Chapter 10: Project Risk Management

adopted from PMIs PMBOK 2000 and Textbook : Information Technology Project Management

Contents
The Importance of Project Risk Management Project Risk Management process
Risk management planning Risk identification Qualitative risk analysis Quantitative risk analysis Risk response planning Risk monitoring and control
Chapter 10 2

Results of good project risk management

Typical Risk Management

The Importance of Project Risk Management

Project risk management is the art and science of identifying, assigning, and responding to risk throughout the life of a project and in the best interests of meeting project objectives Risk management is often overlooked on projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimates Study by Ibbs and Kwak show how risk management is neglected, especially on IT projects KPMG study found that 55 % of runaway projects did no risk management at all
Chapter 10 4

What is Project Risk Management?

The goal of project risk management is to minimize potential risks while maximizing potential opportunities. Six processes include
Risk management planning Risk identification Qualitative risk analysis Quantitative risk analysis Risk response planning Risk monitoring and control
Chapter 10

planning controlling

What is Project Risk Management?

Risk management planning: Quantitative risk analysis: deciding how to approach measuring the probability and and plan the risk management consequences of risks activities for the project Risk response planning: Risk identification: taking steps to enhance determining which risks are opportunities and reduce likely to affect a project and threats to meeting project documenting their objectives characteristics Risk monitoring and Qualitative risk analysis: control: monitoring known characterizing and analyzing risks, identifying new risks, risks and prioritizing their reducing risks, and evaluating effects on project objectives the effectiveness of risk reduction
Chapter 10 6

Risk Management Planning

15th of 21 planning phase process The main output of risk management planning is a risk management plan The project team should review project documents and understand the organizations and the sponsors approach to risk The level of detail will vary with the needs of the project
Chapter 10 7

Inputs to Risk Management Planning

Project charter: formally recognizes the existence of a project Organizations risk management policies: provide a predefined approach to risk analysis and response Defined roles & responsibilities: provide authority levels for decision-making. Stakeholder risk tolerances: indicators of how stakeholders might react in different situations and risk events Template for the organizations risk management plan: pro-forma standard for used by the project WBS: a deliverable-oriented grouping of project elements that organized and defines the total scope of the project 8

Tools and technique

Planning meetings
everyone responsible for planning and executing activities.

Output
Risk management plan
It documents procedures for managing risk throughout the project It details identification and quantification of risk, responsibilities for managing risks, how contingency plans will be implemented, and how reserves will be allocated. other associated documents are
Contingency plan, feedback plan
10

Contingency and Fallback Plans, Contingency Reserves

Contingency plans
provide predefined actions that the project team will take if an identified risk event occurs

Fallback plans
developed for risks that have a high impact on meeting project objectives

Contingency reserve or allowances

extra provisions held by the project sponsor that can be used to mitigate cost or schedule risk if changes in scope or quality occur
Chapter 10 11

Risk Identification
16th of 21 planning phase process Risk identification is the process of understanding what potential unsatisfactory outcomes are associated with a particular project Risk identification is a facilitating planning process
Common Sources of Risk on Information Technology Projects Several studies show that IT projects share some common sources of risk
12

Table 10-3. Information Technology Success Potential Scoring Sheet

Success Criterion User Involvement Executive Management support Clear Statement of Requirements Proper Planning Realistic Expectations Smaller Project Milestones Competent Staff Ownership Clear Visions and Objectives Hard-Working, Focused Staff Total
Chapter 10

Points 19 16 15 11 10 9 8 6 3 3 100
13

Other Categories of Risk

Market risk:
Will the new product be useful to the organization or marketable to others? Will users accept and use the product or service?

Financial risk:
Can the organization afford to undertake the project? Is this project the best way to use the companys financial resources?

Technology risk:
Is the project technically feasible? Could the technology be obsolete before a useful product can be produced?
Chapter 10

14

Tools and Techniques

Documentation reviews
provide a structure review of project plans and assumptions

Information gathering
brainstorming, Delphi method, interviewing. SWOT analysis

Checklists provided by previous projects. Assumptions analysis

explores the assumptions and identifies potential risks

Diagramming techniques
help to understand various cause-and-effect relationships. Examples are cause-and-effect diagram. System or process flowcharts.
15

Outputs
Risks uncertain events or condition Triggers symptoms of risks; indirect manifestation or actual risk events such as poor morale Inputs to other processes for examples, constraints or assumptions

16

Qualitative Risk Analysis

Qualitative Risk Analysis (17th of 21 planning phase process) It is the process to assess the impact and likelihood of identified risks.
determine their magnitude and priority

Chapter 10

17

Inputs:
Risk management plan
It documents procedures for managing risk throughout the project.

