Project and Change

Management Week 8
21/03/2007

Risk Management Key concepts

Uncertainty
Risk
Threat
Opportunity

Common sources of project

uncertainty

Work scope
Quality of estimates
False Assumptions
Technological Novelty
User interface
Staff Productivity
Skill Levels
Management
(Sub)contractor
performance
Customers

Market Share
Competition
Inflation/exchange rates
Site conditions
Weather
Transportation logistics
Approvals/funding
Public relations
Extensive software
development

Where does risk come from?

All projects contain risk arising from
interactions between
Objectives
What must happen

Uncertainty
What might happen

What is a risk?
An uncertain event or set of circumstances
that, should it occur, will have an effect on
achievement of project objectives

Assessing two dimensions

Uncertainty: how likely?
Probability
High/Medium/low
% probability of occurence (1-99 %)

Effect on objectives: how bad or how good

Time delay or saving
Extra cost or reduction
Performance shortfall or enhancement
Reduced business benefits or improved

Defining Risk Management

The systematic process of identifying
analysing and responding to project risk. It
includes maximising . Positive events
and minimising.. Adverse events

Risk Management
Problems that havent happened yet
Why is it hard?
Some are wary of bearing bad news
No one wants to be the messenger
Or seen as a worrier

You need to define a strategy early in your

project

Risk Management
Should be about more than identifying risks
Process should include formal planning activity
Analysis to estimate the likelihood and predict
the impact of identified risks
A handling strategy
The ability to monitor the process
Goal: avoid a crisis
Risk Mgmt. vs. Project Mgt.
For a specific vs. all projects
Proactive vs. reactive

Project Risk
Characterized by:
Uncertainty (0 < probability < 1)
An associated loss (money, life, reputation, etc)
Manageable some action can control it

Risk Exposure
Product of probability and potential loss

Problem
A risk that has materialized

Types of Risks
Schedule Risks
Schedule compression (customer, marketing, etc.)

Cost Risks
Unreasonable budgets

Requirements Risks

Incorrect
Incomplete
Unclear or inconsistent
Volatile

Types of Risks
Quality Risks
Operational Risks
Most of the Classic Mistakes
Feature Creep
Requirements gold plating
Inadequate design
Silver bullet syndrome
Weak personnel

PMI risk management process

Risk management
planning

Risk
Identification

Risk monitoring
and control

Qualitative risk
assessment

Risk response
and Planning

Quantitative risk
analysis

Risk Management Processes

Risk management Planning deciding how to
approach and plan the risk management activities in a
project
Risk Identification determining which risks might
effect the project and documenting their characteristics
Qualitative risk analysis performing a qualitative
analysis of risks and conditions to prioritize their
effects on project conditions
Quantitative risk analysis measuring the probability
and consequences of risks and estimating their
implications for project objectives

Risk Management Processes

Risk response planning developing
procedures and techniques to enhance
opportunities and reduce threats to the
projects objectives
Risk monitoring and control monitoring
residual risk, identifying new risks,
executing risk reduction plans, and
evaluating their effectiveness throughout
the project lifecycle

Risk Management Planning

The process of deciding how to approach and
plan risk management activities for a project
Decisions cover:
Organisation and staffing
Appropriate methodologies
Tools and techniques

Ensure level, type and visibility of process

match:
Risk level of project
Importance of project to organisation

Output: Risk Management plan

Risk Management Plan

Defines level of risk process for each project
Example contents:

Methodology
Roles and Responsibilities
Timing
Thresholds
Reporting formats
Monitoring and reviews

Integral part of project plan revised throughout

project

Risk Identification
Aim to expose all knowable risks
Common risk id techniques

Brainstorming/ workshops/ SWOT

Prompt lists/ check lists
Baseline cost estimates
Plan/WBS decomposition
Schedule analysis
Interviews/ questionnaires
Assumptions/constraints analyais
Other techniques
Document review
Delphi groups/ NGT
Diagramming techniques

Evaluate the performance of past

projects
Identify past projects that have similarities
to the current project
Interview the project manager and key
contributors
Quantify the information received
Examine the project files and lessons
learned reports
Determine what lessons can be learned
and what risks should be considered

