Using a Risk Maturity Model to Audit and Benchmark Project Health

Presentation to 2014 SCAF Conference

Mark Lee

Head of Profession – Programme Assurance

Procurement Advisory Services

16 September 2014

© Copyright QinetiQ Limited 2014 QinetiQ Proprietary

People Who Know How


Objectives

1. Introduce the principles of risk management maturity assessment

− Why a mature approach to risk management is important to cost (and schedule) control

2. Explore and explain the QinetiQ Risk Maturity Model (QRMM)

− Context and history: development of the model

− Model construct and scope

− Why this particular model offers advantage to Defence (and other sectors)

− How the QRMM is applied in practice to benchmark projects and organisations

3. Demonstrate the value of QRMM in application

− Summary case examples from Defence and Oil & Gas


QinetiQ ... What’s in a Number?

• Formed in 2001 from Defence Evaluation and Research Agency (DERA)

• FTSE 250 - £1.3bn market capitalisation

• 6,233 people worldwide, with ~1,100 specialists in weapons and testing

• Member of The 5% Club – investing in graduates and apprentices

• 37 sites across the UK – from Cape Wrath to Shoeburyness

• 95% of QinetiQ’s UK employees hold national security clearance

• 25 year Long Term Partnering Agreement (LTPA) with MOD, signed in 2006

• Empire Test Pilots’ School (ETPS) – training flight test professionals for 70 years

• More than 1,500 patents granted, 1,000 patents pending

• 75 years of test and evaluation at Aberporth …


QinetiQ Procurement Advisory Services

"We deliver independent, essential, expert services across the entire acquisition lifecycle that enable the MOD to make fit for purpose, value for money acquisitions, compliant with legal and policy requirements"

Defence Acquisition Lifecycle Services: Concept; Assessment; Demonstration; Manufacture; In-service; Disposal

Underpinning our offerings is QinetiQ’s independence, enhanced by the unique breadth and depth of technical expertise and experience


Programme Assurance

“Enabling change and supporting business delivery through optimised solutions focused on efficient governance, increased confidence and minimised risk and uncertainty"

• Development, analysis and control of project schedules

• Production, analysis and management of risk registers

• Development of risk and opportunity management plans

• Schedule and Cost Risk Analysis

• Project and programme management, assurance and control

• Risk analysis, management and reporting

• Development and tailoring of capability dashboards

• Development of novel and tailored project control solutions

• Risk management improvement and training

• Risk Maturity Assessment

• Provision of client advice and governance support

• Stakeholder and contract management

• Business and project transformation

Information and Knowledge Management

Programme Management

Project Management

Risk Management


Speaker Biography

• Chartered Engineer: MIET, MIMechE

• MBA (Lancaster), MSP® Registered Practitioner

• 29 years in Defence industry

• 10 years in consultancy

• Complex programme/project/risk management

• Contract and support/ILS management

• Risk management maturity assessment

− QinetiQ lead


Why is a Mature Risk Management Approach Important? Case Examples

Scottish Parliament

Forecast: £10-40m and 2001 opening

Actual: £414m and 2004 opening

Thermae Bath Spa

Forecast: £13m and 2002 opening

Actual: £45m and 2006 opening


Why is a Mature Risk Management Approach Important? “Doing the Thing Right …. or Doing the Right Thing?”

Astute Class Submarine

£1.35bn* over budget

57 months* schedule slippage

* Nov 2009 figures

New Coke 1986

A (failed) project that delivered the product to the planned time and cost

…. but an example of the wrong project being selected

Have any MOD projects ever proved to be the wrong project …?


Why Does this Happen …?

All projects have uncertainties and changing variables, arising from …

• Budget changes

• Schedule changes

• Requirement changes

• Omissions and errors

• Failure to tackle risk at source

• Things that “just go wrong”

“…… because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know” Donald Rumsfeld


Confidence … Driven by Uncertainty

Confidence is a major factor in human behaviour … and decision-making

• Sub-prime mortgage crisis – Missouri house prices crashed by 90%

• Global recession - US companies stored cash (until very recently)

• Scottish Referendum – investors selling Sterling

Wouldn’t it be useful if we could have confidence in our ability to manage risk…?


