Project and Program Risk Management
Reasons to Manage Risks
ISO31000 for Risk Management
Risk Management in Project Lifecycle
Tools to manage Project Risks
2. Increased Risk
Introduction
The rising importance of risk management
More complex markets
Global markets
Greater product Complexity
New businesses
Increasing competition
New players
Regulatory imbalances
Global trends are leading to …
3. What is Risk
A Risk is characterised by the combination of the probability that a
program or project will experience an undesired event and the
consequences, impact, or severity of the undesired event, were it to occur.
Risk was previously defined as:
The probability of a danger or hazard occurring
But is now defined as (ISO 31000, 2009):
Effect of uncertainty on objectives.
Uncertainties include events (which may or may not happen) and
uncertainties caused by a lack of information or ambiguity.
They could impose both negative and positive impacts on objectives.
So, they could be a threat or an opportunity.
5. The Unknown Unknowns
by Donald Rumsfeld
As we know, there are known knowns,
there are things we know we know.
We also know there are known unknowns,
that is to say we know there are some things we do not know.
But there are also unknown unknowns,
the ones we don't know we don't know.
(Feb. 12, 2002, US Department of Defence news briefing)
6. Risk and Risk Management
Undertaking a project that promises any sort of reward
almost always entails risk.
Risk management is a process of anticipating threats
and/or opportunities and minimising their impact. It is also a
comprehensive system that includes:
Creating an appropriate risk management environment
Maintaining an efficient risk measurement, mitigating and monitoring process
Establishing an adequate internal control arrangement
Core of the strategic management of the company
7. Risk Management Principles
ISO identifies the following principles of risk management:
Risk management should:
create value - resources expended to mitigate risk should generally
exceed the consequence of inaction, or (as in value engineering), the
gain should exceed the pain
be an integral part of organizational processes
be part of decision making
explicitly address uncertainty and assumptions
be systematic and structured
be based on the best available information
be tailorable
take into account human factors
be transparent and inclusive
be dynamic, iterative and responsive to change
be capable of continual improvement and enhancement
be continually or periodically re-assessed
8. Risk Management Approaches
Proactive Risk Management:
This approach is the recommended way to manage project
uncertainty and risk through three main elements: Policies,
Methodologies, and Infrastructure. It is also known as strategic
risk management, which significantly adds value to project
success.
Reactive Risk Management:
This risk management approach is better known as crisis
management or putting out fires. This type of risk management
almost always negatively affects the project’s schedule, cost, and
quality. In addition, process improvement opportunities are
ignored – fire fighting
9. Risk in Project, Program and Portfolio Management
Projects, programs and portfolios are inherently risky because they are unique,
constrained, based on assumptions, performed by people
and subject to external influences. Risk includes both
opportunities and threats.
Risk is defined at two levels for projects, Programs and
portfolios.
At the detailed level, an individual risk is defined as ‘an uncertain
event or set of circumstances that, should it occur, will have an
effect on achievement of one or more objectives’.
At the higher level of the project, Program or portfolio, overall risk
is defined as ‘exposure of stakeholders to the consequences of
variation in outcome’ arising from an accumulation of individual
risks together with other sources of uncertainty.
12. Risk Management in Australian Taxation Office
Established in the 1910s at Commonwealth level to:
collect revenue
administer the goods and services tax (GST)
govern a range of programs to benefit the community
administer Australia’s superannuation system
manage the Australian Business Register
More than 25000 employees across Australia
More than 415,800 ($M) tax revenue in 2014 (26 % of GDP)
A PMO with more than 50 people supports more than 500 projects and
programs per year to maintain and develop their taxation systems
A portfolio called: Reinventing the ATO
13. Risk Management in Australian Taxation Office
A program called ATO Project Management has been defined to
develop the Project and Program Management System, in order to:
Develop an organisation-wide Project and Program Management Methodology using MSP, PRINCE and PMBOK
Deploy and customise an Enterprise Project Management System (MS SharePoint and Project Server 2013)
Develop a Project Risk Management Methodology
Develop an integrated Project Financial Management system
Develop organisation-wide Business Intelligence
Retire the previous systems and applications in order to develop an integrated project management system
KPMG, Accenture and SMS Technology were chosen
14. Risks and Issues in Project
Risk – an event that may occur and cause negative/positive impact
Issue – an event that has occurred and is causing impact
What do we do about Risks and Issues?
“Calling them out early” – proactively identify and assess risks/issues
“Acting upon them” – determine and implement planned actions
“Keeping them under control” – monitor and report progress
How are Risks and Issues reported?
Risks and Issues are reported at various levels, so that they are visible and
addressed:
Within a Team
Across the Project, or
Across the Phase or Program
15. Project Risk Management
Risk management at project level is most often focused on
individual risks that, should they occur, will affect the project’s
objectives. It is, however, also important for the project manager
to understand the overall risk exposure of the project, so that
this can be reported to the project sponsor and other
stakeholders.
Risk management must be closely aligned to schedule
management. Cost, time and resource estimates should always
take risks into account.
The project manager is accountable for ensuring that risk
management takes place. Depending on the size and complexity
of the project, a specialist risk manager may be appointed to
oversee and facilitate the risk management process.
16. Program Risk Management
The Program will establish a common framework and standards for risk
management across the Program. This will enable comparison of risk,
reduce the time taken to initiate management processes at project level,
and help identify interdependencies between risks across the Program.
The common framework will be set out in the Program risk management
plan.
Program risk management is made up of two distinct areas of focus:
project risk escalation and aggregation;
wider business risk and risks to benefit achievement.
Program risk management addresses any individual risks at project level
that, if realised, will have a wider impact. Project risks that cannot be
effectively managed within projects In addition, related or common risks
within individual projects may combine or aggregate to have an effect at
Program level, in which case they also need to be escalated.
17. Portfolio Risk Management
Risks at portfolio level are often of such scale that they may have
significant impact on the ability of the organisation to operate. Portfolio
risk management will focus on two areas:
risks escalated from projects or Programs and from areas of day-to-day business;
risks that impact upon the objectives of the portfolio and the host organisation.
Project and Program risks that cannot be effectively managed at their
originating level may be escalated to the portfolio for responses
unavailable at project or Program level.
The consideration of risk efficiency is of particular importance to portfolio
risk management. The principles of risk efficiency have been established
in financial portfolios for many years. They are equally relevant to
portfolios of projects and Programs.
24. Risk Response Strategies
Strategies for Threats (risks)
Avoid: Don’t do the project or the part of the project
Transfer: Making another party responsible for the risk
Mitigate: Reducing the probability or impact, making it smaller
Strategies for opportunities
Exploit: Doing everything to make sure the event happens
Share: Sharing the risk
Enhance: Increasing the probability of the occurrence of risks
Strategies for both
Accept: Do nothing – if it happens, it happens!
A contingency plan is a must as a response
Managing residual risk (secondary risk)
25. Contingency Plan and Business Continuity Management
“… is an alternative plan that will be used if a possible foreseen
risk event becomes a reality” (C. Gray & E. Larson)
In project management, a contingency plan is a part of the project
management plan and it describes every action that you will take if
the risk is about to happen or has happened.
Fallback plan is implemented when the contingency plan fails or is
not fully effective. In other words, you can say that the fallback
plan is generally made for residual risks
26. Risk Monitoring
Should be done periodically
(e.g., when certain milestones are reached, at the end
of project phases, at steering committee meetings, etc.)
Useful to regularly assess and update project risk
exposure
Senior management should be involved in
monitoring and should be aware of exposures
Listen to the project group
27. Project or Program Risks/Issues Process
[Flowchart] Elements:
Roles: Risk/Issue Reporter; Risk/Issue Assignee; Phase or Stream
Steps:
Identify and raise Risk/Issue via JIRA
Assess Risk/Issue
Amend/revise as appropriate
Inform Phase/Stream Coordinator of a potential Program Risk/Issue in Project Server
Discuss & establish Agreed Action as mitigation/resolution with Assignee
Undertake Agreed Action and update Progress Notes
Status & progress of Risk/Issue tracked at weekly Program Risks & Issues Meeting
Status & progress of Risk/Issue discussed and tracked as part of Escalation Items to Sponsors
Resolve Risk/Close Risk/Issue in Project Server
Decision points (Yes/No):
Complete & appropriate?
Program Level Risk/Issue
Risk/Issue resolved?
Requires escalation?
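30. Project Life Cycle and RM Steps
[Table: stages of the project life cycle (PLC) against risk management steps]
Stages of PLC: Conceive, Design, Plan, Allocate, Execute, Deliver, Review, Support
RM steps: Define, Project focus, Identify, Structure, Ownership, Estimate, Evaluate, Plan, Manage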
33. Sample RMP Matrix
Risk Item | Description of Risk | Impact (technical, schedule, cost, quality) | Severity (high, medium, low) | Contingency plan | Ranking
Testing | Critical function needed by new system may be overlooked if not tested properly | Technical | High | Formal testing plan: test plan, test cases, testing schedule, method to log test results | 5
Termination, if applicable | Project termination needs to be done early so as not to lose money and time | Cost/Quality | Low | Enough research should have been done to terminate the project before it got too far | 1
37. Summary
A successful project manager is a successful risk manager
Prepare the organization through improving Risk Culture
Manage Training and Development in Risk
Build up a Learning Organization
Develop the Risk Management System with the following capabilities:
Centralized Risk Register that eliminates disconnected spreadsheets
Built-in Accountability Management that clearly assigns mitigation actions and timeframes, increasing an organization’s risk-bearing capacity
Executive Dashboards with key performance indicators that deliver visibility to high priority risks that could impact project cost, schedule or technical performance
Automated Alerts Engine that notifies project managers early to avoid surprises
Workflow management that guides each risk through its lifecycle, ensuring that nothing falls through the cracks