UVK Verlag Tübingen
114 Gesellschaft für Projektmanagement

Risk Management

James B. Duffy
This paper identifies a risk management approach that may be applied to a broad range of business activities within any industry. The approach was developed for the aerospace industry from risk management principles that are believed to represent “universal truths” about risk. It is purposely a broad and comprehensive approach in order to capture the full scope of problems that may be encountered in any business or project. Once implemented, the approach can be updated periodically without having to recreate the entire process. It is strongly recommended that any risk management approach be kept updated so the results are always aligned with changing business objectives and environments.
Risk Identification and Characterisation: This phase is where a list of problems is generated - What could go wrong? Such a list could obviously become quite extensive, so a method is proposed which will narrow the list of potential problems to only those which are most relevant to the company objectives. Such a method will prove to be very useful when company objectives or strategies change in the future.

Risk Management: This phase is where specific tactics to deal with the risks are identified. Tactics are actions that can be taken to prevent risks from occurring or to minimise the impacts when the risk does occur (for example, launch insurance). Risk tactics have their own costs however, which must also be accounted for by the company. Tactics are often implemented only under certain (negative) conditions. The implementation of risk tactics must be planned so the decision to implement them results in the remedy being in place when it is needed.

Risk Measurement: This phase summarises the costs of the most likely risk events (including any risk prevention measures). The costs should be expressed in terms relevant to the company business plan.

2.3 Phase 1: Risk Environment

The major sources of risk will be found both within the business and in the business’ external environment. It is important that all sources of risk be considered; otherwise the Achilles Heel may not be discovered. There is always some level of risk that is acceptable to a business, but this level varies as the business environment and company experiences change. It is important that this level of risk be understood by the risk analyst at the beginning of any risk assessment.

Internal sources of risk are well known to every manager and are generally within the control of management. These risks are usually detected quickly and thus cause only low to moderate impacts. These risks include cost and schedule problems, engineering problems, test failures, and manufacturing or quality problems.
External sources of risk are generally not within the control of management, and are usually the greatest risks to a business or project. These most dangerous sources of risk include new technologies, new or stronger competitors or products, and political or environmental changes. It is also important to note that these external sources of risk are constantly changing! It is important to try to anticipate these changes and avoid exposure to risk by actively searching for trends in the market.

Note also that internal company organisations and operations are often a reflection of the business external environment. Everywhere the business interfaces with the external environment is also where the environment can introduce risks. Understanding these interfaces and their sensitivity to change is helpful in evaluating the potential for additional internal risks.

PM-VERFAHREN/KONZEPTE, PROJEKTMANAGEMENT 4/2000

2.4 Phase 2: Risk Identification

Once all sources of risk are understood, the actual risks (or risk events) must be identified - this could be a very large task. To develop a list of everything that could go wrong is a nearly perpetual task, and certainly would take too much time and effort to be useful. A process to generate a meaningful subset of problems is necessary.

One process that has been found very effective for this purpose is Quality Function Deployment (QFD). The QFD process is normally used to transmit the “Voice of the Customer” down into a product design. In the risk identification application, QFD is used to transmit the most important needs of the business down into the large pool of potential risks. Using QFD in this manner, a rather short list of problems (risks) can be identified which represents only the most important risks that must be actively managed. The problem list is also directly linked to specific company requirements or objectives.
When requirements or objectives change, the information can be readily updated and a new list of most relevant risks identified.

Having created a list of potential significant problems (risk events) for the business, they must be prioritised so effort is not spent managing risks which are not of great significance or have very low probability of occurrence. To quickly prioritise a potentially large list of risks, a rather easy and fast criticality assessment can be performed. A numerical formula is available from standard risk assessment practices to calculate the criticality of a risk event based upon the probability and the consequence of occurrence.

Risk Criticality = [Probability + Consequence] - [Probability × Consequence]

The definition of the scales to be used for Probability and for Consequence can be rather arbitrary. A numerical scale from zero to one must be used, but any definition of the scale values that fit the needs or conditions of the business (or project) is acceptable. The objective is not to calculate an exact value, but only to rank the risks in order of importance (Criticality).

For risks that are of very high criticality and consequence to the business, further risk analysis should be performed to fully understand the risk. A good process for this deeper risk analysis is the Failure Modes Effects and Criticality Analysis (FMECA). The FMECA is a standard process applied to aerospace hardware and software systems. For risk assessment, the process is applied more to the business elements and the effects being investigated are to the business - not to a hardware element. As is normally done in hardware FMECAs, multiple failure (risk) events need to be considered and analysed.

2.5 Phase 3: Risk Management

There are no special procedures for identifying risk prevention or risk reduction methods. This phase is a time and place where creativity is valuable. The only criterion is that all critical risk events should be covered.
Every industry seems to have a basic set of self-protection methods that range from tolerance to risk reduction, risk prevention, and ultimately intervention. These levels of risk protection are related to the acceptability of the loss event (not always expressed in terms of cost). Concepts such as insurance imply a willingness to tolerate the event, whereas nuclear power plants provide entire systems to intervene in (and recover from) risk events.

Past practices used in an industry are usually time-proven and can be expected to continue to work, but new environments often require new solutions. Examination of risk prevention tactics from other industries often generates some interesting concepts. A sample of industries that employ strong “risk management” practices, and some characteristics of their practices, is provided in table 1.

| Industry | Risk Acceptability | Risk Management Characteristics |
|---|---|---|
| Insurance | Tolerance | Probabilistic forecasting of risk, minimal or no actions to reduce or prevent risks |
| Investment banking | Reduction | Probabilistic forecasting of risk, plus strategic planning to reduce risk exposure |
| Aerospace (development) | Reduction | Subjective forecasting of risk, risk reduction actions implemented usually only after the risk event (recovery) |
| Amusement parks | Prevention | High reliability and redundancy, plus barriers installed to prevent risk event occurrence |
| Nuclear power | Strong Intervention | Multi-redundant systems to prevent risk, systems to monitor and detect risk sources, plus systems installed to recover from risk events |

Table 1: Industries that employ strong “risk management” practices and some characteristics of their practices

The risk protection methods selected to reduce or prevent risks (costs) will also cost money to implement. The resources to implement any risk protection method must be estimated and included in the business operating costs. It is useful to estimate the amount by which a tactic will actually reduce the project risk.
A cost/benefit ratio will aid in the selection of which risk protection methods to actually implement.

There is no certainty that any of the identified risks will actually occur, but it is also certain that not all of the identified risks will occur. The actual amount of risk to plan for lies somewhere between these extremes. It is important that a “best estimate” (risk envelope) be developed of the actual risk losses the project will encounter in order that appropriate budgets will be established to deal with the risks (including to fund the risk protection tactics).

One or more future scenarios of risk events that might occur should be developed. Past experience will give a good indication of what can be expected, but can also give a false sense of security. Several combinations of risk event scenarios should be developed to examine the full range of possibilities. The range should include not just the expected (nominal) combinations, but more importantly the worst case (feared) combinations of risk events. In such situations, a decision analysis technique called the Analytical Hierarchy Process (AHP) has been found most useful.

To execute the selected risk protection tactics, many actions will be required. These actions must be time phased (planned) such that the protection is in place when the risk is likely to occur. Decisions to implement (or to not implement) any of the actions must also be appropriately timed, including the failure and decision criteria for risk events. All such information should become part of an overall Risk Management Plan that is actively reviewed and updated.

2.6 Phase 4: Risk Measurement

With a “most likely” risk envelope (or scenario) and a selected set of risk protection tactics, the total risk exposure of the business or project can be estimated. The anticipated costs of both the risk events and the planned risk protection tactics should be estimated and time-phased.
These costs may then be incorporated into the business financial planning. This will reveal the true costs of risk exposure that the business must manage.

For those risk events that are external to the business and that may occur randomly, risk identifiers should be identified. Risk identifiers are not too difficult to find if the risk event can be identified and understood. The key is to find identifiers that provide early detection of the event and thus more time to react to it. It is important to note that external risks are rarely truly random - somewhere, somebody causes these events to occur!

3 CONCLUSIONS

The recommended approach for risk management should be expected to accomplish several objectives for any company or project.

● Identification of the most significant risk events to be managed
● Identification of the best approaches to deal with the risks
● Identification of the full cost exposure due to risk (risks and risk management actions)

Further details of the execution of this approach have been developed for specific companies. It is found that individual company (or project) characteristics will begin to dominate the details of the approach at lower levels. Indeed, any risk management program should be carefully tailored to the needs and resources of the company. A risk management program that is based on the above approach, however, will be found to provide a comprehensive view of the risk exposure that nevertheless still produces a reasonable set of problems to manage.

References

[1] King, Bob: Better Designs in Half the Time. GOAL/QPC, MA, 1989
[2] Lasker, Edward: Chess Strategy. Dover Publications, N.Y., 1959
[3] Saaty, Thomas L.: Multicriteria Decision Making. The Analytical Hierarchy Process. 2nd ed. Pittsburgh, PA, RWS Publications, 1996
[4] Quality Function Deployment. Application Guide. Training seminar by Technicomp, 1986

Author

James B.
Duffy has been a project manager and system engineer for Rockwell International (now the Boeing Company) for twenty years. He held technical management positions on projects such as the Space Shuttle, the National AeroSpace Plane (NASP, X-30), and the X-33 Reusable Launch Vehicle. He founded TeraSim Associates two years ago to provide management and system engineering consulting services to the aerospace industry in Europe.

Address

TeraSim Associates
Südliche Auffahrtstraße 47
D-80639 München
Tel.: 0 89/17 99 83 07
E-mail: jim.duffy@t-online.de

Management of Constantly Recurring Project Risks

Dieter Coy

Summary

An attempt is made to determine the quantitative effect of risk prevention and risk handling measures. To this end, the threatening risks are identified and the measures are described within the flow of a project model. The example of a new development of a series product shows how dramatically time and budget come in under plan when risk management is treated as a consistent, constructive way of working.

Abstract

This paper attempts to calculate the quantitative value of risk reduction. To this end, the most dangerous risks are identified and the actions are described in the context of a project model. The development of a new series product is used to show the outstanding time and budget reduction that results from a consistent and constructive practice of risk management.

Keywords

Action cycles, project model, risk management, risk portfolio, risk causes, Team Expert Choice

1 RISK ANALYSIS AND ASSESSMENT

1.1 What are risks?

In common usage, risks are ventures and dangers. In business, the term means the danger of loss that is associated with every undertaking. This can be caused, for example, by operational disruptions, bad investments, customer insolvency, or sales difficulties. The actual business risk of a company cannot be captured; in a market economy it is borne by the entrepreneur.

What does this have to do with projects? Well, projects are temporary enterprises. Every project is therefore threatened by risks during its initiation and execution. Recognising these risks, assessing them (analysis), and preventing or coping with them is the task of risk management [1].

Experience shows that risk recognition is made harder by the fact that risks are barely visible. It makes no difference whether they are “invisible” or are treated that way because of human weaknesses [2].

1.2 Basic functions of risk management

A key success factor of risk management is risk analysis and assessment. At the start of a risk analysis, however, the mandate and the procedure must be clearly defined and delimited. Only when the goal of the mandate is clear, and the path to it is reasonably conceivable, can the project risks be identified.

Risk analysis consists of the activities

● risk identification and
● risk documentation.

The uncertainties involved can be captured in part through careful planning (work breakdown structure etc.), market research (Who is the customer? What does he essentially want?) etc.

The aim of risk assessment is to rank the analysed risks by their probability of occurrence and to quantify them by their impact (usually in monetary units). An expert survey is suitable for this. For larger projects the experts should come from the group of participants and affected parties (interests of stakeholder groups), and a risk dialogue should be conducted [3]. The result of this survey or dialogue is documented and the assessment is presented graphically in a risk portfolio.

1.3 Risk portfolio

A practical example of a risk portfolio is shown in Table 1 and Fig. 1.
It is the assessment of a new development carried out as part of a feasibility study. The diagonal in Fig. 1 makes a first selection between threatening risks (top right) and less threatening ones. These threatening risks, against which measures must be taken immediately, can be further classified into

● risks that are existential for the project (far top right);
● risks of the “catastrophe type” (top left). For these risks the probability of occurrence is extremely low, but the damage is extremely high;
● risks of the “sand in the gears” type (bottom right). For these risks the damage is very small, but it occurs almost daily.

The usual operational risks are considered controllable, and counterparty risks (suppliers, customers, banks, authorities, contractual relationships in general) are considered shapeable. Market risks (competitive and sales market; legal, social and political environment; procurement, labour and capital markets), however, are considered impossible to influence.

For project risks this classification must be reviewed carefully: the risk situation in a project is considerably higher than the “normal” entrepreneurial risk, because a project does not have such a high degree of repetition. Nor is it sufficient any longer to concentrate only on risks of the catastrophe type. Risks of the “sand in the gears” type often cause schedule and budget overruns.

1.4 Risk control

The best risk control is preventive measures. The first is to review the recorded risk status regularly. At company level this has been mandatory since publication of the KonTraG Act. For all listed companies and for all other corporations it is regarded as a recommendation in the sense of “best practice”.
For projects this applies even more strictly: the more unique or novel a project is, the more planning is required; the more complex a project is, the more control effort must be provided for. Individual measures can be [1]:

● review goal orientation (cyclically),
● carry out profitability and investment calculations/audits,
● define organisational rules at the start of the project, check the reporting system,

PM-METHODEN/INSTRUMENTE

| No. | Risk event | Probability of occurrence | Damage amount |
|---|---|---|---|
| 1 | Calibration point | 1.00 | 1.00 |
| 2 | Personnel resources too scarce | 1.00 | 0.90 |
| 3 | Investment sum too high | 0.66 | 0.61 |
| 4 | Major product liability case | 0.43 | 0.83 |
| 5 | Insufficient process quality | 0.35 | 0.83 |
| 6 | Plant operating costs too high | 0.57 | 0.61 |
| 7 | Time frame exceeded | 1.00 | 0.17 |
| 8 | Insufficient qualification of the operating personnel | 0.89 | 0.27 |
| 9 | Largest competitor fights back with a price cut | 1.00 | 0.12 |
| ... | | | |
| 25 | No second supplier | 0.14 | 0.09 |

Table 1: Assessment of the risk events with Team Expert Choice [6]

Fig. 1: Portfolio of the risks
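An added example, not taken from either article: it applies the criticality formula from the first article to the probability and damage values of Table 1 above, and assigns each risk to the portfolio regions described in section 1.3. The diagonal P + D = 1, the corner thresholds 0.8 and 0.2, and the tie-break by damage are assumptions, because the page gives no numeric boundaries.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    number: int
    name: str
    probability: float  # probability of occurrence, scale 0..1
    damage: float       # consequence / damage amount, scale 0..1


# Values from Table 1 of the second article (names translated). Row 1, the
# calibration point, is omitted because it is a reference mark, not a risk.
TABLE_1 = [
    Risk(2, "personnel resources too scarce", 1.00, 0.90),
    Risk(3, "investment sum too high", 0.66, 0.61),
    Risk(4, "major product liability case", 0.43, 0.83),
    Risk(5, "insufficient process quality", 0.35, 0.83),
    Risk(6, "plant operating costs too high", 0.57, 0.61),
    Risk(7, "time frame exceeded", 1.00, 0.17),
    Risk(8, "insufficient qualification of operating personnel", 0.89, 0.27),
    Risk(9, "largest competitor cuts prices", 1.00, 0.12),
    Risk(25, "no second supplier", 0.14, 0.09),
]


def criticality(r: Risk) -> float:
    """P + C - P*C, computed as 1 - (1-P)(1-C): algebraically identical,
    but exact in floating point when P or C equals 1."""
    return 1.0 - (1.0 - r.probability) * (1.0 - r.damage)


def rank(risks):
    """Most critical first. Any risk with P = 1 scores exactly 1.0, so ties
    are broken by damage (the tie-break rule is an assumption)."""
    return sorted(risks, key=lambda r: (-criticality(r), -r.damage))


def portfolio_class(r: Risk, high: float = 0.8, low: float = 0.2) -> str:
    """Portfolio region, probability on the x-axis and damage on the y-axis.
    Corners are tested first so a rare, severe risk is never filtered out
    by the diagonal. Thresholds and diagonal are assumed values."""
    if r.probability >= high and r.damage >= high:
        return "existential"
    if r.probability <= low and r.damage >= high:
        return "catastrophe type"
    if r.probability >= high and r.damage <= low:
        return "sand in the gears"
    if r.probability + r.damage > 1.0:
        return "threatening"
    return "less threatening"


if __name__ == "__main__":
    for r in rank(TABLE_1):
        print(f"{r.number:>2}  {criticality(r):.4f}  {portfolio_class(r):<18} {r.name}")
```

The ranking shows why the two views are used together: the formula saturates at 1.0 for every certain event, so "time frame exceeded" (damage 0.17) outranks the product liability case (damage 0.83), while the portfolio keeps them in different regions.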