SlideShare a Scribd company logo

Programmatic risk management

Glen Alleman, profile picture
Glen Alleman

This document discusses key concepts for effective risk management on projects. It outlines 5 concepts: 1) hoping is not a strategy, plans with goals and metrics are needed, 2) single point estimates are inaccurate, probabilistic estimates using distributions like triangles are better, 3) integrating cost, schedule, and technical performance is essential, 4) a formal risk management process and model is required, and 5) risk communication is critical. It emphasizes that identifying risks is not enough, plans for mitigating risks must be developed and risks must be retired over time according to the plan.

BusinessEconomy & Finance
1 of 6
Downloaded 81 times
1
2
3
4
5
6
Programmatic Risk Management Risk Management is How Adults Manage Projects Glen B. Alleman Niwot Ridge, LLC glen.alleman@niwotridge.com
March Risk Management is How Adults Manage Projects† 2008 1 Risk management is essential for the success of any significant project. Information about key project cost, performance, and schedule attributes is often unknown until the project is underway. Risks identified early in the project that impacts the project later are often termed “known unknowns.” These risks can be mitigated, reduced, or retired with a risk management process. For risks that are beyond the vision of the project team, a properly implemented risk management process can also rapidly quantify the risks impact and provide sound plans for mitigating their affects. Risk management is concerned with the outcome of a future event. Events whose impacts are unknown. Risk management is about dealing with this uncertainty. Outcomes are categorized as favorable or unfavorable. Risk management is the art and science of planning, assessing, handling, and monitoring future events to ensure favorable outcomes. A good risk management process is proactive and fundamentally different than reactive issue management or problem solving. This paper describes the fundamentals of Risk Management with 5 simple concepts: 1. Hope is not a strategy – Hoping that something positive happens or something negative will not happen does not lead to success. Preparing for success is the basis of success. 2. All single point estimates are wrong – Single point estimates of cost, schedule, and technical performance are no better than 50/50 guesses in the absence of knowledge about the variances of the underlying distribution. 3. Without integrating Cost, Schedule, and Technical Performance, you are driving in the rearview mirror. The effort to produce the product or service and the resulting value cannot be made without making these connections. 4. Without a model for risk management, you are driving in the dark with the headlights off – Risk management is not an ad hoc process that you can make up as you go. A formal foundation for risk management is needed. Choose one that has worked in high-risk domains – defense, nuclear power, manned spaceflight, or examples. 5. Risk Communication is everything – Identifying risks without communicating them is a waste of time for all the participants. Risk management is an important skill that can be applied to a wide variety of projects. In an era of downsizing, consolidation, shrinking budgets, increasing technological sophistication, and shorter development times, risk management provides valuable insight to help key project personnel plan for risks. It alerts them to potential risk issues, which can then be analyzed, and plans develop, implemented, and monitored to address risks before they surface as issues and adversely affect project cost, performance, and schedule. Hope is Not a Strategy Hoping that the project will proceed as planned is not a strategy for success. Project managers who constantly seek ways to eliminate or control risk, variance and uncertainly are engaging in a hopeless pursuit. Managing “in the presence” of risk, variance, and uncertainty is the key to success. Some projects have few uncertainties –only the complexity of tasks and relationships is important – but most projects are characterized by several types of uncertainty. Although each uncertainty type is distinct, a single project may encounter some 2 combination of four types: 1. Variation – comes from many small influences and yields a range of values in a particular activity. Attempting to control these variances outside their natural boundaries is a waste of time. 2. Foreseen Uncertainties – are identifiable and understood influences that the team cannot be sure will occur. There needs to be a mitigation plan for these foreseen uncertainties. 3. Unforeseen Uncertainties – can’t be identified during project planning. When these occur, a new plan is needed. 4. Chaos – appears in the presence of “unknown unknowns” and must be addressed through a replanning process. 1 “Risk Management during Requirements,” Tom DeMarco and Tim Lister, IEEE Software, September/October, 2003 2 “Managing Project Uncertainty: From Variation to Chaos,” Arnoud De Meyer, Christoph H. Loch and Michael T. Pich, MIT Sloan Management Review, Winter 2002 † “How Much Risk is Too Much Risk,” Tim Lister, Boston SPIN, 20 January 2004 2 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503
March Risk Management is How Adults Manage Projects† 2008 Plans are strategies for the successful completion of the project. Plans are different than schedules. Schedules show “how” the project will be executed. Plans show “what” accomplishments must be performed and the success criteria for these accomplishments along the way to completion. The Plan describes the increasing maturity of the project through assessment points. The unit of measure for this maturity must be meaningful to the stakeholders. Something that can be connected to the investment they have made in the project. When we speak the word “Hope,” it lays the foundation for failure. In the use of Hope, we really mean “success is possible but not probable.” When we speak the word Figure 1 – The Plan for the project must assure risk is being “Plan,” it does not assure success, but success is a probable reduced in proportion to the project’s tolerance for risk outcome. It is the definition of the probability of success P(s), that is the foundation of the Plan. Having a Plan–A, Plan–B, and possibly a Plan–C exposes risk, assigns 3 mitigations, and measures the probability of success. The idea of a Plan as a Strategy is critical to making changes in the behavior of the project teams that can lead to “risk adjusted project management.” Without a Plan, the schedule is simply a list of activities to be performed. The reason for their performance may be understood, but it is unlikely these