Review of Lectures 23-29

The first 22 lectures deal with the management functions of staffing, communicating and motivating. The remainder of the lectures deals with selected aspects of control. It is assumed that the student understands methods of cost and schedule control appropriate to the student’s organization. If not, references for self-study are provided in lecture 23. It is critical to understand how to apply the principles of control to different organization types because these principles must be tailored to the organization type and applying them inappropriately results in significant inefficiencies. It is also necessary to understand management accounting, which differs from standard financial accounting, in order to make sound decisions relating to costs of products or services. The three aspects of control discussed in lectures 23-28 relate to processes involved in the day to day work of any organization. These three are risk management, theory of constraints and process improvement.

Risk is the consequence of undesirable events on the work of an organization. Risk is inherent in every type of activity. The objective of risk management is to proactively identify risks and take actions that reduce the probability that an undesirable event occurs and/or reduce the consequence of the event should it occur. Lecture 24 describes a ten-step process for effective risk management and provides templates used in risk management. The primary templates are the risk summary grid, which is useful in the early stages of an activity for communicating risks to managers, customers and the team working the activity and the risk register, which is more useful in day to day management of risks once an activity is underway.

Lecture 25 is a brief overview of the theory of constraints. Understanding the theory of constraints is easier if we think of a process as the combination of supplier, input, process, output and customer, or what is termed SIPOC for the initials of each word. The inputs are transformed to outputs by the process. The activities or processes that any organization performs are a series of SIPOC steps with the outputs of one step being the inputs to the following step. Actual processes are usually complex networks of SIPOC steps but we can understand the theory by examining a simple series of steps. Then it is clear that the output of the overall process cannot occur at a rate any faster than the rate of the slowest step in the process. Applying the theory of constraints should be the first step in process improvement.

Often managers try to keep every worker busy all of the time thinking that is the most efficient way to manage an activity. This can violate the theory of constraints and lead to costly excess work in process and sometimes extra workers to facilitate work in process. It doesn’t matter if the process is a service process dealing with paperwork or a manufacturing process. Applying the theory of constraints minimizes work in process, cycle time and staff size. Some workers may not be busy at all times but this doesn’t lead to extra costs. Rather it creates time for workers to conduct process improvement and opportunities for cross training workers to do more than one step. The student is encouraged to read the referenced books by Eliyahu Goldratt.

Lecture 26 explains that statistical variation is present in the actual values of all parameters relating to an organization’s processes. Measuring this variation and understanding the resulting information is essential to effective management. Managers and workers must know the difference between common cause variation (the manager’s responsibility) and special cause variation (the worker’s responsibility). An activity, the “system” in process improvement language, must be stable, i.e. exhibit only common cause variation, before attempting to improve the process by reducing the variation and/or changing the mean value of a parameter. A system is brought into stability by fixing the special cause variation revealed by data measuring the variation. Control charts are a visual means of evaluating variation to determine common cause and special cause.

Effective process improvement is achieved via several different approaches. Total Quality Management and Six Sigma are two popular approaches proven to be effective. Implementing any effective process improvement approach requires that all or a subset of workers and managers receive comprehensive training in statistical process control. Only after such training should workers, or specially trained facilitators, be empowered to execute process improvement.

Lecture 27 provides guidelines for learning and using statistical methods. Learning to think statistically is discussed and approaches to learning this useful skill are outlined. This lecture also describes two of W. Edwards Deming’s famous experiments and one that I developed that help managers understand variation and how to manage in the presence of variation. The funnel experiment demonstrates dramatically the things that go wrong when inappropriate actions are taken in the presence of variation. The red bead experiment demonstrates how hard workers try to carry out manager’s directions, even when the goals a manager sets are obviously impossible due to the effects of variation. Watching a video of this experiment is an experience beneficial for all managers. It provides vivid demonstration of the “goodness of intent” of most workers and of the damage managers cause via arbitrary, and often unrealistic, slogans and exhortations. The productivity experiment teaches the value of reducing variation.

Lecture 28 concludes the discussion of variation and process improvement by giving some simple examples that illustrate the typical steps in a process improvement activity. Visual tools, including fish bone diagrams, flow charts, work flow diagrams, deployment charts and control charts are described. These examples teach enough of the methodology of statistical process control to enable the student to begin improving simple work processes. It is important for the student to undergo more thorough training before applying statistical methods to complex work processes. Complex processes can have subtleties that are not covered in the simple examples discussed in lecture 28.

Lecture 29 deals with leading the team, which is the main function of an organization’s manager. Developing an effective organization, as described in the first 28 lectures, can be viewed as necessary to free the manager from being so bogged down with problem solving related to personnel or processes that there is no time to lead the organization in achieving its strategic objectives. Key to leading the team is effective planning. Lecture 29 summarizes a planning process called Process Quality Management (PQM) that focuses on the fundamentals of planning. I and many others have found this process effective in helping the manager lead his organization in achieving strategic objectives. PQM facilitates the planning for achieving strategic objectives in a one or two day concentrated session.

There are no exercises for this review session as the last lecture is your most important exercise.

