Government Enterprise Risk Management: Concepts & Guidance


About WSB

Early in their careers, the founders of WSB recognized that outstanding results are born from outstanding cultures. Since 1995, WSB has remained dedicated to creating a culture of relationship building, forward thinking and collaboration that enables technically advanced, thoughtful, and creative engineering and design solutions that build a legacy - your legacy. By inspiring each other to look beyond solutions for today, and capitalize on the opportunities of tomorrow, WSB is able to support the innovation and technical excellence clients would expect from a national firm, while maintaining the trusting and meaningful relationships found in local agencies. Today, the firm offers services in over 20 areas under the discipline of planning, design, and implementation for government, commercial, and energy clients.

Government Enterprise Risk Management Concepts and Guidance

This Government Enterprise Risk Management guide is intended to support the management of our collective future. This guide will help you understand risks, and systematically explore predictions and possibilities so you can make timely and informed decisions. With the practices outlined in this guide, you can more effectively prepare for the challenges you face as you plan for the future. We appreciate your input, so please let us know what you think, and always let us know if we can assist you. We hope you enjoy!

Sincerely,
Bret A. Weiss, PE
President/CEO

About the Author

Phil Barnes is a nationally recognized subject matter expert in Risk Management, with more than 12 years of experience in public sector management and analysis. He has led hundreds of diverse risk planning and assessment meetings that have generated numerous strategic directions, decisions, and management plans. Phil is experienced in leading Enterprise Risk Management (ERM) initiatives at the State of Minnesota, and is currently on a team working for the Federal Highway Administration (FHWA) to develop cutting edge risk-based Stewardship and Oversight practices at a national level. Phil's risk management processes integrate strategic planning and risk forecasts to align resources and policies with clients' strategic objectives. Phil's strength is facilitating collaborative decisions with diverse stakeholder and public interests, and he holds experience in assessing complex risk impacts at a corporate, program, operations, and project level for governments of all sizes.

For information or support please contact Phil Barnes at: (763) Pbarnes@wsbeng.com or visit:

What's Inside

Enterprise Risk Management
Risk Assessment Best Practices
- Gather Information
- Develop Objectives
- Identify/Develop Risk Statements
- Assess Risk Impact
- Forecast Probability
- Develop Risk Response Strategies
Frequently Asked Questions
Glossary

The text of this guide contains general information and is not intended as a substitute for specific recommendations. Guidelines and regulations change and may be different from when this text was published.

Enterprise Risk Management

Defining Enterprise Risk Management

The Enterprise Risk Management (ERM) process helps public officials document and analyze the information needed to make supported decisions. The ERM process enhances the ability to assess stakeholder's interests and current and future needs, and most importantly helps to put focus on solutions for the right challenges, at the right time.

Understanding and prioritizing risk levels creates powerful knowledge. A risk is a forecasted event that can have a negative or positive impact on an objective. A risk can be prioritized by assessing the probability and impact it may have on your objective. Mathematically, a risk level can be shown as:

Probability x Impact = Risk Level

The end result of an ERM process is a credible risk management plan that develops stakeholder trust and confidence and moves objectives forward.

[Figure: Visualizing Risk Level. A matrix of Likelihood against Impact with cells rated Low, Medium, High, and Critical.]

What are ERM's major areas of focus for an organization?

Organizations have diverse risks related to the achievement of various objectives, and ERM is constantly evolving to address the needs of stakeholders seeking to understand the broad spectrum of these risks. A central goal for ERM is improving the capacity of organizations to assess risks across functions. To start, it is recommended that organizations assess risks to the following areas of focus:

- Strategic: The assessment of management of risks to the overall organizational performance through assessing tasks, people, structure, and culture. The process includes the assessment of the organization's ability to be congruent and compatible to managing strategic performance goals.
- Program: The assessment process to help determine system and public risks that lead to investment priorities for funding, utilizing the current strategic plan and integrated performance measurement. May also include assessing risks to a program's objective and the process of managing several related projects.
- Operations: Assessing risks in overseeing, designing, and controlling the process of production and delivery of services. Assessments help understand whether operations are efficient in terms of using as few resources as needed, and effective in terms of meeting customer requirements.
- Project: The process of management that deals with identifying, quantifying, responding to, and controlling the risks in project decisions, oversight levels, and project objectives.

As management trends come and go, there will continue to be a need for a systematic process that facilitates the identification, assessment, management, and communication of threats and opportunities surrounding government objectives.

[Figure: Risk Management is a continuous process. A cycle of six steps (Gather information, Develop a clear objective, Identify risk statements, Assess the impact of risks, Forecast probability of risks, Develop risk response strategies) with Communication at the center.]

Understanding the Risk Management Process

The Risk Management process can be broken into 6 steps:

Step 1 - Gather information
Step 2 - Develop a clear, stakeholder-driven objective
Step 3 - Identify a list of risk statements to objective
Step 4 - Assess the impact of each risk
Step 5 - Forecast the probability of each risk
Step 6 - Develop risk response strategies for elevated risks

Communication is at the center of many risk-based processes. Each step is supported by clear, consistent, and effective communication to stakeholders. When the process is completed collaboratively, the risk management process will enhance the ability for stakeholders to support the current evaluation of risks, while laying groundwork with stakeholders to enhance planning practices for the future.

While reviewing this guide, public officials may find it helpful to consider applying concepts to:

- Effectively managing internal controls in an organization
- Effectively managing a project or program
- Prioritizing investments and resources in a program
- Coordinating office staff resources
- Developing and maintaining performance measures
- Developing a strategic plan for organization's objectives

Concepts & Guidance

Step 1 - Gather Information

Although not always readily available, data and information are a confidence building force behind a solid risk-based plan. To start, public officials should organize all of the relevant material regarding preliminary objectives. This may include, but is not limited to:

- Peer-level reviews, audits, process review documentation
- Dashboards, performance measures, raw data
- National, regional and peer studies and reports
- Preliminary or developed plans
- Questionnaires, surveys
- Interview and meeting minutes
- Lessons learned and best practices documentation
- Information regarding stakeholder perspective

Step 2 - Develop a Clear Objective Statement

A clear and comprehensive objective statement is the foundation for a successful risk assessment. Objective statements can be a vision, mission, or project purpose and needs statement. In some cases, interested and influential stakeholders can hold a perspective that can create a barrier to reaching your objectives. To avoid surprises, the development of solid stakeholder relationships is ideal. Capturing key stakeholder interests in the objective statement will ensure identified risks can be assessed accurately.

It is also helpful to have a preliminary understanding of how tolerant stakeholders will be to certain risks. In government work there will be multiple stakeholders, and it may be valuable to categorize stakeholders by estimated risk appetite. Identifying a risk appetite for each stakeholder group can help you better develop a communication strategy and approach.