activities fit in any cohesive Strategy. Strategies have goals, critical success factors, and key performance indicators. Project Strategies – the Master Plan – must also contain goals, critical success factors, and key performance indicators that assure the project is making physical progress in the presence of uncertainty in cost, schedule, and technical performance. No Single Point Estimate of Cost, Schedule or Technical Performance Can Correct How long will this take? How much is it going to cost? Will the product or service meet the requirements that are defined for any specific point in time? What is the confidence in those numbers? These are three questions that must be answered for the project team to have a credible discussion with the stakeholders about success. Deciding what accuracy is needed to provide a credible answer is a starting point. But that does not address the question – “how can that accuracy be obtained.” There are many checklists for estimating cost and schedule, with simple guidance on how to build estimates. Most of this advice is wrong in a fundamental way. The numbers produced by the estimating process do not have their variance defined in any statistically sound manner. By statistically sound it means that the underlying probability distributions are known. If they are not known, then some form of estimating taking this unknown into account must be used. The Project Management Institute (PMI) advices producing three estimates – optimistic, most likely, pessimistic. But these numbers are fraught with error. We can’t tell how these numbers were arrived at? Are they based on best engineering judgment? Based in historical data? What is nd the variance on the variance of this distribution – the 2 standard deviation? In the absence of this information, they are of little use in estimating risk. The use of point estimates for duration and cost is the first approach in an organization low on the project management maturity scale. Understanding that cost and durations are actually “random variables,” drawn from an underlying distribution of possible value is the starting point for managing in the presence of uncertainty. Figure 2 – triangle distributions are useful when there is limited information about the characteristics of the random variables are all that is available. 3 “Probability of Success Operations Guide, Acquisition, Logistics & Technology Enterprise Systems & Services, Office of the Assistant Security of the Army for Acquisition 3 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503
March Risk Management is How Adults Manage Projects† 2008 In probability theory, every random variable is attributed to a probability distribution. The probability distribution associated with cost or duration describes the variance of these random variables. A common distribution of probabilistic estimates for cost and schedule is the Triangle Distribution. The Triangle Distribution in Figure 2 can be used as a subjective description of a population for which there is only limited sample data, and especially where the relationship between variables is known but data is scarce. It is based on the knowledge of the minimum and maximum and a “best guess” of the modal value (the Most Likely). Using the Triangle Distribution for cost and duration, a Monte Carlo simulation of the network of activities and their costs can be performed. In technical terms, Monte Carlo methods numerically transform and integrate the posterior quantitative risk assessment into a confidence interval. The result is a “confidence” model for the cost and completion times for the project based on the upper and lower bounds of each distribution assigned to the duration and cost. Integrating Cost, Schedule, and Technical Performance In many project management methods – cost, schedule, and quality are described as an “Iron Triangle.” Change one and the other two must change. This is too narrow a view of what's happening on a project. It’s the Technical Performance Measurement that replaces Quality. Quality is one Technical Performance measure. Cost and Schedule are obvious elements of the project. Technical Performance Measures (TPM) describes the status of technical achievement of the project at any point in time. The planned technical achievement is part of the Performance Measurement Baseline (PMB). The Technical Performance Measurement System (TPMS) uses the Figure 3 – the “new” triangle must be used. techniques of risk analysis and probability to provide project managers One where cost, schedule, and technical with the early warnings needed to avoid unplanned costs and slippage performance are interconnected. in schedule. Systems engineering uses technical performance measurements to balance cost, schedule, and performance throughout the project life cycle. Connecting Cost, Schedule, and Technical Performance Measures closes the loop on how well a project is achieving its technical performance requirements while maintaining its cost and schedule goals. IEEE 1220, EIA 632, and "A Guide to the Project Management Body of Knowledge“all provide guidance for TPM planning and 4 measurement and for integrating TPM with cost and schedule performance measures (Earned Value). Technical performance measurements compare actual versus planned technical development and design. They report the degree to which system requirements are met in terms of performance, cost, schedule, and progress in implementing risk retirement. Technical Performance Measures are traceable to user–defined capabilities. Integrating these three attributes produce a Performance Measurement Baseline that:  Is a plan driven by product quality requirements rather than work or effort requirements?  Focuses on technical maturity and quality, in addition to cost and schedule.  Focuses on progress toward meeting success criteria of technical reviews.  Enables insightful variance analysis.  Ensures a lean and cost–effective approach to project planning and controls.  Enables scalable scope and complexity depending on risk.  Integrates risk management activities with the performance measurement baseline.  Integrates risk management outcomes into the Estimate at Completion. The Cost and Schedule “measures” are straightforward in most cases. The measures of Technical Performance involve measures Effectiveness and Performance. Measures of Effectiveness (MOE) are the operational mission success factor defined by the customer. These are: 4 Performance Based Earned Value, Paul Solomon and Ralph Young, John Wiley & Sons, 2006. 4 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503
