Risk Management. 2 What is Risk? Websters (Risk) – The possibility of suffering harm or loss;...
-
Upload
allison-mcknight -
Category
Documents
-
view
227 -
download
0
Transcript of Risk Management. 2 What is Risk? Websters (Risk) – The possibility of suffering harm or loss;...
Risk Management
2
What is Risk?
Webster’s (Risk) – The possibility of suffering harm or loss; danger.
The different types of risk
• Personal risk - How will this risk effect the individual i.e. loss of job, health, family life, and their ability to identify and address risk
• Professional risk – Will people have the courage to identify and response to risk i.e. peer and or management pressure. What is the culture of your team, program, company?
• Program risk – Is the risk process so narrow that suboptimum program decisions are made to the detriment of business areas or company goals
• Company risk – Do you think of things short term or long term, do you look at the impact across the business (car versus horse drawn carriage, great for my program but hurts other business areas)
• Community risk – How do your decisions impact the community around you locally, regionally, nationally, planet earth (Enron, Mortgage crisis)
Identification of the different types of risk may make the difference between success and failure for you, the team, the company, or even the nation in some cases
3
Consequences of Risk
Negative
• Personal
– Loss of job
– Lack of Promotion
– Pay freezes
– Emotionally destructive (fear, anxiety, passive)
• Company
– Loss of business
– Lower profits
– Lower stock price
– Reduced company viability
• Country (US – Oil no refiners, or alternate sources of energy)
– Lack of vision
– Short term focus
Positive
• Personal
– Increased opportunities
– Promotions
– Pay increases
– Emotionally lifting (initiative, innovative, courage)
• Company
– Increased business
– Higher profits
– Stock price
– Increased market share/new markets
• Country (Canada – Oil tar sands, Dutch wind)
– Vision
– Long Term Focus
You create a need for it!!
If Risk Management is important, how do we sell Risk Management to management?
5
Program Performance Assessment
Performance Assessment:
9 = excellence in addressing key characteristics3 = fair performance in addressing key characteristics1 = poor performance in addressing key characteristics
198 Program Attributes Assessed from Pre-Proposal thru Contract Completion
SurveyTool
Program Phases:
• Pre-Proposal
• Proposal
• Pricing delegation
• Contract requirements
• Technical performance
• Contract execution
• Contract change
DatabaseEstablished
6
Risk Management Key to Success
Risk Management
Area 2
Area 3
Area 4
Good program identified risk, assessment performed, integrated into program plan & tracked throughout life of program
2 areas
3 areas
5 areas
What Was Done Well on Programs That Performed Well That Was Missing on Programs That Performed Poorly?
7
Consistently Do Poorly on Problem Programs
Pre-Proposal• Risk & requirements understood• 4 other areasProposal• Risk mitigation plan in place• 3 other areasDelegation• 1 other area• Risk mitigation plan in place• 1 other area
Contract Change• 4 other areas
Contract Execution & Technical Performance• 11 other areas• Risk analysis & mitigation plan• 4 other areas
Score of <4, Scale of 1-3-9Perceived as Areas of General ATK Weakness
8
Program Management Survey Results
•PMs that incorporate Risk Management Plan into their program – 78%
•Regularly use or implement risk management (monthly or less) – 50%
•PM’s that can find examples of previous program plans, risk analyses, schedules, etc.. to help me do my job – 44%
9
Program Management Process Rating
Q11) Which of the following items have you incorporated into your program(s)? (Check all that apply.)
