1 of 36

Chapter 7: Project Risk Management

Chapter Objectives

By the end of this chapter students will be able to:

    • Discuss the importance of good project risk management.
    • List common sources of risks on IS/IT projects.
    • Describe the process of identifying risks.
    • Discuss qualitative and quantitative risk analysis and provide examples of different risk response planning strategies to address both negative and positive risks.
    • Discuss how to control risks.

2 of 36

7.1 Project Risk Management (PRM) - Introduction

  • PRM is the process of identifying, analyzing and responding to risk throughout a project to meet project objectives.
  • Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality.
        • Negative risk/threat management involves understanding potential problems that might occur in the project and how they might impede project success. E.g., having limited personnel for the project.
  • If IT projects are so risky, why do companies pursue them?
        • Positive risks/opportunities are risks that result in good things happening. E.g., availability of additional personnel.
        • Positive risk management is like investing in opportunities.
        • Risk management is an investment: costs are associated with it.
        • The cost should not exceed the potential benefits.

3 of 36

Cont…

    • Project risk has its origins in the uncertainty present in all projects.
    • The objectives of PRM are to increase the likelihood and impact of positive events, while decreasing the likelihood and impact of negative events in the project.
    • Known risks: risks that the project team has identified and analyzed.
        • It is possible to plan responses for them, so they can be managed proactively.
        • Known risks that cannot be managed proactively should be assigned a contingency reserve.
    • Unknown risks: risks that have not been identified and analyzed.
        • They cannot be managed proactively and therefore may be assigned a management reserve.
    • Risk Tolerance: the maximum acceptable deviation an entity is willing to accept on the project or business objectives as the potential impact.

4 of 36

Cont…

        • The project may be accepted if the risks are within tolerances and are in balance with the rewards that may be gained by taking the risks.
        • Positive risks that offer opportunities within the limits of risk tolerances may be pursued in order to generate enhanced value. For example, adopting an aggressive resource optimization technique is a risk taken in anticipation of a reward for using fewer resources.
    • A consistent approach to risk should be developed for each project, and communication about risk and its handling should be open and honest.
    • Risk responses reflect an organization’s perceived balance between risk taking and risk avoidance.
    • Moving forward on a project without a proactive focus on risk management is likely to lead to more problems arising from unmanaged threats.

5 of 36

Project Risk Management Processes

    • Plan Risk Management: deciding how to approach and plan the risk management activities for the project.
    • Identify Risks: determining which risks may affect the project and documenting their characteristics.
    • Perform Qualitative Risk Analysis: prioritizing risks based on their probability of occurrence and impact.
    • Perform Quantitative Risk Analysis: numerically estimating the effect of identified risks on overall project objectives.
    • Plan Risk Responses: developing options and actions to enhance opportunities and reduce threats to meet project objectives.
    • Control Risks: implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project.

6 of 36

7.2 Plan Risk Management

    • Risk management planning should begin when a project is conceived and should be completed early during project planning.

    • Output: a risk management plan
        • documents the procedures for managing risk
        • important to clarify roles and responsibilities, prepare budget and schedule estimates for risk-related work and identify risk categories for consideration
    • The level of detail will vary with the needs of the project

7 of 36

Contingency & Fallback Plans, Contingency Reserves

    • In addition to a risk management plan, many projects also include:
        • Contingency plans: predefined actions that the project team will take if an identified risk event occurs.
      • For example, if the team is expecting a new release of a SW package, it must plan to use the older version if the release is delayed.
        • Fallback plans: developed for risks that have a high impact on meeting project objectives, and are put into effect if attempts to reduce the risk are not effective.
      • For example, a college graduate has a main plan and contingency plans for where to live after graduation but needs a fallback plan to possibly live at home.
        • Contingency reserves or allowances: provisions held by the project sponsor or organization to reduce the risk of cost or schedule overruns to an acceptable level.
      • For example, if a project is falling behind schedule due to inexperience with a new technology, these funds can be used to hire an outside trainer.

8 of 36

Common Sources of Risk in IT/IS Projects

    • Several studies show that IT projects share some common sources of risk. The Standish Group developed an IT success potential scoring sheet (next slide) based on potential risks.
        • If a potential project does not receive a minimum score, the organization might decide not to work on it or to take actions to reduce the risks before it invests too much time or money
        • The Standish Group developed specific questions for each success criterion to help decide the number of points to assign to a project
      • User Involvement:
        • Do I have the right users?
        • Did I involve the users early on?
        • Do I have a quality relationship with the users?
        • Do I make involvement easy? …
        • Did I find out what the users need?

9 of 36

IT/IS Success Potential Scoring Sheet

  • The number of questions corresponding to each success criterion determines the number of points each positive response is assigned
    • E.g., user involvement: add 19/5 (or 3.8) points for each question answered positively.

10 of 36

Broad Categories of Risk

    • Many organizations develop their own risk questionnaires.
    • Some of the categories of risk might include:
        • Market risk – Will the new service or product be useful to the organization or marketable to others? Will the users accept it? Will someone else create a better product?
        • Financial risk – Can the organization afford to undertake the project? Will the project meet NPV, ROI and payback estimates?
        • Technology risk – Is the project technically feasible? Is it leading edge or bleeding edge technology?
        • People risk – Are people with appropriate skills available to help complete the project? Does senior management support the project?
        • Structure/process risk – What degree of change will the new project introduce into user areas and business procedures? With how many other systems does a new project/system need to interact?

11 of 36

Risk Breakdown Structure

    • A risk breakdown structure (RBS) is a hierarchy of potential risk categories for a project
    • Similar to a work breakdown structure but used to identify and categorize risks

    • In addition to identifying risk based on the nature of the project or products produced, it is also important to identify potential risks according to project management knowledge areas (PMKA)

Sample Risk Breakdown Structure

12 of 36

Potential Negative Risk Conditions Associated With Each Knowledge Area

13 of 36

7.3 Identifying Risks

    • Risk identification is the process of understanding what potential events might hurt or enhance a particular project.
        • ongoing process throughout the project lifecycle as things change
        • key benefit: the documentation of existing risks and the knowledge and ability it provides to the project team to anticipate events.

Participants in risk identification:

    • project manager, project team members, risk management team (if assigned), customers, SMEs from outside the project team, end users, other project managers, stakeholders, and risk management experts.

14 of 36

Identifying: Tools and Techniques

1. Information Gathering Techniques

  • Brainstorming is a technique by which a group (the project team and experts who are not part of the team), under the leadership of an experienced facilitator, attempts to generate ideas or find a solution for a specific problem by amassing ideas spontaneously and without judgment (to obtain a comprehensive list of project risks).
  • Delphi Technique is used to derive a consensus among a panel of experts who make predictions about future developments.
        • A facilitator uses a questionnaire to solicit ideas about the important project risks. The responses are summarized and then recirculated to the experts for further comment; consensus may be reached in a few rounds.
        • Provides independent and anonymous input and avoids the biasing effects possible in oral methods, such as brainstorming

15 of 36

Cont…

  • Interviewing: interviewing experienced project participants, stakeholders and SMEs helps to identify risks.
  • Root cause analysis - to identify a problem, discover the underlying causes that lead to it and develop preventive action.
  • SWOT analysis
        • Helps to identify the broad negative and positive risks that apply to a project
      • identifies any opportunities for the project that arise from organizational strengths, and any threats arising from organizational weaknesses.
      • examines the degree to which organizational strengths offset threats, as well as identifying opportunities that may serve to overcome weaknesses.

16 of 36

Identifying Risks: Outputs

  1. Output: a list of identified risks and other information needed to begin creating a risk register.
  2. A risk register is:
        • a document that contains the results of various risk management processes and that is often displayed in a table or spreadsheet format
        • a tool for documenting potential risk events and related information
        • Risk events refer to specific, uncertain events that may occur to the detriment or enhancement of the project
      • Negative risks: delays in completing work as scheduled, increases in estimated costs, supply shortages, litigation, strikes
      • Positive risks: completing work sooner and/or cheaper than planned, collaborating with suppliers to produce better products, good publicity

17 of 36

Cont…

    • Risk Register Contents:
        • An identification number and a rank for each risk event, its name and description, the category under which it falls, and the root cause of each risk
        • Triggers for each risk; triggers are indicators or symptoms of actual risk events.
      • E.g., cost overruns on early activities, defective products
        • Potential responses to each risk
        • The risk owner: person who will own or take responsibility for each risk
        • The probability and impact of each risk occurring
        • The status of each risk

Fig.- Sample Risk Register

18 of 36

7.4 Perform Qualitative Risk Analysis

    • Assess the likelihood and impact of identified risks to determine their magnitude and priority.
    • key benefit: it enables project managers to reduce the level of uncertainty and to focus on high-priority risks.

19 of 36

Perform Qualitative Risk Analysis: Tools and Techniques

  1. Risk Probability and Impact Assessment
        • Risk probability assessment investigates the likelihood that each specific risk will occur.
        • Risk impact assessment investigates the potential effect on a project objective such as schedule, cost, quality, or performance, including both negative effects for threats and positive effects for opportunities.
        • Risks can be assessed in interviews or meetings with participants selected for their familiarity with the risk categories on the agenda.
  2. Probability and Impact Matrix
        • lists the relative probability of a risk occurring on one side of a matrix or axis on a chart and the relative impact of the risk occurring on the other
        • List the risks and then label/rate each one as high, medium, or low based on their assessed probability and impact.

20 of 36

Cont…

        • Deal first with those risks in the high probability/high impact cell

Fig.- Sample probability impact matrix

21 of 36

Cont…

  3. Top Ten Risk Item Tracking
        • is a qualitative risk analysis tool that helps to identify risks and maintain an awareness of risks throughout the life of a project
        • Establish a periodic review of the top ten project risk items
        • List the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item
        • Keeps management and the customer aware of the major influences that could prevent or enhance the project’s success
        • By involving the customer, the project team may be able to consider alternative strategies for addressing the risks
        • It’s a means of promoting confidence in the project team by demonstrating to management and the customer that the team is aware of the significant risks, has a strategy in place and is effectively carrying out that strategy

22 of 36

Example of Top Ten Risk Item Tracking

    • Watch List
        • A watch list is a list of risks that are low priority, but are still identified as potential risks
        • Qualitative analysis can also identify risks that should be evaluated on a quantitative basis

23 of 36

7.4 Perform Quantitative Risk Analysis

        • Perform Quantitative Risk Analysis is performed on risks that have been prioritized by the Perform Qualitative Risk Analysis process as potentially and substantially impacting the project’s competing demands.
        • key benefit: it produces quantitative risk information to support decision making in order to reduce project uncertainty.

24 of 36

Perform Quantitative Risk Analysis: Tools and Techniques

  1. Decision Trees and Expected Monetary Value (EMV)
        • A decision tree is a diagramming analysis technique used to help select the best course of action in situations in which future outcomes are uncertain.
        • Expected monetary value (EMV) is the product of a risk event probability and the risk event’s monetary value.
        • You can draw a decision tree to help find the EMV
        • EMV Example
        • Suppose there is a 20% probability (P = .20) that Cliff’s firm will win the contract for Project 1, which is estimated to be worth $300,000 in profits, and an 80% probability (P = .80) that the firm will not win the contract for Project 1, and the outcome is estimated to be -$40,000. Also, on Project 2, suppose there are 20% and 10% probabilities that Cliff’s firm will lose $50,000 and $20,000 respectively, and a 70% probability that it will earn $60,000. Which project(s) might the organization pursue based on the EMV calculation of each project?

25 of 36

Cont…

      • EMV calculation of each project
        • Project 1: .2($300,000) + .8(-$40,000) = $60,000 - $32,000 = $28,000
        • Project 2: .2(-$50,000) + .1(-$20,000) + .7($60,000) = -$10,000 - $2,000 + $42,000 = $30,000

        • Because the EMV is positive for both Projects 1 and 2, Cliff’s firm would expect a positive outcome from each and could bid on both projects.

Decision Tree
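
The EMV rollback that a decision tree performs, generalized to trees of any depth, as an added example that is not part of the original slides. The node classes and the zero payoff for declining to bid are assumptions made for illustration; the probabilities and amounts are the ones from the Cliff’s firm example.

```python
"""Decision-tree rollback for Expected Monetary Value (EMV)."""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class Outcome:
    """Leaf node: a monetary result (negative means a loss)."""
    value: float


@dataclass
class Chance:
    """Chance node: (probability, subtree) branches that must sum to 1."""
    name: str
    branches: List[Tuple[float, "Node"]]


@dataclass
class Decision:
    """Decision node: (label, subtree) options; the best EMV is chosen."""
    name: str
    options: List[Tuple[str, "Node"]]


Node = Union[Outcome, Chance, Decision]


def emv(node: Node) -> float:
    """Roll the tree back from the leaves and return the node's EMV."""
    if isinstance(node, Outcome):
        return node.value
    if isinstance(node, Chance):
        total = sum(p for p, _ in node.branches)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{node.name}: probabilities sum to {total}, not 1")
        # Probability-weighted sum of the branch values.
        return sum(p * emv(child) for p, child in node.branches)
    if isinstance(node, Decision):
        return choose(node)[1]
    raise TypeError(f"unknown node type: {type(node).__name__}")


def choose(decision: Decision) -> Tuple[str, float]:
    """Return (label, EMV) of the option with the highest EMV."""
    return max(((label, emv(child)) for label, child in decision.options),
               key=lambda pair: pair[1])


# Figures from the slide's example (Cliff's firm).
project1_bid = Chance("Project 1", [(0.20, Outcome(300_000)),
                                    (0.80, Outcome(-40_000))])
project2_bid = Chance("Project 2", [(0.20, Outcome(-50_000)),
                                    (0.10, Outcome(-20_000)),
                                    (0.70, Outcome(60_000))])

# Assumption (not on the slide): declining to bid costs and earns nothing.
decide_p1 = Decision("Bid on Project 1?", [("bid", project1_bid),
                                           ("no bid", Outcome(0))])
decide_p2 = Decision("Bid on Project 2?", [("bid", project2_bid),
                                           ("no bid", Outcome(0))])

if __name__ == "__main__":
    for d in (decide_p1, decide_p2):
        label, value = choose(d)
        print(f"{d.name} -> {label} (EMV ${value:,.0f})")
```

Because a chance branch can itself lead to another decision or chance node, the same functions handle multi-stage trees without change.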

26 of 36

Cont…

2. Sensitivity analysis is a technique used to show the effects of changing one or more variables on an outcome

        • For example, what the monthly payments for a loan will be, given different interest rates or periods of the loan, or for determining break-even points based on different assumptions
        • Spreadsheet software, such as Excel, is a common tool for performing sensitivity analysis

3. Modeling and simulation: uses a model that translates the specified detailed uncertainties of the project into their potential impact on project objectives. E.g., Monte Carlo simulation

4. Expert judgment

        • is required to identify potential cost and schedule impacts, to evaluate probability, and to define inputs such as probability distributions into the tools.

27 of 36

7.5 Plan Risk Response

        • After identifying and quantifying risks, you must decide how to respond to them.
        • key benefit: it addresses the risks by their priority, inserting resources and activities into the budget, schedule and project management plan as needed.
    • Risk responses should be appropriate for the significance of the risk, cost-effective, realistic within the project context, agreed upon by all parties involved, and owned by a responsible person.
    • Selecting the optimum risk response from several options is often required.

28 of 36

Plan Risk Responses: Tools and Techniques

Strategies for Negative Risks or Threats

        • Risk Avoidance: eliminate the threat or protect the project from its impact.
        • E.g., don’t use HW or SW if unfamiliar with them
        • isolating the project objectives from the risk’s impact or changing the objective that is in jeopardy.
          • E.g., extending the schedule, changing the strategy, reducing scope.
        • Risk Transfer: shifting the impact of a threat to a third party (usually with payment of a risk premium), together with ownership of the response
        • For example, to deal with financial risk exposure, a company may purchase special insurance for specific HW needed for a project. If the HW fails, insurer has to replace it.

29 of 36

Cont…

        • Risk Mitigation: reduce the probability of occurrence or impact of a risk. Mitigation actions include
        • using proven technology, developing prototypes, adopting less complex processes, conducting more tests, choosing a more stable supplier, or buying a maintenance or service contract

        • Risk Acceptance: prepare for risk with backup plan or contingency reserves.

Table: General Risk Mitigation Strategies

30 of 36

Strategies for Positive Risks or Opportunities

        • Risk Exploitation: doing whatever you can to make sure the opportunity is realized.
        • For example, a project manager might organize news coverage of the project, write a press release, or hold some other public event to ensure that the project produces good public relations for the company, which could lead to more business.
        • Risk Enhancement: is used to increase the probability and/or the impacts of an opportunity by identifying and maximizing key drivers of the positive risk.
        • For example, an important driver of getting good public relations for the computer classrooms project might be to generate awareness and excitement about it among students, parents, and teachers. These groups might then do their own formal or informal advertising of the project and Cliff’s company, which in turn might interest other groups and generate more business.

31 of 36

Cont…

        • Risk Sharing: allocating some or all of the ownership of the opportunity to a third party who is best able to capture the opportunity for the benefit of the project.
        • For example, the project manager could form a partnership with the school board or parent-teacher organization to share responsibility for achieving good public relations for the project. And the company might partner with a local training firm to provide free training for all of the teachers on how to use the new computer classrooms.
        • Risk Acceptance: is being willing to take advantage of the opportunity if it arises, but not actively pursuing it.
        • Assume the product will speak for itself
        • For example, the computer classrooms project manager might assume that the project will result in good public relations for the company and not feel compelled to do anything extra.
        • Exercise: compare and contrast risk exploitation and risk enhancement.

32 of 36

Cont… (Tools & Techniques)

  1. Residual and Secondary Risks
        • Residual risks are risks that remain after all of the response strategies have been implemented
      • E.g., even though a stable HW platform is used, it may still fail
        • Secondary risks are a direct result of implementing a risk response
      • Using stable HW may have caused a risk of peripheral devices failing to function properly
  2. Contingent response strategies
        • responses designed for use only if certain events occur.
        • Events that trigger the contingency response, such as missing intermediate milestones or gaining higher priority with a supplier, should be defined and tracked.
  3. Expert judgment
        • Expertise may be provided by any group or person with specialized education, knowledge, skill, experience, or training in establishing risk responses.

33 of 36

7.6 Control Risk

        • Involves executing the risk management process to respond to risk events. It is an ongoing activity:
        • new risks are identified, and old risks disappear, weaken or get stronger
        • Workarounds are unplanned responses to risk events that must be done when there are no contingency plans.
        • key benefit: it improves efficiency of the risk approach throughout the project life cycle to continuously optimize risk responses.

34 of 36

Tools and techniques

  1. Risk assessment: identification of new risks, reassessment of current risks, and closing of outdated ones
  2. Risk audits: examine and document the effectiveness of risk responses in dealing with identified risks and their root causes, as well as the effectiveness of the risk management process.
  3. Variance and trend analysis: compare planned results to the actual results, and review trends in the project execution
  4. Technical performance measurement: compare technical accomplishments during project execution to the schedule of technical achievement
  5. Reserve analysis: compares the amount of contingency reserves remaining to amount of risk remaining at any time to determine if the remaining reserve is adequate.
  6. Meetings

35 of 36

Cont…

        • Main outputs of risk monitoring and control are:
        • Requested changes
        • Recommended corrective and preventive actions
        • Updates to the risk register, project management plan, and organizational process assets
        • Results of Good Project Risk Management
        • Unlike crisis management, good project risk management often goes unnoticed
        • Well-run projects appear to be almost effortless, but a lot of work goes into running a project well
        • Project managers should strive to make their jobs look easy to reflect the results of well-run projects

36 of 36

Discussion Questions

        • What are some questions that should be addressed in a risk management plan?
        • Discuss the common sources of risk on IT projects and suggestions for managing them. Which suggestions do you find most useful? Which do you feel would not work in your organization? Why?
        • What is the difference between using brainstorming and the Delphi technique for risk identification? What are some of the advantages and disadvantages of each approach?
        • Describe the contents of a risk register and how it is used in several risk management processes.
        • Describe how to use a probability/impact matrix and the Top Ten Risk Item Tracking approaches for performing qualitative risk analysis. How could you use each technique on a project?
        • Explain how to use decision trees and Monte Carlo analysis for quantifying risk. Give an example of how you could use each technique on an IT project.
        • Provide realistic examples of each of the risk response strategies for both negative and positive risks.
