CH 8

Project Risk Management Planning

8 - 1

Objectives

Define and recognize risk Define the contents of a risk management

plan Conduct a risk identification and prioritization

process Define the correct risk response strategy for

the organization

8 - 2

8 - 3

The Importance of Project Risk Management

Every IT project regardless of size, complexity, location, or organization contains some measure of risk

Aid the project team in assessing the impact a negative event will have on the project and how likely (generally expressed as a percentage or qualitative term) is the event to occur

8 - 4

The Importance of Project Risk Management

The PM’s objective: is not the removal of all risk, this simply can’t be done, but to identify and manage risks to the benefit of the project

Risks on a project can be a good thing if managed appropriately

The main objectives of risk management are to increase the probability and impact of positive outcomes and decrease the probability and impact of negative outcomes

8 - 5

The Importance of Project Risk Management

Unfortunately, many organizations don’t follow a formal risk management process and operate in a perpetual state of crisis management

Crisis management is the opposite of good risk management – organizations find themselves trying to figure out what to do about a problem after it has occurred instead of planning for issues in advance

This is also referred to as perpetual “fire fighting”

8 - 6

What Is Risk?

Dictionary definition of risk: “the possibility of loss or injury”

A Function of the {likelihood, and impact} An event if it occurs will have a negative

impact on one or more of: project scope, time, cost, quality, or resources

8 - 7

Reasons for Risk Management Makes aggressive risk-taking possible Decriminalizes risk Sets up projects for success with honest

evaluation of issues Bounds uncertainty Provides minimum-cost downside protection Protects against invisible transfers of

responsibility Save part of a failed effort Maximizes opportunity for personal growth Protects management from getting blindsided Focuses attention where it is needed

8 - 8

Risk Utility An organization’s approach to risk management is

driven by their risk utility or tolerance for risk Risk utility or risk tolerance is the amount of

satisfaction or pleasure received from a potential payoffUtility rises at a decreasing rate for a person who is risk-

averseThose who are risk-seeking have a higher tolerance for risk

and their satisfaction increases when more payoff is at stake

The risk-neutral approach achieves a balance between risk and potential payoff

8 - 9

Risk Utility Function and Risk Preference

8 - 10

Risk Management Planning Processes

Risk management planning: deciding how to approach and plan the risk management activities for the project

Risk identification: determining which risks are likely to affect a project and documenting their characteristics

Qualitative risk analysis: characterizing and analyzing risks and prioritizing their effects on project objectives

Quantitative risk analysis: measuring the probability and consequences of risks

Risk response planning: taking steps to enhance opportunities and reduce threats to meeting project objectives

8 - 11

Risk Management Planning

The main deliverable of risk management planning is the risk management plan!

The organization identifies, in the risk management plan, the approach, plan, and who will execute the risk management activities

The risk management plan is created early in the planning phase of the project and updated throughout the life of the project

8 - 12

Key Best Practices Manage projects by managing their risks Create and maintain a census of risks for each

project Track the causal risks, not just the ultimate

undesirable outcomes Assess each risk for probability and likely cost Predict for each risk the earliest symptom that

might indicate materialization

8 - 13

Key Best Practices

Appoint a risk officer, one person who is not expected to maintain a “Can-Do” attitude run the risk of bad information not getting communicated

Establish easy (perhaps anonymous) channels for bad news to be communicated up the hierarchy

8 - 14

Risk Management Plan Contents Methodology – approaches (process steps), tools,

and data sources that may be used to perform risk management

Roles and responsibilities to manage risks throughout the entire project

Budgeting for risk management activities (mitigation strategies)

Timing of risk management activities (how often are the risks reviewed, when will mitigation strategies be implemented)

8 - 15

Risk Management Plan Contents

Risk categories – high level used during identification (Technology, Customers, Performance, etc.)

