This document summarizes a presentation on risk management in five steps. It discusses that risk management is essential for projects to plan for uncertainties and ensure favorable outcomes. The five steps presented are: 1) hoping is not a strategy, plans need estimates of variability; 2) single point estimates are guesses without knowing variability; 3) integrating cost, schedule and performance is key; 4) a risk management model is needed, not an ad hoc process; 5) communicating risks is important. The presentation also discusses categorizing outcomes, types of uncertainties projects may encounter, and how risk tolerance should decrease over time.
1. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
Risk management is essential for any significant project. and is useful for any project where an
unfavorable outcome is undesirable. Certain information about key project cost, performance, and
unfavorable outcome is undesirable Certain information about key project cost performance and
schedule attributes are often unknown until the project is underway. The emerging risks that can
be identified early in the project that impact the project later, are often termed “known
unknowns.” These risks can be mitigated with a good risk management process. For risks that are
beyond the vision of the project team a properly implemented risk management process can also
rapidly quantify the risks impact and provide sound plans for mitigating its affect.
Risk management is concerned with the outcome of future events, whose exact outcome is
unknown, and with how to deal with these uncertainties. Outcomes are categorized as favorable or
unfavorable, and risk management is the art and science of planning, assessing, handling, and
monitoring future events to ensure favorable outcomes. A good risk management process is
proactive and fundamentally different than issue management or problem solving, which is
reactive.
This presentation describes the fundamental of Risk Management in 5 easy steps – using Jack
Nicholson’s “Five Easy Pieces” 1970’s movie as a backdrop. The Five Pieces are:
1. Hope is not a strategy
2. All point estimates are wrong
3. Without integrating Cost, Schedule and Technical Performance you’re driving in the rearview
mirror
4. Without a model for risk management, you’re driving in the dark with the headlights turn off
5. Risk Communication is everything
Risk management is an important skill that can be applied to a wide variety of projects. In an era
of downsizing, consolidation, shrinking budgets, increasing technological sophistication, and shorter
development times, risk management provides valuable insights to help key project personnel plan
for risks, alert them of potential risk issues, analyze these issues, and develop, implement, and
monitor plans to address risks long before they surface as issues and adversely affect project cost,
performance, and schedule.
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 1
2. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
1. Hoping that something positive will result is not a very good strategy. Preparing for success is the
basis of success.
2. Single point estimates are no better than 50/50 guesses in the absence of knowledge of the
standard deviation of the underlying distribution
3. Without connecting cost, schedule, and technical performance of the effort to produce the
product or service the connection to value cannot be made.
4. Risk management is not an ad hoc processes that you can make up as you go. A formal
foundation for risk management is needed.
foundation for risk management is needed
5. Identifying risks without communication them is a waste of time.
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 2
3. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
Project Managers constantly seek ways to eliminate or control risk, variance and uncertainly.
This is a hopeless pursuit.
Managing “in the presence” of risk, variance and uncertainty is the key to success. Some projects
have few uncertainties –only the complexity of tasks and relationships is important – but most
projects are characterized by several types of uncertainty. Although each uncertainty type is
distinct, a single project may encounter some combination of four types:
1. Variation – comes from many small influences and yields a range of values on a particular
activity. Attempting to control these variances outside their natural boundaries is a waste
activity. Attempting to control these variances outside their natural boundaries is a waste
(Muda)
2. Foreseen Uncertainty – are uncertainties identifiable and understood influences that the team
cannot be sure will occur. There needs to be a mitigation plan for these foreseen uncertainties.
3. Unforeseen Uncertainty – is uncertainty that can’t be identified during project planning. When
these occur, a new plan is needed.
4. Chaos – appears in the presence of “unknown unknowns”
“Managing Project Uncertainty: From Variation to Chaos,” Arnoud De Meyer, Christoph H. Loch
and Michael T. Pich, MIT Sloan Management Review, Winter 2000.
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 3
4. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
Larger variances can be tolerated in early periods. But tolerances for risk must decrease as the
program matures.
At all times, avoiding unseen risk is mandatory.
Any unknown risk must be discovered before it becomes and issue.
The management of variance must first recognize four types of risk, their associated variances and
the impact of these risks and variances:
1. Normal Variation – in activity durations, costs, and technical and business performance level
delivered by the project.
2. Foreseen Risks – are indentified, but have uncertain influences on the project
3. Unforeseen Risks – are not formally identified in the planning stage, are not anticipated and a
mitigation plan has not been identified.
4. Chaos – is fundamental uncertainty about the basic structure of the project plan itself.
The key concept here is that as the project proceeds the risk must be reduced. But also the
tolerance for risk must be reduced as well. This means that the variance and the tolerance must be
reduced in tandem. They must track each other to the end of the project.
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 4
5. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
Project duration and costs are random variables drawn from some underlying probability
distribution.
