Area 8: Project Risk

Management
 Learning Objectives
 Explain the concept of risk as it relates to project
management
 List the advantages of managing project risks
 Discuss the elements of planning risk management and the
contents of a risk management plan
 List common sources of risks on information technology (IT)
projects
 Describe the process of identifying risks and create a risk
register and risk report
 Discuss qualitative risk analysis and explain how to calculate
risk factors
 Learning Objectives

 Create probability/impact matrixes,

 Understand Top Ten Risk Item Tracking technique
 Explain quantitative risk analysis and how to apply
decision trees, simulation, and sensitivity analysis to
quantify risks
 Understand different types of risk responses
 Discuss how to monitor risks
 Describe how software can assist in project risk
management
 What is risk?
 A dictionary definition of risk is “the possibility of loss
or injury”
 An uncertain event or condition that, if it occurs, has
positive or negative effect on the project objectives.
 Risk management is like a form of insurance; it is an
investment.

5
 Managing Project Risk
 Project risk management is the art and science of
identifying, assigning, and responding to risk
throughout the life of a project and
 It is done in the best interests of meeting project
objectives
 But it can help improve project success by helping
 Select good projects,
 Determining project scope, and
 Developing realistic estimates

6
 Managing Project Risk

 Risk management is often overlooked

 Study shows that risk has the lowest maturity rating of
all the knowledge areas
 KPMG study showed that 55 projects that had schedule
and cost overruns – did no risk management at all
Benefits from Software Risk Mngt
 Why take risks?

Try to balance risks and opportunities

Risks Opportunities
9
 Risk utility
 Risk utility is the amount of satisfaction or pleasure received
from a potential payoff
 Utility rises at a decreasing rate for a person who is risk-averse
 Those who are risk-seeking have a higher tolerance for risk and
their satisfaction increases when more payoff is at stake
 The risk neutral approach achieves a balance between risk and
payoff
 The y-axis represents utility, or the amount of pleasure received
from taking a risk.
 The x-axis shows the amount of potential payoff or dollar value of
the opportunity at stake.

10
Risk utility function

11
 Risk utility function
 For example, a risk-averse organization might not purchase
hardware from a vendor who has not been in business for a
specified period of time.
 A risk-seeking organization might deliberately choose start-up
vendors for hardware purchases to gain new products with
unusual features that provide an advantage.
 A risk-neutral organization might perform a series of analyses to
evaluate possible purchase decisions.
 This type of organization evaluates decisions using a number of
factors—risk is just one of them
 Goal
 The goal of project risk management can be viewed as
minimizing potential negative risks while maximizing
potential positive risks.
 The term known risks is sometimes used to describe risks
that the project team has identified and analyzed.
 Known risks can be managed proactively.
 However, unknown risks, or risks that have not been
identified and analyzed, cannot be managed.
 Risk Management Processes
 Good project managers know it is good practice to take the
time to identify and manage project risks.
 Six major processes are involved in risk management
1. Planning risk management involves deciding how to
approach and plan risk management activities for the project.
The main output of this process is a risk management
plan.

2. Identifying risks involves determining which risks are

likely to affect a project and documenting the characteristics
of each.
The main outputs of this process are a risk register, risk
report, and project documents updates.
 Risk Management Processes

3. Performing qualitative risk analysis involves prioritizing

risks based on their probability of occurrence and impact.
After identifying risks, project teams can use various tools and
techniques to rank risks and update information in the risk
register. The main outputs are project documents updates.

4. Performing quantitative risk analysis involves

numerically estimating the effects of risks on project
objectives.
The main outputs of this process are project documents updates.
 Risk Management Processes

5. Planning risk responses: involves taking steps to enhance

opportunities and reduce threats to meeting project objectives.
Using outputs from the preceding risk management processes,
project teams can develop risk response strategies that often
result in change requests, updates to the project management
plan and project documents.
6. Implementing risk responses: Involves implementing the
risk response plans.
Outputs include change requests and project documents updates
 Risk Management Processes
7. Monitoring risk involves
 monitoring identified and residual risks,
 identifying new risks,

 carrying out risk response plans, and

 evaluating the effectiveness of risk strategies throughout the life

of the project.
The main outputs of this process include work performance
information, change requests, and updates to the project
management plan, project documents, and organizational process
assets.
 Risk Management Processes

