1

Chapter 10:Project Risk Management

adopted from PMI’s PMBOK 2000 and

Textbook : Information Technology Project Management

2

Contents

• The Importance of Project Risk Management• Project Risk Management process

– Risk management planning– Risk identification– Qualitative risk analysis– Quantitative risk analysis– Risk response planning– Risk monitoring and control

• Results of good project risk management

Chapter 10

3

Typical Risk Management

4

The Importance of Project Risk Management

• Project risk management is the art and science of identifying, assigning, and responding to risk throughout the life of a project and in the best interests of meeting project objectives

• Risk management is often overlooked on projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimates

• Study by Ibbs and Kwak show how risk management is neglected, especially on IT projects

• KPMG study found that 55 % of runaway projects did no risk management at all

Chapter 10

5

• The goal of project risk management is to minimize potential risks while maximizing potential opportunities.

• Six processes include– Risk management planning– Risk identification– Qualitative risk analysis– Quantitative risk analysis– Risk response planning– Risk monitoring and control

What is Project Risk Management?

Chapter 10

planning

controlling

6

What is Project Risk Management?

• Risk management planning: deciding how to approach and plan the risk management activities for the project

• Risk identification: determining which risks are likely to affect a project and documenting their characteristics

• Qualitative risk analysis: characterizing and analyzing risks and prioritizing their effects on project objectives

• Quantitative risk analysis: measuring the probability and consequences of risks

• Risk response planning: taking steps to enhance opportunities and reduce threats to meeting project objectives

• Risk monitoring and control: monitoring known risks, identifying new risks, reducing risks, and evaluating the effectiveness of risk reduction

Chapter 10

7

Risk Management Planning

• 15th of 21 planning phase process• The main output of risk management planning is

a risk management plan• The project team should review project

documents and understand the organization’s and the sponsor’s approach to risk

• The level of detail will vary with the needs of the project

Chapter 10

8

Inputs to Risk Management Planning

• Project charter: formally recognizes the existence of a project

• Organization’s risk management policies: provide a predefined approach to risk analysis and response

• Defined roles & responsibilities: provide authority levels for decision-making.

• Stakeholder risk tolerances: indicators of how stakeholders might react in different situations and risk events

• Template for the organization’s risk management plan: pro-forma standard for used by the project

• WBS: a deliverable-oriented grouping of project elements that organized and defines the total scope of the project

9

Tools and technique

• Planning meetings– everyone responsible for planning and

executing activities.

10

Output

• Risk management plan– It documents procedures for managing risk

throughout the project– It details identification and quantification of

risk, responsibilities for managing risks, how contingency plans will be implemented, and how reserves will be allocated.

– other associated documents are• Contingency plan, feedback plan

11

Contingency and Fallback Plans, Contingency Reserves

• Contingency plans – provide predefined actions that the project team will

take if an identified risk event occurs

• Fallback plans– developed for risks that have a high impact on

meeting project objectives

• Contingency reserve or allowances– extra provisions held by the project sponsor that can

be used to mitigate cost or schedule risk if changes in scope or quality occur

Chapter 10

12

Risk Identification

• 16th of 21 planning phase process• Risk identification is the process of

understanding what potential unsatisfactory outcomes are associated with a particular project

• Risk identification is a facilitating planning process– Common Sources of Risk on Information Technology

Projects– Several studies show that IT projects share some

common sources of risk

13

Table 10-3. Information Technology Success Potential Scoring Sheet

Success Criterion Points

User Involvement 19

Executive Management support 16

Clear Statement of Requirements 15

Proper Planning 11

Realistic Expectations 10

Smaller Project Milestones 9

Competent Staff 8

Ownership 6

Clear Visions and Objectives 3

Hard-Working, Focused Staff 3

Total 100

Chapter 10

14

Other Categories of Risk

• Market risk:– Will the new product be useful to the organization or

marketable to others? Will users accept and use the product or service?

• Financial risk:– Can the organization afford to undertake the project?

Is this project the best way to use the company’s financial resources?

• Technology risk: – Is the project technically feasible? Could the

technology be obsolete before a useful product can be produced?

Chapter 10

15

Tools and Techniques

• Documentation reviews – provide a structure review of project plans and assumptions

• Information gathering– brainstorming, Delphi method, interviewing. SWOT analysis

• Checklists• provided by previous projects. • Assumptions analysis

– explores the assumptions and identifies potential risks

• Diagramming techniques– help to understand various cause-and-effect relationships.

Examples are cause-and-effect diagram. System or process flow-charts.

