Risk Management
EMGT587
Something that
should be fun
to assess with
your project!
Above – In assessing risks, technical people tend to focus
on technical issues which have occurred to them, but the
major risks for a product may be business-related –
obstacles they don’t consider as often..
1
Risk
Definition
• Risk is the potential that something
will go wrong as a result of one or a
series of events.
• Measured as the combined effect of
the probability of occurrence and the
assessed consequences of the
occurrence.
2
Risk Management
Definition
• Risk management is an organized method
for identifying and measuring risk and
for selecting and developing options for
handling risk.
• Basic Elements are:
Assessment
– Risk Assessment
– Risk Analysis
– Risk Abatement
Risk
Analysis
Abatement
3
Risk Assessment
• Risk assessment involves the ongoing
review of technical design and/or
program management decisions, and
the identification of potential areas
of risk.
4
Risk Analysis
• Risk analysis includes analyzing the
probability of events and the
consequences associated with their
occurrence.
– Event → Cause → Effects → Risk level.
• Tools Include
– Network analysis, Fishbone, FMEA,
Hazard Analysis, etc.
5
Risk Abatement
• Planning for risk. Techniques and
methods to reduce or control the
risk.
• Identify and monitor high risk
items or areas more closely or
frequently.
6
Areas of Risk
• Project areas of risk can include:
– Technical,
Not meeting a design requirement
– Schedule,
– Resources,
– Personnel,
– Budget,
– Political
7
Risk Models
• At the Project or System level
• At the Component or Subsystem level
For the soda machine:
1. In an overall sense, is this a high risk project?
2. Where are the areas of high risk, which modules, what functionality ?
8
Risk Models- System Level
• Quantitative models incorporating:
– Probability of occurrence, Pi
– Consequences of occurrence, Ci.
• Models often tailored to
circumstances.
• Risk Factor Rf = Pf + Cf – PfCf
– Defense Systems Management College model.
9
Risk Model
• Risk Model Categories and Weights
• Risk Analysis and Reporting
10
‘Probability/Consequence’
Approaches are Common
11
Example Project Design
1.
System design uses off-the-shelf hardware with
minor modifications to the software.
2. The design is relatively simple involving the use
of standard hardware.
3. The design requires software of somewhat
greater complexity.
4. The design requires a new database to be
developed by a subcontractor.
5. The consequences of this items failure due to
technical factors causes problems of a
corrective nature, but the correction causes an
8% cost increase and a 2 month schedule slip.
12
Risk Model Tables
Pf is the ‘probability of failure’ term
13
Risk Model Tables (cont)
Ct
Cf is the ‘consequence’ of the failure term
14
Risk Model Tables (cont)
15
Risk Model Process/Decision
16
Example Project Design
(cntd)
1.
System design uses off-the-shelf hardware with
minor modifications to the software.
2. The design is relatively simple involving the use
of standard hardware.
3. The design requires software of somewhat
greater complexity.
4. The design requires a new database to be
developed by a subcontractor.
5. The consequences of this items failure due to
technical factors causes problems of a
corrective nature, but the correction causes an
8% cost increase and a 2 month schedule slip.
17
Calculations
Factors
Weights
PMhw
0.1
0.2
PMsw
0.3
0.1
PChw
0.1
0.4
PCsw
0.3
0.1
Pd
0.9
0.2
Pf
0.3
Ct
0.3
0.4
Cc
0.5
0.5
Cs
0.3
0.1
Cf
0.4
RF
0.58
This is a Medium Risk
Project
18
Benefits of the Risk Model
• Identify overall project risk.
• Identify areas of the project for
closer tracking and monitoring.
19
Risk Abatement-1
• Accept, Assign, Eliminate, Reduce, or
Control the Risk
• Possible Actions:
–
–
–
–
Just live with it….
Assign to someone else (insurance) ..
Redesign the system for lower risk.
If risk concentrated in one subsystem, allocate
it differently.
– If risk spread throughout the system,
concentrate it in a few.
20
Risk Abatement-2
• Eliminate, Reduce, or Control the Risk
• Possible Actions:
– Increased management reporting and review,
– Allocate more resources,
– Adjust schedules,
– Hire consultants or specialists,
– Implement testing plan to identify causes,
– Start special R&D activities,
– Develop a ‘Plan B or fall-back’ plan.
21
Risk Management in
Large-Scale Systems
Characteristics
1. Simultaneous Autonomy and Interdependence
2. Intended and Unintended Consequences
3. Long Incubation Periods
4. Risk Migration
22
Simultaneous Autonomy and
Interdependence
• Sub-systems function independently
and are responsible for their own
survival and growth.
• Yet are linked with other systems.
• Actions to reduce risk at
the subsystem level might
increase risk at the
system level.
