Project Management Institute European Conference June 2001.
Andrew Moore, Astute Risk Manager, Alec Fearon and Mark Alcock, Astute Risk Team
The contributions to this paper made by John Knott of the Astute Risk Team and David Booth of Alenia Marconi Systems are gratefully acknowledged.
BAE SYSTEMS Astute Class Limited (ACL) was set up in 1997 as an independent company within GEC Marconi to manage the £1.8B prime contract for the next generation of nuclear submarines to be designed and built for the UK Royal Navy. The company now also manages upgrade contracts for the existing submarines and a risk reduction contract for the second buy of Astute Class submarines announced by the Defence Procurement Minister at the keel laying ceremony for HMS ASTUTE on 31 January this year. Over the past 4 years, the company has evolved a management system for opportunity and risk to support the proactive management of the business and projects. This paper identifies some of the approaches taken and discusses some of the more valuable lessons learned.
As a new company ACL had the opportunity to take a fresh look at the subject of risk management based on its immediate need to manage a single large prime contract. After a faltering start, a robust set of processes and methods were developed from what was then considered good project risk management practice in industry. These were then documented in a Risk Management Plan, which was issued and accepted by the Defence Procurement Agency (DPA) customer in July 1998. Shortly afterwards, all the initially identified risks were transferred to a database tool that had been developed 'in-house' as a prototype to prove the requirements of an Opportunity And Risk System (OARS). Over the following months, all risks owned by both ACL and the DPA were input to the risk register which was to be accessible to both parties. Shortly afterwards, the shipbuilder, now BAE SYSTEMS Marine at Barrow, added his risks and gained access to the register, which was run over a secure WAN with terminals at each site. Over the subsequent years, the processes have been developed and expanded into a system that encompasses the management of both opportunity and risk that could affect any of the projects run by the company or the company directly. The development of the business risk elements was accelerated by the publication of the Turnbull guidance (Turnbull, 1999) and, more recently by the issuing of the BAE SYSTEMS Operational Framework, (BAE Systems, 2000). This latter document stresses the need to manage risk and opportunity effectively if the company is to optimise its shareholder value. The company has recently completed a major update to its existing Project Lifecycle Guide for Risk Management (LM01/02 2001), which follows the principles in the British Standard, A Guide to the management of business related risk (BS6079:2000-3). It also supports the Operational Framework and incorporates many of the lessons learned on Astute presented here.
This paper is presented to communicate some of the more important lessons learned from the Astute experience so that other companies and organisations, in particular those that work with BAE SYSTEMS, can benefit from them.
This paper is limited to the Astute experience and does not necessarily represent the approach that would currently be taken by other BAE SYSTEMS companies, although efforts are being made to develop a common approach through the Operational Framework and the new Lifecycle Guide.
The main lessons learned from the Astute Experience are:
The top requirements placed on any business are detailed in the Turnbull guidance (Turnbull, 1999) and include enhancing shareholder value and meeting the needs of all stakeholders. The lower level requirements then developed to support it will depend on the nature of the business and the other needs of its stakeholders. The business must then be structured to meet these requirements. This approach is a business implementation of the systems building block described in the International Council on Systems Engineering (INCOSE) Standard (EIA/IS 632 1999).
In the case of ACL, the business was structured to design and build 3 nuclear powered attack submarines as a major project. As the project progressed and the business started to get involved in related work, the business structure was modified to meet the evolving requirements upon it. A clear understanding of these requirements and the business structure for them is essential if the risks and opportunities to them are to be managed effectively.
In this sense any business can be considered as a collection of projects set up to realise the objectives determined by the requirements. These projects may include traditional design and production projects, concept and feasibility studies as well as the more business orientated projects such as meeting increased quality standards in a production line, improving productivity in the workforce and implementing a business improvement strategy. All of these projects require requirements and acceptance criteria to be set, appropriate business / engineering processes to be identified with a plan for their use, leading to an outcome or product that meets the original requirement to an acceptable standard. The opportunity and risk management process sets out to identify the threats and opportunities to the achievement of the desired outcome and then to take actions to mitigate the threats and realise the opportunities.
Any event or circumstance that affects one or more of these requirements, as they evolve, is a potential risk or opportunity to the business. If they do not affect the requirements they cannot be risks and any time or money spent managing them is wasted. This also means that if the requirements are not clearly understood and communicated, a business will lose time and money by failing to manage the business to meet the requirements including failing to identify and manage risk and opportunity effectively.
