Risk Management in Five Easy Pieces with Apologies to Jack

Risk management is essential for any significant project. Information about key project cost, performance, and schedule attributes is often known once the project is underway. The emerging risks that can be identified early in the project that impact the project later are often termed “known unknowns.” These risks can be mitigated with a good risk management process. For risks beyond the project team's vision, a properly implemented risk management process can also rapidly quantify the risk's impact and provide sound plans for mitigating its effect.

Managing Risk is How Adults Manage Projects

• Hope is not a strategy
• No point estimate of cost or schedule can be correct
• Without integrating cost, schedule, and technical performance, you are driving in the rearview mirror
• Without a model for risk management, you are driving in the dark with the headlights off
• Risk management means communication management

Hope is Not a Strategy

Strategy is the Plan for the Successful Completion of the Project

• When General Custer was surrounded, his chief scout asked, “General, what's our strategy?” Custer replied, “The first thing we need to do is make a note to ourselves – never get in this situation again.”
• Suppose the project’s success factors, the processes that deliver them, the alternatives when they fail, and the measurement of this success are not defined in meaningful ways for both the customer and managers of the project. In that case, Hope is the only strategy left.

Hoping that the project will proceed as planned is na?ve at best and poor management at worst. Project Managers constantly seek ways to eliminate or control risk, variance, and uncertainty. This is a hopeless pursuit. ?Managing “in the presence” of risk, variance, and uncertainty is the key to success. Some projects have few uncertainties –only the complexity of tasks and relationships is important – but several types of uncertainty characterize most projects. Although each uncertainty type is distinct, a single project may encounter some combination of four types:

• Variation – comes from many small influences and yields a range of values on a particular activity. Attempting to control these variances outside their natural boundaries is a waste (Muda)
• Foreseen Uncertainty – uncertainties identifiable and understood influences that the team cannot be sure will occur. There needs to be a mitigation plan for these foreseen uncertainties.
• Unforeseen Uncertainty – uncertainty that can’t be identified during project planning. When these occur, a new plan is needed.
• Chaos – appears with the presence of “unknown unknowns.”

The Plan for the project is the Strategy for its successful completion. This Plan needs to define:

• How the products and services will be “matured” as the project progresses?
• What are the “units of measure” for this increasing maturity?
• At what point in the project will this maturity be assessed to confirm progress?

Hope must be replaced with a risk-tolerant plan. In this plan, larger variances can be tolerated in the early parts of the project. However, as the project proceeds, the risk tolerance must be reduced. At the end of the project, all the risks must have been retired.

No Point Estimate of Cost or Duration can be Correct

Point estimates for durations and costs are the first impulse in an organization low on the project management maturity scale. Understanding cost and durations are actually “random variables,” drawn from an underlying distribution of possible value is the starting point for managing uncertainty. In probability theory, every random variable is attributed to a probability distribution. The probability distribution associated with a cost or duration describes the variance of these random variables. A common distribution of probabilistic estimates for cost and schedule random variables is the Triangle Distribution.

Point Estimates are Always Wrong

• A Single Point Estimate uses sample data to calculate a single value, serving as a "best guess" for an unknown population parameter.
• A Bayesian Inference is a statistical inference in which evidence or observations are used to infer the probability that a hypothesis may be true.
• Without this statistical information, statements about cost, schedule, completion dates, or costs are simply 50/50 guesses.

The Triangle Distribution is a subjective description of a population for which only limited sample data exists, especially where the relationship between variables is known, but data is scarce. It is based on the knowledge of the minimum and maximum and a “best guess” of the modal value (the Most Likely). A Monte Carlo simulation of the network of activities and their costs can be performed using the Triangle Distribution for the costs and durations.

Monte Carlo methods numerically transform and integrate the posterior quantitative risk assessment into a confidence interval. The result is a “confidence” model for the cost and completion times for the project based on the upper and lower bounds of each distribution assigned to each duration and cost. This approach to estimating provides insight into the behavior of the plan as well as sensitivity between the individual elements of the plan.

The notion that project task durations are random variables is the foundation of programmatic risk management. The numeric value of a duration or a cost is drawn from a probability distribution. This distribution represents the range of all possible values of the duration or cost. The probability distribution's shape describes how many possible values will appear when drawn from the distribution. When a “Point Estimate” is used for the duration and cost, this number is only one of all the possible values that could occur. Without an understanding of the statistical nature of these values, there is no understanding of how “confident” we should be in the number.

Estimating is a very vague art in the absence of a formal process. One place to start is with the statistical definition of an “estimate.” But even that definition has three (3) different possibilities:

• The Mode is the most likely value. The value often occurs when statistical samples are drawn from the underlying population.
• The Median is the “middle” value between the highest and lowest value from the total of all samples drawn from the underlying statistical population.
• The Mean is the “average” of all the samples drawn from the population.