Control of Risk Management Maturity - Schedule Impact QinetiQ Analysis of Historical NAO Data

Source Data: NAO Major Projects Reports

[Chart: Current Schedule Performance vs Original Forecast of MOD Top 20 Major Projects. Y-axis: schedule overrun as % of original forecast (0% to 120%). X-axis (projects): Typhoon (Nov-87); Sting Ray (May-95); Nimrod MRA4 (Jul-96); Astute Class Sub (Mar-97); A400M (May-00); Type 45 Destroyer (Jul-00); Support Vehicle (Nov-01); NGLAAW (May-02); Terrier (Jul-02); Naval EHF/SHF Sat Comms (Aug-03); Soothsayer (Aug-03); MTADS (Sep-04); Watchkeeper (Jul-05); Falcon (Mar-06); Merlin (Mar-06); Future Lynx (Jun-06); Advanced Jet Trainer (Aug-06); Typhoon Future Capability (Jan-07). Series: Risk Maturity Uncontrolled; Risk Maturity @ Level 3+. Caption: Schedule Performance vs Original Forecast of MOD Major Projects]

Forecast schedule overrun calculated from the summary of post-Main Gate projects in NAO Major Projects Reports

Many factors affect projects, but those with risk maturity applied at all CADMID stages are more aware of issues and have mitigations in place to respond to those risks

Major projects from the NAO reports with risk maturity applied are statistically less likely to experience schedule overruns


Control of Risk Management Maturity - Cost Impact QinetiQ Analysis of Historical NAO Data

Source Data: NAO Major Projects Reports

[Chart: Current Schedule Performance vs Original Forecast of MOD Top 20 Major Projects. Y-axis: current overspend as % of original forecast (-30% to 50%). X-axis (projects): Typhoon (Nov-87); Sting Ray (May-95); Nimrod MRA4 (Jul-96); Astute Class Sub (Mar-97); A400M (May-00); Type 45 Destroyer (Jul-00); Support Vehicle (Nov-01); NGLAAW (May-02); Terrier (Jul-02); Naval EHF/SHF Sat Comms (Aug-03); Soothsayer (Aug-03); MTADS (Sep-04); Watchkeeper (Jul-05); Falcon (Mar-06); Merlin (Mar-06); Future Lynx (Jun-06); Advanced Jet Trainer (Aug-06); Typhoon Future Capability (Jan-07). Series: Risk Maturity Uncontrolled; Risk Maturity @ Level 3+. Caption: Budget Performance vs Original Forecast of MOD Major Projects]

Forecast cost overrun calculated from the summary of post-Main Gate projects in NAO Major Projects Reports

Projects with Risk Maturity applied experience less budget volatility (overspend or underspend), compared with projects whose level of risk maturity is uncontrolled


QinetiQ Risk Management Maturity Model (QRMM) A Brief History …

• Developed by QinetiQ (1999) to objectively assess risk management maturity

• Referenced on (and compliant with)

− MOD’s Acquisition Operating Framework (AOF)

− Project risk management best practice – APM Project Risk Analysis and Management (PRAM) Guide

− Combined Code (‘Turnbull Guidance’) for UK Corporate Governance – Financial Reporting Council

• Proven capability and value in application over 15 years

− Over £75bn of Defence projects/programmes (across all domains) assessed … and counting

− Used in Oil & Gas (FTSE 100 multi-national), Rail and Manufacturing

• QinetiQ analysis of NAO Major Projects Reports has indicated that RMM can

− Increase confidence in project success through improved cost/schedule adherence

− Deliver forecast improvement in schedule and cost out-turn on major projects


Why QRMM? A Comparison of Risk Maturity Models

QinetiQ analysis of AOF-referenced models for a MOD Business Case: 2013

Comparison criteria (table columns): Defence Heritage; Risk-Specific Maturity Model; Implementation Guidance Available; Implementable Risk Maturity Model Available; Question and Answer Set Developed and Available; Questions Mapped to Maturity Levels; Analysis and Reporting Tools Available; Improvement Roadmap Guidance and/or Tool Available; Number of Maturity Levels; Number of Questions; Implementable Without Investment

