x point international ltd © 2002 ‘managing risk, space invaders and your friendly, neighbourhood...

X Point International Ltd © 2002

‘Managing Risk, Space Invaders and your friendly, neighbourhood Burglar

an introduction to an assumptions-based approachto project Risk Management

presentation to Kingston and Croydon branch of the BCS

14-Jan-2003

David Galley


Introduction

Basic approach to project risk management Proactive + Devolved + Simple to understand

Presentation Content Risk Risk Management (vs Project Management) Assumptions-based approach Identifying Assumptions Registers Risk Evaluation & Prioritisation Risk Plans Roles & Responsibilities Execution

Questions


impact ifhazard occurs

likelihood ofhazard occurring

lowrisk

highrisk

Risk combines notions of hazard and uncertainty

contours of equalrisk exposure.

likelihoodof hazardoccurring

impact ofhazard

occurringrisk = *


Relative risk exposure can be represented on a 4*4 ‘risk grid’

A B C D

A

B

C

D

impact if hazard occurs

likelihood ofhazard

occurring

high risk

low risk

intermediaterisk


Risk Management is an integral part of Project Mgt…but different

(rest of) project mgt.•project definition•project structuring•planning•cost/schedule statusing•project control

…in what way is Risk Mgt different?

risk management


Need for Risk Management arises from uncertainty

(rest of)project management

risk management

certain

impossible

obstaclelikelihood


Assumptions based approach is proposed

Risk Evaluation& Prioritisation

Monitoring Risks & Assumptions

Risk Planning

Risk PlanExecution

Risk

Mgt

Roles

AssumptionsRegister

•Requirement•Issues•Hazard checklist•….

Risk Register

Risk Plans

•Work Plan & Budget•External threats•Internal weaknesses•….


Projects are exposed to the risk of assumption failure

Decisions are made based on limited information

Working assumptions Conscious/Explicit Unconscious/Implicit (become evident later, or remain hidden)

Working assumptions proven to be: True – will not disturb the project False – will disturb the project

For every assumption the project makes there is an inherent risk that the assumption will not be true


If hazard is project assumption failure, the risk grid axes become project sensitivity, assumption instability

A B C D

A

B

C

D

project sensitivityto assumption failure

assumptioninstability


First catch your assumptions… ...then assess the associated risk

Broad search

What could go wrong?

Capture working assumptions

Assess associated risk exposure

Requirement Spec.

Open Issues

Hazard checklists

Workplan

Budget

External threats

Internal weaknesses

External dependencies

Stakeholders

Business Case


Project Mgt.

Risk Mgt.

assumptions

risks

Project Assumptions and Project Risks need to be recorded in consolidated registers


Document assumptions in an Assumptions Register

Assumption Identifier Project, Assumption Title & No.

Assumption Description Sufficient to explain the nature of

the assumption

Associations Key Dependents, Associated

Assumptions, References, Associated Risk No

Registration Registration Date, Registered By,

Project Mgr

Closure Closure Comment, Closure Date,

Closed By, Project Mgr

assumptiondescription

associations

closure

assumptionidentifier

registration


Document risks in a Risk Register

Risk Identifier & associations Project, Risk No., Assumption Title &

No., Associated Risk Nos., Refs.

Project Sensitivity (initial registration & subsequent re-evaluation) Explanation of the project’s sensitivity

incl. the expected impact date, A-D score, Comment, Date, Risk Owner, Risk Mgr, Project Mgr.

Assumption Instability Similar to ‘Project Sensitivity’

Closure Closure Comment, Closure Date,

Closed By, Project Mgr

projectsensitivity


closure

risk identifier& associations


Having identified your risks, you need to manage them

too many risks......which one first?

risk plan...what’s that?

...what do I do?

...what do I do?

Risk Prioritisation

Risk Plans

Roles & Responsibilities

Execution & Monitoring


Risk Management is a bit like playing ‘space invaders’ (Hugh Lake)

Threats of different size approach closer and closer

Aim is to defend your patch… but with limited ammo

Which one to attack next?


Deciding which risks to ‘attack’ is a complex decision

So many risks… which should I attack? consider size, ie. risk exposure consider timing… when will it ‘hit’?

How effective would an attack be? how will I deal with each risk? what chance that it’ll work? how much residual risk exposure?

What about the cost? Will attacking a risk be worth the cost? Can I afford to attack a particular risk? Can I afford not to attack that risk?

How do we ‘attack’ risks?


Risk Handling Techniques – four main categories

m odify objec tives orperform ance targetsm odify approach

risk avoidance

reduce likelihoodreduce im pact

risk m itigation

con trac tinsu rancepartnersh ips /join t ven tu res

risk transfer

con tingency fundscon tingency plansf ix-on -failc ris is m anagem en t

risk retention

R isk HandlingTechniques

proactiveRisk Plans

reactiveRisk Plans


Risk mitigation is based on two basic strategies

• Basic strategies• stabilise the assumption• de-sensitise the project

• Recommend developing at least two candidate risk plans

• Risk plan might combine assumption stabilisation and project de-sensitisation

A B C D

A

B

C

D

project sensitivity


action requiredto de-sensitise

action requiredto stabilise


Exercise: Risk Management applied to House Burglary

Background You’ve just moved to a new town and you’ve a 1001 things to sort out You learn that a number of burglaries have taken place in your new

neighbourhood.

