Information Technology Project Management

By Jack T. Marchewka Northern Illinois University Power Point Slides by Gerald DeHondt Grand Valley State University

8-1

Copyright 2012 John Wiley & Sons, Inc.

Managing Project Risk

Chapter 8

PMBOK Risk Management Processes

Plan Risk Management

Determining how to approach and plan the project risk management activities. An output of this process is the development of a risk management plan. Deciding which risks can impact the project. Risk identification generally includes many of the project stakeholders and requires an understanding of the projects goal, as well as the projects scope, schedule, budget, and quality objectives. Focusing on a qualitative analysis concerning the impact and likelihood of the risks that were identified. Using a quantitative approach for developing a probabilistic model for understanding and responding to the risks identified.

Identify Risks

Perform Qualitative Risk Analysis

Perform Quantitative Risk Analysis

Plan Risk Responses

Developing procedures and techniques to reduce the threats of risks, while enhancing the likelihood of opportunities.
Providing an early warning system to monitor identified risks and any new risks. This system ensures that risk responses have been implemented as planned and had the effect as intended. Copyright 2012 John 8-3 Wiley & Sons, Inc.

Monitor and Control Risks

Managing Project Risk

The baseline project plan is based on a number of estimates and assumptions Estimation implies uncertainty so managing the uncertainty is crucial to project success Project risk management is an important subdiscipline of software engineering

Focuses on identifying, analyzing and developing strategies for responding to project risk efficiently and effectively The goal is to make well informed decisions as to what risks are worth taking and to respond to those risks in an appropriate manner Provides an early warning system for impending problems 4 that need to be addressed or resolved

Common Mistakes in Managing Project Risk

By not following a formal risk management approach, many projects end up in a perpetual crisis mode (firefighting) reacting rather than being proactive

Inability to make effective and timely decisions Client wants results, not interested in how achieved . Managers take aggressive risks or may optimistically ignore risks which turn into threats to the projects success Should not be treated as an add-on but integrated throughout the project life cycle Assess and plan for project risk in the earliest stages of the project
5

Not understanding the benefits of risk management

Not providing adequate time for risk management

Common Mistakes in Managing Project Risk

Not identifying and assessing risk using a standardized approach

Can overlook both threats and opportunities Time and resources expended on problems that could have been avoided, opportunities will be missed Decisions will be made without complete understanding or information

Effective & Successful Risk Management Requires

Commitment by all stakeholders

Otherwise, the process will be sidestepped the moment a crisis arises and the project is in trouble Each risk must have an owner who will take responsibility for monitoring the project in order to identify any new or increasing risks and report them to the project sponsor You can not manage all projects and risks the same way, this can lead to disaster

Stakeholder responsibility

Different risks for different types of projects

Definitions

Risk

An uncertain event or condition that, if occurs, has a positive or negative effect on the project objectives. Includes the processes concerned with conducting risk management planning, identification, analysis, responses, and monitoring and control of a project; most of these processes are updated throughout the project. The objectives of project risk management are to increase the probability and impact of positive events and decrease the probability and impact of events adverse to the project.
8

Project Risk Management (PMBOK)

PMBOK Risk Management Processes

Risk management planning

Determining how to approach and plan the project risk management activities. An output of this process is the development of a risk management plan. Deciding which risks can impact the project. Risk identification generally includes many of the project stakeholders and requires an understanding of the projects goal, as well as the projects scope, schedule, budget, and quality objectives. Focusing on a qualitative analysis concerning the impact and likelihood of the risks that were identified. Using a quantitative approach for developing a probabilistic model for understanding and responding to the risks identified. Developing procedures and techniques to reduce the threats of risks, while enhancing the likelihood of opportunities. Providing an early warning system to monitor identified risks and any new risks. This system ensures that risk responses have been implemented as planned and had the effect as intended.

Risk identification

Qualitative risk analysis

Quantitative risk analysis

Risk response planning

Risk monitoring and control

IT Project Risk Management Processes

10

Risk Planning

Requires firm commitment by all stakeholders to a RM approach Assures adequate resources are in place to plan properly for and manage the various risks of the IT project

Stakeholders also must be committed to the process

Systematic preparation and planning can help minimize adverse effects on the project while taking advantage of opportunities as they arise

Focuses on preparation

11

Risk Identification

Once commitment has been obtained and preparations have been made, the next step entails identifying the various risks to the project. Both threats and opportunities must be identified.

