RMRP 2002-02, Version 1.0

Risk Management Maturity Level Development

April 2002

Risk Management Research and Development Program Collaboration

[Formal Collaboration: INCOSE Risk Management Working Group; Project Management Institute Risk Management Specific Interest Group; UK Association for Project Management Risk Specific Interest Group]

Table of Contents

Abstract
Major Contributors
1.0 Introduction
2.0 The Risk Management Maturity Model
3.0 The Risk Management Maturity Model Framework
    Level 1 Ad Hoc
    Level 2 Initial
    Level 3 Repeatable
    Level 4 Managed
4.0 Determining Organizational Maturity Level
5.0 Progressing Between Maturity Levels
    Level 1 to Level 2
    Level 2 to Level 3
    Level 3 to Level 4
    Maintaining Level 4
6.0 Conclusions
References
Appendix 1 Risk Management Maturity Model Checklist
Appendix 2 EIA/IS 731
Appendix 3 Basic Risk Attitudes

Abstract

Organizations wishing to implement a formal approach to risk management, or to improve their existing approach, need a framework against which to benchmark their current Risk Management practice. Best Practice benchmarks are usually defined in terms of maturity, normally reflecting increasing levels of sophistication together with other features. This report describes a Risk Management Maturity Model (RMMM) with four levels of capability maturity, each linked to specific attributes. Organizations and projects can use this model to assess their current level of Risk Management capability maturity, identify realistic targets for improvement, and produce action plans for developing or enhancing their Risk Management capability maturity level. This is a very simplified maturity model, designed to quickly target weaknesses but NOT to be so formal that it would become a constraint or overly invasive. The developers decided that an assessment of Risk Management capability did not require that much formality. If someone felt such formality was required, they could use the full EIA/IS 731 assessment process or the CMMI assessment process. All we advocate and present here is a simple assessment tool that helps organizations understand the maturity and possible shortcomings of their risk management process.

Major Contributors

Roger Graves, Davion Systems Ltd [rgraves@davion.com]
Dr. Stephen Grey, Broadleaf Capital [grey@broadleaf.com.au]
Scott Gunderson, TriQuint Semiconductor [sgunderson@tqs.com]
David C. Hall, SRS Information Services [dhall5@earthlink.net]
Dr. David Hillson, PM Professional [dhillson@pmprofessional.com]
Dr. David Hulett, Hulett & Associates [info@projectrisk.com]
Robert Jones, Robert Jones Associates [RJonesAssn@aol.com]
Ron Kohl, Titan Systems [ron.kohl@titan.com]
Steve Waddell, Naptheon [waddell_js@naptheon.com]

Additional Reviewers

Note that inclusion on this list does not imply agreement with the contents of this report.

Bruce Chadbourne
Ted Hammer
Paul Callender
David Jacobs
Ralph Simon
Etienne Bossard
Craig Peterson
Ron Siddaway
Elmar Kutsch
Christopher Boedicker
Sandee Whitmoyer

1.0 Introduction

The PMBOK® Guide 2000 Edition defines Project Risk Management as the systematic process of identifying, analyzing, and responding to project risk. Successful projects have dealt effectively with all types of risk [1], maximizing benefits while minimizing uncertainty. This Program is developing guidelines and standards to define Suggested Practices [2] for effective Risk Management. Risk Management within organizations and individual projects has developed into an accepted discipline, with its own language, techniques, procedures and tools. The value of a proactive, formal, structured approach to managing risks and uncertainty is widely recognized, and many organizations are seeking to introduce risk management into their organizational and project processes in order to gain the potential benefits.

Despite this increasing consensus on the value of risk management, effective implementations of risk management processes into organizations and projects are not common. Those who have tried to integrate risk management into their business processes have reported differing degrees of success, and some have given up the attempt without achieving the potential benefits. In many of these uncompleted cases, it appears that expectations were unrealistic, and there was no clear vision of what implementation would involve or how it should be managed. Organizations attempting to implement a formal structured approach to risk management need to treat the implementation itself as a project, requiring clear objectives and success criteria, proper planning and resourcing, and effective monitoring and control. In order to define the goals, specify the process and manage progress, it is necessary to have a clear view of the organization's current approach to risk, as well as a definition of the intended destination. The organization must be able to benchmark its present maturity and capability in managing risk, using a generally accepted framework to assess current levels objectively and assist in defining progress towards increased maturity.

There is currently a broad consensus on the fundamentals and potential benefits of project risk management when it is conducted within a mature and effective process and supported by a comprehensive infrastructure. The core elements of project risk management are known and used, and many organizations are noting the benefits of implementing risk processes within their projects and wider business. However, there are a number of areas where risk management needs to develop in order to build on the foundation that currently exists. One of the most important of these is the ability to measure effectiveness in managing risk.