Figure 1 - Astute OARS - Object Diagram showing relationships
The Astute OARS has been developed along standard systems engineering principles based on object oriented design. The object diagram for the Risk part of OARS is illustrated in Figure 1. A similar diagram for Opportunities is also used. They form the basis of the OARS.
The start point is a clearly expressed and structured set of requirements, reflecting all stakeholder viewpoints, which enables the identification of potential areas in the outcome that could be affected by risks or opportunities to the business or the project, an Effects database. It also allows the construction of a solution, a design specification and plan to meet the requirements. This gives rise to a set of simple Baseline Assumptions about the solution from which issues will arise. Issues that remain unresolved become the causes of risks or lost opportunities. However, issues can be resolved by taking timely action, which, if successful, will reduce the probability of risks occurring and/or enable opportunities to be realised. The key point here is that issues are relatively easy to manage, you simply identify the action, carry it out and report on its completion. This can be done without fully detailing the likely impact or effect. The only 'owner' is the owner of the action.
As the business or project focus develops, the need arises to actively identify specific risks and opportunities with their probabilities of occurrence and severity of impact. This immediately requires the involvement of two or more owners who must communicate to manage the risk or opportunity. ACL follows the normal practice of identifying the owner of the impact as the Risk Owner. As the individual, who will either suffer or benefit, he will try to ensure that the agreed actions are carried out by the owners of the actions or Actionees, who may have many other priorities to be balanced against the need to complete the risk actions they own.
Thus, issues generally need higher level management than individual risks and opportunities, the management of which is more complex and time- consuming.
Both the actions and the impact timescales need to be identified in the plan that defines the process of achieving the desired outcome. In a project this would be the programme plan. When the actions are completed, a risk occurs or an opportunity is realised, their effects must be analysed against the Effects database. Any changes to the baseline assumptions are fed back to review all associated or secondary issues, opportunities and risks, completing the loop back to the solution of the initial requirements.
A risk is defined as an event or series of events, with a finite probability of occurrence, that could damage the project in terms of the performance / functionality of the product, the time of delivery / acceptance or cost. Thus a risk can only have a negative effect on the project.
Similarly, an opportunity is defined as a circumstance or set of circumstances, with a finite probability of realisation after action, that offers benefit to the project in terms of the same criteria. Thus an opportunity can only have a positive effect on the project.
ACL identifies uncertainty separately as an uncertainty in estimating performance, functionality, time or cost, which means that it is likely to include all minor risks and opportunities that may not have been identified separately. However it would specifically exclude the significant risk and opportunity events evaluated in the register. Thus it is able to have both a positive and negative effect on the project.
In many cases, an opportunity may be identified during a bidding phase and its benefits sold forward in the bid on the assumption that they will be realised. This approach gives rise to the risk that the assumption is unrealistic and that its benefits may not be realised, making opportunity and risk opposite sides of the same coin.
One of the major problems experienced by ACL has been lack of clarity in the understanding of risks and opportunities leading to ill-described actions without measurable outcomes. Some of the risk descriptions were simply statements of a possible impact, others were expressions of a possible action without any idea of its real benefit while some were simply motherhood and apple pie type statements that meant nothing. No management system can work effectively with this quality of input data. The solution was to introduce a clear semantic discipline for the expression of risks and opportunities. The approach for Risks is tabulated below.
Table 1 - Risk Description - Semantic Discipline
|Start the sentence with||Complete the sentence by:|
|There is a risk that||Describing the adverse event or series of events that might happen|
|The risk is caused by||Identifying the generic cause area and describing the specific source of risk|
|The direct impact of the risk occurring will be||Describing the direct impact in terms of the adverse effect on the objectives of the work area in which the risk occurs|
|If the risk occurs, the recovery action will involve||Outline the recovery action that will have to be taken if either nothing is done or mitigation of the risk is unsuccessful and the risk event occurs|
|The recovered impact on the programme goals will be||Describing the adverse impact on performance, schedule and/or cost goals once recovery action has been taken. This would usually be different action dependent on the success or failure of the mitigation action.|
A similar discipline is used for the description of opportunities. The increasing application of this discipline has led to a much clearer focus on appropriate actions and their timely completion, which is the essence of any effective management system.
Describing a risk or opportunity using the above discipline is not a quick exercise. Thus it is not suitable to use in a risk/opportunity identification brainstorm, where the rapid collection of ideas is paramount. ACL has developed a way of using focused identification brainstorms to identify worries and wishes. The worries and wishes tend to be a mixture of Issues, which if unresolved become the cause of risks or lost opportunities, Sources of Risk, Opportunity Actions and Effect/Benefit areas. Once collected, they can be broken down into these categories to develop Cause-Effect and Action-Benefit matrices.
