Managing Project Risk

Project Risk

• “…an uncertain event or condition that, if it occurs, has a positive or a negative effect on a project objective.”

Information Systems Associated Risks

• Technology and project management related– Positive

• Availability of new project management tools

– Negative• Rate of change in technologies

– Upgrades and new releases

• Assumptions computer-generated output is always correct

• Formation of teams

Risk & Project Life Cycle

• Initiation stage– Identification and selection of specific projects

• Inside or outside of organization’s core competencies

• Planning stage– Procurement

• Unreliability of new technology delivery timeframe

• Development of accurate project schedule

• Execution stage– Missed scheduled delivery date

– Technology upgrades

• Control stage– Implementation of risk plan

– Modification of project schedule

• Closing stage– Acceptance of project as finished

Risk & Project Life Cycle (cont.)

Project Risk Examples

• New or different project management methodologies

• Different: – Cultures

– Organization structures

– Human resources

General Categories of Project Risk

• Ongoing changes to technology/materials

• Finding, assigning, and retaining skilled personnel

• Gaining user acceptance

• Choosing the correct development methodology

• Choosing correct manufacturing tools/materials

Outsourcing / Offshoring• Positives:– Expanded skill set availability

– Cheaper labor

– Reduced requirements for non-core competencies

• Negatives:– Internal resistance

• Possible solutions to reduce risk:

– Ensure strong upper management support– Select the right personnel– Involve managers early in the outsourcing process– Educate and reassure internal employees

• Negatives (cont.):– Increased security and privacy concerns

• Possible solutions to reduce risk:

– Increase physical security measures– Use software event logging and monitoring tools– Intrusion detection systems and firewalls– Encryption hardware/software

Outsourcing / Offshoring (cont.)

Top Five Project Risks

• Lack of top management commitment to the project

• Failure to gain user commitment/acceptance

• Misunderstanding the requirements

• Lack of adequate user/consumer involvement

• Failure to manage end user expectations

Risk Management Planning

• A systematic approach to planning the risk management activities of a given project

Risk Management Planning – Inputs

• Enterprise environmental factors– Attitudes toward risk and risk tolerance

• Organizational process assets– Processes in place to handle risk

• Project scope statement– Defining the project

• Project management plan– Project summary document

Risk Management Planning – Tools & Techniques

• Risk planning meetings– Senior managers, project team leaders, stakeholders,

project members with decision-making responsibilities

– Development of specific risk management plans

– Inclusion of risk-related items in budget and schedule

– Creation of risk management templates

Risk Management Planning – Outputs• Risk Management Plan– Methodology or approach to risk management

– Roles and responsibilities of project members

– Risk management budget

– Integration of risk management activities into project life cycle

– Scoring and interpretation of risk analysis

– Risk thresholds

– Reporting formats

– Tracking

Risk Identification

• The process of identifying potential risks to a project and documenting them

Risk Identification – Inputs

• Enterprise environmental factors

• Organizational process assets

• Project scope statement

• Project management plan

• Risk management plan

Risk Categories

• Defined in a Risk Register– A formal recording of all project risks, explaining the

nature of the risk and management of the risk

Risks

Risk Identification – Tools & Techniques

• Documentation reviews– The review of organizational information to aid during risk

identification• May include:

– Project profiles (previous project information and related lessons learned)

– Published information» Articles/studies/benchmarking information

Risk Identification – Tools & Techniques (cont.)

• Information gathering techniques– Brainstorming

– Delphi technique

– Interviewing

– Strengths, weaknesses, opportunities, and threats (SWOT)

– Checklists

Risk Identification – Tools & Techniques (cont.)

– Diagramming techniques• Cause and effect (Fishbone)

• System or process flowcharts

• Influence diagrams

Risk Identification – Output

Qualitative Risk Analysis

• Establishment of probabilities regarding both the impact and likelihood of specific risk occurrences

Qualitative Risk Analysis – Inputs

• Organizational process assets

• Project scope statement

• Risk management plan

• Risk register

Qualitative Risk Analysis – Tools & Techniques

• Risk probability and impact assessment

• Probability/impact risk rating matrix

• Risk data quality assessment

• Risk categorization

• Risk urgency assessment

Probability/Impact Risk Rating Matrix

• A technique used to analyze project risk in terms of its probability of occurrence and its impact on project outcomes

Risk Data Quality Assessment

• Assessment of the quality of the data used to assess risk

• May include:• Extent to which a risk is understood

• Available risk data

• Data quality

• Data integrity and reliability

Qualitative Risk Analysis – Outputs

• Updated risk register

Quantitative Risk Analysis

• Analysis of the probability of occurrence and impact of risk on project objectives using numerical techniques

Quantitative Risk Analysis – Inputs

• Organization process assets

• Project scope statement

• Risk management plan

• Risk register

• Project management plan

Quantitative Risk Analysis – Tools & Techniques

• Data gathering through interviewing

• Quantitative procedures– Sensitivity analysis

• Technique used to examine the potential impact of specific risks to a project (Tornado analysis)

– Decision tree analysis• Diagramming technique used to evaluate courses of action in terms

of their potential cost and benefits relative to other courses of action

– Expected monetary value analysis (EMV)• Statistical technique which captures the average value of potential

projects by analyzing the likelihood of possible project outcomes as well as each outcome’s financial consequences

– Simulation• Statistical technique where what-if analyzes are run to determine

the impact of a given situation on a project objective (Monte Carlo)

Quantitative Risk Analysis – Tools & Techniques (cont.)

Tornado Analysis

Expected Monetary Value + Decision Tree Analysis

Quantitative Risk Analysis – Outputs

• Updated risk register

Risk Response Planning

• The process of developing methods for responding to project risks

Risk Response Planning – Inputs

• Risk management plan

• Risk register

Risk Response Planning – Tools & Techniques

• Avoidance– Identified risks are avoided through a different course of

action

• Transference– Transfer of risk to another party through the use of

contracts

• Mitigation– Steps are taken to reduce the occurrence or impact of stated

risks

• Acceptance– Risks are accepted and contingency strategies are planned

Risk Response Planning – Outputs

• Updates to:– Risk register

– Project management plan

– Risk-related contractual agreements

Risk Response Plan Contents(Project Management Institute)

• Any risks that have been identified along with a description and the areas and objectives the identified risk may affect

• The roles and responsibilities of any risk owners

• Qualitative and quantitative risk analysis results as well as any trends identified during either of these processes

• A description of the risk response strategies including avoidance, transference, mitigation, and acceptance, and the risk that the strategies will be applied to

• An acknowledgement of any residual risk projected to remain after any risk response strategies have been applied

• A list of actions to be used to implement the risk response strategies

• Budget and schedule information in terms of risk response

• Any contingency plans used as part of an active response to accept risks

Additional Risk Terms

• Residual risks– Any risks remaining after risk response strategies have

been applied

• Secondary risks– Any risks resulting from the application of a risk response

strategy

• Contractual agreements– Any contracts for the purpose of risk transference during

the project

Risk Monitoring & Control

• The process of monitoring identified risks for change and controlling those changes

Questions?