Q11
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
1. Program Plan
2. Risk Management Plan
3. Integrated Master Schedule
4. Cost/Schedule Status Tracking System (EVMS)
5. Program Action Register
6. Program Change Request (PCR)
7. Make / Buy Plan
8. Program Organization Chart
9. Configuration Management Plan
10. Configuration Control Board (CCB) Memo / Directive
11. Quality Program Plan
12. Material Review Board (MRB) Directive / Memo
13. Design Plan
14. Design Review (third party)
15. Safety Reviews (third party)
16. Required Record Checklist (for design control)
17. Build Memo / Directive
18. Build Readiness Review (BRR)
19. Process Change Control Board (PCCB) Memo / Directive
20. Master Test Plan
21. Test Readiness Review (TRR)
22. DFSS / 6 Sigma / Lean Improvement Projects
% Responses
Yes
No
Many key elements of a Design Plan and Program Plan not applied to programs
10
Program Management Process Rating
Q12) How Regularly do you use or implement these items? (Check all that apply.)
0
10
20
30
40
50
60
70
80
90
100
1. Program
Plan
2. Risk M
anagement P
lan
3. Integrated Master S
chedule
4. Cost/S
chedule Status T
racking System
(EV
MS
)
5. Program
Action R
egister
6. Program
Change R
equest (PC
R)
7. Make / B
uy Plan
8. Program
Organization C
hart
9. Configuration M
anagement P
lan
10. Configuration C
ontrol Board (C
CB
) Mem
o / Directive
11. Quality P
rogram P
lan
12. Material R
eview B
oard (MR
B) D
irective / Mem
o
13. Design P
lan
14. Design R
eview (third party)
15. Safety R
eviews (third party)
16. Required R
ecord Checklist (for design control)
17. Build M
emo / D
irective
18. Build R
eadiness Review
(BR
R)
19. Process C
hange Control B
oard (PC
CB
) Mem
o /D
irective
20. Master T
est Plan
21. Test R
eadiness Review
(TR
R)
22. DF
SS
/ 6 Sigm
a / Lean Improvem
ent Projects
% o
f R
es
po
ns
es
Never Weekly Monthly Quarterly
11
What is Risk Management?
Definition of Risk Management:
Risk management is concerned with the outcome of future events, whose exact outcome is unknown, and with how to deal with these uncertainties, i.e., a range of possible outcomes. In general, outcomes are categorized as favorable or unfavorable, and risk management is the art and science of planning, assessing, and handling future events to ensure favorable outcomes. The alternative to risk management is crisis management, a resource-intensive process that is normally constrained by a restricted set of available options.
• “ Risk Management Guide for DoD Acquisition, fifth edition, version 2, June 2003”
12
What is Risk Management?
Types of Risk Management:
Hardware
– Feasible, stable, and well-understood user requirements and threat;
– A close relationship with user, industry, and other appropriate participants;
– A planned and structured risk management process, integral to the acquisition process;
– An acquisition strategy consistent with risk level and risk-handling strategies;
– Continual reassessment of program and associated risks;
– A defined set of success criteria for all cost, schedule, and performance elements, e.g.,
– Acquisition Program Baseline (APB) thresholds;
– Metrics to monitor effectiveness of risk handling strategies;
– Effective Test and Evaluation Program; and
– Formal documentation
13
What is Risk Management?
Types of Risk Management:
Software Risk Management
– Identify software risk.
– Estimate the time and resources required to develop new software, resulting in potential risks in cost and schedule.
– Test software completely because of the number of paths that can be followed in the logic of the software.
– Develop new programs because of the rapid changes in information technology and an
– ever-increasing demand for quality software personnel.
People
– Needs/Desires
– Determine relationships
– Relative power/influence
– Trust
What is the Risk Management Process
15
Defenses are Never Perfect
Source: James Reason, Managing the Risks of Organizational Accidents, 1997, p. 9
Potential losses (people and assets) But the reality is
more like this.
Mishap
We perceive our ideal system of defenses like this.
