Risk management - A short course
73
RISK MANAGEMENT A Short Course
-
Upload
peartm -
Category
Engineering
-
view
92 -
download
2
Transcript of Risk management - A short course
RISK MANAGEMENT
A Short Course
Risk & Risk Management
• A risk is "an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives."
• Risk management includes for identification of risks, assessment of risks in terms of likelihood and consequences / impacts, and defining responses to issues.
Project Risk
• An uncertain event or condition that if it occurs has a positive or negative effect on at least one project objective such as time, cost, scope, quality (safety).
• Risks have a cause and an impact.
“Risk Speak”
• As a result of:• a [DEFINITIVE CAUSE],• an [UNCERTAIN EVENT (Risk)] may
occur,• which would lead to [EFFECT/IMPACT
ON OBJECTIVES].
Project Management Areas
Risk is Perception
Risk is often in the eye of the beholder andis a personnel perception.This is linked to the following:• Attitude (which drives)• Behaviour (which leads to)• Consequences and the risk ‘appetite’ of a firm/individual
Risk Spectrum
Neutral
Reasonable Behavoiur
Extreme Behaviour
Risk Taker Risk Averse
Increasing Potential Profitability
Increasing Potential Liability
Fair' apportionment of risk
Risk Response and Comfort
ISO 31000/ ANZ Code
• Establish context• Identify• Analyse• Evaluate• Treat• PLUS Monitor, Review & Communicate
YES
What can happen?When & where?How & why?
TREAT RISKS
CO
MM
UN
ICA
TE &
CO
NS
ULT
MO
NIT
OR
& R
EV
IEW
Internal ContextExternal ContextRisk Management ContextDevelop CriteriaDefine Structure
ESTABLISH THE CONTEXT
IDENTIFY RISKS
ANALYSE RISKS
Compare against CriteriaSet Pririties
NO
Identify existing controls
Determine Consequences
Determine Likelihood
Determine Level of Risk
EVALUATE RISKS
Identify optionsAssess OptionsPrepare & Implement PlansAnalyse / evaluate residual risk
Treat Risks
Essential Questions
• WHAT• WHY• WHEN• HOW• WHERE• WHO
I keep six wise serving men.
(They taught me all I knew).
There names are What & Why & When, and How & Where & Who
(Rudyard Kipling 1902)
PMI Process GroupPLANNING
• Establishing the Context;• Deciding ‘how’ to approach & conduct risk
management.
RISK PLANNING - WHAT
• Enterprise Environmental Factors – structure, culture, resources, market conditions, PMIS
• Organisational Processes – Assets, Policies & Procedures.
• Scope & any legal regulatory, physical, time, constraints.• Consider business needs for the project.• WHYIdentifies who has to what and when and at what
cost (budget for risk required). Enables focused rational communication with others. Describes and approach to be made
RISK PLANNING -WHY
• Identifies who has to do what and when and at what cost (budget for risk required).
• Enables focused rational communication with others.
• Describes risk management and approach to be made
RISK PLANNING -WHEN
• Prior to commencement and ongoing as part of monitoring & control.
• New situations or changes during project.• Risk plan for formal risk review/risk
activities through project lifecycle.
RISK PLANNING -HOW
• Approach to be adopted – new, existing registers. Depends on size, complexity ‘newness’ of project and project team. Tools and techniques to be used.
• Definitions of probability and impact to be used in RM.
• Communication and consultation with Stakeholders.
PLANNING -WHERE
• Location of initial meetings, internal and external reviews.
• On or off site• Consider Client and contractors who either
input direct or through documents, joint workshops etc .depending on situation.
RISK PLANNING -WHO
• Participants required, stakeholders or stakeholder needs.
• Based on knowledge, experience, expertise,
• Client and contractors to either input direct or through documents, joint workshops etc.
RISK PLANNING - DELIVERABLES
• RISK MANAGEMENT PLAN• RISK BREAKDOWN STRUCTURE (RBS). • Definitions of probability (likelihood) and Impact
(consequences).• Risk Context :Client / Contractor / Consultant etc,
Internal / External • Risk categories : Technical, External, Organisational,
Project Management (Estimates of Time / Cost), Legal/Contract, Reputation, Safety, Quality, Environmental as per RBS.
