdonewithprojectplanning;informalriskreviewsandreporting;weaklinkagestoschedules;nohistoricaldata
RM&PMareconnnected;RMisoftendoneonceandreflectedintheplansatprojectoutset;RMisadjustedandappliedintelligently;riskmodelingisdone;limitedhistoricaldata
RM&PMarestronglylinked;risksaremanagedacrossandbeyondprojectscopestandardreportingdone;modelingisdonewell;riskinformationiscapturedforusebutnotaccessed;RMrolesaredoneperstandards
RM&PMaredonewellandtostandard;RMisadaptedtoprojectdrivers;plansarefullyalignedandintegrated;riskmodelingisdonewell;reportingisdonebasedonroles/needs;archivedinfoused
Environment&Principles
Peoplearefearfultoidentifyrisksorstymiedintheirefforts;littletrustbetweenteamandstakeholders;RMmaybepenalizedbecauseitisconsidereddisruptive;RMinfoisseldomused;RMroleisnotsupported
ID-ingrisks;RMplansaredevelopedbutnotgenerallyavailable;RMroleweaklysupported;RMusedsporadicallyandadhoc;RMpracticesometimesrecognized
ID-ingrisksisisacceptedbutnotpromoted;RMplansaremadeavaiabletoteam;RMroleisdevelopedandrecognized;RMpracticeisacknkowledged;sometrustinplacebutnotconsistent
ID-ingrisksisexpectedandencouraged;RMplansareupdatedregularlyandbriefedtoteam;RMpracticeisrewarded;RMroleisexpectedaspartofeveryone'sjob;generallyhightrust
ID-ingrisksisactivelysoughtoutbyPM;RMplansareintegratedintorolesandprocesses;trustisstrongandcommunicationsisgood;RMprocessisseenassuportiveofprojectsuccess
Credit:TheProjectRiskMaturityModelbyMartyHopkinson
SPONSOR-MANAGEMENTINVOLVEMENT
• SeniorManagementisleadinginRM
• Managingup:sharingandrepor8nginforma8on
• Managingout:Externalcustomer
• Customerandsupplierrisksharing
• Expecta8onthatriskdataiscomplete
• Enduserinvolvementinrequirementsanduserisks
SeniorManagement’sRole• WhyImportant:Setstheexpecta8onthatRMisimportant
• LowMaturity:Notoplevelriskpolicyinplace,managementisabsentinriskdomain;hardforPMtogetsupportforRM
• HighMaturity:RMisexpectedandsupportedfromoutsetofdecisionstoinvestinprojects;riskmanagementisbemanagedin/throughsubs,contracts,andusers
• Ac=ons/StepstoImprove:– Ifmanagement:setpolicyinplacerequireRMtobeimplemented;reinforce
withques8onsandexpecta8onsandlegalframeworksincontracts
– Ifnotmanagement:• Demonstratebydoingriskmanagement;
• Developprocessesandinvolvestakeholders,subcontractors,inreviews,decisions
• Benefits:– Setsexpecta8onsaboutriskmanagement
– Tightenslinkageofprojectstobusinessobjec8ves– Involvessubsetalinmanagingrisk
– Setsthestageforacultureofmanagingrisks
SharingRiskInforma=onwithSeniorManagement• WhyImportant:Informssponsorsandmanagementandassuresthem
thattheycaninfluenceevents
• LowMaturity:Noriskinforma8onsharing;managementindarkaboutrisks’impact;crisesareprevalent
• HighMaturity:ManagementinvolvedinRMandabletobeproac8ve
• Ac=ons/StepstoImprove:– Involvemanagementatkeypointsintheriskprocess
– Obtaininforma8onaboutbusinessinvestmentdecisionsrelatedtotheprojectandlinkprojectrisksinforma8on
– Speakin“language”ofdecisionmakers(management,customer,endusers)
• Benefits:– Movesorganiza8onindirec8onofsuppor8ngriskmanagement
– Fosterscommunica8onandtrust
– Givemanagementmeanstoengageproac8velyandintelligently
– Abletomanage“bad”newsbe?er
RiskManagementProcessExists• WhyImportant:Noprocess,nowaytoimprove
• LowMaturity:Noneorad-hocRMprocesses;sporadicallyapplied;limitedfocusandpoorriskinforma8on;crisesdriven
• HighMaturity:Processiswelldocumented;integralpartofprojectmanagementandhowbusinessisconducted
• Ac=ons/Steps:– Designanddeveloporadoptariskmanagementprocess
– Cra_riskmanagementplansforselect“test”projects
– GetanexpertinRMtoassist
• Benefits:– Usefulandusableproject– SupportsandissupportedbyRiskPolicy
Iden=fyingRisk
• Top-downriskiden8fica8on(Upstream–downstream)
• Riskiden8fica8ontechniques(methods,history,RBS,etc.)
