230 likes | 1.17k Views
Creating Risk Intelligence A High Level “How To” Guide for Program Managers Nathan Houser & Sean Conlin, Deloitte November 2006 This presentation is incomplete without the accompanying discussion Agenda What’s in it for me!? A day-in-the-life…can we make this better? Making it happen…
E N D
Creating Risk IntelligenceA High Level “How To” Guide for Program Managers Nathan Houser & Sean Conlin, Deloitte November 2006 This presentation is incomplete without the accompanying discussion
Agenda • What’s in it for me!? • A day-in-the-life…can we make this better? • Making it happen… • Critical success factors… • What can I do on Monday morning?
What is a Risk? • RISK = potential loss from inability to achieve a program’s objectives • caused by people, process, system, or external factors • Impact can be positive or negative • Risks can result from any combination of factors • people, process, systems, technology, science, or external events
Federal Project Directors Contractor Project Managers DoE’s World of Risk Management Program Managers
What’s in it for me? Leaders, managers, and staff alike benefit from risk management. • Higher impact programs • Better control of the overall portfolio • Stronger focus on long-term rather than short-term • Time to focus on areas currently neglected • More predictable cost estimates • Less chaotic days, that are more productive • More visibility in project activities • Fewer and simpler legislative reporting requests • Better client relationships • More predictable quality of life • Mechanism to raise issues and have resolved • More follow-on work
Risk Intelligence Differs by Program/Project Specific objectives dictate desired level of risk sophistication. Built into decision-making Risk interactions are managed with incentives Intelligent risk taking Sustainable “Risk management is everyone’s job” Integrated response to adverse events Performance linked metrics Rapid escalation Cultural transformation underway Bottom-up Proactive Tone set at the top Policies, procedures, risk authorities defined and communicated Business function Primarily qualitative Reactive Reaction to adverse events by specialists Discrete roles established for small set of risks Typically finance, insurance, compliance Ad-hoc / chaotic; depends primarily on individual heroics, capabilities and verbal wisdom 1: Tribal & Heroic 2: Specialist Silos 3: Top-Down 4: Systemic 5: Risk Intelligent
The Life of the Tribe Daily life is chaotic, ad-hoc; heroics carry the day. • Negative surprises are the norm • Regular re-baselining • Difficult conversations with FPDs & Appropriators • Lots of stress, reacting to events • To do list grows not shrinks • Stay late, no kids, no gym • Less job satisfaction • Despite planning, seem to be reacting • Difficult client meetings • Long hours, stressful days • Muddled job satisfaction
The Life of the Tribe Project assessments in a reactive culture. “The risk assessment performed does not adequately distinguish amount of contractor risk and government risk.” “The risk contingency is considered marginal at best.” “The potential for substantial changes in the project design as a consequence of external reviews is an unrecognized risk.”
Life with Leadership Senior Leadership imposes top-down risk controls • On a mission to stop rampant re-baselining • Establish new risk policy/procedures • Many meetings to rigorously enforce policy/procedures • Reactive but feeling of progress • Increased OH due to PM pressure on cost re-baselining • Some additional risks factored into re-baselines • Still reactive • Increased OH • Numerous meetings to discuss risks & mitigation • Difficult contingency budget conversations with FPD • Concern risk conversations distracting from PM role
The Good Life… Risk Intelligence proactively a part of all activities • FPDs proactively anticipate risk/mitigation plans • Stable baselines • DOE studied as best practice for Risk Intelligence • Seen as proactive/credible by Appropriators • Reduced OH • Proactively out ahead of mitigating prioritized risks • Recognized for excellence in PM • Recent crisis, executed plan, still home at normal time • Excellent client relationship • DOE business growing • Monthly reports include updates on top risks/mitigation • Strong job satisfaction/personal health up, working out
Getting there from here… Structured methods, tools, and reporting provide predictable results. Methodology Tools Management Reporting
Department Operations Programs IT Investments Procurement Legislature Strategic Planning Risk Management Human Capital Five-step Risk Management Lifecycle The risk lifecycle applies across all parts of a program or project. . ExecutionComponents Managing Risk 1. Identify Risks 2. Assess & Measure Risks 3. Respond to Risks 4. Design & Test Controls 5. Monitor, Assure & Escalate Governance Technology Strategic Operational Hazard People Process Compliance Financial FoundationalElements Risk Areas
Step 1. Identify the Top (relevant) Risks Hundreds of insignificant risks can easily distract from a few critical.
Step 2. Assess and Measure the Risks Evaluate each risk and its impact on cost, scope, and schedule. major weather event Natural Environ. dominate party change Political reduction in supplyavailability ↓ constituent priority shift External Risks Social Reduction in available funding ↑↓ technology innovation Technological reduction inavailable funding ↓ reorganization Inter-Dept/Agency Changes solution ↑↓ Objective: Complete entire Project by 2010 within budget Infr. not avail. ↓ changespriorities ↑↓ Union contract expires ↑↓ Inadequate projectmonitoring ↓ Infrastructure Improved constructionmethods ↑ Personnel Internal Risks Process Technology
Step 3. Respond to Risks Choose the corrective actions, execute, and evaluate effectiveness. Identify corrective actions Monitor effectiveness of actions
Step 4. Design & Test Controls Corrective actions result in mitigated risk, but come with a cost. Sample risk: Technology advances and innovation require design changes. Very High # 1 #2,3 High Incremental Mitigated Risk(Perform Cost/Benefit Analysis) #2,3,4 Corrective Actions Residual Risk Medium #2,3 Low #2,3,4 Actual Planned Very Low Q3 ‘08 Q1 ‘06 Q2 ‘08 Q2 ‘06 Q3 ‘06 Q4 ‘06 Q1 ‘07
Corrective Action Status Risk reduced to an acceptable level Risk reduction occurring, not complete Further action required Step 5. Monitor, Assure, and Escalate Complete set of risks must be considered to understand the risk profile. Very 5 6 High 10 3 1 3 8 7 2 Inherent (Gross) Risk 4 • Example Risks: • Technology Innovation • Departmental Reorganization 9 Very Very Current Residual (Net) Risk Low High
Critical success factors… Everyone has a role to play in making risk management part of the culture. • Seek and maintain senior leadership sponsorship • Establish common language for risk management • Integrate risk management across programs • Focus on changing the culture, not on executing the tactics • Assign ownership of risks as appropriate (gov’t, contr.) • Coordinate risk management across project • Focus on the value to all of managing risk, not the burden • Raise ALL risks identified “on the ground” • Designate operational accountability for corrective actions • Make risk management a priority
For more information… • Sean Conlin • sconlin@deloitte.com • Nathan Houser • nhouser@deloitte.com