Running Head: INFORMATION TECHNOLOGY PROJ ECT RISK MANAGEMENT 1

Information Technology Project Risk Management:

How Risk Management Impacts the IT Project

Brian Tschinkel
Pace University



August 14, 2011

INFORMATION TECHNOLOGY PROJ ECT RISK MANAGEMENT 2
Abstract

Information technology project management is a lengthy, yet critical, process for project
managers. Project management includes nine different knowledge areas and numerous activities
that require project managers to fulfill many different roles and responsibilities. Project risk
management plays a vital role in that it can have drastic impacts on a projects schedule, budget,
and quality. This paper discusses the project management process and two project risk
management approachesOracles Primavera Risk Analysis and Michael D. Taylors risk
management approach. These risk management plans identify tools and techniques that project
managers can use to mitigate risks and their impacts. Several techniques are introduced to help
project managers assess, analyze, and proactively react to uncertain risks that may develop
throughout the life of a project.

Keywords: project management, knowledge areas, risk management techniques, risk
assessment, risk planning, triple constraint, project success

INFORMATION TECHNOLOGY PROJ ECT RISK MANAGEMENT 3
Information Technology Project Risk Management:
How Risk Management Impacts the IT Project

Project managers are left with a daunting task to effectively manage, monitor, and control
projects of all scales in organizations. Projects can vary in size and can range from one person to
hundreds or thousands of people. Information technology projects can last one day or take years
to develop; information technology projects often have large budgets to manage, too. Project
managers must take on many different roles in the project management process. This paper will
discuss the typical process of project management and focus on the impact of project risk
management. Risk management will be defined and effective risk management approaches will
be discussed; techniques to mitigate project risk will also be detailed.
The Project Management Body of Knowledge (PMBOK) Guide defines a project as a
temporary endeavor undertaken to create a unique product, service, or result. Further, they
define project management as the application of knowledge, skills, tools, and techniques to
project activities to meet the project requirements. (Project Management Institute, 2008).
Project management includes nine different knowledge areasfour core areas, four facilitating
areas, and one overall area. Knowledge areas include scope management (work required to
complete the project), time management (how long it will take to complete the work), cost
management (preparing and managing a budget), quality management (satisfying the stated or
implied needs), human resource management (making effective use of people), communications
management (generating, collecting, and storing project information), risk management
(identifying and responding to risks), procurement management (acquiring goods and services
from outside), and integration management (intertwines all project knowledge areas
simultaneously). Project managers must be able to excel in each of these nine areas in order to
lead a successful project.
There are many varying definitions on the success or failure of a project, but the most
common criteria include completing the project on time, under budget, and of acceptable quality.
While The Standish Group uses these criteria to define success of a project, other factors are
important, too. For instance, the project should satisfy the customer and project stakeholders.
The execution of the project should be of satisfaction to the users it was designed for.
Sometimes, a project that is over budget and behind schedule can still satisfy customers if the
end result was achieved long-term.