Risk probability and impact scales (very likely to very unlikely 5 levels) or (just three low, medium, high) these scales need to be defined for consistency across projects and project managers

Format for the risk register and its use; how are risks communicated and tracked

8 - 16

Risk Identification

The first step is to identify as many risks as possible for the upcoming project with the knowledge that you can never see them all

Risk identification is not a one time process; but should be a continuous process of team members and stakeholders looking for new issues that may affect the success of the project

8 - 17

Risk Identification Techniques

Broad Organizational Categories Analogy Brainstorming Interviews Delphi Technique SWOT Analysis

8 - 18

Where to Look for Risks?

8 - 19

Success Criterion Points

User Involvement 19

Executive Management support 16

Clear Statement of Requirements 15

Proper Planning 11

Realistic Expectations 10

Smaller Project Milestones 9

Competent Staff 8

Ownership 6

Clear Visions and Objectives 3

Hard-Working, Focused Staff 3

Total 100

Broad Categories of Risk People (human resources) Technology (changes) Quality and performance issues Customers Vendors Management Funding Political Issues or Legal Issues Market Forces

8 - 20

Analogy

Uses information from past similar projects or the experience of team members to look for risks

Previous projects must be up to date!

8 - 21

Brainstorming Brainstorming is a non-structured or semi-structured

method of eliciting ideas from a group with the goal of generating a complete list of ideas

The key to running a successful brainstorming session is to foster an atmosphere that allows all ideas to be spoken regardless of likelihood

If everyone feels able to contribute to the discussion free from persecution or harassment a better more complete list of ideas will be generated If not possible other techniques to brainstorming are

available such as Delphi Technique or “Post-it Notes”

8 - 22

Delphi Technique Using this technique the participants are

unknown to each other so ideas can be generated without fear of ridicule

A moderator presents the question electronically to each participant who then generates ideas and sends them electronically to the moderator

The moderator accumulates all responses into one list which is then distributed for team comment. The comments are returned to the moderator for accumulation and dissemination

This process continues until a general consensus is reached

8 - 23

Post-it Notes During a short time interval such as five minutes, have

each participant write down on post-it notes as many ideas as they can think of putting one idea per post-it

Participants then hand their notes to the moderators who stick them on a chalk or white board. duplicate ideas are stuck on top of each other to reduce the number of entries. A list of ideas is then quickly generated and the team discusses the merits of each

Ideas which have close to zero probability of occurring or zero impact to the project are removed from the board

8 - 24

Post-it Notes The ideas that remain must then be rated for

likelihood and impact. A large matrix is drawn on the board similar to the probability and impact matrix (Figure 8-2). The post-it notes can then be moved around inside the matrix until the team agrees on each placement

Finally, generate the start of the risk register (figure 8-1) from the remaining post-it notes

8 - 25

Interviewing The project leader and other key members of

the team with interview skills, conduct personal one-on-one discussions with key stakeholders

The crucial aspect to successful interviewing is to make sure the stakeholders feel comfortable sharing ideas with the interviewer

The success of this technique is heavily dependent on the skills of the interviewer

8 - 26

SWOT Analysis SWOT is an acronym which stands for

Strengths, Weaknesses, Opportunities, and Threats which was first defined and used during project selection in Chapter 4

SWOT analysis offers a framework with which to conduct a brainstorming session, sticky-note exercise, or a Delphi Technique session

A key benefit of this technique is a focus on both sides of each issue; strengths versus weaknesses and opportunities versus threats

8 - 27

SWOT Analysis• Strengths – patents, strong brand name,

reputation, cost advantages from proprietary know-how, access to distribution networks

• Weaknesses – lack of patent, weak brand name, poor reputation, lack of access to distribution networks

• Opportunities – an unfilled customer need, arrival of new technologies, better regulations, international trade barriers

• Threats – shifts in consumer tastes away from, substitute products, worse regulations, trade barriers

8 - 28

Risk Register

8 - 29

Risk Register Contents Risk – name of the risk along with short

description. Some like to include a numbering scheme to make it easier to reference

Trigger event – explanation of the event or events that signal to the person monitoring that this risk is about to happen or has happened; looking at the root cause of the risk

Responsible – name of the person (preferred) or group/department responsible for monitoring the risk and executing mitigation activities