• Methodicalandadaptedtostage/phase
• Responsivenesswhennewrisksiden8fied
• Usingprojectmanagement(e.g.EV)toiden8fyrisks
• RMasanintegralrole
RiskIden=fica=on–TopDown?• WhyImportant:Iden8fysourcesofrisk• LowMaturity:Haphazardifdoneatall• HighMaturity:Startsareoutsetofinvestmentdecision;lowerlevelrisksarelinkedtosources
• Ac=ons/Steps:– Ask:Whatarerequirementsandobjec8ves?Whatismostimportant?Whatistheprojectcontext?Whatwillhavegreatesteffectonprojectsuccess?
• Benefits:– Keepstheproject“outoftheweeds”andfocusedontheul8mategoal
– Engagessponsor,management,suppliers,PMandteam
RiskIden=fica=onMethods• WhyImportant:Needcompletelistofpoten8alrisks
• LowMaturity:Haphazard,narrowlyfocused;limited8mespent
• HighMaturity:Varietyofmethodsareused;facilitator/riskmanagermayexecutethis;expectedandendorsed
• Ac=ons/Steps:– Familiarizeyourselfwiththevariousmethods-techniques
– Conductformalriskiden8fica8onmee8ngs
– Usemul8-disciplinaryteams(includingexternalexperts)
– Talkwiththosewhohavecomebeforeyou
• Benefits:– Morecompletelistofrisks
– Engagesmoreoftheteam
RiskIden=fica=onObtainAllProposal
Ar8factsandContract(terms,
SOW,costs,etc.)
ReviewandPrepareforProposalDebrief
ConductProposalDebrief
ProposalReview
ProjectPlanning
Brainstorming,MindMap
Ishikawa/FishboneDiagram
Others:• DelphiTechnique
• OutsideExperts
• HistoryReview
ReviewScope,Contract,SOW,Assumptions,
etc.
CraftandLayinHighLevelWBS,TargetDates,onWBSElement(s)
ReviewWBSandDraftProjectSchedulewith
Team
UpdateWBS/DConduct1:1PlanningSessions
PrepareScheduleforeachWBSElement
PrepDraftRiskLog
IntegrateFragnetsintoDraftSchedule
ReviewScheduleWBS/D,RiskLog
withTeamOK?
NO
FinalDraftSchedule,WBS/
D,RiskLog
ProjectRiskManagementRiskIden=fica=on
The Risk Breakdown Structure (RBS) lists categories and sub-categories for project risk. The actual categories will vary across different types of projects.
PROJECTRBS
TECHNICAL EXTERNAL ORGANIZATIONAL PROJECTMANAGEMENT
REQUIREMENTS
TECHNOLOGY
COMPLEXITY &INTERFACES
PERFORMANCES& RELIABILITY
QUALITY
SUBCONTRACTORS & SUPPLIERS
REGULATORY
MARKET
CUSTOMER
WEATHER
PROJECTDEPENDENCIES
RESOURCES
FUNDING
PRIORITIZATION
ESTIMATING
PLANNING
CONTROLLING
COMMUNICATIONS
RiskDescrip=onsYieldUsefulInforma=on• WhyImportant:Clarity;capableofdevelopingadequateresponse
• LowMaturity:Verysuperficiale.g.“notenoughresources”
• HighMaturity:Followsstandardforclarity• Ac=ons/Steps:– Adoptastandardfordescribingrisks;requireallriskownerstoadheretothis
• Benefits:– Clarityandunderstandingwhatriskisabout
Analysis
• Riskdescrip8onsabidebyastandard
• Riskowners(assignedandaccountable)
• Riskimpactsdevelopedandassessed
• Risks’synergy(iden8fiedandevaluated)
• Risklikelihood(probabilityandimpact)
• Riskpriori8za8on(R,Y,G)
• "Goodness"ofriskes8mates
• Scheduleandcostdataisofsufficientquality
• Economicperformancemodeled(con8ngency)
• Risks’mi8ga8oniden8fiedandselectedintelligently
RiskImpactsareThoroughlyAssessed• WhyImportant:Understandwhatistheeffectoftheriskson8me,cost,quality
• LowMaturity:Limiteddevelopmentofimpacts
• HighMaturity:Rigorousandcomplete;calcula8onsprovided;impactlinkedtoprojectgoals;8mephased
• Ac=ons/Steps:– Chooseriskandobjec8veslinkage– Determinebestmeasurestousetoassessimpact;test
• Benefits:– Be?erabletodefenddecisionsaboutrespondingtorisks– Setsstageforcostandschedulecon8ngencycalcula8on
RisksarePriori=zed• WhyImportant:Keepsfocusonmostimportantrisksandareas
oftheproject
• LowMaturity:Laundrylistofrisksandissues• HighMaturity:Riskaregroupedandpriori8zedbasedon
