chap 11 risk

Upload: brown-ric

Post on 06-Apr-2018


  • 8/3/2019 Chap 11 Risk

    IT Project Management, Third Edition Chapter 11

    Chapter 11: Project Risk Management

  • Learning Objectives

    Understand what risk is and the importance of good project risk management

    Discuss the elements involved in risk management planning

    List common sources of risks on information technology projects

    Describe the risk identification process and tools and techniques to help identify project risks

    Discuss the qualitative risk analysis process and explain how to calculate risk factors, use probability/impact matrixes, the Top Ten Risk Item Tracking technique, and expert judgment to rank risks

  • Learning Objectives

    Explain the quantitative risk analysis process and how to use decision trees and simulation to quantify risks

    Provide examples of using different risk response planning strategies such as risk avoidance, acceptance, transference, and mitigation

    Discuss what is involved in risk monitoring and control

    Describe how software can assist in project risk management

    Explain the results of good project risk management

  • The Importance of Project Risk Management

    Project risk management is the art and science of identifying, assigning, and responding to risk throughout the life of a project and in the best interests of meeting project objectives

    Risk management is often overlooked on projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimates

    A study by Ibbs and Kwak shows how risk management is neglected, especially on IT projects

    A KPMG study found that 55 percent of runaway projects did no risk management at all

  • Table 11-1. Project Management Maturity by Industry Group and Knowledge Area

  • What is Risk?

    A dictionary definition of risk is the possibility of loss or injury

    Project risk involves understanding potential problems that might occur on the project and how they might impede project success

    Risk management is like a form of insurance; it is an investment

  • Risk Utility

    Risk utility or risk tolerance is the amount of satisfaction or pleasure received from a potential payoff

    Utility rises at a decreasing rate for a person who is risk-averse

    Those who are risk-seeking have a higher tolerance for risk and their satisfaction increases when more payoff is at stake

    The risk-neutral approach achieves a balance between risk and payoff

  • Figure 11-1. Risk Utility Function and Risk Preference

  • What is Project Risk Management?

    The goal of project risk management is to minimize potential risks while maximizing potential opportunities. Major processes include

    Risk management planning: deciding how to approach and plan the risk management activities for the project

    Risk identification: determining which risks are likely to affect a project and documenting their characteristics

    Qualitative risk analysis: characterizing and analyzing risks and prioritizing their effects on project objectives

    Quantitative risk analysis: measuring the probability and consequences of risks

    Risk response planning: taking steps to enhance opportunities and reduce threats to meeting project objectives

    Risk monitoring and control: monitoring known risks, identifying new risks, reducing risks, and evaluating the effectiveness of risk reduction

  • Risk Management Planning

    The main output of risk management planning is a risk management plan

    The project team should review project documents and understand the organization's and the sponsor's approach to risk

    The level of detail will vary with the needs of the project

  • Table 11-2. Questions Addressed in a Risk Management Plan

  • Contingency and Fallback Plans, Contingency Reserves

    Contingency plans are predefined actions that the project team will take if an identified risk event occurs

    Fallback plans are developed for risks that have a high impact on meeting project objectives

    Contingency reserves or allowances are provisions held by the project sponsor that can be used to mitigate cost or schedule risk if changes in scope or quality occur

  • Common Sources of Risk on Information Technology Projects

    Several studies show that IT projects share some common sources of risk

    The Standish Group developed an IT success potential scoring sheet based on potential risks

    McFarlan developed a risk questionnaire to help assess risk

    Other broad categories of risk help identify potential risks

  • Table 11-3. Information Technology Success Potential Scoring Sheet

    Success Criterion                    Points
    User Involvement                     19
    Executive Management support         16
    Clear Statement of Requirements      15
    Proper Planning                      11
    Realistic Expectations               10
    Smaller Project Milestones           9
    Competent Staff                      8
    Ownership                            6
    Clear Visions and Objectives         3
    Hard-Working, Focused Staff          3
    Total                                100

  • Table 11-4. McFarlan's Risk Questionnaire

    1. What is the project estimate in calendar (elapsed) time?
       ( ) 12 months or less                    Low = 1 point
       ( ) 13 months to 24 months               Medium = 2 points
       ( ) Over 24 months                       High = 3 points

    2. What is the estimated number of person days for the system?
       ( ) 12 to 375                            Low = 1 point
       ( ) 375 to 1875                          Medium = 2 points
       ( ) 1875 to 3750                         Medium = 3 points
       ( ) Over 3750                            High = 4 points

    3. Number of departments involved (excluding IT)
       ( ) One                                  Low = 1 point
       ( ) Two                                  Medium = 2 points
       ( ) Three or more                        High = 3 points

    4. Is additional hardware required for the project?
       ( ) None                                 Low = 0 points
       ( ) Central processor type change        Low = 1 point
       ( ) Peripheral/storage device changes    Low = 1
       ( ) Terminals                            Med = 2
       ( ) Change of platform, for example
           PCs replacing mainframes             High = 3

  • Other Categories of Risk

    Market risk: Will the new product be useful to the organization or marketable to others? Will users accept and use the product or service?

    Financial risk: Can the organization afford to undertake the project? Is this project the best way to use the company's financial resources?

    Technology risk: Is the project technically feasible? Could the technology be obsolete before a useful product can be produced?

  • What Went Wrong?

    Many information technology projects fail because of technology risk. One project manager learned an important lesson on a large IT project: focus on business needs first, not technology. David Anderson, a project manager for Kaman Sciences Corp., shared his experience from a project failure in an article for CIO Enterprise Magazine. After spending two years and several hundred thousand dollars on a project to provide new client/server-based financial and human resources information systems for their company, Anderson and his team finally admitted they had a failure on their hands. Anderson revealed that he had been too enamored of the use of cutting-edge technology and had taken a high-risk approach on the project. He "ramrodded through" what the project team was going to do and then admitted that he was wrong. The company finally decided to switch to a more stable technology to meet the business needs of the company.

    Hildebrand, Carol. If At First You Don't Succeed, CIO Enterprise Magazine, April 15, 1998

  • Risk Identification

    Risk identification is the process of understanding what potential unsatisfactory outcomes are associated with a particular project

    Several risk identification tools and techniques include

    Brainstorming

    The Delphi technique

    Interviewing

    SWOT analysis

  • Table 11-5. Potential Risk Conditions Associated with Each Knowledge Area

    Knowledge Area     Risk Conditions
    Integration        Inadequate planning; poor resource allocation; poor integration management; lack of post-project review
    Scope              Poor definition of scope or work packages; incomplete definition of quality requirements; inadequate scope control
    Time               Errors in estimating time or resource availability; poor allocation and management of float; early release of competitive products
    Cost               Estimating errors; inadequate productivity, cost, change, or contingency control; poor maintenance, security, purchasing, etc.
    Quality            Poor attitude toward quality; substandard design/materials/workmanship; inadequate quality assurance program
    Human Resources    Poor conflict management; poor project organization and definition of responsibilities; absence of leadership
    Communications     Carelessness in planning or communicating; lack of consultation with key stakeholders
    Risk               Ignoring risk; unclear assignment of risk; poor insurance management
    Procurement        Unenforceable conditions or contract clauses; adversarial relations

  • Quantitative Risk Analysis

    Assess the likelihood and impact of identified risks to determine their magnitude and priority

    Risk quantification tools and techniques include

    Probability/Impact matrixes

    The Top 10 Risk Item Tracking technique

    Expert judgment

  • Sample Probability/Impact Matrix

  • Table 11-6. Sample Probability/Impact Matrix for Qualitative Risk Assessment

  • Figure 11-3. Chart Showing High-, Medium-, and Low-Risk Technologies

  • Top 10 Risk Item Tracking

    Top 10 Risk Item Tracking is a tool for maintaining an awareness of risk throughout the life of a project

    Establish a periodic review of the top 10 project risk items

    List the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item

  • Table 11-7. Example of Top 10 Risk Item Tracking

                                Monthly Ranking
    Risk Item                   This Month   Last Month   Number of Months   Risk Resolution Progress
    Inadequate planning         1            2            4                  Working on revising the entire project plan
    Poor definition of scope    2            3            3                  Holding meetings with project customer and sponsor to clarify scope
    Absence of leadership       3            1            2                  Just assigned a new project manager to lead the project after old one quit
    Poor cost estimates         4            4            3                  Revising cost estimates
    Poor time estimates         5            5            3                  Revising schedule estimates

  • Expert Judgment

    Many organizations rely on the intuitive feelings and past experience of experts to help identify potential project risks

    Experts can categorize risks as high, medium, or low with or without more sophisticated techniques

  • Quantitative Risk Analysis

    Often follows qualitative risk analysis, but both can be done together or separately

    Large, complex projects involving leading edge technologies often require extensive quantitative risk analysis

    Main techniques include

    decision tree analysis

    simulation

  • Decision Trees and Expected Monetary Value (EMV)

    A decision tree is a diagramming method used to help you select the best course of action in situations in which future outcomes are uncertain

    EMV is a type of decision tree where you calculate the expected monetary value of a decision based on its risk event probability and monetary value

  • Figure 11-4. Expected Monetary Value (EMV) Example

  • Simulation

    Simulation uses a representation or model of a system to analyze the expected behavior or performance of the system

    Monte Carlo analysis simulates a model's outcome many times to provide a statistical distribution of the calculated results

    To use a Monte Carlo simulation, you must have three estimates (most likely, pessimistic, and optimistic) plus an estimate of the likelihood of the estimate being between the optimistic and most likely values
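
The four inputs named on this slide, run through a small Monte Carlo schedule simulation. This is an added example, not part of the original slides. The task list and its numbers are constructed, the tasks are assumed to run one after another, and the two-piece triangular shape of each distribution is an assumption chosen so that the stated likelihood is honoured.

```python
import random
import statistics

# Constructed sample tasks (days), performed one after another:
# (name, optimistic, most_likely, pessimistic, p_low)
# p_low = estimated likelihood that the actual value falls between
# the optimistic and most likely estimates.
TASKS = [
    ("requirements", 10, 15, 30, 0.30),
    ("development", 40, 60, 120, 0.25),
    ("testing", 15, 20, 45, 0.40),
]

def sample_duration(rng, optimistic, most_likely, pessimistic, p_low):
    """Draw one value from a two-piece triangular distribution (assumed shape).

    Mass p_low lies in [optimistic, most_likely] with density rising towards
    most_likely; the rest lies in [most_likely, pessimistic], falling away.
    """
    u = rng.random()
    if rng.random() < p_low:
        return optimistic + (most_likely - optimistic) * u ** 0.5
    return pessimistic - (pessimistic - most_likely) * u ** 0.5

def expected_duration(optimistic, most_likely, pessimistic, p_low):
    """Analytic mean of the same distribution, used to sanity-check the runs."""
    low_mean = optimistic + 2 * (most_likely - optimistic) / 3
    high_mean = most_likely + (pessimistic - most_likely) / 3
    return p_low * low_mean + (1 - p_low) * high_mean

def simulate(tasks, trials=20000, seed=11):
    """Return the sorted total project durations, one per trial."""
    rng = random.Random(seed)
    totals = [
        sum(sample_duration(rng, o, m, p, pl) for _, o, m, p, pl in tasks)
        for _ in range(trials)
    ]
    return sorted(totals)

def percentile(sorted_values, q):
    """Value below which fraction q of the simulated outcomes fall."""
    index = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[index]

def chance_of_meeting(sorted_values, deadline):
    """Fraction of trials that finish on or before the deadline."""
    return sum(1 for v in sorted_values if v <= deadline) / len(sorted_values)

if __name__ == "__main__":
    totals = simulate(TASKS)
    print("mean total days:", round(statistics.mean(totals), 1))
    for q in (0.5, 0.8, 0.95):
        print(f"P{int(q * 100)}:", round(percentile(totals, q), 1))
    plan = sum(t[2] for t in TASKS)  # schedule built from most likely values
    print("chance of meeting that plan:", round(chance_of_meeting(totals, plan), 3))
```

The output is a distribution rather than a single date: the percentiles show how much schedule reserve a given confidence level needs, and the last figure shows how rarely a plan built only from most likely values is met.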

  • What Went Right?

    A large aerospace company used Monte Carlo simulation to help quantify risks on several advanced-design engineering projects. The National Aerospace Plan (NASP) project involved many risks. The purpose of this multibillion-dollar project was to design and develop a vehicle that could fly into space using a single-stage-to-orbit approach. A single-stage-to-orbit approach meant the vehicle would have to achieve a speed of Mach 25 (25 times the speed of sound) without a rocket booster. A team of engineers and business professionals worked together in the mid-1980s to develop a software model for estimating the time and cost of developing the NASP. This model was then linked with Monte Carlo simulation software to determine the sources of cost and schedule risk for the project. The results of the simulation were then used to determine how the company would invest its internal research and development funds. Although the NASP project was terminated, the resulting research has helped develop more advanced materials and propulsion systems used on many modern aircraft.

  • Risk Response Planning

    After identifying and quantifying risks, you must decide how to respond to them

    Four main strategies:

    Risk avoidance: eliminating a specific threat or risk, usually by eliminating its causes

    Risk acceptance: accepting the consequences should a risk occur

    Risk transference: shifting the consequence of a risk and responsibility for its management to a third party

    Risk mitigation: reducing the impact of a risk event by reducing the probability of its occurrence

  • Table 11-8. General Risk Mitigation Strategies for Technical, Cost, and Schedule Risks

  • Risk Monitoring and Control

    Monitoring risks involves knowing their status

    Controlling risks involves carrying out the risk management plans as risks occur

    Workarounds are unplanned responses to risk events that must be done when there are no contingency plans

    The main outputs of risk monitoring and control are corrective action, project change requests, and updates to other plans

  • Risk Response Control

    Risk response control involves executing the risk management processes and the risk management plan to respond to risk events

    Risks must be monitored based on defined milestones and decisions made regarding risks and mitigation strategies

    Sometimes workarounds or unplanned responses to risk events are needed when there are no contingency plans

  • Using Software to Assist in Project Risk Management

    Databases can keep track of risks. Many IT departments have issue tracking databases

    Spreadsheets can aid in tracking and quantifying risks

    More sophisticated risk management software, such as Monte Carlo simulation tools, helps in analyzing project risks

  • Figure 11-5. Sample Monte Carlo Simulation Results for Project Schedule

  • Figure 11-6. Sample Monte Carlo Simulations Results for Project Costs

  • Results of Good Project Risk Management

    Unlike crisis management, good project risk management often goes unnoticed

    Well-run projects appear to be almost effortless, but a lot of work goes into running a project well

    Project managers should strive to make their jobs look easy to reflect the results of well-run projects