Risk and Issue Management

MSP is a registered trade mark of AXELOS Limited.
Simplilearn Solutions

Agenda

- MSP framework: Risk and issue management
- Risk and issue management: Introduction
- Potential sources for identifying risks
- Managing risks in a programme
- Risk management framework
- Issues
- Issue management framework
- Change control
- Configuration management
- Risk and issue management within transformational flow
- Roles and area of focus
- Information: Risk and issue management

MSP Framework

[Figure: MSP framework diagram. Key: Inner Circle = Transformational Flow; Second Ring = Governance Theme; Outer Ring = Principles. Labels shown: Remaining aligned with corporate strategy; Programme Organisation; Identifying a Programme; Defining a Programme; Managing the Tranches; Delivering the Capability; Realising the Benefits; Closing a Programme.]

Crown copyright 2011. Reproduced under licence from AXELOS Limited.

Risk and Issue

Risk:
- Uncertain event which, if it occurs, will affect achievement of objectives.
- Risk can either be negative (threat) or positive (opportunity).
- Each identified risk should have cause, event and effect.

Issue:
- Events that have happened, were not planned and need management actions.
- Risks, should they occur, become issues.

Potential Sources for Risks

- Benefits management, transition activities, costs, scope and timescales
- Dependencies, constraints, assumptions, quality of operations, resources and programme deliverables
- Anything that cannot be resolved by the project, or issues common to more than one project
- Stakeholders, organisation, programme staff and third parties
- Degradation of operational performance beyond acceptable levels

Risk Management Perspectives

- Strategic level: Driven by external factors, inter-programme dependencies and internal political pressure
- Programme level: Driven by projects, lack of direction, complexity of outcomes, resource availability, etc.
- Project level: Arises from resource constraints, scheduling, scope creep and being non-aligned with programme
- Operational level: Arises from need of creating balance between operation stability and implementing new capabilities

M_o_R Risk Management Principles

- Aligns with objectives
- Fits the context
- Engages stakeholders
- Provides clear guidance
- Informs decision making
- Facilitates continual improvement
- Creates a supportive culture
- Achieves measurable value

Managing Risks in a Programme

- Risk management strategy
- Risk appetite
- Tolerance thresholds
- Assumptions
- Early-warning indicators
- Risk register
- Threat and opportunity
- Evaluating risks
- Risk aggregation
- Proximity
- Progress reporting

Risk Management Strategy

[Diagram: the risk management strategy and the items it relates to. Items: Project assumptions; Information flow; Organisation's risk policies and processes; Risk management process of programme; Risk appetite; How opportunities will be managed; Benefits management. Relationship labels: Interfaces; Clarifies; Defines; Reflects; Reviews; Clarifies and explains.]

Risk Appetite and Tolerance Thresholds

Risk appetite:
- Amount of risk that an organisation is willing to accept.
- This helps in defining the tolerance levels.

Tolerance thresholds:
- Thresholds translate risk appetite into guidelines that steer programme and project behaviour.

Assumptions, Early Warning Indicators and Risk Register

Assumptions:
- Assumptions define the boundary of programme/projects in business case.
- Assumptions are the result of uncertainty and should be treated as sources of risk.
- Review project assumptions at programme level.

Early warning indicators:
- These indicators provide advance warning of trends or events that could adversely affect the programme's outcomes.
- Can be used to track sensitive risks.

Risk register:
- Repository used to capture information about risks in a consistent and structured manner.
- Risk management strategy defines content and purpose of risk register.

Threats and Opportunities

- Risks are normally threats (negative impact) to programme but some risks actually provide opportunities (positive impact) to improve programme's outcomes.
- Same event can have different impact on different constituent projects. Also, aggregation of threats or opportunities at programme level may change resulting effects again.
- There can be multiple triggers for a single threat or opportunity.
- Differentiate between threat and opportunity to focus on risk response.
- Risk management and benefits management can overlap in a scenario where an opportunity becomes a potential benefit.

