© Copyright QinetiQ Limited 2014 QinetiQ Proprietary
Mark Lee
Head of Profession – Programme Assurance
Procurement Advisory Services
16 September 2014
Using a Risk Maturity Model to Audit and Benchmark Project Health
Presentation to 2014 SCAF Conference
People Who Know How
Objectives
1. Introduce the principles of risk management maturity assessment
− Why a mature approach to risk management is important to cost (and schedule) control
2. Explore and explain the QinetiQ Risk Maturity Model (QRMM)
− Context and history: development of the model
− Model construct and scope
− Why this particular model offers advantage to Defence (and other sectors)
− How the QRMM is applied in practice to benchmark projects and organisations
3. Demonstrate the value of QRMM in application
− Summary case examples from Defence and Oil & Gas
QinetiQ ... What’s in a Number?
• Formed in 2001 from Defence Evaluation and Research Agency (DERA)
• FTSE 250 - £1.3bn market capitalisation
• 6,233 people worldwide, with ~1,100 specialists in weapons and testing
• Member of The 5% Club – investing in graduates and apprentices
• 37 sites across the UK – from Cape Wrath to Shoeburyness
• 95% of QinetiQ’s UK employees hold national security clearance
• 25 year Long Term Partnering Agreement (LTPA) with MOD, signed in 2006
• Empire Test Pilots’ School (ETPS) – training flight test professionals for 70 years
• More than 1,500 patents granted, 1,000 patents pending
• 75 years of test and evaluation at Aberporth …
QinetiQ Procurement Advisory Services
"We deliver independent, essential, expert services across the entire
acquisition lifecycle that enable the MOD to make fit for purpose, value
for money acquisitions, compliant with legal and policy requirements"
Defence Acquisition Lifecycle Services: Concept; Assessment; Demonstration; Manufacture; In-service; Disposal
Underpinning our offerings is QinetiQ’s independence, enhanced by
the unique breadth and depth of technical expertise and experience
Programme Assurance
“Enabling change and supporting business delivery through optimised
solutions focused on efficient governance, increased confidence and
minimised risk and uncertainty"
• Development, analysis and control of project schedules
• Production, analysis and management of risk registers
• Development of risk and opportunity management plans
• Schedule and Cost Risk Analysis
• Project and programme management, assurance and control
• Risk analysis, management and reporting
• Development and tailoring of capability dashboards
• Development of novel and tailored project control solutions
• Risk management improvement and training
• Risk Maturity Assessment
• Provision of client advice and governance support
• Stakeholder and contract management
• Business and project transformation
Information and Knowledge Management
Programme Management
Project Management
Risk Management
Speaker Biography
• Chartered Engineer: MIET, MIMechE
• MBA (Lancaster), MSP® Registered Practitioner
• 29 years in Defence industry
• 10 years in consultancy
• Complex programme/project/risk management
• Contract and support/ILS management
• Risk management maturity assessment
− QinetiQ lead
Why is a Mature Risk Management Approach Important? Case Examples
Scottish Parliament
Forecast: £10-40m and 2001 opening
Actual: £414m and 2004 opening
Thermae Bath Spa
Forecast: £13m and 2002 opening
Actual: £45m and 2006 opening
Why is a Mature Risk Management Approach Important? “Doing the Thing Right …. or Doing the Right Thing?”
Astute Class Submarine
£1.35bn* over budget
57 months* schedule slippage
* Nov 2009 figures
New Coke 1986
A (failed) project that delivered the product to the planned time and cost
…. but an example of the wrong project being selected
Have any MOD projects ever proved to be the wrong project …?
Why is a Mature Risk Management Approach Important? Audit Evidence
Source: NAO Major Projects Report 2013
Why Does this Happen …?
All projects have uncertainties and changing variables, arising from …
• Budget changes
• Schedule changes
• Requirement changes
• Omissions and errors
• Failure to tackle risk at source
• Things that “just go wrong”
“…… because as we know, there are known knowns; there are things we know
we know. We also know there are known unknowns; that is to say we know
there are some things we do not know. But there are also unknown unknowns -
the ones we don't know we don't know” Donald Rumsfeld
Confidence … Driven by Uncertainty
Confidence is a major factor in human behaviour … and decision-making
• Sub-prime mortgage crisis – Missouri house prices crashed by 90%
• Global recession - US companies stored cash (until very recently)
• Scottish Referendum – investors selling Sterling
Wouldn’t it be useful if we could have confidence in
our ability to manage risk…?
Control of Risk Management Maturity - Schedule Impact QinetiQ Analysis of Historical NAO Data
Source Data: NAO Major Projects Reports
Current Schedule Performance vs Original Forecast of MOD Top 20 Major Projects
[Bar chart. Vertical axis: schedule overrun as % of original forecast (0% to 120%). Horizontal axis: Typhoon (Nov-87), Sting Ray (May-95), Nimrod MRA4 (Jul-96), Astute Class Sub (Mar-97), A400M (May-00), Type 45 Destroyer (Jul-00), Support Vehicle (Nov-01), NGLAAW (May-02), Terrier (Jul-02), Naval EHF/SHF SatComms (Aug-03), Soothsayer (Aug-03), MTADS (Sep-04), Watchkeeper (Jul-05), Falcon (Mar-06), Merlin (Mar-06), Future Lynx (Jun-06), Advanced Jet Trainer (Aug-06), Typhoon Future Capability (Jan-07). Series: Risk Maturity Uncontrolled; Risk Maturity @ Level 3+. Data labels shown: 41%, 46%, 114%, 47%, 32%, 51%, 63%, 54%, 53%, 42%, 75%, 8%, 10%, 0%, 0%, 0%, 11%, 0%.]
Forecast schedule overrun calculated from the summary of post-Main Gate projects in NAO Major Projects Reports
Many factors affect projects, but those with risk maturity applied at all CADMID stages are more aware of issues and have mitigations in place to respond to those risks
Major projects from the NAO reports with risk maturity applied are statistically less likely to experience schedule overruns
Schedule Performance vs Original Forecast of MOD Major Projects
Control of Risk Management Maturity - Cost Impact QinetiQ Analysis of Historical NAO Data
Source Data: NAO Major Projects Reports
Current Schedule Performance vs Original Forecast of MOD Top 20 Major Projects
[Bar chart. Vertical axis: current overspend as % of original forecast (-30% to 50%). Horizontal axis: Typhoon (Nov-87), Sting Ray (May-95), Nimrod MRA4 (Jul-96), Astute Class Sub (Mar-97), A400M (May-00), Type 45 Destroyer (Jul-00), Support Vehicle (Nov-01), NGLAAW (May-02), Terrier (Jul-02), Naval EHF/SHF SatComms (Aug-03), Soothsayer (Aug-03), MTADS (Sep-04), Watchkeeper (Jul-05), Falcon (Mar-06), Merlin (Mar-06), Future Lynx (Jun-06), Advanced Jet Trainer (Aug-06), Typhoon Future Capability (Jan-07). Series: Risk Maturity Uncontrolled; Risk Maturity @ Level 3+. Data labels shown: -21%, 28%, 48%, 0%, 29%, -7%, -18%, 6%, -26%, 42%, -7%, -1%, -5%, -1%, 1%, -5%, -2%.]
Forecast cost overrun calculated from the summary of post-Main Gate projects in NAO Major Projects Reports
Projects with Risk Maturity applied experience less budget volatility (overspend or underspend), compared with projects whose level of risk maturity is uncontrolled
Budget Performance vs Original Forecast of MOD Major Projects
QinetiQ Risk Management Maturity Model (QRMM) A Brief History …
• Developed by QinetiQ (1999) to objectively assess risk management maturity
• Referenced on (and compliant with)
− MOD’s Acquisition Operating Framework (AOF)
− Project risk management best practice – APM Project Risk Analysis and Management (PRAM) Guide
− Combined Code (‘Turnbull Guidance’) for UK Corporate Governance – Financial Reporting Council
• Proven capability and value in application over 15 years
− Over £75bn of Defence projects/programmes (across all domains) assessed … and counting
− Used in Oil & Gas (FTSE 100 multi-national), Rail and Manufacturing
• QinetiQ analysis of NAO Major Projects Reports has indicated that RMM can
− Increase confidence in project success through improved cost/schedule adherence
− Deliver forecast improvement in schedule and cost out-turn on major projects
Why QRMM? A Comparison of Risk Maturity Models
QinetiQ analysis of AOF-referenced models for a MOD Business Case: 2013
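Columns: Defence Heritage; Risk-Specific Maturity Model Implementation Guidance Available; Implementable Risk Maturity Model Available; Question and Answer Set Developed and Available; Questions Mapped to Maturity Levels; Analysis and Reporting Tools Available; Improvement Roadmap Guidance and/or Tool Available; Number of Maturity Levels; Number of Questions; Implementable Without Investment
Management of Risk (MOR®) Maturity Model: Defence Heritage: Unknown; High level only; Would need to be developed from first principles; No question set available; Number of Maturity Levels: 5; Number of Questions: 0; No question set available
HM Treasury Risk Management Assessment Framework (RMAF): Defence Heritage: Unknown; Guidance only; No discrete mapping; Number of Maturity Levels: 5; Number of Questions: 38
OGC Portfolio, Programme and Project Management Maturity Model (P3M3): Defence Heritage: Unknown; Number of Maturity Levels: 5; Number of Questions: 9
QinetiQ Risk Maturity Model (QRMM): Defence Heritage: 15 years, over £75bn of MOD assets; Risk-Specific Maturity Model Implementation Guidance Available: Extremely detailed guidance; Implementable Risk Maturity Model Available: Software-based implementation, allowing repeatable assessment; Question and Answer Set Developed and Available: Fully embedded in software; Questions Mapped to Maturity Levels: Detailed algorithms, embedded in software; Analysis and Reporting Tools Available: QinetiQ proprietary tools, supporting analysis and reporting; Improvement Roadmap Guidance and/or Tool Available: Detailed guidance, supported by QinetiQ proprietary tool; Number of Maturity Levels: 4; Number of Questions: 50; Implementable Without Investment: Immediately available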
QRMM as an Enabler to Better Risk Management
• Assesses and benchmarks the quality and consistency of risk management implementation
• Improves confidence in the ability to predict and deliver against schedule and cost
• Establishes an independent, objective and evidence-based baseline measure of risk maturity
• Identifies strengths and weaknesses in risk management process and its enablers
• Supports formulation of a prioritised ‘roadmap’ of improvement actions against the baseline
• Supports identification of common issues across projects, to help tackle risk at source
• Facilitates sharing of good practice within and across business units
• Builds confidence in the quality of underpinning data (e.g. for Business Cases)
• Scalable: applicable at all levels, at all points in the project/business lifecycle
• Can be used to support supplier assessment
QRMM Construct – Scope and Inputs
• A maturity framework covering 6 risk management perspectives
− Risk Identification; Risk Analysis; Risk Mitigation
− Project Management; Stakeholders; Culture
• Each perspective is scored within the algorithm, at one of 4 levels (QinetiQ IPR)
− Level 1 = Naive (process design or application flawed and probably not adding value)
− Level 2 = Novice (some value-add, but weakness in process design or implementation)
− Level 3 = Normalised (formalised process, implemented systematically and adding value)
− Level 4 = Natural (applied at strategic level in driving objectives and optimising outcomes)
• Level 3 is an acceptable score (complex programmes/projects may aspire to Level 4)
QRMM Construct – Top Level Output
Risk Maturity Assessment
[Chart: Current Maturity and Potential Improvement for each perspective (Stakeholders, Risk Identification, Risk Analysis, Risk Mitigation, Project Management, Culture), on a scale of Level 1 - Naive, Level 2 - Novice, Level 3 - Normalised, Level 4 - Natural]
“An organisation is only as strong as its weakest element”
Characteristics of Maturity Levels What Does ‘Good’ Look Like …?
Level 1: Naïve
Formal definition: “Although a risk management process may have been initiated, its design or application is fundamentally flawed. At this level, it is likely that the process does not add value”
Example (project) characteristics:
• Poor understanding of risk management principles and application
• No formalised risk process, or elements of the process have lapsed
• Risk process design or application fundamentally flawed
• Risk process ad-hoc and/or poorly applied
• Projects claiming to be implicitly managing risk by virtue of the effectiveness of other processes, such as planning
• Likely to ignore (or fail to understand) that deterministic project processes are not designed to manage implications of uncertainty
Level 2: Novice
Formal definition: “The risk management process influences decisions taken by the project in a way that is likely to lead to improvements in performance as measured against its objectives. However, whilst the process may add value, weaknesses with either the process design or its implementation result in significant benefits being unrealised”
Example (project) characteristics:
• A project that has taken professional advice or followed standard guidance to initiate its risk management process
• Value being added by applying the risk process should be greater than the cost (and other resource implications) of its application
• A project where there is at least a ‘light’ application of the risk process, and the process itself is standardised and followed with robustness
• A project that has recently initiated a formal risk management process that follows best practice
• A larger project where process application may be an issue
• A larger project where issues of process design may be difficult to correct
Level 3: Normalised
Formal definition: “The risk management process is formalised and implemented systematically. Value is added by implementing effective management responses to significant sources of uncertainty that could affect the achievement of project objectives”
Example (project) characteristics:
• The discipline of implementing the process across the whole project is clearly in place
• A high and consistent quality of application of risk management is obvious in practice
• A risk register is used to underpin routine reviews of the implications of risk, with effectiveness and implementation of responses designed to manage them
• Risks are understood in a way that clarifies all relevant and significant sources of uncertainty
• Key skills are in place to ensure that the risk register contains the right risks (and they continue to be the right risks), that they are managed by the right risk owners, and that appropriate and sound methods are used to select and prioritise risks for review
• Application of the process is disciplined, broad, continuous and sound
• The process actively engages all relevant stakeholders
• Risk management is being used to support achievement of objectives
Level 4: Natural
Formal definition: “The risk management process leads to the selection of risk-efficient strategic choices when setting project objectives and choosing between options for solutions or delivery. Sources of uncertainty that could affect the achievement of objectives are managed systematically within the context of an organisational culture that is conducive to optimising project outcomes”
Example (project) characteristics:
• The risk management process is contributing to the selection of risk-efficient strategic choices, when setting business objectives, and choosing between options for solutions or delivery
• Risk is managed from a strategic (not just tactical) perspective
• Risk is helping to provide assurance that the planned project is the correct strategic choice
• Risk responses are likely to be executed from Sponsor level
• Sophisticated risk management techniques are used routinely in, for example, quantifying risk at the overall project level
• Organisational personnel have the ability and experience to select risk techniques that are appropriate to the business
• Risk management is implicit, with over-reliance on the Probability Impact Matrix and use of an integrated risk register and Monte-Carlo simulation toolset avoided
• Risk management is built into projects from the outset
QRMM in Application Empirical Assessment Process
[Process diagram. Boxes: Review Documentary Evidence Audit; Conduct RMA Workshop; Analyse and Report Results; Implement Improvement Plan. Output: RMA Benchmark (Level 1 to 4). Feedback loop: Periodic re-assessment against current benchmark]
Enablers include … ROMPs; Risk Registers; Management Plans; Stakeholder Maps; Risk Review Records; SRA and CRA Reports
Enablers include … QRMM hosted in AWARD™; Workshop materials; RMA SQEP facilitators; Stakeholder workshop attendees
Enablers include … Workshop Q&A set; Documentary evidence; RMA analysis SQEP
Enablers include … Risk Improvement Action Plan; SQEP stakeholder personnel
QRMM in Application Risk Maturity Assessment Framework – Hosted in AWARD™
[Figure callouts: Context Statement; Question; Answers]
QRMM in Application Risk Maturity Assessment Workshop – Use of Electronic Voting
• Well-established method of group decision support
• Used to elicit opinion
− Primarily interested in the reasons for the votes
− Votes are anonymous
• Provides a framework to consider arguments before expressing opinion
• Discussion is limited to clarification before voting
− Understand the question and supporting narrative, in relation to risk maturity
− Understand how the question and context relates to the project under assessment
• Divergence in votes may provide additional insight: an opportunity for discussion
• Question is posed
− Consider the question and context ... and vote
• Facilitated discussion
− Voting results presented
− Salient points recorded for analysis/reporting
− Record the consensus view (score, any narrative)
• Re-vote (as necessary)
• Why use Delphi Technique?
− Decisions from a structured group facilitation are more accurate
− In this scenario, exploring voting rationale can aid interpretation and understanding
QRMM in Application Example Analysis Outputs
Category 1
Recommendations to Establish a Basic Risk Management Regime that Supports Improvement of D Eqpt Risk Capability to Level 2 Risk Maturity
Recommendation | Complexity | Value
R1.3 – Division of Responsibilities | Low | High
R1.1 – Confirmation of High Level Business Objectives | Low | Medium
R4.2 – Pre- and Post-Mitigation Assessment | Low | Medium
R4.1 – Risk Response Tracking | Medium | High
R4.4 – Use of Fallback Triggers | Medium | Medium
R3.3 – Secondary Risk Effects | Low | Low
Category 2
Recommendations to Establish an Enhanced Regime that Supports Formalised and Systematic Application of Risk Management Required for a Level 3 Risk Maturity
Recommendation | Complexity | Value
R3.6 – Risk Estimation | Medium | High
R1.4 – Formal Risk Sharing with Equipment DLoD Stakeholders | High | High
R5.7 – Review of Risk Process Effectiveness | Low | Medium
R4.7 – Use of Cost Benefit Comparisons | Low | Medium
[Chart: level of maturity (Level 1 to Level 4) after Category 1 and Category 2 recommendations, for each perspective: Stakeholders, Risk Identification, Risk Analysis, Risk Responses, Project Management, Culture]
QRMM in Application Case Examples from Defence – Case 1
• Portfolio of 4 projects, with QinetiQ contracted by MOD to
− Formulate and deliver a formal Risk Improvement Programme: April-Aug 2011
− Conduct a repeat RMA in February 2014 to identify current baseline and improvements
• April 2011 status of each project
− Project A – in-service project undergoing contract change, with risk transfer to industry
− Project B – mature equipment, in-service until ~2020, with industry managing risk
− Project C – in Assessment Phase (AP) [due to be placed on contract in 2014]
− Project D – complex international project, in AP [cleared Main Gate in 2014]
Project | Measured RMA April 2011 | Measured RMA July 2011 | Measured RMA February 2014 | Forecast RMA
Project A | Level 1 | Level 2 | Level 2 | Level 3
Project B | Level 3 | Level 3 | Level 3 | Level 4
Project C | Level 1 | Level 2 | Level 3 | Level 3
Project D | Level 1 | Level 2 | Level 4 | Level 4
• February 2014 forward improvement plans, focused to achieve
− Project A: from high L2 (almost L3) to weak L3 in 3 months, consolidating to a firm L3
− Project B: from high L3 to a weak L4, consolidating to a firm L4 through secondary actions
− Project C: from weak L3 (with risk of slipping back to L2) to a firm L3
− Project D: from weak L4 (risk of slipping back to L3) to a firm L4
• A good example of where focused MOD effort, and periodic RMA, can enhance risk execution
Perspective Number of Projects at Each Level – Feb ‘14
Level 2 Level 3 Level 4
Stakeholders √ √ √ √
Risk Identification √ √ √ √
Risk Analysis √ √ √ √
Risk Responses √ √ √ √
Project Management √ √ √ √
Culture √ √ √ √
QRMM in Application Case Examples from Defence – Case 2 (MOD 1*)
• Level 1 across all 6 perspectives – the worst ever RMA score recorded by QinetiQ!
• Risk improvement roadmap established to target
− Level 2 in 3 months (22 actions)
− Level 3 in a further 9 months (16 actions)
[Chart: level of maturity (Level 1 to Level 4) after Category 1 and Category 2 recommendations, for each perspective: Stakeholders, Risk Identification, Risk Analysis, Risk Responses, Project Management, Culture]
• Improvements were not implemented, due to
− Lack of capacity within MOD to implement the plan
− Conflicting demands and changing priorities
− Ongoing organisational uncertainty
− Realisation that implementation of improvements at 1* level would be insufficient
• QinetiQ was then requested to
− Formulate a risk transformation programme covering the 2* group (4 x 1* units)
• What happened next?
− MOD secured stakeholder buy-in to implement the ~18 month transformation programme
− In-FY underspend was secured to fund the initial phase
− Other areas developed an interest in improving their risk maturity
• A good example of where a localised RMA can lead to identification of a wider imperative
QRMM in Application Example Risk Transformation Programme – Defence (MOD 2* Group)
Phase 1: Maturity Assessment and Implementation Planning (Month 1-4)
Activities cover …
Maturity assessment workshops
Evidence-based documentation reviews
Detailed reviews of risk processes
Targeted investigations to gather evidence
Targeted meetings to qualify data/findings
Data analysis and correlation of findings
Development of implementation roadmap
Deliverables …
Report of Phase 1 findings
Roadmap for Phase 2/3
Phase 2: Solution Development and Implementation (Month 6-10)
Deliverables include …
Formal risk management policy
Integrated risk impact assessments
Integrated risk process
Enterprise risk definition set
Risk identification techniques
Risk response strategy suite
Risk audit, review and monitoring regime
Risk review Terms of Reference
Risk review data definitions
Risk escalation mechanisms
Risk fallback triggers and criteria
Risk and Opportunity Management Plan(s)
Risk estimation guide
Audit of existing risks and owners
Configured and populated risk tool
Risk response plans
Senior stakeholder training
Phase 3: Solution Optimisation and Enhancement (Month 11-18)
Deliverables include …
Risk ‘aide memoire’
Risk meta-language dictionary
Risk practitioner training
Top-down risk identification
Alignment of top-down and bottom-up risks
Schedule Risk Analysis (SRA)
Cost Risk Analysis (CRA)
SRA/CRA benefits report
Risk behaviour incentives
Early adoption risk guide
Detailed Terms of Reference (by post)
Cost/benefit comparators
Formal LFE mechanism
Project records process
Initial projects records suite
Risk-based enterprise capability management plan
Enterprise capability management dashboard
End-of-phase risk maturity assessments
QRMM in Application Example Risk Transformation Programme – Benefits Realisation
[Chart. Left-hand scale: Forecast Risk Maturity (Risk Maturity Level: Level 1, Level 2, Level 3, Level 4). Right-hand scale: Potential for Schedule/Cost Overrun (as a % of baseline schedule/budget): 0-10%, 11-60%, 60-99%, 100%+. Horizontal axis: Phase 1, Phase 2, Phase 3.]
Naïve (Level 1): Risk process flawed; No real value-add
Novice (Level 2): Risk process influencing decisions; Risk process adding value; Improving performance against objectives; Some process/implementation weaknesses; Potential for significant unrealised benefits
Normalised (Level 3): Risk process formalised; Process implemented systematically; Effective risk responses executed; Sources of uncertainty under control; Significant value-add
Natural (Level 4): Risk process informing strategic choices; Sources of uncertainty managed systematically; Risk culture conducive to maximising outcomes
QRMM in Application Case Example from Oil & Gas
• 2011: FTSE 100 Oil & Gas multi-national approached QinetiQ to pilot an RMA on a UK project
• QinetiQ amended the RMA framework Q&A set to reflect O&G-specific language
− Underlying model and algorithms were unchanged
• The pilot was conducted on the UK project
− Identified that lack of risk disclosure from the JV partner was a significant threat
− RMA was extremely well received by the client organisation
− Actions to address the shortfalls were not progressed – the report became ‘shelfware’
− There were serious repercussions for both JV partners
• A good example where failure to address risk maturity shortfalls can impact project health
• What happened next?
− QinetiQ undertook a further RMA on an operation in Asia, on completion of the UK pilot
− The Asia RMA identified significant pockets of good practice to share across the company
− QinetiQ was requested to develop a new corporate Cost & Schedule Risk Analysis standard
Summary – Key Points vs Objectives
1. Introduce the principles and importance of risk management maturity assessment
− There is inherent uncertainty in all projects, programmes and businesses
− Formalised risk management helps us to understand and respond to uncertainty
− Control of risk maturity is an important enabler to good risk management
2. Explore and explain the QinetiQ Risk Maturity Model (QRMM)
− Audits and benchmarks project health and focuses improvement initiatives
− Enhances confidence in the likelihood of an out-turn to schedule and within budget
− Enables us to more confidently establish our risk appetite and inform strategic choice
3. Demonstrate value of QRMM in application
− Case 1 – focused improvement and periodic re-assessment enhanced project control
− Case 2 – localised RMA can trigger wider imperative to enhance risk management
− Case 3 – failure to address risk maturity can impact project health