[Figure: Capture stakeholder interests in objective statements. A Clear Objective Statement surrounded by stakeholders: Competitors, Legal/Court, Employees, Consumers, Financial Institutions, General Public, Suppliers, Government, Shareholders, Interest Groups, Media, Scientific Community. A second chart plots Risk Tolerance (Low to High) against Risk Knowledge (Low to High), with the groups Informed Conservatives, Independent Conservatives, Risk Takers, and Goal: Informed Innovators.]

Stakeholders can have a risk appetite that is:

- Averse: Avoidance of risk and uncertainty to interests is the main objective.
- Minimal: Preference for ultra-safe options even though the reward potential in the objective may be great.
- Open: Willing to consider all potential options and wants an acceptable value for risk.
- Hungry: Eager to be innovative and interested in high objective rewards despite greater risk.

Bear in mind, not everyone is eager to partner. Some stakeholders are vested in their interests only. For example, technical experts may not want to be included in the entire process of managing internal controls. A stakeholder analysis should help identify those who are interested and influential in the objective, and who will commit to spending time partnering and strategizing for the future.

[Figure caption: Guidance for stakeholder analysis]

Step 3 - Identify and Develop Risk Statements

Examples of a risk statement:

- Poorly written: Project has cost overruns and impacts.
- Improved: Software programmers are not available during testing, thereby causing usability challenges and a 6 month schedule impact.

Diverse perspectives help to productively identify risk. By using a collaborative approach with stakeholders, identifying risks surrounding objectives can be accelerated through workshop-style settings. Workshops make it easier for public officials to create understanding through background presentations, and can encourage support in risk planning efforts.

When building a risk management plan, a documented list of risks, or a risk register, is needed. Many public officials new to risk management have a tendency to identify risks with two-word phrases: reputation risk, cost increase risk, and so on. These are not risk statements. Rather, they are general categories within which we specify risk. Risk statements should be as specific as possible, use complete sentences, and state the area of impact in relation to the objective statement. Risk statements should not include questions or action items.

A brainstorming workshop with stakeholders is a good technique for building a preliminary risk register. Effective brainstorming may require a skilled facilitator who will drive collaboration, create a safe environment for conversation, and challenge the status quo. The more risk identification and discussion that takes place, the more likely stakeholders will understand the variety of interests captured in the objective.

Step 4 - Assess the Impact of Each Risk

- Catastrophic: Results in failure of the transportation system
- Large: Major impacts to the performance of the system
- Endurable: Pockets of system performance failure
- Small: System performance is not impacted noticeably

A risk is a forecasted event that can have a negative or positive impact on an objective. A risk is prioritized by rating the probability and impact it may have on your objective. It is recommended that each risk is assessed for impact first, then probability before moving to the next risk in the register. The context of a risk impact is driven by the objective statement. It may be helpful to develop a scale that illustrates the impact on the objective with potential examples. The assessment of impact involves developing an understanding of where to prioritize the risk statement, assuming it occurs.

Example of using a scale to ensure risk context

Assume you have an objective of a well performing transportation system. You want to estimate risks to the transportation system, and want to be sure the community has a safe way to travel. Using an impact scale of 1-4, the risk of a pothole could be ranked a 1. While this is a nuisance, a pothole does not completely prevent the community from traveling safely. However, a risk of a flooded road causing temporary detours for a year would be more troublesome, and potentially rank a 3 since closures limit the community's ability to travel safely. Assuming the risk event occurs is the first step to ensuring the impact is scaled correctly for the objective.

Step 5 - Forecast Probability of Each Risk

Many public officials will not be comfortable with a process where they are asked to guess whether a future event will happen. When the probability of the risk occurring is unknown, the best bet is to estimate the probability at 50%. Uncertainty in forecasting is a challenge, and can be tackled with qualitative or quantitative data, a series of criteria, or technical expert judgments. While the goal is to define a probability or percentage, one should be wary of anyone who is overly certain and suggests a risk is 100% or 0%, or assumes external actions will take place to manage risks. For example, assuming that more funding will show up for a project or program may quickly skew the estimation of probability. Using a baseline scenario assumption, such as business as usual circumstances, or one where nothing different happens, is a best practice.

Data can influence the level of certainty, help draw logical conclusions, and increase confidence.

Using data, the risk forecasting goal is to identify the most likely impact level to the defined objective. If asked to roll two dice and predict the total, there may be little confidence in the accuracy of a guess. However, data can show that every time two dice are rolled, there are 36 possibilities (6 x 6), resulting in anything from 2 to 12. Data recorded over a period of time and rolls will create a defined probability distribution. From the probability distribution, confidence intervals are developed, creating confidence in probability predictions. With this dice case, the most likely roll, and best forecast, is 7.

[Figure: Example of probability. Results of rolling 2 dice: number of possibilities (out of 36) per total, annotated with the probability of rolling 4 or less and the probability of rolling 10 or more (16.7).]

Understanding risk levels

The probability of the identified risk, multiplied by the impact, gives an assessor a risk level. The risk score in the table below helps forecast the expected level of a problem (or opportunity). This table shows an example of pavement risks for a transportation system, on a 1 through 5 scale, with 5 being a major problem for the transportation system.

Table columns: Risk Category, Risk Event, Probability, Impact (1-5), Expected Value

Risk Category: Pavement Erosion
Risk Event: Pavements continue to erode to 18.5% poor condition by 2019, that results in public trust and confidence issues and impacts public's quality of life.
Probability: 95%

Risk Category: Performance Scorecard
Risk Event: We are unable to communicate the unbalanced performance scorecard, that results in the public and legislature holding the organization accountable to the system problems.
Probability: 95%

Risk Category: Inflation
Risk Event: Oil prices go up substantially (120 a barrel) and unit prices go up, that results in revenue shortfalls and expenditure long falls.
Probability: 75%
Impact (1-5): 4
Expected Value: 3

Risk Category: Communications
Risk Event: Current blanket messages about pavement conditions hurt the ability to communicate that District pavements are inconsistent, that results in pain points in some districts and the public misunderstanding.
Probability: 95%

Answer the tough questions fast

Organizing a risk register further can support expedited decisions. Although the complexity of the risk register depends on the size of the objective and context, some information may include:

- Identification number for each risk identified for tracking purposes
- Expected date and phase of the preliminary project, program or objective plan
- Risk categories such as legal approval, or reputation
- A detailed description of risk events. The description should be clear enough that others will understand what it means.
- Risk triggers. Each identified risk might include risk triggers. Some risks come with a warning of imminent threat or opportunity. These warning signs should be clearly described. For example, an emerging need for legal approval may be a risk trigger for a legal risk that has larger impacts to key objectives, like schedule and cost.

