Effective Management of Project Risk

1
Effective Management of Project Risk

• Risk Management in the Public Sector
• CIPFA London Division Meeting
• 29 November 2005

Tony Hargraves Director of Risk
Quality Programmes and Systems Delivery Department
for Work and Pensions
slide 1 of 18
2
Agenda

• Introduction
• Projects Risks?
• How do you know?
• What do you do about them?
• So what?

slide 2 of 18
3
The project

• - How would we recognise a project?

• A project is a temporary endeavour organised and
  undertaken to create a unique product or service
• Examples
• Developing a new product or service
• Effecting a change in structure, staffing or
  style of an organisation
• Developing a new transportation vehicle
• Developing or acquiring a new or modified
  information system
• Constructing a building or facility
• Running a campaign for political office
• Implementing a new business procedure or process

T5 2005
Giotto 1985
Source PMI 1996
slide 3 of 18
4
What is a project?
The 6 phases of a project

• A journey into the unknown, fraught with risk.
• A non-routine commercial or industrial
  operation.
• The deployment of scarce resources over a
  complex framework of tasks to achieve a goal.
• Little chunks of change - some change is chunky
  and some change is soft and squidgy
• The journey and the destination
• Unique goal-oriented action required to realise
  an idea, a proposal or a step in a development.

1. Enthusiasm 2. Disillusionment 3. Panic 4.
Search for the guilty 5. Punishment of the
innocent 6. Praise honours for the
non-participants
slide 4 of 18
5
The Project Phases - as defined by Kepner Tregoe
DEFINITION
scope
objectives
WBS
Resources
PLANNING
Assign responsibility
Sequence Deliverables
Protect the Plan
Schedule Deliverables
Schedule Resources
IMPLEMENTATION
Start to Implement
Monitor Project
Closeout Evaluate
Modify Project
slide 5 of 18
6
Why do some projects succeed?

• Good fortune law of averages
• Because some of them have to succeed
• Great stakeholder management
• Excellent project management
• An experienced, competent project manager
• Strong, capable, motivated and well-managed
  project team
• Crisp project design
• Supportive, demanding, understanding and engaged
  customers
• Appropriate budget and nearly enough time
• Clear and shared vision and understanding of what
  is required and why
• (Eventually) a clear definition of what the
  project will do and how it will do it
• Adequate governance
• A mature attitude to change
• Excellent risk management

slide 6 of 18
7
Why do some projects fail?
X

• Good fortune law of averages
• Because some of them dont have to..
• Great stakeholder management
• Excellent project management
• An inexperienced, incompetent project manager
• Strong, capable, motivated and well-managed
  project team
• Crisp project design
• Supportive, demanding, understanding and engaged
  customers
• Inappropriate budget and enough time
• Clear and shared vision and understanding of what
  is required and why
• (Eventually) a clear definition of what the
  project will do and how it will do it
• Inadequate governance
• An immature attitude to change
• Excellent risk management

X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
slide 7 of 18
8
What is P R O J E C T R I S K?
An event that may or may not happen but if it
does, it causes unpleasant outcomes for our
project.
Project risks are threats to the success of the
project!
slide 8 of 18
9
Typical effects of unmanaged risks on projects

• They cost more than we thought they would!
• They take longer than we thought they would!
• They dont deliver what we expected them to
  deliver!
• They dont produce the effects we desired!
• Reputation is weakened
• Our customers arent delighted!

slide 9 of 18
10
Project failures?
Any otherscloser to home? What caused them to
fail?
slide 10 of 18
11
Common causes of project deferred success
Suppliers Customers Finance dept

• Optimism
• Realism
• Willing to please
• Resources (,People, Time)
• Ignorance
• Attitude
• Capability
• Governance
• Visibility
• Buy-in

slide 11 of 18
12
How to avoid the common causes of project failure!

• Dont do the project
• unless or until you are convinced you know how it
  will succeed and you are prepared to invest what
  is necessary (time, energy money)
• Invest more up front to ensure understanding and
  to assure design
• Deploy project management professionals,
  challenge and listen to them
• Ask the difficult questions
• show me
• how
• why
• what if..
• Do not tolerate mediocrity
• Operate a simple dashboard, be continually
  vigilant, watch the signs
• Dont be afraid to say S T O P
• Dont be afraid to say NO to that absolutely
  critical change request
• Operate PRAM

slide 12 of 18
13
Project Risk Analysis Management

• Plan and check the plan and recheck the plan
• Look for the threats to success
• Beware the GOD jobs!
• Size, analyse understand the threats
• Select the threats that really worry you
• Work out what you could do about them
• Work out what you can afford to do about them
• Decide what you will do about them
• Timing
• Budget
• Indicators
• Do what you said you will do
• Keep watching out!

slide 13 of 18
14
How do you Identify RISKS?
slide 14 of 18
15
Some risk analysis techniques

• Catastrophe theory
• Checklists
• Decision trees
• Sensitivity analysis
• Fuzzy-set theory
• Game theory
• Risk quantification
• Influence diagrams

• Three Point Estimating
• Monte Carlo simulation
• Multiple-criteria decision-making models
• Project Evaluation Review techniques
• Controlled Interval Memory Modelling
• Utility theory
• Assumptive
• Predictive analytics
• Ishikawa

slide 15 of 18
16
How do you quantify Risk?
Identify the value of what is at risk, and/or
identify
IMPACT COST OF RISK EVENT r PROBABILITY OF
RISK EVENT p RISK VALUE r x p
RISK EXPOSURE ( (r1 x p1) (r2 x p2)
.......(rn x pn) )

