
Assignment 1: Planning for the Unknown-Risk Management for IT Projects

Risk Management for IT Projects
by Sunita Goel
PMAN 637 Project Risk Management
Professor Richard M Casey
University of Maryland University College
Date: 26th June, 2011

Table of Contents
Introduction
Purpose and Scope
Risk Management Planning
Risk Identification
    Identifying Risks: Scope Risks
    Identifying Risks: Schedule Risks
    Tools & Techniques for Identifying Risks
Risk Analysis
Risk Planning & Mitigation
Risk Monitoring & Controlling
Risk Management Responsibilities
Risk Classification
Summary

Introduction
Risk management is about planning for unknown risks. Even the most carefully planned projects can run into trouble. The objective of the Risk Management Plan is to put you in control so that you can manage risks with acceptable minimal impact on cost and schedule, as well as on the operational performance of the project. A study conducted by the Standish Group in 1994 reported that 75 percent of IT projects failed (Kendrick, 2009, p. 17). This failure was attributed to the fact that projects were outside the technical capabilities, over-constrained, and incompetently managed (Kendrick, 2009, p. 17). This is a very high failure rate, and it compels project managers to adopt best practices of project management and risk management to avoid unnecessary project failures.

Purpose and Scope
The purpose of the Risk Management Plan is to establish a strategy for monitoring, evaluating, and managing risks throughout the life of the project. The goal of project risk management is to minimize potential negative risks and maximize potential positive risks (Gray & Larson, 2006, pp. 209-211). The risk management process will help identify potential risks; assess each individual risk, its likelihood of occurrence and its impact; evaluate alternative approaches to mitigate high and moderate risks; and develop action plans to handle individual risks. The product of risk management planning will be the Risk Register. The Risk Register is used to document the various risks within their risk classification, the risk mitigation and risk handling strategies, and the risk impact on cost and schedule, followed by action items.

The risk management process includes these five attributes: Risk Management Planning, which is deciding how to approach and conduct the risk management activities for the project; Risk Identification, which is an initial and continuous effort to identify, quantify and document risks; Risk Analysis, which is evaluating identified risks to determine probability of occurrence and impact; Risk Planning / Mitigation, which is establishing an action plan for risks and assigning responsibility; and Risk Monitoring and Control, which is capturing, compiling, and reporting risks.

Risk Management Planning
Risk Management Planning defines what methodology will be used to approach and conduct risk activities for the project. Diagram 1.0 shows the functional relationships between the five risk management components:
[Flowchart with two panels, "Risk Management Planning" and "Risk Management Control", and a "Risk analysis complete" marker. Numbered boxes:
1 Identify Risk
2 Perform Risk Assessment
3 Select Risks to manage
4 Define risk avoidance
5 Define Risk Contingency
6 Define risk status and reporting approach
7 Define who owns the risk
8 Document Risk Management Plan
9 Implement Risk Management approach
10 Conduct process review, status and corrective actions
11 Implement risk contingency approaches]

Diagram 1.0: Functional relationships between 5 risk management processes

Projects are generally successful due to the adoption of best practices of project management. Good project management is based on experience, and on learning from the experience of others. The PERIL database provides valuable information on common project risks (Kendrick, 2009, p. 31). Some characteristics of projects, such as cost, performance and schedule, are not known until a later stage of the project. Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk can also include opportunities within the project. The project risk management process is used to identify positive consequences of risks and exploit them to improve project scope and processes (PMBOK, 2008, p. 52). In technology projects there is an attitude of indifference to risk planning, which originates from the belief that it is a waste of time, so it is seen as unnecessary overhead. Kendrick states that in order to offset the overhead costs, measurable benefits must be established (2009, pp. 26-27).

