Risk Management in Five Easy Pieces

Managing Cost, Schedule, and Technical Performance is the Basis of Good Project Management

Risk management is essential for any significant project. Certain information about key project costs, performance, and schedule attributes are often unknown until the project is underway. The emerging risks that can be identified early in the project that impact the project later is often termed “known unknowns.” These risks can be mitigated with a good risk management process. For risks that are beyond the vision of the project team a properly implemented risk management process can also rapidly quantify the impact of the risk and provide sound plans for mitigating its effect.

Risk management is concerned with the outcome of future events, whose exact outcome is unknown, and with how to deal with these uncertainties.

Outcomes are categorized as favorable or unfavorable, and risk management is the art and science of planning, assessing, handling, and monitoring future events to ensure favorable outcomes. A good risk management process is proactive and fundamentally different than issue management or problem-solving, which is reactive.

Risk management is an important skill that can be applied to a wide variety of projects. In an era of downsizing, consolidation, shrinking budgets, increasing technological sophistication, and shorter development times, risk management provides valuable insights to help key project personnel plan for risks, alert them of potential risk issues, analyze these issues, and develop, implement, and monitor plans to address risks long before they surface as issues and adversely affect project cost, performance, and schedule.

Hope is Not a Strategy

Hoping that the project will proceed as planned is naïve at best and poor management at worse. Project Managers constantly seek ways to eliminate or control risk, variance, and uncertainty. This is a hopeless pursuit. Managing “in the presence” of risk, variance, and uncertainty is the key to success. Some projects have few uncertainties –only the complexity of tasks and relationships is important – but most projects are characterized by several types of uncertainty. Although each uncertainty type is distinct, a single project may encounter some combination of four types:

• Variation – comes from many small influences and yields a range of values on a particular activity. Attempting to control these variances outside their natural boundaries is a waste (Muda) § Foreseen Uncertainty – are uncertainties identifiable and understood influences that the team cannot be sure will occur. There needs to be a mitigation plan for these foreseen uncertainties.
• Unforeseen Uncertainty – uncertainty that can’t be identified during project planning. When these occur, a new plan is needed.
• Chaos – appears with the presence of “unknown unknowns”

The Plan for the project is the Strategy for its successful completion. This Plan needs to define:

• How the products and services will be “matured” as the project progresses?
• What are the “units of measure” for this increasing maturity?
• At what points in the project will this maturity be assessed to confirm progress is being made?

Hope must be replaced with a risk-tolerant plan. In this plan, larger variances can be tolerated in the early parts of the project. But as the project proceeds the risk tolerance must be reduced. At the end of the project, all the risks must have been retired.

No Point Estimate of Cost, Schedule or Technical Performance Can Be Correct

Using point estimates for durations and costs is the first impulse in an organization low on the project management maturity scale. Understanding cost and durations are actually “random variables,” drawn from an underlying distribution of possible value is the starting point for managing in the presence of uncertainty. In probability theory, every random variable is attributed to a probability distribution. The probability distribution associated with a cost or duration describes the variance of these random variables. A common distribution of probabilistic estimates for cost and schedule random variables is the Triangle Distribution.

The Triangle Distribution is used as a subjective description of a population for which there is only limited sample data, especially where the relationship between variables is known but data is scarce. It is based on the knowledge of the minimum and maximum and a “best guess” of the modal value (the Most Likely). Using the Triangle Distribution for the costs and durations, a Monte Carlo simulation of the network of activities and their costs can be performed. Monte Carlo methods are used to numerically transform and integrate the posterior quantitative risk assessment into a confidence interval. The result is a “confidence” model for the cost and completion times for the project based on the upper and lower bounds of each distribution assigned to each duration and cost. This approach to estimating provides insight into the behavior of the plan as well as sensitivity between the individual elements of the plan.

The notion that project task durations are random variables is the foundation of programmatic risk management. The numeric value of a duration or a cost is drawn from a probability distribution. This distribution represents the range of all possible values of the duration or cost. The shape of the probability distribution describes how many of the possible values will appear when drawn from the distribution. When a “Point Estimate” is used for the duration and cost, this number is only one of all the possible values that could occur. Without an understanding of the statistical nature of these values, there is no understanding of how “confident” we should be in the number.

Estimating is a very vague art in the absence of a formal process. One place to start is with the statistical definition of an “estimate.” But even that definition has three (3) different possibilities:

• The Mode is the most likely value. The value occurs most often when statistical samples are drawn from the underlying population.
• The Median is the “middle” value between the highest and lowest value from the total of all samples drawn from the underlying statistical population.
• The Mean is the “average” of all the samples drawn from the population.

The most important concept is to understand that the “sum” of all the “estimates” is never one of these three estimates. The details of this are beyond the scope of this presentation but it has to do with “summing” probability distributions is not a summation process – it is a convolution process. This means that the probability distribution – represented by an integral equation – is convolved with the other integral equations.

