
Risk Analysis in IT Projects

What Is Project Risk Analysis And Management?


Project Risk Analysis and Management is a process which enables the analysis and management of the risks associated with a project. Properly undertaken, it will increase the likelihood of completing a project to its cost, time and performance objectives.

Objectives

The objective of performing risk management is to enable the organization to accomplish its missions:
(1) by better securing the IT systems that store, process, or transmit organizational information;
(2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget;
(3) by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.

The Importance of Project Risk Management


Project risk management is the art and science of identifying, analyzing, and responding to risk throughout the life of a project and in the best interests of meeting project objectives. Risk management is often overlooked in projects, but it can improve project success by helping to select good projects, determine project scope, and develop realistic estimates.

Integration of Risk Management into the SDLC


SDLC Phases, Phase Characteristics, and Support from Risk Management Activities

Phase 1: Initiation
Phase characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is documented.
Support from risk management activities: Identified risks are used to support the development of the system requirements.

Phase 2: Development or Acquisition
Phase characteristics: The IT system is designed, purchased, programmed, developed, or otherwise constructed.
Support from risk management activities: The risks identified during this phase can be used to support the security analyses of the IT system.

Phase 3: Implementation
Phase characteristics: The system security features should be configured, enabled, tested, and verified.
Support from risk management activities: The risk management process supports the assessment of the system implementation against its requirements.

Phase 4: Operation or Maintenance
Phase characteristics: The system performs its functions.
Support from risk management activities: Risk management activities are performed for periodic system reauthorization.

Phase 5: Disposal
Phase characteristics: This phase may involve the disposition of information, hardware, and software.
Support from risk management activities: Risk management activities are performed for system components.

Project Risk Management Processes

Risk identification: determining which risks are likely to affect a project and documenting the characteristics of each.
Risk analysis: prioritizing risks based on their probability and impact of occurrence.
Risk planning: taking steps to enhance opportunities and reduce threats to meeting project objectives.

Risk monitoring and control: monitoring identified and residual risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies throughout the life of the project.

Risk Breakdown Structure

A risk breakdown structure is a hierarchy of potential risk categories for a project.


Similar to a work breakdown structure but used to identify and categorize risks.

Sample Risk Breakdown Structure

Risk Identification

Risk identification is the process of understanding what potential events might hurt or enhance a particular project.
Risk identification tools and techniques include:

Brainstorming
The Delphi Technique
Interviewing

SWOT analysis

Risk Assessment Methodology Flowchart


Qualitative Risk Analysis

Assess the likelihood and impact of identified risks to determine their magnitude and priority.
Risk quantification tools and techniques include:

Risk-level matrices

Risk-Level Matrix
A risk-level matrix or chart lists the relative probability of a risk occurring on one side of a matrix (or one axis of a chart) and the relative impact of the risk occurring on the other; each cell combines the two into a risk level.

Risk Scale and Necessary Actions
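The risk-level matrix and the "risk scale and necessary actions" slide above are described in words only. The following is an added worked example (not part of the original deck) that builds the matrix, scores a small constructed risk register and attaches the action each level calls for. The numeric weights (likelihood 0.1/0.5/1.0, impact 10/50/100) and the scale boundaries (>50 high, >10 medium, otherwise low) are an assumption taken from the NIST SP 800-30 3x3 matrix; the deck gives no numbers, and the sample risks R1 to R4 are constructed.

```python
from dataclasses import dataclass

# Constructed scale (assumption): follows the NIST SP 800-30 3x3 risk-level matrix.
# The deck itself gives no numbers.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}

# Necessary action per risk level (paraphrased from NIST SP 800-30; assumption).
ACTIONS = {
    "high": "corrective measures required before the system continues to operate as planned",
    "medium": "corrective actions must be planned and put in place within a reasonable period",
    "low": "decide whether corrective action is still needed or accept the risk",
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"


def risk_score(likelihood: str, impact: str) -> float:
    """Cell value of the matrix: likelihood weight times impact weight."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_level(score: float) -> str:
    """Map a matrix score onto the risk scale (>50 high, >10 medium, else low)."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def prioritize(risks):
    """Return (risk, score, level, action) tuples, highest score first."""
    ranked = []
    for r in risks:
        score = risk_score(r.likelihood, r.impact)
        level = risk_level(score)
        ranked.append((r, score, level, ACTIONS[level]))
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked


def matrix_table() -> str:
    """Render the full 3x3 matrix as text: rows = likelihood, columns = impact."""
    lines = ["likelihood \\ impact | " + " | ".join(f"{i:>12}" for i in IMPACT)]
    for lk in LIKELIHOOD:
        cells = []
        for im in IMPACT:
            s = risk_score(lk, im)
            cells.append(f"{s:>5g} ({risk_level(s)})".rjust(12))
        lines.append(f"{lk:>19} | " + " | ".join(cells))
    return "\n".join(lines)


# Constructed sample register for a small IT project (assumption, not from the deck).
SAMPLE_RISKS = [
    Risk("R1", "Internet-facing server missing security patches", "high", "high"),
    Risk("R2", "Backup restore procedure never tested", "medium", "high"),
    Risk("R3", "Vendor delivery of hardware slips by two weeks", "medium", "medium"),
    Risk("R4", "Developer laptop without disk encryption", "low", "high"),
]

if __name__ == "__main__":
    print(matrix_table())
    for r, score, level, action in prioritize(SAMPLE_RISKS):
        print(f"{r.risk_id} {level:<6} {score:>5g}  {r.description}: {action}")
```

Note the edge the multiplicative scale produces: R4 pairs low likelihood with high impact and lands on the boundary score of 10, which the scale classes as low. A register that wants such high-impact items to stay visible needs either a different scale or a rule that overrides the score, which is exactly the kind of decision the "necessary actions" slide is meant to record.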

Quantitative Risk Analysis

A qualitative analysis allows the main risk sources or factors to be identified.

Quantitative analysis then enables the impacts of those risks to be quantified against the three basic project success criteria: cost, time and performance.

Quantitative Techniques

Sensitivity Analysis simply determines the effect on the whole project of changing one of its risk variables, such as delays in design or the cost of materials.

Probabilistic Analysis specifies a probability distribution for each risk and then considers the effect of risks in combination. This is perhaps the most common method of performing a quantitative risk analysis.

Influence Diagrams are a relatively new technique for risk analysis. They provide a powerful means of constructing models of the issues in a project which are subject to risk.

Decision Trees are another graphical method of structuring models. They bring together the information needed to make project decisions and show the present possible courses of action and all future possible outcomes.
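The two numeric techniques above, sensitivity analysis and probabilistic analysis, are easiest to see on a concrete cost model. The following is an added example, not code from the deck or its sources, built on a constructed four-element cost estimate (design, development, hardware, testing, each with a low / most likely / high three-point estimate in thousands of currency units; every figure is an assumption). The sensitivity part swings one element at a time between its low and high estimate while the others stay at their most likely value; the probabilistic part samples each element from a triangular distribution over its three-point estimate and combines them by Monte Carlo simulation.

```python
import random
import statistics

# Constructed cost model for a small IT project, in thousands of currency units.
# Each element is a (low, most likely, high) three-point estimate; all values are assumptions.
COST_ELEMENTS = {
    "design": (40, 50, 70),
    "development": (150, 200, 320),
    "hardware": (60, 80, 100),
    "testing": (30, 40, 80),
}


def baseline_cost(elements=COST_ELEMENTS) -> float:
    """Deterministic estimate: every element at its most likely value."""
    return sum(most_likely for _, most_likely, _ in elements.values())


def sensitivity_analysis(elements=COST_ELEMENTS):
    """One-at-a-time sensitivity: move a single element between its low and high
    estimate while every other element stays at its most likely value, and record
    the resulting change to the project total. Rows are sorted by swing width,
    largest first (the usual 'tornado' ordering)."""
    rows = []
    for name, (low, most_likely, high) in elements.items():
        downside = low - most_likely   # total falls by this much at the element's low estimate
        upside = high - most_likely    # total rises by this much at the element's high estimate
        rows.append((name, downside, upside, upside - downside))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def probabilistic_analysis(elements=COST_ELEMENTS, runs=20000, seed=7):
    """Monte Carlo: sample each element from a triangular distribution over its
    three-point estimate, sum the draws, and summarize the distribution of totals."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    totals = []
    for _ in range(runs):
        total = 0.0
        for low, most_likely, high in elements.values():
            # random.triangular takes (low, high, mode)
            total += rng.triangular(low, high, most_likely)
        totals.append(total)
    totals.sort()
    base = baseline_cost(elements)
    return {
        "mean": statistics.fmean(totals),
        "p50": totals[runs // 2],
        "p80": totals[int(runs * 0.8)],
        "prob_over_baseline": sum(1 for t in totals if t > base) / runs,
    }


if __name__ == "__main__":
    print(f"baseline (most likely) cost: {baseline_cost():.0f}")
    print("sensitivity (element, downside, upside, swing):")
    for row in sensitivity_analysis():
        print("  ", row)
    summary = probabilistic_analysis()
    print("probabilistic: " + ", ".join(f"{k}={v:.2f}" for k, v in summary.items()))
    print(f"contingency to reach 80% confidence: {summary['p80'] - baseline_cost():.0f}")
```

Two things the deterministic baseline hides show up immediately: the sensitivity table puts development far ahead of every other element, so that is where estimation effort pays off, and because each three-point estimate is skewed to the high side the simulated total exceeds the most-likely baseline far more often than not, which is what justifies holding a contingency (p80 minus baseline) rather than budgeting the baseline alone.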

Risk Mitigation
Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.

Risk mitigation can be achieved through any of the following risk mitigation options:
Risk Assumption
Risk Avoidance
Risk Limitation
Research and Acknowledgment
Risk Transference

Risk Mitigation Strategy

Risk Monitoring and Control

In most organizations, system components change and software applications are replaced or updated with newer versions. In addition, personnel changes will occur and security policies are likely to change over time.
These changes mean that new risks will surface and risks previously mitigated may again become a concern. Thus, there is a need for ongoing risk evaluation and assessment.

In implementing recommended controls to mitigate risk, an organization should consider all three classes of security controls, so as to maximize the effectiveness of the controls for its IT systems and organization:
Technical
Management
Operational

Risk Analysis Using an Enhanced FMEA Technique: The TCS Way

Failure Mode and Effects Analysis (FMEA) is a structured, proactive technique to identify the ways in which a product or process can fail and to prevent such failure.
It is a systematic technique to analyze potential failure modes and assist in mitigating them. It systematically anticipates and studies the cause and effect of failure.

TCS Risk Management Circle

FMEA The Driver Model

The power of FMEA is four-fold. Firstly, all FMEA artifacts are dynamic, living documents: continuous improvement and risk level reduction drive FMEA. Next, the technique identifies the high-priority, vital few risks because, in real life, not all problems are equally important. Thirdly, FMEA is customer-oriented, although a customer representative may not be an end-user. Fourthly, FMEA offers audit trails, i.e. a well-documented record of improvements arising out of the corrective actions implemented.
In sum, FMEA gives one a mechanism to document and monitor all data elements required to meet business drivers.

REFERENCES

www.openseminar.org: Risk Management, Laurie Williams and Sarah Smith
www.sei.cmu.edu: The Software Engineering Institute, risk management
Effective Risk Management: Risk Analysis Using an Enhanced FMEA Technique, Vijaya Deepti Nimmagadda Ramanamurthy and K. Uma Balasubramania (Tata Consultancy Services), Bangalore, Karnataka, India
Risk Analysis Techniques, Geoffrey H. Wold and Robert F. Shriver