The use of point estimates for durations and costs is many times the first impulse in an
organization low on the project management maturity scale. Understanding cost and durations are
actually “random variables,” drawn from an underlying distribution of possible value is the starting
point for managing in the presence of uncertainty.
In probability theory, every random variable is attributed to a probability distribution. The
probability distribution associated with a cost or duration describes the variance of these random
probability distribution associated with a cost or duration describes the variance of these random
variables. A common distribution of probabilistic estimates for cost and schedule random variables
is the Triangle Distribution.
The Triangle Distribution is used as a subjective description of a population for which there is
only limited sample data, and especially where the relationship between variables is known but
data is scarce. It is based on the knowledge of the minimum and maximum and a “best guess” of
the modal value (the Most Likely).
Using the Triangle Distribution for the costs and durations, a Monte Carlo simulation of the
Ui h T i l Di ib i f h dd i M C l i l i f h
network of activities and their costs can be performed. Monte Carlo methods are used to
numerically transform and integrate the posterior quantitative risk assessment into a confidence
interval. The result is a “confidence” model for the cost and completion times for the project based
on the upper and lower bounds of each distribution assigned to each duration and cost.
This approach to estimating provides insight into the behavior of the plan as well as sensitivity
between the individual elements of the plan.
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 5
6. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
Estimating is a very vague art in the absence of a formal process. One place to start is with the
statistical definition of an “estimate.”
But even that definition has three (3) different possibilities.
The Mode is the most likely value. The value that occurs most often when statistical samples are
drawn from the underlying population.
The Median is the “middle” value between the highest and lowest value from the total of all
samples drawn from the underlying statistical population.
The Mean is the “average” of all the samples drawn from the population.
The most important concept is to understand that the “sum” of all the “estimates” is never one of
these three estimates.
The details of this are beyond the scope of this presentation but it has to do with “summing”
probability distributions is not actually a summation process – it is a convolution process. This
means that the probability distribution – represented by an integral equation – is convolved with
the other integral equations.
the other integral equations
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 6
7. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
The actual duration or cost are random variables, drawn from a probability distribution.
The Mean, Mode, Median are statistical terms that characterize probability distributions – not point
values.
When we naively speak about a duration or cost in the absence of a variance, the result is suspect.
Ignoring for the moment the Mean, Mode, and Median issues, this missing variance creates odd
outcomes.
The median temperature in Cody Wyoming is very close to the median temperature in Trinidad
Tobago . Both are around 78°. In Trinidad the variance is significantly less than in Cody.
Tobago Both are around 78° In Trinidad the variance is significantly less than in Cody
Cody has a temperature range between 10°F and 100°F. The Median is 60°F. Fudge this up to 78°
In Trinidad Tobago, the maximum temperature runs around 89°F with minimums running around
68°F. Means of 77°F in the winter and 85°F in the summer.
Answering the variance question is as important or possibly more important than answering the
Median question.
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 7
8. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
In the project planning business, the use of deterministic and probabilistic analysis are both useful.
The deterministic description is great for “power point” type displays of the scheduled activities and
management briefings. This type of information shows a “static” description of the schedule, cost,
or technical performance.
The probabilistic description is useful as the basis for risk analysis. This type of information shows
the range of possible values each variable can take one. The analysis derived from these variables
shows to impact on the project. This itself is a variance – a variance of impact.
The difference between Probability and Statistics is important to the notion of “randomness” of
The difference between Probability and Statistics is important to the notion of “randomness” of
durations and cost.
We need to know things about the underlying statistical behavior of the durations and costs before
we can ask question about the probabilistic confidence in the planned completion date and planned
completion costs.
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 8
9. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
In many descriptions of project management – cost, schedule, and quality are considered as the
“Iron Triangle.” Change one and the other two must change as well. It turns our this is too narrow a
view of what's happening on a project.
It’s the Technical Performance Measurement that replaces Quality. Quality is one of the Technical
Performance measures.
Cost and Schedule are obvious elements of the project. Technical Performance Measures describe
the status of technical achievement of the project at any point in time.
The Planned technical achievement is part of the Performance Measurement Baseline (PMB) in the
The Planned technical achievement is part of the Performance Measurement Baseline (PMB) in the
same way the Planned Value (BCWS) is part of the PMB.
The Technical Performance Measurement System (TPMS) uses the techniques of risk analysis and
probability to give program managers the early warning needed to avoid unplanned costs and
slippage in schedule. Systems engineering uses technical performance measurements to balance
cost, schedule, and performance throughout the life cycle.
Technical performance measurements compare actual versus planned technical development and
design. They also report the degree to which system requirements are met in terms of
performance, cost, schedule, and progress in implementing risk handling. Performance metrics are
traceable to user‐defined capabilities.
