
Self Assignment

Risk Management
By Amit Agarwal

OVERVIEW
1. WHAT IS RISK
2. WHAT IS RISK MANAGEMENT
3. INTEGRATED RISK MANAGEMENT
4. PRINCIPLES & CHARACTERISTICS
5. LIFE CYCLE
6. PROCESS CHART
7. CHALLENGES & BARRIERS
8. KEY CONTRIBUTION FACTORS
9. SUMMARY

What Is Risk?

Risk is a condition in which there is a possibility of an adverse deviation from a desired outcome that is expected. (Vaughn)

The threat that any event or action will adversely affect an organization's ability to achieve its business objectives and execute its strategies. (Kloman)

What Is Risk?

RISK = potential loss from inability to achieve a project's objectives caused by people, process, system, or external factors.
Risks can result from any combination of factors: people, process, systems, technology, science, or external events.

Risk is
...a measure of future uncertainties in achieving project performance goals and objectives within defined cost, schedule, and performance constraints.

...an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective.

Likelihood of an event occurring. The consequence if such event occurs.

Applicability
Risk Management is applicable to all industries and complex efforts:
- Financial, Market, Investment, Credit
- Health
- Environmental
- Business
- Compliance
- Safety
- Project (Types of Project)
- Security (Cyber, Physical)
- Mission Assurance

GOAL: IDENTIFY / ASSESS THREAT; MINIMIZE / PREVENT LOSS
TAKE ACTION

Supports: Decision Analysis, Resource Allocation

Risk Management is
- the process of defining and analyzing risk, and then deciding on the appropriate course of action in order to minimize risk, whilst still achieving business goals
- the optimal allocation of resources to arrive at cost-effective investment in defensive measures within an organization. It minimizes both cost and risk
- a variety of activities undertaken by an organization to control and minimize threats to the continuing efficiency, profitability, and success of its operations
- the process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to mitigate appropriate individual risks until the overall level of risk is reduced to an acceptable level

Risk Management is

- The systematic application of management policies, standards, procedures, and practices to the tasks of identifying, assessing, prioritizing, responding to, and monitoring risk
- A structured, iterative process with defined scope and objectives
- Proactive and anticipatory
- Objective is to decrease the probability and/or impact of negative events OR increase the probability and/or impact of positive events

Risk Management needs to be integrated into an organization's decision-making process

Integrated Risk Management

Integrate, per Webster's Dictionary: "to form, coordinate, or blend into a functioning or unified whole"

Integrated risk management is a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It is about making strategic decisions that contribute to the achievement of an organization's overall corporate objectives.

The integrated risk management process includes all disciplines required to support the life cycle of their system (e.g., systems safety, logistics, engineering, producibility, in-service support, contracts, test, earned value management, finance).

Providing insights into three key areas


Project Performance
- Combines previously disparate project analysis and execution into an actionable framework for the project manager
- Requires dialog and collaboration between engineering, scheduling and management groups
- Creates a total risk profile for projects to fully assess potential delays to delivery and increases in cost

Project Investment
- Provides a framework to develop detailed plans for risk mitigation and identify associated costs
- Tracks progress of investment against specific mitigation activities
- Assists decision makers in prioritizing investment against high impact risks and effects

Providing insights into three key areas


Oversight
- Responds to government policy guidance and industry best practices in risk management
- Provides auditable trail of risks, cost changes and schedule progress for industry and government clients
- Creates transparency in developing project budget and reserve requirements when used prior to project start date

Risk Management Objectives

Post-Loss Objectives
- Survival
- Continuity of Operations
- Earnings Stability
- Continued Growth
- Social Responsibility

Pre-Loss Objectives
- Economic Efficiency
- Reduction in Anxiety
- Meeting Externally Imposed Obligations
- Social Responsibility

Principles
Risk Management Should

- create value
- be an integral part of organizational processes
- be a part of decision making
- explicitly address uncertainty
- be systematic & structured
- be based on best available information
- be tailored / customized
- take into account human factors
- be transparent & inclusive
- be dynamic, iterative & responsive to change
- be capable of continual improvement & enhancement

Characteristics

- A clear and consistent Risk Management champion
- Requirements supported by leadership and stakeholders
- A close partnership with users and stakeholders
- Mature risk management processes
- Established thresholds and criteria for proactively implementing defined risk mitigation plans
- Resourced risk mitigation plans
- Periodic risk assessments
- Integrated data environments that maximize participation

Approaches
Successful Approach

- A documented and mature risk management process
- Quantitative assessments of risk impacts estimated against cost and schedule baselines
- Defined risk filtration criteria
- Risk reduction at the lowest level of the organization
- A defined set of risk consequence definitions for performance, schedule, and cost
- Structured approach for communicating risk across multiple programs/organizational levels