Management of Risk (MOR®) Maturity Model: Unknown; High level only; Would need to be developed from first principles; No question set available; 5 maturity levels; 0 questions; No question set available

HM Treasury Risk Management Assessment Framework (RMAF): Unknown; Guidance only; No discrete mapping; 5 maturity levels; 38 questions

OGC Portfolio, Programme and Project Management Maturity Model (P3M3): Unknown; 5 maturity levels; 9 questions

QinetiQ Risk Maturity Model (QRMM): 15 years, over £75bn of MOD assets; Extremely detailed guidance; Software-based implementation, allowing repeatable assessment; Fully embedded in software; Detailed algorithms, embedded in software; QinetiQ proprietary tools, supporting analysis and reporting; Detailed guidance, supported by QinetiQ proprietary tool; 4 maturity levels; 50 questions; Immediately available


QRMM as an Enabler to Better Risk Management

• Assesses and benchmarks the quality and consistency of risk management implementation

• Improves confidence in the ability to predict and deliver against schedule and cost

• Establishes an independent, objective and evidence-based baseline measure of risk maturity

• Identifies strengths and weaknesses in risk management process and its enablers

• Supports formulation of a prioritised ‘roadmap’ of improvement actions against the baseline

• Supports identification of common issues across projects, to help tackle risk at source

• Facilitates sharing of good practice within and across business units

• Builds confidence in the quality of underpinning data (e.g. for Business Cases)

• Scalable: applicable at all levels, at all points in the project/business lifecycle

• Can be used to support supplier assessment


QRMM Construct – Scope and Inputs

• A maturity framework covering 6 risk management perspectives

− Risk Identification; Risk Analysis; Risk Mitigation

− Project Management; Stakeholders; Culture

• Each perspective is scored within the algorithm, at one of 4 levels (QinetiQ IPR)

− Level 1 = Naive (process design or application flawed and probably not adding value)

− Level 2 = Novice (some value-add, but weakness in process design or implementation)

− Level 3 = Normalised (formalised process, implemented systematically and adding value)

− Level 4 = Natural (applied at strategic level in driving objectives and optimising outcomes)

• Level 3 is an acceptable score (complex programmes/projects may aspire to Level 4)


QRMM Construct – Top Level Output

[Chart: Risk Maturity Assessment. Perspectives: Stakeholders; Risk Identification; Risk Analysis; Risk Mitigation; Project Management; Culture. Scale: Level 1 - Naive; Level 2 - Novice; Level 3 - Normalised; Level 4 - Natural. Series: Current Maturity; Potential Improvement]

“An organisation is only as strong as its weakest element”


Characteristics of Maturity Levels What Does ‘Good’ Look Like …?

Level 1 – Naïve

Formal Definition: “Although a risk management process may have been initiated, its design or application is fundamentally flawed. At this level, it is likely that the process does not add value”

Example (Project) Characteristics:

• Poor understanding of risk management principles and application

• No formalised risk process, or elements of the process have lapsed

• Risk process design or application fundamentally flawed

• Risk process ad-hoc and/or poorly applied

• Projects claiming to be implicitly managing risk by virtue of the effectiveness of other processes, such as planning

• Likely to ignore (or fail to understand) that deterministic project processes are not designed to manage implications of uncertainty

Level 2 – Novice

Formal Definition: “The risk management process influences decisions taken by the project in a way that is likely to lead to improvements in performance as measured against its objectives. However, whilst the process may add value, weaknesses with either the process design or its implementation result in significant benefits being unrealised”

Example (Project) Characteristics:

• A project that has taken professional advice or followed standard guidance to initiate its risk management process

• Value being added by applying the risk process should be greater than the cost (and other resource implications) of its application

• A project where there is at least a ‘light’ application of the risk process, and the process itself is standardised and followed with robustness

• A project that has recently initiated a formal risk management process that follows best practice

• A larger project where process application may be an issue

• A larger project where issues of process design may be difficult to correct


Characteristics of Maturity Levels What Does ‘Good’ Look Like …?

