Embed Size (px)
Citation preview
Project Risk Management
Mohammad A. Rob
The Importance of Project Risk Management
Project risk management is the art and science of identifying, assigning, and responding to risk throughout the life of a project and in the best interests of meeting project objectives
Risk management is often overlooked on projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimates
What is Risk?
A dictionary definition of risk is “the possibility of loss or injury”
Project risk involves understanding potential problems that might occur on the project and how they might impede project success
Risk management is like a form of insurance; it is an investment
Why Take Risks? Because of Opportunities!
OpportunitiesRisks
Try to balance risks and opportunities
What is Project Risk Management?
The goal of project risk management is to minimize
potential risks while maximizing potential opportunities.
Major processes include– Risk management planning: deciding how to approach and plan
the risk management activities– Risk identification: determining which risks are likely to affect a
project– Risk analysis: measuring the probability and consequences of
risks and estimating their effects– Risk response planning: taking steps to enhance opportunities
and reduce threats– Risk monitoring and control: monitoring known risks, identifying
new risks, and responding to risks over the course of the project
Risk Management Planning
The process of deciding how to approach and plan for
risk management activities
The major inputs to this process:
– project charter, WBS, roles and responsibility matrix, corporate
risk management policies, risk management templates
The major tool : planning meeting to develop risk
management plan
The major output: risk management plan
– it describes how risk identification, qualitative an quantitative
analysis, response planning, monitoring, and control will be
structured and performed during the project life cycle
Broad Categories of Risk
Market risk: Will the new product be useful to
the organization or marketable to others? Will
users accept and use the product or service?Financial risk: Can the organization afford to
undertake the project? Is this project the best way to use the company’s financial resources?
Technology risk: Is the project technically feasible? Could the technology be obsolete before a useful product can be produced?
Common Sources of Risk on Information Technology Projects
Barry Boehm developed a list of top risk items in software development. Some are:– Personnel shortfalls: To overcome personnel problems, obtain
quality people and build a good team– Control dynamic requirements: Some changes in scope is
inevitable, but control continuous changes. One way to control is not to change plan until it is absolutely clear that they are needed
– Control externally provided project components: combining system components from multiple sources creates risk. Reduce risk by coordination and compatibility checking
– Unrealistic estimates: This is due to difficulty in accurate estimation of cost and time. Build a cost risk factor in the budget or designing the project within the budget
McFarlan’s Major Sources of Risk According to F.W. McFarlan, there are three
major categories of risk: people, structure, and technology– People risk: includes inadequate skills (technical and
managerial) inexperience in general, and inexperience in a specific area of technology
– Structural risk: includes the degree of change a new project will introduce into user areas and business procedures, the number of distinct groups the project must satisfy, and the number of other systems the new project must interact with
– Technological risk: involves using new or untried technology
Developing a Risk Management Plan
Questions a risk management plan should address:– Why is it important to take/ not take this risk in
relation to the project objectives?– What is the specific risk, and what are the risk
mitigation deliverables?– How is the risk going to be mitigated? What
approach?– Which individuals will be responsible for implementing
risk management plan?– When will the milestones associated with the
mitigation approach occur?– How much is required in terms of resources to
mitigate risk?
McFarlan’s Risk Questionnaire1. What is the project estimate in calendar (elapsed) time?