If you find that the pace of blog posts isn’t compatible with the pace you  would like to maintain in studying this material you can buy the book “The Manager’s Guide for Effective Leadership” in hard copy or for Kindle at:

http://www.amazon.com/Managers-Guide-Effective-Leadership-Organizations/dp/1449000673/ref=sr_1_2?ie=UTF8&qid=1346946310&sr=8-2&keywords=Joe+Jenney

or hard copy or for nook at:

http://www.barnesandnoble.com/s/Joe-Jenney?keyword=Joe+Jenney&store=book

or hard copy or E-book at:

http://bookstore.authorhouse.com/Products/SKU-000269270/The-Managers-Guide-for-Effective-Leadership.aspx

24 C The Risk Burn Down Chart

A spreadsheet similar to the risk register can be developed to manage risks and manage the budgets associated with risk management on large and long duration projects. It isn’t possible to avoid all arbitrariness in forecasting the risk management budget but it is possible to provide good management visibility into the process. One approach is as follows: (This description is a bit tedious so look ahead at figures 10 and 11. If the process is obvious to you from the figures skip the text. If not then just wade through the description. It may help to drawn out the spreadsheet as you read the description.)

•           Develop a spreadsheet with time, e.g. months, in the first column and the known risks in the first row of adjoining columns. The planned mitigation expense estimate as a function of time for each risk is added in the rows for each known risk. Summing the entries in each row across columns results in the estimated mitigation expense for all risk mitigation activities for that time period. As new risks are identified they are added in the first row of new columns and mitigation budgets are added in appropriate time rows in the new columns.

•           Develop a second spreadsheet with the following columns

o          Time line, e.g. month number from beginning of the project or actual dates

o          Planned Mitigation Expense per time period to be spent on risk mitigation for known risks, i.e. the cumulative value of the row for that time period from the first spreadsheet

o          Cumulative Planned Mitigation Expenses, i.e. the cumulative cost estimates for mitigation activities for the risks known at the time the plan is developed.

•           Recognize that as the project progresses new risks will appear as decisions are made and additional risk management budget is needed to mitigate these new risks. Therefore add the following columns to the spreadsheet.

o          Adjusted Cumulative Mitigation Budget; the planned expenses plus an adjustment, e.g. an arbitrary percentage, to mitigate unknown risks that will arise during the project.

o          Actual Mitigation Expenses for each time period.

o          Cumulative Actual Mitigation Expense

It may be helpful at this point to show a chart resulting from an example of the process described so far. Figure 10 is a chart for a large project in which the mitigation budget is nearly $40 million dollars. In this example the initially identified risks were planned to be mitigated with just over $30 million. The arbitrary adjustments for unknown risks increased the budget to nearly $40 million and the actual expenses at the end of a year were just below the adjusted budget. For situations where the budget for risk mitigation is released incrementally or for a large project that continues for several more years having data such as this chart provides the project managers sound arguments to defend their requests for risk mitigation budgets.

  Figure 10 An example of risk mitigation budget and expense resulting from the example approach.

The mitigation budget and expense are only half of the story. Risk is the rest of the story so now let’s return to the example approach:

•           At the beginning of a project sum up the expected values of all risks on the risk register. This cumulative risk value is the amount of over budget expense that is likely if initially known risks are not mitigated before they impact the project. Add a column to the second spreadsheet for this Cumulative Risk Value before Mitigation.

•           Add a risk value adjustment factor for each time period to cover unknown risks that will arise and add a new column to the second spreadsheet for the Adjusted Cumulative Risk Value before Mitigation. These “adjusted” values represent the best estimate of how both identified and new risks will be mitigated throughout the project

•           As the project continues, new risks are added and all risks are mitigated so that a Cumulative Risk Value after Mitigation can be added to the spreadsheet. Now there is sufficient data to construct a Risk Burn Down Chart which shows how the risk value is reduced over time by the risk mitigation work.

An example of a risk burn down chart is shown in figure 11. In this example the adjusted and actual cumulative risk values track each other reasonably well. If the manager of this project needed additional risk management funding in the middle of the project then showing this chart to the funding authority would provide excellent justification for the needed funds. If the planned and actual risk mitigation expenses also tracked each other well, as in the example shown in figure 10, then the funding authority should have good confidence in the management team.

 Figure 11 An example risk burn down chart for a large project with high initial risk.

The charts resulting from the approach outlined above are useful for showing those responsible for funding projects the most likely project expense if risk mitigation is effectively conducted and the likely budget impacts if risks are not proactively mitigated. In the example shown the likely budget impact if risks are not mitigated is over $400 million. This budget impact is reduced to about $23 million by an expenditure of about $38 million for a total impact of about $63 million compared to over $400 million.

The percentage adjustments risks that will be identified during a project are necessarily arbitrary but can be adjusted during the project if the actual expected risk value line deviates substantially from the adjusted expected value line.

In summary, spending a small amount of money in proactively mitigating risks is far better than waiting until the undesirable event occurs and then having to spend a large amount of money fixing the consequences. Remember that risk management is proactive (problem prevention) and not reactive. Also risk management is NOT an action item list for current problems. Finally, risk management is an on-going activity. Do not prepare risk summary grids or risk registers and then put them in a file as though that completes the risk management process, a mistake inexperienced managers make too often.

Exercise

1. Spend some quiet time thinking about what the worst possible thing your competitors could do that would negatively impact your organization in the short and long terms. If you have already done this and have mitigation plans in place or on the shelf you are a mature risk manager. If not, you have some homework to do.