The Project Management Process

Project managers tend to work systematically when it comes to managing a project.
While there are many different approaches, there are set activities that a project manager follows.
Activities, as alluded to in PMBOKs definition of project, are components of work performed
during the course of a project. The main activities of the project management process, as listed
in Whitten & Bentleys Systems Analysis and Design Methods, are negotiating scope,
INFORMATION TECHNOLOGY PROJ ECT RISK MANAGEMENT 4
identifying tasks, estimating task durations, specifying intertask dependencies, assigning
resources, directing the team effort, monitoring and controlling progress, and assessing project
results and experiences (2007, pp. 130-149).
Negotiating scope is a crucial step to any project. Project scope is the work that must be
performed to deliver a product, service, or result with the specified features and functions
(Project Management Institute). Projects often fail because of scope creep, which occurs when
features or functionalities are added to the scope of a project, without regards to how it will
affect the projects outcome. Projects can also fail because requirements are not properly defined
in this activity. If projects continue past this activity without an approved statement of work,
there is a high chance that the project will not completely satisfy the project owners.
After negotiating the scope and producing a statement of work, the next activity is to
identify the tasks, or work to be completed, for the project. A key asset of this task is the creation
of a work breakdown structure. The work breakdown structure can normally be extrapolated
from the statement of work; it is essentially an outline of the phases, tasks, and activities that
must be performed in order to complete the project successfully.
Once outlining the projects tasks, the project manager must estimate the duration of the
project to the best of his/her ability. Estimating task durations is a difficult activity, especially
when working in information technology projects. The concept of elapsed time is important
because it takes into consideration efficiency and interruptions. Fred Brooks, author of The
Mythical Man-Month: Essays on Software Engineering, describes how interruptions can affect
the outcome of a project. Brooks theorizes that adding more people to a project when in crisis
will not get the project done faster. Regular interruptions can include phone calls, visitors, or
even unplanned sick days. Whitten and Bentley state that interruptions can consume anywhere
from ten to fifty percent of a workers day! Also, the average worker [is only] seventy-five
percent efficient because of lunch breaks, restroom breaks, or distractions from e-mail. Project
managers make an important first impression with stakeholders and project owners when
providing time and budget estimates. Project human resource management describes different
psychological tests and routines to best determine how to manage the efficiency and work ethic
of people. Estimate the duration of a project is critical to its success and it relates to the type of
risk-taker the project manager might be.
Project managers can often make use of popular project management software
applications, such as Microsoft Project. Microsoft Project is particularly useful in outlining
project tasks and specifying their dependencies. This activity of project management helps
outline the flow of the project and how much slack time can be allowed in between tasks. Project
managers can use this slack time for fluctuations to meet the deadline and for adjusting the
critical path. It is important for project managers to have some measure of the teams work ethic
and efficiency when specifying how different tasks are related.
The next activity in the project management process is effectively assign resources, in
which resources include people, services, facilities, supplies, and money. Many of the project
management knowledge areas come into play in this activity, so it is important for the project
INFORMATION TECHNOLOGY PROJ ECT RISK MANAGEMENT 5
management to be able to effectively manage this activity. This activity can include assigning
people to tasks based on their expertise, allocating facilities and supplies needed for the project,
and ensuring that the resources are level across the tasks. The critical path for the project is
important in this activity. The critical path of a project is defined by PMBOK Guide as the
sequence of schedule activities that determines the duration of the project. It is also defined as
the earliest possible completion date of the project. As such, slack time (the amount of available
delay) is important to allocate between tasks. Money is important in this activity because the cost
of the resources can have an impact on the projects budget. Communication between the project
manager and the project team, stakeholders, and owners is also crucial.
When the project is underway, the project manager has to lead and direct the team. A
project managers soft skills (or people and leadership traits) are most important in this activity.
Project managers are taught be consistent, supportive, realistic, and encouraging. As part of
project human resource management, ineffectively managing people on a project is a major
pitfall to project success.
Perhaps one of the largest activities of project management that can have drastic impacts
on the success of a project is monitor and control. This activity requires the project manager to
monitor the progress of a project against the triple constraintthe scope, schedule, and budget.
Many projects implement a change management system, which is essentially a formal list of
procedures for suggesting, analyzing, and approving changes to a project. As one can imaging,
making changes in a project can easily impact the project deadline or budget. There are many
tools available to help assist project managers in making sound decisions on requested changes.
Expectation management matrices, for example, can be used to weigh the expectations of the
project against a proposed change and how it will affect the outcome. Risk management is the
related knowledge area for this activity, which is later discussed in further detail.
When a project is completed, the last activity is to assess the results and experiences.
Project managers should hold meetings with their team members in order to determine how
effective the process used helped guide the success of a project. Often, project managers write
lessons-learned reports to use for future reference when working on similar projects.