This report describes a Risk Management Maturity Model (RMMM) with four levels of process maturity, each linked to specific attributes, that provides a methodology allowing an organization to determine whether or not its risk processes are adequate for the organization [3], identify realistic targets for improvement, and produce action plans for developing or enhancing their Risk Management process maturity level. This is a very simplified maturity model, designed to quickly target weaknesses but NOT to be so formal that it would become a constraint or overly invasive. The developers decided that an assessment of organizational and project Risk Management processes did not require much formality. If an organization believed that such formality was required, it can use the full EIA/IS 731 assessment process (see appendix 1) or the CMMI assessment process. This model provides some measures to enable an organization to compare its risk management process with Suggested Practice, and an accepted benchmark for determining your organizational risk management process maturity level. Note that much of the model is based on the initial work accomplished by Dr. David Hillson as detailed in references 1 and 2.

[1] See Program Report URP-001, Universal Risk Project Final Report.
[2] We use the term suggested practices rather than best practices since all organizations, projects and operations have differing requirements and, for risk management, one size does not fit all. Considerable tailoring may have to be accomplished in most or all of the procedures and techniques described here.
[3] Note that there can be (and usually are) differing issues between an organization and an individual project (attribution of the importance of a risk occurring is normally the one most seen). This fact needs to be taken into account in using the model. One must first decide whether to determine the organization's risk management maturity level or a specific project's risk management maturity level.

2.0 The Risk Management Maturity Model (RMMM)

The concept of maturity models is well developed and accepted. The Software Engineering Institute (SEI) at Carnegie-Mellon University has developed a Capability Maturity Model (CMM) for Software organizations and one (CMMI) for Systems Engineering organizations [4]. These models define five levels of increasing capability and maturity, termed Initial (Level 1), Repeatable (Level 2), Defined (Level 3), Managed (Level 4) and Optimizing (Level 5). Each level is clearly characterized and defined, enabling organizations to assess themselves against an agreed scale. Having discovered its CMM level, an organization can then set clear targets for improvement, aiming towards the next level of capability and maturity.

Although the SEI CMMI is becoming well established, its application is limited by its overall invasiveness. To fully apply the CMMI model (which contains a risk management maturity model) requires significant amounts of resources and integration within the overall Systems Engineering process. The RMMM outlined in this report focuses on Risk Management specifically and provides a less formal methodology that can be accomplished much more easily than a formal CMMI assessment. It is more of a generic risk-focused maturity model that attempts to be of assistance to organizations wishing to implement formal risk processes or improve their existing approach. It should be applicable to all types of projects and all types of organizations in any industry, government or commercial sector.

The RMMM is designed as a diagnostic tool instead of a prescriptive model for implementation. The authors recommend that organizations use either EIA/IS-731.1 or CMMI SE/SW for a formal administrative system if one is desired. The RMMM includes four levels to measure maturity, which compare to other model levels as shown in the following table:

[4] www.sei.cmu.edu/cmmi

Table 1. Comparison of Maturity Model Levels

Level   RMMM         CMMI SE/SW               EIA/IS-731.1
0       Ad Hoc       Incomplete               Initial
1       Initial      Performed                Performed
2       Repeatable   Managed                  Managed
3       Repeatable   Defined                  Defined
4       Managed      Managed quantitatively   Measured
5       Managed      Optimizing               Optimizing

The RMMM offers a framework to allow an organization to benchmark its approach to risk management against four standard levels of maturity, and outlines the activities necessary to move to the next level. The Risk Management Maturity Model (RMMM) described here provides clear guidance to organizations wishing to develop or improve their approach to risk management, allowing them to assess their current level of maturity, identify realistic targets for improvement, and develop action plans for increasing their risk maturity. The four RMMM levels are outlined, followed by guidelines to allow diagnosis of the current level. Suggested strategies for developing towards the next level of maturity are then discussed.

3.0 The Risk Management Maturity Model Framework

The maturity of an organization's Risk Management processes can be categorized into groups that range from those who have no formal process to organizations where risk management is fully integrated into all aspects of the organization. In order to reflect this, the Risk Management Maturity Model (RMMM) described in this report provides four standard levels of risk management maturity (Figure 1). As with all models, it is expected that some organizations may not fit neatly into these categories, but the RMMM levels are defined sufficiently differently to accommodate most organizations unambiguously.
It was felt that to have more than four levels would increase ambiguity without giving any additional refinement to the model.

