The Project Risk Maturity Model This page intentionally left blank The Project Risk Maturity Model Measuring and Improving Risk Management Capability Martin Hopkinson QinetiQ, UK First published 2011 by Gower Publishing Published 2016 by Routledge Park Square, Milton Park, Abingdon, Oxon OX14 4RN 711 Third Avenue, New York, NY 10017, USA Routledge is an imprint of the Taylor & Francis Group, an informa business Copyright © 2011 Martin Hopkinson Martin Hopkinson has asserted his moral right under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work All rights reserved No part of this book may be reprinted or reproduced or utilised in any form or by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying and recording, or in any information storage or retrieval system, without permission in writing from the publishers Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe British Library Cataloguing in Publication Data Hopkinson, Martin The project risk maturity model : measuring and improving risk management capability Risk management – Mathematical models Operational risk – Mathematical models Project management – Mathematical models I Title 658.1'55'015118–dc22 Library of Congress Cataloging-in-Publication Data Hopkinson, Martin The project risk maturity model : measuring and improving risk management capability / by Martin Hopkinson p cm Includes bibliographical references and index ISBN 978-0-566-08879-7 (hbk : alk paper) Risk management Project management I Title HD61.H568 2010 658.15'5–dc22 2010021053 ISBN 9780566088797 (hbk) Contents List of Figures List of Tables Foreword Preface vii ix xi xiii PART I INTRODUCTION TO THE PROJECT RISK MATURITY MODEL Chapter The Project Risk Maturity Model Chapter Scope and Context 17 Chapter Starting from the Top: Using a Multi-pass Risk Management Process 37 Chapter The UK MoD Defence Procurement Agency: A Project Risk Maturity Model Case Study 65 Chapter Risk Maturity Model Data Collection 87 PART II GUIDE TO THE PROJECT RISK MATURITY MODEL Chapter Stakeholders Chapter Risk Identification 113 Chapter Risk Analysis 127 Chapter Risk Responses 165 95 Chapter 10 Project Management 179 Chapter 11 Risk Management Culture 199 Appendix A Attributes of Risk Maturity Model Levels Appendix B Project Risk Management Principles Appendix C Governance of Project Management Appendix D QinetiQ References Software User Instructions Index 219 221 225 229 231 235 243 This page intentionally left blank List of Figures Figure 1.1 Figure 1.2 Figure 1.3 Figure 1.4 Figure 1.5 Figure 1.6 Figure 2.1 Figure 2.2 Figure 2.3 Figure 2.4 Figure 2.5 Figure 2.6 Figure 3.1 Figure 3.2 Figure 3.3 Figure 3.4 Figure 3.5 Figure 3.6 Figure 4.1 Figure 4.2 Figure 4.3 Figure 4.4 Figure 4.5 Figure 4.6 Figure 4.7 Figure 4.8 Figure 4.9 Figure 4.10 Figure 4.11 Figure 4.12 Figure 8.1 Figure 8.2 Figure 8.3 Figure 8.4 Figure 8.5 Figure 8.6 Figure 8.7 Figure 8.8 Figure 8.9 Figure 8.10 Figure 8.11 Risk maturity model levels Example of the results from a Project RMM Assessment PRAM Guide mapping for four of the RMM perspectives Augmented version of the PRAM Guide process Project RMM assessment results for Project A Project RMM assessment results for Project B The extended project life cycle (APM Body of Knowledge) Graphical representations of overall project cost risk Comparison of risk forecasts for NPV Risk management process being delivered over time (PRAM 2004) Risk management process (PRAM 2004) Example of a PIM for prioritising threats and opportunities Profile of first pass bridge project estimates First pass NPV risk modelling results Tornado chart from the first pass modelling results Effect of NPV discount factor on first pass modelling estimates Second pass analysis NPV risk modelling results Third pass NPV risk modelling results The CADMID project life cycle Derivation of three-point confidence forecasts Idealised comparison of Initial Gate and Main Gate confidence forecasts Weakest RMM perspective analysis Comparison of MoD and prime contract RMM results for one project Comparison of MoD and prime contract RMM results for one project Summary of RMM results for 30 major projects Comparison of first and second RMM assessment results Illustration of the NAO’s calculation of risk differential consumed Schedule risk differential consumed for 13 major projects Percentage in-year cost variance for 19 major projects Percentage schedule and cost variance for 13 major projects