2. Handling anything your competitors do or responding to the loss of your most important customer are the easy ones. Now imagine that your organization is stable, progressing well on improving effectiveness, trust in management is growing, enthusiasm is growing and then your superiors tell you to lay off 10% of your people in order to increase enterprise profits for the year. You know this is going to demoralize the organization for some time and erode trust in the benefits of working to improve the organization. How do you respond to your people and to your superiors? There is no easy answer to this question but in today’s environment it is not an unlikely occurrence and you should be prepared for it.

2. Does your organization have a standard risk management process in place? If so then go on the next lecture. If not then think through a plan to put a standard process in place and train workers to use it. This can be a commercial process or a process you or your workers develop. You can implement it via formal training or on an incremental basis. The important thing is having a process and using it religiously.

If you find that the pace of blog posts isn’t compatible with the pace you  would like to maintain in studying this material you can buy the book “The Manager’s Guide for Effective Leadership” in hard copy or for Kindle at:

http://www.amazon.com/Managers-Guide-Effective-Leadership-Organizations/dp/1449000673/ref=sr_1_2?ie=UTF8&qid=1346946310&sr=8-2&keywords=Joe+Jenney

or hard copy or for nook at:

http://www.barnesandnoble.com/s/Joe-Jenney?keyword=Joe+Jenney&store=book

or hard copy or E-book at:

http://bookstore.authorhouse.com/Products/SKU-000269270/The-Managers-Guide-for-Effective-Leadership.aspx

24 B The Risk Register

The risk register ranks risks by the dollar value of each risk according to the operational definition of risk given earlier. Constructing the risk register on a spreadsheet allows risks to be sorted by dollar value so that the highest risks are always on top of the list. The risk register also facilitates keeping all risks in the same data base even though management actions may be active on only the top five or ten at any time. When a high risk is mitigated the expected dollar value of the risk is reduced and it falls out of the top five or ten but is still on the list. This enables reviewing mitigated risks to ensure they remain mitigated or to readdress a risk at a later time when all the higher risks have been mitigated to even lower values. An example of a simple risk register constructed on a spread sheet is shown in figure 9.

Figure 9.  An example template of a risk register constructed in columns on a spread sheet.

The risk type and impact if risk occurs are usually described as “if”, “then” statements. This helps the management team remember specifically what each risk entails as they conduct reviews over the life of the activity. Expected values are expressed in dollars, which facilitates both ranking and decisions about how much resources should be assigned to mitigation activities. I am assuming of course that in managing activities in your organization it is the practice to hold some fraction of the budget in reserve to handle unforeseen events. It is this reserve budget that is assigned to risk mitigation activities. Risk mitigation actions should be budgeted and scheduled as part on on-going work. A failure many inexperienced managers make is handling risks outside of the mainline budget and schedule. This undisciplined approach often leads to risk management degenerating into an action item list and finally to a reactive approach to unexpected events rather that a proactive approach to reduce the risks systematically.

A more complete risk register template than the example shown in figure 9 might contain columns for the risk number, title, description (if), impact (then), types (three columns: cost, schedule, quality or technical), probability of occurrence, cost impact, schedule impact, mitigation plan and mitigation schedule. The form of the risk register template is not critical so the team managing the risks should construct a template that contains the information they feel they need to effectively manage risks.

The risk register, if properly maintained and managed, is a sufficient tool for risk management on small and short duration projects. Setting aside an arbitrary management reserve budget to manage risks is ok for small projects. Portions of the reserve are allocated to mitigation of risks and the budgets and expenses for risk mitigation can be folded into the overall cost management system. Large, long duration projects or high value projects warrant a more focused approach to budgeting for risk management.

If you find that the pace of blog posts isn’t compatible with the pace you  would like to maintain in studying this material you can buy the book “The Manager’s Guide for Effective Leadership” in hard copy or for Kindle at:

http://www.amazon.com/Managers-Guide-Effective-Leadership-Organizations/dp/1449000673/ref=sr_1_2?ie=UTF8&qid=1346946310&sr=8-2&keywords=Joe+Jenney

or hard copy or for nook at:

http://www.barnesandnoble.com/s/Joe-Jenney?keyword=Joe+Jenney&store=book

or hard copy or E-book at:

http://bookstore.authorhouse.com/Products/SKU-000269270/The-Managers-Guide-for-Effective-Leadership.aspx

24 A Introduction to Risk Management

The following three lectures define risk, outline a risk management process and provide examples of templates useful for risk management.

Risk is the consequence of things happening that negatively impact the performance of an organization’s planned activities. Risks arise from events that occur inside and outside an organization. The consequence of the event can impact the quality, cost or schedule of an activity, or some combination of these effects. There is risk in any activity but there are usually more risks associated with activities that are new to the organization. New activities include the introduction of new products or services or changes to the processes, people, materials or machines used to produce existing products or services. Risks to stable products and services arise from unplanned changes to the internal environment or changes in the external environment, such as the economy, costs of materials, labor market, customer preferences or actions by a competitor, a regulating body or a government agency. An effective manager faces up to risks and manages risks so that the negative impacts are minimized.

Definition of Risk

There is an operational definition of risk that aids in managing risk. This definition is:

Risk R is The Probability p of an Undesirable Event Occurring; Multiplied by The Consequence of the Event Occurrence measured in $, or R=p x $.

