
Self Assignment

Risk Management

By Amit Agarwal
OVERVIEW
1. WHAT IS RISK
2. WHAT IS RISK MANAGEMENT
3. INTEGRATED RISK MANAGEMENT
4. PRINCIPLES & CHARACTERISTICS
5. LIFE CYCLE
6. PROCESS CHART
7. CHALLENGES & BARRIERS
8. KEY CONTRIBUTION FACTORS
9. SUMMARY
What Is “Risk”?

• “Risk is a condition in which there is a possibility of an adverse deviation from a desired outcome that is expected … .” (Vaughn)

• “… the threat that any event or action will adversely affect an organization’s ability to achieve its business objectives and execute its strategies.” (Kloman)
What Is “Risk”?

• RISK = potential loss from inability to achieve a project’s objectives
– caused by people, process, system, or external factors

• Risks can result from any combination of factors
– people, process, systems, technology, science, or external events
Risk is…

• “….a measure of future uncertainties in achieving project performance goals and objectives within defined cost, schedule, and performance constraints.”

• “...an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective.”

Likelihood of an event occurring. The consequence if such event occurs.


Applicability

Risk Management is applicable to all industries and complex efforts

• Financial, Market, Investment, Credit
• Health
• Environmental
• Business Compliance
• Safety
• Project (Types of Project)
• Security (Cyber, Physical)
• Mission Assurance

GOAL:
IDENTIFY / ASSESS THREAT
MINIMIZE / PREVENT LOSS
TAKE ACTION

Supports Decision Analysis
Resource Allocation
Risk Management is…

• …the process of defining and analyzing risk, and then deciding on the appropriate course of action in order to minimize risk, whilst still achieving business goals

• …the optimal allocation of resources to arrive at cost-effective investment in defensive measures within an organization. It minimizes both cost and risk

• …a variety of activities undertaken by an organization to control and minimize threats to the continuing efficiency, profitability, and success of its operations.

• …the process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to mitigate appropriate individual risks until the overall level of risk is reduced to an acceptable level.
Risk Management is…

• The systematic application of management policies, standards, procedures, and practices to the tasks of identifying, assessing, prioritizing, responding to, and monitoring risk
– A structured, iterative process with defined scope and objectives
– Proactive and anticipatory
– Objective is to decrease the probability and/or impact of negative events OR increase the probability and/or impact of positive events

Risk Management needs to be integrated into an organization’s decision making process

Integrated Risk Management

• Integrate per Webster’s Dictionary: to form, coordinate, or blend into a functioning or unified whole

• Integrated risk management is a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It is about making strategic decisions that contribute to the achievement of an organization's overall corporate objectives.

• Integrated risk management process includes all disciplines required to support the life cycle of their system (e.g., systems safety, logistics, engineering, producibility, in-service support, contracts, test, earned value management, finance).”
Providing insights into three key areas

Project Performance
– Combines previously disparate project analysis and execution into an actionable framework for the project manager
– Requires dialog and collaboration between engineering, scheduling and management groups
– Creates a “total risk profile” for projects to fully assess potential delays to delivery and increases in cost

Project Investment
– Provides a framework to develop detailed plans for risk mitigation and identify associated costs
– Tracks progress of investment against specific mitigation activities
– Assists decision makers in prioritizing investment against high impact risks and effects

Oversight
– Responds to government policy guidance and industry best practices in risk management
– Provides auditable trail of risks, cost changes and schedule progress for industry and government clients
– Creates transparency in developing project budget and reserve requirements when used prior to project start date
Risk Management Objectives

Post-Loss Objectives
• Survival
• Continuity of Operations
• Earnings Stability
• Continued Growth
• Social Responsibility

Pre-Loss Objectives
• Economic Efficiency
• Reduction in Anxiety
• Meeting Externally Imposed Obligations
• Social Responsibility
Principles

Risk Management Should…

…create Value
…be an integral Part of Organizational processes
…be a part of decision making
…explicitly address uncertainty
…be systematic & structured
…be based on best available information
…be tailored / customized
…take into account human factors
…be transparent & inclusive
…be dynamic, iterative & responsive to change
…be capable of continual improvement & enhancement
Characteristics

A clear and consistent Risk Management champion
Requirements supported by leadership and stakeholders
A close partnership with users and stakeholders
Mature risk management processes
Established thresholds and criteria for proactively implementing defined risk mitigation plans
Resourced risk mitigation plans
Periodic risk assessments
Integrated data environments that maximize participation
Approaches

Successful Approach

A documented and mature risk management process
Quantitative assessments of risk impacts estimated against cost and schedule baselines
Defined risk filtration criteria
Risk reduction at the lowest level of the organization
A defined set of risk consequence definitions for performance, schedule, and cost
Structured approach for communicating risk across multiple programs/organizational levels
Stages in Risk Management Life Cycle