Stages in Risk Management Life Cycle


Stage: Activity

- Risk Management Planning: Deciding how to approach & plan the risk management activities for the project
- Risk Identification: Determining which risks are likely to affect a project & documenting their characteristics
- Qualitative Risk Analysis: Characterizing & analyzing risks & prioritizing their effects on project objectives
- Quantitative Risk Analysis: Measuring the probability & consequences of risks
- Risk Response Planning: Taking steps to enhance opportunities & reduce threats to meeting project objectives
- Risk Monitoring & Control: Monitoring known risks, identifying new risks, reducing risks & evaluating the effectiveness of risk reduction

Risk Management Lifecycle


The risk lifecycle applies across all parts of a program or project.
Execution Components
Department Operations Programs IT Investments Procurement Legislature Strategic Planning Risk Management Human Capital Governance People Technology Process Strategic Compliance Operational Financial Hazard

Managing Risk
1. Identify Risks
2. Assess & Measure Risks
3. Respond to Risks
4. Design & Test Controls
5. Monitor, Assure & Escalate

Foundational Elements

Risk Areas

Risk Identification
Hundreds of insignificant risks can easily distract from a few critical ones.

Identified Risks:
- Inter-Agency / Department Actions
- Changing Design Requirements
- Cost estimating techniques
- Legal / Regulatory / Ethics
- Investigations and Audits
- Contractor stability / quality
- Natural Disasters
- Roles of govt and contractor defined
- Seasonality/Cyclicality
- Budget and Funding Issues
- Financial Management
- Hazardous materials handling
- Technology
- Terrorism and Emerging Diseases
- Capability Advancement
- Insurance Coverage
- Labor Disputes / Actions
- Personnel and HR Issues
- Grants Management
- Scientific Integrity and Agency Reputation
- Third Party Strategy / Execution / Integration
- Environmental liabilities / concerns
- Value for cost (value to taxpayers)
- Stakeholder Demand / Preference Changes
- Political Issues

Identify the Top (relevant) Risks and rank them (ranks 1 to 8 shown).

Risk Identification
Techniques

- Document Reviews
- Brain Storming
- Delphi Technique / Interviewing
- SWOT Analysis
- Checklists
- Assumption Analysis
- Flow Charting

Qualitative & Quantitative Risk Analysis


Evaluate each risk and its impact on cost, scope, and schedule.
Objective: Complete entire Project by 2010 within budget

External Risks
- Natural Environ.: major weather event
- Political: dominant party change
- Social: constituent priority shift
- Technological: technology innovation
- Inter-Dept/Agency: reorganization

Internal Risks
- Infrastructure
- Personnel
- Process
- Technology

Qualitative & Quantitative Risk Analysis


Techniques

Qualitative:
- Probability Impact Matrix
- Ordinal & Cardinal Ranking
- SWOT Analysis
- Force Field Analysis

Quantitative:
- Sensitivity Analysis
- Expected Monetary Value
- Decision Tree Analysis
- Simulation
- Program Evaluation & Review Technique (PERT)

Risk Response
Choose the corrective actions, execute, and evaluate effectiveness.
Identify corrective actions
Corrective Actions: Policies and Procedures Management Review & Approvals Scenario Planning Contingency Planning Training and rehearsals Physical and Cyber Security Equipment Performance & Design Documentation Communications plans Performance Indicators System Controls / Monitoring Physical Controls / Monitoring Inspections / Audit Other

Inter-Agency

Monitor effectiveness of actions


Technology

Risk N

Contd
Corrective actions result in mitigated risk, but come with a cost.
Sample risk: Technology advances and innovation require design changes.
1. Evaluate potential benefits of new technology.
   RKS; Quarterly; Conduct workshops, seek input
2. Involve key stakeholders that are knowledgeable about technology innovation.
   AKH; On-going; Identify stakeholder liaison responsible for maintaining buy-in
3. Refine communications approach and execution to address on-going findings.
   VM; Monthly; Appoint communications coordinator to maintain channels
4. Update long-term roadmap for incorporation of key
   RNS; Biannually; Conduct routine roadmap updates to maintain buy-in

[Figure: risk level (Very High, High, Medium, Low, Very Low) by quarter, Q1 09 to Q3 10, planned vs. actual, showing corrective actions #1 to #4 (Perform Cost/Benefit Analysis), residual risk, and incremental mitigated risk.]

