The subcontractor's subject matter experts may not be available when needed or their work may not meet expectations.
Mitigation Actions:
- Define clear roles and responsibilities for subcontractor in SOW
- Include penalty clauses for non-performance
- Require resumes of key personnel and approve in advance
- Establish regular check-ins with subcontractor to review progress
- Maintain list of backup subcontractor resources
Risk Category: Schedule
• Aggressive timeline increases risk of delays
Mitigation Actions:
- Add schedule contingency/float
- Break work into phases with checkpoints
- Overstaff critical activities
- Identify and prioritize critical path activities
- Establish escalation process
2. Introduction
• Jane Davison, Vice President Engagement
Assessment Services
• Since 2009, responsible for team providing risk
assessments & oversight of delivery for strategic projects
& major outsourcing contracts within Canada
• Over 30 years’ consulting experience in the IT sector
• Achieved CMC designation in 1999; FCMC in 2008
Today, we will review how CGI has implemented
the theory of Risk Management
3
Confidntial
CGI’s Health Check Process Benefits
• Based on CGI’s experience
• A pragmatic approach to risk management using the
techniques we will review today has allowed CGI to reduce:
• The number of project failures
• Cost overruns
• Schedule delays
• Management time spent dealing with project failures
• Benefits realized include:
• Increased quality
• Increased customer satisfaction
• Increased member satisfaction
4
Confidential
2
3. Risk Management - Defined
Confidential
The Importance of Risk Management
“Any threat to the achievement of one of the primary
objectives of the project”
• All projects face threats to their success
• To achieve success we must recognize and actively
manage risk
6
Confidential
3
4. Keys to Successful Risk Management
• Identify and manage risks before they become issues – avoid surprises!
• Include all stakeholders (including the client) to ensure all resources can be
brought to bear on risks
• Maintain a proper risk log throughout the opportunity/project life cycle
• Ensures continuity – nothing falls between the cracks
• Key document for ensuring Quality Hand-Offs across life-cycle stages
• Be disciplined around reviewing risks in every applicable meeting
• Clearly identify responsibilities for all Risk Management activities
• Keep Risk Management activities visible internally & externally
• Ensure clear and safe escalation triggers
Effective Risk Management significantly
increases the probability for project success
7
Confidential
Ensure Proper Escalation of Risks
• All risks must be visible to the
Client Your
appropriate level in a timely Organization’s Organization’s
manner Chain of command Chain of command
• Escalation should only be utilized
if normal communication
channels have not addressed Risk Mgt Owner
risk mitigation steps BD Leader, Proposal
Leader, Contract Leader,
• It is Management’s responsibility Project Manager
to provide a safe escalation
environment Project Team Members
and Subcontractors
Addresses issues
Escalates (if persists and no
resolution)
8
Confidential
4
5. Definitions
RISK
Project risk is an uncertain event or condition that, if it occurs, has a positive or a
negative effect on a project’s objective
RISK MANAGEMENT
Approach by which uncertainty can be understood, assessed and managed within
projects
A PRAGMATIST’S DEFINITION OF RISK
There are things that might go wrong and, when they do, we better have a plan in
place to deal with them
9
Confidential
Risk Management - in Practice
Confidential
5
6. Things that can go wrong
• No clear scope baseline
• Change not managed
• Inappropriate original estimates & missed costs
• Failure to re-estimate and re-plan
• Insufficient project management resources
• Inadequate communication
• Inadequate or inappropriate staffing
• Failure to manage subcontractors
• Subcontractor inability to deliver
• Failure to manage client involvement, expectations
• Lack of, or inappropriate, technical architecture
• Unclear decision-making process
“How do projects get to be a year late?... One day at a time.”
Fred Brooks, The Mythical Man Month
11
Confidential
Managing Risk Through the Life of a Project
Risk Management is a Continual, disciplined, and Visible process.
Unknown, Identified Opportunity Dev
Potential Risks
Managing Meeting of the Minds
Managing Risks Early
Proposal
Risk Management identifies,
reduces to an acceptable
level, and mitigates
Risk over a Contract
period
of time.
Delivery - Start-Up
Manageable Risks
12
Confidential
6
7. The Importance of Early Risk Management
Narrowing of Options Increase of Costs
as time passes to Mitigate Risk
If risk is not addressed, the costs to
mitigate and resolve increase over time,
while options decrease.
As each decision point passes, options
are reduced. We need to maximize the
desirable quality of outcomes at each
phase.