Figure 1: The Four Levels of Risk Management Maturity (Level 1: Ad Hoc; Level 2: Initial; Level 3: Repeatable; Level 4: Managed)

The RMMM levels are described as follows:

Level 1 – Ad Hoc (Worship The Hero)

At the Ad Hoc Level, the organization is unaware of the need for risk management and has no structured approach to dealing with uncertainty, resulting in a series of crises for each project [5] or operation. Management and engineering processes, if they exist, are repetitive and reactive, with little or no attempt to learn from past projects or to prepare for future uncertainties. No attempt is made to identify risks to the project or to develop mitigation or contingency plans. The normal method for dealing with problems is to react after a problem occurs, with no proactive thought. During a crisis, projects typically abandon plans and hope for the best. Project success depends on having an exceptional manager and a seasoned and effective team. Occasionally, capable and forceful managers can identify and work to mitigate risks during the project; but when they leave, their influence leaves with them. Even a strong engineering process cannot overcome the instability created by the absence of sound risk management practices.

In spite of this chaotic process of reactive crisis management, Level 1 organizations frequently develop products that work, even though they will normally exceed their original budget and schedule and will not contain all of the originally required functionality. Success in Level 1 organizations depends on the competence and heroics of the people in the organization and cannot be repeated unless the same competent individuals are assigned to the next project. Thus, at Level 1, capability is a characteristic of the individuals, not of the organization.

[5] For this discussion, the term project is defined as a temporary endeavor undertaken to achieve a particular aim for an identified customer. Every project has a definite beginning and a definite end. While projects are similar to operations in that both are performed by people, both are generally constrained by limited resources, and both are planned, executed and controlled, projects differ from operations in that operations are ongoing and repetitive while projects are temporary and unique. Projects are created at all levels of an organization. They may involve a single person or thousands. Their time spans vary greatly. They may involve a single department of one organization or cross organizational boundaries.

Note that the most difficult step in this maturity model is the move from Level 1 to Level 2. This is because of all the management procedures and activities that have to be put in place. It can also be due to the lack of perceived need to change. An Ad Hoc organization may lack any sense or awareness of having a problem. At higher levels of maturity the organizational and project management has better visibility of the uncertainties, and can take any necessary mitigative or contingency actions. This visibility enables management to take such action before something goes wrong, or to have a plan in place when something goes wrong. The difference in maturity levels is also characterized by the ability to accurately identify and proactively deal with uncertainties. As an organization moves up the maturity level ladder, identification of risks becomes more accurate and the mitigation/contingency actions required become clearer.

Level 2 – Initial (Try It Out)

At the Initial Level, organizations are experimenting with the application of risk management, usually through a small number of nominated individuals within specific projects. At this level, the organization has no formal or structured Risk Management process in place. Although the organization is aware, at some level, of the potential benefits of managing their project risks, there is no effectively implemented organization-wide process. Some projects, those containing the nominated individuals, learn from past mistakes; however, there is no method implemented for providing these Lessons Learned to all of the organization's projects. Risk management at this point may be described as the start of crystallization of the organization's corporate experience. The organization is becoming aware that it can learn from past mistakes, but this knowledge is not yet formalized, nor are there any structures in place to ensure its consistent application throughout the organization.

Level 3 – Repeatable (Plan The Work, Work The Plan)

At the Repeatable Level, the organization has implemented risk management into their routine business processes and implements risk management in most, if not all, projects. Generic risk policies and procedures are formalized and widespread, and the benefits are understood at all levels of the organization, although they may not be consistently achieved in all cases. Planning and managing new projects is based on experience with similar projects. Risk Management capability is enhanced by establishing basic Risk Management discipline on a project-by-project basis. Projects implement risk management through processes that are defined, documented, practiced, trained, measured, enforced, and improvable. All projects have an assigned Risk Manager. On small projects, the roles of the Project Manager and Risk Manager may be combined in the same person, but on larger projects the Risk Manager is distinct from the Project Manager.

Projects in Level 3 make realistic project commitments based on the results observed on previous projects and on the risks identified for the current project. The Risk Manager for a project tracks costs, schedules, functionality and quality [6]; problems in meeting commitments are identified as they arise. The Risk Manager for the project works with its customers and subcontractors (if any) to establish an effective customer-supplier relationship.

Risk Management processes may differ between projects in a Level 3 organization. The organizational requirement for achieving Level 3 is that there be organization-level policies that guide the projects in establishing the appropriate management processes. The risk management capability of Level 3 organizations can be summarized as disciplined because planning and tracking of the project is stable and earlier successes can be repeated. The project's risk management process is under the effective control of a project management system, following realistic plans based on the performance of previous projects.

[6] Note: The effect of a risk occurring can be to deliver lower quality, both in the project deliverables (e.g. more bugs in a software program) and in the project process itself (e.g. more accidents on a construction site). Quality is as important a measure of project success as the delivered functionality.

