1. Risk Management Environment (RME)
for Program and Portfolio
MCL Management Group
Cheryl Wilson, PMP, RMP, CCEP & Paul Lohnes, PMP
risk@mclmg.com
2. Paul H. Lohnes
PMP, Managing Partner
Over 28 years Project Management
experience
Own company for 24 years before
starting MCLMG with Cheryl
Risk management, project rescuer,
and project management consultant
Has delivered over 500 seminars to
over 10,000 attendees worldwide
Cheryl A. Wilson
PMP, PMI-RMP, CCEP
SVP, Risk Management Division
Over 26 years project and risk
management experience
Government, commercial, and non-profit
organizations
Established two complete RME at the
portfolio level in past 2 years
Compliance & ethics officer (SME)
2
MCLMG, LLC Alexandria, VA
4. Q1: What is a mature RME?
• Risk proactive: mitigate first, respond second
• Proactive risk mitigation mindset: reduce impact
First and foremost:
PROACTIVE
• Accountable means taking ownership
• Accountable means being active not passive
Be accountable
• Responsible means taking positive actions
• Responsible means being focused on solutions
Be responsible
• Transparent means accepting risk as part of PM
• Transparent means identifying & managing risks
Be transparent
• Ignoring risks, hoping they will go away
• Thinking risks are bad and should NOT be discussed Maturity is NOT
4
5. Risk Maturity Model (RMM™)
Assessing maturity of your RME
5 States of an RME’s maturity
• State 1: Adolescence (lowest)
• State 2: Transparent
• State 3: Responsible
• State 4: Accountable
• State 5: Proactive (highest)
Similar to the SEI’s CMMI structure
•Covers most project management activities – risk is project invasive!
•Does not require annual fees or membership
5
™ MCLMG,
2010
6. RMM™ Maturity States
•Risk ignorant, dismissive, ineffective
•No risk perspective or mindset in organization
Adolescence
•Risk accepting, acknowledging, and progressive
•Risk discovery, tracking, and monitoring
Transparent
•Taking actions towards the risks before triggering
•Beginning to instill a risk-friendly mindset in the PM activities
Responsible
•Taking ownership of risk mitigation actions
•Seeking and obtaining Sr. Management support
Accountable
•Active and effective risk mitigation strategies : REV reductions!
•Tracking and costing risk program to a Return on Investment
perspective
Proactive
6
REV = risk equivalent value; defined as REV = RCI * RPO (Slide 51)
7. MITIGATE
Characteristics of a Proactive RME
M Mature
I Inquisitive
T Thorough
I Investment-Oriented
G Goal-seeking
A Articulated
T Transitional
E Effective
7
8. Q2: How do I Assess my RME?
Begin with understanding your As-Is
• Where is the RME today?
• Do we have an active RME in our projects/programs/portfolios
(aggregate levels)?
Be honest and up front
• Everyone starts somewhere
• Don’t over rate your own program
Be objective – use a definitive model (RMM™)
Use a checklist to ensure consistency
8
9. RME Maturity Assessment Checklist
9
• Purpose
• Perform a self-assessment of the As-Is status
• Provides a baseline for comparison
• Outcomes
• Shows areas of strengths & weaknesses
• Provides starting line for maturity planning
• Starts RME maturity discussions
• Begins risk maturity mindset changes
10. Determine the Status of Your RME
Using outcome of RMM State Checklist
Which state is your RME at?
Portfolio level Program level Project level
What are the strengths & weaknesses at each aggregate level?
Where are the commonalities, differences?
10
11. Q3: How do you determine risk tolerance?
Organizational Risk Tolerance (ORT™) Model
•Organizational Risk Tolerance
•Risk characteristic or appetite of organization
•Purpose: drives project management risk tolerance
ORT ™
•Mitigation: use of risk mitigation strategies
•Maturity: level of risk understanding and acceptance
Based on two (2)
independent
variables
•Risk Seeking High maturity High mitigation
•Risk Accepting High maturity Low mitigation
•Risk Avoiding Low maturity High mitigation
•Risk Rejecters Low maturity Low mitigation
Four types of
organizational
risk tolerance
11
12. ORT ™ States I
The ORT™ defines four very
simple states of risk tolerance
based on the intersection of
two independent variables:
1. Maturity (level from RMM)
2. Mitigation (usage)
The ORT will impact the
project’s risk tolerance in that
a project can never be more
risk tolerant than the
organization that funds it.
12
13. ORT ™ States II
• High maturity, high
mitigation
• Understands value of
risk versus reward
concept
Risk Seeker
• High maturity, low
mitigation
• Accepts risk as
normal, deals with
issues instead
Risk
Accepter
• Low maturity, high
mitigation
• Avoids risks as normal,
proactive in transfer
or converting risks
Risk Avoider
• Low maturity, low
mitigation
• Ignores risks until
issues, reactive
Risk
Rejecter
Mitigation
Maturity
13
14. ORT Model Parameters
Participants
• Several senior management (C-level)
• Several senior PM managers (program/portfolio)
• Any certified risk professionals
• Sampling of project team members
Resources
• Online survey
• Off-line scoring
Created using two independent variables
• Maturity
• Mitigation
14
15. What is your ORT?
Perform the ORT assessment
Do the assessment on your organization
Be objective, comprehensive, and
focused
Perform the ORT
Do the
assessment on
your
organization Be objective
15
16. The ORT™ Solution Review
Which ORT
state
describes your
organization?
No single
organization is
characterized
in a single
state
Organizations
exhibit
characteristics
of several
•Internal state
•External state
Parameters
can alter ORT
State
•Size of
project/program
•Complexity of
project/program
•Visibility of
project/program
16
17. Q4: How do I Escalate Risks?
Risks should only be owned on single aggregate level
Risks can escalate across aggregate levels
•Begin at project, grow into program level risk
• Start as program risk, mitigated down to project
Escalation is a change in risk ownership
•Need process/procedure to transfer ownership
•Must be managed to prevent chaos
Portfolio level usually plays role of arbiter
17
19. Upward Escalation
Normal escalation
• From lower levels to higher
• Growth of risk beyond
budget or schedule of
lower level
Transfer of ownership
• Project manager to
program manager
• Project risk owner to
program risk owner
19
20. Downward Escalation
Abnormal escalation
• Less frequent than upward
• Requires more effort
Done for aged risks
• Older risks less powerful
• Older risks have lower REVs
20
21. Escalation Hand-off Process
Begins
with a
risk
review
Risk
parameters
have changed
•REV growth
•Risk impact zone
growth
•Complexity of
mitigation strategy
Agreement
between
transferring
parties
Risk
register
data
transfer
Re-assignment
of ownership
resources
21
22. Escalation Process Management
The oversight is
done by non-involved
party
• Project to program:
oversight by
portfolio
• Program to
portfolio: oversight
by director
• Risk manager
always involved
Arbitration for
escalation disputes
• Risk manager
determines
parameters of
dispute
• Assigns a non-involved
party as
arbiter
• Arbitration is
binding on
transferring parties
Constraints should
be reviewed
• Scope, time, cost,
and quality
constraints analysis
• Adjustments may
be needed to
handle REV /
mitigation values
upon transfer
22