( ) 12 months or less Low = 1 point
( ) 13 months to 24 months Medium = 2 points
( ) Over 24 months High = 3 points
2. What is the estimated number of person days for the system?
( ) 12 to 375 Low = 1 point
( ) 375 to 1875 Medium = 2 points
( ) 1875 to 3750 Medium = 3 points
( ) Over 3750 High = 4 points
3. Number of departments involved (excluding IT)
( ) One Low = 1 point
( ) Two Medium = 2 points
( ) Three or more High = 3 points
4. Is additional hardware required for the project?
( ) None Low = 0 points
( ) Central processor type change Low = 1 point
( ) Peripheral/storage device changes Low = 1
( ) Terminals Med = 2
( ) Change of platform, for example High = 3
PCs replacing mainframes
Risk Management Plan
Risk management plan documents the procedures for managing risk throughout the project
It summarizes the results of the risk identification, quantitative analysis, qualitative analysis, response planning, and monitoring and control processes
It is important to define specific deliverables for the project related to risk, assign people to work on the deliverables, and evaluate milestones associated with the risk management approach
Risk Management Plan
Risk management plan includes:– Methodology of risk management: the approaches, tools and
data sources that twill be used– Roles and responsibilities: defines the lead, support, and risk
management team membership for each type of action– Budgeting: budget for risk management for the project– Timing: defines how often the risk management process will be
performed throughout the life cycle– Scoring and interpretation: appropriate (qualitative and/or
quantitative) methods used for risk analysis– Threshold: the criteria for risks that will be acted upon, by whom,
and in what manner– Reporting formats: content and format of the dissemination of
risk response plan to stakeholders– Tracking: documenting all facets of risk activities, benefiting
current project, identifying future needs, and lesson learned
Information Technology Success Factors
Success Criterion Points
User Involvement 19
Executive Management support 16
Clear Statement of Requirements 15
Proper Planning 11
Realistic Expectations 10
Smaller Project Milestones 9
Competent Staff 8
Ownership 6
Clear Visions and Objectives 3
Hard-Working, Focused Staff 3
Total 100
Risk IdentificationRisk identification is the process of determining which
risks might affect the project and documenting their characteristics
In addition to identifying risk according to the areas discussed before, risks can be identified according to the project management knowledge areas, such as scope, time,and cost
Risk identification tools include: brainstorming among group members, interviewing people, checklists of a set of questions, process diagrams
The main output of risk identification is a list of risk events, triggers or risk symptoms, and inputs to other systems (internal or external)
Potential Risk Conditions Associated With Knowledge Areas
Knowledge Area Risk Conditions
Integration Inadequate planning; poor resource allocation; poor integrationmanagement; lack of post-project review
Scope Poor definition of scope or work packages; incomplete definitionof quality requirements; inadequate scope control
Time Errors in estimating time or resource availability; poor allocationand management of float; early release of competitive products
Cost Estimating errors; inadequate productivity, cost, change, orcontingency control; poor maintenance, security, purchasing, etc.
Quality Poor attitude toward quality; substandarddesign/materials/workmanship; inadequate quality assuranceprogram
Human Resources Poor conflict management; poor project organization anddefinition of responsibilities; absence of leadership
Communications Carelessness in planning or communicating; lack of consultationwith key stakeholders
Risk Ignoring risk; unclear assignment of risk; poor insurancemanagement
Procurement Unenforceable conditions or contract clauses; adversarial relations
Risk Analysis
Risk analysis is the process of evaluating risks to assess the range of possible project outcomes
Risk probability is the likelihood that a risk will occurRisk consequence is the effect on project objectives if
the risk event occursRisks can be assessed qualitatively or quantitatively Qualitative risk analysis involves identifying the
probability of risk and consequences of risk in qualitative terms such as very high, high, moderate, low, or very low.
