Presentation from March 7, 2007 Dinner Meeting

  • 8/9/2019 Presentation from March 7, 2007 Dinner Meeting

    Chip Justice and Courtney Lane

    7 March 2007

    Communicating and Managing Risks

    Agenda

    Defining Risk Management (Chip)

    Programmatic Development (Courtney)

    Identifying and Managing Risks (Courtney)

    Changing A Culture (Chip)

    Applying Risk Management to your organization (Chip)

    Agenda

    Defining Risk Management (Chip)

        Industry definition vs. the customer's definition
        Purpose & Goals
        Value of Risk Management
        Opportunities & Issues

    Programmatic Development (Courtney)

    Identifying and Managing Risks (Courtney)

    Changing A Culture (Chip)

    Applying Risk Management to your organization (Chip)

    What is a Risk?

    A threat or obstacle that prevents an organization from achieving its objectives

    A hazard

    The future chance or probability of loss

    Let's take a look at how industry defines risk

    Risk

    The potential inability to achieve overall program objectives within defined cost, schedule, and technical constraints and has two components (1) the probability/likelihood of failing to achieve a particular outcome, and (2) the consequences/impacts of failing to achieve that outcome. [1]

    ...an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective. [2]

    RISK (risk) n. [Fr. risqu < Ital. risco.] 1. Possibility of suffering harm or loss: DANGER. 2. A factor, course, or element involving uncertain danger: HAZARD. 3. a. The danger of probability of loss to an insurer. b. The amount that an insurance company stands to lose. c. One considered with respect to the possibility of loss to an insurer. [3]

    [1] Risk Management Guide for DoD Acquisition, Fourth Edition, DoD, DAU, DSMC, February 2001

    [2] Project Management Institute PMBOK, 2001 Edition

    [3] Webster's II University Dictionary

    Our customer tends to define risk much like that of the DAU but further breaks it down into three categories

    Risk

        The potential inability to achieve objectives

    Opportunity

        The potential ability to exceed objectives

    Issue

        An unfavorable circumstance that is certain to affect achievement of objectives

    How do you communicate your risks?

    Our customer communicates their risks through standardized processes utilizing People, Processes, and Technologies

    People

        Promote a risk management culture that is supported and championed by leadership across the Enterprise
        Communicate the standup of the risk management process through known and established communication channels
        Provide training through established workshops

    Process

        Define a risk management process based on the ERM process
        Introduce risk management process documents into the Enterprise Configuration Control Board (ECCB)
        Recommend process improvements
        Decision making process / Decision point (Requirements, spending)

    Technology

        Promote the use of the web-based Risk, Issue, and Opportunity Tool (RIOT) to capture and report information regarding risks, issues and opportunities

    At Booz Allen Hamilton, we focus on People, Process & Technology in their transformation initiatives

    Understanding your risk management process and the outcome you desire is the key to defining your purpose & goals

    Purpose & Goals

        Identify your customer's/firm's/organization's Top Risks so that Leadership can direct the right amount of resources, at the right time, to implement the right solution

        Ensure that all involved understand the identified risk with a mitigation plan that is created from a common frame of reference

        Create a bottom-up and top-down approach to Enterprise Risk Management

        Track overarching or summary level risks and use that information to assist with strategic decisions

        Instill the belief in the workforce that communicating risks is a positive, not negative, process that is rewarded, not punished

    The value of risk management is that it is in line with industry best practices and coincides with your organization's mission

    Process compliant with industry standards

    Unified risk management process

    Web-based risk management tool

    Improved participation and communication throughout your organization

    Increase visibility with all stakeholders

    Achievement of organizational objectives

    Defining the value of the ERM process is different for every organization; the key is understanding how you define Value

    So why implement an Enterprise Risk Management (ERM) program?

