360 degree RISK management model
a new model to rate, mitigate and exploit opportunities
“The whole point of undertaking a project is to achieve or establish something new, to venture, to take chances, to risk” (PMI, 1997). There are several risks in the software industry, due to technology, people, process, and environment. Current models of risk management in the software industry do not exploit the multiple dimensions of risk. More often than not, project managers and hence organizations view risks as threats and devise means to avoid them instead of planning responses effectively. Risks provide opportunities for innovation. In addition, by creatively mitigating and managing project risks there is immense potential to improve customer satisfaction and increase delivery efficiency. Software project managers and organizations that do so not only deliver projects successfully but also add value for the client—which is very essential for differentiating from the competition. This paper is focused on enabling project managers to (1) identify and mitigate the negative consequences of risk consciously, effectively and periodically; (2) exploit the opportunities provided by risk to embark on new missions and improve processes; and (3) use the learning from handling and dealing with risks to enhance the capability of managers. In the penultimate section the model is applied to the manufacturing industry to illustrate its use in controlling supplier risks while ensuring business continuity.
Software project risk in itself is not a new concept. It has been known for many decades, and is in fact as old as the software industry itself. However, recently fierce competition and increased business dynamics have increased the probability and frequency of exposure to risks in the software industry. With the increasing role of software in all facets of business, the impact of risks from software will not only threaten the Information Systems department but will have serious repercussions on the entire business. Software failure implies business failure. Hence we need to deal with risk head-on. Several risks are present in the software industry and are increasing every day due to threats in the form of technology, people, process, and environment:
- Technology – risks from embedded software, risks to mobile computing, risks to B2B and B2C portals (Forrester puts the average cost of site downtime at about $8,000 per hour), risks to equipment and software from viruses, spam, infrastructure and data vulnerability, proliferation of software piracy, risks from software running on legacy systems, and risk to human life from medical equipment and diagnosis running on software
- People – threats of information and data disclosure due to resource turnover or for monetary gains, violation of intellectual property agreements
- Process – risks from non-compliance, lack of disaster management, business continuity vulnerability
- Environment – lack of awareness of how to seek redress, laws to tackle cybercrimes, lack of firmness in implementing regulations
Though risk is a well-known concept, software project managers have neither been successful in identifying risks nor have they creatively exploited the opportunities that a risk presents. The question is whether we have understood “risk” completely. Have we looked at risk “holistically”? Probably not. Risk is a concept that denotes both a potential positive and a potential negative impact to an asset due to a present or future event. However, in the software industry it is commonly viewed as a threat or a negative event. In contrast, risks are viewed as asset enhancers in the fields of finance and game theory. In the world of business, stock markets, and gambling, a fundamental idea is the relationship between risk and return. The higher the level of risk an investor is prepared to accept, the higher the potential return over time may be (Wikipedia, 1996). Insurance is another classic example of an investment that reduces risk — the buyer pays a guaranteed amount and is protected from a potential large loss.
Risk in itself is not bad; risk is essential to progress, and failure is often a key part of learning. But we must learn to balance the possible negative consequences of risk against the potential benefits of its associated opportunity. (Van Scoy, 1992)
Exhibit 1 – Holistic View of Risk
The current model of managing risks at the individual project level is not holistic, as it is reactive, focused on solving risks in a project's context only, and not learning from the experiential knowledge of others in the organization. There is a tendency to be complacent in avoiding risks and taking a conservative approach by avoiding opportunities (see Exhibit 1). The pitfalls are depicted in Exhibit 2.
Exhibit 2 – Need for a “Holistic” Risk Management Model
Independent analysts comment that the cost of a fragmented approach to software risk can be 10 times that of an integrated risk management model, and that about 30% of IT investment in silo-based support for risk management and compliance is wasted (Industry Direct Research, 2006). In enterprise risk management there are already three broad frameworks (AON, 2006) for dealing with enterprise risk with respect to financial and legal compliance. In software project management, standard frameworks for dealing with risk likewise need to be defined and practiced.
360 Degree Risk Management Model - Overview
The model will build, own, and manage knowledge assets, operated by people in the organization, and meet all the needs of users for risk management services through a set of processes, methodologies, and tools. The approach to agile risk management is driven by the SEI definition that emphasizes the continuous aspect of risk management (Software Engineering Institute, Continuous Risk Management), carried out through a Plan-Do-Check-Act cycle (Deming's wheel or PDCA cycle) (Quality Tool Box, 1994). The 360 Degree Risk Management Index (elaborated on in the following section) is monitored at all stages of the PDCA cycle. A snapshot of the components of the model is provided in Exhibit 3.
Exhibit 3 – 360 Degree Risk Management Model
The chief constituents of the 360 Degree Risk Management Model are:
- Stakeholders – They are the influencers and receivers of the software system. The common set of stakeholders is department heads, heads of project delivery and execution, quality managers, portfolio managers and project managers of the performing organization. The stakeholders from the outsourcing organization are the business and IT managers.
- Governance Model – at the organizational level, an independent group of experts forms the Risk Management Council to govern the risks. This group forms a project management office (PMO) type of organization that provides the following services, with the objective of reducing the number of high-risk projects in an organization and reducing the negative impact of such projects. The level of support comprises the whole spectrum from risk identification, categorization, and prioritization, through risk response planning, to implementation, monitoring and tracking.
- Services – Some of the services provided by the
  - Portfolio support – analyze trends of risks at program or portfolio level and make recommendations
  - Project support – provide risk management guidance to project managers in business units
  - Training – conduct training programs for project managers
  - Maintain corporate risk repository – identification and house-keeping of the list of risks in a database
  - Innovation – sieve the risks to identify and exploit opportunities
- Process – The model will be supported and managed by a robust set of processes. They ensure the smooth functioning of the model and that the services are provided to the stakeholders. Current risk management systems deal with project risks in isolation. In the proposed model, the risks are dealt with much earlier, at the contract drafting stage. The risks are managed at the project, portfolio, and program levels. Senior management also participates in the process.
- Tools and techniques – For efficient execution of activities, and provision of services, the model will use a variety of tools and techniques. The tools are created by the people in the model for standardized usage. The tools aid in project planning, budget preparation, knowledge sharing, and tracking the health of portfolio performance.
The effectiveness and efficiency of 360 Degree Risk Management are measured by the index in Exhibit 4.
Exhibit 4 – 360 Degree Risk Management Index
Having seen the overall 360 Degree model, let us look at some of the mechanisms that it makes possible.
360 Degree Risk Management Model – Details
360 Degree Risk Management Process
Opportunity Level Process: The risk monitoring for an organization begins at the pre-sales stage. The response to proposals is vetted by the Risk Management Council to review the level of risk in the clauses of the contract. The key parameters are the Service Level Agreements (SLAs), the basis on which the SLAs are set, whether the SLAs are reasonable given the objectives of the project, and the in-scope and out-of-scope activities. Risk monitoring also helps in prioritizing projects and in program scheduling.
Portfolio or Program Level Process: The high-risk projects are tracked during the execution phase by the Risk Management Council by means of a status tracker on parameters relating to quality, cost, and time, and on the progress of risks. Depending on the project type, special indices are tracked to see if the quality of the software is in control. Some of these are product quality metrics for development and maintenance projects and a service satisfaction index for production support projects. The project health and risks are reported through dashboards to senior management. Dashboards of risk data could be role-based, with finer details made available at a drill-down level. This data is fed into the corporate risk database.
Reviews and audits: Senior management and members of the Risk Management Council periodically review all projects to check whether project risks are identified and managed efficiently, whether the project is using the knowledge from other projects and also contributing to the common repository, and the project's standing against the Capability Maturity Model.
Risk Reporting: Project managers give alerts every week about project status. Some of the points to watch for are deviations in schedule, effort, or defects. Earned value management also provides a good indicator of risks due to the triple constraints. The most crucial portion of the status alert would be to draw attention to the short, medium, and long-term risk, dependencies, impact, and steps taken towards addressing them.
Trend Analysis: The quality team helps the project manager with quantitative and qualitative measurement of each risk and its impact. These measurements, carried out through management reviews and audits, ensure that the project's risk mitigation strategy complies with the process that has been established. Project milestone reports provide an indication of the residual and secondary risks. Metrics that are tracked include stability of the system with respect to change requests, defect density, changes to critical paths due to risks, errors due to incorrect releases, and productivity.
360 Degree Risk Management Tools and Techniques
Corporate Risk Database: Statistics and data collated from each project are stored in an organizational risk database. Value-adding information, such as the choices or options that were available when the risk was imminent, the decisions taken to mitigate or attack the risk, and how successful they were, could be documented. This historical information should be made available to future projects to help them make the right decisions at the right time.
Pop-up tools that draw from the corporate lessons-learned database list the risks from similar projects while the project plan of a new project is being prepared.
Program Dashboard is a graphical indicator of the risks in all projects of a portfolio or operation, on parameters such as earned value (to track schedule, effort and budget variances), quality of software, coverage of projects under 360 Degree Risk Management, the percentage of projects in the high, medium, and low risk categories, process metric trends in delivered defects, productivity, customer feedback index, and financial analytics.
Money at risk calculator, which calculates the dollar value at stake due to occurrence of risks.
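As an added illustration, not code from the paper, the following Python sketch implements three of the tools just described together: the pop-up lookup of risks from similar projects, the money at risk calculator, and the high/medium/low split reported on the program dashboard, plus the weekly schedule, cost and defect alerts from the Risk Reporting section. The 1-5 rating scale, the score thresholds, the defect alert level and the sample portfolio are all constructed assumptions.

```python
import math
from dataclasses import dataclass, field

# Assumed cut-offs (not from the paper): likelihood bucket (1-5) x severity (1-5),
# and the delivered-defect count that raises a weekly alert.
HIGH_SCORE, MEDIUM_SCORE, DEFECT_ALERT = 15, 8, 5


@dataclass
class Risk:
    description: str
    likelihood: float      # probability of occurrence, 0.0 to 1.0
    impact_usd: float      # dollar loss if the risk materialises
    severity: int          # 1 (negligible) to 5 (critical)
    status: str = "open"   # open | mitigated | occurred

    def exposure(self) -> float:
        # Money at risk for one risk: probability-weighted dollar impact.
        return self.likelihood * self.impact_usd

    def rating(self) -> str:
        # Segregate by likelihood of occurrence (bucketed 1-5) times severity.
        score = max(1, min(5, math.ceil(self.likelihood * 5))) * self.severity
        if score >= HIGH_SCORE:
            return "high"
        return "medium" if score >= MEDIUM_SCORE else "low"


@dataclass
class Project:
    name: str
    planned_value: float   # PV, EV and AC as used in earned value management
    earned_value: float
    actual_cost: float
    delivered_defects: int
    risks: list = field(default_factory=list)

    def money_at_risk(self) -> float:
        # Dollar value at stake across the project's still-open risks.
        return sum(r.exposure() for r in self.risks if r.status == "open")

    def category(self) -> str:
        # A project takes the worst rating among its open risks.
        ratings = [r.rating() for r in self.risks if r.status == "open"] or ["low"]
        return max(ratings, key=("low", "medium", "high").index)

    def alerts(self) -> list:
        # Weekly status alert: deviations in schedule, cost and defects.
        checks = [("schedule slip", self.earned_value < self.planned_value),
                  ("cost overrun", self.earned_value < self.actual_cost),
                  ("defect spike", self.delivered_defects > DEFECT_ALERT)]
        return [name for name, hit in checks if hit]


def similar_risks(projects, keyword):
    # Pop-up lookup: risks from other projects whose description matches.
    return [(p.name, r.description) for p in projects for r in p.risks
            if keyword.lower() in r.description.lower()]


def program_dashboard(projects):
    # Portfolio view: share of projects per category, money at risk, alerts.
    counts = {"low": 0, "medium": 0, "high": 0}
    for p in projects:
        counts[p.category()] += 1
    return {"pct_by_category": {c: round(100 * n / len(projects), 1) for c, n in counts.items()},
            "money_at_risk": sum(p.money_at_risk() for p in projects),
            "alerts": {p.name: p.alerts() for p in projects if p.alerts()}}


# Constructed sample portfolio; every figure is illustrative, not from the paper.
PROJECTS = [
    Project("Alpha", 100_000, 90_000, 95_000, 7, [
        Risk("key developer attrition", 0.4, 50_000, 4),
        Risk("legacy system integration failure", 0.7, 80_000, 5)]),
    Project("Beta", 50_000, 52_000, 48_000, 3, [
        Risk("late test environment", 0.2, 10_000, 2)]),
    Project("Gamma", 200_000, 200_000, 210_000, 2, [
        Risk("legacy mainframe interface change", 0.5, 20_000, 3),
        Risk("vendor licence lapse", 0.5, 30_000, 3, status="mitigated")]),
]
```

Calling `program_dashboard(PROJECTS)` gives the category split, the total money at risk and the per-project alerts; `similar_risks(PROJECTS, "legacy")` lists the two legacy-related risks across projects.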
Exploit the Opportunities in Risk for Positive Impact
There is a very famous anecdote that reveals the silver lining in the clouds of risk. Two shoe salespeople were sent to Africa to open up new markets. Three days after arriving, one salesperson called the office and said: “I'm returning on the next flight. I can't sell shoes here. Everybody goes barefoot.” At the same time the other salesperson sent an email to the factory, saying: “The prospects are unlimited. Nobody wears shoes here!” Several companies that initially saw only the risks in outsourcing later not only identified an opportunity but also exploited it to set up bases all across the globe.
Some of the mechanisms that can be used to identify and exploit opportunities in risks are:
SWOT Analysis is a strategic business planning tool to evaluate strengths, weaknesses, opportunities, and threats in a project or business venture (MindTools.com, 1996). Opportunities and threats lie in changes due to external factors like political/legal, economic condition, expectations of stakeholders, technology, market expectations, competitors and competitive actions. Strengths and weaknesses lie in internal factors and resources: financial, intellectual, geographic presence, customer service, efficiency, competitive advantages, infrastructure, quality, employees, management, price, delivery time, cost, capacity, strong relationships with key industry customers, strong brand and reputation in the market.
TRIZ (Russian acronym for “Theory of Inventive Problem Solving”) (Kowalick, J, 2006) – a collage of concepts and tools employed by many Fortune 500 companies to solve manufacturing problems and create new products. This concept could be used to turn risks into opportunities for growth and diversification. There are 40 inventive principles and 39 contradictions. The TRIZ community has developed a variety of computer-aided tools:
- tools for searching patent and other databases for technical solutions in other fields
- tools for precisely identifying contradictions
- tools for mapping a company, industry and technology along Lines of Evolution
Portfolio level innovation techniques – In this method the trends of risks are studied at a portfolio level and the learning is used to create new ideas for other projects. The specific solution to a risk could be converted into a more generic one and it could be applied to all projects in a portfolio.
Project level opportunities tracking – In this method the inherent risk in a project leads to the creation of new tools. For example, if there is a schedule risk and the code documentation is yet to be developed, creating a new tool to automate the documentation would save effort and help meet the schedule. The document generator then becomes the project's contribution to a broader service offering, such as tool-based code documentation.
Process Changes – In this method the corrective actions taken in various portfolios in the organization in a time period (such as annual) due to risk are analyzed for root causes, and if required, changes are made to processes at the organization level.
Enabling Managers Through Knowledge Sharing
The reaction of a manager to risk varies with their psychology, social setting, experiential knowledge of the industry, and the organization's risk tolerance levels. A strong risk champion needs to be able to balance all the issues associated with a project or product—economic factors, performance requirements, regulatory issues, management issues, and more—and create a winning software product. In order to enable managers to deal with risk consistently, mechanisms need to be devised. In the 360 Degree Risk Model, sharing knowledge and training managers on risk is a critical success factor. Some of the mechanisms are:
- Training – Establish education and certification programs to enhance the skills of people in risk management and with risk management tools.
- Create a network of managers who have been through high-risk projects to share their learning and experiences in dealing with risks. The forum would also serve as a stress-buster in times of high tension and provide support from peers.
- Create a risk experts forum that can be contacted when projects need informed decisions and trade-offs in critical risk situations.
- Create a portal of lessons learned from projects.
- Conduct knowledge sharing colloquiums to gather lessons learned and best practices from other companies in the industry.
- Create a corporate risk database – a compendium of all possible risks in the lines of business to be undertaken by the organization, with causes, impacts to product quality metrics and performance metrics.
- Create a risk knowledge asset of risk lists and a comprehensive set of generic protective actions. For example, testing high-risk modules first reduces the overall risk of the software release significantly.
- Build risk management into goals of project managers and business units to encourage risk seeking.
Based on the context and the needs of the hour, the managers could tailor the 360 Degree Risk management model to a project or organization. The organization culture could advance to a risk-seeking and explorative one by providing rewards and incentives to risk-takers and improving tolerance for experimentation and learning.
Benefits of This Model
The 360 Degree Risk Management Model offers substantial benefit over conventional risk management models:
- Risk management as a competitive differentiator
- Protect companies from severe financial loss and loss of operational continuity due to software failure
- Formal method to calculate both the positive and negative impacts of risk
- Enhances brand value and increases trust with customers
- Improves quality of service and products to customer
- Reap the benefits of seeking out the opportunities in risk and exploiting them
- Expansion of business footprint, product and services diversification
- Increase operational efficiency of current systems by using the learning and tools from other projects at risk
- Portfolio managers able to distinguish areas of opportunity from areas of reckless risk appetite
- Enable managers to move from unknown-unknown to known-unknown
Application of This Model to the Manufacturing Domain
The application of this risk management model to global supply chains is an interesting one and was carried out in “Management of Supplier Risks in Global Supply Chains” (Srividhya & Jayaraman, 2007). Supplier risk management has, of late, gained prominence in the wake of low-cost country outsourcing, geo-political instability, and recurrent natural disasters. Applying the 360 Degree Risk Management model to this situation has helped define a simple risk management framework (the Global Supply Risk Management Model) as shown in Exhibit 5.
Exhibit 5 – Global Supply Risk Management Model
At each node of the supply chain, the operation managers, third-party logistics providers, and purchasing analysts comprise the risk experts. The risk evaluation starts with profiling supply and suppliers. This is done by reviewing the processes within a supply chain and segregating the risk based on likelihood of occurrence and severity of impact. Based on the risk profiles generated, risk managers assess, prioritize, and plan risk response. Using the tools provided above, the risk management could be effectively implemented and monitored. Software is used as a tool to handle risks in a three-tiered approach: tool for operational efficiency, tool for risk analytics (mining), and tool for strategic decisions (diagnose problems, evaluate options, optimize operations, and mitigate risk factors). The next stage in the evolution of supply risk management goes beyond the first tier to subsequent tiers in the supply chain and involves an increased level of collaboration and data and knowledge sharing with suppliers' suppliers. Governance is achieved through a central body that stresses compliance to a set of performance and quality standards in addition to risk control metrics. This robust, multi-enterprise-wide approach to risk management is essential to meet business objectives in a flat world.
The reaction to risk in the software industry has typically varied from being risk-averse at one end of the spectrum, to risk-embracing at the other end. The strategic benefits listed above provide incentive to use a 360 Degree approach to risk management so as to minimize the threat of failure while exploiting the opportunity to achieve success. Based on inherent strengths and weaknesses of the organizations, risk handling strategies have to be adopted that enable the manager and organizations to make programs and projects successful. The concepts and skills need to be woven into day-to-day business decision-making, and become self-correcting and self-sustaining for the continuous improvement of software products and services. The organizational culture and people must move to calculated risk taking with buy-in from all and commitment from the board of directors. Identifying and deploying the Global Supply Risk Management model based on the above 360 Degree Risk Management model will improve predictability and business continuity. By viewing RISK as a means to Rate, Innovate, and Share Knowledge with the 360 Degree view of risk management, the software industry could progress from being a technology solution provider to being a trusted partner in the world of business.
AON. (2006, February). Enterprise risk management quantification: An opportunity (p. 3). Retrieved on November 29, 2006 from http://www.aon.com/about/publications/pdf/issues/wp_2006_02_enterprise_risk_management_235.pdf
Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2004). Enterprise risk management – Integrated framework (p. 8). Retrieved on October 4, 2006 from http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
Industry Direct Research. (2006). Reducing the cost of maintaining risk management & compliance. Retrieved on October 1, 2006 from http://www.idlworldwide.com/iob100134qp/
Kingshuk, D. (2006). Engineering performance of IT applications: An Infosys perspective. Retrieved on October 23, 2006 from http://www.infosys.com/events/KingshukDasgupta-Webinar-Presentation-Performance-Engg.pdf
MindTools.com. SWOT analysis: Discover new opportunities, manage and eliminate threats. Retrieved on October 10, 2006 from http://www.mindtools.com/pages/article/newTMC_05.htm
Project Management Institute. (1997). A guide to the project management body of knowledge (PMBOK® Guide). Newtown Square, PA: Project Management Institute.
Software Engineering Institute, Carnegie Mellon University. The principles of risk management. Retrieved on November 29, 2007 from http://www.sei.cmu.edu/risk/overview.html
Kowalick, J. F. (2006). Technology forecasting with TRIZ. Retrieved on September 3, 2006 from http://www.triz-journal.com/
Srividhya, V. S., & Jayaraman, R. (2007). Management of supplier risks in global supply chains. Retrieved from http://www.infosys.com/technology/toc-SCM-strategies.asp
Tague, N. R. (2004). The quality toolbox (2nd ed., pp. 390-392). ASQ Quality Press. Retrieved on August 1 from http://www.asq.org/learn-about-quality/project-planning-tools/overview/pdca-cycle.html
Wikipedia. (1996). Investment risk. Retrieved on September 1, 2006 from http://en.wikipedia.org/wiki/Investment_risk
Van Scoy, R. L. (1992, September). Software development risk: Opportunity, not problem (CMU/SEI-92-TR-30, ADA 258743). Software Engineering Institute.
© 2008, Ananth Subramanian and V. S. Srividhya
Originally published as a part of 2008 PMI Global Congress Proceedings – Sydney, Australia