The Importance of Project Risk Management

Kathy Schwalbe, author of Information Technology Project Management, defines project
risk management as the art and science of identifying, analyzing, and responding to risk
throughout the life of a project and in the best interests of meeting project objectives (2011, p.
422). A risk in a project is an unknown that can either impact a project positively or negatively.
The goal of project risk management, as defined by Schwalbe, is to minimize potential
negative risks [and] maximize potential positive risks. An Oracle White Paper stresses the
importance of project risk management: Projects are becoming increasingly more complex and
costly, making it even more difficult to analyze and mitigate risks using informal methods (A
Standardized Approach to Risk Improves Project Outcomes and Profitability, 2010). Oracle
INFORMATION TECHNOLOGY PROJ ECT RISK MANAGEMENT 6
metaphorically refers to project managers as firefighters when it comes to managing risks
traditionally[project managers] race around responding to problems as they arise rather than
avoiding them in the first place.
Humans have varying personalities, and those that have a higher risk tolerance can pose
more danger to a projects success. Project managers can be one of three types of risk-takers:
risk-averse, risk-seeking, or risk-neutral. Risk-averse project managers do not gain satisfaction
when more of a payoff is at stake. Risk-seeking project managers, on the other hand, have a
higher tolerance for risk and are more satisfied when the payoff is higher. Risk-neutral project
managers maintain a balance between payoff and satisfaction. The example below shows the
downfall of a risk-seeking project manager that opted to continue a project despite cost overruns
and poor risk management.
In the mid-1990s, Denver International Airport set out to build a new, automated baggage
handling system that would integrate all three concourses into one system. Due to poor
estimation of the complexity of the project, Denver Airport failed to open for sixteen months and
cost the airport $560 million. In a drastic measure to complete the project, the scope of the
system was reduced significantly and the system only managed to handle baggage for outgoing
flights from a single concourse. The system remained in use for almost a decade, but was
abandoned due to the $1 million monthly cost to maintain the system!
A case study by Calleam Consulting, Ltd. sites many key points of failure, but it also
includes issues related to poor risk management. The project ran into a roadblock when the
electrical system suffered from varying power fluctuations that crashed the system. In order to
rectify and prevent the failures, filters needed to be installed to prevent electrical surges. Because
delivery and installation took several months, testing was limited. The case study attributes this
problem to poor risk management, stating that such issues were likely predictable had the team
been more focused. They also attribute poor schedule management to the lack of time needed to
develop a sound risk management approach. (Case Study - Denver International Airport Baggage
Handling System - An illustration of ineffectual decision making, 2008)
The example of the Denver Airport baggage handling system has shown has drastic the
consequences can be for a project if risk is not assessed properly. Many sources outline steps for
designing a risk management plan, which is one of the most systematic and effective approaches
for analyzing and handling risks successfully.

Implementing a Risk Management Plan

A risk management plan, as defined by PMBOK Guide, describes how project risk
management will be structured and performed on the project. Risk management plans can be
very detailed and include many topics, ranging from the risk procedures to the budget and
schedule impacts to the risk tracking activities. Risks affect everyone on the project for both
short-term and long-term periods, so it is important to manage risk effectively. The key to
mitigating risks is to have a sound, complete risk management plan.
INFORMATION TECHNOLOGY PROJ ECT RISK MANAGEMENT 7
The Oracle White Paper suggests a standardized approach for managing risk. A
collaborative risk identification process helps create buy-in on project assumptions and spreads
awareness throughout the organization. It is important to effectively communicate risks across
the board with project members and stakeholders; Oracle also suggests that newer approaches
integrate schedule impacts as well.
Many standardized approaches typically include risk planning, identification, assessment,
and response. Two approaches, one by Oracle and another from an experienced project manager
at the University of California will be discussed in detail. The similarities between both
approaches help contribute to effective risk management planning.

