Date post: | 20-May-2015 |
Category: |
Business |
Upload: | glen-alleman |
View: | 912 times |
Download: | 3 times |
HANDLING RISK ON HIGH TECHNOLOGY PROGRAMS Without metrics, you’re just another guy with an opinion.
— Stephan Leschka, Hewlett Packard
1
Niwot Ridge LLC
Agenda for the Next 4 Hours 2
Review the five principles of Risk Management.
Introduce SEI’s Continuous Risk Management (CRM).
Illustrate each CRM process area with example artifacts or
outcomes.
Familiarize all participants with the concept of Risk
Management and their contributions to the 1st step –
Identifying Risk.
Understand what data needs to be gathered, so the 1st cut
at a measure of program risk can be constructed.
But, Before we Start, Let’s Understand our Role Here …
3
Risk Management is a profession.
Risk Management is Program Management.
Risk Management is how adults manage projects.
Managing risks goes hand-in-glove with managing
work, people, processes, vendors, and the client.
What’s Risk Management All About?
4
But we can’t make decisions until we get the right information, right?
5
Risks are part of the project, handled the same way all other work is handled – with a plan
6
Five Easy Pieces
of Risk Management
Risk Management is more than the processes called out
in PMBOK® (Chapter 11)
Risk Management
IS
Project Management
7
1. Hope is not a strategy 2. No single point estimate of cost or schedule can be correct 3. Cost, Schedule, and Technical Performance are inseparable 4. Risk management requires adherence to a well defined process 5. Communication is the Number One success factor
8
Hope is Not a Strategy
A Ship on the Beach is a Lighthouse to the Sea – Dutch Proverb
9 I
II
No Point Estimate By Itself Can Be Correct
10
Cost, Schedule, & Technical Performance are Inseparable
11 III
Risk Management Demands a Well Defined Process
12 IV
V
Risk Management
Demands Direct Communication
Between All Parties
13
Lack of predictive variance analysis
Untimely and unrealistic Latest Revised Estimates (LRE)
Progress not monitored in a regular and consistent manner
Lack of vertical and horizontal traceability cost and schedule data for corrective action
Lack of internal surveillance and controls
Managerial actions not demonstrated using Earned Value
Inattention to budgetary responsibilities
Work authorizations that are not always followed
Issues with Budget and data reconciliation
Lack of an integrated management system
Baseline fluctuations and frequent replanning
Current period and retroactive changes
Improper use of management reserve
EV techniques that do not reflect actual performance
The Project Train Wrecks Starts When There is…
14
Mary K. Evans Picture Library
Putting these Principles into Practice 15
Principles and Practices are not the same
16
In theory there is no difference
between theory and practice. In
practice there is.
Three Conditions of Risk 17
The potential for loss must exist.
Uncertainty with respect to the eventual outcome
must be present.
Some choice or decision is required to deal with the
uncertainty and potential for loss.
Mission-Oriented Success Analysis and Improvement Criteria (MOSAIC)
18
Establish and maintain confidence that objectives
will be achieved successfully
A suite of risk–based methods for assessing and
managing complex projects and processes.
Produces a broad overview of the current state of
risk and opportunity for a project or process.
19
Mission Work Processes Constraints
Tasking, Orders, and Plans Operational Processes Resources
Stability
Completeness
Clarity
Validity
Feasibility
Precedent
Timeliness
Formality
Suitability
Process
Control
Familiarity
Product Control
Schedule
Staff
Budget
Facilities
Tools
Mission Execution Maintenance Process Policies
Efficiency
Effectiveness
Complexity
Timeliness
Safety
Formality
Suitability
Process
Control
Familiarity
Service Quality
Laws and
Regulations
Restrictions
Contractual
Constraints
Product and Service Management Processes Interfaces
Usability
Effectiveness
Timeliness
Accuracy
Correctness
Operational
Systems
Planning
Organization
Management
Experience
Program
Interfaces
Customer /
User
Community
Associate
Agencies
Contractors
Senior
Leadership
Vendors
Politics
Operational Systems Management Methods
Throughput
Suitability
Usability
Familiarity
Reliability
Security
Inventory
Installations
System
Support
Monitoring
Personnel
Management
Quality
Assurance
Configuration
Management
Work Environment
Quality Attitude
Cooperation
Communication
Morale
CRM is the Software Engineering Institute’s
framework for managing risk in the context of
system integration, technology based product
development, and the management of these
activities.
An Introduction to Continuous Risk Management (CRM)
20
21
Continuous Risk Management has Six Components
Continuous Risk Management 22
Stage Actionable Steps
Identify Continually ask, “what could go wrong?”
Analyze Continually ask, “which risks are most critical to
mitigate?”
Plan Develop mitigation approaches for the most critical risks
Track Track the mitigation plan and the risk
Control Make decisions based on data
Communicate Ensure a free-flow of information throughout the project
Putting Continuous Risk Management Together
23
Identify
Analyze
Plan
Track
Control
Identify Risk Issues and Concerns
Evaluate, classify, and prioritize
risks
Decide what should be done
about risks
Monitor risk metrics and
verify/validate mitigations
Make risk decisions
Subproject and partner
data/constraints, hazard
analysis, FMEA, FTA, etc.