March Risk Management is How Adults Manage Projects† 2008 1. Stated from the customer point of view 2. Focused on the most critical mission performance needs 3. Independent of any particular solution 4. Actual measures at the end of development Measures of Performance (MOP) characterize physical or functional attributes relating to the system operation: 5. Supplier’s point of view 6. Measured under specified testing or operational conditions 7. Assesses delivered solution performance against critical system level specified requirements 8. Risk indicators that are monitored progressively Programmatic Risk Must Follow a Well Defined Process Using an ad hoc risk management process is its self risky. The first place to start to look for risk management processes is where managing risk is mandatory – aerospace, defense, and mission critical projects and projects. These also include ERP and Enterprise IT projects. Technical performance is a concept absent from the traditional approaches to risk management. Yet it is the primary driver of risk in many technology intensive projects. Cost growth and schedule slippage often occur when unrealistically high levels of performance are required and little flexibility is provided to degrade performance during the course of the project. Quality is Figure 4 – this risk management process is the “gold standard.” Anything less is inviting additional risk. often a cause rather than an impact to the project and can generally be broken down into Cost, Performance, and Schedule components. The framework shown in Figure 4 provides guidance for:  Risk management policy  Risk management structure  Risk Management Process Model  Organizational and behavioral considerations for implementing risk management  The performance dimension of consequence of occurrence  The performance dimension of Monte Carlo simulation modeling  A structured approach for developing a risk handling strategy Risk Communication To be effective the activities of risk management must properly communicate risk to all the participants. Risk is usually a term to be avoided in normal business. Being in the risk management business is not desirable in most businesses – except insurance. It is common to “avoid” the discussion of risk. Communicating risk is the first step in managing risk. Listing the risks and making them public is necessary but far from sufficient. Risk communication is the basis of risk mitigation and retirement. It serves no purpose to have a risk management plan and the defined mitigations in the absence of a risk communication. The Risk Management Plan must address:  Executive summary – a short summary of the project and the risks associated with the activities of the project. Each risk needs an ordinal rank, a planned mitigation is the risk is active (a risk approved by the Risk Board), and the mitigations shown in the schedule with associated costs.  Project description – a detailed description of the project and the risk associated with each of the deliverables.  Risk reduction activities by phase – using some formal risk management process that connects risk, mitigation and the IMS. The efforts for mitigation need to be in the schedule. 5 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503
March Risk Management is How Adults Manage Projects† 2008 5  Risk management methodology – using the DoD Risk Management process is a good start. This approach is proven and approved by high risk, high reward projects. The steps in the processes are not optional and should be executed for ALL risk processes. In order to communicate risk, a clear and concise language is needed. English is not the best choice. Ambiguity and interpretation are two issues. Communicating in mathematical terms is also a problem, since the symbols and units of measure may be confusing. 6 Figure 5 is from the Active Risk Manager tool that connects risk management with the scheduling system. ARM is a proprietary risk management system, but illustrates how risk is retired over time in accordance with a plan. The concept shows explicitly when each risk will be “bought down” or “retired” during the project execution. The Risk Registry and the Integrated Master Schedule must be connected in some way. Without this connection, there is no Risk Management process that can be used to forecast impacts on cost or schedule. Figure 5 – this risk retirement waterfall shows where in the plan risk will be mitigated or retired. At each project maturity point, current risks, the planned retirements of these risks, and the impact of the project must be visible in the schedule. With these connections, project managers can then answer the questions:  What happens if this risk is not retired?  What effort is needed to retire this risk before a specific point in time?  If this risk becomes an issue, what is Plan-B? How much will Plan-B cost? What is the impact of Plan-B on the deliverables?  What cost and schedule reserve is needed to cover all the currently active risks? Wrap Up Once cost, schedule, and techncial performance are integrated into the Performance Measurement Baseline, risk management can be applied to all three elements. With these connections in place, the project management team can say with confidence – “we are doing risk management on this project.” The final reminder is to make sure all five elements of risk management are present. Leaving one out not only reduces the effectiveness of the risk management process, but increases in the risk to the project. Project risk management is a Practice. The theory of Project Risk Management is important, but the Practice is how project risk gets managed. Risk Management Process Without identifying all risk, providing mitigations and retirement plans, and having Hope is not a strategy Plan-B’s for all risks, hope is the only result Each value for cost, duration, and technical performance is actually a random variable. Single point estimates are wrong Knowing the underlying probability distribution is the start of understanding the impact of this randomness on the success of the project Integrate Cost, Schedule, and Managing the tradeoffs between these three dependent variables is the role of project Technical Performance management in the presence of uncertainty Use a Formal Risk Management Following the guidance of proven methods is simply good project management. Go it Process alone, or making it up as you go is simply poor project management In order to “manage in the presence of uncertainty” all participates must be on the Risk Communication is everything same page. Communication is the glue that engages all the participants in the conversation about managing in the presence of risk. 5 Risk Management Guide for DoD Acquisition 2003 (Fifth Edition, Version 2.0), www.dau.mil/pubs/gbbks/risk_management.asp 6 www.strategicthought.com 6 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503