Review the project plan for sources

of potential risk
Prepare a requirement analysis so as to identify the
intrinsic risks to the project and filter out the projects with
unacceptably high risks
Determine to what extent the requirements of the project
fit in with the demonstrated competencies of the
organisation (i.e. achievability)
Determine too what extend the project relies on new or
unproven technology
Review the WBS for completeness
Review the accuracy for duration estimates for activities
on the critical path and activities with long durations

Review the project plan for sources

of potential risk
Review the assumptions about the actual
working time available to team members,
given their other responsibilities and
commitments
Review assumptions made about key
technical issues
Review the assumptions made in resource
planning
Create an overall list of potential risk areas

Identify potential risk events

Identify dependencies on individuals or
organisations outside the control of the project
organisation
Identify over reliance on unique or limited skill
sets
Identify milestones for the demonstration of new
or unproven technology
Identify key customer approval milestones
Identify potential risk events from the world at
large that could impact the project
Create an overall list of risk events

Monitor project performance for risk

symptoms
Identify actions or events during the
execution of the project which invalidate
assumptions made during project planning
Identify symptoms of unanticipated risk
List these symptoms of risk for team
evaluation and disposition

Provide inputs for other processes

Assess what elements of the project plan
the various risks impact
Determine the potential impact of risk
areas and events and make changes in
those areas as required
Make sure all identified risks are properly
evaluated and acted upon

Risk Assessment
Qualitative assessment

What is the risk?

Why might it occur?
How likely is it?
How bad /good might it be?
Does it matter?
What can we do?
When should we act?
Who is responsible?

Record in risk register

Quantitative Assessment
Modelling uncertainty
Simulate combined effects
of results
Predicting outcomes
Range, min/max, expected
Testing scenarios
Setting confidence limits
Identifying criticalities
Determining options

Model in software

Risk analyses based on information

that can cone from

Analyses of plans and related documents

Comparisons with similar systems
Experience and interviewing
Modelling and simulation
Relevant lessons-learned study
Results from test and prototype development
Sensitivity analysis of alternatives and inputs
Specialist and expert judgement

Probability Impact Matrix

VH
Probability

H
MED
L
VL
VL

L
IMPACT

MED

VH

Probability Impact Matrix

Define scales then rank each risk in both
directions
Determine size and relative importance of
risks
Red = urgent, Yellow = monitor, Green =
OK
For both threats and opportunities

Example project specific scales

RANK PROB

TIME

COST

PERFORMANCE

VH

71-99%

>12 weeks

<1000k

Effect on overall
functionality

51-70%

7-12 weeks

500 1000k

Major effect on key

parameters

MED

31-50%

3-6 weeks

250-500k

Minor effect on key

parameters

11-30%

1-2 weeks

100-250k

Effect on > 1 minor

parameters

VL

1-10%

< 1 week

< 100k

Effect on 1 minor
parameter

Nil

No change

No change

No change in
performance

Quantitative techniques
Sensitivity analysis determines which risks have
the most overall risk on the project. Determines
extent to which uncertainty of one element
effects the objective when all other uncertain
elements are held at baseline values
Decision Tree analysis Diagram that describes a
decision under consideration and the implication
of choosing one or another of the alternatives
Simulation e.g. Monte Carlo simulation

Decision Trees and Expected

Monetary Value (EMV)
A decision tree is a diagramming method
used to help you select the best course of
action in situations in which future
outcomes are uncertain
EMV is a type of decision tree where you
calculate the expected monetary value of
a decision based on its risk event
probability and monetary value

Expected Monetary Value (EMV)

Example

Risk response development

Identify risk prevention activities
Avoidance also referred to as risk abatement reduces
the possibility that a risk will occur
Mitigation (control) the activities that are involved here
reduce the consequences of the risk should it occur
( does not try to eliminate the source of the risk)
Assumption (also known as acceptance) the active
acknowledgement of the existence of a particular risk
situation and a conscious decision to accept the
associated level of risk
Transfer - the risk is shared with or completely
transferred to others by the user of insurance or warranty

Risk control examples

Early prototyping
Alternative design
Incremental development design with
the intention of upgrading system parts in
the future
Use of standard items/ software reuse
Reviews walkthroughs and inspections

Risk Response Implement Plan

Identify the occurrence of an actual risk that was
identified in the risk management plan
Decide if the planned contingency action is still
appropriate and modify as needed
Communicate the occurrence of the risk event
and planned action to affected stakeholders
Take the contingent action and monitor results

