Miguel Nunes email: [email protected] Information Systems Project Management IS Project Risk Management


Post on 24-Dec-2015


Aims of this Session

• To present and discuss risk management issues:

• define risk;
• discuss how we can manage risk;
• consider how to minimise and control risk.

An Information System can be defined technically as a set of interrelated components that collect, process, store and retrieve, and distribute information to support decision making, co-ordination and control in an organisation.

An information system is an organisational and management solution, based on information and communication technology, to a challenge posed by the environment.

Information System Definition

A system that assembles, stores, processes and delivers information relevant to an organisation (or socio-technical environment), in such a way that the information is accessible and useful to those who wish to use it as required by their activity practices, including managers, staff, customers, suppliers, other business partners and citizens.

An IS is therefore a human-activity system which may or may not involve the use of IT-based systems.

Any IS project has at least 4 stages:

• start-up;
• development;
• completion;
• operational.

Types of IS Project Resources

A resource is any item or person required for the execution of the project (from clips to key technical personnel).

In general resources can be categorised as follows:

• Labour (also known as Human Resources);
• Equipment;
• Materials;
• Space;
• Services;
• Time;
• Budgetary resources.


These team members may take one or more of the following types of roles:


Management: Project Manager; Quality Manager; Risk Manager; Configuration and Integration Manager;

Technical: Analysts and Designers; Programmers; Graphics Designer; Database Administrator; Implementation Officer;

Support: Users; Testers; Project Champion; Secretaries; Clerks; Training Officer;

Organising: Steering Committee; User Group; Risk Management Committee; Joint Application Development Team.

And more ...

Human resources are very expensive (typically 80% of the budget of the project), and the more specialised the resources are, the scarcer and more expensive they become.

Human resource allocation depends on:

• Management Style of Project Manager;
• Type and nature of the project;
• IS Methodology Selected;
• Constraints and Budget of the Project.


Time is a resource that is very scarce and limits the use of other resources.

Time allocation in the plan depends on IS methodology, effort estimation, quality standards used, risk management and the use of human resources.

IS Development Methodologies

“a coherent collection of concepts, beliefs, values and principles supported by resources to help a problem-solving group to perceive, generate, assess and carry-out in a non-random way changes to the information system”

(Avison and Wood-Harper, 1990)

1. Set of methods for tackling the different problems involved.

2. Sound theoretical basis in order to understand why and when to use the methods.

IS Development Methodologies

A collection of procedures, techniques, tools and documentation aids that help developers in their efforts to understand users, their socio-technical environment, their work practices and their information needs.

IS Methodologies consist of phases which will guide the systems developers in what to do and in their choice of techniques that might be appropriate at each stage. Each phase may contain subphases.

These phases (or stages, or main activities) form the IS Project and help manage, control and evaluate the project.


There are 3 main types of methodologies in use today:

• Structured Approaches (e.g. SSADM);
• Agile Methodologies:
  - Prototyping approaches (e.g. RAD or DSDM);
  - Incremental approaches (e.g. XP or SCRUM);
• Object Oriented Approaches (e.g. UML).


IS Development Methodologies

Process-Based Estimation

Allocation of time and human resources should be based on Process-Based Estimation ... supported by DTL and WBS and expressed in terms of Gantt and CPM charts.

• Process decomposition of:
  - Stages into activities;
  - Activities into tasks.
• Consideration of past experience and data from past projects through:
  - expert judgement; or
  - analogy.
• Consideration of “special factors” (individual skill, support tools, communication and co-ordination problems);
• Estimation of effort required for each individual task.

Quality Assurance

• Evaluate the results of the different stages throughout the whole project;

• Confirm that these results have been appropriately reached by the scheduled date;

• Confirm that the work is done to internal, external and professional standards;

• Ensure the existence of appropriate communications between the different parts involved and especially between IT/IS Specialists and Customers.

Quality Assurance

Quality of Conformance: checks every deliverable associated with each milestone against agreed requirements, objectives and functionality as well as external and professional standards (validation).

Quality of the Process: checks the suitability of the processes associated with achieving a specific milestone against their agreed purpose or function including both internal and external standards and needs (verification).

Information Systems Project Planning

Time allocation in the plan depends on the IS methodology selected, effort estimation, quality standards used, risk management and the use of human resources.

Questions answered:

• What IS Methodology to use?
• Who will do the work?
• When will the work be done?
• How long will each of the stages, activities and tasks last?
• What type of quality do we need in our work and product?

Question remaining:

What risks are we willing to run?

