Information Technology Project Management – Third Edition By Jack T. Marchewka Northern Illinois University Copyright 2009 John Wiley & Sons, Inc. all rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.

Managing Project Risk Chapter 8

Managing Project Risk The baseline project plan is based on a number of estimates and assumptions Estimation implies uncertainty so managing the uncertainty is crucial to project success Project risk management is an important sub-discipline of software engineering Focuses on identifying, analyzing and developing strategies for responding to project risk efficiently and effectively The goal is to make well informed decisions as to what risks are worth taking and to respond to those risks in an appropriate manner Provides an early warning system for impending problems that need to be addressed or resolved

Common Mistakes in Managing Project Risk By not following a formal risk management approach, many projects end up in a perpetual crisis mode (firefighting) – reacting rather than being proactive Inability to make effective and timely decisions Not understanding the benefits of risk management Client wants results, not interested in how achieved . Managers take aggressive risks or may optimistically ignore risks which turn into threats to the project’s success Not providing adequate time for risk management Should not be treated as an add-on but integrated throughout the project life cycle Assess and plan for project risk in the earliest stages of the project

Common Mistakes in Managing Project Risk Not identifying and assessing risk using a standardized approach Can overlook both threats and opportunities Time and resources expended on problems that could have been avoided, opportunities will be missed Decisions will be made without complete understanding or information

Effective & Successful Risk Management Requires Commitment by all stakeholders Otherwise, the process will be sidestepped the moment a crisis arises and the project is in trouble Stakeholder responsibility Each risk must have an owner who will take responsibility for monitoring the project in order to identify any new or increasing risks and report them to the project sponsor Different risks for different types of projects You can not manage all projects and risks the same way, this can lead to disaster

Definitions Risk Project Risk Management (PMBOK®) An uncertain event or condition that, if occurs, has a positive or negative effect on the project objectives. Project Risk Management (PMBOK®) Includes the processes concerned with conducting risk management planning, identification, analysis, responses, and monitoring and control of a project; most of these processes are updated throughout the project. The objectives of project risk management are to increase the probability and impact of positive events and decrease the probability and impact of events adverse to the project.

PMBOK® Risk Management Processes Risk management planning Determining how to approach and plan the project risk management activities. An output of this process is the development of a risk management plan. Risk identification Deciding which risks can impact the project. Risk identification generally includes many of the project stakeholders and requires an understanding of the project’s goal, as well as the project’s scope, schedule, budget, and quality objectives. Qualitative risk analysis Focusing on a qualitative analysis concerning the impact and likelihood of the risks that were identified. Quantitative risk analysis Using a quantitative approach for developing a probabilistic model for understanding and responding to the risks identified. Risk response planning Developing procedures and techniques to reduce the threats of risks, while enhancing the likelihood of opportunities. Risk monitoring and control Providing an early warning system to monitor identified risks and any new risks. This system ensures that risk responses have been implemented as planned and had the effect as intended.

IT Project Risk Management Processes

Risk Planning Requires firm commitment by all stakeholders to a RM approach Assures adequate resources are in place to plan properly for and manage the various risks of the IT project Stakeholders also must be committed to the process Focuses on preparation Systematic preparation and planning can help minimize adverse effects on the project while taking advantage of opprotunities as they arise

Risk Identification Once commitment has been obtained and preparations have been made, the next step entails identifying the various risks to the project. Both threats and opportunities must be identified. They must be identified clearly so that the true problem, not just a symptom, is addressed. Causes and effects of each risk must be understood so that effective strategies and responses can be made. Project risks are rarely isolated, they tend to be interrelated and affect the project and its stakeholders differently.

Risk Assessment Once the project risks have been identified and their causes and effects understood, the next step requires that we analyze these risks. Answers to two basic questions are required: What is the likelihood of a particular risk occurring? What is the impact on the project if it does occur? Assessing these risks helps the project manager and other stakeholders prioritize and formulate responses to those risks that provide the greatest threat or opportunity to the project. Because there is a cost associated with responding to a particular risk, risk management must function within the constraints of the project’s available resources.

Risk Strategies The next step of the risk planning process is to determine how to deal with the various project risks. In addition to resource constraints, an appropriate strategy will be determined by the project stakeholders’ perceptions of risk and their willingness to take on a particular risk. Essentially, a project risk strategy will focus on one of the following approaches: Accept or ignore the risk. Avoid the risk completely. Reduce the likelihood or impact of the risk (or both) if the risk occurs. Transfer the risk to someone else (i.e., insurance).

Risk Strategies In addition, triggers or flags in the form of metrics should be identified to draw attention to a particular risk when it occurs. This system requires that each risk have an owner to monitor the risk and to ensure that resources are made available in order to respond to the risk appropriately. Once the risks, the risk triggers, and strategies or responses are documented, this document then becomes the risk response plan.

