
Risk Management for Project Managers: Concepts and Practices


Document information

Pages: 113
Size: 2.22 MB

Contents

The Technical Manager's Survival Guides

Risk Management for Project Managers: Concepts and Practices

By Marcus Goncalves and Raj Heda

"Good read. This book is a template for managing complex businesses and contains information that every Asset Manager should know. Highly recommended." —James Willey, P.E., Vice President, Pearl Energy Philippines Operating, Inc.

"Marcus's new guide to risk management provides pragmatic advice that project managers can use to help them frame risks, use that knowledge to retain control of their projects and get their project completed with a minimum number of unpleasant surprises. An excellent book that all project managers should keep on their book shelf." —Rick Welch, Senior Vice President of Services, Demandware Corporation, Burlington, MA, USA

"Uncertainty, or risk, is an essential part of life so that thoughtful action can influence the success or failure of endeavours. This is nowhere more apparent than in projects, where poor risk management often leads to failure. Goncalves and Heda's new book makes a valuable contribution to the project risk management literature, highlighting the need to systematically and practically manage risks, and gives valuable best-practice advice on how this can be done effectively and efficiently. It is a concise, easy read for non-technical managers who will find it full of practical information." —Richard Whitfield PhD, President, East-West Institute for Advanced Studies, Macau, China

ASME, Two Park Avenue, New York, NY 10016, USA, www.asme.org

© 2014, ASME, Park Avenue, New York, NY 10016, USA (www.asme.org)
All rights reserved. Printed in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

Information contained in this work has been obtained by the American Society of Mechanical Engineers from sources believed to be reliable. However, neither ASME nor its authors or editors guarantee the accuracy or completeness of any information published in this work. Neither ASME nor its authors and editors shall be responsible for any errors, omissions, or damages arising out of the use of this information. The work is published with the understanding that ASME and its authors and editors are supplying information but are not attempting to render engineering or other professional services. If such engineering or professional services are required, the assistance of an appropriate professional should be sought.

ASME shall not be responsible for statements or opinions advanced in papers or printed in its publications (B7.1.3, Statement from the Bylaws).

For authorization to photocopy material for internal or personal use under those circumstances not falling within the fair use provisions of the Copyright Act, contact the Copyright Clearance Center (CCC), 222 Rosewood Drive, Danvers, MA 01923, tel: 978-750-8400, www.copyright.com. Requests for special permission or bulk reproduction should be addressed to the ASME Publishing Department, or submitted online at: http://www.asme.org/kb/books/book-proposalguidelines/permissions

ASME Press books are available at special quantity discounts to use as premiums or for use in corporate training programs. For more information, contact Special Sales at customercare@asme.org

Library of Congress Cataloging-in-Publication Data
Goncalves, Marcus.
Risk management for project managers : concepts and practices / by Marcus Goncalves and Raj Heda.
pages cm. (The technical manager's survival guides)
Includes bibliographical references.
ISBN 978-0-7918-6023-6
1. Risk management. 2. Project management. I. Heda, Raj. II. Title.
HD61.G646 2013
658.15'5 dc23
2013041478

Acknowledgement

I would like to thank, yet again, Mary Grace Stefanchik, the editor at the American Society of Mechanical Engineers (ASME), not only for publishing yet another one of my works for ASME's collection, but especially for her continuous patience during the production phase of this book. Many thanks, again, to my co-author and friend Raj Heda, for finding time in his schedule to lend his expertise on risk management, and write this book with me.

Raj Heda: I wish to record my debt to some of the people who have made an indelible mark in my life. A special note of thanks to my dear professor and now friend and colleague, Marcus Goncalves, for his generous helpfulness, trust, support and, above all, for offering me again the opportunity to co-author this book. To my mother for being ever loving and encouraging. To my brother Ravi for all the love and the fun days we spent. To my aunt, Meenu, for always lending me a patient ear and giving me genuine advice in all my endeavors. To my friend and colleague in business, Dorothy, for her sincere lookout for my well-being and for her beautiful heart. To my dear friends Anand, Shrikant, Prajay, Prashant and Amit for always being there for me in good times and bad. To my good friend, Matt, for help with graphics in the book. Many thanks to Marcus and the team at ASME for involving me in this project. I am indebted to my beautiful daughters, Radhika and Vrinda, for showering all their love on me and for always bringing a smile to my face; they make everything worth the effort. I am grateful to my loving wife for always having the confidence in me, even beyond what I have in myself. Finally, I can never forget the contributions of my mother in getting me to where I am in my life today. Love you Mom!
Dedication