Step 6 - Develop Risk Response Strategies

[Figure: Alternatives A, B, and C, each with its Risks and Strategies, arranged around "Mutual Interests: Vision of Success"; Profile A, Profile B, Profile C.]

Building from information in previous steps, a risk response strategy can be developed and evaluated. This evaluation includes the consideration of available budget and strategy costs. After a strategy has been developed for each risk, what remains is referred to as residual risk. Residual risk is the forecasted risk level after assuming implementation of risk response strategies. This concept becomes valuable when assessing scenarios and making complex decisions. Below is a basic equation for the analysis of strategy effectiveness using the residual risk concept:

Risk Level Response Strategy = Residual Risk

4 common categories of risk response strategies

- Avoid: Avoiding risk means choosing a different option to get to your objective. Avoiding means eliminating a threat, or at least eliminating the possibility of it having any impact on the objective. Not all risks can be avoided or eliminated, and much less would get accomplished if everyone attempted to avoid every risk.
- Transfer: Insurance, warranties, contracts, and guarantees are all examples of contracts that can transfer risk to other parties. The threat still exists; however, it is owned and managed by another party. Transference almost invariably involves some sort of legal or contractual relationship.
- Mitigate: This strategy is about developing a plan, budget, and actions to lower the likelihood of the problem occurring, or to lower the impact of the risk when it occurs. In other words, it is an attempt to reduce risk exposure that is too high to be acceptable. The chances of the threat's occurrence are merely reduced - not eliminated.
- Accept: There are two common types of acceptance strategies:
  - Active = Risk is accepted for the time being, but a contingency plan is developed for implementation later in case the risk occurs.
  - Passive = Risk is accepted because there is no affordable or effective mitigation, and benefits of the objective are valuable.

Acceptance of risk is the most difficult part of reaching objectives. For the most part, acceptance of some level of risk is required to reach any objective. Consideration should be given to confirm accepted risks represent a balance between the potential benefits of the objective.

Frequently Asked Questions

How do ERM processes work with performance measurement goals?

Performance goals and measurements are supportive for fiscally constrained goal setting. In most settings, public officials have limited resources and some level of risk needs to be accepted. Risk tolerance is the risk level that one can stand, while appetite is the risk level one desires. Performance measures and goals can help identify and measure risk thresholds that match organizational tolerances. Like overeating, managing too much risk can have diminished returns. Similarly, not eating enough, or not managing risk, can have the forecasted negative results. Performance measures can help track and measure realistic goals while accounting for risk tolerances and appetites.

[Figure: Using risk levels and performance measures for program measurement. Performance and Risk Level plotted over Time (5 to 30 years) for investments in Roads, Water, and Bridges, with Risk Tolerance, Risk Appetite, and Diminishing Returns marked.]

What can be done with a risk-averse stakeholder?

Risk-averse stakeholders may have no tolerance or appetite for any risk that impacts their interest. At times, these stakeholders can lead to over management, scope creep, and expenditures that may not clearly support the objective. A skilled risk management facilitator can help steward stakeholders who are risk-averse. For example, they can develop a custom impact scale that is based on the bigger picture. This technique will remind all stakeholders of the rewards of the objectives and the reasons to have a reasonable appetite for risk.

[Figure caption: Show stakeholders the bigger picture.]

Is discussing risk appropriate for government or public work?

Managing like a futurist is part of the government's job. For example, without the risk of terrorism, we would not need spending and strategies for defense. Without erosion and flood risk, we would not need as much drainage infrastructure. Without transportation risk, we would not need to invest in highways, bridges, and transit. For most public officials, forecasting the future effectively is crucial for public decision making.

Is ERM worth the effort?

The value behind ERM processes is the communication around expectations and ramifications for the future of objectives. When done properly, the process will enhance the ability to make informed decisions much faster than traditional approaches. A risk assessment can be addressed in a workshop with leadership and completed informally in 30 minutes, or assessed in greater detail by auditors or internal controls specialists leading to new processes and internal controls. While both processes are correct, the time dedicated to the ERM process is worth the effort.

Can risk management help me do more with less?

One goal of a good manager is to put resources in the areas where they are most valued. In reality, not all objectives move forward because of budget constraints or lack of support. Similar to needing a high credit score for a mortgage, public officials need a credible risk profile and management plan to gain support for their objectives. An ERM process will look at the opportunities and rewards of the government's objective, and balance this public benefit with the risk. This process builds stakeholder support for the credit score, allowing the government to move objectives forward in the most effective way possible.

What are some common external and internal sources of risk that will help me brainstorm?

External: Public Political Technological Customer Partners Research Social Media Economic Environmental process Business community Conformity determinations Legal Agencies

Internal: Stove piping Expertise Security Missions Resource competition Lack of cohesive purpose Tensions Competitive outsourcing Systems Structure Strategy and operational differences Accountability Values Ethics Legal Individually Strategic plans Leadership

Are risk-based approaches productive for negotiation?

Custom risk processes can take the focus away from personal relationships and interpersonal conflicts, and towards risks to a mutually defined objective statement. When gauging risk to the objective, we are negotiating around the probability and impact variables, disregarding interpersonal conflicts. Collaborative risk-based workshops as part of the ERM process can be very productive in creating transparency and creating a safe environment to talk about uncertainty directly.

[Figure: Moving to Productive Negotiation. Parties A and B shifting focus toward a shared Risk.]

Risk Language Glossary

Acceptance: Risk response strategy that prepares for and deals with the consequences of a risk, either actively (e.g., developing a contingency plan to execute if the risk event occurs) or passively (e.g., accepting a lower profit if some activities run over budget).

Alternatives: Different means available to attain objectives.

Alternatives Analysis: Process of breaking down a complex situation to generate solutions and approaches and evaluate the impact of trade-offs to attain objectives.

Assumption: Factor that is considered to be true, real, or certain and is often used as a basis for decision making.

Avoidance: Risk response strategy that eliminates the threat of a specific risk event, usually by eliminating its potential cause. The project management team can never eliminate all risk, but certain risk events often can be eliminated.

Brainstorming: Problem solving technique that can be used for planning purposes, risk identification, improvement efforts and other project-related endeavors. Participants are invited to share their ideas in a group setting where no disapproving verbal or nonverbal behaviors are permitted. The technique is designed to generate a large number of ideas by helping people think creatively and allowing them to participate fully without feeling inhibited or criticized by others.

Cause: Instigating factor that drives a risk event to occur.

Contingency: Provision for any risk elements within the project scope; particularly important when a comparison of estimates and actual data suggests that certain risk events are likely to occur. If an allowance for escalation is included in the contingency, it should be a separate item that is calculated to fit expected price-level escalation conditions for the project.

