An important step from risk analysis to risk management
This paper shall stress the differences between performing risk analysis and pro-active risk management. The paper will give a short introduction in different risk analysis methods used within Ericsson Global Services and their main application as well as in which situation the different tools are most feasible based on real experiences. The paper shall help the reader to understand that risk analysis is just an important but small part in an integrated risk management approach.
A lot of experience is input to this paper since there are 12 consultants trained and used to work as risk management facilitators in customer projects and the author is the subject matter responsible for risk management within Ericsson Global Services. The paper will show how and when to use which tool, what to expect, and how to manage risks continuously and efficiently. It will address to problem to come over the first resistance against risk analysis and how to handle the even harder resistance against more advanced techniques and against pro-active continuous risk management. All these shall be illustrated by examples of both best practices and mistakes made in real-life use. In this part even the aspect how to measure risk and the influence of risk on existing KPIs will be addressed.
Introduction – What are risks
A project risk is an uncertain event or condition and may have positive or negative effects (Project Management Institute, 2000).
According to Webster risk itself is a possibility of loss or injury.
The risk exposure is the probability of a risk times impact of this risk.
With probability we mean the likelihood of unsatisfactory outcome.
The impact of the risk is just the effect if unsatisfactory outcome.
With risk scope we understand the business opportunity connected to the risk.
We have to face both known risks and unknown risks.
Risk, uncertainty or opportunity
Reading articles or books about risk management you will see that risk, uncertainty and even opportunity are quite frequently used, sometimes even more or less as synonyms. There is no doubt about a clear correlation between risks and opportunities. This could be described as follows:
|No risks||- no opportunities!|
|Unknown risks||- unknown opportunities!|
|Managed risks||- managed opportunities!|
The basics – Know your risks
Risk analysis – what is in it for you
The risk analysis gives you an opportunity to reach consensus on the project possibilities among the participants.
This will help you to reach or keep the scope of your project.
The risk analysis gives you the possibility to take action, often where it is most needed!
And a risk budget can be used as addition to cost estimations.
Risk analysis methods
There is a plenty of risk analysis methods which we use more or less frequently:
- Brainstorming: repetitively, in all projects
- Risk checklists: for repetitive projects and stable environment
- Assumption analysis: in repetitive or similar projects and stable environment
- Delphi method: if stakeholders can't meet, no time pressure exists and people prefer to be anonymous
- Interviewing: if stakeholders can't meet and there is a person dedicated for risks management
- SWOT analysis: in very early phases, to get quick uncertainties analysis
- Risk rating matrix: for the identification of main risks
- Decision tree analysis: an alternative method for identification of main risks
- Diagramming techniques: identification of risks with main effects
- Minirisk: in smaller projects, especially in later phases, used for identification of main risks, a risk rating method
- Successive Principle: in big projects, if there are many uncertainties, in early phases and changing environment
The most feasible usage of it requires some experience with risk management since there are many parameters to consider. Among them are the size of the project, the complexity, the grade of alignment between the stakeholders, the phase of the project, if it is a unique project or if there are similar experiences existing, etc.
Manage your risks – Risk management process
Risk Management covers all phases
If course risk management has to cover all phases:
- Risk Management planning
- Risk identification
- Qualitative Risk analysis
- Quantitative Risk analysis
- Risk response planning
- Risk monitoring and control
- Lessons learned
But if we look into the daily practice we see that fragmental risk management is very usual. Risk management planning is much too often a happening and no structured process, very seldom proactively and documented. Risk identification is a part of the analysis which is done in the average project. The main focus of it is on the qualitative risk analysis whereas a quantitative risk analysis is quite seldom performed. Risk response planning is partly done, risk monitoring and control is more seldom. The usual case is that some risk mitigation actions are defined, documented and sometimes followed up. Almost never we see that there is a risk trigger defined and very seldom it is monitored if the risk occurs or not. And last but not least are lessons learned very seldom analyzed, documented and leading to improvement.
