Week 9 Risk Mgmt

The Risk Management Process

(1) Planning Risk Management (2) Performing Risk Assessment (3) Planning risk responses (4) Monitoring and controlling risks

(1) Planning Risk Management

(1) Planning Risk Management: Deciding how to approach and plan the risk management activities for the project.

(2) Performing Risk Assessment

(2) Performing Risk Assessment: Risk identification: Determining which risks are likely to affect a project and documenting the characteristics of each. Qualitative risk analysis: characterizing and analyzing risks, and prioritizing their effects on project objectives Quantitative risk analysis: Numerically measuring the probability and consequences of risks (i.e. effects on project objectives).

(3) Planning risk responses

(3) Planning risk responses: Planning and taking steps to enhance opportunities and reduce threats to meeting project objectives.

(4) Monitoring and controlling risks

(4) Monitoring and controlling risks: Monitoring known risks, identifying new risks, reducing risks (e.g. by carrying out risk response plans), and evaluating the effectiveness of risk strategies

Decision Trees & Expected Monetary Value (EVM)

A decision tree is a diagramming method used to help you select the best course of action in situations in which future outcomes are uncertain. EMV is a type of decision tree where you calculate the expected monetary value of a decision based on its risk event probability and monetary value.

(3) Qualitative Risk Analysis Probability / Impact Matrix1

A probability/impact matrix or chart lists the relative probability of a risk occurring on one side of a matrix or axis on a chart and the relative impact of the risk occurring on the other. List the risks and then label each one as high, medium, or low in terms of its probability of occurrence and its impact if it did occur.

Watch List

A watch list is a list of risks that are low priority but are still identified as potential risks Qualitative analysis can also identify risks that should be evaluated on a quantitative basis

(5) Risk Response Planning

After identifying and quantifying risks, you must decide how to respond to them. Four main strategies for negative risks: Risk avoidance: eliminating a specific threat or risk, usually by removing its causes Risk acceptance: accepting the consequences should a risk occur Risk transference: shifting the consequence of a risk and responsibility for its management to a third party Risk mitigation: lessen the impact of a risk event by reducing the probability of its occurrence

Benefits from Project risk management

Anticipate/avoid problems Prevent surprises IMprove ability to negotiate meet customer commitments Reduce schedule slips Reduce cost overruns

(3) Qualitative Risk Analysis

Assesses the likelihood and impact of identified risks to determine their magnitude and priority. Tools and techniques include: Probability / Impact matrixes Top 10 Risk Item Tracking technique Expert judgment

Information Gathering: Tools & Techniques Brainstorming

Brainstorming: a technique by which a group attempts to generate ideas or find a solution for a specific problem by amassing ideas spontaneously and without judgment. Use an experienced facilitator to run the brainstorming session. Be careful not to overuse or misuse brainstorming. Psychology literature shows that individuals produce a greater number of ideas working alone than they do through brainstorming in small, face-to-face groups. Group effects often inhibit idea generation.

Information Gathering: Tools & Techniques

Cause and Effect (Fishbone) Diagramming (Schwalbe, Ch 6) SWOT analysis (Schwalbe) Brainstorming (Schwalbe) The Delphi Technique (Schwalbe) Nominal Group Technique (NGT) Interviewing (Schwalbe) Other (Schwalbe): Checklists, Analysis of Assumptions, Other Diagramming Techniques (e.g. flow charts, Influence diagrams)

Information Gathering: Tools & Techniques Cause and Effect Diagramming

Cause-and-Effect Diagrams are used to understand causes or factors of a risk and its effects. STEPS Identify the risk (threat or opportunity) Identify main factors that cause the risk to occur Identify detailed factors for each of the main factors Continue refining the diagram (i.e. repeat step 3) until satisfied that the diagram is complete

Categories of IS Project Risk

Constant flux of technology in today's business environment Locating, hiring, and retaining competent IS personnel Acceptance of project outputs by diverse, distributed user community Numerous methodologies available during systems development

Contingency, Fallback Plans & Contingency Reserves

Contingency plans are predefined actions that the project team will take if an identified risk event occurs. Fallback plans are developed for risks that have a high impact on meeting project objectives. Contingency reserves or allowances are provisions held by the project sponsor that can be used to mitigate cost or schedule overruns to an acceptable level, if changes in scope or quality occur.

External Integration Tools

Devices to link project team's work with user or client community User (client) as project manager User (client) steering committee User (client) involvement (e.g., responsible for training, user approval process, etc.)

Formal Planning Tools

Devices to structure sequence of tasks & estimate needed resources Formal specification of activities, costs, and standards Network diagrams, critical path, and PERT used Identification of well-defined milestones Specific project approval and post-audit procedures

Formal Control Tools

Devices used to evaluate progress, spot problems, make adjustments Formal status reporting that includes reporting against plans Formal presentations to review status & progress against milestones Formal change control Earned value analysis used

What is Risk?

