Post on 09-May-2015
Risk Integration
Understand the difference between risk management at the project and program levels, and be able to manage risks appropriately at each level while integrating the view on risk management for the organization
Thomas Walenta, PMP, thwalenta@online.de
Why should we look at integrative risk management for an organization?
What are the different vertical risk management areas?
How is IBM managing risk on the program/project level?
Why can Business Resilience help to reduce implementation risk?
77% Increase in Risk Exposure
Source: IBM Institute for Business Value - Risk Management Study 2011
IBM Risk Study 2011: 77% of executives feel that risk exposure has increased. Not a single respondent said risk is decreasing.
“The priority now is to connect the top-down and bottom-up views so that our risk management framework will be a truly holistic business resilience strategy.”
Jean-Pierre Bourbonnais, CIO/VP Information Technologies
Bombardier Aerospace
Source: IBM Institute for Business Value - Risk Management Study 2011
IBM Risk Study 2011: Risk silos are considered one of the most important barriers to improving risk management
Functional concentration within the organization (silos) — 28%
Lack of C-level vision and commitment — 14%
Lack of emerging technologies — 12%
Lack of best practices — 9%
Inability to predict ROI from improvements — 37%
“My selling pitch to them (CEO and the board) is that a robust risk management capability is a competitive advantage.”
Yousef Valine, Chief Risk Officer, First Horizon National Corporation
IBM 2010 IT Risk Study: Major area for improvement to attain a higher level of risk maturity: 'Risk Planning happens in silos'
[Chart: Risk management issues, each rated Agree/strongly agree, Neither agree nor disagree, or Disagree/strongly disagree, with a risk maturity rating (Low, Medium, Medium-High) per issue]
• For the most part, risk planning happens in silos
• We take a reactive rather than a proactive approach to risk planning
• We do not have a formal risk management department
• We do not have a well-crafted business continuity strategy
• From a staffing perspective, we are ill prepared to handle the changing risk landscape
Source: IBM IT Risk Study 2010
Vertical Silos: different levels of the organization look at risks in different ways – examples of questions per level
Strategy: Do we select the right long-term vision & goals? What is happening on the market?
Operations: Are we compliant? Are profits, revenue & growth on target? Any structural risks?
Portfolio: Do we have optimal alignment of resources to initiatives? Right mix of initiatives?
Program: Is the goal on target? Are benefits achieved? Are Stakeholders satisfied?
Project, Design: Are requirements understood, is feasibility proven?
Project, Delivery: Are changes managed, cost & milestones in line?
Groupings shown in the diagram: Enterprise Risk Management; Implementation Risk Management
Risk integration across the organization
Strategy: Strategic Risk
Operations: Operational Risk
Portfolio: Portfolio Risk
Program: Program Risk
Project (Design, Delivery): Project Risk
Groupings shown in the diagram: Enterprise Risk Management; Implementation Risk Management
Attributes of Risk levels typically show different focus on time, attitude, stakeholders and signs of risk
Strategic Risk
  Orientation: Future (3-5 yrs+); Sustainability
  Stakeholders: Shareholders, Market capabilities
  Key risk indicators: Market change; Competition; Stock value
Portfolio Risk
  Orientation: Midterm (6-18 months); Right mix of initiatives, Best use of resources
  Stakeholders: C-Suite, division leaders
  Key risk indicators: Resource constraints
Operational Risk
  Orientation: Past, Quarterly view; Compliance, resilience
  Stakeholders: regulation, auditors
  Key risk indicators: Audit results (SOX); Profit, Growth, Revenue
Program Risk
  Orientation: Present and Future; Goals & benefits; Opportunities
  Stakeholders: Strategic Goal Owners; Business Lines; Product Owners
  Key risk indicators: Benefits achievement; Stakeholder acceptance
Project Risk
  Orientation: Present; Risk avoidance
  Stakeholders: Program Managers; Sponsors; Clients, Project Team
  Key risk indicators: Earned value – cost & time; Scope, quality, features; requirements match
Program Risk
Categories (*): Typical Areas of concern
Environmental Risks: Portfolio, Stakeholders, Politics, Compliance
Program-Level Risk: Starting and Running the program
Project Risks: Escalated from Projects
Operational-level Risks: Transition, Change management, Benefits realization
Portfolio-related Risks: Resources, interdependencies
Benefits-related Risks: Synergy, systemic views, architectural
Project Risk
Categories (*): Typical Areas of concern
Stakeholder expectations
Funding, major influencers
Requirements: Conflicts, needs vs. wants
Scope: Boundaries, level of detail
Cost: Estimation, contingency
Time: Dependencies
Resources: Availability, skills, boarding effort
Quality: Features, testing
Feasibility: Architecture, technical risks
(*) Source: PMI's Standards for Project, Program and Portfolio Mgmt
Project Portfolio Risk looks at finding the optimal mix of initiatives to achieve the organization's strategy
Portfolio Risk
Categories (*): Typical Areas of concern
Structural Risk: Portfolio composition, interactions, resources
Component Risk: Escalated from projects and programs within the portfolio
Overall Risk: Management maturity, governance
[Diagram: Portfolio Risk with Component Risk made up of Project Risk and Program Risk]
(*) Source: PMI's Standards for Project, Program and Portfolio Mgmt
Program Management is outward focussed while Project Management mainly deals with project internals
Program Risk: Benefits, Governance, Stakeholders (Understand, Create, Achieve)
Project Risk: Scope, Time, Cost (Plan, Control, Deliver)
ISO 31000:2009 provides principles and guidelines for risk management in order to give a framework for risk integration
11 Principles:
• creates and protects value.
• integral part of organisational processes.
• part of decision making.