A risk description broken into three components Variability risk described using three components Ambiguity risk described using three components Relationship between a risk description and types of risk response Examples of risk probability distributions Example of the relationships between direct and secondary risk effects Simple model for detecting vulnerability to estimating bias Illustration of the process of uncertainty suppression Typical features of a Monte Carlo schedule risk analysis model Scatter diagram: correlation of 0.5 between two Beta Pert distributions Effect of the inclusion of correlation in a Monte Carlo risk model 9 12 13 20 21 23 25 27 29 42 43 43 44 49 52 66 68 69 72 75 76 77 78 80 81 82 83 130 131 132 133 137 139 146 148 151 153 154 viii The Project Risk Maturity Model Figure 8.12 Figure 8.13 Figure 8.14 Figure 10.1 Figure 11.1 Figure C.1 Figure C.2 Example of a faulty common-practice cost risk model Overall cost risk shown as a distribution of possible outcomes Example of a faulty common-practice Monte Carlo cost risk model Typical labelling and purpose of project financial contingencies Example of a risk that includes both threat and opportunity Governance of Project Management (APM 2004) Governance of Project Management: four components 157 158 159 194 213 225 227 List of Tables Table 2.1 Table 3.1 Table 3.2 Table 3.3 Table 3.4 Table 3.5 Table 4.1 Table 9.1 Table 10.1 Examples of different ways of conceptualising risks Illustration of the effects of the Net Present Value calculation First pass risk estimates Effect of risk sharing on third pass risk estimates for revenue Risk forecasts from fourth pass analysis Database fields selection Overall RMM Assessments for the 30 major projects Risk management strategies identified by three guides Typical purposes of risk reports 31 40 41 51 54 57 72 169 190 232 T h e P r o j e c t R i s k M a t u r i t y M o d e l Hillson, D 1997 Towards a risk maturity model International Journal of Project and Business Risk Management, Volume 1, Issue 1, March —— 2002 Use a Risk Breakdown Structure (RBS) to Understand Your Risks San Antonio, Texas, USA: PMI Annual Seminars & Symposium —— 2004 Effective Opportunity Management for Projects: Exploiting Positive Risk New York, USA: Marcel Dekker Inc —— and Murray-Webster, R 2005 Understanding and Managing Risk Attitude Farnham, UK: Gower Publishing Hopkinson, M 2000a Using Risk Maturity Models Kluwer’s Risk Management Briefing, Issue 40, (May), 4–8 —— 2000b The Risk Maturity Model Risk Management Bulletin, Volume 5, Issue 4, (November), 25–29 —— (2001) Schedule Risk Analysis: Critical Issues for Planners and Managers London, UK: PMI Europe Conference ——and Brown, R 2002 Measuring Risk Maturity in UK MoD Projects Project Manager Today, Risk Management Conference, London, UK —— and Lovelock, G 2004 The Project Risk Maturity Model – Assessment of the UK MoD’s Top 30 Acquisition Projects Prague, Annual PMI Congress Europe Hopkinson, M et al 2008 Prioritising Project Risks Princes Risborough, UK: Association for Project Management Hulett, D 2009 Practical Schedule Risk Analysis Farnham, UK: Gower Publishing Kerzner, H 2001 Strategic Planning for Project Management using a Project Management Maturity Model New York, USA: John Wiley & Sons Inc Leitch, M 2008 Intelligent Internal Control and Risk Management: Designing High-Performance Risk Control Systems Farnham, UK: Gower Publishing Lichtenberg, S 1989 The Successive Principle: A New Decision Tool for the Conception Phase Atlanta, US:, Joint Project Management Institute/IPMA Symposium Lichtenberg, S 2000 Proactive Management of Uncertainty using the Successive Principle Copenhagen, Denmark: Polyteknisk Press Mackay, C 1852 Extraordinary Popular Delusions and the Madness of Crowds Wordsworth Edition Ltd, Ware, Hertfordshire (1995) Murray-Webster, R and Hillson, D 2008 Understanding and Managing Group Risk Attitude Farnham, UK: Gower Publishing Parliamentary Office of Science and Technology POST Report 200 (2003) Millbank, London Project Management Institute 2004 A Guide to the Project Management Body of Knowledge (PMBOK) (3rd Edition) Philadelphia, USA: Project Management Institute —— 2009 Practice Standard for Project Risk Management., Pennsylvania, USA: Project Management Institute Inc Reuvid, J (ed.) 2007 Managing Business Risk: A Practical Guide to Protecting Your Business (4th Edition) London, UK: IRM (Institute of