More Related Content

PDF
Cancel Culture: You Can Run But You Can't Hide
Falcon.io
 
PDF
Microsoft to Acquire LinkedIn: Overview for Investors
Microsoft
 
PDF
The Science of Memorable Presentations
Ethos3
 
PDF
Top 10 lessons about brand experience marketing from Cannes Lions
Jack Morton Worldwide
 
PDF
The Ultimate Marketing Guide to Snapchat
Ross Simmonds
 
PDF
How to Audit Your Social Media Performance - Social Media Audit
Ashley Segura
 
PPTX
5W’s of social media
Tess Zevenbergen
 
PDF
Waze Pitch Deck
XavierRoss4
 
Cancel Culture: You Can Run But You Can't Hide
Falcon.io
 
Microsoft to Acquire LinkedIn: Overview for Investors
Microsoft
 
The Science of Memorable Presentations
Ethos3
 
Top 10 lessons about brand experience marketing from Cannes Lions
Jack Morton Worldwide
 
The Ultimate Marketing Guide to Snapchat
Ross Simmonds
 
How to Audit Your Social Media Performance - Social Media Audit
Ashley Segura
 
5W’s of social media
Tess Zevenbergen
 
Waze Pitch Deck
XavierRoss4
 

What's hot (16)

PPTX
Social Media Product Launch
BzzAgent
 
PDF
Social Media Presentation
Dakota Byard
 
PDF
Instagram Digital Marketing
GurleenKaur135
 
PPTX
Insights from our Workplace Learning Report
LinkedIn Learning Solutions
 
PPTX
10 Powerful Body Language Tips for your next Presentation
SOAP Presentations
 
PDF
IQ Work Hacks : Verbal communication
InterQuest Group
 
PPTX
Hashtags
harshit610
 
PDF
10 Things your Audience Hates About your Presentation
Stinson
 
PPTX
Social Media Marketing for Millennials and Gen Z
FIG or out
 
PPTX
How To Increase Social Media Reach
OmnePresent
 
PDF
It's a Slideshow About Nothing
Shahar Goldfinger
 
PDF
Social Media for Time-Strapped Entrepreneurs
We Are Social Singapore
 
PDF
Cowen Nikola Initiation Report
Hindenburg Research
 
PDF
Alibaba roadshow presentation
Pierre Poignant
 
PPTX
Teenage Suicide
Tauhid Iqbali
 
PDF
The Road to Financial Wellness
Experian_US
 
Social Media Product Launch
BzzAgent
 
Social Media Presentation
Dakota Byard
 
Instagram Digital Marketing
GurleenKaur135
 
Insights from our Workplace Learning Report
LinkedIn Learning Solutions
 
10 Powerful Body Language Tips for your next Presentation
SOAP Presentations
 
IQ Work Hacks : Verbal communication
InterQuest Group
 
Hashtags
harshit610
 
10 Things your Audience Hates About your Presentation
Stinson
 
Social Media Marketing for Millennials and Gen Z
FIG or out
 
How To Increase Social Media Reach
OmnePresent
 
It's a Slideshow About Nothing
Shahar Goldfinger
 
Social Media for Time-Strapped Entrepreneurs
We Are Social Singapore
 
Cowen Nikola Initiation Report
Hindenburg Research
 
Alibaba roadshow presentation
Pierre Poignant
 
Teenage Suicide
Tauhid Iqbali
 
The Road to Financial Wellness
Experian_US
 
Ad

Similar to Programmatic risk management (20)

PDF
Risk management (final review)
Glen Alleman
 
PDF
Risk management (final review)
Glen Alleman
 
DOCX
Risk management 4th in a series
Glen Alleman
 
DOCX
Table of Contents Project Outline. …………………………………………………………………….docx
MARRY7
 
PDF
Who would ever fore see risk identification? by Dr.Mahboob ali khan Phd
Healthcare consultant
 
PDF
Risk Management
Glen Alleman
 
PDF
Project Management C7 -risk_management
Izah Asmadi
 
PDF
Risky Business
3gamma
 
PDF
Software Project Risks Management (1).pdf
ShivareddyGangam
 
PPTX
Project Risk Management
Kaustubh Gupta
 
PDF
Project Risk Management
Kelvin Fredson
 
PPTX
Project risk management
Karishma Chaudhary
 
PDF
Immutable principles of project management
Glen Alleman
 
DOCX
Continuous Risk Management
Glen Alleman
 
PDF
Information Technology Project Management Providing Measurable Organizational...
bagangtutala
 
PDF
Conversations oneffectiveit management
Computer Aid, Inc
 
PDF
Project risk management
Marco Sampietro
 
PPT
Comprehensive Overview Of Risk Management
Andrew Valenti
 
PPT
Project Risk management
CMA (Dr.) Ashok Panigrahi
 
PDF
Ch_1_PRM.pdf
AronHailesellasieAbr
 
Risk management (final review)
Glen Alleman
 
Risk management (final review)
Glen Alleman
 
Risk management 4th in a series
Glen Alleman
 
Table of Contents Project Outline. …………………………………………………………………….docx
MARRY7
 
Who would ever fore see risk identification? by Dr.Mahboob ali khan Phd
Healthcare consultant
 
Risk Management
Glen Alleman
 
Project Management C7 -risk_management
Izah Asmadi
 
Risky Business
3gamma
 
Software Project Risks Management (1).pdf
ShivareddyGangam
 
Project Risk Management
Kaustubh Gupta
 
Project Risk Management
Kelvin Fredson
 
Project risk management
Karishma Chaudhary
 
Immutable principles of project management
Glen Alleman
 
Continuous Risk Management
Glen Alleman
 
Information Technology Project Management Providing Measurable Organizational...
bagangtutala
 
