2. 1 Risk Management

3. 2 n IEEE defines risk as: “the likelihood of an event, hazard, threat or situation occurring and its undesirable consequences” [Std. 1540-2001] n The purpose of risk management is: “to identify & mitigate the risks continuously” n What does this mean?

4. 3 Which Means? n Risk management is a recognition of the fact that projects do not go according to plan, and that planning is not a once for all activity n ‘Risk’ means risk to the project

5. 4 EXAMPLES Looking at ‘runaway projects’ (significant cost or time overruns) ä 55% of ‘runaway projects’ did no risk management ä 38% did some (but half of these did not use risk findings once project was underway) ä 7% did not know if they did risk management or not [Schwalbe: 2004: 391]

6. 5 Why Plan for Risk? n Be Prepared n Maximise chances of success n A balancing act

7. 6 Risk Management Planning n Is a management responsibility n A RMP is part of the project documentation n Is a proactive management activity, intended to identify and pre-empt problems n Will involve costs n Is closely linked to estimation & planning

8. 7 Identify a Strategy n Decide on the risk management approach and specify what is involved (Who, how & What) n Consider ä Prevention ä Reduction strategy ä Avoidance strategy ä Contingency strategy

9. 8 Categories of Risk n Project risks – affect the project schedule or resources. n Product risks – affect the quality or performance of the software. n Business Risks – risk to the developer or client

10. 9 Risk Identification n Techniques include analyse the project plan against the categories of risk n Not all risks represent the same threat to the project n May not be feasible to prepare for all risks n Temptation is to focus on the risks which are easily identified and planned for

11. 10 Risk Analysis n Each risk is evaluated & judgement made - n How likely is it that the risk will occur? n How much of a threat does the risk present? n Can anything be done about the risk? n Tools exist to help with analysis but the final judgement will be based on experience and personal opinion

12. 11 Severity Scale n Identify a possible risk n On a scale of 1-10, assess the likelihood of the risk occurring n On a scale of 1-10, assess the significance of the risk n Multiply the two values to produce a severity rating

13. 12 Severity Scale Example ProblemLikelihoodSignificanceSeverity Late delivery of components 8216 Late agreement on requirements 41040

14. 13 Possible Weaknesses n How good is the data? How accurate are the assumptions? n Arbitrary allocation of values n False precision (spurious authenticity) n May not take into account compound risks e.g. if the risk that full implementation will be late is 5, how does that impact on the timetable for user training?

15. 14 Contingency Planning ProblemStrategyResponsible User training delayed due to late installation because of delays on building works Provide training versions of program to run on standalones. Defer training on network element until installation complete Team leader

16. 15 Risk Management & Costs n A risk may not occur, but this does not mean it should not have been planned for n But – there are costs involved in risk planning n Not sensible to plan for every risk

17. 16 Monitoring the RMP n Monitor all the identified risks at agreed intervals n Revise plan as necessary n Continue process of risk identification throughout project n n Review and evaluate as you go n Review and evaluate at end of project

18. 17 Additional reading Hughes et al chapter 7