    It can almost be thought of as situational awareness and capital improvement all in one

    By identifying risks, executive leadership and mid-level management can make a decision that is based on solid information with a strategy to mitigate the risk at hand

    Management can look to see which are the most critical risks within the organization and then define the appropriate resources to resolve the issue

    If implemented correctly, the entire enterprise will benefit from understanding the most important issues and the biggest challenges

    Agenda

    Defining Risk Management (Chip)

    Programmatic Development (Courtney)

        Our Risk Management Process
        Implementation at the Program Level

    Identifying and Managing Risks (Courtney)

    Changing A Culture (Chip)

    Applying Risk Management to your organization (Chip)

    An enterprise risk management process should be documented to ensure standardization

    Process documentation contains the following information:

        Tasks required to implement the ERM process
        Entry and exit criteria
        Inputs and outputs
        Roles and responsibilities
        Required measures

    Templates and training materials should be made available

        Risk management plan templates
        Briefing templates
        Enterprise risk management training package

    Projects and programs should tailor the ERM process to meet their needs

    The following elements of the ERM process can be tailored by projects and programs:

        Stakeholders
        Probability and consequence definitions
        Risk tolerance thresholds
        Roles and responsibilities
        Communication plan
        Measures

    Each project and program should document their risk management process in a risk management plan

    Risk management should be an iterative, tailorable process

    [Figure: process cycle. Steps: ERM 01 Develop Strategy; ERM 02 Identify; ERM 03 Analyze; ERM 04 Plan; ERM 05 Monitor; ERM 06 Control. Labels on the diagram: Project Kick-Off; Validated risks, issues, opportunities; Classification; Rating; Handling; Priority; Mitigation Plans; Contingency Plans; Triggers; Status reports; Communication; Lessons learned]

    Source: Adapted from the Software Engineering Institute's Continuous Risk Management Guidebook

    Agenda

    Defining Risk Management (Chip)

    Programmatic Development (Courtney)

    Identifying and Managing Risks (Courtney)

        Identifying Risks
        Analysis and Planning
        Monitor and Control

    Changing A Culture (Chip)

    Applying Risk Management to other Organizations (Chip)

    There are four elements to risk identification

    Title

        Captures the so-what

    Statement

        For risks and opportunities: If [concern], then [consequence or benefit]
        For issues: [Statement of concern]; thus, [consequence]

    Context

        Facts only (who, what, when, where, why)
        Avoid assumptions
        Do not introduce new risks
        Avoid blame

    Closure Criteria

        Must alleviate the concern in the statement to an acceptable level
        Must be specific, actionable, and measurable

    Risks are analyzed and handled using the appropriate method

    Qualitative analysis is performed to determine:

        The level of cost, schedule, and performance impacts
        The probability of occurrence (probability is 100% if it is an issue)

    Results are mapped on a probability impact diagram to determine the risk level

    A handling method is chosen depending on the type of risk:

        Mitigate, Resolve, Exploit
        Watch
        Transfer
        Assume

    Plans for reducing the probability of occurrence or severity of consequence if the risk occurs are developed

    Probability Impact Diagram

        Probability of Occurrence: 0-19% Highly Unlikely; 20-39% Unlikely; 40-59% Likely; 60-79% Highly Likely; 80-99% Near Certain; 100% Issue

        Consequence Level: Negligible; Marginal; Significant; Catastrophic

        Critical

    Risks and progress on their plans must be monitored and controlled

    Monitoring risks is extremely important

    New programs are created

    Resource levels change

    Funding status changes

    New supporting information is discovered

    Risks should be updated to reflect any changes found in the Monitor step

    Controls (risk boards) are in place at every level of our customer's organization to monitor risks. These boards can make several decisions about each risk:

    Reject (need more information or rework)

    Accept

    Escalate

    Return for status

    Close

    Risk Controls boards/groups

    [Figure: risk control boards and groups. Boards and groups shown: ELG; Risk Management Core Team (RMCT); Key Component Risk, Issue, and Opportunity Management Board (KC-ROMB); Directorate 1, Directorate 2, Directorate 3; Program 1, Program 2, Program 3. Risk levels shown: Strategic Risks; Enterprise Risks; Directorate Level Risks; Program Risks. Other label: Joint Risk Process]

    Agenda

    Defining Risk Management (Chip)

    Programmatic Development (Chip)

    Identifying and Managing Risks (Courtney)

    Changing A Culture (Chip)

        Obtaining Buy-in & Support
        Risk & Reward vs. Exposure & Condemnation
        Defining a Concept of Operations (ConOps) / Risk Management Plan

    Applying Risk Management to other Organizations (Chip)

    Where do you stand with the evolution of risk management?

