Project Risk Management: Getting it Before it Gets You

Project Cost and Uncertainty Over Time

Most Likely Cost Most Likely Cost Most Likely Cost Actual Cost

Cost range

Conceptual Planning

Alternatives Analysis

Preliminary Engineering

Final Design

Bid

Construction

What Went Wrong?

KPMG, a large consulting firm, published a study in 1995 found that 55 percent of runaway projects (with significant cost or schedule overruns) did no risk management at all; 38 percent did some (but half of them did not use their risk findings after the project was underway); and 7 percent did not know whether they did risk management or not The timing of risk management is also an important consideration

Risk Management Process

Risk
Uncertain or chance events that planning can not overcome or control.

Risk Management
A proactive attempt to recognize and manage internal events and external threats that affect REAL REASON WE NEEDprojects success. the likelihood of a TO DO RISK MANAGEMENT
What can go wrong (risk event/problems). BUT TOWhat can be done before an event occurs (anticipation of ENABLE AGGRESSIVE RISK TAKING Alternatives)

IS NOT TO AVOID RISKS

How to minimize the risk events impact (consequences).

What to do when an event occurs (contingency plans).

What is Project Risk?

Definition:
An event that, if it occurs, causes either a positive or negative impact on a project Risk is a measure of future uncertainties in achieving program performance goals and objectives within defined cost, schedule, and performance constraints.

Keys attributes of Risk

Uncertainty Positive and Negative Cause and Consequence Known v Unknown Risks Risk Reward Analysis

What is Risk Management (by PMI)?

The systematic application of management policies, standards, procedures, and practices to the tasks of identifying, assessing/analyzing, responding to, and monitoring to project risk
A structured, iterative process with defined scope and objectives Proactive and anticipatory Objective is to decrease the probability and/or impact of negative events OR increase the probability and/or impact of positive events
Risk Management needs to be integrated into an organizations decision making process

How can we stay ahead?

Identify and Manage the Risks to the project
Formal methods
Determined by Industry, Regulatory, or Corporate standards Templates, processes, audits

Informal methods
Use what works for you at the time Use Lessons Learned in Project Post-Mortems to learn from past mistakes

Risk management Steps by PMI

Risk Management Planning Risk Identification Qualitative/Quantitative Risk Analysis for Risk Assessment Risk Response Planning/ Contingency planning Risk Monitoring & Control

The Risk Management Process

1. Risk Management Planning

What should it include?
How you will identify, quantify or qualify risk
Methods and tools

Budget(including contingency funding) Who is doing what How often When a risk is really a risk Reporting requirements- Who, when, how often, what, etc Monitoring, tracking and documenting strategies
Make sure you are not OVER Planning

Risk Management Planning

The main output of risk management planning is a risk management plana plan that documents the procedures for managing risk throughout a project The project team should review project documents and understand the organizations and the sponsors approaches to risk The level of detail will vary with the needs of the project

2. Identifying Risk
Continuous, Iterative Process What is it and what does it look like- Different for each project and person consulted. The sooner it is identified the better it is for project The more the involvement of stakeholders the better the process outcome A fact is not a risk- If you know something is going to occur
then you plan for it not the risk of it. RISK vs PROBLEM

Be specific- identify the risk and a trigger/cause of the risk Dont try to do everything at once- qualify, quantify, or
remedy

Identification Techniques
Brainstorming Checklists- Lists developed to aid in identifying risks Interviewing SWOT Analysis Delphi Technique Diagramming Techniques
Cause & effect Ishikawa or Fishbone Flow Charts etc.

Risk Identification: Classifications

Schedule/Cost Risks Requirement/Expectation Risks Technical Risks

3. Risk Assessment
This information should be developed for each risk: Description of risk All the possible outcomes of the risk The magnitude or severity of the outcomes Likelihood (probability) of the risk occurring, and likelihood of each possible outcome When the risk might occur during the project Interaction of the risk outcomes with other parts of this project or other projects

Risk Analysis Tools

Probability analysis Decision tree analysis PERT analysis Sensitivity analysis Expected value analysis Scenario analysis Risk assessment matrix / risk severity matrix Failure Mode and Effects Analysis (FMEA) Monte Carlo simulation analysis Delphi techniques for consensus etc.

Analyzing Risk - Qualitative

Subjective & Educated Guess
High, Medium, Low Red, Yellow, Green 1-10

Prioritized/Ranked list of ALL identified risks First step in risk analysis!