They must be identified clearly so that the true problem, not just a symptom, is addressed. Causes and effects of each risk must be understood so that effective strategies and responses can be made. Project risks are rarely isolated, they tend to be interrelated and affect the project and its stakeholders differently.

12

Risk Assessment

Once the project risks have been identified and their causes and effects understood, the next step requires that we analyze these risks. Answers to two basic questions are required:

What is the likelihood of a particular risk occurring? What is the impact on the project if it does occur?

Assessing these risks helps the project manager and other stakeholders prioritize and formulate responses to those risks that provide the greatest threat or opportunity to the project. Because there is a cost associated with responding to a particular risk, risk management must function within the constraints of the projects available resources.
13

Risk Strategies

The next step of the risk planning process is to determine how to deal with the various project risks. In addition to resource constraints, an appropriate strategy will be determined by the project stakeholders perceptions of risk and their willingness to take on a particular risk. Essentially, a project risk strategy will focus on one of the following approaches:

Accept or ignore the risk. Avoid the risk completely. Reduce the likelihood or impact of the risk (or both) if the risk occurs. Transfer the risk to someone else (i.e., insurance).

14

Risk Strategies

In addition, triggers or flags in the form of metrics should be identified to draw attention to a particular risk when it occurs. This system requires that each risk have an owner to monitor the risk and to ensure that resources are made available in order to respond to the risk appropriately. Once the risks, the risk triggers, and strategies or responses are documented, this document then becomes the risk response plan.

15

Risk Monitoring & Control

Once the salient project risks have been identified and appropriate responses formulated, the next step entails scanning the project environment so that both identified and unidentified threats and opportunities can be followed, much like a radar screen follows ships. Risk owners should monitor the various risk triggers so that well informed decisions and appropriate actions can take place.

Risk Response

Provides a mechanism for scanning the project environment for risks, but the risk owner must commit resources and take action once a risk threat or 16 opportunity is made known. This action normally follows

Risk Evaluation

Responses to risks and the experience gained provide keys to learning .

A formal and documented evaluation of a risk episode provides the basis for lessons learned and lays the foundation for identifying best practices. This evaluation should consider the entire risk management process from planning through evaluation. It should focus on the following questions:

How did we do? What can we do better next time? What lessons did we learn? What best practices can be incorporated in the risk management process?

The risk planning process is cyclical because the evaluation of the risk responses and the risk planning process can influence 17 how an organization will plan, prepare, and commit to IT risk

Risk Identification Framework

IT Project Risk Identification Framework

18

IT Project Risk Identification Framework

At the core of the framework is the MOV Next layer includes the project objectives scope, budget, schedule and quality. They play a critical role in supporting the MOV The third layer focuses on the sources of IT project risk The next layer focuses on whether the risks are internal or external

If a team member is not properly trained to use a technology, the risk can be mitigated or avoided by additional training or assigning the task to a more experienced team member A PM may not be accountable for project cancellation if the project sponsor went bankrupt A poorly performing external vendor is still the

19

IT Project Risk Identification Framework

The fifth layer includes known risks, knownunknown risks and unknown-unknown risks

Known: events that are going to occur Known-unknown: identifiable uncertainty

You pay an electricity bill each month, but the amount changes based on usage
20

Unknown-unknown: known only after they occur

IT Project Risk Identification Framework

The final layer shows that though risk management is critical at the start of a project, vigilance for opportunities and problems is required throughout the entire project life cycle

21

Applying the IT Project Risk Identification Framework

The framework can be used to understand a risk after it occurs

Vendor is hired to develop a BI system, client is sued and has to cut back on project. Due to importance of project, break it into two phases (basic and bells-andwhistles).

Threat occurred in Develop Project Charter and Project Plan Phase Unknown-unknown risk External risk, PM and project team not responsible Sources of risk environment (economic), organizational (client) and people (if management is to blame) Impact on scope, budget and schedule MOV changes due to phased approach
22

Applying the IT Project Risk Identification Framework

The framework can be used to proactively identify IT risks

Start from the outer core of the framework, analyzing the WBS and work packages to identify risks for each work package under the various project phases Categorize known/unknown types Categorize external/internal Identify sources of risk (may be inter-related) Assess how a particular risk will impact the project objectives and in turn the MOV

See paper on website Performing a Project Premortem

Can also be used going from inner core and working out
23

Risk Identification Tools & Techniques

Learning Cycles

Identify facts (what is known), assumptions (what they think they know) and research (things to find out) to identify various risks Use IT risk framework and the WBS to identify risks