Evaluating Risks

- Risk will potentially impact the programme's cost, time and benefits.
- Impacts can be shown in the form of a probability impact grid, giving criteria to each level within scale (very high to very low).
- Expected value is a way of estimating the financial exposure of risks by discounting the total cost of their impact against probability of their occurrence.
- The other methods that can be used are estimated monetary value calculation or net present value calculation.

Risk Aggregation

- Risks can be interdependent and have a cascading effect. They can grow and accumulate to critical mass.
- Prepare a summary risk profile which provides a visual explanation of aggregations and interdependencies.
- To manage aggregation, programme manager should be aware of level of risk impact on each operation/project.
- Cost of contingency needs to be planned.
- Mitigation plan should be prepared to minimise the risk.

Probability Impact Grid & Summary Risk Profile

[Figure: probability impact grid and summary risk profile]

Proximity and Progress Reporting

Proximity:
- Informs the management when a risk will occur in future.
- Helps management realise the impending urgency of the risk.

Progress reporting:
- Monitors the evolution of risk exposure.
- Acts as an independent report aimed to monitor overall risk and issue trends across the programme.

Risk Management Framework

Identify:
- Understand scope, objectives, assumptions, stakeholders and internal & external environment
- Identify risks and enter them in risk register

Assess:
- Estimate the threats and opportunities in terms of probability, impact and proximity
- Evaluate net aggregated effect of identified risks

Plan:
- Prepare specific management responses to threats and opportunities
- Analyse the impact of residual risk as well

Implement:
- Ensure that planned actions for managing risks have been implemented
- Risk owner and risk actionee should be identified in advance

Communicate:
- Effective communication is key to identification of new threats and opportunities
- Implementation of risk management is dependent on good communication

Embed & Review:
- Ensures risk management strategy is appropriately followed
- Controls the process with reviews and health checks

Issues

- Issue is a relevant and unplanned event that requires management action to prevent or reduce its impact on programme
- Issues can emerge from constraints identified at the outset of a programme
- It can come from stakeholders
- Issues can be generated by participating projects or operations

Threat and Opportunity Responses

THREAT (Option: Use)
- Avoid: Remove cause of threat
- Reduce: Reduce the probability/impact of threat
- Transfer: Pass part of risk to third party, like insurance
- Share: Seek multiple parties to share the pain
- Accept: Decision to allow risk to happen
- Contingency plans: "We will accept risk for now but we will make a plan on what we'll do if situation changes"

OPPORTUNITY (Option: Use)
- Exploit: Increase and strengthen cause of opportunity
- Enhance: Maximise an opportunity
- Share: Share the gains
- Accept: Decision to allow opportunity to come
- Transfer: Opportunity shared with third party for a different kind of gain, like earning reputation or better relations
- Contingency plans: Fall back plan as plan to exploit an opportunity may not succeed

Issue Management Framework

Capture:
- Analyse issue that has been raised
- Categorise issue and assess the severity and impact

Examine:
- Examine the issue by impact analysis
- Impact analysis should cover programme, projects, objectives, blueprint and operations

Propose course of action:
- Consider all options and choose the most effective one

Decide:
- Issue management strategy defines who has the authority to take decisions about changes
- Plan the change with appropriate contingency

Implement:
- Implement the change
- Communicate decision and response action to all stakeholders
- Update issue register
- Record lessons learnt

Issue Management Strategy and Issue Register

Issue management strategy:
- Describes programme's approach to issue management
- Outlines how issues will be identified, categorised, severity-rated and managed
- Change control procedure will be defined by issue management strategy

Issue register:
- Created in defining a programme, to record issues
- Includes former risks that have materialised
- Shape, content and purpose defined in issue management strategy

Change Control

- Capture the change and define why it is needed
- Allocate priority to indicate urgency
- Assess the impact
- Analyse all options and test potential solutions
- Authorise agreed solution
- Implement the change and monitor the effects
- Review effectiveness

Configuration Management

- Planning: Decide what level of configuration management is appropriate based on blueprint
- Identifying: Identify all assets for which configuration management is required
- Controlling: Version control changes in configuration document along with other documents
- Status accounting: Maintain current and historical information concerned with each configuration
- Verifying: Audit the programme to ensure there is conformity between expected and actual status

Risk and Issue Management within Transformational Flow

Transformational flow: Aspects of risk and issue management

IDENTIFYING A PROGRAMME
- Risk management focused on identifying and clarifying ambiguity.
- Programme brief will include an initial set of programme risks and issues.