• 98 of people surveyed have an above average
  sense of humour!

slide 16 of 18
17
Ways of dealing with RISK?
Mitigate its effect
Avoid it
Eliminate it
Treat, transfer, terminate, take the risk!
slide 17 of 18
18
Summary - Effective management of project risk
Thank you for your time. Any questions?
slide 18 of 18
19
Supporting Information

• What is a project
• A typical project control system
• Minimise the downside of risk
• Ishikawa (fishbone/cause effect)
• Sensitivity analysis
• Example dash boardBeware of statistics
• Severity determination
• Recommended reading
• APMs Guide to Project Risk Management
• APMs Body of Knowledge
• PMIs Body of Knowledge

slide 19 of 27
20
What is a project

• "A TEMPORARY ENDEAVOUR IN WHICH HUMAN, MATERIAL
  AND FINANCIAL RESOURCES ARE ORGANISED IN A NOVEL
  STRUCTURED WAY, TO UNDERTAKE A UNIQUE SCOPE OF
  WORK, OF GIVEN SPECIFICATION, WITHIN CONSTRAINTS
  OF COST AND TIME, SO AS TO ACHIEVE BENEFICIAL
  CHANGE DEFINED BY QUANTITATIVE AND QUALITATIVE
  OBJECTIVES."

Adapted from a definition by J Rodney Turner
slide 20 of 27
21
A 'Typical' Project Control System
reports to management
Project Risk Analysis and
Management
Business Management
change requests
status reports
plans
delivered products
developed products
Change Control Configuration Management
Project and Quality Management
Technical Development
plans
Quality Assurance plans
rejected products
approved products
Standards and Procedures
Monitor Development Status Quality
products for QA
status progress reports
slide 21 of 27
22
Minimise the downside risk

• Why bother? - A risk is an event that will affect
  the value of your business. By managing risk, you
  minimise loss, maximise opportunities, reduce the
  time wasted on dealing with adverse events and
  provide a more reliable platform for planning.
• Identify, prioritise - The main problem is not
  being aware of a risk you face. Once you know
  about it, you can do something about it. Assess
  what risks you face in the following areas
  strategic, operational, financial and
  environmental then rank them in importance. In
  risk-mapping, the probability of the risk is
  plotted on one axis and its potential impact on
  the other the top right hand corner shows the
  risks that should have the highest priority .
• It aint just the money - People tend to think of
  the impact of risk purely in financial terms, but
  you should also consider r risk to reputation.
  Think of what happened to Arthur Anderson, all
  because it lost credibility.
• Take it or leave it - for each risk identified,
  you mist decide on a course of action. You can
  accept it, transfer it, reduce it or avoid it
  altogether. Insurance, financial derivatives and
  outsourcing are all ways of transferring risk
  you can reduce or avoid risk by downgrading your
  exposure or pulling out of a particular market.
  Nb. Ensure the cost of the action is not higher
  than the cost of the risk itself.
• Look in the mirror - What is your appetite for
  risk as a company, bearing in mind that the
  greater the risk the greater the reward? Are you
  in a high risk sector, that should inform your
  strategy. Compare yourself to other companies in
  your sector. Decisions about which risks are to
  self-insured must be made at board level. The
  risk strategy has to come from the top.
• If you accept risk - consider how you would
  finance a loss, You could maintain a contingency
  fund to cover losses. Establish that there is a
  comfort zone in the business, or a way to raise
  the money to tide you over. Build in controls -
  e.g. credit limits, security procedures - to
  counter retained risks, and budget for the cost
  of compliance with employment law and other
  regulations.
• Get an outside view - Risk management cannot be
  outsourced, but there is always a danger of not
  seeing the wood for the trees. At the very least,
  use somebody independent like a non-exec or a
  mentor to bounce your conclusions off.
• Keep up to date - Risk management isnt something
  you can do once and put away in a drawer. It
  needs to be updated and communicated to all those
  who need to know.
• Remember the upside - risk is about loss, but
  remember why you are managing the risk - what is
  the reward you are protecting?
• Do say - We have carried out an in-depth risk
  analysis, insured against the biggest potential
  losses and introduced a system of controls to
  minimise the impact of other adverse events.
• Dont say - Que sera, sera.

slide 22 of 27
23
Ishikawa
PEOPLE
PARTNERS
PROCESS
Company ABC
LATE DETECTION OF BUGS
REORGAN -ISATIONS
Company XYZ
PRODUCTIVITY LOSS
OSS
UNCONTROLLED CHANGE
INADEQUATE PROJECT MGT
LOSS OF KEY PERSONNEL
Zenith
POORPROJECT MGT
LATE SOLUTION DELIVERY
new technology
not mastered by partners
no fall-back
Expectation levels?
Contract Negotiation
Second Opinion?
none in this area
UNREALISTIC DEADLINE
Estimating
Other Drivers
Delivery Teams Estimates
Insufficient Systems Architects Designers
ESTIMATING
CLIENT
slide 23 of 27
24
Sensitivity Analysis
slide 24 of 27
25
Example risk dashboard

• Supporting material

slide 25 of 27
26
Statistics

• Your projects next delivery depends on 4 tasks
• Each task has an 85 chance of being on time.
• What is the likelihood of you delivering on time?
• 0.85 x 0.85 x 0.85 x 0.85
• 
  52

slide 26 of 27
27
Severity Determination
Extent of Impact
4
It will not happen
Concern
3
Low Risk
2
Medium Risk
High Risk
1
Unacceptable Risk
It will happen
0
70
60
50
40
30
20
90
80
100
10
Likelihood of Occurrence ()
slide 27 of 27