EFFECTIVE TECHNIQUES IN RISK MANAGEMENT. Joseph W. Mayo, PMP, RMP, CRISC September 27, 2011

Slide 2. Effective Techniques in Risk Management (agenda)
- Risk Management Overview
- Exercise #1
- Break
- Risk IT
- Exercise #2
- Break
- Risk Management Tools and Techniques
- Q&A

Slide 3. Risk Management Overview

Slide 4. Risk Management Standards
- Project Management Body of Knowledge (PMBOK)
- ISO/IEC 16085:2006, Systems and software engineering, Life cycle processes, Risk Management
- ISO 31000, Risk management, Principles and guidelines
- AS/NZS 4360:2004, Risk Management
- Information Systems Audit and Control Association (ISACA) Risk IT

Slide 5. Risk Management Fundamentals
1. Risk Governance
2. Risk Analysis
3. Risk Response / Treatment

Slide 6. Risk Governance (compared across PMBOK, ANZ-4360, ISO 16085, ISO 31000 and Risk IT)
- Align with Enterprise Risk Management (ERM)
- Risk tolerance and risk appetite
- Risk policy
- Risk management planning

Slide 7. Risk Analysis (compared across PMBOK, ANZ-4360, ISO 16085, ISO 31000 and Risk IT)
- Identify risks
- Maintain a risk register
- Estimate and quantify risk impact
- Prioritize risks
- Establish risk scenarios
- Risk frequency

Slide 8. Risk Treatment (compared across PMBOK, ANZ-4360, ISO 16085, ISO 31000 and Risk IT)
- Risk strategies
- Risk treatment / response plan
- Monitor ERM alignment and risk tolerance thresholds
- Organization's ability to treat the risk
- Continuous improvement

Slide 9. Risk Management Summary

Slide 10. Risk Management Process

Slide 11. Governance
- Risk Management Plan (RMP): compliant with ISO 16085 or AS/NZS 4360. PMBOK is weak in governance (e.g. risk policy, risk tolerance, and risk appetite) and in specific guidance.
- Establish the context: the context should include at least schedule and budget; mature organizations can include mission accomplishment.

Slide 12. Governance
- Risk Appetite: the amount of risk an enterprise is prepared to accept.
- Risk Tolerance: the amount of risk that an organization is willing to withstand.

Slide 13. Governance
- Management Reserve (Unknown Unknowns). An unknown-unknown is also referred to as a Black Swan event. Black Swan theory is based on Nassim Nicholas Taleb's article describing extreme events that cannot be reasonably conceived to happen (Taleb, 2007). Examples: Deepwater Horizon; 2004 Indonesian Tsunami.
- Contingency Reserve (Known Knowns and Known Unknowns). Used to manage documented risks (including risks that are accepted).

Slide 14. Risk Analysis
- Identify risks: not issues, conditions, symptoms, events, or opinions.
- Utilize industry-accepted nomenclature:
  IF <bad thing> THEN <context> <impact>
  IF the integration test environment is not complete by Oct 1 THEN <the scheduled implementation> <will be delayed by 2 months>
  <something happens> LEADING TO <outcomes expressed in terms of impact on objectives>
- Update the risk register: the document containing the results of risk analysis and planned responses.

Slide 15. Risk Analysis
- Objectively quantify impact, based on context.
- Avoid risk normalization. A U.S. Government agency normalizes all risks using a Risk Adjusted Cost (RAC). Using the Risk Adjusted Cost calculation, a risk with a $225,000 budget impact and a High probability of occurrence would have the same RAC ($157,500) as a risk with a $175,000 budget impact and a Very High probability of occurrence.
- Estimate probability or frequency.
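The RAC example above can be worked through in code to show exactly what normalization erases. The following is an added illustration written for this page, not code from the original deck. The probability weights are an assumption: they are chosen so that the slide's two figures reproduce (225,000 x 0.7 = 175,000 x 0.9 = 157,500) and they line up with the ~10/30/50/70/90% bands of the five-level probability scale used later in the deck. The risk register, its risk IDs and its IF/THEN statements are constructed sample data, and the function names are this example's own.

```python
"""Risk Adjusted Cost (RAC) normalisation and what it hides.

Added example for the slide on avoiding risk normalisation; not code from
the original deck. PROBABILITY_WEIGHT is an ASSUMPTION chosen so that the
slide's figures reproduce (225,000 x 0.7 = 175,000 x 0.9 = 157,500).
SAMPLE_REGISTER is constructed data.
"""
from dataclasses import dataclass
from itertools import combinations

# Assumed probability weights (the slide does not state them).
PROBABILITY_WEIGHT = {
    "Very Low": 0.1,
    "Low": 0.3,
    "Medium": 0.5,
    "High": 0.7,
    "Very High": 0.9,
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    statement: str        # IF <bad thing> THEN <impact>, the form the deck recommends
    budget_impact: float  # dollars lost if the risk occurs
    probability: str      # a PROBABILITY_WEIGHT key


def risk_adjusted_cost(budget_impact: float, probability: str) -> float:
    """RAC = budget impact x probability weight: a single expected-loss figure."""
    return round(budget_impact * PROBABILITY_WEIGHT[probability], 2)


def rank_by_rac(register: list[Risk]) -> list[str]:
    """The normalised view: one number per risk, highest RAC first."""
    ordered = sorted(
        register,
        key=lambda r: risk_adjusted_cost(r.budget_impact, r.probability),
        reverse=True,  # sort is stable, so equal RACs keep register order
    )
    return [r.risk_id for r in ordered]


def collapsed_by_rac(register: list[Risk]) -> list[tuple[str, str]]:
    """Pairs of risks that RAC makes indistinguishable although the loss they
    would cause differs; these are the distinctions normalisation erases."""
    pairs = []
    for a, b in combinations(register, 2):
        rac_a = risk_adjusted_cost(a.budget_impact, a.probability)
        rac_b = risk_adjusted_cost(b.budget_impact, b.probability)
        if rac_a == rac_b and a.budget_impact != b.budget_impact:
            pairs.append((a.risk_id, b.risk_id))
    return pairs


def worst_case_exposure(register: list[Risk]) -> tuple[str, float]:
    """Largest single loss if one risk occurs. Contingency reserve sizing needs
    this figure, and a RAC-only ranking can bury it below smaller risks."""
    worst = max(register, key=lambda r: r.budget_impact)
    return worst.risk_id, worst.budget_impact


def two_dimensional_view(register: list[Risk]) -> list[tuple[str, str, float]]:
    """Un-normalised view: probability band and impact stay separate columns,
    ordered by band (most likely first) and then by impact."""
    bands = list(PROBABILITY_WEIGHT)
    ordered = sorted(
        register,
        key=lambda r: (bands.index(r.probability), r.budget_impact),
        reverse=True,
    )
    return [(r.risk_id, r.probability, r.budget_impact) for r in ordered]


# Constructed sample register; R-01 and R-02 use the slide's two figures.
SAMPLE_REGISTER = [
    Risk("R-01", "IF the integration test environment is not complete by Oct 1 "
                 "THEN the scheduled implementation will be delayed by 2 months",
         225_000, "High"),
    Risk("R-02", "IF the vendor licence audit finds unlicensed servers "
                 "THEN true-up fees are charged", 175_000, "Very High"),
    Risk("R-03", "IF the reporting tool is late THEN one monthly report is manual",
         50_000, "Medium"),
    Risk("R-04", "IF the data centre lease is not renewed THEN an unplanned "
                 "migration is required", 400_000, "Low"),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.risk_id, risk_adjusted_cost(r.budget_impact, r.probability))
    print("RAC ranking:", rank_by_rac(SAMPLE_REGISTER))
    print("Collapsed by RAC:", collapsed_by_rac(SAMPLE_REGISTER))
    print("Worst case:", worst_case_exposure(SAMPLE_REGISTER))
    print("Two-dimensional view:", two_dimensional_view(SAMPLE_REGISTER))
```

Running it shows the point of the slide: R-01 and R-02 both score 157,500 and become interchangeable in the RAC ranking, and R-04, the largest single loss in the register, drops to third place because its low probability discounts it. Keeping probability and impact as separate columns preserves both the ranking signal and the worst-case figure that reserve planning depends on.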

Slide 16. Risk Response
- Select treatment strategy: accept, avoid, mitigate, or transfer.
- Prioritize risks.
- Develop a formal risk treatment / response plan, compliant with ISO 16085, ISO/IEC 31000, or AS/NZS 4360. Risk response is a weakness in the PMBOK.
- Monitor progress against the response plan.

Slide 17. Exercise #1: Risk Management Overview

Slide 18. Fill in the blank
- The four industry accepted risk management strategies are ____, ____, ____, and ____.
- Response, ____, and ____ are the three functional aspects of risk management.

Slide 19. Term Matching
Definitions:
- Describes threats, events, assets, and timing
- Document showing how the chosen options will be implemented
- The results of risk analysis and response planning
- The degree of risk that an entity is willing to withstand
- Amount of risk an entity is prepared to accept
Terms: Appetite, Risk Register, Scenarios, Tolerance, Treatment Plan

Slide 20. Word Search (letter grid not reproduced). Words to find: ACCEPT, ANALYSIS, APPETITE, AVOID, GOVERNANCE, MITIGATE, RISK REGISTER, SCENARIOS, TOLERANCE, TRANSFER, TREATMENT PLAN. (A to Z Teacher Stuff, L.L.C., 2010)

Slide 21. Break

Slide 22. ISACA's Risk IT

Slide 23. Risk IT at a Glance (Information Systems Audit and Control Association, 2001, p. 7).

Slide 24. Risk IT
- Define Risk Universe and Scoping Risk Management
- Risk Appetite and Risk Tolerance
- Risk Awareness, Communications, and Reporting
- Expressing and Describing Risk
- Risk Scenarios
- Risk Response and Prioritization

Slide 25. Define Risk Universe and Scoping Risk Management
- Consider overall business objectives
- Establish risk context(s)
- Develop a risk management plan (RMP) that is ISO 16085 compliant
(Information Systems Audit and Control Association, 2001, p. 11).

Slide 26. Risk Appetite and Risk Tolerance
- Risk appetite: the amount of risk an enterprise is prepared to accept.
- Risk tolerance: the amount of risk that an organization is willing to withstand.

Slide 27. Risk Appetite and Risk Tolerance (Information Systems Audit and Control Association, 2001, p. 17).

Slide 28. Risk Awareness, Communications, and Reporting
- Clear
- Concise: consider using Information Dashboard Design by Stephen Few
- Useful: avoid risk normalization
- Timely: adapt information for the intended audience

Slide 29. Risk Awareness, Communications, and Reporting: Clear

Slide 30. Probability and impact scales

Probability: what is the likelihood the risk will happen? (Level, rating, your approach and processes, approximate probability)
- A, Not Likely: will effectively avoid or mitigate this risk based on standard practices (~10%)
- B, Somewhat Likely: have usually mitigated this type of risk with minimal oversight in similar cases (~30%)
- C, Likely: may mitigate this risk, but workarounds will be required (~50%)
- D, Highly Likely: cannot mitigate this risk, but a different approach might (~70%)
- E, Near Certainty: cannot mitigate this type of risk; no known processes or workarounds are available (~90%)

Impact, by level, across technical performance, schedule and cost:
- 1, Minimal. Technical performance: minimal or no consequence to technical performance. Schedule: minimal or no impact. Cost: minimal or no impact.
- 2, Some. Technical performance: minor reduction in technical performance or supportability, can be tolerated with little or no impact on program; same approach retained. Schedule: additional activities required, able to meet key dates. Cost: budget increase or unit production cost increases.
- 3, Medium. Technical performance: moderate reduction in technical performance or supportability with limited impact on program objectives; workarounds available. Schedule: minor schedule slip, no impact to key milestones. Cost: budget increase or unit production cost increases.
- 4, High. Technical performance: significant degradation in technical performance or major shortfall in supportability; may jeopardize program success; workarounds may not be available or may have negative consequences. Schedule: program critical path affected, all schedule float associated with key milestones exhausted. Cost: budget increase or unit production cost increases.
- 5, Critical. Technical performance: severe degradation in technical performance; cannot meet key performance parameter or key technical/supportability threshold; will jeopardize program success; no workarounds available. Schedule: cannot meet key program milestones. Cost: exceeds accepted standards/requirements threshold.

Slide 31. Real Risk Example
Risk Description #6-01: Generation of the monthly Site/System Usage Report is not possible without the specific details of what metrics are to be reported. Additionally, the software required to capture the data has not been defined. While Citrix has some capability, the Enterprise version is the only one that has the software included. There are many Citrix servers that do not have the required reporting software. The Windows platform does not natively produce the data required. As the exact requirement is defined, a Decision Analysis Resolution (DAR) should be completed to assist in the selection of the best product to support the report.

Slide 32. Real Risk Example
Probability: Near Certainty (cannot mitigate this type of risk; no known processes or workarounds are available, ~90%)
Impact: High (Level 4)
- Technical performance: significant degradation in technical performance or major shortfall in supportability; may jeopardize program success; workarounds may not be available or may have negative consequences
- Schedule: program critical path affected, all schedule float associated with key milestones exhausted
- Cost: budget increase or unit production cost increases

Slide 33. Real Risk Example
Mitigation Plan:
- System Administrators meet to brainstorm the requirement.
- Products that meet the requirement are evaluated.
- Perform a DAR to determine the "best" one.
- Provide selected tool(s) to each site with guidance on usage.
- Deploy the solution and provide the Site/System Usage Report monthly.
Discussion: What is the real risk? What is the real impact? What is the context? What is the risk exposure to the project? To the sponsoring organization?

Slide 34. Risk Awareness, Communications, and Reporting
- Concise: consider using Information Dashboard Design by Stephen Few
- Useful: Contingency Reserve, Management Reserve, Risk Management Budget

Slide 35. Expressing and Describing Risk
Risk analysis considers impact and probability (or frequency).
- Qualitative risk analysis: for use in situations where limited information is available; less complex and therefore less expensive.
- Quantitative risk analysis: objective, empirical data is available; more complex and expensive than qualitative risk analysis.

Slide 36. Expressing and Describing Risk
- Highly mature organizations tend to move towards probabilistic risk assessment.
- This involves complex mathematical models (e.g. Monte Carlo simulation).

Slide 37. Expressing and Describing Risk
A number of industry models exist for expressing business impact:
- Balanced Scorecard (BSC)
- Westerman's 4 A's: Agility, Accuracy, Access, Availability
- COSO ERM: Strategic, Operations, Reporting, Compliance
- FAIR: Productivity, Responses, Replacement, Competitive Advantage, Legal, Reputation

Slide 38. Risk Scenarios (Information Systems Audit and Control Association, 2001, p. 55).

Slide 39. Risk Response and Prioritization
- Select treatment strategy: accept, avoid, mitigate, or transfer.
- Prioritize risks.

Slide 40. Risk Response and Prioritization (Information Systems Audit and Control Association, 2001, p. 17).

Slide 41. Risk Response and Prioritization
- Develop a formal risk treatment / response plan, compliant with ISO 16085, ISO/IEC 31000, or AS/NZS 4360. Risk response is a weakness in the PMBOK.
- Monitor progress against the response plan.

Slide 42. Exercise #2: Risk Scenarios

Slide 43. Warwickshire Community: multiple vehicle incident causing up to 10 fatalities and up to 20 casualties (internal injuries, fractures, possible burns); closure of lanes or carriageways causing major disruption and delays.

Slide 44. Risk Scenario
Actor:
Threat:
Event:
Asset(s):
Timing:

Slide 45. Team Scenario

Slide 46. Risk Scenario
Actor:
Threat:
Event:
Asset(s):
Timing:

Slide 47. Warwickshire Case Study

Slide 48. References
- Information Systems Audit and Control Association. (2009). The Risk IT Practitioner Guide. Rolling Meadows, IL: Information Systems Audit and Control Association.
- A to Z Teacher Stuff, L.L.C. (2010). Word Search Generator. Retrieved from http://tools.atozteacherstuff.com/word-searchmaker/wordsearch.php
- Taleb, N. (2007, April 22). The Black Swan: The Impact of the Highly Improbable. The New York Times. Retrieved from http://www.nytimes.com/2007/04/22/books/chapters/0422-1sttale.html?_r=1&ex=1178769600&en=bdae1078f2b4a98c&ei=5070

Slide 49. Questions?

Slide 50. Thank you! Joseph W. Mayo, PMP, RMP, CRISC, joseph.mayo@keane.com

Slide 51. Backup Slides

Slide 52. ISO 16085 RMP Outline
- Overview
  - Date of Issue and Status
  - Issuing Organization
  - Approval Authority
  - Updates
- Scope [Define the boundaries and limitations of risk on the project.]
- Reference Documents
- Glossary
- Risk Management Overview [Describe the specifics of risk management for this project or organization's situation.]

Slide 53. ISO 16085 RMP Outline
- Risk Management Policies [Describe the guidelines by which risk management will be conducted.]
- Risk Management Process Overview
- Risk Management Responsibilities [Define the parties responsible for performing risk management.]
- Risk Management Organization [Describe the function or organization assigned responsibility for risk management within the organizational unit.]
- Risk Management Orientation and Training
- Risk Management Costs and Schedules

Slide 54. ISO 16085 RMP Outline
- Risk Management Process Description [If there is an organizational risk management process that is being used for this project or situation, refer to it. If adaptation of the process is appropriate, describe the adaptations made. Describe the procedures that implement the risk management process. If no organizational process exists, describe the risk management process and procedures to be used for the project or situation.]
  - Risk Management Context
  - Risk Analysis
  - Risk Monitoring
  - Risk Treatment [Describe how risks are to be treated. If a standard management process exists for handling deviations or problems, refer to this process. If risks require a separate risk treatment activity due to specific circumstance, describe this activity.]

Slide 55. ISO 16085 RMP Outline
- Risk Management Process Evaluation [Describe how this project or organization will gather and use measurement information to help improve the risk management process for the project and/or for the organization.]
  - Capturing Risk Information
  - Assessing the Risk Management Process
  - Generating Lessons Learned

Slide 56. ISO 16085 RMP Outline
- Risk Communication [Describe how risk management information will be coordinated and communicated among stakeholders and interested parties (i.e., those who are interested in the performance or success of the project or product, but not necessarily of the organization), such as what risks need reporting to which management level.]
  - Process Documentation and Reporting
  - Coordinating Risk Management with Stakeholders
  - Coordinating Risk Management with Interested Parties
- Risk Management Plan Change Procedures and History

Slide 57. Risk Response Plans: contents required by each standard

ISO 16085:
- Overview
- Scope, reference documents, Glossary
- Planned Risk Treatment Activities and Tasks
- Treatment Resources and their Allocation
- Responsibilities and Authority
- Treatment Schedule
- Treatment Control Measures
- Treatment Cost
- Interfaces among Parties Involved
- Risk Treatment Plan Change Procedures and History

ISO/IEC 31000:
- Reasons for selection of treatment options, including expected benefits to be gained
- Proposed actions
- Resource requirements including contingencies
- Individuals accountable for approving the plan and those responsible for implementing the plan
- Timing and schedule
- Performance measures and constraints
- Reporting and monitoring requirements

AS/NZS 4360:
- Summary (Recommended Response and Impact)
- Proposed Actions
- Resource Requirement(s)
- Responsibility
- Timing
- Reporting and monitoring required