Level 4 – Managed (Measure The Work, Work The Measures)

At the Managed Level, the organization has established a risk-aware (not risk-averse) culture that requires a proactive approach to the management of risks in all aspects of the organization. Risk information is continually developed and actively used to improve all organization processes and to increase the probability of success in projects and operations. A standard Risk Management process (or processes) is documented and used across the organization. Processes established at Level 3 are used (and changed, as appropriate) to help the organization's project and operations managers and technical staff perform more effectively. A group of personnel within the organization is assigned responsibility for Risk Management. This formal assignment provides for an informal communications channel to organization management outside of the Project communications channels or operational management structure. An organization-wide training program is implemented to ensure that the staff and managers have the knowledge and skills required to fulfill their assigned roles.

Projects tailor the organization's standard Risk Management process and tools to develop their own defined process, which accounts for the unique characteristics of the project. It is the process used in performing the project's activities. A defined risk management process contains a coherent, integrated set of well-defined risk identification, assessment, handling and monitoring tools and processes. A well-defined process can be characterized as including readiness criteria, inputs, standards and procedures for performing the work, verification mechanisms (such as peer reviews), outputs, and completion criteria. Because the risk management process is well defined, management has good insight into risks and their potential impact on the project or operation.

The Risk Management process capability of Level 4 organizations can be summarized as standard and consistent because activities are stable and repeatable. Within established product lines, cost, schedule, functionality and quality risks are known and controlled, and risk mitigation status is tracked. This process capability is based on a common, organization-wide understanding of the activities, roles, and responsibilities in a defined risk management process.

Innovations that exploit the best risk management practices are identified and transferred throughout the organization. Risk Management teams in Level 4 organizations continuously analyze the results from past projects to determine how accurate risk identification was versus actual impacts and causes. They disseminate lessons learned throughout the organization.

4.0 Determining Organizational Maturity Level

The brief descriptions of each RMMM level can indicate where an organization stands in terms of the relative maturity of its risk processes, but a more detailed diagnostic tool is required for objective and consistent assessment of risk management process maturity. Table 1 (Appendix 1) presents suggested attributes of a typical organization at each RMMM level under four attribute headings: Culture, Process, Experience and Application. This breakout enables an organization to compare itself against clear criteria that have been accepted by numerous professional Risk Management organizations [7] and assess its current level of risk maturity. It is recognized that some organizations may cross the boundaries between successive RMMM levels, but the granularity between levels is such that there should be a clear distinction in most cases, and it should prove possible to determine where most organizations are to a single level.

The extent to which the attributes noted in the Maturity Level Table in Appendix 1 are implemented at each level determines the process maturity level rating of an organization. The extent of implementation of a specific attribute is evaluated by assessing:

- Commitment to perform (policies and leadership)
- Ability to perform (resources and training)
- Activities performed (plans and procedures)
- Measurement and analysis (measures and status)
- Verification of implementation (oversight and quality assurance)