management’sneeds
• Ac=ons/Steps:– Agreeonpriori8za8onscheme(e.g.5x5matrix)
– LeverageRBSandcombinetocreateusefulinforma8on
– Testanddecidewhatneedschanging• Benefits:
– Focusesleadershipandteamonmostimportantrisks
– Leveragestheresultsoftheprocessandshowsvalueoftheprocess
PlanRiskResponse
• Risk(proximity)triggers
• ROI/CBAused(toselect“best”riskresponse)
• Riskresponseplanquali8es(standard,used,keptuptodate)
• Riskresponsemonitoring(how’sitgoing)
• Riskmi8ga8onimplementa8on(adjus8ngprojectplansto“reality”)
• Preandpostriskmi8ga8oncomparisons(budgetandschedulecon8ngencysupport)
MonitorImplementa=onofRiskResponses• WhyImportant:Execu8onofriskresponseyieldsbenefitsofall
priorefforts
• LowMaturity:Haphazardorinconsistent;selfmonitoring
• HighMaturity:Partofriskreviewsandintegraltoprojectmanagementoversight
• Ac=ons/Steps:– Scheduleriskreviewsandconducttoastandardagenda– Emphasizestayingonmostimportantrisks
– Re8rerisksas/whenneeded• Benefits:
– Assuresthatriskmanagementisbeingcarriedout
– Enablesescala8onandac8onifneeded– Formalizesongoingprocessofiden8fyingnewrisks
UsePMSystemsandTools
• Riskmanagement“sized”withprojectimportance,complexity,size
• RMresponsibili8esareexecutedperstandard
• Lookingatrisksbeyondprojectdelivery
• RMandPMplansarealignedandintegrated
• Riskinforma8onandrepor8ng;riskreviewsandescala8ons
• Projectcostandscheduleforecas8ng(riskmodelinginschedules)
• Archivingriskinforma8onandassessingRM(con8nuousimprovement)
Integra=ngRiskwithProjectManagement• WhyImportant:Improveslikelihoodofprojectsuccess–mee8ng
objec8ves
• LowMaturity:Limitedintegra8onofRMwithprojectgoals;RMmaybedoneonceanddropped;surprisesandfrustra8on
• HighMaturity:Riskmanagementisintegrally8edtomanagingtowardsprojectgoals
• Ac=ons/Steps:– Formalizedmakingriskmanagementplanspartofprojectmanagement
plans
– Connectriskreviewswithprojectreviews– Updateriskinforma8onatkeymilestonesandmajorprojectchanges
• Benefits:– Ensuresallwhoarepartofprojectsuccesshavebe?erinsighttothe
challengesandop8onstobringaboutthissuccess
EnvironmentandPrinciples
• Peoplearefreetoiden8fyandproposerisks;trustRMprocess
• Teamandstakeholderstrusteachother
• Riskmanagementplansavailableandused
• RMusedearlyinoveralldecisionmakingandPMprocess
• GoodRMprac8cerecognizedandrewarded
RiskOwnersIden=fied&HeldAccountable• WhyImportant:Makesorganiza8onscommitmenttoriskmanagement
explicit
• LowMaturity:Ad-hocornotassigned• HighMaturity:Maybeaformalrole;allprojectteammembersare
expectedtobeac8veiniden8fyingandmanagingrisks;trainingprovided
• Ac=ons/Steps:– Prepareoutlineofrequiredknowledgeandskills– Brownbagsessionsini8ally,followedwithmoreformaltraining
– Acknowledgeroleand/orskillssets– Forindividualriskowners–PM/RMoverseestheireffortsandresults
• Benefits:– Setsthestageforchangingtheorganiza8on/projectculture(alongwithall
oftheotherareascovered
SUMMARY
HowDoYouGetBe?er?
1 1
2
1
2
1
5 5 5 5 5 5
0
1
2
3
4
5
Sponsor&Management
Iden=fyRisk AnlayzeRisk PlanRiskResponse
LinkPM/RMSystem
Environment&Principles
ImprovementApproach• Assessthegap
• Iden8fyneededimprovements
• Designplantobridgegap
• Getbuy-in
• Executeandmonitorprogress
• Educateandintegrate
Benefits• Fewersurprises
• Be?erawarenessand
understanding
• Improvedsponsor,customer,
team,suppliercollabora8on
• Be?erbusinessandproject
performance
• Capacitytotakeonmore
challengingopportuni8es
WrapUp• RiskMaturityQues8onnaire
• Copyoftheslides• PDU’sforthewebinar:
tensix.com/webinar