• explicitly addresses uncertainty.
• systematic, structured and timely.
• based on the best available information.
• tailored.
• takes human / cultural factors into account.
• transparent and inclusive.
• dynamic, iterative, responsive to change.
• continual improvement of the organization.
Framework: Mandate, Design, Implement, Monitor, Improve
Process: Context; Assess (Identify, Analyze, Evaluate); Treat; Communicate & Consult; Monitor & Review
Similar risk management frameworks for risk management on implementation (PMI) and enterprise (COSO) levels
PMI: Plan Risk Mgmt, Identify, Analyze, Develop Responses, Monitor & Control
COSO provides an ERM Framework:
Monitoring: Monitors effectiveness of ERM activities
Information & Communication: Identifies, captures, and communicates pertinent information
Risk Response: Identifies and evaluates possible responses to risk
Risk Assessment: Assesses the extent to which potential events might impact objectives
Event Identification: Differentiates risks and opportunities
Objective Setting: Considers risk strategy in the setting of objectives, and forms the risk appetite of the entity
Internal Environment: Establishes the entity’s risk strategy and culture
Control Activities: Creates policies and procedures to help ensure that the risk responses are carried out
Source: Committee of Sponsoring Organizations of the Treadway Commission (2004)
Integration between Program and Project levels: IBM's standard regular risk assessment method '7 keys' covers both areas
IBM's 'seven keys to success' methodology has been used and enhanced for more than 10 years and is incorporated into IBM's Risk Management Tools.
Seven Keys are detailed by checklists and incorporated in tools
Key Area: Project Program
Stakeholders committed internal external
Business benefits realized x
Work & Schedule predictable x
Scope realistic & managed x
Team is high performing x
Risks being mitigated x x
Delivery organizations benefits realized x
Risk integration is achieved across the organization by defining and using Risk Management on implementation level, analysing risk data to make strategic choices and adapt policies and processes
[Diagram labels: Common Risk Management Tool; Project Risk, Program Risk, Operational Risk; Data Analysis; Portfolio; Strategy; Policies, processes; Resilience – helps to reduce impact on operation risk]
Business resilience is the ability of an enterprise to rapidly adapt and respond to risks, in order to maintain continuous business operations, be a more trusted partner and enable growth (IBM).
Role of Resiliency (ability to mitigate)
Risk = (Probability x Consequence) - Resilience
Project / Program View
Organizational View
Business Resilience is an important mitigating factor for Implementation Risk
Influences overall organization performance
Study Objectives:
• Understand what risk factors are top-of-mind with executives today, and what they are strategizing to alleviate the effects of risk on their enterprise performance
• Identify their priorities and initiatives that they are investing in to mitigate and manage risk
• Learn how they are organizationally governing these risk initiatives
Study Methodology:
• On-line survey conducted by IBM Institute for Business Value
• 494 responses from individuals with a title of CxO, EVP, GM, Vice President, Director, Product/Functional Mgr.
• Interviews with companies that have holistic programs and are monetizing risk to mitigate the effects and deliver value to the enterprise
Enterprise Risk Management: IBM surveyed 494 companies to better understand how risk factors are affecting their overall performance
(*) Source: IBM: Combating Risk with predictive analysis, June 2012
IBM Study: Which initiatives has your organization adopted / is most likely to adopt in the next three years?
[Chart: initiatives ranked for "Up to now" and for "Next 3 years"]
• Develop communications or training program
• Invest in new risk-related solutions
• Respond to recent natural disasters by rethinking strategies
• Engage external advisors
• Discuss issues with supply-chain partners
• Create a business continuity plan
• Establish company-wide risk management team
• Assign overall responsibility to a single executive
• Develop integrated business resilience strategy
(*) Source: IBM: Combating Risk with predictive analysis, June 2012
Leaders are applying predictive analytics to increase business resilience
[Chart: Leaders compared with other participants. Value Achieved: brand reputation, cost efficiencies, competitive advantage, growth. Reduced Risk Effects: operational, environmental.]
(*) Source: IBM: Combating Risk with predictive analysis, June 2012
Leaders share these characteristics:
Risk management is significant and core to their business strategy
They have comprehensive, “mature” risk management programs with an established management system, top-down organization and network alignment
They achieve business value by applying intelligence to monitor, manage and mitigate risks
IBM uses a lifecycle methodology to help clients achieve sustainable improvements in business resilience.
Inputs: Business objectives, goals, priorities, policies and current capabilities
Business imperatives: Information risk management; Regulatory compliance; Corporate governance
[Diagram: Resilience lifecycle, with labels Assess, Plan, Design, Implement, Manage, Set objectives, Deploy, Control, Monitor, Evaluate, Analyze]
Outputs: Reduced risk, improved governance and facilitated compliance management
Risk Integration across the organisation is driven by overall business resilience improvement and establishment of a risk management standard
[Diagram labels: Strategy, Operations, Portfolio, Program, Project (Design, Delivery); Enterprise Risk Management; Implementation Risk Management; Business Resilience; Risk Mgmt Standard; Data; Policy]
How to obtain some more details?
thwalenta@online.de
http://de.linkedin.com/pub/thomas-walenta/0/3a6/732
http://twitter.com/twtomm
IBM Institute for Business Value / Studies: http://www-935.ibm.com/services/us/gbs/thoughtleadership/
2010 IT Risk Study, 2011 Resilience and Risk Study: http://www-935.ibm.com/services/us/gbs/bus/html/risk_study.html
2012 Reputational Risk and IT Study: http://www-935.ibm.com/services/us/gbs/bus/html/risk_study-2012-infographic.html
Business Resilience: http://www.ibmbusinesscontinuityindex.com/