Conversations oneffectiveit management
Computer Aid, Inc
 
Project risk management
Marco Sampietro
 
Comprehensive Overview Of Risk Management
Andrew Valenti
 
Project Risk management
CMA (Dr.) Ashok Panigrahi
 
Ch_1_PRM.pdf
AronHailesellasieAbr
 
Ad

More from Glen Alleman (20)

PDF
Managing risk with deliverables planning
Glen Alleman
 
PDF
A Gentle Introduction to the IMP/IMS
Glen Alleman
 
PDF
Increasing the Probability of Project Success
Glen Alleman
 
PDF
Process Flow and Narrative for Agile+PPM
Glen Alleman
 
PDF
Practices of risk management
Glen Alleman
 
PDF
Principles of Risk Management
Glen Alleman
 
PDF
Deliverables Based Planning, PMBOK® and 5 Immutable Principles of Project Suc...
Glen Alleman
 
PDF
From Principles to Strategies for Systems Engineering
Glen Alleman
 
PDF
NAVAIR Integrated Master Schedule Guide guide
Glen Alleman
 
PDF
Building a Credible Performance Measurement Baseline
Glen Alleman
 
PDF
Integrated master plan methodology (v2)
Glen Alleman
 
PDF
IMP / IMS Step by Step
Glen Alleman
 
PDF
DHS - Using functions points to estimate agile development programs (v2)
Glen Alleman
 
PDF
Making the impossible possible
Glen Alleman
 
PDF
Heliotropic Abundance
Glen Alleman
 
PDF
Capabilities based planning
Glen Alleman
 
PDF
Process Flow and Narrative for Agile
Glen Alleman
 
PDF
Building the Performance Measurement Baseline
Glen Alleman
 
PPTX
Program Management Office Lean Software Development and Six Sigma
Glen Alleman
 
PDF
Policy and Procedure Rollout
Glen Alleman
 
Managing risk with deliverables planning
Glen Alleman
 
A Gentle Introduction to the IMP/IMS
Glen Alleman
 
Increasing the Probability of Project Success
Glen Alleman
 
Process Flow and Narrative for Agile+PPM
Glen Alleman
 
Practices of risk management
Glen Alleman
 
Principles of Risk Management
Glen Alleman
 
Deliverables Based Planning, PMBOK® and 5 Immutable Principles of Project Suc...
Glen Alleman
 
From Principles to Strategies for Systems Engineering
Glen Alleman
 
NAVAIR Integrated Master Schedule Guide guide
Glen Alleman
 
Building a Credible Performance Measurement Baseline
Glen Alleman
 
Integrated master plan methodology (v2)
Glen Alleman
 
IMP / IMS Step by Step
Glen Alleman
 
DHS - Using functions points to estimate agile development programs (v2)
Glen Alleman
 
Making the impossible possible
Glen Alleman
 
Heliotropic Abundance
Glen Alleman
 
Capabilities based planning
Glen Alleman
 
Process Flow and Narrative for Agile
Glen Alleman
 
Building the Performance Measurement Baseline
Glen Alleman
 
Program Management Office Lean Software Development and Six Sigma
Glen Alleman
 
Policy and Procedure Rollout
Glen Alleman
 

Recently uploaded (20)

PDF
WRN_Investor_Presentation_August 2025.pdf
cmagee4
 
PDF
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
Claight Corporation
 
PPTX
Probability Distribution, binomial distribution, poisson distribution
gayusakktivel
 
PDF
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
thaoonguyenn2311
 
PDF
Deliverable file - Regulatory guideline analysis.pdf
Quan Risk
 
DOCX
unit 1 COST ACCOUNTING AND COST SHEET
MANJU N
 
PDF
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
ZAMANYousufzai1
 
PPTX
Lecture (1)-Introduction.pptx business communication
HamzaGhani10
 
PDF
SIMNET Inc – 2023’s Most Trusted IT Services & Solution Provider
sidnik500
 
PDF
DOC-20250806-WA0002._20250806_112011_0000.pdf
dhanusriss08
 
PDF
Katrina Stoneking: Shaking Up the Alcohol Beverage Industry
CIO WOMEN MAGAIZNE CIO WOMEN MAGAIZNE
 
PDF
Power and position in leadershipDOC-20250808-WA0011..pdf
meghavinikumar2006
 
DOCX
Euro SEO Services 1st 3 General Updates.docx
AmirNazir49
 
PPT
Data mining for business intelligence ch04 sharda
salmaalsaeed3
 
PPT
340036916-American-Literature-Literary-Period-Overview.ppt
carinaherdiles611
 
PDF
Types of control:Qualitative vs Quantitative
reshmaaslm06
 
PPTX
CkgxkgxydkydyldylydlydyldlyddolydyoyyU2.pptx
DSAISUBRAHMANYAAASHR
 
PDF
A Brief Introduction About Julia Allison
Julia Allison
 
PDF
Reconciliation AND MEMORANDUM RECONCILATION
MANJU N
 
PDF
IFRS Notes in your pocket for study all the time
jjj81507
 
WRN_Investor_Presentation_August 2025.pdf
cmagee4
 
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
Claight Corporation
 
Probability Distribution, binomial distribution, poisson distribution
gayusakktivel
 
