The document discusses risk management frameworks and processes. It provides:
1) An overview of risk management, including highlighting risks at the project, program, and portfolio levels.
2) A risk management framework involving establishing context, risk identification, analysis, evaluation, and treatment.
3) Details of risk governance, including risk management plans, risk registers, governance documents, and ongoing and discrete risk activities.
7. Risk Exposure Areas
Concept Refinement; Technology Develop; Sys Dev & Demo; Prod & Deploy; Opns & Support
Opportunity Assessment; Capture Team Dev; Pre-Proposal; Proposal Dev; Post-Submit
9. Risk – Plan vs. Actual Performance
[Figure: Performance plotted against Time, with curves labelled Customer Expectations and Actual Performance. Other labels: Poor Risk Management; Technical Inability to]
10. Risk Management Realities…
Insurance Not Purchased        Insurance Not Available
Political Risk                 War / Strike
Environmental                  Reputational
Advertiser’s Liability         Terrorism Biological
Professional Liability         Nuclear / Radiation
E-Commerce Liability           Regulatory Fines & Penalties
Certain lines of Products      Poor Business Judgment
Patent Infringement            Supply Chain Interruption
Product recall                 Loss of Market Share
Non-Owned                      Breach of Contract
Terrorism                      Global Pandemic
Liability                      Fraud
12. Integrated Risk Management
[Figure: Project Risk at the centre, linked to Scope, Integration, Communication, Quality, Human Resources, Time, Cost and Contract / Procure. Link labels: Life Cycle & Environment Variables; Ideas, Directives, Data Exchange; Expectations, Feasibility; Requirements, Standards; Availability, Productivity; Time Objectives, Restraints; Cost Objectives, Restraints; Services, Materials: Performance]
Source: Wideman, Max R., ed.,
13. Project Risk - Exposure / Impact
[Figure labels: Internal Risks; Schedule; Resource; Financial; Quality; Project Objectives; Project Planning; Project Execution; External Risks; Integration; Procurement; Communication; Scope]
Opportunities for Tradeoffs - Resulting from Risk Analyses
14. Project - Opportunities / Risks
Opportunities
• Identifies gaps in realisation of strategic objectives
• Escalates current risks and identifies potential risks earlier
• Ensures proper communications to relevant stakeholders
• Improves monitoring and control of projects
• Mediates issue resolution
• Increases efficiency in tracking progress of projects
• Integrates project plans for all projects – standardises progress reporting
Risks
• Fragmented project plans
• Poorly defined project mission & tasks
• No clear process for escalating risks to senior management
• Insufficient reporting to support top-management decisions
• Ineffective enforcement of project controls and policies
• Conflict between line and project managers
• Projects do not meet deadlines and / or milestones
• Lack of standardised reports and reporting frameworks
15. Projects & PPM – Risk Exposure
[Figure: Project Risk Management and Project Portfolio Risk Management, with risk areas labelled Scope, Time, Cost, Goals, Culture and Process Maturity]
16. Risks - Project Manager’s Role
Understand business case and project context
Baseline the risk register
Oversee risk management activities
Embed risk thinking into project review meetings
Ensure risk response actions are carried out (threats, issues & opportunities)
Utilise risk management reserve efficiently
Manage stakeholder expectations
Deliver to time, cost and quality
17. Program Manager’s Challenge
[Figure: three levels, Project Deliverables, Programme & Operational Benefits and Shareholder / Stakeholder Value, each annotated "What are the risks?"]
20. What is Risk?
GIVEN <Condition>, There is a POSSIBILITY that <Consequence> Will Occur
• Must be a FACT or perceived to be FACT
• Must be REALITY BASED
• Can have NO uncertainty attached
Must be ACTIONABLE
ONE condition and ONE consequence per statement
21. Risk Process – Conceptual Overview
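[Figure: process flow of Establish the context, Identify risks, Analyse risks, Evaluate risks, Treat risks. Identify, Analyse and Evaluate are bracketed together as Assess risks. Communicate and Consult and Monitor and Review run alongside every step.]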
22. Risk Elements
TOOLS & TECHNIQUES
Scaleable, fit for purpose
PROCESSES
Well defined, part of normal work routine, consistently used across projects
PEOPLE & BEHAVIORS
Management commitment, delivery teams own the risks, operations involved early, contractors engaged, reward the right behaviors
23. Risk – Project & Process Elements
Project Elements
• Roles & Responsibilities
• Personnel Qualifications
• Management of Change
• Communications
• Documentation
• Project Evaluation and Improvement
Process Elements
Risk Assessment
• What is the Scope of the Risk Assessment?
• What Adverse Events Can Happen?
• How Likely are These Events to Occur?
• How Severe Would the Consequences Be if the Events Did Occur?
Risk Control & Decision Support
• What Could Be Done to Control Risks?
• What Are the Relative Merits of the Risk Control Options?
• What Set of Activities Best Achieves Risk Management Goals?
Performance Monitoring & Feedback
• What Improvements are Expected to Result from the Risk Control Decisions?
• What Measures Best Capture These Expected Outcomes?
• Are the Selected Risk Control Activities Having the Intended Effect?
• How Can the Overall Risk Management Process be Improved?
[Figure label: Feedback Loops]
28. Defining a Risk Framework
[Figure labels, roles: Internal Audit; Risk Manager; Executive Management; Project Sponsor]
[Figure labels, framework elements: Goals and Objectives; Timing; Milestones; Team composition; Approach and Methodology; Tools; Reporting; Information Criteria]
29. Risk Framework
[Figure labels: Strategy; Execution; Tactical; Iterate & Improve]
41. Organisation Maturity & Risk Strategies
Culture
  Level 1: Unaware
  Level 2: Early awareness
  Level 3: Increased Awareness and bias
  Level 4: Culture becomes Known and Uniform
  Level 5: Consistency of Past and Future Actions
Technology vision
  Level 1: None
  Level 2: Isolated projects; initiated from the bottom up
  Level 3: More "joined up" thinking, but still silo-oriented.
  Level 4: Vision drives decisions
  Level 5: Vision becomes Competitive Edge
Alignment of bus. and IT
  Level 1: Unknown concept
  Level 2: Weak, early awareness
  Level 3: Understanding and focus at silo level
  Level 4: Understanding and focus across lines of business
  Level 5: Understanding of wider scope; collaboration
Stakeholder alignment
  Level 1: No alignment
  Level 2: First signs of Stakeholder centricity; silos
  Level 3: Stakeholder Analysis, Trade Off analysis
  Level 4: Well Understood, Drives Decisions
  Level 5: Optimal Stakeholder Benefits
Governance model
  Level 1: None
  Level 2: Becomes a concern
  Level 3: Early Attempts To resolve Governance issues
  Level 4: Governance model Defines and in Place
  Level 5: Strong Governance Culture
Process Integrity
  Level 1: No process orientation
  Level 2: Team-based; fragmented; minimal insight
  Level 3: Process integration At department level
  Level 4: Shared processes across the company
  Level 5: End-to-end process optimisation
IT plan
  Level 1: Weak
  Level 2: Fragmented; limited functionality and focus
  Level 3: Strong functionality within silos
  Level 4: Strong functionality with company-level integration
  Level 5: Superior functionality; integrated beyond the company
Data strategy
  Level 1: None, poor quality
  Level 2: Very fragmented; Operational focus
  Level 3: Focus on silo quality
  Level 4: Ongoing, Iterative Process to maintain Quality
  Level 5: Competitive Differentiator
42. Example – Risk Maturity Matrix
PROJECT EXECUTION RISK MATURITY MATRIX INDEX
Increase in maturity of Risk Mgt core skill sets
Increase # of Risk Mgt core skill sets
Each criterion is rated Level 0 to Level 5, with a Current Level (Score) and a Target & Date (Q4'03).

1. Risk Org Support Structure's in place (Current 2, Target 3)
  Level 0: PM core team has not been allocated to project yet
  Level 1: PM responsibility allocated to Risk Mgt of project
  Level 2: Functional Risk Coordinators appointed
  Level 3: Div/Area/Site Risk Coordinator nominated to support project when required
  Level 4: Divisional PM's assigned Risk Mgt responsibility for all divisions involved in project
  Level 5: Certified (2) Risk Mgr or Divisional Risk Coordinators assigned for all divisions involved in project

2. Project Teams Risk Trained (1 & 2) (Current 1, Target 5)
  Level 0: No training received by Project Team
  Level 1: Informal training received
  Level 2: Project Team trained (1) in BT Risk & Oppty Mgt 5 Step Process (Module 2), emphasis on understanding 3C's methodology (Module 3), Roles & Responsibility (Module 4)
  Level 3: Certified (2) Divisional or Area/Site Risk Mgt support coord allocated to support project core team assigned to project, trained in Facilitating Risk Workshops (Module 5)
  Level 4: Project Team trained (1) in BT ROP Database Use (Module 6) and how to run a Risk Meeting (Module 7)
  Level 5: Project Team trained (1) in BT Risk Costing Methodology (Module 8) and reporting Risk in the MOR (Module 10)

3. Appropriate (3 & 4) Risk Workshops held (Current 3, Target 3)
  Level 0: No Risk & Opp Workshops run
  Level 1: Risk & Opp - ID, Assess & Mitigation workshops (3 & 4) run by a NON certified facilitator
  Level 2: Risk & Opp - ID, Assess & Mitigation workshops (3 & 4) run by a NON certified facilitator for lead & supporting Divisions involved in the Project
  Level 3: Risk & Opp - ID, Assess & Mitigating Action workshops (3 & 4) run by certified facilitator (2)
  Level 4: Risk & Opp Assess & Mitigation workshops (3 & 4) run by certified facilitator (2) for lead & supporting Divisions involved in the Project
  Level 5: Cross Divisional Risk & Opp - ID, Assess & Mitigation workshops (3 & 4) run by certified facilitator (2) for lead & supporting Divisions involved in the Project

4. Projects Set up in ROP (Current 2, Target 3)
  Level 0: Project not in ROP
  Level 1: Project set up in ROP with only PM assigned as Risk Coord for Risks & Opps
  Level 2: Project set up in ROP with some Risk Coords assigned for Risks & Opps
  Level 3: Project Set up in ROP with all Risk Coords assigned for Risks & Opps
  Level 4: Project set up in ROP for all Divisions in Project with some Risk Coords assigned for Risks & Opps
  Level 5: Project Set up in ROP for all Divisions in Project with all Risk Coords assigned for Risks & Opps

5. % Risks with Action Plans (Current 4, Target 0)
  Level 0: 0 % Risks & Opps have Action Plan in place
  Level 1: 1 - 20% Risks & Opps have Action Plan identified, dates and ownership assigned
  Level 2: 21 - 40% Risks & Opps have Action Plan identified, dates and ownership assigned
  Level 3: 41 - 60% Risks & Opps have Action Plan identified, dates and ownership assigned
  Level 4: 61 - 80% Risks & Opps have Action Plan identified, dates and ownership assigned
  Level 5: 81 - 100% Risks & Opps have Action Plan identified, dates and ownership assigned

6. Maturity of Risk Meetings (Current 1, Target 2)
  Level 0: Risk & Opps not on any of the Projects Mtg agendas
  Level 1: Risk & Opps appear adhoc on the Projects Coordination Mtg agendas
  Level 2: Risk & Opps consistently on Project Coordination meeting agenda with Action Plans progress tracked
  Level 3: Cross Divisional Risk & Opp mtg being held by lead Division in the project, with action plans being tracked
  Level 4: Functional Risk & Opps meetings being run by Risk Coords with Action Plans progress tracked
  Level 5: Action Plans progress linked to Detailed Project Schedule (DPS)

7. Risks being costed correctly (Current 0, Target 2)
  Level 0: No Risks or Opps costed per BT costing methodology
  Level 1: Some Risks, Opps & Mitigating Actions costed per BT costing methodology
  Level 2: All Red Risks, Opps & Mitigating Actions costed per BT costing methodology
  Level 3: All Red Risks, Opps & Mitigating Actions costed per BT costing methodology with some Yellow and Green costed as well
  Level 4: All Risks, Opps & Mitigating Actions costed per BT costing methodology and figure for Provision using Sum of all (Probability x Most Likely Costs) in EAC derived from this
  Level 5: All Risks, Opps & Mitigating Actions costed per BT costing methodology and figure for Provision using Monte Carlo simulation in EAC derived from this

8. Maturity of Risk Reporting (Current 3, Target 3)
  Level 0: No reporting of Risk & Opp situation
  Level 1: Risk & Opp situation reported Monthly to Project Core Team
  Level 2: Risk & Opp situation reported Monthly to Head of PM
  Level 3: Risk & Opp situation reported Monthly to Head of Functions
  Level 4: Risk & Opp situation reported Monthly to Divisional MOR
  Level 5: Risk & Opp situation reported Monthly to Group MOR

Level summary: Level 0 No activity; Level 1 Informal; Level 2 Division trained; Level 3 Group Certified; Level 4 All Divisions in Project; Level 5 Certified / All Div's / Full Process
Risk Mgt Maturity Score: Current 16, Target 21
Project RMMI: Current 40%, Target 53%
In order to move up a level you must also have satisfied all the levels below
43. Management by Exception
A risk tolerance structure is always established early in the project to provide the boundaries within which issues are categorised, managed, and escalated. Risk management is embedded in all work-streams.
Establish the Governance structure that will span each of the Phases. This structure will be necessary to ensure the overall success of the project. The focus, attendance, and structure of will be different in each of the project phases.
Questions asked by the Project Team:
• Will I have unacceptable schedule variance?
• Will I have unacceptable budget variance?
• Will I deviate appreciably from specifications?
• Is the issue I am facing politically sensitive?
[Figure: decision flow in which each question has a Yes branch and a No branch; the final No leads to "Make decision". Other labels: Project Manager; Executive]
45. Why Categorise Risk ?
Categories help identify additional risks
Categories may vary from project to project
External: Beyond team control
Internal: Within team control
External: Unpredictable; Predictable (but uncertain)
Internal: Financial; Schedule; Technical; Legal
46. Eg. Risk Categories
[Figure: risk category diagram. Main categories: Product Design; System/Software; Manufacturing; Project Management; Quality; All Other. Sub-category labels include Data Accuracy; Security; Test & Evaluation; Resources; Schedule; Cost; Teamwork; Changing Scope; Calibration; Environment, Health & Safety]
51. Risk Rating Guide
Risk score by Probability and Impact:
                   Impact
Probability        Low (1)    Medium (3)    High (5)
High (5)           5          15            25
Medium (3)         3          9             15
Low (1)            1          3             5

Legend:
R  Show stopper
O  Significant risk
Y  Proceed with caution
G  No concern

High (5)
Probability:
• Major uncertainties remain
• No or little prior experience or data
• Infrastructure and/or resources not in place
Impact:
• Performance, quality, cost or safety impacts resulting in major redesign and program delay

Medium (3)
Probability:
• Some uncertainties remain
• Some experience and data exist
• Infrastructure in place but under-resourced
Impact:
• Performance, quality, cost and/or safety impacts resulting in minor redesign and schedule adjustment

Low (1)
Probability:
• Few uncertainties remain
• Significant experience and data exist
• Infrastructure in place and fully resourced
Impact:
• Performance, quality, cost and safety requirements met within planned schedule
52. Qualitative Risk
[Figure: 5 x 5 matrix of Probability of Occurrence (Very Low, Low, Moderate, High, Very High) against Consequence of Occurrence (Very Low, Low, Moderate, High, Very High), with cells shaded Low Risk, Medium Risk or High Risk]
53. Risk – Impact & Probability Analysis
Impact Assessment 3
  Schedule: Large slip to key milestone of contractual importance
  Cost: Large increase in total cost
  Performance: Major shortfall in operational performance
  Probability of risk occurring: > 50%
Impact Assessment 2
  Schedule: Small slip to key milestone of contractual importance
  Cost: Significant increase in total cost
  Performance: Minor shortfall in operational performance, which impacts upon the customer
  Probability of risk occurring: 25-50%
Impact Assessment 1
  Schedule: Small slip to an internal milestone
  Cost: Small increase in total cost
  Performance: Minor shortfall in operational performance, which does not impact the customer
  Probability of risk occurring: 10-25%
Impact Assessment 0
  Schedule: No impact on schedule
  Cost: No increase in total cost
  Performance: No impact on operational performance
  Probability of risk occurring: <10%
54. Example – Impact Analysis
Impact: Very Low
  Cost: Manageable by exchange against internal budgets
  Time: Slight slippage against internal targets
  Quality: Slight reduction in quality / scope, no overall impact
Impact: Low
  Cost: Requires some additional funding from institution
  Time: Slight slippage against key milestones or published targets
  Quality: Failure to include certain ‘nice to have’ elements
Impact: Medium
  Cost: Requires significant additional funding from institution
  Time: Delay affects key stakeholders – loss of confidence in the project
  Quality: Significant elements of scope for functionality will be unavailable
Impact: High
  Cost: Requires significant reallocation of institutional funds (or borrowing)
  Time: Failure to meet key deadlines in relation to the academic year or strategic plan
  Quality: Failure to meet the needs of a large proportion of stakeholders
Impact: Very High
  Cost: Increases threaten viability of project
  Time: Delay jeopardises viability of project
  Quality: Project outcomes effectively unusable
55. Risk – Scoring System
Consequences
1. No direct effect on operating service level
2. Minor deterioration in operating service level
3. Definite reduction in operating service level
4. Serious deterioration in operating service level
5. Operating service level approaches zero
Likelihood of occurrence
E. Probability of once in many years
D. Probability of once in many operating months
C. Probability of once in some operating weeks
B. Probability of weekly occurrence
A. Probability of daily occurrence
Likelihood of detection
A. Detectability is very high
B. Considerable warning of failure before occurrence
C. Some warning of failure before occurrence
D. Little warning of failure before occurrence
E. Detectability is effectively zero
59. Example – Risk Contingency
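Equipment (IT only)
  How Long Can You Do Without? 5 days
  Impact of Doing Without? After five days no way to schedule production or track orders
  Vulnerabilities? No UPS/generator, MD hardware, SPOF SME members
  Contingency in case of a disaster? Use paper reports for 5 days then go manual for as many as possible
Facility
  How Long Can You Do Without? 0 days
  Impact of Doing Without? No production, potential for bankruptcy, IT non-existent
  Vulnerabilities? Metal building, flood zone, poor maintenance, no perimeter security, door lock broken
  Contingency in case of a disaster? Look for warehouse space, attempt to salvage equipment and restart operation, file bankruptcy
Personnel
  How Long Can You Do Without? 0 days
  Impact of Doing Without? Degraded operations, low service levels
  Vulnerabilities? Too many SPOF
  Contingency in case of a disaster? Best effort shifting of available staff, temps
Raw Materials
  How Long Can You Do Without? 30 days before new deliveries
  Impact of Doing Without? None until on hand exhausted
  Vulnerabilities? Single supplier relationship
  Contingency in case of a disaster? Search for alternative supplier
Transportation System
  How Long Can You Do Without? 30 days in; 2 days out
  Impact of Doing Without? No supplies; No deliveries
  Vulnerabilities? Location, design of entrance
  Contingency in case of a disaster? None
Utilities
  How Long Can You Do Without? 0 hours/power; 0 hours/water
  Impact of Doing Without? Extrusion shuts down, lines cleaned, waste collected and prepared for grinder, IT non-existent
  Vulnerabilities? Single power feed, no generator or backup water supply
  Contingency in case of a disaster? None
Vendors (Sourcing)
  How Long Can You Do Without? 4 hours
  Impact of Doing Without? No call center
  Vulnerabilities? Mercy of vendor
  Contingency in case of a disaster? Bring in-house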
61. Risk Control Matrix
Column headings: Key Process Number; Process; Risk Number; Risk; Control Objective; Control Number; Control Description; Control Owner; Process Narrative; Control Category; Control Type; Primary/Secondary; Control Frequency; Design Assessment
62. Eg. Risk Register
Project: ………………………………..  Reference: ……….....
Prepared by: ……………..  Date: …………………
Key: H – High; M – Medium; L – Low
Column headings: Type of Risk; Description of Risk; Probability (H / M / L); Impact (Perf. / Cost / Time); Risk reduction strategy; Contingency plans; Risk owner
64. On a regular basis review / monitor ….
[Figure: Risk Management Program at the centre, surrounded by: Top Down / Bottom Up Risk Planning; Risk Policies and Procedures; Risk Technology Used; Risk Training and Continuous Improvement; Risk Staff Competency / Capability; Risk Monitoring & Performance Measures; Risk Alignment and Governance; Organisation Risk Culture, Tolerance]
65. Note…
Risks impact project objectives
The only thing we manage on a project is Risk
Sound Project Management is Sound Risk Management
Risks come from decisions we make as we try to achieve objectives
As a minimum, risks need to be identified in the areas of technical, cost, schedule and quality
Risks require a factual condition and have a potential negative consequence
Integrating risk activities and communicating vastly enhances the effectiveness of the overall Risk Management Program
66. “A man's feet should be planted in his country, but his eyes should survey the world.”
- George Santayana