Level 3 – Normalised

Formal Definition: “The risk management process is formalised and implemented systematically. Value is added by implementing effective management responses to significant sources of uncertainty that could affect the achievement of project objectives”

Example (Project) Characteristics:

• The discipline of implementing the process across the whole project is clearly in place

• A high and consistent quality of application of risk management is obvious in practice

• A risk register is used to underpin routine reviews of the implications of risk, with effectiveness and implementation of responses designed to manage them

• Risks are understood in a way that clarifies all relevant and significant sources of uncertainty

• Key skills are in place to ensure that the risk register contains the right risks (and they continue to be the right risks), that they are managed by the right risk owners, and that appropriate and sound methods are used to select and prioritise risks for review

• Application of the process is disciplined, broad, continuous and sound

• The process actively engages all relevant stakeholders

• Risk management is being used to support achievement of objectives


Characteristics of Maturity Levels What Does ‘Good’ Look Like …?

Level 4 – Natural

Formal Definition: “The risk management process leads to the selection of risk-efficient strategic choices when setting project objectives and choosing between options for solutions or delivery. Sources of uncertainty that could affect the achievement of objectives are managed systematically within the context of an organisational culture that is conducive to optimising project outcomes”

Example (Project) Characteristics:

• The risk management process is contributing to the selection of risk-efficient strategic choices, when setting business objectives, and choosing between options for solutions or delivery

• Risk is managed from a strategic (not just tactical) perspective

• Risk is helping to provide assurance that the planned project is the correct strategic choice

• Risk responses are likely to be executed from Sponsor level

• Sophisticated risk management techniques are used routinely in, for example, quantifying risk at the overall project level

• Organisational personnel have the ability and experience to select risk techniques that are appropriate to the business

• Risk management is implicit, with over-reliance on the Probability Impact Matrix and use of an integrated risk register and Monte-Carlo simulation toolset avoided

• Risk management is built into projects from the outset


QRMM in Application Empirical Assessment Process

Enablers include … ROMPs; Risk Registers; Management Plans; Stakeholder Maps; Risk Review Records; SRA and CRA Reports

Enablers include … QRMM hosted in AWARD™; Workshop materials; RMA SQEP facilitators; Stakeholder workshop attendees

Enablers include … Workshop Q&A set; Documentary evidence; RMA analysis SQEP

Enablers include … Risk Improvement Action Plan; SQEP stakeholder personnel

[Process diagram labels: Review Documentary Evidence Audit; Conduct RMA Workshop; Analyse and Report Results; Implement Improvement Plan; RMA Benchmark (Level 1 to 4); Periodic re-assessment against current benchmark]


QRMM in Application Risk Maturity Assessment Framework – Hosted in AWARD™


QRMM in Application Risk Maturity Assessment Framework – Hosted in AWARD™

[Screenshot callouts: Context Statement; Question; Answers]


QRMM in Application Risk Maturity Assessment Workshop – Use of Electronic Voting

• Well-established method of group decision support

• Used to elicit opinion

− Primarily interested in the reasons for the votes

− Votes are anonymous

• Provides a framework to consider arguments before expressing opinion

• Discussion is limited to clarification before voting

− Understand the question and supporting narrative, in relation to risk maturity

− Understand how the question and context relates to the project under assessment

• Divergence in votes may provide additional insight: an opportunity for discussion


QRMM in Application Risk Maturity Assessment Workshop – Use of Electronic Voting

• Question is posed

− Consider the question and context ... and vote

• Facilitated discussion

− Voting results presented

− Salient points recorded for analysis/reporting

− Record the consensus view (score, any narrative)

• Re-vote (as necessary)

• Why use Delphi Technique?

