Identifying and Managing Critical Project Risks

IdentifyingandManagingCriticalProjectRisks
Tom Kendrick, PMP
Program Director, UC Berkeley Extension Project Management Curriculum

John Canniffe
American Management Association

Our Presenter Today

Tom Kendrick, PMP, is Program Director for the University of California Berkeley Extension Project Management curriculum. He is author of Identifying and Managing Project Risk, Project Management Tool Kit, and 101 Project Management Problems and How to Solve Them. He regularly conducts classes and presentations on program, project, and risk management for conferences, associations, and universities. He also spent over 20 years with Hewlett Packard in its Project Management Initiative and has almost 40 years of worldwide PM experience, including work for Visa, DuPont, General Electric, and as an independent consultant.

Defining Risk
Insurance industry: Loss times Likelihood. PMI PMBOK: An uncertain event or condition that, if it occurs, has an effect on at least one project objective. Wikipedia: Risk denotes a potential negative impact to some characteristic of value that may arise from a future event.

Keys: Probability and Impact

All risk definitions include the themes of chance and material damage. Estimating Probability:
Risk likelihood (percentages)

Estimating Impact:
Risk consequences (time lost, money spent, extra effort, or other impact)

Risk Probability: Uncertain

Probability estimates may be based on mathematical models, empirical analysis, or guesses.

Project risk probabilities are usually guesses, generally highly uncertain, and are often biased.

Risk Impact: Also Uncertain

Impact estimates are based on incremental assessment of time, cost, effort, or other consequences of risks. Estimate accuracy is no better than other project estimates, and the focus tends to be on easily measurable consequences.

"Not everything that can be counted counts, and not everything that counts can be counted." -- Albert Einstein

Black Swans
Assumed to be true: All swans are white. In 17th century logic, A black swan was something that could not occur. Then, people journeyed to Australia. Today: A Black Swan may be any largeimpact, hard-to-predict, rare event.

Risk Response Dispositions

Four Options for Risks Identified: Choose to Manage: Yes Hooray for Us No

Yes Risk Occurs: No

Risk Response Dispositions

FourOptionsforRisksIdentified: Choose to Manage: Yes Hooray for Us No

Yes Risk Occurs: No

Lucky

Risk Response Dispositions

Four Options for Risks Identified: Choose to Manage: Yes Hooray for Us No Black Swans (Type 2 errors)

Yes Risk Occurs: No

Lucky

Risk Response Dispositions

Four Options for Risks Identified: Choose to Manage: Yes Hooray for Us No Black Swans (Type 2 errors)

Yes Risk Occurs: No

Oh Well (Type 1 Errors)

Lucky

Type 1 Errors: Waste

Managing a risk that fails to materialize Any risk can happen. Justifying action may be hard.

If you act to prevent a risk that does not occur, criticism is common, because you can never prove that your estimates of potential harm were appropriate.

Type 1 Error: Y2K?

Doomsday 2000 Peter de Jager. ComputerWorld, 1993: One IS person surveyed 104 systems, 18 would fail in the year 2000. These 18 mission-critical systems contained over 11,000 programs, data-entry screens, and databases. With less than seven years to go, someone is going to be working overtime. Risk Probability: Very High (essentially 100%) Risk Impact: Also Very High Cost of Mitigation: Hundreds of Billions of Dollars, worldwide Actual result: The world did not end. Worthwhile?

Type 2 Errors: Damage

Failing to managing a risk that does occur Risks with estimated low probabilities do happen (Black Swans).

Again, after-the-fact criticism is common: You failed to see and manage this (in retrospect) obvious problem.

Type 2 Error: BP Gulf Oil Spill

BP operates deep sea oil wells lots of them. Each is complex, and has minimal and fragmented oversight. In 2010 the Deep Sea Horizon project took shortcuts and people on site had little power. Risky? Risk Probability: Assumed to be Very Low Safe so Far Risk Impact: Poorly estimated, though insured (to some extent), so seen as Low Result: BP has established a $20 billion spill response fund, but this is not a cap (And: Corporate reputation? Wildlife? Gulf region economies? )

Managing Risks with Heat Maps

Probability
Very High High

Hi gh e

st

Ri sk

Moderate Low Very Low

Lo we s

tR

isk
Low Moderate High Very High

Very Low

Impact

Some Issues with Heat Maps

They appear to be symmetric: Are the corners the same? Heat maps are subjective, based on guesses.
Probability
Very High High

Hi gh es

tR

is k

Moderate Low Very Low

Lo we

st

Ri sk
Low Moderate High Very High

Very Low

Impact

Sorted lists (or tables) based on credible impact assessment weighted with quantitative probabilities can be much more useful. But What do you do about the inevitable uncertainty?

Expected Impact of a Risk

Quantitative assessment of each significant risk:
Loss times likelihood

Probability:
Base percentage estimates on history, a model, simulation, or whatever credible methods you find.

Impact:
Identify units of measure for material impacts, and develop realistic estimates of potential consequences for each impact type.

Example: Expected Risk Impact

Risk:
Loss of a key contributor with unique skills

Probability:
Based on past projects, fairly low, about 20-30%

Impact:
Cost: Hiring and training a new person $1000-$2000. Duration: Two to six weeks of delay for hiring and learning curve.

Expected (based on worst cases):

Consequences: ~$600 and about two weeks of slip.

Set Materiality Thresholds

Determine the risk appetite of management. Determine a High/Low discrimination points based on risk tolerance. Probability:
High: Likely enough to cause concern (e.g.: >30%). Low: Low enough to be considered unlikely. Not known: No good basis for assessment.

