Managing Risk and Opportunity in IT Projects

PMI OVOC 10th Annual Project Management Symposium, October 12 – 14, 2010. Unleashing the Power of Project Management. Managing Risk and Opportunity in IT Projects. Robert Venczel

Upload: slidesharevenr

Post on 06-May-2015


DESCRIPTION

Presentation made by Robert Venczel at the PMI OVOC 10th Annual Project Management Symposium (12-14 October 2010, Ottawa, Ontario, Canada). More info at http://www.pmiovoc.org/files/Events/Symposium.html

TRANSCRIPT

Page 1: Managing Risk And Opportunity In IT Projects

PMI OVOC 10th Annual Project Management Symposium

October 12 – 14, 2010

Unleashing the Power of Project Management


Managing Risk and Opportunity in IT Projects

Robert Venczel

Page 2: Managing Risk And Opportunity In IT Projects

3 Key Learning Points

1. Describe the risk management process
– Definitions, utility theory, steps, responsibilities, etc.
– Corporate strategy relationship

2. Explain the RiskIT Model
– IT goals, associated metrics, and IT-related risks
– IT project risk management
– Risk scenarios and implementation of controls

3. Application of IT risk management
– Case study

Presented at PMI OVOC Project Management Symposium 2010

Page 3: Managing Risk And Opportunity In IT Projects

Your Presenter

• Robert Venczel, MBA, CMA, CISA, PMP, CIA
• Bivium Executive Consulting Ltd.
• Over 18 years of management consulting experience in both public and private sectors in the areas of:
– Project and programme risk management
– IT project management and governance
– IT audit
– Business strategy


Page 4: Managing Risk And Opportunity In IT Projects

Agenda

• Risk Management Process – A Quick Review
• Project Risk Management
• IT Risks vs. Overall Risk Universe
• IT Project Risk Management Continuum
• Case Study – SuperSoftware Inc.


Page 5: Managing Risk And Opportunity In IT Projects

What is Risk?

• Risk is defined as this uncertainty of outcome, whether positive opportunity or negative threat, of actions and events.*

*Orange Book (UK) Definition


Page 6: Managing Risk And Opportunity In IT Projects

RM Process

• Risk Identification
• Risk Assessment
• Risk Mitigation and Monitoring
• Risk Reporting


Page 7: Managing Risk And Opportunity In IT Projects

The Riskit Risk Management Cycle


Source: Kontio, J., Getto, G. and Landes, D. (1998), Experiences in improving risk management processes using the concepts of Riskit method, SIGSOFT’98 sixth International Symposium on the Foundations of Software Engineering.

Page 8: Managing Risk And Opportunity In IT Projects

Risk Identification

• Types of risk:
– Organization-wide vs. programme/project
– External vs. internal
– Inherent vs. residual
• Risk identification:
– Using common methodology
– From top down and from bottom up
• Part of short- and long-term business planning process
• Continuous, not a one-time exercise

Page 9: Managing Risk And Opportunity In IT Projects

Risk Assessment

• Utility theory
• Likelihood and impact
• Need to develop a simple scoring/weighting methodology that can be applied on a consistent basis across the organization.


Page 10: Managing Risk And Opportunity In IT Projects

Impact vs. Likelihood


Page 11: Managing Risk And Opportunity In IT Projects

Addressing Risks / Risk Tolerance

Tolerate Treat Transfer Terminate

Risk tolerance vs. risk appetite


Page 12: Managing Risk And Opportunity In IT Projects

Risk Management/Risk Mitigation

• Identification of mitigating actions and controls
• Ensuring that mitigating actions and controls are implemented (risk owners)
• Monitoring and reporting on the effectiveness of mitigating actions and controls
• Reporting and escalating problems up the management chain


Page 13: Managing Risk And Opportunity In IT Projects

Risk Mitigation Plan

• Choosing the most appropriate “treatment” or combination of treatment options
• Costs and efforts vs. benefits
• Risk treatment itself can introduce risks


Page 14: Managing Risk And Opportunity In IT Projects

Risk Monitoring and Reporting

• Review periodically:
– If the status of risks has changed or new risks emerged
– The effectiveness of the mitigation strategies against indicators
– The validity of the initial assumptions
– The existence of appropriate contingency plans
• Reporting:
– Status, performance and results
– Trends and patterns


Page 15: Managing Risk And Opportunity In IT Projects

RM Responsibilities for Risk Owners vs. Risk Managers

• Risk Owners:
– Deemed ultimately accountable for the effective management of specific risk categories
– Do not necessarily own or control all aspects of the risk
– Depend on others to help mitigate the risks
• Risk Managers:
– Responsibility for the risk management process
– Have the authority to manage risks


Page 16: Managing Risk And Opportunity In IT Projects

PMBOK® - Project Risk Management

Project Risk Management Processes
• Plan Risk Management
• Identify Risks
• Perform Qualitative Risk Analysis
• Perform Quantitative Risk Analysis
• Plan Risk Responses
• Monitor and Control Risks


Source: PMI’s PMBOK Guide, Fourth Edition (2008)

Page 17: Managing Risk And Opportunity In IT Projects

Opportunity vs. Risk

• On the positive side… new business initiatives successfully enabled by IT

• On the negative side… IT projects misaligned with the strategic objectives; waste of resources due to failed projects; etc.