Opportunity Proposal Contract Delivery Start-Up Delivery Execution End of Contract
Development Project Life Cycle
Risk Management Owners
Opp Mgr => Proposal Mgr => Contract Mgr =>………………Project Manager………………………
Warm hand-off of assumptions & risks
13
Confidential
Example – Election Referendum Project Risk
Proposal Phase
Risk :
• To be election-ready at short-notice, we need to train in advance 3,000
electoral staff on the data entry application, who may not be available to
work by the time the election is called
Mitigations:
• Confirm attrition percentage from previous electoral events with the client,
across different Canadian geographies; that is, remote locations vs. towns
vs. cities
• Train more people than needed to deal with attrition, based on the pre-
established attrition percentage
• Establish a process & person responsible for monitoring attrition of trained
staff, leading up to the Referendum Call
• Partner with a Canadian-wide agency to establish a process & persons
responsible to identify a pipeline of candidates & fill staffing gaps quickly
once the Referendum is called
14
Confidential
7
8. The CGI Approach to Risk Management
• Risk management on every project
• Project manager is responsible for risk management
• Start risk management as early as possible
• Disciplined approach to risk management
• Quality hand-offs between risk owners
• Risks are made visible
• Involves all stakeholders (including client, 3rd parties)
• Utilizes synergy groups
• Continually revisited
• Leverages lessons learned
• Follows CGI’s Risk Management Methodology
Risk Management is the responsibility of every member!
15
Confidential
Risk Management – Make it an integral part of
Project Management
• Take an action-oriented focus
• All Status Reports should have a designated section
for Risks and Issues
e.g.: weekly status; monthly status; Steering Committee
Agenda
• Weekly Status Reports
Every team member submits a weekly written status report
Reports status against project plan and schedule
Designed section for Risks and Issues
– What would prevent you from meeting your milestones?
– What would prevent our team or our partners from meeting it’s
milestones?
– What would prevent our client from meeting their milestones?
16
Confidential
8
9. Make Risks Visible
• Take an action-oriented focus (cont.)
• Weekly Status Meetings – Team Level
Project Manager to ensure risk visibility
Roundtable - Key questions to each team member
– Walkthrough your status report
• Status Meeting Rollup: From Team to Client Level
Project Manager => Engagement Manager
Engagement Manager / Project Manager => BU Management
Engagement Manager / Project Manager => Client / Steering
Committee
17
Confidential
Risk Management at CGI – Beyond the Project
Level (Health Check Process)
• Corporate EAS team provides independent assurance of
project performance, through monthly monitoring
• Web Health Check Application, plus regular meetings
• Principles: value-added, independent, continuous, universal, timely
• Clearly defined framework for reporting
• Key project risks & issues are reported to Management
Committees, plus the Risk and Audit Committee of the Board
• Enterprise level risks are managed through the internal Audit
Department
• Corporate EAS team also promotes pro-active risk
management through internal tools
• Sharing lessons learned & championing adoption of new methods/tools
• Providing workshops & coaching
• Initiating in-depth project reviews, with recommended corrective actions
18
Confidential
9
11. Develop the Risk Management Plan
• Good Risk Management starts with a Risk Management Plan
• Defines the process for managing risks on an project
• Determines the level, type and visibility of risk management to be applied
• Leverages processes, templates, and tools
• Attributes of a Successful Risk Management Plan
• Involves the right people (including external parties) who should be
involved in risk reviews
• Addresses client-facing and internal risks
• Is an on-going process (monitoring and adjusting)
• Updates provided on previous risks & mitigation action plan
• Elements of new risks identified through the project life cycle
• Includes details of individual risks & associated mitigations
• Priorities, impact, action due dates & action owners
• Has appropriate visibility internally & externally; reporting and escalation
• Is understood and followed by the delivery team and client
21
Confidential
Identify Risks
• Determine which risks might affect the project
• Participants may include team, subject matter experts external to the
team, project stakeholders, clients, users
• Inputs include (but are not limited to) the following:
• Risk management plan
• Risks identified in the opportunity phase
• Project plan, schedule, and estimates
• Resource plan
• Assumptions and constraints
• Client objectives and business strategies
• Output: A list of risks (start of the project risk log)
Note: New risks arise throughout the course of a project
22
Confidential
11
12. Constructive risk management
• Use brainstorming and collaboration
• Get input from every key player
• Cover every aspect of the project/program
• Think through very step of the delivery and ask: what
could go wrong?
• Whittle down the list to those that would have the
greatest impact and brainstorm an effective response
• Use outside help when stuck – to get creative ideas
• Make sure that the cost plan covers risk responses
and/or contingency
23
Confidential
Example – Election Referendum Project Risk
Proposal Phase
Risk :
• To be election-ready at short-notice, we need to train in advance 3,000
electoral staff on the data entry application, who may forget their training
by the time the election is called
Mitigations:
• Schedule ten last-minute, web-based training sessions for Returning
Office train-the-trainers as a refresher; two for each time zone
• Per Returning Office, figure out how many computers need to be
equipped for web-based training, and include in technical build
specification
• Record (voice & video) an early training session and make two copies on
DVD for each of the 295 Returning Offices
• Adjust the specification for at least two computers per Returning Office to
include a DVD player
24
Confidential
12
13. Analyze and Evaluate Risks
What is the probability the risk will occur?
