Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Technology Project Management – Third Edition By Jack T. Marchewka Northern Illinois University Copyright 2009 John Wiley & Sons, Inc. all.

Similar presentations

Presentation on theme: "Information Technology Project Management – Third Edition By Jack T. Marchewka Northern Illinois University Copyright 2009 John Wiley & Sons, Inc. all."— Presentation transcript:

1 Information Technology Project Management – Third Edition By Jack T. Marchewka Northern Illinois University Copyright 2009 John Wiley & Sons, Inc. all rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein. 1

2 Managing Project Risk Chapter 8 2

3 Managing Project Risk  The baseline project plan is based on a number of estimates and assumptions  Estimation implies uncertainty so managing the uncertainty is crucial to project success  Project risk management is an important sub-discipline of software engineering  Focuses on identifying, analyzing and developing strategies for responding to project risk efficiently and effectively  The goal is to make well informed decisions as to what risks are worth taking and to respond to those risks in an appropriate manner  Provides an early warning system for impending problems that need to be addressed or resolved 3

4 Common Mistakes in Managing Project Risk  By not following a formal risk management approach, many projects end up in a perpetual crisis mode (firefighting) – reacting rather than being proactive  Inability to make effective and timely decisions  Not understanding the benefits of risk management  Client wants results, not interested in how achieved. Managers take aggressive risks or may optimistically ignore risks which turn into threats to the project’s success  Not providing adequate time for risk management  Should not be treated as an add-on but integrated throughout the project life cycle  Assess and plan for project risk in the earliest stages of the project 4

5 Common Mistakes in Managing Project Risk  Not identifying and assessing risk using a standardized approach  Can overlook both threats and opportunities  Time and resources expended on problems that could have been avoided, opportunities will be missed  Decisions will be made without complete understanding or information 5

6 Effective & Successful Risk Management Requires  Commitment by all stakeholders  Otherwise, the process will be sidestepped the moment a crisis arises and the project is in trouble  Stakeholder responsibility  Each risk must have an owner who will take responsibility for monitoring the project in order to identify any new or increasing risks and report them to the project sponsor  Different risks for different types of projects  You can not manage all projects and risks the same way, this can lead to disaster 6

7 Definitions  Risk  An uncertain event or condition that, if occurs, has a positive or negative effect on the project objectives.  Project Risk Management (PMBOK ® )  Includes the processes concerned with conducting risk management planning, identification, analysis, responses, and monitoring and control of a project; most of these processes are updated throughout the project. The objectives of project risk management are to increase the probability and impact of positive events and decrease the probability and impact of events adverse to the project. 7

8 PMBOK ® Risk Management Processes  Risk management planning  Determining how to approach and plan the project risk management activities. An output of this process is the development of a risk management plan.  Risk identification  Deciding which risks can impact the project. Risk identification generally includes many of the project stakeholders and requires an understanding of the project’s goal, as well as the project’s scope, schedule, budget, and quality objectives.  Qualitative risk analysis  Focusing on a qualitative analysis concerning the impact and likelihood of the risks that were identified.  Quantitative risk analysis  Using a quantitative approach for developing a probabilistic model for understanding and responding to the risks identified.  Risk response planning  Developing procedures and techniques to reduce the threats of risks, while enhancing the likelihood of opportunities.  Risk monitoring and control  Providing an early warning system to monitor identified risks and any new risks. This system ensures that risk responses have been implemented as planned and had the effect as intended. 8

9 IT Project Risk Management Processes 9

10 Risk Planning  Requires firm commitment by all stakeholders to a RM approach  Assures adequate resources are in place to plan properly for and manage the various risks of the IT project  Stakeholders also must be committed to the process  Focuses on preparation  Systematic preparation and planning can help minimize adverse effects on the project while taking advantage of opprotunities as they arise 10

11 Risk Identification  Once commitment has been obtained and preparations have been made, the next step entails identifying the various risks to the project.  Both threats and opportunities must be identified.  They must be identified clearly so that the true problem, not just a symptom, is addressed.  Causes and effects of each risk must be understood so that effective strategies and responses can be made.  Project risks are rarely isolated, they tend to be interrelated and affect the project and its stakeholders differently. 11