• Organisation Risk Manual so set ‘policy’/ protocol/ organisation rules, roles & responsibilities.
Risk Management Plan (Contents)
• Introduction – project background and description; philosophy• Risk Methodology (Tools & Techniques)• Roles & Responsibilities• Information & Communication protocols• Training required• Budget• Timing (Schedule)• Risk Categories – RBS• Definitions of probability & impact• Probability / Impact Matrix & High, Medium, Low definition• Tolerances with respect to risk categories and any predefined
actions required.• Report Formats – registers, tracking, reports, change.
RISK IDENTIFICATION
Identification of risks affecting, or that may affect the project, in a systematic manner. Identification of what, where, when, why and how events could prevent, delay or enhance the achievement of the objectives.
RISK IDENTIFICATION - WHAT
• What can happen - the effect – the RISK. Use of EFFECT & CONSEQUENCE to define RISK rather than risk definition first.
• Definition is important so that it is clear and not ambiguous.
RISK IDENTIFICATION - WHY
• Enables ‘definitions’ to be established so risks are described properly and not repeated in different guises using different descriptors.
• Beware that a rsik is confused with cause.
RISK IDENTIFICATION - WHEN
• During initial planning once the plan has been formulated.
• Plus when risks can happen during the project life cycle (project phases, construction, O&M, factory, delivery, handover etc).
Sequential & Continuous
RISK IDENTIFICATION - HOWTools & Techniques based on:• Information Gathering Techniques:• Brainstorming• Comprehensive Listings• Delphi• Interview• Root Cause determination• SWOT• Historical records Checklists• Questionnaires• Pre Mortem• Affinity diagram• Nominal group Technique
RISK IDENTIFICATION - HOW
Checklist AnalysisAssumptions AnalysisDiagramming• Cause & Effect• Flow Charts• Influence diagrams
TEMPLATE
RISK IDENTIFICATION - WHERE
• Off site, agenda and time / location, workshop environment time bound
• Where will risk occur (On site/offsite etc)
RISK IDENTIFICATION - WHO
• Project Manager,• Stakeholders• Subject MatterSpecialists, experts• ‘Three Wise Men’• Project Team• Historical Records - Advisors
RISK IDENTIFICATION - DELIVERABLES
• RISK REGISTER • List of ID’d Risks• Definitions• Root Cause• Risk categories• Potential response (?)
QUALITATIVE ANALYSIS
To develop an understanding and a prioritisation of risks so that decisions may be made regarding the acceptance of risks, or actions to be taken to mitigate such risks. ID and evaluate existing controls.Determine consequences & likelihood of risk plus range of potential consequences (sensitivity).
Evaluation / Ranking
LIKELIHOOD CONSEQUENCE
Insignificant Minor Moderate Major Catastrophic
Almost Certain Significant Risk Significant Risk High Risk High Risk High Risk
Likely Moderate Risk Significant Risk Significant Risk High Risk High Risk
Moderate Low Risk Moderate Risk Significant Risk High Risk High Risk
Unlikely Low Risk Low Risk Moderate Risk Significant Risk High Risk
Rare Low Risk Low Risk Moderate Risk Significant Risk Significant Risk
QUALITATIVE ANALYSIS - WHAT
• Determine the negative consequences of IDd risks in the context of likelihood and probability with respect to the Project and its Scope.
• Use of past records, experience, research, prototypes, assumptions, ‘tailored’ scales and matrices of probability & impact.
• Information and records are key – Market factors, industry norms and range, experience of others, public consultation, economics and economic trends, government legislation /planning, etc
QUALITATIVE ANALYSIS - WHY
• So informed decisions may be made. • Initial screening of risks to identify ‘High
Risks’ and allow management to focus on higher risks and allocate appropriate resource.
• WHENAt commencement.Initial part of prioritising risk prior to qualitative Analysis.If there are no hard and fast data regarding time / cost.
QUALITATIVE ANALYSIS - WHEN
•At commencement of the Project•As part of prioritising risk prior to Quantitative Analysis.•If there are no hard and fast data regarding time / cost thereby obviating any quantitative analysis.
