Upload
latehours
View
176
Download
12
Embed Size (px)
Citation preview
1
Chapter 10:Project Risk Management
adopted from PMI’s PMBOK 2000 and
Textbook : Information Technology Project Management
2
Contents
• The Importance of Project Risk Management• Project Risk Management process
– Risk management planning– Risk identification– Qualitative risk analysis– Quantitative risk analysis– Risk response planning– Risk monitoring and control
• Results of good project risk management
Chapter 10
3
Typical Risk Management
4
The Importance of Project Risk Management
• Project risk management is the art and science of identifying, assigning, and responding to risk throughout the life of a project and in the best interests of meeting project objectives
• Risk management is often overlooked on projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimates
• Study by Ibbs and Kwak show how risk management is neglected, especially on IT projects
• KPMG study found that 55 % of runaway projects did no risk management at all
Chapter 10
5
• The goal of project risk management is to minimize potential risks while maximizing potential opportunities.
• Six processes include– Risk management planning– Risk identification– Qualitative risk analysis– Quantitative risk analysis– Risk response planning– Risk monitoring and control
What is Project Risk Management?
Chapter 10
planning
controlling
6
What is Project Risk Management?
• Risk management planning: deciding how to approach and plan the risk management activities for the project
• Risk identification: determining which risks are likely to affect a project and documenting their characteristics
• Qualitative risk analysis: characterizing and analyzing risks and prioritizing their effects on project objectives
• Quantitative risk analysis: measuring the probability and consequences of risks
• Risk response planning: taking steps to enhance opportunities and reduce threats to meeting project objectives
• Risk monitoring and control: monitoring known risks, identifying new risks, reducing risks, and evaluating the effectiveness of risk reduction
Chapter 10
7
Risk Management Planning
• 15th of 21 planning phase process• The main output of risk management planning is
a risk management plan• The project team should review project
documents and understand the organization’s and the sponsor’s approach to risk
• The level of detail will vary with the needs of the project
Chapter 10
8
Inputs to Risk Management Planning
• Project charter: formally recognizes the existence of a project
• Organization’s risk management policies: provide a predefined approach to risk analysis and response
• Defined roles & responsibilities: provide authority levels for decision-making.
• Stakeholder risk tolerances: indicators of how stakeholders might react in different situations and risk events
• Template for the organization’s risk management plan: pro-forma standard for used by the project
• WBS: a deliverable-oriented grouping of project elements that organized and defines the total scope of the project
9
Tools and technique
• Planning meetings– everyone responsible for planning and
executing activities.
10
Output
• Risk management plan– It documents procedures for managing risk
throughout the project– It details identification and quantification of
risk, responsibilities for managing risks, how contingency plans will be implemented, and how reserves will be allocated.
– other associated documents are• Contingency plan, feedback plan
11
Contingency and Fallback Plans, Contingency Reserves
• Contingency plans – provide predefined actions that the project team will
take if an identified risk event occurs
• Fallback plans– developed for risks that have a high impact on
meeting project objectives
• Contingency reserve or allowances– extra provisions held by the project sponsor that can
be used to mitigate cost or schedule risk if changes in scope or quality occur
Chapter 10
12
Risk Identification
• 16th of 21 planning phase process• Risk identification is the process of
understanding what potential unsatisfactory outcomes are associated with a particular project
• Risk identification is a facilitating planning process– Common Sources of Risk on Information Technology
Projects– Several studies show that IT projects share some
common sources of risk
13
Table 10-3. Information Technology Success Potential Scoring Sheet
Success Criterion Points
User Involvement 19
Executive Management support 16
Clear Statement of Requirements 15
Proper Planning 11
Realistic Expectations 10
Smaller Project Milestones 9
Competent Staff 8
Ownership 6
Clear Visions and Objectives 3
Hard-Working, Focused Staff 3
Total 100
Chapter 10
14
Other Categories of Risk
• Market risk:– Will the new product be useful to the organization or
marketable to others? Will users accept and use the product or service?
• Financial risk:– Can the organization afford to undertake the project?
Is this project the best way to use the company’s financial resources?
• Technology risk: – Is the project technically feasible? Could the
technology be obsolete before a useful product can be produced?
Chapter 10
15
Tools and Techniques
• Documentation reviews – provide a structure review of project plans and assumptions
• Information gathering– brainstorming, Delphi method, interviewing. SWOT analysis
• Checklists• provided by previous projects. • Assumptions analysis
– explores the assumptions and identifies potential risks
• Diagramming techniques– help to understand various cause-and-effect relationships.
Examples are cause-and-effect diagram. System or process flow-charts.