To my wife Carla, sons Samir and Josh (in memory), and my princess Andrea (also in memory), the true joy of my life. To God be the glory!
Marcus Goncalves, Summer 2013

To my wife, Anu, for being such a caring and loving life partner, for her synergistic help in all my activities and for her invaluable editing of this book. To my beautiful princesses Radhika and Vrinda, who are my true loves and who make it all worth the while! In loving and thankful memory of my dearest father, Shiv Heda, the angel always beside me.
Raj Heda, Summer 2013

Table of Contents

Acknowledgement iii
Dedication v
Chapter 1. Understanding Risk: Opportunities or Threat?
  Overview
  What is Risk?
Chapter 2. Risk Management Theory and Practice
  Overview
  What is Risk Management?
  Appetite for Risk
  Categories of Risk 11
  Outcome of Risk Assessment 11
Chapter 3. Developing a Risk Assessment and Mitigation Strategy 13
  Overview 13
Chapter 4. The Risk Management Process 19
  Overview 19
  Risk Identification 21
  Qualitative and Quantitative Risk Analysis 22
  Risk Response Planning 23
  Risk Monitoring and Control 23
Chapter 5. Risk Analysis Tools and Methodologies 25
  Overview 25
  Qualitative Risk Analysis: Tools and Techniques 25
  Risk Probability and Impact Assessment 26
  Probability and Impact Matrix 26
  Risk Data Quality Assessment 27
  Risk Categorization 28
  Risk Urgency Assessment 28
  Quantitative Risk Analysis: Tools and Techniques 28
  Data Gathering and Representation Techniques 29
  Probability Distributions 30
  Monte Carlo Simulation 31
  Sensitivity Analysis 32
  Decision Tree Analysis 33
Chapter 6. Identifying Risk 35
  Overview 35
  Identifying Risks 38
  Risk Identification Process 41
  Best Practices for Risk Identification 45
Chapter 7. Assessing and Mitigating Risk 49
  Overview 49
  Four Steps to Risk Assessment 51
  Prioritizing Risk 53
  Measuring Risk Impact 54
  Measuring Likelihood 58
  Risk Mitigation Strategies 59
  Risk Assessment Best Practices 60
Chapter 8. Developing Risk Response Strategies 63
  Overview 63
  Developing a Risk Response Strategy 64
  Responding to Risk Events 67
  Identifying Risk Response Alternatives 68
  Selecting Response Alternatives 69
  Assigning Risk Ownership 70
  Preparing Risk Response Plans 70
Chapter 9. Implementing Risk Response Controls 73
  Overview 73
  Response Controls and the Risk Registrar 74
  Inputs to Risk Monitoring and Controls 76
  Techniques to Risk Monitoring and Response Control 76
  Outputs to Risk Monitoring and Response Controls 77
  Handling Change Requests 78
Chapter 10. Incident Management and BC/DR Planning 83
  Overview 83
  Distinguishing Business Continuity from Disaster Recovery Planning 86
  What is in the Plans 88
  Developing a Business Impact Analysis 91
  Incident Management Process 92
Glossary of Terms 95
About the Authors 99

[Preview resumes at page 88, in Chapter 10]

• Facilities and Infrastructure – the underlying infrastructure must be structured to be recoverable; this involves physical infrastructure as well.
• Operational BC/DR Planning – there must be an operational and tested plan to recover.
• Processes and Procedures – BC/DR must be incorporated into the standard processes and procedures of the organization, or project.

What is in the Plans

All BC/DR plans need to embody how employees will communicate, where they will go and how they will keep doing their jobs when an incident (or a disaster!) strikes. The level of detail can vary greatly. It will depend on the size and scope of a project or company, and the way it does business. For some businesses, for instance retail stores (i.e. supermarkets) and hospitals, issues such as supply chain logistics are most crucial and are the focus of the plan. For others, such as banking and other financial institutions, information technology may play a more pivotal role, and the BC/DR plan may have more of a focus on systems recovery. For example, the plan at one multinational manufacturing company would restore critical mainframes with vital data at a backup site within four to six days of a disruptive event, obtain a mobile PBX unit with 4,000 telephones within forty-eight hours, recover the company's 1,500-plus local area networks (LANs) in order of business need, and set up a temporary call center for 150 agents at a nearby training facility.