5.0 Progressing Between Maturity Levels

The assessed RMMM level can be used in a number of ways. For example, organizations may wish to enhance their level of risk capability by devising strategies to enable more effective management of risk.
Alternatively, they may want to rate themselves againstkey competitors in order to gain advantage in the market place.Once your current risk maturity level is determined, action plans for moving towards thenext level can be developed. Many organizations are at Level 2 or Level 3, or have7 International Council on Systems Engineering Risk Management Working Group, Project ManagementInstitute Risk Management Specific Interest Group and the Risk Management Specific Interest Group ofthe UK Association for Project Management.RMRP 2002-02, Version 1.011embarked on the transition from Level 2 to Level 3 and a significant number are at Level1.Different barriers are faced by organizations at each of the RMM levels, which must beovercome if progress is to be made to the next level of risk maturity. These are outlinedbelow, together with some suggested strategies for overcoming them.Level 1 to 2 Ad Hoc to InitialThe Level 1 organization faces a number of problems as it starts implementing effectiverisk management:Initially there is no clear understanding of a formal risk management process,procedures and techniques, and even the language and terminology will be unknown.There is no clear concept of the benefits that can be gained from formal riskmanagement, and the cost of implementing the process is normally not considered.There is no in-house expertise or experience in performing risk management or whentrying to consider the applicability of risk management to the organization programsand business processes.At least some of the organization s projects and business processes are in crisis at anygiven time, leading to a lack of time, energy or resources to commit to installing andfollowing a new process.The organization s upper level management may not be receptive to anyone, internalor external, that is promoting risk management, since they are uninformed customersand lack any track record or yardstick against which to judge the promised benefits.They may also believe that 
acknowledging that the organization s processes andprojects are subject to uncertainty may be seen as an admission of weakness or lack ofskill.The organizational culture may not be committed to quality and may lack the conceptof professionalism.In order to develop from an Ad Hoc level to the Initial level, a number of actions mustbe accomplished. Some of these actions are as follows (in no specific order):Clearly define the objectives of the risk management implementation to enablethe risk process to be tailored and scoped accordingly.Get advice and guidance from recognized external experts who have a trackrecord in assisting organizations in this type of implementation. Such externalexperts should be selected carefully, and the organization should beware of beingencouraged to adopt a generic solution that does not match their particularrequirements.Identify specific personnel to be the original implementers, carefully select andbuild a prototype team.Ensure adequate training and support for this team, including all the necessaryrisk skills and techniques, to ensure that they can act as intelligent customers .Undertake awareness briefings to sell the vision of risk management and itspotential benefits to the entire project organization, from senior management tofront-line employees. These awareness briefing should include project customersRMRP 2002-02, Version 1.012and subcontractors (see appendix 2 for some insight into views on riskmanagement one is likely to encounter when accomplishing this action).Ensure corporate backing, with nomination of a senior management sponsor topromote the implementation process.Nominate pilot applications for risk management, carefully selected to maximizethe chances of early success.Publicize and celebrate successes. 
Seek to develop momentum in the risk processand to encourage other projects and individuals to apply risk management to theirareas as they see clear benefits.Plan for the long-term, recognizing that effective implementation of riskmanagement will not be achieved overnight. Count the cost of the implementationproject, and ensure commitment of the necessary resources before starting.Build effective controls into the process from the outset, with breakpoints toenable progress to be monitored and reviewed at key intervals. Collect and trendappropriate metrics.Consider producing draft risk procedures with templates for key inputs andoutputs.Identify and use appropriate project risk management tools such as riskinformation databases.Level 2 to 3 Initial to RepeatableA Level 2 organization has a number of individuals (possibly only one) able toeffectively plan and apply risk management procedures and techniques. At this level,risk management is seen as an additional activity to be undertaken where necessary. Sowhatever risk process is used by various projects is unlikely to be used consistently orwidely. Application of any risk management process is limited to a few major orsignificant projects.This introduces a number of barriers to be overcome to reach Level 3 and normalize theapplication of a risk management process across the organization. It should be noted herethat that some organizations may choose to remain at Level 2, with risk managementbeing undertaken by an in-house team on selected projects only. There is nothing wrongwith this approach. 
The transition to Level 3 should only be undertaken if the benefitsare worth the cost and effort involved.Some of the problems faced by the Level 2 organization attempting to progress to Level 3are as follows:Lack of organizational-wide formal risk processes produces inconsistency in theirapplication and inconsistency in results.Dependence on the skills of a few in-house staff could limit the overall effectivenessof the risk process and negatively impact both existing projects that use riskmanagement and projects attempting to implement the process for the first time..Lack of support for those implementing risk management may lead to disillusionmentand low morale.Limiting promotion of risk to the lone enthusiast can undermine the credibility of therisk process.RMRP 2002-02, Version 1.013Partial or inconsistent application of risk processes is unlikely to generate usefulmetrics that fully demonstrate the benefits of managing risk. There is therefore noauditable track record of what risk management can achieve, resulting in a lack ofcredibility and a reluctance to adopt risk management more formally.Poor use of risk assessment tools and risk information databases.Lack of a benchmarking process to check process capability against industrystandards.These problems can be addressed in a number of ways to enable the organization toprogress towards Level 3. Where the actions listed above for the Level 1 to 2 transitionare not in place, these should be considered in addition to those provided below:Reinforce and strengthen corporate backing for those individuals and teamsattempting to implement the risk management process. Visible endorsement fromsenior management is essential to give the necessary credibility.Provide formal risk training to develop in-house expertise and process knowledge.Use external expertise as necessary to reinforce and support existing in-houseskills. 
Use of external expertise can be useful in extending your existing riskmanagement process into new areas of the organization. Many of these new areasmay be outside the knowledge of your in-house staff. External consultants canalso be used to apply the risk management process to novel or difficult areas.Allocate adequate resources to the risk management implementation process, withassignment or recruitment of sufficient staff, and assigned budgets for riskmanagement training, risk assessment tools and other required risk managementactivities.Select key projects to demonstrate the benefits of risk management in all areas ofthe organization s business.Continue to publicize and celebrate successes, encouraging wider application ofrisk management to other areas as benefits become clear.Provide opportunities for in-house staff to attend ongoing risk managementtraining courses, conferences and seminars, workshops, etc.Formalize the chosen risk management process, with clear definition of the scopeand objectives of risk management, together with agreed upon procedures andproperly selected tools.Develop and promulgate an organizational policy on the use of risk management.Insist that your project managers use risk management as part of their routinemanagement of projects and business processes. Include regular risk reporting asan important part of management reviews.Start to assemble metrics from the risk process; identification of generic risks,effective responses, the cost of risk reduction, etc. 
  Specific checklists can be generated to facilitate the risk identification and assessment processes, based on actual experience of risk management within the organization.