Risk Response- Identify other risks

Identify additional sources of risk that were
not planned in the original risk
management plan
Estimate likelihood of occurrence and
potential impact
Define appropriate preventive and
contingent actions
Assign ownership for all risk-related
actions

Inform stakeholders
Determine the required level of
stakeholders in risk quantification and
planning
Inform stakeholders of the newly identified
risks and response plans
Involve stakeholders in risk quantification
and planning to the extent needed

Risk response -documentation

Document all actions taken in response to anticipated risks,
along with the results of such actions, and include as part of
the project file
Define the activities involved with preventive actions planned
for newly identified risks
Identify activity dependencies and sequencing of preventive
actions
Estimate the durations of preventive actions
Estimate the additional resource requirements and cost
impacts, if any of the preventive actions
Update the project schedule and related documents with
estimates from all preventive actions
Update the risk management plan with preventive and
contingency actions

Risk response take preventive

actions
Review the updated project schedule with
the team and ensure activity owners are
defined for all preventive actions
Execute preventive actions
Report progress on all preventive actions

Risk responses examples

Procurement acquiring goods and services
from outside the immediate project organisation
is often an appropriate response to some kind
of risks
Contingency plans delineate the action steps
to be taken if an identified risk should occur (risk
mitigation)
Alternative strategies risk events are often
prevented are avoided by changing the planned
approach (risk abatement)
Insurance (risk transfer)

Selecting the appropriate risk

response mechanism
Magnitude of risk
Project managers tolerance for risk
Procedural requirements of the project management
methodology
Organisational culture
Existence of alternatives or possibly lack of options
Length of exposure to risk
Amount and quality of information on the actual hazards
that caused the risk
Amount and quality of information on the magnitude of
the damage

Selecting the appropriate risk

response mechanism
Can the strategy be feasibly implement ed and still meet
the users needs ?
What is the expected effectiveness of the handling
strategy in reducing program risk to an acceptable
level ?
Is the strategy affordable in terms of monetary value and
other resources ?
Is time available to develop and implement the strategy
and what effect does that have on the overall program
schedule ?
What effect does the strategy have on the systems
technical performance ?

Risk Response Planning

Using risk information to make decisions
Based on:

Type and nature of risk

Manageability
Impact severity
Resource availability
Cost-effectiveness

Identify:
Best owner for response
Appropriate response
Effective management action

Risk Monitoring and Control

Effective proactive management action

Adjust strategy
Take risks safely
Gain the benefits

Implementation Considerations
Which group of managers have responsibility for risk
management decision making ?
Which group owns and maintains the risk management
process?
Which group or individual is responsible for risk
management training and assisting others in risk
management implementation?
Who identifies candidate risks?
How are risk analyses performed and approved?
How are risk handling plans developed and approved?
How are data for risk monitoring metrics collected?
How are independent risk reviews performed to ensure that
project risks are properly identified, analysed, handled and
monitored?

Risk Monitoring and Control

Monitor changes in risk exposure
Periodic risk reviews
New risks, closed risks, changes in assessment

Earned value analysis

Determine effectiveness of responses

Additional risk response planning

Assess effectiveness of risk process

External risk audits

Techniques used for risk monitoring

Earned Value: This uses standard cost/schedule
data to evaluate a programs cost performance
(and provides and indicator of schedule
performance) in an integrated fashion
Program Metrics: These are formal periodic
performance assessments of the selected
development process evaluating how well the
development process is achieving its objectives
Schedule performance monitoring
Technical performance measurement

Risk reviews
Essential because risk changes
Risks happen (opportunities and threats)
Risks are resolved
Risks time-out
Risks get better or worse
New risks emerge

Review/update risk exposure regularly

Check actions at project review meeting

Reporting risk
Basis for management action
Key risk themes
Trends changes and predictions
Recommended actions

Hard benefits of risk management

Better informed credible plans

Increased chance of success
More suitable contracts
Better assessment of contingency
Protects against unsound projects
Generates metrics for future projects
Objective comparison of alternatives
Identifies best risk owner

Soft benefits of risk manageemnt

Improves communication
Develops common understanding team spirit
Distinguishes between luck and management
Builds risk awareness
Focuses attention
Facilitates risk taking
Demonstrates professionalism
Exposes personnel issues

Shortfalls of risk management

GIGO
Lack of ownership
Boredom / complacency
Loss of momentum
tick in the box mentality

Cost of managing risk

Assessing risk
Addressing risk

Measuring effectiveness