Risk Management Primer




Risk Management Primer (slide 1 of 9)

Purpose: To obtain strong project outcomes by implementing an appropriate risk management process

Audience: Project managers, project sponsors, team members and other key stakeholders

Learning Objectives:
- Understand benefits of risk management
- Learn to design & implement the right risk management process
- Distinguish between issues & risks
- Examine potential risk categories
- Establish appropriate risk response strategies & action plans
- Implement monitoring & control processes
- Understand CommonWay Risk Templates

Timeframe: 21 Minutes

Course: Risk Management Primer

Purpose: To obtain better project outcomes (including budget, schedule and operational performance) by implementing an appropriate risk management process

Audience: Project managers, project sponsors, team members and other key stakeholders

Learning Objectives:
- Understand the benefits of good risk management
- Learn to design & implement the right risk management process
- Distinguish between issues and risks
- Examine potential categories of risk
- Establish appropriate risk response strategies and action plans
- Understand CommonWay Risk Templates

Risk management is a complex topic with countless published sources for reference. This course is a primer on Risk Management. More advanced coverage of risk management topics is out of scope for this course. Additional sources have been identified on the CommonWay Wiki under the Reference Library.

Risk Management Process Overview (slide 2 of 9)

The purpose of risk management is to secure better project results by proactively identifying, assessing, and controlling undesired outcomes. Risk management helps project managers determine priorities, allocate resources and implement processes and actions that reduce the risk of the project not reaching its goals and objectives.

Risk management is a four-step process with integrated monitoring and control feedback mechanisms. The process is initiated when the project is launched and continues through the life of the project. Risk management is not a stand-alone process; it is integrated with other key project management processes, including issues, schedule, change and scope management. Risk management is the responsibility of all stakeholders.

The risk management process steps are:
1. Establish the process framework
2. Identify Risks
3. Analyze & Rank Risks
4. Develop & Implement Risk Response Strategies & Action Plans

All projects, regardless of size or complexity, have inherent risks and can benefit from a formal risk management process. Remember, good risk management takes time. Given this, it is essential that the project manager adopts a process that is appropriate for the complexity of the project.

The benefit gained from a well-defined and orchestrated risk management process outweighs the costs. These benefits include an enhanced understanding of the project; a more thorough understanding of potential risks and their impact; and the assignment of risks to the team members best equipped to manage each risk. The net result of risk management is a more realistic schedule, budget, and project plan and a less reactive project environment.

Risks vs. Issues (slide 3 of 9)

Risks:
- Threats or opportunities
- Uncertainty linked to objectives
- Potential material consequences (loss/gain)

Issues:
- Occurred or imminent
- Requires prompt resolution
- Loss/impact certain

Before examining the risk management process, we will review differences between issues and risks. Project risks are uncertainties that could impact a project's objectives. Risks can be threats that disrupt the project and create losses, or opportunities that benefit the project. If the project's objectives are not clearly defined, it will be difficult to identify, analyze, rank and manage those risks that could have the greatest impact. Risks left unmanaged can morph into significant issues with considerable impacts. Conversely, issues are events that have already occurred, are in dispute or are unsettled and require immediate attention and resolution.

Let's clarify the differences through an example. Your project is dependent on the latest version of Microsoft SharePoint Services. The vendor has assured the market the release will be available in January. Your plan reflects a March installation date. Given the vendor's history, there is a possibility the date could slip. This is a risk that should be reflected in the Risk Register with probability and impact ratings, a risk action plan and an owner. By identifying this risk early, the team has an opportunity to proactively address it: for example, select another product and eliminate the risk, or plan to upgrade at a later date. If the release is delayed and SharePoint is still the product of choice, the team implements the action plan to upgrade at a later date. If the risk had not been identified early on, the team would be contending with an issue that could impact the scope, schedule and budget.

Next, let's look at the risk management process at a high level.

Establish Process Framework (slide 4 of 9)

[Slide diagram: Risk Management Process. Labels on the diagram: Project Size & Complexity Level; Technological Innovations; Procurement, Suppliers, Vendor Relationships & Contracts; Organization's Risk Tolerance Level; Preliminary Risk Identification Sessions Conducted; Risk Categories Defined; Risk Response Strategies & Action Plans Defined; Risk Review Frequency Specified; On-going Risk Identification Sessions Scheduled; Roles & Responsibilities Determined; Risk Monitoring & Control Functions Defined; Escalation Processes Defined; High Priority Risks with Risk Response Strategies, Action Plans, Risk & Action Owners; Resources; Environmental, Legal, Regulatory Factors; Current Risk Plan & Risk Register; Risk Response Strategies & Action Plans Implemented; Standard Monitoring, Control & Reporting Processes Implemented; Customer Expectations (schedule, budget, quality); Reputation, Politics; Dashboard Reporting.]

