comprehensive overview of risk management
DESCRIPTION
A comprehensive overview of project risk management. Assumes a familiarity with fundamental concepts of project management.
TRANSCRIPT
(c) 2010 Valenti Partners All Rights Reserved

Risk Management
Andrew P. Valenti, Principal Consultant, Valenti Partners

Risk Management and Product Development
The list of Risks:
1. Risk management is an integral part of project management
2. Product development requires project management
3. Therefore, managing risk should be as natural as managing the schedule (but it isn’t)
Key Idea
[Figure: two images joined by "+", followed by "= Risk Management Methodology"]

What is Risk?
Risk is the possibility:
• Of being hurt. A lot of the time, people say risk, but are actually talking about probability, which is how likely something is to happen. To people who have jobs in judging risks, "risk" is not only how likely something bad is to happen, but also how bad it could be. (From Wikipedia).
• That an undesired outcome (or lack of a desired outcome) disrupts your project.
Risk management is the activity of identifying and controlling undesired project outcomes
Definition

What is Risk?
When you are dealing with risk there are always uncertainties
You can narrow, but not eliminate, the uncertainty, by:
• Clarifying the probability
• Understanding the consequences or alternatives
• Determining what drives the risk
Risk management helps you understand these factors and consistently sway them in your favor
The more precisely the position is determined, the less precisely the momentum is known in this instant, and vice versa. --Heisenberg, uncertainty paper, 1927

Risk vs. Issues
1. Events that are certain to occur are issues
2. Issues arise while identifying risks, but they proceed on a different action-planning track.
Key Idea

Time component
1. For every project risk, there is a time when it no longer exists
2. It is important to know when this termination time arrives so the risk can be removed
3. In some cases, termination time is distinct, in others it is ongoing.
4. Sometimes, the “time component” is manifest as a condition instead of time.
Risk always involves the possibility of some kind of loss

Determining a Risk Candidate
Candidate -> Uncertain? -> Loss Possible? -> Time Component? -> Risk
• Uncertain? Yes: go on to Loss Possible? No: Issue
• Loss Possible? Yes: go on to Time Component? No: No Impact
• Time Component? Yes: Risk. No: Irresolvable
The three components of a risk, which determine our ability to manage it.

Why Companies Fail in Managing Risk
Failure to address:
• Cross-functionality
• Pro-activeness

Why Companies Fail in Managing Risk
Cross functionality
• Unique, superior, differentiated products
• Strong market orientation
• Sharp, early fact-based product definition
• Solid market & technical research
• Cross-functional teams
• Built on core-strengths
• Market attractiveness
• Quality launch processes
• Technical competence

Why Companies Fail in Managing Risk
Proactiveness:
1. Wait until late in the project when many risks start occurring
2. Let risk management lapse
“Eighty percent of success is showing up.”
-Woody Allen

Why Companies Fail in Managing Risk
Wait until late in the project when many risks start occurring:
• Late attention to risks often leads to expensive workarounds
• Late discovery of potential problems precludes solutions that would have been available earlier
• Late surprises are more disruptive to the schedule

Why Companies Fail in Managing Risk
Let risk management lapse
• The team does deliver a list of risks, but gets on with the “real” work of the project
• When risks occur, they are just as unprepared, but more embarrassed!

The Antithesis of Risk Management: Firefighting
• A type of management behavior, often reinforced
• A corporate firefighter is so involved in fighting the last fire that they let the next one smolder
• Then this person pulls the new problem out of the fire and is regarded as a hero

How Much Risk Management?
• The more risks you identify, analyze, and monitor, the more it will cost.
• Good risk management requires explicit choices and decisions that are reviewed regularly
• Consider each risk in terms of what it can do for you as well as the harm
• Remember: project management is risk management!
Hurricane Katrina: Three men use makeshift oars to paddle a damaged boat.

Using Project Risk Models

Introduction
The Risk Management methodology depends on the model:
1. Helps quantify the magnitude of a risk for comparison purposes
2. Points to root causes for risk resolution
Credit Risk Model

Risk Models
Models:
1. Ground us in a common viewpoint so that we can communicate with others
2. Form a common basis for analyzing a risk situation
3. Provide a systematic way of dealing with risk
Key Idea

Standard Risk Model
Seven Components:
1. Risk Event: The state that triggers a loss
2. Risk event driver: Something in the project environment that can cause a risk to occur
3. Probability of risk event: Likelihood of a risk event
4. Impact: Consequence or potential loss

Standard Risk Model
Seven Components cont.:
5. Impact driver: Something in the project environment that can cause an impact
6. Probability of impact: Likelihood of an impact, given that the risk occurs
7. Total loss: Magnitude of the actual loss accrued when a risk event occurs

The Standard Risk Model
[Figure: Risk event driver(s) and Probability of risk event (Pe) act on the Risk Event; Impact drivers and Probability of impact (Pi) act on the Impact; Risk Event -> Impact -> Total loss (Lt).]

Simple Risk Model
Simple Risk Model. Combines the risk event and impact into a single entity along with the risk’s probability of occurrence.
[Figure: Driver(s) and Probability of risk event & impact (Pe and Pi) act on the combined Risk event and impact, which leads to Total loss.]

The Risk Management Process

The Risk Management Process
Overview of the process:
1. Identify risks that you could encounter
2. Analyze risks to determine drivers, impact, and probability
3. Prioritize and map the risks to a short list
4. Plan how you will take action
5. Monitor progress on a regular basis
The Old Mill

The Five-step Risk Management Process
Steps | Critical information
Step 1: Identify risks | Risk events and impact
Step 2: Analyze risks | Drivers, probabilities and total loss
Step 3: Prioritize and map risks | Subset of risks to be managed
Step 4: Resolve risks | Types of action plans: avoidance, transfer, redundancy and mitigation (prevention, contingency, reserves)
Step 5: Monitor risks | Assess status and closure of targeted risks; identify new risks
Regular check for new project risks

Step 1: Identifying Project Risks
Criteria:
1. Need a facilitator without a stake in the outcome
2. A brainstorming activity: strive for quantity
3. Define happening that could occur along with a time component
4. Describe the impact
Line up

Step 2: Analyzing Risks
Criteria:
1. Identify drivers for each risk event
2. Be as factual as possible
3. Identify probabilities for risk and for its impact
4. Use historical data whenever possible

Step 2: Analyzing Risks cont.
Calculating expected loss:
1. Decide on a small set of values for probabilities, e.g. 10, 30, 50, 70, 90%
2. Expected loss is the mean loss associated with the risk

Formula for calculating expected loss from its components
Probability of risk event (Pe) X Probability of risk impact (Pi) X Total loss (Lt) = Expected loss (Le)
• Pe X Pi: Risk likelihood
• Lt: Total amount of loss if risk occurs
• Le: Answers question, “How risky is it?”

Step 3: Prioritizing and Mapping Risks
Techniques for developing a short list:
1. Top 10 List
2. Risk map: total loss vs. risk likelihood (Pe X Pi)
3. Consider catastrophic risks with low probability

[Figure: risk map. Vertical axis: Risk likelihood (Pe X Pi), percent, marked 10, 30, 50, 70, 90. Horizontal axis: Total loss, workdays, marked 5, 10, 15, 20, 25. A threshold line is drawn across the map; plotted points are Risks 1, 2, 4, 5, 7, 9, 10, 13, 16 and 18.]
Risk Map showing risks 1, 2, 5, 13, & 16 under active management and five more monitored candidates

Step 4: Planning Resolution of Targeted Risks
An action plan has:
• An objective
• Means of measuring when the objective has been achieved
• A completion date
• A responsible individual
• Adequate resources allocated to complete the task

Step 5: Monitoring Project Risks
Monitoring metrics:
• Expected loss (should be declining)
• Number of risks prevented
• Number of impacts mitigated
• New risks appearing

Calculate Expected Loss
Probability of risk event (Pe) X Probability of risk impact (Pi) X Total loss (Lt) = Expected loss (Le)
• Pe X Pi: Risk likelihood
• Lt: Total amount of loss if risk occurs
• Le: Answers question, “How risky is it?”
Factors entering into calculating expected loss, which is the prime criterion for prioritizing risks.

Calculate Expected Loss
Example
• Assume 50% chance (probability of risk event) that a tool will be two weeks late (risk event)
• It will delay the next product build by two weeks which has a 70% (probability of impact) chance of delaying the project
• This results in a $500,000 (total loss) lost profit (impact)
Pe = 50%, Pi = 70%, Lt = $500,000
.5 X .7 X $500,000 = $175,000 (expected loss)
Note: Expected loss is your primary means going forward of comparing and prioritizing various identified risks.
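
Steps 2 and 3 applied to a small risk register, as an added example that is not part of the original slides: it computes expected loss with the deck's formula, builds a top-N short list, and separately surfaces high-loss risks that the expected-loss ranking leaves off the list. The register entries other than the late tool, the `top_n` value and the `catastrophic_loss` cut-off are constructed assumptions, and all losses are assumed to be in one unit (dollars).

```python
from dataclasses import dataclass

# Small set of probability values suggested in Step 2 (percent).
ALLOWED_PCT = (10, 30, 50, 70, 90)


@dataclass(frozen=True)
class Risk:
    name: str
    pe_pct: int        # probability of risk event (Pe), percent
    pi_pct: int        # probability of impact given the event (Pi), percent
    total_loss: float  # total loss (Lt), same unit for every entry

    def __post_init__(self):
        for label, pct in (("Pe", self.pe_pct), ("Pi", self.pi_pct)):
            if pct not in ALLOWED_PCT:
                raise ValueError(f"{self.name}: {label}={pct} not in {ALLOWED_PCT}")
        if self.total_loss < 0:
            raise ValueError(f"{self.name}: total loss must be non-negative")

    @property
    def likelihood_pct(self) -> float:
        """Risk likelihood (Pe X Pi) in percent, the vertical axis of the risk map."""
        return self.pe_pct * self.pi_pct / 100

    @property
    def expected_loss(self) -> float:
        """Le = Pe X Pi X Lt, kept in integer percent to avoid rounding drift."""
        return self.pe_pct * self.pi_pct * self.total_loss / 10_000


def short_list(risks, top_n, catastrophic_loss):
    """Return (managed, watch).

    managed: the top_n risks by expected loss (the "Top 10 List" technique).
    watch:   risks that missed the list but whose total loss reaches the
             assumed catastrophic cut-off, whatever their probability.
    """
    ranked = sorted(risks, key=lambda r: r.expected_loss, reverse=True)
    managed = ranked[:top_n]
    watch = [r for r in ranked[top_n:] if r.total_loss >= catastrophic_loss]
    return managed, watch


def register_expected_loss(risks) -> float:
    """Monitoring metric from Step 5: summed expected loss, which should decline."""
    return sum(r.expected_loss for r in risks)


# Constructed register; the first entry uses the numbers from the slide example.
REGISTER = [
    Risk("Tool two weeks late", 50, 70, 500_000),
    Risk("Specification change", 70, 50, 400_000),
    Risk("Sole supplier withdraws part", 10, 90, 1_500_000),
    Risk("Test lab unavailable", 30, 30, 200_000),
]

if __name__ == "__main__":
    managed, watch = short_list(REGISTER, top_n=2, catastrophic_loss=1_000_000)
    for r in managed:
        print(f"manage {r.name}: Le={r.expected_loss:,.0f} ({r.likelihood_pct:.0f}%)")
    for r in watch:
        print(f"watch  {r.name}: Lt={r.total_loss:,.0f} ({r.likelihood_pct:.0f}%)")
    print(f"register expected loss: {register_expected_loss(REGISTER):,.0f}")
```

The supplier risk ranks third by expected loss and would drop off a two-item list, which is why the catastrophic check runs on total loss rather than on expected loss.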

Working with Differing Units and Qualitative Scales
If the total loss cannot be expressed numerically:
• Define labels such as “medium”, as specifically as possible by calibrating them
• Construct a calibration table
• Be sure to perform some cross checks
• Alternative approach is to use consequence factors

Total Loss | Schedule slip (workdays) | Target product cost overrun | Project budget overrun | Product performance (throughput, units/minute)
None | 0 | 0 | 0 | 220
Low | 1-5 | <0.50 | <150,000 | 205
Medium | 6-15 | 0.50-1.20 | 150,000-500,000 | 190
High | >15 | >1.20 | >500,000 | 180
Calibration values for total loss when using qualitative scales

Summary
Risk has many meanings, but we define it in terms of:
1. Uncertainty
2. Loss
3. Time component
Good project risk management places an emphasis on being both cross functional and proactive

Summary
• It is the opposite of fire fighting which poses an organizational challenge
• You cannot make risk management perfect; you can reach a point of diminishing returns
• Risks can be positive as well as negative

Summary
• The Standard Risk Model provides the most effective risk management for the effort expended in using it
• Risk models provide a powerful tool to help visualize and understand risk
• “All models are wrong. Some are useful.” – George Box, Statistician

Summary
A five step program:
1. Structured brainstorming
2. Analyze each risk according to a process to clarify the risks’ threat
3. Choose a risk set that you will manage
4. Create an action plan
5. Ongoing monitoring of risk picture