Oracles Primavera Risk Analysis

Oracles Primavera Risk Analysis enables a formal process to manage risk throughout a
companys complete project portfolio. Oracles approach begins with proper risk planning,
which enables better project selection decisions and more accurate budget and scheduling.
Risk planning is an important tool to allocate resources proactively and not reactively. Oracle
sites the use of a risk register, which is a document that contains results of various risk
management processes (Schwalbe, 2011, p. 436). Planning a complete risk register allows
project managers to utilize a list of standard approaches for the project. Planning for risks also
involves planning impacts on the projects schedule. Implementing impacts on the schedule in
the risk register can ensure use of best practices for handling such risks.
Once the risk register has been designed, Oracles approach transitions to risk
identification, which is the process of understanding what potential events might hurt or
enhance a particular project (Schwalbe, 2011, p. 434). There are many techniques to identify
risks, but Oracle suggests accompanying the risk register with risk templates and work
breakdown structures. Oracle stresses the importance of the risk register as it maintains a
repository for known risks that may occur throughout the life of a project. As risk management
always has an effect on the projects schedule, Oracle suggests creating templates to model risk
scenarios.
When a risk has been identified, a thorough assessment must be made on how to handle
and mitigate the risk. Oracle states that risk assessment is critical to understanding the impact of
risk and uncertainty on project schedule and cost. Oracle further stresses the importance of the
risk register, but they also rely on Monte Carlo analyses, which simulate a risk models
outcome to provide a statistical distribution of the results (Schwalbe, 2011, p. 444). A Monte
Carlo analysis is a quantitative risk analysis technique that can be used to predict the probability
of a schedule or budget factor. Oracle states that this technique can identify which key tasks will
drive the schedule and cost of the project.
It is important to note that Oracles approach does not immediately respond to the risk
without proper assessment first. Rapid response to a risk without proper planning is another
factor that impacts project success. Once the risk has been identified and thoroughly assessed,
INFORMATION TECHNOLOGY PROJ ECT RISK MANAGEMENT 8
the Oracle approach uses the risk register to mitigate the issue. Oracle actually implements a
mitigation plan that can be used to evaluate the effective of a risk response against the project
schedule. Throughout the entire Oracle approach, it is obvious that a risk can have a major
impact on the schedule and cost of a project; it is clear that each phase in the Oracle approach
seek to minimize the impact in these two areas.
Like most project management plans, Oracles risk approach concludes with reporting
and documenting the risk, as it helps to quantify the impact of risks on project cash flow and
track and allocate schedule and cost contingencies (2010). Oracle, for example, insists on using
histograms or distribution graphs to pictorially show the impact on the projects schedule.
Oracles Primavera Risk Analysis approach is a modern and standardized approach that
weighs heavily on examining the impact on cost and schedule. Oracle has cited many examples
of how its risk analysis approach has helped organizations. Oracle states that the approach can
substantially reduce the uncertainty factor in many projects and help ensure that projects are
completed on time and under budget.

