1. 1-1 Information Technology Project Management by Jack T. Marchewka Power Point Slides by Richard Erickson, Northern Illinois University Copyright 2003 John Wiley & Sons, Inc. all rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express permission of the copyright owner is unlawful. Request for further information information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.

2. 1-2 Chapter 8 – Managing Project Risk

3. 1-3 Chapter 8 Objectives Describe the project risk management planning framework introduced in this chapter.Describe the project risk management planning framework introduced in this chapter. Define risk identification and the causes, effects, and integrative nature of project risks.Define risk identification and the causes, effects, and integrative nature of project risks. Apply several qualitative and quantitative analysis techniques that can be used to prioritize and analyze various project risks.Apply several qualitative and quantitative analysis techniques that can be used to prioritize and analyze various project risks. Describe the various risk strategies, such as insurance, avoidance, or mitigation.Describe the various risk strategies, such as insurance, avoidance, or mitigation. Describe risk monitoring and control.Describe risk monitoring and control. Describe risk evaluation in terms of how the entire risk management process should be evaluated in order to learn from experience and to identify best practices.Describe risk evaluation in terms of how the entire risk management process should be evaluated in order to learn from experience and to identify best practices.

4. 1-4 The Baseline Project Plan is based on: Our understanding of the current situationOur understanding of the current situation The information availableThe information available The assumptions we makeThe assumptions we make

5. 1-5 “Although no one can predict the future with 100 percent accuracy, having a solid foundation, in terms of processes, tools, and techniques, can increase our confidence in these estimates.”

6. 1-6 Common Mistakes in Managing Project Risk Not Understanding the Benefits of Risk ManagementNot Understanding the Benefits of Risk Management Not Providing Adequate Time for Risk ManagementNot Providing Adequate Time for Risk Management Not Identifying and Assessing Risk Using a Standardized ApproachNot Identifying and Assessing Risk Using a Standardized Approach

7. 1-7 Effective and successful project risk management requires: Commitment by all stakeholdersCommitment by all stakeholders Stakeholder ResponsibilityStakeholder Responsibility –each risk must have an owner Different Risks for Different Types of ProjectsDifferent Risks for Different Types of Projects

8. 1-8 PMBOK Processes of Risk Management Risk Management PlanningRisk Management Planning Risk IdentificationRisk Identification Qualitative Risk AnalysisQualitative Risk Analysis Quantitative Risk AnalysisQuantitative Risk Analysis Risk Response PlanningRisk Response Planning Risk Monitoring and ControlRisk Monitoring and Control

9. 1-9 IT Project Risk Management Planning Process PMBOK definition of Project RiskPMBOK definition of Project Risk –An uncertain event or condition that, if it occurs, has a positive or negative effect on the project objectives. PMBOK definition of Project Risk ManagementPMBOK definition of Project Risk Management –The systematic process of identifying, analyzing, and responding to project risk. It includes maximizing the probability and consequences of positive events and minimizing the probability and consequences of adverse events.

10. 1-10 IT Project Risk Management Process

11. 1-11 IT Project Risk Management Planning Process Risk PlanningRisk Planning –Requires a firm commitment to risk management from all project stakeholders –Ensures adequate resources to plan for and manage risk –Focuses on preparation

12. 1-12 IT Project Risk Management Planning Process Risk Identification of:Risk Identification of: –Threats and opportunities –Causes and effects of each risk –Effective strategies for and responses to risk

13. 1-13 IT Project Risk Management Planning Process Risk AssessmentRisk Assessment –What is the likelihood of a particular risk occurring? –What is the impact on the project if it does occur?

14. 1-14 IT Project Risk Management Planning Process Risk StrategiesRisk Strategies –Accept or ignore the risk –Avoid the risk completely. –Reduce the likelihood or impact of the risk (or both) if the risk occurs. –Transfer the risk to someone else (i.e., insurance).

15. 1-15 IT Project Risk Management Planning Process Risk Monitoring and ControlRisk Monitoring and Control Risk ResponseRisk Response Risk EvaluationRisk Evaluation –How did we do? –What can we do better next time? –What lessons did we learn? –What best practices can be incorporated in the risk management process?

16. 1-16 IT Project Risk Framework

17. 1-17 Identifying IT Project Risks Tools and TechniquesTools and Techniques –Learning Cycles –Brainstorming –Nominal Group Technique (NGT) –Delphi Technique –Interviewing –Checklists –SWOT Analysis –Cause and Effect Diagrams –Past Projects

18. 1-18 Identifying IT Project Risks Nominal Group Technique (NGT)Nominal Group Technique (NGT) –a. Each individual silently writes her or his ideas on a piece of paper –b. Each idea is then written on a board or flip chart one at a time in a round-robin fashion until each individual has listed all of his or her ideas. –c. The group then discusses and clarifies each of the ideas. –d. Each individual then silently ranks and prioritizes the ideas. –e. The group then discusses the rankings and priorities of the ideas. –f. Each individual ranks and prioritizes the ideas again. –g. The rankings and prioritizations are then summarized for the group.

