Chapter 5:

Project Risk Management

Learning Objectives
🞂 Understand risk and the importance of good project risk
management
🞂 Discuss the elements of planning risk management and
the contents of a risk management plan
🞂 List common sources of risks on information technology
(IT) projects
🞂 Describe the process of identifying risks and create a
risk register
🞂 Discuss qualitative risk analysis

2
Learning Objectives (cont’d)
🞂Explain quantitative risk analysis
🞂Discuss how to control risks

Information Technology Project

Management, Eighth Edition 3
The Importance of Project Risk Management

🞂Project risk management is the art and science of

identifying, analyzing, and responding to risk
throughout the life of a project and in the best
interests of meeting project objectives

🞂Risk management is often overlooked in projects,

but it can help improve project success by helping
select good projects, determining project scope,
and developing realistic estimates

4
Benefits from Software Risk Management
Practices*

*Source: Kulik and Weber, KLCI Research Group

5
Negative Risk or threat
🞂A dictionary definition of risk is “the
possibility of loss or injury”
🞂Negative risk involves understanding
potential problems that might occur in the
project and how they might block project
success

6
Positive Risk or Opportunities
🞂Positive risks are risks that result in good
things happening; sometimes called
opportunities
🞂A general definition of project risk is an
uncertainty that can have a negative or
positive effect on meeting project
objectives
🞂The goal of project risk management is to
minimize potential negative risks while
maximizing potential positive risks
7
Project Risk Management Processes

🞂Planning risk management : Deciding how to

approach and plan the risk management activities for
the project
🞂Identifying risks: Determining which risks are likely
to affect a project and documenting the
characteristics of each
🞂Performing qualitative risk analysis: Prioritizing
risks based on their probability and impact of
occurrence

8
Project Risk Management Processes
🞂Performing quantitative risk analysis:
Numerically estimating the effects of risks on project
objectives
🞂Planning risk responses: Taking steps to enhance
opportunities and reduce threats to meeting project
objectives
🞂Controlling risk: Monitoring identified and residual
risks, identifying new risks, carrying out risk
response plans, and evaluating the effectiveness of
risk strategies throughout the life of the project

Information Technology Project

Management, Eighth Edition 9
Planning Risk Management
🞂The main output of this process is a risk
management plan—a plan that documents the
procedures for managing risk throughout a
project
🞂The project team should review project
documents and understand the organization’s
and the sponsor’s approaches to risk
🞂The level of detail will differ with the needs of the
project

10
Contingency and Fallback Plans,
Contingency Reserves
🞂 Contingency plans are predefined actions that the project
team will take if an identified risk event occurs
🞂 Fallback plans are developed for risks that have a high
impact on meeting project objectives, and are put into effect
if attempts to reduce the risk are not effective
🞂 Contingency reserves or Contingency allowances are
provisions held by the project sponsor or organization to
reduce the risk of cost or schedule overruns to an
acceptable level;
🞂 Management reserves are funds held for unknown risks
that are NOT part of the cost baseline but ARE part of the
budget and funding requirements
11
 Broad Categories of Risk
🞂 Market risk : Will the new service or product be useful to the
organization or marketable to others? Will the users accept it? Will
someone else create a better product?

🞂 Financial risk : Can the organization afford to undertake the

project? Will the project meet NPV, ROI and payback estimates?

🞂 Technology risk : is the project technically feasible? Is it leading

edge or bleeding edge technology?

🞂 People risk : Are people with appropriate skills available to help

complete the project? Does senior management support the
project?

🞂 Structure/process risk : What is the degree of change the new

project will introduce into user areas and business procedures?
With how many other systems does a new project/system need to
interact?

12
Risk Breakdown Structure
🞂A risk breakdown structure is a hierarchy of
potential risk categories for a project

🞂Similar to a work breakdown structure but used to

identify and categorize risks

13
Identifying Risks
🞂Identifying risks is the process of understanding
what potential events might hurt or enhance a
particular project
🞂Risk identification tools and techniques
include:
◦ Brainstorming
◦ The Delphi Technique
◦ Interviewing
◦ SWOT analysis

14
Brainstorming
🞂Brainstorming is a technique by which a group
attempts to generate ideas or find a solution for a
specific problem by amassing ideas spontaneously
and without judgment
🞂An experienced facilitator should run the
brainstorming session
🞂Be careful not to overuse or misuse brainstorming.
◦ Psychology literature shows that individuals produce a
greater number of ideas working alone than they do
through brainstorming in small, face-to-face groups
◦ Group effects often constrain idea generation

