Use of Risk Maturity Model to Benchmark Project Health, 26 May 2016

Atkins were the host of this event at their Hub Offices, Aztec West, Bristol. Our speaker, Mark Lee, is a Principal P3M Consultant at QinetiQ. His presentation focussed on how maturity in risk management can assist with successful project delivery, to time and cost.

Mark introduced the principles of risk maturity assessment and why it is important to control schedule and cost.  National Audit Office, (NAO), data from MoD projects showed that where risk maturity was uncontrolled, average schedule overruns were 56% compared with only 4% where risk maturity was at level 3+, and for cost  8% overruns compared to 3% under spend.  Risk maturity can help protect an organisation’s reputation and avoid lurid headlines in the media about project failure.  A prime cause of project failure is the failure to define risks and opportunities.  The key point is that we have to get better at managing risk.

Uncertainty is an inherent characteristic of all projects. Customers change their minds, which can impact both schedule and cost, and things just go wrong.  No matter how good it is, no plan survives contact with the enemy for very long.  In an attempt to control Defence projects, the Defence Reform Act, was introduced in 2014. This introduced a regulatory framework for pricing of all single source contracts. Prices have to be backed up with robust evidence that people have confidence in.  Confidence is a major driver for human behaviour and decision making, and for projects, this often means confidence in our ability to manage the inherent uncertainty.

Tools, such as the QinetiQ Risk Maturity Model, (QRMM), can help provide a level of confidence in a project’s ability to manage uncertainly: both risk and opportunities. Use of QRMM establishes an independent, objective and evidence-based baseline measure of risk maturity. It can identify both strengths and weakness in risk management, and it can be used as a benchmark against others. It can provide a level of confidence in the quality of underpinning data, e.g. for business cases.  Mark provided a comparison between QRMM and other common risk maturity models.

QRMM is a maturity framework covering 6 risk management perspectives: Risk Identification; Risk Analysis; Risk Mitigation, Project Management; Stakeholders; Culture. It has 4 levels: 1. Naive, 2. Novice, 3. Normalised and 4. Natural.  Level 3, Normalised, represents an acceptable level of maturity. Examples of indicators for the 4 levels were discussed. 

The assessment process is based on 50 questions over the 6 perspectives and starts with a documentation review to identify evidence. This is followed by a facilitated risk maturity assessment workshop with key stakeholders. A system of anonomised electronic voting is used to ensure a robust unbiased assessment using the Delphi technique. The results are analysed and the results reported, including the benchmark maturity level, L1-L4. Finally, prioritised recommendations are made for an improvement plan to improve the risk maturity level.

Mark then discussed several case study examples to highlight the benefits of the QRMM approach.

In summary, there is inherent uncertainty in all projects and programmes and controlling risk management maturity is a key enabler for ensuring successful project delivery. Risk management maturity assessment tools, such as QRMM, can increase confidence in how a projects risk management approach is effectively managing uncertainty. 

The presentation slides are available on the APM web site.

Martin Gosden
SWWE Branch Chairman