The Project Risk Maturity Model
eBook - ePub

The Project Risk Maturity Model

Measuring and Improving Risk Management Capability

Martin Hopkinson

Share book
  1. 264 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

The Project Risk Maturity Model

Measuring and Improving Risk Management Capability

Martin Hopkinson

Book details
Book preview
Table of contents
Citations

About This Book

Top businesses recognise risk management as a core feature of their project management process and approach to the governance of projects. However, a mature risk management process is required in order to realise its benefits; one that takes into account the design and implementation of the process and the skills, experience and culture of the people who use it. To be mature in the way you manage risk you need an accepted framework to assess your risk management maturity, allowing you to benchmark against a recognised standard. A structured pathway for improvement is also needed, not just telling you where you are now, but describing the steps required to reach the next level. The Project Risk Maturity Model detailed here provides such an assessment framework and development pathway. It can be used to benchmark your project risk processes and support the introduction of effective in-house project risk management. Using this model, implementation and improvement of project risk management can be managed effectively to ensure that the expected benefits are achieved in a way that is appropriate to the needs of each organisation. Martin Hopkinson has developed The Project Risk Maturity Model into a robust framework, and this book allows you to access and apply his insights and experience. A key feature is a downloadable resource containing a working copy of the QinetiQ Project Risk Maturity Model (RMM). This will enable you to undertake maturity assessments for as many projects as you choose. The RMM has been proven over a period of 10 years, with at least 250 maturity assessments on projects and programmes with a total value exceeding ÂŁ60 billion. A case study in the book demonstrates how it has been used to deliver significant and measurable benefits to the performance of major projects.

Frequently asked questions

How do I cancel my subscription?
Simply head over to the account section in settings and click on “Cancel Subscription” - it’s as simple as that. After you cancel, your membership will stay active for the remainder of the time you’ve paid for. Learn more here.
Can/how do I download books?
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
What is the difference between the pricing plans?
Both plans give you full access to the library and all of Perlego’s features. The only differences are the price and subscription period: With the annual plan you’ll save around 30% compared to 12 months on the monthly plan.
What is Perlego?
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Do you support text-to-speech?
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Is The Project Risk Maturity Model an online PDF/ePUB?
Yes, you can access The Project Risk Maturity Model by Martin Hopkinson in PDF and/or ePUB format, as well as other popular books in Business & Insurance. We have over one million books available in our catalogue for you to explore.

Information

Publisher
Routledge
Year
2017
ISBN
9781351883450
Edition
1
Topic
Business
Subtopic
Insurance
Index
Business

PART I
Introduction to the
Project Risk
Maturity Model

CHAPTER 1
The Project Risk Maturity Model

A Risk Maturity Model (RMM) is a tool designed to assess risk management capability. The Project RMM software provided with this book will allow its user to assess the capability of the risk management process being applied on any project. It will also allow capability improvements to be assessed and for the capabilities of different projects to be compared. However, assessing risk management capability is not a simple task. Obtaining reliable results requires an assessor (or auditor) who has insight into the subtleties of project risk management; what is best practice for one project might be inappropriate to another.
This book has been written to describe the issues facing anyone tasked with assessing project risk management capability. Whilst it is possible for any owner of the Project RMM software to load it onto their computer and start their assessment process forthwith, following the guidance in this book should provide them and their organisation with a sounder basis for believing the results.
By way of introduction, the rest of this chapter describes how the Project RMM has been constructed and how its results should be interpreted. Subsequent chapters then describe the issues that assessors should understand before putting the RMM into action or making recommendations for process improvement. The section ‘Software User Instructions’ at the end of the book (pp. 235–42), provides user instructions for how the Project RMM software should be installed and used.

