Risk Management
By Amit Agarwal
OVERVIEW
1. WHAT IS RISK
2. WHAT IS RISK MANAGEMENT
3. INTEGRATED RISK MANAGEMENT
4. PRINCIPLES & CHARACTERISTICS
5. LIFE CYCLE
6. PROCESS CHART
7. CHALLENGES & BARRIERS
8. KEY CONTRIBUTION FACTORS
9. SUMMARY
What Is Risk?
Risk is a condition in which there is a possibility of an adverse deviation from a desired outcome that is expected. (Vaughn)
the threat that any event or action will adversely affect an organization's ability to achieve its business objectives and execute its strategies. (Kloman)
What Is Risk?
RISK = potential loss from inability to achieve a project's objectives caused by people, process, system, or external factors.
Risks can result from any combination of factors: people, process, systems, technology, science, or external events.
Risk is
...a measure of future uncertainties in achieving project performance goals and objectives within defined cost, schedule, and performance constraints.
...an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective.
Applicability
Risk Management is applicable to all industries and complex efforts:
- Financial, Market, Investment, Credit
- Health
- Environmental
- Business
- Compliance
- Safety
- Project (Types of Project)
- Security (Cyber, Physical)
- Mission Assurance
GOAL: IDENTIFY / ASSESS THREAT, TAKE ACTION, MINIMIZE / PREVENT LOSS
Risk Management is
...the process of defining and analyzing risk, and then deciding on the appropriate course of action in order to minimize risk, whilst still achieving business goals.
...the optimal allocation of resources to arrive at cost-effective investment in defensive measures within an organization. It minimizes both cost and risk.
...a variety of activities undertaken by an organization to control and minimize threats to the continuing efficiency, profitability, and success of its operations.
...the process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to mitigate appropriate individual risks until the overall level of risk is reduced to an acceptable level.
Risk Management is
- The systematic application of management policies, standards, procedures, and practices to the tasks of identifying, assessing, prioritizing, responding to, and monitoring risk
- A structured, iterative process with defined scope and objectives
- Proactive and anticipatory
- Objective is to decrease the probability and/or impact of negative events OR increase the probability and/or impact of positive events
Integrate, per Webster's Dictionary: to form, coordinate, or blend into a functioning or unified whole.
Integrated risk management is a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It is about making strategic decisions that contribute to the achievement of an organization's overall corporate objectives.
Integrated risk management process includes all disciplines required to support the life cycle of their system (e.g., systems safety, logistics, engineering, producibility, in-service support, contracts, test, earned value management, finance).
Post-Loss Objectives
- Survival
- Continuity of Operations
- Earnings Stability
- Continued Growth
- Social Responsibility
Pre-Loss Objectives
- Economic Efficiency
- Reduction in Anxiety
- Meeting Externally Imposed Obligations
- Social Responsibility
Principles
Risk Management Should
- create value
- be an integral part of organizational processes
- be a part of decision making
- explicitly address uncertainty
- be systematic & structured
- be based on best available information
- be tailored / customized
- take into account human factors
- be transparent & inclusive
- be dynamic, iterative & responsive to change
- be capable of continual improvement & enhancement
Characteristics
- A clear and consistent Risk Management champion
- Requirements supported by leadership and stakeholders
- A close partnership with users and stakeholders
- Mature risk management processes
- Established thresholds and criteria for proactively implementing defined risk mitigation plans
- Resourced risk mitigation plans
- Periodic risk assessments
- Integrated data environments that maximize participation
Approaches
Successful Approach
- A documented and mature risk management process
- Quantitative assessments of risk impacts estimated against cost and schedule baselines
- Defined risk filtration criteria
- Risk reduction at the lowest level of the organization
- A defined set of risk consequence definitions for performance, schedule, and cost
- Structured approach for communicating risk across multiple programs/organizational levels
- Risk Management Planning: Deciding how to approach & plan the risk management activities for the project
- Risk Identification: Determining which risks are likely to affect a project & documenting their characteristics
- Qualitative Risk Analysis: Characterizing & analyzing risks & prioritizing their effects on project objectives
- Quantitative Risk Analysis: Measuring the probability & consequences of risks
- Risk Response Planning: Taking steps to enhance opportunities & reduce threats to meeting project objectives
- Risk Monitoring & Control: Monitoring known risks, identifying new risks, reducing risks & evaluating the effectiveness of risk reduction
Managing Risk
1. Identify Risks
2. Assess & Measure Risks
3. Respond to Risks
4. Design & Test Controls
5. Monitor, Assure & Escalate
Foundational Elements
Risk Areas
Risk Identification
Hundreds of insignificant risks can easily distract from a few critical ones.