Establish Process Framework & Logistics

To help define the process, participants must understand key risk management concepts and tools. To build this awareness, review how to define a risk event; the meaning of probability and impact ratings; appropriate risk response strategies; the risk management plan; the risk register; and any other organization-specific tools that will be used to support the risk management process.

It is essential that the team secures a briefing on the fundamentals of the project. This includes project objectives, key features, functions and technologies; financial structures; who will be involved in the design, development, testing, implementation and support of the product (vendors and internal staff); customer expectations; impacts on business processes; and how the product will be deployed and supported.

Once a shared understanding of both the process and the project is established, work with the team to develop a list of risk categories. Risk categories provide a structure to systematically identify risks. Common risk categories include new technology, complexity with interfaces, performance and reliability, procurement, suppliers, regulations, resources, requirements, funding, estimating, and environmental. Risk categories must be customized to suit the specific needs of the project.

The final step is to determine the risk management framework. This includes the process which the team will follow to identify risks (e.g. brainstorming) and classify risks (e.g. probability and impact); how risks will be monitored and controlled; how risks will be reviewed; escalation processes; roles and responsibilities; and the frequency of risk scanning and review sessions.

Factors important in structuring the process include the project's complexity level and the organization's risk tolerance level. Projects with high complexity and/or low risk tolerance will require more sophisticated risk management. Consequently, the team will devote more time to risk management and control.

Projects with a complexity level of 2 or 3 should not exit the planning stage without a clearly defined risk management plan. The plan must describe the process, including risk identification sessions, monitoring and control functions, and the review of major risks with their respective steering committees and executive management. All projects, regardless of complexity level, should start the risk register during the planning stage. This risk register is also input into Dashboard Reporting for executive management.

The risk management plan, the risk register and implementation of the risk processes are key controls that will be evaluated during an Independent Verification and Validation (IV&V) process.

Identify Risks (slide 5 of 9)

The purpose of the risk identification process is to identify a comprehensive list of potential risks that could impact the project. Risk identification must account for both internal and external factors. Risk identification is an iterative process that begins during the planning stage and continues through the project's life-cycle.

At the outset of a project, the project manager should conduct one or more identification sessions with key stakeholders. For large, complex projects, several days of workshops may be required. For smaller, less complex projects, a couple of hours may suffice. After the initial identification sessions are held, regular risk scanning sessions are planned and conducted to determine whether the risk landscape has changed. These are typically abridged versions of the risk identification sessions held at the start of the project.

The classic forum to identify risks is a brainstorming session. To orchestrate an effective session: assemble a diverse team of stakeholders with different perspectives; be prepared to balance exceedingly pessimistic or optimistic views; establish an environment that fosters creative thinking; and ensure that the facilitator (usually the project manager) is independent and has a comprehensive understanding of the risk process. During these workshops, the project manager must be adept at separating issues from risks.

There are several techniques the project manager can use to solicit risks, including but not limited to:
1) Force Field Analysis
2) Constraint Analysis
3) SWOT Analysis (Strengths, Weaknesses, Opportunities, Threats)
4) Asking probing questions related to the triple constraints: scope, cost, schedule
5) Reviewing risk events from similar projects to determine whether they can happen again

Application of specific techniques is out of scope for this course. The CommonWay Wiki Reference Library contains links to articles on these techniques.

At the conclusion of the risk identification session, the team will have generated a long list of potential risks. Some teams choose to stop here and manage all the risks identified. This is a mistake because not all risks are relevant. It is essential to hone this list through the analysis and ranking stages in order to focus the team on managing the most significant risks.

Analyze & Rank Risks (slide 6 of 9)

Now the team must determine which risks are significant enough to warrant active management. This is accomplished through an analysis and ranking process that leverages the Risk Register. The Risk Register is the CommonWay tool for tracking, prioritizing and managing project risks. Here are the process steps.

First, describe each risk, including the factors that could cause the risk to occur and its potential impacts on the project. The Risk Impact can be positive or negative and should quantify and/or qualify the costs or opportunities of the risk occurring.

Next, assign each risk a Probability Rating and an Impact Rating. The Probability Rating indicates the likelihood the risk will occur, while the Impact Rating specifies the level of impact to the project should the risk occur. The CommonWay risk register uses a simple high, medium, low scale for both Probability and Impact Ratings and then calculates a Priority Score and Priority Rating based on the selected Probability and Impact ratings. The risks with the highest Priority Score and Priority Rating should be managed most closely. Ensure each risk has a risk owner.

The final step in the risk analysis and ranking process is to evaluate the interdependencies between risks. There can be a cascading effect across risks: one risk occurs, triggering another risk, which triggers another risk. Carefully note any risks that can trigger other risks and consider increasing their Priority Score to reflect these interdependencies.