Impact:
High: Visible impact to the organization (e.g.: Estimated impact exceeding project cost). Low: Impact not significant outside the project. Not known: No reliable basis for assessment.

The Easy Cases

High Impact with High Probability Manage all:
Treat these risks as issues or problems. Work to develop a response. Accept only if there is no effective response, but always investigate recovery options. Use risk analysis to establish risk reserves for budget, schedule, or both.

Low Probability with Low Impact Accept all:

Note and monitor only (if the estimates are credible).

Risk Map (Reflecting Uncertainty)

Probability: High Manage All

Not Known

Low

Accept All

Impact:

Low

Not Known

High

Other Risk Responses

But what about the rest? Low probability risks with high impact estimates? Risks with non-quantitative significant impact? Risks where the prevention (avoid/mitigate/transfer) costs are well below the loss times likelihood. Risks with moderate (or low) probability/impact assessments? Risks where your best probability estimates are WAGs? Risks where your best impact estimates are WAGs?

High Impact with Unknown or Low Probability

Manage most: Because impact would be material, develop responses for all risks with unknown probability. Be skeptical of low probability risk estimates. Consider responses for all high impact risks where you cannot afford the impact. For risks accepted, do develop contingency plans. Accept some: If the cost of the response exceeds the expected risk. If there is no known response (but the overall project benefits justify the risk). Closely monitor all of these risks.

Risk Map (Reflecting Uncertainty)

Probability: High Manage All Manage Most

Not Known

Low

Accept All Low Not Known

Manage Most High

Impact:

Unknown Impact with High, Low or Unknown Probability Consider worst-case impact: Determine ranges for impact, and consider the consequences of the worst cases. Manage most risks if the impact appears to be high. Consider managing where an effective response would require only trivial project changes. Accept where: The cost of a response would exceed the worst-case cost of the risk. The expected cost of the risk fails to justify the best identified response. (But do consider contingency actions, especially if the impact could be significant.

Risk Map (Reflecting Uncertainty)

Probability: High Manage Most Consider Worst-case Impact Accept All Low Consider Worst-case Impact Not Known Manage All Manage Most

Not Known

Low

Manage Most

Impact:

High

Low Impact, Any Probability

Accept most: For low impact risks, ad-hoc responses may be sufficient. Consider managing where an effective response would require only trivial project changes. Monitor all risks, and plan to reassess impact periodically, especially for longer projects.

Risk Map (Reflecting Uncertainty)

Probability: High Accept Most Manage Most Manage All Manage Most

Not Known

Accept Most

Consider Worst-case Impact Consider Worst-case Impact Not Known

Low

Accept All

Manage Most

Impact:

Low

High

Justifying Type 1 Errors

Clearly document significant investments made to manage risks:
Use data to show the damage. Use historical project information to show impact and occurrence of past risks. Do simulations to test project impact assumptions. Identify all beneficial side effects of risk management tactics. (For example: Process improvements that also increase efficiency.)

Solicit early sponsor and stakeholder support (in writing) for actions adopted.

Minimizing Type 2 Errors

Manage estimating bias:
Probability: People significantly overestimate chances of beneficial outcomes and underestimate them for adverse results. Probe for reasons and ranges, and use highest estimates. Impact: Work to uncover worst cases and root causes. Investigate unintended consequences and probe for correlations with other risks and events.

Respond to all risks that are under your control. Develop a strong case for risk responses requiring changes needing sponsor and stakeholder approval. Document all risks not managed, and strive to establish project-level risk reserves.

Summary
Know your project risks, and manage all significant risks there usually are more than you think. Be skeptical of estimating bias around impact and especially probability; assess all risks realistically. Accept some waste. Develop a sense of overall project risk and clearly communicate the downside (worst case) exposure. Scrupulously manage all project changes, and periodically review project plans to reassess risks.

Thank You!

Tom Kendrick, PMP

Program Director, UC Berkeley Extension 2010 President, PMI Silicon Valley, CA Chapter

The AMA Solution:

Project Risk Management:

Practical Techniques for Failure-Proofing your Projects
Seminar #6501

Specific approaches for uncovering project risks Thorough survey of risk assessment techniques How to lessen the impact of risks on key project components Strategies and methods to respond to significant project risks Develop a plan to handle risks in your project environment

Use Promo Code: LDGU for $100 Discount

(you must register before July 15, 2011) www.amanet.org or 1-800-262-9699

Webcasts
July 27: Ten Steps for Innovating with Speed Aug 3: Wired & Dangerous: Transforming Demanding Customers into Eager Partners Aug 10: How to Make the Internal Business Case for Green Initiatives Aug 24: Harnessing the Power of Total Confidence Sep 7: Taking Your Leadership to the Next Level

For details and FREE registration, visit www.amanet.org/events

You can access todays webcast within three business days on www.amanet.org/editorial

Webinars
July 28: How to Project Confidence with Demanding People Aug 11: Mastering Excel Shortcuts: Powerful Tips and Tricks that Increase Your Productivity Aug 16: From Chaos to Control: How to Be Resilient to Workplace Stress Sept 8: Hiring for High Emotional Intelligence: How to Use the EQ Interview Process Sept 13: Creating Friction Free Relationships Sept 15: Managing Your Workload Sept 27: Mastering Excel Pivot Tables
For details and registration, visit: www.amanet.org/events

Questions?