Probability
“Highly Likely” Highly likely the risk will occur
“Likely” The risk will probably occur
“Unlikely” The risk may occur, but it is not likely
What is severity (impact) if the risk occurs?
Severity
“Major” Very significant impact on clients, customers and/or budget, which would prevent
achievement of the objective. Significant adjustment required to meet objectives.
“Moderate” Viability of project or achievement of objective(s) are threatened. Adjustments required to
achieve objectives.
“Minor” Minor threat to the efficiency and effectiveness of some aspects of achievement. Little or no
adjustments required.
* From “Guide to Managing Risk” (Audit & Risk Division), 2006
25
Confidential
Prioritize Risks
Prioritize risks based on both Probability and Severity to come
up with a risk priority
Severity
Probability “Minor” “Moderate” “Major”
“Unlikely” Insignificant Low Medium
“Likely” Low Medium High
“Highly Likely” Medium High Very High
Focus on the most important risks (no more than 10)
For example, Very High, High, and selective Mediums
26
Confidential
13
14. Develop Mitigations and Action Plans
There are several risk mitigation strategies
Avoid the risk Reduce the impact of risk
e.g. Do not proceed with the activity e.g. develop treatments to reduce
which is the source of the risk; consequences should risk occur;
(De-scope project) (establish help desk etc).
Mitigating
Risks
Reduce likelihood of risk Share the risk
e.g. Develop strategies to reduce the Use combination of e.g. Transfer all or part of risk to third
likelihood of the risk event occurring; strategies party; (Ask another agency to
(Regular project reviews etc.) as appropriate undertake control of the risk etc.)
27
Confidential
Clearly Articulate Mitigations
S pecific WHO WHAT
M easurable
THINK
A greed “SMART”
R ealistic
HOW WHEN
T imely
- Specific Who has ownership to ensure that the mitigation strategy is
executed? What are the specific actions required ?
- Measurable How can we measure (track and manage) the mitigation strategy to
completion?
- Agreed Mitigation strategy must be agreed with relevant parties
- Realistic Mitigation strategy must realistic and actionable
- Timely By when must the mitigation strategy be executed?
Note: Mitigations should be reflected in the project plan and
associated costs included in the financial forecast
28
Confidential
14
15. Example – Election Referendum Project Risk
Proposal Phase
Risk :
• Electoral staff have problems with the data entry application once it is up
and running in the Returning Office (could be technical or application
related)
Mitigations:
• Develop a “Frequently Asked Questions” document
• Write a User Manual for the data entry application, and include a trouble-
shooting section for reference
• Set-up a Help Desk toll-free line for Returning Offices to call
• Staff the Help Desk to cover all time zones when Returning Offices are
open, with a least two staff knowledgeable in the application
• At least two technical staff will be on call during all time zones when
Returning Offices are open
• Include spare parts in each infrastructure kit for the Returning Office;
specifically, two desktops & two cables.
29
Confidential
How do you know your Risk Management
Process is Effective?
• Risk reviews have been built into standard agendas for progress
meetings and management meetings
• Risks are visible & escalated appropriately
• If you asked project team members about the top 3 things that could go
wrong, they would show on the risk log
• For the top risks, there is time and money allocated for mitigations
• Mitigation activities are included in the project plan, and/or contingency
money is allocated
• Risks are being actively monitored regularly to determine if
• Mitigations have been implemented as planned
• Mitigations are working (i.e., effective)
• Project assumptions are still valid
• Risk exposure has changed
• Any new risks have arisen
30
Confidential
15
16. Risk Management - Examples
Confidential
Risks and Mitigation Actions – Example
Proposal Stage
Risk Category: Subcontractor
• Critical reliance on subcontractor subject matter experts and solution to
deliver
Mitigations:
• Assign a Project Coordinator to produce a plan for subcontractor work;
assign a CGI lead to oversee vendor and to work on vendor site 50% of
the time
• Prepare a Teaming Agreement to include:
• A responsibility matrix tied to the RFP; put vendor’s code in escrow
• A statement of sign-off that technology/application will meet the RFP
requirements
• Tie payment to CGI acceptance of deliverables and ultimate client acceptance
• Implement a joint internal steering committee
• Include activities to transition vendor’s work to CGI within the first year
• Vendor has provided a technical paper to confirm scalability; no
infrastructure constraints or commitments in contract
32
Confidential
16
17. Risks and Mitigation Actions – Example
Proposal Stage
Risk Category: Technical
• Client has included performance criteria within the scope of the contract,
which includes the use of shared production resources (routers; servers;
firewall)
Mitigations:
• Client to provide a test environment within their architecture
• Evaluate the need/cost for a separate test environment to validate the raw
performance of the new application
• Conduct testing baseline with network traffic at a minimum
• Conduct baselines of current environment to validate expectations (e.g.