This definition allows risks to be quantified and ranked in relative importance so that the manager knows which risks to address first and to evaluate how much investment is reasonable to eliminate or reduce the consequence of the risk. The definition measures risk in dollars. Thus impacts to the quality of a product or service or to the schedule of delivering the product or service are converted to costs. Impacts to quality are converted to dollar costs via estimated warranty costs, cost of the anticipated loss of customers or loss of revenue due to anticipated levels of discounting prices. Schedule delays are converted to dollar costs by estimating the extra costs of labor during the delays and/or the loss of revenue due to lost sales caused by the schedule delays.

The key to good risk management is to address the highest risk first. There are three reasons to address the highest risk first. First is that mitigating a high risk can result in changes to plans, designs, approaches or other major elements in an activity. The earlier these changes are implemented the lower the cost of the overall activity because money and people resources are not wasted on work that has to be redone later. The second reason is that some activities may fail due to the impossibility of mitigating an inherent risk. The earlier this is determined the fewer resources are spent on the failed activity thus preserving resource for other activities. The third reason is that any activity is continually competing for resources with other activities. An activity that has mitigated its biggest risks has a better chance of competing for continued resource allocation than an activity that has gone on for some time and still has high risks.

Managing Risk

Managing risk is accomplished by taking actions before risks occur rather than reacting to occurrences of undesirable events. The steps in effective risk management are:

1.     Listing the most important requirements that the activity must meet to satisfy its customer(s). These are called Cardinal Requirements

2.     Identifying every risk to an activity that might occur that would have significant consequence to meeting each of the Cardinal Requirements

3.     Estimating the probability of occurrence of each risk and its consequences in terms of dollars

4.     Ranking the risks by the magnitude of the product of the probability and dollar consequence (i.e. by the definition of risk given above)

5.     Identifying proactive actions that can lower the probability of occurrence and/or the cost of occurrence of the top five or ten risks

6.     Selecting among the identified actions for those that are cost effective

7.     Assigning resources (funds and people) to the selected actions

8.     Managing the selected action until its associated risk is mitigated

9.     Identifying any new risks resulting from mitigation activities

10.  Replace mitigated risks with lower ranking or new risks as each is mitigated

11.  Conduct regular (weekly or biweekly) risk management reviews to:

·       Status risk mitigation actions

·       Brainstorm for new risks

·       Review that mitigated risks stay mitigated

In identifying risks it is important to involve as many people that are related to the activity as possible. This means people from senior management, your organization, other participating organizations and supporting organizations. Senior managers see risks that workers do not and workers see risks that managers don’t recognize. It is helpful to use a list of potential sources of risk in order to guide people’s thinking to be comprehensive. Your list might look like that shown in figure 7.

Figure 7 An example template for helping identify possible sources of risk to the customer’s cardinal requirements.

It also helps ensure completeness of understanding risks if each risk is classified as a technical, cost or schedule risk or a combination of these categories.

Risk Summary Grid and Risk Register

Two useful templates used in risk management are the risk summary grid and the risk register. The risk summary grid is a listing of the top ranked risks on a grid of probability vs. impact. The risk summary gird is excellent for showing all top risks on a single graphic and grouping the risks as low, medium or high. Typical grids are 3 x 3 or 5 x 5. An example 5 x 5 template is shown in figure 8.

Figure 8 An example of a 5 x 5 risk summary grid

The 5 x 5 risk summary grid enables risks to be classified as low, medium or high; typically color coded green, yellow and red respectively, and ranked in order of importance. Note that the definitions for low and medium are not standard. The definition used in figure 8 is conservative in limiting low risk to the six squares in the lower left of the grid. Others, e.g. the Risk Management Guide for DOD Acquisition (An excellent tutorial on risk management that is available as a free download at http://www.dau.mil/pubs/gdbks/risk_management.asp) define the entire first column plus six other lower left squares as low risk.

Relative importance is the product of probability and impact. Identified risks are assigned to a square according to the estimates of their probability of occurrence and impact to the overall activity. In figure 8 there is one medium risk, shown by the x in the square with a probability 0.3, impact 7 and therefore having a relative importance of 2.1. The numbers shown for impact are arbitrary and must be defined appropriate to the activity for which risk is being managed.

A typical approach is to construct a four column by six row table with Impact being the heading of the first column and the numbers 1,3,5,7,9 (or whatever five numbers or letters you choose) in each succeeding row of the first column. The remaining three columns are labeled Technical, Schedule and Cost. Each box in the rows under the Technical, Schedule and Cost headings is defined appropriately for the activity at risk. For example, costs could be defined as either percentage of budget or in actual monetary units. Similarly schedule can be defined as percent slip or actual time slip.

The process using a 3 x 3 risk summary grid typically assigns risks as 0.1, 0.3 or 0.9 and impacts as 1, 3 or 9. There are three squares for each of the low, medium and high risk classifications with relative importance values ranging from 0.1 to 8.1 according to the products of probability and impact. Specific processes or numerical values are not important. What is important is having a process that allows workers and managers to assess and rank risks and to communicate these risks to each other, and in some cases to customers. The simple risk summary grids are useful tools for accomplishing these objectives and are most useful in the early stages of the life cycle of an activity and for communicating an overall picture of risks. The risk summary grid can be used as a tool in risk management meetings but a better tool is the risk register discussed in the next lecture.