16
Outputs
• Risks – uncertain events or condition
• Triggers – symptoms of risks; indirect manifestation or actual risk events such as poor morale
• Inputs to other processes – for examples, constraints or assumptions
17
Qualitative Risk Analysis
• Qualitative Risk Analysis (17th of 21 planning phase process)
• It is the process to assess the impact and likelihood of identified risks.– determine their magnitude and priority
Chapter 10
18
Inputs:
• Risk management plan– It documents procedures for managing risk throughout the
project.
• Identified risk– taken from previous risk identification process. Evaluate these
risks for their potential impacts no the project.
• Project status– identifies risks through the project life cycle
• Project type– determines the amount of risk you can expect. Common or
recurrent projects have less risk, while state-of-the-art, first-time technology, or highly complex projects have more uncertainty.
19
Inputs
• Data precision– tests the value of data. Data precision measures the
extent of data available, reliability of the data, and source of the data
• Scales of probabilities and impact– assess the two key dimensions of risk (probability
and impact)
• Assumptions– identified during risk identification process. These
are used as part of evaluations.
20
tools and techniques
• Risk probabilities & impact – the two dimensions of specific risks. Risk probability is the likelihood that a risk will occur. Risk consequences (or impact), are the effect of project objectives if the risk event occurs
• Probabilities / Impact risk rating matrix – (also known as PI risk matrix)
• Project assumptions testing – performed against 2 criteria: assumption stability and the consequences on the project if the assumption is false.
• Data precision ranking – technique to evaluate the degree to which the data is useful for risk management. Data should be unbiased and accurate
21
Figure 10-2. Chart Showing High-, Medium-, and Low-Risk Technologies
22
Top 10 Risk Item Tracking
• Top 10 Risk Item Tracking is a tool for maintaining an awareness of risk throughout the life of a project
• Establish a periodic review of the top 10 project risk items
• List the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item
Chapter 10
23
Table 10-7. Example of Top 10 Risk Item Tracking
Monthly Ranking
Risk Item This
Month
Last
Month
Numberof Months
Risk ResolutionProgress
Inadequateplanning
1 2 4 Working on revising theentire project plan
Poor definitionof scope
2 3 3 Holding meetings withproject customer andsponsor to clarify scope
Absence ofleadership
3 1 2 Just assigned a newproject manager to leadthe project after old onequit
Poor costestimates
4 4 3 Revising cost estimates
Poor timeestimates
5 5 3 Revising scheduleestimates
24
Expert Judgment
• Many organizations rely on the intuitive feelings and past experience of experts to help identify potential project risks
• Experts can categorize risks as high, medium, or low with or without more sophisticated techniques
Chapter 10
25
Output
• Overall risk ranking for the project
• List of priorities risks
• List of risks for additional analysis and management
• Trends in qualitative risk analysis results
26
Quantitative Risk Analysis
• 18th of 21 planning phase process• A process that numerically analyses the
probability of each risk and its consequence on objectives.
• Often follows qualitative risk analysis, but both can be done together or separately
• Large, complex project involving leading edge technologies often require extensive quantitative risk analysis
Chapter 10
27
Inputs
• Risk management plan • Identified risk • List of prioritized risk • List of risk for additional analysis & management • Historical information• Expert judgment
– determines whether risks have a probability of occurrence (ranked H, M, L) and the level of impact (ranked Severe, moderate or limited)
• Other planning outputs
28
Tools and techniques
• Interviewing: using projects stakeholders and subject matter experts to quantify the probability and consequences of risk on project objectives.
• Sensitivities analysis: help to determine which risks have the greatest impact on the project. It is the simplest form of risk analysis. Sensitivity analysis examines the change of a single project variable to analyze its effect on the project plan.
• Decision tree analysis : identify possible options or outcomes. It forces consideration of the probability of each outcome
• Simulation : uses a model of system to analyze the behavior or performance of the system. Examples are Monte Carlo, Critical Path and PERT.
29
Decision Trees and Expected Monetary Value (EMV)
• A decision tree is a diagramming method used to help you select the best course of action in situations in which future outcomes are uncertain
• EMV is a type of decision tree where you calculate the expected monetary value of a decision based on its risk event probability and monetary value
Chapter 10
30
Figure 10-3. Expected Monetary Value (EMV) Example
31
Simulation
• Simulation uses a representation or model of a system to analyze the expected behavior or performance of the system
• Monte Carlo analysis simulates a model’s outcome many time to provide a statistical distribution of the calculated results
• To use a Monte Carlo simulation, you must have three estimates (most likely, pessimistic, and optimistic) plus an estimate of the likelihood of the estimate being between the optimistic and most likely values
Chapter 10
32
Risk Response Planning
• 19th of 21 planning phase process
• Involves developing options and determining actions to enhance opportunities to reduce threats to project objectives.