Whether we look at the issue as IcM or BC/DR, such plans should be considered to be much more than just the analysis of perceived threats and hazards towards a project or organization. It should be remembered that, as well as being an important part of the risk management process and business resilience planning, BC/DR is a real-time physical activity. The critical point here is that neither element can be ignored, and physical, IT and human resources plans cannot be developed in isolation from each other.

Figure 10.4 - Global causes of business disasters [1]

The nature of the disaster may vary, as depicted in Figure 10.4, but contingency plans must be communicated quickly and effectively. As a matter of fact, BC/DR has a lot in common with security convergence, as at its heart BC/DR is about constant communication. Therefore, business, facility, security, and IT leaders should work together to determine what kind of plan is necessary and which systems and business units are most crucial to the project or organization. Together, they should decide which people are responsible for declaring a disruptive event and mitigating its effects. Most importantly, the plan should establish a process for locating and communicating with employees after such an event. In a catastrophic event, such as Hurricane Katrina for example, the plan will also need to take into account that many of those employees will have more important concerns than getting back to work.

The main rationale for proactive and effective BC/DR planning is that effective business resilience can take place to ensure minimal loss or damage, whether that is to tangible or non-tangible assets of that organization. Hence, the only way such an effective plan can be implemented is by efficient physical management of the incident/disaster, making best use of both time and resources that are available and understanding how to get more resources from outside the organization when needed, by clear and timely liaison.

According to the National Fire Protection Association (NFPA), incident management can be described as: "When an emergency occurs or there is a disruption to the business, organized teams will respond in accordance with established plans. Public emergency services may be called to assist. Contractors may be engaged and other resources may be needed. Inquiries from the news media, the community, employees and their families and local officials may overwhelm telephone lines. How should a business manage all of these activities and resources? Businesses should have an incident management system (IMS)." [2]

An IMS is "the combination of facilities, equipment, personnel, procedures and communications operating within a common organizational structure, designed to aid in the management of resources during incidents" (National Fire Protection Association (NFPA), 2013). [3] The International Organization for Standardization (ISO), the world's largest developer of international standards, also makes a point in the description of its risk management principles and guidelines document, ISO 31000:2009, that "Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment". This again shows the importance of not just good planning but effective allocation of resources to treat the risk (ISO 31000, 2009). [4]

[1] According to STS at http://www.sounditservices.com/services/offsite-disaster-recovery/
[2] Federal Emergency Management Agency (FEMA) (2012) [online]. Available from: http://www.ready.gov/business/implementation/incident [Accessed 10 April 2013]
[3] National Fire Protection Association (NFPA) (2013). Available from: http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=1600&cookie%5Ftest=1 [Accessed 10 April 2013]
[4] International Organization for Standardization (ISO) (2009) [online]. Available from: http://www.iso.org/iso/home/standards/iso31000.htm

Developing a Business Impact Analysis

As discussed earlier in this chapter, the intention here is not to dive too deep into the subject, but rather to provide you with some basic awareness of the importance of BC/DR and IcM. But a good first step in assessing your project's or organization's preparedness is a business impact analysis (BIA). This process will help you identify the project's and business's most crucial systems and processes and the effect an outage would have on them. The greater the potential impact, the more money a company should spend to restore a system or process quickly. For instance, a banking institution may decide to pay for completely redundant IT systems that would allow it to immediately start processing trades at another location. On the other hand, a power generation company may decide that it can wait 24 hours to resume generating power. A BIA will help companies set a restoration sequence to determine which parts of the business should be restored first.