When we speak in terms like “Best Estimate” we need to understand what that means. What does the “Best Estimate” mean?

• The Most Likely – this is the Mode
• The 50th percentile – this is the Median §
• The expected value – this is the Mean In all cases when the individual estimates are “rolled up” they NEVER mean one of these.

In all cases when the individual estimates are “rolled up” they NEVER mean one of these.

One simple approach to cost and schedule estimating in the presence of uncertainty is to use a Triangle Distribution for the possible values of the estimate. A triangle distribution provides a convenient way to represent uncertainties where values toward the middle of the range of possible values are considered more likely to occur than values near either extreme. Although not a traditional distribution, the arbitrary shape and “sharp corners” of triangle distribution is a convenient way to state that the details of the shape of the distribution are not precisely known. This may help to prevent over-interpretation or a false sense of confidence in subtle details of the results [Morgan, M. and Henrion, M., Uncertainty: A Guide to Dealing with Uncertainty in Quantitative Risk and Policy Analysis, Cambridge University Press, Cambridge, United Kingdom, 1990]. A triangle distribution is a good distribution to use early in expert elicitation since it is easy to obtain judgments for it.

Triangle distributions are useful when is limited information about the characteristics of the random variables is all that is available. Since point estimates are always wrong a method is needed to produce probabilistic estimates. Table 1 describes how to move from Point Estimating to Probabilistic Estimating.

Without Integrating Cost, Schedule, and Technical Performance You're Driving in the Rear View Mirror

Addressing customer satisfaction means incorporating product requirements and planned quality into the Performance Measurement Baseline to assure the true performance of the project is made visible.

Connecting Cost, Schedule, and Technical Performance Measures closes the loop on how well a project is achieving its technical performance requirements while maintaining its cost and schedule goals. IEEE 1220, EIA 632, and "A Guide to the Project Management Body of Knowledge“all provide guidance for TPM planning and measurement and for integrating TPM with cost and schedule performance measures (Earned Value).

Integrating these three attributes results in a Performance Measurement Baseline process which is distinguished from traditional cost and schedule management in several ways. The Performance Measurement Baseline:

• Is a plan driven by product quality requirements, not work requirements?
• Focuses on technical maturity and quality, in addition to cost and schedule.
• Focuses on progress toward meeting success criteria of technical reviews.
• Enables insightful variance analysis.
• Ensures a lean and cost-effective approach to project planning and controls.
• Enables scalable scope and complexity depending on risk.
• Integrates risk management activities with the performance measurement baseline.
• Integrates risk management outcomes into the Estimate at Completion.

Without A Model For Risk Management, You're Driving in the Dark With the Headlights Off

Technical performance is a concept absent from traditional approaches to risk management. Yet it is the primary driver of risk in many technology-intensive projects. Cost growth and schedule slippage often occur when unrealistically high performance levels are required and little flexibility is provided to degrade performance during the program. Quality is often a cause rather than an impact on the program and can generally be broken down into Cost, Performance, and Schedule components.

The framework shown here provides:

• Risk management policy
• Risk management structure
• Risk Management Process Model
• Organizational and behavioral considerations for implementing risk management
• The performance dimension of the consequence of the occurrence
• The performance dimension of Monte Carlo simulation modeling
• A structured approach for developing a risk-handling strategy

Risk Management Means Risk Communication

An interactive process of exchange of information and opinion among individuals, groups, and institutions; often involves multiple messages about the nature of the risk or expressing concerns, opinions, or reactions to risk messages or to legal or institutional arrangements for risk management. Risk communication is the basis of risk mitigation. It serves no purpose to have a risk plan and the defined mitigations in the absence of a risk communication plan.

The Risk Management Communications Plan must address:

• Identify risks for project cost and schedule
• Model the behavior of these risks and their impact on the project
• Development Risk Handling processes tailored to the business domain
• Provide oversight, advice, guidance, and control systems associated with Programmatic Risk management

Summary

Risk management is a continuous process applied throughout the project life cycle. It is an organized methodology for continuously identifying and measuring unknowns; developing mitigation options; selecting, planning, and implementing appropriate risk mitigations; and tracking the implementation to assure successful risk reduction. Effective risk management depends on risk management planning; early identification and analysis of risk; early implementation of corrective actions; continuous monitoring and reassessment; and communication, documentation, and coordination.

About the Author

Glen B. Alleman is a principal of Niwot Ridge LLC, Niwot Colorado. Glen’s primary role is the development of Program Planning and Controls processes for aerospace and defense clients. These practices start with the Integrated Master Plan and Integrated Master Schedule (IMP/IMS) paradigm. Using Glen’s book Performance-Based Project Management® the risk-adjusted plan assures the Program Management Office that both programmatic and technical risks are identified and handled. Glen also focuses on Capabilities-Based Planning and Balanced Scorecard performance management processes for large, complex, and risky programs. By combining IMP/IMS, PP&C, and Balanced Scorecard a performed-based strategy for successful project delivery can be constructed and executed.