Lessons of conducting a risk management system in IPDC
Based on a request for proposal from Iran Power Development Co. (IPDC), The Iranian governmental agent for power plant projects, a comprehensive risk management system was designed and implemented in selected projects of the company by a group of risk management consultants.
The method of consultants was surveying IPDC and determining its maturity level at risk management and simultaneously conducting required trainings before starting system designing. Then based on the results of the evaluations, literature review and research works about the context, the PMBOK® Guide (PMI, 2008) was selected as the source for system design. Some adjustments and modifications were made to the standard processes and a system was designed that consisted of 22 documents (procedure, form, database, etc.).
Based on the agreement between client and the consultant company, the designed system was implemented in two pilot projects.
Actions in system designing and implementing phases have had some lessons learned that can be helpful for similar risk system projects and organizations.
Risk management is still a new topic in project management and one of the new areas of project management knowledge that pioneer project-based organizations as it applies structured and systematically. The poor understandings of managers in project-based organizations of this important topic showed that not enough effort is being exerted for systematic development of risk management in these organizations. Even in more pioneer project-based organizations risk management is the last thing that is taken into serious account.
What is presented here is lessons learned of a consulting project for designing and implementing a risk management methodology for IPDC. To perform these projects four steps has passed: “initial studies and surveying,” “researches and conceptual works,” “trainings,” “risk management system design,” and “risk management implementation.” In this paper the following items will be explained:
▪ The project environment and starting motive;
▪ The process of selecting an approach for designing the risk management system;
▪ Risk management system documents;
▪ The process of implementing the risk management system;
▪ Samples of completed work;
▪ Issues and findings that are now experiences and lessons learned.
Consulting services was demanded by Iran Power Development Company (IPDC). Primarily this organization was founded as an R&D center in one of subdivisions of the power ministry in 1987 with a mission of preserving and rehabilitating power facilities and creating new potentials in the power industry. Finally, this center turned to a separate company, dependant to the power ministry in 1996 as an executive agent of the ministry. Currently, IPDC is the governmental agent for managing power industry projects and programs. Activities of the company are in the field of power plants, power transference, dispatching centers, power telecom networks, and their facilities. The company has been able to commission more than 200 power plants with a total capacity of more than 32,000 MW by the end of 2012. As well, IPDC has more than 300 power plants in the feasibility study in executing phases that their total capacity is more than 36,000 MW. The vision of the company is to endeavor for:
▪ Replacement of electrical power instead of other types of powers for making an improvement in the people's life;
▪ Minimizing environmental damages results from supplying electrical power and creating clean energy.
The top chart of the IPDC is as illustrated in Exhibit 1.
Exhibit 1 – IPDC top chart.
It is obvious that in a project-oriented organization all departments deal with projects risks, although some of them are directly encountered with these risks and some are indirectly. In IPDC, program managers have the main role of managing risks and risk management has the most importance for them. The deputy of engineering, based on its mission, is responsible for technical risks and its familiarity with risk management concepts can be helpful on reducing schedule and cost slippage. The deputy of logistics can help in managing risks related to human resources, financing, legal affairs, etc.
In IPDC “the deputy of planning can be taken into account as the most important participant in risk management processes, especially because the fact that the ‘program planning office’ in this department has the roles of “PMO.” This office has three sub-divisions: “Project management system development,” “Project control,” and “Budgeting.” This deputy has the main role in training, coordinating and culture development for risk management and could be the leader for implementing a risk management system in the whole organization. To develop risk management culture this office should try to change the focus of organization from managing issues to managing risks.
In the consultancy contract, based on the nature of such services, two power plant projects were designated for implementing the risk management system, a gas power plant and a combined cycle power plant. IPDC was responsible for developing the system to its other projects.
Objectives of the Risk Management Project
IPDC tried to develop project management methodology in various project management areas, but risk management was in fact a forgotten area before 2010. However, the project's circumstances had many uncertainties because of various reasons. Some of the source factors of uncertainties are listed below:
▪ Multiplicity of projects;
▪ Large-scale projects that required great amount of funding;
▪ Variable environmental situations;
▪ Variable project delivery systems.
