CS3100Software Project Management

Risk

Dr Tracy Hall

CS3100. Risk Slide 2

1. To be able to critically discuss issues of risk with respect to likelihood and impact

2. To be able to explain and exemplify the different classes of risk action that can be taken

learning outcomes

CS3100. Risk Slide 3

Loss: “occurrence of unwanted consequences”

Project impact

Business impact

Technical impact

Any others…?

* difficulties of estimation

* assumptions made during planning

• unplanned events or hazards

• Underestimated risks

These incidents might arise from…

What is Risk?The chance that some adverse incidents may affect the project

Basics: involves two characteristics:

Uncertainty: “may or may not happen”

CS3100. Lecture 14: RiskSlide 4

Levels of Risk Management: risk strategies

Reactive Proactive

Fix on failure. react to risks quickly after they’ve occurred.

Prevention. Identify risks and prevent them from becoming problems.

Risk mitigation. Resource planning for risks IF they do occur.

Elimination of root causes. Identify &

eliminate factors that make it possible for risks to exist at all.

Crisis management – ‘fire fighting’. address risks only after they’ve become a problem.

CS3100. Lecture 14: RiskSlide 5

Risk ManagementPlan risk

management approach

Identify risks

Assess risks

Plan risk responses

Carry out risk reduction actions

Risk Register

Risk Manageme

nt Plan

Project Objectives Achieved

(Cadle and Yeates 2004)

CS3100. Risk Slide 6

using a

checklist….

or/and through

brain-storming…

…you may consider…staff factors

changeover factors

supplier factors

and so on…

…you might discuss those risks which are…

hazardous

political

generic

or

specific

First step is to “identify” risks

CS3100. Lecture 14: RiskSlide 7

Risk and planning

PLANNING

REVIEW

MANAGEMENT

PEO

PLE

CS3100. Lecture 14: RiskSlide 8

Low

Low

High

High‘likelihood’

‘impact’

Project overrun - late component for an urgent safety-critical application enhancement.

Next “assess” the risks

CS3100. Lecture 14: RiskSlide 9

Low

Low

High

High‘likelihood’

‘impact’- Graduate programmer unfamiliar with programming language of a rapid, trivial prototype development

Next, “assess” the risks

CS3100. Lecture 14: RiskSlide 10

Low

Low

High

High‘likelihood’

‘impact’

- Client pulls out for financial reasons after significant initial commitment

Next, “assess” the risks

CS3100. Lecture 14: RiskSlide 11

Low

Low

High

High‘likelihood’

‘impact’ - Project administrator leaves in the first week after a lengthy project has “kicked off”.

Next, “assess” the risks

CS3100. Lecture 14: RiskSlide 12

Low

Low

High

High‘likelihood’

‘impact’

- Late delivery of a vital component for an urgent safety-critical application enhancement.

- Graduate programmer unfamiliar with programming language of a rapid, trivial prototype development.

- Client pulls out for financial reasons after significant initial commitment.

- Project administrator leaves in the first week after a lengthy project has “kicked off”.

Next, “assess” the risks

CS3100. Lecture 14: RiskSlide 13

Low

Low

High

High‘likelihood’

‘im

pact

’

How about…?

• New O/S released?• Integration tests fail• Customer changes spec• Customer goes bankrupt• Key programmer resigns• Your company is taken over

CS3100. Lecture 14: RiskSlide 14

So you’ve looked ahead…

PLANNING

REVIEW

MANAGEMENT

PEO

PLE

CS3100. Risk Slide 15

Understanding impact of the risks: Risk exposure

Determine the ‘risk exposure’ of each of the risks that you have identified.

Risk Exposure

=probability of the unexpected loss

size of the loss

But how do you determine the probability and size of loss? …by estimating…

(Rapid Development [chapter 5] by Steve McConnell, 1996)

CS3100. Risk Slide 16

RiskExposure

= probability of the unexpected loss

size of the loss

Get project/system guru to estimate…

Use delphi or group consensus practices

Determining the probability and size of loss…

CS3100. Risk Slide 17

Obvious and easy estimates…i.e. a project might be approved only at the start of a month. Breakdown loss into

smaller losses, estimate each and aggregate these to make the combined loss.

Determining the probability and size of loss…

RiskExposure

= probability of the unexpected loss

size of the loss

CS3100. Risk Slide 18

Some simple examplesExample: say there’s a 25% chance that it will take 4 weeks longer to get project approved.

Risk Exposure = 25% x 4 weeks

Risk Exposure = 1 week

Example: say there’s a 15% chance that project will suffer 8 weeks loss because new programming tools do not produce promised savings.

Risk Exposure = 15% x 8 weeks

Risk Exposure = 1.2 weeks

Example: say there’s a 30% chance that project will lose 12 weeks because of inadequate designs – redesign required.

