Project Risk Management

Presenter: Phil Harman, PMP
Executive Director for ZCS Internal PMO and
Enterprise Project Management (EPM) Practice Manager
September 2007
Agenda
Project Risk Management - What the Text Book says
– Core Processes, Techniques, and Outputs
Project Risk Management - In Practice
– Project Risk Identification > The Questionnaire
– Project Risk Management Plan > The Project Risk Log
– Risk Monitor and Control > Risk applied to the Project Plan with
assigned ownership
Theory and Practice
Text Book Definition: Risk Management is the systematic
process of identifying, analyzing, and responding to project
risk. It includes maximizing the probability and
consequences of positive events and minimizing the
probability and consequences of adverse events to project
objectives.
Simple Terminology: Risk Management is the identification
of an unborn issue (a risk) that will have a negative impact
on the project that must be eliminated with proactive
planning, monitoring, and activities or tasks.
Text Book - Risk Management Processes
Risk Management
– Risk Assessment
• Risk Identification
• Risk Analysis
• Risk Prioritization
– Risk Control
• Risk Mgmt Planning
• Risk Resolution
• Risk Monitoring
Text Book - Risk Management Planning
DEFINITION: The process of deciding how to approach
and plan the risk management activities for a project.
Inputs
1. Project Charter
2. Organization's Risk Mgmt Policy
3. Defined Roles & Responsibilities
4. Stakeholder Risk Tolerances
5. Template for the Organization's risk management plan
6. Work breakdown structure
Output
• Risk Management Plan
Tools & Techniques
• Planning Meetings
Organizational Risk Management Policy: Predefined approaches to risk analysis
and resolution that need tailoring to a particular project.
Defined roles and responsibilities: Predefined roles, responsibilities, and authority
levels for decision making will influence planning.
Stakeholder Risk Tolerance: Different organizations and different individuals have
different tolerances for risk. Policies or historical actions may communicate this.
Planning Meetings: Project teams hold risk management planning meetings to
develop the plan.
Text Book - Risk Management Plan
Risk Management Planning output is the “Risk
Management Plan”
The plan describes how risk identification, qualitative and quantitative
analysis, resolution planning, monitoring, and control will be
structured and performed during the project life cycle.
The plan may include:
Methodology
Roles & Responsibilities
Budgeting
Timing
Scoring and interpretation
Thresholds
Reporting formats
Tracking
Text Book - Risk Identification
DEFINITION: The process of determining which risks might
affect the project and documenting their characteristics.
** Risk identification is an iterative process **
Inputs
1. Risk management plan
2. Project planning outputs
3. Risk categories
4. Historical information
Output
1. Risks
2. Triggers
3. Inputs to other processes
Tools & Techniques
1. Documentation reviews
2. Information gathering techniques
3. Checklists
4. Assumption analysis
5. Diagramming techniques
INPUTS
Risk Management Plan: See previous slide
Project Planning Outputs: Items to be reviewed, but not limited to: project charter, WBS, product description,
schedule and cost estimates, resource plan, procurement plan, assumption and constraints.
Risk Categories: Risks that may affect a project for better or worse can be identified and organized into risk
categories. Categories include:
• Technical, quality, and performance risks
• Project Management risks
• Organizational Risks – cost, time, and scope
• External risks – shifting legal or regulatory environment, labor issues, natural events.
Historical Information: Information on prior projects may be available to help leverage lessons learned.
Risk Identification- Tools/Techniques and Outputs
Outputs
Risks: Yep! This is an output!
Triggers: Sometimes called risk assumptions or warning signs, these are indications
that a risk has occurred or is about to occur.
Inputs to other processes: Risk identification may identify a need for a further action in
another area or to other projects.
Tools and Techniques
Documentation Reviews: Performing a structured review of the project plans and
assumptions.
Information gathering techniques: Examples of information gathering include:
• Brainstorming – most common
• Delphi technique – Consensus of experts on a subject area
• Interviewing – Seek input from project managers or subject matter experts
• Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis
Checklist: Using historical information and knowledge is a quick and simple way to
identify risk.