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
thaoonguyenn2311
 
Deliverable file - Regulatory guideline analysis.pdf
Quan Risk
 
unit 1 COST ACCOUNTING AND COST SHEET
MANJU N
 
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
ZAMANYousufzai1
 
Lecture (1)-Introduction.pptx business communication
HamzaGhani10
 
SIMNET Inc – 2023’s Most Trusted IT Services & Solution Provider
sidnik500
 
DOC-20250806-WA0002._20250806_112011_0000.pdf
dhanusriss08
 
Katrina Stoneking: Shaking Up the Alcohol Beverage Industry
CIO WOMEN MAGAIZNE CIO WOMEN MAGAIZNE
 
Power and position in leadershipDOC-20250808-WA0011..pdf
meghavinikumar2006
 
Euro SEO Services 1st 3 General Updates.docx
AmirNazir49
 
Data mining for business intelligence ch04 sharda
salmaalsaeed3
 
340036916-American-Literature-Literary-Period-Overview.ppt
carinaherdiles611
 
Types of control:Qualitative vs Quantitative
reshmaaslm06
 
CkgxkgxydkydyldylydlydyldlyddolydyoyyU2.pptx
DSAISUBRAHMANYAAASHR
 
A Brief Introduction About Julia Allison
Julia Allison
 
Reconciliation AND MEMORANDUM RECONCILATION
MANJU N
 
IFRS Notes in your pocket for study all the time
jjj81507
 

Programmatic risk management

  • 1. Programmatic Risk Management Risk Management is How Adults Manage Projects Glen B. Alleman Niwot Ridge, LLC glen.alleman@niwotridge.com
  • 2. March Risk Management is How Adults Manage Projects† 2008 1 Risk management is essential for the success of any significant project. Information about key project cost, performance, and schedule attributes is often unknown until the project is underway. Risks identified early in the project that impacts the project later are often termed “known unknowns.” These risks can be mitigated, reduced, or retired with a risk management process. For risks that are beyond the vision of the project team, a properly implemented risk management process can also rapidly quantify the risks impact and provide sound plans for mitigating their affects. Risk management is concerned with the outcome of a future event. Events whose impacts are unknown. Risk management is about dealing with this uncertainty. Outcomes are categorized as favorable or unfavorable. Risk management is the art and science of planning, assessing, handling, and monitoring future events to ensure favorable outcomes. A good risk management process is proactive and fundamentally different than reactive issue management or problem solving. This paper describes the fundamentals of Risk Management with 5 simple concepts: 1. Hope is not a strategy – Hoping that something positive happens or something negative will not happen does not lead to success. Preparing for success is the basis of success. 2. All single point estimates are wrong – Single point estimates of cost, schedule, and technical performance are no better than 50/50 guesses in the absence of knowledge about the variances of the underlying distribution. 3. Without integrating Cost, Schedule, and Technical Performance, you are driving in the rearview mirror. The effort to produce the product or service and the resulting value cannot be made without making these connections. 4. Without a model for risk management, you are driving in the dark with the headlights off – Risk management is not an ad hoc process that you can make up as you go. A formal foundation for risk management is needed. Choose one that has worked in high-risk domains – defense, nuclear power, manned spaceflight, or examples. 5. Risk Communication is everything – Identifying risks without communicating them is a waste of time for all the participants. Risk management is an important skill that can be applied to a wide variety of projects. In an era of downsizing, consolidation, shrinking budgets, increasing technological sophistication, and shorter development times, risk management provides valuable insight to help key project personnel plan for risks. It alerts them to potential risk issues, which can then be analyzed, and plans develop, implemented, and monitored to address risks before they surface as issues and adversely affect project cost, performance, and schedule. Hope is Not a Strategy Hoping that the project will proceed as planned is not a strategy for success. Project managers who constantly seek ways to eliminate or control risk, variance and uncertainly are engaging in a hopeless pursuit. Managing “in the presence” of risk, variance, and uncertainty is the key to success. Some projects have few uncertainties –only the complexity of tasks and relationships is important – but most projects are characterized by several types of uncertainty. Although each uncertainty type is distinct, a single project may encounter some 2 combination of four types: 1. Variation – comes from many small influences and yields a range of values in a particular activity. Attempting to control these variances outside their natural boundaries is a waste of time. 2. Foreseen Uncertainties – are identifiable and understood influences that the team cannot be sure will occur. There needs to be a mitigation plan for these foreseen uncertainties. 3. Unforeseen Uncertainties – can’t be identified during project planning. When these occur, a new plan is needed. 4. Chaos – appears in the presence of “unknown unknowns” and must be addressed through a replanning process. 1 “Risk Management during Requirements,” Tom DeMarco and Tim Lister, IEEE Software, September/October, 2003 2 “Managing Project Uncertainty: From Variation to Chaos,” Arnoud De Meyer, Christoph H. Loch and Michael T. Pich, MIT Sloan Management Review, Winter 2002 † “How Much Risk is Too Much Risk,” Tim Lister, Boston SPIN, 20 January 2004 2 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503
  • 3. March Risk Management is How Adults Manage Projects† 2008 Plans are strategies for the successful completion of the project. Plans are different than schedules. Schedules show “how” the project will be executed. Plans show “what” accomplishments must be performed and the success criteria for these accomplishments along the way to completion. The Plan describes the increasing maturity of the project through assessment points. The unit of measure for this maturity must be meaningful to the stakeholders. Something that can be connected to the investment they have made in the project. When we speak the word “Hope,” it lays the foundation for failure. In the use of Hope, we really mean “success is possible but not probable.” When we speak the word Figure 1 – The Plan for the project must assure risk is being “Plan,” it does not assure success, but success is a probable reduced in proportion to the project’s tolerance for risk outcome. It is the definition of the probability of success P(s), that is the foundation of the Plan. Having a Plan–A, Plan–B, and possibly a Plan–C exposes risk, assigns 3 mitigations, and measures the probability of success. The idea of a Plan as a Strategy is critical