Project Risk Management: Are You Asking, “What can go wrong?”
Originally published by Inside Sarbanes-Oxley
By Marc Weinberg, Protiviti

According to a study by The Standish Group International (a leading IT advisory firm) of 365 small, medium and large projects, 13.1 percent of all projects will be canceled before completion, 52.7 percent of all projects will cost 189 percent of their original estimates, and the average time overrun is 222 percent of the original estimate.

 

Even with all the advances in project management software, weekly status reporting and constant updating of issues logs, why is it that projects do not deliver what is expected, within budget and within the expected time frame?

 

A critical ingredient appears to be a lack of proactive risk management. Take, for example, the U.S.-led coalition of troops after they invaded Iraq. Lack of a proactive risk management plan resulted in chaos, more political in-fighting and a greater loss of life than was ever expected. The U.S.-led coalition had to tactically adjust and react to the situation at hand. Most projects are not much different. We walk through a proverbial minefield of issues and problems and try to fix them as they occur or unfold before us. The quality gurus of today have continually told us that the cost of fixing problems is always higher than the cost of preventing them. Even Benjamin Franklin had it right when he said “an ounce of prevention is worth a pound of cure.”

 

Risk management should not be reactionary but perpetually in place to identify possible outcomes (both good and bad) for the project’s duration. Negative outcomes should be identified and prioritized by reviewing the combination of impact (potential loss) and probability of occurrence for each outcome. Once negative outcomes are prioritized, a risk response plan is then developed for those risks that have a medium/high combination, i.e., high impact and medium probability; medium impact and high probability; and high impact and high probability. The purpose of the risk response plan is to determine what can be done to reduce the overall risk of the project by decreasing the probability or impact of the short-listed risks. This includes contingency planning, which identifies the actions one will take if the risk actually happens.

 

So, what kind of risks can you expect to occur in your projects? You will most likely find people, process and technology risks, among others. Based on my experience, if you are involved in a Sarbanes-Oxley Section 404 documentation project where you need to interview process owners and identify typical causes, risks and effects, your project might include the following:

 

People-related:

- Process owners out on vacation—people unavailable for interviews—Project Delayed.

- Lack of senior management support—people refusing to meet with you because they consider being interviewed unimportant—Project Delayed.

 

Process-related:

- Poorly defined work breakdown structures that detail project requirements, i.e., end items, tasks and resources, into manageable work units—project team spends valuable time in an unproductive activity determining the meaning and/or relationship of tasks and associated end items—Project Delayed.

- Inadequate change control process—scope creep (unplanned additional work, i.e., interviewing and documenting procedures)—Project Cost Overrun.

- Accounting is busy closing the books—accounting personnel off-limits for everyone—Project Delayed.

 

Technology-related:

- System conversion issues—unclean data resulting in valuable process owner time spent fire-fighting—Project Delayed.

- System crashes—time lost for everyone involved—Project Delayed.

 

Your risk response plan will indicate how you addressed your short-listed risks. You can choose to (1) avoid a risk by eliminating its cause; (2) accept the risk if it occurs, which means doing nothing; (3) mitigate it, i.e., doing something that will make the resulting outcome less unfavorable; or (4) outsource/transfer the risk to another party.

 

How would you go about mitigating the above listed people, process and technology risks?

 

- For people risks, (1) process owners might be asked to delay their vacation time until after project completion, and (2) the company’s CFO might be appointed project czar or champion, whose role is to communicate the project’s importance throughout the company.

- For process risks, (1) the project team would clearly define the meaning of each component task of the work breakdown structure and its associated end item prior to project execution, (2) the project manager would develop a change control system that formally defines how project deliverables and documentation will be controlled, changed and approved, and (3) documentation of the Accounting department’s general ledger and financial reporting processes might be scheduled at a more appropriate time when accounting resources are available.

- For technology risks, (1) develop a data scrubbing contingency plan to expedite completion of the system conversion and free up process owners for interviews, and (2) develop a data backup and recovery plan with quick turnaround time.

 

The benefits of taking the time to develop a risk management plan are clear—a better-managed project resulting in a greater likelihood of achieving project expectations in terms of time, cost and quality.

 

Remember, if you fail to manage risk, you are planning to fail!

 

Marc Weinberg is a senior manager with Protiviti Inc. He can be reached via e-mail at marc.weinberg@protiviti.com.


Article from Protiviti KnowledgeLeader – www.knowledgleader.com.

 

KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk, and add value. Free 30-day trials available.

 

 

Protiviti is a leading provider of truly independent internal audit and business and technology risk consulting services. We help clients identify, measure and manage operational and technology-related risks they face within their industries and throughout their systems and processes. And we offer a full spectrum of audit services, technologies and skills for business risk management and the continual transformation of internal audit functions.

 

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.