Risk Management Primer

Course: Risk Management Primer

Purpose: To obtain better project outcomes (including budget, schedule and operational performance) by implementing an appropriate risk management process.

Audience: Project managers, project sponsors, team members and other key stakeholders.

Learning Objectives:
- Understand the benefits of good risk management
- Learn to design & implement the right risk management process
- Distinguish between issues and risks
- Examine potential categories of risk
- Establish appropriate risk response strategies and action plans
- Implement monitoring & control processes
- Understand CommonWay Risk Templates

Timeframe: 21 Minutes

Risk management is a complex topic with countless published sources for reference. This course is a primer on risk management. More advanced coverage of risk management topics is out of scope for this course. Additional sources have been identified on the CommonWay Wiki under the Reference Library.

Risk Management Process Overview

The purpose of risk management is to secure better project results by proactively identifying, assessing, and controlling undesired outcomes. Risk management helps project managers determine priorities, allocate resources, and implement processes and actions that reduce the risk of the project not reaching its goals and objectives.

Risk management is a four-step process with integrated monitoring and control feedback mechanisms. The process is initiated when the project is launched and continues through the life of the project. Risk management is not a stand-alone process; it is integrated with other key project management processes, including issues, schedule, change and scope management. Risk management is the responsibility of all stakeholders.

The risk management process steps are:
1. Establish the process framework
2. Identify Risks
3. Analyze & Rank Risks
4. Develop & Implement Risk Response Strategies & Action Plans

All projects, regardless of size or complexity, have inherent risks and can benefit from a formal risk management process. Remember, good risk management takes time. Given this, it is essential that the project manager adopts a process that is appropriate for the complexity of the project.

The benefit gained from a well-defined and orchestrated risk management process outweighs the costs. These benefits include an enhanced understanding of the project; a more thorough understanding of potential risks and their impact; and the assignment of risks to the team members best equipped to manage each risk. The net result of risk management is a more realistic schedule, budget, and project plan and a less reactive project environment.

Risks vs. Issues

Risks:
- Threats or opportunities
- Uncertainty linked to objectives
- Potential material consequences (loss/gain)

Issues:
- Occurred or imminent
- Requires prompt resolution
- Loss/impact certain

Before examining the risk management process, we will review the differences between issues and risks. Project risks are uncertainties that could impact a project's objectives. Risks can be threats that disrupt the project and create losses, or opportunities that benefit the project. If the project's objectives are not clearly defined, it will be difficult to identify, analyze, rank and manage those risks that could have the greatest impact. Risks left unmanaged can morph into significant issues with considerable impacts. Conversely, issues are events that have already occurred, are in dispute or are unsettled, and require immediate attention and resolution.

Let's clarify the differences through an example. Your project is dependent on the latest version of Microsoft SharePoint Services. The vendor has assured the market the release will be available in January. Your plan reflects a March installation date. Given the vendor's history, there is a possibility the date could slip. This is a risk that should be reflected in the Risk Register with probability and impact ratings, a risk action plan and an owner. By identifying this risk early, the team has an opportunity to proactively address it. For example, select another product and eliminate the risk, or plan to upgrade at a later date. If the release is delayed and SharePoint is still the product of choice, the team implements the action plan to upgrade at a later date. If the risk had not been identified early on, the team would be contending with an issue that could impact the scope, schedule and budget.

Next, let's look at the risk management process at a high level.

Establish Process Framework & Logistics

[Figure: Risk Management Process diagram. Labels: Project Size & Complexity Level; Technological Innovations; Procurement, Suppliers, Vendor Relationships & Contracts; Organization's Risk Tolerance Level; Resources; Environmental, Legal, Regulatory Factors; Customer Expectations (schedule, budget, quality); Reputation, Politics; Preliminary Risk Identification Sessions Conducted; Risk Categories Defined; Risk Response Strategies & Action Plans Defined; Risk Review Frequency Specified; On-going Risk Identification Sessions Scheduled; Roles & Responsibilities Determined; Risk Monitoring & Control Functions Defined; Escalation Processes Defined; High Priority Risks with Risk Response Strategies, Action Plans, Risk & Action Owners; Current Risk Plan & Risk Register; Risk Response Strategies & Action Plans Implemented; Standard Monitoring, Control & Reporting Processes Implemented; Dashboard Reporting.]

To help define the process, participants must understand key risk management concepts and tools. To build this awareness, review how to define a risk event; the meaning of probability and impact ratings; appropriate risk response strategies; the risk management plan; the risk register; and any other organization-specific tools that will be used to support the risk management process.