23
Intended and Unintended
Consequences
• Due to complexity, size, and
interactions in systems and
projects– decisions have intended
and unintended consequences.
• Decisions made with imperfect
data and sometimes ‘negotiated’.
24
Long Incubation Periods
• Accidents and disasters (failure to see risks)
often have long incubation periods:
– Events often signal danger during
incubation period – but ignored or
overlooked.
– The longer unnoticed,
• more difficult to recognized them,
• more difficult to correct them.
25
Risk Migration
• Long incubation periods present
opportunities for risk to migrate to
other subsystems and parts of the
project.
26
Focus Items for
Risk Mitigation
Organizational excellence at:
– Communication
• Make ‘autonomy and interdependence’
explicit.
– Decision Making
• Ownership, ‘buck stops everywhere’.
– Culture
• Oversight, strong norms, checks/balances.
• Multiple authority structures.
– Interfaces
27
Risk Maturity Levels
Definition
Culture
Level 1 – Ad Hoc
Level 2 – Initial
Unaware of the need for
management of uncertainties (risk).
No structured approach to dealing
with uncertainty.
Repetitive and reactive
management processes.
Little or no attempt to learn from
past projects or prepare for future
projects.
No risk awareness.
No upper management
involvement.
Resistant/reluctance to change.
Tendency to continue with existing
processes even in the face of
project failures.
Shoot the messenger.
Experimenting with risk
management through a
small number of individuals.
No structured approach in
place.
Aware of potential benefits
of managing risk, but
ineffective implementation.
Management of uncertainty built into
all organizational processes.
Risk management implemented on
most or all projects.
Formalized generic risk process.
Benefits understood at all
organizational levels, although not
always consistently achieved.
Risk-aware culture with proactive
approach to risk management in all
aspects of the organization.
Active use of risk information to
improve organizational processes and
gain competitive advantage.
Risk process may be viewed
as additional overhead with
variable benefits.
Upper management
encourages, but does not
require, use of Risk
Management.
Risk management used only
on selected projects.
No generic formal
processes, although some
specific formal methods
may be in use.
Process effectiveness
depends heavily on the
skills of the project risk
team and the availability of
external support.
All risk personnel located
under project.
Accepted policy for risk management.
Benefits recognized and expected.
Upper Management requires risk
reporting.
Dedicated resources for risk
management.
“Bad news” risk information is
accepted.
Top-down commitment to risk
management, with leadership by
example.
Upper management uses risk
information in decision-making.
Proactive risk management encouraged
and rewarded.
Organizational philosophy accepts idea
that people make mistakes.
Risk-based organizational processes.
Risk Management culture permeating
the entire organization.
Regular evaluation and refining of
process.
Routine risk metrics used with
consistent feedback for improvement.
Key suppliers and customers participate
in the Risk Management process.
Direct formal communication channel
to organization management.
Process
No formal process.
No Risk Management Plan or
documented process exists.
None or sporadic attempts to apply
Risk Management principles.
Attempts to apply Risk
Management process only when
required by customer.
Experience
No understanding of risk principles
or language.
No understanding or experience in
accomplishing risk procedures.
Limited to individuals who
may have had little or no
formal training.
Application
No structured application.
No dedicated resources.
No risk management tools in use.
No risk analysis performed.
Inconsistent application of
resources.
Qualitative risk analysis
methodology used
exclusively
Level 3 – Repeatable
Generic processes applied to most
projects.
Formal processes incorporated into
quality system.
Active allocation and management of
risk budgets at all levels.
Limited need for external support.
Risk metrics collected.
Key suppliers participate in Risk
Management process.
Informal communication channel to
organization management.
In-house core of expertise, formally
trained in basic risk management skills.
Development and use of specific
processes and tools.
Routine and consistent application to
all projects.
Dedicated project resources.
Integrated set of tools and methods.
Both qualitative and quantitative risk
analysis methodologies used.
Level 4 - Managed
All staff risk aware and capable of
using basic risk skills.
Learning from experience as part of the
process.
Regular training for personnel to
enhance skills.
Risk ideas applied to all activities.
Risk-based reporting and decisionmaking.
State-of-the-art tools and methods.
Both qualitative and quantitative risk
analysis methodologies used with great
stress on having valid and reliable
historical data sources.
Dedicated organizational resources.
28
Exercise
: Company X
• Company X is a small entrepreneurial company,
three years old, selling monitoring products and
systems into an emerging industrial and technical
market. The company faces a decision to select a
product development direction for the next
generation of the companies’ product lines. Two
major directions and product platforms have been
proposed and are being considered.
• See the case writeup for more details
(the doc file in Week08 stuff).
29
Exercise
: Company X
• What are the risk scores for each
option?
• Where are areas of high risk?
• What would a risk management plan
look like for each option (develop an
outline) ?
30