Tài liệu Module 4: Risk Management ppt

At the end of this module, you will be able to „ Understand risk and why managing it is important „ Understand the MSF proactive risk managementprocess „ Understand the differences betwe

4

At the end of this module, you will be able to

„ Understand risk and why managing it is important

„ Understand the MSF proactive risk managementprocess

„ Understand the differences between risk mitigationand risk contingency

„ Demonstrate the ability to do risk assessment

Lessons

1 Risk Fundamentals

2 Risk Management Overview

3 Risk Identification and Analysis

4 Risk Planning

5 Risk Tracking and Control

„Definitions

„ Dictionary: “Possibility of loss

or injury”

Webster’s Collegiate Dictionary, 10th edition

„ Common: A problem waiting to happen

„Characteristics

„ Inherent in every project

„ Neither intrinsically good nor bad

„ Not something to fear, but something

to manage

Risk is the possibility, not the certainty, of suffering a loss The loss could beanything from diminished quality of a solution to increased cost, misseddeadlines, or project failure

Risk is a fundamental ingredient of opportunity and so is not inherently bad, but

it is inherent in every project Successful teams deal with risk by recognizingand minimizing uncertainty

Risks can come from many sources, including

„ Mission and goals

„ Decision drivers or organization management

„ Customers or end users

„ Budget, cost, schedule, and personnel

Risk can affect a project in a variety of ways

„ Cost overruns and schedule slips

Lesson 2:

Risk Management Overview

The MSF approach to risk management

„Assesses risks continuously throughout the project life cycle

„Uses risk-based decision-making

„Establishes some level of formality

„Covers all key persons and processes, including business and technology areas

„Treats risk identification as a positive

This slide lists a few of the characteristics typical of successful riskmanagement

Prepare for consequences React to a crisis

to minimize impactUse a known and Use an ad hoc processstructured process

Risk management should be proactive, not reactive It should continuouslyassess what can go wrong and use that information for all project decision-making Proactive risk management requires a visible, measurable, andrepeatable process

Preventing risk is the transition point between proactive and reactive riskmanagement

„Reduce the risk

Example: Minimize the probability

(likelihood of the condition)

Example: Minimize the impact

(level of the consequence)

„Transfer the risk

Example: Move to different hardware Example: Subcontract to a third party

„Avoid the risk

Example: Don’t undertake certain projects Example: Rely on proven, not cutting-edge,

contracting for fire safety with a third party)

example, by building something less prone to fire than a warehouse)

5HWLUHG5LVNV

5LVN

$VVHVVPHQW 'RFXPHQW 7RS#43 61#3ODQ 81#&RQWURO

51#$QDO\]H 41#,GHQWLI\ 6WDWHPHQWV5LVN

71#7UDFN

The ongoing deliverable of this process is a living risk assessment document

MSF risk management is a five-step process through which the team mitigatesrisks by identifying them and taking actions appropriate to the nature of eachindividual risk

„ Identifying risks allows the team to bring risks to the surface so it can dealwith them before they hurt the project

make decisions

„ Devising risk plans is the next step that turns information into decisions andactions

taken to mitigate them

management, which is crucial in making sure that risk management remains

a high-profile activity

Lesson 3:

Risk Identification and Analysis

The first and second steps in proactively managing risks

To effectively discover and recognize potential problems with the project

„ Use a collaborative approach

„ Seek potential problems frommany different sources

„ Examine risks from twodirections

„ Potential issues and their likely consequences

„ Potential consequences and their likely causes

Example:

Identifying fire as

a potential warehouse risk

Identifying risks gives the project team the opportunities and the information itneeds to bring risks to the surface Because risk identification involves all keyteam players, it also reveals for the team the assumptions and viewpoints held

by those players

A fundamental aspect of risk identification is that it should be treated as apositive action, not a negative one When the process of identifying risks isperceived negatively, team members have no incentive to bring possible risks tothe attention of the rest of the team By adopting the idea that risk identification

is positive, team members have an incentive to identify risks before they poseproblems

Condition

Flammable liquidsare stored in thewarehouse

Consequence

The warehousemight catch fire

Therefore

„Before a risk can be managed

„ It must be clearly stated, including both conditionand consequence

„ It must be easily understood

„Condition-consequence risk statements help to clearly articulate risk

A risk can’t be managed effectively until it has been stated clearly Riskstatements should clearly and simply state the condition of the risk (the cause)and the consequence of the risk (the effect)

Look for shared conditions and consequences across multiple risk statements tosee if they constitute a root issue

To effectively convert risk data into risk decision-making information

„ Assess risk probability

„ Assess risk impact

„ Calculate risk exposure

Example:

Understanding what might cause a fire in the warehouse and how costly fire damage would be

Analyzing risks moves the project team from gathering raw data about risks todeciding what to do about them

Risk analysis allows the team to quantify risk priorities Analysis considers thelikelihood that the risk will occur and how serious the impact will be if the riskoccurs, and then assigns a degree of exposure calculated by comparing the riskswith others from the same project

