Project risk management
|
|
|
- Cecil Phelps
- 5 years ago
- Views:
Transcription
1 Project risk management 6th African Rift Geothermal Conference ARGeo-C6 Short Course 1 Project Management for Geothermal Development Carine Chatenay, Verkís
2 Learning outcome How to develop risk management culture in the project Ways to implement risk management Risk management principles and structure
3 Content Risk culture Management principles Roles and responsibilities Monitoring and review Risk assessment: Process Assessment methods Risk ranking Tips
4 Risk culture What is risk management
5 What is risk
6 What is risk? Source:
7 Various concepts Danger, hazard Occurence Probability Uncertainty Opportunity vs. threat
8 A definition of risk Risk is the effect of uncertainty on objectives (from ISO Risk management Principles and guidelines ) Can be negative: threat Or positive: opportunity
9 Other definitions combination of the probability of occurrence of harm and the severity of that harm NORSOK Z-013 an uncertain event or condition that, if it occurs, has a positive or negative impact on project s objectives PMBok Source:
10 Risk management process Identify and characterize threats Assess the vulnerability of critical assets to specific threats Determine the risk (expected likelihood and consequences of specific attacs on specific assets) Identify ways to reduce risk Prioritize risk reduction measures based on strategy
11 Risk management culture Why develop an effective risk management culture? Creating and protecting of value Part of decision making and of all processes Addresses uncertainties in a systematic, structured and manner Examples: Maersk
12 Risk management principles How is risk management implemented?
13 Risk management principles Tailorable Protect everything of value Takes into account the internal context (organization...) Systematic and structured Part of decision making Transparent, dynamic, iterative, etc..
14 Risk management process 1. Communication and consultation 2. Establish the context 3. Risk assessment 4. Risk treatment 5. Monitoring and review
15 Risk management framework Define roles & responsibilities, plans, objectives, methods and implement risk management activities accordingly. Act Plan Check Do
16 Building capacity and competence At organization level, but also at project level Select people with skills and knowledge Get managements support
17 3. Roles and responsibilities Who are the players?
18 At organization level Senior management responsibilities The role of individuals
19 In a project - Who is in charge? Project manager Risk champion (if required) Risk owners Action owners
20 Communication and consultation Communication = key element Ongoing process Build positive attitude
21 Process How is risk assessment conducted?
22 Risk management process 2. Establishing the context 3. Risk assessment 1. Communication and consultation 3.1 Risk identification 3.2 Risk analysis 3.3 Risk evaluation 5. Monitoring and review 4. Risk treatment
23 Typical fields of application Project risk management Cost and schedule risk managment Technical risk management Health, safety and environment risk management Procurement,...
24 Make a risk management plan Highly recommended from the beginning: used to define the risk management framework and outline risk activities required. Typical content: Risk management methodology; Roles and responsibilities and relevant authority level; Budgeting; Planning; Risk evaluation scheme; Documentation and reporting requirements.
25 Typical activities to plan Project risk Technical risk assessment Risks during construction Field of application Project Pre-feasibility Feasibility Detail design EXECUTION Project risks Project risks Project risks 1 Project risks 2 Cost and schedule Cost and schedule risk assessment Cost and schedule risk assessment Cost and schedule risks 3 Technical Preliminary Hazard Analysis 4 Preliminary HazOp 5 HazOp 6 HazOp update 7 Construction hazard study 8 HSE Specific HSE risk studies Specific HSE risk studies JSEA and on the go assessments Root Cause analysis Procurement Packages procurement risk strategy Contractors risk
26 Players & roles Project manager Responsible for risk management: makes sure it is implemented Overall owner of the risk register Risk study leader / risk analyst Project manager for individual risk assessment study Facilitates the risk assessment process Workshop (risk assessment) participants Provide input and contribute to the risk assessment Risk owners Responsible for ensuring that a risk is managed Action owners Allocated specific tasks to manage the risk
27 1. Communication & consultation 2. Establishing the context 3. Risk assessment 1. Communication and consultation 3.1 Risk identification 3.2 Risk analysis 3.3 Risk evaluation 5. Monitoring and review 4. Risk treatment
28 1. Communication & consultation Communication and consultation is a key element of the risk management process To be used as relevant at each stage of the risk management process In accordance with the project communication plan or principles.
