10

Keep It Alive (Major Reviews)

Chapters 4 to 9 describe the steps required to undertake an initial assessment of risk for a medium-sized project, but the ATOM process does not end when this first pass is complete. It is true that the first time a project team is involved in the risk process there is usually lots of enthusiasm, which can lead to an efficient process, which in turn increases effectiveness. However, doing the process once does not ensure that risk remains effectively managed on any project; indeed, it is only the start. It is essential to maintain momentum throughout the project, and ATOM provides for this with a series of risk reviews. These are termed major and minor to reflect the required level of effort. Figure 10-1 illustrates the main differences between a Major and Minor Review.

Major Reviews usually take place at key points during the project, either at the beginning of a new phase or at significant milestones within a phase, but they do not happen often enough to ensure that the assessment of risk exposure remains current. To do this, ATOM uses a series of regular Minor Reviews that take place in line with the normal reporting regime of the project. In the typical medium-sized project, the initial pass through the ATOM process is followed by one or more Minor Reviews, with a Major Review occurring some time later, as illustrated in Figure 10-2.

The remainder of this chapter describes the ATOM Major Review; Minor Reviews are covered in Chapter 11.

A Major Review essentially uses a single workshop to repeat all the steps that make up the First Risk Assessment, providing a full reassessment of the project’s risk position. This workshop normally takes place at the beginning of a phase or at key milestones during the project, and at the frequency defined in the Risk Management Plan. However, there may be other times when an additional Major Review is justified (perhaps after a significant change to the project), and the project sponsor or project manager can initiate a Major Review at any time.

Figure 10-1: Differences between Major and Minor Reviews

Figure 10-2: Relation between Major and Minor Reviews

The ATOM Major Review aims to:

•  Review all current risks and any other risks raised since the last formal review

•  Identify new risks (including secondary risks)

•  Update the Risk Register

•  Produce a full report and periodic reporting information for project progress reports and progress meetings

•  Check the effectiveness of the current risk management process.

In order to do this, the following inputs are required:

•  Risk Management Plan outlining project objectives and scope of the risk process

•  Risk breakdown structure (RBS)

•  Work breakdown structure (WBS)

•  The Risk Register, which contains full details of all risks (current and draft), including:

•  Risk owners and agreed-upon response strategies

•  Action owners and agreed-upon actions

•  Current status of each risk

•  An overview of the current status of the project

•  Risk management tool (spreadsheet, database, or proprietary software).

A Major Review involves the following activities:

•  Pre-workshop preparation

•  Risk workshop, which includes:

•  Initial scene-setting

•  Reviewing all current and draft risks

•  Identifying, assessing, and categorizing new risks

•  Updating the Risk Register

•  Reviewing the effectiveness of the risk process

•  Post-workshop actions:

•  Risk champion interviews risk owners to confirm new responses

•  Risk owners consider the need to modify existing responses

•  Risk owners liaise with risk action owners to refine existing actions and develop new actions

•  Risk owners liaise with risk champion to provide details of refined responses and new actions

•  Risk champion updates the Risk Register and produces a full risk report

•  Risk champion liaises with the project manager to add any new activities to the project plan

•  Project manager communicates escalated risks to the appropriate part of the organization or person, if known

•  Project manager considers the need for change control as required.

A Major Review produces the following outputs:

•  Updated Risk Register containing the latest information and status of all risks

•  Modified and new actions required to respond effectively to current risks

•  Full risk report

•  Inputs to project review meetings and periodic project reports

•  Further activities in the project schedule that relate to risk actions

•  A revised Risk Management Plan (if required).

These inputs, activities, and outputs are illustrated in Figure 10-3 and are described in detail in the sections that follow.

Inputs

The Risk Management Plan defines when Major Reviews are planned and also includes a list of key project stakeholders who may be invited to participate in the Major Review.

The RBS is used to structure risk identification techniques, and the WBS provides a structure for mapping the effects of risks.

The Risk Register is the prime input to the Major Review because it contains a complete set of data for each identified risk. This includes the name of the risk owner responsible for overall management of each risk, together with the agreed-upon response strategy and the names of action owner(s) responsible for implementing the actions needed to execute the response strategy. In addition, the Risk Register contains the current status of each risk (draft, active, expired, occurred, closed, or deleted). Draft risks are those that have been identified since the last risk review.

Another key input to the risk workshop is an overview of the current status of the project, which is provided by the project manager. It is important to know if anything in the project has changed, either internal or external, that could directly affect the assessment of an existing risk.