If you find that the pace of blog posts isn’t compatible with the pace you  would like to maintain in studying this material you can buy the book “The Manager’s Guide for Effective Leadership” in hard copy or for Kindle at:

http://www.amazon.com/Managers-Guide-Effective-Leadership-Organizations/dp/1449000673/ref=sr_1_2?ie=UTF8&qid=1346946310&sr=8-2&keywords=Joe+Jenney

or hard copy or for nook at:

http://www.barnesandnoble.com/s/Joe-Jenney?keyword=Joe+Jenney&store=book

or hard copy or E-book at:

http://bookstore.authorhouse.com/Products/SKU-000269270/The-Managers-Guide-for-Effective-Leadership.aspx

23 B Risk Management, Theory of Constraints and Process Improvement

I include risk management in this course because poor risk management is the second highest contributor to failure in projects or in major changes in operations for manufacturing and service organizations. (Don’t forget that team dynamics is the primary contributor to failure in such activities.) A second reason for including risk management is that inexperienced managers are the ones that typically ignore risk management or just give it lip service. If you are going to be an effective leader you must understand and practice sound risk management. Risk management is the topic of the following lecture.

I include theory of constraints because it is often left out of treatments of control and in some traditional approaches to manufacturing this failure leads to promoting techniques that are inappropriate and cause inefficiencies. The lecture following risk management is an introduction to theory of constraints and I hope it leads the student to further study of this important topic.

The remainder of this course addresses that portion of control that deals with what is typically called process improvement or quality improvement. The objective of the process improvement part of control is to assess work processes and to make continuous improvements to these processes so that employees’ jobs are easier and more cost efficient due to fewer and fewer quality problems and to reduced use of resources; including labor, materials and maintenance.

There are many versions of process improvement in use. Six Sigma and total quality management (TQM) are two popular versions. Kaizan is a Japanese term for continuous improvement and many organizations use this term to describe their process improvement work. Sometimes Kaizan is used to simplify processes without gathering data and some quality gurus are critical of non-data driven process improvement. Another term used by manufacturing organizations is Lean. Lean is using a set of tools or methods that improves manufacturing processes by eliminating waste and errors. Some organizations combine Lean and Six Sigma into Lean Six Sigma. Whereas both Six Sigma and TQM are proven to be effective I favor TQM, or data driven Kaizen if you prefer the Japanese term. Let me give short descriptions of the two approaches and then discuss the reasons I favor TQM.

Six Sigma thoroughly trains a small number of people and then empowers these trained specialists to work with other workers and managers to improve processes throughout the enterprise. These specialists get titles according to the amount of training they have received, e.g. those with extensive training are usually called black belts or master black belts. An experienced manager is selected to manage the specialists and their process improvement activities. Other managers are given overview training so that they know what to expect and what is expected of them.

In the version of TQM that I have practiced all employees in the enterprise, workers and managers, receive about 50 hours of basic training in process improvement techniques. A very few receive additional training in special techniques and serve as a resource to all the workers and managers. After training, all workers and managers are empowered to work on process improvement of the processes they own, i.e. the processes they use in their day to day work. There is a coordinator to authorize teams and facilitate access to any data needed by the teams or to the specialists that provide analysis beyond the capabilities of the team. The authorization is necessary to prevent workers from getting involved in several teams at once and impacting productivity by spending too much time on process improvement at the expense of process execution.

Either of these approaches is effective and if your enterprise is already involved in one of these or a related approach then stick with it. If your enterprise is not yet involved in process improvement then I strongly recommend the TQM approach. The advantage of TQM is that it empowers every employee to control processes they own. This empowerment results in two benefits compared to approaches like Six Sigma that empower only a few specially trained personnel. First, empowering employees to have control over their own processes is highly motivating. It is one of the things required for employees to reach Maslow’s highest level of needs fulfillment, i.e. self-actualization. Second, employees at any level know more about the processes they own than their supervisors, or any specialist, because they are more intimately involved with the processes. They feel, smell, hear and experience details of their process that supervisors or specialists do not experience. They are better at recognizing what aspects of their processes need improvement first, second and so on. They are also better at developing improvement approaches because often they have been thinking about better ways to do their job for a long time. They are inclined to look for improvements that make their job easier as well as more cost effective.

The disadvantages of the Six Sigma type approaches from my experience are that sometimes the workers resent outside experts coming to change their work processes and the outside experts aren’t as familiar with the work processes as are the employees that own the processes. I have observed that the process owners tend to create simple and effective improvements whereas the highly trained experts tend to go for elegant and expensive improvements, but not necessarily any better improvements. Another disadvantage is that the experts attack the most important processes first and work their way through enterprise processes a few at a time, depending on how many experts there are. With TQM all processes are subject to attention at any time. The process owners naturally prioritize processes they own but even simple processes get attention that are unlikely to be addressed in a Six Sigma approach until all higher priority processes have been addressed.

An apparent disadvantage of TQM is that all employees must be trained and therefore the training costs tend to be higher than for Six Sigma, assuming only a few employees are given the full Six Sigma training. I believe this extra cost is more than offset by the more comprehensive attack on process improvement that TQM achieves and from the increase in employee motivation that results from empowering employees to have control over their own processes. TQM also requires a more careful introduction to empowering employees after they have been trained. There must be boundaries to the empowerment and these boundaries must be carefully communicated to the employees as they are empowered. Otherwise employees adapt their individual definitions of empowerment and some naturally expand the boundaries beyond what is acceptable in an efficient enterprise that is under control. Obvious examples of items employees are not empowered to change include recipes, standards and accounting rules; changes of which must be handled very carefully and usually with management involvement.

