Risk management 4th in a series
Download as DOCX, PDF0 likes223 views
Risk management is essential for project success and involves dealing with uncertainty through identifying and mitigating risks. A good risk management process is proactive and connects risk, cost, schedule, and technical performance. It should follow a defined methodology like the Department of Defense process and communicate risks and mitigation plans. Effective risk management integrates risks into project schedules and estimates to allow monitoring and response if risks become issues.
Risk management 4th in a series
- 1. Risk Management is How Adults Manage Projects March 2010 1 Niwot Ridge Consulting 4347 PebbleBeach Drive Niwot, Colorado 80503 : 303.241.9633 : glen.alleman@niwotridge.com Risk management is essential for the success of any significantproject. 1 Information aboutkey projectcost, performance, and scheduleattributes is often unknown until the projectis underway. Risks that can be identified early in the project that impacts the projectlater are often termed “known unknowns.” These risks can be mitigated, reduced, or retired with a risk management process.For risks thatare beyond the vision of the project team a properly implemented risk management process can also rapidly quantify therisks impactand provide sound plans for mitigatingits affect. Risk management is concerned with the outcomes of a future event. Events whose impacts areunknown. Risk management is aboutdealingwith this uncertainty.Outcomes are categorized as favorableor unfavorable.Risk management is the artand science of planning,assessing,handling,and monitoringfuture events to ensure favorableoutcomes. A good risk management process is proactiveand fundamentally differentthan reactive issue management or problem solving. This paper describes the fundamentals of Risk Management with 5 simpleconcepts: 1. Hope is not a strategy – Hoping that something positive happens will notlead to success.Preparingfor success is thebasis of success. 2. All singlepointestimates arewrong – Single pointestimates of cost, scheduleand technical performance are no better than 50/50 guesses in the absence of knowledge about the variances of the underlying distribution. 3. Without integratingCost, Schedule and Technical Performanceyou are drivingin the rearview mirror.The effort to produce the productor serviceand the resultingvaluecannotbe made without makingthese connections. 4. Without a model for risk management, you are drivingin the dark with the headlights turned off – Risk management is not an ad hoc process that you can make up as you go. A formal foundation for risk management is needed. Choose one that has worked in high risk domains –defense, nuclear power, manned spaceflight. 5. Risk Communication is everything – Identifyingrisks without communicating them is a waste of time. Risk management is an importantskill thatcan be applied to a wide variety of projects.In an era of downsizing, consolidation,shrinkingbudgets, increasingtechnological sophistication,and shorter development times, risk management provides valuableinsights to help key projectpersonnel plan for risks.It alerts them to potential risk issues,which can then be analyzed,and plans develop, implemented, and monitored to address risks beforethey surfaceas issues and adversely affect projectcost,performance, and schedule. Hope is Not a Risk Handling Strategy Hoping that the project will proceed as planned is not a strategy for success.These same project managers who constantly seek ways to eliminateor control risk,varianceand uncertainly.This isa hopeless pursuit. Managing“in the presence” of risk,varianceand uncertainty is the key to success.Some projects have few uncertainties –only the complexity of tasks and relationshipsis important –but most projects are characterized by several types of uncertainty. Although each uncertainty type is distinct,a singleprojectmay encounter some combination of four types: 2 1. Variation – comes from many small influences and yields a rangeof values on a particularactivity. Attempting to control these variances outsidetheir natural boundaries isa wasteof time. 2. Foreseen Uncertainty – are uncertainties identifiableand understood influences that the team cannot be sure will occur.There needs to be a mitigation plan for these foreseen uncertainties. 3. Unforeseen Uncertainty – is uncertainty that can’t be identified duringproject planning.When these occur, a new plan is needed. 4. Chaos – appears in the presence of “unknown unknowns” 1 “Risk Management during Requirements,” TomDeMarco and TimLister, IEEESoftware, September/October,2003 2 “Managing ProjectUncertainty: From Variation to Chaos,”Arnoud DeMeyer, ChristophH. Loch andMichaelT. Pich, MIT Sloan Management Review, Winter 2002
- 2. Risk Management is How Adults Manage Projects March 2010 2 Niwot Ridge Consulting 4347 PebbleBeach Drive Niwot, Colorado 80503 : 303.241.9633 : glen.alleman@niwotridge.com Plans arestrategies for the successful completion of the project. Plans aredifferent than schedules.Schedules show “how” the projectwill be executed. Plans show“what” accomplishments mustbe performed and the success criteria for these accomplishments alongthe way to completion. The Plan describes the increasingmaturity of the project through “maturity assessment” points.The unit of measure for this maturity must be meaningful to the stakeholders. Something that can be connected to the investment they have made in the project. When we speak the word “Hope,” itlays the foundation for failure.In the use of Hope we really mean “success is possiblebutnot probable.” When we speak the word “Plan,” itdoes not assuresuccess,butsuccess isa probable outcome. It is the definition of the probability of success P(s), that is the foundation of the Plan. Havinga Plan–A, Plan–Band possibly a Plan–C exposes risk,assigns mitigations and measures the probability of success. The idea of a Plan as a Strategy is critical to makingchanges in the behavior of the project teams that can lead to “risk adjusted projectmanagement.” Without a Plan,the schedule is simply a listof activitiesto be performed. The reason for their performance may be understood, but itis unlikely theseactivities