Risk Exposure = 30% x 12 weeks

Risk Exposure = 3.6 weeks

CS3100. Risk Slide 19

Risk-Assessment TableRisk Probability

of LossSize of Loss (weeks)

Risk Exposure (weeks)

Overly optimistic schedule 50% 5 2.5

Inadequate design 15% 15 2.25

Delay with Project approval

25% 4 1.0

Facilities not ready in time 10% 2 0.2

Programming tools do not produce promised savings

30% 5 1.5

Change in specific reqs 40% 12 4.8

Unstable graphics engine 7% 4 0.3

Reduced quality assurance 35% 6 2.1

NB: Risks are more usually expressed in monetary terms

CS3100. Risk Slide 20

Prioritised Risk Assessment Table

Risk Probability of Loss

Size of Loss (weeks)

Risk Exposure (weeks)

Change in specific reqs 40% 12 4.8

Overly optimistic schedule 50% 5 2.5

Inadequate design 15% 15 2.25

Reduced quality assurance 35% 6 2.1

Programming tools do not produce promised savings

30% 5 1.5

Delay with Project approval 25% 4 1.0

Unstable graphics engine 7% 4 0.3

Facilities not ready in time 10% 2 0.2

CS3100. Lecture 14: RiskSlide 21

Next step, “plan risk responses…”Acceptance

Let the risk happen because countermeasures are unfeasible or more expensive.

Mitigation/Reduction

Steps to reduce impact of risk, if they happen.

TransferMaking someone else bare the burden if the risks occur, i.e. by taking out insurance.

Avoidance/ Prevention

Steps to reduce

likelihood of risks

occurring.

CS3100. Risk Slide 22

Risk Register

Contains a list of risks, their likely impact and estimated probabilities e.g.:

Risk: failure at integration

Assessment: Risk is low (we have integrated the last 4 projects successfully) but impact would be significant (remedial activity plus loss of reputation and further business). Say 5% probability x £200k = £10k

Mitigation: If risk materialises, we will assemble a recovery team for 2 months to join the project team. Weekly review meetings. Also, we will buy in 2 major platform components.

Plan risk management approach

Identify risks

Assess risks

Plan risk responses

Carry out risk reduction actions

Risk Register

Risk Management

Plan

Project Objectives Achieved

CS3100. Risk Slide 23

NO!remember…the risk

management process,

to enable you to EVALUATE as you go

along, because…

the nature of the risks may change as the project proceeds, for instance…

Predicted risks occur and are dealt with as planned.

Predicted risks fail to appear.

New, unanticipated risks materialise.

Then, you execute when necessary. But, is it that simple?

CS3100. Lecture 14: RiskSlide 24

how about seeking advice…particularly as different organisations will follow different approaches.

‘risk register’ - a repository for information about each risk, i.e. current status; potential impacts…

‘risk management plan’ - outlining the risk management cycle specific to the project - roles/responsibilities for the risks (‘risk

ownership’) - other expectations.

How would you know how to deal with these instances?

CS3100. Lecture 14: RiskSlide 25

Managing the problems…

PLANNING

REVIEW

MANAGEMENT

PEO

PLE

CS3100. Risk Slide 26

How would you act if the risks materialise as problems?

Go back to lectures on monitoring & control and on recovering from failure

CS3100. Risk Slide 27

So, when evaluating the risks…

Plan risk management

approach

Identify risks

Assess risks

Plan risk responses

Carry out risk reduction actions

Risk Register

Risk Managemen

t Plan

Project Objectives Achieved

attempting to

‘understand

uncertainty’

CS3100. Risk Slide 28

Why do we attempt to understand uncertainty?

for planning (or predicting) for the future there is always uncertainty!

therefore…

we need the best tools to predict, with reliable precision, for planning…- statistical techniques (static)- simulation techniques (dynamic)

CS3100. Risk Slide 29

…methods to explore “what if” scenarios:

simulation

study aspects of the behaviour of a system by creating approximate dynamic model of it.

By modelling activities throughout the project we can:- develop insights to the interrelationship between the activities; - predict bottle-necks in the project;- save on the cost of making real mistakes and- train for new users (team or customers)

which are more likely to be used in…

CS3100. Lecture 14: RiskSlide 30

and we have tools…

simulation tools general purpose simulation languages simulators project management simulators

project mgmt tools estimating and scheduling methods planning and management techniques progress reporting and tracking

CS3100. Risk Slide 31

To round up…

Risk management needs sharp planning, review, management and people-skills!

Risk Management is cyclical & requires vigilance!

The nature of risks may change with events.Different companies adopt different risk

management approaches to understand uncertainty.

Each company will have its own documentation to capture and manage risk