Risk Identification
IT projects share some common sources of risk. A baseline set of risks is created and entered into the Risk Register. These baseline risks must be identified during the project planning process. A risk statement is written for each identified risk. Not all risks can be identified or mitigated, but a general risk management plan that specifies project deliverables, work processes, milestones, schedule dates, resource estimates, and resources will help identify the majority of the project risks. The two main categories of risk for IT projects are scope and time related risks. Potential risks associated with scope are poor definition of scope and deliverables, or incomplete definition of a project. Time risks are due to errors in estimating time or resource availability, errors in determining the critical path for the project, poor allocation and management of float, and early release of competitive products.

Identifying Risks: Scope Risks
Scope risk is one of the most damaging risks for IT projects and can be further categorized as scope creep, scope gaps and dependencies (Kendrick, 2009, p. 42). According to PMBOK, project scope risks are related to project deliverables. The majority of scope risk is related to changes and defects. Scope creep often impacts the majority of technical projects as new opportunities, technical information and alternatives are discovered. Scope changes can come from many internal and external factors, such as a new design to improve deliverables or a change in legislative requirements such as compliance with Sarbanes Oxley. In IT projects, defect risks can arise from hardware, software, and integration failures.

Identifying Risks: Schedule Risks
Schedule risks are the second most common risks impacting IT projects in the PERIL database, after scope risk (Kendrick, 2009, p. 70). Schedule risks fall in three categories: delays, estimates, and dependencies. Schedule risks are due to delays under the project's control. Estimate risks are related to inaccurate estimates of project activity durations and are the most damaging, and schedule dependency risks are related to slippage due to external factors such as delays in decisions. Schedule risks become visible through planning and scheduling processes, and serve as a foundation for project risk analysis and risk management (Kendrick, 2009, p. 97).

Tools & Techniques for Identifying Risks:
There are several tools for identifying risks, such as brainstorming, the Delphi technique, interviewing, SWOT analysis, expert judgment, documentation reviews, checklist analysis, Work Breakdown Structure and diagramming techniques. Qualitative risk tools and techniques include probability and impact matrixes, top ten risk item tracking, expert judgment, risk data quality assessment, and risk urgency assessment (PMBOK, 2009, pp. 246-249). The brainstorming technique is often used with an experienced facilitator to compile a comprehensive list of project risks, and it can use the Risk Breakdown Structure (RBS), defined below, as a project framework. The Delphi technique is used to drive consensus among a panel of experts who can make risk predictions anonymously, hence avoiding biases. Interviewing people with similar project experience is an important tool for identifying risks. SWOT analysis helps identify broad negative and positive risks that apply to a project. Other techniques include the Work Breakdown Structure (WBS), which requires decomposing the activities into measurable work packages, and the critical path method (CPM), which combines the duration method with sequencing to calculate the minimum project duration. The inputs to the define-activity processes are the scope baseline (deliverables, constraints and assumptions), enterprise environmental factors (project management and information systems), and organizational process assets (organizational policies and procedures, lessons learned and past project documentation) (Heldman, 2009, p. 149). Another popular tool for risk identification is the categorization of risks to provide a foundation for risk management (Heldman, 2009, p. 237).

You can use an RBS (Risk Breakdown Structure), which is a hierarchy of potential risk categories for a project; it is similar to a WBS but is used to identify and categorize risks. An IT project RBS could be broken down into business (competitors, suppliers, cash flow), technical (software, hardware and network), organizational (policies, senior management, user and team support) and project management (estimates, communication and resources) categories. Some sample risk categories are defined in the table below.

Table: Risk Categories
CATEGORY | EXAMPLES
Financial | Cost overruns, budget deficiencies, funding issues, etc.
Resource | Availability of people, infrastructure, office equipment, space, network, skill limitations, attrition
Schedule | Completion date slippage, target date constraints
Technical | Failure to meet performance requirements, hardware and software failures, new and untested technology, learning curve with new technology
Management | Project complexity, and inexperienced PM
Communications | Failure to manage sponsor expectations and user requirements
Operational | Failure to meet usability, training, and or maintenance requirements

Risk Assessment Tools
In IT projects, the risk framework, the risk complexity index and the risk assessment grid are some of the identified techniques for risk assessment in the initial stages of the project (Kendrick, 2009, p. 54). There are other scope related risks which are outside the realm of project management, such as market risks and confidentiality risks. Market risks can arise from several factors, such as the timing and cost of a technology release, and confidentiality risks can arise when the release of information about the project can decrease its value (Kendrick, 2009, pp. 64-65).

Risk Analysis
The risk analysis process consists of evaluating each risk by determining its impact, probability of occurrence, and timeframe. Each risk is analyzed to determine its relationship to other identified risks. Risks can be quantified on a range of 1-5 based on their severity of impact, and quantified based on their likelihood of occurrence. Qualitative risk analysis defines a method to prioritize risks based on their likelihood of occurrence and their impact on the project. Qualitative risk analysis is the most cost-efficient way to establish risk priorities, using the project scope, organizational process assets and lessons-learned reports from past projects. It lays the foundation for quantitative risk analysis, which is not subjective like qualitative risk analysis (PMBOK, 2009, p. 251). The risk reporting section, which helps with risk communication across all levels of the project, contains the elements outlined in the table below.

Table of risk reporting sections:
TITLE | LEVEL | DESC.
Risk Watch List | Organization and project | Lists risks to help monitor risks
Risk Mitigation Plan | Organization and project | Lists avoidance, mitigation actions when risk occurs
Risk profile | Project | Displays planned, projected and actual progress in reducing risks

Risk Planning & Mitigation
Risk handling is the identification of the action or inaction plan selected for managing a risk. All identified risks must be handled. Specific handling methods are chosen for each risk after its probable impact on the project is determined. Risk management responses include avoiding the risk, transferring or sharing the risk, preventing the risk, or developing a risk mitigation and or contingency plan. The scope of a project must be completely defined in order to mitigate scope related risks such as inadvertent requirements, omissions, errors, and misunderstandings. The scope can be used to write a clear and concise Statement of Work (SOW) and Project Management plan.

In order to mitigate time related risks there must be a specific requirements document, laying out the availability of internal/external resources and the relevant skills. The project manager determines what action must be taken for each risk and whether to keep the risk, delegate responsibility, or transfer the risk responsibility up the management chain. Risk planning requires a decision to perform further research, accept the risk (document the acceptance rationale in the Risk Register and close the risk), watch the risk attributes and status (assign to the watch list in the Risk Register), or mitigate the risk (create a mitigation plan, assign action items, and monitor the activities and the risk). The areas of potential risk in software (SW) development have been identified, as an example, in the table below:

Table: Areas of Potential Risk in Software Development:
New Technology Database Software (SW) Application Project size User Systems knowledge Change tendency Turnover of team Customer relations Ready to takeover Change process Team Consultants or full time employees Organization stability PM Consultants or full time employee Problem solving skills Managerial identity Influence skills Achievement skills Experience with application

Communications Functional SW complexity Programming SW Tools Network Testing Desktops New Vs replacement Quality of information Vulnerable to change Capture all business needs Organizational Impact

Transitional stability time Technical skills Level of morale Staff availability Application know how Senior management support Champion the project Budgets Standards and procedures

Level of Staff commitment turnover

Accountability Experience for change with

organization Geographic dispersion Reliability of personnel Dependent on other projects Conversion difficulty Application know how Acceptance to test Staff conflicts Size of team Extended team commitment Conflict resolution strategy Experience with project team Planning skills

In all projects, identifying risks is an iterative process, as new risks may evolve during the life cycle of a project. After identifying and quantifying risks, you must plan risk responses. There are four response strategies for negative risks: avoidance, acceptance, transference, and mitigation. Outsourcing is an example in IT projects of transferring risks. General risk mitigation strategies for technical, cost and schedule risks are as follows:

Technical Risks: Emphasize team-support and standalone project structure; Increase PM Authority; Improve problem handling and communication; Increase frequency of project monitoring; Use WBS and CPM
Cost Risks: Increase frequency of project monitoring; Use WBS and CPM; Improve communications all across; Increase project manager authority
Schedule Risks: Increase frequency of project monitoring; Use WBS and CPM; Select most experienced PM

