Risk Management in Five Easy Pieces

Colorado Springs PMIRisk Management in Five Easy PiecesColorado Springs, Colorado May 8th , 2008

Risk management is essential for any significant project. and is useful for any project where an unfavorable outcome is undesirable Certain information about key project cost performance andunfavorable outcome is undesirable. Certain information about key project cost, performance, and schedule attributes are often unknown until the project is underway. The emerging risks that can be identified early in the project that impact the project later, are often termed “known unknowns.” These risks can be mitigated with a good risk management process. For risks that are beyond the vision of the project team a properly implemented risk management process can also rapidly quantify the risks impact and provide sound plans for mitigating its affect.

Risk management is concerned with the outcome of future events, whose exact outcome is unknown, and with how to deal with these uncertainties. Outcomes are categorized as favorable or unfavorable, and risk management is the art and science of planning, assessing, handling, and monitoring future events to ensure favorable outcomes. A good risk management process is proactive and fundamentally different than issue management or problem solving, which is reactive.

This presentation describes the fundamental of Risk Management in 5 easy steps – using Jack Nicholson’s “Five Easy Pieces” 1970’s movie as a backdrop. The Five Pieces are:1. Hope is not a strategy2. All point estimates are wrong3. Without integrating Cost, Schedule and Technical Performance you’re driving in the rearview

mirrormirror4. Without a model for risk management, you’re driving in the dark with the headlights turn off5. Risk Communication is everythingRisk management is an important skill that can be applied to a wide variety of projects. In an era

of downsizing, consolidation, shrinking budgets, increasing technological sophistication, and shorter development times, risk management provides valuable insights to help key project personnel plan for risks, alert them of potential risk issues, analyze these issues, and develop, implement, and monitor plans to address risks long before they surface as issues and adversely affect project cost, performance, and schedule.

1

Glen B. AllemanLewis & Fowler, 8310 South Valley Highway, Englewood CO80112www.lewisandfowler.com


1. Hoping that something positive will result is not a very good strategy. Preparing for success is the basis of success.

2. Single point estimates are no better than 50/50 guesses in the absence of knowledge of the standard deviation of the underlying distribution

3. Without connecting cost, schedule, and technical performance of the effort to produce the product or service the connection to value cannot be made.

4. Risk management is not an ad hoc processes that you can make up as you go. A formal foundation for risk management is neededfoundation for risk management is needed.

5. Identifying risks without communication them is a waste of time.

2



Project Managers constantly seek ways to eliminate or control risk, variance and uncertainly. This is a hopeless pursuit.

Managing “in the presence” of risk, variance and uncertainty is the key to success. Some projects have few uncertainties –only the complexity of tasks and relationships is important – but most projects are characterized by several types of uncertainty. Although each uncertainty type is distinct, a single project may encounter some combination of four types:

1. Variation – comes from many small influences and yields a range of values on a particular activity. Attempting to control these variances outside their natural boundaries is a wasteactivity. Attempting to control these variances outside their natural boundaries is a waste (Muda)

2. Foreseen Uncertainty – are uncertainties identifiable and understood influences that the team cannot be sure will occur. There needs to be a mitigation plan for these foreseen uncertainties.

3. Unforeseen Uncertainty – is uncertainty that can’t be identified during project planning. When these occur, a new plan is needed.

4. Chaos – appears in the presence of “unknown unknowns”

“Managing Project Uncertainty: From Variation to Chaos,” Arnoud De Meyer, Christoph H. Loch and Michael T. Pich, MIT Sloan Management Review, Winter 2000.

3



Larger variances can be tolerated in early periods. But tolerances for risk must decrease as the program matures.

At all times, avoiding unseen risk is mandatory.

Any unknown risk must be discovered before it becomes and issue.

The management of variance must first recognize four types of risk, their associated variances and the impact of these risks and variances:

1. Normal Variation – in activity durations, costs, and technical and business performance level delivered by the project.

2. Foreseen Risks – are indentified, but have uncertain influences on the project

3. Unforeseen Risks – are not formally identified in the planning stage, are not anticipated and a mitigation plan has not been identified.

4. Chaos – is fundamental uncertainty about the basic structure of the project plan itself.

The key concept here is that as the project proceeds the risk must be reduced. But also the tolerance for risk must be reduced as well. This means that the variance and the tolerance must be reduced in tandem. They must track each other to the end of the project.

4



Project duration and costs are random variables drawn from some underlying probability distribution.