16

Outputs

• Risks – uncertain events or condition

• Triggers – symptoms of risks; indirect manifestation or actual risk events such as poor morale

• Inputs to other processes – for examples, constraints or assumptions

17

Qualitative Risk Analysis

• Qualitative Risk Analysis (17th of 21 planning phase process)

• It is the process to assess the impact and likelihood of identified risks.– determine their magnitude and priority

Chapter 10

18

Inputs:

• Risk management plan– It documents procedures for managing risk throughout the

project.

• Identified risk– taken from previous risk identification process. Evaluate these

risks for their potential impacts no the project.

• Project status– identifies risks through the project life cycle

• Project type– determines the amount of risk you can expect. Common or

recurrent projects have less risk, while state-of-the-art, first-time technology, or highly complex projects have more uncertainty.

19

Inputs

• Data precision– tests the value of data. Data precision measures the

extent of data available, reliability of the data, and source of the data

• Scales of probabilities and impact– assess the two key dimensions of risk (probability

and impact)

• Assumptions– identified during risk identification process. These

are used as part of evaluations.

20

tools and techniques

• Risk probabilities & impact – the two dimensions of specific risks. Risk probability is the likelihood that a risk will occur. Risk consequences (or impact), are the effect of project objectives if the risk event occurs

• Probabilities / Impact risk rating matrix – (also known as PI risk matrix)

• Project assumptions testing – performed against 2 criteria: assumption stability and the consequences on the project if the assumption is false.

• Data precision ranking – technique to evaluate the degree to which the data is useful for risk management. Data should be unbiased and accurate

21

Figure 10-2. Chart Showing High-, Medium-, and Low-Risk Technologies

22

Top 10 Risk Item Tracking

• Top 10 Risk Item Tracking is a tool for maintaining an awareness of risk throughout the life of a project

• Establish a periodic review of the top 10 project risk items

• List the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item

Chapter 10

23

Table 10-7. Example of Top 10 Risk Item Tracking

Monthly Ranking

Risk Item This

Month

Last

Month

Numberof Months

Risk ResolutionProgress

Inadequateplanning

1 2 4 Working on revising theentire project plan

Poor definitionof scope

2 3 3 Holding meetings withproject customer andsponsor to clarify scope

Absence ofleadership

3 1 2 Just assigned a newproject manager to leadthe project after old onequit

Poor costestimates

4 4 3 Revising cost estimates

Poor timeestimates

5 5 3 Revising scheduleestimates

24

Expert Judgment

• Many organizations rely on the intuitive feelings and past experience of experts to help identify potential project risks

• Experts can categorize risks as high, medium, or low with or without more sophisticated techniques

Chapter 10

25

Output

• Overall risk ranking for the project

• List of priorities risks

• List of risks for additional analysis and management

• Trends in qualitative risk analysis results

26

Quantitative Risk Analysis

• 18th of 21 planning phase process• A process that numerically analyses the

probability of each risk and its consequence on objectives.

• Often follows qualitative risk analysis, but both can be done together or separately

• Large, complex project involving leading edge technologies often require extensive quantitative risk analysis

Chapter 10

27

Inputs

• Risk management plan • Identified risk • List of prioritized risk • List of risk for additional analysis & management • Historical information• Expert judgment

– determines whether risks have a probability of occurrence (ranked H, M, L) and the level of impact (ranked Severe, moderate or limited)

• Other planning outputs

28

Tools and techniques

• Interviewing: using projects stakeholders and subject matter experts to quantify the probability and consequences of risk on project objectives.

• Sensitivities analysis: help to determine which risks have the greatest impact on the project. It is the simplest form of risk analysis. Sensitivity analysis examines the change of a single project variable to analyze its effect on the project plan.

• Decision tree analysis : identify possible options or outcomes. It forces consideration of the probability of each outcome

• Simulation : uses a model of system to analyze the behavior or performance of the system. Examples are Monte Carlo, Critical Path and PERT.

29

Decision Trees and Expected Monetary Value (EMV)

• A decision tree is a diagramming method used to help you select the best course of action in situations in which future outcomes are uncertain

• EMV is a type of decision tree where you calculate the expected monetary value of a decision based on its risk event probability and monetary value

Chapter 10

30

Figure 10-3. Expected Monetary Value (EMV) Example

31

Simulation

• Simulation uses a representation or model of a system to analyze the expected behavior or performance of the system

• Monte Carlo analysis simulates a model’s outcome many time to provide a statistical distribution of the calculated results

• To use a Monte Carlo simulation, you must have three estimates (most likely, pessimistic, and optimistic) plus an estimate of the likelihood of the estimate being between the optimistic and most likely values

Chapter 10

32

Risk Response Planning

• 19th of 21 planning phase process

• Involves developing options and determining actions to enhance opportunities to reduce threats to project objectives.