Assumption analysis: Every project is conceived and developed based on a set of
hypotheses, scenarios, or assumptions.
Diagram techniques: Cause-and-effect, System or process flow charts, and Influence
diagrams
Text Book - Risk Analysis
Quantitative: The process of measuring the
probability and consequences of risks and estimating
their implications for project objectives.
– Determine the probability of achieving a specific project
objective.
– Quantify the risk exposure for the project, and determine the
cost and schedule contingency reserves that may be needed.
– Identify risks requiring the most attention by quantifying their
relative contribution to project risks.
– Identify realistic and achievable cost, schedule, and scope
targets.
Qualitative: The process of performing a qualitative
analysis of risks and conditions to prioritize their
effects on project objectives.
Qualitative Risk - Tools and Techniques
Risk probability and consequences: This is generally described in
qualitative terms such as VERY HIGH, HIGH, MODERATE, LOW, VERY
LOW.
• Risk Probability is the likelihood a risk will occur.
• Risk Consequences is the effect on the project objectives if the risk event occurs.
Probability/impact risk rating matrix: A risk's probability scale and
impact scale are generally used.
• Risk scale falls between 0.0 (no probability) and 1.0 (certainty) – See next slide
• Risk impact scale reflects the severity of its effect on the project objective.
Rating Impacts for a Risk
Evaluating Impact of a Risk during Major Project Milestones
Impact scale: Very Low = .05, Low = .1, Moderate = .2, High = .4, Very High = .8
Cost
– Very Low: Insignificant Cost Increase
– Low: <5% Increase
– Moderate: 5-10% Increase
– High: 10-20% Increase
– Very High: >20% Increase
Schedule
– Very Low: Insignificant Schedule Slippage
– Low: Schedule Slip <5%
– Moderate: Overall Prj Slip 5-10%
– High: Overall Prj Slip 10-20%
– Very High: Overall Prj Slips >20%
Scope
– Very Low: Scope Reduction
– Low: Minor areas of scope affected
– Moderate: Major Areas of scope affected
– High: Scope Reduction unacceptable to client
– Very High: Project end item is not meeting business need
Quality
– Very Low: Quality Degradation small
– Low: Only very demanding Apps affected
– Moderate: Quality Reduction requires client approval
– High: Quality Reduction unacceptable to client
– Very High: Project end item is useless
Qualitative and Quantitative Risk Outputs
Qualitative
Overall risk rating for the project: Risk ranking is used to rank the risk of the project under
evaluation against other projects.
List of prioritized risks: Risks can generally be ranked as low, moderate, or high.
List of risks for additional analysis and management: Risk categorized as moderate or high
would be prime candidates for more analysis, including quantitative risk analysis, and for risk
management.
Trends in qualitative risk analysis results: As the analysis is repeated, a trend of results may
become apparent, and can make risk resolution or further analysis more or less urgent and
important.
Quantitative
Prioritized list of quantified risks: This list of risks includes those that pose the greatest
threat or present the greatest opportunity to the project together with a measure of their impact.
Probabilistic analysis of the project: Forecasts of potential project schedule and cost results
listing the possible completion dates or project duration and costs with their associated
confidence levels.
Probability of achieving the cost and time objectives: The probability of achieving the
project objectives under the current plan and with the current knowledge of the risks facing the
project.
Text Book - Risk Resolution
DEFINITION: The process of developing procedures and
techniques to reduce threats to the project objectives.