The use of point estimates for durations and costs is many times the first impulse in an organization low on the project management maturity scale. Understanding cost and durations are actually “random variables,” drawn from an underlying distribution of possible value is the starting point for managing in the presence of uncertainty.

In probability theory, every random variable is attributed to a probability distribution. The probability distribution associated with a cost or duration describes the variance of these randomprobability distribution associated with a cost or duration describes the variance of these random variables. A common distribution of probabilistic estimates for cost and schedule random variables is the Triangle Distribution.

The Triangle Distribution is used as a subjective description of a population for which there is only limited sample data, and especially where the relationship between variables is known but data is scarce. It is based on the knowledge of the minimum and maximum and a “best guess” of the modal value (the Most Likely).

U i h T i l Di ib i f h d d i M C l i l i f hUsing the Triangle Distribution for the costs and durations, a Monte Carlo simulation of the network of activities and their costs can be performed. Monte Carlo methods are used to numerically transform and integrate the posterior quantitative risk assessment into a confidence interval. The result is a “confidence” model for the cost and completion times for the project based on the upper and lower bounds of each distribution assigned to each duration and cost.

This approach to estimating provides insight into the behavior of the plan as well as sensitivity between the individual elements of the plan.

5



Estimating is a very vague art in the absence of a formal process. One place to start is with the statistical definition of an “estimate.”

But even that definition has three (3) different possibilities.

The Mode is the most likely value. The value that occurs most often when statistical samples are drawn from the underlying population.

The Median is the “middle” value between the highest and lowest value from the total of all samples drawn from the underlying statistical population.

The Mean is the “average” of all the samples drawn from the population.

The most important concept is to understand that the “sum” of all the “estimates” is never one of these three estimates.

The details of this are beyond the scope of this presentation but it has to do with “summing” probability distributions is not actually a summation process – it is a convolution process. This means that the probability distribution – represented by an integral equation – is convolved with the other integral equationsthe other integral equations.

6



The actual duration or cost are random variables, drawn from a probability distribution.

The Mean, Mode, Median are statistical terms that characterize probability distributions – not point values.

When we naively speak about a duration or cost in the absence of a variance, the result is suspect. Ignoring for the moment the Mean, Mode, and Median issues, this missing variance creates odd outcomes.

The median temperature in Cody Wyoming is very close to the median temperature in Trinidad Tobago Both are around 78° In Trinidad the variance is significantly less than in CodyTobago . Both are around 78°. In Trinidad the variance is significantly less than in Cody.

Cody has a temperature range between 10°F and 100°F. The Median is 60°F. Fudge this up to 78°

In Trinidad Tobago, the maximum temperature runs around 89°F with minimums running around 68°F. Means of 77°F in the winter and 85°F in the summer.

Answering the variance question is as important or possibly more important than answering the Median question.

7



In the project planning business, the use of deterministic and probabilistic analysis are both useful.

The deterministic description is great for “power point” type displays of the scheduled activities and management briefings. This type of information shows a “static” description of the schedule, cost, or technical performance.

The probabilistic description is useful as the basis for risk analysis. This type of information shows the range of possible values each variable can take one. The analysis derived from these variables shows to impact on the project. This itself is a variance – a variance of impact.

The difference between Probability and Statistics is important to the notion of “randomness” ofThe difference between Probability and Statistics is important to the notion of “randomness” of durations and cost.

We need to know things about the underlying statistical behavior of the durations and costs before we can ask question about the probabilistic confidence in the planned completion date and planned completion costs.

8



In many descriptions of project management – cost, schedule, and quality are considered as the “Iron Triangle.” Change one and the other two must change as well. It turns our this is too narrow a view of what's happening on a project.

It’s the Technical Performance Measurement that replaces Quality. Quality is one of the Technical Performance measures.

Cost and Schedule are obvious elements of the project. Technical Performance Measures describe the status of technical achievement of the project at any point in time.

The Planned technical achievement is part of the Performance Measurement Baseline (PMB) in theThe Planned technical achievement is part of the Performance Measurement Baseline (PMB) in the same way the Planned Value (BCWS) is part of the PMB.

The Technical Performance Measurement System (TPMS) uses the techniques of risk analysis and probability to give program managers the early warning needed to avoid unplanned costs and slippage in schedule. Systems engineering uses technical performance measurements to balance cost, schedule, and performance throughout the life cycle.

Technical performance measurements compare actual versus planned technical development and design. They also report the degree to which system requirements are met in terms of performance, cost, schedule, and progress in implementing risk handling. Performance metrics are traceable to user‐defined capabilities.