to making changes in the behavior of the project teams that can lead to “risk adjusted project management.” Without a Plan, the schedule is simply a list of activities to be performed. The reason for their performance may be understood, but it is unlikely these activities fit in any cohesive Strategy. Strategies have goals, critical success factors, and key performance indicators. Project Strategies – the Master Plan – must also contain goals, critical success factors, and key performance indicators that assure the project is making physical progress in the presence of uncertainty in cost, schedule, and technical performance. No Single Point Estimate of Cost, Schedule or Technical Performance Can Correct How long will this take? How much is it going to cost? Will the product or service meet the requirements that are defined for any specific point in time? What is the confidence in those numbers? These are three questions that must be answered for the project team to have a credible discussion with the stakeholders about success. Deciding what accuracy is needed to provide a credible answer is a starting point. But that does not address the question – “how can that accuracy be obtained.” There are many checklists for estimating cost and schedule, with simple guidance on how to build estimates. Most of this advice is wrong in a fundamental way. The numbers produced by the estimating process do not have their variance defined in any statistically sound manner. By statistically sound it means that the underlying probability distributions are known. If they are not known, then some form of estimating taking this unknown into account must be used. The Project Management Institute (PMI) advices producing three estimates – optimistic, most likely, pessimistic. But these numbers are fraught with error. We can’t tell how these numbers were arrived at? Are they based on best engineering judgment? Based in historical data? What is nd the variance on the variance of this distribution – the 2 standard deviation? In the absence of this information, they are of little use in estimating risk. The use of point estimates for duration and cost is the first approach in an organization low on the project management maturity scale. Understanding that cost and durations are actually “random variables,” drawn from an underlying distribution of possible value is the starting point for managing in the presence of uncertainty. Figure 2 – triangle distributions are useful when there is limited information about the characteristics of the random variables are all that is available. 3 “Probability of Success Operations Guide, Acquisition, Logistics & Technology Enterprise Systems & Services, Office of the Assistant Security of the Army for Acquisition 3 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503
  • 4. March Risk Management is How Adults Manage Projects† 2008 In probability theory, every random variable is attributed to a probability distribution. The probability distribution associated with cost or duration describes the variance of these random variables. A common distribution of probabilistic estimates for cost and schedule is the Triangle Distribution. The Triangle Distribution in Figure 2 can be used as a subjective description of a population for which there is only limited sample data, and especially where the relationship between variables is known but data is scarce. It is based on the knowledge of the minimum and maximum and a “best guess” of the modal value (the Most Likely). Using the Triangle Distribution for cost and duration, a Monte Carlo simulation of the network of activities and their costs can be performed. In technical terms, Monte Carlo methods numerically transform and integrate the posterior quantitative risk assessment into a confidence interval. The result is a “confidence” model for the cost and completion times for the project based on the upper and lower bounds of each distribution assigned to the duration and cost. Integrating Cost, Schedule, and Technical Performance In many project management methods – cost, schedule, and quality are described as an “Iron Triangle.” Change one and the other two must change. This is too narrow a view of what's happening on a project. It’s the Technical Performance Measurement that replaces Quality. Quality is one Technical Performance measure. Cost and Schedule are obvious elements of the project. Technical Performance Measures (TPM) describes the status of technical achievement of the project at any point in time. The planned technical achievement is part of the Performance Measurement Baseline (PMB). The Technical Performance Measurement System (TPMS) uses the Figure 3 – the “new” triangle must be used. techniques of risk analysis and probability to provide project managers One where cost, schedule, and technical with the early warnings needed to avoid unplanned costs and slippage performance are interconnected. in schedule. Systems engineering uses technical performance measurements to balance cost, schedule, and performance throughout the project life cycle. Connecting Cost, Schedule, and Technical Performance Measures closes the loop on how well a project is achieving its technical performance requirements while maintaining its cost and schedule goals. IEEE 1220, EIA 632, and "A Guide to the Project Management Body of Knowledge“all provide guidance for TPM planning and 4 measurement and for integrating TPM with cost and schedule performance measures (Earned Value). Technical performance measurements compare actual versus planned technical development and design. They report the degree to which system requirements are met in terms of performance, cost, schedule, and progress in implementing risk retirement. Technical Performance Measures are traceable to user–defined capabilities. Integrating these three attributes produce a Performance Measurement Baseline that:  Is a plan driven by product quality requirements rather than work or effort requirements?  Focuses on technical maturity and quality, in addition to cost and schedule.  Focuses on progress toward meeting success criteria of technical reviews.  Enables insightful variance analysis.  Ensures a lean and cost–effective approach to project planning and controls.  Enables scalable scope and complexity depending on risk.  Integrates risk management activities with the performance measurement baseline.  Integrates risk management outcomes into the Estimate at Completion. The Cost and Schedule “measures” are straightforward in most cases. The measures of Technical Performance involve measures Effectiveness and Performance. Measures of Effectiveness (MOE) are the operational mission success factor defined by the customer. These are: 4 Performance Based Earned Value, Paul Solomon and Ralph Young, John Wiley & Sons, 2006. 4 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503