Risk in project management process
If we would just follow A Guide to the Project Management Body of Knowledge (PMBOK® Guide) (PMI, 2000) we would cover all that. The planning processes contains risk management planning as core and risk identification, qualitative risk analysis, quantitative risk analysis and risk response planning as supporting processes. Risk monitoring and control can be found in the controlling processes as core process. And in the closing processes we have a core process lessons learned as part of administrative closure. So just using PMI would help us to manage our risks. We don't we do it then? There are many different explanations if you ask different project or line managers but I dare to summarize it with the general statement that there is not enough focus on risk management since it is much too often seen as administrative burden without any explicit benefits.
How to sell in risk management
Risk management all the way
It is a matter of fact that almost everyone understands the benefits of risk management, but almost everyone gives low prioritization to it until he suffers himself. Then there is a risk management focus which often does not last that long and he forgets about risk management soon again. Why that? One reason is that it becomes mote crisis management then instead of proactive risk management. Another reason might be that there is high attention of the stakeholders in these situations whereas it is often very difficult to get them on one table in well defined and planned projects.
- To highlight the effect of the risk analysis itself sometimes opens the eyes about the value of the analysis which can be a catalyst for even see the benefits of the whole risk management portfolio. The main effects besides the identification and mitigation planning of the risks could be that the group of stakeholders is getting aligned on goals incl. financials and that the workshop contributes to team building, as well.
- To compare just the cost of a risk analysis vs. the expected benefit could lead to an easy calculated business case and by this way opening for one initial risk analysis. If this is positive it can of course start some positive avalanche effect.
- To show a concrete business case is of course the most impressive way to get risk management anchored. An example can be to use the current project of the student in a risk management training. Another approach could be to quantify the main risks with a PERT estimation (least, most and most probable effect on the project if risk is hit be some risk).Another idea is to compare the result after mitigation with mitigation cost and by this way calculate the specific business case on a single project. Finally we can calculate simulation scenarios to compare the different results.
How to “sell-in” more advanced techniques and a continuous risk management approach could be a bit tricky but is usually also very dependent on explaining the total picture. The benefit of an external facilitator is such a clear thing which unfortunately has to be repeated from project to project: the project manager or any other project stake-holder is not objective and would have impact on the result by guiding the outcome their own way. WE can use business control, quality audit, etc. as a similar experience. They are always performed by external personnel, an external facilitator will prepare better for the analysis meeting, stealing less time of project manager and members).
Manage Uncertainties comprises both risks and opportunities and leads to better scoping (less uncertainty = less risk) and add-on sales (make use of opportunities). Another example could be a 2 days facilitated workshop which is also a team-building activity and pays off by better understanding of the situation (not only risks), more commitment, more proactive risk management and focus on the critical path in the project.
Best practice 1: Risk management week
We face a delivery program to a main customer in UK with subprograms and a plenty of parallel projects. There are risk registers existing and the main action points (APs) are maintained by each project manager in delivery phase. To investigate the status regarding risk management we performed a “risk management week” which meant that 2 risk management experts acted as external risk analysis facilitators for seven of the projects. By even interviewing some of the program managers we got a good impression on the status of the program. At the end of the week we made a presentation and compiled a final report with the TOP5 risks per project (incl. mitigation plan and quantitative analysis) and findings on program level. In this specific case it lead to improved risk management since
- Risk analysis are performed earlier now (already before quotation)
- All projects and programs got planned risk management activities
- This customer account will continue with external facilitation of risk analysis by letting the project manager of one project acting as external facilitator for another project and so on.
- Risk management is also done on program levels now
If we try to quantify the benefits of it, we can focus on the monetary advantages of the better and earlier coverage of risks on all levels and of the better focus on main risks to address and mitigate. The extra costs for this activity is about 25 additional project internal and 5 additional project external manhours per project and quarter. Of course these costs have to be put in relation to the total cost and to the possible benefits on a per project basis, i.e. the business case has to be calculated for each project.
Best practice 2: Successive Principle scenarios
In this case we faced a big potential project (some hardware but mainly services) with enormous dependencies on third party deliveries to be sold towards a demanding customer in Asia. Of course we wanted to take that business but the open question was it is better to offer as a “prime contractor” or just to offer explicitly our parts in the wanted customer solution. In the beginning of this exercise we were not exactly sure about how to perform the advanced risk analysis we were asked for and we started by letting two external risk analysis facilitators interview the key account management, the manager of this offer and further internal stakeholders. Already the first interviews showed that a common risk analysis following successive principle method would be the most appropriate approach for this since it would automatically lead to a review and improvement of the existing project plan.