12 Risk Assessment  Once the project risks have been identified and their causes and effects understood, the next step requires that we analyze these risks.  Answers to two basic questions are required:  What is the likelihood of a particular risk occurring?  What is the impact on the project if it does occur?  Assessing these risks helps the project manager and other stakeholders prioritize and formulate responses to those risks that provide the greatest threat or opportunity to the project.  Because there is a cost associated with responding to a particular risk, risk management must function within the constraints of the project’s available resources. 12

13 Risk Strategies  The next step of the risk planning process is to determine how to deal with the various project risks.  In addition to resource constraints, an appropriate strategy will be determined by the project stakeholders’ perceptions of risk and their willingness to take on a particular risk.  Essentially, a project risk strategy will focus on one of the following approaches:  Accept or ignore the risk.  Avoid the risk completely.  Reduce the likelihood or impact of the risk (or both) if the risk occurs.  Transfer the risk to someone else (i.e., insurance). 13

14 Risk Strategies  In addition, triggers or flags in the form of metrics should be identified to draw attention to a particular risk when it occurs.  This system requires that each risk have an owner to monitor the risk and to ensure that resources are made available in order to respond to the risk appropriately.  Once the risks, the risk triggers, and strategies or responses are documented, this document then becomes the risk response plan. 14

15 Risk Monitoring & Control  Once the salient project risks have been identified and appropriate responses formulated, the next step entails scanning the project environment so that both identified and unidentified threats and opportunities can be followed, much like a radar screen follows ships.  Risk owners should monitor the various risk triggers so that well informed decisions and appropriate actions can take place. Risk Response  Provides a mechanism for scanning the project environment for risks, but the risk owner must commit resources and take action once a risk threat or opportunity is made known. This action normally follows the planned risk strategy 15

16 Risk Evaluation  Responses to risks and the experience gained provide keys to learning.  A formal and documented evaluation of a risk episode provides the basis for lessons learned and lays the foundation for identifying best practices.  This evaluation should consider the entire risk management process from planning through evaluation.  It should focus on the following questions:  How did we do?  What can we do better next time?  What lessons did we learn?  What best practices can be incorporated in the risk management process?  The risk planning process is cyclical because the evaluation of the risk responses and the risk planning process can influence how an organization will plan, prepare, and commit to IT risk management. 16

17 Risk Identification Framework IT Project Risk Identification Framework 17

18  At the core of the framework is the MOV  Next layer includes the project objectives – scope, budget, schedule and quality. They play a critical role in supporting the MOV  The third layer focuses on the sources of IT project risk  The next layer focuses on whether the risks are internal or external  If a team member is not properly trained to use a technology, the risk can be mitigated or avoided by additional training or assigning the task to a more experienced team member  A PM may not be accountable for project cancellation if the project sponsor went bankrupt  A poorly performing external vendor is still the responsibility of the PM if s/he chose that vendor 18 IT Project Risk Identification Framework

19  The fifth layer includes known risks, known-unknown risks and unknown-unknown risks  Known: events that are going to occur  Known-unknown: identifiable uncertainty  You pay an electricity bill each month, but the amount changes based on usage  Unknown-unknown: known only after they occur 19 IT Project Risk Identification Framework

20  The final layer shows that though risk management is critical at the start of a project, vigilance for opportunities and problems is required throughout the entire project life cycle 20 IT Project Risk Identification Framework

21  The framework can be used to understand a risk after it occurs  Vendor is hired to develop a BI system, client is sued and has to cut back on project. Due to importance of project, break it into two phases (basic and bells-and-whistles).  Threat occurred in Develop Project Charter and Project Plan Phase  Unknown-unknown risk  External risk, PM and project team not responsible  Sources of risk – environment (economic), organizational (client) and people (if management is to blame)  Impact on scope, budget and schedule  MOV changes due to phased approach 21 Applying the IT Project Risk Identification Framework

22  The framework can be used to proactively identify IT risks  Start from the outer core of the framework, analyzing the WBS and work packages to identify risks for each work package under the various project phases  Categorize known/unknown types  Categorize external/internal  Identify sources of risk (may be inter-related)  Assess how a particular risk will impact the project objectives and in turn the MOV  See paper on website “Performing a Project Premortem”  Can also be used going from inner core and working out 22 Applying the IT Project Risk Identification Framework