Risk Assessment: A Simple Classification & Tracking Method

Probability of Occurrence vs Impact
Higher Impact

Risk #1

1 to 5 Scale

Priorities
Red - High Yellow - Med Green - Low
Impact

Risk #4

Risk #3
Lower Impact

Risk #2

Review/Present Chart Periodically

Lower Probability

Risk #5

Higher Probability

Probability of Occurrance

RISK SEVERITY MATRIX

Risk Assessment Form

In 1-10 scale

Probability/Impact Chart Showing High-, Medium-, and Low-Risk

Probability/Impact Matrix
A probability/impact matrix or chart lists the relative probability of a risk occurring on one side of a matrix or axis on a chart and the relative impact of the risk occurring on the other List the risks and then label each one as high, medium, or low in terms of its probability of occurrence and its impact if it did occur Can also calculate risk factors Numbers that represent the overall risk of specific events based on their probability of occurring and the consequences to the project if they do occur

Probability & Impact Analysis

Risk Probability
Impact Expected Value

1 2

25% 50%

$45,000

$11,250 $1,000 $30,000

$2,000
$100,000

30%

The biggest risk isnt always the biggest risk!

Decision Trees and Expected Monetary Value (EMV)

A decision tree is a diagramming analysis technique used to help select the best course of action in situations in which future outcomes are uncertain Estimated monetary value (EMV) is the product of a risk event probability and the risk events monetary value You can draw a decision tree to help find the EMV

Decision Tree Analysis

Decision Definition Decision Node Cost of the Decision Chance Node Probability Impact Prob x Impact Net Impact Cost + Total EV Early 10% Develop In House ($20,000) On Time 20% Delayed 70% Develop In House or Contract? Early 10% Contract ($30,000) On Time 70% Delayed 20% $1,500 +$15,000 $0 $0 ($14,000) -$20,000 TOTAL ($12,500) ($32,500)

$1,500 +$15,000 $0 $0 ($3,000) -$15000 TOTAL ($1,500) ($31,500)

Simulation
Simulation uses a representation or model of a system to analyze the expected behavior or performance of the system Monte Carlo analysis simulates a models outcome many times to provide a statistical distribution of the calculated results

Sensitivity Analysis
Sensitivity analysis is a technique used to show the effects of changing one or more variables on an outcome

4. Risk Response Planning

What are we going to do about it? Techniques/Strategies: Mitigating Risk Transferring Avoiding Risk Sharing Risk Retaining Risk Strategy should be commensurate with risk Hint: Dont spend more money preventing the risk than the impact of the risk would be if it occurs The Risk Response Plan/Risk Response Register

4. Risk Response Planning Techniques

Mitigating Risk- Conducting more tests, add resources or time to project, Designing redundancy into a system
Reducing the likelihood an adverse event will occur.

Reducing impact of adverse event.

Transferring Risk- Insurance, performance bonds, warranties, guarantees

Paying a premium to pass the risk to another party.

Avoiding Risk: Changing the project plan to eliminate the risk or condition

Retaining Risk: Making a conscious decision to accept the risk.

Sharing Risk: Allocating risk to different parties

Risk Register
The main output of the risk identification process is a list of identified risks and other information needed to begin creating a risk register A risk register is:
A document that contains the results of various risk management processes and that is often displayed in a table or spreadsheet format

Risk Register Contents

An identification number for each risk event A rank for each risk event The name of each risk event A description of each risk event The category under which each risk event falls The root cause of each risk Triggers for each risk; triggers are indicators or symptoms of actual risk events Potential responses to each risk The risk owner or person who will own or take responsibility for each risk The probability and impact of each risk occurring The status of each risk

Sample Risk Register

Example of Risk Register

RISK REGISTER
Project Component Risk ID Risk/Opportunity Description of Issue and Potential Management Action Affected Project Activities1 Probability of Occurrence Change in Cost ($000) Change in Duration/ Schedule (months)

1. Right-of-Way
R1 Right-of-Way costs and/or schedule greater than anticipated ; includes: uncertainty in amount of ROW unit prices excessive condemnation relocation, demolition business mitigation City waterline project not completed as planned City sewer project not completed as planned City vaults not completed as planned Private utility relocations not completed as planned (utility company fails to move on time) Delay in obtaining agreement between grantee and private utilities Projects adjustment budget for private utilities is too low Encounter unexpected utilities during construction Row-of-way cost and quantity estimates are out of date and not based upon the latest design drawings; additional takes affect businesses in Line Section 3. Risks affect project cost estimate and start of construction in certain line sections. Delay causes project delay and increased overhead costs for project Delay causes project delay and increased overhead costs for project Delay causes project delay and increased overhead costs for project Delay causes project delay and increased overhead costs for project All construction line sections; components, 01-10 .5 (.5) $2,000.0 ($0) 6 (0)