29 2. Establishing the context 2. Establishing the context 3. Risk assessment 1. Communication and consultation 3.1 Risk identification 3.2 Risk analysis 3.3 Risk evaluation 5. Monitoring and review 4. Risk treatment
30 Tip: initiate a risk study What for? Determine exact scope of the risk study (components, limits, extent of the study) Identify stakeholders Determine consultation and communication requirements Who is involved in initiation? Project manager Risk facilitator or risk study leader
31 2. Establishing the context Understand the background of the study: Objectives of the study; Identifying the internal and external environment of the study; Specifying the scope and objectives of the study; Specifying the boundaries of the study; Determining the criteria against which the risks are to be evaluated; Defining the key elements of the study.
32 Context External context: Social, cultural, political, legal, regulatory, financial, technological, economic, natural... Key drivers External stakeholders Internal context: Governance, organizational structure,... Policies, objectives Resources: capital, time, people, technologies Organization s culture...
33 Context tool example: PESTLE Political factors Legal factors Environmental factors Project Economic factors Social factors Technological factors
34 3. Risk assessment 1. Communication and consultation 2. Establishing the context 3. Risk assessment 3.1 Risk identification 3.2 Risk analysis 3.3 Risk evaluation 5. Monitoring and review 4. Risk treatment
35 3. Risk assessment Risk is generally associated with the following components: A source of risk or hazard; An event or incident; A cause for the presence of the hazard or for the event to occur; A location where the hazard (where) or event takes place and a given moment (when); A consequence, outcome or impact; Controls to prevent the risk from happening, characterized by a given level of effectiveness or adequacy to control the risk.
36 3.1. Risk identification Risk identification consists in 1. identifying first what can happen? 2. where? 3. and when? It is then necessary to identify the possible causes and scenarios by asking 1. why? 2. and how? to ensure no significant causes are omitted.
37 3.2. Risk analysis Risk analysis involves developing understanding of the existing controls and determining consequences, likelihood and hence the level of risk. Scenarios of the most serious credible consequence are identified in order to capture all potential consequences of the risk.
38 Types of analysis Quantitative analysis Semi-quantitative analysis Quantitiavite analysis
39 3.3. Risk evaluation Risk evaluation is aimed at assisting the decision making process in determining the need for risk treatment and priority for treatment implementation.
40 4. Risk treatment 1. Communication and consultation 2. Establishing the context 3. Risk assessment 3.1 Risk identification 3.2 Risk analysis 3.3 Risk evaluation 5. Monitoring and review 4. Risk treatment
41 4. Risk treatment Risk treatment consists in identifying and selecting the options for treating risks and implementing them. Decisions on risk treatment may be based on a cost-benefit analysis and are taken in cooperation with the Risk Study Owner.
42 Risk treatment decision Retain: accept the risk, do nothing about it Reduct: of probability and/or impact Avoidance: no performing the activity that implies the risk (NB: may lead to other risks) Transfer: pass on to another party (e.g. Insurance, contract...)
43 Risk treatment consideration Avoid the risk by deciding not to start the activity that gives rise to the risk; Seek an opportunity by deciding to start or continue with an activity likely to create or enhance the risk; Remove the source of a threat; Change the nature and/or magnitude of likelihood; Reduce the consequences of a threat; Enhance the gain from an opportunity; Change both likelihood and consequences of a risk; 1. Process Accept the risk and develop suitable contingency plans; Monitor the causes of the risk and develop response plans for when it occurs.
