7DIG Risk Revisited: The Problem of Risk Matrices

Filed under: Innovation,Risk — lenand @ 10:09 pm

Several years ago, project risk was high up the agenda especially in PRINCE2 projects.  But it was always viewed negatively.  People are naturally reticent about exposing risk in their area of responsibility.  Much more positive responses were achieved by reversing the questions and asking for levels of confidence.  Let’s call it Confidence Management, rather than Risk Management.  There are examples of success.

The method starts with interviews for assessing levels of confidence in achieving business targets.  Confidence levels are used to generate data in risk logs, which quantify business risk as a company wide, or even global, risk index.  It has a simple value for risk impacts that range from a few pounds to billions.

A 2X2 risk matrix is commonly used.


2X2 Risk Matrix

It does not give much information, but it is better than nothing.  More complicated versions with colour coding can alert senior executives.

5X5 Risk Matrix

The main problem with such matrices is that they mask the importance of very low probability, but very high or catastrophic risk impacts.  The undersea blow-out of a BP oil rig is a recent example. Some risk impacts have to be measured in billions, but such crude methods do not alert people adequately. The axes are often not given numerical values, so it is impossible to correlate projects across a programme.

The next blogs show a new way of identifying risks and a quantitative method for prioritising risks across complex programmes.


PASC 2: Absence of IT Policy Governance

Filed under: Governance,Policy,Politics — lenand @ 10:54 am

The second of the Public Administration Select Committee (PASC) 12 questions, asks:

2. How effective are its governance arrangements?

There does not appear to be an agreement on what constitutes “governance arrangements” for policy. Information governance is complex – just look at the complexity of the definitions. Each department, government agency and local authority has its own opinion on what is the policy and how to implement it. There’s no obligation to follow internal processes, let alone any Cabinet Office pronouncement.

There are some areas of security and privacy competence in following CESG policy. The codes of connection between networks are one good example. Policy should also include keeping an information asset register; most organisations do not have one. People cannot control what they don’t know exists, nor where it is located, nor who is responsible for governance.

Quarkside identifies seven dimensions of information governance that attempt to cover the whole policy domain.

  1. Objectives
  2. Outcomes
  3. People
  4. Assets
  5. Process
  6. Risk
  7. Time

Each dimension needs separate consideration in departmental policy. Together with inter-relationships, all dimensions need a control process. At an operational level there is an opportunity to promote the virtues of Prince2 for projects and ITIL for continuous service management and control. The policy should be to use these standards.

Briefly, there is a need for cross government governance arrangements, but they aren’t obviously published. Without enforceable standards, it is difficult to see how to change the culture of indifference to information governance. Will Martha Lane Fox’s appeal for standards result in any action?

PASC 3: Learn from success, not just failure

The third of the Public Administration Select Committee (PASC) 12 questions, asks:

3. Have past lessons from NAO and OGC reviews about unsuccessful IT programmes been learnt and applied?

Too many past and present failures demonstrate that People have not learnt how to manage complex programmes consistently. Internal programme management skills have not been developed sufficiently. Contracting out so much of the work is evidence of a lack of internal skills and of abrogating much of the responsibility to the big suppliers, who are not averse to earning extra income.

Prince2 was developed by OGC with public sector programmes and projects in mind. Prince2 clarifies the desired Outcomes and People responsible for controlling the Assets and Processes to reach measurable Outcomes on Time, with regard to Risk throughout. It is no accident that the Eurim basic principles of information governance have been adopted by Quarkside as a mantra. The use of Prince2 entirely supports the seven dimensions of information governance. Another disappointing example is the amateurism of the Prime Minister’s Structural Reform Plans (SRPs). There’s no apparent Prince2 programme management regime. It looks like an unco-ordinated set of To Do lists, with no evidence of a transparent risk register. The avoidance of standards is endemic. In the private sector it could be a career-limiting offence.

Quality assurance and risk assessment must be performed by independent bodies, not the prime contractor. Even internal staff cannot be relied upon to expose failures of people who may be planning their career path – but collecting evidence will be hard.

Finally, the question is too narrow in the sense that it is possible to learn from success, not just failure.  I remember a quotation from a project management guru.  “A good project manager resolves problems, a better project manager avoids problems before they happen.” Paradoxically,  the career of the better, risk aware, project manager is worse – because the success is below the management radar.


SRPs avoid PM standards

As Quarked previously, the baseline (Draft) Structural Reform Plans (SRPs) for each Department are almost acceptable. There’s just about enough to begin a reasonable job of monitoring and control. There are actions with start dates and end dates. There are also milestones.

What is missing are definitions of what has to be delivered by an end-date. Quarkside believes that all public sector projects are expected to use Prince2 for project management. It is almost written in stone in Local Government. As everybody who has been trained knows, Prince2 “Focuses on products and their quality”.  In other words it is ‘Product based planning’.  A plan is only considered complete when it has described WHAT should be DELIVERED by a specific date, WHO should deliver it and the QUALITY criteria for acceptance.  All these points rely on a documented and agreed Prince2 Product Description.

Number 10’s Implementation Unit have misunderstood the guidelines, or have chosen to avoid them. You can identify a product deliverable because it is (usually) a concrete noun in the Product Breakdown Structure. The SRPs use a verbal description of an action eg Home Office

  • 3.2.ii “Introduce English language requirements for spouses”.

Are these requirements a statute, a regulation or a ministerial memo to the Immigration and Nationality Directorate? Delivery implies the complete acceptance of a specific product. An alternative might be:

  • 3.2.ii “English Language regulations agreed by Parliament and applied in Border Control”

Quarkside is not making a political point or just being pedantic. The first definition has many options on what the end product might be; the second is more specific and would be linked to the Product Description.   In fact 3.2.ii in the Draft SRP does not give an end date, showing uncertainty.  Prince2, using Product Flow Diagrams, would enable an end-date to be calculated.

Action based planning must have its devotees.  Notably that’s the path followed by Microsoft Project out of the box.  MS Project, unsurprisingly, does not follow the UK standard but is easy to tailor for Prince2 methods.

Martha Lane Fox has called for the use of standards.  Not only does it increase the interoperability of project managers, it is the most effective way of controlling projects.   The good news is that it would not be a big problem to change the Draft SRPs and produce a Prince2 plan with a useful Product Breakdown Structure.  When this process is done it always uncovers things that had not originally been considered.  It improves the Plan.

The current Plan is little more than a ToDo list.  That style is suitable for planning a foreign holiday for a group of thirteen people. It is not suitable for the far reaching political reforms of the coalition government. Prince2 is the Standard.  The No 10 Implementation Unit should have ensured that each of the thirteen Departments understood and used Prince2 for both the Plan and the control mechanisms.

It’s not too late to produce a final plan that follows the Prince2 Standard.  Then we can produce a transparent monitoring and control process.
