Planning for Risk and Change Geoff Leese Sept 1999 revised Sept 2001, Jan 2003, Jan 2006, Jan 2007, Jan 2008, Dec 2008 (special thanks to Geoff Leese)

Risk and risk management n Much “risk management” focussed on Health and Safety risks these days n Topic is much bigger than that ä Business risk ä Security risk ä Business continuity

Introduction n Is it worth doing? ä Cost/benefit analysis n What might affect it if we go ahead? ä Risk management

Cost-benefit analysis (1) n Cashflow projection n Payback period ä Time taken to “break even” n Return on Investment (Accounting Rate of Return) ä average annual profit/total investment*100

Cost-benefit analysis (2) n Present value ä value in year t/(1+r) t ä “r” is discount rate as decimal value n Discount factor tables are available! n Net Present Value of a project (NPV) ä Sum of discounted values of all cashflows for that project

Assessment of risk “Risky” projects less likely to start. Apply “Risk premium” to discount rates for NPV

Expected Value Weighted average of all possible outcomes. A useful measure for comparing contracts!

Risk Profile Analysis n Sensitivity analysis ä Vary each factor (in turn) by + or - 5% ä Recalculate costs/benefits ä Indicates sensitivity of project to each factor ä Helps with risk assessment n Monte Carlo Method? (see Cotterill. & Hughes Chap 7)

Decision trees (1) Improve or replace machinery? Market will expand, or not expand? D Improve Replace Expansion No expansion NPV (£) -100,000 75, , ,

Decision trees (2) n Improve - ä (0.2*-100,000) +(0.8*75,000) ä =£25,600 n Replace ä (0.2*250,000) + (0.8*-50,000) ä =£10,000 n Therefore choose Improvement !

Project Evaluation n Evaluate on economic,strategic and technical grounds n Assess all costs & income over lifetime of project n Discount accordingly n Allow for uncertainty! n Evaluate expected outcomes and choose strategies

Risk management (1) n Estimation errors ä Use historical data and keep records! n Planning assumptions ä State, and be prepared to revise them! n Eventualities ä Identify, and deal with them!

Risk management (2) n Hazard identification n Risk analysis n Risk prioritisation n Risk reduction n Risk monitoring

Hazard identification n Contract Factors (is it special or different?) n Customer Factors n Staff Factors n Project Methods n Technology Factors n Changeover Factors n Supplier Factors n Environment Factors Consider for each phase or product!

Risk Analysis (1) n Risk Value = Likelihood * Impact n Impact expressed as monetary values? ä Likely to be difficult or impossible! n Likelihood AND impact expressed using “arbitrary scale “ (1-10) n Most likely - 10, least likely - 1 n Highest impact -10, lowest impact - 1

Risk Analysis (2)

Risk Prioritisation n Prioritise by risk value? n Consider ä Confidence in assessment ä Compound risks ä Number of risks ä Cost of action n Risk Reduction Leverage (RRL) ä = (RV(before) - RV(after))/risk reduction cost ä Use the same units!

Risk Reduction (1) n Hazard prevention n Likelihood reduction n Risk avoidance n Risk transfer n Contingency planning

Risk Reduction (2) n Personnel shortfalls ä get the best, job matching, early scheduling, personal development, team building n Unrealistic estimating ä multiple estimates, use of different techniques, standardisation of methods, use of historical data

Risk Monitoring n Assign INDIVIDUALS to monitor risks n Part of “change plan” n Use PERT techniques to assess potential effects of uncertainties on project schedule ä 3 way estimating ä Activity standard deviations ä Probability & “Z” values” (Cott. & Hughes)

Evaluation and Review n Projects should be reviewed on completion n The risk management plan should be reviewed at the end of the project. ä Risks were successfully foreseen? ä Contingencies were properly planned for? ä Lessons to be learnt? ä Improvements to be made? ä should be built into the risk management plan

Change Control Plan n Vital part of the project plan n Changes are almost inevitable Example: the client originally asked for sweetcorn on all sandwiches but now wants sweetcorn on tuna only. What changes will need to be made? n Project roles should include a Project Librarian, responsible for logging change requests and responses.

Controlling Change n Risk of “scope creep” n One big change? Lots of little ones? n Poorly documented changes make maintenance and enhancement difficult n May comprise the integrity of the design n May comprise the profitability and deliverability of the contract

Change Control Plan n Change Request (CRF) n Change Specification n Change Analysis n Costing & feasibility n Change decision (Change Control Board) n Change implementation & documentation

And the downside - n Perceived as bureaucratic, expensive & time-consuming n Likely to annoy users and may affect their relationship with the company. n Will definitely annoy production staff. n Restricts responsiveness to user needs n Emphasises costs and control rather than user needs

Summary n Project evaluation ä should we do it? ä How should we do it? n Risk management - ä what COULD happen if we do? ä How will we cope if it does? n Change control

Further Reading ä ä Link to BSI risk management Link to BSI risk management