− Decisions from a structured group facilitation are more accurate

− In this scenario, exploring voting rationale can aid interpretation and understanding


QRMM in Application Example Analysis Outputs

Category 1: Recommendations to Establish a Basic Risk Management Regime that Supports Improvement of D Eqpt Risk Capability to Level 2 Risk Maturity

Recommendation | Complexity | Value

R1.3 – Division of Responsibilities | Low | High

R1.1 – Confirmation of High Level Business Objectives | Low | Medium

R4.2 – Pre- and Post-Mitigation Assessment | Low | Medium

R4.1 – Risk Response Tracking | Medium | High

R4.4 – Use of Fallback Triggers | Medium | Medium

R3.3 – Secondary Risk Effects | Low | Low

Category 2: Recommendations to Establish an Enhanced Regime that Supports Formalised and Systematic Application of Risk Management Required for a Level 3 Risk Maturity

Recommendation | Complexity | Value

R3.6 – Risk Estimation | Medium | High

R1.4 – Formal Risk Sharing with Equipment DLoD Stakeholders | High | High

R5.7 – Review of Risk Process Effectiveness | Low | Medium

R4.7 – Use of Cost Benefit Comparisons | Low | Medium

[Chart: Level of maturity after Category 1 and Category 2, by perspective (Stakeholders; Risk Identification; Risk Analysis; Risk Responses; Project Management; Culture). Scale: Level 1 to Level 4]


QRMM in Application Case Examples from Defence – Case 1

• Portfolio of 4 projects, with QinetiQ contracted by MOD to

− Formulate and deliver a formal Risk Improvement Programme: April-Aug 2011

− Conduct a repeat RMA in February 2014 to identify current baseline and improvements

• April 2011 status of each project

− Project A – in-service project undergoing contract change, with risk transfer to industry

− Project B – mature equipment, in-service until ~2020, with industry managing risk

− Project C – in Assessment Phase (AP) [due to be placed on contract in 2014]

− Project D – complex international project, in AP [cleared Main Gate in 2014]

Project | Measured RMA April 2011 | Measured RMA July 2011 | Measured RMA February 2014 | Forecast RMA

Project A | Level 1 | Level 2 | Level 2 | Level 3

Project B | Level 3 | Level 3 | Level 3 | Level 4

Project C | Level 1 | Level 2 | Level 3 | Level 3

Project D | Level 1 | Level 2 | Level 4 | Level 4


QRMM in Application Case Examples from Defence – Case 1

• February 2014 forward improvement plans, focused to achieve

− Project A: from high L2 (almost L3) to weak L3 in 3 months, consolidating to a firm L3

− Project B: from high L3 to a weak L4, consolidating to a firm L4 through secondary actions

− Project C: from weak L3 (with risk of slipping back to L2) to a firm L3

− Project D: from weak L4 (risk of slipping back to L3) to a firm L4

• A good example of where focused MOD effort, and periodic RMA, can enhance risk execution

Perspective Number of Projects at Each Level – Feb ‘14

Level 2 Level 3 Level 4

Stakeholders √ √ √ √

Risk Identification √ √ √ √

Risk Analysis √ √ √ √

Risk Responses √ √ √ √

Project Management √ √ √ √

Culture √ √ √ √


QRMM in Application Case Examples from Defence – Case 2 (MOD 1*)

• Level 1 across all 6 perspectives – the worst ever RMA score recorded by QinetiQ!

• Risk improvement roadmap established to target

− Level 2 in 3 months (22 actions)

− Level 3 in a further 9 months (16 actions)

[Chart: Level of maturity after Category 1 and Category 2, by perspective (Stakeholders; Risk Identification; Risk Analysis; Risk Responses; Project Management; Culture). Scale: Level 1 to Level 4]


QRMM in Application Case Examples from Defence – Case 2 (MOD 1*)

• Improvements were not implemented, due to

− Lack of capacity within MOD to implement the plan

− Conflicting demands and changing priorities

− Ongoing organisational uncertainty

− Realisation that implementation of improvements at 1* level would be insufficient

• QinetiQ was then requested to

− Formulate a risk transformation programme covering the 2* group (4 x 1* units)

• What happened next?