Dictionary definition of risk: "the possibility of loss or injury" Project risk is an uncertainty that can have a negative or positive effect on meeting project objectives ... Known risks vs unknown risks (How do these differ?) Murphy's Law: if something can go wrong, it will Managing negative risk includes understanding potential problems that might occur on the project and how they might impede project success. Negative risk mgmt is like a form of insurance; it is an investment

Internal Integration Tools

Ensure that project team operates as an integrated unit Team building exercises Experienced IS project leader Frequent team meetings & reviews with minutes distributed to all Managed low turnover of team members Team member participation in setting goals and targets

Risk Assessment (2) Risk Identification2

How to identify - can look at ... Control Features (e.g. Project Size, Experience, Requirements Stability, Corporate Culture, Organisational Stability) Broad Categories of Risk (e.g. Market, Financial, Technology, People, Structure, Process) PMBOK (e.g. Scope, Time, Cost, Quality, HR, etc) Lifecycle Approaches Project Lifecycle (e.g. Project Approval, Preliminary Planning and Detailing, Project Execution, Project closure SDLC (e.g. Feasibility Study, Analysis, Design, Development, Implementation)

Information Gathering: Tools & Techniques Interviewing & Other Techniques

Interviewing: Fact-finding technique for collecting information in face-to-face, phone, e-mail, or instant-messaging discussions. Interviewing people with similar project experience is an important tool for identifying potential risks. Other Techniques Checklists: based on prior project experience and known risks. Can include lessons-learned. Project Assumptions: what are they? Are they valid, complete, accurate, consistent - If not, may lead to risks. Other Diagramming techniques: Flow charts, Influence Diagrams

Residual and Secondary Risks

It's also important to identify residual and secondary risks. Residual risks are risks that remain after all of the response strategies have been implemented. Secondary risks are a direct result of implementing a risk response.

Potential Negative Risk Conditions Associated With Each Knowledge Area

Knowledge Area Risk Conditions Integration Inadequate planning; poor resource allocation; poor integration management; lack of post-project review Scope Poor definition of scope or work packages; incomplete definition of quality requirements; inadequate scope control Time Errors in estimating time or resource availability; poor allocation and management of float; early release of competitive products Cost Estimating errors; inadequate productivity, cost, change, or contingency control; poor maintenance, security, purchasing, etc. Quality Poor attitude toward quality; substandard design/materials/workmanship; inadequate quality assurance program Human Resources Poor conflict management; poor project organization and definition of responsibilities; absence of leadership Communications Carelessness in planning or communicating; lack of consultation with key stakeholders Risk Ignoring risk; unclear assignment of risk; poor insurance management Procurement Unenforceable conditions or contract clauses; adversarial relations

Expert Judgment

Many organizations rely on the intuitive feelings and past experience of experts to help identify potential project risks. Experts can categorize risks as high, medium, or low with or without more sophisticated techniques. Can also help create and monitor a watch list, a list of risks that are low priority, but are still identified as potential risks.

Topics Addressed in a Risk Management Plan

Methodology for managing risk throughout the project Roles and responsibilities for the risk activities identified in the risk management plan Budget and schedule for risk management Risk categories Risk probability and impact Risk documentation

(6) Risk Monitoring & Control

Monitoring risks involves knowing their status. Controlling risks involves carrying out the risk management plans as risks occur. Workarounds are unplanned responses to risk events that must be done when there are no contingency plans. The main outputs of risk monitoring and control are: Requested changes Recommended corrective and preventive actions Updates to the risk register, project management plan, and organizational process assets

(4) Quantitative Risk Analysis

Often follows qualitative risk analysis, but both can be done together or separately. Large, complex projects involving leading edge technologies often require extensive quantitative risk analysis. Main techniques include: Decision tree analysis Simulation Sensitivity Analysis

Positive Risks

Positive risks are risks that result in good things happening; sometimes called opportunities Recall: a general definition of project risk is an uncertainty that can have a negative or positive effect on meeting project objectives The goal of project risk management is to minimize potential negative risks while maximizing potential positive risks

What is Project Risk Management?

Project risk management focuses on identifying, analyzing, and developing strategies for responding to project risk efficiently and effectively. Goal: not to avoid risks at all cost but to make well-informed decisions about what risks are worth taking and to respond to those risks in an appropriate manner. Two approaches to risk management: reactive and proactive Problem: risk mgmt. is often overlooked in projects, but can help improve project success by helping select good projects, determining project scope, and developing realistic estimates.

Risk Mgmt Summary

Project risk management is the art and science of identifying, analyzing, and responding to risk throughout the life of a project. Common sources of risk for IS projects are project size, technology, and structure. Project management approaches (internal & external integration, planning & control tools) should be adapted accordingly. Main processes of project risk management include: Risk management planning Risk identification Qualitative risk analysis Quantitative risk analysis Risk response planning Risk monitoring and control

(5) Risk Response Planning Risk Response Strategies

Response Strategies for Positive Risks Risk exploitation: Do what you can to make sure the risk happens Risk sharing or allocating ownership of the risk to another party (to maximize the likelihood that the risk happens) Risk enhancement or changing the size of the opportunity by identifying and maximizing key drivers of the positive risk. Risk acceptance occurs when the team cannot or choose not to take any actions towards the risk.

