1. Faculty of Applied Sciences, Dept of Computing, Engineering and Technology ATF 202 – Project Risk Management Alan Stafford Project Manager, AMAP/Digital Factory project

2. Learning outcomes: What is meant by the term risk in the context of projects Be aware of the significance of risk and its role in project management Understand the meaning of Hazard, Risk & Importance Understand the elements and intent of Risk Analysis and purpose of a risk register Understand the elements and intent of Risk Management Cultural nature of risk management Faculty of Applied Sciences, Dept of Computing, Engineering and Technology ATF 202 – Project Risk Management

3.  We live with RISK every day  How do you assess risk?  80 mph on motorway?  40 mph past a primary school?  Aren’t you making a mental sum of the likelihood of an incident and the consequences?  Do you think differently for something new as opposed to a regular activity?  Do you reflect before action, during and after? Introduction & reflection

4.  Are we rational about risk? Which is the greater risk, MMR vaccine, Nuclear Power, Flight or everyday Driving ? What about cycling in traffic?

5.  If you were managing a project would the everyday way you deal with risk be good enough?  What if something went fatally wrong?  What if an occurrence adversely affected the project delivery and you incurred a penalty?  What if you left part way through the project? Introduction & reflection

6. Risk in Projects What is different about Risk in projects and everyday life? Why are project managers particularly concerned with risk?

7. Risk in Projects  Projects are one off undertakings as opposed to operations where things are tried and tested.  Therefore greater likelihood of things going wrong  Consequences (magnitude) can be serious  Need to have a robust approach

8. Basic concepts of Risk Terminology and concepts

9. Basic concepts of Risk Risk = “The possibility of suffering harm or loss” (as a result of exposure to the hazard) Importance = Likelihood x Magnitude A Hazard = something that has potential to cause harm or loss e.g. delays, cost, failure What are the hazards, risks & importance for The turkey? The cooks “project”?

10. Risk in Projects  What kinds of risk affect projects? Technical failure Project Risks (internal) Human error Acts of nature Business failure due to Political, Economic, Technological, Social, Legal, Environmental changes Consequence: Project becomes invalid Responsibility of Senior management Part of the Business Case Consequence: Deviation from the project Physical financial Schedule Business Risks (external)

11. Risk in Projects  What kinds of risk affect projects? Technical failure Project Risks (internal) Human error Acts of nature Responsibility of the Project Manager Consequence: Deviation from the project Physical financial Schedule

12. Methodologies To ensure consistency and quality of approach it is normal to follow a recognised methodology

13.  There are various frameworks and models to help deal with risk and they are all very similar Project Management Institute Methodologies

14. Methodology All methods can be broken down into : “Risk Analysis” & “Risk Management” We will follow the Project Management Institute model

15. Methodology

16. 1) Risk Identification 2) Risk Quantification Two key concepts – Hazard and risk What is a hazard? A Hazard- something that has potential to cause harm to a project e.g. delays, cost, failure What is a Risk? Risk = “The possibility of suffering harm or loss from exposure to a hazard”. Risk Analysis

17. 1) Risk Identification 2) Risk Quantification Two key concepts, Hazard and risk Risk Analysis Hazard? Risk (magnitude x likelihood)? What would be the consequences? For the individuals concerned? For you & the firm? For the delivery of the project?

18. 1) Risk Identification 2) Risk Quantification Two key concepts, Hazard and risk Risk Analysis Hazard? Risk (magnitude x likelihood)?

19.  Generic hazards, e.g.  People factors  experience and appropriateness of experience  skills, turn-over rate, level of absenteeism  cultural differences Risk Analysis 1) Risk Identification 2) Risk Quantification What is a hazard?  Project specific hazards, e.g.  Application specific factors  the nature of the application  complexity of the project  the size and cost of the project

20.  Generic hazards, e.g.  People factors  e.g. experience and appropriateness of experience  skills, turn-over rate, level of absenteeism  Project specific hazards, e.g.  Application specific factors  the nature of the application  Complexity of the project  the size and cost of the project Risk Analysis 1) Risk Identification 2) Risk Quantification Think about where can things go wrong? Inputs might be:  Product breakdown structure – impact on cost, quality, schedule  Work breakdown structure  Estimates – optimistic, pessimistic?  Team (experienced/inexperienced)  Similar project to another or new ground? What is a hazard?