Level 3 to 4: Repeatable to Managed

Level 3 is probably sufficient for most organizations, where risk processes are integral to the organization and are consistently and routinely applied to most or all projects. However, the consensus of the professional organizations that contributed to this model was that the Risk Management Maturity Model needed to identify a level beyond Level 3, a maturity level where identifying, assessing and managing uncertainty becomes second nature and is built into all the activities and business processes of the organization. At Level 4, an organization can systematically use risk processes to address those uncertainties that have potential positive impact (i.e., opportunities or "upside risk"). In many ways the Level 3 to Level 4 change is expected to be almost as difficult as the transition from Level 1 to Level 2, since the Level 3 organization could easily come to believe that it has fully implemented risk management and that no further change is needed. If the organization wishes to progress to Level 4, the following problems are likely to be encountered:

- Loss of momentum could result in failure to maintain the required standards of application, with resultant loss of quality of risk management support. This would reduce the credibility of the risk management process, making it seem to be a temporary management fad whose time has passed.
- The organization could fail to update the risk management process to take account of changes in business needs or other developments in the marketplace. This could result in the risk process becoming outdated and increasingly irrelevant to the business of the organization.
- Lack of continued investment in the risk management process could result in reduced relevance or capability, as tools become obsolete, techniques become superseded and personnel skills are not maintained.
- Development of in-house expertise might result in risk management being seen as a specialist discipline that is undertaken by experts, with consequent reduction in commitment and ownership by others in the projects and the organization.

Actions to assist in progress towards Level 4 are as follows (in no specific order):

- Ensure effective learning from experience. Undertake regular reviews of the risk management process, with value engineering of the process to ensure that it remains fully effective.
- Amend and strengthen the risk management process where necessary, including investment in new tools, new methods, personnel training, etc.
- Investigate novel applications of the risk management process beyond those already covered. Seek to modify and apply risk management to every activity within the organization.
- Use every means possible to develop a Risk Management Culture, encouraging all personnel to "think risk", be aware of uncertainty and use risk techniques to assess and manage potential threats and opportunities. Build risk thinking into your organizational culture. Be aware of the possible range of attitudes about risk (Appendix 3).
- Ensure that risk is included as a routine criterion in all decision-making.
- Identify and counter incidences of "risk fatigue", where staff are losing interest in the process or there is a potential loss of momentum. Use regular re-launch promotions to renew the process, celebrating successes, publicizing improvement metrics, and rewarding effective risk management.
- Undertake regular risk management training to ensure that skills remain current.
- Consider use of external risk expertise to widen the application of risk management into novel areas of the organization, or to add the necessary momentum to maintain progress or introduce change.

Maintaining Level 4

Making risk management a natural part of an organizational culture, so that risk techniques are applied throughout the business and uncertainty (including both risks and opportunities) is proactively managed to maximize the benefits, requires significant changes in existing organizational cultures and personal beliefs. In the time that the CMM maturity levels have been available, very few organizations have reached Level 5 (the top CMM level). For many organizations, the benefits of achieving the pinnacle of maturity have not been seen as worth the cost to get there. In addition, once this pinnacle is achieved, effort (and resources) must be expended to maintain the position. A continuous improvement process is required to stay at Level 4 or any other level; without such a process it is of course possible to move down the RMMM framework and drop to a lower level of risk management capability. An RMMM Level 4 organization will be threatened by complacency and boredom and should consider a number of actions to counter these problems, including those listed below:

- Ensure continued commitment of senior management. It may be necessary or beneficial to change the sponsor from time to time to allow injection of fresh ideas and momentum.
- Use audit and review techniques to keep application of risk management techniques at the required quality and standards.
- Take full advantage of the competitive edge that results from proactive management of uncertainty (including both risks and opportunities).
- Extend risk management beyond the usual applications, pioneering its use in all areas of the business.
- Continually invest in improving the risk process, tools, techniques, personnel skills, etc.
- Continue to involve customers and suppliers in the risk process.

6.0 Conclusions

The implementation of risk management in an organization is not a minor challenge, and cannot be undertaken in a short period of time. Risk Management is not a simple process of identifying techniques, sending personnel to training courses, buying software and getting on with it. Risk management capability is a broad spectrum, ranging from the occasional informal application of risk techniques to specific projects, through routine formal processes applied widely, to a risk-aware culture with proactive management of uncertainty.

