managing risk and opportunity in it projects
DESCRIPTION
Presentation made by Robert Venczel at the PMI OVOC 10th Annual Project ManagementSymposium (12-14 October 2010, Ottawa, Ontario, Canada)More info at http://www.pmiovoc.org/files/Events/Symposium.htmlTRANSCRIPT
PMI OVOC 10th Annual Project Management Symposium
October 12 – 14, 2010
Unleashing the Power ofProject Management
Template V3
Managing Risk and Opportunityin IT Projects
Robert Venczel
3 Key Learning Points
1. Describe the risk management process– Definitions, utility theory, steps, responsibilities, etc.– Corporate strategy relationship
2. Explain the RiskIT Model– IT goals, associated metrics, and IT-related risks– IT project risk management– Risk scenarios and implementation of controls
3. Application of IT risk management– Case study
2Presented at PMI OVOC Project Management Symposium 2010
Your Presenter
• Robert Venczel, MBA, CMA, CISA, PMP, CIA• Bivium Executive Consulting Ltd.• Over 18 years of management consulting experience
in both public and private sectors in the areas of:– Project and programme risk management– IT project management and governance– IT audit– Business strategy
3Presented at PMI OVOC Project Management Symposium 2010
Agenda
• Risk Management Process – A Quick Review• Project Risk Management• IT Risks vs. Overall Risk Universe• IT Project Risk Management Continuum• Case Study – SuperSoftware Inc.
4Presented at PMI OVOC Project Management Symposium 2010
What is Risk?
• Risk is defined as this uncertainty of outcome, whether positive opportunity or negative threat, of actions and events.*
*Orange Book (UK) Definition
5Presented at PMI OVOC Project Management Symposium 2010
RM Process
• Risk Identification• Risk Assessment• Risk Mitigation and Monitoring• Risk Reporting
6Presented at PMI OVOC Project Management Symposium 2010
The Riskit Risk Management Cycle
7Presented at PMI OVOC Project Management Symposium 2010
Source: Kontio, J , Getto, G. and Landes. D. (1998),Experiences in improving risk management processes using the concepts of Riskit method, SIGSOFT’98 sixth International Symposium on the Foundations of Software Engineering.
Risk Identification
• Types of risk:– Organization-wide vs. programme/project– External vs. internal– Inherent vs. residual
• Risk identification:– Using common methodology– From top down and from bottom up
• Part of short- and long-term business planning process
• Continuous not a one-time exercise8Presented at PMI OVOC Project Management Symposium 2010
Risk Assessment
• Utility theory• Likelihood and impact• Need to develop a simple scoring/weighting
methodology that can be applied on a consistent basis across the organization.
9Presented at PMI OVOC Project Management Symposium 2010
Impact vs. Likelihood
10Presented at PMI OVOC Project Management Symposium 2010
Addressing Risks / Risk Tolerance
Tolerate Treat Transfer Terminate
Risk tolerance vs. risk appetite
11Presented at PMI OVOC Project Management Symposium 2010
Risk Management/Risk Mitigation
• Identification of mitigating actions and controls• Ensuring that mitigating actions and controls are
implemented (risk owners)• Monitoring and reporting on the effectiveness of
mitigating actions and controls• Reporting and escalating problems up the
management chain
12Presented at PMI OVOC Project Management Symposium 2010
Risk Mitigation Plan
• Choosing the most appropriate “treatment” or combination of treatment options
• Costs and efforts vs. benefits• Risk treatment itself can introduce risks
13Presented at PMI OVOC Project Management Symposium 2010
Risk Monitoring and Reporting
• Review periodically:– If the status of risks has changed or new risks emerged– The effectiveness of the mitigation strategies against
indicators– The validity of the initial assumptions– The existence of appropriate contingency plans
• Reporting:– Status, performance and results– Trends and patterns
14Presented at PMI OVOC Project Management Symposium 2010
RM Responsibilities for Risk Owners vs. Risk Managers
– Risk Owners: • Deemed ultimately accountable for the effective management of specific risk
categories• Do not necessarily own or control all aspects of the risk• Depend on others to help mitigate the risks
• Risk Managers:• Responsibility for the risk management process• Have the authority to manage risks
15Presented at PMI OVOC Project Management Symposium 2010
PMBOK® - Project Risk Management
Project Risk Management Processes• Plan Risk Management• Identify Risks• Perform Qualitative Risk Analysis• Perform Quantitative Risk Analysis• Plan Risk Responses• Monitor and Control Risks
16Presented at PMI OVOC Project Management Symposium 2010
Source: PMI’s PMBOK Guide, Fourth Edition (2008)
Opportunity vs. Risk
• On the positive side… new business initiatives successfully enabled by IT
• On the negative side… IT projects misaligned with the strategic objectives; waste of resources due to failed projects; etc.