21.  Two main approaches  Use of checklists  Brainstorming When would you use each method?  Knowledge based software is also available to help with the task of hazard identification Risk Analysis 1) Risk Identification 2) Risk Quantification Hazard & Risk? Generic hazards Project specific hazards

22.  How do we put a value on the risks identified?  This may feed back to senior management (go/no go)  May influence the contingency funding/planning Risk Analysis 1) Risk Identification 2) Risk Quantification

23. Risk Analysis 1) Risk Identification 2) Risk Quantification  Once identified risks should be assessed for their possible affect on the project  The level of importance or priority of a risk must also be established.  This is often done by assessing the risk value  Possible to use qualitative/quantitative methods

24. Risk Analysis 1) Risk Identification 2) Risk Quantification Marginal - Minimal effect on project e.g. project approval delays Minor – Some effect on project e.g. delay, change in personnel/suppliers Intermediate – Significant effect on project e.g. cost overrun > 10%, equipment not fit for purpose Major - Severe effect on project e.g. project failure, major injury to personnel, Qualitative method of displaying risk

25. Risk Analysis 1) Risk Identification 2) Risk Quantification Advantage of qualitative methods is that they are easily understood from an overall point of view – showing those risks which need attention. Doesn’t show the “value” of the risk, i.e. the expected cost

26. Risk Analysis 1) Risk Identification 2) Risk Quantification  Risk impact is often estimated in monetary terms  Risk likelihood is assessed as a probability  Risk exposure therefore is an expected cost

27. Risk Analysis 1) Risk Identification 2) Risk Quantification Hazard Likelihood Impact Exposure 1Changes to the requirements1 8 8 specification during coding 2Specification take longer than3 7 21 expected 3Staff sickness affecting5 7 35 critical path activities 4Staff sickness affecting10 3 30 non-critical activities Quantitative method of displaying risk

28. Risk Analysis 1) Risk Identification 2) Risk Quantification Hazard Likelihood Impact Exposure 1Changes to the requirements10% £8k £800 specification during coding 2Specification take longer than10% £6k £600 expected 3Staff sickness affecting30% £20k £6,000 critical path activities 4Staff sickness affecting60% £3k £1,800 non-critical activities Quantitative method of displaying risk, can be shown in monetary terms

29. Risk Analysis 1) Risk Identification 2) Risk Quantification Output from this process is a Risk Register

30. Methodology So we have covered the two elements of Risk Analysis using the PMI methodology And have a Risk Register

31. Methodology Having identified & quantified the risk what are we going to do about it? That’s where Risk Management comes in

32. Risk Management  Having identified the major risks and allocated priorities, the next task is to decide how to deal with them and there are 3 main options 3) Response Development 4) response Control

33. Risk Management  3 options 3) Response Development 4) response Control  Risk acceptance  Risk avoidance  Mitigation  Risk reduction  Risk transfer  Contingency

34. Risk Management  Risk acceptance  Risk avoidance  Mitigation  Risk reduction  Risk transfer  Contingency  Unlikely occurrences  Things you can’t do anything about  “Acts of God”  Could also be something where the fix costs more than the problem! 3) Response Development 4) response Control

35. Risk Management  Risk acceptance  Risk avoidance  Mitigation  Risk reduction  Risk transfer  Contingency  Attempts to “Design Out” the risk  Avoid the activity or issue, but  by doing so may introduce another 3) Response Development 4) response Control

36. Risk Management 3) Response Development 4) response Control  Risk acceptance  Risk avoidance  Mitigation  Risk reduction  Risk transfer  Contingency  Reduce either likelihood and/or the impact so that it is acceptable, e.g.  ensure expert is used to reduce risk of failure

37. Risk Management 3) Response Development 4) response Control  Risk acceptance  Risk avoidance  Mitigation  Risk reduction  Risk transfer  Contingency  Transfer the impact, e.g.  Insurance policy – known cost v impact  Particularly lends itself to physical risks  Your own car or house insurance  Penalty clause with supplier  Benefit: reduce likelihood & impact

38. Risk Management 3) Response Development 4) response Control  Risk acceptance  Risk avoidance  Mitigation  Risk reduction  Risk transfer  Contingency  Holding something in reserve – should the worst happen, e.g.  Reserve funds  Playing safe  Add additional time to uncertain process  Backup supplier/plan Activated when a trigger takes place, i.e. Response Control

39. Risk Management 3) Response Development 4) response Control Risk management plan is a response to, and an extension of, the Risk Register Details of responses are recorded and the trigger points that bring them into action

40. Risk Management 3) Response Development 4) Response Control Ongoing activity throughout the project, part of the plan-action-monitor-control cycle  No matter how thorough the Risk Analysis unforeseen events will arise.  Control can be broken down into  Passive &  Active responses

41. Risk Management 3) Response Development 4) Response Control  Passive control  Ensuring steps in Response Development are implemented at triggers  Active control  Constant monitoring of triggers  May be part of a risk calendar for example.  Work arounds for unseen occurrences  Last resort/necessary evil – to be avoided.

42. Summary  Projects are one off undertakings -therefore more risk than normal operations  Terminology – Hazard, Risk, Importance  Methodology – Various standards  Typically consist of elements that can be broken down into:  An example is:

43. Summary  Risk management is a culture  not a paper exercise or bolt on  has strategic implications, e.g. damage to reputation, loss of future business  Generally more successful if team based  Risk owned by individuals but all contribute  Contributes to “ownership” and “buy-in”  No-Fear culture, i.e. don’t shoot the messenger  Encourage a “learning organisation”  Not a cost but a saving

44. Faculty of Applied Sciences, Dept of Computing, Engineering and Technology ATF 202 – Project Risk Management Q & A