Risk Management) Simon, P., Hillson, D and Newland, K 1997 Project Risk Analysis and Management (PRAM) Guide (1st Edition) High Wycombe, UK: Association for Project Management Turnbull, N et al 1999 Internal Control: Guidance for Directors on the Combined Code London, UK: Institute of Chartered Accountants Turner, R.J 1999 The Handbook of Project-based Management Maidenhead, UK: McGraw Hill Publishing Company R e f e r e n c e s 233 Vaughan, D 1996 The Challenger Launch Decision: Risky Technology, Culture and Deviance at NASA Chicago: Chicago University Press Vose, D 2008 Risk Analysis: A Quantitative Guide (3rd Edition) Chichester, UK: John Wiley and Sons Ltd Williams, T 2002 Modelling Complex Projects Chichester, UK: John Wiley and Sons Ltd This page intentionally left blank Software User Instructions Now you’ve tried it your way, read this to try it our way! Instructions sheet enclosed with a self-assembly kit The disk that comes with this book will enable you to run your own Project Risk Maturity Model (RMM) assessments The software is written in Microsoft Access but is packaged with an Access run time licence, making it unnecessary to have a copy of Microsoft Access itself The software should be compatible with common Microsoft Windows operating systems, including XP, Vista, Windows and other contemporary windows operating systems that are found in the workplace Although compatibility is not guaranteed, it can be noted that almost all most software issues fixed after testing were identified by users of Vista The licence is unlimited in terms of both time and the number of assessments that can be made As with most software applications, the licence conditions have to be accepted by the user during the installation process However, two conditions should be noted at this point First, there is no user help line; the software is relatively simple and these instructions should be sufficient Second, the licence is for one computer only If you want to transfer it to another computer, the software should be uninstalled first This second condition is intended to prevent the software from being used by people other than the owner of the book If other people want a copy of the software they should buy the book! After all, the book provides a lot of additional information that should be regarded as being important to achieving accurate assessments Using the software without this information should be discouraged Software Installation After being loaded in the computer’s CD drive, the Project RMM installation application may start automatically If it doesn’t, installation can be initiated by opening the QQPRMMSetup application file that can be found on the disk, for example, by using Windows Explorer The software will install after the licence conditions have been accepted (click on the acceptance box at the bottom left to enable installation) By default, the application will be installed on the Programmes directory in a folder created using the path Program Files/QinetiQ/Risk Maturity Model Book Software However, this default can be changed to an alternative path name at the user’s discretion As the installation process continues, it displays a Windows box stating that Access Runtime 2003 is being reconfigured This only affects the RMM software and should not alter the configuration of your computer in any other way The installation process should also create a desktop shortcut in the form of the RMM icon 236 T h e P r o j e c t R i s k M a t u r i t y M o d e l Software Launch The software can be launched in any of the following three ways: Double-click on the QinetiQ Project Risk Maturity Model icon (a white box with RMM in light blue letters) Use the Windows Start button to select Programs/QinetiQ Risk Tools/Project Risk Maturity Model Use Windows Explorer to locate and open the qqprmm application file following the path selected during the installation process As the software is launched, a blue QinetiQ/Project Risk Maturity Model flash screen will be displayed for a short period This will then be replaced by the RMM control panel shown in Figure Figure Control panel The control panel enables you to create assessments for a new project or to open a file previously created for a project On the first occasion that the software is launched, there will be no previously created files, so a new project has to be created S o f t w a r e U s e r I n s t r u c t i o n s 237 To