The Risk Management Maturity Model (RMMM) presented in this report allows organizations to benchmark their risk management capability against four standard levels of maturity. It also allows organizations to identify what needs to be done in order to improve and increase their ability to manage risk. Use of the RMMM will also enable customers, suppliers and other areas of the organization to determine how well a project or organization is implementing risk management, and can aid in the development of specific strategies for going to a higher maturity level.
Some additional work is required to enhance the diagnostic elements of the RMMM; however, the present RMMM framework provides a useful tool to those organizations or projects interested in either implementing a formal approach to risk management or improving their existing approach.

References

1. Towards a Risk Maturity Model, Dr. David Hillson, International Journal of Project & Business Risk Management, Volume 1, Issue 1, pages 35-45, January 1997.
2. Benchmarking Risk Management Capability, Dr. David Hillson, PMI Europe 2000 Symposium Proceedings, January 2000.
3. A Guide to the Project Management Body of Knowledge (PMBOK® Guide), 2000 Edition, Project Management Institute, Newtown Square, PA, 2000, page 127.
4. Spotlight: CMMI Model Representations, Sandy Shrum, SEI Interactive, December 1999.
5. RM3 Risk Management Maturity Model, Steve Waddell, private communication, February 2002.
6. Key Characteristics of a Mature Project Risk Management Organization, Dr. David Hulett, 13th Annual International Integrated Program Management Symposium Proceedings, 2001.
7. Project Management Risk Management: Continuous Representation, CMMI SE/SW/IPPD/SS, version 1.1, 2001, www.sei.cmu.edu/cmmi/products/models.html
8. Software, Systems Engineering and Product Development Capability Maturity Models (CMMs), www.sei.cmu.edu/cmm/cmms/transition.html
9. Risk Management in Complex Project Organizations: A Godfather-Driven Approach, G. Getto and D. Landes, Proceedings of the 30th Annual Project Management Institute 1999 Seminars and Symposium, October 1999.
10. Industry Models of Risk Management and Their Future, K. Artto and D. Hawk, Proceedings of the 30th Annual Project Management Institute 1999 Seminars and Symposium, October 1999.
11. Risk and Opportunity Management, K. Forsberg and H. Mooz, Proceedings of the INCOSE Symposium, 2001.

Appendix 1 Risk Management Maturity Level Checklist

The checklist is a table with one column per maturity level (Level 1 Ad Hoc, Level 2 Initial, Level 3 Repeatable, Level 4 Managed) and one row per attribute (Definition, Culture, Process, Experience, Application). Each row is reproduced below, level by level.

Definition
  Level 1 (Ad Hoc): Unaware of the need for management of uncertainties (risk). No structured approach to dealing with uncertainty. Repetitive and reactive management processes. Little or no attempt to learn from past projects or prepare for future projects.
  Level 2 (Initial): Experimenting with risk management through a small number of individuals. No structured approach in place. Aware of potential benefits of managing risk, but ineffective implementation.
  Level 3 (Repeatable): Management of uncertainty built into all organizational processes. Risk management implemented on most or all projects. Formalized generic risk process. Benefits understood at all organizational levels, although not always consistently achieved.
  Level 4 (Managed): Risk-aware culture with proactive approach to risk management in all aspects of the organization. Active use of risk information to improve organizational processes and gain competitive advantage.

Culture
  Level 1 (Ad Hoc): No risk awareness. No upper management involvement. Resistance or reluctance to change. Tendency to continue with existing processes even in the face of project failures. "Shoot the messenger."
  Level 2 (Initial): Risk process may be viewed as additional overhead with variable benefits. Upper management encourages, but does not require, use of Risk Management. Risk management used only on selected projects.
  Level 3 (Repeatable): Accepted policy for risk management. Benefits recognized and expected. Upper Management requires risk reporting. Dedicated resources for risk management. Bad news risk information is accepted.
  Level 4 (Managed): Top-down commitment to risk management, with leadership by example. Upper management uses risk information in decision-making. Proactive risk management encouraged and rewarded. Organizational philosophy accepts the idea that people make mistakes.