• After identifying and quantifying risk, you must decide how to respond to them
Chapter 10
33
Inputs
• Risk management plan - It documents procedures for managing risk throughout the project.
• List of prioritized risk - includes those grouped by ranks, WBS level, risks requiring immediate response, risk that can be handled later, and risk that affect cost, schedule, functionality and quality.
• Risk ranking of the project – indicates that overall risk position of a project relative to other projects by comparing risk scores.
• Prioritized list of quantified risks – identifies those that pose the greatest threat or opportunity to the project and proposes some means of measuring their impact
34
Inputs
• Probabilities analysis of achieving the cost and time objective – assessed under the current project plan and with the current knowledge of the project risks
• List of potential response – identifies specific risks or categories of risk. These list specify the actions the team will take.
• Risk thresholds – the acceptable level of risk to the organization, which influences risk response planning
• Risk owners – identifies staff to provide accountabilities for managing responses.
• Common risk causes – several risks driven by a common causes. This reveals opportunities to mitigate many risks with one response.
• Trends in qualitative & quantitative risk analysis result - become apparent as the analysis is repeated can make risk response more or less urgent and important.
35
Table 10-8. General Risk Mitigation Strategies for Technical, Cost, and Schedule Risks
Chapter 10
36
Tools and techniques
• Risk avoidance: eliminating a specific threat or risk, usually by eliminating its causes
• Risk acceptance: accepting the consequences should a risk occur
• Risk transference: shifting the consequence of a risk and responsibility for its management to a third party
• Risk mitigation: reducing the impact of a risk event by reducing the probability of its occurrence
37
Outputs
• Risk response plan • Residual risks
– remain after avoidance, transfer, or mitigation responses have been taken.
• Secondary risk – arise in direct result of implementing a risk response.
• Contractual agreements • Contingency reserve amounts needed • Inputs to other processes • Inputs to a revised plan
38
Risk Monitoring and Control
• 8 of 8 controlling phase process• This is the process of keeping track of the
identified risks, monitoring residual risk and identify new risks, ensuring the execution of risk plans, and evaluating the plans’ effectiveness in reducing risk.– Monitoring risks involves knowing their status– Controlling risks involves carrying out the risk
management plans as risks occur– Workarounds are unplanned responses to risk events
that must be done when there are no contingency plans
Chapter 10
39
Risk Response Control
• Risk response control involves executing the risk management processes and the risk management plan to respond to risk events
• Risks must be monitored based on defined milestones and decisions made regarding risks and mitigation strategies
• Sometimes workarounds or unplanned responses to risk events are needed when there are no contingency plans
Chapter 10
40
Using Software to Assist in Project Risk Management
• Databases can keep track of risks. Many IT departments have issue tracking databases
• Spreadsheets can aid in tracking and quantifying risks
• More sophisticated risk management software, such as Monte Carlo simulation tools, help in analyzing project risks
Chapter 10
41
Results of Good Project Risk Management
• Unlike crisis management, good project risk management often goes unnoticed
• Well-run projects appear to be almost effortless, but a lot of work goes into running a project well
• Project managers should strive to make their jobs look easy to reflect the results of well-run projects
Chapter 10
42
Outputs
• The main outputs of risk monitoring and control are corrective action, project change requests, and updates to other plans – Corrective action: This encompasses anything that
brings your expected performance back in line with the project plan. At this stage, it involves carrying out either your contingency plan or workaround.
– Project change requests: Implementing a contingency plan or workaround frequently requires changing the risk responses described in the project plan. Know the process flow and feedback loop.
43
Outputs (2)
– Updates to risk response plan: Document the risks that occur. Risks that don't occur should also be noted and closed out in the risk response plan. It's important to keep this up-to-date, and it becomes a permanent addition to project records, eventually feeding into lessons learned.
– Workaround plans
– Risk database
– Updates to risk identification checklists
44
Summary• Project Risk Management
– is the art and science of identifying, assigning, and responding to risk
• Project Risk Management process– Risk management planning: deciding how to approach and plan the
risk management activities for the project– Risk identification: determining which risks are likely to affect a
project and documenting their characteristics– Qualitative risk analysis: characterizing and analyzing risks and
prioritizing their effects on project objectives– Quantitative risk analysis: measuring the probability and consequences
of risks– Risk response planning: taking steps to enhance opportunities and
reduce threats to meeting project objectives– Risk monitoring and control: monitoring known risks, identifying new
risks, reducing risks, and evaluating the effectiveness of risk reduction
45
Summary 2
• Tools– charts – risk item tracking – expert judgment– decision trees– expected monetary value (EMV)
• Using software to assist project risk management– database, simulation, Monte Carlo
• Results of good project risk management– unusually un-notice, look easy but require a lot of good risk
management