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 9
10. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
Measures of Effectiveness, Measures Performance, and Measures of Quality are typical Technical
Performance Measures.
The Cost and Schedule “measures” are straightforward in most cases.
The measures of Technical Performance involve Effectiveness, Performance, Technical Performance
Measures of Effectiveness (MOE) define the operational mission success factor as defined by the
customer. These are:
1. Stated from the customer point of view;
2. Focused on the most critical mission performance needs;
3. Independent of any particular solution;
4. Actual measures at the end of development.
Measures of Performance (MOP) characterize physical or functional attribute relating to the system
operation:
1. Supplier’s point of view
Supplier s point of view
2. Measured under specified testing or operational conditions
3. Assesses delivered solution performance against critical system level specified requirements
4. Risk indicators that are monitored progressively.
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 10
11. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
Risk Management is a full time effort. Even if it is a part‐time job.
Someone needs to “own” the risks and the process around risk management.
Someone or a collection of “someone's” needs to have risk management in their mind(s) at
all times
Risk Management is not something you can do once and them forget. The risks don’t just
go away. They are forever there, even if they are mitigated, retired or bought down.
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 11
12. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
Risk Management means using a proven risk management process, adapting this to the project
environment, and using this process for everyday decision making.
Technical performance is a concept absent from the traditional approaches to risk management.
Yet it is the primary driver of risk in many technology intensive projects. Cost growth and schedule
slippage often occur when unrealistically high levels of performance are required and little
flexibility is provided to degrade performance during the course of the program. Quality is often a
cause rather than an impact to the program and can generally be broken down into Cost,
Performance, and Schedule components.
The framework shown here provides:
Risk management policy
Risk management structure
Risk Management Process Model
Organizational and behavioral considerations for implementing risk management
The performance dimension of consequence of occurrence
Th f di i f f
The performance dimension of Monte Carlo simulation modeling
A structured approach for developing a risk handling strategy
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 12
13. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
The traditional three variables the “iron triangle” are inappropriate in today’s integrated software,
hardware and operational world and there are two other “triangles.”
One includes Risk, Customer Satisfaction, and Quality
The other includes CMMI, Six Sigma, and Lean.
The three collections of three attributes form a “system” to assess risk, address these risks and
manage the project in the presence of this risk.
Putting these 3 sets of 3 together results in a view of
Product risk – the risk that the product will not performance as specified or perform to the needs
of the customer
Programmatic risk – the risk that the project will be over budget or behind schedule in producing
the product
Process risk – the risk that the processes used to build the product or management the project
will fail in their desired outcomes.
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 13
14. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
It does no good to manage risks if the results are not communicated to all the participants.
Only the participants can define the needed mitigations
Risk communication is the basis of risk mitigation. It serves no purpose to have a risk plan and the
defined mitigations in the absence of a risk communication plan.
This plan needs to address the following:
Executive summary – a simple summary of the program and the risks associated with the
activities of the program. Each risk needs an ordinal rank, a planned mitigation is the risk is active
(a risk approved by the Risk Board), and the mitigations shown in the schedule with associated
costs.
Program description – a detailed description of the program and the risk associated with each of
the deliverables. This description should be “operational” in nature, with the consequences
description in “operational” terms as well.
Risk reduction activities by phase – using some formal risk management process that connects
risk, mitigation and the IMS. The efforts for mitigation need to be in the schedule.
risk mitigation and the IMS The efforts for mitigation need to be in the schedule
Risk management methodology – using the DoD Risk Management process is a good start. This
approach has proven and approved by high risk, high reward programs. The steps in the
processes are not optional and should be executed for ALL risk processes.
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 14
15. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
This list comes from guidance in the defense program management business. While some
of the statement may not be appropriate for the commercial world, every statement has
some applicability to every project – not matter what the domain. Whether formal or
informal the programmatic risk assessment of a project needs to ask or answer these
statements.
The actions needed to close any gaps from these statements are outside the scope of this
presentation.
But the next step is to have the project management team start to answer these questions.
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 15
16. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
Many speak about risk management as part of the project management process.
But do they do risk management as part of the project management process?
Test yourself and anyone who claims to be doing risk management
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 16
17. Colorado Springs PMI
Risk Management in Five Easy Pieces
Colorado Springs, Colorado May 8th , 2008
The first set of questions should be:
How do we earn back the investment in risk management?
How can be measure the benefits of risk management?
Who gets to say what the value of risk management is?
These is monetized questions are risk. So the answers have to be monetized as well.
attaching money to risk is the starting point. attaching money to the mitigation activities is
the next. The risks and their mitigations need to be represented in the schedule and cost
the next The risks and their mitigations need to be represented in the schedule and cost
baseline. Otherwise risk management is not Project Management.
Glen B. Alleman
Lewis & Fowler, 8310 South Valley Highway, Englewood CO80112
www.lewisandfowler.com 17