1. Chapter 8
Managing Project Risk

2. Risk? Risk vs. Uncertainty
Although no one can predict the future with 100% accuracy, having a solid foundation (processes, tools, and techniques) can increase our confidence in these estimates (e.g., cell phone in 2000)
Keep in mind that the goal of risk management is not to avoid risks at all costs, but to make well informed decisions
Crisis Management – take a reactive approach after they have become problems (e.g., terrorist attacks, kidnappings)

3. PMBOK® Risk Management Processes
Plan Risk Management
Determining how to approach and plan the project risk management activities. An output of this process is the development of a risk management plan.
Identify Risks
Deciding which risks can impact the project. Risk identification generally includes many of the project stakeholders and requires an understanding of the project’s goal, as well as the project’s scope, schedule, budget, and quality objectives.
Perform Qualitative Risk Analysis
Focusing on a qualitative analysis concerning the impact and likelihood of the risks that were identified.
Perform Quantitative Risk Analysis
Using a quantitative approach for developing a probabilistic model for understanding and responding to the risks identified.
Plan Risk Responses
Developing procedures and techniques to reduce the threats of risks, while enhancing the likelihood of opportunities.
Monitor and Control Risks
Providing an early warning system to monitor identified risks and any new risks. This system ensures that risk responses have been implemented as planned and had the effect as intended.

4. Common Mistakes in Managing Project Risk
Not understanding the benefits of risk management (risks are often schedule, delays, budget overruns)
Not providing adequate time for risk management (at the earliest stages)
Not identifying and assessing risk using a standardized approach (overlook both Opportunities and Threats)

5. Effective & Successful Risk Management Requires
Commitment by all stakeholders (project sponsors/client, senior management, project manager, and project team)
Stakeholder responsibility
Different risks for different types of projects (each project has it own unique risk considerations)

6. Definitions Risk Project Risk Management (PMBOK®)
An uncertain event or condition that, if occurs, has a positive or negative effect on the project objectives.
Project Risk Management (PMBOK®)
Includes the processes of conducting risk management planning, identification, analysis, response planning, and monitoring and control on a project; most of these processes are updated throughout the project.
The objectives of Project Risk Management are to increase the probability and impact of positive events and decrease the probability and impact of events adverse to the project.

7. IT Project Risk Management Processes
SWOT
Prioritize Risks

8. Risk Planning
Requires firm commitment by all stakeholders to a RM approach
Assures adequate resources are in place <time, people, technology>
Focuses on preparation

9. IT Project Risk Identification Framework

10. Risk Identification Tools & Techniques
Learning Cycles - identify facts, assumptions
Brainstorming less structured
Nominal Group Technique - structured
Delphi Technique a group of experts
Interviews
Checklists structure tools
SWOT Analysis
Cause & Effect (a.k.a. Fishbone/Ishikawa)
Past Projects lessons learned from past

11. Nominal Group Technique (NGT)
Each individual silently writes their ideas on a piece of paper
Each idea is then written on a board or flip chart one at a time
in a round-robin fashion until each individual has listed all of his or her
ideas
The group then discusses and clarifies each of the ideas
Each individual then silently ranks and prioritizes the ideas
The group then discusses the rankings and priorities
Each individual ranks and prioritizes the ideas again
The rankings and prioritizations are then summarized for the group

12. Risk Check List RiRsk Check List
Funding for the project has been secured
Funding for the project is sufficient
Funding for the project has been approved by senior management
The project team has the requisite skills to complete the project
The project has adequate manpower to complete the project
The project charter and project plan have been approved by senior management or the project sponsor
The project’s goal is realistic and achievable
The project’s schedule is realistic and achievable
The project’s scope has been clearly defined
Processes for scope changes have been clearly defined

13. SWOT Analysis

14. Cause & Effect Diagram

15. Risk Analysis & Assessment
Risk = f(Probability * Impact)
Risk assessment focuses on prioritizing risks so that
an effective strategy can be formulated for those risks
that require a response.
Can’t respond to all risks!
Depends on Stakeholder risk tolerances

16. Risk Analysis & Assessment Qualitative Approaches
Expected Value & Payoff Tables
Decision Trees
Risk Impact Table & Ranking
Tusler’s Risk Classification
Which risks require a response?