create a new project, click on the New Project button and then enter a file name for the new project in the Windows dialogue box that appears The browser at the top of the dialogue box can be used to select an appropriate folder for the file to be saved in After entering this information, click on the Save button This will create an RMM type file in the chosen folder The Save button also returns you to the Control Panel This time, however, the Display Q&A button will no longer be greyed out Click on the Display Q&A button to enter the RMM itself Assessment Data Entry Clicking the Display Q&A button takes the user to the data entry screen shown in Figure By default, having entered the model, you are shown the details of Question A1: the first of the RMM’s 50 questions The other questions can be viewed in turn by selecting Records at the bottom left of the screen However, assuming that a new project has just been created, it should be noted that the radio buttons (circular buttons to the left of each of the five answers) not yet respond to mouse clicks In order to start the data entry process, you have to create a new review (that is, RMM assessment) Figure Data entry screen 238 T h e P r o j e c t R i s k M a t u r i t y M o d e l To create a new review, click on the New button, found towards the top left of the screen This causes a small dialogue box to appear instructing the user to ‘Enter the name of the review you want to create’ The name that is entered here will later appear on the results graph It is therefore good practice to differentiate each review from the others recorded in each project file by including both the project name and a date Typically projects have short names, often in the form of mildly amusing acronyms Hence, for example, one might enter the name ‘SCRUM May 2011’ Having entered this name in the dialogue box, accept it by clicking on the OK button If a typing mistake is found after this procedure, it can be corrected by clicking on the Rename button and editing the review name Once accepted, each new review name is added to the Review name drop-down list to the left of the New button The review name selected from this drop-down list corresponds to the data that is entered for each of the RMM questions and the results graph produced in response Having created a new review name, it should be noticed that the five radio buttons to the left hand side of the screen will have become active and can be selected by mouse clicks Having selected a review name, answers to each of the RMM questions can thus be entered in turn by clicking on the appropriate radio button and then moving to the next question by clicking on the right-pointing Record selection arrow For convenience, answers can subsequently be selected by clicking on the text of the appropriate answer rather than the radio button The default selection for each RMM question is E; not applicable In practice, this should be regarded as being an invalid option for most questions Moreover, in the case of many questions (including, as shown in Figure 2, Question A1) the accompanying text identifies that it should be considered invalid, no matter what the project or its circumstances Hence care is required to ensure that positive selections are made for every question that is applicable to the project in question The golden rule for selecting answers (see p 93), should also be respected The golden rule is: ‘In order to select any answer to a question, the project must meet or exceed all criteria for both that answer and all answers that correspond to lower RMM levels’ At the end of the data entry process, there should only be a small number of questions that are treated as being not applicable As entries are being made, the results graph can be viewed However, the results are only valid when the data entry process has been completed for all 50 questions The data entry screen allows two other items of data to entered, both of which are optional First, the assessor’s name can be entered by typing in the Review facilitator field Second, the assessment data collection method can be recorded in the Data Collection field The latter has a drop-down list with the three RMM data collection methods described in Chapter 5: Self-assessment, Risk Management Process audit, and Project Team Workshops (pp 87–92) If another method has been used this can be typed directly into the box Both of these fields are designed