Risk Definition

Risk is the occurrence of an event that has consequences or impacts.

Risk Definition

Risk is the occurrence of an event that has consequences for, or impacts on, projects

(Kliem and Ludin, 2000).

All projects involve risk of some sort.

This risk may stem:

• from the nature of the work;
• from the type of resources available;
• from the contractual relationship which is in place or from the political factors which influence the project.


Risk Definition

"First, risk concerns future happenings. Today and yesterday are beyond active concern, as we are already reaping what was previously sowed by our past actions. The question is, can we, therefore, by changing our actions today, create an opportunity for a different and hopefully better situation for ourselves tomorrow.

Second, that risk involves change, such as changes of mind, opinion, actions, or places.

Third, risk involves choice, and the uncertainty that choice itself entails. Thus paradoxically, risk, like death and taxes, is one of the few certainties in life."

(Charette, 1989)

Risk Definition

"While it is futile to try and eliminate risk, and questionable to try and minimise it, it is essential that the risks taken are the right risks."

(Drucker, 1975)

Risk always involves two major characteristics:

• Uncertainty - the event that characterises the risk may or may not happen, i.e. there are no 100% probable risks. A risk of 100% is a project constraint.

• Loss - if the risk becomes a reality, unwanted consequences or losses will occur.

• Opportunity - if the risk becomes a reality, positive outcomes can be accrued.

Areas of Risk

• The commercial background;

• The contract;

• The customer;

• The users;

• Acceptance criteria;

• Performance, reliability, availability and maintainability criteria;

• The functional requirements;

• The technical requirements;

• The project plan;

• The team's skills and levels of project staffing;

• The development environment;

• The development tools, methods and techniques;

• The target architecture;

• Bought-in items.

IS Risk Categorisation

Project Risks - identify potential budgetary, schedule, personnel (staffing and organisation), resource, customer, and requirements problems and their impact on a software project.

Technical Risks - identify potential design, implementation, interfacing, verification, and maintenance problems. Additionally, specification ambiguity, technical uncertainty, technical obsolescence and leading-edge technology may also result in technical risks.

Business Risks - identify business suitability, usefulness and validity problems, that is strategic, management, market, and budgetary risks.

Risk Categorisation

• Acceptable vs. non-acceptable risks;
• Short-term vs. long-term risks;
• Positive vs. negative risks;
• Manageable vs. non-manageable risks;
• Internal vs. external risks.

IS Risk Categorisation

Regardless of how risks are categorised, project managers have five key elements to consider:

• The probability of the occurrence of a risk;
• The frequency of the occurrence of a risk;
• The impact of an occurrence of a risk;
• The importance relative to other risks;
• The exposure or vulnerability created by the impact of a risk on a product, system or project.

IS Risk Management

Not all risks are equal; some have greater importance than others to a particular project's outcome.

Probability, frequency, impact, importance and exposure are the necessary factors in analysing the four vital steps in risk management: risk identification, risk analysis, risk control and risk reporting (Kliem and Ludin 2000).

IS Risk Management

IS developers and software engineers are eternal optimists and, when planning software projects, they often assume that everything will go exactly as planned (Wiegers, 1998).

This often results in reactive strategies for dealing with risk, which Tomsett (1992) called "The Indiana Jones School of Risk Management".

"Don't worry, I'll think of something!"

Really ???

IS Risk Management

Sadly, as noted by Pressman (1997), the average project manager is not Indiana Jones.

Consequently, this strategy often leads to unwanted surprises, when unexpected events happen, that throw the project off track.

Reactive strategies rather than proactive.

IS Risk Management

Reactive strategies will not provide early insight into what could go wrong.

• Resources will have to be spent correcting problems that could have been avoided sooner;

• Catastrophic problems (surprises) may occur without warning and sometimes with no recovery possible;

• Decisions will be made without complete information or adequate knowledge of future consequences;

• The overall probability of successful completion of the program is compromised, and the project will probably always be in a crisis.

IS Risk Management

Therefore, there is a need for a cultural shift from "fire-fighting" and "crisis management" to proactive decision making that considers and, if possible, avoids problems before they arise.

While we can never predict the future with certainty, we can apply structured risk management practices to peek over the horizon at the traps that might be looming, and take actions to minimise the likelihood or impact of these potential problems.

Risk management means dealing with a concern before it becomes a crisis.

IS Risk Management Framework

An IS Risk Management Framework provides a disciplined environment for proactive decision making to:

• assess continuously what could go wrong (risks);
• determine which risks are important to deal with;
• implement strategies to deal with those risks.