17Presented at PMI OVOC Project Management Symposium 2010
Defining IT Goals and Enterprise Architecture for IT
18Presented at PMI OVOC Project Management Symposium 2010
Source: ISACA’s COBIT® 4.1 Framework for IT Governance and Control (2007)
IT Risk vs. Overall Risk Universe
19Presented at PMI OVOC Project Management Symposium 2010
Source: ISACA’s The Risk IT Framework (2009)
IT Project Risk Management Continuum
20Presented at PMI OVOC Project Management Symposium 2010
Needs and Requirements Specifications Contractor/Team
SelectionDesign and
DevelopmentSystems
Integration
Conceptual Design
Demonstration/ Validation
Engineering, Manufacturing, Development,
and Production
Maintenance and Major Upgrade
System Complexity vs. Risk
21Presented at PMI OVOC Project Management Symposium 2010
Risk
(tec
hnic
al; c
ost;
sche
dule
)
Complexity (technology; team; expertise; etc.)
IT Risk Management Supports Success
By enabling IT project management to:• Deal effectively with potential future events that
create uncertainty.• Respond in a manner that reduces the likelihood that
objectives will not be achieved and increases the likelihood of success.
22Presented at PMI OVOC Project Management Symposium 2010
Practicing Risk Management
• Integrate IT project risk management with business planning and priority setting
• Promote use of the common language, framework, and process
• Use common tools, techniques and models for risk mapping and monitoring
• Use of risk management concepts in decision making and reporting
• Consult and communicate with internal and external stakeholders throughout the process
• Monitor, evaluate, and adjust systems, processes, and practices
23Presented at PMI OVOC Project Management Symposium 2010
IT Project Risk Scenario Example
24Presented at PMI OVOC Project Management Symposium 2010
Beta Test
SuccessfulUsers not ready to
use the new software
Cost: $15K+
Unsuccessful
Project terminated because of changed business priorities
Cost: $100K+
Project delayed
Time: 1 month
Cost: $20K+
Software development project
Case Study – SuperSoftware Inc.
• Software development project• Stakeholders• Team• Risks• Evaluation of risks (quantitative vs. qualitative)• Mitigation, monitoring and reporting• Lessons learned
25Presented at PMI OVOC Project Management Symposium 2010
Conclusions
• Get senior management’s buy in and support for a risk-aware culture.
• Use risk management people who understand the business and information technology, and are also good communicators.
• Successful IT risk management is all about connection and alignment with business strategy.
26Presented at PMI OVOC Project Management Symposium 2010
Additional Resources
• Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management – Integrated Framework
• Risk management: Principles and guidelines - International Standard, ISO 31000: 2009• Australian/New Zealand Standard for risk management - AS/NZS 4360:2004• Risk management policies, directives and standards developed by the Treasury Board
Secretariat (TBS’s) to guide good management across the Canadian Federal Government:– Integrated Risk Management Framework (IRMF)– Integrated Risk Management Implementation Guide– Policy on Active Monitoring– Risk Management Policy– Draft Core Management Controls– Management Accountability Framework (MAF) criteria.
• PMI’s PMBOK Guide, Fourth Edition (2008)• ISACA’s COBIT® 4.1 Framework for IT Governance and Control (2007)• ISACA’s The Risk IT Framework (2009)• ISACA’s The Risk IT Practitioner Guide (2009)
27Presented at PMI OVOC Project Management Symposium 2010
For more information…
• Thank you for your participation today!• For more information on the contents of this
presentation, please feel free to contact me as follows:– Robert Venczel, MBA, CMA, CISA, PMP, CIA– Bivium Executive Consulting Ltd.
• “Achieving Excellence Through Change”
– [email protected]– 613-843-7629
28Presented at PMI OVOC Project Management Symposium 2010
Copyright Notice
• The contents of this presentation are Copyright © 2010 by the presenter and PMI OVOC.
• Permission is granted for participants to print the presentation handouts for use during the conference and later personal reference.
• PMI OVOC reserves the right to store this content for archival purposes as a record of conference proceedings and to publish this content electronically for the purpose of disseminating conference proceedings to conference participants.
• All other use, storage, retrieval, distribution, or reproduction must be authorized in advance, in writing.
29Presented at PMI OVOC Project Management Symposium 2010
Supplementary Slides
30
Guiding Principles
31Presented at PMI OVOC Project Management Symposium 2010
Source: ISACA’s The Risk IT Framework (2009)
Sample IT Risk Heat Map
32Presented at PMI OVOC Project Management Symposium 2010
1.00 1.20 1.40 1.60 1.80 2.00 2.20 2.40 2.60 2.80 3.00 1.00
1.20
1.40
1.60
1.80
2.00
2.20
2.40
2.60
2.80
3.00
IT Risks
IT Risks
IT Risks
IT Risks
IT Risks
IT Risks
Likelihood
Impact