As in previous steps, it is assumed that a risk management tool is used to support the ATOM risk management process and that this tool will be available when required.

Activities

The activities in the Major Review are focused on a risk workshop, which for a medium-sized project usually takes one day. Conducting the workshop properly requires a number of pre- and post-workshop activities. It is the risk champion’s responsibility to ensure that all pre- and post-workshop activities are carried out, either by himself or by others (e.g., risk owners). The risk champion is usually responsible for facilitating the risk workshop.

Figure 10-3: Flowchart for Major Review Step

Many of the Major Review workshop tasks are identical to those that make up the initial risk identification and assessment workshop and are summarized here (for detailed descriptions, see Chapters 5 and 6).

PRE-WORKSHOP PREPARATION

This includes agreeing on attendees, preparing and distributing a workshop agenda (see Figure 10-4), and circulating pre-workshop briefing material; this material might include workshop objectives and current project status reports. Risk owners also receive a list, in priority order, of all the risks for which they are responsible. (The risk management tool should produce these filtered and sorted lists automatically.) Risk owners should review their risks in advance of the meeting and be prepared to comment on the current status of each one.

Figure 10-4: Sample Agenda for a Major Review Workshop

The risk champion also prepares for himself and the project manager a prioritized list of all active risks, extracted from the Risk Register, showing key details for each risk such as the risk description, probability and impacts, risk owner, risk action owner( s), agreed-upon response strategy and associated actions, and last reported status. A list of all draft risks taken from the Risk Register is also prepared for review at the meeting; this list may be either circulated in advance or handed out at the meeting.

THE MAJOR REVIEW WORKSHOP

The Major Review workshop is usually facilitated by the risk champion, although it is possible to use a specialist facilitator, and includes the following elements.

Initial Scene Setting If necessary, the workshop begins by introducing participants to one another and confirming the project objectives. The risk champion also presents a brief summary of the risk management process, if required. These steps are not necessary when the project team is stable and participants have been involved in previous risk workshops.

The risk champion outlines the purpose, scope, and ground rules of the workshop, clarifying what is expected from the participants and what outputs should result. The project manager then presents a brief summary of the current status of the project, highlighting any current issues that workshop participants need to know when identifying risks.

Review all Current Risks The first main task during the Major Review workshop is to review existing risks. To ensure that effort is spent on the most important risks, all active risks are reviewed in priority order, taking threats before opportunities, as follows:

1. Red threats

2. Red opportunities

3. Amber threats

4. Amber opportunities

5. Green threats

6. Green opportunities.

For each risk, the following must be reviewed:

•  Current status. If a risk is no longer active, the risk owner explains its current status and why or how this status change has occurred.

•  Current probability and impact. If the risk is still active, its probability and impacts are reassessed, taking into account the effects of any completed or in-progress actions, any changes to the internal or external environment of the project, and the overall status of the project.

•  Action status. The risk owner will know the status of agreed-upon actions for his or her risks, either from discussions with action owners or by checking progress as reported in the project plan. For actions that are either in progress or recently completed, the risk owner reports to the meeting on their effectiveness in achieving the desired outcome. If completed actions are not addressing the risk in the expected way, the risk owner first considers whether an alternative response strategy is required and then meets with allocated action owners immediately following the workshop to develop additional actions for either the existing or the new response strategy. If these actions also require the raising of new project activities, then that is done as well. Future or planned actions are considered and any adjustments to planned actions made. Any changes to response strategies or actions should be reflected in the assessment of post-response probability and impact.

Review Draft Risks The meeting next considers all risks that have been raised since the last formal review (including proposed new risks and secondary risks arising from implementation of agreed-upon actions). These are labeled with draft status in the Risk Register. Risk workshop participants either make these active if they are recognized as genuine risks, or mark them as rejected if they are not thought to be risks or if they are duplicates of existing risks. Rejected risks are marked in the Risk Register accordingly and not considered further. Risks with impacts outside the project are marked as escalated, and the project manager communicates them after the review to the appropriate part of the organization or person, if known.

Draft risks should already have been properly described using the risk metalanguage, had their probability and impacts assessed, a risk owner appointed, a response strategy developed, and action owners identified, as described in Chapter 9. When a draft risk is converted to active status, each element of this data is reviewed during the meeting and confirmed or amended as necessary.

Identify, Assess, and Categorize New Risks Having reviewed all active and draft risks, the workshop moves on to identify new risks that have arisen since the last formal review. The risk champion or workshop facilitator chooses a suitable method, such as brainstorming, assumptions and constraints analysis, or a checklist (as previously described in Chapter 5), bearing in mind that a different technique might help participants expose risks not previously considered.