Risk data: test data, expert
opinion, hazard analysis, FMEA,
FTA, lessons learned, technical
analysis
Resources
Replan Mitigation
Program/project data
(metrics information)
Statement of risk
Risk classification, Likelihood
Consequence, Timeframe
Risk prioritization
Research, Watch (tracking requirements)
Acceptance Rationale, Mitigation Plans
Risk status reports on:
Risks
Risk Mitigation Plans
Close or Accept Risks
Invoke contingency plans
Continue to track
Four (4) Steps to Deploying CRM 24
Step Action
1 Establish an enterprise risk
management process
SEU CRM Process with Mitre Risk
Registry
2
Establish Risk Process owner and
document the process
Org chart Risk Manager
established, Risk owners for
deliverables are next
3 Provide training in the standard
risk management process
Engage risk owners
4
Monitor and enforce the
implementation of Risk
Management
Weekly risk board meeting
25
Search for and locate risks before they become issues or problems. Capture statements of risk and context.
Capture a Statement of Risk 26
Consider and record the conditions that are causing
concern
Create a statement of the risk in a concise
description, which can be understood and acted on
Condition: a single phrase describing the circumstances
Consequences: a single phrase describing the key,
possible negative outcome(s)
Capture the Context of a Risk 27
A brief, concise description of the conditions and
consequences of the risk
Provide enough information to ensure the original
intent of the risk can be understood, especially
after some time has passed
28
Transform risk data into decision making information. Risk analysis is performed to determine what is important to the project and to set priorities.
Evaluating Attributes of Risks 29
Impact: the loss or effect on the project if the risk
occurs
Probability: the likelihood the risk will occur
Timeframe: the period when action is required in
order to mitigate or retire the risk
Sample Risk Evaluation 30
A B C D E
Negligible Minor Moderate Significant Severe
E Very Likely Low Med Medium Med Hi High High
D Likely Low Low Med Medium Med Hi High
C Possible Low Low Med Medium Med Hi Med Hi
B Unlikely Low Low Med Low Med Medium Med Hi
A Very Unlikely Low Low Low Med Medium Medium
Classifying Risks 31
Grouping risks based on shared characteristics
Identify duplicate risks
Risk Evaluation Classification 32
Probability Risk Rating
> 70% E: Very Likely
40% to 70% D: Likely
10% to 40% C: Possible
1% to 40% B: Unlikely
< 1% A: Very Unlikely
Budget Over Run Impact Rating
> 15% of budget E: Severe
10% to 15% of budget D: Significant
6% to 10% of budget C: Moderate
2% to 6% of budget B: Minor
< 2% of budget A: Negligible
Prioritizing Risks 33
Partitioning risks or groups of risks based on the
Borda “vital few” scale
Ranking the risks based on a criteria
Separate risk to be dealt with first (the vital few)
when allocating resources
The Borda Rank 34
Which risk of more critical?
Where should resources be allocated to
eliminate the most troublesome areas in the
program?
Using this approach – ties for “the most
important – often result.
Borda Ranking deals with this result, which
ranks risks according to their probability of
occurrence and their impact
i ik
k
b N r “Risk Matrix: An Approach for Identifying, Assessing, and Ranking Program Risks,” Paul Garvey
and Zachary Lansdowne, Air Force of Logistics, Vol XXII, Number 1
35
Translate risk information into decisions and mitigating actions and implement those actions. Produce plans for mitigating risks.
Assign Responsibility 36
Three choices for assigning responsibility
Keep the risk
Transfer the risk upward in the organization or to
another organization
Delegate the risk within the organization
Determine the Approach 37
Accept the risk – do nothing
Mitigate the risk – eliminate or reduce
Watch the risk – monitor for critical changes
Define Scope and Actions 38
Action Item List for less complex mitigations
A simple means of documenting and tracking risk
mitigations
Task Plans with schedules and budgets for complex
mitigations
These plans must be embedded in the Integrated
Master Schedule
39
Monitor risk indicators and mitigation plans. Indicators and trends provide information to activate plans and contingencies. Review these plans periodically to measure progress and identify new risks.
The Risk Registry 40
Integrate Risk with the Master Schedule
41
Budget and resources assigned from Risk
Management reserve.
Activation of risk activities through the Risk
Management Board.
Adjustments to Performance Measurement Baseline
reflect Risk activities.
Measure risk activities in the same way as other
planned activities.
42
Correct for deviations from the risk mitigation plans. Actions can lead to corrections in products or processes. Changes to risks, risks that become problems, or faulty plans require adjustments in plans or actions.
Analyze Risks 43
Examine risks for trends, deviations, and anomalies.
Achieve a clear understanding of the current status
of each risk and mitigation plan.
Decide 44
Replan
Close the risk
Invoke the contingency plan
Continue tracking and executing the current plan
Execute 45
If a planned action is made, open the Work
Packages for the mitigation or retirement activities.
If it decided to continue tracking, the risk remains in
the tracking state until the next review.
46
Provide information and feedback to the project on the risk activities, current risks, and emerging risks.
Risk Communication Process 47
Risk Management Processes and their Communication to the Program Team
Determine sources and categories Define parameters to analyze and categorize risks
Define parameters used to control the risk
management effort
Establish and maintain a strategy for risk
management
Identify and document risks
Evaluate and categorize each identified risk using
defined categories and parameters and determine
relative priority
Develop risk Handling Plan for important risks as
defined by the risk management strategy
Monitor status of risk periodically and implement risk
handling plan as appropriate
Establish and maintain organizational policy for
planning and performing risk management
Provide adequate resources for performing risk
management, developing work products and
providing services
Assign responsibility and authority for performing the
process Train staff in support of risk management processes
Place designated work products under appropriate
configuration management Identify and involve relevant stakeholders
Monitor and control risk management processes Objectively evaluate adherence to risk management
processes
48
Glen B. Alleman
4347 Pebble Beach Drive
Niwot, Colorado 80503
+1.303.241.9633