Demystifying Project Risk Management: Practical Tips for Practitioners, Dr David Hillson
1 like1,163 views
The document summarizes a presentation on demystifying project risk management. It discusses practical tips for project risk practitioners, including how to determine the appropriate level of risk management for a project based on its size and riskiness. It also covers managing both threats and opportunities, setting risk thresholds, regularly updating the risk assessment, and concluding risk management after project completion with a lessons learned review. The goal is to provide a scalable and iterative approach to risk management called ATOM.
![© 2010-23 David Hillson/The Risk Doctor Partnership, Slide 7
Define project riskiness
[Example Project Sizing Tool]
CRITERION Criterion Value = 2 Criterion Value = 4 Criterion Value = 8 Criterion Value = 16 Criterion
Score
Strategic importance Minor contribution to business
objectives
Significant contribution to
business objectives
Major contribution to business
objectives
Critical to business success
Commercial /
contractual complexity
No unusual commercial
arrangements or conditions
Minor deviation from existing
commercial practices
Novel commercial practices, new
to at least one party
Ground-breaking commercial
practices
External constraints
and dependencies
None Some external influence on
elements of the project
Key project objectives depend on
external factors
Overall project success depends
on external factors
Requirement stability Clear fully-defined agreed
objectives
Some requirement uncertainty,
minor changes during project
Major requirement uncertainty,
major changes during project
Requirements not finalised and
subject to negotiation
Technical complexity Routine repeat business, no new
technology
Enhancement of existing
product/service
Novel product/project with some
innovation
Ground-breaking project with
high innovation
Market sector regulatory
characteristics
No regulatory requirements Standard regulatory framework Challenging regulatory
requirements
Highly regulated or novel sector
Project value Small project value
(<$250K)
Significant project value
($250K-1M)
Major project value
($1-3M)
Large project value
(>$3M)
Project duration Duration <3 months Duration 3-12 months Duration 1-3 years Duration >3 years
Project resources Small in-house project team Medium in-house project team Large project team including
external contractors
International project team or
joint venture
Post-project liabilities None Acceptable exposure Significant exposure Punitive exposure
OVERALL PROJECT SCORE
PROJECT SCORE: <35 = Small; 35-74 = Medium; ≥75 = Large
Shortcuts: Project Value <$50K = Small; >$5M = Large](https://image.slidesharecdn.com/230418demystifyingprm-hillsonpresentationslides1-per-page-230421081951-d137e093/85/Demystifying-Project-Risk-Management-Practical-Tips-for-Practitioners-Dr-David-Hillson-7-320.jpg)
![© 2010-23 David Hillson/The Risk Doctor Partnership, Slide 25
Risk reviews
Risk review should:
address status of existing risks [all or top-priority only]
identify whether new risks have arisen
confirm risk ownership
consider effectiveness of planned responses
identify new responses where needed
[assess secondary risks]
[check effectiveness of risk process]
[assess implications of any change in project context]
Hold dedicated review workshop or use existing meeting
Remember the risk process is iterative and scaleable](https://image.slidesharecdn.com/230418demystifyingprm-hillsonpresentationslides1-per-page-230421081951-d137e093/85/Demystifying-Project-Risk-Management-Practical-Tips-for-Practitioners-Dr-David-Hillson-25-320.jpg)
Demystifying Project Risk Management: Practical Tips for Practitioners, Dr David Hillson
- 1. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 1 DEMYSTIFYING PROJECT RISK MANAGEMENT Practical tips for practitioners Presented by Dr David Hillson HonFAPM, PMI Fellow, CFIRM at APM SWWE Branch meeting, BAWA Bristol, 18 April 2023 The Risk Doctor The Risk Doctor Partnership david@risk-doctor.com www.risk-doctor.com
- 2. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 2 Topics How much risk management do I need to do? What about upside risk? How much risk is too much? How to stay up to date? When does risk management end? …but first…
- 3. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 3 Why manage risk on projects? The most important thing! All projects are risky Risks drive us off plan Risk management effectiveness Project success Risk can (should/must) be managed proactively RISK MANAGEMENT PRIORITY
- 4. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 4
- 5. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 5 1. How much risk management? All projects are risky, but… Risk process must be scaleable Ensure level, type & visibility of process match: riskiness of project importance of project to organisation Affects methodology, tools & techniques organisation & staffing reporting requirements etc. Document decisions in Risk Management Plan