23 Risk Identification Tools & Techniques  Learning Cycles  Identify facts (what is known), assumptions (what they think they know) and research (things to find out) to identify various risks  Brainstorming  Use IT risk framework and the WBS to identify risks  Nominal Group Technique  Structured technique for identifying risks that attempts to balance and increase participation  Ideas discussed, prioritized, priorities discussed, prioritized again and summarized  Delphi Technique  Group of experts assembled to identify potential risks and their impact on the project 23

24 Risk Identification Tools & Techniques  Interviews  Gain alternative opinions from stakeholders about risks  Checklists  Structured tool for identifying risks that have occurred in the past  Be aware of things not on the list  SWOT Analysis  Strengths, weaknesses, opportunities and threats  Identify threats and opportunities as well as their nature in terms of the project or organizational strengths and weaknesses  Cause & Effect (a.k.a. Fishbone/Ishikawa)  Can be used to for understanding the causes and factors of a particular risk as well as its effects  Past Projects  Lessons learned from earlier projects 24

25 Nominal Group Technique (NGT) 1.Each individual silently writes their ideas on a piece of paper 2.Each idea is then written on a board or flip chart one at a time in a round-robin fashion until each individual has listed all of his or her ideas 3.The group then discusses and clarifies each of the ideas 4.Each individual then silently ranks and prioritizes the ideas 5.The group then discusses the rankings and priorities 6.Each individual ranks and prioritizes the ideas again 7.The rankings and prioritizations are then summarized for the group 25

26 Risk Check List  Funding for the project has been secured  Funding for the project is sufficient  Funding for the project has been approved by senior management  The project team has the requisite skills to complete the project  The project has adequate manpower to complete the project  The project charter and project plan have been approved by senior management or the project sponsor  The project’s goal is realistic and achievable  The project’s schedule is realistic and achievable  The project’s scope has been clearly defined  Processes for scope changes have been clearly defined 26

27 Cause & Effect Diagram 27

28 Risk Analysis & Assessment Risk = f(Probability * Impact) Risk analysis – determine each identified risk’s probability and impact on the project Risk assessment - focuses on prioritizing risks so that an effective strategy can be formulated for those risks that require a response. Can’t respond to all risks! Depends on Stakeholder risk tolerances 28

29 Risk Analysis & Assessment Qualitative Approaches  Expected Value & Payoff Tables  Determine return or profit the project will return  Decision Trees  Graphical view of various decisions and outcomes  Risk Impact Table & Ranking  Analyze and prioritize various IT project risks  Tusler’s Risk Classification 29

30 ABA*B Schedule RiskProbability Payoff (In thousands) Prob * Payoff (In thousands) Project completed 20 days early5% $ 200 $10 Project completed 10 days early 20% $ 150$30 Project completed on Schedule50% $ 100 $50 Project completed 10 days late 20% $ - $0 Project completed 20 days late5% $ (50) ($3) 100 % $88 The Expected Value 30  Expected Value & Payoff Tables  Expected value is an average, taking into account the probability and impact of various outcomes  Expected return on the project

31 31  Decision Trees $10, *$2,000 Least cost but small probabiltiy of success

32 %0-10P*I Risk (Threats)ProbabilityImpactScore Key project team member leaves project40%41.6 Client unable to define scope and requirements50%63.0 Client experiences financial problems10%90.9 Response time not acceptable to users/client80%64.8 Technology does not integrate with existing application60%74.2 Functional manager deflects resources away from project20%30.6 Client unable to obtain licensing agreements5%70.4  Risk Impact Table 32

33 Risk (Threats) Ranking Response time not acceptable to users/client1 Technology does not integrate with existing application2 Client unable to define scope and requirements3 Key project team member leaves project4 Client experiences financial problems5 Functional manager deflects resources away from project6 Client unable to obtain licensing agreements7 Risk Rankings 33

