Presentation on theme: "Information Technology Project Management – Third Edition"— Presentation transcript:
1 Information Technology Project Management – Third Edition
By Jack T. Marchewka, Northern Illinois University
Copyright 2009 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.
3 Managing Project Risk
- The baseline project plan is based on a number of estimates and assumptions
- Estimation implies uncertainty so managing the uncertainty is crucial to project success
- Project risk management is an important sub-discipline of software engineering
  - Focuses on identifying, analyzing and developing strategies for responding to project risk efficiently and effectively
  - The goal is to make well informed decisions as to what risks are worth taking and to respond to those risks in an appropriate manner
  - Provides an early warning system for impending problems that need to be addressed or resolved
4 Common Mistakes in Managing Project Risk
- By not following a formal risk management approach, many projects end up in a perpetual crisis mode (firefighting) – reacting rather than being proactive
  - Inability to make effective and timely decisions
- Not understanding the benefits of risk management
  - Client wants results, not interested in how achieved. Managers take aggressive risks or may optimistically ignore risks which turn into threats to the project’s success
- Not providing adequate time for risk management
  - Should not be treated as an add-on but integrated throughout the project life cycle
  - Assess and plan for project risk in the earliest stages of the project
5 Common Mistakes in Managing Project Risk
- Not identifying and assessing risk using a standardized approach
  - Can overlook both threats and opportunities
  - Time and resources expended on problems that could have been avoided, opportunities will be missed
  - Decisions will be made without complete understanding or information
6 Effective & Successful Risk Management Requires
- Commitment by all stakeholders
  - Otherwise, the process will be sidestepped the moment a crisis arises and the project is in trouble
- Stakeholder responsibility
  - Each risk must have an owner who will take responsibility for monitoring the project in order to identify any new or increasing risks and report them to the project sponsor
- Different risks for different types of projects
  - You can not manage all projects and risks the same way, this can lead to disaster
7 Definitions
- Risk
  - An uncertain event or condition that, if it occurs, has a positive or negative effect on the project objectives.
- Project Risk Management (PMBOK®)
  - Includes the processes concerned with conducting risk management planning, identification, analysis, responses, and monitoring and control of a project; most of these processes are updated throughout the project. The objectives of project risk management are to increase the probability and impact of positive events and decrease the probability and impact of events adverse to the project.
8 PMBOK® Risk Management Processes
- Risk management planning
  - Determining how to approach and plan the project risk management activities. An output of this process is the development of a risk management plan.
- Risk identification
  - Deciding which risks can impact the project. Risk identification generally includes many of the project stakeholders and requires an understanding of the project’s goal, as well as the project’s scope, schedule, budget, and quality objectives.
- Qualitative risk analysis
  - Focusing on a qualitative analysis concerning the impact and likelihood of the risks that were identified.
- Quantitative risk analysis
  - Using a quantitative approach for developing a probabilistic model for understanding and responding to the risks identified.
- Risk response planning
  - Developing procedures and techniques to reduce the threats of risks, while enhancing the likelihood of opportunities.
- Risk monitoring and control
  - Providing an early warning system to monitor identified risks and any new risks. This system ensures that risk responses have been implemented as planned and had the effect as intended.
10 Risk Planning
- Requires firm commitment by all stakeholders to a RM approach
  - Assures adequate resources are in place to plan properly for and manage the various risks of the IT project
  - Stakeholders also must be committed to the process
- Focuses on preparation
  - Systematic preparation and planning can help minimize adverse effects on the project while taking advantage of opportunities as they arise
11 Risk Identification
- Once commitment has been obtained and preparations have been made, the next step entails identifying the various risks to the project.
- Both threats and opportunities must be identified.
- They must be identified clearly so that the true problem, not just a symptom, is addressed.
- Causes and effects of each risk must be understood so that effective strategies and responses can be made.
- Project risks are rarely isolated, they tend to be interrelated and affect the project and its stakeholders differently.
12 Risk Assessment
- Once the project risks have been identified and their causes and effects understood, the next step requires that we analyze these risks.
- Answers to two basic questions are required:
  - What is the likelihood of a particular risk occurring?
  - What is the impact on the project if it does occur?
- Assessing these risks helps the project manager and other stakeholders prioritize and formulate responses to those risks that provide the greatest threat or opportunity to the project.
- Because there is a cost associated with responding to a particular risk, risk management must function within the constraints of the project’s available resources.
13 Risk Strategies
- The next step of the risk planning process is to determine how to deal with the various project risks.
- In addition to resource constraints, an appropriate strategy will be determined by the project stakeholders’ perceptions of risk and their willingness to take on a particular risk.
- Essentially, a project risk strategy will focus on one of the following approaches:
  - Accept or ignore the risk.
  - Avoid the risk completely.
  - Reduce the likelihood or impact of the risk (or both) if the risk occurs.
  - Transfer the risk to someone else (i.e., insurance).
14 Risk Strategies
- In addition, triggers or flags in the form of metrics should be identified to draw attention to a particular risk when it occurs.
- This system requires that each risk have an owner to monitor the risk and to ensure that resources are made available in order to respond to the risk appropriately.
- Once the risks, the risk triggers, and strategies or responses are documented, this document then becomes the risk response plan.
15 Risk Monitoring & Control
- Once the salient project risks have been identified and appropriate responses formulated, the next step entails scanning the project environment so that both identified and unidentified threats and opportunities can be followed, much like a radar screen follows ships.
- Risk owners should monitor the various risk triggers so that well informed decisions and appropriate actions can take place.
- Risk Response
  - Provides a mechanism for scanning the project environment for risks, but the risk owner must commit resources and take action once a risk threat or opportunity is made known. This action normally follows the planned risk strategy
16 Risk Evaluation
- Responses to risks and the experience gained provide keys to learning.
- A formal and documented evaluation of a risk episode provides the basis for lessons learned and lays the foundation for identifying best practices.
- This evaluation should consider the entire risk management process from planning through evaluation.
- It should focus on the following questions:
  - How did we do?
  - What can we do better next time?
  - What lessons did we learn?
  - What best practices can be incorporated in the risk management process?
- The risk planning process is cyclical because the evaluation of the risk responses and the risk planning process can influence how an organization will plan, prepare, and commit to IT risk management.
18 IT Project Risk Identification Framework
- At the core of the framework is the MOV
- Next layer includes the project objectives – scope, budget, schedule and quality. They play a critical role in supporting the MOV
- The third layer focuses on the sources of IT project risk
- The next layer focuses on whether the risks are internal or external
  - If a team member is not properly trained to use a technology, the risk can be mitigated or avoided by additional training or assigning the task to a more experienced team member
  - A PM may not be accountable for project cancellation if the project sponsor went bankrupt
  - A poorly performing external vendor is still the responsibility of the PM if s/he chose that vendor
19 IT Project Risk Identification Framework
- The fifth layer includes known risks, known-unknown risks and unknown-unknown risks
  - Known: events that are going to occur
  - Known-unknown: identifiable uncertainty
    - You pay an electricity bill each month, but the amount changes based on usage
  - Unknown-unknown: known only after they occur
20 IT Project Risk Identification Framework
- The final layer shows that though risk management is critical at the start of a project, vigilance for opportunities and problems is required throughout the entire project life cycle
21 Applying the IT Project Risk Identification Framework
- The framework can be used to understand a risk after it occurs
- Vendor is hired to develop a BI system, client is sued and has to cut back on project. Due to importance of project, break it into two phases (basic and bells-and-whistles).
  - Threat occurred in Develop Project Charter and Project Plan Phase
  - Unknown-unknown risk
  - External risk, PM and project team not responsible
  - Sources of risk – environment (economic), organizational (client) and people (if management is to blame)
  - Impact on scope, budget and schedule
  - MOV changes due to phased approach
22 Applying the IT Project Risk Identification Framework
- The framework can be used to proactively identify IT risks
- Start from the outer core of the framework, analyzing the WBS and work packages to identify risks for each work package under the various project phases
  - Categorize known/unknown types
  - Categorize external/internal
  - Identify sources of risk (may be inter-related)
  - Assess how a particular risk will impact the project objectives and in turn the MOV
- See paper on website “Performing a Project Premortem”
- Can also be used going from inner core and working out
23 Risk Identification Tools & Techniques
- Learning Cycles
  - Identify facts (what is known), assumptions (what they think they know) and research (things to find out) to identify various risks
- Brainstorming
  - Use IT risk framework and the WBS to identify risks
- Nominal Group Technique
  - Structured technique for identifying risks that attempts to balance and increase participation
  - Ideas discussed, prioritized, priorities discussed, prioritized again and summarized
- Delphi Technique
  - Group of experts assembled to identify potential risks and their impact on the project
24 Risk Identification Tools & Techniques
- Interviews
  - Gain alternative opinions from stakeholders about risks
- Checklists
  - Structured tool for identifying risks that have occurred in the past
  - Be aware of things not on the list
- SWOT Analysis
  - Strengths, weaknesses, opportunities and threats
  - Identify threats and opportunities as well as their nature in terms of the project or organizational strengths and weaknesses
- Cause & Effect (a.k.a. Fishbone/Ishikawa)
  - Can be used for understanding the causes and factors of a particular risk as well as its effects
- Past Projects
  - Lessons learned from earlier projects
25 Nominal Group Technique (NGT)
1. Each individual silently writes their ideas on a piece of paper
2. Each idea is then written on a board or flip chart one at a time in a round-robin fashion until each individual has listed all of his or her ideas
3. The group then discusses and clarifies each of the ideas
4. Each individual then silently ranks and prioritizes the ideas
5. The group then discusses the rankings and priorities
6. Each individual ranks and prioritizes the ideas again
7. The rankings and prioritizations are then summarized for the group
26 Risk Check List
- Funding for the project has been secured
- Funding for the project is sufficient
- Funding for the project has been approved by senior management
- The project team has the requisite skills to complete the project
- The project has adequate manpower to complete the project
- The project charter and project plan have been approved by senior management or the project sponsor
- The project’s goal is realistic and achievable
- The project’s schedule is realistic and achievable
- The project’s scope has been clearly defined
- Processes for scope changes have been clearly defined
28 Risk Analysis & Assessment
- Risk = f(Probability * Impact)
- Risk analysis – determine each identified risk’s probability and impact on the project
- Risk assessment – focuses on prioritizing risks so that an effective strategy can be formulated for those risks that require a response.
  - Can’t respond to all risks!
  - Depends on Stakeholder risk tolerances
29 Risk Analysis & Assessment Qualitative Approaches
- Expected Value & Payoff Tables
  - Determine return or profit the project will return
- Decision Trees
  - Graphical view of various decisions and outcomes
- Risk Impact Table & Ranking
  - Analyze and prioritize various IT project risks
- Tusler’s Risk Classification
30 Expected Value & Payoff Tables
- Expected value is an average, taking into account the probability and impact of various outcomes
- Expected return on the project

| Schedule Risk | A: Probability | B: Payoff (in thousands) | A*B: Prob * Payoff |
|---|---|---|---|
| Project completed 20 days early | 5% | $ 200 | $10 |
| Project completed 10 days early | 20% | $ 150 | $30 |
| Project completed on Schedule | 50% | $ 100 | $50 |
| Project completed 10 days late | | $ - | $0 |
| Project completed 20 days late | | $ (50) | ($3) |
| The Expected Value | 100% | | $88 |
31 Decision Trees
[Figure: decision tree. Recoverable labels: "$10,000 + .05 * $2,000"; "Least cost but small probability of success"]
32 Risk Impact Table

| Risk (Threats) | Probability (0 - 100%) | Impact (0-10) | Score (P*I) |
|---|---|---|---|
| Key project team member leaves project | 40% | 4 | 1.6 |
| Client unable to define scope and requirements | 50% | 6 | 3.0 |
| Client experiences financial problems | 10% | 9 | 0.9 |
| Response time not acceptable to users/client | 80% | | 4.8 |
| Technology does not integrate with existing application | 60% | 7 | 4.2 |
| Functional manager deflects resources away from project | 20% | 3 | 0.6 |
| Client unable to obtain licensing agreements | 5% | | 0.4 |
33 Risk Rankings

| Risk (Threats) | Ranking |
|---|---|
| Response time not acceptable to users/client | 1 |
| Technology does not integrate with existing application | 2 |
| Client unable to define scope and requirements | 3 |
| Key project team member leaves project | 4 |
| Client experiences financial problems | 5 |
| Functional manager deflects resources away from project | 6 |
| Client unable to obtain licensing agreements | 7 |
34 Risk Analysis & Assessment Qualitative Approaches
- Tusler’s Risk Classification
  - Risk scores can be further analyzed using the following quadrants
  - Kittens – low probability of occurring and low impact. Don’t spend much time or resources on them whether positive or negative
  - Puppies – low impact but high probability of occurring. Must be watched so corrective action can be taken before they get out of hand
  - Tigers – high impact and high probability. Deal with them tout de suite.
  - Alligators – low probability but high impact if they get loose. Make sure you know where they are
35 Tusler’s Risk Identification Scheme
[Figure: Tusler’s Risk Classification quadrants. Recoverable labels: "Can be troublesome"; "Must be neutralized"; "Low prob/low impact"; "Not a problem (if you know where they are)"]
36 Risk Analysis & Assessment Quantitative Approaches
- Quantitative Probability Distributions
  - Discrete
    - Binomial
  - Continuous
    - Normal
    - PERT
    - TRIANG
37 Binomial Probability Distribution Discrete Probability Distribution
38 Normal Distribution
- Continuous Probability Distribution
- Useful when an event has an infinite number of possible values in a stated range
39 Normal Distribution Properties
- Distribution shaped by its mean (μ) and standard deviation (σ)
- Probability is associated with area under the curve.
- Area between any two points is obtained via a z score: z = (x - μ)/σ
- Since the normal distribution is symmetrical around the mean, outcome between - and μ has the same prob of falling between μ and
- Rules of thumb with respect to observations. Approximately:
  - 68%: ± 1 standard deviation of the mean
  - 95%: ± 2 standard deviations of the mean
  - 99%: ± 3 standard deviations of the mean
40 PERT Distribution
PERT Mean = (a + 4m + b)/6
Where:
- a = optimistic estimate
- m = most likely
- b = pessimistic
42 Triangular Distribution
TRIANG Mean = (a + m + b)/3
Where:
- a = optimistic estimate
- m = most likely
- b = pessimistic
43 Simulations
- Monte Carlo
  - Technique that randomly generates specific values for a variable with a specific probability distribution
  - Goes through a number of trials or iterations and records the outcome
- @RISK®
  - An MS Project® add in that provides a useful tool for conducting risk analysis of your project plan
  - Uses Monte Carlo simulation to show you many possible outcomes in your project – and tells you how likely they are to occur.
  - You can determine which tasks are most important and then manage those risks appropriately. Helps you choose the best strategy based on the available information.
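The Monte Carlo technique above, applied to the PERT and TRIANG three-point estimates from the preceding slides, as an added example that is not part of the original presentation. The task names, the estimates and the deadline are constructed, and the beta shape parameters used to sample PERT are a common convention assumed here (the slides give only the mean).

```python
import random
import statistics

# Constructed three-point estimates in days for three sequential tasks:
# (a = optimistic, m = most likely, b = pessimistic). Not from the slides.
TASKS = {
    "design": (5, 8, 15),
    "build": (10, 14, 30),
    "test": (4, 6, 12),
}

def pert_mean(a, m, b):
    return (a + 4 * m + b) / 6          # PERT Mean from the slides

def triang_mean(a, m, b):
    return (a + m + b) / 3              # TRIANG Mean from the slides

def sample_triang(rng, a, m, b):
    return rng.triangular(a, b, m)      # stdlib order is (low, high, mode)

def sample_pert(rng, a, m, b):
    # Assumed beta-PERT parameterization; its mean equals (a + 4m + b)/6.
    alpha = 1 + 4 * (m - a) / (b - a)
    beta = 1 + 4 * (b - m) / (b - a)
    return a + (b - a) * rng.betavariate(alpha, beta)

def simulate(tasks, sampler, trials=20000, seed=1):
    """Each trial draws one duration per task and records the project total."""
    rng = random.Random(seed)           # fixed seed keeps the run repeatable
    return [sum(sampler(rng, *est) for est in tasks.values())
            for _ in range(trials)]

def prob_late(totals, deadline):
    """Share of trials in which the project overran the deadline."""
    return sum(t > deadline for t in totals) / len(totals)

def summarize(tasks, deadline):
    out = {}
    for name, sampler, mean_fn in (("PERT", sample_pert, pert_mean),
                                   ("TRIANG", sample_triang, triang_mean)):
        totals = simulate(tasks, sampler)
        out[name] = {
            "analytic_mean": sum(mean_fn(*e) for e in tasks.values()),
            "simulated_mean": statistics.fmean(totals),
            "p80": statistics.quantiles(totals, n=10)[7],  # 80th percentile
            "prob_late": prob_late(totals, deadline),
        }
    return out

if __name__ == "__main__":
    for name, row in summarize(TASKS, deadline=35).items():
        print(name, {k: round(v, 2) for k, v in row.items()})
```

The simulated means converge on the two formula means, while the 80th percentile and the overrun probability show what a single mean hides: the same three estimates give a noticeably riskier schedule under TRIANG than under PERT.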
48 Risk Strategies Depend On
- The nature of the risk
  - Really an opportunity or threat?
- Impact on MOV and project objectives
  - Probability? Impact?
- Project constraints
  - Available resources?
- Risk tolerances or preferences of the project stakeholders
49 Risk Strategies Responses
- Accept or Ignore
  - Management Reserves
    - Released by senior management, usually not included in project’s budget
  - Contingency Reserves
    - Part of project’s budget
  - Contingency Plans (Plan B)
    - Disaster recovery plan in case of a natural disaster
- Avoidance – eliminate the risk from occurring
- Mitigate
  - Reduce the likelihood or impact (or both)
- Transfer
  - e.g. insurance, subcontract to someone who has more expertise
50 Risk Response Plan should include:
- A trigger which flags that the risk has occurred
- An owner of the risk (i.e., the person or group responsible for monitoring the risk and ensuring that the appropriate risk response is carried out)
- A response based on one of the four basic risk strategies
- Adequate resources
51 Risk Monitoring & Control
- Risk Audits
  - External to project team
- Risk Reviews
  - Internal but outside the project team
- Risk Status Meetings & Reports
52 Project Risk Radar
- Monitoring project risks is analogous to a radar scope where threats and opportunities may present themselves at different times over the project
53 Risk Evaluation
Lessons learned and best practices help us to:
- Increase our understanding of IT project risk in general.
- Understand what information was available to managing risks and for making risk-related decisions.
- Understand how and why a particular decision was made.
- Understand the implications not only of the risks, but also the decisions that were made.
- Learn from our experience so that others may not have to repeat our mistakes.