We ran successive principle method together with potential subcontractors by using Futura © tool. We even made simulations in the tool by estimating risk mitigation activities and their effect on the project. The main example for these simulations was to change from being prime contractor to a scenario where we were equal partner to all other subcontractors. We investigated three scenarios in detail and calculated for each of them the probability about total project cost and time and illustrated this in probability S-curves and an uncertainty profile.
Exhibit 1 – Schedule Probability S-Curve example
Exhibit 2 – Schedule uncertainty profile
Many risks were identified and quantified - both in cost and effect on project lead time. Finally we defined and estimated mitigation actions.
The benefit of this exercise was that we could provide clear business cases for all 3 different scenarios, we got a better understanding on key risks and effect of mitigation actions and last but not least got the stakeholders aligned on their view of the project, the project risks and the possible alternatives. The extra costs we spent on this exercise were about 300 additional manhours, evenly divided between project members, external stakeholders (line management and 3PP) and the 2 risk management experts.
Best practice 3: Active risk management
In that case we have a delivery program to another main customer in UK with a plenty of subcontractors that got more or less stuck. The original situation was that internal risk analysis was done, risk register existed and mitigation action points were identified and maintained by both the customer program manager and subproject managers. To get the program on course again the method active risk management was chosen. A new aggressive risk management plan was developed together with the customer and subcontractors. The risk project manager got high authority in the delivery program, in escalation cases even higher then the customer program manager. So far this project has come today.
To planned situation is that we get the program on course again and improve the risk management (since this is in progress now, we have no final result yet). Improved risk management shall be achieved by proactively planned risk management activities, an extra focus on risks and their mitigation and by using risk management as catalyst for common, very creative re-planning together with customer and subcontractors.
The expected benefit is that this approach enables formerly impossible approaches and solutions and that it kicks on the program without playing a “blame game”. The extra costs are quite high since it needs:
- 1 additional senior customer project manager with excellent background in risk management for about 6 months
- About 25 additional project internal manhours per project and month
- About 5 manhours from customer are spent on risk management per week (we can question if they really are additional?)
- About 5 manhours from each subcontractor are spent on risk management per week (we can question if they really are additional?)
Real life experience
As shown here there are always some best practices and won benefits to share. Never underestimate the worth of sharing it since there is no blueprint for the total risk management approach existing, it is too dependent on the specific situation, size of the project, customer, number and type of subcontractors, etc.
It is also important to share some mistakes and caused losses or missed opportunities. For this part I would like to generalize a bit and share the observation that risk management often isn't planned, started too late, involves too few people, is not focusing on the most important parts, is not followed-up and does not lead to sustainable improvements.
Another important question from real life experience is which KPIs to observe under the aspect of risk management. This question I want to leave unanswered here since our experience is showing an extremely shattered pattern. Maybe this is because we as risk management experts are mainly asked to work on the really tricky projects and issues, maybe this is a statistically relevant pattern. Even the question how to measure risk should be answered just according to the specific project. For big projects in early phases all shall be translated either in cost or lead time, but for small project in late phases we might just chose lead time for one project, unrealized margin for another and cost for the third one – it would not be worth the effort to translate it into total cost or lead time in such cases. This leads finally to the question about which effort in risk management is feasible for which project. Even here I just give you the maybe unsatisfactory answer: do your risk management business case as early as possible on a project by project base. Re-use your risk management approach - this makes the business case more positive. And in case of uncertainty do even a business case on a mitigation action base.
Summary: Learning objectives
What you should understand now is that risk analysis is an important but small part with potential big positive financial impact in an integrated risk management approach that covers much more, e.g. planning, early start, continuous work, external facilitation, integration in project follow-up, etc. And please DO NOT …
- overwork risk management
- forget about it in the next project
- start it too late
- prioritize it too low
- try to formalize it in your process too much
ONCE AGAIN understand that
- risk analysis is just an important but small part in an integrated risk management approach.
Project Management Institute. (2000) A guide to the project management body of knowledge (PMBOK®) (2000 ed.). Newtown Square, PA: Project Management Institute.
© 2006, Herwig Stöckl
Originally published as a part of 2006 PMI Global Congress Proceedings – Madrid, Spain