17. Payoff Table The Expected Value Payoff A B A*B Schedule Risk
Payoff Table A B
A*B
Schedule Risk
Probability
Payoff
(In thousands)
Prob * Payoff
Project completed 20 days early 5%
$ 200
$10
Project completed 10 days early
20%
$ 150
$30
Project completed on Schedule
50%
$ 100
$50
Project completed 10 days late
$ - $0
Project completed 20 days late
$ (50)
($3)
100%
$88
The
Expected
Value

18. Decision Tree Analysis

19. IT Project Risk Impact Analysis
Risk Impact Table
IT Project Risk Impact Analysis %
0-10
P*I
Risk (Threats)
Probability
Impact
Score
Key project team member leaves project
40% 4
1.6
Client unable to define scope and requirements
50% 6
3.0
Client experiences financial problems
10% 9
0.9
Response time not acceptable to users/client
80%
4.8
Technology does not integrate with existing application
60% 7
4.2
Functional manager deflects resources away from project
20% 3
0.6
Client unable to obtain licensing agreements 5%
0.4

20. Risk Rankings Risk (Threats)
Risk Rankings
Risk (Threats)
Ranking
Response time not acceptable to users/client 1
Technology does not integrate with existing application 2
Client unable to define scope and requirements 3
Key project team member leaves project 4
Client experiences financial problems 5
Functional manager deflects resources away from project 6
Client unable to obtain licensing agreements 7

21. Risk Analysis & Assessment Quantitative Approaches
Quantitative Probability Distributions
Discrete
Binomial
Continuous
Normal
PERT
TRIANG

22. Binomial Probability Distribution

23. Normal Distribution

24. Normal Distribution Rules of thumb with respect to observations
Approximately….
68% + 1 standard deviations of mean
95% + 2 standard deviations of the mean
99% + 3 standard deviations of the mean

25. PERT Distribution PERT MEAN = (a + 4b + c)/6 Where:
a = optimistic estimate
b = most likely
c = pessimistic

26. PERT Distribution

27. Triangular Distribution
TRIANG Mean = (a+b+c)/3

28. Simulations Monte Carlo
Technique that randomly generates specific values for a variable with a specific probability distribution
Goes through a number of trials or iterations and records the outcome
@RISK®
An MS Project® add in that provides a useful tool for conducting risk analysis of your project plan

29. Monte Carlo Simulation

30. Cumulative Probability Distribution

31. Sensitivity Analysis Using a Tornado Graph

32. Risk Strategies Accept or Ignore Avoidance Mitigate Transfer
Management Reserves
Released by senior management
Contingency Reserves
Part of project’s budget
Contingency Plans
Avoidance
Mitigate
Reduce the likelihood or impact (or both)
Transfer
E.g. insurance

33. Risk Strategies Depend On
The nature of the risk
Really an opportunity or threat?
Impact on MOV and project objectives
Probability? Impact?
Project constraints
Available resources?
Risk tolerances or preferences of the project stakeholders

34. Risk Monitoring & Control
Risk Audits
External to project team
Risk Reviews
Internal
Risk Status Meetings & Reports

35. Risk Response Plan should include:
A trigger which flags that the risk has occurred
An owner of the risk (i.e., the person or group responsible for monitoring the risk and ensuring that the appropriate risk response is carried out)
A response based on one of the four basic risk strategies
Adequate resources

36. Risk Evaluation Lessons learned and best practices help us to:
Increase our understanding of IT project risk in general.
Understand what information was available to managing risks and for making risk-related decisions.
Understand how and why a particular decision was made.
Understand the implications not only of the risks, but also the decisions that were made.
Learn from our experience so that others may not have to repeat our mistakes.