The Project Risk Maturity Model (RMM)

The Project RMM was first developed by HVR Consulting Services in 1999. Its four-level capability structure, illustrated in Figure 1.1 is derived directly from the structure developed by David Hillson (1997) who used it to establish a generic Risk Maturity Model framework. The matrix for assessments identified by Hillson’s paper published in the International Journal of Project and Business Risk Management has been reproduced in Appendix A.
Figure 1.1
Risk maturity model levels
images
In order to adapt the Hillson Risk Maturity Model for project-specific purposes, the following additional sources were used:
  • Standard risk management guides, most notably the Project Risk Analysis and Management (PRAM) Guide (1997) published by the Association for Project Management (APM).
  • The project risk management literature published in academic journals and books.
  • The Turnbull Guidance1 (1999) – Internal Control: Guidance for Directors on the Combined Code.
  • The experience, dating back to 1987, of risk management consultants working for HVR Consultancy Services.
Since its creation the Project RMM has continued to evolve in response to lessons learned from its application. To date, it has been used for approximately 250 assessments on projects with an estimated combined value in excess of ÂŁ60 Billion. Changes have also been made in response to new literature on the subject. Later chapters in this book identify the sources that have been the most influential. The software on the CD ROM included with this book is the latest version (version no. 6.0.0) of the model, updated in 2010.
The definitions of each level of project risk management capability are:
  1. LEVEL 1 – NAIVE
    1. Although a project risk management process may have been initiated, its design or application is fundamentally flawed. At this level, it is likely that the process does not add value.
  2. LEVEL 2 – NOVICE
    1. The project risk management process influences decisions taken by the project team in a way that is likely to lead to improvements in project performance as measured against its objectives. However, although the process may add value, weaknesses with either the process design or its implementation result in significant benefits being unrealised.
  3. LEVEL 3 – NORMALISED
    1. The project risk management process is formalised and implemented systematically. Value is added by implementing effective management responses to significant sources of uncertainty that could affect the achievement of project objectives.
  4. LEVEL 4 – NATURAL
    1. The risk management process leads to the selection of risk-efficient strategic choices when setting project objectives and choosing between options for project solutions or delivery. Sources of uncertainty that could affect the achievement of project objectives are managed systematically within the context of a team culture conducive to optimising project outcomes.

