Implementing project risk management

1
Implementing project risk management

• Kate Boothroyd FIRMDirector, KB Risk Consulting
  LimitedIRM North West England Regional Group
• Workshop D10

2
Agenda

• A typical risk process
• A typical project lifecycle
• How the two are linked
• Pre-project phase
• Pre-implementation phase
• Implementation phase
• Business operation phase
• Summary

3
1. Typical risk management process
4
Risk and Risk Management

• Risk
• An uncertain event, which should it occur, may
  impact positively or negatively on the outcome of
  defined objectives
• Considers both opportunities and threats
• Risk Management
• A formal process that enables identification,
  assessment, planning and management of risks

5
2. Typical project lifecycle
Business operation phase
6
3. How the two are linked
7
3.1. Pre-project phase

• Part of a clients strategic plan
• Strategy is about aiming in the right direction,
  and strategic risks look at whether a company is
  doing the right things
• Projects become a means of implementing your
  strategic plans
• Risk management is used to help a client decide
  whether to proceed with a project does it help
  them do the right things?
• Perhaps you have been invited to help with this
  decision

8
3.2 Pre-implementation phase

• Probably when you first get to know about the
  project
• Initial review to decide whether to submit a
  proposal
• Kick off meeting held to decide how to undertake
  this phase and the project itself
• Resources?
• Time?
• Capability?
• Frenzied activity
• Discussions with client, client representatives,
  designers, staff, suppliers, sub-contractors, etc
• Production of proposal information

9
Pre-implementation phase

• Where is your risk management in all of this?
• Is there a request for a risk identification
  workshop two days before the proposal is due for
  review by senior management (if youre lucky!)?
• You have a kick off meeting. Use this to kick
  start your risk management process
• Develop your risk management plan.

10
Risk management plan

• Defines and plans risk process
• Project Risk Management Plan
• Project specific document that holds the
  definition
• of your chosen risk management process,
• including -
• Scope objectives
• Organisation, roles responsibilities
• Approach process, tools techniques
• Deliverables
• Reporting flows and structures
• Process meeting life cycle
• Record of how, who, when and how often!
• Integral part of Project Execution Plan

11
Risk management plan

• Plan how you will implement the risk management
  process for this phase, but also plan for the
  next phase too
• Resources
• On site
• Advisory support
• Job descriptions
• Time
• to effectively hand over the project at
  implementation
• To carry out risk management at all stages
• Does your process suit the needs of the project?
  
• One size does NOT fit all, even if the colour and
  shape meets your corporate needs
• Have you engaged your stakeholders? Do they
  understand why they need to use risk management
  and why they need to be involved?

12
Pre-implementation phase

• You have decided how, what, why and when in
  relation to risk management
• What have you based these decisions on?
• Is this when you should do risk identification?
• Does everyone fully understand the clients
  requirements, and the companys requirements?
• Have you identified what it is you need to
  protect and enhance to ensure that the project is
  a success?
• Consider defining the objectives

13
Define objectives

• Sets the scene for risk identification
• Understand why the project / activity is being
• undertaken and what has to be achieved.
• Who are the stakeholders?
• Directly involved e.g. Client
• Affected e.g. Neighbours
• Interested e.g. Media
• Will the right people be involved
• What has to be achieved? (Benefits)
• Can the success criteria be defined - KPIs?
• Use value management
• What assumptions/exclusions have been made?
• Review and challenge requirements

14
Exercise - Spot the risks

• Task
• Leave this room and go to the car park
• Identify the risks you may encounter on this
  journey

• Did you take account of different scenarios?
• E.g.
• Jane sets off the fire alarm
• Peter starts a fire in the reception
• Joe asks you to go for the hell of it

Moral ASK WHY YOURE DOING IT If you dont
ascertain the objective of the exercise then you
cant accurately identify the risks and you
willwaste time, effort and resources
15
Pre-implementation phase

• You now have a plan to implement risk management
• You know what the objectives are
• Is this when you should identify you risks?
• Yes!!