44 Risk increasing The ALRAP, or ALARA, concept Intolerable region risk cannot be justified Tolerable only if risk reduction is impractical or if cost is grossly disproportionate to the benefits gained Acceptable risk, no need for ALARP
45 Cost/benefit of risk mitigations Source:
46 Most effective HSE: hierarchy of control Least effective Elimination Substitution Engineering controls Administrative controls PPE Physically remove the hazard Replace the hazard Isolate people from the hazard Change the way people work Protect worker with Personal Protective Equipment
47 Risk treatment plan key issues Details to be recorded: What is the risk treatment? if needed detailed actions? Who is responsible for follow-up (risk owner)? By when it is to be completed? Monitoring if needed? Validation at the right level Project manager of if needed higher level Ownership Inform the risk owner; make sure communication is in place Follow-up plan:
48 5. Follow-up, report & monitoring 2. Establishing the context 3. Risk assessment 1. Communication and consultation 3.1 Risk identification 3.2 Risk analysis 3.3 Risk evaluation 5. Monitoring and review 4. Risk treatment
49 5. Follow-up, report & monitoring Why? For transparency purposes, to demonstrate to relevant stakeholders how the risk management process has been conducted; To provide evidence of a systematic approach to risk assessment; To provide record of risks and develop a database for the purpose of learning lessons; To keep track of the decision taken concerning the risks identified and provide a framework for continuing monitoring and review; To satisfy audit requirements; To share information & provide support to communication on risk.
50 Monitor, review and continuous improvement Monitor and review Learn from risk events What happened How and why? Likelihood of the event happening again Review of the risk treatment approach Communication aspects
51 Recording Documents to be considered for record: Risk management plan Risk registers Risk study report Incident database
52 current target session session Risk register sample Project risks Risk identification Risk analysis Risk treatment Monitoring Risk # Risk title Cause Consequence Risk Risk treatment Risk owner Monitoring Due date Risk Progress Status Initial Rev. Monitoring plan: milestone and report ID Impact of summer vacation on the project milestones Project staff summer vacation not appropriately taken into account in the schedule Delay on project milestones up to 1 month. IV Coordinate project activities and planned summer vacation to ensure project progress as planned. Plan for back-up staff to reinforce the team if required. xxx, Project manager at 80% completion of the risk treatment plan III Plan not approved Draft 1 ID
53 Risk assessment methods What methods are available?
54 Assessment technique selection Selection based on: Complexity of the problem Information available Resources required: time, level of expertise,... Desired output (qualitative, quantitative?)
55 Selection Methods attributes Method Look-up methods Supporting methods Scenario analysis Function analysis Controls assessment Statistical analysis Risk assessment technique Check-lists; preliminary hazard analysis Structured interview; brainstorming; Delphi, SWIFT; human reliability analysis Root cause analysis; toxilogical risk assessment; business impact analysis; faulttree analysis; event-tree analysis; cause/consequence analysis; cause and effect analysis; FMEA/FMECA; reliability; sneak analysis; HazOp; HACCP LOPA (Layers of protection) analysis; bow tie analysis Markov analysis; monte-carlo analysis; bayesian analysis
56 Preliminary hazard identification Overview Use Inputs Process Output Pros Cons Identification of hazards Early stage of project development or as a preliminary study for prioritizing further analysis List of hazard or generic hazardous situations is formulated Qualitative analysis sometimes used to analyze the risks List of hazards Recommendations Practical when information is limited Simple approach Only preliminary, not comprehensive
57 Brainstorm Overview Use Inputs Process Output Pros Cons Free-flowing conversation aimed at identifying potential risks. At any stage Knowledgeable people, key stakeholders Structured or not. May be facilitated by someone starting off discussion or prompting the group e.g. List of risk Involvement of key stakeholders Quick and easy Lack of structure, highly dependent on the group dynamic
