This document discusses the importance of continuous risk management for project success. It outlines five key concepts for effective risk management: 1) hoping is not a strategy, 2) single point estimates are inaccurate, 3) integrating cost, schedule, and technical performance is essential, 4) a formal risk management model is needed, and 5) risk communication is critical. The document emphasizes that risk management requires identifying risks early, quantifying their potential impacts, and developing mitigation plans. An effective risk management process is proactive rather than reactive and considers uncertainties as well as known risks.
Continuous Risk Management
Increasing the Probability of Program Success with Continuous Risk Management
Glen Alleman, Tom Coonce, and Rick Price
Risk management is essential for the success of any significant project. 1 Information about key project cost, performance, and schedule attributes is often unknown until the project is underway. Risks that can be identified early in the project and that impact the project later are often termed “known unknowns.” These risks can be mitigated, reduced, or retired with a risk management process. For risks that are beyond the vision of the project team, a properly implemented risk management process can also rapidly quantify the risk’s impact and provide sound plans for mitigating its effect.
Risk management is concerned with the outcomes of future events whose impacts are unknown. Risk management is about dealing with this uncertainty. Outcomes are categorized as favorable or unfavorable. Risk management is the art and science of planning, assessing, handling, and monitoring future events to ensure favorable outcomes. A good risk management process is proactive and fundamentally different than reactive issue management or problem solving.
The fundamentals of Risk Management can be described in 5 simple concepts:
1. Hope is not a strategy – Hoping that something positive happens will not lead to success. Preparing for success is the basis of success.
2. All single point estimates are wrong – Single point estimates of cost, schedule and technical performance are no better than 50/50 guesses in the absence of knowledge about the variances of the underlying distribution.
3. Without integrating Cost, Schedule and Technical Performance you are driving in the rearview mirror. The effort to produce the product or service and the resulting value cannot be made without making these connections.
4. Without a model for risk management, you are driving in the dark with the headlights turned off – Risk management is not an ad hoc process that you can make up as you go. A formal foundation for risk management is needed. Choose one that has worked in high risk domains – defense, nuclear power, manned spaceflight.
5. Risk Communication is everything – Identifying risks without communicating them is a waste of time.
Risk management is an important skill that can be applied to a wide variety of projects. In an era of downsizing, consolidation, shrinking budgets, increasing technological sophistication, and shorter development times, risk management provides valuable insights to help key project personnel plan for risks. It alerts them to potential risk issues, which can then be analyzed, and plans developed, implemented, and monitored to address risks before they surface as issues and adversely affect project cost, performance, and schedule.
Hope is Not a Risk Handling Strategy
Hoping that the project will proceed as planned is not a strategy for success. These same project managers constantly seek ways to eliminate or control risk, variance and uncertainty. This is a hopeless pursuit.
Managing “in the presence” of risk, variance and uncertainty is the key to success. Some projects have few uncertainties – only the complexity of tasks and relationships is important – but most projects are characterized by several types of uncertainty. Although each uncertainty type is distinct, a single project may encounter some combination of four types: 2
1. Variation – comes from many small influences and yields a range of values on a particular activity. Attempting to control these variances outside their natural boundaries is a waste of time.
2. Foreseen Uncertainty – identifiable and understood influences that the team cannot be sure will occur. There needs to be a mitigation plan for these foreseen uncertainties.
3. Unforeseen Uncertainty – is uncertainty that can’t be identified during project planning. When these occur, a new plan is needed.
4. Chaos – appears in the presence of “unknown unknowns.”
1 “Risk Management during Requirements,” Tom DeMarco and Tim Lister, IEEE Software, September/October 2003
2 “Managing Project Uncertainty: From Variation to Chaos,” Arnoud De Meyer, Christoph H. Loch and Michael T. Pich, MIT Sloan Management Review, Winter 2002
Plans are strategies for the successful completion of the project. Plans are different than schedules. Schedules show “how” the project will be executed. Plans show “what” accomplishments must be performed and the success criteria for these accomplishments along the way to completion.
The Plan describes the increasing maturity of the project through “maturity assessment” points. The unit of measure for this maturity must be meaningful to the stakeholders: something that can be connected to the investment they have made in the project.
When we speak the word “Hope,” it lays the foundation for failure. In the use of Hope we really mean “success is possible but not probable.” When we speak the word “Plan,” it does not assure success, but success is a probable outcome. It is the definition of the probability of success, P(s), that is the foundation of the Plan. Having a Plan–A, Plan–B and possibly a Plan–C exposes risk, assigns mitigations and measures the probability of success.
The idea of a Plan as a Strategy is critical to making changes in the behavior of the project teams that can lead to “risk adjusted project management.” Without a Plan, the schedule is simply a list of activities to be performed. The reason for their performance may be understood, but it is unlikely these activities fit in any cohesive Strategy. Strategies have goals, critical success factors, and key performance indicators.
No Single Point Estimate of Cost, Schedule or Technical Performance Can Be Correct
How long will this take? How much is it going to cost? What is the confidence in those two numbers? These are three questions that must be answered for the project team to have a credible discussion with the stakeholders about success. Deciding what accuracy is needed to provide a credible answer is a starting point. But that does not address the question – “how can that accuracy be obtained?”
There are many checklists for estimating cost and schedule, with simple guidance on how to build estimates. Most of this advice is wrong in a fundamental way. The numbers produced by the estimating process do not have their variance defined in any statistically sound manner. Statistically sound means that the underlying probability distributions are known. If they are not known, then some form of estimating that takes this unknown into account must be used.
The Project Management Institute (PMI) advises producing three estimates – optimistic, most likely, pessimistic. But these numbers are fraught with error. We can’t tell how these numbers were arrived at. Are they based on best engineering judgment? Based on historical data? What is the variance on the variance of this distribution – the 2nd standard deviation? In the absence of this information, they are of little use in estimating risk.
Figure 1 – The Plan for the project must assure risk is being reduced in proportion to the project’s tolerance for risk.
The use of point estimates for duration and cost is the first approach in an organization low on the project management maturity scale. Understanding that cost and durations are actually “random variables,” drawn from an underlying distribution of possible values, is the starting point for managing in the presence of uncertainty.
In probability theory, every random variable is attributed to a probability distribution. The probability distribution associated with cost or duration describes the variance of these random variables. A common distribution of probabilistic estimates for cost and schedule is the Triangle Distribution.
The Triangle Distribution in Figure 2 can be used as a subjective description of a population for which there is only limited sample data, and especially where the relationship between variables is known but data is scarce. It is based on the knowledge of the minimum and maximum and a “best guess” of the modal value (the Most Likely).
Using the Triangle Distribution for cost and duration, a Monte Carlo simulation of the network of activities and their costs can be performed. In technical terms, Monte Carlo methods numerically transform and integrate the posterior quantitative risk assessment into a confidence interval. The result is a “confidence” model for the cost and completion times for the project based on the upper and lower bounds of each distribution assigned to the duration and cost.
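
The simulation described above, sketched as an added example (not code from the article). The four-activity network, its three-point durations and the daily cost rates are constructed assumptions; the run compares the most-likely point estimate with the simulated 50% and 80% confidence values.

```python
import random

# Constructed sample network (not from the article): A, then B and C in
# parallel, then D. "days" is (minimum, most likely, maximum); "rate" is an
# assumed cost per day, so cost and schedule stay coupled.
ACTIVITIES = {
    "A": {"days": (8, 10, 16), "rate": 1200, "preds": []},
    "B": {"days": (15, 20, 35), "rate": 1500, "preds": ["A"]},
    "C": {"days": (12, 18, 40), "rate": 900, "preds": ["A"]},
    "D": {"days": (4, 5, 9), "rate": 1000, "preds": ["B", "C"]},
}

def most_likely(rng, days):
    """Single point estimate: always the modal value."""
    return float(days[1])

def draw_triangular(rng, days):
    """Random draw from the triangle distribution for one activity."""
    low, mode, high = days
    return rng.triangular(low, high, mode)  # stdlib order is low, high, mode

def run_once(rng, sample):
    """One pass through the network; returns (finish_day, total_cost)."""
    finish, cost = {}, 0.0
    for name, act in ACTIVITIES.items():  # listed in dependency order
        duration = sample(rng, act["days"])
        start = max((finish[p] for p in act["preds"]), default=0.0)
        finish[name] = start + duration
        cost += duration * act["rate"]
    return max(finish.values()), cost

def percentile(sorted_values, p):
    return sorted_values[min(len(sorted_values) - 1, int(p * len(sorted_values)))]

def simulate(trials=20000, seed=1):
    rng = random.Random(seed)  # seeded so the run is repeatable
    point_days, point_cost = run_once(rng, most_likely)
    runs = [run_once(rng, draw_triangular) for _ in range(trials)]
    days = sorted(r[0] for r in runs)
    costs = sorted(r[1] for r in runs)
    return {
        "point_days": point_days,
        "point_cost": point_cost,
        # Share of simulated outcomes that meet the point estimate.
        "confidence_point_days": sum(d <= point_days for d in days) / trials,
        "confidence_point_cost": sum(c <= point_cost for c in costs) / trials,
        "p50_days": percentile(days, 0.50),
        "p80_days": percentile(days, 0.80),
        "p80_cost": percentile(costs, 0.80),
    }

if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>22}: {value:,.2f}")
```
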
Integrating Cost, Schedule, and Technical Performance
In many project management methods, cost, schedule and quality are described as an “Iron Triangle.” Change one and the other two must change. This is too narrow a view of what’s happening on a project. It’s the Technical Performance Measurement that replaces Quality. Quality is one Technical Performance measure.
Cost and Schedule are obvious elements of the project. Technical Performance Measures (TPM) describe the status of technical achievement of the project at any point in time. The planned technical achievement is part of the Performance Measurement Baseline (PMB). The Technical Performance Measurement System (TPMS) uses the techniques of risk analysis and probability to provide project managers with the early warnings needed to avoid unplanned costs and slippage in schedule. Systems engineering uses technical performance measurements to balance cost, schedule, and performance throughout the project lifecycle.
Connecting Cost, Schedule, and Technical Performance Measures closes the loop on how well a project is achieving its technical performance requirements while maintaining its cost and schedule goals. IEEE 1220, EIA 632 and “A Guide to the Project Management Body of Knowledge” all provide guidance for TPM planning and measurement and for integrating TPM with cost and schedule performance measures (Earned Value). 3
Technical performance measurements compare actual versus planned technical development and design. They report the degree to which system requirements are met in terms of performance, cost, schedule, and progress in implementing risk retirement. Technical Performance Measures are traceable to user–defined capabilities.
Integrating these three attributes produces a Performance Measurement Baseline that:
Is a plan driven by product quality requirements rather than work or effort requirements.
Focuses on technical maturity and quality, in addition to cost and schedule.
Focuses on progress toward meeting success criteria of technical reviews.
Enables insightful variance analysis.
Ensures a lean and cost–effective approach to project planning and controls.
Enables scalable scope and complexity depending on risk.
Integrates risk management activities with the performance measurement baseline.
Integrates risk management outcomes into the Estimate at Completion.
3 Performance Based Earned Value, Paul Solomon and Ralph Young, John Wiley & Sons, 2006.
Figure 2 – Triangle distributions are useful when limited information about the characteristics of the random variables is all that is available.
Figure 3 – The “new” triangle must be used. One where cost, schedule, and technical performance are interconnected.
The Cost and Schedule “measures” are straightforward in most cases. The measures of Technical Performance involve measures of Effectiveness and Performance.
Measures of Effectiveness (MoE) are the operational mission success factors defined by the customer. These are:
1. Stated from the customer point of view.
2. Focused on the most critical mission performance needs.
3. Independent of any particular solution.
4. Actual measures at the end of development.
Measures of Performance (MOP) characterize physical or functional attributes relating to the system operation:
1. Supplier’s point of view.
2. Measured under specified testing or operational conditions.
3. Assesses delivered solution performance against critical system level specified requirements.
4. Risk indicators that are monitored progressively.
Programmatic Risk Must Follow a Well Defined Process
Using an ad hoc risk management process is itself risky. The first place to start to look for risk management processes is where managing risk is mandatory – aerospace, defense, and mission critical projects. These also include ERP and Enterprise IT projects.
Technical performance is a concept absent from the traditional approaches to risk management. Yet it is the primary driver of risk in many technology intensive projects. Cost growth and schedule slippage often occur when unrealistically high levels of performance are required and little flexibility is provided to degrade performance during the course of the project. Quality is often a cause rather than an impact to the project and can generally be broken down into Cost, Performance, and Schedule components.
The framework shown in Figure 4 provides guidance for:
Risk management policy
Risk management structure
Risk Management Process Model
Organizational and behavioral considerations for implementing risk management
The performance dimension of consequence of occurrence
The performance dimension of Monte Carlo simulation modeling
A structured approach for developing a risk handling strategy
Risk Communication
To be effective, the activities of risk management must properly communicate risk to all the participants. Risk is usually a term to be avoided in normal business. Being in the risk management business is not desirable in most businesses – except insurance. It is common to “avoid” the discussion of risk.
Communicating risk is the first step in managing risk. Listing the risks and making them public is necessary but far from sufficient. Risk communication is the basis of risk mitigation and retirement. It serves no purpose to have a risk management plan and the defined mitigations in the absence of risk communication.
The Risk Management Plan must address:
Executive summary – a short summary of the project and the risks associated with the activities of the project. Each risk needs an ordinal rank, a planned mitigation if the risk is active (a risk approved by the Risk Board), and the mitigations shown in the schedule with associated costs.
Project description – a detailed description of the project and the risk associated with each of the deliverables.
Risk reduction activities by phase – using some formal risk management process that connects risk, mitigation and the IMS. The efforts for mitigation need to be in the schedule.
Risk management methodology – using the DoD Risk Management process is a good start. 4 This approach is proven and approved by high risk, high reward projects. The steps in the processes are not optional and should be executed for ALL risk processes.
4 Risk Management Guide for DoD Acquisition 2003 (Fifth Edition, Version 2.0), www.dau.mil/pubs/gbbks/risk_management.asp
Figure 4 – This risk management process is the “gold standard.” Anything less is inviting additional risk.
In order to communicate risk, a clear and concise language is needed. English is not the best choice. Ambiguity and interpretation are two issues. Communicating in mathematical terms is also a problem, since the symbols and units of measure may be confusing.
Figure 5 is from the Active Risk Manager 5 tool that connects risk management with the scheduling system. ARM is a proprietary risk management system, but illustrates how risk is retired over time in accordance with a plan. The concept shows explicitly when each risk will be “bought down” or “retired” during the project execution. The Risk Registry and the Integrated Master Schedule must be connected in some way. Without this connection, there is no Risk Management process that can be used to forecast impacts on cost or schedule.
At each project maturity point, current risks, the planned retirements of these risks, and the impact of the project must be visible in the schedule. With these connections, project managers can then answer the questions:
What happens if this risk is not mitigated?
What effort is needed to retire this risk before a specific point in time?
If this risk becomes an issue, what is Plan-B? How much will Plan-B cost? What is the impact of Plan-B on the deliverables?
What cost and schedule reserve is needed to cover all the currently active risks?
In the End
Once cost, schedule, and technical performance are integrated into the Performance Measurement Baseline, risk management can be applied to all three elements. With these connections in place, the project management team can say with confidence – “we are doing risk management on this project.”
The final reminder is to make sure all five elements of risk management are present. Leaving one out not only reduces the effectiveness of the risk management process, but increases the risk to the project. Project risk management is a Practice. The theory of Project Risk Management is important, but the Practice is how project risk gets managed.
5 www.strategicthought.com
Figure 5 – This risk retirement waterfall shows where in the plan risk will be mitigated or retired.