Exercise

This is an introductory lecture and no exercise is required unless the student is unfamiliar with text book methods of control for manufacturing, projects and service organizations and with the differences between financial accounting and management accounting. If you aren’t familiar with these methods of control and cost management then take the time now to learn the basics. It is important to effective process improvement that changes to processes do not violate sound basic principles. It may be frustrating to put this course on hold while you study other subjects for several weeks but it is beneficial in the long term. If you are familiar with these basics then go on to the next lecture.

If you find that the pace of blog posts isn’t compatible with the pace you  would like to maintain in studying this material you can buy the book “The Manager’s Guide for Effective Leadership” at:

http://www.amazon.com/Managers-Guide-Effective-Leadership-Organizations/dp/1449000673/ref=sr_1_2?ie=UTF8&qid=1346946310&sr=8-2&keywords=Joe+Jenney

or hard copy or for nook at:

http://www.barnesandnoble.com/s/Joe-Jenney?keyword=Joe+Jenney&store=book

or hard copy or E-book at:

http://bookstore.authorhouse.com/Products/SKU-000269270/The-Managers-Guide-for-Effective-Leadership.aspx

Two More Risk Reduction Tools

10.3.2 Risk Register - The risk summary grid can be used as a tool in the development team’s risk management meetings but a better tool is the risk register. The risk register ranks risks by the expected dollar value of each risk according to the operational definition of risk given earlier. Constructing the risk register on a spreadsheet allows risks to be sorted by dollar value so that the highest risks are always on top of the list. The risk register also facilitates keeping all risks in the same data base even though management actions may be active on only the top five or ten at any time. When a high risk is mitigated the expected dollar value of the risk is reduced and it falls out of the top five or ten but is still on the list. This enables reviewing mitigated risks to ensure they remain mitigated or to readdress a risk at a later time when all the higher risks have been mitigated to even lower values. An example of a simple risk register with three risks constructed on a spread sheet is shown in Figure 10-8.

Figure 10-8 An example of a risk register constructed in columns on a spread sheet.

The risk type and impact if risk occurs are usually described as “if”, “then” statements as in Figure 10-8. This helps the management team remember specifically what each risk entails as they conduct reviews over the life of the activity. Expected values are expressed in dollars, which facilitates both ranking and decisions about how much resources should be assigned to mitigation activities. Assuming of course that in managing activities in the development organization it is the practice to hold some fraction of the budget in reserve to handle unforeseen events. Funds from this reserve budget are assigned to risk mitigation activities. Risk mitigation actions should be budgeted and scheduled as part on on-going work. A failure many inexperienced managers make is handling risks outside of the mainline budget and schedule. This undisciplined approach often leads to risk management degenerating into an action item list and finally to a reactive approach to unexpected events rather that a proactive approach to reduce the risks systematically.

A more complete risk register template than the example shown in Figure 10-8 might contain columns for the risk number, title, description (if), impact (then), types (three columns: cost, schedule, quality or technical), probability of occurrence, cost impact, schedule impact, mitigation plan and mitigation schedule. The form of the risk register template is not critical so the team managing the risks should construct a template that contains the information they feel they need to effectively manage risks.

The risk register, if properly maintained and managed, is a sufficient tool for risk management on small and short duration projects. Setting aside an arbitrary management reserve budget to manage risks is ok for small projects. Portions of the reserve are allocated to mitigation of risks and the budgets and expenses for risk mitigation can be folded into the overall cost management system. Large, long duration projects or high value projects warrant a more focused approach to budgeting for risk management. These management actions do not usually involve systems engineering but systems engineers should be aware of the methods used for management of risk reduction budgets.

In summary, spending a small amount of money in proactively mitigating risks is far better than waiting until the undesirable event occurs and then having to spend a large amount of money fixing the consequences. Remember that risk management is proactive (problem prevention) and not reactive. Also risk management is NOT an action item list for current problems. Finally, risk management is an on-going activity. Do not prepare risk summary grids or risk registers and then put them in a file as though that completes the risk management process, a mistake inexperienced managers make too often.

10.4 Design Iterations Reduce Risk

Design iterations are planned “build, test and learn” activities for high risk parts of the system; parts that are small enough to build, test and assess rapidly. Examples best illustrate the concept of using design iterations to reduce risk:

• Engineering builds and tests two types of breadboard circuits to get data needed for a subsystem specification, trade studies and subsequent detailed design
• Manufacturing pilots a new production process during architecture definition and uncovers yield problem early
• Analysts simulate three candidate signal processing algorithms during concept development and recommend the best
• Software implements and tests high risk parts of three alternative approaches for system control software during requirements analysis.

Design iteration is not a fire fighting technique; it is a methodical risk reduction methodology. Design iteration is not “build the entire system, test it and fix it if it doesn’t work” approach; in fact it is intended to avoid falling into such an unproductive approach. Note that “spiral development”, described earlier, is system level risk reduction methodology. Design iterations can be thought of as a methodology that supports implementing progressive freeze.

Recall the message in Figure 6-32 that the cost of making design changes is low in the early stages of a system development when there are many degrees of freedom and becomes higher as the development progresses and there are fewer and fewer degrees of freedom. Thus design iterations are cost effective for many high risk items in the early stages of a development. It’s ok to have many short cycle iterations in parallel in early phases and it’s ok to “throw away” some results as the team learns and lowers risk.