- 6. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 6 Define project riskiness Yes, but how? Define meaningful “size” criteria for this project (~10) Determine threshold levels for each criteria Score project Use overall score to define project as Small/Medium/Large Allow shortcuts for “obviously Small/Large” Scope risk process to match project risk challenge define /dI’fam/ v.t. state precise meaning of; describe scope of; outline; mark out (limits, boundary). dI’fa scribe
- 7. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 7 Define project riskiness [Example Project Sizing Tool] CRITERION Criterion Value = 2 Criterion Value = 4 Criterion Value = 8 Criterion Value = 16 Criterion Score Strategic importance Minor contribution to business objectives Significant contribution to business objectives Major contribution to business objectives Critical to business success Commercial / contractual complexity No unusual commercial arrangements or conditions Minor deviation from existing commercial practices Novel commercial practices, new to at least one party Ground-breaking commercial practices External constraints and dependencies None Some external influence on elements of the project Key project objectives depend on external factors Overall project success depends on external factors Requirement stability Clear fully-defined agreed objectives Some requirement uncertainty, minor changes during project Major requirement uncertainty, major changes during project Requirements not finalised and subject to negotiation Technical complexity Routine repeat business, no new technology Enhancement of existing product/service Novel product/project with some innovation Ground-breaking project with high innovation Market sector regulatory characteristics No regulatory requirements Standard regulatory framework Challenging regulatory requirements Highly regulated or novel sector Project value Small project value (<$250K) Significant project value ($250K-1M) Major project value ($1-3M) Large project value (>$3M) Project duration Duration <3 months Duration 3-12 months Duration 1-3 years Duration >3 years Project resources Small in-house project team Medium in-house project team Large project team including external contractors International project team or joint venture Post-project liabilities None Acceptable exposure Significant exposure Punitive exposure OVERALL PROJECT SCORE PROJECT SCORE: <35 = Small; 35-74 = Medium; ≥75 = Large Shortcuts: Project Value <$50K = Small; >$5M = Large
- 8. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 8 Scaleable risk process Small projects = lower risk challenge = simplified risk process Medium projects = average risk challenge = typical risk process Large projects = higher risk challenge = enhanced risk process
- 9. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 9 Scaleable risk process Yes, but how? Small projects/simplified risk process Still include all process steps, but… Involve fewer people, use existing project meetings, use fewer/simpler techniques, less detailed updates, simple reporting… Medium projects/typical risk process No changes! Large projects/enhanced risk process Involve more people, dedicated workshops, use more in-depth techniques, deeper updates, tailored reporting… Consider quantitative risk analysis
- 10. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 10 Risk = Uncertainty True or False ? Risk = Uncertainty that matters (i.e. can affect objectives) 2. What about upside risk? What is risk? ≠
- 11. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 11 Risk connects uncertainty with objectives ISO 31000:2018 “The effect of uncertainty on objectives” What is risk? Risk includes both opportunities & threats “An effect is a deviation from the expected. It can be positive, negative or both…”
- 12. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 12 Which impacts matter? Uncertainties that help as well as uncertainties that harm Both need managing proactively Managing risk means… …not only preventing potential problems “Stop things going wrong” …but also finding potential benefits “Help things go right”
- 13. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 13 Goals of risk management Minimise threats Maximise opportunities Optimise achievement of objectives
- 14. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 14 Managing opportunities matters Yes, but how? Same risk process Extended techniques for opportunities risk identification (find positive uncertainties) two-dimensional techniques risk assessment & prioritisation (pick best ones) Double P-I Matrix risk responses (make happen, or maximise) equivalent strategies
- 15. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 15 Two-dimensional risk identification techniques SWOT Analysis “We’re good/bad at… So what?” Assumptions/Constraints Analysis “What if…? What if not…?” Fault/Benefit Tree Analysis “Yes, but how…?”
- 16. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 16 VHI HI MED LO VLO POSITIVE IMPACT (Opportunities) VHI HI MED LO VLO PROBABILITY NEGATIVE IMPACT (Threats) VHI HI MED LO VLO VLO LO MED HI VHI PROBABILITY Prioritising opportunities 1 QUICK WINS: EASY TO GET & BIG BENEFIT 3 CONSIDER IMPROVING: EASY BUT LOWER BENEFIT 2 WORTH EXPLORING: HARDER TO GET BUT BIG BENEFIT 4 DON’T BOTHER!
