1

The Importance of Project Risk ManagementProject risk management is the art and science

of identifying, assigning, and responding to risk throughout the life of a project and in the best interests of meeting project objectives

Risk management is often overlooked on projects, but it can help improve project success by helping selecting good projects, determining project scope, and developing realistic estimates

Study has shown how risk management is neglected, especially on IT projects

2

The Importance of Project Risk ManagementKPMG 2001 study found that:

55 % of runaway projects (projects that have significant cost or schedule overruns) did no have risk mgmt at all

38% did some (but half didn’t use their risk findings)

7% didn’t know whether they have risk mgmt or not

This study suggest risk mgmt important to improve project success and prevent runaway project

3

4

What is Risk?

A dictionary definition of risk is “the possibility of loss or injury”

Project risk involves understanding potential problems that might occur on the project and how they might impede project success

Risk management is like a form of insurance; it is an investment

5

What is Project Risk Management (PRM)?

PRM goal : to minimize potential risks while maximizing potential opportunities. Major processes includea. Risk management planningb. Risk identificationc. Risk analysisd. Risk response planninge. Risk monitoring and control

6

a. Risk Management PlanningIs the process of deciding how to approach

and plan for risk mgmt activitiesThe main output of risk management

planning is a risk management plan (RMP)The project team should review project

documents and understand the organization’s and the sponsor’s approach to risk

RMP include Summary results of other processes - risk

identification, risk analysis, response planning and monitoring & control processes

Roles & responsibility for managing riskResources required to manage risks

7

8

Others Similar PlanContingency plans are predefined actions that the

project team will take if an identified risk event occurs.Ex: if the project team knows that a new release of a

software package may not be available in time for them to use it for their project, they might have a contingency plan to use the existing, older version of the software.

Fallback plans define actions to be taken if attempts to reduce fails.

Contingency reserve or allowances are provisions held by the project sponsor that can be used to mitigate cost or schedule risk if changes in scope or quality occur.Ex: if a project appears to be off course because the staff

is inexperienced with some new technology, the project sponsor may provide additional funds from contingency reserves to hire outside consultant to train and advise the project staff in using the new technology.

9

Common Sources of Risk on Information Technology Projects

Several studies show that IT projects share some common sources of risk

The Standish Group developed an IT success potential scoring sheet based on potential risks

Risk questionnaire to help access riskOther broad categories of risk help identify

potential risks

10

11

Success Criterion Points

User Involvement 19

Executive Management support 16

Clear Statement of Requirements 15

Proper Planning 11

Realistic Expectations 10

Smaller Project Milestones 9

Competent Staff 8

Ownership 6

Clear Visions and Objectives 3

Hard-Working, Focused Staff 3

Total 100

Other Categories of RiskMarket risk: Will the new product be useful

to the organization or marketable to others? Will users accept and use the product or service?

Financial risk: Can the organization afford to undertake the project? Is this project the best way to use the company’s financial resources?

Technology risk: Is the project technically feasible? Could the technology be obsolete before a useful product can be produced?

12

b. Risk IdentificationRisk identification is the process of understanding what

potential unsatisfactory outcomes are associated with a particular project

Output – list of identified risksReview past risk on similar projectTools & techniques

Brainstorming – technique by which a group attempts to generate ideas/find a solution for a specific problem by amassing ideas spontaneously and without judgment. Small group face-to-face

The Delphi technique – to derive a consensus among a panel of experts who make predictions about future developments. Uses repeated rounds of questioning and written responses,

including feedback to earlier-round responses, to take advantage of group input, while avoiding the biasing effects possible in oral panel deliberations.

Interviewing – a fact-finding technique for collecting information in face-to-face/telephone discussions. Through email & instant messaging

SWOT analysis Checklist

13

14

Knowledge Area Risk Conditions

Integration Inadequate planning; poor resource allocation; poor integrationmanagement; lack of post-project review

Scope Poor definition of scope or work packages; incomplete definitionof quality requirements; inadequate scope control

Time Errors in estimating time or resource availability; poor allocationand management of float; early release of competitive products

Cost Estimating errors; inadequate productivity, cost, change, orcontingency control; poor maintenance, security, purchasing, etc.

