Project Risk Management Mohammad A. Rob

The Importance of Project Risk Management Project risk management is the art and science of identifying, assigning, and responding to risk throughout the life of a project and in the best interests of meeting project objectives Risk management is often overlooked on projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimates

What is Risk? A dictionary definition of risk is “the possibility of loss or injury” Project risk involves understanding potential problems that might occur on the project and how they might impede project success Risk management is like a form of insurance; it is an investment

Why Take Risks? Because of Opportunities! Opportunities Risks Try to balance risks and opportunities

What is Project Risk Management? The goal of project risk management is to minimize potential risks while maximizing potential opportunities. Major processes include –Risk management planning: deciding how to approach and plan the risk management activities –Risk identification: determining which risks are likely to affect a project –Risk analysis: measuring the probability and consequences of risks and estimating their effects –Risk response planning: taking steps to enhance opportunities and reduce threats –Risk monitoring and control: monitoring known risks, identifying new risks, and responding to risks over the course of the project

Risk Management Planning The process of deciding how to approach and plan for risk management activities The major inputs to this process: –project charter, WBS, roles and responsibility matrix, corporate risk management policies, risk management templates The major tool : planning meeting to develop risk management plan The major output: risk management plan –it describes how risk identification, qualitative an quantitative analysis, response planning, monitoring, and control will be structured and performed during the project life cycle

Broad Categories of Risk Market risk: Will the new product be useful to the organization or marketable to others? Will users accept and use the product or service? Financial risk: Can the organization afford to undertake the project? Is this project the best way to use the company’s financial resources? Technology risk: Is the project technically feasible? Could the technology be obsolete before a useful product can be produced?

Common Sources of Risk on Information Technology Projects Barry Boehm developed a list of top risk items in software development. Some are: –Personnel shortfalls: To overcome personnel problems, obtain quality people and build a good team –Control dynamic requirements: Some changes in scope is inevitable, but control continuous changes. One way to control is not to change plan until it is absolutely clear that they are needed –Control externally provided project components: combining system components from multiple sources creates risk. Reduce risk by coordination and compatibility checking –Unrealistic estimates: This is due to difficulty in accurate estimation of cost and time. Build a cost risk factor in the budget or designing the project within the budget

McFarlan’s Major Sources of Risk According to F.W. McFarlan, there are three major categories of risk: people, structure, and technology –People risk: includes inadequate skills (technical and managerial) inexperience in general, and inexperience in a specific area of technology –Structural risk: includes the degree of change a new project will introduce into user areas and business procedures, the number of distinct groups the project must satisfy, and the number of other systems the new project must interact with –Technological risk: involves using new or untried technology

Developing a Risk Management Plan Questions a risk management plan should address: –Why is it important to take/ not take this risk in relation to the project objectives? –What is the specific risk, and what are the risk mitigation deliverables? –How is the risk going to be mitigated? What approach? –Which individuals will be responsible for implementing risk management plan? –When will the milestones associated with the mitigation approach occur? –How much is required in terms of resources to mitigate risk?

McFarlan’s Risk Questionnaire

Risk Management Plan Risk management plan documents the procedures for managing risk throughout the project It summarizes the results of the risk identification, quantitative analysis, qualitative analysis, response planning, and monitoring and control processes It is important to define specific deliverables for the project related to risk, assign people to work on the deliverables, and evaluate milestones associated with the risk management approach

Risk Management Plan Risk management plan includes: –Methodology of risk management: the approaches, tools and data sources that twill be used –Roles and responsibilities: defines the lead, support, and risk management team membership for each type of action –Budgeting: budget for risk management for the project –Timing: defines how often the risk management process will be performed throughout the life cycle –Scoring and interpretation: appropriate (qualitative and/or quantitative) methods used for risk analysis –Threshold: the criteria for risks that will be acted upon, by whom, and in what manner –Reporting formats: content and format of the dissemination of risk response plan to stakeholders –Tracking: documenting all facets of risk activities, benefiting current project, identifying future needs, and lesson learned