2. Utilities
U1 U2 U3 U4 Components 02-05 Components 02-05 Components 02-05 All construction line sections, components 01-10 Components 01-10 Components 01-10 Components 01-10 .25 .25 .25 .25 .9 T=.1 T=.5 T=.9 .8 .2 .5 .1 .5 TBD TBD TBD TBD TBD TBD TBD TBD $2,000.0 $3,000.0 $500.0 6 12 6 12 4 2 4 6 2 3 0 0 1

U5 U6 U7

Delays FFGA/grant award and potentially start of construction Cost increase to grantee for payment of additional relocation costs Change order claim by contractor results; cost and schedule impacts

3. Environmental, Permitting, and Agreements

E1 ETC. Delay in gaining signoff on programmatic agreements Delay in issuing bid documents and subsequent construction delayed Components 05, 06 .5 .25 TBD TBD 1 2

Contingency Planning
A contingency plan is an alternative plan used if a risk event or condition occurs. Examples: Having a backup supplier for a key material Carrying a safety stock for a key part Having an alternate distribution channel to send products (air instead of boat) Having hurricane/flood/earthquake/cyclone evacuation plans

Risk Response Matrix

Risk and Contingency Planning

Technical Risks Backup strategies if chosen technology fails. Assessing whether technical uncertainties can be resolved. Schedule Risks Use of slack increases the risk of a late project finish. Imposed duration dates (absolute project finish date) Compression of project schedules due to a shortened project duration date.

Risk and Contingency Planning

Costs Risks
Time/cost dependency links: costs increase when problems take longer to solve than expected. Deciding to use the schedule to solve cash flow problems should be avoided. Price protection risks (a rise in input costs) increase if the duration of a project is increased. Funding Risks Changes in the supply of funds for the project can dramatically affect the likelihood of implementation or successful completion of a project.

General Risk Mitigation Strategies for Technical, Cost, and Schedule Risks

Contingency Funding & Time Buffers

Contingency Funds Funds to cover project risksidentified and unknown. Size of funds reflects overall risk of a project Budget reserves Are linked to the identified risks of specific work packages. Management reserves Are large funds to be used to cover major unforeseen risks (e.g., change in project scope) of the total project. Time Buffers Amounts of time used to compensate for unplanned delays in the project schedule.

Time and Cost Padding

Padding is a commonly used approach to address risks, since it is very easy to implement and since it protects against most minor risks Padding refers to inflating the original time or cost estimates for activities or for the project Unfortunately, this leads to longer project durations and higher costs

Time and Cost Padding

People will generally use up as much time and money as they are allowed (if you dont use it you lose it!) Student syndrome if extra padding is built into activity time estimates, some people are likely to procrastinate getting started, and then the protection against risk is lost Although padding can be useful in reducing the severity of risk, it can also lead to inefficiencies and waste

5. Risk Monitoring & Control

Continuous, Iterative Process Done right the risk should NEVER occur Someone IS responsible Watch for risk triggers CommunicateCommunicateCommunicate Take corrective action - Execute Re-evaluate and look for new risk constantly Tools: Risk Reviews- regular meeting where the risk team evaluates the risk register for any necessary additions, deletions, or changes to prioritization due to probability or impact changes. Risk Audits- review by outside person of risk response plan and how it is being implemented. Good for future use on projects

Tools & Tricks

Risk Identification Spreadsheet Qualitative Risk Spreadsheet Templates Checklists Make your own depending on your project

Change Management Control

Sources of Change
Project scope changes Implementation of contingency plans Improvement changes

Change Management Control

The Change Control Process Identify proposed changes. List expected effects of proposed changes on schedule and budget. Review, evaluate, and approve or disapprove of changes formally. Negotiate and resolve conflicts of change, condition, and cost. Communicate changes to parties affected. Assign responsibility for implementing change. Adjust master schedule and budget. Track all changes that are to be implemented

The Change Control Process

Benefits of a Change Control System

1. Inconsequential changes are discouraged by the formal process. 2. Costs of changes are maintained in a log. 3. Integrity of the WBS and performance measures is maintained. 4. Allocation and use of budget and management reserve funds are tracked. 5. Responsibility for implementation is clarified. 6. Effect of changes is visible to all parties involved. 7. Implementation of change is monitored. 8. Scope changes will be quickly reflected in baseline and performance measures.