In addition to these motives for starting a risk management project, IPDC top managers believed in the benefits of a risk management system. IPDC followed some objectives from developing a risk management system in the organization:
▪ Putting in the place a documented and comprehensive risk management system for projects;
▪ Managing risks based on a similar methodology in all projects of the organization;
▪ Preparing integrated and comprehensive risk management reports for managers in different levels of organization;
▪ Helping top managers make effective decisions;
▪ Developing organizational expertise in risk management.
Executing the Risk Management Project
Designing and implementing risk management system in IPDC was executed in five phases (steps).
▪ Surveying the organization;
▪ Performing relevant researches and studies;
▪ Training the organization;
▪ Implementing system design;
▪ Completing system implementation.
The master schedule of the project is as shown in Exhibit 2. The total duration of the contract was 12 months.
Exhibit 2 – Project master schedule.
Surveying the Organization
In this step the consulting team tried to get an appropriate understanding about the IPDC organization. Some of the actions were:
▪ Introducing IPDC's organizational chart and responsibilities of each department;
▪ Introducing IPDC's projects;
▪ Studying organizational documents relevant to risk management;
▪ Identifying requirements;
▪ Studying organization strategies;
▪ Holding meetings with relevant individuals.
Perusing 93 strategic objectives of the organization showed that 20 of the objectives (22%) can directly or indirectly be linked to implementing a risk management system and encouraging it. This was a good motivation for aligning the consulting team's efforts with different organizational divisions.
The consulting team continued its surveying with a risk management maturity assessment based on its own methodology. This methodology classifies organizations in four levels. Assessment results showed that the organization is in level 1 of maturity. It meant that the organization had little understanding about project risk management. By this understanding, the consulting team aimed at improving IPDC to level 2 of risk management maturity. At this level, organizations have a wider understanding on project risk management, have documented an appropriate methodology for dealing with project risks, and are able to apply it in designated projects.
Performing Relevant Researches and Studies
The consulting team conducted research on some well-known standards that had mentioned risk management. The following standards were studied:
▪ Australian and New Zealand Standard (AS/NZS 4360);
▪ Project Risk Analysis and Management (PRAM)—The Association for Project Management;
▪ Management of Risk (M_o_R)—Office of Government Commerce;
▪ Project Management Body of Knowledge (PMBOK).
The research showed that each of these standards has its own approaches but in a wide perspective they all have similar steps. In Exhibit 3, the processes of these standards are illustrated.
Exhibit 3 – Comparison of risk management processes in four standards.
After these findings and obtaining IPDC experts’ opinion, the PMBOK® Guide (PMI, 2008) was chosen as the source standard because of its better process orientation and more practical approach as well as more familiarity of customer's experts with this standard.
Train the Organization
After surveying and conducting needed studies, some basic trainings about project risk management was provided for relevant individuals in the IPDC organization and projects. The goal of these trainings was familiarizing audiences with the concept of project risk management and its processes.
As well, some advanced trainings were provided for some individuals. Project risk management software was taught to the candidates that were forming risk management teams in IPDC projects. Finally, a special training about the designed system and established methodology was provided for “program planning office,” which was in fact the PMO of the organization. This office had the responsibility for utilizing designed systems and conducting risk management processes in designated projects of organization. Advanced trainings were accomplished at the end of the consulting services.
Approach and Processes
The consulting team established eight principals for system designing:
▪ Designing the processes in high level because of the owner (Customer) position of IPDC in mega projects;
▪ Designing a comprehensive system that can be used in different project types of IPDC;
▪ Getting IPDC experts and managers buy-in and comments in designing the system;
▪ Obtaining the maximum adaptability with the existing organizational chart;
▪ Having the appropriateness of designed system with the maturity level of IPDC in risk management;
▪ Simplifying the system and its workflows and avoiding complexity;
▪ Having a top-down approach in designing;
▪ Designing the processes based on a customized model of the PMBOK® Guide.
