Risk Integration

Understand the difference of risk management on project and program level and be able to manage

risks appropriately on each level while integrating the view on risk management for the organization

Thomas Walenta, PMPthwalenta@online.de

2

Why should we look at integrative risk management for an organization?

What are the different vertical risk management areas?

How is IBM managing risk on the program/project level?

Why can Business Resilience help to reduce implementation risk?

33

77% Increase in Risk Exposure

Source: IBM Institute for Business Value - Risk Management Study 2011

IBM Risk Study 2011: 77% of executives feel that risk exposure has increased. Not a single respondent said risk is decreasing.

“The priority now is to connect the top-down and bottom-up views so that our risk management framework will be a truly holistic business resilience strategy.”

Jean-Pierre Bourbonnais, CIO/VPInformation Technologies

Bombardier Aerospace

44Source: IBM Institute for Business Value - Risk Management Study 2011

IBM Risk Study 2011: Risk Silos are considered one of the most important barriers to improve risk management

Functional concentration within the organization (silos)— 28%

Lack of C-level vision and commitment — 14%

Lack of emerging technologies— 12%

Lack of best practices— 9%

Inability to predict ROI from improvements — 37%

“My selling pitch to them (CEO and the board) is that a robust risk management capability is a competitive advantage.”

Yousef Valine, Chief Risk Officer,First Horizon National Corporation

55

48%30%

23%

For the most part, risk planning happens in silos

We take a reactive rather than a proactive approach

to risk planning

38%27%

35%

We do not have a formal risk management department

41%13%

46%

We do not have a well-crafted business continuity strategy

13%28%

54%

IBM 2010 IT Risk Study: Major area for improvement to attain a higher level of risk maturity: 'Risk Planning happens in silos'

Risk maturity

From a staffing perspective, we are ill prepared to handle the

changing risk landscape

13%34%

51%

Low

Low

Medium

Medium-High

Medium-High

Agree/strongly agree Neither agree nor disagree Disagree/strongly disagree

Risk management issues

Source: IBM IT Risk Study 2010

6

Why should we look at integrative risk management for an organization?

What are the different vertical risk management areas?

How is IBM managing risk on the program/project level?

Why can Business Resilience help to reduce implementation risk?

7

Project

Vertical Silo's: different levels of the organization look at risks in different ways – examples of questions per level

Strategy

Operations

Portfolio

Program

Enterprise Risk Management

Implementation Risk Management

Delivery

Design

Do we select the right long-term vision & goals? What is happening on the market?

Are we compliant? Are profits, revenue & growth on target? Any structural risks?

Do we have optimal alignment of resources to initiatives? Right mix of initiatives?

Is the goal on target? Are benefits achieved? Are Stakeholders satisfied?

Are requirements understood, is feasibility proven?

Are changes managed, cost & milestones in line?

8

Risk integration across the organization

Strategy

Operations

Portfolio

Program

ProjectProject Risk

Program Risk

Operational Risk

Portfolio Risk

Strategic Risk

Enterprise Risk Management

Implementation Risk Management

Delivery

Design

9

Attributes of Risk levels typically show different focus on time, attitude, stakeholders and signs of risk

