Published in the Project Post-Gazette, January 2014
by Cheryl A. Wilson, PMP, PMI-RMP, CCEP
More and more government regulations are requiring organizations to become more compliant and adhere to stronger standards as globalization has become a key driver in government sectors. The United States as always been ahead of the game in increased standards and regulations, but enforcing organizations to adhere to these standards has been slow.
The financial industries have lead the way for risk management frameworks, but as more and more government regulations are being enforced, organizations as a whole have adopted a risk management framework.
Projects rarely fail for technical reasons, but fail due to poor decision making stemmed from a combination of the lack of understanding of the customers’ requirements and poor leadership both at the project and executive level. Without a risk management framework to provide the structure for the production of fit-for-use (FFU) deliverables, and the information to make good decisions, projects will continue to fail or do poorly. A proactive approach to risk management enables an organization to have a high level of awareness from the organization’s operations to the approach for the management of project risks.
There are several risk management frameworks within the industry that provide definition on how to identify, assess and manage the risks for the project from conception to closure.
This article will provide a comparison of the following risk management frameworks:
- Project Management Institute (PMI),
- The United Kingdom’s AXELOS, and
- The International Standards Organization (ISO) 27000
Project Management Institute
Project Management Institute (PMI) was started by 5 individuals in 1969 as a nonprofit organization to share experiences and issues in project management. The founders felt the tools and techniques were a basis for all projects from IT to construction. PMI started a certification program in 1984. PMI introduced the compendium of project management planning and execution processes now called the Project Management Body of Knowledge (PMBOK® Guide) in 1987. It was updated it in 1996, 2000, 2004, 2008 and most recently in 2012 as the 5th edition.
The Institute of Electrical and Electronics Engineers (IEEE) adopted the PMBOK® Guide as their project management standard and in 1999 the PMI was accredited as an American National Standards Institute (ANSI) standards developer. PMI was the first organization to have its certification program attain International Organization for Standardization (ISO) 9001 recognition.
The PMBOK® Guide has ten areas of knowledge (AOK) with risk management being one of these areas. PMI’s risk management framework is divided into five process groups. The PMBOK® Guide’s framework is then divided across the ten (10) AOK starting at integration through closure of a project.
PMI’s Risk Management Process
PMI looks at projects as a series of processes that the project manager (PM) uses as the project context dictates; in other words, the PMI’s PMBOK® Guide is NOT a methodology. The PMI indicates that it is up to the PM to decide which of the current 47 processes are needed for his/her project, and in what order or in what iterative solution. Of the ten (10) AOK, chapter 11, Project Risk Management, is the PMI’s foundation recommendations for the management of risks and issues (although the PMI does not speak to issues except at the very basic level), their identification, analysis, response plan (again, the PMI is behind the current industry on the understanding that one does not respond to risk, but mitigates risks and responds to issues), and risk monitoring and control. One of the limitations of the current PMI’s risk management framework is that it has not been marginally updated for over 12 years according to a comparison between the 3rd Edition of the PMBOK® Guide and the now current 5th Edition. If there is one thing we at the PPG has seen over the past 10-15 years is the project risk management requires an entirely different approach to both the identification and assessment as well as the mitigation and control. The PMI needs to significantly upgrade its risk management processes in its 6th Edition that is now being planned and written.
Another issue with the PMI’s risk management framework is the reversal of qualitative and quantitative analysis that may have made sense 10-15 years ago when computers were slow, expensive, and limited; however, with desktop computing power that rivaled the largest mainframe of 15 years ago now populating the desktops of most PM, the need to limit quantitative analysis and place it after qualitative analysis simply does not make sense in today’s tool available environment.
M_o_R stands for Management of Risks. This “guide” to risk management is an organizational approach that can be applied at the strategic, program, project or operational levels. This guide was first published in 2002 to provide a generic framework for risk management across all parts of an organization primarily those in existence in the UK Government and UK-based businesses. However, it has been widely accepted and utilized outside the British Isles over the past decade. The PPG’s September 2013 issue did an in-depth review of the AXELOS’ M_o_R framework from the perspective of process improvement.
The M_o_R framework is based on four core concepts:
M_o_R Principles. These are essential for the development of good risk management practice. They are all derived from corporate governance principles in the recognition that risk management is a subset of an organization’s internal controls.
M_o_R Approach. The principles need to be adapted and adopted to suit each individual organization. Accordingly, an organization’s approach to the principles needs to be defined and stated within a Risk Management Policy, Process Guide and Strategies, and supported by the use of Risk Registers and Issue Logs.
M_o_R Processes: The steps involved in this concept include the identification of risks, risk assessment of its probability and impact, risk evaluation, and risk monitoring and mitigation.
M_o_R Embedding and Reviewing: a risk process needs to be built into the culture of the entire organization. This section deals with training, education, metrics, and maturity.
The primary risk management directive from the International Standards Organization (ISO) is labeled ISO 27005 which is a part of a family of standard called the ISO/IEC 27000, an information security management system (ISMS) standard published in 2005 in conjunction with the International Electrotechnical Commission (IEC). This standard was updated in 2013. The ISO 27000 is a series of standards that offer an Information Security Management System (ISMS) a framework detailing guidance for security issues for organizations to implement.
The risk management component, ISO 27005, provides the heavy weight guidelines for information security risk management, but follows the ISO/IEC 27000 concept that information security is implemented based on a risk management approach from the start. ISO 27005 is also applicable to all types of organizations such as commercial enterprises, government agencies and non-profits.
The ISO 27005 defines risk as “a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event.”
In this second edition, the framework outlined in ISO 27005 has been reviewed and updated to reflect the content of the following risk management documents:
- ISO 31000:2009, Risk management – Principles and guidelines
- ISO 31010:2009, Risk management – Risk assessment techniques
- ISO Guide73:2009, Risk management – Vocabulary.
It is interesting that ISO 27005:2011 does not provide any specific methodology for risk management. It is up to the organization to define its approach to risk management, depending, for example, on the scope of the information security management system, the context of risk management, or the industry sector.
While organizations are increasing their utilization of risk management solutions to assist with improving their project success rates, each organization will need to determine if any of the above frameworks are applicable to its particular risk and issue management needs. In some cases, you may find that a combination of parts of the above three risk management solution is more appropriate for your risk needs.