Although the PMBOK® Guide was opted as the source standard for devising a risk management system and methodology, some modifications were made to the PMBOK® Guide processes and finally the following six processes was taken into account for the IPDC risk management methodology:
▪ Risk Management Planning
▪ Risk Identification
▪ Risk Analysis
▪ Risk Response Planning
▪ Risk Monitoring & Controlling
▪ Documenting Risk Lessons Learned.
Exhibit 4 shows the interactions of these processes.
Exhibit 4 – IPDC risk management processes.
The SIPOC (Suppliers, Input, Process, Output, Customer) method was utilized for analyzing the mentioned processes. By this technique each process could be analyzed, on one hand, based on its inputs and relevant suppliers of inputs, and on the other hand, based on the outputs and who utilized the outputs. Accordingly, the consulting team could adopt the processes with IPDC requirements and walk through a customized methodology for the organization.
According to the top down (from a high-level design toward a detailed design of operating forms), a three-level documentary system was devised for defining the system and illustrating the methodology. By this perspective a “Risk Management Procedure” was placed at the highest level. This procedure could be addressed to show the project risk management policy in the organization, and in a high level, describe the total risk management system and its processes. At the next level there are “Work Instructions” for each process, which explains step-by-step activities and responsibilities of each related individual. At the lowest level there are applicable forms and databases that show how to record data and prepare end results of the system. The graphical expression of such approach is presented in Exhibit 5.
Exhibit 5 – The structure of IPDC risk management documents.
Finally, a collection of documents and databases were prepared for IPDC that spanned the triple level in Exhibit 5. The final list of documents is displayed in Exhibit 6.
Exhibit 6 – IPDC risk management document list.
A notable subject matter in system design was getting customer buy-in in system design activities. During this phase, meetings were held with selected individuals of customer (risk management project work group). During these meetings parties overviewed system design's basics, data flows, work flows, responsibilities and so forth, and by sharing opinions and giving comments from those that tried the risk management system has the most adaptability with organizational situation.
By completing the system design phase, the consulting team began the needed measures for the implementation step. As previously stated, two projects had been introduced by the customer (IPDC) as the pilot projects. The designed system was subject to test on these two candidate projects. The reasons of nominating these two projects were the belief of their project management teams in risk management and standing in the planning period of their life cycles. One of these two projects was a gas power plant and the other was a combined cycle power plant.
The first action was preparing a “risk management plan” for the pilot projects. In these plans subjects like “approach and methods in risk management,” “tools and techniques,” “financial resources for risk management activities,” “risk breakdown structure (RBS),” “roles and responsibilities,” “the feature of probability and impact matrixes,” “definition of risk response strategies,” “risk threshold of key stakeholders,” “risk tracking activities,” and “risk management reporting” were highlighted. Risk management plans have to be approved and authorized by risk management strategic committee.
After approval of plans, risk identification was conducted utilizing brainstorming sessions, one held in the central office and one at each project site. Proposing risk responses in the time of identification especially for obviously important risks was a noticeable point in the risk identification process. Although in a rational sequence the response planning should be conducted after risk analysis, the consulting team used it as an opportunity to discover some appropriate responses for serious risks.
After completing the identification process, the list of identified risks were given to all risk management work group members and they were asked to give their approximation about likelihood of risk occurrence in the project. After obtaining the probability of risks in the subsequent step, work group members gave their approximation about the impact of risk occurrence on considered objectives of the project. For calculating risk scores the weight of all work group members were assumed equal and the score averages was taken into account as the ultimate score of each risk.
The prepared database had the capability of grouping analyzed risks into “important” and “not important” risks so risk register and watch list forms could be completed easily. Notice: For pilot projects just qualitative analysis were conducted.
After completing the risk analysis process, again during brainstorming meetings, one to three responses were determined for each important risk and for each response a response owner was assigned.
By determining responses and their owners, planning stages of risk management came to a conclusion and project execution, and consequently conducting determined activities to control risks was started. During the execution, as well as following the implementation of the risk responses, the situation of risks was tracked to discover any changes in their attributes or detect new risks and iterate the risk management cycle. Also, status reports of project risks were prepared as an extension to projects’ monthly reports.