There are four response strategies for positive risks: risk exploitation, risk sharing, risk enhancement, and risk acceptance. It is also critical to identify residual and secondary risks. Residual risks are risks that remain after all response strategies have been implemented, and secondary risks are a direct result of implementing a risk response. According to Baccarini & Archer, there is a need to rank and prioritize risks in a project in order for project managers to focus on high risks. A similar approach can be used when selecting projects, by assigning a risk profile to each project. This allows risks to be ranked for management purposes and optimizes the use of scarce resources on high-risk projects; this is project selection using the project risk rating (PRR).

Risk Monitoring & Controlling
Risk information and metrics are defined during planning, and should be captured, tracked and analyzed for trends. Status reports on risk activities should be provided on a weekly basis. Watched risks must be reported on a monthly basis. Decisions shall be made by the Project Manager during the weekly and monthly meetings to close risks, continue to research, mitigate or watch risks, re-plan or re-focus actions or activities, or invoke contingency plans. This is also the time when the Project Manager authorizes and allocates resources toward risks. Monitoring and controlling risks involves executing the risk management processes in response to risk events. Workarounds are unplanned responses to risk events that must be carried out in the absence of contingency plans.

Risk Management Responsibilities
The following table describes the roles and responsibilities in risk planning:

Who | Responsibilities
Team | Identify new risks; estimate probability of risk, impact, and time frame; classify risk; recommend action, and assist in prioritizing risk
IT PM | Collect all risk information from individuals; ensure accuracy of probability, impact & time frame; Build the Risk Register; collect and report risk measures & metrics; Report risk to senior management & Prioritize Risk
Executive Committee | Authorize expenditures of resources for mitigation and authorize additional cost or time to mitigate risk.

Risk Classification
Risk shall be analyzed qualitatively using the impact, likelihood and timeframe classifications defined in this section. Impact is based on project success, resources, cost, and schedule. Likelihood is used to provide an order of magnitude based on quantitative data and qualitative data. A risk event should be defined at a level such that the cause of the risk is understandable and can be accurately assessed in terms of probability or likelihood and impact to establish the level of risk. Risk is classified as performance or operational risk, cost risk, or schedule risk. A risk rating is a value given to a risk event or program risk profile based on analysis of probability or likelihood and impact, using the criteria of high, moderate, and low risk. High risk ratings carry a significant increase in costs or schedules, or degraded operational performance, and require immediate communication and focus to mitigate the risks. Moderate risks may impact costs and schedules and degrade performance, and low risks have little or no potential for increase in cost, time or performance of the project.

Sample Risk Assessment form for IT projects
Risk Event Hardware/Software Delivery Personal Resource Availability Budget Cuts Schedules compressed Requirements change Likelihood Impact Detection Diff 4 5 4 4 4 4 5 4 5 4 3 2 1 2 4 When Initial Throughout the project Throughout the project During Implementation During Testing or design

Sample Risk Assessment Flow for IT Industry:

INPUT | RISK Assessment Activities | OUTPUT
HW, SW, Interfaces, Data and information, People, system objectives | Define System (Scope / characteristics) | System functions, Data requirements, data sensitivity
History of past risks | Identify risks | Statement of threats
Security requirements, Security test results, Reports from prior risk assessment, lessons learned and audit requirements | Identify Vulnerability | List of potential vulnerabilities
Current controls and planned controls | Analysis of controls | List of current and planned controls
Nature of vulnerability, Capacity of threat | Determine Likelihood | Likelihood rating
Impact analysis of scope, Asset criticality analysis, data criticality and data sensitivity | Impact analysis (loss of integrity; loss of data, availability and confidentiality) | Impact rating
Magnitude of impact, adequacy of controls | Risk Determination | Risk and its associated risk levels
(none shown) | Control Recommendations | Recommendation Controls
(none shown) | Results documentation | Risk Assessment Report

Sample Risk Response matrix:
Risk Event | Response | Contingency Plan | Trigger | Who is Responsible
Requirements change | Use Change Management | Have reserves to handle minor changes, find scope gaps | During requirements gathering | PM
Technical issues | Mitigate: use prototypes before detail design | Have alternative options, and reserves | During design, programming | PM/Staff
Outsourcing - fails to meet standards | Mitigate: due diligence | Have backup plan in place to provide for alternate providers | Insufficient provision of services | PM/Purchase Manager

Risk Impact Classification
Risk can be classified as high, medium, low, or negligible, based on defined criteria such as slippage in timelines, cost overruns, performance etc. Likelihood of risk can be categorized similarly.

[Sample Risk Classification Chart: matrix with both axes graded Negligible, Low, Significant, High, and cells colored GREEN, YELLOW or RED]

Green - Items classified as green are acceptable without further mitigation and will be routinely tracked.
Yellow - Items classified as yellow may require mitigation. For these items, alternative dispositions will be identified and trade-offs conducted to determine the mitigation required.
Red - Items classified as red are considered primary risk drivers. For these items, mitigation options will be developed. Red risks will be assessed for impact to budget reserves and will be tracked to closure.

Timeframe is used in conjunction with the Risk Classification Chart to determine priorities, establish when actions need to be taken on risks, and determine how long risks may need to be watched or tracked before they are no longer a concern or can be closed.

Summary
There are no guarantees on any project. Even the simplest of projects can run into unexpected problems, where risk events impact the outcome of the project. Planning for risk helps the project manager deal with risks in a controlled manner when they occur. Risk management is a proactive rather than a reactive approach. Well-run projects appear effortless, but in reality a lot of planning goes into running a project well. Project management is the art and science of identifying, analyzing, and responding to risk throughout the life of a project and in the best interest of meeting project objectives. Critical success factors for risk management are an interactive organization which accepts status updates, and the usage of appropriate tools and techniques. Risk planning starts even before the project is selected, by analyzing risks and determining whether the project is even feasible within the framework of technology, project resources, scope and timeframe. Once the project is selected, planning for risks from the beginning prepares you for avoiding, mitigating, and accepting risks in the risk management process, with risk identification using several tools and techniques to perform qualitative and quantitative risk analysis. Qualitative risk analysis helps you prioritize each risk by its probability and impact. Risk management is a critical success factor for all projects, and specifically for IT projects, as they are more prone to failure due to variance in technology, unrealistic expectations in scope and timelines, and stringent budgets. The process of risk management helps you prevent problems, and eliminates the unknown. When you remove uncertainties, the estimates for work decrease; therefore, risk management saves time and money on a project. Not planning for risk management is planning to fail when known and unknown risks present themselves in the project.

References
Baccarini, D., & Archer, R. (2001). The risk ranking of projects: a methodology. International Journal of Project Management, 19(3), 139-145. doi: 10.1016/S0263-7863(99)00074-5
Egeland, B. (2009 November 4). Skills of a successful project manager. Project Management Tips: Guidance for Real Life Situations. Retrieved from: http://pmtips.net/skillssuccessful- project-manager/
Gray, C. F., & Larson, E. W. (2006). Managing risk. In Project management: The managerial process. New York, NY: McGraw-Hill/Irwin.
Heldman, K. (2009). PMP Project Management Professional Exam Study Guide. Indianapolis, IN: Wiley.
Kendrick, T. (2009). Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project. New York, NY: AMACOM.
Pinto, J. K., & Slevin, D. P. (1989). Critical Success Factors in R&D Projects. Research Technology Management, 32(1), 31-35.
Project Management Institute (PMI). (2008). A Guide to Project Management Body of Knowledge (PMBOK), 4th ed. Newtown Square, PA: Pearson.
Rife, P. (2011). Compliance with the Sarbanes Oxley Act: What Should You Know? [PowerPoint presentation]. Retrieved from WebTycho on https://www.umuc.edu/myumuc/