Identified risk
taken from previous risk identification process. Evaluate these risks for their potential impacts no the project.

Project status
identifies risks through the project life cycle

Project type
determines the amount of risk you can expect. Common or recurrent projects have less risk, while state-of-the-art, first-time technology, or highly complex projects have more uncertainty.
18

Inputs
Data precision
tests the value of data. Data precision measures the extent of data available, reliability of the data, and source of the data

Scales of probabilities and impact

assess the two key dimensions of risk (probability and impact)

Assumptions
identified during risk identification process. These are used as part of evaluations.
19

tools and techniques

Risk probabilities & impact the two dimensions of specific risks. Risk probability is the likelihood that a risk will occur. Risk consequences (or impact), are the effect of project objectives if the risk event occurs Probabilities / Impact risk rating matrix (also known as PI risk matrix) Project assumptions testing performed against 2 criteria: assumption stability and the consequences on the project if the assumption is false. Data precision ranking technique to evaluate the degree to which the data is useful for risk management. Data should be unbiased and accurate
20

Figure 10-2. Chart Showing High-, Medium-, and Low-Risk Technologies

21

Top 10 Risk Item Tracking

Top 10 Risk Item Tracking is a tool for maintaining an awareness of risk throughout the life of a project Establish a periodic review of the top 10 project risk items List the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item
Chapter 10 22

Table 10-7. Example of Top 10 Risk Item Tracking

Monthly Ranking Risk Item Inadequate planning Poor definition of scope Absence of leadership This Month 1 2 Last Month 2 3 Number Risk Resolution of Months Progress 4 3 Working on revising the entire project plan Holding meetings with project customer and sponsor to clarify scope Just assigned a new project manager to lead the project after old one quit Revising cost estimates Revising schedule estimates

Poor cost estimates Poor time estimates

4 5

4 5

3 3

23

Expert Judgment
Many organizations rely on the intuitive feelings and past experience of experts to help identify potential project risks Experts can categorize risks as high, medium, or low with or without more sophisticated techniques

Chapter 10

24

Output
Overall risk ranking for the project List of priorities risks List of risks for additional analysis and management Trends in qualitative risk analysis results

25

Quantitative Risk Analysis

18th of 21 planning phase process A process that numerically analyses the probability of each risk and its consequence on objectives. Often follows qualitative risk analysis, but both can be done together or separately Large, complex project involving leading edge technologies often require extensive quantitative risk analysis
Chapter 10 26

Inputs
Risk management plan Identified risk List of prioritized risk List of risk for additional analysis & management Historical information Expert judgment
determines whether risks have a probability of occurrence (ranked H, M, L) and the level of impact (ranked Severe, moderate or limited)

Other planning outputs

27

Tools and techniques

Interviewing: using projects stakeholders and subject matter experts to quantify the probability and consequences of risk on project objectives. Sensitivities analysis: help to determine which risks have the greatest impact on the project. It is the simplest form of risk analysis. Sensitivity analysis examines the change of a single project variable to analyze its effect on the project plan. Decision tree analysis : identify possible options or outcomes. It forces consideration of the probability of each outcome Simulation : uses a model of system to analyze the behavior or performance of the system. Examples are 28 Monte Carlo, Critical Path and PERT.

Decision Trees and Expected Monetary Value (EMV)

A decision tree is a diagramming method used to help you select the best course of action in situations in which future outcomes are uncertain EMV is a type of decision tree where you calculate the expected monetary value of a decision based on its risk event probability and monetary value
Chapter 10 29

Figure 10-3. Expected Monetary Value (EMV) Example

30

Simulation
Simulation uses a representation or model of a system to analyze the expected behavior or performance of the system Monte Carlo analysis simulates a models outcome many time to provide a statistical distribution of the calculated results To use a Monte Carlo simulation, you must have three estimates (most likely, pessimistic, and optimistic) plus an estimate of the likelihood of the estimate being between the optimistic and most likely values
Chapter 10 31

Risk Response Planning

19th of 21 planning phase process Involves developing options and determining actions to enhance opportunities to reduce threats to project objectives. After identifying and quantifying risk, you must decide how to respond to them
Chapter 10 32

