IT Project Risk See also Sommerville Chapter 22.1.


1 IT Project Risk See also Sommerville Chapter 22.1

2 Risk Management
Ideas of risk management originate in
- Probability theory
- Insurance mathematics
which seek to
- Quantify and control risk
- Make a net profit in the long term
- Not be ruined in the short term

3 Recall the definition of an expectation over a discrete probability distribution.
E = Σ_i p(event_i) * e(event_i)
e.g. tossing a fair coin: let event_1 = head, event_2 = tail
p(event_1) = 0.5, p(event_2) = 0.5
e(event_1) = +1€, e(event_2) = -1€

4 Expectation = (0.5 * 1) + (0.5 * -1) = 0.0
In the long term we make no gain or loss! But in the short term we might go bankrupt!

5 For each event ε_i we need to define:
(1) The impact e(ε_i) of ε_i as a gain or loss (financial, time etc …)
(2) The risk r(ε_i) associated with ε_i as the expression r(ε_i) = p(ε_i) * e(ε_i)

6 History
During the 1990s ideas of risk management spread from insurance to other industries such as
- Banking and finance
- Information technology
Especially through support of US legislation

7 Clinger-Cohen Act 1996
Information Technology Acquisition Reform Act
“… assessing and managing the risks of the IT acquisitions of executive (government) agencies …”
And later … Department of Defense (DoD) Directive 5000.1 (1996, 1999)

8 Capability Maturity Model (CMM) Level 3 accreditation requires structured risk management.

9 Definitions
A project risk is a project event ε_i with three distinguishing features:
(1) Associated loss, which could include time, money, quality, control, understanding etc. We try to measure this value, which is the risk impact e(ε_i).

10 (2) A likelihood that each possible outcome event ε_i occurs. We try to measure this value, which is the risk probability p(ε_i). Measuring p(ε_i) is usually much harder. Often a semiquantitative approach is used, e.g.
Unlikely : possible : likely : very likely
gives four quartiles 25 : 50 : 75 : 100

11 (3) There is some way to influence the impact. We need only be interested in risks where we can avoid or minimise the impact. Some risks are always beyond the scope of influence e.g. physics, war, legislation, etc.

12 Risk Exposure
This is the cumulative exposure over a complete and independent set of events
E = Σ_i p(event_i) * e(event_i)
Risk control is a set of planned actions to reduce the risk exposure.

13 Example Consider the risk exposure for testing a new software product. Delivery of the product yields 300K€. However, if critical bugs are present a penalty payment of 150K€ is owed to the client.

14 Probability estimates
By spending 50K€ (6 man-months) on testing we estimate that we will find all critical bugs with a probability of 0.75.
We estimate the probability that the product is free of critical bugs (from the start) to be 0.2.
We estimate the probability that we will overlook a critical bug to be 0.05.

15 Outcome tree
P( exists fault ) = 0.8
    P( find no fault ) = 0.05
    P( find fault ) = 0.75
P( exists no fault ) = 0.2
A tree structure naturally produces a complete independent set of outcomes

16 Risk exposure
Exposure = 0.75 * (300,000 – 50,000)
 + 0.05 * (300,000 – (150,000 + 50,000))
 + 0.2 * (300,000 – 50,000)
 = 187,500 + 5,000 + 50,000
 = 242,000

17 What does this calculation actually tell us? Over the long term we would make a profit of 242,000€ on a series of projects with these characteristics. However, this project is probably unique! Each summand is positive, and therefore under each outcome we make some profit.

18 The result is dominated by the term 0.75 * (300,000 – 50,000) = 187,500
To improve the average outcome, we could:
(a) Improve testing effectiveness to raise the value 0.75 (at no cost?)
(b) Reduce testing labour to reduce the value 50K (possible?)
(c) Raise the product price above 300K€ (desirable? Possible?)

19 Risk Leverage Risk management procedures alter the value of our exposure … but they usually cost money to put in place. When does the gain exceed the expense? (The law of diminishing returns.)

20 Define the risk leverage of a specific risk reduction to be the value
Leverage = (exposure after – exposure before) / cost of reduction

21 Example
In the previous testing scenario, suppose doubling the test budget to 100K€ will halve the probability p( find no fault ) = 0.025, so that p( find fault ) = 0.775, while p( exists no fault ) = 0.2 is unchanged.

22 Exposure after reduction
Exposure after = 0.775 * (300,000 – 100,000)
 + 0.025 * (300,000 – (150,000 + 100,000))
 + 0.2 * (300,000 – 100,000)
 = 155,000 + 1,250 + 40,000
 = 196,250

23 Leverage
Leverage = (exposure after – exposure before) / cost of reduction
 = (196,250 - 242,000) / 50,000 = -0.915
A leverage value < 1.0 is an uneconomic reduction!
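The testing scenario of slides 13 to 23 as an added Python example (not part of the original slides); the function names are assumptions chosen here. It builds the outcome tree, checks that the leaves form a complete set, and computes exposure, worst single outcome and leverage with exact fractions. Evaluating the three terms of slide 16 this way gives 187,500 + 5,000 + 50,000 = 242,500 where the slide states 242,000, so the computed leverage is -0.925.

```python
from fractions import Fraction as F


def outcomes(revenue, penalty, test_cost, p_find, p_miss, p_clean):
    """Leaves of the slide-15 outcome tree as (label, probability, payoff)."""
    leaves = [
        ("fault exists, found", F(p_find), revenue - test_cost),
        ("fault exists, missed", F(p_miss), revenue - (penalty + test_cost)),
        ("no fault exists", F(p_clean), revenue - test_cost),
    ]
    total = sum(p for _, p, _ in leaves)
    if total != 1:
        # Exposure is only meaningful over a complete set of outcomes.
        raise ValueError(f"probabilities sum to {total}, not 1")
    return leaves


def exposure(leaves):
    """E = sum of p(event_i) * e(event_i) over all leaves."""
    return sum(p * payoff for _, p, payoff in leaves)


def worst_case(leaves):
    """Payoff of the worst single outcome (the short-term view of slide 4)."""
    return min(payoff for _, _, payoff in leaves)


def leverage(before, after, cost_of_reduction):
    """(exposure after - exposure before) / cost of reduction, as on slide 20."""
    return (exposure(after) - exposure(before)) / cost_of_reduction


# Figures from slides 13-14 (50K test budget) and slide 21 (100K test budget).
BEFORE = outcomes(300_000, 150_000, 50_000, "0.75", "0.05", "0.2")
AFTER = outcomes(300_000, 150_000, 100_000, "0.775", "0.025", "0.2")

if __name__ == "__main__":
    for name, plan in (("before", BEFORE), ("after", AFTER)):
        print(name, "exposure:", float(exposure(plan)),
              "worst case:", worst_case(plan))
    print("leverage:", float(leverage(BEFORE, AFTER, 100_000 - 50_000)))
```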

24 Risk Management Process
… has its own lifecycle
(1) Identify the risks using previous project histories, similar projects, checklists etc.
(2) Analyse risks, try to find the probabilities and impacts, even semi-quantitatively
(3) Plan risk handling actions, prioritise top n risks (e.g. n = 10) in terms of exposure
(4) Make contingency plans (i.e. damage control) for all n risks
(5) Monitor and adjust, update probabilities and recalculate

25 Risk Reduction Strategies
There are 4 basic strategies for dealing with risk.
(1) Accept the risk (i.e. do nothing). This seems most advantageous when the leverage falls below 1.0, especially if exposure is already low.

26 (2) Transfer the risk. Negotiate the contract so that the risk is accepted or shared by another party, e.g. customer, subcontractor, consortium partner, bank, etc.
(3) Reduce probabilities of negative outcomes. Invest in project activities which reduce probabilities, e.g. if risk = software bugs, activities = design, test, etc.

27 (4) Reduce losses associated with negative outcomes. Invest in catastrophe management which reduces negative impact, e.g. insurance against lawsuits.
Note (3) = “buying smoke alarms” while (4) = “buying fire engines”

28 Risk Hierarchy
It is useful to structure different types of risk into a taxonomy, e.g. to perform systemic risk analysis. There are many published taxonomies (a.k.a. checklists); see e.g. Sommerville, course handouts and course web page.

29 Generic Project Risks Generic IT Project Risks Specific IT Project Risks Staff shortage New technology Equipment failure Subcontractor failure Unknown product Team risk….

30 Boehm’s Top IT project risks
Recall the spiral lifecycle model? Boehm has studied the top IT project risks, and suggested fixes.
(1) Personnel shortfall
(2) Unrealistic schedules and budgets
(3) Developing the wrong software functions

31 IT Risks (continued)
(4) Developing the wrong user interface
(5) Gold plating
(6) Continuing stream of requirement changes
(7) Shortfalls in externally furnished components
(8) Shortfalls in externally performed tasks
(9) Real time performance shortfalls
Question: What fixes would you suggest?

32 Implementing Risk Control
Risk management is getting easier to motivate politically.
Fire Safety Officer Paradox: With a good fire safety officer there are never any fires … but then why hire an officer?