DEFINING A PROGRAMME
- Risk management and issue management strategies are created.
- Risk and issue registers are set up to record risks and issues respectively.
- New risks and issues are captured.

MANAGING THE TRANCHES
- Implements defined governance arrangements for risk and issue management.

DELIVERING THE CAPABILITY
- Project briefs contain guidance on risk and issue management.
- Aggregated risks from projects are a major concern.

REALISING THE BENEFITS
- Helps avoid failure.
- If any tranches deliver below expectation, this is treated as an issue.

CLOSING A PROGRAMME
- If a programme is closed prematurely, it is due to major risks and issues that cannot be managed by programme.

Roles and Area of Focus

Senior Responsible Owner (SRO):
- Authorises the risk management strategy and issue management strategy and its enhancements
- Intervenes to control risks and issues
- Initiates assurance reviews of risk and issue management effectiveness
- Ownership of strategic risks and issues, ensuring mitigation actions are dealt with, at appropriate senior level

Programme Manager:
- Develops and implements strategies for handling risks and issues
- Designs and manages the risk and issue management cycle
- Manages the aggregated levels of risks and issues
- Assures programme adherence to risk management principles
- Allocates risks and issues as appropriate
- Ensures that change control is correctly authorised
- Ensures that impact of individual and aggregated risks is understood by relevant stakeholders
- Defines clear rules for escalation, cascade and threshold
- Ownership of programme level risks and issues
- Deploys a consistent language for risk management across all projects
- Communicates the progress of resolution of issues in a clear and timely fashion
- Escalates items that cross programme boundaries to SRO for resolution
- Designs and implements configuration management system

Business Change Manager:
- Manages and coordinates the resolution of risks relating to operational performances and benefits achievement
- Ensures risk management cycle includes operational risks
- Manages risks that impact on business performance and transition

Roles and Area of Focus (Contd.)

Business Change Manager:
- Identifies operational issues and ensures that they are managed by programme
- Identifies opportunities from the business operations and raises them for inclusion in the programme
- Contributes to impact assessments and change control
- Monitors and reports on business performance issues that may require attention of programme during transition

Programme Office:
- Manages and coordinates the information and support systems to enable efficient risk and issue management
- Maintains the programme risk and issue register
- Establishes, facilitates and maintains risk and issue management cycle
- Provides support and advice on risks and issues to projects
- Coordinates risk and issue management interfaces with projects
- Maintains the configuration management systems
- Facilitates change control steps

Risk Management Strategy

Purpose: Defines programme approach to risk management

Content:
- Roles and responsibilities for managing risk in programme
- Process adapted from organisation's risk management standards
- Interface with benefits management strategy on approach to managing opportunities
- Scales for estimating probability and impact along with criteria for each level
- Guidance on calculating expected value and proximity
- Risk response categories including threats and opportunities
- Risk templates including risk register
- Early warning indicators
- Timing of risk management activities and information flow and reports
- Criteria for escalating risks and assessing effectiveness
- Risk management standards

Risk Register

Purpose: Used to capture and actively manage risks for programme

Content:
- Risk identifier: Unique risk id, description of risk (cause, event and effect)
- Categorisation (threat or opportunity), probability and proximity of risk occurring and its impact on the programme
- Description of proposed risk response and residual risk after it has been implemented
- Risk actionee: Individual responsible for the implementation of risk
- Risk owner: Responsible for management and control of risk assigned to them
- Current status of risk and progress of any action related to risk
- Cross reference to programme plan to identify where risk response has been scheduled

