A real world "successful" risk management methodology


Bayfront Health Systems has established a risk management methodology to facilitate, educate, and mitigate project risks with our Hospital Information System implementation projects.

Bayfront Health Systems has realized the benefits of breaking down risk into qualitative and quantitative areas when taking on a large, complex enterprisewide project. As the organization transformed itself from a risk-reactive to a risk-proactive organization, we realized efficiencies and significant cost savings associated with a formal project risk methodology. Six benefit-driven points that this paper will cover are as follows:

  1. How to effectively communicate risk across project teams
  2. How to have project risk information formally documented
  3. How to assess and document quantitative and qualitative risk areas
  4. How to document cost and scheduling changes associated with project risk
  5. How to mitigate risk with proper project structure
  6. How return on investment is associated with project risk

Now in our fourth iteration of the Hospital Information System software, the risk management methodology has saved the organization short-term and long-term associated costs. “Time is Money.”

What is a Project at Bayfront Health Systems?

At Bayfront Health Systems, a project is a “temporary” endeavor (consisting of greater than 40 hours of work) undertaken to create a unique product, service, or result (i.e., install new technology or upgrade or change existing technology). Projects are marked by a definite beginning and end date. Projects are defined in terms of cost as any amount higher than $15,000. All technology projects undertaken within Bayfront Health System are initiated and sanctioned as outlined in Exhibit 1.

Exhibit 1 – Bayfront Medical Center Project Process

The Current Environment at Bayfront Medical Center

The current Bayfront Health System environment encompasses versions of the following application systems, with various automated and manual interfaces between the systems. These systems are defined as shown in Exhibit 2.

Exhibit 2 – Application Systems Used in the Current Bayfront Health Systems Environment

Proposed Project Profile Document

(Project Charter document to outline all aspects of a Proposed Project)


1.1 Profile/project title

1.2 Profile control number

The project management office will register the proposed project profile (PPP) in the project control system.

1.3 Profile preparation team

Name | Specialty | Position

1.4 Profile completion date

1.5 Business/clinical case

  (1) Refer to an early-stage Service Outcome Cost

  (2) Strategic direction or action steps

  (3) Budgeted for capital year (Yes or No)

2.1 Project scope

2.2 Project objectives

2.3 Project background/linkage

2.4 Project assumptions

2.5 Project classification

2.6 Recommended project start and completion dates

3.1 Project manager

3.2 Project management team

Name | Specialty | Position

3.3 Project phasing

Project phase-workload estimate table

Phase | Work | Estimated Cost

4.1 Project objectives

4.2 Project risks

4.3 Project structure

4.4 Hardware requirements (if applicable)

Risk Management

Risk Assessment Methodology

  • Risk management is the process of identifying areas of risk that could negatively impact the success of the project and proactively managing those areas. Risk is analyzed during the initial stages of the project to lay the foundation for success and on an ongoing basis throughout the project.
  • Risk assessments are the means used to analyze risk. They highlight common areas of risk with the intent of identifying and controlling the risk. After high-risk areas are identified, risk control processes are selected and implemented.
  • The following risk assessment (Exhibit 3) describes potential high-risk areas of projects and documents the mechanism established to control these areas.
  • Exhibit 4 describes a Quantitative Assessment and how probability and impact are used to assess risk.
  • Exhibit 5 outlines common risk areas.
  • Exhibit 6 is the Risk Tracker tool used as part of the assessment.

Exhibit 3 – Qualitative Risk Assessment

  • Assign a probability that the risk will occur.
  • Assign an impact to the project if the risk occurs.
  • Put the risk on the matrix.
  • Deploy one or more of the risk management strategies to the risks in the red (“show-stopper”) section first.
  • Work on the yellow (“caution needed”) ones, if time permits.
  • Ignore the green (“everything is OK”) ones.

Terms and Definitions

  • Risk: the chance of damage, loss, injury, or destruction
  • Probability: the likelihood of an event occurring
  • Impact: the cost or consequence of failure
  • Likelihood of risk occurring

    • High (26% to 100%)
    • Medium (11% to 25%)
    • Low (0% to 10%)

  • Percentage of impact measured in time and/or cost

    • High (16% to 100%)
    • Medium (6% to 15%)
    • Low (0% to 5%)
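
The banding and triage steps above can be applied to a whole risk register in a few lines. This is an added example, not code or data from the paper: the band limits come from the list above, while the colour of each matrix cell, the treatment of values that fall between two published bands, and the sample register are assumptions made for illustration.

```python
from dataclasses import dataclass

# Upper bound (percent) of each band, from the "Terms and Definitions" list.
LIKELIHOOD_BANDS = ((10, "Low"), (25, "Medium"), (100, "High"))
IMPACT_BANDS = ((5, "Low"), (15, "Medium"), (100, "High"))

# ASSUMPTION: Exhibit 3's cell colours are not given in the text; this is a
# common 3x3 layout, keyed by (likelihood band, impact band).
ZONES = {
    ("High", "High"): "red", ("High", "Medium"): "red", ("Medium", "High"): "red",
    ("High", "Low"): "yellow", ("Medium", "Medium"): "yellow", ("Low", "High"): "yellow",
    ("Medium", "Low"): "green", ("Low", "Medium"): "green", ("Low", "Low"): "green",
}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood_pct: float  # probability that the risk occurs
    impact_pct: float      # impact as a percentage of time and/or cost


def band(percent, bands):
    """Map a percentage to Low/Medium/High using the given upper bounds."""
    if not 0 <= percent <= 100:
        raise ValueError(f"percentage out of range: {percent}")
    # ASSUMPTION: a value between two published bands (e.g. 10.5%) is placed
    # in the higher band, so rounding never understates a risk.
    for upper, label in bands:
        if percent <= upper:
            return label


def zone(risk):
    """Place one risk on the matrix and return its colour."""
    return ZONES[(band(risk.likelihood_pct, LIKELIHOOD_BANDS),
                  band(risk.impact_pct, IMPACT_BANDS))]


def work_queue(register):
    """Order risks as the steps say: red first, then yellow, green ignored."""
    order = {"red": 0, "yellow": 1}
    actionable = [(zone(r), r) for r in register if zone(r) in order]
    # sorted() is stable, so register order is kept within each colour.
    return [(z, r.name) for z, r in sorted(actionable, key=lambda zr: order[zr[0]])]


# Constructed sample register (not data from the paper).
REGISTER = [
    Risk("Training room double-booked", 10, 5),
    Risk("Vendor project manager unavailable", 26, 5),
    Risk("User access not re-analysed before go-live", 30, 20),
    Risk("Budget change request not recorded", 10.5, 6),
    Risk("Interface between application systems fails", 15, 16),
]

if __name__ == "__main__":
    for colour, name in work_queue(REGISTER):
        print(f"{colour:6} {name}")
```
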

Exhibit 4 – Quantitative Risk Assessment Method

Exhibit 5 – Project Risk Areas

Exhibit 6 – Risk Tracker

Risk Mitigation Processes

Project Structure

One of the key foundations of risk mitigation is establishing an effective project structure. Success requires thorough planning and regular review and approval of the aforementioned risks. An experienced, knowledgeable, and committed project organization must be assembled, with certain members designated as leaders. The formal project structure will comprise the following organizations:


Steering Committee. The role of the steering committee is to provide executive direction and approval to the project team and to ensure that the direction of the project team is consistent with Bayfront’s goals and objectives. The steering committee is responsible for:

• Initial review and approval of the project definition document and prioritizing of projects

• Final review and approval of deliverables produced throughout the project

• Determining project priorities

• Resolving issues beyond the authority of the project team

• Ensuring commitment of resources throughout the project

• Communicating project status to Bayfront Medical Center senior management

• Contractual aspects of this project

Project Sponsor. The project sponsor is responsible for:

• Communicating project directives and objectives to the steering committee and gaining consensus on scope and objectives

• Communicating project directives, scope, and objectives to the application areas

• Directing user involvement

• Monitoring the project progress by functional area

• Communicating the Bayfront Medical Center’s needs to the project team

Project Management Office Director. The role of the project management office director is to coordinate the implementation effort and ensure that the implementation objectives are being successfully met in a timely manner within budget. The project management office director is responsible for:

• Directing the project team

• Providing status reports to the steering committee and directing project status review meetings with the project lead

• Recommending issue resolutions to the steering committee and obtaining approval for project deliverables and key decisions

• Ensuring that liaison efforts between subteams are facilitated

Vendor Project Manager. A vendor project manager will be contracted to advise and assist in the overall project effort, to include:

• Providing full-time project management assistance as detailed in the contract

• Providing full-time project management assistance, to include participation with steering committee and advisory committee meetings

• Assisting the project director in meeting responsibilities

• Providing additional resources on an ad hoc basis, as required

Project Team Lead. At Bayfront Medical Center, the role of the project lead is to provide direction to the project team and to the resources assigned to each coordinator’s team to fulfill project tasks. The project lead will provide direction by:

• Monitoring project plans and implementation schedules to ensure that upcoming tasks are identified and communicated to team members

• Making task assignments and ensuring task completion

• Identifying and documenting potential problems or issues and ensuring these are communicated to the project director and project management team

• Reporting progress to the project director and other team leaders in status report meetings

• Maintaining the official project documentation

Project Management Team. The project management team consists of IT leadership within the organization as well as from participating consultants and vendors.

Application Leads. Application leads are responsible for:

• Acting as a liaison to Bayfront Medical Center counterparts for communication and decisions

• Obtaining consensus from Bayfront Medical Center counterparts, when appropriate

• Attending other project subteam meetings in an advisory capacity when business-practice knowledge is needed

Risk Mitigation Through Proper Security Measures

  • Data in all its forms (electronic, paper, or other) and throughout its life cycle (creation, entry, storage, processing, and disposal) will be protected from unauthorized access, modification, destruction, and disclosure, whether accidental or intentional, at Bayfront Health System.
  • Security risks can no longer be addressed through an unplanned series of spot checks or an uncoordinated patchwork of technical fixes. Security risks and tools have become too complex for ad hoc administration. Protecting the integrity of our data is of vital importance at Bayfront. This protection is provided through user access controls, password management, employee awareness programs, and monitoring/reporting.
  • User access controls

    • One of the key ingredients of information protection is user access controls, determining who can access the information and how it can be accessed. To ensure appropriate levels of access, security measures will be instituted for this project.

    • Security will be controlled by menu design as well as by security levels attached to individual items.

    • A complete analysis of existing application access and security will be done and adjustments made to ensure all existing users have access specific to their job requirements.

  • Password management

    • Passwords are not displayed when entered.

  • Employee awareness programs

    • The most extensive security products, systems, and procedures can fail at the human level. To prevent this from happening, Bayfront Medical Center team members are informed at employee orientation of the importance of protecting the enterprise’s valuable secrets and of the proper security practices. Failure to comply with data security policies, standards, and procedures constitutes improper conduct and is handled in accordance with personnel policies concerning disciplinary action, up to and including dismissal. A confidentiality agreement is signed by each employee and kept in Human Resources.

  • Monitoring/reporting

    • The security administrator, when appointed, ensures the integrity, confidentiality, and security of data through the use of appropriate controls. Data security violations are reported promptly to hospital management for review.

Cost and Scheduling Management

Cost and scheduling management is the process of managing cost and schedules to previously agreed-upon areas of the project. Cost and scheduling can affect many risk areas: the project resources, the project deliverables, the cost and timeframe in which objectives must be achieved, and even the project priority. Cost and scheduling changes will be viewed positively as long as their purpose is to ensure that Bayfront’s business needs are met. Cost and scheduling management documentation preserves the integrity of the project definition document, provides a mechanism for handling change in cost and scheduling requests, and provides a means for retaining historical cost and scheduling information to enhance future project management efforts.

The following process is followed when a change to the budget or schedule of the project is required:

  • Identify the cost or schedule change. Determine if the cost or schedule is within or outside the scope of the project.
  • Record the request. Complete the budget or schedule change request form and submit to the project manager.
  • Evaluate the request. The project team will review the proposed cost and schedule change and make a decision to approve, disapprove, or alter the cost or schedule change request. The steering committee will be contacted if a decision requires approval at a higher level.
  • Implement the cost or schedule change. If it is determined that the cost or schedule change should be incorporated into the project, the project work plan will be updated to reflect the change in cost, tasks, resource requirements, deliverables, and/or timeframes.

“Cost/Benefit” Analysis

The following cost/benefit analysis should produce a large list of risks associated with cost and scheduling constraints. It must be determined if the identified risks are real and if they are worth addressing, and their importance and urgency must be specified in view of your organizational needs and requirements. For example:

  • Cost-effectiveness – how does the cost of the problem compare with the cost of implementing a solution? In other words, a cost-benefit analysis is performed.
  • Legal mandates – are there laws requiring a solution (i.e., safety or regulatory compliance)?
  • Executive pressure – does top management expect a solution?
  • Population – are many people or key people involved?
  • Customers – what influence is generated by team members’ specifications and expectations?

If some of your needs are of relatively low importance, it would be better to devote your energies to addressing other human performance problems with greater impact and value.

After it has been determined that the identified risks are real and should be addressed, the next step is to check the actual financial risk of an organization against existing standards, or to set new standards. This step actually has two parts:

  • Consider the current situation. The current financial state of your organization must be determined. This analysis also should examine your organizational goals, climate, and internal and external constraints.
  • Consider the desired or necessary situation. The desired or necessary financial conditions for organizational and personal financial success must be identified. This analysis focuses on the necessary job tasks/standards, as well as the skills, knowledge, and abilities needed to accomplish them successfully. It is important that you identify the critical tasks necessary, and not just observe your current practices. You also must distinguish your actual needs from your perceived needs and wants.

The difference, or the “gap,” between the current and the necessary financial picture will identify the needs, purposes, and objectives that pertain to risk.


Next you need to consider what it is that you are looking for. Here are some questions to ask, to determine where the financial needs risk assessment may be useful in providing solutions:

  • Problems or deficits – are there financial problems in the organization that might be solved by specific software?
  • Impending change – are there financial problems that do not currently exist but are foreseen due to changes, such as new processes and equipment, outside competition, and/or changes in staffing?
  • Opportunities – could a competitive edge be gained by taking advantage of new technologies, training programs, consultants, or suppliers?
  • Strengths – how can we take advantage of our organizational strengths, as opposed to reacting to our weaknesses? Are there opportunities for applying new software to these areas?
  • New directions – could we take a proactive approach, applying new software to move our organizations to new levels of performance?

Return on Investment Tool

If you are going to recommend that your organization spend a great deal of its hard-earned money on a new system or process, you need to understand the return on investment (ROI) for the new system and its associated risks. Invariably, the first questions that will be thrown at you in your proposal presentation will be “How much is this going to cost, and what is the risk involved?” Having a basic knowledge of financial terms will help, but nothing is more effective than cold, hard, cost data.

The following tool has been developed to help you generate some solid payback data to be used in evaluating the return potential of your proposed method. Not only will it help convince the finance department, but it will also help you to understand whether your project is a winner or loser before you sign the purchase requisition.

  • ROI is based on a desired rate of return over a specified time period. It is important that you understand and accurately estimate how long the new system or process will be deployed.
  • Perform the cost comparison of the proposed methods versus the status quo.

    • Accurate estimates for the proposed method must be generated by the proposal manager. This is the crux of an ROI analysis and the engine of this tool. Historical data, information from vendors, and data from functional managers and quotes from consultants can be used as the basis for your estimates. As a last resort, you can use expert judgment with no supporting data, but be sure to document your assumptions in case you need to refer to them at a later date (i.e., at the proposal review). Your accounting and finance department can help you to generate data on the current operations. Once you have the numbers, simply fill in the cells under the Investment Summary tab.

  • Project the revenues resulting from implementation.

    • The proposed method may generate new opportunities for the company. For example, the implementation of a new Customer Relationship Management system may help the sales people generate additional sales from existing accounts. Using current sales data from your accounting or sales department, you should work with the sales people to determine if the new system will help generate more revenue. Keep in mind that new revenue streams may not result from the system implementation, so you should not go to too much trouble trying to justify the new system based on higher sales. In most cases, the ROI is based on a savings in operational expenses, not an increase in sales. (Of course, if your investigation shows that sales will actually decrease when you implement your idea, then you should bribe the sales folks, burn all of your back-up data, and never talk about the idea to anyone ever again.)

  • Determine the discount rate. The discount rate is basically your company’s rate for the cost of capital. Ask your finance department for the company-approved rate. If they look at you like you have three heads, just use the 6% figure already loaded into the tool or add 1 point to the current prime rate and load it into the tool.
  • Review the cost savings.

    • The tool provides you with a figure for the ROI based on the Net Present Value (NPV) of the savings throughout the life cycle of the proposed system. Have the finance department make sure this number is close to expectations and update your numbers as necessary.

  • Submit your proposal.

    • Once you have reviewed the numbers, you have everything you need to propose your project. Good luck!

©2008 Paul A. Capello, PMP
Originally published in PMI Global Congress Proceedings 2008 – Denver Colorado