Process
  Level 1 (Ad Hoc): No formal process. No Risk Management Plan or documented process exists. No or sporadic attempts to apply Risk Management principles. Attempts to apply the Risk Management process only when required by the customer.
  Level 2 (Initial): No generic formal processes, although some specific formal methods may be in use. Process effectiveness depends heavily on the skills of the project risk team and the availability of external support. All risk personnel located under the project.
  Level 3 (Repeatable): Generic processes applied to most projects. Formal processes incorporated into the quality system. Active allocation and management of risk budgets at all levels. Limited need for external support. Risk metrics collected. Key suppliers participate in the Risk Management process. Informal communication channel to organization management.
  Level 4 (Managed): Risk-based organizational processes. Risk Management culture permeating the entire organization. Regular evaluation and refining of the process. Routine risk metrics used with consistent feedback for improvement. Key suppliers and customers participate in the Risk Management process. Direct formal communication channel to organization management.

Experience
  Level 1 (Ad Hoc): No understanding of risk principles or language. No understanding or experience in accomplishing risk procedures.
  Level 2 (Initial): Limited to individuals who may have had little or no formal training.
  Level 3 (Repeatable): In-house core of expertise, formally trained in basic risk management skills. Development and use of specific processes and tools.
  Level 4 (Managed): All staff risk aware and capable of using basic risk skills. Learning from experience as part of the process. Regular training for personnel to enhance skills.

Application
  Level 1 (Ad Hoc): No structured application. No dedicated resources. No risk management tools in use. No risk analysis performed.
  Level 2 (Initial): Inconsistent application of resources. Qualitative risk analysis methodology used exclusively.
  Level 3 (Repeatable): Routine and consistent application to all projects. Dedicated project resources. Integrated set of tools and methods. Both qualitative and quantitative risk analysis methodologies used.
  Level 4 (Managed): Risk ideas applied to all activities. Risk-based reporting and decision making. State-of-the-art tools and methods. Both qualitative and quantitative risk analysis methodologies used, with great stress on having valid and reliable historical data sources. Dedicated organizational resources.

Appendix 2 EIA/IS 731

Systems Engineering Capability Model (SECM) EIA/IS 731

What is EIA/IS-731?

The G-47 Committee of GEIA sponsored project PN-3879, a joint working group composed of GEIA, EPIC, and INCOSE, to bring together the EPIC Systems Engineering Capability Maturity Model (SE CMM) and the INCOSE Systems Engineering Capability Assessment Model (SECAM) into a single capability model. The purpose was to minimize confusion within the industry and to relate the resulting capability model to the EIA-632 Standard, Processes for Engineering a System. The new capability model has been developed as EIA/IS-731, Systems Engineering Capability Model (SECM), and will be issued as an interim standard. EIA/IS 731 is published and available.

History

EIA/IS-731 was selected by the CMMI Steering Group as a primary source document for systems engineering processes. EIA/IS-731, Systems Engineering Capability Model, is not a process standard but a standard for defining and assessing maturity of the Systems Engineering discipline. To eliminate confusion, EIA has created EIA/IS-731 as an interim standard and intends to allow EIA/IS-731 to go out of existence as the CMMI comes into existence.
It is hoped that this will eliminate confusion and conflict within the systems engineering community, one of the original objectives of EIA, EPIC, and INCOSE in cooperating to create EIA/IS-731.

Reference: http://www.geia.org/sstc/G47/page6.htm

Appendix 3 Basic Risk Attitudes

From: Benchmarking Risk Management Capability, Dr. David Hillson, PMI Europe 2000 Symposium Proceedings, January 2000

Based on years of experience of the risk practitioners who aided in the development of this model, one thing stands out: the organization's attitude and culture can make or break the risk management effort. The only successful ventures found were those where the management team was 100% behind the effort. They backed up the commitment with people and money as well as with leadership in making sure it was implemented. Half-hearted management support only erodes the effort in the long term and gives people a way out of using good processes. In this vein, there are three basic risk attitudes one normally runs into. They can be summarized as follows:

1. Risk-averse: This indicates a conservative risk attitude with a preference for secure payoffs. People who are risk-averse make good middle managers, administrators and engineers. Their key characteristics include being practical, accepting, and showing common sense. Risk-averse people enjoy facts more than theories, and support established methods of working. They excel at activities that involve remembering, persevering and building.

2. Risk-seeking: These show a preference for speculative payoffs, and make good entrepreneurs and negotiators. Risk-seeking people are adaptable and resourceful, enjoy life and are not afraid to take action. They are good at activities that require performing, acting and taking risks.

3. Risk-neutral: This attitude prefers future payoffs. People who are risk-neutral make good executives, system architects and group leaders. They think abstractly and creatively and envisage the possibilities. They enjoy ideas and are not afraid of change or the unknown. Risk-neutral people are good at learning, imagining and inventing.

The importance of understanding risk attitude is clear, since people have such a profound effect on the effectiveness of any risk process. Knowledge of the potential problems in convincing different types of people of the benefits of a risk management process will assist in revealing underlying risk attitudes, enabling systemic bias to be exposed and corrected.