‘Managing Risk, Space Invaders and your friendly, neighbourhood Burglar’
an introduction to an assumptions-based approach to project Risk Management
presentation to Kingston and Croydon branch of the BCS, 14-Jan-2003
David Galley

Introduction
• Basic approach to project risk management
  • Proactive + Devolved + Simple to understand
• Presentation Content
  • Risk
  • Risk Management (vs Project Management)
  • Assumptions-based approach
  • Identifying Assumptions
  • Registers
  • Risk Evaluation & Prioritisation
  • Risk Plans
  • Roles & Responsibilities
  • Execution
• Questions

Risk combines notions of hazard and uncertainty
risk = likelihood of hazard occurring * impact of hazard occurring
[Figure: contours of equal risk exposure, from low risk to high risk; axes: likelihood of hazard occurring, impact if hazard occurs]

Relative risk exposure can be represented on a 4*4 ‘risk grid’
[Figure: 4*4 risk grid with regions of low risk, intermediate risk and high risk; axes, each scored A to D: likelihood of hazard occurring, impact if hazard occurs]

Risk Management is an integral part of Project Mgt …but different
[Figure: Project Management, divided into (rest of) project mgt. and risk management]
(rest of) project mgt.:
• project definition
• project structuring
• planning
• cost/schedule statusing
• project control
…in what way is Risk Mgt different?

Need for Risk Management arises from uncertainty
[Figure: Project Management, divided into (rest of) project management and risk management, against a likelihood scale running from impossible to certain; label: obstacle]

Assumptions based approach is proposed
Inputs:
• Requirement
• Issues
• Hazard checklist
• ….
• Work Plan & Budget
• External threats
• Internal weaknesses
• ….
[Figure labels: Assumptions Register, Risk Register, Risk Plans, Risk Evaluation & Prioritisation, Monitoring Risks & Assumptions, Risk Mgt Roles, Risk Planning, Risk Plan Execution]

Projects are exposed to the risk of assumption failure
• Decisions are made based on limited information
• Working assumptions
  • Conscious/Explicit
  • Unconscious/Implicit (become evident later, or remain hidden)
• Working assumptions proven to be:
  • True – will not disturb the project
  • False – will disturb the project
• For every assumption the project makes there is an inherent risk that the assumption will not be true

If hazard is project assumption failure, the risk grid axes become project sensitivity, assumption instability
[Figure: 4*4 risk grid; axes, each scored A to D: assumption instability, project sensitivity to assumption failure]

First catch your assumptions… ...then assess the associated risk
• Broad search: What could go wrong?
• Capture working assumptions
• Assess associated risk exposure
Sources to search:
• Hazard checklists
• Business Case
• Internal weaknesses
• Open Issues
• Budget
• Requirement Spec.
• Workplan
• External dependencies
• External threats
• Stakeholders

Project Assumptions and Project Risks need to be recorded in consolidated registers
[Figure labels: Project Mgt., assumptions, risks, Risk Mgt.]

Document assumptions in an Assumptions Register
• Assumption Identifier: Project, Assumption Title & No.
• Assumption Description: Sufficient to explain the nature of the assumption
• Associations: Key Dependents, Associated Assumptions, References, Associated Risk No
• Registration: Registration Date, Registered By, Project Mgr
• Closure: Closure Comment, Closure Date, Closed By, Project Mgr

Document risks in a Risk Register
• Risk Identifier & associations: Project, Risk No., Assumption Title & No., Associated Risk Nos., Refs.
• Project Sensitivity (initial registration & subsequent re-evaluation): Explanation of the project’s sensitivity incl. the expected impact date, A-D score, Comment, Date, Risk Owner, Risk Mgr, Project Mgr.
• Assumption Instability: Similar to ‘Project Sensitivity’
• Closure: Closure Comment, Closure Date, Closed By, Project Mgr

Having identified your risks, you need to manage them
• Risk Prioritisation
• Risk Plans
• Roles & Responsibilities
• Execution & Monitoring
[Figure captions: too many risks... ...which one first? ...what do I do? ...what do I do? risk plan ...what’s that?]

Risk Management is a bit like playing ‘space invaders’ (Hugh Lake)
• Threats of different size approach closer and closer
• Aim is to defend your patch… but with limited ammo
• Which one to attack next?

Deciding which risks to ‘attack’ is a complex decision
• So many risks… which should I attack?
  • consider size, i.e. risk exposure
  • consider timing… when will it ‘hit’?
• How effective would an attack be?
  • how will I deal with each risk?
  • what chance that it’ll work?
  • how much residual risk exposure?
• What about the cost?
  • Will attacking a risk be worth the cost?
  • Can I afford to attack a particular risk?
  • Can I afford not to attack that risk?
• How do we ‘attack’ risks?

Risk Handling Techniques – four main categories
[Figure labels: reactive Risk Plans, proactive Risk Plans]

Risk mitigation is based on two basic strategies
• Basic strategies
  • stabilise the assumption
  • de-sensitise the project
• Recommend developing at least two candidate risk plans
• Risk plan might combine assumption stabilisation and project de-sensitisation
[Figure: 4*4 risk grid showing action required to de-sensitise and action required to stabilise; axes, each scored A to D: assumption instability, project sensitivity]

Exercise: Risk Management applied to House Burglary
Background
You’ve just moved to a new town and you’ve a 1001 things to sort out. You learn that a number of burglaries have taken place in your new neighbourhood.
• Do you lock yourself in, and refuse to leave your house? – No. You’ve got a life to lead!
• What is your working assumption?

