# Risk Assessment. Goal: being able to prioritize risks according to their impact and likelihood on the project. Making explicit the information necessary.


Risk Assessment

Goal: being able to prioritize risks according to their impact and likelihood on the project. Making explicit the information necessary to define the risk management strategies (risk management planning).

Techniques

Two techniques:

- Qualitative risk analysis
  - Simpler
  - Can be used when no precise information about the probabilities of risks is available
- Quantitative risk analysis
  - More systematic
  - Suitable for mathematical analysis
  - Provides figures on the (economic) impact of risks

Qualitative Risk Analysis

A three-step process:

1. Define probability, impact, and score
2. Organize risk
3. Highlight significant risks

Qualitative Risk Assessment

Define classes of probabilities and classes of impact. Example:

- Probability: very low, low, moderate, high, very high
- Impact: negligible, low, moderate, severe, catastrophic
- Risk Score: low, medium, high

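Qualitative Risk Assessment

… or numeric: Risk Score = P x I

| Probability | 0.1–0.9 scale | 1–5 scale |
|---|---|---|
| Very Low | 0.1 | 1 |
| Low | 0.3 | 2 |
| Moderate | 0.5 | 3 |
| High | 0.7 | 4 |
| Very High | 0.9 | 5 |

| Impact | 0.1–0.9 scale | 1–5 scale |
|---|---|---|
| Negligible | 0.1 | 1 |
| Low | 0.3 | 2 |
| Moderate | 0.5 | 3 |
| Severe | 0.7 | 4 |
| Catastrophic | 0.9 | 5 |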

Risk analysis (i)

Risk analysis (ii)

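Risk Matrix

Columns (impact): Negligible, Low, Moderate, Severe, Catastrophic. Rows (probability), with the risks placed in each row:

- Very High: R1; R5
- High: R2; R6, R7, R8
- Moderate: R3
- Low: R4
- Very Low: R9, R10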


Socially constructed risk

Two problems with qualitative risk:

- People will believe some things are risks, even when the statistics indicate they aren't (and vice versa). We are "risk illiterate".
- Who says what the probabilities are? How do we calculate the risk exposures objectively?

Socially Constructed Risk

- When seeking to put people's minds at rest, qualitative risk assessment may not be enough
- When assessing risk "objectively", we are in fact using subjective judgements
- … People are emotional! (and fortunately so)

Some examples of real risks

Did you know:

- you should be more frightened of taking a bath than of walking down a dark alleyway
- you should be more wary of yourself than of flying in a plane

Chances are your death will be by:

- being shot by a stranger: 1 in 22,500
- drowning in the bath: 1 in 17,500
- plane crash: 1 in 800,000
- car accident: 1 in 300
- suicide: 1 in 160
- accidental fall: 1 in 150
- cancer: 1 in 4

Quantitative Risk Analysis

Similar to qualitative:

- Define probability and impact (in a sense: which depends on the techniques; how depends on the domain)
- Use techniques to numerically assess risks and to visualize data
- Highlight significant risks

Quantitative Risk Assessment

- Approach: expected monetary value (EMV) analysis. It computes the expected monetary outcome (according to different statistical criteria) of a decision/risk.
  - Technique: decision tree analysis. A technique that helps solve the EMV analysis.
- Approach: modeling. Provide a model of the project.
  - Technique: sensitivity analysis. Helps determine which risks have the most impact by examining one variable at a time (tornado diagrams).
  - Technique: simulation (Monte Carlo technique).

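Decision Theory

| | S1 | S2 | S3 | S4 | S5 |
|---|---|---|---|---|---|
| D1 | C11 | C12 | C13 | C14 | C15 |
| D2 | C21 | … | | | |
| D3 | C31 | | | | |
| D4 | | | | | |
| D5 | | | | | C55 |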

Decision Theory

- Si: states of the system
- Dj: decisions (risks)
- Cij: cost associated to Dj in Si

Decision Theory

Choose the cost of a decision according to different strategies:

- Minimax: take the decision which has the maximum minimum gain associated to D
- Average: take the decision which has the maximum average gain associated
- Max: take the decision which has the maximum gain associated

… who's optimistic, who's pessimistic?

EMV

Decision D has probability $p_j$ of generating gain $g_j$ ($j = 1..N$, $\sum_j p_j = 1$).

Expected Monetary Value associated to D is

$$\mathrm{EMV}(D) = \sum_{j} p_j \, g_j$$

Take the decision with maximum EMV.
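The selection strategies from the Decision Theory slide and the EMV rule, applied to one gain matrix to show that they can pick different decisions. This is an added example, not part of the original presentation; the gains and state probabilities are constructed for illustration.

```python
# Added example: gains and probabilities below are constructed, not from the slides.
# Rows are decisions, columns are system states S1..S3, entries are gains.
GAINS = {
    "D1": [20, 30, 40],     # safe option: small gain in every state
    "D2": [-50, 60, 150],   # risky option: a loss in S1, large gain in S3
    "D3": [0, 20, 120],     # middle option
}
PROBS = [0.5, 0.3, 0.2]     # assumed probability of S1, S2, S3


def emv(row, probs):
    """Expected monetary value: sum of p_j * g_j over all states."""
    if len(row) != len(probs) or abs(sum(probs) - 1.0) > 1e-9:
        raise ValueError("need one probability per state, summing to 1")
    return sum(p * g for p, g in zip(probs, row))


def choose(gains, score):
    """Return the decision whose row of gains maximises score(row)."""
    return max(gains, key=lambda d: score(gains[d]))


def compare(gains=GAINS, probs=PROBS):
    """Apply each selection strategy to the same gain matrix."""
    return {
        "max_of_min": choose(gains, min),                      # pessimist
        "average": choose(gains, lambda r: sum(r) / len(r)),
        "max": choose(gains, max),                             # optimist
        "emv": choose(gains, lambda r: emv(r, probs)),
    }


if __name__ == "__main__":
    for strategy, decision in compare().items():
        print(f"{strategy:>10}: {decision}")
```

The pessimist picks D1, the average and the optimist pick D2, and EMV picks D3, because only EMV weighs each state by how likely it is.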

Decision Trees

- A way of computing EMV
- It graphically represents all the possible outcomes in a tree
- Costs are associated to leaves (and propagate to nodes)
- Probabilities are associated to labels
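How leaf values propagate to the nodes of a decision tree, as an added example that is not part of the original presentation. The tree (prototype first or build directly) and all figures are constructed; chance nodes take the probability-weighted sum of their branches and decision nodes take their best option.

```python
import math

# Added example: the tree and all figures (gains in thousands) are constructed.
# Node shapes: ("leaf", value), ("chance", [(prob, child), ...]),
#              ("decision", {option_name: child, ...})
TREE = ("decision", {
    "prototype": ("chance", [(0.9, ("leaf", 170)), (0.1, ("leaf", -30))]),
    "build directly": ("chance", [
        (0.6, ("leaf", 200)),
        (0.4, ("decision", {
            "rework": ("chance", [(0.5, ("leaf", 100)), (0.5, ("leaf", -150))]),
            "abandon": ("leaf", -60),
        })),
    ]),
})


def rollback(node):
    """Propagate leaf values to the root; return (value, best option or None)."""
    kind, body = node
    if kind == "leaf":
        return body, None
    if kind == "chance":
        if not math.isclose(sum(p for p, _ in body), 1.0):
            raise ValueError("branch probabilities must sum to 1")
        return sum(p * rollback(child)[0] for p, child in body), None
    if kind == "decision":
        best = max(body, key=lambda name: rollback(body[name])[0])
        return rollback(body[best])[0], best
    raise ValueError(f"unknown node kind: {kind}")


if __name__ == "__main__":
    value, option = rollback(TREE)
    print(f"choose '{option}', EMV = {value:.1f}")
```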

Event Trees “Software Risk Management: Principles and Practices” [Boehm IEEE Software 1991]

Modeling

- Define a model for the decision/project (some formula describing how inputs are transformed into outputs)
- "Play" with the formula to understand the main factors (sensitivity analysis) or to get a global value

Developing a tornado diagram

[Figure: tornado diagram. Horizontal axis: NPV (Primary Criterion). Bars: Engineering Budget, Investment, Material Cost, Labor Cost, Market Size, Market Share. Callouts: base value \$100; one variable at a time; length of bar indicates impact on NPV; uncertainties are sorted in descending order of impact on NPV.]

Monte Carlo Simulation

Automatically varies input variables (according to their statistical distribution) to get a probability distribution of the outputs.
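The modeling, tornado-diagram and Monte Carlo slides above, worked through on one small model as an added example (not part of the original presentation). Variable names follow the tornado slide; the profit formula, the low/base/high ranges and the triangular distributions are assumptions made for illustration.

```python
import random

# Added example: variable names follow the tornado slide; the (low, base, high)
# ranges and the profit formula are assumptions made for illustration.
INPUTS = {
    "market_size": (80_000, 100_000, 120_000),   # units per year
    "market_share": (0.06, 0.10, 0.15),
    "material_cost": (35.0, 40.0, 50.0),         # per unit
    "labor_cost": (15.0, 20.0, 28.0),            # per unit
    "investment": (260_000, 300_000, 380_000),
}
PRICE = 100.0  # assumed unit price


def profit(v):
    """The model: how inputs are transformed into the output."""
    units = v["market_size"] * v["market_share"]
    return units * (PRICE - v["material_cost"] - v["labor_cost"]) - v["investment"]


def tornado(inputs=INPUTS):
    """Swing one input from low to high with the others at base; widest bar first."""
    base = {name: b for name, (_, b, _) in inputs.items()}
    bars = []
    for name, (lo, _, hi) in inputs.items():
        outs = [profit({**base, name: x}) for x in (lo, hi)]
        bars.append((name, min(outs), max(outs)))
    return sorted(bars, key=lambda bar: bar[2] - bar[1], reverse=True)


def monte_carlo(n=20_000, seed=1, inputs=INPUTS):
    """Sample every input from a triangular distribution; summarise the output."""
    rng = random.Random(seed)
    runs = sorted(
        profit({k: rng.triangular(lo, hi, mode) for k, (lo, mode, hi) in inputs.items()})
        for _ in range(n)
    )
    return {
        "mean": sum(runs) / n,
        "p10": runs[n // 10],
        "p90": runs[9 * n // 10],
        "p_loss": sum(r < 0 for r in runs) / n,
    }

if __name__ == "__main__":
    for name, low, high in tornado():
        print(f"{name:>14}: {low:>10,.0f} .. {high:>10,.0f}")
    print(monte_carlo())
```

With these constructed ranges the base-case profit is 100,000 while the simulated mean is about 72,000, because the ranges are not symmetric around the base values; a single-point estimate hides that.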

Quantitative Risk Assessment: Outputs

- Probabilistic analysis of the project: estimates of the possible schedule and cost overruns with their probabilities
- Prioritized list of quantified risks: risks that pose the greatest threat or the greatest opportunity to the project
- Trends (by repeating the process, trends may emerge)

Risk Response Planning

- Goal: define the strategies for taking care of/exploiting risks

Strategies: Threats

- Avoid
  - Change the plan to eliminate the threat (increase time, relax objectives, take corrective actions - increase time to do requirements)
- Transfer
  - Shift the negative outcome to a third party. It transfers responsibility, it does not eliminate the risk (insurance, contracts to transfer liability… they require you to pay a price)
- Mitigate
  - Reduce probability or impact (often better than trying to repair the damage; prototyping)

Strategies: Opportunities

- Exploit
  - Eliminate uncertainty related to the occurrence of the opportunity (e.g. assign more talented people, provide better quality)
- Share
  - Allocate responsibility of exploitation to a third party (joint-ventures, partnerships, …)
- Enhance
  - Modify the size of an opportunity by increasing probability and/or positive impact

Strategy for both Threats and Opportunities

- Acceptance
  - Difficult to deal with all the risks
  - May be:
    - Passive: just let the team deal with them
    - Active: provide some buffer (time, money, …)
- Contingent Response Planning
  - Prepare a plan to implement if the risk occurs

Risk management strategies (i)

Risk management strategies (ii)

Risk Response Planning: Outputs

- Strategies for dealing with the risks
- Triggers (elements used to monitor and understand whether a risk has occurred)
- People responsible for monitoring the risk
- People responsible for applying contingency plans

Risk Monitoring and Control

Process:

- Analyse deviations
- Identify causes
- Evaluate corrective actions
- Modify current plan

Mind:

- Planned risks dealt with as above
- Unplanned risks require the full process!

Risk Management: Conclusions

Risk Management Process

Risk homeostasis

- People accept a certain degree of risk, regardless of what you do to reduce it
- Today, life is "safer" than ever before, but mortality rates remain static (Gerald Wilde, cited in Bryson, 1997)
- Cars with ABS (anti-lock braking systems) no longer attract insurance discounts because their drivers drive more recklessly/carelessly
- As we take measures to make our projects more predictable and safer, we can expect people to ask us to undertake more risky work

It’s amazing – how many “intelligent” people take this approach to understanding uncertainty/risk Winners in the business world need to Manage uncertainty/risk © JohnPalmer@DecisionEd.c

Risk management Principles

- Global perspective: Viewing software development within the context of the larger systems-level definition, design, and development. Recognizing both the potential value of opportunity and the potential impact of adverse effects.
- Forward-looking view: Thinking toward tomorrow, identifying uncertainties, anticipating potential outcomes. Managing project resources and activities while anticipating uncertainties.
- Open communication: Encouraging free-flowing information at and between all project levels. Enabling formal, informal, and impromptu communication. Using processes that value the individual voice (bringing unique knowledge and insight to identifying and managing risk).
- Integrated management: Making risk management an integral and vital part of project management. Adapting risk management methods and tools to a project's infrastructure and culture.
- Continuous process: Sustaining constant vigilance. Identifying and managing risks routinely through all phases of the project's life cycle.
- Shared product vision: Mutual product vision based on common purpose, shared ownership, and collective communication. Focusing on results.
- Teamwork: Working cooperatively to achieve common goal. Pooling talents, skills, and knowledge.

Most Common Errors

- Do not identify a maximum risk value
  - Give up a project if too risky
- Do not write a balanced risk management plan
  - Not too big, not too simplistic
- Misinterpret effects as causes
  - Being late with the project
  - We may be charged 100.000 euros as a penalty
- Do not apply contingency plans
  - Dealing with risks when they occur is more error-prone than thinking about the strategies before they occur

Most Common Errors

- Do not involve actors
  - Make sure stakeholders understand the consequences of the risk (share the risk); involve stakeholders in dealing with them
- Do not update the plan
  - Helps keep the contingency plans really applicable

Exercise

- Write the risk management plan for the digital-divide project
- Write the risk management plan for the e-procurement project
