1. Information Technology Project Management – Third Edition
By Jack T. Marchewka
Northern Illinois University
Copyright 2009 John Wiley & Sons, Inc. all rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.

2. Managing Project Risk
Chapter 8

3. Managing Project Risk
The baseline project plan is based on a number of estimates and assumptions
Estimation implies uncertainty so managing the uncertainty is crucial to project success
Project risk management is an important sub-discipline of software engineering
Focuses on identifying, analyzing and developing strategies for responding to project risk efficiently and effectively
The goal is to make well informed decisions as to what risks are worth taking and to respond to those risks in an appropriate manner
Provides an early warning system for impending problems that need to be addressed or resolved

4. Common Mistakes in Managing Project Risk
By not following a formal risk management approach, many projects end up in a perpetual crisis mode (firefighting) – reacting rather than being proactive
Inability to make effective and timely decisions
Not understanding the benefits of risk management
Client wants results, not interested in how achieved . Managers take aggressive risks or may optimistically ignore risks which turn into threats to the project’s success
Not providing adequate time for risk management
Should not be treated as an add-on but integrated throughout the project life cycle
Assess and plan for project risk in the earliest stages of the project

5. Common Mistakes in Managing Project Risk
Not identifying and assessing risk using a standardized approach
Can overlook both threats and opportunities
Time and resources expended on problems that could have been avoided, opportunities will be missed
Decisions will be made without complete understanding or information

6. Effective & Successful Risk Management Requires
Commitment by all stakeholders
Otherwise, the process will be sidestepped the moment a crisis arises and the project is in trouble
Stakeholder responsibility
Each risk must have an owner who will take responsibility for monitoring the project in order to identify any new or increasing risks and report them to the project sponsor
Different risks for different types of projects
You can not manage all projects and risks the same way, this can lead to disaster

7. Definitions Risk Project Risk Management (PMBOK®)
An uncertain event or condition that, if occurs, has a positive or negative effect on the project objectives.
Project Risk Management (PMBOK®)
Includes the processes concerned with conducting risk management planning, identification, analysis, responses, and monitoring and control of a project; most of these processes are updated throughout the project. The objectives of project risk management are to increase the probability and impact of positive events and decrease the probability and impact of events adverse to the project.

8. PMBOK® Risk Management Processes
Risk management planning
Determining how to approach and plan the project risk management activities. An output of this process is the development of a risk management plan.
Risk identification
Deciding which risks can impact the project. Risk identification generally includes many of the project stakeholders and requires an understanding of the project’s goal, as well as the project’s scope, schedule, budget, and quality objectives.
Qualitative risk analysis
Focusing on a qualitative analysis concerning the impact and likelihood of the risks that were identified.
Quantitative risk analysis
Using a quantitative approach for developing a probabilistic model for understanding and responding to the risks identified.
Risk response planning
Developing procedures and techniques to reduce the threats of risks, while enhancing the likelihood of opportunities.
Risk monitoring and control
Providing an early warning system to monitor identified risks and any new risks. This system ensures that risk responses have been implemented as planned and had the effect as intended.

9. IT Project Risk Management Processes

10. Risk Planning
Requires firm commitment by all stakeholders to a RM approach
Assures adequate resources are in place to plan properly for and manage the various risks of the IT project
Stakeholders also must be committed to the process
Focuses on preparation
Systematic preparation and planning can help minimize adverse effects on the project while taking advantage of opprotunities as they arise

11. Risk Identification
Once commitment has been obtained and preparations have been made, the next step entails identifying the various risks to the project.
Both threats and opportunities must be identified.
They must be identified clearly so that the true problem, not just a symptom, is addressed.
Causes and effects of each risk must be understood so that effective strategies and responses can be made.
Project risks are rarely isolated, they tend to be interrelated and affect the project and its stakeholders differently.

12. Risk Assessment
Once the project risks have been identified and their causes and effects understood, the next step requires that we analyze these risks.
Answers to two basic questions are required:
What is the likelihood of a particular risk occurring?
What is the impact on the project if it does occur?
Assessing these risks helps the project manager and other stakeholders prioritize and formulate responses to those risks that provide the greatest threat or opportunity to the project.
Because there is a cost associated with responding to a particular risk, risk management must function within the constraints of the project’s available resources.