Contingency Plan: Plan that identifies alternative strategies to be used if specified risk events occur. Examples include a contingency reserve in the budget, alternative schedule activity sequences, and emergency responses to reduce the impacts of risk events.

Contingency Reserve: Quantity of money or time that is intended to reduce the impact of missed cost, schedule, or performance objectives, which can be only partly planned (sometimes called "known unknowns"); normally is included in the project's cost and schedule baseline.

Corporate Risk Profile: An environmental scan and a comprehensive listing of risk categories for an organization, as well as tolerances and thresholds in support of the risk management framework.

Critical Risk: Risk that can jeopardize achievement of a project's cost, time, or performance objectives.

Data Collection: Gathering and recording of facts, changes, and forecasts for status reporting and future planning.

Data Mining: Sifting through a massive volume of information usually stored in a database for research, investigative, marketing, and other business purposes.

Decision Theory: Technique used in risk quantification to assist in decision making; it points to the best possible course of action, considering uncertainties.

Delphi Technique: Form of participative expert judgment; an iterative, anonymous, interactive technique using survey methods to derive consensus on work estimates, approaches, issues, and any matter of importance requiring that a decision is made.

Dependent Event: Two or more events in which the occurrence of one event is contingent upon the occurrence of another event.

Environmental Scanning: An assessment of the organization, culture, climate, behaviors, and/or atmosphere of the program or project in order to clarify the setting in which all risk evaluations and discussions will be conducted.

Estimating: Forecasting the cost, schedule, and resource requirements needed to produce a specific deliverable.

Event: Key component of risk. Usually a description of the negative or positive incident associated with a risk.

Expert Interview: Risk identification technique in which qualified individuals are consulted to determine the risks to an objective.

Expert Judgment: Opinions, advice, recommendations, or commentary offered, usually upon request, by a person or persons recognized, either formally or informally, as having specialized knowledge, proficiency, or training in a specific area.

Exploit: Risk response strategy that eliminates the uncertainty associated with an opportunity by ensuring that it will occur.

Exposure: Impact value of a risk multiplied by its probability of occurring; another name for the expected value for threats.

External Risk: Risk beyond the control or influence of a team (e.g., a hurricane or typhoon). See also internal risk.

Facilitator: Person external to the group whose purpose is to help the group work more effectively.

Fallback Position: Alternative (second-choice) position.

Fast Decision Process: Process in which a small, empowered, cross-functional or cross-organizational team, with the help of a trained facilitator, makes decisions quickly. Differs from other processes because it concentrates on producing deliverables.

Feasibility: Assessment of the capability for successful implementation; the possibility, probability, and suitability of accomplishment.

Filtering: Sorting technique that is used to measure the importance of risks based on predetermined criteria or filters. A series of questions is designed to separate risks of high priority from those of lower priority. Risks that do not survive the filter are removed from the priority listing.

Forecast: Estimate or prediction of future conditions and events based on information and knowledge available at the time of the estimate, including financial and schedule information, resource requirements, or any other element of an objective.

Frequency: An assessment of the likely number of occurrences of a given risk event over a specified period of time.

Functional Organizational Experts: Customer-provided or internal personnel who are process and knowledge experts that provide validation and work on technical aspects of the objective.

Impact: Estimate of the effect that a risk will have on schedule, costs, product quality, safety, and performance on an objective.

Impact Analysis: Qualitative or quantitative assessment of the magnitude of loss or gain to be realized should a specific risk or opportunity event, or series of interdependent events, occur.

Information Gathering and Analysis: Specific actions taken to gain information about project requirements, system elements, or critical acquisition processes for which the level of knowledge is insufficient to permit an informed decision to be made with respect to other risk-handling options.

Insurable Risk: Risk that can be covered by an insurance policy. Also called pure risk.

17 Interdependencies: Relationships among organizational functions in which one function, task, or activity is dependent on others. Internal Risk: Risk under the control or influence of the project team. See also external risk. Issue: Formally identified item related to a project that, if not addressed may affects its schedule, change its direction, diminish its quality, and increase its cost. It is distinguished from a risk in that it is an existing problem, whereas a risk is a future event. Known Knowns: Risks that are foreseen and have been identified and documented in the objective s risk listing. For example, when scope changes are certain and the extent of the scope changes is known at the outset. Known Unknowns: Those future situations that are possible to plan for or predict in part. For example, when schedule changes are certain but the extent of the changes is unknown. Lessons Learned: Documented information, usually collected through meetings, discussions, or written reports, to show how both common and uncommon project events were addressed. This information can be used by other project managers as a reference for subsequent project efforts. Management Reserve: Separately planned quantity of money or time intended to reduce the impact of missed cost, schedule, or performance objectives that are impossible to plan for (sometimes called unknown unknowns ). Minor Risk: Risk event that does not cause significant problems, no matter what its probability. Mission: Specific purpose that all or part of the organization is dedicated to achieving. Mission Statement: Description prepared and endorsed by members of the organization that answers these questions: What do we do? For whom do we do it? How do we go about it? Used as a guide for making decisions in projects. Mitigation: Risk response strategy that decreases risk by lowering the probability of a risk event s occurrence or reducing the effect of the risk should it occur. 
Need: Gap between what is and what should be. It should not be confused with a want, which is desirable but nonessential.
Negotiating: Process of bargaining with individuals concerning resources, information and activities. Conferring with others to come to terms or reach an agreement. Also, process in which parties with different interests reach an acceptable agreement through communication and compromise.
Negotiation Plan: Approach to conducting a specific negotiation. It includes: (1) Background (e.g., contractor and negotiation situation); (2) Major and minor negotiation issues and objectives (both price and nonprice); (3) Negotiation priorities and positions on key issues (minimum, objective, maximum positions on price); and (4) Negotiation approach.
Nominal Group Technique: Specific structured process of team brainstorming and creative problem-solving that draws on individual and group strengths, but prevents domination by any one individual. Consists of five separate steps: (1) Silent generation (individual team members write responses to the problem statement in silence); (2) Round robin (each team member recites his or her responses, which are written on a flip chart, white board or other mechanism so all parties can view the list at the same time); (3) Clarification (the group discusses the remarks); (4) Selection and ranking (each team member selects and ranks in priority order the top 3-10 ideas collected); and (5) Final selection and ranking (the facilitator tallies the results and prepares the group's ranked set of ideas).
Objective: (1) End toward which effort is directed; a predetermined result; and (2) Organizational performance criteria to be achieved and measured in the use of organizational resources.
Open-Ended Problem: Problem without a correct answer that has challengeable boundaries.
Opportunity: (1) Future event or series of events that, if they occur, will have a positive impact on an objective; (2) Benefit to be realized from undertaking a project.
Opportunity Assessment: Examination of the uncertainty associated with the possible occurrence of an event that is expected to have a positive impact on an objective.
Opportunity Cost: Rate of return that would have been earned by selecting an alternative rather than the one selected. Opportunity cost is used as one variable in alternative selection.
Organizational Response: The consistent response to certain risk events as dictated by senior management or at a strategic level.
Overall Risk Rating: Overall probability and impact for each risk as a combined risk ranking. The overall risk rating can be presented as a qualitative or quantitative (expected value) rating.
Participative Estimating: Estimating approach in which the primary estimator depends on other people to provide or review estimates for part or all of a work estimate.
Participative Management Style: Management approach in which the manager solicits information from and shares decision-making authority with the team.
Performance Measure: Quantitative or qualitative method or characteristic for describing performance; a measure used to track progress (or lack thereof) toward a strategic objective or intermediate result.
Plan: Intended future course of action.
Planning Process: Any process undertaken to define and describe scope, develop a management plan, and identify and schedule the activities and tasks.
Policy Development: Process of developing and promulgating policies in the organization; translating senior management's objectives into more specific and quantifiable objectives in each unit in the organization.
Positional Negotiation: Negotiating approach in which immediate needs are stated on the assumption that the environment will not, or cannot, change.
Power: Ability to influence the behaviors, decisions, opinions, methods, strategies and commitment of others. Like conflict, power may be used in either a positive or a negative way.
Probability: Likelihood of occurrence.
Problems: Negative risk events, known or unknown, that have materialized and have had a negative impact on project objectives.
Process: Series of interconnected actions, steps or procedures leading to a result.
Process Review: Formal review of the effectiveness of a process.
Program Risk: Any identified risk that will affect achievement of the program's business objectives. Such risk can include stakeholder issues, delivery of value, ensuring availability of resources, and successfully executing the transition plan. Program risk tends to be found at the interproject level, as opposed to the risks inherent in individual projects.
Projection: Estimate of future performance based on the review of historical information, present situation and future outlook.
Project Risk Management: Processes involved with identifying, analyzing, and responding to project risk; consists of risk identification, risk quantification, risk response development and risk response control.
Project Risk Manager: Person on the project team responsible for preparing and tracking a risk management plan and integrating risk management issues into project planning and execution.
Pure Risk: Risk associated with loss that is generally insurable. Also called insurable risk.

