Standardized Program Risk Management Peerasit Patanakul Rose Martin, a senior program manager of the AB - 99 program, sits at her desk and looks at

Standardized Program Risk Management

Peerasit Patanakul

Rose Martin, a senior program manager of the AB - 99 program, sits at her desk and looks at the risk management framework her team currently uses. This framework

has been developed over the years and is adopted by her organization as a stand- ard framework. Rose is wondering whether this standard methodology should be

revised to address the challenges of future programs. " Our organization is taking more risks these days. If our risk management framework cannot handle this, one

day we will be on the front page, which may not necessarily be good. "

THE COMPANY AND THE AB - 99 PROGRAM

Rose works for a multinational aerospace manufacturer, global security, and advanced technology company. The company is the world ' s largest defense con-

tractor by revenue and offers a variety of products and services. Systems integration is among these services.

Rose ' s program, AB - 99, is one of the programs under the Systems Integration business unit. The company is the prime systems integration contractor for AB - 99

with the total responsibility of overseeing all systems integration efforts. It is a multiyear contract to integrate advanced electronic systems into 99 multimission

helicopters to improve their communications capabilities.

STANDARD RISK MANAGEMENT METHODOLOGY

For AB - 99, Rose creates the environment that promotes a positive attitude toward risk management. Risk management is considered as an important part of program

management. In fact, risk management is ingrained in the company culture. It is practiced in every program by everyone. Since it is typical that a major defense

program consists of extended teams, it is important that the program stakeholders are involved in risk management on at least two different levels — the team level

and the program level see Figure 20.1 . Each level forms its own risk manage- ment board. At the team level, the team takes responsibility for the program risk

391

Risk Data base Online data repository

Facilitating real-time program risk management

Risk identification

Risk assessment

Risk handling Risk

surveillance Potential

risks Assessed

risks Response

plans Risk tracking data

Risk status data Potential risks

Assessment tools and techniques

Assessed risks Response plans

Team level

Risk identification,

assessment, and handling

Risk surveillance

Escalation Assignment

Program level

Potential risks Assesses risks

Response plans Risk tracking data

Risk status data - Periodical

program management

reviews - Ongoing

monitoring via data base

- Etc.

- Risk factor: probability and impact

- Quantitative risk analysis

- Assignment of ownership for risk

handling, e.g., team lead - Develop risk

response plans - Approval of risk

response plans by e.g., team lead

- Periodical project reviews

- Periodical status reviews

- Periodical technical performance

reviews - Risk meeting

- Technical reviews - Subcontractor reviews

- Ongoing program monitoring

- Technical performance measurements

- Cost and schedule analysis

- Periodical program management reviews

- Etc. - Program risk

reviews

Figure 20.1 Standard Risk Management Process

392

Standardized Methodologies 393

in their areas. The team is also responsible for highlighting risks that warrant elevation to the Program Risk Management Board. Risk management at the pro-

gram level is performed to facilitate the coordination and oversight of the overall program risks.

The company practices a standard risk management process which is aligned with the Department of Defense policy. The typical steps in the risk management

process include risk identification, risk assessment, risk handling, risk surveil- lance, and risk closure.

Risk Identification: Risks are identified at all levels and throughout the entire program life cycle. For AB - 99, Rose recalls that, during the early stage of the

program, they identified risks by examining the contract requirements, Statement of Work SOW, specification and other Request for Proposal RFP materials, as well

as the internally developed work breakdown structure WBS, Integrated Master Schedule IMS, and program plans. This initial assessment led to areas where the

team focused on improving the performance position to meet technical requirements, cost targets, and schedule goals, while balancing all three elements. The risk iden-

tification process also includes the review of the WBS against the internal risk taxonomy matrix. This matrix, in fact, serves as a checklist for risk categories,

which include requirements, design, integration and test, management processes, program constraints, production, and logistics including obsolescence.

Risk Assessment: To identify risk priority, risks were assessed by using both qualitative and quantitative approaches. For the qualitative risk assessment,

risks were classified by likelihood and impact levels. The likelihood represents the probability of risk occurrence. For the impact level, the adverse trends in

performance - measuring parameters from the impact or risks are measured and predicted. These parameters are the technical, cost, and schedule dimensions. In

terms of assessment scales, the AB - 99 team uses a scale of 1 to 5 to assess likeli- hood remote to near certain and impact high to low. The explicit operational

definitions for both likelihood and impact were used to facilitate a consistent evaluation standard. After the assessment, risks were added to a matrix. This

risk matrix helped facilitate the risk prioritization and the group review and discussion of the risk and corresponding step - by - step mitigation schemes. Rose

remembers that the cumulative effect of all of the risks on program cost in dollars was provided by a summation of the individual factored cost exposures. Cost

exposure is reviewed on a premitigation and a postmitigation basis, enabling the program to review the predicted reduction of cost exposure.

In addition to the qualitative risk assessment, the AB - 99 team also employed the quantitative risk assessment. In particular, the risk likelihood was evaluated in

terms of percent and the impact level was identified in terms of dollars cost or days schedule. Factored cost or schedule exposure was defined as the product

of the likelihood and impact in dollars or days. Rose recalls that each risk analy- sis included the determination of a root cause. By categorizing the root cause,

potential mitigation actions became more evident and more effective.

394 CASE STUDIES

Risk Handling: After the program risks were evaluated and prioritized,

the action plans were developed for responding to the moderate and high risks. Avoidance, mitigation, and the use of contingency acceptance were the com-

mon action plans. Low risks were maintained on a watch list, reviewed quarterly for changes, and closed when no longer applicable.

Risk Surveillance: At the team level, the risk management board of each team continually tracked high - or moderate - risk items. On a particular risk item,

once the board agreed that the risk level changed from moderate or high to low, that risk item was placed on the watch list and monitored for changes. The board

also monitored whether any risk items needed possible additional funding from the management reserve, whether any risks warranted elevation to the program

risk management board, and whether there were any newly identified risks. At the program level, the program risk management board met regularly to review and

discuss new potential risks and to manage existing risk mitigation efforts.

Risk Closure: Closure criteria were developed to evaluate risk items.

According to the criteria, if risks especially the ones on the watch list are assessed as no longer a factor, they are closed and removed from the list.

THE USE OF A RISK MANAGEMENT DATA BASE

To make this risk management activity possible, the AB - 99 team uses a risk man- agement data base. In the data base, risks are described, catalogued, updated,

tracked, and so forth. Rose believes fully that the use of the data base helps them manage risks effectively. The team uses the data base to support 1 the integrated

risk management, 2 the risk verifi cation by risk management boards, 3 the risk scoring system, and 4 the establishment of metrics and closure criteria for miti-

gation tracking. The data base also 1 is the central location for obtaining risk assessment data for the program, 2 provides for the team to respond quickly to

emerging risks, 3 facilitates shared monitoring of risks affecting multiple sub- systems, and 4 is the tool used to communicate risk areas and status to the chief

engineers and program leadership council. Rose loves the automated notifi cation feature of her data base because it gives any team member the ability to enter or

update risks and the ownerauctioneer receives an immediate notifi cation so they are aware of the changes and can access the information directly.

Discussion item

1. Discuss the standard risk management methodology of AB - 99 and suggest what Rose should do to improve this standard methodology.

2.Determine which stakeholders would need to be consulted

3.Describe the process you would use to mentor project managers involved with the program the case study