6 Project Risk Management Kathys

8/10/2019 6 Project Risk Management Kathys

1/20

1

Chapter 11:

Project Risk Management

2

Learning Objectives Understand what risk is and the importance of good

project risk management

Discuss the elements involved in risk managementplanning

List common sources of risks on informationtechnology projects

Describe the risk identification process and tools andtechniques to help identify project risks

Discuss the qualitative risk analysis process andexplain how to calculate risk factors, use

probability/impact matrixes, the Top Ten Risk ItemTracking technique, and expert judgment to rank risks


2/20

3

Learning Objectives

Explain the quantify risk analysis process and how touse decision trees and simulation to quantitative risks

Provide examples of using different risk response

planning strategies such as risk avoidance, acceptance,

transference, and mitigation

Discuss what is involved in risk monitoring and control

Describe how software can assist in project risk

management

Explain the results of good project risk management

4

The Importance of Project Risk

Management Project risk management is the art and science of

identifying, assigning, and responding to riskthroughout the life of a project and in the best interestsof meeting project objectives

Risk management is often overlooked on projects, butit can help improve project success by helping selectgood projects, determining project scope, anddeveloping realistic estimates

A study by Ibbs and Kwak show how risk managementis neglected, especially on IT projects

KPMG study found that 55 percent of runaway projectsdid no risk management at all


3/20

5

Table 11-1. Project Management Maturity by

Industry Group and Knowledge Area

6

What is Risk?

A dictionary definition of risk is thepossibility of loss or injury

Project risk involves understandingpotential problems that might occur on theproject and how they might impede projectsuccess

Risk management is like a form ofinsurance; it is an investment


4/20

7

Risk Utility

Risk utility or risk tolerance is the amount ofsatisfaction or pleasure received from a

potential payoff

Utility rises at a decreasing rate for a person whois risk-averse

Those who are risk-seeking have a highertolerance for risk and their satisfaction increaseswhen more payoff is at stake

The risk-neutral approach achieves a balance

between risk and payoff

8

Figure 11-1. Risk Utility Function

and Risk Preference


5/20

9

What is Project Risk Management?

The goal of project risk management is to minimize potential risks

while maximizing potential opportunities. Major processes include Risk management planning: deciding how to approach and plan

the risk management activities for the project

Risk identification: determining which risks are likely to affect aproject and documenting their characteristics

Qualitative risk analysis: characterizing and analyzing risks andprioritizing their effects on project objectives

Quantitative risk analysis: measuring the probability andconsequences of risks

Risk response planning: taking steps to enhance opportunitiesand reduce threats to meeting project objectives

Risk monitoring and control: monitoring known risks,identifying new risks, reducing risks, and evaluating theeffectiveness of risk reduction

10

Risk Management Planning

The main output of risk management planning is

a risk management plan

The project team should review project

documents and understand the organizations

and the sponsors approach to risk

The level of detail will vary with the needs of

the project


6/20

11

Table 11-2. Questions Addressed in a

Risk Management Plan

12

Contingency and Fallback Plans,

Contingency Reserves

Contingency plans are predefined actions thatthe project team will take if an identified riskevent occurs

Fallback plans are developed for risks that havea high impact on meeting project objectives

Contingency reserves or allowances are

provisions held by the project sponsor that canbe used to mitigate cost or schedule risk ifchanges in scope or quality occur


7/20

13

Common Sources of Risk on

Information Technology Projects

Several studies show that IT projects share some

common sources of risk

The Standish Group developed an IT success

potential scoring sheet based on potential risks

McFarlan developed a risk questionnaire to help

assess risk

Other broad categories of risk help identify

potential risks

14

Table 11-3. Information Technology

Success Potential Scoring SheetSuccess Criterion Points

User Involvement 19

Executive Management support 16

Clear Statement of Requirements 15

Proper Planning 11

Realistic Expectations 10

Smaller Project Milestones 9

Competent Staff 8

Ownership 6

Clear Visions and Objectives 3

Hard-Working, Focused Staff 3

Total 100


8/20

15

Table 11-4. McFarlans Risk Questionnaire1. What is the project estimate in calendar (elapsed) time?

