This document discusses managing risk through continuous risk management (CRM). It introduces the five principles of risk management and outlines the CRM process, which includes identifying risks, analyzing and prioritizing them, planning mitigations, tracking mitigation progress and risks, making decisions based on risk data, and communicating throughout the project. The presentation provides examples of risk statements, evaluation criteria, classification approaches, and integrating risks and mitigation plans into project schedules. The goal of CRM is to continually identify, assess, and mitigate risks to improve project outcomes.
Managing risk with deliverables planning
1. MANAGING RISK WITH DELIVERABLES PLANNING
Without metrics, you’re just another guy with an opinion.
— Stephan Leschka, Hewlett Packard
2. Agenda for the Next 4 Hours
- Review the five principles of Risk Management
- Introduce Continuous Risk Management (CRM)
- Illustrate each CRM process area with example artifacts or outcomes
- Familiarize all participants with the concept of Risk Management and their contributions to the 1st step – Identifying Risk
- Understand what data needs to be gathered, so the 1st cut at a measure of program risk can be constructed.
3. But, Before we Start, Let’s Understand our Role Here …
- Risk Management is a profession
- Risk Management is Program Management
- Risk Management is how adults manage projects
- Managing risks goes hand-in-glove with managing work, people, processes, vendors, and the client
5. But we can’t make decisions until we get the right information, right?
6. Risks are part of the project, handled the same way all other work is handled – with a plan
7. Five Easy Pieces of Risk Management
Risk Management is more than the processes called out in PMBOK® (Chapter 11)
Risk Management IS Project Management
Glen B. Alleman
Lewis and Fowler
www.lewisandfowler.com
galleman@lewisandfowler.com
8.
1. Hope is not a strategy
2. No single point estimate of cost or schedule can be correct
3. Cost, Schedule, and Technical Performance are inseparable
4. Risk management requires adherence to a well defined process
5. Communication is the Number One success factor
9. Hope is Not a Strategy
A Ship on the Beach is a Lighthouse to the Sea – Dutch Proverb
14. The Project Train Wreck Starts When There is…
- Lack of predictive variance analysis
- Untimely and unrealistic Latest Revised Estimates (LRE)
- Progress not monitored in a regular and consistent manner
- Lack of vertical and horizontal traceability cost and schedule data for corrective action
- Lack of internal surveillance and controls
- Managerial actions not demonstrated using Earned Value
- Inattention to budgetary responsibilities
- Work authorizations that are not always followed
- Issues with Budget and data reconciliation
- Lack of an integrated management system
- Baseline fluctuations and frequent replanning
- Current period and retroactive changes
- Improper use of management reserve
- EV techniques that do not reflect actual performance
Mary K. Evans Picture Library
16. Principles and Practices are not the same
In theory there is no difference between theory and practice. In practice there is.
17. Three Conditions of Risk
- The potential for loss must exist.
- Uncertainty with respect to the eventual outcome must be present.
- Some choice or decision is required to deal with the uncertainty and potential for loss.
18. Mission-Oriented Success Analysis and Improvement Criteria (MOSAIC)
- Establish and maintain confidence that objectives will be achieved successfully
- A suite of risk–based methods for assessing and managing complex projects and processes.
- Produces a broad overview of the current state of risk and opportunity for a project or process.
19. Mission, Work Processes, Constraints
Mission
- Tasking, Orders, and Plans: Stability, Completeness, Clarity, Validity, Feasibility, Precedent, Timeliness
- Mission Execution: Efficiency, Effectiveness, Complexity, Timeliness, Safety
- Product and Service: Usability, Effectiveness, Timeliness, Accuracy, Correctness, Operational Systems
- Operational Systems: Throughput, Suitability, Usability, Familiarity, Reliability, Security, Inventory, Installations, System Support
Work Processes
- Operational Processes: Formality, Suitability, Process Control, Familiarity, Product Control
- Maintenance Process: Formality, Suitability, Process Control, Familiarity, Service Quality
- Management Processes: Planning, Organization, Management Experience, Program Interfaces
- Management Methods: Monitoring, Personnel Management, Quality Assurance, Configuration Management
- Work Environment: Quality Attitude, Cooperation, Communication, Morale
Constraints
- Resources: Schedule, Staff, Budget, Facilities, Tools
- Policies: Laws and Regulations, Restrictions, Contractual Constraints
- Interfaces: Customer / User Community, Associate Agencies, Contractors, Senior Leadership, Vendors, Politics
20. AN INTRODUCTION TO CONTINUOUS RISK MANAGEMENT (CRM)
CRM is the Software Engineering Institute’s framework for managing risk in the context of system integration, COTS based product development, and the management of these activities.
22. Continuous Risk Management

| Stage | Actionable Steps |
|---|---|
| Identify | Continually ask, “what could go wrong?” |
| Analyze | Continually ask, “which risks are most critical to mitigate?” |
| Plan | Develop mitigation approaches for the most critical risks |
| Track | Track the mitigation plan and the risk |
| Control | Make decisions based on data |
| Communicate | Ensure a free-flow of information throughout the project |

23. Putting Continuous Risk Management Together
[Diagram: the CRM stages and what each does]
- Identify: Identify Risk Issues and Concerns
- Analyze: Evaluate, classify, and prioritize risks
- Plan: Decide what should be done about risks
- Track: Monitor risk metrics and verify/validate mitigations
- Control: Make risk decisions
Other labels in the diagram:
- Subproject and partner data/constraints, hazard analysis, FMEA, FTA, etc.
- Risk data: test data, expert opinion, hazard analysis, FMEA, FTA, lessons learned, technical analysis
- Resources
- Replan Mitigation
- Program/project data (metrics information)
- Statement of risk
- Risk classification, Likelihood, Consequence, Timeframe
- Risk prioritization
- Research, Watch (tracking requirements)
- Acceptance Rationale, Mitigation Plans
- Risk status reports on: Risks, Risk Mitigation Plans
- Close or Accept Risks
- Invoke contingency plans
- Continue to track
24. Four (4) Steps to Deploying CRM

| Step | Action | |
|---|---|---|
| 1 | Establish an enterprise risk management process | SEI CRM Process with Mitre Risk Registry is a start |
| 2 | Establish Risk Process owner and document the process | Org chart Risk Manager established, Risk owners for deliverables are next |
| 3 | Provide training in the standard risk management process | Engage risk owners |
| 4 | Monitor and enforce the implementation of Risk Management | Weekly risk board meeting |

25. Search for and locate risks before they become issues or problems. Capture statements of risk and context.
26. Capture a Statement of Risk
- Consider and record the conditions that are causing concern
- Create a statement of the risk in a concise description, which can be understood and acted on
  - Condition: a single phrase describing the circumstances
  - Consequences: a single phrase describing the key, possible negative outcome(s)
27. Capture the Context of a Risk
- A brief, concise description of the conditions and consequences of the risk
- Provide enough information to ensure the original intent of the risk can be understood, especially after some time has passed
28. Transform risk data into decision making information. Risk analysis is performed to determine what is important to the project and to set priorities.
29. Evaluating Attributes of Risks
- Impact: the loss or effect on the project if the risk occurs
- Probability: the likelihood the risk will occur
- Timeframe: the period when action is required in order to mitigate or retire the risk
30. Sample Risk Evaluation

| Probability \ Impact | A: Negligible | B: Minor | C: Moderate | D: Significant | E: Severe |
|---|---|---|---|---|---|
| E: Very Likely | Low Med | Medium | Med Hi | High | High |
| D: Likely | Low | Low Med | Medium | Med Hi | High |
| C: Possible | Low | Low Med | Medium | Med Hi | Med Hi |
| B: Unlikely | Low | Low Med | Low Med | Medium | Med Hi |
| A: Very Unlikely | Low | Low | Low Med | Medium | Medium |

32. Risk Evaluation Classification

| Probability | Risk Rating |
|---|---|
| > 70% | E: Very Likely |
| 40% to 70% | D: Likely |
| 10% to 40% | C: Possible |
| 1% to 40% | B: Unlikely |
| < 1% | A: Very Unlikely |

| Budget Over Run | Impact Rating |
|---|---|
| > 15% of budget | E: Severe |
| 10% to 15% of budget | D: Significant |
| 6% to 10% of budget | C: Moderate |
| 2% to 6% of budget | B: Minor |
| < 2% of budget | A: Negligible |

33. Prioritizing Risks
- Partitioning risks or groups of risks based on the Borda “vital few” scale
- Ranking the risks based on a criterion
- Separate the risks to be dealt with first (the vital few) when allocating resources
34. The Borda Rank
- Which risk is more critical?
- Where should resources be allocated to eliminate the most troublesome areas in the program?
- Using this approach, ties for “the most important” often result.
- Borda Ranking deals with this result; it ranks risks according to their probability of occurrence and their impact

$$ b_i = \sum_k (N - r_{ik}) $$

“Risk Matrix: An Approach for Identifying, Assessing, and Ranking Program Risks,” Paul Garvey and Zachary Lansdowne, Air Force Journal of Logistics, Vol XXII, Number 1
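The Borda count from slide 34, carried through for a small risk register rated on the A to E scales of slides 30 and 32. This is an added example, not part of the original presentation. The risk IDs and ratings are constructed, and three conventions are assumptions: rank 1 is the most critical risk under a criterion, tied risks share the average rank, and a risk's Borda rank is the number of risks with a strictly higher Borda count.

```python
# Added example: Borda ranking over the deck's A-E probability and impact ratings.
LEVELS = "ABCDE"  # A = lowest (Very Unlikely / Negligible), E = highest

# Constructed sample register: risk id -> (probability rating, impact rating)
SAMPLE_RISKS = {
    "R1": ("E", "C"),  # Very Likely, Moderate     -> "Med Hi" in the matrix
    "R2": ("C", "E"),  # Possible, Severe          -> "Med Hi"
    "R3": ("D", "D"),  # Likely, Significant       -> "Med Hi"
    "R4": ("B", "B"),  # Unlikely, Minor           -> "Low Med"
    "R5": ("D", "C"),  # Likely, Moderate          -> "Medium"
}


def criterion_ranks(ratings):
    """Rank risks under one criterion (assumption: 1 = most critical,
    tied risks share the average of the positions they occupy)."""
    ranks = {}
    for rid, level in ratings.items():
        score = LEVELS.index(level)
        higher = sum(1 for other in ratings.values() if LEVELS.index(other) > score)
        tied = sum(1 for other in ratings.values() if other == level)
        ranks[rid] = higher + (tied + 1) / 2
    return ranks


def borda_counts(risks):
    """b_i = sum over criteria k of (N - r_ik); k runs over probability, impact."""
    n = len(risks)
    counts = dict.fromkeys(risks, 0.0)
    for k in (0, 1):
        ranks = criterion_ranks({rid: rating[k] for rid, rating in risks.items()})
        for rid in risks:
            counts[rid] += n - ranks[rid]
    return counts


def borda_ranks(risks):
    """Assumption: Borda rank = number of risks with a strictly higher count
    (0 = most critical)."""
    counts = borda_counts(risks)
    return {rid: sum(1 for c in counts.values() if c > counts[rid]) for rid in counts}


if __name__ == "__main__":
    counts, ranks = borda_counts(SAMPLE_RISKS), borda_ranks(SAMPLE_RISKS)
    for rid in sorted(SAMPLE_RISKS, key=lambda r: ranks[r]):
        print(rid, SAMPLE_RISKS[rid], "count:", counts[rid], "rank:", ranks[rid])
```

R1, R2 and R3 all fall in the same matrix cell rating, yet the Borda count places R2 behind R1 and R3, which remain tied with each other.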
35. Translate risk information into decisions and mitigating actions and implement those actions. Produce plans for mitigating risks.
36. Assign Responsibility
- Three choices for assigning responsibility
  - Keep the risk
  - Transfer the risk upward in the organization or to another organization
  - Delegate the risk within the organization
37. Determine the Approach
- Accept the risk – do nothing
- Mitigate the risk – eliminate or reduce
- Watch the risk – monitor for critical changes
38. Define Scope and Actions
- Action Item List for less complex mitigations
  - A simple means of documenting and tracking risk mitigations
- Task Plans with schedules and budgets for complex mitigations
  - These plans must be embedded in the Integrated Master Schedule
39. Monitor risk indicators and mitigation plans. Indicators and trends provide information to activate plans and contingencies. Review these plans periodically to measure progress and identify new risks.
41. Integrate Risk with the Master Schedule
- Budget and resources assigned from Risk Management reserve
- Activation of risk activities through the Risk Management Board
- Adjustments to Performance Measurement Baseline reflect Risk activities
- Measure risk activities in the same way as other planned activities
42. Correct for deviations from the risk mitigation plans. Actions can lead to corrections in products or processes. Changes to risks, risks that become problems, or faulty plans require adjustments in plans or actions.
43. Analyze Risks
- Examine risks for trends, deviations, and anomalies
- Achieve a clear understanding of the current status of each risk and mitigation plan
44. Decide
- Replan
- Close the risk
- Invoke the contingency plan
- Continue tracking and executing the current plan
45. Execute
- If a planned action is made, open the Work Packages for the mitigation or retirement activities
- If it is decided to continue tracking, the risk remains in the tracking state until the next review
46. Provide information and feedback to the project on the risk activities, current risks, and emerging risks.
47. Risk Communication Process
Risk Management Processes and their Communication to the Program Team
- Determine sources and categories
- Define parameters to analyze and categorize risks
- Define parameters used to control the risk management effort
- Establish and maintain a strategy for risk management
- Identify and document risks
- Evaluate and categorize each identified risk using defined categories and parameters and determine relative priority
- Develop risk Handling Plan for important risks as defined by the risk management strategy
- Monitor status of risk periodically and implement risk handling plan as appropriate
- Establish and maintain organizational policy for planning and performing risk management
- Provide adequate resources for performing risk management, developing work products and providing services
- Assign responsibility and authority for performing the process
- Train staff in support of risk management processes
- Place designated work products under appropriate configuration management
- Identify and involve relevant stakeholders
- Monitor and control risk management processes
- Objectively evaluate adherence to risk management processes
49. Linking Risks with the IMS

| The situation | What to do |
|---|---|
| Risk identified during the program planning phase (IMP) | Place risk mitigation tasks into IMS and allocate resources; do not duplicate risk mitigation tasks in risk database |
| Risk threat to a task in the IMS | Enter risk mitigation actions into risk database |
| Existing risk growing beyond the current scope of a team but within the scope of the program | Allocate management reserves; place risk mitigation actions in risk database |
| New risk beyond the current scope of the program | Obtain additional resources; develop plan and allocate resources; place risk mitigation tasks in IMS |