IS Risk Management Framework

Risk Identification

Risk identification is the process of examining a project and identifying areas of potential risk.

Risk identification is associated with the nature of the project, the IS methodology selected, the project team and the required quality assurance.

Risk Identification can be facilitated with the help of a checklist of common risk areas for IS projects, or by examining the contents of an organisational data warehouse of previously identified risks and mitigation strategies (both successful and unsuccessful).

Risk Assessment

Therefore, risks need to be identified in the planned stages, activities and tasks rather than holistically; that is, each activity needs to be examined and its associated risks assessed.

Risk assessment is also closely associated with the nature of the project, the IS methodology selected, the project team and the required quality assurance.

Remediation, mitigation or avoidance actions can then be devised to control risk.

Risk Assessment

Another example of Risk Assessment ...

Would an estimation for a particular programme component have the same impact if

- the programmer is very experienced;
- the programmer is very junior;
- in an SSADM team of 4 programmers working in parallel (3 seniors and 1 junior);
- in an XP team of two programming pairs (2 seniors and 1 senior + 1 junior)?

Why?

Risk Assessment

Example of Risk Assessment …

Would an error in the specification of a particular requirement have the same impact in

- SSADM Requirement Specification Document;
- XP user story;
- RAD JAD document; or
- UML use case?

Why?

Risk Control

Risk control is the process by which project managers identify the measures, or controls, to establish in order to lessen or to avoid the impact of an identified risk on a process.

Common strategies used in risk control include:

• Avoidance;
• Diversification;
• Proactive planning;
• Sharing: Distribute a portion of the risk through a contract with another party, such as insurance;
• Transference: Distribute all of the risk through a contract with another party, such as outsourcing;
• Acceptance: Allow minor risks to exist to avoid spending more on managing the risks than the potential harm.

Recording Risk

ID | Risk Description | P | L | E | First Indicator | Risk Mitigation Approach | Who | Due

• Risk Description: List each major risk facing the project. Describe each risk in the form "condition – consequence". Example: "Subcontractor’s staff does not have sufficient technical expertise, so their work is delayed for training and slowed by learning curve."

• P, L, E: *P *L *E

• First Indicator: For each risk, describe the earliest indicator or trigger condition that might indicate that the risk is turning into a problem.

• Risk Mitigation Approach: For each risk, state one or more approaches to control, avoid, minimize, or otherwise mitigate the risk. Risk mitigation approaches should yield demonstrable results, so you can measure whether the risk exposure is changing.

• Who: Assign each risk mitigation to an individual.

• Due: State a date by which the mitigation approach is to be implemented.

To Sum up ...

A formal risk management process provides a number of benefits to the project team:

• First, it provides a structured mechanism to identify and control threats to project success.

• By considering the potential impact of each risk item, we can make sure we focus on controlling the most severe risks first.

• A team approach allows the various project stakeholders to collaboratively address their shared risks, and to assign responsibility for risk mitigation to the most appropriate individuals.

• We can combine risk assessment with project estimation to quantify possible schedule slippage if certain risks materialise into problems.

Ahh …but this is a bit boring ….

Project Management

What has happened? What is happening? What is going to happen?

• What: What needs to be done?
• How: How are we going to do it?
• When: When are we doing it?
• Who: Who is going to do it?
• What: What is the quality of our work and product?
• What: What are the risks involved?

Project Management

• Planning and Organising (What and How)
• Estimating (When and Who)
• Scheduling and Monitoring (awareness of progression, remediation action, quality assurance)

Planning and Organising

(What and How)

Understanding requirements;

Selecting a methodology;

Selecting a Team;

Estimating Effort;

Determining deliverables and milestones;

Determining verification and validation checks.

Determining and assessing risks.

Determining risk control and monitoring strategies.

This module’s question:

“We know why projects fail, we know how to prevent their failure -- so why do they still fail?” Cobb (1995)

Old question!???

But maybe now we have an answer


That is it? That is IS Project Management?

Really !!!???

Ahhhhh !!! Not so boring after all ...

Your Turn now !!!!

• Group 1 - UML
• Group 2 - XP
• Group 3 - RAD
• Group 4 - SSADM

For Tomorrow:

Produce the risk record identifying ALL the risks associated with all main activities that your methodology needs for the specific IS Project for the case study. Assess those risks and devise any needed mitigation strategies. Represent these in your Gantt chart (4 group members work on this).

Select 1 representing PM for your group and prepare a 15 minute presentation of your project plan in PowerPoint (1 group member works on this).