( ) 12 months or less Low = 1 point

( ) 13 months to 24 months Medium = 2 points

( ) Over 24 months High = 3 points

2. What is the estimated number of person days for the system?

( ) 12 to 375 Low = 1 point

( ) 375 to 1875 Medium = 2 points

( ) 1875 to 3750 Medium = 3 points

( ) Over 3750 High = 4 points

3. Number of departments involved (excluding IT)

( ) One Low = 1 point

( ) Two Medium = 2 points

( ) Three or more High = 3 points

4. Is additional hardware required for the project?

( ) None Low = 0 points

( ) Central processor type change Low = 1 point

( ) Peripheral/storage device changes Low = 1

( ) Terminals Med = 2

( ) Change of platform, for example High = 3

PCs replacing mainframes

16

Other Categories of Risk Market risk: Will the new product be useful to

the organization or marketable to others? Will

users accept and use the product or service?

Financial risk: Can the organization afford to

undertake the project? Is this project the best

way to use the companys financial resources?

Technology risk: Is the project technicallyfeasible? Could the technology be obsolete

before a useful product can be produced?


9/20

17

What Went Wrong?

Many information technology projects fail because of technology risk. Oneproject manager learned an important lesson on a large IT project: focus on

business needs first, not technology. David Anderson, a project manager for

Kaman Sciences Corp., shared his experience from a project failure in an article

for CIO Enterprise Magazine. After spending two years and several hundred

thousand dollars on a project to provide new client/server-based financial and

human resources information systems for their company, Anderson and his

team finally admitted they had a failure on their hands. Anderson revealed that

he had been too enamored of the use of cutting-edge technology and had taken

a high-risk approach on the project. He "ramrodded through" what the project

team was going to do and then admitted that he was wrong. The company

finally decided to switch to a more stable technology to meet the business needs

of the company.

Hildebrand, Carol. If At First You Dont Succeed, CIO Enterprise Magazine, April 15, 1998

18

Risk Identification

Risk identification is the process ofunderstanding what potential unsatisfactoryoutcomes are associated with a particular project

Several risk identification tools and techniquesinclude

Brainstorming

The Delphi technique Interviewing

SWOT analysis


10/20

19

Table 11-5. Potential Risk Conditions

Associated with Each Knowledge AreaKnowledge Area Risk Conditions

Integration Inadequate planning; poor resource allocation; poor integration

management; lack of post-project review

Scope Poor defin it ion of scope or work packages; incomplete definit ion

of quality requirements; inadequate scope control

Time Errors in est imat ing t ime or resource availability; poor allocat ion

and management of float; early release of competitive products

Cost Estimat ing errors; inadequate productivit y, cost, change, or

contingency control; poor maintenance, security, purchasing, etc.

Quality Poor attitude toward qualit y; substandard

design/materials/workmanship; inadequate quality assurance

program

Human Resources Poor conflict management; poor project organization and

definition of responsibilities; absence of leadership

Communications Carelessness in planning or communicating; lack of consultationwith key stakeholders

Risk Ignoring risk; unclear assignment of risk; poor insurance

management

Procurement Unenforceable conditions or contract clauses; adversarial relations

20

Quantitative Risk Analysis Assess the likelihood and impact of

identified risks to determine their magnitude

and priority

Risk quantification tools and techniques

include

Probability/Impact matrixes

The Top 10 Risk Item Tracking technique Expert judgment


11/20

21

Sample Probability/Impact Matrix

22

Table 11-6. Sample Probability/Impact Matrix for Qualitative Risk Assessment


12/20

23

Figure 11-3. Chart Showing High-, Medium-,

and Low-Risk Technologies

24

Top 10 Risk Item Tracking Top 10 Risk Item Tracking is a tool for

maintaining an awareness of risk throughout

the life of a project

Establish a periodic review of the top 10

project risk items

List the current ranking, previous ranking,

number of times the risk appears on the listover a period of time, and a summary of