current environment may not be capable of supporting the performance
without the new application running)
33
Confidential
Risks and Mitigation Actions – Example
Proposal Stage
Risk Category: Global Delivery
• We need to conduct project work in a geography that is new to us; we need to be
well prepared to avoid risks (schedule/costs) to delivery of the project for the
client
Mitigations:
• Research how to do business in that geography
• Brief the project team on local customs
• Build in schedule delays for obtaining visas for staff; include visa costs in budget
• Include tax requirements/costs to company & individuals in the budget
• When staffing, ensure members have time for recommended immunization before going
on site; build in schedule delay & costs
• Budget for travel costs based on clear assumptions of number of trips, per trip
costs & number of team members travelling
• Budget for security services based on safety risk; such as, car & driver;
kidnapping insurance
• Brief the project team on security & safety risks
• Identify safe hotels and budget accordingly as part of travel costs
• Budget for currency exchange risk over the life of the deal
34
Confidential
17
18. Risks and Mitigation Actions – Example
Project Delivery
Risk Category: Schedule
• There is a key dependency on the quality of client’s data for conversion, in
order to meet expected conversion quality outcome of 99% accuracy &
the go-live date for the application
Mitigations:
• Conduct a data assessment early on in the project schedule to identify
data quality issues
• Based on the issues identified, work with the client to identify required
clean-up activities
• Build a plan for the clean-up activities, identify tasks, method (manual or
automated), time line and persons responsible
• Identify key milestone checkpoints to ensure work is on track
• Report status on data cleanup
• Run pilot conversion routines early, so there is time to recover from any
surprises
35
Confidential
Risk/Contingency Relationship
Confidential
18
19. How Much is the Right Amount of
Contingency?
Contingency depends on risk factors of each project
There is no one-size fits all
• Contingency should address specific anticipated issues or risks which could arise
and which can not be avoided, transferred or mitigated with a specific action plan
• For each key risk, state in detail its probability, associated financial impact, the
activities chosen to mitigate it and any specific contingency amount allocated to it.
This way, the size of the overall contingency amount is supported through a
factual analysis and can stay visible throughout all phases
• Project contingencies should always be identified separately in the schedule and
in the budget, not buried at task levels
37
Confidential
In Summary
Confidential
19
20. Develop a Working Risk Management System
Challenges
Risk
Project
Activities Mitigated
Elements Risks
Addressing Early Unmitigated Following Through
Risks
Are the right people addressing the Did we do a thorough follow-
right things at the right time? through until the risk is mitigated?
Making Quality Decisions
Risks Are the right people at the table? Mitigation
Plan
Is there a culture of accepting escalation?
Did we assess the impact of the decision?
The Importance of Early Risk Management 39
Confidential
Alignment with PMI Critical Success Factors
Recognize
Value of Risk
Management
Integrate Individual
with Project Commitment/
Management Responsibility
Risk
Management
Success
Scale Risk
Effort Open & Honest
To Project Communication
Organizational
Commitment
40
Confidential
20
21. Critical Success Factors
• Use risks identified in the Proposal Stage to help establish costs &
contingency for fixed-price projects
• Widen the focus of effort
• Instead of looking at risk just from your internal perspective, think
about what would reduce risk for both your company & the client
• Instead of purely preventative techniques and building a large “list of
assumptions”…..
• Leverage lessons learned & prior experience; create alternate &
creative solutions
• Actively manage risks & mitigations; make them visible & start early
• No more than 10 key risks for each project
• Don’t fall into the trap of filling out templates & reports and forgetting
about them because you are too busy
• Take risk management seriously & apply discipline
• Important to have executive level support in your organization
41
Confidential
In Summary
• Risk Management is
• A pro-active process every project should practice
• The responsibility of every team member
• Revisited often (at least monthly)
• NOT just a list of every risk
• Risk Management should
• Include the entire team and partners (client and vendors)
• Address real risks and plans for handling their occurrence
• Broken down by client facing and Your Company internal risks (two
separate lists)
• Provide strong achievable mitigation strategies (not just closer
management)
• Be adjusted throughout the project
• Take into account the impact to each aspect of the project
42
Confidential
21
22. Final Thought
• Keep it simple!
• There are many sophisticated models and methods
available for performing detailed quantitative and
qualitative risk analysis, but…
There’s no need to be fancy!
Just perform basic risk management and you’ll
be in a much better position to achieve success
43
Confidential
Questions
44
Confidential
22