
Project Risk Management: A Control Best Practices Perspective

University of Nebraska Lincoln
Operations Analysis
August 13, 2010



Purpose
Identify control best practices for managing project risk
Review Microsoft Excel Risk Assessment Template to assist in identifying & mitigating project risk

Agenda
Purpose
Agenda
Definition of Terms
Manage Projects
Why Project Risk Is Important
Project Risk Management
Risk Assessment Template
Summary

Definition of Terms
Risk: Possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. (Institute of Internal Auditors)

Definition of Terms (continued)


Control: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. (Institute of Internal Auditors)

Definition of Terms (continued)


COBiT: Control Objectives for Information and related Technology
IT governance and control framework
Designed to help optimize IT-enabled investments & ensure IT is successful in delivering business requirements
IT Processes: Thirty-four generally accepted IT activities. Covers IT responsibilities across lifecycle
o Example: PO10 Manage Projects
Contains tools to help fulfill business requirements

Definition of Terms (continued)


COBiT and PMBOK complement each other
PMBOK provides a model for project management that, whilst not IT-specific, addresses the requirements of PO10, Manage Projects.
COBiT complements PMBOK by providing IT-specific control requirements that address PMBOK process requirements at a more detailed level.
(COBiT Mapping: Mapping of PMBOK With COBiT 4.0, page 26)

Manage Projects
One of COBiT's 34 IT processes (Plan & Organize PO10)
A programme & project management framework for the management of all IT projects
o Ensures correct prioritization & coordination of all projects

(COBiT 4.1, page 67)

Manage Projects (continued)


Includes:
o Master plan
o Assignment of resources
o Definition of deliverables
o Approval by users
o Phased approach to delivery
o Quality Assurance
o Formal test plan
o Testing and post-implementation review after installation
(COBiT 4.1, page 67)

Manage Projects (continued)


This approach
o Reduces risk of unexpected costs & project cancellations
o Improves communications to & involvement of business & end users
o Ensures the value & quality of project deliverables
o Maximizes their contribution to IT-enabled investment programmes
(COBiT 4.1, page 67)


Manage Projects COBiT Control Objectives


#        Control Objective (High-level best practice requirements)
PO10.1   Programme Management Framework
PO10.2   Project Management Framework
PO10.3   Project Management Approach
PO10.4   Stakeholder Commitment
PO10.5   Project Scope Statement
PO10.6   Project Phase Initiation
PO10.7   Integrated Project Plan


Manage Projects Control Objectives (continued)


#        Control Objective (High-level best practice requirements)
PO10.8   Project Resources
PO10.9   Project Risk Management
PO10.10  Project Quality Plan
PO10.11  Project Change Control
PO10.12  Project Planning of Assurance Methods
PO10.13  Project Performance Measurement, Reporting & Monitoring
PO10.14  Project Closure

Why Project Risk Is Important


Numerous surveys indicate high percentage of projects
Did not meet target requirements
Experienced overruns in time or budget
Project risks are potential threats to the success of the project. (Gaulke, 2002)
Many risks associated with projects
Success or failure (of a project) ultimately depends on how project leadership manage the full range of technical and nontechnical issues. (Krigsman, 2008)


Why Project Risk Is Important Risk Examples


Integration
Inadequate planning (project & operations)
Poor resource allocation
Inadequate integration management
Poor user acceptance
o Example: Why are we doing this?
Business need not defined
Changes in IT infrastructure
Poor post-project reviews



Why Project Risk Is Important Risk Examples


Scope
Scope changes
o Example: Changes in user expectations

Requirements change
o Example: Additional features

Requirements not adequately defined


o Example: Security & auditing requirements not considered

Use of deliverable/solution not clearly defined


o Example: How will users use system?

Poorly defined metrics


o Example: How to measure project success?


Why Project Risk Is Important Risk Examples


Time
Timeline changes
Insufficient resources & time
Errors in time estimates
Poor time allocation
Changes in environment
o Examples: Competitive product released, regulatory changes


Why Project Risk Is Important Risk Examples (continued)


Cost
Funding uncertainty
Loss of funding
Errors in cost estimates
Price changes
Inadequate productivity
Inadequate contingency planning


Why Project Risk Is Important Risk Examples (continued)


Quality
Inadequate attention to quality
Substandard design
Inadequate quality assurance efforts
Poorly defined quality metrics
Changes in development tools
Production disruption


Why Project Risk Is Important Risk Examples (continued)


Human Resources
Poor project organization
o Examples: Are team members competent? Do they have proper skills?
Inadequate leadership (project manager, sponsor)
Loss of sponsor
Loss of key team members
Poor project attitude
o Example: We don't plan, we do