fitin any cohesiveStrategy. Strategies have goals,critical successfactors,and key performance indicators. No Single Point Estimate of Cost, Schedule or Technical Performance Can Correct How longwill this take? How much is itgoingto cost? What is the confidencein those two numbers? These are three questions that must be answered for the project team to have a crediblediscussion with the stakeholders about success. Decidingwhataccuracy is needed to provide a credibleanswer is a startingpoint. But that does not address the question – “how can that accuracy beobtained.” There are many check lists for estimating costand schedule, with simpleguidanceon how to build estimates.Most of this adviceis wrongin a fundamental way. The numbers produced by the estimatingprocess do not have their variancedefined in any statistically sound manner.By statistically sound itmeans that the underlyingprobability distributionsareknown. If they areno known, then some form of estimatingtakingthis unknown into account must be used. The Project Management Institute(PMI) advices producingthree estimates – optimistic,mostlikely,pessimistic. But these numbers are fraught with error. We can’t tell how these numbers were arrived at? Are they based on best engineering judgment? Based in historical data? Whatis the varianceon the variance of this distribution –the 2nd standard deviation? In the absence of this information,they are of littleusein estimating risk. The use of point estimates for duration and cost is the first approach in an organization lowon the project management maturity scale.Understanding that costand durations are actually “randomvariables,”drawn from an underlying distribution of possiblevalueis thestartingpointfor managing in the presence of uncertainty. In probability theory,every random variableis attributed to a probability distribution.Theprobability distribution associated with costor duration describes the varianceof these random variables.A common distribution of probabilisticestimates for costand scheduleis the TriangleDistribution. The TriangleDistribution in Figure 2 can be used as a subjectivedescription of a population for which there is only limited sampledata, and especially wherethe relationship between variablesis known but data is scarce.Itis based on Figure 1 –The Plan for the project mustassure risk is being reduced inproportion totheproject’s tolerancefor risk Figure 2 –triangle distributions areusefulwhen there is limitedinformationaboutthecharacteristics ofthe random variables areallthat is available.
- 3. Risk Management is How Adults Manage Projects March 2010 3 Niwot Ridge Consulting 4347 PebbleBeach Drive Niwot, Colorado 80503 : 303.241.9633 : glen.alleman@niwotridge.com the knowledge of the minimum and maximum and a “best guess” of the modal value(the Most Likely). Usingthe TriangleDistribution for costand duration,a Monte Carlo simulation of the network of activities and their costs can be performed. In technical terms, Monte Carlo methods numerically transformand integrate the posterior quantitativerisk assessmentinto a confidence interval.The resultis a “confidence” model for the cost and completion times for the project based on the upper and lower bounds of each distribution assigned to the duration and cost. Integrating Cost, Schedule, and Technical Performance In many project management methods – cost, scheduleand quality are described as an “Iron Triangle.”Change one and the other two must change. This is too narrowa view of what's happeningon a project. It’s the Technical PerformanceMeasurement that replaces Quality.Quality is one Technical Performancemeasure. Cost and Schedule are obvious elements of the project. Technical Performance Measures (TPM) describes the status of technical achievement of the project at any point in time. The planned technical achievement is partof the Performance Measurement Baseline (PMB). The Technical PerformanceMeasurement System (TPMS) uses the techniques of risk analysisand probability to provideproject managers with the early warnings needed to avoid unplanned costs and slippage in schedule. Systems engineering uses technical performance measurements to balancecost,schedule,and performance throughout the project lifecycle. Connecting Cost, Schedule, and Technical Performance Measures closes the loop on how well a project is achieving its technical performancerequirements whilemaintainingits costand schedulegoals.IEEE 1220,EIA 632 and "A Guide to the ProjectManagement Body of Knowledge“ all provideguidancefor TPM planningand measurement and for integrating TPM with cost and scheduleperformance measures (Earned Value). 3 Technical performancemeasurements compare actual versus planned technical development and design. They report the degree to which system requirements are met in terms of performance, cost, schedule,and progress in implementing risk retirement. Technical PerformanceMeasures are traceableto user–defined capabilities. Integrating these three attributes produces a Performance Measurement Baselinethat: Is a plan driven by product quality requirements rather than work or effort requirements? Focuses on technical maturity and quality,in addition to costand schedule. Focuses on progress toward meeting success criteria of technical reviews. Enables insightful varianceanalysis. Ensures a lean and cost–effective approach to project planningand controls. Enables scalablescopeand complexity depending on risk. Integrates risk management activities with the performance measurement baseline. Integrates risk management outcomes into the Estimate at Completion. The Cost and Schedule “measures” are straightforward in mostcases.The measures of Technical Performance involvemeasures Effectiveness and Performance. Measures of Effectiveness (MoE) arethe operational mission successfactor defined by the customer. These are: 1. Stated from the customer point of view. 2. Focused on the most critical mission performanceneeds. 3. Independent of any particular solution. 4. Actual measures at the end of development. 3 Performance Based Earned Value, Paul SolomonandRalphYoung,John Wiley & Sons, 2006. Figure 3 –the “new” trianglemust beused. One where cost, schedule, andtechnical performanceareinterconnected.