Project Risk

Program Risk

Operational Risk

Portfolio Risk

Strategic Risk

Orientation Stakeholders Key risk indicators

Future (3-5 yrs+)Sustainability

Shareholders, Marketcapabilities

Market changeCompetitionStock value

Midterm (6-18 months)Right mix of initiatives, Best use of resources

C-Suite, division leaders

Resource constraints

Past, Quarterly viewCompliance, resilience

regulation, auditors Audit results (SOX)Profit, Growth, Revenue

Present and FutureGoals & benefitsOpportunities

Strategic Goal OwnersBusiness LinesProduct Owners

Benefits achievementStakeholder acceptance

PresentRisk avoidance

Program ManagersSponsorsClients, Project Team

Earned value – cost & timeScope, quality, featuresrequirements match

10

Program Risk Project Risk

Categories (*) Typical Areas of concern

Environmental Risks Portfolio, Stakeholders, Politics, Compliance

Program-Level Risk Starting and Running the program

Project Risks Escalated from Projects

Operational-level Risks Transition, Change management, Benefits realization

Portfolio-related Risks Resources, interdependencies

Benefits-related Risks Synergy, systemic views, architectural

Categories (*) Typical Areas of concern

Stakeholder expectations

Funding, major influencers

Requirements Conflicts, needs vs. wants

Scope Boundaries, level of detail

Cost Estimation, contingency

Time Dependencies

Resources Availability, skills, boarding effort

Quality Features, testing

Feasibility Architecture, technical risks

(*) Source: PMI's Standards for Project, Program and Portfolio Mgmt

11

Portfolio Risk Component Risk

Categories (*) Typical Areas of concern

Structural Risk Portfolio composition, interactions, resources

Component Risk Escalated from projects and programs within the portfolio

Overall Risk Management maturity, governance

Project Risk

Program Risk

Project Portfolio Risk looks at finding the optimal mix of initiatives to achieve the organizations strategy

(*) Source: PMI's Standards for Project, Program and Portfolio Mgmt

12

Program Risk Project Risk

PlanControl Deliver

Scope

TimeCost

UnderstandCreate

Achieve

Benefits

GovernanceStakeholders

Program Management is outward focussed while Project Management mainly deals with project internals

1313

Process

ISO 31000:2009 provides principles and guidelines for risk management in order to give a framework for risk integration

11 Principles Framework

Context

Identify

Analyze

Evaluate

Treat

Co

mm

unica te & C

onsul t

Monitor &

Review

Mandate

Design

Monitor

ImplementImprove

• creates and protects value.• integral part of organisational processes• part of decision making.• explicitly addresses uncertainty.• systematic, structured and timely.• based on the best available information.• tailored.• takes human / cultural factors into

account. • transparent and inclusive.• dynamic, iterative, responsive to change.• continual improvement of the

organization.

Assess

14

Similar risk management frameworks for risk management on implementation (PMI) and enterprise (COSO) levels

Identify

Develop Responses

Analyze

Monitor & Control

Plan Risk Mgmt

PMI … … COSO provides an ERM Framework

Monitoring Monitors effectiveness of ERM activities

Information & Communication Identifies, captures, and communicates pertinent information

Risk Response Identifies and evaluates possible responses to risk

Risk Assessment Assesses the extent to which potential events might impact

objectives

Event Identification Differentiates risks and opportunities

Objective Setting Considers risk strategy in the setting of objectives, and forms

the risk appetite of the entity

Internal Environment Establishes the entity’s risk strategy and culture

Control Activities Creates policies and procedures to help ensure that the risk

responses are carried out

Source: Committee of Sponsoring Organizations of the Treadway Commission (2004)

15

Why should we look at integrative risk management for an organization?

What are the different vertical risk management areas?

How is IBM managing risk on the program/project level?

Why can Business Resilience help to reduce implementation risk?

1616

Integration between Program and Project levels: IBM's standard regular risk assessment method '7 keys' is covering both areas

IBM's 'seven keys to success' methodology is used and enhanced since more than 10 years and incorporated into IBM's

Risk Management Tools.

1717

Seven Keys are detailed by checklists and incorporated in tools

Key Area: Project Program

Stakeholders committed internal external

Business benefits realized x

Work & Schedule predictable x

Scope realistic & managed x

Team is high performing x

Risks being mitigated x x

Delivery organizations benefits realized x

18

Common Risk Management Tool

Risk integration is achieved across the organization by defining and using Risk Management on implementation level, analysing risk data to

make strategic choices and adapt policies and processes

Project Risk

Program Risk

Operational Risk

Portfolio

Strategy

Policies, processes

Strategy

Portfolio

Resilience – helps to reduce

impact on operation risk

Data Analysis

19

Why should we look at integrative risk management for an organization?

What are the different vertical risk management areas?

How is IBM managing risk on the program/project level?

Why can Business Resilience help to reduce implementation risk?