Risk management consultancy to IPDC had some knowledge achievements for the consulting team, which is useful in similar projects. The most important lessons learned from this consulting project are as follow:
Tactical Lessons Learned
▪ Having the support of CEO and top managers of organization is crucial for birth and growth of the system.
▪ Conducting direct meetings with experts and customer managers and obtaining and applying their comments, on one hand, can lead to a better system design by creating a sense of teamwork, and on the other hand, helps on better implementation of system in the next stage.
▪ Instructing, educating, and training project teams and functional divisions in risk management have high importance.
▪ Committing enough time in the survey and study phase can facilitate next stages actions.
▪ Forming an internal expert team as the owner of leading the system is inevitable for success—this should be one of the first systematic endeavors in risk management.
▪ Understanding of audiences toward the system requires simplicity of the designed system leads.
Technical Lessons Learned
▪ Participating subcontractors of engineering, procurement, construction and commissioning contractors in managing project risks can help on better management of risks.
▪ Participating top managers and experts external to the organization is a good help in the planning stages of risk management.
▪ Documenting risk management lessons learned can be mentioned as a separate process, especially in cases that a total project management system is not the aim of system design.
▪ In projects that quantitative analysis is not necessary or in project-oriented organizations that don't have high maturity of risk management or utilize quantitative analysis rarely, quantitative analysis can be omitted from risk management system or qualitative and quantitative analysis can be merged into a single process.
▪ To have useful outputs (e.g., risk management plan, risk register, etc.) determining the exact required information and their placement in designing forms and making a form ID (which in adequate details describes how to complete the forms) is so important. It can help to have uniform results and prevent personal preference.
▪ Too wordy work instructions can lead to negative statements and obstacles against the system. To make work instructions briefer, expressions that are not directly related to the main document can be attached to it as appendices. To make documents more understandable, utilizing charts, flow diagrams and process mappings is a big help.
▪ Risk management doesn't come to conclusion by identifying just 20 or 30 risks!
▪ Brainstorming is one of the most effective tools that can be useful during different risk management processes.
▪ During risk identification process before entering to analysis process, some good responses to significant risks can be discovered!
▪ In risk analyzing, it is better to obtain probability and impact of risks separately in two steps.
▪ In risk response planning it's not necessary to determine response strategies in advance. The most important thing is just beneficial responses. Risk responses can be categorized in relevant strategy groups later!
▪ Determining an owner for each response or contingency plan (responsibility assignment) is so important for success of risk management.
As well as the project's lessons learned, explaining some results can be helpful:
▪ The major problem that happened during the implementation phase was a management change in contract representative position. The change was significant because the new management approach was different about systematic issues and also about risk management.
▪ Although the consulting team tried to complete its commitments in due dates, the project came to its end with a couple of months delay. Delays occurred because of management changes in the customer's organization what slowed the activities of the risk management work group.
▪ One of the strengths of the project was the appropriate knowledge and perception of the customer (especially in the non-managerial body) about the risk management concepts that helped on achieving a common literature and aligning viewpoints in the system design phase.
▪ According to a performed satisfaction assessment, the customer was satisfied with the results of the consulting services (system design and its implementing in pilot projects).
▪ Despite this satisfaction of appropriate performance of the consulting team, after management changes in the customer's party, developing the risk management system to other projects was held.
Aryana Project Management Institute. (2011). IPDC risk management documents. Tehran, Iran: Aryana Project Management Institute (Internal Publication).
Masudifar, P., & Fardad, F. (2012, Nov.). Risk management maturity model (RM3). 8th International Project Management Conference, Tehran- Iran.
Masudifar, P., & Fardad, F. (2012, Nov.). Lessons learned from designing & implementing a comprehensive risk management system based on PMBOK 2008 in IPDC. 8th International Project Management Conference, Tehran- Iran.
Project Management Institute. (2008). A guide to the project management body of knowledge (PMBOK® guide) (4th ed.). Newtown Square, PA: Project Management Institute.
©2013 Puian Masudifar, Fereydoun Fardad, Majid Farahani
Originally published as a part of 2013 PMI Global Congress Proceedings – Istanbul, Turkey