Identified Risks
- Inter-Agency / Department Actions
- Changing Design Requirements
- Cost estimating techniques
- Legal / Regulatory / Ethics
- Investigations and Audits
- Contractor stability / quality
- Natural Disasters
- Roles of govt and contractor defined
- Seasonality/Cyclicality
- Budget and Funding Issues
- Financial Management
- Hazardous materials handling
- Technology
- Terrorism and Emerging Diseases
- Capability Advancement
- Insurance Coverage
- Labor Disputes / Actions
- Personnel and HR Issues
- Grants Management
- Scientific Integrity and Agency Reputation
- Third Party Strategy / Execution / Integration
- Environmental liabilities / concerns
- Value for cost (value to taxpayers)
- Stakeholder Demand / Preference Changes
- Political Issues
Rank Identified Risks (ranks 1 to 8 shown in the figure)
Identify the Top (relevant) Risks
Risk Identification
Techniques
- Document Reviews
- Brainstorming
- Delphi Technique / Interviewing
- SWOT Analysis
- Checklists
- Assumption Analysis
- Flow Charting
External Risks
Internal Risks
Qualitative:
- Probability Impact Matrix
- Ordinal & cardinal Ranking
- SWOT Analysis
- Force Field Analysis
Quantitative:
- Sensitivity Analysis
- Expected Monetary Value
- Decision Tree Analysis
- Simulation
- Program Evaluation & Review Technique (PERT)
Risk Response
Choose the corrective actions, execute, and evaluate effectiveness. Identify corrective actions
Corrective Actions
- Policies and Procedures
- Management Review & Approvals
- Scenario Planning
- Contingency Planning
- Training and rehearsals
- Physical and Cyber Security
- Equipment Performance & Design
- Documentation
- Communications plans
- Performance Indicators
- System Controls / Monitoring
- Physical Controls / Monitoring
- Inspections / Audit
- Other
Corrective actions result in mitigated risk, but come with a cost.
Sample risk: Technology advances and innovation require design changes.
1. Evaluate potential benefits of new technology.
2. Involve key stakeholders that are knowledgeable about technology innovation.
3. Refine communications approach and execution to address on-going findings.
4. Update long-term roadmap for incorporation of key
- Conduct workshops, seek input
- Identify stakeholder liaison responsible for maintaining buy-in
- Appoint communications coordinator to maintain channels
- Conduct routine roadmap updates to maintain buy-in
[Figure: Corrective Actions #1 and #2,3 on a Planned vs. Actual timeline (Q1 09 to Q3 10); risk map of numbered risks by Residual Risk, rated Very Low to Very High]
Corrective Action Status
- Risk reduced to an acceptable level
- Risk reduction occurring, not complete
- Further action required
Inherent (Gross) Risk (without mitigation/controls)
- Very High: > 5 days disruption of core operational activities; long term impact to reputation; may result in government investigation
- High: 3 to 5 days disruption of core operational activities; concern that could result in an action; may result in official inquiry
- Medium: Between 1 and 2 days disruption of core operational activities; unfavorable media coverage
- Low: Between 2 and 8 hours disruption of core operational activities; brief unfavorable media coverage
- Very Low: Less than 2 hours of disruption of core operational activities; no media coverage, unlikely to have an impact on the NIH appropriation
Response
- Avoidance
- Transference or Deflection
- Mitigation
- Acceptance
- Contingency Reserves
- Fallback Plan
Traditional Approach
Integrated Risk Management extracts actionable information from traditionally stove-piped data streams
- Risk Exposure?
- Impact Relationships?
- Goals Too Risky?
- Which Design?
- More Reserves?
- Major Drivers?
- Adequately Mitigated?
Integrated Approach
[Figure labels: Risk Analysis, Cost Analysis, Schedule Analysis, Program Manager, Decision]
[Figure: process chart. Recoverable labels: Risk Exposure is Low; Step 3a: Risk Watch List; Step 3b: Contingency Plan; Risk Handling Plan; Revised Handling Replanning; RIOM Board Consensus; Step 6: Closeout; Step 7: Document Lessons Learned; Key: Planned, Re-planning]
Challenges
Top 3 challenges in applying risk management
- Improving risk communication
- Political obstacles to risk-based resource allocation
- Lack of strategic thinking
Lack of comprehensive risk management strategies that are well integrated with program, budget, and investment decisions
There have been attempts at acquisition reform to address the following areas:
A. Decisions regarding which programs to keep
B. Developing approaches to better analyze and prioritize needs
C. Better management of development cycles
D. Establish knowledge-based cost and schedule estimates
E. Detailed systems engineering planning
Barriers to Integration
Barriers
- Lack of a clear and consistent Risk Management champion
- Unclear or non-existent Decision rights
- Silos of analyses and reporting of different risk types
- Maturity: technology, governance, process and people
- Communication: internal and external to the program/organization
- Culture (How does the organization operate?)