Risk Monitoring & Control Once the salient project risks have been identified and appropriate responses formulated, the next step entails scanning the project environment so that both identified and unidentified threats and opportunities can be followed, much like a radar screen follows ships. Risk owners should monitor the various risk triggers so that well informed decisions and appropriate actions can take place. Risk Response Provides a mechanism for scanning the project environment for risks, but the risk owner must commit resources and take action once a risk threat or opportunity is made known. This action normally follows the planned risk strategy

Risk Evaluation Responses to risks and the experience gained provide keys to learning . A formal and documented evaluation of a risk episode provides the basis for lessons learned and lays the foundation for identifying best practices. This evaluation should consider the entire risk management process from planning through evaluation. It should focus on the following questions: How did we do? What can we do better next time? What lessons did we learn? What best practices can be incorporated in the risk management process? The risk planning process is cyclical because the evaluation of the risk responses and the risk planning process can influence how an organization will plan, prepare, and commit to IT risk management.

IT Project Risk Identification Framework

IT Project Risk Identification Framework At the core of the framework is the MOV Next layer includes the project objectives – scope, budget, schedule and quality. They play a critical role in supporting the MOV The third layer focuses on the sources of IT project risk The next layer focuses on whether the risks are internal or external If a team member is not properly trained to use a technology, the risk can be mitigated or avoided by additional training or assigning the task to a more experienced team member A PM may not be accountable for project cancellation if the project sponsor went bankrupt A poorly performing external vendor is still the responsibility of the PM if s/he chose that vendor

IT Project Risk Identification Framework The fifth layer includes known risks, known-unknown risks and unknown-unknown risks Known: events that are going to occur Known-unknown: identifiable uncertainty You pay an electricity bill each month, but the amount changes based on usage Unknown-unknown: known only after they occur

IT Project Risk Identification Framework The final layer shows that though risk management is critical at the start of a project, vigilance for opportunities and problems is required throughout the entire project life cycle

Applying the IT Project Risk Identification Framework The framework can be used to understand a risk after it occurs Vendor is hired to develop a BI system, client is sued and has to cut back on project. Due to importance of project, break it into two phases (basic and bells-and-whistles). Threat occurred in Develop Project Charter and Project Plan Phase Unknown-unknown risk External risk, PM and project team not responsible Sources of risk – environment (economic), organizational (client) and people (if management is to blame) Impact on scope, budget and schedule MOV changes due to phased approach

Applying the IT Project Risk Identification Framework The framework can be used to proactively identify IT risks Start from the outer core of the framework, analyzing the WBS and work packages to identify risks for each work package under the various project phases Categorize known/unknown types Categorize external/internal Identify sources of risk (may be inter-related) Assess how a particular risk will impact the project objectives and in turn the MOV See paper on website “Performing a Project Premortem” Can also be used going from inner core and working out

Risk Identification Tools & Techniques Learning Cycles Identify facts (what is known), assumptions (what they think they know) and research (things to find out) to identify various risks Brainstorming Use IT risk framework and the WBS to identify risks Nominal Group Technique Structured technique for identifying risks that attempts to balance and increase participation Ideas discussed, prioritized, priorities discussed, prioritized again and summarized Delphi Technique Group of experts assembled to identify potential risks and their impact on the project

Risk Identification Tools & Techniques Interviews Gain alternative opinions from stakeholders about risks Checklists Structured tool for identifying risks that have occurred in the past Be aware of things not on the list SWOT Analysis Strengths, weaknesses, opportunities and threats Identify threats and opportunities as well as their nature in terms of the project or organizational strengths and weaknesses Cause & Effect (a.k.a. Fishbone/Ishikawa) Can be used to for understanding the causes and factors of a particular risk as well as its effects Past Projects Lessons learned from earlier projects

Nominal Group Technique (NGT) Each individual silently writes their ideas on a piece of paper Each idea is then written on a board or flip chart one at a time in a round-robin fashion until each individual has listed all of his or her ideas The group then discusses and clarifies each of the ideas Each individual then silently ranks and prioritizes the ideas The group then discusses the rankings and priorities Each individual ranks and prioritizes the ideas again The rankings and prioritizations are then summarized for the group

Risk Check List Funding for the project has been secured Funding for the project is sufficient Funding for the project has been approved by senior management The project team has the requisite skills to complete the project The project has adequate manpower to complete the project The project charter and project plan have been approved by senior management or the project sponsor The project’s goal is realistic and achievable The project’s schedule is realistic and achievable The project’s scope has been clearly defined Processes for scope changes have been clearly defined

Cause & Effect Diagram

Risk Analysis & Assessment Risk = f(Probability * Impact) Risk analysis – determine each identified risk’s probability and impact on the project Risk assessment - focuses on prioritizing risks so that an effective strategy can be formulated for those risks that require a response. Can’t respond to all risks! Depends on Stakeholder risk tolerances

Risk Analysis & Assessment Qualitative Approaches Expected Value & Payoff Tables Determine return or profit the project will return Decision Trees Graphical view of various decisions and outcomes Risk Impact Table & Ranking Analyze and prioritize various IT project risks Tusler’s Risk Classification

Expected Value & Payoff Tables     Expected Value & Payoff Tables Expected value is an average, taking into account the probability and impact of various outcomes Expected return on the project   A B A*B Schedule Risk Probability Payoff (In thousands) Prob * Payoff Project completed 20 days early 5% $ 200 $10 Project completed 10 days early 20% $ 150 $30 Project completed on Schedule 50% $ 100 $50 Project completed 10 days late $ - $0 Project completed 20 days late $ (50) ($3) 100% $88 The Expected Value

