Lecture 12 (21/4) - Risk Management
PRINCE2 definition of risk
'the chance of exposure to the adverse(ugunstig) consequences of future events'.
Sociotechnical model of risk
A diagrammatic representation containing Actors, Technology, Structure, and Tasks. Risk often arises from the relationship between these factors. It is also called The Lyytinen-Mathiassen-Ropponen risk framework.
What is a common problem with risk identification?
A list of risks is potentially endless.
Resource dependency
A resource dependency is where one activity has to wait for a resource (usually a person in software development) which is being used by another activity to become available. If an activity on this critical chain is late it will push the project completion date.
Project risks as a category of risks
Are those that could prevent the achievement of the objectives given to the project manager and the project team.
Monte Carlo simulation
As an alternative to the PERT technique, and to provide a greater degree of flexibility in specifying likely activity durations, we can use Monte Carlo simulation techniques to evaluate the risks of not achieving deadlines. The basis of this technique involves calculating activity completion times for a project network a large number of times, each time selecting estimated activity times randomly from a set of estimates for each activity.
Checklists for risk identification in planning for risks
Checklists are simply lists of the risks that have been found to occur regularly in software development projects. An example of a specialized list of software development risks is by Barry Boehm where one column contain the identified risk and a column next to it names risk reduction techniques.
Risk planning
Having identified the major risks and allocated priorities, the task is to decide how to deal with them.
Risk reduction
Here we decide to go ahead with a course of action despite the risks, but take precautions that reduce the probability of the risk. It must be appreciated that each risk reduction action is likely to involve some cost. Risk reduction attempts to reduce the likelihood of the risk occurring. To reduce the likelihood of a risk from happening. Example: If you are afraid of sharks you can swim with something that repels sharks.
Brainstorming for risk identification in planning for risks
Ideally, representatives of the main stakeholders should be brought together once some kind of preliminary plan has been drafted. They then identify, using their individual knowledge of different parts of the project, the problems that might occur. This collaborative approach may generate a sense of ownership in the project.
What is a drawback to the application of methods like PERT?
In practice there is a tendency for developers to work to the schedule even if a task could be completed more quickly. Even if tasks are completed earlier than planned, project managers are not always quick to exploit the opportunities to start subsequent activities earlier than scheduled. This can be tackled by critical chain management.
Fairley's four commercial off-the-shelf (COTS) software acquisition risks
Integration Upgadring No source code Supplier failures of buyouts
Risk exposure
Is calculated using the formula: risk exposure = risk likelihood × risk impact. The need for frequent reassessment of effort and duration estimates during a project applies to risk exposure as well, as some risks apply only at certain stages.
Key elements of a risk
It relates to the future The future is inherently uncertain. Some things which seem obvious when a project is over might not have been so obvious during planning. It involves cause and effect Both the cause (or hazard), such as 'inexperienced staff', and a particular type of negative outcome, such as 'lower productivity', should be defined for each risk.
Risk reduction leverage (RRL)
On those occasions where a risk exposure value can be calculated as a financial value using the formula described, the cost-effectiveness of a risk reduction action can be assessed by calculating the risk reduction leverage (RRL). An RRL above 1.00 indicates that the reduction in risk exposure achieved by a measure is greater than its cost.
General example of risk management approaches
Our project is to provide ourselves with a better method of transportation. The method is purchasing a bike. The risk we identify is that the bike gets stolen. 1. Risk acceptance: Don't do anything 2. Risk avoidance: Don't buy the bike 3. Risk reduction: We store the bike in a locked basement or we lock the bike with a chain. 4. Risk mitigation: If we don't want to lose too much money I would purchase a bike that is not as expensive. If we want to be able to still move around then we would buy an extra bike. 5. Risk transfer Get insurance on the bike.
PERT duration estimates
PERT requires three estimates for the duration of each task: 1. Most likely time The time we would expect the task to take under normal circumstances. 2. Optimistic time The shortest time in which we can expect to complete the activity. 3. Pessimistic time The worst possible time, allowing for all reasonable eventualities. PERT then combines these three estimates to form a single expected duration using a formula.
PERT
Program Evaluation and Review Technique A technique which takes account of the uncertainties in the durations of activities within a project. PERT was developed to take account of the uncertainty surrounding estimates of task durations.
PM-BOK definition of risk
Project Management Body of Knowledge (PM-BOK) defines risk as 'an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives'.
Categories of risks
Project risks Business risks
Choices of how to deal with identified risks
Risk acceptance Risk avoidance Risk reduction Risk mitigation Risk transfer
Risk management approaches
Risk acceptance Risk avoidance Risk reduction Risk mitigation Risk transfer
Boehm's risk engineering task breakdown
Risk engineering risk analysis | risk management risk identification risk estimation risk evaluation | risk planning risk control risk monitoring risk directing risk staffing
Risk management
Risk management is also called risk engineering. The key role of risk management is considering uncertainty remaining after a plan has been formulated. Every plan is based on assumptions and risk management tries to plan for and control the situations where those assumptions become incorrect. Risk planning is carried out in Steps 3 and 6.
