9 posts categorized "Risk Management"

In March 2011, ESI International conducted a Global PMO Survey: The Global State of the PMO: Its Value, Effectiveness and Role as the Hub of Training. Some of the key findings of this survey were highlighted in a recent seminar I attended in Dubai (Risk Management Practices for Establishing and/or Sustaining a Project Management Office by Raed Hadddad):

• There is a paradigm shift from PMO Maturity to PMO Value and benefits realization
• There is a general struggle in measuring the PMO effectiveness, and in defining the appropriate metrics for this measurement
• The PMO sometimes acts as a hub of project management training, but does not measure the impact of this training in effective performance
• Most of the PMOs operate more at a tactical level and are not involved in portfolio management or benefits realization

All those topics and more will be covered during PMI's 2011 PMO Symposium in Orlando in November. If you are interested in getting more out of your PMO, make sure you do join.

I'm attending a two days workshop on IT Cost Savings & Optimization. In the afternoon, David Baumann (our host) started using a statement I made during lunch break and - funnily enough - referred to it as "The Fred Principle": There is a direct correlation between the risk transferred to a vendor in an outsourcing agreement and the economic inefficiency of this deal. In other words, if you push it too hard on your vendor, you will just end up paying more than what you might have by insurring that risk yourself in the first place. The corollary David kept using during the afternoon session actually works in a similar fashion as Occam's Razor, but in the Outsourcing context: "How would I have done it if I had kept it?".

Frederic, 318 connections changed jobs in 2010. Did you reconnect? is the title of an email I received yesterday from the well known business networking portal LinkedIn. I got lost for words. 21.24% of my network (on this site) changed job last year (me too). In other words, at this pace, in 4 years and 8 months ... statistically everyone I'm connected to would have transitioned...

Being optimistic by nature, I would assume that most of them made the jump by choice. But I cannot believe that, especially in the current economic context. The crisis did hit them hard. Really hard. It has completely reshuffled the cards, and I would assume that some of them now have a job they are not 100% satisfied with (it's a tough job market). One consequence of this situation is that as soon as the crisis is over, and there are better opportunities out there, they will be gone.

Now, let's assume for one second that you're a Project Manager, and that some of those guys and girls from my network are esteemed members of your project team. Let's look at the potential risk strategies available there...

• Avoidance: While this may typically be seen as the ultimate response to any particular risk, it also means losing the potential gain that goes along with that risk. Not hiring those "risky" employees, would mean not having someone doing some work for you, which is not really a practical solution.
• Reduction: This can take the form of reducing the severity (or likelihood) of a risk happening, or finding a balance between this risk and the benefit of the activity. You could look at outsourcing as a valid method of Risk Reduction in this scenario, if the outsourcer can demonstrate a higher capability at risk management than yours.
• Transfer Technically more of a Risk Sharing, this could take the form of and Insurance Policy that protects you financially from this risk (although not being able to perform a job has more than just a financial impact).
• Acceptance: If you can't do any of the above, well, you will have to accept the fact that they might just leave. Some risks just can't be avoided, reduced or transfered, in which case acceptance is a viable strategy, as long as properly documented, and a risk response accordingly formulated.

What would you do?

A couple of weeks ago, in the latest Risk Doctor newsletter, there was a very interesting article about repeating mistakes. David Hillson sums it up like this:

If a risk happens once, that's understandable;

If the same risk happens twice, that's unlucky;

If the same risk happens three times, that's unacceptable.

People have a natural tendency to repeat their mistakes, either by letting the same threats happen repeatedly or by constantly missing the same opportunities. If you look around you, you will realize that this is happening all over the place, and it clearly tells that Risk Management is still overlooked in most businesses. Now there's value to add!

• Manage your risks or they will manage you
  Risk management is not a passive process, you need to be on top of it.
• Commit your Top Management
  Show them the savings, quicker time-to-market, reputation increase and get their support.
• Say "NO" to the blame culture
  Share your risks with your boss, your customers, your suppliers, your colleagues, with everyone around you.
• Review risks outside the lines of business
  Have an independant Risk Review Committee who also defines and adjusts risk appetite at enterprise level.
• Learn from your mistakes
  Do not reinvent the wheel, use lessons learned and previous risk logs on similar areas

The Risk Management Plan is the key element of the Risk Management Process. It defines the Risk Process for the project, including Methodology, Roles and Responsibilities, Timing, Thresholds, Reporting, monitoring and review formats and procedures. You can find several templates on the net (like this one from PMHut), but what is really important is how you will use it, and how well it suits your own risk management processes. Amongst all criteria for judging the maturity of such a document, the two the most important in my eyes are the ability to manage threats as well as opportunities, and the ability to efficiently respond to a risk becomes an issue.

What is the risk? Why might it occur? How likely is it to occur? How bad or good might it be? Does it matter to the project? What can we do about it? When should we act? Who is responsible for the risk? Who is responsible for the response? These are all questions that should find answers in the Risk Register (part of the Risk Management Plan). This document must be reviewed and updated regularly, since new risks might arise during the lifetime of the project, and risks might realize, becoming issues, needing responses that might trigger new risks, etc.