Do you lock your self in, and refuse leave your house? – No. You’ve got a life to lead!

What is your working assumption?


Exercise: Risk Management applied to House Burglary

Background You’ve just moved to a new town and you’ve a 1001 things to sort out You learn that a number of burglaries have taken place in your new

neighbourhood.

Do you lock your self in, and refuse leave your house? – No. You’ve got a life to lead!

The principal working assumption is an implicit assertion ‘We will not get burgled today’.

The assumption wasn’t ‘I might get burgled’ That isn’t an assumption, it’s an infallible truism.

But your working assumption might be wrong!

Failure of that working assumption constitutes the hazard. You’ve identified a risk.

How are you going to manage it?


Here’s a heap of ‘risk plans’…assign each to a category of risk handling technique

Risk avoidance … …

Risk mitigation (stabilise the assumption) … …

Risk mitigation (de-sensitise impact) … …

Risk transfer … …

Risk retention … …

keep stock of glass, timber to repair windows store valuable items in a safe, or at bank adopt non-materialistic philosophy arrange house contents insurance install extra high-security locks take any burglary ‘on the chin’ move away to safer district install a burglar alarm buy a big, noisy dog buy a quiet crocodile

…what else?


Categorised Risk Plans

Risk avoidance move away to safer district adopt non-materialistic philosophy

Risk mitigation (stabilise the assumption) install extra high-security locks install a burglar alarm buy a big, noisy dog

Risk mitigation (de-sensitise impact) store valuable items in a safe, or at bank buy a quiet crocodile

Risk transfer arrange house contents insurance

Risk retention keep stock of glass, timber to repair

windows take any burglary ‘on the chin’


Risk Management places extra responsibilities on the Steering Committee and Project Mgr

Steering Committee/senior management

Project Manager

•Approve plans & allocate resources•Monitor progress•Approve closure

•Ensure risks identified/captured•Assumption & risk registers

•Agree monitoring

•Reports critical risks•Reports results

•Accounts for risk budget •Risk budget


•Draw up plans•Run the plan•Close plan

RM places responsibilities on the Steering Committee and Project Mgr and introduces two new roles: Risk Managers and Risk Owners

Steering Committee/senior management

Project Manager

Risk Owner Risk Manager

•Approve plans & allocate resources•Monitor progress•Approve closure•Appoint & empower Risk Mgrs

•Ensure risks identified/captured•Assumption & risk registers

•Agree monitoring•Appoint Risk Owners

•Confirm/review risks•Agree the aim•Monitor plans

•Stop plans

•Reports critical risks•Reports results

•Accounts for risk budget

delegation&

empowerment

reportreport

•Risk budget

•Identify & appoint external Risk Owners & Risk Mgrs

agree


What happens after you have prioritised the risks and selected the risk plans?

MonitoringAssumptions

& Risks

Kicking-offRisk Plans

ClosingRisk Plans

Developing& SelectingRisk Plans

PrioritisingRisks

Runningthe

Risk Plan


Summary

Risk as a product of hazard likelihood and hazard impact

Risk Management relative to Project Management

Proactive, Assumptions-based approach Assumption-failure as the source of project risk Integrated assumption & risk registers Complexity of deciding what risks to attack Risk handling: avoidance, mitigation, transfer, retention Devolved Risk Management organisation - responsibility and

ownership devolved throughout, and outside, the project team

Questions


Annexe


Projects have many stakeholders… …with interlinked objectives

Many stakeholders interdependent network of objectives failure doesn’t stay put

Know your stakeholders identify them understand their objectives what is success/failure for

them?

Employees

Community

Vendors

Customers

Finance

Users

Executives

project


What happens after you have prioritised the risks and selected the risk plans


& Risks


ClosingRisk Plans


Runningthe

Risk Plan

PrioritisingRisks

Project Manager has to ensure that:•Budget is agreed with the Risk Manager•Success and closure criteria are agreed in advance with the Risk Owner and Risk Manager•Roles & Responsibilities are agreed and published for all personnel involved in the risk plan•Commitment of external owners, points of contact and champions, is agreed in advance.




& Risks


ClosingRisk Plans


Runningthe

Risk Plan

PrioritisingRisks

Nominated Risk Manager: •Manages execution of the risk plan

•Agrees with the Risk Owner progress against the plan

•Reports progress using the monitoring system agreed with the Project Manager




& Risks


ClosingRisk Plans


Runningthe

Risk Plan

PrioritisingRisks•A risk plan must be stopped & closed when:

- it has achieved its objectives- it is seen to be failing, or it has failed- it is no longer necessary

•Closing is relatively easy if, when launched, the plan has clear objectives and clear success criteria




& Risks


ClosingRisk Plans


Runningthe

Risk Plan

PrioritisingRisks

The lists of assumptions and risks need to be reviewed regularly. Are any changes occurring • internally, or• externally to the projectwhich could alter• project’s sensitivity to the assumption• stability of the assumption• expected hazard impact date

x point international ltd © 2002 ‘managing risk, space invaders and your friendly, neighbourhood...

Documents