Effective risk management plays a major role in the final outcome of any business project in terms of its ability to meet cost and time objectives. There are limitations in the amount of risk management that can be done, however, which may make it difficult to reduce uncertainty and increase efficiency in projects. Six Sigma concepts aid in working with these limitations though, because risk management activities can be incorporated into the DMAIC (Define, Measure, Analyze, Improve, Control) phases.

Risk Management Limitations

The main limitation for any business activity when it comes to improving efficiency is time. A project typically has a definite start and end date, which means any improvement initiative has to be focused within that limited time period. This translates to working in parallel with the activities of a project as they actually happen.

The second main limitation is that a project is inherently unique in nature. There may be few repeated tasks from which data can be collected to provide insight into the performance of the process. For instance, material is ordered just once and when there is a delay in receiving the material causing the schedule to slip, the focus is often on identifying a work-around rather than addressing the root cause of material delay. Statistical analysis, as a part of the Six Sigma methodology, focuses on having extensive repetitive data.

The third limitation is the level of uncertainty (risk) in the project’s life cycle and the corresponding amount at stake. Details become available only when time progresses as a part of the life cycle. The ideal scenarios in Figure 1 illustrate the level of uncertainty and cumulative costs in projects.

At the point when the amount at stake is the highest, usually during the later part of the life cycle when project execution takes place, the corresponding level of risk, ideally, should be low. In reality, however, this is not always the case and as a result, time and cost objectives are compromised. The key to efficiency is to reduce the occurrence of either the risk itself or reduce the impact of a risk.

Using Past Problems to Avoid Future Risk

The difference between an issue or defect and a risk is that risk is in the future; an issue or a defect is either now or the past. A risk becomes an issue or defect if it is not addressed. When documenting issues faced in past projects, it is useful to categorize them to enable gathering a comprehensive list. A sample issue breakdown structure is shown in Figure 2. At this point, the focus is in identifying all issues, irrespective of their impact or seriousness. Most project organizations maintain an issue log or a register that documents all issues and corresponding attributes.

Blending DMAIC and Risk Management

The time element in projects invariably can lead to a situation in which project managers take action only when they see that there is a cost or schedule overrun in the current project. This may make their actions reactive. Using Six Sigma tools to understand past issues and applying them to current projects makes it proactive. Project risk management includes the following activities, as described by the Project Management Institute’s project management body of knowledge:

1. Risk management planning
2. Risk identification
3. Qualitative risk analysis
4. Quantitative risk analysis
5. Risk response planning
6. Risk monitoring and control

Telecom Case Study

A case study featuring a telecom supplier that applied Six Sigma concepts to overcome risk-management limitations and improve overall efficiency illustrates how the DMAIC method and project risk management activities can be linked. The company applied the concepts to a project on expanding an existing telecommunications network. The activities involved in the network expansion included planning the expansion, manufacturing and delivering necessary items, installing and configuring items at the site, and implementing and integrating the expansion.

In this case, arguments from project managers regarding the granularity of risk-management activities hinted toward a reactive attitude. Project managers were too caught up in fire-fighting costs and schedule overruns to take time out and realize the need for root cause analysis. Project managers did not realize that the issues they faced daily were a result of ineffective risk management.

The first task for the Black Belt was to compile measurements indicating the performance of past projects, such as cost and schedule overruns. Fifty-three projects were selected and corresponding overruns documented. The underlying assumption was that issues caused overruns. Issues in past projects would need to be identified, quantified, analyzed and categorized as risks for current or future projects to reduce future cost overruns.

Based on the knowledge of overruns in the past projects and the root causes, the Black Belt was able to predict the performance of the current or future projects in relation to the project objectives. The performance of the current or future projects depended on the analysis performed to determine probabilities and the impact of risks. Overruns in Figure 4 were treated as the impact.

From here, this case study can serve as a model for the use of both Six Sigma phases and risk management activities to prevent the reoccurrence of problems such as cost overruns.

Define Phase Meets Project Risk Management Planning

Define phase: This phase typically involves gathering customer requirements, putting the team together, understanding the problem and the scope, and making plans for subsequent activities. A key part of the Define phase is getting organizational support in the form of management commitment and budget for the initiative. The Define phase sets the project in motion by ensuring buy-in and support from stakeholders.

Project risk management planning: This includes details on how to approach subsequent risk management processes. It covers roles and responsibilities with clear communication of what is expected, the budget for risk activities, timing, thresholds, reporting formats, and scoring and interpretation information. As in the Define phase, in risk management planning, the project team needs to identify stakeholders who can support the project.

Case study example: Stakeholders were identified and classified following an analysis of their expectations and risk thresholds. Because the project involved subcontractors for certain activities, a representative from the subcontractor was included in the core improvement team. Scope included risks to be identified from all activities in the network schedule. A high-level cost-benefit analysis revealed an initial cost of poor quality of about 25 percent of the sales of the current project. This translated to $1.5 million. The message communicated to the stakeholders was that the Six Sigma team would provide risks, risk responses, monitoring and control support to the telecom project team, in turn reducing the potential overruns.