13. Risk Strategies
The next step of the risk planning process is to determine how to deal with the various project risks.
In addition to resource constraints, an appropriate strategy will be determined by the project stakeholders’ perceptions of risk and their willingness to take on a particular risk.
Essentially, a project risk strategy will focus on one of the following approaches:
Accept or ignore the risk.
Avoid the risk completely.
Reduce the likelihood or impact of the risk (or both) if the risk occurs.
Transfer the risk to someone else (i.e., insurance).

14. Risk Strategies
In addition, triggers or flags in the form of metrics should be identified to draw attention to a particular risk when it occurs.
This system requires that each risk have an owner to monitor the risk and to ensure that resources are made available in order to respond to the risk appropriately.
Once the risks, the risk triggers, and strategies or responses are documented, this document then becomes the risk response plan.

15. Risk Monitoring & Control
Once the salient project risks have been identified and appropriate responses formulated, the next step entails scanning the project environment so that both identified and unidentified threats and opportunities can be followed, much like a radar screen follows ships.
Risk owners should monitor the various risk triggers so that well informed decisions and appropriate actions can take place.
Risk Response
Provides a mechanism for scanning the project environment for risks, but the risk owner must commit resources and take action once a risk threat or opportunity is made known. This action normally follows the planned risk strategy

16. Risk Evaluation
Responses to risks and the experience gained provide keys to learning .
A formal and documented evaluation of a risk episode provides the basis for lessons learned and lays the foundation for identifying best practices.
This evaluation should consider the entire risk management process from planning through evaluation.
It should focus on the following questions:
How did we do?
What can we do better next time?
What lessons did we learn?
What best practices can be incorporated in the risk management process?
The risk planning process is cyclical because the evaluation of the risk responses and the risk planning process can influence how an organization will plan, prepare, and commit to IT risk management.

17. IT Project Risk Identification Framework

18. IT Project Risk Identification Framework
At the core of the framework is the MOV
Next layer includes the project objectives – scope, budget, schedule and quality. They play a critical role in supporting the MOV
The third layer focuses on the sources of IT project risk
The next layer focuses on whether the risks are internal or external
If a team member is not properly trained to use a technology, the risk can be mitigated or avoided by additional training or assigning the task to a more experienced team member
A PM may not be accountable for project cancellation if the project sponsor went bankrupt
A poorly performing external vendor is still the responsibility of the PM if s/he chose that vendor

19. IT Project Risk Identification Framework
The fifth layer includes known risks, known-unknown risks and unknown-unknown risks
Known: events that are going to occur
Known-unknown: identifiable uncertainty
You pay an electricity bill each month, but the amount changes based on usage
Unknown-unknown: known only after they occur

20. IT Project Risk Identification Framework
The final layer shows that though risk management is critical at the start of a project, vigilance for opportunities and problems is required throughout the entire project life cycle

21. Applying the IT Project Risk Identification Framework
The framework can be used to understand a risk after it occurs
Vendor is hired to develop a BI system, client is sued and has to cut back on project. Due to importance of project, break it into two phases (basic and bells-and-whistles).
Threat occurred in Develop Project Charter and Project Plan Phase
Unknown-unknown risk
External risk, PM and project team not responsible
Sources of risk – environment (economic), organizational (client) and people (if management is to blame)
Impact on scope, budget and schedule
MOV changes due to phased approach

22. Applying the IT Project Risk Identification Framework
The framework can be used to proactively identify IT risks
Start from the outer core of the framework, analyzing the WBS and work packages to identify risks for each work package under the various project phases
Categorize known/unknown types
Categorize external/internal
Identify sources of risk (may be inter-related)
Assess how a particular risk will impact the project objectives and in turn the MOV
See paper on website “Performing a Project Premortem”
Can also be used going from inner core and working out

