CHAPTER SEVEN

LEESON LEARNED & BUILDING A RISK

MANAGEMENT SYSTEM
 LESSONS LEARNED
 A lessons learned project review should be conducted soon after project close out
and should include all project team members, a member of top management, and
stakeholder representatives.
 A “Lesson Learnt” involves bringing those involved in the project (the PM, the
Sponsor, any Team Member, the Client, a Stakeholder) for a discussion of what
went wrong and what went right in the project risk management and what needs
to change (Example page 182)

 The objective of the Lessons Learnt process is to ensure successful risk

management in future projects.
.
 Lessons Learned Process involves the following five steps.
The lesson learned review can be accomplished by scheduling and facilitating the
meeting around key risk issues or topics that help to capture the risks inherent in
the project.

The team identifies where such lessons can be applied in the risk management
process, and identifies possible institutional or organizational problems associated
with the lessons learned.

A project audit will then be conducted based on potential audit issues identified
during lesson learned that top management would like to earmark for policy,
system, or organizational change
 Transition from Lessons Learned to Audit

.
 Project audit, unlike the lessons-learned session, focus on an independent gathering
of information and documents from the project, and reviewing them against the goals
and objectives of the project and best practice criteria.

 The project performance audit involves the question, ‘did the project produce what it
intended to produce, and how effectively and efficiently?’

 Questions focus on key aspects of the project that include business planning, follow up
response, Organization-wide culture and more (Page 184)

 The question of efficiency is reviewed through earned value and cost variance
calculations. The issues would be:

 Did the project stay consistent with the schedule and budget?
 Did the project manager make adequate adjustments based on variations from
risk events'?
 Did the project make its quality, schedule, and budget goals?
 ORGANIZATIONAL MATURITY IN RISK MANAGEMENT

 Risk management maturity (RMM) measures how effectively an organization can identify and
tackle the risks it faces. System-building activity for risk is likely to correlate strongly with
organization’s level of risk management maturity.

 Organizations must be able to benchmark their present maturity and capability in managing
risk using a risk maturity model framework. The models are based on a series of attributes
that describe the organization’s risk management capabilities.

 Hilson (1997), identifies four levels of maturity: naive, novice, normalized, and natural. It
attempts defining a limited number of 'maturity levels', ranging from organizations with no
formal risk management process to those with highly developed and fully integrated
processes.

 According to Hilson each RMM level is characterized in terms of four attributes namely
culture, process, experience and application.
 Risk Management Maturity Model (Hilson, 1997, 2002) – Four levels of risk
management maturity.
Level 1 –: Naive The organization is unaware of the need for risk management and has no
structured approach to dealing with uncertainty, resulting in a series of crises for each
project or operation.

Level 2 – Novice : Organizations are experimenting with the application of risk

management, usually through a small number of nominated individuals within specific
projects.

Level 3 – Normalized : The organization has implemented risk management into their
routine business processes and implements risk management in most, if not all, projects.

Level 4 – Natural: The organization has a fully project -based culture, with a proactive approach
to the management of risk in all aspects of the organization, It has established a risk-aware (not
risk-averse) culture.
Attribute Level 1 Level2 Level 3 Level 4
NAIVE NOVICE NORMALISED NATURAL
 .
Culture No risk awareness Risk management Accepted policy for Top-down
used only on selected risk management. commitment to risk
projects management, with
leadership by
example

Process No formal process No generic formal Generic processes Risk-based

processes applied to most organizational
projects. processes.

Experience No understanding of Limited to individuals In-house core of All staff risk aware
risk principles or who may have had expertise. and capable of using
language. little or no formal basic risk skills.
training.
Application No structured Inconsistent Routine and Risk ideas applied to
application application of consistent application all activities
resources. to all projects
.
 Decay is unlikely to occur in an organization at level 1 risk management maturity, but a level 2
organization is likely to experience decay in its risk management activity for several reasons:
 Several projects have been completed without any clearly obvious benefit.
 The champion senior management for the RMS loses enthusiasm or leaves the organization.
 Staff responsible for the RMS are swamped by other duties.
 The advice of outside consultants proves impractical.
 The post-project debriefings appear to yield little information of value.
 The risk knowledge database, proves too cumbersome or costly to operate and maintain

