WISQA: Risk Management for I/S Projects
Paula Duchnowski CQA, CSTE
paula.duchnowski@generalcasualty.com
General Casualty Insurance
May 9, 2002
Risk Management for I/S Projects
Why is Risk Management Important?
What is Risk?
Risk Management Process
– Identify project goals & objectives
– Identify Risk
– Analyze Risk
– Plan for Risk
– Control Risk
Why are we here?
Information Technology Projects are difficult to manage
Project failures occur with alarming frequency
Prudent measures to assess and manage risk can increase probability of project success
What is Risk?
A potential problem waiting to happen
May adversely impact schedule, cost, objectives
Will vary in probability, impact and timeframe
What is Risk Management?
Risk Management is a systematic process of identifying, analyzing and responding to project risk.
PMI’s PMBOK
Step 1: Identify Project Goals and Objectives
What are business objectives?
What are technical objectives?
What are project constraints?
Identify and state risks as they relate to the ability to achieve objectives within the known constraints
Note: If objectives aren’t well-defined - that is a major risk.
Case Study Introduction
Improving and enforcing the Software Development Life Cycle
– Small Shop
– Not a process-oriented culture
Project Objectives:
Increase consistency among all software development projects
Utilize processes that will increase the probability of project success
Step 2: Identify Risks
Encourage input of perceived risk
Identify risk while there is time to take action
Capture risk in readable format
Communicate risk to those who can solve it
Goal: Prevent project surprises
Risk Identification: examples
Inadequate Management Commitment
Ambiguous requirements
Inadequate user involvement
New Technology
Undefined or ambiguous Scope
Insufficient or inappropriate staffing
Inadequate tools or technology
Large and dispersed project team
Identifying Risks
Various publications and organizations have developed generic risk categories and generic checklists.
Checklists help assure we aren’t overlooking something
Consider three perspectives:
– Project Management and staffing
– Technical
– Quality of Product
Project Management Perspective: Tactical Considerations
Budget
Resource availability and expertise
Adequacy of Methodology / process
Project Size & Complexity
Schedule & Estimating risks
Vendor Management
Project Communication
Sponsorship and high-level support
Technical Perspective
Data Conversion: (GIGO)
System Interfaces
Operations / Post-implementation Support
New or unproven Technology
Implementation & rollout
Infrastructure support
Adequacy of Infrastructure
Legacy Impacts / Support
Quality Risks
How well will product meet expectations?
– Ease of Use
– Data Integrity
– Understand impact to users
Defects in production
Techniques to Identify Risk
Checklists: Several Checklists are available as reminders of possible risk areas to consider
Interviews: Group or individual
Working Group / Workshop
Periodic meetings: Dialogue of risk information
Surveys: Selected categories of people identify risks quickly
Statement of Risk
May need to “Drill Down” to determine the real risk to the project:
– Asking Why?
– Why is this situation a risk to the project?
– What is the worst case scenario if the risk is realized?
– Some less than ideal circumstances may not be true risks
Discussion
Case Study: Enhancing and enforcing the Software Development Life Cycle
What are some of the risks?
(be creative- pretend you know this company)
Step 3: Risk Analysis
Quantify two factors:
– Probability of a failure
– Impact of a failure
Risk Exposure (RE) = P x I
Examples:
– Tornado in Wisconsin (low probability, high impact)
– My son forgetting to take out garbage (High probability, low impact)
– Others: What risk(s) have you taken today??
Quantifying Risk
Early in Project
More difficult to be precise
Establish risk ‘order of magnitude’
Continue to revisit as part of risk management process
Quantifying Risk: Tools and Techniques
Decision tree
– Identify possible outcomes: associated likelihood and impact
Identify expected monetary value:
– (probability %) x (Risk event value)
Simulation:
– Prototype ‘what if’ scenarios
Expert Judgement (Use a ‘judgement’ based scale)
Quantifying Risk
Define scale you will be using for Probability and Impact
Try to define scale to correspond to key objectives and constraints
Look at example Checklist
See GC’s Risk Checklist
Work in Process
Based on Lessons Learned & Industry standard risks
Tool for PMs
Includes a risk ‘scale’ for probability and impact
Weighted factors for size & complexity
Discussion: Case Study Risks
What is probability of each risk occurring?
What is impact if the risk is realized?
Step 4: Plan for Risk
Develop Risk Management Plan
For each Risk
– Determine Time Frame for action
– Define Mitigation Strategy
Plan for Risk: Risk Management Plan
Define the Process for tracking and monitoring risk
Roles & Responsibilities
What and how risk information will be tracked
Establish Mitigation Strategies
Possible Mitigation Strategies
Acceptance: Consciously choose to live with the risk consequences
Avoidance: Eliminate the risk.
Protection: Backup / contingency plan, i.e. Redundant system.
Reduction: Reduce either the probability or impact of the risk.
More Mitigation Strategies
Research: Need more information - i.e. market research; prototypes
Risk Reserves: Leave a contingency - or margin for error.
Transfer: Shift risk to another organization, person or group (retain responsibility)
Document Known Risks
Description of risk
Date identified
Who identified
Category
Status
Risk Owner
Who is assigned
Mitigation strategy
Action Plan
Time Frame to act
RE: Probability & Impact
Other Measures:
– Quantitative threshold
– Leading indicators
– Risk Leverage
Discussion
Discuss possible mitigation strategies for case study risks
Step 5: Control Risk - On-going
Periodic monitoring and reporting of risk data
– Visibility and accountability regarding risk status
– Reports from risk repository
Periodic meetings / updates regarding risk status
Periodic re-assessment of risk exposure
Update Risk data and project plan
Summary
Why Risk Management is Important
Steps of a Risk Management Process
– Identify Project Goals & Objectives
– Identify Risk
– Analyze Risk
– Plan for Risk
– Control Risk
Thank you
Bibliography
Project Management Institute: Project Management Body of Knowledge
Keil, Mark; Cule, Paul; Lyytinen, Kalle; Schmidt, Roy: A Framework for identifying software project risks: Communications of the ACM, November 1998
Hall, Elaine. Managing Risk. Methods for software systems development. Reading, MA: Addison-Wesley Publishing, 1998.
Jones, Capers. Assessment and Control of Software Risks, 1994.
Mulcahy, Rita, Managing and Estimating Project Risks, September, 1999.