QUALITATIVE ANALYSIS - HOW
• INFORMATION / RISK REGISTER• ID TEAM TO ANALYSE RISKS• ASSUMPTIONS RECORDED• PROBABILITY / IMPACT SCALES• CARRY OUT ANALYSIS• DETERMINE RISKS AND CATEGORIES• DOCUMENT ANALYSIS• IDENTIFY ANY TRENDS• DECISIONS AND CATEGORISATION• INPUT TO QUANTITATIVE ANALYSIS
QUALITATIVE ANALYSIS - HOW
• Structured Interviews with Experts.• Multi – disciplinary groups• Questionnaires• Models & Simulations• 3x3 and 5X5 or 10x10 matrices.• Thresholds, risk ranking / scoring
QUALITATIVE ANALYSIS - WHERE
• Off site to create a working environment to focus on risks.
• On site during specific focussed workshops
QUALITATIVE ANALYSIS - WHO
• Project Manager• Experts• All involved disciplines and those involved
with interfaces etc.• IDd Risk Owners / Managers• Team Members / Contributors• Facilitators.
QUALITATIVE ANALYSIS• “I know my business” does not make the risks low;
Firms / individuals with a greater risk appetite still need to be aware of risk and at least take a pragmatic / realistic approach so appropriate reaction may be made in a timely manner.
• It can’t happen to me. Bad things happen to others.• Pushing through bids to win work – site will sort it out –
we have experienced people.• ID Impact / Severity and Probability / Likelihood rather
than High, Medium, Low to move away from group think as to LOW (optimistic) or HIGH (pessimistic)
QUALITATIVE ANALYSIS –TREATMENT
QUANTITATIVE ANALYSIS
Numerical analysis of risk with probability expressed as a number or percentage and impact as a definitive cost/delayA means of prioritising risks that have been categorised qualitatively.
Quantitative Analysis
Cost Probability Total cost Cumulative Frequency Line Graph
-0.100.200.300.400.500.600.700.800.901.00
405 410 415 420 425 430 435 440 445
Total cost (value)
Prob
abili
ty
Total cost frequency distribution
-0.020.040.060.080.100.120.140.160.180.20
Total Cost (value)
Prob
abili
ty
QUANTITATIVE ANALYSIS -WHAT
• Decide upon which risks which require a response.
• Risk Register indicates ‘high priority’ risks based on ranking.
• Focus can be on commercial / business exposure and ranking projects on basis of risk.
• OR schedule• OR performance
QUANTITATIVE ANALYSIS - WHY
• Determining risk exposure in tangible and business terms so that management time and effort is focussed on areas of greatest risk (Business / Commercial) in order to decrease overall project risk.
QUANTITATIVE ANALYSIS - WHEN
• During planning phase following qualitative.
QUANTITATIVE ANALYSIS - HOW
• Convert probability and impacts into numerical values. Use of expert judgement, guesstimates (educated guesses) based on experience, historical data, industry data, corporate knowledge.
• Tools include 1. Monte Carlo Analysis (Cost & Time)2. Risk Management Software (Cost & Time)3. Precedence Diagram (Time)• Also use interviews, sensitivity analyses, EMV and
decision trees.• Tornado Diagram
QUANTITATIVE ANALYSIS - WHERE
• As required• Specialist activity – off site
QUANTITATIVE ANALYSIS - WHO
• Expert input for input parameters and review of outputs.
• Specialist software users.
QUANTITATIVE ANALYSIS
• Semi quantitative can be carried out if cost/time not known exactly.
• Probability / Impact is based on time frequency ranges and impacts in terms of money/accident time etc.
• Accident severity is linked to financial loss.• Monte Carlo simulations aid semi-
quantitative analysis when ranges ID’d/guessed
RISK RESPONSE PLANNING - • Determining strategy(s) and techniques for
dealing with risk.• Evaluate estimated risk levels against pre-
established criteria and consider balance between potential benefit vs adverse outcome so decisions as to extent and nature of treatment required and priorities.
• Plan for implementation of specific cost-effective strategy and action plans to increase benefit/reduce costs.
RISK RESPONSE PLANNING - WHAT
• Prioritised risks ranking. Identification of risks within Risk thresholds, Risk Owners and allocation of management responsibility, financial authority.
• Contingency plans, fallback positions. Secondary risks.
• Creation of reserves (time, cost, resources (just in case)
• Go / No Go decisions with respect to certain risks and action required.