Quality Poor attitude toward quality; substandarddesign/materials/workmanship; inadequate quality assuranceprogram

Human Resources Poor conflict management; poor project organization anddefinition of responsibilities; absence of leadership

Communications Carelessness in planning or communicating; lack of consultationwith key stakeholders

Risk Ignoring risk; unclear assignment of risk; poor insurancemanagement

Procurement Unenforceable conditions or contract clauses; adversarial relations

Example risk in project life cycle

Phase Possible risk

Requirement

Definition

•Misunderstanding user/client requirements •Lack of communication or lack of user involvement in determining requirement

Analysis/

Design

•Misinterpretation of requirement•Making assumptions on what users want or need•Incomplete design specification

Testing •Inadequate testing•User not accepting the system

15

c. Risk Analysis

Can be done quantitatively and qualitatively

Qualitative tools and techniques include Probability/Impact matrixesThe Top 10 Risk Item Tracking techniqueExpert judgment

16

17

- Top 10 Risk Item TrackingTop 10 Risk Item Tracking is a tool for

maintaining an awareness of risk throughout the life of a project

Establish a periodic review of the top 10 project risk items

List the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item

18

19

Monthly Ranking

Risk Item This

Month

Last

Month

Numberof Months

Risk ResolutionProgress

Inadequateplanning

1 2 4 Working on revising theentire project plan

Poor definitionof scope

2 3 3 Holding meetings withproject customer andsponsor to clarify scope

Absence ofleadership

3 1 2 Just assigned a newproject manager to leadthe project after old onequit

Poor costestimates

4 4 3 Revising cost estimates

Poor timeestimates

5 5 3 Revising scheduleestimates

- Expert Judgment

Many organizations rely on the intuitive feelings and past experience of experts to help identify potential project risks

Experts can categorize risks as high, medium, or low with or without more sophisticated techniques

20

Risk Analysis: Quantitative Risk

Often follows qualitative risk analysis, but both can be done together or separately

Large, complex project involving leading edge technologies often require extensive quantitative risk analysis

Main techniques includeDecision tree analysissimulation

21

- Decision Trees and Expected Monetary Value (EMV)

A decision tree is a diagramming method used to help you select the best course of action in situations in which future outcomes are uncertain

EMV is a type of decision tree where you calculate the expected monetary value of a decision based on its risk event probability and monetary value

22

23

d. Risk Response PlanningAfter identifying and quantifying risk, you must decide how to

respond to themFour main strategies:

Risk avoidance: eliminating a specific threat or risk, usually by eliminating its causes A project team may decide to continue using a specific of hardware/software on a

project because they know it works. Other products that could be used on the project may be available, but if the team is unfamiliar with them – could cause significant risk.

Risk acceptance: accepting the consequences should a risk occur A project team planning a big project review meeting could take an active approach

to risk by having a contingency plan if they cannot get approval for a specific site for the meeting.

Risk transference: shifting the consequence of a risk and responsibility for its management to a third party A project team may purchase special insurance/warranty protection for specific

hardware needed for a project. If the hardware fails, the insurer must replace it within an agreed-upon period of time.

Risk mitigation: reducing the impact of a risk event by reducing the probability of its occurrence Include using proven technology, having competent project personnel, using various

analysis and validation techniques, and buying maintenance/service agreements from subcontractors.

24

25

e. Risk Monitoring and Control

Monitoring risks involves knowing their statusControlling risks involves carrying out the risk

management plans as risks occurWorkarounds are unplanned responses to risk

events that must be done when there are no contingency plans

Input: risk reassessment, risk audits, technical performance measurement, status meeting. And others

The main outputs of this process are corrective action, project change requests, recommended corrective and preventive actions, and updates to other plans

26

Using Software to Assist in Project Risk Management

Databases can keep track of risks. Many IT departments have issue tracking databases

Spreadsheets can aid in tracking and quantifying risks

27

Results of Good Project Risk Management

Unlike crisis management, good project risk management often goes unnoticed

Well-run projects appear to be almost effortless, but a lot of work goes into running a project well

Project managers should strive to make their jobs look easy to reflect the results of well-run projects

28

Discussion

1. Find a template or example of risk management plan.

2. List 2 possible risks in each of the software development life cycle phase?

a. Analysis or design phaseb. Development or production phasec. Testing phase

29