(3) Qualitative Risk Analysis Probability/Impact Matrix2

Risk factor quantifies the overall risk of specific events based on probability of occurring and the consequences to the project if they do occur). To calculate a risk factor: Assign a number to represent probability of failure (Pf) and consequence of failure (Cf) Formulae: Pf + Cf - (Pf*Cf) Requires expert judgment

Risk Assessment (2) Risk Identification1

Risk identification is the process of understanding what potential events might hurt or enhance a particular project. Performed by project managers, project teams, risk management team, experts, end users, managers, and other stakeholders. Approaches: Common sources of risks in IT projects Reviewing project documentation and prior projects Information gathering techniques (e.g., brainstorming or interviewing)

Preferences: Risk Utility/Risk Tolerance

Risk utility or risk tolerance is the amount of satisfaction or pleasure received from a potential payoff. Utility rises at a decreasing rate for people who are risk-averse. Those who are risk-seeking have a higher tolerance for risk; satisfaction increases when greater payoff is at stake. The risk-neutral approach achieves a balance between risk and payoff.

Information Gathering: Tools & Techniques Nominal Group Technique

STEPS Each individual silently writes his/her ideas on paper Each idea is then written in a board one at a time, round-robin until each individual has listed all his/her ideas Group then discusses and clarifies each idea Each individual then silently ranks and prioritizes the ideas The group then discusses the rankings and priorities of the ideas. Each individual then silently ranks and prioritizes the ideas again. The rankings and priorities are then summarized for the group.

Information Gathering: Tools & Techniques SWOT Analysis

SWOT analysis (strengths, weaknesses, opportunities, and threats) can also be used during risk identification. Key advantage: helps identify broad negative and positive risks: threats and opportunities that apply to the project and their nature in terms of project/ organizational strengths and weaknesses Brainstorming, NGT or the Delphi Technique can be used to identify and understand the nature of the risks and categorize them using the SWOT framework.

(4) Quantitative Risk Analysis Simulation & Sensitivity Analysis

Simulation uses a representation or model of a system to analyze the expected behavior or performance of the system. Monte Carlo analysis simulates a model's outcome many times to provide a statistical distribution of the calculated results. To use a Monte Carlo simulation, you must have three estimates (most likely, pessimistic, and optimistic) plus an estimate of the likelihood of the estimate being between the optimistic and most likely values. Sensitivity analysis is a technique used to show the effects of changing one or more variables on an outcome.

Managing Risky IT Projects2 General Guidelines

Some general guidelines: The more unstructured the project is, the more input and participation you need from the users. The less experience you have with the technology, the more important team cohesiveness becomes. The larger the project, the more formal planning and control mechanisms you need. When uncertainty about structure or technology is high, exercise control to manage change requests.

Managing Risky IT Projects (Warren McFarlan, Harvard Business School)

The 3 common sources of risk in IS projects: Project size In dollars, time, staff, etc. In general, risk increases as project size increases. Experience with technology Does the project team have a good understanding of the technology being used in this project? In general, risk increases as experience decreases. Project structure Are outputs completely understood and well defined? Are outputs stable? In general, risk increases as structure decreases.

Managing Risky IT Projects2 Management Tools1

The 4 sets of project management tools that project managers have in their toolkits: External integration tools Internal integration tools Formal planning tools Formal control mechanisms

Information Gathering: Tools & Techniques Delphi Technique

The Delphi Technique: used to derive a consensus among a panel of experts who make predictions about future developments. Provides independent and anonymous input regarding future events. Uses repeated rounds of questioning and written responses and avoids the biasing effects possible in oral methods, such as brainstorming.

Risk Register

The main output of the risk identification process is a list of identified risks and other information needed to begin creating a risk register. A risk register is: A document that contains the results of various risk management processes; often displayed in a table or spreadsheet format. A tool for documenting potential risk events & related information. Risk events refer to specific, uncertain events that may occur to the detriment or enhancement of the project.

(3) Qualitative Risk Analysis Top 10 Risk Item Tracking

Top 10 Risk Item Tracking is a tool for maintaining an awareness of risk throughout the life of a project. Establish a periodic review of the top 10 project risk items. List the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item.

Results of Good Project Risk Management

Unlike crisis management, good project risk management often goes unnoticed. Well-run projects appear to be almost effortless, but a lot of work goes into running a project well. Project managers should strive to make their jobs look easy to reflect the results of well-run projects.

Managing Risky IT Projects2 Management Tools5

external internal planning control integration integration tools mechanisms Hi structure Hi technology LOW HIGH LOW LOW Small size Lo structure Lo technology HIGH MEDIUM HIGH HIGH Large size Lo structure Hi technology HIGH HIGH LOW LOW Small size