INFO 420, Chapter 8

SW Project Management
Managing Project Risk

INFO 420
Dr. Jennifer Booker

Risk avoided

American culture avoids facing risk
  This leads to many problems in project management
We want to stick our heads in the sand
  Somehow that doesn’t make risks go away
We need to manage risks proactively

Risk Management

“If you don’t actively attack risks, they will attack you” - Tom Gilb

Risk management is still looked upon as bad news - and messengers are still shot

What is risk?

A risk is something that might go wrong, which could affect the project outcome

The key word is might
  If the probability is zero, it isn’t a risk at all
  If the probability is one, it’s certain to occur, and can be treated as a project constraint
  So any risk has 0% < p < 100%

Risk management problems

Typical problems in risk management are
  Not valuing risk management (RM)
    Some insist there is no benefit to doing RM
  Not allowing time for RM
    RM takes time and effort, get over it!
  Not identifying and assessing risks consistently
    Which can waste time and miss opportunities

Risk lessons learned

So a few lessons learned include
  Get commitment by all stakeholders, both to do RM, and agree on significant risks
  Identify an owner for each risk, so someone is actively managing it
  Look for typical risks for your type of project; patterns vary

RM elements

The main elements in risk management are
  Risk management planning
  Risk identification
  Qualitative and Quantitative risk analysis
  Risk response planning
  Risk monitoring and control

Risk Management Planning

Similar to security analysis:
  Identify threats
  Prevent threats
  Detect threats (not trivial with information systems!)
  Mitigate (reduce) the effects of the threats

Risk planning

The PMBOK defines risk as
  “An uncertain event or condition that, if it occurs, has a positive or negative effect on the project objectives”
So a risk can be a good thing
  We tend to think of the bad ones

Project reserves

A financial reserve is kept for most projects, in part for risk management

Helps protect against
  Flawed estimates
  Minor anomalies (unexpected events)
  Permanent variances (unexpected skill levels)
  Minor variances (estimates slightly off)

Project risk management steps

Risk planning
  Get commitment from stakeholders
  Allocate resources
  Develop and approve RM plan
Risk identification
  Develop a list of risks, their causes and effects

Project risk management steps

Risk assessment
  Analyze the risks for probability and impact
Risk strategies
  Document how to respond to each risk if it occurs (risk response or mitigation plan)
Risk monitoring and control
  During project, look for known risks to occur, and identify new risks

Project risk management steps

Risk response
  Respond to risks that have occurred
Risk evaluation
  Find lessons learned, and how to improve future projects’ RM

Identifying IT project risks

The scope and context of risks can be a little intimidating at first, so we break the big problem into little ones
Ultimately, any risk might affect the project’s MOV
  Which could result from changes in scope, quality, schedule, or budget

Identifying IT project risks

These could result from people, legal, process, environment, technology, organization, product, or other issues

These could be internal to your organization, or external

Risks could be known risks, known-unknown risks (risk is known, extent is unknown), or completely unknown risks (unimaginable)

Identifying IT project risks

And finally, risks could affect any part of the project life cycle:
  Conceptualize and initialize the project
  Develop project charter and plan
  Execute and control the project
  Close project
  Evaluate project success

All clear?

That only gives: 1x4x7x2x3x5 = 840 ways to classify a risk!

Realistically, we only focus on the issues most likely to affect our project

Our goal is to identify all the significant risks, not every conceivable risk!

Risk tools

Learning cycles
  For each suspected risk area, identify facts known about it, assumptions being made, and what needs to be researched in that area
  Test assumptions, and conduct research to identify specific risks
Brainstorming

Nominal Group Technique (NGT)

Have everyone write down ideas on paper
Write on flip chart, one idea from each person, until all are recorded
Discuss and clarify the ideas
Each person ranks and prioritizes the ideas
Group discusses ranking and priorities
Redo personal ranking and prioritization
Summarize for the group

Risk tools

Delphi technique – same as used for estimation, but used for identifying risks and their probability and impact
Interviewing
Checklists, typically from past projects or industry common risks

Risk tools

SWOT analysis – look at organization and project’s strengths, weaknesses, opportunities and threats

Past projects – the ideal solution for all project management problems!
  Use lessons learned from previous projects

Risk tools

Cause and effect diagram, or fishbone diagram
  Start with a major type of risk
  Identify 4-6 categories of causes of that risk
  Brainstorm about ‘what could cause’ that risk to occur, based on the categories
  Fill in details until you’re bored
  Then eliminate known minimal risk areas or causes

Risk analysis and assessment

Risk analysis estimates the probability and impact of each risk

Risk assessment prioritizes risks to help define your risk strategy
  Which risks are significant enough to prevent actively?
  Which will require effort if they occur?

Qualitative vs quantitative

Both kinds of assessment can be done
  Use the former most of the time
  Use the latter for key risks in a steady environment
Caveat: the text is misleading about qualitative vs quantitative assessment
  What they call qualitative is really quantitative
  What they call quantitative is statistical process control (SPC)

Expected value

Think of ‘deal or no deal’

If we have several possible outcomes, can calculate for each the probability and resulting payoff (or cost)

Multiply probability and payoff to get the impact of each outcome

Add impact outcomes to determine the overall expected value of all possible results

Decision Tree

This is a graphic form of a payoff table
  Nodes represent choices (and their costs) or probabilities
  Map out possible choices, and what their impact outcomes are
  Pick the highest impact outcome

Risk Impact Table

Great for analysis and prioritization of risks
  Define each risk, its probability, and impact
    Impact could be in $ or effort to resolve the risk
  Multiply probability by impact to get the impact outcomes (P-I score)
  Sort risks by descending P-I score: instant prioritization! (risk rankings)

Risk Impact Table

You could* categorize risks by their general impact and probability
  Kittens – low probability and impact
  Puppies – high prob, low impact
  Alligators – low prob, high impact
  Tigers – high prob and impact, was good at golf

* I wouldn’t, but you could…

“Quantitative” approaches

Those approaches will cover most situations and needs

These approaches might apply if you have more extensive data on specific risks

All are based on various types of probability distributions

Discrete probability distribution

When you’re measuring discrete events (it happens, or not) then a family of discrete probability distributions come into play
  In these cases, calculate the probability of each individual event happening (x=0, x=1, etc.), and add them up

A subset of these are binomial distributions, where events either happen, or not (like a coin flip, or someone dies)

Continuous probability distribution

Often of interest is when a measurement can have real values (not just integers)

This results in a continuous probability distribution
  There are dozens of them: Gaussian, Poisson, Chi-square, F, Student T, etc.

Normal distribution

A normal (Gaussian) distribution is a bell curve
  It has a mean value and a standard deviation
  The probability of an event occurring is the area under the curve

If we know a risk follows a normal distribution, we can predict how likely it is to occur within a given range (e.g. of time)

PERT distribution

This goes with the PERT estimation technique
  The mean is (low + 4*likely + high)/6
  Std deviation is (high – low)/6

The PERT distribution is lopsided, since we know zero can’t occur

Triangular distribution

This is similar to a simplified PERT distribution
  The mean is (low + likely + high)/3
  Std dev = sqrt{ [ (high-low)^2 + (likely-low)*(likely-high) ]/18 }

Simulations

In studying the behavior of projects, we could try to determine how they are affected by changes in inputs (assumptions, task durations, etc.)

The output of interest might be the project’s cost, schedule, customer satisfaction, etc.

Monte Carlo simulations

If we automate this kind of analysis, one approach is using a Monte Carlo simulation
  (Monte Carlo is the Las Vegas of Europe)

In a MC simulation, we define the probability distribution of the inputs we’ve defined

Monte Carlo simulations

Then the project results are simulated to see how they turn out
  This produces a histogram of outputs, with the mean duration, and can find the probability of finishing within a range of times

Tools exist (e.g. @Risk) to automate this kind of analysis

Tornado graph

This type of analysis can also produce a tornado graph, which is a bar chart emphasizing the highest risk tasks
  This is like a Pareto diagram
  Here the ‘highest risk’ also implies ‘has the highest probability of affecting the project schedule’
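
Added example (not part of the original slides): a small Monte Carlo run that ties together the triangular distribution formulas, the probability of finishing within a range of times, and a tornado-style ranking of tasks. The task names, the three-point estimates, and the use of correlation with the project total as the ranking measure are assumptions made for this illustration.

```python
import math
import random
import statistics

# Constructed three-point estimates (low, likely, high) in days for three
# sequential tasks; names and numbers are invented for this example.
TASKS = {"design": (5, 8, 15), "build": (10, 14, 30), "test": (4, 6, 9)}

def triangular_mean_std(low, likely, high):
    """Mean and standard deviation from the triangular distribution slide."""
    mean = (low + likely + high) / 3
    var = ((high - low) ** 2 + (likely - low) * (likely - high)) / 18
    return mean, math.sqrt(var)

def simulate(tasks, runs=20000, seed=420):
    """Sample every task duration `runs` times; return totals and per-task draws."""
    rng = random.Random(seed)
    samples = {name: [] for name in tasks}
    totals = []
    for _ in range(runs):
        total = 0.0
        for name, (low, likely, high) in tasks.items():
            d = rng.triangular(low, high, likely)  # argument order: low, high, mode
            samples[name].append(d)
            total += d
        totals.append(total)
    return totals, samples

def prob_within(totals, lo, hi):
    """Fraction of simulated projects whose duration falls in [lo, hi]."""
    return sum(lo <= t <= hi for t in totals) / len(totals)

def pearson(xs, ys):
    """Pearson correlation, written out so the example needs no extra packages."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / math.sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))

def tornado_ranking(totals, samples):
    """Tasks sorted by how strongly their duration moves the project total."""
    corr = [(name, pearson(draws, totals)) for name, draws in samples.items()]
    return sorted(corr, key=lambda item: abs(item[1]), reverse=True)

if __name__ == "__main__":
    totals, samples = simulate(TASKS)
    print("mean duration:", round(statistics.fmean(totals), 2))
    print("P(finish within 40 days):", round(prob_within(totals, 0, 40), 3))
    for name, r in tornado_ranking(totals, samples):
        print(f"{name:8s} correlation with total = {r:.2f}")
```

The simulated mean should land close to the sum of the per-task triangular means, which is a quick sanity check on any simulation of this kind.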

Risk strategies

Ok, so we have defined risks, and analyzed them to find the biggest threats

Now we answer a big question: so what?
  If these risks occur, what, if anything, will we do about it?
  That’s our risk strategy, which is different for each risk

Risk strategies

How we select a strategy depends on
  Is the risk a threat or opportunity?
  How and when will the project be affected?
  How do we know if the risk is occurring (triggers or risk detection)?
  What impact does the risk have on MOV?

Risk strategies

How many resources do we have to deal with this risk?

Remember the balance among scope, schedule, budget, and quality

Can we modify a contract or assign resources or otherwise mitigate a risk?

How tolerant are the stakeholders of this risk?

Risk strategy choices

In response to a risk, we can
  Accept or ignore the risk, if the impact is minimal, or we can’t do anything about it
    Use financial reserves to deal with it
    Have a contingency plan in place
  Avoid the risk (prevention)
    Change the project to reduce the chance of the risk occurring

Risk strategy choices

Mitigate the risk – lessen the impact of the risk after it has occurred

Transfer the risk – give the problem to someone else!

Buy insurance, subcontract something out, etc.

Risk response plan

Once key risks have been identified, and your strategies selected, put all this in a risk response plan

For each risk, identify
  What trigger tells you the risk has occurred
  The owner of the risk (person, not group)
  The risk response strategy

Risk monitoring and control

Now your job is to monitor the risk triggers to see which ones go off
  And then follow up with appropriate responses
Tools exist, such as Risk Radar, to help do this
Can also conduct risk audits, reviews, or status meetings

Risk response

When a risk is triggered, your response plan is put into action
  May include following your mitigation strategy
  Could include assigning resources to deal with the risk

Risk evaluation

The process of risk management can be improved like any other through keeping lessons learned
  What risks did you identify?
  Which ones occurred?
  How severe was their impact?
  Did your risk strategy work or not? Why?

Summary

Manage risks, or they will manage you
Identify plausible risks
Quantify their probability and impact
Identify significant risks
Develop strategies for dealing with them
Keep an eye out for risks which occur, and follow your strategies for dealing with them