Advancing through Project RMM Maturity Levels

RMM Level 1 could describe a project that is not implementing any process for managing risk. This would include projects that claim to be implicitly managing risk by virtue of the effectiveness of other project management processes such as planning (thus ignoring the fact that deterministic project management processes such as planning are not designed to manage the implications of uncertainty). However, since it would be unusual for projects to undergo RMM assessments when they have no formal risk management process, the more common cause of RMM Level 1 assessment results is a fundamental flaw with the design or application of the process. In practice, most problems at this level amount to failures of application. Whilst a risk management process might have been initiated, allowing any of its critical components to lapse into disuse will result in the overall process adding no value, hence producing a Level 1 assessment.
Once a project has taken professional advice or followed standard guidance to initiate its process, moving to a Level 2 RMM capability should be a relatively easy target to achieve. Level 2 does not set a particularly demanding standard. In effect, it requires that the value added by applying the risk management process should be greater than the cost and other resource implications of its application. Thus, even a relatively light application of the process can be sufficient to achieve this level.
The step-change difference between Level 2 and Level 3 RMM capability is mainly attributable to two factors: the discipline of implementing the process consistently across the whole project and the quality with which key skills are applied in practice.
A project will be able to achieve RMM Level 3 with the simple common-practice approach of using a risk register to underpin routine reviews of the implications of risks and the effectiveness and implementation of the responses designed to manage them. Although this is a simple process, there are a number of important skills involved in exploiting its potential to the full. For example, risks must be understood in a way that clarifies all relevant and significant sources of uncertainty. Failure to do this will impair the effectiveness of risk responses. Similarly, there are key skills involved in making sure that risk register contains the right risks, (and that they continue to be the right risks), that they are managed by the right risk owners, and that appropriate and sound methods are used to select and prioritise risks for review.
Although RMM Level 3 can be achieved with a simple process, application of the process must also be broad, continuous and sound. The process must actively engage all relevant members of the team and key stakeholder representatives. A key enabler of RMM Level 3 is the disciplined application of the process by risk owners. This discipline can usually only be maintained through regular risks reviews.
In practice, larger projects often have more difficulty achieving RMM Level 3 than smaller projects. Whilst they might find the process easier to initiate, issues of process application tend to be more common. Larger projects can also find it more difficult to correct issues of process design, particularly if the tools that they have invested in have insufficient flexibility. Thus, whilst smaller projects might have more difficulty initiating a risk management process, they often achieve RMM Level 3 in a relatively short period of time.
The biggest step change in the Project RMM lies in the difference between Level 3 and Level 4. Achieving Level 4 requires the risk management process to be capable of leading to ‘the selection of risk-efficient strategic choices when setting project objectives and choosing between options for project solutions or delivery ’. Whereas Level 3 capability requires the risk management process to support the ‘achievement of project objectives’, Level 4 capability makes it possible for risk management to contribute to decisions that set the project objectives in the first place. Similarly, where RMM Level 3 capability would typically identify responses to risks associated with a pre-existing project plan, Level 4 capability supports choices about the project solution; choices that can alter plans so fundamentally that they are, effectively, entirely different plans. Level 4 risk management capability therefore includes the management of risk from a project strategy perspective. Whereas RMM Level 3 supports a process designed to ‘deliver the project right’, Level 4 helps to provide assurance that the planned project is ‘the right project’.
The step from RMM Level 3 to Level 4 requires a change of mindset and the level of management at which risk decisions are supported. The power to authorise project objectives and fundamental changes to the project solution (for example, its products, utilisation of the organisation’s resources or the choice of parties to be involved) is usually vested in the project sponsor rather than the project manager. Executing the right risk responses from this level makes significant demands on both the organisation’s risk management culture and the project’s ability to provide relevant and realistic risk information.
Stepping up from RMM Level 3 to Level 4 usually also requires the use of more sophisticated risk management techniques. For example, at Level 4, it is necessary to quantify risk at the overall project level. Since risk management offers a wide range of techniques Level 4 capability requires people with the ability and experience to select the techniques that are appropriate to the project concerned.
One consequence of the need for different techniques is that simple techniques used to achieve Level 3 capability can prove to be too simplistic to support RMM Level 4. Temptation to over-exploit their use can thus become a barrier to achieving Level 4 capability. Perhaps the most common examples of incorrect exploitation are the Probability-Impact Matrix and the use of integrated risk register/Monte Carlo risk analysis tools. Chapter 8 (Risk Analysis, pp. 150–61) provides readers with explanations for this comment.
If the difficulties of achieving RMM Level 4 capability can be overcome, there are many benefits to be gained. An organisation with a Level 4 capability across all of its projects should find that not only more of its projects are delivered to plan, but that they are also more likely to have adopted the right project strategy when being planned. Risk management solutions will have been built into projects from the outset. Moreover, the techniques required for best practice are not always complex or time-consuming. Indeed, in the earliest stages they might be very simple (albeit not simplistic). What is required is that the right things are done by the right people at the right time.

Risk Maturity Model Questions

The Project RMM contains 50 questions, each one of which can yield information about a project’s risk management process from one or more perspectives. For example, Question C2 (see Chapter 8, pp. 134–5) asks: ‘How effectively do risk owners fulfil their role?’ Since risk owners are responsible for managing their risks, the answer to this question will yield information about whether or not risks are properly understood (a key aspect of risk analysis) responded to effectively and whether or not the project has a good risk management culture. The model is based on a structure of six perspectives:
  1. Project stakeholders,
  2. risk identification,
  3. risk analysis,
  4. risk responses,
  5. project management, and
  6. risk management culture.
Each of the fifty Project RMM questions is detailed in Chapters 6 to 11. The assessor selects the level of performance being achieved by the project in respect of each question. The options for each question range from A (Level 4) through to D (Level 1). ...

Table of contents