
WISQA: Risk Management for I/S Projects

Paula Duchnowski CQA, CSTE paula.duchnowski@generalcasualty.com General Casualty Insurance May 9, 2002

Risk Management for I/S Projects


Why is Risk Management Important?
What is Risk?
Risk Management Process
  Identify project goals & objectives
  Identify Risk
  Analyze Risk
  Plan for Risk
  Control Risk

Why are we here?


Information Technology Projects are difficult to manage
Project failures occur with alarming frequency
Prudent measures to assess and manage risk can increase probability of project success

What is Risk?
A potential problem waiting to happen
May adversely impact schedule, cost, objectives
Will vary in probability, impact and timeframe

What is Risk Management?


Risk Management is a systematic process of identifying, analyzing and responding to project risk.
PMI's PMBOK

Step 1: Identify Project Goals and Objectives


What are business objectives?
What are technical objectives?
What are project constraints?
Identify and state risks as they relate to the ability to achieve objectives within the known constraints
Note: If objectives aren't well-defined, that is a major risk.

Case Study Introduction


Improving and enforcing the Software Development Life Cycle
Small Shop
Not a process-oriented culture

Project Objectives:
  Increase consistency among all software development projects
  Utilize processes that will increase the probability of project success

Step 2: Identify Risks


Encourage input of perceived risk
Identify risk while there is time to take action
Capture risk in readable format
Communicate risk to those who can solve it
Goal: Prevent project surprises

Risk Identification: examples


Inadequate Management Commitment
Ambiguous requirements
Inadequate user involvement
New Technology
Undefined or ambiguous Scope
Insufficient or inappropriate staffing
Inadequate tools or technology
Large and dispersed project team

Identifying Risks
Various publications and organizations have developed generic risk categories and generic checklists.
Checklists help assure you aren't overlooking something
Consider three perspectives:
  Project Management and staffing
  Technical
  Quality of Product

Project Management Perspective:

Tactical Considerations
Budget
Schedule & Estimating risks
Resource availability and expertise
Vendor Management
Adequacy of Methodology / Project process
Communication
Project Size & Complexity
Sponsorship and high-level support

Technical Perspective
Data Conversion: (GIGO)
System Interfaces
Operations / Post-implementation Support
New or unproven Technology
Implementation & rollout
Infrastructure support
Adequacy of Infrastructure
Legacy Impacts / Support

Quality Risks
How well will product meet expectations?
Ease of Use
Data Integrity
Understand impact to users

Defects in production

Techniques to Identify Risk


Checklists: Several checklists are available as reminders of possible risk areas to consider
Interviews: Group or individual
Working Group / Workshop
Periodic meetings: Dialogue of risk information
Surveys: Selected categories of people identify risks quickly

Statement of Risk
May need to "Drill Down" to determine the real risk to the project:
  Asking "Why?"
  Why is this situation a risk to the project?
  What is the worst case scenario if the risk is realized?
  Some less than ideal circumstances may not be true risks

Discussion
Case Study: Enhancing and enforcing the Software Development Life Cycle
What are some of the risks? (Be creative: pretend you know this company)

Step 3: Risk Analysis


Quantify two factors:
  Probability of a failure
  Impact of a failure

Risk Exposure (RE) = P x I

Examples:
  Tornado in Wisconsin (low probability, high impact)
  My son forgetting to take out garbage (high probability, low impact)
  Others: What risk(s) have you taken today??

Quantifying Risk
Early in Project
More difficult to be precise
Establish risk order of magnitude
Continue to revisit as part of risk management process

Quantifying Risk: Tools and Techniques


Decision tree
Identify possible outcomes: associated likelihood and impact

Identify expected monetary value:


(probability %) x (Risk event value)

Simulation:
Prototype "what-if" scenarios

Expert Judgement (Use a judgement based scale)
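
The decision-tree technique above, worked through as an added example (not part of the original slides): each chance node sums (probability) x (risk event value), and the decision node picks the strategy with the lowest expected cost. The scenario, probabilities, dollar figures and the names emv, RISK_TREE, PILOT and VENDOR_FEE are all assumptions constructed for illustration.

```python
# Added example: expected monetary value (EMV) over a small decision tree.
# Every probability and dollar figure below is constructed for illustration.

def emv(node):
    """Return (expected cost, chosen option or None) for a decision-tree node."""
    kind = node["kind"]
    if kind == "outcome":                 # leaf: cost if this outcome happens
        return float(node["cost"]), None
    if kind == "chance":                  # sum of probability x risk event value
        total = sum(p for p, _ in node["branches"])
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"branch probabilities sum to {total}, not 1.0")
        return sum(p * emv(child)[0] for p, child in node["branches"]), None
    if kind == "decision":                # choose the option with lowest EMV
        costs = {name: emv(child)[0] for name, child in node["options"].items()}
        best = min(costs, key=costs.get)
        return costs[best], best
    raise ValueError(f"unknown node kind: {kind!r}")


def outcome(cost):
    return {"kind": "outcome", "cost": cost}


def chance(*branches):
    return {"kind": "chance", "branches": list(branches)}


# Constructed scenario: a data-conversion failure costing 200,000 in rework.
IMPACT = 200_000
PILOT = 25_000        # assumed cost of a pilot conversion (reduction)
VENDOR_FEE = 70_000   # assumed fixed-price vendor contract (transfer)

RISK_TREE = {
    "kind": "decision",
    "options": {
        "acceptance": chance((0.30, outcome(IMPACT)), (0.70, outcome(0))),
        "reduction": chance((0.10, outcome(PILOT + IMPACT)),
                            (0.90, outcome(PILOT))),
        "transfer": outcome(VENDOR_FEE),
    },
}

if __name__ == "__main__":
    for name, subtree in RISK_TREE["options"].items():
        print(f"{name:<10} EMV = {emv(subtree)[0]:>10,.0f}")
    cost, choice = emv(RISK_TREE)
    print(f"lowest expected cost: {choice} ({cost:,.0f})")
```

With these constructed numbers, reduction has the lowest expected cost even though it adds an up-front expense, because it cuts the probability of the failure from 30% to 10%.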

Quantifying Risk
Define scale you will be using for Probability and Impact
Try to define scale to correspond to key objectives and constraints
Look at example Checklist

See GC's Risk Checklist


Work in Process
Based on Lessons Learned & Industry standard risks
Tool for PMs
Includes a risk scale for probability and impact
Weighted factors for size & complexity

Discussion: Case Study Risks


What is probability of each risk occurring?
What is impact if the risk is realized?

Step 4: Plan for Risk


Develop Risk Management Plan
For each Risk
  Determine Time Frame for action
  Define Mitigation Strategy

Plan for Risk: Risk Management Plan


Define the Process for tracking and monitoring risk
Roles & Responsibilities
What and how risk information will be tracked
Establish Mitigation

Possible Mitigation Strategies


Acceptance: Consciously choose to live with the risk consequences.
Avoidance: Eliminate the risk.
Protection: Backup / contingency plan, i.e. redundant system.
Reduction: Reduce either the probability or impact of the risk.

More Mitigation Strategies


Research: Need more information, i.e. market research; prototypes.
Risk Reserves: Leave a contingency or margin for error.
Transfer: Shift risk to another organization, person or group (retain responsibility).

Document Known Risks


Description of risk
Date identified
Who identified
Category
Status
Risk Owner
Who is assigned
Mitigation strategy
Action Plan
Time Frame to act
RE: Probability & Impact
Other Measures:
  Quantitative threshold
  Leading indicators
  Risk Leverage

Discussion
Discuss possible mitigation strategies for case study risks

Step 5: Control Risk - On-going


Periodic monitoring and reporting of risk data
  Visibility and accountability regarding risk status
  Reports from risk repository
Periodic meetings / updates regarding risk status
Periodic re-assessment of risk exposure
Update Risk data and project plan

Summary
Why Risk Management is Important
Steps of a Risk Management Process
  Identify Project Goals & Objectives
  Identify Risk
  Analyze Risk
  Plan for Risk
  Control Risk

Thank you

Bibliography
Project Management Institute. Project Management Body of Knowledge.
Keil, Mark; Cule, Paul; Lyytinen, Kalle; Schmidt, Roy. A Framework for Identifying Software Project Risks. Communications of the ACM, November 1998.
Hall, Elaine. Managing Risk: Methods for Software Systems Development. Reading, MA: Addison-Wesley Publishing, 1998.
Jones, Capers. Assessment and Control of Software Risks, 1994.
Mulcahy, Rita. Managing and Estimating Project Risks, September 1999.