23. Risk Identification Tools & Techniques
Learning Cycles
Identify facts (what is known), assumptions (what they think they know) and research (things to find out) to identify various risks
Brainstorming
Use IT risk framework and the WBS to identify risks
Nominal Group Technique
Structured technique for identifying risks that attempts to balance and increase participation
Ideas discussed, prioritized, priorities discussed, prioritized again and summarized
Delphi Technique
Group of experts assembled to identify potential risks and their impact on the project

24. Risk Identification Tools & Techniques
Interviews
Gain alternative opinions from stakeholders about risks
Checklists
Structured tool for identifying risks that have occurred in the past
Be aware of things not on the list
SWOT Analysis
Strengths, weaknesses, opportunities and threats
Identify threats and opportunities as well as their nature in terms of the project or organizational strengths and weaknesses
Cause & Effect (a.k.a. Fishbone/Ishikawa)
Can be used to for understanding the causes and factors of a particular risk as well as its effects
Past Projects
Lessons learned from earlier projects

25. Nominal Group Technique (NGT)
Each individual silently writes their ideas on a piece of paper
Each idea is then written on a board or flip chart one at a time in a round-robin fashion until each individual has listed all of his or her ideas
The group then discusses and clarifies each of the ideas
Each individual then silently ranks and prioritizes the ideas
The group then discusses the rankings and priorities
Each individual ranks and prioritizes the ideas again
The rankings and prioritizations are then summarized for the group

26. Risk Check List Funding for the project has been secured
Funding for the project is sufficient
Funding for the project has been approved by senior management
The project team has the requisite skills to complete the project
The project has adequate manpower to complete the project
The project charter and project plan have been approved by senior management or the project sponsor
The project’s goal is realistic and achievable
The project’s schedule is realistic and achievable
The project’s scope has been clearly defined
Processes for scope changes have been clearly defined

27. Cause & Effect Diagram

28. Risk Analysis & Assessment
Risk = f(Probability * Impact)
Risk analysis – determine each identified risk’s probability and impact on the project
Risk assessment - focuses on prioritizing risks so that an effective strategy can be formulated for those risks that require a response.
Can’t respond to all risks!
Depends on Stakeholder risk tolerances

29. Risk Analysis & Assessment Qualitative Approaches
Expected Value & Payoff Tables
Determine return or profit the project will return
Decision Trees
Graphical view of various decisions and outcomes
Risk Impact Table & Ranking
Analyze and prioritize various IT project risks
Tusler’s Risk Classification

30. Expected Value & Payoff Tables
Expected Value & Payoff Tables
Expected value is an average, taking into account the probability and impact of various outcomes
Expected return on the project A B
A*B
Schedule Risk
Probability
Payoff
(In thousands)
Prob * Payoff
Project completed 20 days early 5%
$ 200
$10
Project completed 10 days early
20%
$ 150
$30
Project completed on Schedule
50%
$ 100
$50
Project completed 10 days late
$ - $0
Project completed 20 days late
$ (50)
($3)
100%
$88
The
Expected
Value

31. Decision Trees
$10,000+.
05*$2,000
Least cost but small probabiltiy of success

32. Risk Impact Table 0 - 100% 0-10 P*I Risk (Threats) Probability Impact
Risk Impact Table %
0-10
P*I
Risk (Threats)
Probability
Impact
Score
Key project team member leaves project
40% 4
1.6
Client unable to define scope and requirements
50% 6
3.0
Client experiences financial problems
10% 9
0.9
Response time not acceptable to users/client
80%
4.8
Technology does not integrate with existing application
60% 7
4.2
Functional manager deflects resources away from project
20% 3
0.6
Client unable to obtain licensing agreements 5%
0.4

33. Risk Rankings Risk (Threats)
Risk
Rankings
Risk (Threats)
Ranking
Response time not acceptable to users/client 1
Technology does not integrate with existing application 2
Client unable to define scope and requirements 3
Key project team member leaves project 4
Client experiences financial problems 5
Functional manager deflects resources away from project 6
Client unable to obtain licensing agreements 7

