1. HANDLING RISK ON HIGH TECHNOLOGY PROGRAMS
Without metrics, you’re just another guy with an opinion.
Niwot Ridge LLC — Stephan Leschka, Hewlett Packard
2. Agenda for the Next 4 Hours
Review the five principles of Risk Management.
Introduce SEI’s Continuous Risk Management (CRM).
Illustrate each CRM process area with example artifacts or outcomes.
Familiarize all participants with the concept of Risk Management and their contributions to the 1st step – Identifying Risk.
Understand what data needs to be gathered, so the 1st cut at a measure of program risk can be constructed.
3. But, Before we Start, Let’s Understand our Role Here …
Risk Management is a profession.
Risk Management is Program Management.
Risk Management is how adults manage projects.
Managing risks goes hand-in-glove with managing work, people, processes, vendors, and the client.
5. But we can’t make decisions until we get the right information, right?
6. Risks are part of the project, handled the same way all other work is handled – with a plan
7. Five Easy Pieces of Risk Management
Risk Management is more than the processes called out in PMBOK® (Chapter 11)
Risk Management IS Project Management
8. 1. Hope is not a strategy
2. No single point estimate of cost or schedule can be correct
3. Cost, Schedule, and Technical Performance are inseparable
4. Risk management requires adherence to a well-defined process
5. Communication is the Number One success factor
9. A Ship on the Beach is a Lighthouse to the Sea – Dutch Proverb
I. Hope is Not a Strategy
10. II. No Point Estimate By Itself Can Be Correct
13. V. Risk Management Demands Direct Communication Between All Parties
14. The Project Train Wreck Starts When There is…
Inattention to budgetary responsibilities
Work authorizations that are not always followed
Issues with Budget and data reconciliation
Lack of an integrated management system
Baseline fluctuations and frequent replanning
Current period and retroactive changes
Improper use of management reserve
EV techniques that do not reflect actual performance
Lack of predictive variance analysis
Untimely and unrealistic Latest Revised Estimates (LRE)
Progress not monitored in a regular and consistent manner
Lack of vertical and horizontal traceability cost and schedule data for corrective action
Lack of internal surveillance and controls
Managerial actions not demonstrated using Earned Value
Image credit: Mary K. Evans Picture Library
16. Principles and Practices are not the same
In theory there is no difference between theory and practice. In practice there is.
17. Three Conditions of Risk
The potential for loss must exist.
Uncertainty with respect to the eventual outcome must be present.
Some choice or decision is required to deal with the uncertainty and potential for loss.
18. Mission-Oriented Success Analysis and Improvement Criteria (MOSAIC)
Establish and maintain confidence that objectives will be achieved successfully
A suite of risk-based methods for assessing and managing complex projects and processes.
Produces a broad overview of the current state of risk and opportunity for a project or process.
19.
Mission
  Tasking, Orders, and Plans: Stability, Completeness, Clarity, Timeliness, Validity, Feasibility, Precedent
  Mission Execution: Efficiency, Effectiveness, Complexity, Timeliness, Safety
  Product and Service: Usability, Effectiveness, Timeliness, Accuracy, Correctness
  Operational Systems: Throughput, Suitability, Usability, Familiarity, Reliability, Security, Inventory, Installations, System Support
Work Processes
  Operational Processes: Formality, Suitability, Process Control, Familiarity, Product Control
  Maintenance Process: Formality, Suitability, Process Control, Familiarity, Service Quality
  Management Processes: Planning, Organization, Operational Systems, Management Experience, Program Interfaces
  Management Methods: Monitoring, Personnel Management, Quality Assurance, Configuration Management
  Work Environment: Quality Attitude, Cooperation, Communication, Morale
Constraints
  Resources: Schedule, Staff, Tools, Budget, Facilities
  Policies: Laws and Regulations, Restrictions, Contractual Constraints
  Interfaces: Customer / User Community, Associate Agencies, Contractors, Senior Leadership, Vendors, Politics
20. An Introduction to Continuous Risk Management (CRM)
CRM is the Software Engineering Institute’s framework for managing risk in the context of system integration, technology-based product development, and the management of these activities.
22. Continuous Risk Management
Stage | Actionable Steps
Identify | Continually ask, “what could go wrong?”
Analyze | Continually ask, “which risks are most critical to mitigate?”
Plan | Develop mitigation approaches for the most critical risks
Track | Track the mitigation plan and the risk
Control | Make decisions based on data
Communicate | Ensure a free-flow of information throughout the project
23. Putting Continuous Risk Management Together
Identify: Identify Risk Issues and Concerns
  Subproject and partner data/constraints, hazard analysis, FMEA, FTA, etc.
  Statement of risk
Analyze: Evaluate, classify, and prioritize risks
  Risk data: test data, expert opinion, hazard analysis, FMEA, FTA, lessons learned, technical analysis
  Risk classification, Likelihood, Consequence, Timeframe, Risk prioritization
Plan: Decide what should be done about risks
  Resources
  Replan Mitigation
  Research, Watch (tracking requirements), Acceptance Rationale, Mitigation Plans
Track: Monitor risk metrics and verify/validate mitigations
  Program/project data (metrics information)
  Risk status reports on: Risks, Risk Mitigation Plans
Control: Make risk decisions
  Close or Accept Risks, Invoke contingency plans, Continue to track
24. Four (4) Steps to Deploying CRM
Step | Action |
1 | Establish an enterprise risk management process | SEI CRM Process with Mitre Risk Registry
2 | Establish Risk Process owner and document the process | Org chart Risk Manager established, Risk owners for deliverables are next
3 | Provide training in the standard risk management process | Engage risk owners
4 | Monitor and enforce the implementation of Risk Management | Weekly risk board meeting
25. Search for and locate risks before they become issues or problems. Capture statements of risk and context.
26. Capture a Statement of Risk
Consider and record the conditions that are causing concern
Create a statement of the risk in a concise description, which can be understood and acted on
  Condition: a single phrase describing the circumstances
  Consequences: a single phrase describing the key, possible negative outcome(s)
27. Capture the Context of a Risk
A brief, concise description of the conditions and consequences of the risk
Provide enough information to ensure the original intent of the risk can be understood, especially after some time has passed
28. Transform risk data into decision making information. Risk analysis is performed to determine what is important to the project and to set priorities.
29. Evaluating Attributes of Risks
Impact: the loss or effect on the project if the risk occurs
Probability: the likelihood the risk will occur
Timeframe: the period when action is required in order to mitigate or retire the risk
30. Sample Risk Evaluation
Probability \ Impact | A Negligible | B Minor | C Moderate | D Significant | E Severe
E Very Likely | Low Med | Medium | Med Hi | High | High
D Likely | Low | Low Med | Medium | Med Hi | High
C Possible | Low | Low Med | Medium | Med Hi | Med Hi
B Unlikely | Low | Low Med | Low Med | Medium | Med Hi
A Very Unlikely | Low | Low | Low Med | Medium | Medium
31. Classifying Risks
Grouping risks based on shared characteristics
Identify duplicate risks
32. Risk Evaluation Classification
Probability | Risk Rating | Budget Over Run | Impact Rating
> 70% | E: Very Likely | > 15% of budget | E: Severe
40% to 70% | D: Likely | 10% to 15% of budget | D: Significant
10% to 40% | C: Possible | 6% to 10% of budget | C: Moderate
1% to 40% | B: Unlikely | 2% to 6% of budget | B: Minor
< 1% | A: Very Unlikely | < 2% of budget | A: Negligible
33. Prioritizing Risks
Partitioning risks or groups of risks based on the Borda “vital few” scale
Ranking the risks based on a criterion
Separate the risks to be dealt with first (the vital few) when allocating resources
34. The Borda Rank
Which risk is more critical?
Where should resources be allocated to eliminate the most troublesome areas in the program?
Using this approach, ties for “the most important” often result.
Borda Ranking deals with this result, which ranks risks according to their probability of occurrence and their impact
$b_i = \sum_k (N - r_{ik})$
“Risk Matrix: An Approach for Identifying, Assessing, and Ranking Program Risks,” Paul Garvey and Zachary Lansdowne, Air Force Journal of Logistics, Vol XXII, Number 1
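An added worked example, not part of the original slides: it places five risks in the slide 30 matrix and then separates the tied cells with the Borda count b_i = sum over criteria k of (N - r_ik), using probability and impact as the two criteria. The sample register, the mean-position rule for tied ratings, and reporting the Borda rank as the number of risks with a higher count are assumptions of this example.

```python
LEVELS = "ABCDE"  # rating letters on the slides: A lowest, E highest

# Slide 30 matrix: key = probability rating, list = impact ratings A..E.
MATRIX = {
    "E": ["Low Med", "Medium", "Med Hi", "High", "High"],
    "D": ["Low", "Low Med", "Medium", "Med Hi", "High"],
    "C": ["Low", "Low Med", "Medium", "Med Hi", "Med Hi"],
    "B": ["Low", "Low Med", "Low Med", "Medium", "Med Hi"],
    "A": ["Low", "Low", "Low Med", "Medium", "Medium"],
}

# Constructed sample register (not from the slides): (name, probability, impact).
SAMPLE = [
    ("vendor-delivery-slip", "E", "D"),
    ("certification-failure", "D", "E"),
    ("test-lab-outage", "C", "C"),
    ("requirements-churn", "D", "C"),
    ("staff-attrition", "D", "B"),
]

def criterion_ranks(levels):
    """Rank 1 = most critical; tied risks share the mean of their positions
    (tie rule assumed for this example)."""
    order = sorted(range(len(levels)), key=lambda i: LEVELS.index(levels[i]), reverse=True)
    ranks, pos = [0.0] * len(levels), 0
    while pos < len(order):
        end = pos
        while end + 1 < len(order) and levels[order[end + 1]] == levels[order[pos]]:
            end += 1
        for j in range(pos, end + 1):
            ranks[order[j]] = (pos + end + 2) / 2  # mean of 1-based positions
        pos = end + 1
    return ranks

def borda_table(risks):
    """Return (name, matrix cell, Borda count, Borda rank), most critical first."""
    n = len(risks)
    p = criterion_ranks([prob for _, prob, _ in risks])
    c = criterion_ranks([imp for _, _, imp in risks])
    counts = [(n - p[i]) + (n - c[i]) for i in range(n)]  # b_i = sum_k (N - r_ik)
    rows = []
    for i, (name, prob, imp) in enumerate(risks):
        cell = MATRIX[prob][LEVELS.index(imp)]
        rank = sum(other > counts[i] for other in counts)  # risks that outrank this one
        rows.append((name, cell, counts[i], rank))
    return sorted(rows, key=lambda row: (row[3], row[0]))

if __name__ == "__main__":
    for row in borda_table(SAMPLE):
        print(row)
```

In this sample the two "High" risks and the two "Medium" risks share matrix cells, yet each receives a distinct Borda rank.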
35. Translate risk information into decisions and mitigating actions and implement those actions. Produce plans for mitigating risks.
36. Assign Responsibility
Three choices for assigning responsibility
  Keep the risk
  Transfer the risk upward in the organization or to another organization
  Delegate the risk within the organization
37. Determine the Approach
Accept the risk – do nothing
Mitigate the risk – eliminate or reduce
Watch the risk – monitor for critical changes
38. Define Scope and Actions
Action Item List for less complex mitigations
A simple means of documenting and tracking risk mitigations
Task Plans with schedules and budgets for complex mitigations
These plans must be embedded in the Integrated Master Schedule
39. Monitor risk indicators and mitigation plans. Indicators and trends provide information to activate plans and contingencies. Review these plans periodically to measure progress and identify new risks.
41. Integrate Risk with the Master Schedule
Budget and resources assigned from Risk Management reserve.
Activation of risk activities through the Risk Management Board.
Adjustments to Performance Measurement Baseline reflect Risk activities.
Measure risk activities in the same way as other planned activities.
42. Correct for deviations from the risk mitigation plans. Actions can lead to corrections in products or processes. Changes to risks, risks that become problems, or faulty plans require adjustments in plans or actions.
43. Analyze Risks
Examine risks for trends, deviations, and anomalies.
Achieve a clear understanding of the current status of each risk and mitigation plan.
44. Decide
Replan
Close the risk
Invoke the contingency plan
Continue tracking and executing the current plan
45. Execute
If a planned action is made, open the Work Packages for the mitigation or retirement activities.
If it is decided to continue tracking, the risk remains in the tracking state until the next review.
46. Provide information and feedback to the project on the risk activities, current risks, and emerging risks.
47. Risk Communication Process
Risk Management Processes and their Communication to the Program Team
Determine sources and categories
Define parameters to analyze and categorize risks
Define parameters used to control the risk management effort
Establish and maintain a strategy for risk management
Identify and document risks
Evaluate and categorize each identified risk using defined categories and parameters and determine relative priority
Develop risk Handling Plan for important risks as defined by the risk management strategy
Monitor status of risk periodically and implement risk handling plan as appropriate
Provide adequate resources for performing risk management, developing work products and providing services
Establish and maintain organizational policy for planning and performing risk management
Assign responsibility and authority for performing the process
Train staff in support of risk management processes
Place designated work products under appropriate configuration management
Identify and involve relevant stakeholders
Objectively evaluate adherence to risk management processes
Monitor and control risk management processes