Exercise: Risk Management applied to House Burglary
• The principal working assumption is an implicit assertion ‘We will not get burgled today’.
• The assumption wasn’t ‘I might get burgled’. That isn’t an assumption, it’s an infallible truism.
• But your working assumption might be wrong!
• Failure of that working assumption constitutes the hazard. You’ve identified a risk.
• How are you going to manage it?

Here’s a heap of ‘risk plans’…assign each to a category of risk handling technique
Categories:
• Risk avoidance … …
• Risk mitigation (stabilise the assumption) … …
• Risk mitigation (de-sensitise impact) … …
• Risk transfer … …
• Risk retention … …
Risk plans:
• keep stock of glass, timber to repair windows
• store valuable items in a safe, or at bank
• adopt non-materialistic philosophy
• arrange house contents insurance
• install extra high-security locks
• take any burglary ‘on the chin’
• move away to safer district
• install a burglar alarm
• buy a big, noisy dog
• buy a quiet crocodile
…what else?

Categorised Risk Plans
• Risk avoidance
  • move away to safer district
  • adopt non-materialistic philosophy
• Risk mitigation (stabilise the assumption)
  • install extra high-security locks
  • install a burglar alarm
  • buy a big, noisy dog
• Risk mitigation (de-sensitise impact)
  • store valuable items in a safe, or at bank
  • buy a quiet crocodile
• Risk transfer
  • arrange house contents insurance
• Risk retention
  • keep stock of glass, timber to repair windows
  • take any burglary ‘on the chin’

Risk Management places extra responsibilities on the Steering Committee and Project Mgr
Steering Committee/senior management and Project Manager:
• Reports critical risks
• Reports results
• Accounts for risk budget
• Risk budget
• Ensure risks identified/captured
• Assumption & risk registers
• Agree monitoring
• Approve plans & allocate resources
• Monitor progress
• Approve closure

RM places responsibilities on the Steering Committee and Project Mgr and introduces two new roles: Risk Managers and Risk Owners
Steering Committee/senior management and Project Manager:
• Identify & appoint external Risk Owners & Risk Mgrs
• Reports critical risks
• Reports results
• Accounts for risk budget
• Risk budget
• Ensure risks identified/captured
• Assumption & risk registers
• Agree monitoring
• Appoint Risk Owners
• Approve plans & allocate resources
• Monitor progress
• Approve closure
• Appoint & empower Risk Mgrs
Risk Owner and Risk Manager:
• Confirm/review risks
• Agree the aim
• Monitor plans
• Stop plans
• Draw up plans
• Run the plan
• Close plan
[Diagram labels: report, delegation & empowerment, agree]

What happens after you have prioritised the risks and selected the risk plans?
• Prioritising Risks
• Kicking-off Risk Plans
• Monitoring Assumptions & Risks
• Developing & Selecting Risk Plans
• Running the Risk Plan
• Closing Risk Plans

Summary
• Risk as a product of hazard likelihood and hazard impact
• Risk Management relative to Project Management
• Proactive, Assumptions-based approach
• Assumption-failure as the source of project risk
• Integrated assumption & risk registers
• Complexity of deciding what risks to attack
• Risk handling: avoidance, mitigation, transfer, retention
• Devolved Risk Management organisation - responsibility and ownership devolved throughout, and outside, the project team
• Questions

Projects have many stakeholders… …with interlinked objectives
• Many stakeholders
  • interdependent network of objectives
  • failure doesn’t stay put
• Know your stakeholders
  • identify them
  • understand their objectives
  • what is success/failure for them?
[Figure: the project and its stakeholders: Executives, Customers, Vendors, Users, Finance, Community, Employees]

What happens after you have prioritised the risks and selected the risk plans: Kicking-off Risk Plans
• Project Manager has to ensure that:
  • Budget is agreed with the Risk Manager
  • Success and closure criteria are agreed in advance with the Risk Owner and Risk Manager
  • Roles & Responsibilities are agreed and published for all personnel involved in the risk plan
  • Commitment of external owners, points of contact and champions, is agreed in advance.

What happens after you have prioritised the risks and selected the risk plans: Running the Risk Plan
• Nominated Risk Manager:
  • Manages execution of the risk plan
  • Agrees with the Risk Owner progress against the plan
  • Reports progress using the monitoring system agreed with the Project Manager

What happens after you have prioritised the risks and selected the risk plans: Closing Risk Plans
• A risk plan must be stopped & closed when:
  • it has achieved its objectives
  • it is seen to be failing, or it has failed
  • it is no longer necessary
• Closing is relatively easy if, when launched, the plan has clear objectives and clear success criteria

What happens after you have prioritised the risks and selected the risk plans: Monitoring Assumptions & Risks
• The lists of assumptions and risks need to be reviewed regularly.
• Are any changes occurring
  • internally, or
  • externally to the project
• which could alter
  • project’s sensitivity to the assumption
  • stability of the assumption
  • expected hazard impact date