All newly identified risks are clearly and unambiguously described using the risk metalanguage and given a unique risk identifier number. Participants should be careful to avoid raising risks that already exist in the Risk Register, and the facilitator should ensure that duplicates and non-risks are removed at this stage.

The probability and impacts of each new risk are assessed, using the scales defined in the Risk Management Plan. New risks are also categorized using the RBS and WBS. Workshop participants agree on a response strategy for each new risk and nominate a risk owner, who develops appropriate actions and appoints action owners after the workshop.

Update Risk Register The Risk Register must be kept up to date to reflect the current status of each risk. The risk champion is responsible for this, with input from risk owners. The Risk Register is updated during the Major Review workshop; otherwise, the risk champion updates it immediately afterward.

All risks that are reviewed as part of the workshop, whether they existed beforehand or are newly raised, are assigned one of the five overall statuses: active (this applies to all new risks), expired, occurred, closed, or deleted.

In addition to the overall status, the risk owner records all other information about each risk and ensures that the Risk Register contains the latest data, including:

•  Current assessments of probability and impacts

•  Progress on all agreed-upon actions

•  Changes to the risk owner or action owners

•  Changes to the response strategy or new actions.

Review Effectiveness of Risk Process The Major Review workshop ends with participants reviewing the risk process as currently implemented on the project and considering whether it is appropriate to meet the risk challenge faced by the project. This includes the scope and objectives of the risk process, use of tools and techniques, frequency of updates, etc. The risk champion leads an open discussion on this, encouraging full feedback and expression of any concerns. It may be decided that the risk process as defined in the Risk Management Plan is either insufficiently robust or too detailed. In either case, the risk champion meets with the project manager and the project sponsor following the workshop to agree on process changes; significant changes result in revision and reissue of the Risk Management Plan.

Close the Workshop On completion, the risk champion summarizes the achievements of the workshop and lists any agreed-upon actions. The schedule for the next planned review is also confirmed.

POST-WORKSHOP

Following the Major Review workshop, the risk champion interviews risk owners to refine any new responses generated in the workshop. In addition, risk owners in liaison with action owners refine existing actions and develop new ones. As part of this step, the post-response probability and impacts of each risk are assessed to determine the residual risk exposure, and to identify and record any secondary risks.

The risk champion liaises with the project manager to add any new activities to the project plan, and the project manager considers the need for change control as required.

If the Risk Register was not updated during the risk workshop, then the risk champion makes sure this is completed prior to producing the full risk report.

If the workshop suggests that a change is required to the risk process for the project, the risk champion, project manager, and project sponsor meet to agree on what modifications are necessary, and the risk champion then updates and reissues the Risk Management Plan. The project manager also communicates escalated risks to the appropriate part of the organization or person, if known.

Outputs

The two main outputs from a Major Review are an updated Risk Register that contains the current status of each risk and progress on agreed-upon actions, and a full risk report. The contents of the full risk report match the report prepared after the First Risk Assessment, as detailed in Chapter 8, but with inclusion of an additional section focusing on changes since the last review, to communicate whether the risk exposure has improved or worsened. This section of the report highlights what has changed, including the numbers of threats closed or deleted, how many threats and opportunities have occurred, the number of new risks raised, etc. The project may develop simple metrics to provide indicators of changes in risk exposure, though this is not mandatory for a medium-sized project. Examples of metrics are illustrated in Figure 10-5.

If modified or new actions are identified during the Major Review, these feed into the Implementation step (see Chapter 9) to ensure that they are performed.

A Major Review also considers the effectiveness of the risk management process. If modifications are required to the current process, these will be reflected in a revised Risk Management Plan.

Figure 10-5: Sample Metrics to Measure Risk Exposure

Summary

A Major Review ensures that the risk process is being carried out efficiently and effectively, updating the Risk Register to reflect the current risk exposure of the project. The Major Review contains the same steps as the First Risk Assessment but on a reduced scale and in a compressed time frame. The following activities are required:

•  Prepare for and facilitate a risk workshop

•  Review all current risks and newly raised risks to determine their status

•  Identify, describe, and assess new risks; appoint risk owners and develop responses

•  Update the Risk Register

•  Revise and define risk actions and appoint action owners

•  Update the project plan to take into account risk actions

•  Draft and distribute a full risk report and other information needed for project reporting

•  Consider the efficiency and effectiveness of the risk management process.

Major Reviews take place at the frequency set out in the Risk Management Plan, continuing until the Post-Project Review takes place as part of project closedown.