„ Represent a subjectivescale numerically

Example: High = 3, medium = 2, low = 1 Example: High = 75%, medium = 50%, low = 25%

Example:

Because the warehouse contains flammables, the probability of a fire is high

The best way to estimate risk probability is to use a simple numeric scale andapply it consistently throughout the project If you know you’re going to usecost to measure impact, it is best to use percentages for risk probability

To assign a value representing the amount

of loss if the risk occurs

„Use a numeric scale forease of calculation

„Use a dollar value ifimpact is financial

Example: Risk impact = $100,000

„Use a subjective scale ifimpact is non-financial

Example: 5,4,3,2, and 1

„Do not mix scales

Example:

If the warehouse burns down, it will cost $500,000 to rebuild it and replace its contents

Assess the severity or magnitude of loss if the risk occurs If the impact isfinancial, express the impact in dollars and the probability as a percentage.Whatever you do, don’t mix different scales Pick the lowest commondenominator and continue using it

To quantify a value representing the amount

of exposure that each risk presents

„ Calculate it with this formula

(probability x impact = exposure) Example: 75% x $500,000 = $375,000

„ Use to compare risk priorities

„ Rank the risks and theirmanagement based onthe highest exposure number

Example:

The risk of the warehouse burning has an exposure of

$375,000

The risk exposure calculation is why consistency in scales is so important Forexample, the $375,000 exposure used in the slide comes from multiplying 75%(high) probability times the potential risk impact, resulting in the $500,000 itwould take to replace the warehouse if it burned

,Q#VPDOO#WHDPV#DQG#DV#D#ODUJH#JURXS=#

Lab

„Divide into teams

„Using the scenario provided, identify the risks posed by the project

„In a large group, choose the top five risks from those that the teams identified

„In small teams again, calculate the exposure of each risk

To effectively plan against risk

„ Prioritize planning decisionsbased on risk priority

„ Consider five key areas

„Research Do you know

enough about the risk?

„Acceptance Can you live

with its consequences?

„Avoidance Can you avoid

the risk?

„Mitigation Can you reduce the

probability or impact?

„Contingency Can you reduce the

impact through a planned reaction?

Example:

Planning how to prevent a warehouse fire and what to do

To minimize risk exposure

„Focus on high-exposure risks

„Address the condition toreduce the probability

„Look for root causes asopposed to symptoms

„Address the consequence

to minimize the impact

Example:

The company will institute a no-smoking policy

to reduce the probability of a fire

Don’t confuse risk mitigation with risk avoidance Avoiding risks involveseliminating the circumstances that would cause the risks to arrive Mitigatingrisks includes taking steps to minimize the risk’s probability and impact

To minimize the impact if the risk occurs

„Focus on high-exposure risks

„Plan how to react to theconsequence

„Set trigger values todetermine when toexecute the plan

Choose the appropriate type of triggers for executing your contingency plan

„Point-in-time

Example: If a key team

member quits, the latest date to train a replacement

„Threshold

Example: When network

bandwidth reaches a certain level, add more network capacity

Example:

The physical evidence of fire prompts someone

to call the fire department

Contingency triggers are the criteria that project teams use to determine when it

is time to execute contingency plans There are two general types ofcontingency triggers:

„ Point-in-time triggers are built around dates, generally the latest date bywhich something has to happen

„Divide into small teams

„Develop mitigation and contingency plans for each

of the three risks

„Present your results to the class

Lesson 5:

Risk Tracking and Control

The last steps in ongoing risk management

„ Track the risks for anychanges in condition orconsequence

„ Measure the effect of themitigation plans

„ Monitor the contingencytriggers

Example:

Reviewing the top

10 risk list for changes in priority

Tracking risk is required to ensure effective implementation of an action plan.Teams should include risk reviews within regular project reviews, includingassessing their progress at resolving the top 10 risks

Project teams should find their own mechanisms for changing risk status andeffectively judging progress

To get maximum benefit from risk management, use the risk assessment document to

a single document

The risk assessment document should contain:

„ Review the list regularly

„ Keep the list updated toshow changes in priority

Identifying the highest-priority risks in a list format

The number of risks is not important, although lists work best if they contain 10

or fewer risks A top 10 list works only if the team reviews it regularly

Another technique for focusing on risks is to conduct a meeting in whichspecific issues receive individual attention

To effectively control risks

„Adapt to changes in riskpriority

„React to variations fromthe plan

„Respond to triggeringevents

„Assess the riskmanagement process

Example:

Retiring a risk that has been successfully mitigated

The combination of tracking and controlling risk moves risk management from

a planning activity to a project management activity

Controlling risk is the step that enables the project team to react to the dynamics

of the project situation

Summary

„What is risk and why is it important?

„What is the difference between risk mitigation and risk contingency planning?

„How would you describe proactive risk management?

„What are the five steps of the MSF risk management process?

Now is the time to ask any further questions you may have about the materialpresented in this module

Although this concludes the risk management module, the concepts of riskmanagement and the use of risk-based techniques will appear throughout therest of the course