Issue Management Strategy

Purpose: Describes mechanisms and procedures for resolving issues

Content:
- How issues will be identified, captured and assessed
- How issues will be managed across programmes, projects and operations
- Responsibilities for effective management and issue resolution
- Process and explanation of how change control will work in programme
- Change control procedures for authorising changes resulting from issues
- Procedures for implementing and controlling the changes
- How exceptions beyond tolerance levels will be managed
- How responses to issues will be identified and by whom
- Criteria for dividing issues between project and programme and allocating severity ratings
- Other strategies used to support issue management strategy
- Monitoring and evaluating mechanism for issue response

Issue Register

Purpose: Used to capture and actively manage programme issues

Content:
- Unique reference for each issue raised along with date, who raised the issue and description
- Description of cause and impact of issue
- Severity rating and categorisation
- Description of issue response action to be undertaken and by whom
- Issue owner: Responsible for management and control of issues
- Issue actionee: Individual responsible for implementation of given issue response action, progress and status update
- Cross reference to change control procedure, if applicable
- Description of how issue was resolved and lessons learnt

Summary

- Risks are present at each level of organisation and in each phase of programme.
- Risk can either be a threat or an opportunity.
- Risk management strategy describes an approach to risk management which reflects programme's unique objectives.
- Each organisation has its own risk appetite and tolerance thresholds which govern the risk responses.
- Issue is a risk that has happened.
- Issue management strategy is similar to risk management strategy in approach and provides clear guidance on how issues will be managed across the board.
- Change control puts measures in place to ensure all required changes go through proper levels of check and impact analysis.
- Configuration management controls the development and changes to items that are important to programme. It specifies how the individual configuration items fit together.

Question One

In a programme, a response action to an issue impacts the operational area. Who is the best person to be involved with implementing the change?

a) Programme manager
b) Project manager
c) Appropriate BCM
d) SRO

Answer: c) Appropriate BCM
Explanation: BCM comes from operational sections and thus is the best person to manage the change.

Question Two

Which is not an accepted method of handling an opportunity?

a) Exploit
b) Reduce
c) Transfer
d) Share

Answer: b) Reduce
Explanation: Opportunity should be enhanced, not reduced. Threats are reduced.

Question Three

State whether True or False. Share the risk means we can have an insurance where insurer picks up risk cost and insured retains the impact on other objectives.

a) True
b) False

Answer: b) False
Explanation: Above example is of transfer the risk.

Question Four

Which document shows the interactions between critical risks?

a) Risk register
b) Risk management plan
c) Risk strategy
d) Risk profile

Answer: d) Risk profile
Explanation: Risk register is a risk repository but it does not show interdependencies. Risk management plan and risk strategy are governance arrangements. Risk profile shows the interactions between critical risks.

Question Five

Risks related to changes driven by external political, economic, social, legislative, environmental and technical factors are:

a) Strategic level
b) Programme level
c) Project level
d) Un-manageable

Answer: a) Strategic level
Explanation: These risks need to be managed at strategic level.

Question Six

Select right option for the following sentence: Risk will potentially impact programme's:

a) Cost
b) Time
c) Benefit
d) All of the above

Answer: d) All of the above
Explanation: Risk might impact more than one aspect of programme.

Question Seven

Which term reflects the fact that risks will occur at particular times in future?

a) Proximity
b) Tolerance
c) Aggregation
d) None of the above

Answer: a) Proximity
Explanation: Tolerance is related to risk appetite of organisation and aggregation represents the situation when we are combining the effects of risk. Proximity reflects the fact that risks will occur at particular times in future.

Question Eight

Consider currency exchange rates. The future movement of these rates can have an impact on individual projects, but the accumulated effect is often only visible at the higher programme level. This explains:

a) Risk management strategy
b) Issue management strategy
c) Risk aggregation
d) Risk threshold

Answer: c) Risk aggregation
Explanation: Aggregation represents the situation when we are combining the effects of risk.

Question Nine

Which one of the following is not a step in issue management framework?

a) Capture
b) Examine
c) Propose course of action
d) Identify

Answer: d) Identify
Explanation: Since issues have already happened, there is no need to identify them.