− MOD secured stakeholder buy-in to implement the ~18 month transformation programme

− In-FY underspend was secured to fund the initial phase

− Other areas developed an interest in improving their risk maturity

• A good example of where a localised RMA can lead to identification of a wider imperative


QRMM in Application Example Risk Transformation Programme – Defence (MOD 2* Group)

Month 1-4

Activities cover …

Maturity assessment workshops

Evidence-based documentation reviews

Detailed reviews of risk processes

Targeted investigations to gather evidence

Targeted meetings to qualify data/findings

Data analysis and correlation of findings

Development of implementation roadmap

Deliverables …

Report of Phase 1 findings

Roadmap for Phase 2/3

Month 6-10

Deliverables include …

Formal risk management policy

Integrated risk impact assessments

Integrated risk process

Enterprise risk definition set

Risk identification techniques

Risk response strategy suite

Risk audit, review and monitoring regime

Risk review Terms of Reference

Risk review data definitions

Risk escalation mechanisms

Risk fallback triggers and criteria

Risk and Opportunity Management Plan(s)

Risk estimation guide

Audit of existing risks and owners

Configured and populated risk tool

Risk response plans

Senior stakeholder training

Month 11-18

Deliverables include …

Risk ‘aide memoire’

Risk meta-language dictionary

Risk practitioner training

Top-down risk identification

Alignment of top-down and bottom-up risks

Schedule Risk Analysis (SRA)

Cost Risk Analysis (CRA)

SRA/CRA benefits report

Risk behaviour incentives

Early adoption risk guide

Detailed Terms of Reference (by post)

Cost/benefit comparators

Formal LFE mechanism

Project records process

Initial projects records suite

Risk-based enterprise capability management plan

Enterprise capability management dashboard

End-of-phase risk maturity assessments

Phase 1 – Maturity Assessment and Implementation Planning

Phase 2 – Solution Development and Implementation

Phase 3 – Solution Optimisation and Enhancement


QRMM in Application Example Risk Transformation Programme – Benefits Realisation

[Chart: Forecast Risk Maturity (left-hand scale: Risk Maturity Level, Level 1 to Level 4) and Potential for Schedule/Cost Overrun (right-hand scale: Schedule/Cost Overrun as a % of baseline schedule/budget; bands 0-10%, 11-60%, 60-99%, 100%+), across Phase 1, Phase 2 and Phase 3]

Naïve (Level 1)

Risk process flawed

No real value-add

Novice (Level 2)

Risk process influencing decisions

Risk process adding value

Improving performance against objectives

Some process/implementation weaknesses

Potential for significant unrealised benefits

Normalised (Level 3)

Risk process formalised

Process implemented systematically

Effective risk responses executed

Sources of uncertainty under control

Significant value-add

Natural (Level 4)

Risk process informing strategic choices

Sources of uncertainty managed systematically

Risk culture conducive to maximising outcomes


QRMM in Application Case Example from Oil & Gas

• 2011: FTSE 100 Oil & Gas multi-national approached QinetiQ to pilot an RMA on a UK project

• QinetiQ amended the RMA framework Q&A set to reflect O&G-specific language

− Underlying model and algorithms were unchanged

• The pilot was conducted on the UK project

− Identified that lack of risk disclosure from the JV partner was a significant threat

− RMA was extremely well received by the client organisation

− Actions to address the shortfalls were not progressed – the report became ‘shelfware’

− There were serious repercussions for both JV partners

• A good example where failure to address risk maturity shortfalls can impact project health

• What happened next?

− QinetiQ undertook a further RMA on an operation in Asia, on completion of the UK pilot

− The Asia RMA identified significant pockets of good practice to share across the company

− QinetiQ was requested to develop a new corporate Cost & Schedule Risk Analysis standard


Summary – Key Points vs Objectives

1. Introduce the principles and importance of risk management maturity assessment

− There is inherent uncertainty in all projects, programmes and businesses

− Formalised risk management helps us to understand and respond to uncertainty

− Control of risk maturity is an important enabler to good risk management

2. Explore and explain the QinetiQ Risk Maturity Model (QRMM)

− Audits and benchmarks project health and focuses improvement initiatives

− Enhances confidence in the likelihood of an out-turn to schedule and within budget

− Enables us to more confidently establish our risk appetite and inform strategic choice

3. Demonstrate value of QRMM in application

− Case 1 – focused improvement and periodic re-assessment enhanced project control

− Case 2 – localised RMA can trigger wider imperative to enhance risk management

− Case 3 – failure to address risk maturity can impact project health


www.QinetiQ.com

“People Who Know How”