The following is a list of the ten most important basics your plan should cover:

1. Develop and practice a contingency plan that includes a succession plan for your CEO or project manager.
2. Train backup employees to perform emergency tasks, as the employees you currently count on to lead in an emergency may not always be available.
3. Determine offsite crisis meeting places and crisis communication plans for top executives. Practice crisis communication with employees, customers and the outside world.
4. Invest in an alternate means of communication in case the phone networks go down.
5. Make sure that all employees, as well as executives, are involved in these exercises so that they get practice in responding to an emergency.
6. Make business continuity exercises realistic enough to tap into employees' emotions so that you can see how they'll react when the situation gets stressful.
7. Form partnerships with local emergency response groups such as firefighters, police and EMTs, to establish a good working relationship. Let them become familiar with your company and site.
8. Evaluate your project's or company's performance during each test, and work toward constant improvement. Continuity exercises should reveal weaknesses.
9. Test your continuity plan regularly to reveal and accommodate changes. Technology, personnel and facilities are in a constant state of flux at any company.
10. Building an Enterprise-Wide Business Continuity Program.

Incident Management Process

An incident management process has many phases and will tend to vary according to the industry. But by and large, the process describes the sequence of steps that begin when an incident reaches your project, or organization. Depending on the incident, it could follow a very simple or very sophisticated model. Our recommendation is that you begin planning your incident management process with a simple set of tasks and subsequently expand it with new ones according to the challenges you are facing in your project or organization, as well as its environment. For example, as an international management-consulting firm, we at MGCG (www.mgcgusa.com) often have to tweak our IcM process depending on the country we are working in and the current geo-political atmosphere at the time. We have a client in the jungles of the Philippines that required us to adjust our security IcM process. This is the only client for which we had to make such an adjustment. However, some other regions of the world, prone to hyperinflation, cause us to adjust our IcM process to account for lack of resources in case of an incident or disaster.

You can use the set of tasks discussed below, as depicted in Figure 10.5, as a framework for your incident handling procedure. Notice how the process flows top-down, but in a sequence, starting with incident report, then registration and triage, and continuing all the way to the end, at the bottom, with post analysis and improvement proposal.

Figure 10.5 - Incident management process workflow

Most likely, every incident management process should consist of these tasks. It is up to you how much you will develop them and how much more detail you will go into. Good practice is to start with the simple model and then, as you and your team become more experienced, develop the procedure further.

A critical component of success in meeting service level targets is for each project worker, or individual at the organization involved with this IcM process, to hold themselves accountable for deviations from acceptable performance. This will be accomplished by producing meaningful reports that can be utilized to focus on areas that need improvement. The reports must then be used in coordinated activities aimed at improving the support. Be specific when reporting incidents. Remember, proactive incident management may prevent major disasters.

The following is a list of variables you should consider tracking, generally on a monthly basis, with quarterly summaries. Metrics to be reported should include but not be limited to:

• Total number of incidents (as a control measure)
• Breakdown of incidents at each stage (e.g. logged, work in progress, closed, etc.)
• Size of current incident backlog
• Number and percentage of major incidents
• Mean elapsed time to achieve incident resolution or circumvention, broken down by impact code
• Percentage of incidents handled within agreed response time as defined by industry standards
• Number of incidents reopened, and as a percentage of the total
• Number and percentage of incidents incorrectly assigned
• Number and percentage of incidents incorrectly categorized
• Percentage of incidents closed by the Service Desk without reference to other levels of support (often referred to as 'first point of contact')
• Number and percentage of incidents processed per Service Desk agent
• Number and percentage of incidents resolved remotely, without the need for a visit
• Breakdown of incidents by time of day, to help pinpoint peaks and ensure matching of resources

These reports should be analyzed during quality assurance (QA) meetings by the QA manager, who will conduct sessions with each service provider group to review performance reports. The goal of the sessions is to identify:

• Processes that are working well and need to be reinforced
• Patterns related to incidents where support failed to meet targets
• Recurring incidents where the underlying problem needs to be identified and resolution activities pursued
• Work-around solutions that need to be developed until the root cause can be corrected