Risk mitigation
Risk mitigation is action taken to ensure that the impact of the risk is lessened when it occurs. We accept that the risk can happen but we prepare for its occurrence so that the impact of the risk is minimal. Example: Reducing the impact of the shark attack by swimming with something that, if the attack happens, will not kill you but you might lose a leg.
Risk monitoring
Risk reduction activities would appear to have only a small impact on reducing the probability of some risks, for example, staff absence through illness. While some employers encourage their employees to adopt a healthy lifestyle, it remains likely that some project team members will at some point be brought down by minor illnesses such as flu. These kinds of risks need a contingency plan.
Risk engineering related to software
Risk transfer in relation to software processes: In traditional environments / software processes, an example of risk transfer is when there is a contract between the client and the development team. The Client transfers some kind of risk to the team. Risk transfer is present in Scrum when the product owner during the sprint planning lists the items of the product backlog that are of highest priority and the team commits to a specific set of items to work on. Suddenly it is the responsibility of the team to uphold the commitment. It is not the PO that is responsible for making sure that the team delivers what they promised.
Risk transfer
Risk transfer is what effectively happens when you buy insurance. In this case, the risk is transferred to another person or organization. With software projects, an example of this would be where a software development task is outsourced to an outside agency for a fixed fee. Decide we want to take the risk and give it to someone else to deal with. We need to have two entities: from - to. Example: Storing your database with some cloud provider. The risk transfer happens in the service level agreement we sign.
Risk avoidance
Some activities may be so prone to accidents that it is best to avoid them altogether. It is the opposite approach of risk acceptance. We want to completely avoid the identified risk so we do not engage with the specific activity. We reduce the likelihood to 0 by avoiding the activity. We find an alternative set of activities to fulfill the goal of the avoided activity. An example could be: If you are worried about sharks then don't go into the water.
The PERT network
The PERT method does not indicate the earliest date by which we could complete the project but the expected (or most likely) date. An advantage of this approach is that it places an emphasis on the uncertainty of the real world. The method can be applied both to activity-on-arrow networks and on activity-on-node diagrams.
Actors in the sociotechnical model
The box labelled 'Actors' refers to all the people involved in the development of the application in question. A typical risk in this area is that high staff turnover leads to expertise of value to the project being lost.
Structure in the sociotechnical model
The box labelled 'Structure' describes the management structures and systems, including those affecting planning and control. For example, the implementation might need user participation in some tasks, but the responsibility for managing the users' contribution might not be clearly allocated.
Tasks in the sociotechnical model
The box labelled 'Tasks' relates to the work planned. For instance, the complexity of the work might lead to delays because of the additional time required to integrate the large number of components.
Technology in the sociotechnical model
The box labelled 'Technology' encompasses both the technology used to implement the application and that embedded in the delivered products. Risks here could relate to the appropriateness of the technologies and to possible faults within them, especially if they are novel.
Critical chain approach
The critical chain is the longest chain of activities in the project, taking account of both task and resource dependencies. This is different from the critical path as the latter only takes account of task dependencies.
Using expected durations
The expected durations are used to carry out a forward pass through a network. In this case, however, the calculated event dates are not the earliest possible dates but the dates by which we expect to achieve those events.
What is the main advantage of the PERT technique?
The main advantage of the PERT technique is that it provides a method for estimating the probability of meeting or missing target dates.
Why is an activity network and a GANTT chart used in project management?
The reason for these two artifacts (activity network diagram and GANTT chart) is to monitor the progress in the project.
Risk identification in planning for risks
The two main approaches to the identification of risks are the use of checklists and brainstorming.
Business risks as a category of risks
There could be risks that an application after successful implementation is a business failure.
Contingency plan
This is a planned action to be carried out if the particular risk materializes. The cost of a contingency measure will only be incurred if the risk actually materializes.
Risk acceptance
This is the do-nothing option. We could decide that the damage inflicted by some risks would be less than the costs of action that might reduce the probability of a risk happening.
Risk register
When the project planners have picked out and examined what appear to be the most threatening risks to the project, they need to record their findings in a risk register. After work starts on the project more risks will emerge and be added to the register.
Steps in planning for risks
1. Risk identification 2. Risk analysis and prioritization 3. Risk planning 4. Risk monitoring Step 1 to 3 will probably be repeated.
Risk assessment / Risk analysis and prioritization
A way is needed of distinguishing the damaging and likely risks. This can be done by estimating the risk exposure for each risk.
Risk engineering
Happens for each of the activities that are identified within a project. We challenge ourselves in a thought exercise where we see if there is any event that may jeopardize or delay an activity. It should at this point be made visible.