RISK RESPONSE PLANNING - WHY
• So that appropriate plans can be made in advance and sufficient funds etc may be made available to respond to risk.
• Appropriate insurances or methodologies may be adopted to reduce risk exposure.
• Selection of the appropriate choice to deal with risks.
RISK RESPONSE PLANNING - WHEN
• Prior to awarding contracts.• Prior to execution• Prior to new activities
RISK RESPONSE PLANNING - HOW
• Four main methods are adopted depending on risk rating:
• TERMINATE / AVOID - Activity is not carried out.
• TRANSFER / ALLOCATE - Insurance, warranty, guarantees
• TREAT / MITIGATE - Choose a specialist supplier, build in redundancy, adopt a JV partner
• TAKE / ACCEPT - As part of regular operations and dealt with through organisational capability or specific operating procedures
RISK RESPONSE PLANNING - WHERE
• As required
RISK RESPONSE PLANNING - WHO
• Management• Financial Controllers• Insurance specialists• Project Manager• Construction / Technical Specialists• Contract Specialists
RISK RESPONSE PLANNING
PMI Process GroupMONITORING & CONTROL
RISK MONITORING & CONTROL
Monitor the effectiveness of all steps of Risk Management Process so that risks are treated effectively.Any underestimates/overestimate of risk may be identified and appropriate changes to the plan implemented.
RISK MONITORING & CONTROL - WHAT
• Assess – Treat – Monitor - Assure• Monitoring physical execution of a project,
identification of any adverse trends.• ID of key metrics. “Cannot manage what
you don’t measure”.• Trends – emerging issues and change ID• Reviews of risk handling
RISK MONITORING & CONTROL - WHY
• Early identification of trends.• Avoidance of risk• Time implementation of a risk response
plan prior to risk becoming an issue
RISK MONITORING & CONTROL - WHEN
• Continuous to monthly to quarterly depending on circumstances.
• At Project Phase Completion /Gateways• On commencement of new activities
(utilising lessons learnt for repeat activities)
RISK MONITORING & CONTROL - HOW
• Monitoring and measurement of key metrics. (Rates of progress, EVM – not just money but drawings/recruitment/materials placement etc, NCRs)
• Definition of Trigger Levels, Thresholds, Variance, Delays, “Drop Dead Dates”, trends.
• Audits – not blame and error but opportunity to correct and improve; correct errors before they become mistakes
• AVOIDING NEGLECT AND SUBSEQUENT NEGLIGENCE
RISK MONITORING & CONTROL - WHERE
• On site• Off site• Project Retreats• Corporate reviews
RISK MONITORING & CONTROL – WHO
• Project Team• Project Controls• Project Manager• PM Office• CEO/CFO
RISK CLOSE OUTPMI Process Group
Not Indicated
Closure of risk register and review of effectiveness of Risk Management Plan, Risk ID and Risk Response Planning / Execution.Opportunity for lessons learnt being includd into corporate knowledge
RISK CLOSE OUT
• WHAT – Risks were realised and which controls were effective
• WHY - Lessons learnt and knowledge• WHEN -During execution, end of stages /
partial completion• HOW - Records / Reports / Close out
Report / Interviews• WHERE - On site, corporate HQ• WHO - Project Team / Facilitator
Value of Risk
• Return on Risk – 12.5 to 1 • Ounce of prevention is a one pound of
cure• Stitch in time saves 9.• (16 +9)/2 = 12.5
Risk Sayings:
• If it can go wrong…it will (Murphy’s Law)• Ignoring a risk does not make it go away.• You pay for your risk management if you do it or
not…unfortunately it may cost you more to cure than prevent. (An ounce of prevention is worth more than a pound of cure)
• Risk is the mind of the beholder and all too often people believe their own hype - Optimism Bias
More Sayings…
• Risks vs Issue – Risk – you can smell it, Issue – your standing in it
• A little bit of risk management can prevent a lot of fan cleaning
• Risk...isn’t that something that to happens to other people/projects/companies?
• …but it’s on the Risk Register…but nobody was assigned to own/monitor/act
• Risk clusters at interfaces, junctions, boundaries
Conclusion
• Risk is a perception• Risk can happen to everybody• Risk management allows a sensible and
pragmatic approach to be taken to executing projects
• Risk management can help avoid project failure
• Risk management can help promote project success.