• After identifying and quantifying risk, you must decide how to respond to them

Chapter 10

33

Inputs

• Risk management plan - It documents procedures for managing risk throughout the project.

• List of prioritized risk - includes those grouped by ranks, WBS level, risks requiring immediate response, risk that can be handled later, and risk that affect cost, schedule, functionality and quality.

• Risk ranking of the project – indicates that overall risk position of a project relative to other projects by comparing risk scores.

• Prioritized list of quantified risks – identifies those that pose the greatest threat or opportunity to the project and proposes some means of measuring their impact

34

Inputs

• Probabilities analysis of achieving the cost and time objective – assessed under the current project plan and with the current knowledge of the project risks

• List of potential response – identifies specific risks or categories of risk. These list specify the actions the team will take.

• Risk thresholds – the acceptable level of risk to the organization, which influences risk response planning

• Risk owners – identifies staff to provide accountabilities for managing responses.

• Common risk causes – several risks driven by a common causes. This reveals opportunities to mitigate many risks with one response.

• Trends in qualitative & quantitative risk analysis result - become apparent as the analysis is repeated can make risk response more or less urgent and important.

35

Table 10-8. General Risk Mitigation Strategies for Technical, Cost, and Schedule Risks

Chapter 10

36

Tools and techniques

• Risk avoidance: eliminating a specific threat or risk, usually by eliminating its causes

• Risk acceptance: accepting the consequences should a risk occur

• Risk transference: shifting the consequence of a risk and responsibility for its management to a third party

• Risk mitigation: reducing the impact of a risk event by reducing the probability of its occurrence

37

Outputs

• Risk response plan • Residual risks

– remain after avoidance, transfer, or mitigation responses have been taken.

• Secondary risk – arise in direct result of implementing a risk response.

• Contractual agreements • Contingency reserve amounts needed • Inputs to other processes • Inputs to a revised plan

38

Risk Monitoring and Control

• 8 of 8 controlling phase process• This is the process of keeping track of the

identified risks, monitoring residual risk and identify new risks, ensuring the execution of risk plans, and evaluating the plans’ effectiveness in reducing risk.– Monitoring risks involves knowing their status– Controlling risks involves carrying out the risk

management plans as risks occur– Workarounds are unplanned responses to risk events

that must be done when there are no contingency plans

Chapter 10

39

Risk Response Control

• Risk response control involves executing the risk management processes and the risk management plan to respond to risk events

• Risks must be monitored based on defined milestones and decisions made regarding risks and mitigation strategies

• Sometimes workarounds or unplanned responses to risk events are needed when there are no contingency plans

Chapter 10

40

Using Software to Assist in Project Risk Management

• Databases can keep track of risks. Many IT departments have issue tracking databases

• Spreadsheets can aid in tracking and quantifying risks

• More sophisticated risk management software, such as Monte Carlo simulation tools, help in analyzing project risks

Chapter 10

41

Results of Good Project Risk Management

• Unlike crisis management, good project risk management often goes unnoticed

• Well-run projects appear to be almost effortless, but a lot of work goes into running a project well

• Project managers should strive to make their jobs look easy to reflect the results of well-run projects

Chapter 10

42

Outputs

• The main outputs of risk monitoring and control are corrective action, project change requests, and updates to other plans – Corrective action: This encompasses anything that

brings your expected performance back in line with the project plan. At this stage, it involves carrying out either your contingency plan or workaround.

– Project change requests: Implementing a contingency plan or workaround frequently requires changing the risk responses described in the project plan. Know the process flow and feedback loop.

43

Outputs (2)

– Updates to risk response plan: Document the risks that occur. Risks that don't occur should also be noted and closed out in the risk response plan. It's important to keep this up-to-date, and it becomes a permanent addition to project records, eventually feeding into lessons learned.

– Workaround plans

– Risk database

– Updates to risk identification checklists

44

Summary• Project Risk Management

– is the art and science of identifying, assigning, and responding to risk

• Project Risk Management process– Risk management planning: deciding how to approach and plan the

risk management activities for the project– Risk identification: determining which risks are likely to affect a

project and documenting their characteristics– Qualitative risk analysis: characterizing and analyzing risks and

prioritizing their effects on project objectives– Quantitative risk analysis: measuring the probability and consequences

of risks– Risk response planning: taking steps to enhance opportunities and

reduce threats to meeting project objectives– Risk monitoring and control: monitoring known risks, identifying new

risks, reducing risks, and evaluating the effectiveness of risk reduction

45

Summary 2

• Tools– charts – risk item tracking – expert judgment– decision trees– expected monetary value (EMV)

• Using software to assist project risk management– database, simulation, Monte Carlo

• Results of good project risk management– unusually un-notice, look easy but require a lot of good risk

management