19. 1-19 SWOT Analysis

20. 1-20 Cause and Effect Diagram Identify the risk in terms of a threat or opportunity.Identify the risk in terms of a threat or opportunity. Identify the main factors that can cause the risk to occur.Identify the main factors that can cause the risk to occur. Identify detailed factors for each of the main factors.Identify detailed factors for each of the main factors. Continue refining the diagram until satisfied that the diagram is complete.Continue refining the diagram until satisfied that the diagram is complete.

21. 1-21 Cause and Effect Diagram

22. 1-22 Risk Analysis and Assessment Qualitative ApproachesQualitative Approaches –Expected Value – probability weighted sum –Payoff Table –Decision Trees –Risk Impact Table –Tusler’s risk classification scheme

23. 1-23 Expected Value of a Payoff Table Schedule Risk AProbabilityB Payoff (in 000s) A + B Prob. * Payoff Project completed 20 days early 5%$200$10 Project completed 10 days early 20%$150$30 Project completed on schedule 50%$100$50 Project completed 10 days late 20% $ -- Project completed 20 days late 5% $ (50) $ (3) 100%$88 Expected Value

24. 1-24 Decision Tree Analysis

25. 1-25 Tusler’s Risk Classification Scheme

26. 1-26 Risk Analysis and Assessment Quantitative ApproachesQuantitative Approaches –Discrete Probability Distributions BinomialBinomial –Continuous Probability Distributions NormalNormal PERTPERT TriangularTriangular –Simulations

27. 1-27 Binomial Probability Distribution

28. 1-28 Normal Distribution

29. 1-29 Normal Distribution shape is determined by its mean (µ) and standard deviation ()shape is determined by its mean (µ) and standard deviation () Probability is associated with area under the curve.Probability is associated with area under the curve. Since the distribution is symmetrical, the following probability rules of thumb applySince the distribution is symmetrical, the following probability rules of thumb apply –About 68 percent of all the values will fall between +1  of the mean –About 95 percent of all the values will fall between +2  of the mean –About 99 percent of all the values will fall between +3  of the mean

30. 1-30 PERT Distribution

31. 1-31 PERT Distribution PERT distribution uses a three-point estimate where:PERT distribution uses a three-point estimate where: –a denotes an optimistic estimate –b denotes a most likely estimate –c denotes a pessimistic estimate PERT Mean = (a + 4m + b) / 6PERT Mean = (a + 4m + b) / 6 PERT Standard Deviation = (b - a) / 6PERT Standard Deviation = (b - a) / 6

32. 1-32 Triangular Distribution

33. 1-33 Triangular Distribution uses a three-point estimate similar to the PERT distribution where:uses a three-point estimate similar to the PERT distribution where: –a denotes an optimistic estimate –b denotes a most likely estimate –c denotes a pessimistic estimate weighting for the mean and standard deviation are different from PERTweighting for the mean and standard deviation are different from PERT –TRIANG Mean = (a + m + b) / 3 –TRIANG Standard Deviation = [((b-a) 2 + (m-a)(m-b)) /18] 1/2

34. 1-34 Simulations Monte CarloMonte Carlo –a technique that randomly generates specific values for a variable with a specific probability distribution. –goes through a specific number of iterations or trials and records the outcome. –@risk Sensitivity AnalysisSensitivity Analysis –Tornado Graph

35. 1-35 Risk Simulation Using @Risk for Microsoft Project

36. 1-36 Output from Monte Carlo Simulation

37. 1-37 Cumulative Probability Distribution

38. 1-38 Sensitivity Analysis Using a Tornado Graph

39. 1-39 Risk Strategies Function of:Function of: –The nature of the risk itself –The impact of the risk on the project’s MOV and objectives –The project’s constraints in terms of scope, schedule, budget, and quality –requirements

40. 1-40 Risk Strategy Alternatives Accept or IgnoreAccept or Ignore –Management Reserves –Contingency Reserves –Contingency plans AvoidanceAvoidance Mitigate – Reduce likelihood and/or impactMitigate – Reduce likelihood and/or impact Transfer – e.g. insuranceTransfer – e.g. insurance

41. 1-41 Risk Response Plan should include: The project riskThe project risk The trigger which flags that the risk has occurredThe trigger which flags that the risk has occurred The owner of the risk (i.e., the person or group responsible for monitoring the risk and ensuring that the appropriate risk response is carried out)The owner of the risk (i.e., the person or group responsible for monitoring the risk and ensuring that the appropriate risk response is carried out) The risk response based on one of the four basic risk strategiesThe risk response based on one of the four basic risk strategies

42. 1-42 Risk Monitoring and Control tools for monitoring and controlling project risktools for monitoring and controlling project risk –Risk Audits by external people –Risk Reviews by internal team members –Risk Status Meetings and Reports

43. 1-43 Project Risk Radar

44. 1-44 Risk Response and Evaluation lessons learned and best practices help us to:lessons learned and best practices help us to: –Increase our understanding of IT project risk in general. –Understand what information was available to managing risks and for making –risk-related decisions. –Understand how and why a particular decision was made. –Understand the implications not only of the risks but also the decisions that –were made. –Learn from our experience so that others may not have to repeat our mistakes.