Michael D. Taylors Risk Management Approach

Another approach by Michael D. Taylor, master project manager with over thirty years of
engineering and project management experience, heavily incorporates qualitative and
quantitative analysis into risk planning. Taylor is the Project and Program Management
Certificate coordinator from the University of California Extension in Silicon Valley.
Taylors approach is systematic and deals with the overall problem of uncertainties that
may arise. A risk management plan must be complete, and Taylor states that many risk
management plans address only foreseeable risks and fail to address the unforeseeable ones
(How to Effectively Manage Project Risks, 2009). Taylors approach is a five step process that
includes risk identification, qualitative analysis, quantitative analysis, risk response planning, and
risk monitoring and control. While qualitative and quantitative analyses are included in a
generalized risk assessment phase in Oracles approach, Taylor has made them separate
processes in his approach.
The first phase in Taylors approach is to identify risks. While this is a standard step in
most risk management plans, Taylor states that risk identification is an ongoing task for project
managers. Taylor suggests that project managers make use of flowcharts, analogous project
comparisons, risk checklists, work breakdown structures, brainstorming techniques, Ishikawa
diagrams, affinity diagrams, and risk breakdown structures. Many of these techniques can be
used to map risks to their root causes as well as group them according to different categories.
The importance of these techniques increases the focus on project risks and provides better
proactive visibility to risk for project managers.
Once identifying potential risks, Taylors approach continues to qualitative analysis.
Risk, says Taylor, is always to be analyzed by the probability of the event occurring and the
consequence if it does occur. Like Oracles approach, Taylor suggests that risk should focus on
INFORMATION TECHNOLOGY PROJ ECT RISK MANAGEMENT 9
the projects schedule, cost, scope, and quality. One of the project management knowledge areas
previously discussed is estimation. In risk identification, estimation is critical to probability and
consequence. Simply stated, If an estimator is unskilled or inexperienced, the estimates will be
inaccurate. One method that can be used to mitigate risks is by creating a risk probability
assessment and risk consequence analysis. In his booklet, Taylor identifies these two charts that
can be used to weigh the impacts of a risk based on a qualitative point scale. Each of these
impacts are weighted according to technical, schedule, and cost factors.
From qualitative analysis techniques, Taylor moves next to quantitative techniques from
a statistical approach. Taylor uses quantitative techniques to determine the magnitude of the
risk. Because Taylors approach is heavily based on probability and consequence impact, he
uses a weighted risk factor technique. This technique considers many different factors and
weighs them based on project priority, such as delayed requirements definition, lack of
experienced personnel, unavailable test equipment, subcontractor delays, and others. Taylor
suggests that simply using this technique is not enough; project managers must quantify the data
by assigning a risk response to the weighted risk factor. For example, a weighted risk factor for
experienced personnel from 0.7 to 1.0 is high, and the risk response should be to develop
abatement plans. Subcontractor delays with a weighted risk factor from 0.4 to 0.7 are a
moderate risk level and the response is based on expert judgment. Taylors approach is very
methodical and complete; he continually stresses that techniques need to be used effectively not
just for analysis but for proper response.
Taylors risk response phase states that negative risks can be: transferred to another party,
avoided altogether by changing the scope or schedule of the project, reduced by changing scope
to a lesser degree, shared between two parties, tolerated, accepted. Positive risks, identified as
opportunities, are best handled by exploiting the risks, sharing the benefits, and enhancing the
risks for a positive benefit. Oracles approach outlines many of these same tasks, but Taylors
response mechanisms are clearly defined for the project manager.
Taylors last phase, risk monitoring and control, emphasizes that risk management is not
a one-time effort. Most notably, Taylor states that new risks may present themselves as projects
progress. Taylor states that it is crucial for project managers to always remain alert of possible
threats and to take adequate measures to implement responses in time.

Conclusion

As evident by the detail of each phase of the project management plan, project managers
must assume many different roles and responsibilities. Oracles approach to risk management
emphasized the importance of risks on schedule and budget while Taylors approach emphasized
techniques to mitigate probability and consequence. While Oracles approach is somewhat
informative, Taylors approach is directive and provides many well-known techniques to
properly assess and handle risk. Project managers can greatly reduce risks in their projects by
employing the techniques described in Taylors approach to risk management.
INFORMATION TECHNOLOGY PROJ ECT RISK MANAGEMENT 10
References

Calleam Consulting, Ltd. (2008). Case Study - Denver International Airport Baggage Handling
System - An illustration of ineffectual decision making. Calleam Consulting, Ltd.
Oracle. (2010). A Standardized Approach to Risk Improves Project Outcomes and Profitability.
Redwood Shores: Oracle Corporation.
Project Management Institute. (2008). A Guide to the Project Management Body of Knowledge:
(PMBOK Guide) (4th ed.). Newtown Square, Pennsylvania, United States of America:
Project Management Institute, Inc.
Schwalbe, K. (2011). Information Technology Project Management (Revised 6th ed.). Boston,
Massachusetts, United States of America: Course Technology.
Taylor, M. D. (2009). How to Effectively Manage Project Risks. Systems Management Services
(www.projectmgt.com).
Whitten, J . L., & Bentley, L. D. (2007). Systems Analysis and Design Methods (7th ed.). New
York, New York, United States of America: McGraw-Hill/Irwin.