Objectives

On successful completion of this module, you should be able to:

- understand what risk is and the importance of good project risk management
- discuss the elements involved in risk management planning
- list common sources of risks on information technology projects
- describe the risk identification process and tools and techniques to help identify project risks
- discuss the qualitative risk analysis process and explain how to calculate risk factors, use probability/impact matrices, the Top Ten Risk Item Tracking technique, and expert judgment to rank risks
- explain the quantitative risk analysis process and how to use decision trees and simulation to quantify risks
- provide examples of using different risk response planning strategies such as risk avoidance, acceptance, transference, and mitigation
- discuss what is involved in risk monitoring and control
- describe how software can assist in project risk management
- explain the results of good project risk management.

Learning resources
Text
Chapter 11, Schwalbe (4th edition)
Module overview
This module provides an introduction to project risk management, one of the most misunderstood knowledge areas of project management. Important topics include understanding what risk is and why risk management is important, the project risk management processes, and tools and techniques such as probability/impact matrices, Top Ten Risk Item Tracking, and simulations.
Figure 12.1: Overview of project risk management (source: PMBOK Guide 2004, p. 239)
Figure 12.1 provides an overview of the processes, inputs, tools and techniques, and outputs that project risk management involves, based on the PMBOK® Guide 2004. In the following sections, we briefly summarise the key concepts and principles presented in this module.
12.1
Importance of project risk management
Project risk management is the art and science of identifying, analyzing, and responding to risk throughout the life of a project and in the best interests of meeting project objectives.
All industries, especially the software development industry, tend to neglect the importance of project risk management. A survey conducted by KPMG revealed that 55% of runaway projects did no risk management at all, 38% did some, and 7% did not know whether they did risk management or not.
The general dictionary meaning of risk is possibility of loss or injury. Project risk involves understanding potential problems that might occur on the project and how they might impede project success.
Risk management should be regarded as an investment, with costs associated. The benefit of the investment is to lessen the impact of potentially adverse events on a project. In any case, the cost for risk management should not exceed the potential benefits.
Risk utility or risk tolerance is the amount of satisfaction or pleasure received from a potential payoff. Depending on their attitude towards risk, people are divided into the following three categories:

- Risk-averse: people who see utility rise at a decreasing rate of potential payoff.
- Risk-seeking: people who see utility rise at an increasing rate of potential payoff.
- Risk-neutral: people who achieve a balance between risk and payoff.

There are six major processes included in project risk management:

- Risk management planning: involves deciding how to approach and plan the risk management activities for the project.
- Risk identification: involves determining which risks are likely to affect a project and documenting the characteristics of each.
- Qualitative risk analysis: involves characterising and analysing risks and prioritising their effects on project objectives.
- Quantitative risk analysis: involves measuring the probability and consequences of risks and estimating their effects on project objectives.
- Risk response planning: involves taking steps to enhance opportunities and reduce threats to meeting project objectives.
- Risk monitoring and control: involves monitoring known risks, identifying new risks, reducing risks, and evaluating the effectiveness of risk reduction throughout the life of the project.

12.2
Risk management planning
The main output of risk management planning is a risk management plan, which documents the procedures for managing risk throughout the project. A risk management plan summarises the results of the risk identification, qualitative analysis, quantitative analysis, response planning, and monitoring and control processes.
A risk management plan should address the following questions:

- Why is it important to take/not take this risk in relation to the project objectives?
- What is the specific risk, and what are the risk mitigation deliverables?
- What risk mitigation approach is to be used?
- Who are the individuals responsible for implementing the risk management plan?
- When will the milestones associated with the risk mitigation approach occur?
- How much is required in terms of resources to mitigate risk?

The risk management plan can include the following contents:

- a methodology for risk management
- roles and responsibilities for activities involved in risk management
- budgets and schedules for the risk management activities
- descriptions of scoring and interpretation methods used for the qualitative and quantitative analysis of risk
- threshold criteria for risks
- reporting formats for risk management activities
- a description of how the project team will track and document risk activities.

In addition to a risk management plan, many projects also include the following items:

- Contingency plan: predefined actions that the project team will take if an identified risk event occurs.
- Fallback plan: developed for risks that have a high impact on meeting project objectives, and put into effect if attempts to reduce the risk are not effective.
- Contingency reserves or contingency allowance: provisions held by the project sponsor that can be used to mitigate cost or schedule risk if changes in project scope or quality occur.

12.3
Common sources of risk on information technology projects
Several studies have shown some common sources of risks on software development and information technology projects. A study done by the Standish Group <http://www.standishgroup.com> revealed the following common sources of risks on information technology projects:

- lack of user involvement
- insufficient executive management support
- unclear statement of requirements
- poor planning
- unrealistic expectations
- too few project milestones
- lack of competent staff
- unclear ownership
- unclear visions and objectives
- lack of hardworking, focused staff.

Other broad categories of risk include:

- market risk
- financial risk
- technology risk.

Understanding common sources of risk also helps in risk identification, the next step in project risk management.
12.4
Risk identification
Risk identification is the process of understanding what potential unsatisfactory outcomes are associated with a particular project. This is done through reviewing the project's risk management plan, other planning documents, and the broad categories of risks. Risk identification can also be done through a review of historical information related to risks on similar projects.
It is important to identify potential risks according to project management knowledge areas. The potential risk conditions that can exist within each knowledge area are listed below:
- Integration: Inadequate planning, poor resource allocation, poor integration management, lack of post-project review.
- Scope: Poor definition of scope or work packages, incomplete definition.
- Time: Errors in estimating time or resource availability, errors in determining the critical path, poor allocation and management of float, early release of competitive products.
- Cost: Estimating errors, inadequate productivity, cost, change, or contingency.
- Quality: Poor attitude toward quality, substandard design/materials/workmanship, inadequate quality assurance program.
- Human Resources: Poor conflict management, poor project organisation and definition of responsibilities, absence of leadership.
- Communications: Carelessness in planning or communicating, lack of consultation with key stakeholders.
- Risk: Ignoring risk, unclear analysis of risk, poor insurance management.
- Procurement: Unenforceable conditions or contract clauses, adversarial relations.

There are several tools and techniques for identifying risks. Six common information-gathering techniques include brainstorming, the Delphi Technique, interviewing, SWOT analysis, checklists and diagrams:
- Brainstorming: a technique by which a group attempts to generate ideas or find a solution for a specific problem by amassing ideas spontaneously and without judgement. However, group effects such as fear of social disapproval, the effects of authority hierarchy, and domination of the session by one or two very vocal people often inhibit idea generation for many participants.
- Delphi Technique: developed by the Rand Corporation for the U.S. Air Force in the late 1960s, it is used to derive a consensus among a panel of experts who make predictions about future developments. The Delphi Technique uses repeated rounds of questioning and written responses, including feedback to earlier-round responses, to take advantage of group input while avoiding the biasing effects possible in oral panel deliberations.
- Interviewing: a fact-finding technique for collecting information in face-to-face, telephone, e-mail, or instant messaging discussions.
- SWOT analysis: stands for strengths, weaknesses, opportunities, and threats, as introduced in Module 6, Project Scope Management. It is often used in strategic planning. It can also assist in risk identification by having project teams focus on the broad perspectives of potential risks for particular projects.
- Checklists: based on risks that have been encountered in previous projects, providing a meaningful template for understanding risks in a current project.
- Diagrams: include cause-and-effect (Fishbone) diagrams, flow charts, and influence diagrams.

The main outputs of the risk identification process are identified risk events for the project, triggers or risk symptoms, and inputs to other processes. Risk events are specific things that may occur to the detriment of the project. Triggers or risk symptoms are indicators of actual risk events.
12.5
Qualitative risk analysis
Qualitative risk analysis involves assessing the likelihood and impact of identified risks, to determine their magnitude and priority.
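As an added illustration of assessing likelihood and impact (example code written for this guide, not from Schwalbe or the PMBOK Guide), the script below scores a constructed risk register built from the risk sources named in this module, ranks the risks, and places each one on a three-by-three probability/impact matrix. The definition of the risk factor as probability times impact and the low/medium/high band thresholds are assumptions standing in for the threshold criteria a risk management plan would set.

```python
# Added example: qualitative scoring of a constructed risk register.
# Assumptions: risk factor = probability x impact (both rated 0..1), and the
# low/medium/high band thresholds below stand in for the plan's threshold criteria.

LOW_MAX = 0.3   # ratings below this are "low"
MED_MAX = 0.6   # ratings below this (and >= LOW_MAX) are "medium", else "high"

# Constructed sample register using risk sources named in this module:
# (risk event, probability, impact)
RISK_REGISTER = [
    ("Lack of user involvement", 0.70, 0.80),
    ("Unrealistic expectations", 0.50, 0.60),
    ("Too few project milestones", 0.40, 0.30),
    ("Unclear ownership", 0.20, 0.90),
    ("Lack of competent staff", 0.10, 0.20),
]

def band(rating):
    """Map a 0..1 probability or impact rating to low/medium/high."""
    if not 0.0 <= rating <= 1.0:
        raise ValueError(f"rating out of range: {rating}")
    if rating < LOW_MAX:
        return "low"
    return "medium" if rating < MED_MAX else "high"

def risk_factor(probability, impact):
    """Single qualitative score used for ranking (assumed definition: p x i)."""
    return round(probability * impact, 2)

def rank_risks(register):
    """Return (event, factor, probability band, impact band), highest factor first."""
    scored = [(name, risk_factor(p, i), band(p), band(i)) for name, p, i in register]
    return sorted(scored, key=lambda row: row[1], reverse=True)

def probability_impact_matrix(register):
    """Group events into matrix cells keyed by (probability band, impact band)."""
    matrix = {}
    for name, p, i in register:
        matrix.setdefault((band(p), band(i)), []).append(name)
    return matrix

def needs_response(register, threshold=LOW_MAX):
    """Events whose factor reaches the threshold that triggers response planning."""
    return [name for name, factor, _, _ in rank_risks(register) if factor >= threshold]

if __name__ == "__main__":
    for name, factor, pb, ib in rank_risks(RISK_REGISTER):
        print(f"{factor:.2f}  P={pb:<6}  I={ib:<6}  {name}")
```

Note that "Unclear ownership" ranks only fourth by factor yet lands in the low-probability/high-impact cell of the matrix, which is why the matrix view is kept alongside the single score.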
A few techniques for qualitative risk analysis are introduced in this section, which include: