1. 1

2. The Importance of Project Risk Management Project risk management is the art and science of identifying, assigning, and responding to risk throughout the life of a project and in the best interests of meeting project objectives Risk management is often overlooked on projects, but it can help improve project success by helping selecting good projects, determining project scope, and developing realistic estimates Study has shown how risk management is neglected, especially on IT projects 2

3. The Importance of Project Risk Management KPMG 2001 study found that: 55 % of runaway projects (projects that have significant cost or schedule overruns) did no have risk mgmt at all 38% did some (but half didn’t use their risk findings) 7% didn’t know whether they have risk mgmt or not This study suggest risk mgmt important to improve project success and prevent runaway project 3

4. Table 10-1. Project Management Maturity by Industry Group and Knowledge Area 4

5. What is Risk? A dictionary definition of risk is “the possibility of loss or injury” Project risk involves understanding potential problems that might occur on the project and how they might impede project success Risk management is like a form of insurance; it is an investment 5

6. What is Project Risk Management (PRM)? PRM goal : to minimize potential risks while maximizing potential opportunities. Major processes include a. Risk management planning b. Risk identification c. Risk analysis d. Risk response planning e. Risk monitoring and control 6

7. a. Risk Management Planning Is the process of deciding how to approach and plan for risk mgmt activities The main output of risk management planning is a risk management plan (RMP) The project team should review project documents and understand the organization’s and the sponsor’s approach to risk RMP include Summary results of other processes - risk identification, risk analysis, response planning and monitoring & control processes Roles & responsibility for managing risk Resources required to manage risks 7

8. Table 10-2. Questions Addressed in a Risk Management Plan 8

9. Others Similar Plan Contingency plans are predefined actions that the project team will take if an identified risk event occurs. Ex: if the project team knows that a new release of a software package may not be available in time for them to use it for their project, they might have a contingency plan to use the existing, older version of the software. Fallback plans define actions to be taken if attempts to reduce fails. Contingency reserve or allowances are provisions held by the project sponsor that can be used to mitigate cost or schedule risk if changes in scope or quality occur. Ex: if a project appears to be off course because the staff is inexperienced with some new technology, the project sponsor may provide additional funds from contingency reserves to hire outside consultant to train and advise the project staff in using the new technology. 9

10. Common Sources of Risk on Information Technology Projects Several studies show that IT projects share some common sources of risk The Standish Group developed an IT success potential scoring sheet based on potential risks Risk questionnaire to help access risk Other broad categories of risk help identify potential risks 10

11. Table 10-3. Information Technology Success Potential Scoring Sheet 11

12. Other Categories of Risk Market risk: Will the new product be useful to the organization or marketable to others? Will users accept and use the product or service? Financial risk: Can the organization afford to undertake the project? Is this project the best way to use the company’s financial resources? Technology risk: Is the project technically feasible? Could the technology be obsolete before a useful product can be produced? 12

13. b. Risk Identification Risk identification is the process of understanding what potential unsatisfactory outcomes are associated with a particular project Output – list of identified risks Review past risk on similar project Tools & techniques Brainstorming – technique by which a group attempts to generate ideas/find a solution for a specific problem by amassing ideas spontaneously and without judgment. Small group face-to-face The Delphi technique – to derive a consensus among a panel of experts who make predictions about future developments. Uses repeated rounds of questioning and written responses, including feedback to earlier-round responses, to take advantage of group input, while avoiding the biasing effects possible in oral panel deliberations. Interviewing – a fact-finding technique for collecting information in face-to-face/telephone discussions. Through email & instant messaging SWOT analysis Checklist 13

14. Table 10-5. Potential Risk Conditions Associated With Each Knowledge Area 14

15. Example risk in project life cycle PhasePossible risk Requirement Definition Misunderstanding user/client requirements Lack of communication or lack of user involvement in determining requirement Analysis/ Design Misinterpretation of requirement Making assumptions on what users want or need Incomplete design specification TestingInadequate testing User not accepting the system 15

16. c. Risk Analysis Can be done quantitatively and qualitatively Qualitative tools and techniques include Probability/Impact matrixes The Top 10 Risk Item Tracking technique Expert judgment 16

17. Sample Probability/Impact Matrix 17

18. - Top 10 Risk Item Tracking Top 10 Risk Item Tracking is a tool for maintaining an awareness of risk throughout the life of a project Establish a periodic review of the top 10 project risk items List the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item 18

19. Table 10-7. Example of Top 10 Risk Item Tracking 19

20. - Expert Judgment Many organizations rely on the intuitive feelings and past experience of experts to help identify potential project risks Experts can categorize risks as high, medium, or low with or without more sophisticated techniques 20

21. Risk Analysis: Quantitative Risk Often follows qualitative risk analysis, but both can be done together or separately Large, complex project involving leading edge technologies often require extensive quantitative risk analysis Main techniques include Decision tree analysis simulation 21

22. - Decision Trees and Expected Monetary Value (EMV) A decision tree is a diagramming method used to help you select the best course of action in situations in which future outcomes are uncertain EMV is a type of decision tree where you calculate the expected monetary value of a decision based on its risk event probability and monetary value 22

23. Figure 10-3. Expected Monetary Value (EMV) Example 23

24. d. Risk Response Planning After identifying and quantifying risk, you must decide how to respond to them Four main strategies: Risk avoidance: eliminating a specific threat or risk, usually by eliminating its causes A project team may decide to continue using a specific of hardware/software on a project because they know it works. Other products that could be used on the project may be available, but if the team is unfamiliar with them – could cause significant risk. Risk acceptance: accepting the consequences should a risk occur A project team planning a big project review meeting could take an active approach to risk by having a contingency plan if they cannot get approval for a specific site for the meeting. Risk transference: shifting the consequence of a risk and responsibility for its management to a third party A project team may purchase special insurance/warranty protection for specific hardware needed for a project. If the hardware fails, the insurer must replace it within an agreed-upon period of time. Risk mitigation: reducing the impact of a risk event by reducing the probability of its occurrence Include using proven technology, having competent project personnel, using various analysis and validation techniques, and buying maintenance/service agreements from subcontractors. 24

25. Table 10-8. General Risk Mitigation Strategies for Technical, Cost, and Schedule Risks 25

26. e. Risk Monitoring and Control Monitoring risks involves knowing their status Controlling risks involves carrying out the risk management plans as risks occur Workarounds are unplanned responses to risk events that must be done when there are no contingency plans Input: risk reassessment, risk audits, technical performance measurement, status meeting. And others The main outputs of this process are corrective action, project change requests, recommended corrective and preventive actions, and updates to other plans 26

27. Using Software to Assist in Project Risk Management Databases can keep track of risks. Many IT departments have issue tracking databases Spreadsheets can aid in tracking and quantifying risks 27

28. Results of Good Project Risk Management Unlike crisis management, good project risk management often goes unnoticed Well-run projects appear to be almost effortless, but a lot of work goes into running a project well Project managers should strive to make their jobs look easy to reflect the results of well-run projects 28

29. Discussion 1. Find a template or example of risk management plan. 2. List 2 possible risks in each of the software development life cycle phase? a. Analysis or design phase b. Development or production phase c. Testing phase 29