The most important concept is understanding that the “sum” of all the “estimates” is never one of these three estimates. The details of this are beyond the scope of this presentation, but it has to do with “summing” probability distributions. It is not a summation process – it is a convolution process. This means the probability distribution – represented by an integral equation – is convolved with the other integral equations.

When we speak in terms like “Best Estimate,” we need to understand what that means. What does the “Best Estimate” mean?

• The Most Likely – this is the Mode
• The 50th percentile – this is the Median
• The expected value – this is the Mean

One simple approach to cost and schedule estimating in the presence of uncertainty is to use a Triangle Distribution for the possible values of the estimate. A triangle distribution provides a convenient way to represent uncertainties where values toward the middle of the range of possible values are considered more likely to occur than values near either extreme. Although not a traditional distribution, the arbitrary shape and “sharp corners” of triangle distribution is a convenient way to state that the details of the shape of the distribution are not precisely known.

This may help to prevent over-interpretation or false sense of confidence in subtle details of the results [Morgan, M. and Henrion, M., Uncertainty: A Guide to Dealing with Uncertainty in Quantitative Risk and Policy Analysis, Cambridge University Press, Cambridge, United Kingdom, 1990].

A triangle distribution is a good distribution to use early in expert elicitation since it is easy to obtain judgments for it.

Triangle distributions are useful when limited information about the characteristics of the random variables is all that is available. Since point estimates are always wrong, a method is needed to produce probabilistic estimates. Table 1 describes how to move from Point Estimating to Probabilistic Estimating.

Without Integrating Cost, Schedule & Technical Performance You’re Driving In The Rearview Mirror

Addressing customer satisfaction means incorporating product requirements and planned quality into the Performance Measurement Baseline to ensure the project's true performance is visible.

Connecting Cost, Schedule, and Technical Performance Measures (TPM) closes the loop on how well a project achieves its technical performance requirements while maintaining its cost and schedule goals. IEEE 1220, EIA 632, and "A Guide to the Project Management Body of Knowledge “ all guide TPM planning and measurement and integrate TPM with cost and schedule performance measures (Earned Value).

Integrating these three attributes results in a Performance Measurement Baseline processes which is distinguished from traditional cost and schedule management in several ways. The Performance Measurement Baseline:

• Is a plan driven by product quality requirements, not work requirements?
• Focuses on technical maturity and quality, in addition to cost and schedule
• Focuses on progress toward meeting success criteria of technical reviews.
• Enables insightful variance analysis.
• Ensures a lean and cost-effective approach to project planning and controls.
• Enables scalable scope and complexity depending on risk.
• Integrates risk management activities with the performance measurement baseline.
• Integrates risk management outcomes into the Estimate at Completion.

Without A Model For Risk Management, You’re Driving In The Dark With The Headlights Off

Technical performance is a concept absent from the traditional approaches to risk management.? Yet, it is the primary driver of risk in many technology-intensive projects. Cost growth and schedule slippage often occur when unrealistically high-performance levels are required, and little flexibility is provided to degrade performance during the program. Quality is often a cause rather than an impact on the program and can generally be broken down into Cost, Performance, and Schedule components.

The framework shown here provides:

• Risk management policy.
• Risk management structure.
• Risk Management Process Model.
• Organizational and behavioral considerations for implementing risk management.
• The performance dimension of the consequence of the occurrence.
• The performance dimension of Monte Carlo simulation modeling.
• A structured approach for developing a risk-handling strategy.

Risk Management Means Risk Communications

An interactive process of exchange of information and opinion among individuals, groups, and institutions; often involves multiple messages about the nature of risk or expressing concerns, opinions, or reactions to risk messages or to legal or institutional arrangements for risk management. Risk communication is the basis of risk mitigation. Without a risk communication plan, it serves no purpose to have a risk plan and defined mitigations.

The Risk Management Communications Plan must address:

• Identify risks for project cost and schedule
• Model the behavior of these risks and their impact on the project
• Development Risk Handling processes tailored to the business domain
• Provide oversight, advice, guidance, and control systems associated with Programmatic Risk management

Summary

Risk management is a continuous process applied throughout the project life cycle. It is an organized methodology for continuously identifying and measuring unknowns, developing mitigation options, selecting, planning, and implementing appropriate risk mitigations, and tracking the implementation to ensure successful risk reduction. Effective risk management depends on risk management planning, early identification and analysis of risk, early implementation of corrective actions, continuous monitoring and reassessment, and communication, documentation, and coordination.