58 SWIFT Overview Use Inputs Process Output Pros Cons Structured What If Analysis - Alternative to HazOp. Systematic study using prompts words or phrases For systems, plants procedures... Description of the system studied: split into nodes, context Use of prompt list What if... apllied systematically to each node of the system. Risk identified assessed and evaluated. Risk register Rather simple and rapid, systematic Involvement of key players Experienced and capable facilitator needed Could become time consuming in not managed carefully May be too shallow, complex issues not revealed
59 Scenario analysis Overview Use Inputs Process Output Pros Cons Development of models on how the future may turn out Policy making, planning strategies, consider existing activities Team of people, brainstorm Consider changes and various factors and develop scenarios Described scenarios and range of options, how to modify the course of actions Interesting for risks considered in the long term Uncertainty, unrealistic scenarios
60 Take 5 a short job risk assessment Take 5 is a short and simple risk assessment to be performed by workers before they start on a task. The main issues are: 1. Mind the task: What is it I am supposed to do, with whom, where are the dangers, where is it to be performed, do I need a permit, do I have all necessary equipment, etc. 2. Analyse and assess Is there a risk, what risk is it, how great is it, is it acceptable? A threat to life Dangerous accidents possible Under control 3. Control the risk What can be done about the risk? Can it be removed or reduced? What means are available for that purpose? 4. Proceed with work in a safe way Use the means found to control the risk and work in a safe way If the risk is unacceptable and it is neither possible to remove it nor reduce it: Notify your foreman and do not commence with the task!
61 Risk ranking
62 What is risk? effect of uncertainties on objectives ISO 31000:2009 combination of the probability of occurrence of harm and the severity of that harm NORSOK Z-013 an uncertain event or condition that, if it occurs, has a positive or negative impact on project s objectives PMBok
63 Risk categories Typical categories: Health and safety Environment Capital cost Schedule Operation (increased cost) Production (loss) Maintenance (increased cost) Image...
64 Rating Consequence category Probability / frequency Number of persons concerned: sometimes used for a quantitative or semiquantitative assessment Control: sometimes used to assess if the controls in place address the risk adequately
65 Consequence rating - example Source:
66 Probability/frequency rating example Category Probability Frequency A Very high More than 15 times during project B High times during project lifetime C Occasional 5-10 times during project lifetime D Unlikely 1-5 times during project lifetime E Improbable Seldom Frequency Interval (Multiple events) Probability (Single events) Likelihood Very Unlikely Unlikely Probable Highly Likely Almost Impossible Possible Sometime Isolated Incidents Repeated Incidents <1/10 years 1/year 1/10 years 2/year 1/year >2/year < 1% 1% - 10% 10% - 25% > 25%
67 Control rating - example C3 C2 C1 C0 Adequately controlled The control addresses the risk but it documentation and implementation could be improved The control addresses the risk, at least partly, but it documentation and implementation could be improved Poorly controlled, risk is addressed at best but not documented or implemented, or at worst no control or control not addressing the risk appropriately.
68 Risk ranking - example
69 Risk matrix
70 What to retain?
71 Have a plan and follow it Lay eyes on the biggest threats to the project and manage them in a pro-active manner Opportunities should not be forgotten Use external, neutral facilitator if needed Involve all the project players in the process: risk management should work top-down and botom-up
72 References and further reading ISO 31000:2009 Risk management Principles and guidelines ISO Guide 73:2009 Risk management - Vocabulary ISO 31010:2009 Risk management Risk assessment techniques
73 6th African Rift Geothermal Conference ARGeo-C6 Short Course 1 Project Management for Geothermal Development Organized by: Financed by: Coordinator: Lecturers: United Nations University Geothermal Training Programme (UNU-GTP) Icelandic Ministry for Foreign Affairs ICEIDA and Nordic Development Fund Ingimar G. Haraldsson, UNU-GTP Anthony Ng ang a Ngigi, Geothermal Development Company, Kenya Carine Chatenay, Verkís Consulting Engineers, Iceland Peketsa Mwaro Mangi, Kenya Electricity Generating Company, Kenya Yngvi Gudmundsson, Verkís Consulting Engineers, Iceland