It is essential that the team secures a briefing on the fundamentals of the project. This includes project objectives, key features, functions and technologies; financial structures; who will be involved in the design, development, testing, implementation and support of the product (vendors and internal staff); customer expectations; impacts on business processes; and how the product will be deployed and supported.

Once a shared understanding of both the process and the project is established, work with the team to develop a list of risk categories. Risk categories provide a structure to systematically identify risks. Common risk categories include new technology, complexity with interfaces, performance and reliability, procurement, suppliers, regulations, resources, requirements, funding, estimating, and environmental. Risk categories must be customized to suit the specific needs of the project.

The final step is to determine the risk management framework. This includes the process the team will follow to identify risks (e.g. brainstorming) and classify risks (e.g. probability and impact); how risks will be monitored and controlled; how risks will be reviewed; escalation processes; roles and responsibilities; and the frequency of risk scanning and review sessions.

Factors important in structuring the process include the project's complexity level and the organization's risk tolerance level. Projects with high complexity and/or low risk tolerance will require more sophisticated risk management. Consequently, the team will devote more time to risk management and control.

Projects with a complexity level of 2 or 3 should not exit the planning stage without a clearly defined risk management plan. The plan must describe the process, including risk identification sessions, monitoring and control functions, and the review of major risks with their respective steering committees and executive management. All projects, regardless of complexity level, should start the risk register during the planning stage. This risk register is also input into Dashboard Reporting for executive management.

The risk management plan, the risk register and implementation of the risk processes are key controls that will be evaluated during an Independent Verification and Validation (IV&V) process.

Identify Risks

The purpose of the risk identification process is to identify a comprehensive list of potential risks that could impact the project. Risk identification must account for both internal and external factors. Risk identification is an iterative process that begins during the planning stage and continues through the project's life-cycle.

At the outset of a project, the project manager should conduct one or more identification sessions with key stakeholders. For large, complex projects, several days of workshops may be required. For smaller, less complex projects, a couple of hours may suffice. After the initial identification sessions are held, regular risk scanning sessions are planned and conducted to determine whether the risk landscape has changed. These are typically abridged versions of the risk identification sessions held at the start of the project.

The classic forum to identify risks is a brainstorming session. To orchestrate an effective session: assemble a diverse team of stakeholders with different perspectives; be prepared to balance exceedingly pessimistic or optimistic views; establish an environment that fosters creative thinking; and ensure that the facilitator (usually the project manager) is independent and has a comprehensive understanding of the risk process. During these workshops, the project manager must be adept at separating issues from risks.

There are several techniques the project manager can use to solicit risks, including but not limited to:
1. Force Field Analysis
2. Constraint Analysis
3. SWOT Analysis (Strengths, Weaknesses, Opportunities, Threats)
4. Asking probing questions related to the triple constraints (scope, cost, schedule)
5. Reviewing risk events from similar projects to determine whether they can happen again

Application of specific techniques is out of scope for this course. The CommonWay Wiki Reference Library contains links to articles on these techniques.

At the conclusion of the risk identification session, the team will have generated a long list of potential risks. Some teams choose to stop here and manage all the risks identified. This is a mistake because not all risks are relevant. It is essential to hone this list through the analysis and ranking stages in order to focus the team on managing the most significant risks.

Analyze and Rank Risks

Now the team must determine which risks are significant enough to warrant active management. This is accomplished through an analysis and ranking process that leverages the Risk Register. The Risk Register is the CommonWay tool for tracking, prioritizing and managing project risks. Here are the process steps.

First, describe each risk, including the factors that could cause the risk to occur and its potential impacts on the project. The Risk Impact can be positive or negative and should quantify and/or qualify the costs or opportunities of the risk occurring.

Next, assign each risk a Probability Rating and an Impact Rating. The Probability Rating indicates the likelihood the risk will occur, while the Impact Rating specifies the level of impact to the project should the risk occur. The CommonWay risk register uses a simple high, medium, low scale for both Probability and Impact Ratings and then calculates a Priority Score and Priority Rating based on the selected Probability and Impact ratings. The risks with the highest Priority Score and Priority Rating should be managed most closely. Ensure each risk has a risk owner.

The final step in the risk analysis and ranking process is to evaluate the interdependencies between risks. There can be a cascading effect across risks: one risk occurs, triggering another risk, which triggers another risk. Carefully note any risks that can trigger other risks and consider increasing their Priority Score to reflect these interdependencies.

Note: there are sophisticated quantitative and qualitative approaches for risk analysis and risk ranking (e.g. Monte Carlo Simulation, Decision Trees, Sensitivity Analysis, Failure Mode Effect Analysis (FMEA)). These methods are out of scope for this course.