Quantitative risk analysis involves identifying the probability of risk and consequences of risk in quantitative terms
Qualitative Risk Analysis
Risk probability and risk consequence should be applied to specific risk events, not to the overall project
One technique of identifying qualitative risks is to create a probability/impact matrix, which assigns ratings for probability of risk and consequence of risks (impact) on risk events
Risks with high probability and high impact are likely to require further analysis, including quantification, and aggressive risk management
Many organizations rely on the intuitive feelings and past experience of experts to help identify potential project risks
Probability-Consequence Chart
Quantitative Risk AnalysisThe quantitative risk analysis process aims to analyze
numerically the probability of each risk and its consequences on project objectives, as well as the extent of overall project risk
It often follows from the qualitative risk analysisThe main techniques for quantitative risk analysis are:
decision tree and Monte Carlo simulation– Decision tree is a diagramming method used to help select the
best course of action in situations in which future outcomes are uncertain. A common application involves calculating expected monetary value (EMV)
– Monte Carlo analysis simulates a model’s outcome many times to provide a statistical distribution of the calculated results. A simulation may determine a project’s scope and cost goals at 10%, 50%, or 90% probability
Expected Monetary Value (EMV) Example
Risk Response PlanningRisk response planning is the process of developing
options and determining actions to reduce risk It includes the identification and assignment of
individuals or parties to take responsibility for each agreed risk response
Important tools for risk response are:– Risk avoidance: eliminating a specific threat or risk, usually by
eliminating its causes– Risk acceptance: accepting the consequences should a risk
occur– Risk transference: shift the responsibility and consequence of
risk to a third party– Risk mitigation: reducing the impact of a risk event by reducing
the probability of its occurrence
General Risk Mitigation Strategies for Technical, Cost, and Schedule Risks
Technical Risks Cost Risks Schedule Risks
Emphasize team supportand avoid stand aloneproject structure
Increase the frequency ofproject monitoring
Increase the frequency ofproject monitoring
Increase project managerauthority
Use WBS and PERT/CPM Use WBS and PERT/CPM
Improve problem handlingand communication
Improve communication,project goals understandingand team support
Select the most experiencedproject manager
Increase the frequency ofproject monitoring
Increase project managerauthority
Use WBS and PERT/CPM
Outputs of Risk Response Planning
The major outputs of risk response planning are: risk
response plan, contingency plan, and contingency
reserve
A risk management plan documents the procedures for
managing risk throughout the project
Contingency plans are predefined actions that the
project team will take if an identified risk event occurs
Contingency reserves are provisions held by the project
sponsor for possible changes in project scope or quality
that can be used to mitigate cost and/or schedule risk
Risk Monitoring and ControlRisk monitoring and control involves executing the risk
management processes and the risk management plan to respond to risk events
A previously identified risk may not materialize or a new risk event might arise. Newly identified risks need to go through the same process as those identified previously
Carrying out individual risk management plans involves monitoring risks on the basis of milestones and making decisions regarding risks and mitigation strategies
It may be necessary to alter a mitigation strategy if it is ineffective, implement a planed contingency activity, or eliminate a risk form the list when it no longer exists
Sometimes unplanned responses to risk events are needed when there are no contingency plans
Top 10 Risk Item Tracking
Top 10 risk item tracking is a tool for maintaining an awareness of risk throughout the life of a project
Establish a periodic review of the top 10 project risk items
List the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item
Example of Top 10 Risk Item Tracking
Monthly Ranking
Risk Item This
Month
Last
Month
Numberof Months
Risk ResolutionProgress
Inadequateplanning
1 2 4 Working on revising theentire project plan
Poor definitionof scope
2 3 3 Holding meetings withproject customer andsponsor to clarify scope
Absence ofleadership
3 1 2 Just assigned a newproject manager to leadthe project after old onequit
Poor costestimates
4 4 3 Revising cost estimates
Poor timeestimates
5 5 3 Revising scheduleestimates
Using Software to Assist in Project Risk Management
Databases can keep track of risks. Example: Visual SourceSafe for software version control
Spreadsheets can aid in tracking and quantifying risks
More sophisticated risk management software helps develop models and uses simulation to analyze and respond to various project risks
Sample Monte Carlo Simulation Results for Project Schedule
Sample Monte Carlo Simulations Results for Project Costs
Results of Good Project Risk Management
Unlike crisis management, good project risk management often goes unnoticed
Resolving a crisis receives a much greater visibility, often accompanied by rewards
Well-run projects appear to be almost effortless, but a lot of work goes into running a project well
Project managers should strive to make their jobs look easy to reflect the results of well-run projects