15
Delphi Technique
🞂The Delphi Technique is used to derive a
consensus among a panel of experts who make
predictions about future developments

🞂Uses repeated rounds of questioning and written

responses and avoids the biasing effects possible
in oral methods, such as brainstorming
◦ Requires a panel of experts for the particular area in
question

16
Interviewing
🞂Interviewing is a fact-finding technique for collecting
information in face-to-face, phone, e-mail, or instant-
messaging discussions

🞂Interviewing people with similar project experience is

an important tool for identifying potential risks

SWOT Analysis
🞂SWOT analysis (strengths, weaknesses,
opportunities, and threats) can also be used during
risk identification

🞂Helps identify the broad negative and positive risks

that apply to a project
17
Performing Qualitative Risk Analysis
🞂After identifying risks, the next step is to
understand which risks are most important
🞂Assess the probability and impact of identified
risks to determine their size and priority
🞂Risk quantification tools and techniques include:
◦ Probability/impact matrixes
◦ The Top Ten Risk Item Tracking
◦ Expert judgment

18
Probability/Impact Matrix
🞂A probability/impact matrix or chart lists the
relative probability of a risk occurring on one side of
a matrix or axis on a chart and the relative impact of
the risk occurring on the other
🞂List the risks and then label each one as high,
medium, or low in terms of its probability of
occurrence and its impact if it did occur

19
Sample Probability/Impact Matrix

Information Technology Project

Management, Eighth Edition 20
Top Ten Risk Item Tracking
🞂Top Ten Risk Item Tracking is a qualitative risk
analysis tool that helps to identify risks and
maintain an awareness of risks throughout the life
of a project
🞂Establish a periodic review of the top ten project
risk items
🞂List the current ranking, previous ranking, number
of times the risk appears on the list over a period
of time, and a summary of progress made in
resolving the risk item

21
Example of Top Ten Risk Item Tracking

Information Technology Project

Management, Eighth Edition 22
Performing Quantitative Risk Analysis
🞂Often follows qualitative risk analysis, but both
can be done together
🞂Large, complex projects involving leading edge
technologies often require extensive quantitative
risk analysis
🞂Main techniques include:
◦ Decision tree analysis and Expected Monetary Value
(EMV)
◦ Simulation

23
Decision Trees and Expected
Monetary Value (EMV)
🞂A decision tree is a diagramming analysis
technique used to help select the best course of
action in situations in which future outcomes are
uncertain
🞂Estimated monetary value (EMV) is the product of
a risk event probability and the risk event’s
monetary value
🞂You can draw a decision tree to help find the EMV

24
Example
Expected Monetary Value (EMV) Example

27
Simulation
🞂Simulation uses a representation or model of a
system to analyze the expected behavior or
performance of the system
🞂Monte Carlo analysis simulates a model’s
outcome many times to provide a statistical
distribution of the calculated results
🞂To use a Monte Carlo simulation, you must have
three estimates (most likely, pessimistic, and
optimistic) plus an estimate of the likelihood of the
estimate being between the most likely and
optimistic values

29
Response Strategies for Positive Risks
🞂After identifying and quantifying risks, you must
decide how to respond to them
🞂Four main response strategies for negative risks:
◦ Risk avoidance – don’t use h/w or s/w if unfamiliar with
them
◦ Risk acceptance – prepare for risk with backup plan or
contingency reserves
◦ Risk transference – to deal with financial risk exposure, a
company may purchase special insurance for specific h/w
needed for a project. If h/w fails, insurer has to replace it.
◦ Risk mitigation – reduce probability of occurrence e.g., use
proven technology, buy maintenance or service contract

30
Controlling Risks
🞂Involves executing the risk management process to
respond to risk events and ensuring that risk
awareness is an ongoing activity performed by the
entire project team throughout the entire project
🞂Main outputs of risk control are:
◦ Work performance information
◦ change requests
◦ updates to the project management plan, other project
documents, and organizational process assets

Information Technology Project

Management, Eighth Edition 31
Chapter Summary
🞂Project risk management is the art and science of
identifying, analyzing, and responding to risk
throughout the life of a project and in the best
interests of meeting project objectives
🞂Main processes include:
◦ Plan risk management
◦ Identify risks
◦ Perform qualitative risk analysis
◦ Perform quantitative risk analysis
◦ Plan risk responses
◦ Control risks

32