- 4. Risk Management is How Adults Manage Projects March 2010 4 Niwot Ridge Consulting 4347 PebbleBeach Drive Niwot, Colorado 80503 : 303.241.9633 : glen.alleman@niwotridge.com Measures of Performance (MOP) characterizephysical or functional attributes relatingto the system operation: 5. Supplier’s pointof view. 6. Measured under specified testing or operational conditions. 7. Assesses delivered solution performanceagainstcritical systemlevel specified requirements. 8. Risk indicatorsthataremonitored progressively. Programmatic Risk Must Follow a Well Defined Process Using an ad hoc risk management process is itself risky.The first placeto startto look for risk management processes is where managingrisk is mandatory – aerospace,defense, and mission critical projects and projects.These also includeERP and Enterprise IT projects. Technical performanceis a concept absentfrom the traditional approaches to risk management. Yet itis the primary driver of risk in many technology intensive projects.Cost growth and schedule slippageoften occur when unrealistically high levels of performance are required and littleflexibility is provided to degrade performance duringthe courseof the project. Quality is often a causerather than an impactto the projectand can generally be broken down into Cost, Performance, and Schedule components. The framework shown in Figure 4 provides guidancefor: Risk management policy Risk management structure Risk Management Process Model Organizational and behavioral considerationsfor implementingrisk management The performance dimension of consequence of occurrence The performance dimension of Monte Carlo simulation modeling A structured approach for developinga risk handlingstrategy Risk Communication To be effective the activities of risk management must properly communicate risk to all the participants.Risk is usually a term to be avoided in normal business.Beingin the risk management business is not desirablein most businesses –except insurance.Itis common to “avoid” the discussion of risk. Communicatingrisk is the firststep in managingrisk. Listingthe risks and makingthem public is necessary butfar from sufficient. Risk communication is the basis of risk mitigation and retirement. It serves no purpose to have a risk management plan and the defined mitigations in the absenceof a risk communication. The Risk Management Plan mustaddress: Executive summary – a short summary of the projectand the risks associated with the activities of the project. Each risk needs an ordinal rank,a planned mitigation is therisk is active(a risk approved by the Risk Board),and the mitigations shown in the schedulewith associated costs. Project description –a detailed description of the projectand the risk associated with each of the deliverables. Risk reduction activities by phase – usingsome formal risk management process that connects risk,mitigation and the IMS. The efforts for mitigation need to be in the schedule. Risk management methodology – usingthe DoD Risk Management process is a good start. 4 This approach is proven and approved by high risk,high reward projects.The steps in the processes arenot optional and should be executed for ALL risk processes. 4 Risk ManagementGuide for DoD Acquisition 2003(FifthEdition, Version2.0), www.dau.mil/pubs/gbbks/risk_management.asp Figure 4 –this risk management process is the“gold standard.” Anything less is inviting additional risk.
- 5. Risk Management is How Adults Manage Projects March 2010 5 Niwot Ridge Consulting 4347 PebbleBeach Drive Niwot, Colorado 80503 : 303.241.9633 : glen.alleman@niwotridge.com In order to communicate risk,a clear and conciselanguage is needed. English is notthe best choice.Ambiguity and interpretation aretwo issues.Communicatingin mathematical terms is also a problem,sincethe symbols and units of measure may be confusing. Figure 5 is from the Active Risk Manager 5 tool that connects risk management with the schedulingsystem. ARM is a proprietary risk management system, but illustrates howrisk is retired over time in accordancewith a plan. The concept shows explicitly when each risk will be“bought down” or “retired” duringthe project execution. The Risk Registry and the Integrated Master Schedule must be connected in some way. Without this connection, there is no Risk Management process thatcan be used to forecast impacts on costor schedule. At each project maturity point, current risks,the planned retirements of these risks,and the impact of the project must be visiblein the schedule. With these connections,project managers can then answer the questions: What happens if this risk is notmitigated? What effort is needed to retire this risk beforea specific pointin time? If this risk becomes an issue,what is Plan-B? How much will Plan-Bcost? Whatis the impactof Plan-Bon the deliverables? What costand schedulereserve is needed to cover all the currently activerisks? In the End Once cost, schedule,and techncial performanceare integrated into the Performance Measurement Baseline,risk management can be applied to all three elements. With these connections in place,the projectmanagement team can say with confidence – “we are doingrisk management on this project.” The final reminder is to make sureall fiveelements of risk management are present. Leaving one out not only reduces the effectiveness of the risk management process,but increases in the risk to the project. Project risk management is a Practice.The theory of ProjectRisk Management is important,but the Practiceis howproject risk gets managed. 5 www.strategicthought.com Figure 5 –this risk retirementwaterfallshows where in theplanrisk willbemitigatedor retired.