Managing the risks of risk management
American Society of Quality Chapter 509, Washington DC
November 2006 Software SIG Meeting, November 29, 2006
John E. Moore, Ph.D., Systems Engineer, Northrop Grumman Corporation
Unclassified
Risk Management is Popular!
• “Risk management is the best of the best practices”
  • Then why aren’t you doing it?
• “Risk management is just project management for adults”
  • If you aren’t doing it, you must not be “mature”
  • What’s wrong, are you afraid to behave like a “grown-up” and face your risks?
• The PMP exam tests you for knowledge of risk principles and risk management
• CMMI has a process area dedicated to risk
What Could Possibly Be Risky About Risk Management?
• Risk/reward law of economics (1)
  • Great gains are accompanied by taking great risks
  • If risk management is so powerful, it likely involves significant risks
• Sources of risk for risk management
  • Model weaknesses
  • Human/political weaknesses
  • Implementation weaknesses
What is a “Risk?”
• Definition
  • An event or condition which might occur in the future and which results in a negative impact or failure
  • An uncertainty with positive or negative consequences (PMI definition, ref. 7)
  • A situation where the outcome is not known with certainty, but the probability of each outcome is known (Ormerod, ref. 8)
• Characterization
  • A natural byproduct of doing work, especially unique, creative, innovative, unexplored work
  • Not problems: problems are negative impacts that have already occurred or are certain to occur
What is an “Opportunity?”
• Definition
  • An event or condition which might occur in the future and results in a positive benefit
  • A risk with positive consequences (PMI definition)
• Characterization
  • Planned opportunities, i.e. the project plan: every element of the project plan represents a future event that has benefit
  • Unplanned opportunities: this is what people usually mean by “opportunities”, i.e. serendipity
Example – BP Texas City Refinery Explosion, March 2005
• “Cost-Cutting Led to Blast at BP Plant, Probe Finds” (Washington Post headline, Oct 31, 2006)
• What were the risks?
• What were the opportunities?
Purpose of Project Risk Management
• Assist proactive, rational decision making
• Minimize surprises
• Temper enthusiasm with skepticism
  • Programmers and engineers are inherently optimistic problem solvers
  • They need a “reality check”
• Identify threats to the project
The purpose of risk management is not to eliminate risk: if you eliminate risk, you eliminate opportunity.
Model Weaknesses in Risk Management
[Figure: Risk Radar, a typical risk model]
• Probability and impact values are based on subjective “professional” opinion
  • Unfortunately, there are few other options
  • Potential for political influence
• Impact categories are non-linear (4)
• Impact types are not independent
Model Weaknesses - cont’d
• Ultimate impacts are difficult to predict
  • The actual impact to the project can occur through multiple decision paths, some with worse impacts than others
• The connection to the associated opportunity is missing
  • This prevents consideration of opportunity maximization as a strategy instead of only risk mitigation (5)
• If you have enough information to calculate the risk, it probably isn’t much of a risk!
Model Weaknesses - cont’d
• Risk exposure (probability combined with impact) is treated as a metric
• In most cases we have no backup data
• Thresholds are inappropriate
• Comparison of risk exposure between projects is unreliable
• The threat time frame is not considered
Impacts: unreliable information is used in decision making; people do not trust the model; risk management fails to provide value to the project
Mitigating Model Weaknesses
• Focus on the strengths of the model
  • Identification and prioritization
• Recognize the weaknesses
  • Risk exposure is not a metric
• Focus efforts on the Top N risks (6)
• Include the associated opportunity when modeling risk
• Develop simple rules of thumb (8)
The purpose is to help you make informed decisions, not to make those decisions for you.
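The following Python script is an added illustration of the two preceding slides and is not part of the original presentation. It assumes the common tool convention (not spelled out on the slides) that “exposure” is the probability category multiplied by the impact category, both on a 1..5 scale. The probability midpoints, the dollar bands behind the impact categories, the four risks and the review interval are all constructed for the example. It shows why that ordinal product is a ranking aid rather than a metric: two risks with equal exposure can differ fifty-fold in expected loss once the non-linear impact bands are taken into account, the Top N list changes accordingly, and a risk whose time window closes before the next review is invisible to either ranking.

```python
"""Ordinal risk exposure versus expected loss: a constructed example.

Risk-register tools commonly score each risk with a probability category and
an impact category (both 1..5) and call the product "exposure". Because the
impact bands widen non-linearly, equal products can stand for very different
expected losses, and the Top N list changes when the bands are taken into
account. All categories, dollar bands and risks below are made up.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

# Assumed representative probability for each 1..5 probability category.
PROB_MIDPOINT = {1: 0.10, 2: 0.30, 3: 0.50, 4: 0.70, 5: 0.90}

# Assumed representative loss (USD) for each 1..5 impact category. The bands
# grow roughly five-fold per step, so category 5 is not "five times" category 1.
IMPACT_MIDPOINT_USD = {1: 10_000, 2: 50_000, 3: 250_000, 4: 1_000_000, 5: 5_000_000}


@dataclass(frozen=True)
class Risk:
    name: str
    prob_cat: int     # probability category, 1..5
    impact_cat: int   # impact category, 1..5
    window_days: int  # days left in which the initiating event can still occur


def ordinal_exposure(risk: Risk) -> int:
    """Exposure as the tool computes it: probability category times impact category.

    This is an ordinal score: it orders risks but measures nothing, so a 9 is
    not "almost twice as bad" as a 5 and has no meaning across projects.
    """
    return risk.prob_cat * risk.impact_cat


def expected_loss_usd(risk: Risk) -> int:
    """Exposure on a ratio scale: representative probability times representative loss."""
    return round(PROB_MIDPOINT[risk.prob_cat] * IMPACT_MIDPOINT_USD[risk.impact_cat])


def top_n(risks: Iterable[Risk], n: int, score: Callable[[Risk], float]) -> list[str]:
    """Names of the n highest-scoring risks; ties keep register order (sorted is stable)."""
    return [r.name for r in sorted(risks, key=score, reverse=True)[:n]]


def closing_before_next_review(risks: Iterable[Risk], review_interval_days: int) -> list[str]:
    """Risks whose window closes before the next review, whatever their score.

    A ranking by exposure alone never surfaces these; the time frame must be
    checked as a separate view of the register.
    """
    return [r.name for r in risks if r.window_days <= review_interval_days]


# Constructed risk register for the example.
REGISTER = [
    Risk("A: vendor slips a minor deliverable", prob_cat=5, impact_cat=1, window_days=120),
    Risk("B: flooding of the primary data centre", prob_cat=1, impact_cat=5, window_days=365),
    Risk("C: key engineer leaves mid-integration", prob_cat=3, impact_cat=3, window_days=90),
    Risk("D: regulator rejects the test evidence", prob_cat=2, impact_cat=4, window_days=21),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:42s} exposure={ordinal_exposure(r):2d}  "
              f"expected loss=${expected_loss_usd(r):>9,d}  window={r.window_days}d")
    print("Top 2 by ordinal exposure:   ", top_n(REGISTER, 2, ordinal_exposure))
    print("Top 2 by expected loss:      ", top_n(REGISTER, 2, expected_loss_usd))
    print("Closing before 30-day review:", closing_before_next_review(REGISTER, 30))
```

Risks A and B both score 5 on the ordinal scale, yet B’s expected loss is about fifty times A’s; C heads the ordinal Top N but drops to third by expected loss; and D is the only risk that needs a decision before the next review, which neither ranking shows. Expected loss is not “the” metric either: the midpoints are still subjective estimates, which is why the slides recommend using the model for identification and a Top N list rather than for thresholds or comparisons between projects.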
Human Factors in Risk Management
• Risks are perceived as negative events (failures or losses) which might occur in the future
• Negative information is very powerful (e.g. lessons learned, peer reviews, quality measurement, testing, risk assessment)
• Negative information can be very hazardous
  • People work in competitive environments
  • Negative information can be used destructively by the competition
  • Negative information can be misused and abused
Human Factors - Example
Newspaper headlines from the John M. Rusnak rogue-trading case (Allfirst, a subsidiary of Allied Irish Banks, 2002):
• “Irish Bank Hit by Fraud”
• “How to Lose $750m”
• “Stock Market Rocked”
• “Rogue trader meets FBI”
‘Mr Middle America’ John M. Rusnak hid millions of dollars of trading losses to avoid telling his boss he had made a mistake.
People often do not deal well with negative information (2)
Human Factors - cont’d
• Some will distrust the risk management process
• Some will go overboard – “Chicken Little Syndrome” (3)
Impacts: failure to identify and manage important risks; reduced benefit of risk management; potential for termination of the project or of personnel
Mitigating Human Factor Risks
• Change the culture
  • Develop a project and organizational culture that deals constructively with all forms of negative information, especially risks
  • Include positive information to balance the negative: Opportunity Management vs. Risk Management
• Keep two sets of books
  • Politically correct risks vs. politically sensitive risks: undesirable but sometimes unavoidable
  • Don’t call them “risks”
This is not easy and will take time and effort.
Implementation Risks in Risk Management
• Risks are poorly defined
  • Problems are misidentified as risks
  • The initiating event, the intermediate impacts and the ultimate impacts are unclear, leading to poor decision making
• A Risk Officer or a Risk IPT (integrated product team) is made responsible for risk
  • A thankless job that deals only with negative information
  • No ability to influence the associated opportunities
Mitigating Implementation Risks
• Use the “If-Then-Resulting-In” format for describing risks: if <initiating event>, then <intermediate impact>, resulting in <ultimate impact>
• The Risk IPT or a risk facilitator should promote risk management, not manage risk
  • Risk management training and consulting
  • Help with risk identification, prioritization and communication
• Develop a negative information safety policy and procedure
Risk management must be performed by those responsible for the associated opportunities.
Opportunity and Risk
• Opportunity Management: a better approach than Risk Management?
  • It will require culture change
  • It should apply to all levels of decision making
  • Risks should fall out of requirements management
• Opportunities
  • Known, i.e. the existing project plan
  • Unknown: future discoveries that could provide benefit and reduce the chance of failure
• Risks and opportunities are inherently linked to project management; we cannot manage one without impacting the other
Recommendations
1. Clarify risk definition and characterization
2. Replace the risk officer with a risk facilitator
3. Simplify risk characterizations: use a “Top 10” list
4. Recognize risk management limitations: we cannot predict the future
5. Use the WBS (work breakdown structure) as your TBQ
6. Establish a negative information safety culture
7. Integrate risk and opportunity management into project management; do not keep them separate
References
1. Gilb, T., Principles of Software Engineering Management, Addison-Wesley, 1988. See p. 72.
2. Bernstein, P. L., Against the Gods: The Remarkable Story of Risk, John Wiley and Sons, 1998. See Chapter 16, “The Failure of Invariance,” on how negative information seriously impacts decision making.
3. Young, R., Effective Requirements Practices, Addison-Wesley, 2001. See pp. 164-5 for strategies to combat “negativism.”
4. Jones, C., Assessment and Control of Software Risks, Prentice Hall, 1994. See Chapter 5 for risks associated with artificial categories.
5. Gilb, T., Competitive Engineering, draft to be published in 2002. See fig. 1.2: the risk strategy is to “maximize benefits, not minimize risk.”
6. McConnell, S., Software Project Survival Guide, Microsoft Press, 1998. See pp. 93-101 for his very realistic risk management model, which focuses on the “Top 10” risk list. The value of a “risk officer” is open to question.
7. Hillson, D., “Extending Risk Process to Manage Opportunities,” Fourth European Project Management Conference, PMI Europe, 6-7 June 2001. Hillson promotes opportunity management, but it is basically the same as traditional risk management.
8. Ormerod, P., Why Most Things Fail, Pantheon Books, New York, 2005, p. 24. Definition of risk and uncertainty.
Contact information
John E. Moore, PhD
Northrop Grumman IT Defense Group
571-642-6636 (work)
703-869-1326 (cell)
john.moore@ngc.com