What we don’t Know or don’t Believe Can and Will Hurt Us
16
People
Facilities
Materials
When Events Line Up, the Consequences Can Be Devastating
Adapted from : James Reason, Managing the Risks of Organizational Accidents, 1997, p. 12
MishapMishap
Process Design
Product Design
Defenses in depth
Program Plan
EventEventss
A Hole is a Risk – A WeaknessIn a Plan – Any Plan
Requirements (unspoken & spoken)
17
Requirements
Design
Engineering and Process Design Close Holes
• Voice of Customer (VOC)
• Requirements Definition
• Product Design
• Process Design
• Design FMEA / FTA
• Manufacturing Process FMEA
• Systems Engineering
• Process Control
• Peer Review
Manufacturing
Engineering and Process Design Have
High Leverage
Product Inspections
Only Close Small Holes
Defensive Barrier
Ham and Swiss on Rye
“Process” = ALLProcesses, not justHardware/Manufacturing
To Close a HoleREQUIRES a Change – The RightChange at the Right Time
18
Where are the Holes?
The Essence of Mission Assurance
• Eliminate the Holes
• Shrink the Holes
• Make sure the Holes don’t Line up
The Essence of Risk Management
• Find/Define the Holes
So That We Can …
• Eliminate, Shrink, etc…
The Result is Mission Success
19
Risk Management Model
Plan
Manage Risk
ManageIncidents
Target Condition
Manage Risk
Plan
IncidentManagement
Current Condition
20
Risk Management
• If I know the risks I face, I can make better decisions
• If I know the risks up front, I can apply my resources in a planned manner rather than just reacting to problems with scarce resources
– A Key Role of a Leader is to Apply Resources at the DECISIVE Point and Time to Achieve Victory
• If I know the risks & appropriately mitigate the risks, I have more confidence that I will achieve Mission Success – I plug the holes in the Swiss Cheese
21
What Happened
• We found many Risk Management Tools
• We found no inclusive and defined Process
– “How to Identify the Risks” was Missing
– Applies @ All Levels, All People, Simple & Complex
• We defined the Principles
• We defined the Process
– Based on and consistent with the Principles
• We designed a simple tool to support the process
22
Emerging Risk Management Principles
• Have a Plan• IMP/IMS, Product/Process Design, Material Plan, etc.• Actions to Mitigate Risks get Rolled Back into the Plan
• Understand the Plan/Process• Look at each step/item in a methodical fashion
• Include the Right People• Can be Very Difficult, but is Critical to Success• Thorough Discussion and Review• Risk Management is an Individual Behavior
• Control Change – Make Changes Proactively• There is a Cost for every Mitigation – Plan The Resources
• Solid Cost/Benefit Decisions are Necessary• Planned Use of Resources vs. Ad Hoc “Head in the Sand”
• Take Planned Action – Plan And Make Change• Plan the work, work the plan
• Follow up• Hold teams and individuals accountable
23
Risk Management Process Flow
Given a current condition and
desired end state
Evaluate risks for probability of occurrence and severity of consequence
Risk Requires Action?
Risk Tracker
Risk Tracker
Perform Actions (Work the Plan)
Update Process or Plan
Periodic Program Risk
Review
Identify and Assess Risks to the Plan
Communicate the Risks(Reviews, Boards, Change Control, etc.)
Risk Identification
No
Yes
Risk –An event that could happen to prevent me from reaching my goal.Condition –The reason this risk makes you uncomfortable. Consequence –The result if the risk event happens.Severity –The measure of the magnitude of the effect of the risk event (consequence) on Cost, Schedule, Technical Performance, AUPC, & Safety.Likelihood –The subjective measure of probability that the risk event will occur.
For each step -feature, define 6 M’s, 3 W’s & Success Criteria
Brainstorm potential risks for each step-feature with multi-disciplinary team
Plan actions to reduce probability,
reduce severity, plan contingencies
or further understand risk
Map/Define the process –
ID critical features ***
FMEA, PFMEA, FMECA-type methodology
*** The “Map/Define” step can use a number of tools such as process flow charts, program plans, Integrated Master Plans, Design Trees, etc, to guide the risk identification effort.