Stage: Activity
• Risk Management Planning: Deciding how to approach & plan the risk management activities for the project
• Risk Identification: Determining which risks are likely to affect a project & documenting their characteristics
• Qualitative Risk Analysis: Characterizing & analyzing risks & prioritizing their effects on project objectives
• Quantitative Risk Analysis: Measuring the probability & consequences of risks
• Risk Response Planning: Taking steps to enhance opportunities & reduce threats to meeting project objectives
• Risk Monitoring & Control: Monitoring known risks, identifying new risks, reducing risks & evaluating the effectiveness of risk reduction
Risk Management Lifecycle
The risk lifecycle applies across all parts of a program or project.

Figure: risk management lifecycle diagram.
Managing Risk: 1. Identify Risks; 2. Assess & Measure Risks; 3. Respond to Risks; 4. Design & Test Controls; 5. Monitor, Assure & Escalate
Execution Components: Department, Operations, Programs, IT Investments, Procurement, Legislature, Strategic Planning, Risk Management, Human Capital
Foundational Elements: Governance, Technology, People, Process
Risk Areas: Strategic, Operational, Hazard, Compliance, Financial
Risk Identification
Hundreds of insignificant risks can easily distract from the few critical ones.

Figure: table of identified risks, with the top risks ranked 1 to 8 (Identify the Top (relevant) Risks).
Identified risks: Inter-Agency / Department Actions; Budget and Funding Issues; Grants Management; Changing Design Requirements; Scientific Integrity and Agency Reputation; Cost estimating techniques; Third Party Strategy / Execution / Integration; Legal / Regulatory / Ethics; Investigations and Audits; Financial Management; Environmental liabilities / concerns; Contractor stability / quality; Hazardous materials handling; Value for cost (value to taxpayers); Natural Disasters; Technology; Roles of gov’t and contractor defined; Stakeholder Demand / Preference Changes; Terrorism and Emerging Diseases; Seasonality/Cyclicality; Political Issues; Capability Advancement; Insurance Coverage; Labor Disputes / Actions; Personnel and HR Issues



Risk Identification

Techniques

Document Reviews
Brainstorming
Delphi Technique / Interviewing
SWOT Analysis
Checklists
Assumption Analysis
Flow Charting
Qualitative & Quantitative Risk Analysis
Evaluate each risk and its impact on cost, scope, and schedule.

Figure: cause-and-effect diagram of risks against the project objective.
Objective: Complete entire Project by 2010 within budget
External Risks: Natural Environ. (major weather event); Political (dominant party change); Social (constituent priority shift); Technological (technology innovation); Inter-Dept/Agency (reorganization)
Internal Risks: Infrastructure; Personnel; Process; Technology
Qualitative & Quantitative Risk Analysis

Techniques

Qualitative:
Probability Impact Matrix
Ordinal & cardinal Ranking
SWOT Analysis
Force Field Analysis
Quantitative:
Sensitivity Analysis
Expected Monetary Value
Decision Tree Analysis
Simulation
Program Evaluation & Review Technique (PERT)
Risk Response
Choose the corrective actions, execute, and evaluate effectiveness.

Identify corrective actions; Monitor effectiveness of actions

Figure: matrix of corrective actions against risks (columns: Inter-Agency, Technology, Risk N), with marks showing which actions apply to which risk.
Corrective Actions: Policies and Procedures; Management Review & Approvals; Scenario Planning; Contingency Planning; Training and rehearsals; Physical and Cyber Security; Equipment Performance & Design; Documentation; Communications plans; Performance Indicators; System Controls / Monitoring; Physical Controls / Monitoring; Inspections / Audit; Other
Contd…
Corrective actions result in mitigated risk, but come with a cost.
Sample risk: Technology advances and innovation require design changes.
1. Evaluate potential benefits of new technology. (RKS; Quarterly; Conduct workshops, seek input)
2. Involve key stakeholders that are knowledgeable about technology innovation. (AKH; On-going; Identify stakeholder liaison responsible for maintaining buy-in)
3. Refine communications approach and execution to address on-going findings. (VM; Monthly; Appoint communications coordinator to maintain channels)
4. Update long-term roadmap for incorporation of key (RNS; Bi-annually; Conduct routine roadmap updates to maintain buy-in)

Figure: chart of risk level (Very Low, Low, Medium, High, Very High) by quarter, Q1 ‘09 to Q3 ‘10. Labels: Corrective Actions (#1; #2,3; #2,3,4), Incremental Mitigated Risk, Residual Risk, (Perform Cost/Benefit Analysis), Planned, Actual.
Monitoring & Control
Complete set of risks must be considered to understand the risk profile.