16
Risk Identification

• Aims to be -
• Comprehensive
• Consistent
• Complete
• All risks ??
• If you dont identify a risk, you cant manage it

17
Identification Techniques

• Structured Brainstorming - Affinity Grouping
  (sticky notes)
• SWOT Analysis
• Assumptions analysis
• Interviews
• Generic Categories / Prompt lists / Check lists /
  
• risk questionnaires
• Strengths weaknesses

Which is the best technique?
Horses for courses
Use a combination
18
Assumptions

• Thoughts regarding assumptions
• An assumption is a statement that is taken as
  being true for the purposes of planning a project
  in the earlier stages (but could change if new
  information becomes available)
• If it does turn out not to be true then the
  project may need considerable re-planning
• Assumptions are not priced at least as part of
  a proposal. So if re-planning is required, who
  is going to pay for it?
• Assumptions analysis (testing if they are true)
  is a very good way of getting your first list of
  risks but you cant do this if you havent
  written them ALL down
• Dont abuse assumptions!

19
Generic Risk Categories

• Enables co-ordinated / combined management of
  risks across the sites / projects
• Used in the identification of risks
• Guides users towards more common descriptions
• Used in the identification of feedback
• Enables identification of trends - especially
  effective when one management action can cover
  more than one risk
• Examples of risk categories or risk breakdown
  structure -

20
Risk Naming - A Structured Language

• Risk Name
• A structured description
• Understandable
• Means something to those who read it
• Bounds risk and subsequent analysis

21
Mouse on Mars
22
Real Risks Vs Causes Vs Effects
Background conditions
CAUSE
Impact on Objectives
EFFECT
23
Which is which?

• Can you tell the difference between
• causes, risks and effects?
• For the following planning issues

Poor quality plans drawn
Ignorance of Planning regulations
Neighbours object
May not receive planning approval
Well never be allowed to build it!
Go over budget
Project delays

24
Capture both sides of uncertainty

• Due to ground surveys, geotechnical studies,
  trial pits, etc not having been carried out,
  unsuitable grounds conditions may be discovered,
  generating additional costs and potential project
  delays.

• Due to ground surveys, geotechnical studies,
  trial pits, etc not having been carried out,
  unsuitable grounds conditions may be discovered,
  generating additional costs and potential project
  delays.

• Risk Title
• Unsuitable ground conditions
• -ve statement giving consideration only to
  threat, therefore only taking account of half of
  the Real Risk / Uncertainty
• Unknown ground conditions
• Could result in a ve or -ve effect, therefore
  considering both opportunity and threat
• Always take a balanced approach

25
Risk Workshops

• Preparation
• Issue clear agenda
• Risk Workshops
• Ensure objectives have been or are defined
• Record specific impact scale
• Identify risks
• Assess risks
• Allocate owners
• Develop action plans for significant risks
• Issue risk report
• Make sure you have the right people involved,
  including representatives of the implementation
  phase

26
Risk Owners

• Identification of the person to manage a risk
• Note the distinction between a risk owner and a
  risk carrier
• Risk Owner
• Responsible for effective management and
  mitigation of risks allocated to them best
  person to own and therefore influence the risk
• Risk Carrier
• The party that carries the cost, time,
  functionality penalty if a risk occurs
• You may own a risk on behalf of the client as you
  are the best person to manage it, but you might
  not be the risk carrier.
• This may need to be made specific through the
  contract negotiations

27
Pre-implementation phase

• You have a list of risks, but you dont know
  which risks are the biggest
• Should monies be included for managing risks or
  do you need contingency sums
• Now is the time to assess your risks

28
Assessment

• Assess objectively
• Prioritise key risks
• Develop effective strategies
• Focus management attention
• Two methods
• Qualitative (descriptive)
• Quantitative (mathematical)

29
Qualitative assessment - risk ratings

• Project Cost or Profit
• Programme
• Safety
• Security
• Legal
• Reputation
• Environmental

30
Example Of Specific Scales
Each risk has one probability of occurrence and
at least one impact
The impact with the highest impact type that is
transferred to the Probability Impact Diagram
(PID) Try and make it project specific
31
PID Diagram
32
Current and post ratings

