Tools and techniques for the risk manager

A number of software tools and management frameworks are available to give government risk management initiatives some teeth.

One challenge has been that unlike discrete industry sectors such as automotive or financial services, the information technology industry is broad, making it difficult to develop relevant prepackaged risk management modeling tools. Nevertheless, the products that are available are beginning to mature, industry experts say.

One example is a risk and decision analysis software product called @Risk from Palisade Corp. @Risk uses the Monte Carlo method to evaluate possible outcomes across a variety of risk factors. Monte Carlo is a simulation technique first used by scientists developing the atom bomb and named after the location of the first casinos. In the IT program context, it can provide users with numeric values based on risk outcomes.

Another package frequently cited by risk management experts is Decisioneering Inc.'s Crystal Ball 2000 software, which is also based on Monte Carlo simulation.

"Not long ago, Monte Carlo simulation was too difficult to learn and use," said J. Davidson Frame, academic dean of the University of Management and Technology. "With today's PC-based software, some Monte Carlo simulators have been developed that you can learn to use in a half-hour."

For instance, both @Risk and Crystal Ball 2000 work in conjunction with Microsoft Corp.'s Excel spreadsheet application to generate Monte Carlo models of possible risk outcomes. Palisade also offers tools that work with Microsoft's MS Project to use Monte Carlo simulation methods on project schedules, Frame said.

The city of Tampa, Fla., tapped Digital Sandbox Inc. for its Site Profiler risk management solution, which creates risk assessment reports in Microsoft Word. Site Profiler can be used to build and manage a "library of plausible threats," according to the company.

Software may be improving, but such packages have yet to catch on in government, according to Keith Kerr, a senior consulting manager at Robbins-Gioia LLC. "We haven't seen our federal customers using too many sophisticated risk management software/tool packages," he said. Instead, Kerr and others stress the value of solid risk management processes over technical tools.

Some recommend use of a broad risk management framework such as Six Sigma to ride herd over a project's many potential risk factors. Developed by Motorola Inc. more than a decade ago, Six Sigma was designed to help manufacturers keep product defects to a minimum.

Six Sigma has since been expanded to pull in program management essentials such as customer focus, organizational culture and overarching goals of quality and performance.

"Six Sigma is an approach, structure or framework that allows you to look at a project upfront and go through a methodical process to define, measure and control risks," said Kent Bauer, principal consultant and director of GRT Corp.'s Knowledge Management Office.

Some program managers are also turning to the Carnegie Mellon University Software Engineering Institute's Capability Maturity Model product suite to help manage project risks.

"CMM was developed for software," said Tom O'Rourke, a senior consultant at Total Quality Organization. But the institute and others have built on CMM concepts to expand use of the framework for more comprehensive IT undertakings, he said.