Creating Risk IntelligenceA High Level How To Guide for Program Managers

1
Creating Risk IntelligenceA High Level How To
Guide for Program Managers

• Nathan Houser Sean Conlin, Deloitte
• November 2006

This presentation is incomplete without the
accompanying discussion
2
Agenda

• Whats in it for me!?
• A day-in-the-lifecan we make this better?
• Making it happen
• Critical success factors
• What can I do on Monday morning?

3
What is a Risk?

• RISK potential loss from inability to achieve a
  programs objectives
  
• caused by people, process, system, or external
  factors
  
• Impact can be positive or negative
• Risks can result from any combination of factors
• people, process, systems, technology, science, or
  external events

4
DoEs World of Risk Management
Program Managers
5
Whats in it for me?
Leaders, managers, and staff alike benefit from
risk management.
Higher impact programs Better control of the over
all portfolio Stronger focus on long-term rather
than short-term Time to focus on areas currently
neglected
More predictable cost estimates
Less chaotic days, that are more productive
More visibility in project activities
Fewer and simpler legislative reporting requests
Better client relationships More predictable qual
ity of life Mechanism to raise issues and have re
solved
More follow-on work
6
Risk Intelligence Differs by Program/Project
Specific objectives dictate desired level of risk
sophistication.
Built into decision-making Risk interactions are
managed with incentives Intelligent risk taking
Sustainable Risk management is everyones
job
Integrated response to adverse events
Performance linked metrics Rapid escalation Cult
ural transformation underway Bottom-up Proactive

Tone set at the top Policies, procedures, risk a
uthorities defined and communicated
Business function Primarily qualitative Reactive

Reaction to adverse events by specialists
Discrete roles established for small set of
risks
Typically finance, insurance, compliance
Ad-hoc / chaotic depends primarily on individua
l heroics, capabilities and verbal wisdom

1 Tribal Heroic
2 Specialist Silos
3 Top-Down
4 Systemic
5 Risk Intelligent
7
The Life of the Tribe
Daily life is chaotic, ad-hoc heroics carry the
day.
Negative surprises are the norm
Regular re-baselining Difficult conversations w
ith FPDs Appropriators
Lots of stress, reacting to events
To do list grows not shrinks Stay late, no kids
, no gym
Less job satisfaction
Despite planning, seem to be reacting
Difficult client meetings Long hours, stressful
days
Muddled job satisfaction
8
The Life of the Tribe
Project assessments in a reactive culture.
The risk assessment performed does not
adequately distinguish amount of contractor risk
and government risk.
The risk contingency is considered marginal at
best.
The potential for substantial changes in the
project design as a consequence of external
reviews is an unrecognized risk.
9
Life with Leadership
Senior Leadership imposes top-down risk controls
On a mission to stop rampant re-baselining
Establish new risk policy/procedures
Many meetings to rigorously enforce
policy/procedures Reactive but feeling of progre
ss
Increased OH due to PM pressure on cost
re-baselining Some additional risks factored int
o re-baselines
Still reactive
Increased OH Numerous meetings to discuss risks
mitigation Difficult contingency budget conve
rsations with FPD Concern risk conversations dis
tracting from PM role
10
The Good Life
Risk Intelligence proactively a part of all
activities
FPDs proactively anticipate risk/mitigation
plans Stable baselines DOE studied as best pra
ctice for Risk Intelligence Seen as proactive/c
redible by Appropriators
Reduced OH Proactively out ahead of mitigating
prioritized risks Recognized for excellence in P
M Recent crisis, executed plan, still home at no
rmal time
Excellent client relationship
DOE business growing Monthly reports include up
dates on top risks/mitigation
Strong job satisfaction/personal health up,
working out
11
Getting there from here
Structured methods, tools, and reporting provide
predictable results.
Methodology Tools Management Reporting
12
Five-step Risk Management Lifecycle
The risk lifecycle applies across all parts of a
program or project. .
ExecutionComponents
Managing Risk
1. Identify Risks
5. Monitor, Assure Escalate
4. Design Test Controls
3. Respond to Risks
2. Assess Measure Risks
Hazard
Strategic
Operational
Governance
Technology
Financial
People
Process
Compliance
FoundationalElements
Risk Areas
13
Step 1. Identify the Top (relevant) Risks
Hundreds of insignificant risks can easily
distract from a few critical.
14
Step 2. Assess and Measure the Risks
Evaluate each risk and its impact on cost, scope,
and schedule.
major weather event
Natural Environ.
dominate party change
Political
reduction in supplyavailability ?
constituent priority shift
Social
External Risks
Reduction in available funding ??
technology innovation
Technological
reduction inavailable funding ?
reorganization
Inter-Dept/Agency
Changes solution ??
Objective Complete entire Project by 2010 within
budget
Infr. not avail. ?
changespriorities ??
Union contract expires ??
Inadequate projectmonitoring ?
Infrastructure
Improved constructionmethods ?
Personnel
Internal Risks
Process
Technology
15
Step 3. Respond to Risks
Choose the corrective actions, execute, and
evaluate effectiveness.
Identify corrective actions
Monitor effectiveness of actions
16
Step 4. Design Test Controls
Corrective actions result in mitigated risk, but
come with a cost.
Sample risk Technology advances and innovation
require design changes.
Very High
1
2,3
High
Incremental Mitigated Risk(Perform Cost/Benefit
Analysis)
2,3,4
Corrective Actions
Medium
Residual Risk
2,3
Low
2,3,4
Actual
Planned
Very Low
Q1 06
Q2 08
Q3 08
Q2 06
Q3 06
Q4 06
Q1 07
17
Step 5. Monitor, Assure, and Escalate
Complete set of risks must be considered to
understand the risk profile.
Very
5
6
High
10
3
1
3
8
7
2
Inherent (Gross) Risk
4
Example Risks Technology Innovation Departmenta
l Reorganization
9
Very
Very
Current Residual (Net) Risk
Low
High
18
Critical success factors
Everyone has a role to play in making risk
management part of the culture.
Seek and maintain senior leadership sponsorship
Establish common language for risk management
Integrate risk management across programs
Focus on changing the culture, not on executing
the tactics
Assign ownership of risks as appropriate (govt,
contr.) Coordinate risk management across project
Focus on the value to all of managing risk, not
the burden
Raise ALL risks identified on the ground
Designate operational accountability for
corrective actions Make risk management a priori
ty
19
For more information

• Sean Conlin
• sconlin_at_deloitte.com
• Nathan Houser
• nhouser_at_deloitte.com