 In a level 3 and level 4 organizations, decay in risk management maturity will be due to lack of
continuing commitment from senior management, or loss of key staff. However, in level 4
organizations it is only temporary due to the organization's risk management maturity and
engagement with performance benchmarking.
 ORGANIZATIONAL RMS POLICY AND
IMPLEMENTATION STRATEGY
 An important part of initiating a RMS in a project stakeholder organization is the formulation of an
organizational policy towards risk management and a strategy for implementing.
 Organizational scan ( page 156) can provide a richer picture of the state of risk management
practice and can guides the directions in which it can be formalized and improved.
1. What (project) activities clearly require formal risk management?
2. How are decisions made about them?
3. What risk attitudes are evident?
4. What formal risk management is already in place?
5. How effective is it?
6. Is any informal risk management evident?
7. Where are the gaps in current risk management practice?
8. How could the gaps be filled?
9. Who should be involved in that?
 The project stakeholder should be in a position to formulate (and document) a coherent
risk management policy based on the result of the organizational scan.

 Documentation of risk management policies and procedures is important to facilitate

communication, accountability and subsequent performance review.

 A RMS implementation strategy objective should be to grow a risk management

culture within the organization by
 motivating staff who will be involved in RMS.
 diffusing risk management knowledge throughout the organization
 building a risk-aware culture
 organizing risk management training and development program.
 enabling staff to develop skills and confidence in managing risks.
 For any project in the organization RMS implementation, objectives must be clarified,
tasks should be scheduled, commitments need to be confirmed, and resources must be
obtained and organized
Clarifying Objectives, Tasks And Commitments

Clear objectives including procurement objectives ( budgeted cost, intended operational date
and quality), functional objectives (what the project is required to do) , and strategic objectives
( what the outcomes of the RMS is expected to achieve).

Scheduling tasks largely depends upon the three ways on how the system is intended to operate
a RMS
1. Single : centrally based system to deal with all the activities of the organization.
2. Dual: centrally based systems: one to deal with project activities; the other to deal
with internal organization maintenance activities.( Usually found in level 3 RMM organization).
3. Multiple: separate systems for each project; plus a single system for internal
organization maintenance. ( Most likely implemented with level 2 risk maturity organization)

Committed support and involvement of senior management is needed to ensure the

involvement of staff at all levels in activities involving such as system design, assigning
responsibility, trialing techniques etc..( page 160).
 Issues of responsibility for the RMS must be resolved, and responsibility should
be transparent, extending to the highest levels within the organization. For
instilling and growing a risk culture in the organization is a top-down
leadership task and is the responsibility of senior management.

 An appointment of a risk manager can contribute substantially to the

effectiveness of the RMS at all stages but it does not automatically resolve all
risk management responsibility issues including decision- making within an
organization.

 As the organization's risk management maturity increases, RMS operating

team will be substantially different from the RMS building team. Using
extremal consultants in risk management can make a valuable contribution to
the implementation of a risk management system and to assist in RMS building
by facilitating workshops.
Building a RMS also requires creating a project risk management framework. The
system framework can be as simple, or as sophisticated, as the requirements of the
organization warrant.

 For an organization with level 2 risk management maturity the simple

computer spreadsheet approach illustrated on table 163 &164 can satisfy early
risk management system requirements.

 Organizations with level 4 risk management maturity are likely to have

developed more sophisticated risk management system frameworks, and may
well be using intra- and extra-net computer information technology networks
to process and communicate project risk information within and, outside the
organization.
 RMS building and performance will be enhanced if due attention is paid to communication,
trialing techniques and training staff.

 Effective communication is critical to know and understood the risk management process. The
RMS building process should ensure that sufficient precision and reliability are incorporated
into all of the media-related aspects of the RMS.

 An organization lacking any formal system of risk management need to use different
techniques for trialing risk management techniques. The process of trialing risk management
techniques should be carefully planned and properly resourced when building a RMS.

 Evaluation of RMS performance should be conducted by evaluating the effectiveness of each

part of the RMS and requires an appropriate periodic performance review mechanisms put in
place.
Performance Review Focus for a Project Stakeholder Organization RMS