Constructing a Risk Summary Grid

10.3 Tools for Risk Management

Standard tools for risk management include risk matrices; also called risk summary grids, and risk registers. There are also tables of definitions and guidelines that aid in using the matrices and registers. A methodology useful for reducing risk through proactive and planned build and test steps is called design iteration. These tools and design iteration are described in this chapter. Other tools aiding or supporting the identification of risks include fault trees, worst case analysis and failure modes analysis. Risk burn down charts that display how the total expected value of all identified risks is reduced with time as mitigation actions are completed are useful in monitoring the overall progress of risk mitigation and the effectiveness of budgeting for risk management.^10-1 

10.3.1 Risk Summary Grid - The risk summary grid is a listing of the top ranked risks on a grid of probability vs. impact. The risk summary gird is excellent for showing all top risks on a single graphic and grouping the risks as low, medium or high. Typical grids are 3 x 3 or 5 x 5. An example 5 x 5 template is shown in Figure 10-2.

 Figure 10-2 One example of a 5 x 5 risk summary grid template

The 5 x 5 risk summary grid enables risks to be classified as low, medium or high; typically color coded green, yellow and red respectively, and ranked in order of importance. Relative importance is the product of probability and impact. Note that the definitions for low and medium are not standard. The definition used in Figure 10-2 is conservative in limiting low risk to the five squares in the lower left of the grid with risk values of 0.5 or less. Medium risks have values of 0.7 to 3.5 and high risks have values from 4.5 to 8.1. Others, e.g. the Risk Management Guide for DOD Acquisition^10-2 (An excellent tutorial on risk management), define the entire first column plus six other lower left squares as low risk.

Identified risks are assigned to a square according to the estimates of their probability of occurrence and impact to the overall activity. In Figure 10-2 there is one medium risk, shown by the x in the square with a probability 0.5, impact 7 and therefore having a relative importance of 3.5. The numbers shown for impact are arbitrary and must be defined appropriate to the activity for which risk is being managed.

Some risk management processes described on the web use letters rather than numbers to rank risk probability in constructing risk summary grids. The objective is to assign either a probability numbers or letter to each risk. To do this it is necessary to make a judgment of the likelihood that the risk occurs. The table shown in Figure 10-3 provides reasonable guidelines for such judgments. Thus, if the likelihood of an event occurring is judged to be remote then assign the probability of 0.1 or the letter A. If it is highly likely assign 0.7 or D. It may be argued that guidelines are needed for what is remote or likely. Unfortunately this wouldn’t help as there is always some guess work or judgment required. If several members of a team discuss the likelihood then they can probably reach agreement and this is adequate. It is important for the novice to understand that it isn’t essential that the probabilities are exact. The objective is to come close enough to compare the relative probabilities of several events so that the events can be prioritized in relation to their relative risk or relative probability of occurrence.

Figure 10-3 Guidelines for assigning probability numbers or letters to risk based on judgment criteria.

After assigning a probability to a risk it is necessary to make a judgment of the impact of occurrence of the risk. A risk event can cause an unexpected cost or cost increase, a slip in the schedule for achieving some related event or reduce the quality or technical performance of some design requirement. It is also possible for the risk to impact two or even all three of the cost, schedule or quality measures. The table shown in Figure 10-4 provides one set of guidelines for assigning impact numbers 1, 2, 3, 4 or 5 to a risk event.

Figure 10-4 Guidelines for assigning impact numbers to a risk event.

Costs can be defined as either percentage of budget, as shown in Figure 10-4, or in actual monetary units. Similarly schedule can be defined as percent slip, relative slip or actual time slip.

A risk summary grid template using the guidelines provided in Figures 10-3 and 10-4 is shown in Figure 10-5.

Figure 10-5 A less conservative risk summary grid template using the guidelines provided in Figures 10-3 and 10-4.

The process using a 3 x 3 risk summary grid typically assigns probability of risks as 0.1, 0.3 or 0.9 and impacts as 1, 3 or 9. There are three squares for each of the low, medium and high risk classifications with relative importance values ranging from 0.1 to 8.1 according to the products of probability and impact. An example of a 3 x 3 risk summary grid template is shown in Figure 10-6.

Figure 10-6 An example template for a 3 x 3 risk summary grid.

Specific process details or numerical values are not important. What is important is having a process that allows workers and managers to assess and rank risks and to communicate these risks to each other, and in some cases to customers. The simple risk summary grids are useful tools for accomplishing these objectives and are most useful in the early stages of the life cycle of an activity and for communicating an overall picture of risks.

The identified risks are collected in a list and the ten or so with the highest risk values are numbered or given letter identifications. The associated numbers or letters are then displayed in the appropriate square on the risk summary grid. In use the risk values of each square are either not shown in the square or made small so there is room for several risk identifiers in a square. The risk summary grid then provides a quick visual measure of the number of high, medium and low risks. In the early stages of a project it should be expected that there are more risks in the high and medium categories than the low and as risk mitigation progresses the number of high risks are reduced.

Having identified the risks and ranked them the team must decide what to do with risks that are assigned as Low, Medium or High. One set of guidelines is shown in the table provided in Figure 10-7.

Figure 10-7 Example guidelines for actions for each level of risk.

Again, the specific guidelines a team employs is not as important as it is for the team to have agreed upon guidelines appropriate to their work and organization and to follow them.