Determine root causes of the risk
Risk Assessment
Risk Handling10/16/06
voc
Risk Levels• Likelihood• Severity• Control
Alternatives• Identify options• Identify resources• Assess costs, benefits and impacts• Plan actions
Impacts• Cost• Schedule• Performance
Update the Plan• IMP/IMS• Design• Process• Budget
EACReviews
24
Consequence
Lik
elih
ood
Risk MatrixHighest
Risk
Lowest Risk Consequence
Lik
elih
ood
Risk MatrixHighest
Risk
Lowest Risk
FOR EACH STEP: FOR EACH STEP: ASK 6 M’s and 3 W’sASK 6 M’s and 3 W’s
ExampleDefinition
Given my hectic schedule there is a potential for missing out on eating breakfast, which could result in a lack of energy.
Given (root cause condition)there is a potential for (risk)which could result in (consequence).
Risk Statement
Missing BreakfastShort Description of RiskRisk Title
ExampleDefinition
Given my hectic schedule there is a potential for missing out on eating breakfast, which could result in a lack of energy.
Given (root cause condition)there is a potential for (risk)which could result in (consequence).
Risk Statement
Missing BreakfastShort Description of RiskRisk Titleachine
other Natureeasurement
aterialachine
other Natureeasurement
aterial
hy ?hen ?here ?
hy ?hen ?here ?
Level Probability
5 Near Certainty4 Highly Likely3 Likely2 Unlikely1 RemoteL
IKE
LIH
OO
D
8/30/06
1 2 3 4 5
Personnel
No injury or illness to public, crew or personnel
Minor first aid treatment (does not adversely affect safety or health)
Medical treatment for a minor injury or incapacitation
Serious injury or illness resulting in lost time
Death or permanent disability
Assets
Damage to minor asset
Minor loss or damage to facility, system, equipment, or f light hardw are
Moderate loss or damage to facility, system equipment, or f light hardw are
Major loss or damage to facility, system equipment, or f light hardw are
Total loss of f light hardw are or critical asset
Product
Minimal impact to requirements or design margins
Minor impact to requirements or design margins
Degraded performance. Won’t meet internal requirements
Failure to meet customer requirements
Cannot achieve technical goals (mission failure).
Process
Minimal or no impact to mission objectives or operations
Minor impact to operations – degraded performance w ithin all requirements
Moderate impact to operations -- Won’t meet internal requirements
Major impact to operations -- Failure to meet customer requirements
Cannot achieve mission objective
No impact on AUPC Minor impact on AUPC
Moderate impact on AUPC
Major impact on AUPC
Cannot achieve AUPC goals
Development Cost
CO
NS
EQ
UE
NC
E
AUPC
Level
Safety
Technical
Schedule
Minimal internal schedule slip, able to immediately recover
Key Program Milestone Slip
Key Program Milestone slip, or Program Critical Path impacted
Cannot achieve major program milestone (MS-C)
Internal schedule slip
Minimal budget impact w orkable by small adjustment in plans
Minor budget impact w orkable w ith signif icant adjustment in plans
Moderate budget impact
Major impact on budget, investment required
Major ibudget mpact
25
Planning & Resource Allocation
• Have a Plan, Work the Plan, Follow-up on the Plan
– Risk Management is Dependent on having a Plan
- The “Plan” is the “IMP/IMS” for a Program, the “Design” for a Product or Process, the “BOM” for Materials, etc.
- The process looks at each step in the plan to Identify Risks
– All Risk “Handling” Actions must be worked back into the Original Plan for application of Resources and Follow-up (IMP/IMS, Design, etc.)