- Perception of a risk manager and roles/responsibilities
- Every PM wants to do it their way
- Organizational barriers regarding focal point of risk management
Decision Making
Defining decision rights is an important aspect of a comprehensive risk management program.
What are Decision Rights?
The underlying mechanics of how and by whom decisions are truly made in an organization
Clear Decision Rights Result in
- Clear decision-making authority results in effective and efficient decision-making
- Places decision rights with those with the knowledge and information to make the best decision
- Reduces the risk of poor decisions
- Reduces inefficient second-guessing
Unclear Decision Rights Cause
- Unclear decision-making authority results in senior management involvement in too many issues, while lack of empowerment at the front line can result in poor customer service and reduced employee satisfaction
Decision Making
Tools & Techniques
- Cost-benefit analysis
- Evaluation of frequency/severity
- After-tax net present value analysis
- Risk Map
- Total Cost of Risk
- Ethical considerations
- Legal Requirements
- Commercial Requirements
- Do not risk more than you can afford
- Do not risk a lot for a little
Programs with mature risk management processes have the following components
1. Structured process for risk identification
2. Comprehensive risk baseline and categories
3. Risk root cause analysis methodology
4. Quantitative risk likelihood and risk consequence definitions
5. An established risk management board or similar risk decision-making body with robust participation
6. A strong, defined risk management lead or champion for the program
Risk Management Maturity Scale
- Calibrates the maturity of individual program risk processes
- Guides enhancements needed to standardize approaches
High: Integrated Enterprise Risk Management
- Comprehensive risk agenda that exists throughout the entire organization
- Risk management focus is cross-risk / cross-functional and aligned with strategic imperatives
- Linked to strategic and operational decision-making
- Embedded in corporate culture
- Risks are assessed and integrated across technical and agency performance elements, cost, and schedule
- Integrated tool set
Low: Coordinated Risk Management
STILL NEED TO ADDRESS:
- Common taxonomy
- Alignment of risk categories
- Integrated toolset
- Clarity in criteria and thresholds for assessments
- Ownership
- Decision Making
[Figure axes: MATURITY LEVEL, TIME/EFFORT]
Program Level
- Is the project on track to meet or exceed its threshold requirements?
- How do current risk levels impact the ability to meet critical schedule milestones?
- Which design solution provides the optimal balance between capital and operating costs?
Project Level
- What are the technical performance risks associated with delivering a given requirement or capability?
- How will assembly, integration, and test schedules be impacted by a given risk event?
- What are the cost impacts of delays in subcontractor deliveries?
Subproject Level
Risks ultimately should be filtered to the lowest level possible for ownership and mitigation
COMMUNICATION
- Creates understanding of information
- Defines linkages
- Establish working group or other forum
- Gather feedback prior to go-live
- Promotes buy-in
- Sustains participation
- Higher impact programs
- Better control of the overall portfolio
- Stronger focus on long-term rather than short-term
- Time to focus on areas currently neglected
Middle Management
- More predictable cost estimates
- Less chaotic days, that are more productive
- More visibility in project activities
- Fewer and simpler reporting requests
- Better client relationships
- More predictable quality of life
- Mechanism to raise issues and have resolved
- More follow-on work
- Seek and maintain senior leadership sponsorship
- Establish common language for risk management
- Integrate risk management across programs
- Focus on changing the culture, not on executing the tactics
- Assign ownership of risks as appropriate (govt, contr.)
- Coordinate risk management across project
- Focus on the value to all of managing risk, not the burden
- Raise ALL risks identified on the ground
- Designate operational accountability for corrective actions
- Make risk management a priority
Summary
- Executive sponsorship does not use risk management as a blunt instrument
- Management team must be informed and committed
- Accurately size the risk management effort to the Project
- Do not bury the risk management functions in the bowels of the organization. Private sector companies have a CRO
- Cost Estimators, Schedulers, and Risk Management personnel collectively make up the risk management core team
- Communication within Risk Management Core Team
Tata Power
Thank You
Risk Mitigated