Change Request Form

Integrated Risk Management extracts actionable information from traditionally stove-piped data streams

Risk Exposure? Impact Relationships? Goals Too Risky? Which Design? More Reserves? Major Drivers? Adequately Mitigated?

Enables critical decision making

Characteristics of Successful Risk Management Approaches

Characteristics A clear and consistent Risk Management champion Requirements supported by leadership and stakeholders A close partnership with users and stakeholders Mature risk management processes Established thresholds and criteria for proactively implementing defined risk mitigation plans Resourced risk mitigation plans Periodic risk assessments Integrated data environments that maximize participation Successful Approaches
A documented and mature risk

management process Quantitative assessments of risk impacts estimated against cost and schedule baselines Defined risk filtration criteria Risk reduction at the lowest level of the organization A defined set of risk consequence definitions for performance, schedule, and cost Structured approached for communicating risk across multiple programs/organizational levels

Different Organizational Levels Face Different Types of Risks

RISKS
- How does a risk to one program affect the delivery of other related programs? - Which external stakeholders have the ability to influence the success of one or more programs? - How can a successful risk mitigation strategy for one program be leveraged by other programs?

Enterprise Level

Program Level
- Is the project on track to meet or exceed its threshold requirements? - How do current risk levels impact the ability to meet critical schedule milestones? - Which design solution provides the optimal balance between capital and operating costs?

Project Level
- What are the technical performance risks associated with delivering a given requirement or capability? - How will assembly, integration, and test schedules be impacted by a given risk event? - What are the cost impacts of delays in subcontractor deliveries?

Subproject Level

Risks ultimately should be filtered to the lowest level possible for ownership and mitigation

Common risk factors

Risk factors
Lack of top management commitment to the project Failure to gain user commitment Misunderstanding the requirement Lack of adequate user involvement Failure to manage end user expectation Changing scope and objectives Lack of required knowledge/skill in the project personnel New technology Insufficient / inappropriate staffing Conflict between user departments

Key Contributors to Success

Risk Management promotes a clear value proposition Demonstrate how resources will be saved or more efficiently applied Demonstrate how information will be more widely shared

Integrate Cost, Schedule and Risk personnel

Creates understanding of information Defines linkages Establish working group or other forum Gather feedback prior to go-live Promotes buy-in

Program input actively sought for framework development.

A clear and consistent risk sponsor.

Sustains participation

COMMUNICATION

Risk Managements Benefits

A proactive rather than reactive approach.

Reduces surprises and negative consequences.

Prepares the project manager to take advantage of appropriate risks.

Provides better control over the future.

Improves chances of reaching project performance objectives within budget and on time.

Benefits from Software Risk Management Practices*

*Kulik, Peter and Catherine Weber, Software Risk Management Practices 2001, KLCI Research Group (August 2001).

What Went Wrong?

Many information technology projects fail because of technology risk. One project manager learned an important lesson on a large IT project: focus on business needs first, not technology. David Anderson, a project manager for Kaman Sciences Corp., shared his experience from a project failure in an article for CIO Enterprise Magazine. After spending two years and several hundred thousand dollars on a project to provide new client/server-based financial and human resources information systems for their company, Anderson and his team finally admitted they had a failure on their hands. Anderson revealed that he had been too enamored of the use of cutting-edge technology and had taken a highrisk approach on the project. He "ramrodded through" what the project team was going to do and then admitted that he was wrong. The company finally decided to switch to a more stable technology to meet the business needs of the company.

Hildebrand, Carol. If At First You Dont Succeed, CIO Enterprise Magazine, April 15, 1998

Regularly Heard Comments in Programs

.we need to focus on the technical risks.. I know what I am doing. I am applying risk management but I dont want to write anything down this activity is part of our normal way of doing business. There is no risk lets not make that risk red, we need to be careful what we report lets make that a risk, I want to poke the PM in the eye there is no cost risk, but I am not confident about the estimate. there is no schedule risk, lets just move that activity out a few weeks .why do I need to do thisespecially since the board doesnt have any money to help me this is not a development contract, we dont have any risks My favorite: .you are the risk manager, what are my risks?....