Risk Risk
Risk analysis Risk planning
identification monitoring

Risk avoidance
List of potential Prioritised risk Risk
and contingency
risks list assessment
plans
 1. Planning Risk Management
 A risk management plan documents the procedures for
managing risk throughout the project
 It is also important to review the risk tolerances of various
stakeholders
 A risk management plan summarizes how risk management
will be performed on a particular project
 Like plans for other knowledge areas, it becomes a subset
of the project management plan
 In addition to a risk management plan, contingency plans,
fallback plans, contingency reserves, and management
reserves are also factored.
 Risk planning
 Contingency plans are predefined actions that the project
team will take if an identified risk event occurs
 Fallback plans are developed for risks that have a high
impact on meeting project objectives and are put into effect if
attempts to reduce the risk do not work
 Sometimes the terms contingency plan and fallback plan are
used interchangeably
 Contingency reserves are provisions held by the project
sponsor for possible changes in project scope or quality that
can be used to mitigate cost and/or schedule risk
 Management reserves are funds held for unknown risks that
are used for management control purposes. They are not part
of the cost baseline
21
 Sources of Risk or Risk types
 Market risk: Will the new product be useful to the
organization or marketable to others? Will users accept and
use the product or service?
 Financial risk: Can the organization afford to undertake the
project? Is this project the best way to use the company’s
financial resources?
 Technology risk: Is the project technically feasible? Could
the technology be obsolete before a useful product can be
produced?
 People Risk: Does the organization have people with
appropriate skills to complete the project successfully?
22
 9. Potential risk areas
Knowledge Area Risk Conditions
Integration Inadequate planning; poor resource allocation; poor integration
management; lack of post-project review
Scope Poor definition of scope or work packages; incomplete definition
of quality requirements; inadequate scope control
Time Errors in estimating time or resource availability; poor allocation
and management of float; early release of competitive products
Cost Estimating errors; inadequate productivity, cost, change, or
contingency control; poor maintenance, security, purchasing, etc.
Quality Poor attitude toward quality; substandard
design/materials/workmanship; inadequate quality assurance
program
Human Resources Poor conflict management; poor project organization and
definition of responsibilities; absence of leadership
Communications Carelessness in planning or communicating; lack of consultation
with key stakeholders
Risk Ignoring risk; unclear assignment of risk; poor insurance
management
Procurement Unenforceable conditions or contract clauses; adversarial relations

23
 Source of risks for IT projects
 Several studies show that IT projects share some
common sources of risk
 The Standish Group developed an IT success potential
scoring sheet based on potential risks
 McFarlan developed a risk questionnaire to help assess
risk
 Other broad categories of risk help identify potential
risks

24
 9. McFarlan’s risk questionnaire
1. What is the project estimate in calendar (elapsed) time?
( ) 12 months or less Low = 1 point
( ) 13 months to 24 months Medium = 2 points
( ) Over 24 months High = 3 points
2. What is the estimated number of person days for the system?
( ) 12 to 375 Low = 1 point
( ) 375 to 1875 Medium = 2 points
( ) 1875 to 3750 Medium = 3 points
( ) Over 3750 High = 4 points
3. Number of departments involved (excluding IT)
( ) One Low = 1 point
( ) Two Medium = 2 points
( ) Three or more High = 3 points
4. Is additional hardware required for the project?
( ) None Low = 0 points
( ) Central processor type change Low = 1 point
( ) Peripheral/storage device changes Low = 1
( ) Terminals Med = 2
( ) Change of platform, for example High = 3
PCs replacing mainframes 25
 2. Identifying risk
 Risk identification is the process of understanding what
potential unsatisfactory outcomes are associated with a
particular project
 It is important to identify potential risks early, but you must
also continue to identify risks based on the changing project
environment.
 Also remember that you cannot manage risks if you do not
identify them first
 Some common techniques include brainstorming, the Delphi
technique, interviewing, root cause analysis, and SWOT
analysis
26
 Risk Register
 A risk register is a document that contains results of
various risk management processes
 It is often displayed in a table or spreadsheet format.
 A risk register is a tool for documenting potential risk
events and related information.
 Risk events refer to specific, uncertain events that may
occur to the detriment or enhancement of the project.
 For example, negative risk events might include the
performance failure of a product created
Sample Risk Register
 3. Preform Qualitative Risk Analysis

 Qualitative risk analysis involves assessing the likelihood and

impact of identified risks to determine their magnitude and
priority.
 IT describes how to use a probability/ impact matrix to
produce a prioritized list of risks.
 Tracking technique for Top Ten Risk Item to produce an
overall ranking for project risks
 3. Preform Qualitative Risk Analysis

 Discusses the importance of expert judgment in performing

risk analysis.
 Note that some organizations simply determine that risks are
high, medium, or low and
 color code them as red, yellow, and green, with very little
analysis.
 Using the methods described in this section can greatly
improve qualitative risk analysis
 Probability/Impact Matrix
 People often describe a risk probability or consequence as
being high, medium or moderate, or low
 A project manager can chart the probability and impact of
risks on a probability/ impact matrix
 Which lists the relative probability of a risk occurring and
the relative impact of the risk occurring
 To use this approach, project stakeholders list the risks they
think might occur on their projects.
 They then label a risk as having a high, medium, or low
probability of occurrence and a high, medium, or low impact
if it does occur
Sample Probability/Impact Matrix
 Top Ten Risk Item Tracking