for record keeping purposes only They not appear on the RMM results output S o f t w a r e U s e r I n s t r u c t i o n s 239 Viewing and Using the Results Graph To view the result graph, click on the Current Perspectives Chart tab at the top of the screen This replaces the questions data entry screen with a results chart equivalent to that shown in Figure QinetiQ Project RMM - Perspectives Chart SCRUM May 2011 100% Level Natural 75% Level Normalise 50% Level Novice 25% Level Naïve 0% Stakeholders Figure Risk Risk Analysis Identification Risk Responses Project Management Culture Example of a Project RMM results chart As explained in Chapter (see pp 7–8), the overall RMM assessment is read from this chart as being the level corresponding to the lowest bar Hence, for example, Figure shows a project with a Level RMM capability The results chart can be exported into other applications such as Microsoft Word or PowerPoint by clicking on the Copy to Clipboard button and then pasting into the other application The best results are obtained by using Paste Special to paste the chart as a metafile or a Microsoft Graph Chart Object To return to the data entry screen, click on the Questions and Answers tab at the top of the screen to the left of the Current Perspectives Chart tab Protecting Data Entered for a Review When the data entry has been completed for a review, it can be protected from further change To this, click on the Commit button After this action, it should not be possible to amend any of the answers selected for the RMM questions and, hence, alter the results shown by the results graph 240 T h e P r o j e c t R i s k M a t u r i t y M o d e l Viewing Case Studies The software comes with seven one-page PDF files Please note that Adobe Acrobat Reader is required to open and read them Six of these files are case studies related to each of the RMM perspectives as labelled on the Results chart To view a case study, go to the Current Perspectives Chart screen and click on a RMM label (for example, Risk Identification) A hyperlink on the label opens the relevant case study All case studies are based on project risk management work on real projects The other PDF file provides background information on QinetiQ and the Project RMM and can be opened by clicking on the Find Out More button on the Control Panel Exiting the Risk Maturity Model To exit the Risk Maturity Model, click on the Close Screen button at the bottom left of the data entry screen Alternatively, you can close the screen by clicking on the box with the cross at the top right hand side of the application window Finally, click on the Exit Risk Maturity Model button on the Control Panel Opening and Using an Existing Project RMM file After opening the application to view the Control Panel, click on the Open Project button This will open a Windows dialogue box with which you can find the project to be opened RMM files created by the Project RMM are created and saved with a prm extension By default, this dialogue box will browse the last folder that was used by Risk Maturity Model If the file you are looking for is not in that folder and you cannot remember where it is stored, one approach is to search your computer disk for all files with a prm extension Having found and selected the right file, click on the Open button Finally, from the Control Panel, click on the Display Q&A Form button to start using the project file When the data entry screen is first displayed, none of the reviews previously created in the project file will be selected, all the radio buttons on the left hand side of the screen will be inactive To start using the tool, select a previous review using the Review Name drop-down list Alternatively, click on the New button and enter and OK the name of the new review you would like to create Functions not Enabled in the Software Provided with the Book For the purposes of the book release, some software functions are disabled that are available to QinetiQ consultants and client organisations that have bought rights to use their own bespoke versions of the tool These functions are: • • The Perspectives Comparison Chart (which enables the results of different reviews to be displayed side by side, but which will show a blank graph if selected using this software) The Notes function (which opens up notes fields for maintaining associated audit records) S o f t w a r e U s e r I n s t r u c t i o n s 241 • • The Turnbull Compliance Report (which identifies aspects of the project risk management process that fail to comply with standards of internal control required for companies listed on the London Stock Exchange) A reports function that prints hard copies of the Project RMM content and the results entered for selected project assessments A full copy of the Project Risk Maturity Model (and other similar models such as the Business Risk Maturity Model) can be negotiated with QinetiQ Organisations interested in this option also often choose to make minor alterations to the words in the model so as to tailor it to their in-house terminology This page intentionally left blank Index ambiguity risks 30, 131–2 arrow of attention 29 assumptions analysis 61 audit 89–91 benefits 59–60 bias 144–6 business as usual 34 business cases, scrutiny of 69 CADMID project life cycle 66–7 capital expenditure risk forecasts 55 CMM (Software Capability Maturity Model) 61–2 commercial risk 50–53 compliance risks 118–19 composite risks 30 constructive insubordination 60–61 contract design 33 contracting strategy 10, 204 correlation 153, 161 cost/benefit comparisons 170–71 cost risk models 54–5 cost risks 84, 157–9 covariance 149, 161 customer risk 10 data collection 87–92 defence equipment procurement 13–14 life cycle 66–7 risk 65–6 risk management 67–70 Defence Procurement Agency 66–7 delegated responsibility 200–201 disclosure and reporting of risk information 98–9, 108–9 distribution centres 22–4 end users 110–11 estimating heuristics 56, 146–7 event risks 30 exchange rates 30, 155 extended project life cycle 20, 84, 110, 121, 126 external customers 100–101 fallback decision points 166–7 fallback plans 162–3 first-tier suppliers 106–7 freedom to act 200–201 gate reviews 66–7 golden rule (RMM) 93, 238 governance of project management 225–8 HVR Consulting Services Ltd 229 independent assessors 88–9 Initial Gate 67, 69 internal control 96–7 IT security 119 iterative top-down risk management 24–6 joint risk management 74–5, 95 known knowns 17–18 known unknowns 18, 195 lead customers 10, 102–3 legal risks 118–19 lessons learned 124 Main Gate approvals 67, 69, 80–84 main suppliers 104–5 Ministry of Defence (MoD) cost risk 84 cost variances 82–3 Defence Procurement Agency 66–7 equipment procurement life cycle 66–7 244 T h e P r o j e c t R i s k M a t u r i t y M o d e l project assessment 72–3 risk management process 67–70 joint risk management 74–5 prime contractors 74–5 project approvals 79–84 project performance 70 Project Risk Maturity Model 70–74 risk management capability improvement monitoring 77–9 variations in practices 76–7 weaknesses 72–4 schedule variances 83 misile flight trials 204–5 Monte Carlo risk models 42, 147, 150–51 multi-pass risk management 37–59 first pass 41–6 initiation 39 second pass 45–9, 51 NAO (National Audit Office) 70 NASA Space Shuttle disaster 108 National Audit Office 70 net present value 40 non-compliance risks 118–19 NPV (net present value) 40, 156, 159–60 NPV risk models 40–52, 159–60 onerous terms and conditions 119 ongoing operations 34 opportunities 29, 210–14 optimisation 62 overall project risk 20–24 Parkinson’s law 203 planning 17–18, 188 planning consent 45, 55 PRAM Guide process probability estimates 140–41 Probability-Impact Matrix 29, 127, 143 process audits 89–91 programme management 33–4 progress monitoring 123 project benefits 59–60, 121, 136, 165 project complexity 34–5 project cost forecasts 194–6 project life cycles 19–20 project management 179–98 governance 225–8 project managers 32 project objectives 10 project performance 14 project planning 17–18, 188, 205 project purpose 180–83 project risk managers 32 Project Risk Maturity Model; see also risk management best practice 61–2 capability 62–3 data collection 87–92 disclosure and reporting 98–9, 108–9 end users 110–11 examples 11–14 external customers 100–101 first-tier suppliers 106–7 independent assessors 88–9 joint risk management 95 lead customers 102–3 levels 4–7 attributes of 220 main suppliers 104–5 Ministry of Defence 70–74 perspectives in practice 14–15 process audits 89–91 project approvals 80–84 project team workshops 91 questions risk identification 113–26 risk sharing 102–3 self-assessment 88 stakeholders 95–112 supplier hierarchies 108–9 weaknesses 72–4 project risk records 189 project size 34–5 project sponsors 31–2 project stakeholders 10 project strategy risks 30 project teams