Risk Management Environment (RME)for Program and Portfolio

MCL Management GroupCheryl Wilson, PMP, RMP, CCEP & Paul Lohnes, PMP

risk@mclmg.com

2

Paul H. LohnesPMP, Managing Partner

Over 28 years Project Management experience

Own company for 24 years before starting MCLMG with Cheryl

Risk management, project rescuer, and project management consultant

Has delivered over 500 seminars to over 10,000 attendees worldwide

Cheryl A. WilsonPMP, PMI-RMP, CCEPSVP, Risk Management Division

Over 26 years project and risk management experience

Government, commercial, and non-profit organizations

Established two complete RME at the portfolio level in past 2 years

Compliance & ethics officer (SME)

MCLMG, LLC Alexandria, VA

3

IntroductionRisk Management Environment (RME) Solutions for P/PM

Questions1. What is a mature RME?2. How do you assess RME maturity?3. How do you determine organizational risk tolerance?4. How do you escalate risks between aggregates?5. What are some of the effective RME solutions?

Outcomes1. Understand RME solutions for your program/portfolio2. Place a value on your RME activities3. Take away short-term implementation solutions

4

Q1: What is a mature RME?

• Risk proactive: mitigate first, respond second• Proactive risk mitigation mindset: reduce impact

First and foremost:

PROACTIVE• Accountable means taking ownership• Accountable means being active not passiveBe accountable

• Responsible means taking positive actions• Responsible means being focused on solutionsBe responsible

• Transparent means accepting risk as part of PM• Transparent means identifying & managing risksBe transparent

• Ignoring risks, hoping they will go away• Thinking risks are bad and should NOT be

discussedMaturity is NOT

5

Risk Maturity Model (RMM™)

Assessing maturity of your RME

5 States of an RME’s maturity• State 1: Adolescence (lowest)• State 2: Transparent• State 3: Responsible• State 4: Accountable• State 5: Proactive (highest)

Similar to the SEI’s CMMI structure• Covers most project management activities – risk is project

invasive!• Does not require annual fees or membership

™ MCLMG, 2010

6

RMM™ Maturity States

• Risk ignorant, dismissive, ineffective• No risk perspective or mindset in organizationAdolescence

• Risk accepting, acknowledging, and progressive• Risk discovery, tracking, and monitoringTransparent

• Taking actions towards the risks before triggering• Beginning to instill a risk-friendly mindset in the PM activities

Responsible

• Taking ownership of risk mitigation actions• Seeking and obtaining Sr. Management supportAccountable

• Active and effective risk mitigation strategies : REV reductions!

• Tracking and costing risk program to a Return on Investment perspective

Proactive

REV = risk equivalent value; defined as REV = RCI * RPO (Slide 51)

7

MITIGATECharacteristics of a Proactive RME

M MatureI InquisitiveT ThoroughI Investment-Oriented

G Goal-seekingA ArticulatedT TransitionalE Effective

8

Q2: How do I Assess my RME?

Begin with understanding your As-Is• Where is the RME today?• Do we have an active RME in our

projects/programs/portfolios (aggregate levels)?

Be honest and up front• Everyone starts somewhere• Don’t over rate your own program

Be objective – use a definitive model (RMM™)

Use a checklist to ensure consistency

9

RME Maturity Assessment Checklist• Purpose

• Perform a self-assessment of the As-Is status• Provides a baseline for comparison

•Outcomes• Shows areas of strengths & weaknesses• Provides starting line for maturity planning• Starts RME maturity discussions• Begins risk maturity mindset changes

10

Determine the Status of Your RME

Where are the commonalities, differences?

What are the strengths & weaknesses at each aggregate level?

Which state is your RME at?Portfolio level Program level Project level

Using outcome of RMM State Checklist

11

Q3: How do you determine risk tolerance?Organizational Risk Tolerance (ORT™) Model

• Organizational Risk Tolerance• Risk characteristic or appetite of organization• Purpose: drives project management risk tolerance

ORT ™

• Mitigation: use of risk mitigation strategies• Maturity: level of risk understanding and acceptance

Based on two (2) independent

variables

• Risk Seeking High maturity High mitigation

• Risk Accepting High maturity Low mitigation• Risk Avoiding Low maturity High mitigation• Risk Rejecters Low maturity Low mitigation

Four types of organizationalrisk tolerance

12

ORT ™ States I

The ORT™ defines four very simple states of risk tolerance based on the intersection of two independent variables:1. Maturity (level from RMM)2. Mitigation (usage)

The ORT will impact the project’s risk tolerance in that a project can never be more risk tolerant than the organization that funds it.

13

ORT ™ States II

• High maturity, high mitigation

• Understands value of risk versus reward concept

Risk Seeker

• High maturity, low mitigation

• Accepts risk as normal, deals with issues instead

Risk Accepter

• Low maturity, low mitigation

• Ignores risks until issues, reactive

Risk Rejecter

• Low maturity, high mitigation

• Avoids risks as normal, proactive in transfer or converting risks

Risk Avoider

Mit

igati

on

Maturity

14

ORT Model Parameters

Participants• Several senior management (C-level)• Several senior PM managers (program/portfolio)• Any certified risk professionals• Sampling of project team members

Resources• Online survey• Off-line scoring

Created using two independent variables

• Maturity• Mitigation

15

What is your ORT?

Perform the ORT assessmentDo the assessment on your organizationBe objective, comprehensive, and focused

Perform the ORT

Do the assessment on

your organization Be objective

16

The ORT™ Solution Review

Which ORT state

describes your

organization?

No single organization

is characterized

in a single state

Organizations exhibit characteristics of several• Internal state• External state

Parameters can alter ORT State• Size of project/program

• Complexity of project/program

• Visibility of project/program

17

Q4: How do I Escalate Risks?

Risks should only be owned on single aggregate level

Risks can escalate across aggregate levels• Begin at project, grow into program level risk• Start as program risk, mitigated down to project

Escalation is a change in risk ownership• Need process/procedure to transfer ownership• Must be managed to prevent chaos

Portfolio level usually plays role of arbiter

18

Escalation Model

19

Upward Escalation

Normal escalation• From lower levels to higher• Growth of risk beyond

budget or schedule of lower level

Transfer of ownership• Project manager to

program manager• Project risk owner to

program risk owner

20

Downward Escalation

Abnormal escalation• Less frequent than upward• Requires more effort

Done for aged risks• Older risks less powerful• Older risks have lower

REVs

21

Escalation Hand-off Process

Begins with a risk review

Risk parameters have changed•REV growth•Risk impact zone growth

•Complexity of mitigation strategy

Agreement between transferring parties

Risk register data transfer

Re-assignment of ownership resources

22

Escalation Process Management

The oversight is done by non-involved party

• Project to program: oversight by portfolio

• Program to portfolio: oversight by director

• Risk manager always involved

Arbitration for escalation disputes

• Risk manager determines parameters of dispute

• Assigns a non-involved party as arbiter

• Arbitration is binding on transferring parties

Constraints should be reviewed

• Scope, time, cost, and quality constraints analysis

• Adjustments may be needed to handle REV / mitigation values upon transfer

23

Paul Lohnes, PMPManaging Partnerphl@mclmg.com

Cheryl Wilson, PMP, PMI-RMP, CCEPVP, Risk Divisioncaw@mclmg.com

MCLMG, LLC