Qualitative Risk Assessment: Non-numeric description of a risk (such as high, medium, low), including the likelihood that it will occur, its impact, the methods for containing the impact, possible fallback or recovery measures and ownership data.
Quantitative Risk Assessment: Numeric analysis of risk estimates, including probability of occurrence and quantification of impact, in order to forecast the project's schedule and costs and determine likely outcomes.
Residual Risk: The risk that remains after developing responses or strategies to the original risk level.
Response Analysis Matrix: Matrix grid that shows potential relationships between sets of high-priority risks and potential risk response strategies. Ratings entered into the grid can indicate the positive or negative effects that response strategies might have on multiple identified project risks.
Response Planning: Process of formulating project risk management strategies, including allocating responsibility to the project's various functional areas. May involve avoidance, acceptance, mitigation and the use of certain tools and techniques such as deflection and contingency planning.
Response System: Ongoing process to monitor, review and update any objective risks and make necessary adjustments.
Return on Ideas: Qualitative or quantitative evidence collected showing the gain that resulted from the implementation of a particular idea or group of ideas.
Return on Investment (ROI): Amount of gain (expressed as a percentage) earned on an investment or group of investments. To calculate ROI, the benefit or return of an investment is divided by the cost of the investment and the result is expressed as a percentage or ratio.
Risk: A future event that may occur with a direct effect (positive or negative) to the project, issue, decision or policy.
Risk Allowance: Time or money budgeted to cover uncertainties because of inaccuracies in deterministic estimates or the occurrence of risk events. See also contingency reserve and management reserve.
Risk Analysis: Analysis of the probability that certain desirable and beneficial events will occur and their impact on attaining objectives.
Risk Areas: Program areas that are primary sources of program risk. Risk areas include, but are not necessarily limited to: threat and requirements; technology; design and engineering; manufacturing; support; cost; and schedule.
Risk Assessment: (1) Review, examination and judgment to see whether identified risks are acceptable according to proposed actions; (2) Identification and quantification of project risks to ensure that they are understood and can be prioritized. Also called risk evaluation.
Risk Assumption: Risk-handling option in which selected risks are accepted and monitored by the management team.
Risk Audit: Formal, methodical review of risk management to assess whether the identified risks and risk strategies are acceptable; helps determine overall progress performance of the risk management plan.
Risk Budget: Cost and schedule allowance held in reserve and spent only if uncertainties or risks occur.
Risk Control: Risk-handling option that monitors a known risk and then takes specific actions to minimize the likelihood of the risk occurring and/or reduce the severity of the consequences.
Risk Event: Discrete occurrence that may affect a project (positively or negatively). See also project risk.
Risk Event Status: (1) Measure of importance of a risk event. Also referred to as criterion value or ranking; (2) Probability and impact of a risk as of the data date.
Risk Exposure: (1) Impact value of a risk multiplied by its probability of occurring; (2) Loss provision made for a risk; requires that a sufficient number of situations in which this risk could occur have been analyzed.
Risk Identification: The systematic process of consistent discovery and detection of potential risk events.
Risk Level: Probability times impact (any scale).
Risk Listing: Comprehensive list of risks identified on a project and used by the project team to track the results of risk analysis, response planning and any actions taken during the risk management process. See also risk register.
Risk Management Plan: Documentation of the procedures to be used to manage risk during the life of a project or issue and the parties responsible for managing various areas of risk. This living document includes procedures for performing risk identification and quantification, planning risk response, implementing contingency plans, allocating reserves and documenting results.
Risk Management Strategy: Formal statement of how risk management will be carried out for an objective, what resources will be used, and, if applicable, what roles contractors and subcontractors will play.
Risk Mitigation: See mitigation.
Risk Monitoring: Process that systematically tracks and evaluates the performance of risk items against established metrics throughout the objective and develops further risk reduction handling options as appropriate.
Risk Perception: There are some factors that affect our perception of risk: level of control; time; personal, organizational and cultural values; and risk preferences (risk avoider, risk taker or average person).
Risk Probability: Assessment of the likelihood that a risk event will occur.
Risk Register: Record of the risks identified in a project or program that are monitored by the team to determine when or if they will occur. As a best practice, each identified risk should be assigned to one or more persons whose responsibility it is to monitor the risk triggers and implement the risk response plan should the risk occur. See also risk listing.
Risk Response Control: Process of implementing risk strategies, documenting risk and responding to changes in risk during the life of the objective.
Risk Response Development: Identification of specific actions to maximize the occurrence of opportunities and minimize the occurrence of specific risks in a project.
Risk Symptom: Indirect manifestation of an actual risk event, such as poor morale serving as an early warning signal of an impending schedule delay or cost overruns on early activities pointing to poor estimating. Also called risk trigger.
Risk Tolerance: Specific points beyond which the organization will not knowingly go under any circumstances. Published widely, risk tolerances establish absolute limits of acceptable risk and risk behaviors.
Risk Transfer: (1) Risk-handling option that reallocates system requirements or design specifications between different system elements in order to reduce overall system risk, system element risk or process risk; (2) Risk-handling option that shares selected program risks between the buyer and seller by means of various contractual arrangements; (3) Any practice that transfers the management of risk from one party to another.
Showstopper: Event or condition serious enough to disrupt or halt a negotiation, project or program.
Sources of Risk: Categories of possible risk events that may affect the project positively or negatively. Descriptions of risk sources should include rough estimates of the probability that a risk event from that source will occur, the range of possible outcomes, the expected timing and the anticipated frequency of risk events from the source.
Stakeholder: Individual or organization actively involved in the objective or whose interests may be affected (positively or negatively) as a result of execution or successful completion. Also called party-at-interest.
Stakeholder Analysis: Assessment of project stakeholder information needs and sources, and development of reporting procedures to meet those needs. A key to stakeholder analysis is to attempt to convert those who are opponents of the objective to a position of neutrality or advocacy.
Stakeholder Tolerances: Term that describes the capacity of each stakeholder and group of stakeholders to recognize and deal with risk.
Strategic Planning: Type of planning that establishes an organization's future mission, objectives, goals and strategies.
Strategy: Action plan to set the direction for the coordinated use of resources through programs, projects, policies, procedures, and organizational design and establishment of performance standards.
Strengths, Weaknesses, Opportunity, and Threat (SWOT) Analysis: Analysis used to determine where to apply special efforts to achieve desired outcomes. Entails listing strengths and how best to take advantage of them; weaknesses and how to minimize their impacts; opportunities presented by the project and how best to take advantage of them; and threats and how to deal with them.
Technical Risk: Risk that arises from activities related to technology, design and engineering, manufacturing and the critical technical processes of testing, production and logistics.
Threat: Future event or series of events that will negatively affect the project if it occurs. Also called jeopardy.
Threshold: Time, monetary unit, or resource limit that causes some type of management review to occur if exceeded.
Transfer: Risk response strategy that seeks to shift the impact of a risk to a third party, along with ownership of the response. Also called deflection. See also acceptance, avoidance and mitigation.
Uncertainty: (1) Situation in which only part of the information needed for decision making is available; and (2) Lack of knowledge of future events.
What-if Analysis: Process of evaluating alternative strategies by changing certain variables and assumptions to predict the outcome of such strategies.
Workaround: Unplanned response to a negative risk event. Distinguished from contingency plan because it is not planned in advance of the risk event's occurrence.
Worst-Case Scenario: Worst possible outcome given the circumstances.

Building a legacy - your legacy. (800) wsbeng.com


More information

ENTERPRISE RISK MANAGEMENT POLICY FRAMEWORK

ENTERPRISE RISK MANAGEMENT POLICY FRAMEWORK ANNEXURE A ENTERPRISE RISK MANAGEMENT POLICY FRAMEWORK CONTENTS 1. Enterprise Risk Management Policy Commitment 3 2. Introduction 4 3. Reporting requirements 5 3.1 Internal reporting processes for risk

More information

Project Integration Management

Project Integration Management Project Integration Management Describe an overall framework for project integration management as it relates to the other PM knowledge areas and the project life cycle. Explain the strategic planning

More information

UCISA TOOLKIT. Major Project Governance Assessment. version 1.0

UCISA TOOLKIT. Major Project Governance Assessment. version 1.0 UCISA TOOLKIT Major Project Governance Assessment version 1.0 Contents Introduction 1 Roles and responsibilities 2 Definition of a Major Project 3 Guidance for using the Toolkit 4 Governance elements 4

More information

Risk appetite frameworks: good progress but still room for improvement

Risk appetite frameworks: good progress but still room for improvement Risk appetite frameworks: good progress but still room for improvement Speech by Danièle Nouy, Chair of the Supervisory Board of the ECB, at a conference on banks risk appetite frameworks, Ljubljana, 10

More information

Risk Management at Central Bank of Nepal

Risk Management at Central Bank of Nepal Risk Management at Central Bank of Nepal A. Introduction to Supervisory Risk Management Framework in Banks Nepal Rastra Bank(NRB) Act, 2058, section 35 (a) requires the NRB management is to design and

More information

The PRINCE2 Practitioner Examination. Sample Paper TR. Answers and rationales

The PRINCE2 Practitioner Examination. Sample Paper TR. Answers and rationales The PRINCE2 Practitioner Examination Sample Paper TR Answers and rationales For exam paper: EN_P2_PRAC_2017_SampleTR_QuestionBk_v1.0 Qu Correct Syll Rationale answer topic 1 A 1.1a a) Correct. PRINCE2

More information

Cost Risk Assessment Building Success and Avoiding Surprises Ken L. Smith, PE, CVS

Cost Risk Assessment Building Success and Avoiding Surprises Ken L. Smith, PE, CVS Cost Risk Assessment Building Success and Avoiding Surprises Ken L. Smith, PE, CVS 360-570-4415 2015 HDR, Inc., all rights reserved. Addressing Cost and Schedule Concerns Usual Questions Analysis Needs

More information

Risk Management Plan for the Ocean Observatories Initiative

Risk Management Plan for the Ocean Observatories Initiative Risk Management Plan for the Ocean Observatories Initiative Version 1.0 Issued by the ORION Program Office July 2006 Joint Oceanographic Institutions, Inc. 1201 New York Ave NW, Suite 400, Washington,

More information

Energize Your Enterprise Risk Management

Energize Your Enterprise Risk Management Energize Your Enterprise Risk Management Presented By Mark Caiazzo, CISA, CISM, CRISC Tammy Michaud, CPA May 15, 2017 Reviewed: Agenda Enterprise Risk Management Defined Benefits of ERM Key Components

More information

Section Defining Risk Management. 11. Principles of Risk Management

Section Defining Risk Management. 11. Principles of Risk Management Section 2 10. Defining Risk Management Enterprise risk management is the process, affected by an entity's board of directors, management and other personnel, applied in strategy setting and across the

More information

ENTERPRISE RISK MANAGEMENT (ERM) GOVERNANCE POLICY PEDERNALES ELECTRIC COOPERATIVE, INC.

