TOPIC 6: RISK MONITORING, CONTROL AND REPORTING
1. Meaning of terms
2. Importance of Risk Monitoring, Reporting and Control
3. Steps in Risk Monitoring, Reporting and Control
4. Parameters of Risk Monitoring and Control
5. Tools and Techniques used in Risk Monitoring and Control
6. Process of Integrating Risk Monitoring and Control
MEANING OF TERMS
Risk monitoring is the ongoing process of managing risk. Risk management often has an initial phase that involves identifying risk, agreeing to treatments and designing controls. Risk monitoring is the process of tracking risk management execution and continuing to identify and manage new risks.
Terms used in risk monitoring
Risk – A problem which may occur
Audit – A review of risks and the effectiveness of risk management strategies
Risk Management Strategy – a protocol which has been put in place to reduce or remove risk.
Effectiveness – The extent to which a risk management strategy has worked.
Types of Risk monitoring
Voluntary – these risk monitoring strategies are not required by law, but are carried out by companies to help them to learn from events which have occurred in the past.
Obligatory – These risk monitoring strategies are required by law for some organisations, to ensure that proper risk monitoring and management methods are used.
Reassessment – Secondary or tertiary assessments of risk and risk management
Continual – Monitoring which is always ongoing.
Project Risk Reporting
Project risk reporting is at the lowest level in the project risk hierarchy. This is carried out by each project manager and the appropriate members of the project team.
1. Project-level Risk reporting covers risks that are relevant to the scope of the project work, and external factors that may affect the project in some way. For example:
The risk of price changes for key materials
The risk of resources not being available to carry out work at the required time
The risk of suppliers not being able to complete their contracted work.
Each project should have a risk log that documents the risks specifically related to the project. The risk log records the tasks that are being done to actively manage the risk and the owner – the person responsible for completing the action plan.
The project risk report is used by the project manager, and created with input from the project team members. All the risks will be in the risk log; only the top risks make it into the risk report as these are the ones that need management attention right now.
While the risk log is likely to be in use weekly, if not more frequently, risk reporting is probably only done as part of a management reporting cycle, such as at the end of each month.
2. Program Risk Reporting
When a project is part of a program, the program manager will also have a record of relevant program-level risks. Program-level risks are those that relate to:
A particular project within the program where the risk is significant enough to need to be escalated to the program manager
Overlaps or dependencies between projects within the program
The program overall, which do not naturally link back to a specific project.
“Significant” project risk is a determination that you can work out with the project and program managers, but would typically relate to things that had a high financial, operational or strategic implication.
The program risk report is used by the program manager and created by the program team. It is produced at a frequency determined by your program management framework, which could be monthly.
3. Portfolio Risk Reporting
Portfolio-level risk reporting is a way of showing the aggregated risk profile for all the projects and programs in the portfolio.
The major risks per program (or per project, for those projects that do not form part of a program) are drawn together and presented in a way that makes it easy to see an overall summary. The report should highlight areas where management teams need to be aware, for example, where risk action plans could take two or more routes. This draws attention to the decisions that need to be taken so that program and project teams can get on with executing the work.
The portfolio risk report is created by the PMO, with data drawn from program and project risk reports. Ideally, this should be pulled directly from an enterprise project management software tool to ensure it reflects the most up-to-date information.
This report is likely to be produced monthly.
4. Business Risk Reporting
Finally, there is business-level risk reporting. Some businesses include operational activity in the scope of the portfolio, so wouldn’t have a need for this level of reporting.
However, it’s common to see projects managed across the organization with a portfolio approach, and operational work falling outside that.
If this sounds like your company, a risk report that shows the aggregated risks across the portfolio isn’t the true risk profile for your business. Each business unit and function will have their own risks that relate to their operational activity. These risks can be significant.
Note: The project manager together with the project team and the risk owner creates reports and communicates with the stakeholders in order to maintain the consistency of risk management actions and underlying assumptions.
A risk report is a summary of project risks and opportunities, the latest status of treatment actions, and an indication of trends in the incidence of risks. The following items serve as the basis for generating project risk status reports:
The risk register and the supporting risk treatment action plan
Work performance data reviews
Project schedule progress
Status of project deliverables produced
Risk reports are usually submitted to senior management on a regular basis or as required.
Project risk reporting is a part of standard project management reporting.
Risk control is the set of methods by which firms evaluate potential losses and take action to reduce or eliminate such threats. It is a technique that utilizes findings from risk assessments, which involve identifying potential risk factors in a company’s operations, such as technical and non-technical aspects of the business, financial policies and other issues that may affect the well-being of the firm.
Risk control also implements proactive changes to reduce risk in these areas. Risk control thus helps companies limit lost assets and income. Risk control is a key component of a company’s enterprise risk management (ERM) protocol.
The core concepts of risk control include:
Avoidance is the best method of loss control. For example, after discovering that a chemical used in manufacturing a company’s goods is dangerous for the workers, a factory owner finds a safe substitute chemical to protect the workers’ health.
Loss prevention accepts a risk but attempts to minimize the loss rather than eliminate it. For example, inventory stored in a warehouse is susceptible to theft. Since there is no way to avoid it, a loss prevention program is put in place. The program includes patrolling security guards, video cameras and secured storage facilities. Insurance is another example of risk prevention that is outsourced to a third party by contract.
Loss reduction accepts the risk and seeks to limit losses when a threat occurs.
For example, a company storing flammable material in a warehouse installs state-of-the-art water sprinklers to minimize damage in case of fire.
Separation involves dispersing key assets so that catastrophic events at one location affect the business only at that location. If all assets were in the same place, the business would face more serious issues. For example, a company utilizes a geographically diverse workforce so that production may continue when issues arise at one warehouse.
Duplication involves creating a backup plan, often by using technology. For example, because information system server failure would stop a company’s operations, a backup server is readily available in case the primary server fails.
Diversification allocates business resources for creating multiple lines of business offering a variety of products or services in different industries. A significant revenue loss from one line will not result in irreparable harm to the company’s bottom line. For example, in addition to serving food, a restaurant has grocery stores carry its line of salad dressings, marinades, and sauces.
There are three main types of internal controls: detective, preventative, and corrective.
Controls are typically policies and procedures or technical safeguards that are implemented to prevent problems and protect the assets of an organization. All organizations are subject to threats occurring that unfavourably impact the organization and affect asset loss. From innocent but costly mistakes, to fraudulent manipulation, risks are present in every business. Regardless of why it transpires, controls need to be established to avoid or minimize loss to the organization.
What are detective internal controls?
Detective internal controls are those controls that are used after the fact of a discretionary event. Some examples of detective controls are internal audits, reviews, reconciliations, financial reporting, financial statements, and physical inventories.
What are preventative internal controls?
Preventative internal controls are those controls put in place to avert a negative event from occurring. For example, most applications have checks and balances built in to avoid or minimize entering incorrect information.
There are also physical or administrative preventive controls:
Segregation of duties, which is routinely performed by companies
Video surveillance or posting security guards at entry points
Verifying ID credentials and restricting access, which are illustrative of physical safeguards
Computer and server backups
All of these are types of preventative internal controls that avoid asset loss and stop undesirable events from occurring.
What are corrective internal controls?
Corrective internal controls are typically those controls put in place after the detective internal controls discover a problem. These controls could include:
Software patches or modifications
New policies prohibiting practices such as employee tailgating.
They are usually put into place after discovering why the problems occurred in the first place.
IMPORTANCE OF RISK MONITORING, REPORTING AND CONTROL
Risk monitoring and control is the process of identifying, analysing, and planning for newly discovered risks and managing identified risks. Throughout the process, the risk owners track identified risks, reveal new risks, implement risk response plans, and gauge the effectiveness of the risk response plans.
Continuous monitoring, control and reporting by the project risk manager and the project team ensures that new and changing risks are detected and managed and that risk response actions are implemented and effective.
Risk monitoring, reporting and control keeps track of the identified risks, residual risks, and new risks. It also monitors the execution of planned strategies for the identified risks and evaluates their effectiveness.
Importance of Monitoring, Reporting and Control
Risk monitoring, reporting and control determines whether the Project Risk Management Team is performing periodic risk review and updating.
Risk monitoring, reporting and control determines whether risk management policies and procedures are being followed.
Risk monitoring, reporting and control determines whether the remaining contingency reserves for cost and schedule are adequate.
Risk monitoring, reporting and control improves prevention of accident or injury in the workplace.
Risk monitoring, reporting and control allows the organisation to determine whether the control methods applied have been effective in reducing or eliminating the risks or whether they should be re-evaluated.
The process of controlling and monitoring risks provides assurance that appropriate controls and procedures for managing risks are clearly understood and strictly followed.
The process allows determining whether the treatment actions adopted resulted in what was actually planned.
Risk monitoring, reporting and control informs whether all information on risk management procedures was appropriate.
The process is used to identify what lessons could be learnt for risk measurements and management for future projects.
The risk controlling and monitoring process results in generating revisions to the risk register and supplementing with new action items for the risk treatment process.
STEPS IN RISK MONITORING, REPORTING AND CONTROL
1. Monitor Agreed-Upon Risk Response Plans
For each risk or set of risks, a response should be planned. Risk owners or their assigned risk action owners execute the plans. Some risks merit an immediate response. Project managers work with the risk owners to evaluate the effectiveness of the responses. Responses are modified as needed.
2. Track Identified Risks
The project manager uses tools to track the overall project risk. Are the risk response plans ensuring that the project team delivers the project on time, on budget, and in accordance with the requirements?
Trigger conditions are defined when defining risk response plans. Project managers work with the risk owners to determine the trigger conditions and the related metrics.
3. Identify and Analyze New Risks
New risks arise over time. For example, an insurance company was implementing a new policy administration system. A vendor delivered an update while the insurance company was testing major modifications in their interfaces. As the new code was introduced, there was the risk of breaking the interfaces. Project managers periodically work with their project team to identify new risks. What’s new? What has changed? What have we overlooked?
Project managers should identify new risks for the following events:
Major changes to the project or its environment
Key milestones reached
Occurrence of a major risk
Changes in key team members or stakeholders
4. Evaluate Risk Process Effectiveness
So, you’ve implemented the risk management processes:
1. Plan for risk management
2. Identify risks
3. Perform qualitative risk analysis
4. Perform quantitative risk analysis
5. Plan risk responses
6. Implement risk responses
7. Monitor risks
PARAMETERS OF RISK MONITORING AND CONTROL
Risk parameters are used to provide common and consistent criteria for comparing risks to be managed.
Without these parameters, it is difficult to gauge the severity of an unwanted change caused by a risk and to prioritize the actions required for risk mitigation planning. Projects should document the parameters used to analyze and categorize risks so that they are available for reference throughout the life of the project, because circumstances change over time.
Using these parameters, risks can easily be re-categorized and analyzed when changes occur. The project can use techniques such as failure mode and effects analysis (FMEA) to examine risks of potential failures in the product or in selected product development processes. Such techniques can help to provide discipline in working with risk parameters.
Parameters for evaluating, categorizing, and prioritizing risks include the following:
Risk likelihood (i.e., probability of risk occurrence)
Risk consequence (i.e., impact and severity of risk occurrence)
Thresholds to trigger management activities
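As an added example (not from these notes), the following Python risk log applies the three parameters just listed: each risk is scored as likelihood times consequence on assumed 1..5 scales, and two assumed score thresholds trigger the management activities described in the reporting section (inclusion in the project risk report, escalation to the program report). It also records the trigger metric and limit for each risk, and re-scores a risk after a treatment to give the residual risk. The sample risks are constructed from the examples in the notes.

```python
from dataclasses import dataclass

# Added example, not from the notes: scales, thresholds and sample risks are assumed.
REPORT_THRESHOLD = 10    # score at/above this goes into the project risk report
ESCALATE_THRESHOLD = 16  # score at/above this is escalated to the program manager


def _check_rating(name: str, value: int) -> None:
    """Likelihood and consequence are rated on an assumed 1..5 scale."""
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be 1..5, got {value}")


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str            # person responsible for completing the action plan
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    consequence: int      # 1 (negligible) .. 5 (severe)
    trigger_metric: str   # early-warning measurement defined with the response plan
    trigger_limit: float  # metric value at which the response plan is started
    status: str = "open"

    def __post_init__(self) -> None:
        _check_rating("likelihood", self.likelihood)
        _check_rating("consequence", self.consequence)

    def score(self) -> int:
        """Likelihood x consequence, so 1..25."""
        return self.likelihood * self.consequence

    def category(self) -> str:
        """Which management activity the score triggers."""
        if self.score() >= ESCALATE_THRESHOLD:
            return "escalate"
        if self.score() >= REPORT_THRESHOLD:
            return "report"
        return "log-only"

    def triggered(self, observed: float) -> bool:
        """True when the observed trigger metric has reached its limit."""
        return self.status == "open" and observed >= self.trigger_limit


def apply_treatment(risk: Risk, likelihood: int, consequence: int) -> tuple:
    """Re-score a risk after a treatment action; returns (before, residual)."""
    before = risk.score()
    _check_rating("likelihood", likelihood)
    _check_rating("consequence", consequence)
    risk.likelihood, risk.consequence = likelihood, consequence
    return before, risk.score()


def build_reports(log: list) -> tuple:
    """Project report: open risks at/above the report threshold, highest score
    first. Program report: the subset that crosses the escalation threshold."""
    ranked = sorted((r for r in log if r.status == "open"),
                    key=lambda r: r.score(), reverse=True)
    project = [r.risk_id for r in ranked if r.category() != "log-only"]
    program = [r.risk_id for r in ranked if r.category() == "escalate"]
    return project, program


# Constructed sample log based on the example project risks in the notes.
SAMPLE_LOG = [
    Risk("R1", "Price rise on key materials", "Buyer", 3, 4,
         "material price change (%)", 10),
    Risk("R2", "Supplier cannot complete contracted work", "Contracts", 4, 5,
         "supplier milestone slip (days)", 10),
    Risk("R3", "Key resource unavailable when needed", "PM", 2, 3,
         "staff unavailable (people)", 2),
]

if __name__ == "__main__":
    project, program = build_reports(SAMPLE_LOG)
    print("project report:", project)
    print("program report:", program)
```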
Risk Contingency Planning
Contingency planning is the act of preparing a plan, or a series of activities, should an adverse risk occur. Having a contingency plan in place forces the project team to think in advance as to a course of action if a risk event takes place.
• Identify the contingency plan tasks (or steps) that can be performed to implement the mitigation strategy.
• Identify the necessary resources such as money, equipment and labor.
• Develop a contingency plan schedule. Since the date the plan will be implemented is unknown, this schedule will be in the format of day 1, day 2, day 3, etc., rather than containing specific start and end dates.
• Define emergency notification and escalation procedures, if appropriate.
• Develop contingency plan training materials, if appropriate.
• Review and update contingency plans if necessary.
• Publish the plan(s) and distribute the plan(s) to management and those directly involved in executing the plan(s).
Project quality tools and metrics
This section mainly covers various quality metrics that have been employed successfully in real-world complex projects.
Quality mission control
The project managers and leads should maintain a holistic view of the overall project, which will help them see the complete project health and help them track and manage the quality. One such aid is to maintain a comprehensive quality dashboard.
Quality dashboard components include:
Build reports providing the status of build
Code quality reports providing insights into various key quality attributes such as code standard compliance, cyclomatic complexity, depth of inheritance, code review reports, and so forth
Monitoring status reports showing real-time information about internal and external monitoring, including CPU/memory/network monitoring and application monitoring
Risk monitoring to track all risks related to application and business areas
Application monitoring showing the performance of the application against specified SLA parameters
Deployment report for health check on production deployments
Defect reports for tracking open defects
Web testing reports displaying information about automated web testing
Key project statistics such as milestone reports, schedule adherence report, budget/effort reports, and others
Proactive project quality metrics
In addition to the dashboard, the project stakeholders should also continuously evaluate the effectiveness of the proactive measures implemented in the project. A list of metrics that sheds insights into this area is given below:
% defects reduced from release to release (RtR)
% service requests reduced from month to month
% reduction of production outages from RtR
SLA violation incident rates from release to release.
Monitoring these metrics serves as a critical evaluation of the proactive quality measures we discussed in previous sections. If any quality measures are found ineffective, the feedback loop analysis should customize the proactive quality measure to the project context to make it more effective. In addition to the above metrics, it is also important for project managers to continuously monitor and control the following metrics:
Process metrics: Effort/schedule variance metrics, productivity variance, review/testing effectiveness
Product metrics: Defect density, program complexity, component reusability index
Service metrics: Average ticket service time, average resolution time, turnaround time, system availability, on-time delivery, SLA adherence, ticket age
Usability metrics: Site traffic, repeat visitors, unique visitors, time on the site
Business value metrics: Conversion ratio, bounce rate, exit rate
These metrics can be monitored in the quality dashboard.
Proactive risk control
Risks are present in all phases of a project, and they can be of various types, including business, technical, operational, and usability, starting from the requirements phase and continuing up to production deployment. Proactively anticipating risks and crafting a risk mitigation strategy helps project managers take a forward-looking approach.
A risk-monitoring dashboard should monitor the following attributes related to risk:
1. Risk type: Technical, business or operations
2. Risk priority: Technical or business priority of the risk
3. Risk probability: The likelihood of risk occurrence
4. Risk impact: Material impact on software/business due to risk occurrence
5. Risk mitigation plan: A comprehensive plan to mitigate or minimize the risk occurrence
Project managers should proactively compile and disseminate the risk details to all related stakeholders and also communicate the risk mitigation strategy.
TOOLS AND TECHNIQUES USED IN RISK MONITORING AND CONTROL
Risk monitoring and control is the process of keeping track of the identified risks, monitoring residual risks and identifying new risks, ensuring the execution of risk plans and evaluating their effectiveness in reducing risk. Risk monitoring and control records risk metrics that are associated with implementing contingency plans.
The tools and techniques for risk monitoring and control are given below:
1. Project risk response audits:
Risk auditors examine and document the effectiveness of the risk response in avoiding, transferring, or mitigating risk occurrence, as well as the effectiveness of the risk owner. Risk audits are performed during the project life cycle to control risk.
2. Periodic project risk reviews:
Project risk reviews should be regularly scheduled. Project risk should be an agenda item at all team meetings. Risk ratings and prioritization may change during the life of the project. Any changes may require additional quantitative and qualitative analysis.
3. Earned value analysis:
Earned value is used for monitoring overall project performance against a baseline plan. Results from an earned value analysis may indicate potential deviation of the project at completion from cost and schedule targets. When a project deviates significantly from the baseline, updated risk identification and analysis should be performed.
4. Technical performance measurement:
Technical performance measurement compares technical accomplishments during project execution to the project plan’s schedule of technical achievement. Deviation, such as not demonstrating functionality as planned at a milestone, can imply risk to achieving the project’s scope.
5. Additional risk response planning:
If a risk emerges that was not anticipated in the risk response plan, or its impact on objectives is greater than expected, the planned response may not be adequate. It will be necessary to perform additional response planning to control the risk.
6. Risk reassessment:
Risk reassessments involve the following activities: identifying new risks; evaluating current risks; evaluating the risk management processes; closing risks.
7. Variance and trend analysis:
As with many control processes, we now look for variances between the schedule and cost baselines and the actual results. When the variances are increasing, there is increased uncertainty and risk. Watch the trends and respond before the situation gets out of hand.
8. Reserve analysis:
During cost planning, the contingency and management reserves are added to the project budget as needed. As risks occur, the reserves may decrease. Depending on how your organization handles reserves and your risk management plan, project managers may request more reserves when they are inadequate.
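As an added example (not from these notes), the following Python code combines tools 3, 7 and 8 above: it computes cost and schedule variance and performance indices from earned value figures, checks whether cost variance is worsening period over period, projects the estimate at completion from the current CPI (EAC = BAC / CPI, the standard earned value formula assuming current cost performance continues), and compares the projected overrun with the remaining contingency reserve. The monthly figures, the CPI/SPI limit and the trend window are constructed assumptions.

```python
from dataclasses import dataclass

# Added example, not from the notes: figures, limits and window are assumed.


@dataclass(frozen=True)
class Period:
    label: str
    pv: float  # planned value: budgeted cost of work scheduled (cumulative)
    ev: float  # earned value: budgeted cost of work performed (cumulative)
    ac: float  # actual cost of the work performed (cumulative)


def variances(p: Period) -> dict:
    """Cost/schedule variance and performance indices for one period."""
    return {
        "cv": p.ev - p.ac,                    # negative = over cost
        "sv": p.ev - p.pv,                    # negative = behind schedule
        "cpi": p.ev / p.ac if p.ac else 1.0,  # < 1 = each cost unit earns less than planned
        "spi": p.ev / p.pv if p.pv else 1.0,  # < 1 = earning slower than planned
    }


def estimate_at_completion(bac: float, cpi: float) -> float:
    """EAC = BAC / CPI: the forecast if current cost performance continues."""
    return bac / cpi


def cost_variance_worsening(periods: list, window: int = 3) -> bool:
    """True if cost variance fell in each of the last `window` periods, the
    'increasing variance' trend that signals rising uncertainty and risk."""
    cvs = [variances(p)["cv"] for p in periods]
    recent = cvs[-(window + 1):]
    if len(recent) < window + 1:
        return False
    return all(later < earlier for earlier, later in zip(recent, recent[1:]))


def reserve_margin(bac: float, reserve: float, cpi: float) -> float:
    """Contingency reserve left after the overrun the current CPI projects.
    Negative means the reserve is inadequate and more should be requested."""
    projected_overrun = estimate_at_completion(bac, cpi) - bac
    return reserve - projected_overrun


def assess(periods: list, bac: float, reserve: float,
           index_limit: float = 0.9, window: int = 3) -> list:
    """Control actions the monitoring data calls for, following the notes:
    significant deviation -> re-identify and re-analyse risks; worsening
    trend -> respond early; inadequate reserve -> request more."""
    latest = variances(periods[-1])
    actions = []
    if latest["cpi"] < index_limit or latest["spi"] < index_limit:
        actions.append("significant deviation: re-run risk identification and analysis")
    if cost_variance_worsening(periods, window):
        actions.append("variance trend worsening: review responses now")
    if reserve_margin(bac, reserve, latest["cpi"]) < 0:
        actions.append("contingency reserve inadequate: request additional reserve")
    return actions


# Constructed cumulative monthly figures for a project with a 1000-unit budget.
SAMPLE = [
    Period("M1", 100, 95, 100),
    Period("M2", 200, 180, 200),
    Period("M3", 300, 255, 300),
    Period("M4", 400, 320, 400),
]
BAC = 1000.0      # budget at completion
RESERVE = 100.0   # contingency reserve still unused

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.label, variances(p))
    print("EAC:", estimate_at_completion(BAC, variances(SAMPLE[-1])["cpi"]))
    print("actions:", assess(SAMPLE, BAC, RESERVE))
```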
Project managers should be deliberate risk managers. Engage your team members and appropriate stakeholders in meetings to facilitate the risk management processes. For these meetings, be sure to:
Distribute an agenda with a clearly stated purpose
Invite the appropriate team members and stakeholders
Use appropriate tools and techniques
Some of the Controls you can create are:
Identify risk triggers. In order for you to set controls in your risk management action plan, you will need to take into account risk triggers: what will happen just before the risk occurs? What can we measure to discover that a risk is about to occur? How will we know right away when it occurs? Document these answers in the risk response plan. This is your early warning system.
Re-analyze risks at set periods. Risk reassessments should be regularly scheduled for reassessment of current risks and closing of risks. Monitoring and controlling risks may also result in identification of new risks.
Risk audits for examining and documenting the effectiveness of risk responses in dealing with identified risks and their root causes, as well as the effectiveness of the risk management process. The risk audits should be performed at an appropriate frequency and defined in the risk management planning. The format for the audit and its objectives should be clearly defined before the audit is conducted.
Regular scheduled risk meetings. Risk management should be an agenda item at periodic meetings. Frequent discussion about risk makes it more likely that people will identify risks and opportunities or advice regarding responses.
Variance and trend analysis using performance information for comparing planned results to the actual results, in order to control and monitor risk events and to identify trends. Outcomes from this analysis may forecast potential deviation (at completion) from targets and goals.
There are many possible ways of communicating risk management to your organization:
Meetings: getting everyone in one room – if that is possible – is possibly the best way to start the risk management process, so you can explain face to face what it is about and why you are doing it. Keep people up to date so they know that risk is being taken seriously and to encourage them to provide further input.
Brainstorming sessions: brainstorming sessions are excellent communication tools because they make everyone feel involved.
Emails, newsletters and bulletins: getting everyone to meetings is not always possible, so it’s useful to put down on paper what’s happening in risk management.
Questionnaires / surveys: at the start of the risk management process and at critical steps along the way, it can be a good idea to send out a questionnaire to invite people to outline risks they perceive in your organization’s activities, and ideas for their abatement.
Write a guide: a risk management guide is an excellent tool for ensuring everyone involved in your organization is aware of risk management issues.
PROCESS OF INTEGRATING RISK MONITORING AND CONTROL
An integrated risk management strategy requires that all the key functions in your company, e.g., personnel, finance and accounting, manufacturing, procurement, information technology, legal, internal audit, strategic development, marketing, etc., take part in the risk management process. An integrated risk management framework establishes a structured approach to governing risk. Applying an integrated risk management strategy lets you evaluate your risks by providing a link between your business objectives, the functional departments of your company, and the components of a risk assessment, i.e., the extent of the potential loss and the probability that the loss will occur.
Integrating risk management brings benefits to the organisation which are not available from the typical limited-scope risk process. These include:
Bridging the strategy/tactics gap to ensure that project delivery is tied to organisational needs and vision.
Focusing projects on the benefits they exist to support, rather than simply on producing a set of deliverables.
Identifying risks at the strategic level which could have a significant effect on the overall organisation, and enabling these to be managed proactively.
Enabling opportunities to be managed proactively as an inbuilt part of business processes at both strategic and tactical levels, rather than reacting too little and too late as often happens.
Providing useful information to decision-makers when the environment is uncertain, to support the best possible decisions at all levels.
Creating space to manage uncertainty in advance, with planned responses to known risks, increasing both efficiency and effectiveness, and reducing waste and stress.
Minimising threats and maximising opportunities, and so increasing the likelihood of achieving both strategic and tactical objectives.
Allowing an appropriate level of risk to be taken intelligently by the organisation and its projects, with full awareness of the degree of uncertainty and its potential effects on objectives, opening the way to achieving the increased rewards which are associated with safe risk-taking.
Development of a risk-mature culture within the organisation, recognising that risk exists in all levels of the enterprise, but that risk can and should be managed proactively in order to deliver benefits.
Strategy and tactics are connected through project objectives, which are both affected by uncertainty, leading to risk at both strategic and tactical levels. An integrated approach to risk management can create significant strategic advantage by bridging the strategy/tactics gap, and dealing with both threats and opportunities, to enable both successful project delivery and increased realisation of business benefits.
Risk Management Process Summary
Here is a chart which gives a summary of the processes themselves, plus the tools & techniques used as part of that process.