10-1 The Manager’s Guide for Effective Leadership by Joe Jenney, AuthorHouse, 2009

10-2  Risk Management Guide for DOD Acquisition, Sixth Edition (Version 1.0), Department of Defense, August 2006 http://www.dau.mil/pubs/gdbks/risk_management.asp   

Introduction to Risk and Opportunity Management

Risk is always present; its presence is a fact of nature. Accepting that risk is always present is the first step toward managing risks to reduce the effects of risks. Managing risk is the responsibility of the development program leaders but the mechanics are often delegated to systems engineering. Even if systems engineers are not responsible for maintaining the processes and tools it is essential that they understand the importance of risk management and the methods used for effective risk management. Inattention to risk management is the second highest cause of projects not meeting expectations. Just like other systems engineering processes it takes experience and discipline to conduct effective risk management.

Development programs also have opportunities for improving cost, schedule or system performance. It is important to identify and manage opportunities as well as risks in order to have an effective program. This chapter defines risk, outlines a risk management process that can be used for risk and opportunity management and provides examples of templates and processes useful for risk and opportunity management.

10.1 Risk Definition

Risk is the consequence of things happening that negatively impact the performance of a system development project. Risks arise from events that occur inside and outside the development organization. The consequence of an event can impact the quality, cost or schedule of a system development project, or some combination of these effects. There is risk in any project but there are usually more risks associated with projects that are new to the development organization’s experience. Risks are always present in the development of new products or services or changes to the processes, people, materials or equipment used in the development of products or services. Risks to developing new products and services arise from unplanned changes to the internal environment or changes in the external environment, such as the economy, costs of materials, labor market, customer preferences or actions by a competitor, a regulating body or a government agency. An effective development team faces up to risks and manages risks so that the negative impacts are minimized.

There is an operational definition of risk that aids in managing risk. This definition is:

Risk R is The Probability p of an Undesirable Event Occurring; Multiplied by The Consequence of the Event Occurrence measured in arbitrary units C or dollars $; R=p x C or R=p x $.

This definition allows risks to be quantified and ranked in relative importance so that the development team knows which risks to address first, i.e. the risks with the highest values of R. If the event consequence is measured in dollars then it’s easier to evaluate how much budget is reasonable to assign to eliminate or reduce the consequence of the risk.

The second definition measures risk in units of dollars. Thus impacts to the quality of a product or service or to the schedule of delivering the product or service are converted to costs. Impacts to quality are converted to dollar costs via estimated warranty costs, cost of the anticipated loss of customers or loss of revenue due to anticipated levels of discounting prices. Schedule delays are converted to dollar costs by estimating the extra costs of labor during the delays and/or the loss of revenue due to lost sales caused by the schedule delays.

Opportunities can also be defined operationally by the product of the probability an opportunity for improvement can be realized and the consequence if the opportunity is realized, measured either in arbitrary units or dollars. In the rest of this chapter when risk is addressed the reader should remember that it can be viewed as “risk or opportunity”.

The key to good risk management is to address the highest risk first. There are three reasons to address the highest risk first. First is that mitigating a high risk can result in changes to plans, designs, approaches or other major elements in a project. The earlier these changes are implemented the lower the cost of the overall project because money and people resources are not wasted on work that has to be redone later. The second reason is that some projects may fail due to the impossibility of mitigating an inherent risk. The earlier this is determined the fewer resources are spent on the failed project thus preserving resource for other activities. The third reason is that any project is continually competing for resources with other activities. A project that has mitigated its biggest risks has a better chance of competing for continued resource allocation than activities that still have high risks.

10.2 Managing Risk

Managing risk means carrying out a systematic process for identifying, measuring and mitigating risks. Managing risk is accomplished by taking actions before risks occur rather than reacting to occurrences of undesirable events. The DoD SEF defines four parts to risk management and the NASA SE Handbook defines five top level parts and a seven block flow chart for risk management. It is helpful to decompose these into 11 steps. The 11 steps in effective risk management are:

1.      Listing the most important requirements that the project must meet to satisfy its customer(s). These are called Cardinal Requirements and are identified in requirements analysis or via Quality Function Deployment.

2.      Identifying every risk to a project that might occur that would have significant consequence to meeting each of the Cardinal Requirements

3.      Estimating the probability of occurrence of each risk and its consequences in terms of arbitrary units or dollars

4.      Ranking the risks by the magnitude of the product of the probability and consequence (i.e. by the definition of risk given above)

5.      Identifying proactive actions that can lower the probability of occurrence and/or the cost of occurrence of the top five or ten risks

6.      Selecting among the identified actions for those that are cost effective

7.      Assigning resources (funds and people) to the selected actions and integrating the mitigation plans into the project budget and schedule

8.      Managing the selected action until its associated risk is mitigated

9.      Identifying any new risks resulting from mitigation activities

10.  Replace mitigated risks with lower ranking or new risks as each is mitigated

11.  Conduct regular (weekly or biweekly) risk management reviews to:

·         Status risk mitigation actions

·         Brainstorm for new risks

·         Review that mitigated risks stay mitigated

In identifying risks it is important to involve as many people that are related to the activity as possible. This means people from senior management, the development organization, other participating organizations and supporting organizations. Senior managers see risks that engineers do not and engineers see risks that managers don’t recognize. It is helpful to use a list of potential sources of risk in order to guide people’s thinking to be comprehensive. A list might look like that shown in Figure 10-1.

Figure 10-1 An example template for helping identify possible sources of risk to the customer’s cardinal requirements.

It also helps ensure completeness of understanding risks if each risk is classified as a technical, cost or schedule risk or a combination of these categories.