ENTERPRISE RISK MANAGEMENT (ERM) GOVERNANCE POLICY PEDERNALES ELECTRIC COOPERATIVE, INC. 1. Purpose: 1.1. Pedernales Electric Cooperative ( PEC ) is committed to delivering low-cost, reliable and safe energy solutions for the benefit of our members. In order to improve the likelihood of achieving

More information

Auditor s Letter. Timothy M. O Brien, CPA Denver Auditor Annual Audit Plan

Auditor s Letter. Timothy M. O Brien, CPA Denver Auditor Annual Audit Plan 2017 Audit Plan Office of the Auditor Audit Services Division City and County of Denver Timothy M. O Brien, CPA Inside: Planned Audits Plan Description Audit Selection Process Auditor s Authority credit:

More information

COPYRIGHTED MATERIAL. Index

COPYRIGHTED MATERIAL. Index Index Note to the reader: Throughout this index boldfaced page numbers indicate primary discussions of a topic. Italicized page numbers indicate illustrations. A A+ certification, 28 acceptance criteria

More information

TONGA NATIONAL QUALIFICATIONS AND ACCREDITATION BOARD

TONGA NATIONAL QUALIFICATIONS AND ACCREDITATION BOARD TONGA NATIONAL QUALIFICATIONS AND ACCREDITATION BOARD RISK MANAGEMENT FRAMEWORK 2017 Overview Tonga National Qualifications and Accreditation Board (TNQAB) was established in 2004, after the Tonga National

More information

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS Guidance Paper No. 2.2.x INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS GUIDANCE PAPER ON ENTERPRISE RISK MANAGEMENT FOR CAPITAL ADEQUACY AND SOLVENCY PURPOSES DRAFT, MARCH 2008 This document was prepared

More information

Chapter-8 Risk Management

Chapter-8 Risk Management Chapter-8 Risk Management 8.1 Concept of Risk Management Risk management is a proactive process that focuses on identifying risk events and developing strategies to respond and control risks. It is not

More information

GUIDELINE ON ENTERPRISE RISK MANAGEMENT

GUIDELINE ON ENTERPRISE RISK MANAGEMENT GUIDELINE ON ENTERPRISE RISK MANAGEMENT Insurance Authority Table of Contents Page 1. Introduction 1 2. Application 2 3. Overview of Enterprise Risk Management (ERM) Framework and 4 General Requirements

More information

Project Theft Management,

Project Theft Management, Project Theft Management, by applying best practises of Project Risk Management Philip Rosslee, BEng. PrEng. MBA PMP PMO Projects South Africa PMO Projects Group www.pmo-projects.co.za philip.rosslee@pmo-projects.com

More information

SCCE 2012 COMPLIANCE & ETHICS INSTITUTE. Workshop Agenda

SCCE 2012 COMPLIANCE & ETHICS INSTITUTE. Workshop Agenda SCCE 2012 COMPLIANCE & ETHICS INSTITUTE October 14, 2012 l Las Vegas, NV Ethics & Compliance Risk Management 101: Program Essentials and Effective Practice Key Steps to Implementing and Championing an

More information

Presented to: Eastern Idaho Chapter Project Management Institute. Presented by: Carl Lovell, PMP Contract and Technical Integration.

Presented to: Eastern Idaho Chapter Project Management Institute. Presented by: Carl Lovell, PMP Contract and Technical Integration. Project Risk Management Tutorial Presented to: Eastern Idaho Chapter Project Management Institute Presented by: Carl Lovell, PMP Contract and Technical Integration March 2009 Project Risk Definition An

More information

Policy No. Contact Brian Orpin Version 3.0 Issue Date 28/11/2014 Telephone Review Date IA Date 09/08/2013

Policy No. Contact Brian Orpin Version 3.0  Issue Date 28/11/2014 Telephone Review Date IA Date 09/08/2013 Information Governance Management of Risk Policy Policy No. Contact Brian Orpin Version 3.0 Email Brian.orpin@nhs.net Issue Date 28/11/2014 Telephone 0131 314 5360 Review Date IA Date 09/08/2013 Change

More information

NYISO Capital Budgeting Process. Draft 01/13/03

NYISO Capital Budgeting Process. Draft 01/13/03 NYISO Capital Budgeting Process Draft 01/13/03 1 1.0 INTRODUCTION An effective, capital budgeting process is essential to ensure sound capital investment decisions. This report details a recommended approach

More information

Practical aspects of determining and applying a risk appetite for SMEs

Practical aspects of determining and applying a risk appetite for SMEs Practical aspects of determining and applying a risk appetite for SMEs By Tim Timchur acis, Director, ActivePro Consulting Pty Ltd Important to determine appetite for risk before determining what risk

More information

Scouting Ireland Risk Management Framework

Scouting Ireland Risk Management Framework No. SID 124A/15 Gasóga na héireann/scouting Ireland Issued Amended 20 th June 2015 Deleted Source: National Management Committee Scouting Ireland Risk Management Framework Revision Date Description # 20/06/2015

More information

RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT FRAMEWORK RISK MANAGEMENT FRAMEWORK 1 RISK MANAGEMENT FRAMEWORK... 1 INTRODUCTION... 3 AN EFFECTIVE ENTERPRISE RISK MANAGEMENT SYSTEM... 4 Guiding Principles... 4 RISK GOVERNANCE... 5 Mandate and Commitment... 5

More information

Appendix B: Glossary of Project Management Terms

Appendix B: Glossary of Project Management Terms Appendix B: Glossary of Project Management Terms Assumption - There may be external circumstances or events that must occur for the project to be successful (or that should happen to increase your chances

More information

Overview of Standards for Fire Risk Assessment

Overview of Standards for Fire Risk Assessment Fire Science and Technorogy Vol.25 No.2(2006) 55-62 55 Overview of Standards for Fire Risk Assessment 1. INTRODUCTION John R. Hall, Jr. National Fire Protection Association In the past decade, the world

More information

Risk Assessment Mitigation Phase Risk Mitigation Plan Lessons Learned (RAMP B) November 30, 2016

Risk Assessment Mitigation Phase Risk Mitigation Plan Lessons Learned (RAMP B) November 30, 2016 Risk Assessment Mitigation Phase Risk Mitigation Plan Lessons Learned (RAMP B) November 30, 2016 #310403 Risk Management Framework Consistent with the historic commitment of Southern California Gas Company

More information

Risk PROJstudy.com. All rights reserved

Risk PROJstudy.com. All rights reserved PRINCE2 is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries The Swirl logo is a Trade Mark of the Office of Government Commerce LESSON OBJECTIVES:

