
Why risk management is important

Risk Management
COMP 4050 Project Management
Fall 2008 Lecture 17
Dr. Dean Jin

Just what is risk?

• The possibility of suffering harm or loss (PMI)
• Uncertainty inherent in plans and the possibility of something happening that can affect the prospects of achieving business or project goals (British Standard #6079)
• Overall, risk management should include:
  • Identification of potential risks
  • Potential for damaging our project
  • Means to reduce those risks or their impact

Research Shows We Need to Improve Project Risk Management

• Ibbs and Kwak (2000) show risk has the lowest maturity rating of all knowledge areas.
• KLCI (2001) study shows the benefits of following good software risk management practices.
• KPMG [1] study found that 55 percent of runaway projects (projects that have significant cost or schedule overruns) did no risk management at all.

[1] Cole, Andy, “Runaway Projects - Cause and Effects,” Software World, 26(3), pp. 3-5 (1995).

Project Management Maturity by Industry Group and Knowledge Area [1]

KEY: 1 = LOWEST MATURITY RATING, 5 = HIGHEST MATURITY RATING

Knowledge Area    Engineering/   Telecommunications  Information  Hi-Tech
                  Construction                       Systems      Manufacturing
Scope             3.52           3.45                3.25         3.37
Time              3.55           3.41                3.03         3.50
Cost              3.74           3.22                3.20         3.97
Quality           2.91           3.22                2.88         3.26
Human Resources   3.18           3.20                2.93         3.18
Communications    3.53           3.53                3.21         3.48
Risk              2.93           2.87                2.75         2.76
Procurement       3.33           3.01                2.91         3.33

[1] C.W. Ibbs and Y. H. Kwak. “Assessing Project Management Maturity,” Project Management Journal (March 2000).

Benefits from Software Risk Management Practices [1]

[Figure: bar chart; vertical axis 0% to 100%; bar values 80%, 60%, 47%, 47%, 43%, 35%, 6%]

[1] P. Kulik and C. Weber, “Software Risk Management Practices – 2001,” KLCI Research Group (August 2001).

Risk As A Trade-Off

• Oftentimes we take risks to save money or time
  • There is a possibility of having to buy another item or redo the same job
  • … or, at least, suffer greater stress levels
• Trade-offs can be identified with time, money, quality
• The consequences of some risks may be more severe than others (ex. nuclear power plant control system)
• Personal views on risk play a role: some people are more prone to make risky decisions than others

Risk Utility

• Risk utility or risk tolerance is the amount of satisfaction or pleasure received from a potential payoff.
  • Utility decreases (their tolerance is lower) for people who are risk-averse – even if the payoff is larger.
  • Those who are risk-seeking have a higher tolerance for risk and their satisfaction increases when more payoff is at stake.
  • The risk-neutral approach achieves a balance between risk and payoff.

Risk Utility Function and Risk Preferences

[Figure: Risk Utility Function and Risk Preferences]

Risk Management Processes

• Risk Management planning
  • Deciding how to approach and plan the risk management activities for the project.
• Risk Identification
  • Determining which risks are likely to affect a project and documenting the characteristics of each.
• Risk Analysis
  • Prioritizing risks based on their probability and impact of occurrence.
  • Estimating the effects of risks on project objectives.

Risk Management Processes (2)

• Risk Response Planning
  • Taking steps to enhance opportunities and reduce threats to meeting project objectives.
• Risk Monitoring and Control
  • Monitoring identified risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies throughout the life of the project.

Risk Management Planning

• The main output of risk management planning is a Risk Management Plan – a document that outlines the procedures for managing risk throughout a project.
• The project team should review project documents and understand the approach to risk taken by the organization and the sponsor.

Typical Risk Management Plan

• Methodology
• Roles and responsibilities
• Budget and schedule
• Risk categories
• Risk probability and impact
• Risk documentation
  • Creation and maintenance of a Risk Log

Other Plans and Reserves

• Contingency plans are predefined actions that the project team will take if an identified risk event occurs.
• Fallback plans are developed for risks that have a high impact on meeting project objectives, and are put into effect if attempts to reduce the risk are not effective.
• Contingency reserves or allowances are provisions held by the project sponsor or organization to reduce the risk of cost or schedule overruns to an acceptable level.

Risk identification

• Key Risk Symptoms
  • the elements of the project likely to indicate that something is going wrong
• At this stage, we need to know the outcome of the risk, so that it can be quantified in the next stage of the analysis

Broad Categories of Risk

• Market risk – Is this a new product? Will people use it and buy it? Is there competition for it?
• Financial risk – Can the organization afford to do this project? Is there confidence in financial projections?
• Technology risk – Technically feasible? Easily obsolete? Mature/leading-edge/bleeding edge technology?
• People risk – People have appropriate skills? Does management support it? Good sponsor relationship?
• Structure/process risk – Changes existing procedures? Does it need to interact with other systems?

Potential Negative Risk Conditions Associated With Each Knowledge Area

Knowledge Area: Risk Conditions
Integration: Inadequate planning; poor resource allocation; poor integration management; lack of post-project review
Scope: Poor definition of scope or work packages; incomplete definition of quality requirements; inadequate scope control
Time: Errors in estimating time or resource availability; poor allocation and management of float; early release of competitive products
Cost: Estimating errors; inadequate productivity, cost, change, or contingency control; poor maintenance, security, purchasing, etc.
Quality: Poor attitude toward quality; substandard design/materials/workmanship; inadequate quality assurance program
Human Resources: Poor conflict management; poor project organization and definition of responsibilities; absence of leadership
Communications: Carelessness in planning or communicating; lack of consultation with key stakeholders
Risk: Ignoring risk; unclear assignment of risk; poor insurance management
Procurement: Unenforceable conditions or contract clauses; adversarial relations

Common Sources of Risk in Information Technology Projects

• Several studies show that IT projects share some common sources of risk.
• After CHAOS, the Standish Group developed an IT success potential scoring sheet based on potential risks
  • Consisted of a questionnaire whose responses relate to identified project success criteria
  • Scales based on Yes answers to questions were used to identify how well a project satisfies the criteria

Information Technology Success Potential Scoring Sheet

Success Criterion                  Relative Importance
User Involvement                   19
Executive Management support       16
Clear Statement of Requirements    15
Proper Planning                    11
Realistic Expectations             10
Smaller Project Milestones         9
Competent Staff                    8
Ownership                          6
Clear Visions and Objectives       3
Hard-Working, Focused Staff        3
Total                              100

Expert Judgment

• Many organizations rely on the intuitive feelings and past experience of experts to help identify potential project risks.
• Experts can categorize risks as high, medium, or low with or without more sophisticated techniques.
• Can also help create and monitor a watch list, a list of risks that are low priority, but are still identified as potential risks.

Categorizing Identified Risks

[Figure: Categorizing Identified Risks]

Another Method

• Use techniques that have been found to be effective in other projects

Score each Top 10 Risk Driver from 1 (Low Risk) to 3 (High Risk)

[Figure: Top 10 Risk Driver scoring]

Copyright © 2003 by Robert K. Wysocki, Rudd McGary. All rights reserved.

Risk Breakdown Structure

• A Risk Breakdown Structure is a hierarchy of potential risk categories for a project.
• Similar to a WBS but used to identify and categorize risks.

Sample Risk Breakdown Structure

IT Project
  Business: Competitors; Suppliers; Cash flow
  Technical: Hardware; Software; Network
  Organizational: Executive support; User support; Team support
  Project Management: Estimates; Communication; Resources


Risk Analysis

• Just how risky is an event or activity?
  • Analysis in terms of likelihood (probability) and the extent of the effects
• Some projects fail because of risks that were not initially identified
  • Therefore, a third factor to consider is risk “hideability” – the ability of a party to conceal the fact that things are going wrong with part of the project

Expected Value

• Expected value of an identified event is the value of the possible outcome multiplied by the probability of its occurrence
  • Project A: 50% chance, $200 million return
  • Project B: 70% chance, $150 million return
• Decision?
  • Project B ($100 million for A vs. $105 million for B)
• The same kind of reasoning can be applied to risks

Failure Mode Effect Analysis

• For each activity on the critical path, look at their likelihood, severity, and hideability
  • Rate each of these on a scale from 1 to 10
  • Total risk for an activity is the product of the three
• Ex. Consider the risk of a SW development activity:

Activity                 Likelihood  Severity  Hideability  Total
In-House Development     8           2         2            32
Outsourced Development   6           2         7            84

Probability/Impact Matrix

• A Probability/Impact Matrix or Chart lists the relative probability of a risk occurring on one side of a matrix and the relative impact of the risk occurring on the other.
• List the risks and then label each one as high, medium, or low in terms of its probability of occurrence and its impact if it did occur.
• Can also calculate risk factors:
  • Numbers that represent the overall risk of specific events based on their probability of occurring and the consequences to the project if they do occur.

Sample Probability/Impact Matrix

[Figure: Sample Probability/Impact Matrix]

Monte Carlo Simulation

• Uses a range of values (or probability distribution) for each variable
• A number of random values within a given range (or fitting the given distribution) is generated; the value of the project/risk is then calculated
• After a number of runs, results are analyzed to obtain the mean and standard deviation
• Computer facilities are (obviously!) needed

Sensitivity Analysis

• Similar to PERT, only we use equal deviations above and below the expected value (10% is quite common) and calculate the resulting values
• Note that changes need not go in the same direction
• Consider a project with revenue of $1,200 that requires:
  • $600 of materials
  • $200 of labour
  • $350 of overhead costs
• Profit = revenue - materials - (labour + overhead)
         = $1,200 - 600 - (200 + 350)
         = $50

Sensitivity Analysis

• Note that any of our original numbers may change, and they may not change in the way we’d like them to
• The following chart shows how the profit varies with changes in material and labour & overhead costs

                                    Materials cost  Materials cost  Materials cost
                                    10% less        as expected     10% more
Labour & Overhead cost 10% less     165             105             45
Labour & Overhead as expected       110             50              -10
Labour & Overhead cost 10% more     55              -5              -65
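
Added example (not part of the original lecture): the sensitivity chart above recomputed from the profit formula, followed by a Monte Carlo run over the same project as described on the Monte Carlo Simulation slide. The uniform ±10% cost distributions, the run count, the seed, the probability-of-loss figure and all function names are assumptions made for this illustration.

```python
import random
import statistics

# Figures from the lecture's sensitivity-analysis example.
REVENUE = 1200
MATERIALS = 600
LABOUR_OVERHEAD = 200 + 350


def profit(materials, labour_overhead, revenue=REVENUE):
    """Profit = revenue - materials - (labour + overhead)."""
    return revenue - materials - labour_overhead


def sensitivity_grid(deviation=0.10):
    """Profit for each combination of -dev / expected / +dev cost changes.

    Rows: labour & overhead factor; columns: materials factor.
    """
    factors = (1 - deviation, 1.0, 1 + deviation)
    return [
        [round(profit(MATERIALS * m, LABOUR_OVERHEAD * lo)) for m in factors]
        for lo in factors
    ]


def monte_carlo(runs=100_000, deviation=0.10, seed=4050):
    """Sample both costs independently and summarise the resulting profit.

    Assumption (not from the lecture): each cost is uniformly distributed
    within +/- deviation of its expected value.
    """
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    results = []
    for _ in range(runs):
        m = rng.uniform(MATERIALS * (1 - deviation), MATERIALS * (1 + deviation))
        lo = rng.uniform(LABOUR_OVERHEAD * (1 - deviation),
                         LABOUR_OVERHEAD * (1 + deviation))
        results.append(profit(m, lo))
    return {
        "mean": statistics.fmean(results),
        "stdev": statistics.stdev(results),
        "p_loss": sum(r < 0 for r in results) / runs,  # share of runs with a loss
    }


if __name__ == "__main__":
    for row in sensitivity_grid():
        print(row)
    print(monte_carlo())
```

The nine-cell chart shows only the corner and centre cases; the simulation adds the spread of outcomes between them and how often the project ends in a loss under the assumed distributions.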

Risk Response Planning

Different approaches exist:

• Ignore the risk
  • Good for small ones, bad for medium ones, …
• Avoid the risk: stay clear of, sidestep, pass up
• Transfer the risk
  • Many among the cheaper air tickets are non-refundable
  • Insurance against malpractice
  • Not so easy with IT (unfortunately)
  • Note: this does not absolve the project manager of all responsibilities
• Finally, we can …

Risk Response Planning

Accept the risk and …

• Prevent it: by taking steps to inhibit or thwart the risk
  • If the project life cycle spans into the next fiscal year, and there is a risk that new funds may not be allocated, getting ALL the funds in this fiscal year prevents the risk
• Mitigate it: define steps and actions to be taken so as to alleviate or lessen the risk
  • If there is a risk that a subcontractor will not deliver by a certain date, written commitments can be sought, or strong penalties can be put in the contract
• Use the contingency plan: what to do if the risk materializes

Example

• There is a resource (i.e. skilled people) shortage as a result of budget cuts and staff turnover
• Options
  • Ignore: not a viable option
  • Avoid: restructure the project (downsize)
  • Transfer: outsource the project
  • Accept: transfer resources, defer the project until people with critical skills become available

Risk Monitoring and Control

• Involves executing the risk management process to respond to risk events.
• Main outputs of risk monitoring and control are:
  • Requested changes.
  • Recommended corrective and preventive actions.
  • Updates to the risk log, project management plan, and organizational process assets.
• Workarounds are unplanned responses to risk events that must be done when there are no contingency plans.