20

Business resilience is the ability of an enterprise to rapidly adapt and respond to risks, in order to maintain continuous business operations, be a more trusted partner and enable growth (IBM).

21

Role of Resiliency(ability to mitigate)

Risk = (Probability x Consequence) - Resilience

Project / Program View

Organizational View

Business Resilience is an important mitigating factor for Implementation Risk

Influences overall organization performance

2222

Study Objectives Study Methodology

Understand what risk factors are top-of-mind with executives today, and what they are strategizing to alleviate the affects of risk on their enterprise performance

Identify their priorities and initiatives that they are investing in to mitigate and manage risk

Learn how they are organizationally governing these risk initiatives

On-line survey conducted by IBM Institute for Business Value

494 responses from individuals with a title of CxO, EVP, GM, Vice President, Director, Product/Functional Mgr.

Interviews with companies that have holistic programs and are monetizing risk to mitigate the effects and deliver value to the enterprise

Enterprise Risk Management: IBM surveyed 494 companies to better understand how risk factors are affecting their overall performance

(*) Source: IBM: Combating Risk with predictive analysis, June 2012

2323

Next 3 yearsUp to now

Develop communications or training program

Invest in new risk-related solutions

Respond to recent natural disasters by rethinking strategies

Engage external advisors

Discuss issues with supply-chain partners

Create a business continuity plan

Establish company-wide risk management team

Assign overall responsibility to a single executive

Develop integrated business resilience strategy

11

11

22

33

55

44

22

33

44

55

IBM Study: Which initiatives has your organization adopted / is most likely to adopt in the next three years?

(*) Source: IBM: Combating Risk with predictive analysis, June 2012

2424

Leaders are applying predictive analytics to increase business resilience

Other participantsLeaders

Value Achieved

+16%

brand reputation

51%32%

51%

44%35%

cost efficiencies

38%+24%

24%

51%48%

competitive advantage

38%+23%

23%

46%

growth

38%+21%

25%51%48%46%

Reduced Risk Effects

operational

59%44%

+15%44%

59%

environmental

65%38%

+38%

38%

65%

27%

(*) Source: IBM: Combating Risk with predictive analysis, June 2012

Leaders share these characteristics:

Risk management is significant and core to their business strategy

They have comprehensive, “mature” risk management programs with an established management system, top-down organization and network alignment

They achieve business value by applying intelligence to monitor, manage and mitigate risks

25

IBM uses a lifecycle methodology to help clients achieve sustainable improvements in business resilience.

Manage

Set objectives

Design

Deploy

Plan

Imp

leme n

t

ControlMonitor

Evaluate

Analyze

Resilience lifecycle

Ass

ess

Inputs: Business objectives, goals, priorities, policies and current capabilities

Information risk management

Regulatory compliance

Corporate governance

Business imperatives:

Outputs:Reduced risk, improved governance and facilitated compliance management

26

Why should we look at integrative risk management for an organization?

What are the different vertical risk management areas?

How is IBM managing risk on the program/project level?

Why can Business Resilience help to reduce implementation risk?

27

Risk Integration across the organisation is driven by overall business resilience improvement and establishment of a risk management standard

Strategy

Operations

Portfolio

Program

Enterprise Risk Management

Implementation Risk Management

Delivery

DesignProject

Business Resilience

Risk Mgmt Standard

Data

Pol

icy

28

How to obtain some more details? thwalenta@online.dehttp://de.linkedin.com/pub/thomas-walenta/0/3a6/732http://twitter.com/twtomm

IBM Institute for Business Value / Studieshttp://www-935.ibm.com/services/us/gbs/thoughtleadership/

2010 IT Risk Study2011 Resilience and Risk Studyhttp://www-935.ibm.com/services/us/gbs/bus/html/risk_study.html

2012 Reputational Risk and IT Studyhttp://www-935.ibm.com/services/us/gbs/bus/html/risk_study-2012-infographic.html

Business Resiliencehttp://www.ibmbusinesscontinuityindex.com/

.