• Planned Use of Resources is Critical to Effective Management of the Process
– Resources are Always Limited so Planning is necessary to Assure that Risk “Handling” Actions will actually be Implemented
– Leaders Allocate Resources – It is Inappropriate to merely bully subordinate and supporting organizations to implement Change without Allocating Sufficient Resources
26
The Process is Universal and Necessary
Risk Management is universally applicable toand necessary in all parts of our processes. Toooften it is only used at the Program level. People
Facilities
Materials
Adapted from : James Reason, Managing the Risks of Organizational Accidents, 1997, p. 12
MishapMishap
Process Design
Product Design
Defenses in depth
Program Plan
EventEventss
Requirements (unspoken & spoken)
27
Accountability From Bottom to Top
Program Manager
Executive Management
Functional Leadership
Teams
Individuals
ATK Customer
Customer
Supporting Organizations
BuildersDesigners
Functional TeamsIPT’s
Given a sound process and training, Risk Management is an individualbehavior. The process linked with the right behavior = Success.This individual behavior is the foundation of Risk Management.
Pull
28
View from the Top
How Leadership Views, Discusses and Responds to IdentifiedRisks will Determine the Effectiveness of Handling Plans andwill Determine Future Willingness to Identify Risks.
29
Risk Management Process Focus
Risk Management Process
– Implement a thorough risk management process
– Keep reporting simple
– Focus on reducing or eliminating risk through proactive risk management and initiating risk mitigation activities
– Minimize the temptation to “accept” risk
30
Risk Management Process & Responsibilities
Risk/OpportunityIdentification
Assess andPrioritize
HandlingPlans
HandlingApproval/Resources
Execution,Tracking and
Control
AssessHandlingResults
What could happen?• Internal — controllable- Personnel and staffing- Processes and teams- Design complexity- Suppliers- Test failures- Requirements creep
• External — less control- Economy/policy change- Industrial base- Scope changes
• Production transition• What about opportunities?
AACT on it!
How big is the risk?• Likelihood of occurrence• Possible consequences: technical performance, cost (NRE and TOC), schedule
• Expected value• Relative ranking• Display relative ranking
How to handle the risk?• Assume the risk/ opportunity level and continue on current plan
• Avoid the risk by eliminating its cause or consequence (i.e., change requirements)
• Control (mitigate risk/capture opportunity) cause or consqeuence
• Transfer the risk or opportunity
How are things going?• Reports
- Risk/opportunity register- Ranked list with E.V.s- PRO/OO x CRO/OOrelationships
- Handling plans vs.actuals
• Status, communication, and elevation- Within teams- Risk management board- PM and all stakeholders
Any Stakeholder
TD, RMIPT Leads
TD, RMIPT Leads
RMB, RMIPT Leads
RM, TDIPT Leads
RM, TDIPT Leads
31
Alliant Techsystems Proprietary
Weekly Inputs to Risk Assessment
RiskClarification & Clean up
Inclusion into Risk Tracker
Risk Management Board• RMB Co-chaired by xxx• RMB Members:• RMB Advisors:• RMB Facilitators:
Opportunity DataBase
DFM/DFA’sRequirements Walkthrough
Analysis
Design, Manufacturing
Capability Assessment
Program Office (continued)
Contracts Production TransitionFinance Quality Materials
ProgramOffice
SystemsEngineering
Electrical Mechanical
Systems Design Integration Test & Evaluation
GN&C / Aero/ SW / GPS
LessonsLearned
Trade Studies
32
The Benefits of a robust Risk Management Process
How can you make risk work for you
• It is a common trait of management to award people who put out fires more then they do the people who do things the right way such that you do not have fires.
– Unfortunately it is also true that the people who put out fires may have gathered the kindling and lit the match that started the fire in the first place through poor risk management or no risk management
• Good risk management helps give you visibility for doing the right things
– It highlights the risks
– It identifies the consequences
– It enables healthy discussion on strategies and actions for addressing risk
– It enables the individual to get the credit for doing the right things the first time
33
The Benefits of a robust Risk Management Process
Actual Benefits from following “Good Risk Management Practices”
• Schedule
– It highlights the critical path
– Identifies what is driving the critical path
– Gets people talking and addressing the risk
– It gives you time to address the risk
• Money
– It gives you a forum to discuss money in a non threatening manner
– It provides reasons for making money available
– It gives you time to address the risk
• Reference viewgraph 3