Monitoring & Control


Complete set of risks must be considered to understand the risk profile.
[Figure: risk map plotting numbered risks by Inherent (Gross) Risk against Current Residual (Net) Risk, each axis running from Very Low to Very High. Corrective action status legend: risk reduced to an acceptable level; risk reduction occurring, not complete; further action required. Example risks: 1) Technology Innovation, 2) Departmental Reorganization.]

Residual (Net) Risk
- No viable mitigation plan in place, the risk event would likely overwhelm the agency
- Heroic efforts would be needed to manage the event
- Fairly well-prepared base mitigation plans are in place; organization has talent/resources to manage through the event
- Mitigation responses, contingency plans and programmed responses have been or are being established
- Mitigation responses, contingency plans and programmed responses are established, rehearsed on a periodic basis and revised as conditions change

Inherent (Gross) Risk (without mitigation/controls)
- Very High: > 5 days disruption of core operational activities; long term impact to reputation; may result in government investigation
- High: 3 to 5 days disruption of core operational activities; concern that could result in an action; may result in official inquiry
- Medium: Between 1 and 2 days disruption of core operational activities; unfavorable media coverage
- Low: Between 2 and 8 hours disruption of core operational activities; brief unfavorable media coverage
- Very Low: Less than 2 hours of disruption of core operational activities; no media coverage, unlikely to have an impact on the NIH appropriation

Risk Response, Monitoring & Control


Techniques

Response
- Avoidance
- Transference or Deflect
- Mitigation
- Acceptance
- Contingency Reserves
- Fallback Plan

Monitoring & Control


- Workarounds
- Change Requests
- Feedback into Risk Management Plan

Traditional Approach
Integrated Risk Management extracts actionable information from traditionally stove-piped data streams

Risk Exposure? Impact Relationships? Goals Too Risky? Which Design? More Reserves? Major Drivers? Adequately Mitigated?

Enables critical decision making

Integrated Approach

Risk Analysis

Program Manager

Cost Analysis

Schedule Analysis

Decision

Risk Management Process


Step 1: Identify and Document
- Identify Potential Risks
- Enter in Risk Register
- Assumption Testing
- Data About the Risk
- Understand the Risk

Step 2: Analyze and Assess
- Quantify Risk Cost, Schedule, Performance
- Event Analysis
- Relational analysis with existing risks and open issues
- Cost / Schedule Impacts
- Probability of Occurrence (RP)
- Impact of Occurrence (RI)

Step 3: Select Handling Plan
- Risk Management IPT
- Establish Risk Triggers
- Handling Strategy
- Contingency Plan
- Assign Resources

Step 4: Handle and Monitor
- Escalate?
- Implement Handling Strategy
- Update IMS
- Modification / Change Order
- Monitor Actions
- Reassess

[Flowchart labels: Risk Exposure is High or Moderate; Risk Exposure is Low; Step 3a: Risk Watch List; Step 3b: Contingency Plan; Risk Handling Replanning; Revised Handling Plan; RIOM Board Reassessment; Step 5: Handling Risk Has Been Handled; Step 6: Closeout (RIOM Board Consensus); Step 7: Document Lessons Learned; Database Program and Risk Management Tools. Key: Planned, Re-planning.]

Challenges
Top 3 challenges in applying risk management
- Improving risk communication
- Political obstacles to risk-based resource allocation
- Lack of strategic thinking

Lack of comprehensive risk management strategies that are well integrated with program, budget, and investment decisions

There have been attempts at acquisition reform to address the following areas:
A. Decisions regarding which programs to keep
B. Developing approaches to better analyze and prioritize needs
C. Better management of development cycles
D. Establish knowledge-based cost and schedule estimates
E. Detailed systems engineering planning

Barriers to Integration
Barriers
- Lack of a clear and consistent Risk Management champion
- Unclear or non-existent decision rights
- Silos of analyses and reporting of different risk types
- Maturity: technology, governance, process and people
- Communication: internal and external to the program/organization
- Culture (How does the organization operate?)
- Perception of a risk manager and roles/responsibilities
- Every PM wants to do it their way
- Organizational barriers regarding focal point of risk management

Decision Making
Defining decision rights is an important aspect of a comprehensive risk management program
What are Decision Rights?