Brainstorming

Nominal Group Technique

Structured technique for identifying risks that attempts to balance and increase participation

Ideas discussed, prioritized, priorities discussed, prioritized again and summarized

Delphi Technique

Group of experts assembled to identify potential risks and their impact on the project
24

Risk Identification Tools & Techniques

Interviews

Gain alternative opinions from stakeholders about risks

Checklists

Structured tool for identifying risks that have occurred in the past Be aware of things not on the list Strengths, weaknesses, opportunities and threats Identify threats and opportunities as well as their nature in terms of the project or organizational strengths and weaknesses Can be used to for understanding the causes and factors of a particular risk as well as its effects
Lessons learned from earlier projects
25

SWOT Analysis

Cause & Effect (a.k.a. Fishbone/Ishikawa)

Past Projects

Nominal Group Technique (NGT)

1. Each individual silently writes their ideas on a piece of paper 2. Each idea is then written on a board or flip chart one at a time in a round-robin fashion until each individual has listed all of his or her ideas 3. The group then discusses and clarifies each of the ideas 4. Each individual then silently ranks and prioritizes the ideas 5. The group then discusses the rankings and priorities 6. Each individual ranks and prioritizes the ideas again 7. The rankings and prioritizations are then summarized for the group

26

Risk Check List

Funding for the project has been secured Funding for the project is sufficient Funding for the project has been approved by senior management The project team has the requisite skills to complete the project The project has adequate manpower to complete the project The project charter and project plan have been approved by senior management or the project sponsor The projects goal is realistic and achievable The projects schedule is realistic and achievable The projects scope has been clearly defined Processes for scope changes have been clearly defined
27

SWOT Analysis

8-28

Copyright 2012 John Wiley & Sons, Inc.

Cause & Effect Diagram

29

Risk Analysis & Assessment

Risk = f(Probability * Impact)

Risk analysis determine each identified risks probability and impact on the project Risk assessment - focuses on prioritizing risks so that an effective strategy can be formulated for those risks that require a response.
Depends on Stakeholder risk tolerances Cant respond to all risks!

30

Risk Analysis & Assessment Qualitative Approaches

Expected Value & Payoff Tables

Determine return or profit the project will return Graphical view of various decisions and outcomes

Decision Trees

Risk Impact Table & Ranking

Analyze and prioritize various IT project risks

Tuslers Risk Classification

31

Expected Value & Payoff Tables

Expected value is an average, taking into account the probability and impact of various outcomes Expected return on the project
A B Payoff
(In thousands)

A*B
Prob * Payoff
(In thousands)

Schedule Risk Project completed 20 days early Project completed 10 days early Project completed on Schedule Project completed 10 days late

Probability 5% 20% 50% 20%

$ 200 $ 150 $ 100

$10 $30 $50 $0

The Expected Value

Project completed 20 days late

5%
100%

$ (50)

($3)
$88

32

Decision Tree Analysis

Decision Trees

$10,000+. 05*$2,000

Least cost but small probabiltiy of success

33

Risk Impact Table

0 - 100% 0-10 P*I Risk (Threats) Probability Impact Score

Key project team member leaves project

40%

1.6

Client unable to define scope and requirements

50%

3.0

Client experiences financial problems

10%

0.9

Response time not acceptable to users/client

80%

4.8

Technology does not integrate with existing application

60%

4.2

Functional manager deflects resources away from project

20%

0.6

Client unable to obtain licensing agreements

5%

0.4

34

Risk Rankings

Risk (Threats)

Ranking

Response time not acceptable to users/client

Technology does not integrate with existing application

Client unable to define scope and requirements

Key project team member leaves project

Client experiences financial problems

Functional manager deflects resources away from project

Client unable to obtain licensing agreements

35

Risk Analysis & Assessment Qualitative Approaches

Tuslers Risk Classification

Risk scores can be further analyzed using the following quadrants

Kittens low probability of occurring and low impact. Dont spend much time or resources on them whether positive or negative Puppies low impact but high probability of occurring. Must be watched so corrective action can be taken before they get out of hand Tigers high impact and high probability. Deal with them tout de suite. Alligators low probability but high impact if they get loose. Make sure you know where they are

36

Tuslers Risk Classification

Tuslers Risk Identification Scheme

Can be troublesome Must be neutralized

Low prob/low impact

Not a problem (if you know where they are)

37

Risk Analysis & Assessment Quantitative Approaches

Mathematical or statistical techniques that allow a particular risk situation to be modeled

At the heart of many of these models is a probability distribution

Discrete

Quantitative Probability Distributions

Binomial Normal PERT TRIANG

Continuous

38

Binomial Probability Distribution

Discrete Probability Distribution

Uses only integers, no fractional values flipping a coin Chart below represents the distribution after flipping a coin a few hundred times

39

Normal Distribution

Continuous Probability Distribution

Useful when an event has an infinite number of possible values in a stated range

40

Normal Distribution

Properties

Distribution shaped by its mean ( ) and standard deviation () Probability is associated area under the curve .

Area between any two points is obtained via a z score z=(x- )/ Since the normal distribution is symmetrical around the mean, outcome between - and has the same probability of falling between and

Rules of thumb with respect to observations 68% + 1 standard deviations of mean

Approximately. 95% + 2 standard deviations of the mean

99% + 3 standard deviations of the mean

41

PERT Distribution
PERT MEAN = (a + 4m + b)/6 Where: a = optimistic estimate m = most likely b = pessimistic

42

PERT Distribution
PERT Mean = (a + 4m + b)/6 Where: a = optimistic estimate m = most likely b = pessimistic

43

Triangular Distribution
TRAING Mean = (a + m + b)/3 Where: a = optimistic estimate m = most likely b = pessimistic

44

Simulations

Monte Carlo

Technique that randomly generates specific values for a variable with a specific probability distribution Goes through a number of trials or iterations and records the outcome @RISK

An MS Project add in that provides a useful tool for conducting risk analysis of your project plan Uses Monte Carlo simulation to show you many possible outcomes in your project and tells you how likely they are to occur. You can determine which tasks are most important and then manage those risks appropriately. Helps you choose the best strategy based on the available information. http://www.palisade.com/riskproject/default.asp
45

Simulations

@RISK

Following example shows a project with an estimated completion time of 155 days Test results will require 17 days These estimates do not take into consideration any variability or risk @RISK model shows a probability distribution for each of the tasks under Test Results Report

Probabilities defined based on data collected from past projects pr based on statistical theory or project manager assumption

Review test plan with client is following a PERT distribution with parameters .5, 1, 2

46

Monte Carlo Simulation

47

Output From Monte Carlo Simulation

90.4% chance of completing between 13.8 and 21.7 days

48

Cumulative Probability Distribution

40% chance of completing in 17 days

49

Tornado Graph

8-50

Copyright 2012 John Wiley & Sons, Inc.

Sensitivity Analysis Using a Tornado Graph

Tornado graph enables a sensitivity analysis which summarizes the tasks with the most significant risk at top
Tornado Graph

51

Risk Strategy/Response Depends On

The nature of the risk

Really an opportunity or threat? At which points during the project lifecycle will the project be affected? What are the triggers? Probability? Impact? Available resources? Can contractual obligations be waived or modified?

Impact on MOV and project objectives

Project constraints

Risk tolerances or preferences of the project stakeholders

How much risk is each stakeholder willing to tolerate?

52

Risk Strategies Responses

Accept or Ignore

Management Reserves

Released by senior management, usually not included in projects budget

Part of projects budget

Contingency Reserves

Contingency Plans (Plan B)

Disaster recovery plan in case of a natural disaster

Avoidance eliminate the risk from occurring Mitigate

Reduce the likelihood or impact (or both) e.g. insurance, subcontract to someone who has more
53

Transfer

Risk Response Plan should include:

A trigger which flags that the risk has occurred An owner of the risk (i.e., the person or group responsible for monitoring the risk and ensuring that the appropriate risk response is carried out) A response based on one of the four basic risk strategies Adequate resources

54

Risk Monitoring & Control

Risk Audits

External to project team Internal but outside the project team

Risk Reviews

Risk Status Meetings & Reports

55

Project Risk Radar

Monitoring project risks is analogous to a radar scope where threat and opportunities may present themselves at different times over the project

56

Risk Evaluation

Lessons learned and best practices help us to:

Increase our understanding of IT project risk in general. Understand what information was available to managing risks and for making risk-related decisions. Understand how and why a particular decision was made. Understand the implications not only of the risks, but also the decisions that were made. Learn from our experience so that others may not have to repeat our mistakes.

57