Page 18: Managing Risk And Opportunity In IT Projects

Defining IT Goals and Enterprise Architecture for IT


Source: ISACA’s COBIT® 4.1 Framework for IT Governance and Control (2007)

Page 19: Managing Risk And Opportunity In IT Projects

IT Risk vs. Overall Risk Universe


Source: ISACA’s The Risk IT Framework (2009)

Page 20: Managing Risk And Opportunity In IT Projects

IT Project Risk Management Continuum


[Figure: IT project risk management continuum. Labels: Needs and Requirements Specifications; Contractor/Team Selection; Design and Development; Systems Integration; Conceptual Design; Demonstration/Validation; Engineering, Manufacturing, Development, and Production; Maintenance and Major Upgrade]

Page 21: Managing Risk And Opportunity In IT Projects

System Complexity vs. Risk


[Figure: system complexity vs. risk. Axes: Risk (technical; cost; schedule) and Complexity (technology; team; expertise; etc.)]

Page 22: Managing Risk And Opportunity In IT Projects

IT Risk Management Supports Success

By enabling IT project management to:
• Deal effectively with potential future events that create uncertainty.
• Respond in a manner that reduces the likelihood that objectives will not be achieved and increases the likelihood of success.


Page 23: Managing Risk And Opportunity In IT Projects

Practicing Risk Management

• Integrate IT project risk management with business planning and priority setting

• Promote use of the common language, framework, and process

• Use common tools, techniques and models for risk mapping and monitoring

• Use of risk management concepts in decision making and reporting

• Consult and communicate with internal and external stakeholders throughout the process

• Monitor, evaluate, and adjust systems, processes, and practices


Page 24: Managing Risk And Opportunity In IT Projects

IT Project Risk Scenario Example


[Figure: risk scenario diagram. Labels, in extracted order: Beta Test; Successful; Users not ready to use the new software; Cost: $15K+; Unsuccessful; Project terminated because of changed business priorities; Cost: $100K+; Project delayed; Time: 1 month; Cost: $20K+; Software development project]

Page 25: Managing Risk And Opportunity In IT Projects

Case Study – SuperSoftware Inc.

• Software development project
• Stakeholders
• Team
• Risks
• Evaluation of risks (quantitative vs. qualitative)
• Mitigation, monitoring and reporting
• Lessons learned


Page 26: Managing Risk And Opportunity In IT Projects

Conclusions

• Get senior management’s buy in and support for a risk-aware culture.

• Use risk management people who understand the business and information technology, and are also good communicators.

• Successful IT risk management is all about connection and alignment with business strategy.


Page 27: Managing Risk And Opportunity In IT Projects

Additional Resources

• Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management – Integrated Framework
• Risk management: Principles and guidelines - International Standard, ISO 31000:2009
• Australian/New Zealand Standard for risk management - AS/NZS 4360:2004
• Risk management policies, directives and standards developed by the Treasury Board Secretariat (TBS) to guide good management across the Canadian Federal Government:
– Integrated Risk Management Framework (IRMF)
– Integrated Risk Management Implementation Guide
– Policy on Active Monitoring
– Risk Management Policy
– Draft Core Management Controls
– Management Accountability Framework (MAF) criteria
• PMI’s PMBOK Guide, Fourth Edition (2008)
• ISACA’s COBIT® 4.1 Framework for IT Governance and Control (2007)
• ISACA’s The Risk IT Framework (2009)
• ISACA’s The Risk IT Practitioner Guide (2009)


Page 28: Managing Risk And Opportunity In IT Projects

For more information…

• Thank you for your participation today!
• For more information on the contents of this presentation, please feel free to contact me as follows:
– Robert Venczel, MBA, CMA, CISA, PMP, CIA
– Bivium Executive Consulting Ltd.
• “Achieving Excellence Through Change”
– [email protected]
– 613-843-7629


Page 29: Managing Risk And Opportunity In IT Projects

Copyright Notice

• The contents of this presentation are Copyright © 2010 by the presenter and PMI OVOC.

• Permission is granted for participants to print the presentation handouts for use during the conference and later personal reference.

• PMI OVOC reserves the right to store this content for archival purposes as a record of conference proceedings and to publish this content electronically for the purpose of disseminating conference proceedings to conference participants.

• All other use, storage, retrieval, distribution, or reproduction must be authorized in advance, in writing.


Page 30: Managing Risk And Opportunity In IT Projects

Supplementary Slides


Page 31: Managing Risk And Opportunity In IT Projects

Guiding Principles


Source: ISACA’s The Risk IT Framework (2009)

Page 32: Managing Risk And Opportunity In IT Projects

Sample IT Risk Heat Map


[Figure: sample IT risk heat map. Axes: Likelihood and Impact, each scaled from 1.00 to 3.00; plotted points labelled “IT Risks”]