More information

FIRMA Nashville Tennessee April 21, 2015

FIRMA Nashville Tennessee April 21, 2015 FIRMA Nashville Tennessee April 21, 2015 Brian J. Pinkerton T. Kevin Whalen Enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization

More information

MISSION VALUES. This Framework has been printed by:

MISSION VALUES. This Framework has been printed by: www.cudgc.sk.ca MISSION We instill public confidence in Saskatchewan credit unions by guaranteeing deposits. As the primary prudential and solvency regulator, we promote responsible governance by credit

More information

Project Risk Management

Project Risk Management Project Skills Team FME www.free-management-ebooks.com ISBN 978-1-62620-986-4 Copyright Notice www.free-management-ebooks.com 2014. All Rights Reserved ISBN 978-1-62620-986-4 The material contained within

More information

A Project Management Guide for Researchers

A Project Management Guide for Researchers A Project Management Guide for Researchers Prepared by: Research Grant and Contract Services January 2018 Copyright 2018 Memorial University of Newfoundland Table of Contents 1.0 Introduction... 4 2.0

More information

General questions 1. Are there areas not addressed in the Guidance that should be considered in assessing risk culture?

General questions 1. Are there areas not addressed in the Guidance that should be considered in assessing risk culture? To: Financial Stability Board (fsb@bis.org) From: Danny Saenz, Co-Chair, NAIC Group Solvency Issues (E) Working Group Date: January 30, 2014 Re: Comments Regarding December 23, 2013 Questions Regarding

More information

Nagement. Revenue Scotland. Risk Management Framework. Revised [ ]February Table of Contents Nagement... 0

Nagement. Revenue Scotland. Risk Management Framework. Revised [ ]February Table of Contents Nagement... 0 Nagement Revenue Scotland Risk Management Framework Revised [ ]February 2016 Table of Contents Nagement... 0 1. Introduction... 2 1.2 Overview of risk management... 2 2. Policy Statement... 3 3. Risk Management

More information

The Central Bank of Ireland Risk Appetite: A Discussion Paper

The Central Bank of Ireland Risk Appetite: A Discussion Paper CONTRIBUTION FROM THE CREDIT UNION DEVELOPMENT ASSOCIATION IN RESPONSE TO The Central Bank of Ireland Risk Appetite: A Discussion Paper 1 st September 2014 Introduction CUDA (Credit Union Development Association)

More information

Risk Management Policy

Risk Management Policy DYNAMIC ARCHISTRUCTURES LIMITED Risk Management Policy DYNAMIC ARCHISTRUCTURES LIMITED Regd. Address: 409, Swaika Centre, 4A Pollock Street, Kolkata - 700001 (West Bengal) CONTENTS Sr. Particulars Page

More information

Risk and Risk Management. Risk and Risk Management. Martin Schedlbauer, Ph.D., CBAP, OCUP Version 1.1

Risk and Risk Management. Risk and Risk Management. Martin Schedlbauer, Ph.D., CBAP, OCUP Version 1.1 Risk and Risk Management Risk and Risk Management Martin Schedlbauer, Ph.D., CBAP, OCUP m.schedlbauer@neu.edu Version 1.1 Risk and Risk Management Copyright 2012 by Martin Schedlbauer ALL RIGHTS RESERVED.

More information

Enhancing Our Risk Appetite Framework. A Case Study

Enhancing Our Risk Appetite Framework. A Case Study Enhancing Our Risk Appetite Framework A Case Study Desired Outcomes 1. An approach to developing a risk appetite framework and risk appetite statement. 2. Understanding how a risk appetite framework can

More information

RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT FRAMEWORK RISK MANAGEMENT FRAMEWORK Approving authority Approval date University Council 5 August 2013 (3/2013 meeting) Advisor Vice President (Corporate Services) vpcorporateservices@griffith.edu.au (07) 373 57343

More information

Sections of the ORSA Report

Sections of the ORSA Report Lessons Learned From Orsa Reviews Impact on Risk Focused Examination NAIC Insurance Summit INS Companies Joe Fritsch, Director INS Companies Don Carbone, Exam Manager INS Companies Sections of the ORSA

More information

Managing risk appetite for operational and non-financial risks

Managing risk appetite for operational and non-financial risks Managing risk appetite for operational and non-financial risks John Thirlwell IIA, Bodø, 27 May 2013 Agenda What do we mean by operational and nonfinancial risks? What do we mean by risk appetite? A framework

More information

Programmatic Risk Management in Space Projects

Programmatic Risk Management in Space Projects r bulletin 103 august 2000 Programmatic Risk Management in Space Projects M. Belingheri, D. von Eckardstein & R. Tosellini ESA Directorate of Manned Space and Microgravity, ESTEC, Noordwijk, The Netherlands

More information

2. Which of the following is a common characteristic of most project life cycle descriptions?

2. Which of the following is a common characteristic of most project life cycle descriptions? INTEGRATION MANAGEMENT 1. The review of key deliverables and project performance at the conclusion of a project phase is called: A. phase exit B. kill point C. stage gate D. a and c E. All above 2. Which

More information

RETURN ON RISK MANAGEMENT. Financial Services

RETURN ON RISK MANAGEMENT. Financial Services RETURN ON RISK MANAGEMENT Financial Services RETURN ON RISK MANAGEMENT The global financial crisis revealed major risk management deficiencies across the banking industry. Governments and regulators have

More information

Sharing insights on key industry issues*

Sharing insights on key industry issues* Insurance This article is from a PricewaterhouseCoopers publication entitled Insurancedigest Sharing insights on key industry issues* European edition September 2008 Is your ERM delivering? Authors: Robert

More information

Project Management Certificate Program

Project Management Certificate Program Project Management Certificate Program Risk Management Terry Skaggs ( Denver class) skaggst@centurytel.net 719-783-0880 Lee Varra-Nelson (Fort Collins class) lvarranelson@q.com 970-407-9744 or 970-215-4949

More information

ENTERPRISE RISK MANAGEMENT (ERM) POLICY

ENTERPRISE RISK MANAGEMENT (ERM) POLICY ENTERPRISE RISK MANAGEMENT (ERM) POLICY November 2014 TABLE OF CONTENTS I. INTRODUCTION.... 3 A. Purpose... 3 B. Scope. 3 C. Enterprise Risk Management Vision 3 D. ERM Goals and Objectives. 4 II. RISK

More information

Risk Evaluation, Treatment and Reporting

Risk Evaluation, Treatment and Reporting Chapter 8 Risk Evaluation, Treatment and Reporting In the previous chapter we looked at how risks are identified, described and estimated using a likelihood and consequences matrix. This is an essential

More information

Title of the Paper: Integrating Management and cost management to arrive at a realistic Estimate at Completion Theme: Project Management leadership -> To accelerate Economic Growth Keywords: Cost overrun,

More information