34. Risk Analysis & Assessment Qualitative Approaches
Tusler’s Risk Classification
Risk scores can be further analyzed using the following quadrants
Kittens – low probability of occurring and low impact. Don’t spend much time or resources on them whether positive or negative
Puppies – low impact but high probability of occurring. Must be watched so corrective action can be taken before they get out of hand
Tigers – high impact and high probability. Deal with them tout de suite.
Alligators – low probability but high impact if they get loose. Make sure you know where they are

35. Tusler’s Risk Identification Scheme
Tusler’s Risk Classification
Tusler’s Risk Identification Scheme
Can be troublesome
Must be
neutralized
Low prob/low impact
Not a problem
(if you know where they are)

36. Risk Analysis & Assessment Quantitative Approaches
Quantitative Probability Distributions
Discrete
Binomial
Continuous
Normal
PERT
TRIANG

37. Binomial Probability Distribution
Discrete Probability Distribution

38. Normal Distribution Continuous Probability Distribution
Useful when an event has an infinite number of possible values in a state range

39. Normal Distribution Properties
Distribution shaped by its mean (μ ) and standard deviation (σ)
Probability is associated area under the curve .
Area between any two points is obtained via a z score z=(x- μ)/σ
Since the normal distribution is symmetrical around the mean, outcome between - and μ has the same prob of falling between μ and 
Rules of thumb with respect to observations
Approximately….
68% + 1 standard deviations of mean
95% + 2 standard deviations of the mean
99% + 3 standard deviations of the mean

40. PERT Distribution PERT MEAN = (a + 4m + b)/6 Where:
a = optimistic estimate
m = most likely
b = pessimistic

41. PERT Distribution PERT Mean = (a + 4m + b)/6 Where:
a = optimistic estimate
m = most likely
b = pessimistic

42. Triangular Distribution
TRAING Mean = (a + m + b)/3
Where:
a = optimistic estimate
m = most likely
b = pessimistic

43. Simulations Monte Carlo
Technique that randomly generates specific values for a variable with a specific probability distribution
Goes through a number of trials or iterations and records the outcome
@RISK®
An MS Project® add in that provides a useful tool for conducting risk analysis of your project plan
Uses Monte Carlo simulation to show you many possible outcomes in your project – and tells you how likely they are to occur.
You can determine which tasks are most important and then manage those risks appropriately. Helps you choose the best strategy based on the available information.

44. Monte Carlo Simulation

45. Output From Monte Carlo Simulation 90
Output From Monte Carlo Simulation 90.4% chance of completing between 13.8 and 21.7 days

46. Cumulative Probability Distribution 40% chance of completing in 17 days

47. Sensitivity Analysis Using a Tornado Graph

48. Risk Strategies Depend On
The nature of the risk
Really an opportunity or threat?
Impact on MOV and project objectives
Probability? Impact?
Project constraints
Available resources?
Risk tolerances or preferences of the project stakeholders

49. Risk Strategies Responses
Accept or Ignore
Management Reserves
Released by senior management, usually not included in project’s budget
Contingency Reserves
Part of project’s budget
Contingency Plans (Plan B)
Disaster recovery plan in case of a natural disaster
Avoidance – eliminate the risk from occurring
Mitigate
Reduce the likelihood or impact (or both)
Transfer
e.g. insurance, subcontract to someone who has more expertise

50. Risk Response Plan should include:
A trigger which flags that the risk has occurred
An owner of the risk (i.e., the person or group responsible for monitoring the risk and ensuring that the appropriate risk response is carried out)
A response based on one of the four basic risk strategies
Adequate resources

51. Risk Monitoring & Control
Risk Audits
External to project team
Risk Reviews
Internal but outside the project team
Risk Status Meetings & Reports

52. Project Risk Radar Monitoring project risks is analogous
to a radar scope
where threat and
opportunities may
present themselves
at different times over
the project

53. Risk Evaluation Lessons learned and best practices help us to:
Increase our understanding of IT project risk in general.
Understand what information was available to managing risks and for making risk-related decisions.
Understand how and why a particular decision was made.
Understand the implications not only of the risks, but also the decisions that were made.
Learn from our experience so that others may not have to repeat our mistakes.