- 17. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 17 Avoid Reduce Transfer Accept THREAT GENERIC STRATEGY OPPORTUNITY ELIMINATE UNCERTAINTY CHANGE SIZE INVOLVE OTHERS TAKE THE RISK Exploit Enhance Share Accept Responding to opportunities
- 18. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 18 3. How much risk is too much risk? “It depends”… on… … project objectives … stakeholder risk appetite … organisational risk thresholds One person’s “Critical” is another’s “Who cares?” Define impact scales (VHI)/HI/MED/LO/(VLO) Who defines? Project sponsor with other key stakeholders Record in Project Charter, business case or Risk Management Plan
- 19. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 19 Each risk has one probability of occurrence and at least one impact Example of project-specific scales RANK PROB IMPACT ON PROJECT OBJECTIVES (+ or -) TIME COST PERFORMANCE VHI 71-99% >12 weeks >$1000K Effect on overall functionality HI 51-70% 7-12 weeks $500-1000K Major effect on key parameters MED 31-50% 3 - 6 weeks $250-500K Minor effect on key parameters LO 11-30% 1 - 2 weeks $100-250K Effect on >1 minor parameters VLO 1-10% < 1 week < $100K Effect on 1 minor parameter NIL - No change No change No change in performance
- 20. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 20 Defining HI/MED/LO impacts Impact = different for each objective Assume 5-point scale (could be 3 or 4): For threats: VHI = intolerable, unacceptable, “Oh no!” VLO = negligible, insignificant, “Who cares?” Other points spread between For opportunities: VHI = essential, “Can’t miss”, “Must have” VLO = insignificant, “Who cares?” Often same as threat scales, could differ define /dI’fam/ v.t. state precise meaning of; describe scope of; outline; mark out (limits, boundary). dI’fa scribe
- 21. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 21 Threat Impacts Opportunity Impacts Step 1 – Define VHI Step 2 – Define VLO Step 3 – Set intermediate values Step 4 – Define VHI Step 5 – Define VLO Step 6 – Set intermediate values Time Cost Time Cost Time Cost Time Cost Time Cost Time Cost VHI >8 wks >$1m >4 wks >$500k HI 4-8 wks $500k-1m 3-4 wks $250k- 500k MED 2-4 wks $100k- 500k 2-3 wks $80-$250k LO 1-2 wks $10k-100k 1-2 wks $10k-80k VLO <1 wk <$10k <1 wk <$10k Worked example Project objective: Release new product to market Planned timeline = 10 months; project budget = $4M Delivery >2 months late would miss market window; cost growth to >$5M means cancellation Earliest feasible delivery date to meet market requirements = 4 weeks early Cost savings of >$500K would double profit margin Schedule/budget variation of ±10% is acceptable
- 22. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 22 4. How to stay up to date? Essential because risk changes: risks happen (opportunities & threats) risks are resolved risks time-out risks get better or worse new risks emerge Repeat the entire process? or Review/update risk exposure regularly?
- 23. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 23 The ATOM solution INITIATE ATOM PROCESS FIRST RISK ASSESSMENT Identify risks Assess risks Plan responses RISK CONTROL Implement responses Risk reporting RISK UPDATE Risk reviews REPEAT REGULARLY REPEAT FOR NEW PHASE OR ON MAJOR SCOPE CHANGE MAJOR REVIEW MINOR REVIEW
- 24. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 24 The ATOM solution Major Review and Minor Review Major At key lifecycle points (milestones/phases/gates) & on major scope change Full reassessment of risk exposure – repeat steps in First Risk Assessment Minor At regular intervals (to fit project rhythm) Update existing risk assessment and responses Scaleable feature Large projects: more Major Reviews, deeper reassessment Small projects: mostly Minor Reviews, higher-level
- 25. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 25 Risk reviews Risk review should: address status of existing risks [all or top-priority only] identify whether new risks have arisen confirm risk ownership consider effectiveness of planned responses identify new responses where needed [assess secondary risks] [check effectiveness of risk process] [assess implications of any change in project context] Hold dedicated review workshop or use existing meeting Remember the risk process is iterative and scaleable
- 26. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 26 5. When does risk management end? Most risk processes appear to be endless! ISO 31000:2018 Risk Management – Guidelines Standard for Risk Management (2017) PRAM Guide, Second edition (2004/2010) Management of Risk, Fourth Edition (2022)
- 27. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 27 5. When does risk management end? Most risk processes appear to be endless! No project risks exist at project completion Note: There are still risks to handover, execution, maintenance, disposal… Risk management should end when project ends Yes, but how?
- 28. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 28 The ATOM solution INITIATE ATOM PROCESS FIRST RISK ASSESSMENT Identify risks Assess risks Plan responses RISK CONTROL Implement responses Risk reporting RISK UPDATE Risk reviews POST-PROJECT RISK REVIEW REPEAT REGULARLY REPEAT FOR NEW PHASE OR ON MAJOR SCOPE CHANGE MAJOR REVIEW MINOR REVIEW
- 29. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 29 Purpose of post-project risk review Learn from experience “Capture risk-related knowledge and experience in a form that can be used by future similar projects” “Lessons-learned” Part of post-project review, or dedicated meeting Ask open questions: What risks were identified? Any generic? What threats happened, what opportunities were missed? Which responses worked & which didn’t? What did we do well, and what could have been better? How much effort was spent on RM? Possible efficiencies? “Lessons-to-be-learned”
- 30. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 30 Lessons-to-be-learned (L2BL) Not learned until implemented Consider L2BL Register
- 31. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 31 Final thoughts
- 32. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 32 For further information Dr David Hillson The Risk Doctor +44(0)7717.665222 david@risk-doctor.com www.risk-doctor.com www.atom-risk.com YouTube.com/RiskDoctorVideo