• (Pre) Current - indicates the current rating of
  the risk
• - at the start of the activity indicates the
  position as undertaken within a competent
  site, with normal controls / procedures in
  place
• - position prior to additional handling
  strategies (mitigation) undertaken
• - once mitigation undertaken, indicates
  revised position of the rating
• Post mitigation - indicates the suggested rating
  of the risk once any new actions have been
  successfully implemented

33
Recording risk data

• Risk assessment produces lots of data
• risk
• root cause/effect
• probability
• impacts
• timing (trigger dates / action dates)
• proximity (immediate / near-term / long-term)
• handling strategies (actions / contingency/fallbac
  k)
• owner
• etc
• Need structured method to record report
• This is the Risk Register

34
Quantitative assessment

• Aims to
• Quantify the effect of risks
• Predict likely project outcomes
• Identify options
• how to respond
• Balance response against potential cost
• Focus management attention
• priority areas

35
Contingency

• Contingency is usually arrived from the
  combination of the following two forms -
• Estimating Uncertainty uncertainty associated
  with possible performance for project or
  operational work scope in terms of cost and
  schedule duration.
• Discrete risk an event, circumstance or
  condition that may or may not occur, which could
  influence delivery of project or operational work
  scope

36
Draw Up Base Programme and Estimate

• Establish the base programme and estimate before
  risk assessment
• All impact assessments must reflect the current
  baseline
• Assumptions, exclusions, allowances
• Constraints
• Note that part of a risk may already be covered
  within a base estimate or programme
• Response strategies / mitigation actions must be
  reflected in the base plan this provides
  funding for risks should they impact.
• Must map discrete risks across correctly to the
  base plan not all risks span all phases
• If this is not done correctly in development of
  the proposal then funding for the Project will be
  incorrect

37
Pricing risks

• Price relevant risks only
• 3 point estimate (3PtE)
• Assess
• Percentage likelihood of occurrence (not the risk
  rating)
• Impacts (not the risk rating)
• Either financial (s) or programme (working days)
• Estimate
• the risk impact and likelihood of occurrence
  based upon residual risk assessment, assuming
  mitigation to have occurred, but only if
  mitigation activities and their associated cost
  have been included in the base estimate and there
  is a reasonable level of confidence about the
  future success of that mitigation
• Using the above details Monte Carlo simulation
  can be used to establish a realistic risk estimate

38
Monte Carlo Simulation - What Is It?

• Monte Carlo
• Based on the Central limit theorem
• Mean of a set of n variables (where n is large),
  drawn independently from the same distribution
  ?(x) will be Normally distributed as follows
• x Normal(?, ? / ? n )
• Swings roundabouts
• looks at a pot of risks
• some things will go wrong, but some will go right
• not everything will go wrong, but not everything
  will go right
• if some things go right these this may compensate
  for those things that go wrong
• Wags and swags

39
Caveats

• May not be
• required
• appropriate
• affordable
• depends on project complexity (in line with
  ME/G/113 guidance)
• Most useful when most difficult
• early - lack details
• Difficulty in estimating uncertainty
• GIGO

40
Exercise Estimating accuracy

• How well do you understand your ability to
  estimate when uncertain?
• For each question, estimate a credible min/max
  range for which you are 90 confident that the
  true value lies in your range, i.e.
• 910 chance of being in range, 110 chance of
  being outside
• Need to judge extremes carefully
• avoid zero to infinity answers!
• set as close together as possible within 90
  confidence limit
• Clarifying questions are allowed
• Use all available data

41
Pre-implementation phase

• Not all risks need to be priced in a contingency
• Probably 80 can be managed, often by processes
  that are already in place
• Risk management is NOT there to price you out of
  every project
• It should give you the information to help you
  decide
• How much to include to pay for the risks you are
  expected to take
• How much to include in the base plan for
  management actions
• Whether you want to submit a proposal for the job
  at all!
• How else can you manage your risks, both threats
  and opportunities?