    Problem Stage

        I'm too busy to apply a formal risk management practice.
        Risk identification not seen as positive.
        What went wrong?

    Mitigation Stage

        Risk Management is What Managers Have to Do
        Aware of risks but not sure how to communicate them
        What can go wrong and what are the consequences?

    Prevention Stage

        Risk Management is everybody's responsibility.
        Risk management is viewed as a team activity
        Identification and elimination of root causes
        What caused the risk?

    Anticipation Stage

        We can focus on the right priorities
        Use of measures to anticipate predictable risks
        Alternatives are easy to compare using a quantitative approach
        How can we proactively attack risks and assess alternatives?

    Opportunity Stage

        Where there is risk, there is opportunity
        Risks are a chance to do better than planned
        Risk management is used to innovate and shape the future
        Engineering excellence
        How can we take advantage of risks?

    Increasing levels of knowledge, commitment, communication, efficiency, and effectiveness enable transformation through each stage

    Defining and utilizing the risk management process will not succeed with just executive level support

    The risk management process has to be embraced by the entire organization and championed by Leadership

    Obtain buy-in through:

        Using checklist for standardization
        Providing guidelines
        Encouraging and welcoming open communications between individuals, departments, and organizations
        Taking Surveys
        Evaluating the upside and downside of the risk

    Obtain commitment and resource from leadership. At this point, risk management automatically becomes a management priority and leadership becomes an advocate of risk management and supports the process

    Changing a culture is not easy, but a little praise could not hurt

    The key is to understand that 'risk' exists and it can be managed and rewarded

    Training, Training, and Training: instilling Risk & Reward vs. Exposure & Condemnation

    Leadership Communications

    Talking points

    Brown bags

    Define why holding risk information is not a benefit

    Transition to a Risk Aware (Manage the Risk), not Risk Averse, culture

    Defining a Risk Management Plan is a must if you want your ERM program to succeed

    Identify, Evaluate and Manage the process for risk management

    Develop Comprehensive Safety/Loss Control Programs, Policies and Procedures that are tailorable to specific risk

    Establish a Catastrophic Business Continuation or COOP Program

    Transfer Risk Whenever Economically Feasible through Insurance, Legal Contracts, and Avoidance

    Analyze/Re-evaluate Your Risks on a recurring basis

    Identify best practices

    Benchmark and define standards/metrics

    Agenda

    Defining Risk Management (Chip)

    Programmatic Development (Chip)

    Identifying and Managing Risks (Courtney)

    Changing a culture (Chip)

    Applying Risk Management to other Organizations (Chip)

        Lessons Learned
        Best Practices

    Communicating risks can be implemented better by understanding the Lessons Learned from previous risks

    Identify

    Communicate

    Learn

    Implementing best practices assists in communicating effectively

    Using a Risk Management process that is consistent with existing

    Using a Risk Management process that is consistent with existing government and industry best practices results in easier client buy-in, implementation and results

    DAU Risk Management Community of Practice

    [Figure: risk management cycle, with these elements]

        Plan: Standard definitions; Processes; Team training
        Identify: Situation; Uncertainty; Impact; Actions
        Control: Mitigation; Contingency Plans
        Analyze: Probability; Impact; Outcomes
        Monitor: Maintain history; Monitor plans; Periodic updates

    One Firm delivering results that endure

    How to Learn More

    DAU

        PMCoP (https://acc.dau.mil/CommunityBrowser.aspx)
        New Risk Management Guide, Aug 2006
        Acquisition Review Quarterly, Risk Special Edition, Spring 2003

    PMI (http://www.pmi.org/info/default.asp)

        PMBOK
        Risk SIG

    INCOSE (https://www.incose.org)

        Risk Management Working Group

    Prince2: Projects in controlled environments (http://www.tsoshop.co.uk)

    Read!

    Closing Remarks

    The Director of Central Intelligence Directive (DCID) 8/1 identifies risk management as Balancing the goal of greater intelligence information sharing with the need to protect sources and methods requires IC members to apply a risk management methodology. This policy must be implemented in ways that balance the risk of unauthorized disclosure of sources and methods against the imperative to provide the most useful and responsive intelligence. The information needs of the customer must be given important weight in this risk management determination.

    Q&A