Figure: risk map plotting risks 1 to 10 by Inherent (Gross) Risk against Current Residual (Net) Risk, each axis running from Very Low to Very High.
Corrective Action Status legend: Risk reduced to an acceptable level; Risk reduction occurring, not complete; Further action required
Example Risks: 1) Technology Innovation 2) Departmental Reorganization

Rating scale: Inherent (Gross) Risk (without mitigation/controls) and Residual (Net) Risk (without mitigation/controls)

Very High
– Inherent: > 5 days disruption of core operational activities; long term impact to reputation; may result in government investigation
– Residual: No viable mitigation plan in place, the risk event would likely overwhelm the agency

High
– Inherent: 3 to 5 days disruption of core operational activities; concern that could result in an action; may result in official inquiry
– Residual: Heroic efforts would be needed to manage the event

Medium
– Inherent: Between 1 and 2 days disruption of core operational activities; unfavorable media coverage
– Residual: Fairly well-prepared – base mitigation plans are in place; organization has talent/resources to manage through the event

Low
– Inherent: Between 2 and 8 hours disruption of core operational activities; brief unfavorable media coverage
– Residual: Mitigation responses, contingency plans and programmed responses have been or are being established

Very Low
– Inherent: Less than 2 hours of disruption of core operational activities; no media coverage, unlikely to have an impact on the NIH appropriation
– Residual: Mitigation responses, contingency plans and programmed responses are established, rehearsed on a periodic basis and revised as conditions change
Risk Response, Monitoring & Control
Techniques

Response
Avoidance
Transference or Deflection
Mitigation
Acceptance
Contingency
Reserves
Fallback Plan
Monitoring & Control
Workarounds
Change Requests
Feedback into Risk Management Plan
Traditional Approach
Integrated Risk Management extracts actionable information from traditionally stove-piped data streams

Figure: questions raised around the program: Risk Exposure? Impact Relationships? Goals Too Risky? Which Design? More Reserves? Major Drivers? Adequately Mitigated?

Enables critical decision making
Integrated Approach

Figure: Risk Analysis, Cost Analysis and Schedule Analysis feed the Program Manager, leading to a Decision.
Risk Management Process

Figure: process flow chart.

Step 1: Identify and Document
• Identify Potential Risks
• Enter in Risk Register
• Assumption Testing
• Data About the Risk
• Understand the Risk

Step 2: Analyze and Assess
• Quantify Risk
– Cost, Schedule, Performance
• Event Analysis
• Relational analysis with existing risks and open issues
• Cost / Schedule Impacts
• Probability of Occurrence (RP)
• Impact of Occurrence (RI)

Step 3: Select Handling Plan (Risk Exposure is High or Moderate)
• Risk Management IPT
• Establish Triggers
• Handling Strategy
• Contingency Plan
• Assign Resources

Step 4: Handle and Monitor
• Escalate?
• Implement Risk Handling Strategy
• Update IMS
• Modification / Change Order
• Monitor Actions
• Reassess

Other labels in the chart: Reassessment; RIOM Board; Risk Exposure is Low; Risk Handling Database; Revised Handling Plan; Replanning; Step 3a; Step 3b; Step 5; Contingency Plan; Handling; Risk Watch List; Program and Risk Management Tools; Risk Has Been Handled; Step 6: Closeout; Step 7: Document Lessons Learned; RIOM Board Consensus
Key: Planned; Re-planning
Challenges

• Top 3 challenges in applying risk management
– Improving risk communication
– Political obstacles to risk-based resource allocation
– Lack of strategic thinking

• Lack of comprehensive risk management strategies that are well integrated with program, budget, and investment decisions

• There have been attempts at acquisition reform to address the following areas:
A. Decisions regarding which programs to keep
B. Developing approaches to better analyze and prioritize needs
C. Better management of development cycles
D. Establish knowledge-based cost and schedule estimates
E. Detailed systems engineering planning
Barriers to Integration
Barriers
Lack of a clear and consistent Risk Management champion
Unclear or non-existent Decision rights
Silos of analyses and reporting of different risk types
Maturity
– Technology, governance, process and people
Communication internal and external to the program/organization
Culture (How does the organization operate?)
Perception of a risk manager and roles/responsibilities
Every PM wants to do it their way
Organizational barriers regarding focal point of risk management
Decision Making

Defining decision rights is an important aspect of a comprehensive risk management program

What are Decision Rights?
The underlying mechanics of how and by whom decisions are truly made in an organization

Clear Decision Rights Result in…
• Clear decision-making authority results in effective and efficient decision-making…
– Places decision rights with those with the knowledge and information to make the best decision
– Reduces the risk of poor decisions
– Reduces inefficient second-guessing

Unclear Decision Rights Causes…
• Unclear decision-making authority results in senior management involvement in too many issues…
• …while lack of empowerment at the front-line can result in poor customer service and reduced employee satisfaction
Decision Making