34 Risk Analysis & Assessment Qualitative Approaches  Tusler’s Risk Classification  Risk scores can be further analyzed using the following quadrants  Kittens – low probability of occurring and low impact. Don’t spend much time or resources on them whether positive or negative  Puppies – low impact but high probability of occurring. Must be watched so corrective action can be taken before they get out of hand  Tigers – high impact and high probability. Deal with them tout de suite.  Alligators – low probability but high impact if they get loose. Make sure you know where they are 34

35 Tusler’s Risk Classification Low prob/low impact Can be troublesomeMust be neutralized Not a problem (if you know where they are ) Tusler’s Risk Identification Scheme 35

36 Risk Analysis & Assessment Quantitative Approaches  Quantitative Probability Distributions  Discrete  Binomial  Continuous  Normal  PERT  TRIANG 36

37 Binomial Probability Distribution 37  Discrete Probability Distribution

38 Normal Distribution 38  Continuous Probability Distribution  Useful when an event has an infinite number of possible values in a state range

39 Normal Distribution  Properties  Distribution shaped by its mean ( μ ) and standard deviation (σ)  Probability is associated area under the curve.  Area between any two points is obtained via a z score z=(x- μ)/σ  Since the normal distribution is symmetrical around the mean, outcome between -  and μ has the same prob of falling between μ and   Rules of thumb with respect to observations  Approximately…. 68% + 1 standard deviations of mean 95% + 2 standard deviations of the mean 99% + 3 standard deviations of the mean 39

40 PERT Distribution PERT MEAN = (a + 4m + b)/6 Where: a = optimistic estimate m = most likely b = pessimistic 40

41 PERT Distribution 41 PERT Mean = (a + 4m + b)/6 Where: a = optimistic estimate m = most likely b = pessimistic

42 Triangular Distribution 42 TRAING Mean = (a + m + b)/3 Where: a = optimistic estimate m = most likely b = pessimistic

43 Simulations  Monte Carlo  Technique that randomly generates specific values for a variable with a specific probability distribution  Goes through a number of trials or iterations and records the outcome ®  An MS Project ® add in that provides a useful tool for conducting risk analysis of your project plan  Uses Monte Carlo simulation to show you many possible outcomes in your project – and tells you how likely they are to occur.  You can determine which tasks are most important and then manage those risks appropriately. Helps you choose the best strategy based on the available information.  43

44 Monte Carlo Simulation 44

45 Output From Monte Carlo Simulation 90.4% chance of completing between 13.8 and 21.7 days 45

46 Cumulative Probability Distribution 40% chance of completing in 17 days 46

47 Tornado Graph Sensitivity Analysis Using a Tornado Graph 47

48 Risk Strategies Depend On  The nature of the risk  Really an opportunity or threat?  Impact on MOV and project objectives  Probability? Impact?  Project constraints  Available resources?  Risk tolerances or preferences of the project stakeholders 48

49 Risk Strategies Responses  Accept or Ignore  Management Reserves  Released by senior management, usually not included in project’s budget  Contingency Reserves  Part of project’s budget  Contingency Plans (Plan B)  Disaster recovery plan in case of a natural disaster  Avoidance – eliminate the risk from occurring  Mitigate  Reduce the likelihood or impact (or both)  Transfer  e.g. insurance, subcontract to someone who has more expertise 49

50 Risk Response Plan should include:  A trigger which flags that the risk has occurred  An owner of the risk (i.e., the person or group responsible for monitoring the risk and ensuring that the appropriate risk response is carried out)  A response based on one of the four basic risk strategies  Adequate resources 50

51 Risk Monitoring & Control  Risk Audits  External to project team  Risk Reviews  Internal but outside the project team  Risk Status Meetings & Reports 51

52 Project Risk Radar Monitoring project risks is analogous to a radar scope where threat and opportunities may present themselves at different times over the project 52

53 Risk Evaluation  Lessons learned and best practices help us to:  Increase our understanding of IT project risk in general.  Understand what information was available to managing risks and for making risk-related decisions.  Understand how and why a particular decision was made.  Understand the implications not only of the risks, but also the decisions that were made.  Learn from our experience so that others may not have to repeat our mistakes. 53

Download ppt "Information Technology Project Management – Third Edition By Jack T. Marchewka Northern Illinois University Copyright 2009 John Wiley & Sons, Inc. all."

Similar presentations

Ads by Google