Contents
Overview
Introduction to Risk
Steps of the MSF Risk Management Process
Review
Module 2: MSF Risk Management Model
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 1999 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, MS, Windows, and Windows NT are either registered trademarks or
trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
MOC Project Advisor: Janet Wilson
MOC Project Lead: Sharon Salavaria
Program Manager/MSF Project Manager: Sharon Limbocker
Program Manager/Technical Consultant: Dolph Santello
Instructional Designer: Marilyn McCune (Independent)
Product Manager: Jim Wilson
Product Manager: Jerry Dyer
Graphic Artist: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editors: Marilyn McCune (Independent) and Wendy Cleary (S&T Onsite)
Production Support: Ed Casper (S&T Consulting)
Manufacturing Manager: Bo Galford
Lead Product Manager: Development Services: Elaine Nuerenberg
Lead Product Manager: Mary Larson
Group Product Manager: Robert Stewart
Instructor Notes: Module 2: MSF Risk Management Model
This module provides students with an introduction to Microsoft Solutions
Framework (MSF) risk management, including principles of successful risk
management, MSF proactive risk management, risk management strategies, and
in-depth information on the steps of the risk management process.
The activity for this module is a brainstorming session, with the instructor
capturing and writing down ideas as the class develops them. Typically, people
tend to think in terms of the consequences of risk. This activity is intended to
demonstrate that fact as a way of generating discussion about condition and
consequence and facilitating understanding of the importance of both.
The module concludes with an instructor-led question and answer review to
reinforce learning objectives.
At the end of this module, students will be able to:
• Recognize the characteristics of risk.
• Describe the value of proactive risk management.
• Explain each step of the MSF risk management process and how the process
helps an organization manage risk.
Materials and Preparation
This section provides you with the materials and preparation needed to teach
this module.
Materials
To teach this module, you need the following materials:
• Microsoft® PowerPoint® file 1639A_02.ppt
• Module 2, “MSF Risk Management Model”
• Flip chart or white board and pens for recording student responses during
the planned activity
Preparation
To prepare for this module, you should:
• Read all of the materials for this module.
• Review the instructor notes for the activity.
• Explore the MSF Web site at http://www.microsoft.com/msf
Presentation: 45 minutes
Activity A: 15 minutes
Instructions for Activity A: Understanding Risk
Description
This activity is designed to illustrate how most people automatically think of
the consequences of risk—not the risk condition—when they talk about risk
management. It asks students to work together as if they were owners of a
company planning to build a warehouse. Their task is to deal with the risk of
fire.
The activity tries to approach the subject as neutrally as possible, but the
assumption is that most students in your class will offer plans that deal with
consequences as ways to handle the risk of fire.
Your part of the activity is to lead the whole class in a brainstorming exercise to
find ways to deal with the threat of fire. It is important that you avoid saying
anything about preventing a fire, because that will encourage students to think
of prevention instead of dealing with consequences. You want to highlight the
fact that people instinctively perform reactive risk management, in which they
focus only on dealing with the consequences. The goal of MSF risk
management is to become proactive: to focus more on finding ways to
prevent the risk by eliminating the possible conditions.
When you ask people how they will deal with the risk of fire, you will typically
get suggestions such as installing a sprinkler system or setting up an escape
route. None of these things does anything to reduce the probability of fire or
reduce the fire risk exposure to an acceptable level, which would be dealing
with the risk condition. Their suggestions address minimizing the impact of the
fire, which is dealing with risk consequences.
If the majority of answers are consequence related (which is what you are
hoping for), then take the opportunity to talk about dealing with risk conditions,
and discuss what warehouse owners might do to prevent a fire or to reduce the
exposure to an acceptable level.
If you have students who are already thinking in terms of risk, congratulate
them, and make sure that they clearly understand the distinction between
dealing with conditions and consequences.
Estimated time to complete this activity: 15 minutes
Objective
Following is the learning objective for this activity:
• In an instructor-led brainstorming session, given a scenario to work from,
students will be able to distinguish between risk condition and risk
consequence.
Module Strategy
Use the following strategy to present this module:
Introduction to Risk
This section provides an introduction to risk and MSF proactive risk
management. At the end of this section, students will be able to distinguish
between conditions of risk and risk consequence, and explain the five
principles of proactive risk management. Early in this section, students will
participate in an activity, “Understanding Risk.”
Topics in this section include:
• Qualifying Risk
This topic defines risk and characteristics of risk and provides examples
of risk source and risk impact. You should make two key points here to
emphasize the important components of the MSF approach to proactive
risk management.
First, make certain that students understand that risk really is a fact of
everyday life, whether someone is involved in working on a technology
project or driving an automobile. The point is that you cannot avoid or
overlook risk, because it is an inherent part of life.
The second point is that risk is neither intrinsically good nor bad. Nor
should it be feared. Furthermore, risk taking is essential to progress.
• Principles of Successful Risk Management
This topic describes some of the underlying principles of successful risk
management, such as continual risk assessment, risk-based decision
making, implementation of a structure for dealing with risk, breadth of
team analysis of risk, and treating risk as a positive. The examples are
not exhaustive.
• MSF Proactive Risk Management
The MSF approach to risk management emphasizes creating an
environment in which, on an ongoing basis, the team proactively
examines what can go wrong, makes proactive choices about which risks
need to be addressed, and then addresses them.
The team will carry risks forward and deal with them until they are
resolved or until they turn into issues and are handled as such.
Proactive risk management means that the project team has a visible,
measurable, and repeatable process for managing risks.
Preventing risk is the transition point between reactive and proactive
approaches. Prevention occurs in the planning stages of a project, when
actions can be taken to preclude risks from occurring.
To reach the higher levels of proactive risk management, the team must
be willing to take risks. This means not fearing risk, but rather viewing it
as a means to create the right type of opportunity. To do so, the team
must be able to evaluate the risks (and opportunities) unemotionally and
then take actions that will address the causes of these risks, not just their
symptoms.
• Risk Management Strategies
This topic introduces three ways that a project team can mitigate a risk,
including risk reduction, risk transference, and risk avoidance.
In all three approaches, action must be undertaken ahead of time to be
effective. In other words, the approach must be proactive rather than
reactive, although some of the examples used can appear to be both
proactive and reactive. For example, fire insurance would be one way to
minimize the impact of a fire in a warehouse. Buying the insurance is a
proactive move. But the benefit of having the insurance is realized only
in the event of a fire, which is reactive.
Steps of the MSF Risk Management Process
This topic introduces the five-step MSF risk management process by which
a team can mitigate risks, including identifying the risk, analyzing the risk,
planning for the risk, tracking the risk, and controlling the risk. This ongoing
process should be part of all project management.
Topics in this section include:
• Risk Assessment Document
This topic presents the function and minimum contents of the risk
assessment document.
Background on Risk
Identifying Risk
Identifying risk is the first step in a five-step process. When the team identifies
a risk, a risk statement is written to ensure that the team understands the risk.
Risk identification is an ongoing part of the risk management process.
Guidelines for Identifying Risks
Use a collaborative approach. It takes an entire team watching for potential
problems to do an effective job of identifying risk. Identifying risk gives the
project team the opportunity and the information that it needs to bring risk
factors to the surface. Because risk identification involves all key team
players, it also reveals for the team the assumptions and viewpoints held by
those players.
Seek potential problems from many different sources. If the entire team is
involved in identifying risk, chances are greater that different sources will
be examined for risk. However, best practice is to examine as many
potential sources as possible.
Approach risk positively. A fundamental aspect of risk identification is that
it should be treated as a positive action, not a negative one. When the
process of identifying risks is perceived negatively, team members have no
incentive to bring possible risks to the attention of the rest of the team. By
adopting the idea that risk identification is positive, team members have an
incentive to identify risks before they pose problems.
Examine risks from two directions.
• Potential issues and likely consequences
For example, you know that there are no fire extinguishers in the
building. What are the likely consequences of that?
• Potential consequences and likely causes
For example, you know that you may have a fire in your warehouse.
What are the likely causes of fire?
Guidelines for Creating a Risk Document
At a minimum, a risk document should contain the following information:
Risk statements. The result of analyzed risk is a risk statement. A risk cannot
be managed effectively until it has been clearly stated. Risk statements
should clearly and simply state the condition of the risk and the
consequences of the risk. For example:
• Condition. Flammable liquids are stored in the warehouse.
• Consequence. The warehouse might catch fire.
Risk probability. Describes the likelihood that the risk will occur.
Risk severity. Defines the impact of the risk.
Risk exposure. Quantifies the overall threat.
Mitigation plans. Describes the effort to prevent or minimize the risk.
Contingency plans and triggers. Describes what to do if the risk occurs and
when to do it.
Risk ownership. Describes who is responsible for monitoring the risk.
Analyzing Risk
Risk analysis is the second step in the process. Risk analysis takes the raw data
provided by risk identification and turns it into something that the team can use
to make decisions about risk.
Risk analysis enables the team to quantify risk priorities. Teams can decide
which risk to focus time and energy on. Analyzing risk involves:
Risk probability. The likelihood that the problem will occur.
Risk impact. The amount of damage that will result if the problem occurs.
Risk exposure. Compares and prioritizes risk.
Assessing Risk Probability
Risk probability tries to determine the likelihood that what you think might
happen will in fact happen. The only complicating issue is the need to find a
common way of measuring probability so that you can compare different risk
factors.
One way to compare risk factors is to assign a measurable value to represent the
likelihood of risk. MSF risk management recommends using numeric scales,
such as 3, 2, and 1, because the overall exposure of the risk must be calculated,
and it is easier to do that with numbers. Although this is the recommended
approach, you can use any scale that you want (such as colors or levels, such as
high, medium, or low), as long as you use the same one across the project.
If you use a numeric scale, keep in mind that it is easy to agree about
probability on a scale of 1 to 3, but it is not so easy to explain the distinction
between 17 and 18, for example, on a scale of 1 to 20.
Assessing Risk Impact
Assessing risk impact means assessing the severity or magnitude of loss if the
risk occurs. Assessing risk impact also requires assigning a measurable value to
represent the impact of the risk.
Unlike risk probability, you can sometimes quantify risk impact, for example
by using a dollar value. In such a case it is easy to multiply that value to
calculate risk exposure.
MSF recommends a simple scale of measurement used consistently, because
you will multiply this figure by the probability figure to calculate exposure.
Ultimately, the important thing when assessing risk impact is that you pick a
scale, stick with it, and avoid mixing scales.
Calculating Risk Exposure
Calculating risk exposure means quantifying the overall threat constituted by
each risk. The risk exposure calculation is why consistency in scales is so
important. Risk exposure is an artificial way of quantifying the overall threat of
a risk. It has meaning only within the context of the project and by comparison
with other risks.
Risk exposure is arrived at by the simple mathematical formula of multiplying
the number that you have arrived at for risk probability by the number that you
have determined for impact:
Probability x impact = exposure
The risk exposure calculation makes it clear why it is so important that project
teams use simple, consistent ways of measuring probability and impact.
Risk Planning
The third step in the risk management process is risk planning: planning what
to do about risk factors that have been identified and analyzed. A team should
only make plans for the risk factors that have consequences that the team cannot
accept.
Devising Risk Plans
A risk plan should address:
How to prevent the risk, if that is possible.
How to minimize it ahead of time, if prevention is not possible.
What to do if prevention and minimization do not work, and the risk occurs
as a result.
There are five key considerations for determining which risk factors to plan
against:
Research. Does the team know enough about the risk?
Acceptance. Can the team live with the risk consequences?
Avoidance. Can the risk be avoided?
If your team cannot live with the consequences of a risk and cannot avoid it, it
may be necessary to mitigate the risk or develop a contingency plan for it.
Mitigation. Can the probability of the risk be reduced?
Contingency. Can the impact of the risk be reduced?
Planning Risk Mitigation
The essence of mitigation is doing something ahead of time to try to keep the
risk from occurring.
There are a number of ways that a project team can mitigate risk.
Use targeted mitigation. Proactive means that the team focuses on the root
causes rather than the symptoms of risk. It is likely that any chance for
mitigation will be found at or close to the root causes. Trying to fix the
symptom will leave the risk unmitigated, which means that it will probably
recur.
Focus team energy only on high-exposure risks. Most projects have far too
many risk factors for any project team to handle. Teams should pick only
those risk factors that must be handled and focus energy on them.
Address the conditions of risk to reduce the probability. For example, if the
risk is that employees smoking in the warehouse may cause a fire, then the
issue of the employees smoking inside needs to be addressed. By having
them smoke outside, you may dramatically reduce the probability of fire.
Address the consequences of risk to minimize the impact. For example, to
minimize the impact of a warehouse fire, insurance can be purchased, which
would make the risk less severe and reduce its exposure.
Planning Risk Contingency
Risk contingency planning is what you do for all risk factors identified as high
priority by the team—including those that you have tried to mitigate—so that
you know what to do if the problem occurs despite all your efforts. If the team
needs to react, it is a planned reaction.
A project team must know when to execute a plan. This is where contingency
triggers come in. Contingency triggers are sets of parameters that determine
when a contingency plan should go into effect:
Point-in-time triggers. Point-in-time triggers generally are the latest date by
which something has to happen.
Threshold triggers. Threshold triggers focus on things that can be counted
or measured.
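The exposure calculation and the two kinds of contingency trigger described above can be combined in a small risk register. This is an added example, not part of the original courseware; the field names, the sample probability and impact scores, the dates, and the threshold values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

SCALE = (1, 2, 3)  # one numeric scale, used for both probability and impact


@dataclass
class Risk:
    condition: str                       # what is true now
    consequence: str                     # what might happen as a result
    probability: int
    impact: int
    owner: str
    # Contingency trigger data (hypothetical fields, all optional)
    mitigate_by: Optional[date] = None   # point-in-time trigger: latest date
    mitigated: bool = False
    measured: Optional[float] = None     # threshold trigger: current value
    threshold: Optional[float] = None    # threshold trigger: limit

    def __post_init__(self) -> None:
        # Reject scores from another scale (1 to 20, a dollar value, ...),
        # because mixed scales make exposures incomparable.
        for name in ("probability", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be one of {SCALE}")

    @property
    def exposure(self) -> int:
        # Probability x impact = exposure
        return self.probability * self.impact


def prioritize(risks: List[Risk], min_exposure: int) -> List[Risk]:
    """Rank by exposure and keep only the risks worth planning for."""
    ranked = sorted(risks, key=lambda r: r.exposure, reverse=True)
    return [r for r in ranked if r.exposure >= min_exposure]


def fired_triggers(risk: Risk, today: date) -> List[str]:
    """Return the contingency triggers that say the plan should start."""
    fired = []
    if risk.mitigate_by and not risk.mitigated and today > risk.mitigate_by:
        fired.append("point-in-time")
    if (risk.measured is not None and risk.threshold is not None
            and risk.measured >= risk.threshold):
        fired.append("threshold")
    return fired


# Constructed sample register based on the warehouse scenario.
REGISTER = [
    Risk("Flammable liquids are stored in the warehouse",
         "The warehouse might catch fire", 2, 3, "facilities lead",
         mitigate_by=date(2024, 3, 1)),
    Risk("Employees smoke inside the warehouse",
         "A fire may start", 3, 3, "site manager",
         measured=4, threshold=3),   # e.g. smoking incidents logged per week
    Risk("There are no fire extinguishers in the building",
         "A small fire cannot be contained", 1, 2, "safety officer"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER, min_exposure=6):
        print(r.exposure, r.condition, fired_triggers(r, date(2024, 3, 15)))
```

The exposure figures only rank risks against each other within this register; they carry no meaning outside the project.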
Risk Tracking
Tracking, the fourth step in the risk management process, is the guardian
function of the proactive risk management process.
Tracking risks requires teams to:
Treat risk tracking as an ongoing exercise throughout the project life cycle.
Track the risks for any changes in condition or consequence.
Include risk reviews with regular project reviews.
Measure the effect of the mitigation plans.
Find their own mechanisms for changing risk status and effectively judging
progress.
Monitor the contingency triggers.
... team. When risk is identified, the team can then prepare for the risk and, hopefully, prevent it from occurring altogether.

MSF Proactive Risk Management
Slide Objective: To present the principles that provide the foundation of MSF proactive risk management.
Lead-in: MSF risk management is proactive risk management.
Managing risks proactively means monitoring risk before ...

... characteristics of risk, and the elements of risk.
• Qualifying Risk
• Principles of Successful Risk Management
• MSF Proactive Risk Management
• Risk Management Strategies
This section describes the MSF perspective on the fundamentals of risk. It presents definitions of risk and offers examples of where many project risks originate and the sorts of impact that they may have on a project. ...

... simply to remove the risks without maintaining a record of them.

Overview
Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about the elements of risk, the characteristics of successful risk management, and the MSF approach to risk management.
• Introduction to Risk
• Steps of the MSF Risk Management Process
...

... project teams assess risks only once during initial project planning, identifying and addressing major risks that they will never explicitly review again. This is not an example of good risk management.

Risk Management Strategies
Slide Objective: To present the risk management strategies used by MSF.
Lead-in: In MSF proactive risk management, when a risk is identified, ...

... something less risky (for example, by building something less prone to fire than a warehouse).

Steps of the MSF Risk Management Process
Slide Objective: To present all of the steps in the MSF risk management process.
Lead-in: MSF risk management is a five-step process, which should be an ongoing part of all project management.
...

... make decisions.
3. Plan for the risk. Devise plans that will support decision-making and actions taken.
4. Track the risk. Monitor the status of risks and any actions taken to mitigate them.
5. Control the risk. Move risk management into day-to-day project management, which is crucial in ensuring that risk management remains a high-profile activity.

Risk Assessment Document
Slide ...

... of the MSF Risk Management Process
At the end of this module, you will be able to:
• Explain the general characteristics of risk, as identified by the Microsoft Solutions Framework (MSF).
• Describe the value of proactive risk management.
• Identify the five steps of the MSF Risk Management process.

Introduction to Risk
Slide Objective: To introduce the topics presented ...

... dealing with the risk of a fire.
Estimated time to complete this activity: 15 minutes

Principles of Successful Risk Management
Slide Objective: To present some of the principles of successful risk management.
Lead-in: Successful risk management involves people, processes, and technology.
• Assess Risks Continuously Throughout the Project Life Cycle
• Use Risk-based Decision ...

... regularly.

Controlling Risk
The final step in the risk management process is controlling risk. During this step, the project team uses the results of the risk management process to retire a successfully mitigated risk, correct for variations from plans, respond to contingency triggers, or improve the risk management process.
Controlling risk helps integrate risk management into overall project management and ...

... be made.

Retiring Risks
Retiring a risk means removing the risk from the active risk management process. Risks are retired because:
• The risk has occurred.
• The risk has been resolved.
Retiring a risk allows the team to focus on risks that require management. How a risk is retired is an organizational issue and depends on the process and tool put in place. One approach may be to create a risk archive as a ...