 Top Ten Risk Item Tracking is a qualitative risk analysis

tool.
 In addition to identifying risks, it maintains an awareness
of risks throughout the life of a project by helping to
monitor risks.
 Using this tool involves establishing a periodic review of
the project’s most significant risk items with management
 Similar reviews can also occur with the customer.
Sample Top Ten Risk Item Tracking
 4. Perform Quantitative Analysis
 Risk quantification or risk analysis is the process of
evaluating risks to assess the range of possible project
outcomes
 Determine the risk’s probability of occurrence and its impact
to the project if the risk does occur
 Risk quantification techniques include expected monetary
value analysis, calculation of risk factors, PERT estimations,
simulations, and expert judgment

35
Decision Tree and Expected Monetary Value

36
Bid the Best Project by utilizing EMV and your
personal risk tolerance
Project Chance of Outcome Estimated Profits
50% $120,000
Project 1
50% -$50,000
30% $100,000
Project 2 40% $50,000
30% -$60,000
70% $20,000
Project 3
30% -$5,000
30% $40,000
30% $30,000
Project 4 20% $20,000
20% -$50,000 37
 Sensitivity Analysis
 Sensitivity Analysis is a technique to see the effects of
changing one or more variables on an outcome.
 People often use spreadsheet software like Microsoft Excel
to perform sensitivity analysis
 The main outputs of quantitative risk analysis are updates to
project documents, such as the risk report and risk register.
 The quantitative analysis also provides high-level
information about the probabilities of achieving certain
project objectives.
 This information might cause the project manager to suggest
changes in contingency reserves
Simulation
 5. Plan Risk Response
 After an organization identifies and quantifies risks, it must
develop an appropriate response to them.
 It involves developing options and defining strategies for
reducing negative risks and enhancing positive risks
 There are five basic response strategies for negative risks are
as follows
 Risk Avoidance
 Risk Acceptance
 Risk Transfer
 Risk Mitigation
 Risk Escalation
 Risk Mitigation Strategies
Technical Risks Cost Risks Schedule Risks
Emphasize team support Increase the frequency of Increase the frequency of
and avoid stand alone project monitoring project monitoring
project structure
Increase project manager Use WBS and PERT/CPM Use WBS and PERT/CPM
authority
Improve problem handling Improve communication, Select the most experienced
and communication project goals understanding project manager
and team support
Increase the frequency of Increase project manager
project monitoring authority
Use WBS and PERT/CPM

41
 6 Implement Risk Responses

 The next process is implementing risk responses as defined in

risk responses plan.
 Key outputs include change requests and project documents
updates i.e. issue log, lessons-learned register, project team
assignments, risk register, and risk report
 7 Monitor Risks
 Monitoring risks involves ensuring the appropriate risk
responses are performed, tracking identified risks, identifying
and analyzing new risk, and evaluating the effectiveness of
risk management throughout the entire project.
 Project risk management does not stop with the initial risk
analysis.
 Identified risks may not materialize, or their probabilities of
occurrence or loss may diminish.
 7 Monitor Risks
 Previously identified risks may be determined to have a
greater probability of occurrence or a higher estimated loss
value.
 Similarly, new risks will be identified as the project
progresses.
 Newly identified risks need to go through the same process as
those identified during the initial risk assessment.
 A redistribution of resources devoted to risk management may
be necessary because of relative changes in risk exposure.
 Project teams sometimes use workarounds—unplanned
responses to risk events— when they do not have contingency
plans in place
 Tools for tracking risks

 Databases can keep track of risks

 Spreadsheets can aid in tracking and quantifying risks
 More sophisticated risk management software helps develop
models and uses simulation to analyze and respond to various
project risks

45
 Good project risk management

 Unlike crisis management, good project risk management

often goes unnoticed
 Well-run projects appear to be almost effortless, but a lot of
work goes into running a project well
 Project managers should strive to make their jobs look easy
to reflect the results of well-run projects

46
47
 9. Risk management questions
 Why is it important to take/not take this risk in relation to the
project objectives?
 What specifically is the risk and what are the risk mitigation
deliverables?
 How is the risk going to be mitigated? (What risk mitigation
approach is to be used?)
 Who are the individuals responsible for implementing the risk
management plan?
 When will the milestones associated with the mitigation approach
occur?
 How much is required in terms of resources to mitigate risk?

48
 9. Discussion questions
 Can you avoid risks?
 What are common sources of risk for IT
projects?
 How does spreadsheet help to quantify risk?

 How does simulation help to quantify risk?

 What is the best way to plan for risks?

 What is the difference between contingency

plan and contingency reserve?
49