Inputs
1. Risk Management Plan
2. List of prioritized risks
3. Risk ranking of the project
4. Prioritized list of quantified risks
5. Probabilistic analysis of the project
6. Probability of achieving the cost and time objectives
7. List of potential resolutions
8. Risk thresholds
9. Risk owners
10. Common risk causes
11. Trends in qualitative and quantitative risk analysis results
Output
1. Risk resolution plan
2. Residual risks
3. Secondary risks
4. Contractual agreements
5. Contingency reserve amounts needed
6. Inputs to other processes
7. Inputs to a revised project plan
Tools & Techniques
1. Avoidance
2. Transference
3. Mitigation
4. Acceptance
Risk Resolution – Outputs
Risk Resolution plan: This is also called the “risk register” and should include some or all of
the following:
• Identified risks, their description, the area(s) of the project affected, their causes, and how they may affect project objectives
• Risk owners and assigned responsibilities
• Results from the qualitative and quantitative risk analysis
• Agreed-to response including avoidance, transference, mitigation, acceptance for each risk in the risk resolution plan
• The level of residual risk expected to be remaining after the strategy is implemented
• Specific actions to implement the chosen resolution strategy
• Budget and times for resolution
• Contingency plans and fallback plans
Residual risk: Residual risks are those that remain after avoidance, transfer, or mitigation
resolutions have been taken. They also include minor risks that have been accepted and
addressed.
Secondary risks: These risks arise as a direct result of implementing a risk resolution.
Contractual agreements: Contractual agreements may be used to specify each party’s
responsibility for risks.
Contingency reserve amounts needed: Probabilistic analysis of the project and risk
thresholds help the project manager determine the amount of contingency needed to reduce
risk.
Inputs to other processes: Most resolutions to risk involve expenditure of additional time,
cost, or resources and require changes to project plans.
Inputs to a revised project plan: The results of the resolution planning process must be
incorporated into the project plan, to ensure that agreed actions are implemented and
monitored as part of the ongoing project.
Risk Resolution –Tools/Techniques
Tools and Techniques
Avoidance: Risk avoidance is changing the project plan to eliminate the risk or
condition or to protect the project objectives from its impact.
Transference: Risk transference is seeking to shift the consequences of a risk to a
third party together with ownership of the resolution. (Financial risk is most
common)
Mitigation: Mitigation seeks to reduce the probability and/or consequences of an
adverse risk event to an acceptable threshold.
Acceptance: This technique indicates that a project team has decided not to
change the project plan to deal with a risk. Developing a contingency plan is a way
to manage known risks. The contingency plan adopts a contingency allowance or
reserve that includes:
• Time
• Money
• Resources
Text Book - Risk Monitoring & Control
DEFINITION: The process of monitoring residual risks, identifying new
risks, executing risk reduction plans, and evaluating their effectiveness
throughout the project life cycle.
The purpose of risk monitoring is to determine if:
• Risk resolutions have been implemented as planned
• Risk resolution actions are as effective as expected, or if new resolutions should be developed
• Project assumptions are still valid
• Risk exposure has changed from its prior state, with analysis and trends
• A risk trigger has occurred
• Proper policies and procedures are followed
• Risks have occurred or arisen that were not previously identified
Inputs
1. Risk Management Plan
2. Risk resolution plan
3. Project communication
4. Additional risk identification and analysis
5. Scope Changes
Output
1. Workaround plans
2. Corrective action
3. Project change request
4. Updates to the task resolution plan
5. Risk database
6. Updates to risk identification checklist
Tools & Techniques
1. Project Risk resolution audits
2. Periodic project risk reviews
3. Earned Value analysis
4. Technical performance measurements
5. Additional risk resolution planning
Project Risk Management (RM) - In Practice
Practice = Text Book
Risk Management
– Risk Assessment
• Identification
• Quantification
• Prioritization
– Risk Monitor and Control
• Risk Mgmt Plan and Log
• Risks tracked in Project WBS
• Risk Ownership
Where the rubber hits the road!
