2. Agenda
1 2 3 4 5 6 7
1 Introduction
2 Risk – An EY context
3 What is risk management?
4 The risk management lifecycle
5 Good and bad risk management practice
6 Critical success factors for managing risk
7 Communicating risk to stakeholders
Page 2 2nd June 2009 Risk Management
3. Introduction
1 2 3 4 5 6 7
Jonathon Simon
â–ş Senior Manager in the Programme Advisory Services
team within the IT Advisory practice for Ernst & Young.
â–ş Project Management Institute (PMI) certified Project
management Professional (PMP).
â–ş Over 15 years industry experience in managing large
projects.
â–ş Prior to joining Ernst & Young, worked for a global IT service provider as a
Senior Project Manager fulfilling project and programme assignments for blue
chip clients in the private sector.
â–ş Current Chair of the UK PMI London Events Committee.
Page 3 2nd June 2009 Risk Management
4. Risk – an EY context
1 2 3 4 5 6 7
â–ş Ernst and Young is engaged globally in seeking to identify leading practices in the area
of risk management.
â–ş Our work with companies around the world suggests that there is a body of leading risk
management practice emerging, but many companies are still doing little in this area.
â–ş Our research has shown that, while strategic risks have become more important,
companies have been focusing on the easier-to-manage area of operational risk.
â–ş The implications for different sectors are blurred. Even within each sector, the risks for
each company may vary.
â–ş Most programs and projects encounter at least one of the following
â–ş Cost and schedule overruns
â–ş Schedule delays
â–ş Defects
â–ş Benefits not realised
â–ş Project cancellations
â–ş Loss of stakeholder confidence
â–ş No matter what program or project is undertaken, appropriate control and management
of risk is essential.
Page 4 2nd June 2009 Risk Management
5. Risk – an EY context
1 2 3 4 5 6 7
Keep us out of trouble Make our business better
Regulatory Enhanced Improved
non-compliance Schedule delays
capability visibility and
Goal transparency
Unanticipated
business impact Cost overruns
Enhanced
Increase accountability
business value
of initiatives
Loss of Post completion
stakeholder defects Increased
confidence confidence
Achieve
Project Unrealized sustainable Increased
cancellations benefits changes predictability
All too confusing and overdone… Must do it…
Except when we get in trouble but how do we do it better?
Page 5 2nd June 2009 Risk Management
6. What is risk management?
1 2 3 4 5 6 7
â–ş Many types of risk exist in an organisation
â–ş This presentation will focus on risks within projects
â–şA project risk is defined as the probability of an undesirable event occurring or a
desirable event failing to occur and the consequential impact of and on the project.
â–ş Project risk management is a structured process that allows individual risk events and
overall project risk to be understood and managed proactively, optimising project success
by minimising threats and maximising opportunities. Association for project management
Page 6 2nd June 2009 Risk Management
7. The risk management lifecycle
1 2 3 4 5 6 7
Monitor and Control
Monitor and Control Risk Planning
Risk Planning
Risks
Risks
Proximity
Respond to Risks
Respond to Risks Identify Risks
Identify Risks
The 3 dimensions
of risk
Impact Probability
Qualitative Risk
Qualitative Risk Quantitative Risk
Quantitative Risk
Analysis
Analysis Analysis
Analysis
Page 7 2nd June 2009 Risk Management
8. Good and bad risk management practice
1 2 3 4 5 6 7
Good Practice Bad Practice
1. Clear risk responsibilities 1. No clear responsibilities
2. Clarity of risk ownership 2. Lack of risk ownership
including senior sponsors
3. No process for managing risks
3. Shared understanding of how
4. No guidelines for managing
risks will be managed
and escalating risks
4. Effective methods of assessing
5. No process for monitoring and
and escalating risks
updating risks
5. Risks are monitored and good
6. Risks are not reviewed and
quality information is captured
action is not taken to address
6. Risks are reviewed as an risks
integral part of performance
management
Page 8 2nd June 2009 Risk Management
9. Integrated Risk Management
1 2 3 4 5 6 7
Corporate, Programme and Project Risks
Direction, Strategy
Focus on a strategic enterprise level governance
Knowing where to go of the delivery of an organisation’s complete
portfolio of transformational programmes and
projects to support the organisation’s strategic
Corporate goals
Outcome, Benefit
Inf
rs
2. Focus on the delivery of a strategic change to
ive
orm
Doing the right Programme the organisational state comprising a linked set of
Dr
projects and / or activities that are coordinated
things
s
Management and managed as a unit such that they achieve
outcomes and realise benefits
Eg, delivery of games and legacy
Output, Product
Focus on the delivery of a unique set of
Doing things 3. Project coordinated activities, with clearly articulated
start and end points, which is undertaken by an
right Management individual or team to meet specific objectives
within defined time, cost and performance
parameters as specified in the business case
Eg, Construction of a new building
There must be alignment and escalation from one level to another
Page 9 2nd June 2009 Risk Management
10. EY Case Study – Government Health Project
1 2 3 4 5 6 7
Situation…
â–ş A government department running a programme supporting a significant government health initiative
â–ş Risk management was performed at an operational and strategic level
â–ş No defined process for risk escalation
â–ş Lack of risk ownership at the executive board level
Consequence
â–ş Risks were not addressed on a timely basis
â–ş Lack of visibility of risks at a senior level
â–ş Potential for the project to fail to deliver its scope of work within time and budget
Actions taken…
â–ş Implemented a robust risk escalation process
â–ş Developed a risk dashboard that communicated a high level summary of risks to executive board members
â–ş Conducted analysis and developed mitigating actions to reduce risks to an acceptable level
â–ş Embedded risks review within the project management processes
â–ş Implemented a communications process for mitigating actions, timelines and ownership
Result
â–ş Clear roles and responsibilities for risk management
â–ş Project wide understanding of the process for managing risks
â–ş Visibility of risks at a senior level and actioning of risks within acceptable timeframe
Page 10 2nd June 2009 Risk Management
11. Critical success factors for managing risk
1 2 3 4 5 6 7
â–ş Be proactive - to be successful the organisation should be committed to addressing
risk management proactively and consistently throughout the project.
â–ş Conduct a regular risk assessment - that defines key risks and weights the impact
on business drivers.
â–ş Conduct scenario planning - for major risks identify and develop a number of
operational responses.
► Evaluate your project’s ability to manage risks - ensure that the risk management
process is linked to the actual risks that the business faces.
â–ş Undertake effective monitoring and control processes - to give both early warning
and improved ability to respond.
â–ş Keep an open mind - about where the risks can come from.
Page 11 2nd June 2009 Risk Management
12. Communicating risk to stakeholders
1 2 3 4 5 6 7
1 - Cannot operate without (no ability to trade)
2 - Workarounds available (limited ability to trade)
3 - Does not impact on ability to operate / trade
KEY
Criticality 3
Position on grid: priority and criticality of project
Priority - Proximity of time requirement for completion
Criticality - Ability of business to function without capability Focus management attention, project resource and reporting on:
• Projects which are time critical and impact ability to trade (top right
hand corner)
Size of circle: degree of risk associated to project
2 • Projects impacting on overall programme (large circles)
H
• Projects which are not on track (red circles)
L M Aim to push projects away from proximity to axis
L – Risk impact within project
M – Risk impact within IS
H – Risk impact to programme
1
Color of circle: current project status
R – Project late against plan (delay to critical path) 1 - Completion required for first wave of movement
A – Project at risk of slipping 2 - Workarounds available (inhibits movement)
3 - Completion not mandatory for movement
G – Project on track against plan
1 2 3 Priority
Page 12 2nd June 2009 Risk Management