42
Handling responses

• Determine responses
• appropriate, achievable affordable
• Allocate Action Owners
• responsibility for taking action associated with
  risk responses under the control of the Risk
  Owner
• Allocate review dates

43
Basic Response Strategies

• Terminate (Avoid)
• Transfer
• Treat (Mitigate)
• Tolerate (Accept)
• Take (Exploit Opportunity)

44
Appropriate Response Checklist

• Do you think you are already managing risks?
• Consider controls already in place to manage the
  risks identified
• Can you improve on existing management
• Is it cost effective?
• When
• Immediate response ?
• Ongoing action ?
• Contingency / fallback plans ?
• How
• SMART action plans

45
Pre-implementation phase

• When compiling the proposal are you happy that
  you have
• got the right risk management approach
• included the right resources to implement risk
  management effectively
• the right risks against the right objectives
• included the right people in identifying the
  risks
• priced the right risks
• mitigated the risks and included the associated
  costs appropriately in the proposal
• All the work put in at this stage will
• Give you the information you need when questioned
  at review stage any commercial decisions can be
  made on as many facts as possible rather than
  just plucking a number from the air!
• Give you the confidence to defend figures or
  facts when questioned by the client
• Give you the confidence to walk away if you need
  to and sometimes you need to!
• You will now have increased confidence in your
  proposal

46
3.3 Implementation phase

• Okay, you have got the project!
• Do you have to start again?
• No?
• So why do most people!
• If you have taken the time to properly undertake
  risk management in the pre-construct phase, why
  should this not be taken through to the next
  stage
• The risk management process must be included in
  the handover of the project to the implementation
  team
• They must understand what their roles and
  responsibilities are, why the risks were raised,
  what plans were put in place to manage them and
  the money that they have for any priced residual
  risk

47
Setting yourself up successfully

• Do you have a risk drawdown policy when monies
  can be drawn against discrete risks or estimating
  uncertainty pots
• Recognise that as the project progresses and more
  information is known that monies may be released
  from general contingency to fund new risks
• Think about training how are you going to
  effect a change in culture if the team dont
  understand the process
• Include risk reviews at regular project meetings
  otherwise you will waste time and effort and
  lose support for the process
• Put risk management at the top of the agenda
  straight after health and safety
• Recognise that there may be three risk registers
  on a project the project one, the clients and
  yours. Sometimes that are risks owned by you or
  the client that are not for public discussion

48
Manage / review / report

• Why have we gone through the planning, defining
  objectives, identification, assessment and
  planning steps?
• So we have got a clear focus on
• What the risks are relevant to our objectives
• Which risks require the most attention
• What we are going to do about them
• We are now in a position to manage the risks in a
  professional and concise manner.
• Its called Risk MANAGEMENT for a reason!!

49
Managing risk effectively

• Risk Status active, ongoing, closed
• Risk Reviews regular report
• Risk Reports what do management need to know?
  What should keep them awake at night?
• Risk Management Audits constructive reviews,
  internal and external audits

50
Sustaining the risk process

• Feedback to stakeholders (Project team)
• Demonstrate benefits
• Refresh the process
• Use different techniques
• Re-launch
• Visible use of results
• Risk Register
• P/I Grid
• Risk Profiles
• Risk Management Community

51
3.4 Business operation phase

• Once project has been handed over to the client
  to operate and maintain does the risk management
  process end?
• No!
• The process that has been developed should be
  handed over effectively to the client or operator

52
Feedback

• Key vehicle for others to learn from successes
  and mistakes
• Continuous improvement for the business and
  projects
• Improved planning and estimating
• Improved Risk Management process, maintaining its
  success
• Gathered by -
• Questionnaire
• Interview
• Workshop
• External sources
• Can be gathered at any time throughout the whole
  project, but usually completed at the end
• Make sure it is gathered before everyone leaves
  for the next project!

53
4. Summary

• Risk management is cradle to grave
• It isnt there to price you out of every project
• Ensure you involve the right people
• Ensure you hand the process over properly at each
  stage
• Ensure you resource it properly
• It is there to help you make better decisions, so
  ensure you use it in the decision making process
• Dont forget to MANAGE the risks!