progress made in resolving the risk item


13/20

25

Table 11-7. Example of Top 10 Risk

Item TrackingMonthly Ranking

Risk Item This

Month

Last

Month

Number

of Months

Risk Resolution

Progress

Inadequate

planning

1 2 4 Working on revising the

entire project plan

Poor definition

of scope

2 3 3 Holding meetings with

project customer andsponsor to clarify scope

Absence ofleadership

3 1 2 Just assigned a newproject manager to lead

the project after old onequit

Poor costestimates 4 4 3 Revising cost estimates

Poor time

estimates

5 5 3 Revising schedule

estimates

26

Expert Judgment

Many organizations rely on the intuitive feelings

and past experience of experts to help identify

potential project risks

Experts can categorize risks as high, medium, or

low with or without more sophisticated

techniques


14/20

27

Quantitative Risk Analysis

Often follows qualitative risk analysis, but both

can be done together or separately

Large, complex projects involving leading edge

technologies often require extensive quantitative

risk analysis

Main techniques include

decision tree analysis

simulation

28

Decision Trees and Expected Monetary

Value (EMV)

A decision tree is a diagramming method used

to help you select the best course of action in

situations in which future outcomes are

uncertain

EMV is a type of decision tree where you

calculate the expected monetary value of a

decision based on its risk event probability and

monetary value


15/20

29

Figure 11-4. Expected Monetary Value

(EMV) Example

30

Simulation Simulation uses a representation or model of a

system to analyze the expected behavior orperformance of the system

Monte Carlo analysis simulates a modelsoutcome many times to provide a statisticaldistribution of the calculated results

To use a Monte Carlo simulation, you must

have three estimates (most likely, pessimistic,and optimistic) plus an estimate of thelikelihood of the estimate being between theoptimistic and most likely values


16/20

31

What Went Right?A large aerospace company used Monte Carlo simulation to help quantify

risks on several advanced-design engineering projects. The NationalAerospace Plan (NASP) project involved many risks. The purpose of this

multibillion-dollar project was to design and develop a vehicle that could

fly into space using a single-stage-to-orbit approach. A single-stage-to-orbit

approach meant the vehicle would have to achieve a speed of Mach 25 (25

times the speed of sound) without a rocket booster. A team of engineers and

business professionals worked together in the mid-1980s to develop a

software model for estimating the time and cost of developing the NASP.

This model was then linked with Monte Carlo simulation software to

determine the sources of cost and schedule risk for the project. The results

of the simulation were then used to determine how the company would

invest its internal research and development funds. Although the NASP

project was terminated, the resulting research has helped develop more

advanced materials and propulsion systems used on many modern aircraft.

32

Risk Response Planning After identifying and quantifying risks, you

must decide how to respond to them

Four main strategies:

Risk avoidance: eliminating a specific threat or risk,usually by eliminating its causes

Risk acceptance: accepting the consequences shoulda risk occur

Risk transference: shifting the consequence of a riskand responsibility for its management to a thirdparty

Risk mitigation: reducing the impact of a risk eventby reducing the probability of its occurrence


17/20

33

Table 11-8. General Risk Mitigation Strategies for

Technical, Cost, and Schedule Risks

34

Risk Monitoring and Control

Monitoring risks involves knowing their status

Controlling risks involves carrying out the riskmanagement plans as risks occur

Workarounds are unplanned responses to riskevents that must be done when there are nocontingency plans

The main outputs of risk monitoring and controlare corrective action, project change requests,and updates to other plans


18/20

35

Risk Response Control

Risk response control involves executing the riskmanagement processes and the risk management

plan to respond to risk events

Risks must be monitored based on defined

milestones and decisions made regarding risks

and mitigation strategies

Sometimes workarounds or unplanned responses

to risk events are needed when there are nocontingency plans

36

Using Software to Assist in Project

Risk Management

Databases can keep track of risks. Many IT

departments have issue tracking databases

Spreadsheets can aid in tracking and quantifying

risks

More sophisticated risk management software,

such as Monte Carlo simulation tools, help in

analyzing project risks


19/20

37

Figure 11-5. Sample Monte Carlo Simulation

Results for Project Schedule

38

Figure 11-6. Sample Monte Carlo Simulations

Results for Project Costs


20/20

39

Results of Good Project Risk

Management

Unlike crisis management, good project risk

management often goes unnoticed

Well-run projects appear to be almost effortless,

but a lot of work goes into running a project

well

Project managers should strive to make their

jobs look easy to reflect the results of well-run

projects

Documents

6 Project Risk Management Kathys