In these matrices the Effects and Benefit rows are the same and can be used to develop generic recovery strategies. In the case of a project the Effects would consist of elements of product performance, schedule and cost. In the case of a business they would include elements identified by Turnbull, i.e. Finance, Operations and Reputation.
The Issues, Sources of Risk and the Opportunity Actions would be used to develop generic mitigation / realisation action strategies. This encourages actions to be taken to resolve key issues at a stage before they can become the causes of risk or lost opportunity, often before the associated specific risks and opportunities have been identified or quantified. Managing issues in this way is usually the most effective way of managing opportunity and risk because it is pre-emptive.
The development of the matrices has been described as a top-down exercise. However, the semantic discipline used, for example, in describing a specific risk event also identifies cause and effect. This enables a reconciliation to be carried out between the contents of a risk register, much of which may be developed from the bottom up by individual risk owners, and the top down view of a brainstorm session. ACL believes that this ensures a clear understanding of the issues, risks and opportunities at all levels and disciplines in the organisation and is a useful way of ensuring that the data in the registers is as complete as possible.
To many people, the effort spent on managing risk and opportunity may be seen a distraction from their main tasks because they see no real benefit from it. ACL has found that a structured set of peer reviews of risks, opportunities and actions is the most effective way of communicating the benefits and ensuring that the necessary work is carried out. The meetings are held at 4 levels of detail:
Level 1 ACL Business level, chaired by the MD and attended by all directors. Held quarterly to manage the business issues and generic actions at a strategic level.
Level 2 Project level, chaired by a project director and attended by the appropriate directors and senior managers, including the chairmen of all lower level workshops within the project. Held quarterly to manage the project issues and actions.
Level 3 Sub-project level, chaired by the relevant director/senior manager and attended by other directors and senior managers as appropriate, including the chairmen of all subsidiary workshops. Held monthly to manage the reconciliation between the top down view of the higher level meetings with the bottom up view of the lower level meetings. The workshop also manages the more severe specific risks, important opportunities and associated actions.
Level 4 Functional area level, chaired by the relevant functional director or senior manager and attended by owners of specific risks, opportunities and actions. Held monthly to manage the detail as required by the Level 3 Workshop chairmen.
In the case of the smaller projects, levels 2 and 3 are combined in a single meeting. The level 4 meetings are primarily concerned with managing the specific actions and will normally only identify new risks and opportunities that are apparent at that level of working. The more important of these are passed up to the level 3 meeting to ratify. Top down brainstorms are held at all levels at major project / business milestones.
This structure provides a mechanism able to manage the detail while also co-ordinating the tactics at project level with the business strategy.
The evaluation of likely cost of risk at the business level was traditionally based on insurance premium cost. However, this figure is perhaps only 10% or less of the real cost of risk to the business, which can be about 10% of company turnover. Thus measurement of the cost of risk and its trend provides a clear understanding of the cost-benefit of expenditure on risk mitigation and opportunity realisation. Elements that need to be considered include:
These areas need to be examined to determine where the business is spending more than necessary and actions taken to minimise unnecessary spend or spend more initially to achieve greater savings later. The key thing is to do something about it rather than just accept the cost.
The other major contributor to the cost of risk in any business is associated with the projects it carries out. The ACL process is designed to enable to continuing prediction of the likely cost of risk trend by collecting all necessary data at the appropriate Risk & Opportunity Workshops.
Quantitative analysis of the risk & opportunity data collected provides an estimate of the current exposure and the predicted cost of risk at project completion. ACL also collects impact and action timing and cost data which allows the effectiveness of its Opportunity & Risk Management activities to be monitored in terms of reducing exposures against action spend and the trend of the predicted cost of risk at project outturn. These predictions form the basis of the Astute Project's profit trading plan.
This paper has expanded on the six main Opportunity & Risk Management lessons learned by ACL over the past 3 years. It has highlighted that, to be real, risks and opportunities must have some effect on the business or project requirements by affecting the business reputation, its profitability or the project outturn. It has explained why the clarity of expression of risks and opportunities is essential if their nature is to be communicated so that appropriate actions can be identified and implemented. It has shown that a focus on issues, causes, effects, actions and their structured management is the most effective way of managing both sides of the risk/opportunity coin. It has suggested that capturing and managing the trend of exposures and cost of risk can enable the effectiveness of any opportunity & risk management process to be monitored. However, the most important lesson is you must DO something to realise opportunities and reduce the effects of risks.