Inputs
Risk management plan - It documents procedures for managing risk throughout the project. List of prioritized risk - includes those grouped by ranks, WBS level, risks requiring immediate response, risk that can be handled later, and risk that affect cost, schedule, functionality and quality. Risk ranking of the project indicates that overall risk position of a project relative to other projects by comparing risk scores. Prioritized list of quantified risks identifies those that pose the greatest threat or opportunity to the project and proposes some means of measuring their impact
33

Inputs
Probabilities analysis of achieving the cost and time objective assessed under the current project plan and with the current knowledge of the project risks List of potential response identifies specific risks or categories of risk. These list specify the actions the team will take. Risk thresholds the acceptable level of risk to the organization, which influences risk response planning Risk owners identifies staff to provide accountabilities for managing responses. Common risk causes several risks driven by a common causes. This reveals opportunities to mitigate many risks with one response. Trends in qualitative & quantitative risk analysis result - become apparent as the analysis is repeated can make risk response more or less urgent and important.
34

Table 10-8. General Risk Mitigation Strategies for Technical, Cost, and Schedule Risks

Chapter 10

35

Tools and techniques

Risk avoidance: eliminating a specific threat or risk, usually by eliminating its causes Risk acceptance: accepting the consequences should a risk occur Risk transference: shifting the consequence of a risk and responsibility for its management to a third party Risk mitigation: reducing the impact of a risk event by reducing the probability of its occurrence
36

Outputs
Risk response plan Residual risks
remain after avoidance, transfer, or mitigation responses have been taken.

Secondary risk arise in direct result of implementing a risk response. Contractual agreements Contingency reserve amounts needed Inputs to other processes Inputs to a revised plan
37

Risk Monitoring and Control

8 of 8 controlling phase process This is the process of keeping track of the identified risks, monitoring residual risk and identify new risks, ensuring the execution of risk plans, and evaluating the plans effectiveness in reducing risk.
Monitoring risks involves knowing their status Controlling risks involves carrying out the risk management plans as risks occur Workarounds are unplanned responses to risk events that must be done when there are no contingency plans
Chapter 10 38

Risk Response Control

Risk response control involves executing the risk management processes and the risk management plan to respond to risk events Risks must be monitored based on defined milestones and decisions made regarding risks and mitigation strategies Sometimes workarounds or unplanned responses to risk events are needed when there are no contingency plans
Chapter 10 39

Using Software to Assist in Project Risk Management

Databases can keep track of risks. Many IT departments have issue tracking databases Spreadsheets can aid in tracking and quantifying risks More sophisticated risk management software, such as Monte Carlo simulation tools, help in analyzing project risks
Chapter 10 40

Results of Good Project Risk Management

Unlike crisis management, good project risk management often goes unnoticed Well-run projects appear to be almost effortless, but a lot of work goes into running a project well Project managers should strive to make their jobs look easy to reflect the results of well-run projects
Chapter 10 41

Outputs
The main outputs of risk monitoring and control are corrective action, project change requests, and updates to other plans
Corrective action: This encompasses anything that brings your expected performance back in line with the project plan. At this stage, it involves carrying out either your contingency plan or workaround. Project change requests: Implementing a contingency plan or workaround frequently requires changing the risk responses described in the project plan. Know the process flow and feedback loop.
42

Outputs (2)
Updates to risk response plan: Document the risks that occur. Risks that don't occur should also be noted and closed out in the risk response plan. It's important to keep this up-to-date, and it becomes a permanent addition to project records, eventually feeding into lessons learned. Workaround plans Risk database Updates to risk identification checklists

43

Summary
Project Risk Management
is the art and science of identifying, assigning, and responding to risk

Project Risk Management process

Risk management planning: deciding how to approach and plan the risk management activities for the project Risk identification: determining which risks are likely to affect a project and documenting their characteristics Qualitative risk analysis: characterizing and analyzing risks and prioritizing their effects on project objectives Quantitative risk analysis: measuring the probability and consequences of risks Risk response planning: taking steps to enhance opportunities and reduce threats to meeting project objectives Risk monitoring and control: monitoring known risks, identifying new risks, reducing risks, and evaluating the 44 effectiveness of risk reduction

Summary 2
Tools
charts risk item tracking expert judgment decision trees expected monetary value (EMV)

Using software to assist project risk management

database, simulation, Monte Carlo

Results of good project risk management

unusually un-notice, look easy but require a lot of good risk management
45