In my Risk Register, I typically have 13 columns:

• The RiskID, which is the unique identification for a risk, used by everyone to refer to that specific risk.
• The ProjectID, which is the unique identification for the project within the corporate portfolio. If a risk is likely to happen in several project, it needs to be documented with several RiskIDs.
• The Risk Category helps predefining responses or owners. It also serves for reporting purposes, thus helping on the predetermination front for future projects.
• The Date Raised serves to track the evolution of the risk profile of a project. The more stable the risk register, the lower the risk profile of a project.
• The Risk Owner has the ultimate responsibility to monitor the risk, and to raise the occurence of the risk to the Risk Manager. This needs to be documented in the Roles and Reponsibilities section of the Risk Management Plan.
• The Risk Description is ... well ... the description of the risk.
• The Impact is the result of the Risk Qualitative Analysis process. This field will usually have three possible values (low/medium/high), or if you want to more precisely rank your risks, five possible values (very low/low/medium/high/very high).
• The Probability is the result of the Risk Quantitative Analysis process. This field will have similar values as the Impact (i.e. 3 or 5 possible values).
• The Priority is a calculated field (which is why I usually use an Excel spreadsheet for my risk registers, unless I have access to an Enterprise Project Management software. It is a combination of Probability and Impact, and you can live without it, it just allows a quicker filtering on those who need your attention.
• The Response Description is ... well ... the description of the response to the risk.
• The Response Type is one of the following: Avoidance, Trnsfer, Mitigation, Acceptance. This will also help monitoring the efficiency of the risk management processes.
• The Response Owner has the ultimate responsibility to act in the event of a risk realized. It can be someone else as the Risk Owner, and it needs to be documented in the Roles and Responsibilities section of the Risk Management Plan.
• The Realized Date is the date when a Risk has triggered. This is the moment when a RiskID leaves the Risk Register to enter the Issue Log to continue being monitored in this document.

I understand this might look a little cumbersome, but in most situations, it can be the difference between saving a project and pulling the plug...

Very few organizations are capable of admitting that possibility of success is gone and that a project is failing. If expected benefits can't be delivered and deadlines can't be met, for the greater health, such projects must be terminated. It is never an easy decision to make, and it requires an objective and pragmatic analysis: Trade-offs need to be carefully weighted, and you need to have a comprehensive plan to address all anticipated issues (politics, expenses, relationships, etc).

Pulling the plug is important, because the cost associated with continuing the project might be (much) higher than the cost of terminating the project. This is valid for every single type of project, even a job hunting project: sometimes, it is better to back off if you don't feel comfortable with the way things are looking like.

It has been a long time since I wanted to talk a bit more about risk. Risk Management is one of my preferred knowledge areas in the Project Management Body of Knowledge, but the sad thing is that it is often misused. It starts with the definition of a risk. In the common language, a risk has always a negative connotation: it refers to the possibility of misfortune or loss; to hazard; to something exposing to danger; perilous. To be honest, most people just keep looking at that single side of the coin. If you want to implement an integrated risk management process, you will have to consider that risk isn't always just a bad thing.

The PMI defines risk as an uncertain event or condition that, if it occurs, has a positive or negative effect on an objective. Dr. David Hillson has a much simpler definition of a risk: an uncertainty that matters. I love this sentence. It clearly outlines the two dimensions of a risk: the uncertainty (or probability); and the effect on objectives (or impact). That makes things easier to understand: if you can predict 100% of chances for something to happen, then it is not a risk. Nor is it a risk if it is uncertain, but has no impact at all on the project or its deliverables.

That being clarified, the PMBOK defines Risk Management as the systematic process of identifying, analyzing and responding to risk. There is a suitable set of processes in the framework to deal with risks, that works for both threats and opportunities. These processes naturally follow the phases of a project, but really need to be taken seriously. Underestimate them and chances are high that you will end up pulling the plug.

Coming next: The Risk Management Plan

Voici une explication très simple pour ceux qui essaient encore de comprendre ce qui s'est passé :Madame Ginette a une buvette à Bertincourt, dans le Pas-de-Calais. Pour augmenter ses ventes, elle décide de faire crédit à ses fidèles clients, tous alcooliques et presque tous au chômage de longue durée. Vu qu'elle vend à crédit, Madame Ginette voit non seulement augmenter sa fréquentation, mais en plus peut augmenter légèrement les prix du calva et du ballon de rouge.

Le jeune et dynamique directeur de l'agence bancaire locale, quant à lui, considère les ardoises du troquet comme des actifs recouvrables, et commence à faire crédit à Madame Ginette en prenant les dettes des ivrognes comme garantie. Au siège de la banque, des traders avisés transforment ces actifs recouvrables en CDO, CMO, SICAV, SAMU, OVNI, SOS et autres sigles financiers incompréhensibles.

Ces instruments financiers servent ensuite de levier au marché actionnaire et conduisent, au NYSE, à la City et aux Bourses de Francfort et de Paris à des opérations de dérivés, dont les garanties sont totalement inconnues de tous : les ardoises des ivrognes de Madame Ginette.

Ces dérivés sont négociés pendant quelques années comme s'il s'agissait de titres solides et sérieux sur les marchés financiers de 80 pays, jusqu'au jour où quelqu'un prend soudainement conscience que les alcoolos du troquet de Bertincourt n'ont pas un rond pour payer leurs dettes.

La buvette de Madame Ginette fait faillite ... et le monde entier l'a dans le luc ...

Voici un autre lien qui explique de façon plus détaillée comment cela fonctionne...