Project RM – In Practice
Project Risk Identification > Use a Questionnaire
Risk Monitor and Control
– Project Risk Management Plan = The Project Risk Log
• Describes
• Quantifies
• Probability of Occurrence
• Resolution
• Prioritizes
• Ownership
• Status
• Risk Ranking
– Project Schedule > Risk Items get put into project WBS (as contingency) and Assigned Ownership
Project RM – In Practice
Risk Identification Categories
Project Integration Management
Scope Management
Time Management
Cost Management
Human Resource Management
Communication Management
Procurement Management
Quality Management
Technology
Data Conversions
External Factors
Risk Identification using a questionnaire
Risk Assessment Questionnaire
Completed By:________________________________________ Date:______________________
Project Size
Resource Hours
Total estimated resource hours:
– Low: <=5,000
– Medium: > 5,000 and <=20,000
– High: > 20,000
Notes:
Calendar Time
Estimated calendar duration:
– Low: <= 4 months
– Medium: > 4 months and <=12 months
– High: > 12 months
Notes:
Team Size
Maximum team size at any time during the project:
– Low: <= 4 participants
– Medium: > 4 and <= 12 participants
– High: > 12 participants
Notes:
Risk Identification using a questionnaire (cont’d)
Project Structure - Definition
Project Scope
The boundaries of the project are:
– Low: well defined and accepted
– Medium: conceptually understood
– High: ill defined
Notes:
Project Deliverables
The tangible information from the project is:
– Low: well defined and accepted
– Medium: named but not detailed
– High: not identified
Notes:
New System Benefits
The benefit of doing the project is:
– Low: well defined and accepted, and/or of strategic importance
– Medium: generally understood, but not quantified
– High: ill defined or not identified
Notes:
Risk Identification using a questionnaire (cont’d)
Project Structure - Sponsorship & Commitment
Project Sponsorship
The project is sponsored by:
– Low: respected and enthusiastic business manager
– Medium: passive business manager
– High: unidentified, or I/S manager
Notes:
Commitment of Sponsor(s)
The sponsor is:
– Low: committed to the project (understands value and is supportive)
– Medium: involved, but not committed
– High: skeptical or resistant
Notes:
Commitment of Sponsoring Business Area(s)
The sponsoring business area(s) are:
– Low: committed to the project (understands value and is supportive)
– Medium: involved, but not committed
– High: skeptical or resistant
Notes:
Relation to Information Strategy Plan
The new system is:
– Low: included in or approved for addition
– Medium: included, but not yet approved
– High: not yet part of the plan
Notes:
Risk Identification using a questionnaire (cont’d)
Project Risk Management Plan and Log
Managing the Risk Assessment Results
Risk Monitor and Control
The “No Surprise Approach” to Risk Management is accomplished by:
1. All identified risk items get put into the project work breakdown structure
(WBS)
2. All risk items have owners > including the executive sponsors and senior
management
3. Risks are reported to the senior and executive leadership in the project
dashboard
4. When a RISK EVENT does occur and becomes an issue, a Project
Change Request (PCR) is immediately submitted … No Surprise PCR
Project WBS Example
Project Dashboard
Risk Summary Dashboard – Example 1
[Figure: dashboard panels, each showing the “Highest Rating in Category” with a GREEN / YELLOW / RED status, for (Delivery) Solution, (Delivery) Management Process, (Delivery) Work Plan, (Delivery) Staffing, (Delivery) Engagement Letter, (Delivery) Partners/3rd Parties, Client Relationship, Financial, and Overall.]
Aggregate Risk Summary
Risk Level | A | B | C | Total
5 | 0% | 4% | 0% | 4%
4 | 0% | 0% | 0% | 0%
3 | 0% | 4% | 0% | 4%
2 | 11% | 11% | 0% | 21%
1 | 68% | 4% | 0% | 71%
Total | 79% | 21% | 0% | 100%
Aggregate Score: 1B GREEN
20% of responses were above this risk score.
Risk Level – on a scale of 1 (low) to 5 (high)
Examples indicate what would count as a low / med / high to clarify the question
and to improve consistency across the projects.
Mitigation Strategy Effectiveness – on a scale of:
A = successfully in place or not applicable
B = in place but needs monitoring
C = challenging or no mitigation strategy defined
Risk Summary Dashboard – Example 2