A probability/impact matrix orchart lists the relative probability of a risk occurring on one side of a matrix or axis on a chart and the relative impact of the risk occurring on
the other. Each risk is labelled as being high, medium or low in terms of itsprobability of occurrence and itsimpact if it does occur. The results of all potential risks are then summarised in a probability/impact matrix or chart, which is illustrated in figure12.2.
Figure 12.2: Probability/Impact Matrix (Schwalbe, K 2006, Figure 11-4)
In the above figure, the project team should focus on any risks that fall in the high sections of the probability/impact matrix or chart, such as risk 6, risk 9, risk 1 & 4, and risk 12.
Calculating risk factors is a more sophisticated approach to using probability/impact information. The technique was developed by Defense Systems Management College (DSMC). Risk factors are numbers that represent the overall risk of specific events, based on their probability of occurring and the consequence to the project if they do occur. Determined by the nature of each project, probabilities of a risk occurring can be estimated based on several factors. Factors evaluated for software development technology risks include:
Ê
the technology is not matureË
the technology is too complexÌ
an inadequate support base for developing the technology. The impact of a risk occurring could include factors such as:Ë
the consequences of not meeting performance estimateÌ
the consequences of not meeting cost estimateÍ
the consequences of not meeting schedule estimate.In practice, calculating risk factors is done through assigning aProbability of Failure(Pf) value and a Consequence of Failure(Cf) value to each proposed technique. Both Pf and Cf values take a value between 0 and 1. This is shown in Table 11-6 in Schwalbe’s text. A risk factor is defined as the Pf plus the Cf minus the product of the two like
Rf = (P f+Cf)−P f×Cf, (12.1) where Rf is the resulting risk factor, whereas P f and Cf are the Pf and Cf values for the proposed technique, respectively. Note that both P f and Cf are normalised values, ranging from 0 to 1.
Furthermore, the risk factors for all the proposed techniques can be grouped together to graph the probability of failure and consequence of failure to visualise the final result, as depicted in Figure 11-3 in Schwalbe’s text.
12.5.2
Top ten risk item tracking
Top Ten Risk Item Tracking maintains an awareness of risks throughout the life of a project in addition to identifying risks. It involves establishing a periodic review of the project’s most significant risk items with management and with the customer (option- ally). The following matters are likely to be discussed in the review:
Ê
the status of top ten sources of risk on the projectË
each item’s current ranking, previous ranking, and number of times it appears on the list over a period of timeÌ
a summary of progress made in resolving the risk item since the previous review. Table 11-7 in Schwalbe’s text provides an example of a Top Ten Risk Item Tracking Chart.Arisk management review accomplishes the following objectives:
Ê
It keeps the management and the customer aware of the major influences that could prevent the project from being a success.Ë
The project team may be able to consider alternatives that could mitigate the risk by involving the customer.Ì
It is a means of promoting confidence in the project team by demonstrating to management and the customer that the significant project risks are under control of the project team.12.5.3
Expert judgement
Many organisations rely on the experience of experts in performing qualitative risk analyses. Expert judgement is one of the main methods with which these organisations conduct risk analyses.
Expert judgement has a number of advantages compared to other sophisticated risk analysis techniques. For example, experts can categorise risks as being high, medium, or low without using sophisticated techniques such as calculating risk factors, which can easily confuse people with little math and statistics background.
12.6
Quantitative risk analysis
Large and complex projects often require extensivequantitative risk analysis, which is not necessary for smaller projects. The main technique for quantitative risk analysis includes decision tree analysis and simulation.
12.6.1
Decision trees and expected monetary value
Adecision treeis a diagramming analysis technique, which helps select the best course of action in situation in which future outcomes are uncertain. A common application of decision tree analysis involves calculatingexpected monetary value(EMV), which is the product of a risk event probability and the risk event’s monetary value.
Figure 11-4 in Schwalbe’s text illustrates how to select the most appropriate project(s) out of a number of candidate projects. Each candidate project needs to be assigned the probabilities of certain events occurring. There is a outcome value associated with each probabilities. The sum of the probabilities for outcomes for each candidate project must equal one. Probabilities are normally determined based on expert judgement. To calculate EMV, one multiplies the probability by the outcome value for each potential project and sum the results like the following
EMV=p1s1+p2s2+· · ·+pnsn, (12.2) where pn and sn are the probability and outcome value of the nth candidate project, respectively.
EMV provides an estimate for the total value of a decision. A positive number is desired, and the higher the EMV, the better. Using EMV helps account for all possible outcomes and their probabilities of occurrence, thereby reducing the tendency to pursue overly aggressive or conservative risk strategies.