8 - 30

Risk Register Contents Consequence – explanation of the impact to

the project if the risk occurs Probability – an estimation of the likelihood

the risk will materialize and affect the project. The probability is often a qualitative rating (low, medium, high) or could be a more quantitative number

Mitigation – explanation of the strategy being used to lesson the chances the risk will occur

8 - 31

Qualitative Risk Analysis Subjective methods for qualifying each risk for

impact and probability of occurrence This usually involves a method which can be

done quickly in a short period of time with little resources

Risk qualitative tools and techniques includeInterviews with Subject Matter Experts Probability/Impact matrix

8 - 32

Interviews

Just as interviews were used to identify risks in the first place, they can be used to assess their impact and probability

In most cases discovering the risk and assessing its impact and probability is done during the same interview

Method works well based on the interviewer’s skills and the SME’s knowledge

8 - 33

Probability/Impact Matrix

The probability and impact matrix aids the project team in prioritizing which risks need more attention based on either their probability of occurring or the size of the impact to the project or both

8 - 34

Probability and Impact Matrix

8 - 35

Probability/Impact Matrix The columns represent the degree of impact to

the project’s scope, time, cost, and quality goals This example using a five level scale: zero to low

impact, low to medium, medium, medium to high, and high impact. The scores are determined by subject matter experts and historical data

The next step determine the probability that a risk will materialize again using expert judgment and historical data

8 - 36

Risk Rating Scores

8 - 37

Probability/Impact Matrix Once the risk has been given both a probability

score and an impact score it should be placed in the proper cell in the matrixIf the risk falls into one of the shaded areas, the

team should prepare mitigation strategies and monitor them closely

The number of shaded cells is dependent on the organization’s culture and risk utility

The key issue with qualitative risk assessment centers on the issue of estimator bias

8 - 38

Quantitative Risk Analysis Much like qualitative risk analysis, quantitative

risk analysis attempts to estimate the impact a risk may have on a project as well as the probability

The key difference between the two is that quantitative analysis is based on mathematical or statistical techniques to model the behavior of a particular risk

The decision whether to use quantitative or qualitative analysis techniques is made on a project by project basis and can be made on a risk by risk basis

8 - 39

Quantitative Risk Analysis Techniques

Decision trees with expected monetary value analysis

Simulation (Monte Carlo)

8 - 40

Decision Trees and Expected Monetary Value (EMV)

Decision tree analysis is generally used along with its graphical representation that describes a set of options under consideration along with estimated implications of each option

The analysis consists of costs, revenues (or benefits), and probabilities for each option path

The EMV analysis technique is a statistical concept that calculates the average outcome when dealing with unknown future scenarios

8 - 41

Decision Tree with EMV

8 - 42

Simulation Monte Carlo simulation was introduced back in

Chapter 6 as an aid in building accurate time estimates for WBS activities

It can also be used during quantitative risk analysis to simulate the impact a risk may have on project goals

Based on the probabilities of various outcomes, similar to the decision tree analysis example, the simulation can be run multiple times based on the frequency distribution to determine the expected outcomes with probabilities

8 - 43

Monte Carlo Analysis Simulation during the risk management

process is generally used to determine cost and schedule outcomes using three point estimates of task durations

8 - 44

Risk Response Planning After identifying and quantifying risk, you must

decide how to respond to them Four main strategies:

Risk avoidance: eliminating a specific threat or risk, usually by eliminating its causes

Risk acceptance: accepting the consequences should a risk occur without trying to control it

Risk transference: shifting the consequence of a risk and responsibility for its management to a third party internal or external to the organization

Risk mitigation: reducing the impact of a risk event by reducing the probability of its occurrence

8 - 45

Mitigation StrategiesThe final step after the risk response has been

chosen; update the risk register with the mitigation strategy: fallback plans, contingency plans, and contingency reserves. Fallback plansContingency plans. Contingency reserves

Contingency plans use the contingency reserves to meet project objectives

8 - 46

Risk Management Process Steps

1. Build/choose the risk management plan format

2. Identify risks3. Risk assessment4. Complete the risk register5. Complete the risk management plan (budget,

schedule of activities, any specific tools needed)

8 - 47