9



Measures of Effectiveness, Measures Performance, and Measures of Quality are typical Technical Performance Measures.

The Cost and Schedule “measures” are straightforward in most cases.

The measures of Technical Performance involve Effectiveness, Performance, Technical Performance

Measures of Effectiveness (MOE) define the operational mission success factor as defined by the customer. These are:

1. Stated from the customer point of view;

2. Focused on the most critical mission performance needs;

3. Independent of any particular solution;

4. Actual measures at the end of development.

Measures of Performance (MOP) characterize physical or functional attribute relating to the system operation:

1. Supplier’s point of view1. Supplier s point of view

2. Measured under specified testing or operational conditions

3. Assesses delivered solution performance against critical system level specified requirements

4. Risk indicators that are monitored progressively.

10



Risk Management is a full time effort. Even if it is a part‐time job.

Someone needs to “own” the risks and the process around risk management.

Someone or a collection of “someone's” needs to have risk management in their mind(s) at all times

Risk Management is not something you can do once and them forget. The risks don’t just go away. They are forever there, even if they are mitigated, retired or bought down.

11



Risk Management means using a proven risk management process, adapting this to the project environment, and using this process for everyday decision making.

Technical performance is a concept absent from the traditional approaches to risk management. Yet it is the primary driver of risk in many technology intensive projects. Cost growth and schedule slippage often occur when unrealistically high levels of performance are required and little flexibility is provided to degrade performance during the course of the program. Quality is often a cause rather than an impact to the program and can generally be broken down into Cost, Performance, and Schedule components.

The framework shown here provides:

Risk management policy

Risk management structure

Risk Management Process Model

Organizational and behavioral considerations for implementing risk management

Th f di i f fThe performance dimension of consequence of occurrence

The performance dimension of Monte Carlo simulation modeling

A structured approach for developing a risk handling strategy

12



The traditional three variables the “iron triangle” are inappropriate in today’s integrated software, hardware and operational world and there are two other “triangles.”

One includes Risk, Customer Satisfaction, and Quality

The other includes CMMI, Six Sigma, and Lean.

The three collections of three attributes form a “system” to assess risk, address these risks and manage the project in the presence of this risk.

Putting these 3 sets of 3 together results in a view of

Product risk – the risk that the product will not performance as specified or perform to the needs of the customer

Programmatic risk – the risk that the project will be over budget or behind schedule in producing the product

Process risk – the risk that the processes used to build the product or management the project will fail in their desired outcomes.

13



It does no good to manage risks if the results are not communicated to all the participants.

Only the participants can define the needed mitigations

Risk communication is the basis of risk mitigation. It serves no purpose to have a risk plan and the defined mitigations in the absence of a risk communication plan.

This plan needs to address the following:

Executive summary – a simple summary of the program and the risks associated with the activities of the program. Each risk needs an ordinal rank, a planned mitigation is the risk is active (a risk approved by the Risk Board), and the mitigations shown in the schedule with associated costs.

Program description – a detailed description of the program and the risk associated with each of the deliverables. This description should be “operational” in nature, with the consequences description in “operational” terms as well.

Risk reduction activities by phase – using some formal risk management process that connects risk mitigation and the IMS The efforts for mitigation need to be in the schedulerisk, mitigation and the IMS. The efforts for mitigation need to be in the schedule.

Risk management methodology – using the DoD Risk Management process is a good start. This approach has proven and approved by high risk, high reward programs. The steps in the processes are not optional and should be executed for ALL risk processes.

14



This list comes from guidance in the defense program management business. While some of the statement may not be appropriate for the commercial world, every statement has some applicability to every project – not matter what the domain. Whether formal or informal the programmatic risk assessment of a project needs to ask or answer these statements.

The actions needed to close any gaps from these statements are outside the scope of this presentation.

But the next step is to have the project management team start to answer these questions.

15



Many speak about risk management as part of the project management process.

But do they do risk management as part of the project management process?

Test yourself and anyone who claims to be doing risk management

16



The first set of questions should be:

How do we earn back the investment in risk management?

How can be measure the benefits of risk management?

Who gets to say what the value of risk management is?

These is monetized questions are risk. So the answers have to be monetized as well. attaching money to risk is the starting point. attaching money to the mitigation activities is the next The risks and their mitigations need to be represented in the schedule and costthe next. The risks and their mitigations need to be represented in the schedule and cost baseline. Otherwise risk management is not Project Management.

17


Risk Management in Five Easy Pieces

Business

Transcript of Risk Management in Five Easy Pieces