12.6.2
Simulation
Simulation is another sophisticated quantitative risk analysis technique. It uses a rep- resentation or model of a system to analyse the expected behavior or performance of the system. Monte Carlo analysis is a common technique for performing simulations. It simulates a model’s outcome many times to provide a statistical distribution of the calculated results. There are some basic steps involved in the Monte Carlo analysis:
Ê
Assess the range (most likely, optimistic, and pessimistic estimates) for the vari- ables being considered and determine the probability distribution for each.Ë
For each variable, select a random value based on the probability distribution for the occurrence of the variable.Ì
Run a deterministic analysis or one pass through the model using the combina- tion of values selected for each one of the variables.Í
Repeat the first and second steps above many times to obtain the probability distribution of the results. The number of iterations depends on the number of variables and the degree of confidence required in the results.It is important to distinguish Monte Carlo analysis from Program Evaluation and Re- view Techniques (PERT) analysis. PERT analysis, introduced in Module 7 Project Time Management, involves making three estimates of each activity’s duration. The weighting factors in the PERT formula are fixed, i.e., the most-likely estimate weighs
four times more than the pessimistic or optimistic estimates. Therefore, it does not provide the flexibility or accuracy of the Monte Carlo analysis.
12.7
Risk response planning
Risk response is the subsequent step after an organisation identifies and quantifies risks. Risk response planning involves defining steps for enhancing opportunities and developing plans for handling risks or threats to project success. Importantoutputsof the risk response development process include a risk management plan, contingency plans, and reserves.
There are four basic risk response strategies summarised as follows:
Ê
Risk avoidance: involves eliminating a specific threat or risk, usually by eliminat- ing its causes.Ë
Risk acceptance: means accepting the consequences should a risk occur.Ì
Risk transference: is shifting the consequence of a risk and responsibility for its management to a third party.Í
Risk mitigation: involves reducing the impact of a risk event by reducing the prob- ability of its occurrence.Generaltechnical,cost, andschedulerisks mitigation strategies are summarised in the following:
Ê
Technical Risks: Emphasise team support and avoid stand-alone project struc- ture, increase project manager authority, improve problem handling and commu- nication, increase the frequency of project monitoring, and use work breakdown structure (WBS) and critical path method (CPM).Ë
Cost Risks: Increase the frequency of project monitoring, use WBS and CPM, im- prove communication, project goals, understanding, and team support, increase project manager authority.Ì
Schedule Risks: Increase the frequency of project monitoring, use WBS and CPM, select the most experienced project manager.Even with risk management in place, there are stillresidual risks, which are risks that remain after all of the response strategies have been implemented. Other outputsof risk response planning include:
Ê
contractual agreementsË
estimates of needed contingency reserveÌ
inputs to other processes and the project plan.12.8
Risk monitoring and control
Risk monitoring and control involves executing the risk management processes and the risk management plan to respond to risk events. Executing the risk management processes means ensuring that risk awareness is an ongoing activity performed by the entire project team throughout the entire project. Executing the risk management planinvolves monitoring risks on the basis of defined milestones and making decisions regarding risks and mitigation strategies.
Thetools and techniquesneeded for performing risk monitoring and control include:
Ê
project risk auditsË
periodic risk reviewsÍ
technical performance measurementÎ
additional risk response planning.Outputsof this process include corrective action, project change requests, and updates to other plans.
12.9
Results of good project risk management
There are some differences between the risk management and crisis management. The major differences are summarised as follows:
Ê
Resolving a crisis has much greater visibility than risk management, whereas risk management often goes unnoticed.Ë
Good crisis management is often rewarded by management, whereas good risk management often results in fewer problems, and more expeditious resolutions.12.10
Using software to assist in project time
management
Some software tools can be used to assist in various risk management processes. Databases can keep track of risks, spreadsheets can aid in tracking and quantifying risks, and more sophisticated risk management software can help one develop models and use simulations to analyse and respond to various risks.
Several software packages are available to perform Monte Carlo simulations, such as
Risk+® by C/S Solutions, Inc., andCrystal Ball® by Decisioneering, Inc. The latter is Microsoft Excel® add-on software. These software packages use Monte Carlo-based
simulation techniques to estimate the probability of meeting specific schedule goals. To do so, one needs to collect optimistic,pessimistic, andmost-likely duration estimates for project tasks. One must also collect estimates for the probability of completing each task between the optimistic and most-likely times.
There is a crucial distinction between Monte Carlo and PERT analysis. The former focuses on schedule estimates, whereas the latter can also be used to estimate cost
risks. In addition to estimating overall probabilities of project goals, Monte Carlo anal- ysis can also be used to findtop sourcesof risks,i.e., risk drivers.
Activity 12.1
Microsoft Solution Framework and Risk Management
The Microsoft Solution Framework (MSF) is the framework Microsoft uses for managing projects. The MSF provides an adaptable framework for successfully delivering information technology solutions faster, requiring fewer people, and involving less risk, while enabling higher quality results. The MSF provides proven practices from Microsoft for managing software projects.
Risk management is a core discipline of the Microsoft Solutions Frame- work. The MSF Risk Management Discipline advocates a proactive approach to dealing with this uncertainty, evaluates risks continuously, and uses them to influence decision-making throughout the life cycle. The white paper of the MSF Risk Management can be downloaded from <http://msdn.microsoft.com/vstudio/enterprise/msf>.
Read through and research the MSF Risk Management Discipline White Paper. Write a one-page article to discuss how project managers can utilise the Microsoft Solution Framework to reduce project risks in devel- oping large-scale software projects.