it_club_ncp_risk_management_26_03_2013
• Introduction game
• What is Risk and Risk Management?
• Identifying risks
• Categorize risks - Extreme, High, Medium and Low
• Risk-based requirement writing
• Risk-based testing
• Defects / bugs / issues in IT projects
• Software vs. Review defects
• Impact of identifying and resolving review defects
• Intro to Disaster Risk Management & Green Risk Management
• Q&A
Kompusys Consultants 2
Introduction Game
Let’s play a game by introducing ourselves
• Name
• Area of specialization
What is Risk?
Risk: the probability that a particular threat will exploit a particular vulnerability of the system.
Damage (consequences / impact, loss):
– Direct loss: financial, environmental, market, etc.
– Technical: impact on other projects / products or services
– Loss of (faith of) clients, damage to corporate identity, e.g. through hacking
– Legal: loss of license due to regulatory lapses
– Technical: detection and repair time, e.g. underground
– Probability of use
– Lost morale
Probability of failure:
– Depends on the knowledge of the development project and product (just before testing)
Risk Management
• Risk identification: the process of determining risks that could potentially prevent the project, enterprise, or investment from achieving its objectives. It includes documenting and communicating the concern to the stakeholders.
• Risk estimation: the likelihood of occurrence and the consequences of each risk identified.
• Risk evaluation: risks are evaluated against their risk thresholds and placed in priority order, using criteria determined by stakeholders. Contingency plans should be developed for all risks above their thresholds.
Risk Management (contd.)
• Risk treatment: involves the selection, planning, monitoring, and controlling of actions to decrease risk exposure.
• Risk mitigation: the process of eliminating or reducing the severity, frequency or magnitude of exposure to risks, or minimizing the impact of a threat.
• Risk management: a continuous process for systematically addressing risk throughout the life-cycle of a project or service.
• Risk management plan: a plan that defines how the risk management activities are implemented and supported during a project. It is always PROACTIVE.
Risk Management (contd.)
Managing risks is of no value without understanding what risks to take and why!
(Diagram: Risks – Threats – Vulnerability – Consequence)
Identifying risks
Catalysts to identify risk
• Stakeholders – people on a project
• Experience – lessons learnt
• Location – country, industry
• Funding
• Technology
• Environment
Types of IT risks
• Strategic – long-term opportunities
• Regulatory – changes by local government
• Training – project / product
• Operational – late shipment, incomplete project or obsolete process
• Financial – not getting paid
• Inherent – meetings, documentation, sign-off, etc.
Categorize risks - Extreme, High, Medium and Low
Risk = Probability * Impact
• Simply put: how LIKELY it is to happen and how BAD it would be if it ever happened
• Without uncertainty or damage, there is no risk
• Every individual's perspective of IMPACT is different
The biggest single risk for any organization is that risk management doesn't really work – leading to rising numbers of failed projects.
Categorize risks – Risk matrix – Extreme, High, Medium and Low

Likelihood \ Impact | Very high | High    | Moderate | Low
Most likely         | EXTREME   | EXTREME | HIGH     | HIGH
Likely              | EXTREME   | HIGH    | HIGH     | MEDIUM
Less likely         | HIGH      | HIGH    | MEDIUM   | LOW
Least likely        | HIGH      | MEDIUM  | LOW      | LOW
Unlikely            | MEDIUM    | LOW     | LOW      | LOW
IMPACT ANALYSIS
Probability means Likelihood
Impact Analysis is Consequence
Risk-based requirement writing
• Requirements should be malleable – flexible until project / product end
• Requirement changes create significant risk
• Allows business analysts to decide which requirement additions are valid from a policy or development standpoint
• Provides a platform to negotiate with the customer
• Encourages development teams to negotiate risk mitigation strategies with stakeholders
• Helps to identify and resolve inconsistencies in requirements
• Ensures consistency between the requirements, all policies, and the system's functionality
• Stakeholder involvement is key to this
Risk-based requirement (contd.)
• Offers developers and customers the opportunity to compromise on four variables (cost, time, scope, quality)
• Customers are allowed to choose the desired values for three of these four variables, and the developers determine the value of the last variable
Examples
• The customer might state that they want "a high quality release" on May 1 for $x, and the developers can tell them which of the customer-prioritized requirements might make it into that release
• The customer might state that they want a "high quality release" with specified features for $y, and the developers will determine when they can deliver the release
Risk-based testing (RBT)
More testing will not result in stable deliveries
• Traditional testing is about finding the right bugs, whereas RBT involves deferring the right bugs by employing the right skills
• Helps to find the right level of quality that can be delivered within a short schedule and with limited skilled resources
• Completely based on identifying the business and technical requirements for an application
• Demonstrated improvement in the project success factor
• RBT allows QA teams to make informed decisions while setting clear test exit criteria
Risk-based testing (RBT) (contd.)
• Industry specific – Healthcare, Insurance, Financial, Construction, Mining, …
• Test according to the risk matrix with a 3rd dimension – SCENARIO; customer-focused
• Schedule tests for all risk-based requirements
• Test all EXTREME / CRITICAL and HIGH risk items
• Validate the risk matrix with known situations
• Test all medium risks during slack time or between cycles
• Document medium and low untested risks during lessons learnt (project closure)
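As an added example (not from the slides), the deck's likelihood-by-impact matrix and the RBT scheduling rules above coded as a small test planner with the exit criterion "all EXTREME / HIGH items tested"; the register entries, their ratings and the function names are constructed for illustration.

```python
from dataclasses import dataclass
# Axis labels and cells transcribed from the deck's risk matrix slide
# (rows = likelihood, most to least; columns = impact, very high to low).
LIKELIHOOD = ["Most likely", "Likely", "Less likely", "Least likely", "Unlikely"]
IMPACT = ["Very high", "High", "Moderate", "Low"]
MATRIX = [
    ["EXTREME", "EXTREME", "HIGH", "HIGH"],
    ["EXTREME", "HIGH", "HIGH", "MEDIUM"],
    ["HIGH", "HIGH", "MEDIUM", "LOW"],
    ["HIGH", "MEDIUM", "LOW", "LOW"],
    ["MEDIUM", "LOW", "LOW", "LOW"],
]

def rate(likelihood: str, impact: str) -> str:
    """Return the matrix category for a likelihood/impact pair."""
    return MATRIX[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]

@dataclass
class RiskItem:
    name: str
    likelihood: str
    impact: str
    tested: bool = False

def plan_tests(items):
    """RBT rules: EXTREME/HIGH must be tested, MEDIUM in slack time, LOW documented only."""
    plan = {"must_test": [], "slack_time": [], "document_only": []}
    for item in items:
        category = rate(item.likelihood, item.impact)
        if category in ("EXTREME", "HIGH"):
            plan["must_test"].append(item.name)
        elif category == "MEDIUM":
            plan["slack_time"].append(item.name)
        else:
            plan["document_only"].append(item.name)
    return plan

def exit_check(items):
    """Exit criterion: no untested EXTREME/HIGH item; also list MEDIUM/LOW items to record at closure."""
    untested = [i for i in items if not i.tested]
    blocking = [i.name for i in untested if rate(i.likelihood, i.impact) in ("EXTREME", "HIGH")]
    to_document = [i.name for i in untested if rate(i.likelihood, i.impact) in ("MEDIUM", "LOW")]
    return not blocking, to_document

# Constructed sample risk register (hypothetical items, not from the deck).
SAMPLE_ITEMS = [
    RiskItem("payment authorization bypass", "Likely", "Very high", tested=True),
    RiskItem("report layout glitch", "Unlikely", "Low"),
    RiskItem("slow nightly export", "Less likely", "Moderate"),
]
```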
RBT – Scenario
Driver is driving a car
• Loss of control – vehicle manufacturers
• Meets with an accident – insurance
• Either dies or is injured – health services
The probability of losing control is greater than that of an accident, which is greater than the impact
RBT – Project Scenario
Project Manager is driving the project
• Unclear scope – sponsor
• Several defects – test team
• Kill project or delay – stakeholders
Reversing this: the probability of successful project delivery is greater when defects are fixed, and greater still when the risks are addressed earlier
Defects / bugs / issues in IT projects
• Defects are anomalies in the functionality
• Incidence of risk occurrence – known defects
• Considering the risk means considering the defects
• The defects should be analyzed and classified
• Action is REACTIVE
• RBT focuses on detecting issues much earlier, during planning
Software vs review defects
SOFTWARE DEFECTS
• Traditionally found bugs or issues
• Identified only during the execution & monitoring phase
• Logged and managed between cycles
• Categorized with Severity & Priority
• Rarely linked to risks
REVIEW DEFECTS
• Found while inspecting or reviewing documents
• Identified throughout the project lifecycle
• Early detection starts from the planning stage
• Classified by Severity
• Linked with risk
• Proven to save substantial $s
Impact of identifying and resolving review defects
Addresses risks and saves money
Advantages
• Universal across all industries
• Risk based approach
• Cost is quite low to fix any defects / bugs
• Most defects lead to clarification and close
• Resource training is uniform and the turnaround cycles are quite aggressive
Intro to Disaster Risk Management
Involves 4Rs – Readiness, Response, Recovery & Reduction
• Disaster risk reduction (DRR) is a systematic approach to identifying, assessing and reducing the risks of disaster
• DRR, if not acted upon quickly, may turn out to be hazardous / critical
• Helps build better infrastructure
• DRR is an avoidance or delayed method
Intro to Green Risk Management
Greening IT infrastructure reduces the risk of failure and lowers maintenance costs
• Green Risk Management is highly proactive
• Return on investment is sustainable
• Better and faster infrastructure
• Improved business results – legacy IT migrations
• Marketplace mandate – current trends like Cloud computing
• Environmental impacts are reduced
Contact for future consultancy
Narasimhan Bhagavan - CPRM, CIPM, MPM, MQM, CIA, CLA
Principal Consultant
Kompusys Consultants
Phone: 647-248-1398
http://www.linkedin.com/in/bnweb