responsibilities 184–5 workshops 91 QinetiQ 229 I n d e x 245 quantitative modelling 129 quantitative schedule risk analysis 150–55 railways 121 RBS (Risk Breakdown Structure) 115 regulatory risks 118–19 repeatability 62 revenue risk 46–8 risk analysis assumptions 45 correlation 161 covariance 149, 161 economic performance 156–61 fallback plans 162–3 probability estimates 140–41 process improvement 164 quantitative modelling 129 quantitative schedule 150–55 risk descriptions 128–33 risk estimation 144–9 risk impacts 136–7 risk owners 134–5 risk prioritisation 142–3 risk responses 176–7 secondary effects 138–9 top-down 159–60 Risk Breakdown Structure 115 risk-by-risk management 26–8 risk descriptions 128–33 risk differentials 80–82 risk efficiency 24 risk-efficient choices 5–6, 24, 49, 177 risk estimation 41–2, 144–9 risk forecasts 54–5 risk identification breadth of 120–21 breadth of responsibility 125 learned experience 124 new risks 122–3 non-compliance risks 118–19 process improvement 126 progress monitoring 123 techniques 116–17 top-down 114–15 risk impacts 136–7 risk management; see also Project Risk Maturity Model assessment of capability 7–11 best practice 61–2 capability 11–14 capability assessment 197 capability improvement monitoring 77–9 culture 199–217 cycles 186–7 defence equipment procurement 67–70 disclosure and reporting 98–9, 105, 109 early use of 208 effectiveness 193 end users 110–11 external customers 100–101 first-tier suppliers 106–7 independent assessors 88–9 iterative top-down 24–6, 37–8 joint 74–5, 95 known unknowns 18 lead customers 102–3 main suppliers 104–5 multi-pass 37–59 passes first 39–46 second 36–49 third 50–53 fourth 53–6 fifth 56–9 plans 206–7 principles 221–3 process audits 89–91 process improvement 198 project approvals 79–84 project benefits 59–60 project cost forecasts 194–6 project planning 188 project purpose 180–83 project risk records 189 project team responsibilities 184–5 project team workshops 91 recognition for good practice 209 risk-by-risk 26–8 risk identification 113–26 risk reporting 190–91 risk reviews 192–3 risk sharing 102–3 risk taking 210–14 246 T h e P r o j e c t R i s k M a t u r i t y M o d e l roles 31–2 self-assessment 88 senior management 96–7 single pass 61 supplier hierarchies 108–9 tools and techniques 62 top-down 24–6, 37–8 variations in practices 76–7 weaknesses 72–4 risk owners 32–3, 56, 58, 134–5 risk prioritisation 44, 140–3 risk registers 11, 13–14, 54, 56–9 risk reporting 190–91 risk responses 165–78 cost/benefit comparisons 170–71 fallback decision points 166–7 implementation 174–5 plans 172–3 process improvement 178 risk analysis 176–7 secondary effects 171 strategies 168–9 timely implementation 215–16 risk reviews 56–7, 192–3 risk sharing 47–8, 51–3, 102–3 risk taking 210–14 risks conceptualising 28–32 as events 28–30 RMM, see Project Risk Maturity Model road bridge project 38–59, 62–3 Sarbanes–Oxley Act 96–7, 225 schedule risk analysis 12, 150–55, 190 schedule risk differentials 80–82 schedule risk models 54–5 schedule risks 33, 115, 214 Scottish Parliament building 196 secondary effects 138–9, 171 self-assessment 88 Smart Procurement 66–7 Software Capability Maturity Model 61–2 software user instructions 235–41 Space Shuttle disaster 108 stakeholders 95–112 disclosure and reporting 108–9 end users 110–11 external customers 100–101 first-tier suppliers 106–7 lead customers 102–3 main suppliers 104–5 process improvement 112 as risk owners 32–3 senior management 96–7 trust 204–5 steel industry 11–12 successive principle 37 supplier hierarchies 108–9 systemic risks 30 threats 29 three-point confidence forecasts 68–9 top-down risk analysis 159–60 top-down risk management 24–6, 37–8 trust 202–5 Turnbull Guidance 96–7, 225 uncertainty 30, 41 uncertainty suppression 148 unknown unknowns 19, 70, 195 variability risks 30, 131 workshops 91 .. .The Project Risk Maturity Model This page intentionally left blank The Project Risk Maturity Model Measuring and Improving Risk Management Capability Martin Hopkinson... both the Portfolio, Programme and Project Management Maturity Model (P3M3©) and the PRINCE2 Maturity Model (P2MM©), and the International Project Management Association has developed their Project. .. This chapter discusses the scope of project risk management and, hence, where the Project Risk Maturity Model (RMM) draws boundaries between risk management and other project management processes