Common Tools: Stakeholder analysis; process flow charts; suppliers, inputs, process, outputs, customers (SIPOC) diagram

Measure Phase Meets Project Risk Identification

Measure phase: The Measure phase includes defining the defect and other metrics that are necessary for a baseline. A data plan is formulated and low-hanging fruits are identified. The focus is on understanding the performance of the processes based on current circumstances. Data collection involves looking at process maps in detail to identify areas of potential bottlenecks. Trends in the big Y metrics are identified and documented. Process map analysis should point toward the type of data to be collected.

Project risk identification: This step includes determining and documenting where the project might be at risk. Looking at issues of past projects provides information about potential risks for current or future projects. There are different methods used for documenting risks, but the most common method is to identify a risk, its drivers, the impact of the risk and the drivers for the impact. A degree of cause-and-effect relationship is used when identifying risks.

Case study example: The Black Belt team used the network diagram to identify sources of risks. Experts – those involved in the past 53 projects – were asked to provide information on the issues that they were privy to in their projects. Brainstorming techniques were used to make a list of all issues. Each activity in the network diagram was dissected to drill down to potential issues. For instance, drilling down to the activity of transporting material to a site revealed several issues, including material damage due to road conditions and a requirement for special vehicles. The issues were translated into a cause-and-effect diagram (Figure 5).

Common tools: Brainstorming; strengths, weaknesses, opportunities and threats (SWOT) analysis; cause and effect diagrams; data collection plans

Analyze Phase Meets Project Risk Analysis

Analyze phase: This phase in Six Sigma involves determining the cause-and-effect relationship based on statistical significance to the project goals. Steps include identifying value and non-value-added process steps and drilling down to the vital few x’s. Based on the data collected, the Black Belt tries to identify correlations, causations and trends. The key element of the Analyze phase is to identify the issues that require the most attention based on quantified values.

Project risk analysis: This includes assessment of the likelihood and impact of the identified risks. The identified risks are still considered as issues from past projects. There are two types of analysis: qualitative and quantitative. In analyzing risks, practitioners look closely at two aspects: probability and impact (sometimes referred to as effect or consequence). Risk probability is the likelihood of occurrence of the risk event; the scales can be numeric or descriptive. Quantitative risk analysis includes distributions, simulations and decision-tree analysis. The key element of analysis is to quantify the identified risk.

Case study example: The Black Belt team collected the cost of overruns for all the issues and compiled it in a Pareto chart (Figure 6). This indicated the cost of a risk occurring. A Pareto was also created to identify the probability of a risk happening again based on historical information.

Common tools: Pareto charts, regression analysis, statistical analysis, hypothesis testing, Monte Carlo simulation

Improve Phase Meets Project Risk Response Planning

Improve phase: This phase in Six Sigma involves developing potential solutions based on the root causes identified. The assumption is that solutions to make an impact on the root causes will subsequently have an impact on the project goals. Operating tolerances are documented, and pilot studies are validated for their impact. It includes putting into action solutions that have a sound statistical, data-driven basis after conducting a cost-benefit analysis.

Project risk response planning: Examining options and deciding on actions to enhance opportunities and reduce risks are a part of this activity. Responses are validated for appropriateness and cost effectiveness and are agreed upon by all parties involved in the response plans. Common strategies for responses include:

• Avoid – Change the project management plan to eliminate the threat posed by an adverse risk.
• Transfer – Shift the negative impact of a threat, along with ownership of the response, to a third party. Does not eliminate the risk.
• Mitigate – Reduce the probability and/or impact of an adverse risk event to an acceptable threshold.
• Acceptance – Decide not to deal with a risk, or be unable to identify any other suitable response strategy.

Case study example: A sample of the responses identified by the Black Belt:

Risk: Damage of hardware in transportation
Response: Have special packaging for the hardware to prevent damage during transit

Risk: Delay at customs because customs duty is not paid
Response: Assign responsibility to ensure customs duty paid

Control Phase Meets Project Risk Monitoring and Control

Control Phase: This phase includes:

• Implementing statistical process control to ensure that results are sustainable.
• Implementing transfer plans and hand-off procedures.
• Verifying results through a cost-benefit analysis.
• The creation of a control plan to ensure that processes are monitored and action plans are in place when there are significant deviations.

Project risk monitoring and control: This step involves managing the project according to the risk response plan. The project team keeps track of identified risks by looking out for warning signals. Corrective actions are evaluated and the risk response plans are reviewed and evaluated. Risk reassessments are on the agenda of team meetings as apart of risk control. Documents are updated for the actual outcomes of project risks as lessons are learned.

Case study example: The Black Belt team put the risk response plans into action, and as a result inherent causes of variation in terms of cost overruns were reduced. Monitoring actual cost overruns indicated a reduction by 80 percent from the trend observed in previous projects. Some of the root causes indicated need for change beyond the project, placing onus on the performing organization’s operational departments, including the procurement department.

Common tools: Control charts, cost-benefit analysis, audits and assessments

Be Proactive About Risk

Using Six Sigma principles for risk management in projects aims to decrease the level of uncertainty in projects by addressing root causes. DMAIC helps in shifting a project manager’s focus from firefighting to proactive management of issues and risks. Some organizations treat project management as risk management, referring to the concept of managing the unknowns proactively. Applying DMAIC tools and knowledge to risk management translates into efficiency in projects through better decision-making and predictability.