Glossary of Terms

Activity Standards: Standards that focus on activity undertaken to achieve a particular result regardless of the success of that activity (such as number of calls fielded, site visits, classes taught, etc.).
Business Risk: Risk that is inherent to the operations of a particular organization, including the possibility of loss, no loss or gain.
Chief Risk Officer (CRO): Newer title denoting a senior manager with day-to-day oversight of enterprise risk management.
Cost of Risk: The financial impact on an organization from undertaking activities with an uncertain outcome; the cost of managing risks and incurring losses.
Cost of Risk: The total cost incurred by an organization because of the possibility of accidental loss.
Enterprise Risk Management: An approach to managing all of an organization's key business risks and opportunities with the intent of maximizing shareholder value.
Hazard Risk: Risk from accidental loss, including the possibility of loss and no loss.
Inherent Risk: The risk to an entity in the absence of any actions management might take to alter either the risk's likelihood or impact.
Loss Exposure: Any condition that presents a possibility of loss, whether or not an actual loss occurs.
Metrics: Measuring the effectiveness and/or success of risk mitigation strategies.
Opportunity: The possibility that an event will occur and positively affect the achievement of objectives.
Post-Loss Goals: Risk management goals that should be in place in the event of a significant loss (such as: survival, continuity of operations, profitability, earnings stability, social responsibility, growth).
Pre-Loss Goals: Risk management goals that should be in place even if no significant losses occur.
Residual Risk: The remaining risk after management has taken action to alter the risk's likelihood or impact.
Results Standards: Standards that focus on achievements regardless of the efforts they require (measured in dollars, percentages, ratios or number of losses or claims).
Risk: Uncertainty about outcomes that can be either negative or positive.
Risk Acceptance: No action is taken to affect risk likelihood or impact.
Risk Analysis: Identifying, describing and estimating risks, and developing a risk profile.
Risk Appetite: An organization's tolerance for risk. The broad-based amount of risk MCCCD is willing to accept in pursuit of its mission (or vision).
Risk Assessment: Determining the impact of an identified risk on the organization. Risks are assessed on an inherent and residual basis.
Risk Management: The process of making and implementing decisions that will minimize the adverse effects of accidental losses on an organization.
Risk Management Policy Statement: A tool for communicating the goals of the risk management program and the roles that people throughout the organization have in achieving the organization's risk management goals.
Risk Management Program: A system for planning, organizing, leading and controlling the resources and activities that an organization needs to protect itself from the adverse effects of accidental loss.
Risk Mitigation: Actions that reduce a risk or its consequences.

About the Authors

About Marcus Goncalves, Ed.D.

Dr. Marcus Goncalves has more than 25 years of international management consulting experience in the U.S., Latin America, Europe, the Middle East and Asia. Dr. Goncalves is the former CTO and, earlier on, CKO of Virtual Access Networks, which under his leadership and project management skills was awarded the Best Enterprise Product at Comdex Fall 2001, leading to the acquisition of the company by Symantec. He holds a master's degree in CIS, a BA in Business Administration, and a doctorate in Educational Leadership from Boston University. He has more than 45 books published in the U.S., many available internationally, in Brazil, Japan, China, Taiwan, Germany, Spain and Romania. He's often invited to speak on these subjects worldwide. Marcus is an Associate Professor and the International Business Chair at Nichols College. He also teaches at Boston University and Brandeis University. He is a visiting professor teaching MBA Project Management courses at Saint Joseph University, in Macao, China, where he also advises on graduate research. He can be contacted via email at marcus.goncalves@nichols.edu or at marcusg@mgcgusa.com

About Raj Heda, PMP

Raj Heda has about 15 years of work experience in various Information Technology areas with broad consulting, leadership, teamwork and project management skills. He is well versed in professional services, software product development, managing client relationships and agile, and PMP coaching. He works with edX, the joint initiative of MIT and Harvard, as a Senior Program Manager leading the PMO office. He holds certifications for Project Management Professional (PMP) and Certified Scrum Master (CSM). He has 11 patents to his credit. He teaches classes on Project Management, Web Design, Information Systems Analysis and Design, IT Perspectives and Leadership to Masters and MBA students at Boston College, Boston University and Brandeis University. He has co-authored a book on Agile Project Management with Marcus Goncalves.

[Further preview fragments from elsewhere in the book]

... Institute of Standards and Technology (NIST) published a set of risk management best practices. According to the guide, risk management consists of risk assessments, risk mitigation, and ongoing risk evaluations...

... evaluations and assessments. For instance, the risk assessment stage is where project managers identify and evaluate each risk, the impact these risks have on the organization, and any risk-reducing...

... [Fragment of a risk-rating matrix] Manage and Monitor Risks; Extensive management essential; MODERATE: risks are bearable to a certain extent, management effort worthwhile; Management effort required; MINOR: Accept risks; Accept but monitor risks

Posted: 21/01/2020, 08:59