Why Project Risk Is Important Risk Examples (continued)


Human Resources (continued)
Team friction
Poor conflict resolution
Poor vendor management
Lack of user involvement in design, testing & implementation


Why Project Risk Is Important Risk Examples (continued)


Communications
Poor communication planning
Inadequate communications
Insufficient stakeholder involvement


Why Project Risk Is Important Risk Examples (continued)


Procurement
Technology may be immature
Wrong solution delivered
Insufficient/inadequate contract clauses
o Example: Security requirements or right-to-audit clause not included in contract
Contract clauses unenforceable
Poor relations with vendor


Why Project Risk Is Important Risk Examples (continued)


Risk
Undetected project risks
Lack of mitigating action for identified risks
Undetected project showstoppers
(IT Assurance Guide, page 108)


Project Risk Management


Action-oriented definition:
Eliminate or minimize specific risks associated with individual projects through a systematic process of planning, identifying, analyzing, responding to, monitoring and controlling the areas or events that have the potential to cause unwanted change. Risks faced by the project management process and the project deliverable should be established and centrally recorded.
(COBiT 4.1, page 68)

Project Risk Management is an essential element of managing a project.



Project Risk Management Benefits


Examples of business benefits that can result from managing project risk
Early identification of potential showstoppers when considering project feasibility & approval
Management able to identify & plan for contingencies & countermeasures to reduce risk impact
Clearly defined risk & issue owners
Mitigating actions monitored
Consistent & efficient approach for risk management within projects aligned to the organization's risk management framework

(IT Assurance Guide, page 108)



Project Risk Management Control Practices


Six Control Practices
Mechanisms (i.e., how, why, and what to implement for each control objective)


Project Risk Management Control Practices (continued)


#1 Establish a formal project risk management framework that includes identifying, analyzing, responding to, mitigating, monitoring, and controlling risks

Make risk management part of your project. (Jutte, 2008)



Project Risk Management Control Practices (continued)


#2 Assign appropriately skilled personnel the responsibility for executing the organization's project risk management framework within a project
Consider allocating this role to an independent team, especially if
o Objective viewpoint is required or
o Project is considered critical


Project Risk Management Control Practices (continued)


#3 Perform project risk assessment of identifying & quantifying risks continuously throughout the project
Sources of information:
o Project team members & project documentation
o Individuals & documentation external to project
o Current events

Manage & communicate risk appropriately within the project governance structure
o Include project risk on project team meeting agenda

Project Risk Management Control Practices (continued)


#4 Reassess project risks periodically, including
At entry into each major project phase
As part of major change request submissions


Project Risk Management Control Practices (continued)


#5 Identify risk and issue owners for responses to avoid, mitigate, transfer, or accept risks


Project Risk Management Control Practices (continued)


Action: Avoid Risk
Definition: Exit the activities or conditions that give rise to the risk. Do this when no other options are adequate
Examples: Terminate difficult team member; Terminate project; Do not use technology because it prevents future growth

Action: Mitigate Risk
Definition: Take action to detect, reduce frequency, and reduce impact of risk
Examples: Counsel difficult team member; Apply additional controls (e.g., increase monitoring, increase testing, apply stricter change management)

Action: Transfer Risk
Definition: Make someone else responsible for all or part of the risk
Examples: Obtain insurance; Have vendor perform high risk part of project

Action: Accept Risk
Definition: Take no action to avoid, mitigate, or transfer risk
Examples: Done when risk is known and management decides it is acceptable to accept risk


Project Risk Management Control Practices (continued)


#6 Maintain and review project risk register of all potential project risks
Maintain log of all project issues and their resolution
o Risk description
o Owner
o Cause & effect
o Priority
o Status
o How resolved

Analyze the log periodically for trends and recurring problems, to ensure root causes are corrected
o Assess specific issue
o Assess impact to entire project
(COBiT Control Practices, page 64)

Risk Assessment Template


Risk Assessment Template.xlsx
Location: http://oa.unl.edu/businessprocess/
Contains:
Template Overview & Definitions
Risk Assessment Steps
Blank Template
Samples

Flexible
Create own risk categories
Modify as appropriate

Risk Assessment Template (continued)


Risk Assessment Steps
Identify risks
Assess risks based on estimated impact & likelihood of occurrence
Identify points of contact to mitigate risk
Identify risk mitigation strategy
Identify monitoring in place
Review for accuracy
Reassess periodically

Summary
Project risk management is an essential element of managing a project
Should be done throughout project

There are several business benefits to managing project risk
There are a number of mechanisms project teams should employ to manage project risk


Questions?