Tools & Techniques

Cost-benefit analysis
Evaluation of frequency/severity
After-tax net present value analysis
Risk Map
Total Cost of Risk
Ethical considerations
Legal Requirements
Commercial Requirements
“Do not risk more than you can afford”
“Do not risk a lot for a little”
Programs with mature risk management processes have the following components
1. Structured process for risk identification
2. Comprehensive risk baseline and categories
3. Risk root cause analysis methodology
4. Quantitative risk likelihood and risk consequence definitions
5. An established risk management board or similar risk decision-making body with robust participation
6. A strong, defined risk management lead or champion for the program

Risk Management Maturity Scale

• Calibrates the maturity of individual program risk processes
• Guides enhancements needed to standardize approaches

Figure: maturity scale, MATURITY LEVEL plotted against TIME/EFFORT.

Low: Coordinated Risk Management
STILL NEED TO ADDRESS:
– Common taxonomy
– Alignment of risk categories
– Integrated toolset
– Clarity in criteria and thresholds for assessments
– Ownership
– Decision Making

High: Integrated Enterprise Risk Management
• Comprehensive risk agenda that exists throughout the entire organization
• Risk management focus are cross-risk / cross-functional and aligned with strategic imperatives
– Linked to strategic and operational decision-making
• Embedded in corporate culture
• Risks are assessed and integrated across technical and agency performance elements, cost, and schedule
• Integrated tool set
Different Organizational Levels Face Different Types of Risks

RISKS

Enterprise Level
- How does a risk to one program affect the delivery of other related programs?
- Which external stakeholders have the ability to influence the success of one or more programs?
- How can a successful risk mitigation strategy for one program be leveraged by other programs?

Program Level
- Is the project on track to meet or exceed its threshold requirements?
- How do current risk levels impact the ability to meet critical schedule milestones?
- Which design solution provides the optimal balance between capital and operating costs?

Project Level
- What are the technical performance risks associated with delivering a given requirement or capability?
- How will assembly, integration, and test schedules be impacted by a given risk event?
- What are the cost impacts of delays in subcontractor deliveries?

Subproject Level

Risks ultimately should be filtered to the lowest level possible for ownership and mitigation
Risk Management can inform decision rights within an organization
Questions

• What are the most vulnerable areas of the business/organization/acquisition/program/project/capability and what are the key risks that these areas face?

• Is there a systematic and comprehensive approach for identifying and assessing these risks and is it communicated?

• Is there a consistent and well defined approach to risk prioritization?

• Does the process add value to decision analysis or is it merely a reporting mechanism?

• Are decision rights aligned appropriately with risk tolerance?
– Level of risk assessed can determine required level of decision-making within the organization
Key Contributors to Success

Risk Management promotes a clear value proposition
• Demonstrate how resources will be saved or more efficiently applied
• Demonstrate how information will be more widely shared

Integrate Cost, Schedule and Risk personnel
• Creates understanding of information
• Defines linkages

Program input actively sought for framework development.
• Establish working group or other forum
• Gather feedback prior to go-live

A clear and consistent risk sponsor.
• Promotes buy-in
• Sustains participation

COMMUNICATION
What’s in it for me???
Leaders, managers, and staff alike benefit from risk management.

Top (Management, Program Managers)
•Higher impact programs
•Better control of the overall portfolio
•Stronger focus on long-term rather than short-term
•Time to focus on areas currently neglected

Middle (Management, Managers)
•More predictable cost estimates
•Less chaotic days, that are more productive
•More visibility in project activities
•Fewer and simpler reporting requests

Front Line (Contractor, Engineer, Project)
•Better client relationships
•More predictable quality of life
•Mechanism to raise issues and have resolved
•More follow-on work

Critical success factors…
Everyone has a role to play in making risk management part of the culture.

Top (Management, Program Managers)
•Seek and maintain senior leadership sponsorship
•Establish common language for risk management
•Integrate risk management across programs
•Focus on changing the culture, not on executing the tactics

Middle (Management, Managers)
•Assign ownership of risks as appropriate (gov’t, contr.)
•Coordinate risk management across project
•Focus on the value to all of managing risk, not the burden

Front Line (Contractor, Engineer, Project)
•Raise ALL risks identified “on the ground”
•Designate operational accountability for corrective actions
•Make risk management a priority
Summary

• Executive sponsorship does not use risk management as a blunt instrument

• Management team must be informed and committed

• Accurately size the risk management effort to the Project

• Do not bury the risk management functions in the bowels of the organization—Private sector companies have a CRO

• Cost Estimators, Schedulers, and Risk Management personnel collectively make up the risk management core team

• Communication within Risk Management Core Team

Tata Power

Thank You

Risk Mitigated

By Amit Agarwal