http://pmsymposium.umd.edu/pm2018/
Susan Parente
PMP, PMI-RMP, PMI-ACP, CSM, CSPO, PSM I, CISSP, CRISC, RESILIA, ITIL, MS Eng. Mgmt.
Associate Professor, Post University, CT, MBA Program: PM Concentration
Adjunct Professor, Montclair State University, NJ, MBA Program: Risk Management
2018 Project Management Symposium
RISK MANAGEMENT…MADE EASY
Agenda
• Definition of Risk Management
• Risk Management Overview
• Risk Management Process
  ◦ Identification, Assessment, Response Planning, Execution
  ◦ Monitoring, Documentation and Communication
• Applicability to Projects
• Summary
Copyright © 2011 S3 Technologies, LLC
Risk Defined
• A Risk is an uncertain event or condition, that if it occurs, has a positive or negative effect on at least one objective
• A Risk is described by the probability that an event will occur and the impact of the consequence of that event should it occur
• Note the Difference Between a Risk and a Problem or Issue
  ◦ A Risk is an event that may occur in the future
  ◦ A Problem or Issue is something that has already occurred and you are dealing with now
Both Risks and Issues must be addressed
Probability: The Likelihood of Occurrence (That an Objective Will Not Be Met Using the Current Plan)
Impact: The Consequence of Occurrence (Penalty Incurred If the Objective Is Not Obtained)
[Figure: Risk Exposure increases with Increased Probability and Increased Impact]
Why Manage Risk?
Risk Management is what we have been doing for years as successful PMs, but in a structured & rigorous manner.
Image from: NPS (n.d.) Climbing Experience Program. Retrieved from https://www.nps.gov/ciro/planyourvisit/climbing-experience-program.htm
Risk Management
• Risk Management has us inquire into uncertainty…
  ◦ What are our project unknowns?
  ◦ …known unknowns?
  ◦ …unknown unknowns?
• Risk Management provides a capability to quickly and effectively communicate risk information up and down the management chain
Benefits of Risk Management
• Identifies existing as well as potential problems
• Describes and classifies risks
• Prioritizes risks so resources may be effectively applied
• Identifies strategies to reduce threat risks
• Minimizes safety risk to personnel
• Provides a structured and systematic review of the processes to manage risk
• Provides ongoing structure for project/product improvements
• Provides continuous risk communication
Benefits of Risk Management
Risk Management facilitates communication by offering processes, mechanisms, and a common language for stakeholders to identify, define, evaluate and control risks.
Image from: Pixabay (2016) Retrieved from https://pixabay.com/en/rock-climbers-teamwork-summit-peak-1720497/
Risk Management Processes
• Identification
  ◦ Discovery of a potential risk
• Assessment
  ◦ Review, analysis, and prioritization
• Response Planning
  ◦ To mitigate, avoid, transfer, accept, escalate threats
  ◦ To enhance, exploit, share, accept or escalate opportunities
• Execution
  ◦ Of response strategies, as determined in response planning
[Figure: process cycle with the stages Identify, Assess, Plan Response, Execute]
► Planning, Monitoring, Documentation and Communication
  • Foundational for project mgmt. & essential to all processes
  • Part of continuous process improvement for the RMP
[Figure: supporting activities Plan, Monitor, Document, Communicate]
Risk Identification
• Any and all personnel on a project are responsible for identifying risks – it’s an everyday part of the job
• It is not necessary to resolve the risk at this stage – simply capture the potential problem
• Identification Methods
  ◦ Brainstorming
  ◦ Checklists
  ◦ Cost/Schedule Analysis
  ◦ Functional/Failure Analysis
  ◦ Interviewing
  ◦ Subject Matter Experts
Risk Identification
If You Haven’t Identified Your Risks,
You're Already Taking Them.
Risk Identification
• When is it appropriate to identify a risk?
  ◦ If the risk poses threats to meeting success criteria, mission objectives, critical milestones, etc.
  ◦ If you need resources to resolve the risk
  ◦ If broader awareness is needed
  ◦ If the risk presents threats to completing tasks
Risk Identification
• Risk Statements are written in a structured manner
  ◦ State the risk in the format of “If…, then…” Statements
    ▪ Condition (‘If’) statement - A short, succinct statement that describes the background information and/or description of the problem
    ▪ Consequence (‘Then’) statement - A short, succinct statement that describes the key possible outcome(s) of the current conditions
• Consequences should be directly traceable to the event: For example, “If I have a flat tire while commuting to work, then I may not get to work on time”
Risk Assessment (Analysis)
• Risk Assessment/Analysis
• What is the probability of the risk occurring?
• What is the impact if the risk occurs?
• Qualitatively (subjective) Ex.: “significant”, “severe”
• Quantitatively (days or dollars) Ex.: 2 days or $10,000
• Both Probability and Impact are determined
• These are used to evaluate the risk:
Qualitative Assessment: Ex. Risk Score or using the Probability and Impact Matrix
Quantitative Assessment: Ex. EMV (Expected Monetary Value) = Probability x Impact
Risk Assessment (Qualitative)
• Use a Probability and Impact Matrix
Risk Assessment (Quantitative)
• Results in a quantitative value (dollar or day) for the risk, which is based on the probability and impact of the risk.
• Methods Include:
  ◦ Monte Carlo Analysis (and Latin Hypercube)
  ◦ EMV (Expected Monetary Value)
  ◦ Decision Analysis
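Added example (not part of the original slides): a short Python sketch that applies the EMV formula from the assessment slides to a small risk register and compares the total EMV with a Monte Carlo run over the same register. The register entries, probabilities, dollar figures and all function names are constructed for illustration; a negative impact stands for an opportunity.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    risk_id: int
    statement: str      # written in the deck's "If..., then..." form
    probability: float  # chance (0..1) that the event occurs
    impact: float       # dollars if it occurs; negative = opportunity (saving)

    @property
    def emv(self) -> float:
        # EMV (Expected Monetary Value) = Probability x Impact
        return self.probability * self.impact

# Constructed sample register; every entry and figure is illustrative.
REGISTER = [
    Risk(1, "If the pen test finds critical flaws, then release slips for rework", 0.30, 40_000),
    Risk(2, "If the only firmware engineer leaves, then a contractor must be hired", 0.10, 90_000),
    Risk(3, "If the HSM vendor delivers early, then lab rental can be cut short", 0.50, -8_000),
    Risk(4, "If the cloud region fails during cutover, then the migration is repeated", 0.05, 25_000),
]

def rank_by_emv(register):
    """Largest expected cost first: one way to fill the register's Priority column."""
    return sorted(register, key=lambda r: r.emv, reverse=True)

def total_emv(register):
    return sum(r.emv for r in register)

def simulate(register, trials=20_000, seed=2018):
    """Monte Carlo: in each trial every risk independently occurs or does not."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    return sorted(
        sum(r.impact for r in register if rng.random() < r.probability)
        for _ in range(trials)
    )

def percentile(sorted_outcomes, pct):
    idx = min(len(sorted_outcomes) - 1, int(pct / 100 * len(sorted_outcomes)))
    return sorted_outcomes[idx]

if __name__ == "__main__":
    runs = simulate(REGISTER)
    print("Priority order (risk IDs):", [r.risk_id for r in rank_by_emv(REGISTER)])
    print(f"Total EMV:      ${total_emv(REGISTER):,.0f}")
    print(f"Simulated mean: ${sum(runs) / len(runs):,.0f}")
    print(f"80th percentile cost: ${percentile(runs, 80):,.0f}")
```

With these constructed figures the total EMV is $18,250 while the simulated 80th-percentile cost is $40,000, so a contingency sized from EMV alone is exceeded in more than a third of the trials.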
Response Planning
Risk Response Strategies (for Threat Risks):
• Mitigation: Pre-Event actions to reduce the probability or impact of a risk
• Avoidance: Eliminate the risk producing activity entirely by choosing an alternate approach.
• Transfer: Take actions that redistribute risk to another area. (This does not relieve the responsibility of tracking and closing the risk)
• Accept: Accept the risk as stated with no other action.
  ◦ Passive: Accept and do nothing
  ◦ Active: Accept and put a plan in place to minimize the impact of the threat, should it occur.
Response Planning
Risk Response Strategies (for Opportunity Risks):
• Enhance: Increase the likelihood of the risk event occurring and/or increase the magnitude of its impact.
• Exploit: Pre-Event actions to increase the probability and/or impact of an opportunity risk, to ensure it occurs and is fully realized.
• Share: Optimize probability and/or impact of an opportunity risk occurring.
• Accept: Accept the risk as stated with no other action.
  ◦ Passive: Accept and do nothing
  ◦ Active: Accept and put a plan in place to take advantage of the opportunity, should it occur.
Execution
• PMI’s PMBOK Guide 6th Edition calls this Implement Risk Response
• Implement response strategies, as determined during response planning.
• This includes the risk responses of:
  ◦ For Threats: Mitigate, Avoid, Transfer, Accept
  ◦ For Opportunities: Enhance, Exploit, Share, Accept
More Risk Terms
• Secondary Risk: Often the “Consequence” of one risk statement becomes the hazard or “What can go wrong?” for another risk.
• Residual Risks: Risks that remain after implementing the Risk response.
• Risk Trigger: An event which, when it occurs, is a warning that the risk event will soon occur.
• Record & Track risks in a Risk Register
Risk Planning, Monitoring, Documentation & Communication
• Monitor, Track and Communicate Risk
  ◦ Track the progress of mitigating the risk.
  ◦ Communicate this information to management and internal and external stakeholders.
• Integration of Risk Management with Cost and Schedule Processes
Risk Planning, Monitoring, Documentation & Communication
• Effective Understanding and Prioritization of Risks
  ◦ Facilitate Early Mitigation, Minimize Project or Program Issues
• Escalation
  ◦ Escalate Risks to the management level where they can be resolved.
  ◦ Expedite Elevation of Critical Risks to Upper Management
Applicability to Projects
Potential areas for implementation of Risk Management:
• Project Objectives
• Project Management Processes
• Information Security
• Development
Applicability to Projects
Risk Categories:
• Integration (hardware/software)
• Logistics Support
• Manufacturing
• Schedule
• Technology
• Budget (funding)
• Capability of Developer
• Management Strategies
• Requirements
• Test/Evaluation
• Environment
• Systems Engineering
• Maintenance/Supportability
• Portfolio Management
• Marketing
• Other…
Summary
✓ Risk Management is an organized, systematic decision-making process that efficiently plans, assesses, handles, monitors, and documents risk to increase the likelihood of achieving project goals and decrease the likelihood that a risk would become a future problem
✓ Risk Management adds structure and rigor to a fundamental process
✓ Risk Management is everyone’s job! That means you!
Risk Management
Everyone wants to be doing it. Everyone thinks everyone else is doing it.
Not many people are actually doing it, and no one is doing it particularly well…
Risk Management
S3 Technologies, LLC
Susan Parente
www.s3-tec.com
O: 203-307-5246
Please join us on LinkedIn in the
Risk Management Implementation Group
http://www.linkedin.com/groups?mostPopular=&gid=3442533
For discussion and resources on Risk Management and Implementing Risk Management
QUESTIONS?
Additional Information
Risk Identification
• Sample Risk Register:

<Project> Risk Register - Threats
Last Update: <date>

Column: entry guidance shown in the sample
Priority (Rank Order):
Probability: Very Low, Low, Med, High, Very High
Impact: Minimal, Moderate, Significant, Extensive, Severe
Exposure (Prob x Impact): (see key) Ex: HIGH 4-5
Risk ID #: 1
Risk Type: Technical, Cost, Schedule, Security
Status: Ex: D, DO, DOC, DOCN
Owner POC: First and Last Name
Risk Statement: Risk defined in "if… then…" statement.
Risk Triggers:
Risk Strategies: Mitigation, Avoidance, Transfer, Assume (include both short and long term)
Residual Risks or Secondary Risks: Residual Risk is the risk remaining after employing the response. Secondary Risks are a direct result of the risk response.
Status Notes: History of Risk Status
Date Identified: Date Risk was identified
Risk Identification
• Risk Register Fields:
  • Priority
  • Probability
  • Impact
  • Exposure
  • Risk ID #
  • Risk Type
  • Status
  • Owner
  • POC
  • Risk Statement
  • Risk Triggers
  • Status
  • Date of Identification
Response Planning
Determining Risk Response Strategies:
Risk Source: <Priority 1>
Worksheet columns: Potential Strategies | Estimated Benefit from Strategy | Estimated Drawbacks of Strategy (including $/resources) | Selected Strategy (check)
Potential Strategies (one row each):
• Avoid
• Mitigate: Minimize Probability
• Mitigate: Minimize Impact
• Transfer
• Defer
• Assume
Additional Information
PMI-RMP® Certification
PMI-RMP® Certification
PMI Risk Management Professional (PMI-RMP)®
• “PMI’s Risk Management Professional (PMI-RMP)® credential is a response to project management’s increasing growth, complexity and diversity. Globally recognized and demanded, the PMI-RMP® fills the need for a specialist role in project risk management.”
• “It recognizes your unique expertise and competency in assessing and identifying project risks, mitigating threats and capitalizing on opportunities, while still possessing a baseline knowledge and practical application in all areas of project management.”
Reference: PMI, “PMI Risk Management Professional (PMI-RMP)” Retrieved from: http://www.pmi.org/en/Certification/PMI-Risk-Management-Professional-PMI-RMP.aspx
PMI-RMP® Certification
Who should apply:
• Risk management specialists and Project Risk Managers
• To increase your skills in project management
• To highlight your specialized expertise to employers
PMI-RMP Requirements:
• A 4 year degree (bachelor’s or the global equivalent), with at least 3,000 hours of project RM experience and 30 hours of project RM education.
OR
• A secondary diploma (high school or the global equivalent) with at least 4,500 hours of project RM experience and 40 hours of project RM education.
PMI-RMP® Certification
How to Apply:
• Online at www.pmi.org
• More Info:
  ◦ PMI-RMP Handbook
  ◦ PMI-RMP Exam Preparation
Maintain Your PMI-RMP:
• Earn 30 PDUs/3 year cycle in project risk management
• Learn more at: http://www.pmi.org/en/Certification/PMI-Risk-Management-Professional-PMI-RMP.aspx