Information Technology Success Factors

Risk Identification Risk identification is the process of determining which risks might affect the project and documenting their characteristics In addition to identifying risk according to the areas discussed before, risks can be identified according to the project management knowledge areas, such as scope, time,and cost Risk identification tools include: brainstorming among group members, interviewing people, checklists of a set of questions, process diagrams The main output of risk identification is a list of risk events, triggers or risk symptoms, and inputs to other systems (internal or external)

Potential Risk Conditions Associated With Knowledge Areas

Risk Analysis Risk analysis is the process of evaluating risks to assess the range of possible project outcomes Risk probability is the likelihood that a risk will occur Risk consequence is the effect on project objectives if the risk event occurs Risks can be assessed qualitatively or quantitatively Qualitative risk analysis involves identifying the probability of risk and consequences of risk in qualitative terms such as very high, high, moderate, low, or very low. Quantitative risk analysis involves identifying the probability of risk and consequences of risk in quantitative terms

Qualitative Risk Analysis Risk probability and risk consequence should be applied to specific risk events, not to the overall project One technique of identifying qualitative risks is to create a probability/impact matrix, which assigns ratings for probability of risk and consequence of risks (impact) on risk events Risks with high probability and high impact are likely to require further analysis, including quantification, and aggressive risk management Many organizations rely on the intuitive feelings and past experience of experts to help identify potential project risks

Probability-Consequence Chart

Quantitative Risk Analysis The quantitative risk analysis process aims to analyze numerically the probability of each risk and its consequences on project objectives, as well as the extent of overall project risk It often follows from the qualitative risk analysis The main techniques for quantitative risk analysis are: decision tree and Monte Carlo simulation –Decision tree is a diagramming method used to help select the best course of action in situations in which future outcomes are uncertain. A common application involves calculating expected monetary value (EMV) –Monte Carlo analysis simulates a model’s outcome many times to provide a statistical distribution of the calculated results. A simulation may determine a project’s scope and cost goals at 10%, 50%, or 90% probability

Expected Monetary Value (EMV) Example

Risk Response Planning Risk response planning is the process of developing options and determining actions to reduce risk It includes the identification and assignment of individuals or parties to take responsibility for each agreed risk response Important tools for risk response are: –Risk avoidance: eliminating a specific threat or risk, usually by eliminating its causes –Risk acceptance: accepting the consequences should a risk occur –Risk transference: shift the responsibility and consequence of risk to a third party –Risk mitigation: reducing the impact of a risk event by reducing the probability of its occurrence

General Risk Mitigation Strategies for Technical, Cost, and Schedule Risks

Outputs of Risk Response Planning The major outputs of risk response planning are: risk response plan, contingency plan, and contingency reserve A risk management plan documents the procedures for managing risk throughout the project Contingency plans are predefined actions that the project team will take if an identified risk event occurs Contingency reserves are provisions held by the project sponsor for possible changes in project scope or quality that can be used to mitigate cost and/or schedule risk

Risk Monitoring and Control Risk monitoring and control involves executing the risk management processes and the risk management plan to respond to risk events A previously identified risk may not materialize or a new risk event might arise. Newly identified risks need to go through the same process as those identified previously Carrying out individual risk management plans involves monitoring risks on the basis of milestones and making decisions regarding risks and mitigation strategies It may be necessary to alter a mitigation strategy if it is ineffective, implement a planed contingency activity, or eliminate a risk form the list when it no longer exists Sometimes unplanned responses to risk events are needed when there are no contingency plans

Top 10 Risk Item Tracking Top 10 risk item tracking is a tool for maintaining an awareness of risk throughout the life of a project Establish a periodic review of the top 10 project risk items List the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item

Example of Top 10 Risk Item Tracking

Using Software to Assist in Project Risk Management Databases can keep track of risks. Example: Visual SourceSafe for software version control Spreadsheets can aid in tracking and quantifying risks More sophisticated risk management software helps develop models and uses simulation to analyze and respond to various project risks

Sample Monte Carlo Simulation Results for Project Schedule

Sample Monte Carlo Simulations Results for Project Costs

Results of Good Project Risk Management Unlike crisis management, good project risk management often goes unnoticed Resolving a crisis receives a much greater visibility, often accompanied by rewards Well-run projects appear to be almost effortless, but a lot of work goes into running a project well Project managers should strive to make their jobs look easy to reflect the results of well-run projects