Note: there are sophisticated quantitative and qualitative approaches for risk analysis and risk ranking (e.g. Monte Carlo Simulation, Decision Trees, Sensitivity Analysis, Failure Mode Effect Analysis (FMEA)). These methods are out of scope for this course.

At the conclusion of this step in the process, the team will have filtered out minor issues and created a prioritized list of risks that require some type of treatment.

Risk Response Strategies & Action Plans (slide 7 of 9)

During this stage, the risk owners collaborate with the project manager to develop a risk action plan or treatment plan for each risk. Strategies should be developed for risks that present the most significant consequences or best opportunities. Do not forget opportunities! Exploitation of opportunities is a key component of the risk management process.

The continuum of potential strategies is highlighted below. To be effective, each strategy must be manageable; reduce negative impacts or increase opportunity; leverage available resources; and be cost-effective.

- Avoidance requires eliminating both the probability and the impact of the risk. This is the best risk response strategy because the root cause of the risk is addressed.
- Acceptance implies no active response strategy is adopted because nothing is possible or alternatives are too expensive to implement. This is the least optimal strategy. If selected, a contingency plan should be developed to address the fallout should the risk occur.
- Mitigation requires reducing either the impact or the probability of the risk occurring.
- Transfer shifts the risk to a third party better equipped to handle the risk. The risk is not eliminated. Transfer strategies include shifting the work to vendors or securing insurance to cover the cost of the risk should it occur.
- Enhance is a response to an opportunity that increases either the probability or the impact of the opportunity occurring.
- Exploit is a response to an opportunity that guarantees the opportunity will occur. This is the most effective strategy for realizing opportunities.

Although multiple strategies may be suitable for managing a given risk, the risk owner must select the most appropriate strategy. If the selected strategy proves to be ineffective, it can be replaced with a different strategy.

After the strategy has been selected, the risk owner must develop an action plan and assign an action owner with the proper skills. A solid action plan should include risk triggers to caution the team of imminent risk events.

Since the goal of the risk response strategy is to mitigate/eliminate a risk or enhance/exploit an opportunity, the risk manager must reevaluate the probability and impact of the risk occurring in light of the risk response strategy developed. If the risk strategy is not effective in reducing the risk or increasing the opportunity, an alternative strategy and action plan should be developed.

Finally, the risk owner has to determine whether the proposed strategy introduces new secondary or residual risks and whether these secondary risks are acceptable. If acceptable, the residual risks should be added to the risk register and managed through the standard risk management process. If threats introduced by the secondary risks are too severe, the risk response strategy and action plan should be reworked.

Once an acceptable approach is developed, the project manager records the risk strategy, action plan, post-implementation risk strategy assessment and action owners in the Risk Register.

The Risk Owner is responsible for implementing the risk strategies and action plans. Sometimes the risk owner requires assistance from others to implement action plans (for example, technical staff). In these instances the action owner will be different from the risk owner. Risk action plans should be implemented immediately after they are defined.

The project schedule and project management processes should be updated to include risk monitoring and control sessions, risk response action planning activities and risk progress reporting. Remember, proper risk management takes time and must be accounted for in your plans.

Monitor & Control Risks, Archive History (slide 8 of 9)

Known risks identified during the risk identification process and new risks that surface must be monitored and controlled to ensure prompt action is taken when appropriate. Since risks can evolve over time, monitoring requires reporting how the team is doing against risk action plans as well as any adjustments to strategies and action plans to address changes in risk characteristics.

The project manager should immediately implement standard risk action plan reviews and mini risk identification sessions to scan for new risks. Team members should understand project risks and impacts. High impact risks should be reported regularly to the steering and executive committees so they are aware of the potential impacts.

If a risk occurs, escalation procedures and contingency plans should be executed at once. Money to support contingencies should be budgeted in a management reserve or contingency account during the budgeting process, because contingencies to address risks almost always require additional funding. Contingency plans requiring significant changes to the budget, baseline schedule, scope or quality of the project must go through the formal change control process.

The project manager is responsible for ensuring that risk documentation is current and archived during Closure so that the lessons learned can be shared with other project managers and teams.

Key Points Synopsis (slide 9 of 9)

Good project management requires implementation of an effective risk management process that begins at the start of the project and continues through the life of the project. A solid process should include the following steps:
- Establish a Risk Management Framework
- Identify Risks
- Analyze & Rank Risks
- Identify Risk Owners
- Develop Risk Response Strategies & Action Plans for all high risks
- Analyze Effectiveness of Risk Response Strategies
- Identify Residual Risks. Adjust strategies if necessary
- Assign Action Step Owners
- Update: Risk Plan, Risk Register, Budget, Schedule, RACI, Communication Plan
- Monitor, Control, Report on New & Existing Risks
- Archive/Share Risk Lessons Learned

This concludes the risk management course.