Decision Trees $10,000+. 05*$2,000 Least cost but small probabiltiy of success

Risk Impact Table 0 - 100% 0-10 P*I Risk (Threats) Probability Impact   Risk Impact Table   0 - 100% 0-10 P*I Risk (Threats) Probability Impact Score Key project team member leaves project 40% 4 1.6 Client unable to define scope and requirements 50% 6 3.0 Client experiences financial problems 10% 9 0.9 Response time not acceptable to users/client 80% 4.8 Technology does not integrate with existing application 60% 7 4.2 Functional manager deflects resources away from project 20% 3 0.6 Client unable to obtain licensing agreements 5% 0.4

Risk Rankings Risk (Threats)   Risk Rankings Risk (Threats) Ranking Response time not acceptable to users/client 1 Technology does not integrate with existing application 2 Client unable to define scope and requirements 3 Key project team member leaves project 4 Client experiences financial problems 5 Functional manager deflects resources away from project 6 Client unable to obtain licensing agreements 7

Risk Analysis & Assessment Qualitative Approaches Tusler’s Risk Classification Risk scores can be further analyzed using the following quadrants Kittens – low probability of occurring and low impact. Don’t spend much time or resources on them whether positive or negative Puppies – low impact but high probability of occurring. Must be watched so corrective action can be taken before they get out of hand Tigers – high impact and high probability. Deal with them tout de suite. Alligators – low probability but high impact if they get loose. Make sure you know where they are

Tusler’s Risk Identification Scheme Tusler’s Risk Classification Tusler’s Risk Identification Scheme Can be troublesome Must be neutralized Low prob/low impact Not a problem (if you know where they are)

Risk Analysis & Assessment Quantitative Approaches Quantitative Probability Distributions Discrete Binomial Continuous Normal PERT TRIANG

Binomial Probability Distribution Discrete Probability Distribution

Normal Distribution Continuous Probability Distribution Useful when an event has an infinite number of possible values in a state range

Normal Distribution Properties Distribution shaped by its mean (μ ) and standard deviation (σ) Probability is associated area under the curve . Area between any two points is obtained via a z score z=(x- μ)/σ Since the normal distribution is symmetrical around the mean, outcome between - and μ has the same prob of falling between μ and  Rules of thumb with respect to observations Approximately…. 68% + 1 standard deviations of mean 95% + 2 standard deviations of the mean 99% + 3 standard deviations of the mean

PERT Distribution PERT MEAN = (a + 4m + b)/6 Where: a = optimistic estimate m = most likely b = pessimistic

PERT Distribution PERT Mean = (a + 4m + b)/6 Where: a = optimistic estimate m = most likely b = pessimistic

Triangular Distribution TRAING Mean = (a + m + b)/3 Where: a = optimistic estimate m = most likely b = pessimistic

Simulations Monte Carlo Technique that randomly generates specific values for a variable with a specific probability distribution Goes through a number of trials or iterations and records the outcome @RISK® An MS Project® add in that provides a useful tool for conducting risk analysis of your project plan Uses Monte Carlo simulation to show you many possible outcomes in your project – and tells you how likely they are to occur. You can determine which tasks are most important and then manage those risks appropriately. Helps you choose the best strategy based on the available information. http://www.palisade.com/riskproject/default.asp

Monte Carlo Simulation

Output From Monte Carlo Simulation 90 Output From Monte Carlo Simulation 90.4% chance of completing between 13.8 and 21.7 days

Cumulative Probability Distribution 40% chance of completing in 17 days

Sensitivity Analysis Using a Tornado Graph

Risk Strategies Depend On The nature of the risk Really an opportunity or threat? Impact on MOV and project objectives Probability? Impact? Project constraints Available resources? Risk tolerances or preferences of the project stakeholders

Risk Strategies Responses Accept or Ignore Management Reserves Released by senior management, usually not included in project’s budget Contingency Reserves Part of project’s budget Contingency Plans (Plan B) Disaster recovery plan in case of a natural disaster Avoidance – eliminate the risk from occurring Mitigate Reduce the likelihood or impact (or both) Transfer e.g. insurance, subcontract to someone who has more expertise

Risk Response Plan should include: A trigger which flags that the risk has occurred An owner of the risk (i.e., the person or group responsible for monitoring the risk and ensuring that the appropriate risk response is carried out) A response based on one of the four basic risk strategies Adequate resources

Risk Monitoring & Control Risk Audits External to project team Risk Reviews Internal but outside the project team Risk Status Meetings & Reports

Project Risk Radar Monitoring project risks is analogous to a radar scope where threat and opportunities may present themselves at different times over the project

Risk Evaluation Lessons learned and best practices help us to: Increase our understanding of IT project risk in general. Understand what information was available to managing risks and for making risk-related decisions. Understand how and why a particular decision was made. Understand the implications not only of the risks, but also the decisions that were made. Learn from our experience so that others may not have to repeat our mistakes.