  • 5. March Risk Management is How Adults Manage Projects† 2008 1. Stated from the customer point of view 2. Focused on the most critical mission performance needs 3. Independent of any particular solution 4. Actual measures at the end of development Measures of Performance (MOP) characterize physical or functional attributes relating to the system operation: 5. Supplier’s point of view 6. Measured under specified testing or operational conditions 7. Assesses delivered solution performance against critical system level specified requirements 8. Risk indicators that are monitored progressively Programmatic Risk Must Follow a Well Defined Process Using an ad hoc risk management process is its self risky. The first place to start to look for risk management processes is where managing risk is mandatory – aerospace, defense, and mission critical projects and projects. These also include ERP and Enterprise IT projects. Technical performance is a concept absent from the traditional approaches to risk management. Yet it is the primary driver of risk in many technology intensive projects. Cost growth and schedule slippage often occur when unrealistically high levels of performance are required and little flexibility is provided to degrade performance during the course of the project. Quality is Figure 4 – this risk management process is the “gold standard.” Anything less is inviting additional risk. often a cause rather than an impact to the project and can generally be broken down into Cost, Performance, and Schedule components. The framework shown in Figure 4 provides guidance for:  Risk management policy  Risk management structure  Risk Management Process Model  Organizational and behavioral considerations for implementing risk management  The performance dimension of consequence of occurrence  The performance dimension of Monte Carlo simulation modeling  A structured approach for developing a risk handling strategy Risk Communication To be effective the activities of risk management must properly communicate risk to all the participants. Risk is usually a term to be avoided in normal business. Being in the risk management business is not desirable in most businesses – except insurance. It is common to “avoid” the discussion of risk. Communicating risk is the first step in managing risk. Listing the risks and making them public is necessary but far from sufficient. Risk communication is the basis of risk mitigation and retirement. It serves no purpose to have a risk management plan and the defined mitigations in the absence of a risk communication. The Risk Management Plan must address:  Executive summary – a short summary of the project and the risks associated with the activities of the project. Each risk needs an ordinal rank, a planned mitigation is the risk is active (a risk approved by the Risk Board), and the mitigations shown in the schedule with associated costs.  Project description – a detailed description of the project and the risk associated with each of the deliverables.  Risk reduction activities by phase – using some formal risk management process that connects risk, mitigation and the IMS. The efforts for mitigation need to be in the schedule. 5 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503
  • 6. March Risk Management is How Adults Manage Projects† 2008 5  Risk management methodology – using the DoD Risk Management process is a good start. This approach is proven and approved by high risk, high reward projects. The steps in the processes are not optional and should be executed for ALL risk processes. In order to communicate risk, a clear and concise language is needed. English is not the best choice. Ambiguity and interpretation are two issues. Communicating in mathematical terms is also a problem, since the symbols and units of measure may be confusing. 6 Figure 5 is from the Active Risk Manager tool that connects risk management with the scheduling system. ARM is a proprietary risk management system, but illustrates how risk is retired over time in accordance with a plan. The concept shows explicitly when each risk will be “bought down” or “retired” during the project execution. The Risk Registry and the Integrated Master Schedule must be connected in some way. Without this connection, there is no Risk Management process that can be used to forecast impacts on cost or schedule. Figure 5 – this risk retirement waterfall shows where in the plan risk will be mitigated or retired. At each project maturity point, current risks, the planned retirements of these risks, and the impact of the project must be visible in the schedule. With these connections, project managers can then answer the questions:  What happens if this risk is not retired?  What effort is needed to retire this risk before a specific point in time?  If this risk becomes an issue, what is Plan-B? How much will Plan-B cost? What is the impact of Plan-B on the deliverables?  What cost and schedule reserve is needed to cover all the currently active risks? Wrap Up Once cost, schedule, and techncial performance are integrated into the Performance Measurement Baseline, risk management can be applied to all three elements. With these connections in place, the project management team can say with confidence – “we are doing risk management on this project.” The final reminder is to make sure all five elements of risk management are present. Leaving one out not only reduces the effectiveness of the risk management process, but increases in the risk to the project. Project risk management is a Practice. The theory of Project Risk Management is important, but the Practice is how project risk gets managed. Risk Management Process Without identifying all risk, providing mitigations and retirement plans, and having Hope is not a strategy Plan-B’s for all risks, hope is the only result Each value for cost, duration, and technical performance is actually a random variable. Single point estimates are wrong Knowing the underlying probability distribution is the start of understanding the impact of this randomness on the success of the project Integrate Cost, Schedule, and Managing the tradeoffs between these three dependent variables is the role of project Technical Performance management in the presence of uncertainty Use a Formal Risk Management Following the guidance of proven methods is simply good project management. Go it Process alone, or making it up as you go is simply poor project management In order to “manage in the presence of uncertainty” all participates must be on the Risk Communication is everything same page. Communication is the glue that engages all the participants in the conversation about managing in the presence of risk. 5 Risk Management Guide for DoD Acquisition 2003 (Fifth Edition, Version 2.0), www.dau.mil/pubs/gbbks/risk_management.asp 6 www.strategicthought.com 6 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503