At the conclusion of this step in the process, the team will have filtered out minor issues and created a prioritized list of risks that require some type of treatment.

Risk Response Strategies & Action Plans

During this stage, the risk owners collaborate with the project manager to develop a risk action plan or treatment plan for each risk. Strategies should be developed for risks that present the most significant consequences or best opportunities. Do not forget opportunities! Exploitation of opportunities is a key component of the risk management process.

The continuum of potential strategies is highlighted below. To be effective, each strategy must be manageable; reduce negative impacts or increase opportunity; leverage available resources; and be cost-effective.

- Avoidance requires eliminating both the probability and the impact of the risk. This is the best risk response strategy because the root cause of the risk is addressed.
- Acceptance implies no active response strategy is adopted because nothing is possible or alternatives are too expensive to implement. This is the least optimal strategy. If selected, a contingency plan should be developed to address the fallout should the risk occur.
- Mitigation requires reducing either the impact or the probability of the risk.
- Transfer shifts the risk to a third party better equipped to handle the risk. The risk is not eliminated. Transfer strategies include shifting the work to vendors or securing insurance to cover the cost of the risk should it occur.
- Enhance is a response to an opportunity that increases either the probability or the impact of the opportunity occurring.
- Exploit is a response to an opportunity that guarantees the opportunity will occur. This is the most effective strategy for realizing opportunities.

Although multiple strategies may be suitable for managing a given risk, the risk owner must select the most appropriate strategy. If the selected strategy proves to be ineffective, it can be replaced with a different strategy.

After the strategy has been selected, the risk owner must develop an action plan and assign an action owner with the proper skills. A solid action plan should include risk triggers to caution the team of imminent risk events.

Since the goal of the risk response strategy is to mitigate/eliminate a risk or enhance/exploit an opportunity, the risk manager must reevaluate the probability and impact of the risk occurring in light of the risk response strategy developed. If the risk strategy is not effective in reducing the risk or increasing the opportunity, an alternative strategy and action plan should be developed.

Finally, the risk owner has to determine whether the proposed strategy introduces new secondary or residual risks and whether these secondary risks are acceptable. If acceptable, the residual risks should be added to the risk register and managed through the standard risk management process. If threats introduced by the secondary risks are too severe, the risk response strategy and action plan should be reworked.

Once an acceptable approach is developed, the project manager records the risk strategy, action plan, post-implementation risk strategy assessment and action owners in the Risk Register.

The Risk Owner is responsible for implementing the risk strategies and action plans. Sometimes the risk owner requires assistance from others to implement action plans (for example, technical staff). In these instances the action owner will be different from the risk owner.

Risk action plans should be implemented immediately after they are defined. The project schedule and project management processes should be updated to include risk monitoring and control sessions, risk response action planning activities, and risk progress reporting. Remember, proper risk management takes time and must be accounted for in your plans.

Monitor & Control Risks, Archive History

Known risks identified during the risk identification process, and new risks that surface, must be monitored and controlled to ensure prompt action is taken when appropriate. Since risks can evolve over time, monitoring requires reporting both how the team is doing against risk action plans and any adjustments to strategies and action plans to address changes in risk characteristics.

The project manager should immediately implement standard risk action plan reviews and mini risk identification sessions to scan for new risks. Team members should understand project risks and impacts. High impact risks should be reported regularly to the steering and executive committees so they are aware of the potential impacts.

If a risk occurs, escalation procedures and contingency plans should be executed at once. Money to support contingencies should be budgeted in a management reserve or contingency account during the budgeting process, because contingencies to address risks almost always require additional funding. Contingency plans requiring significant changes to the budget, baseline schedule, scope or quality of the project must go through the formal change control process.

The project manager is responsible for ensuring that risk documentation is current and archived during Closure so that the lessons learned can be shared with other project managers and teams.

Key Points Synopsis

Good project management requires implementation of an effective risk management process that begins at the start of the project and continues through the life of the project. A solid process should include the following steps:
- Establish a Risk Management Framework
- Identify Risks
- Analyze & Rank Risks
- Identify Risk Owners
- Develop Risk Response Strategies & Action Plans for all high risks
- Analyze Effectiveness of Risk Response Strategies
- Identify Residual Risks. Adjust strategies if necessary
- Assign Action Step Owners
- Update: Risk Plan, Risk Register, Budget, Schedule, RACI, Communication Plan
- Monitor, Control, Report on New & Existing Risks
- Archive/Share Risk Lessons Learned

This concludes the risk management course.