The underlying mechanics of how and by whom decisions are truly made in an organization

Clear Decision Rights Result in
- Clear decision-making authority results in effective and efficient decision-making
- Places decision rights with those with the knowledge and information to make the best decision
- Reduces the risk of poor decisions
- Reduces inefficient second-guessing

Unclear Decision Rights Causes
- Unclear decision-making authority results in senior management involvement in too many issues, while lack of empowerment at the front line can result in poor customer service and reduced employee satisfaction

Decision Making
Tools & Techniques

- Cost-benefit analysis
- Evaluation of frequency/severity
- After-tax net present value analysis
- Risk Map
- Total Cost of Risk
- Ethical considerations
- Legal Requirements
- Commercial Requirements
- Do not risk more than you can afford
- Do not risk a lot for a little

Programs with mature risk management processes have the following components
1. Structured process for risk identification
2. Comprehensive risk baseline and categories
3. Risk root cause analysis methodology
4. Quantitative risk likelihood and risk consequence definitions
5. An established risk management board or similar risk decision-making body with robust participation
6. A strong, defined risk management lead or champion for the program

Risk Management Maturity Scale
- Calibrates the maturity of individual program risk processes
- Guides enhancements needed to standardize approaches

Risk Management Maturity Scale

High: Integrated Enterprise Risk Management
- Comprehensive risk agenda that exists throughout the entire organization
- Risk management focus is cross-risk / cross-functional and aligned with strategic imperatives
- Linked to strategic and operational decision-making
- Embedded in corporate culture
- Risks are assessed and integrated across technical and agency performance elements, cost, and schedule
- Integrated tool set

Low: Coordinated Risk Management
STILL NEED TO ADDRESS:
- Common taxonomy
- Alignment of risk categories
- Integrated toolset
- Clarity in criteria and thresholds for assessments
- Ownership
- Decision Making

MATURITY LEVEL

TIME/EFFORT

Different Organizational Levels Face Different Types of Risks


RISKS

Enterprise Level
- How does a risk to one program affect the delivery of other related programs?
- Which external stakeholders have the ability to influence the success of one or more programs?
- How can a successful risk mitigation strategy for one program be leveraged by other programs?

Program Level
- Is the project on track to meet or exceed its threshold requirements?
- How do current risk levels impact the ability to meet critical schedule milestones?
- Which design solution provides the optimal balance between capital and operating costs?

Project Level
- What are the technical performance risks associated with delivering a given requirement or capability?
- How will assembly, integration, and test schedules be impacted by a given risk event?
- What are the cost impacts of delays in subcontractor deliveries?

Subproject Level

Risks ultimately should be filtered to the lowest level possible for ownership and mitigation

Risk Management can inform decision rights within an organization


Questions
- What are the most vulnerable areas of the business/organization/acquisition/program/project/capability and what are the key risks that these areas face?
- Is there a systematic and comprehensive approach for identifying and assessing these risks and is it communicated?
- Is there a consistent and well defined approach to risk prioritization?
- Does the process add value to decision analysis or is it merely a reporting mechanism?
- Are decision rights aligned appropriately with risk tolerance?

Level of risk assessed can determine required level of decision-making within the organization

Key Contributors to Success


Risk Management promotes a clear value proposition
- Demonstrate how resources will be saved or more efficiently applied
- Demonstrate how information will be more widely shared

Integrate Cost, Schedule and Risk personnel

- Creates understanding of information
- Defines linkages
- Establish working group or other forum
- Gather feedback prior to go-live
- Promotes buy-in

Program input actively sought for framework development.

A clear and consistent risk sponsor.

Sustains participation

COMMUNICATION

What's in it for me???


Leaders, managers, and staff alike benefit from risk management.

Top Program Management Managers

- Higher impact programs
- Better control of the overall portfolio
- Stronger focus on long-term rather than short-term
- Time to focus on areas currently neglected

Middle Management

- More predictable cost estimates
- Less chaotic days that are more productive
- More visibility in project activities
- Fewer and simpler reporting requests

Front Line Contractor Engineer Project Managers

- Better client relationships
- More predictable quality of life
- Mechanism to raise issues and have them resolved
- More follow-on work

Critical success factors


Top Program Management Managers
Everyone has a role to play in making risk management part of the culture.

- Seek and maintain senior leadership sponsorship
- Establish common language for risk management
- Integrate risk management across programs
- Focus on changing the culture, not on executing the tactics

Middle Management Front Line Contractor Engineer Project Managers

- Assign ownership of risks as appropriate (govt, contr.)
- Coordinate risk management across project
- Focus on the value to all of managing risk, not the burden

- Raise ALL risks identified on the ground
- Designate operational accountability for corrective actions
- Make risk management a priority

Summary
- Executive sponsorship does not use risk management as a blunt instrument
- Management team must be informed and committed
- Accurately size the risk management effort to the Project
- Do not bury the risk management functions in the bowels of the organization. Private sector companies have a CRO
- Cost Estimators, Schedulers, and Risk Management personnel collectively make up the risk management core team
- Communication within Risk Management Core Team

Tata Power

Thank You

Risk Mitigated
By Amit Agarwal
