Using risk platform in the project delivery stage Project managers and all au- thorized stakeholders have access to the database. First step is to enter preliminary information about the project, name, type, budget, contractors, time and a brief descrip- tion. The project gets an ID, which is a number generated by the system P ID. Later, the authorized users can access the database and enter the risks, the exceptions that take place during implementation of the project, they describe the event, its causes, how it was handled, by who, how long was the delay caused, what are the extra costs incurred. Same steps are done for each project, and the data are accumulated in the platform for later use.
Using risk platform in the business case development stage When new projects are being planned, authorized project managers can access the database and make a query to get information about previous projects, i.e. Number of events per project of type ‘Infrastructure’, or the cost of event (x) in project of the type ‘procurement’.
Figure 3.5: Project Information Entry
For example, figure 3.6 represents a query of the number of events per project of type ‘Infrastructure ICT’, type of risk, number of events, extra cost caused by the event and the length of the delay caused by the event.
Figure 3.6: A screen-shot of a query
3.4.1 Scaling
Let’s say that a manager wants to have a broad idea about risk events in more projects and see how much a project of a certain type can exceed the budget and planned time. The second column shows the risk category, how many times the risk event occurred for each project, and how much did hose events add up to the projects budget, in terms of time and money. More queries and screen-shots in Appendix C. The project manager can assess based on these data, that when running a software project, we can expect to have extra costs resulting from legal issues, obviously related to licensing, afterwards he can refer to another table to have more details about the event, to either avoid it or handle it in the upcoming project.
After extracting the data from the table, it is not reasonable to take the information and apply it directly without making a comparison between the size of the project at hand and the projects in the platform to extract a comparable information. Assume the information in the risk platform is about a project with an initial budget e6 million, and a planned time frame of 2 years. The number of events registered for this project wasn, and the time frame was extended for 6 months. If the user is preparing a business case for a project with initial budget e2 million. In this case it is not acceptable to take the information and use it without scaling.
To calculate the expected number of eventsmfor the new project, the user can extrapolate the number of events:
m= e2million×n
e6million
The extrapolation can be related to the time frame, for example to estimate the time extension, the user can calculate the time extension as a ratio to the planned time. If the project is planned for 2 years and was extended for 6 months, then the new project with
a time frame of 3 years is expected to be extended for
t= 3years×0.5year
2years = 0.75
this number is compared to 9 months, so one can expect the project to be extended for 9 months. Of course scaling can take many forms, this is directly related to the type of project, size and other external factors related to the organization using the platform. All corporate and organizational projects face risk at one time or another. Having a risk platform in place simply provides a better means of responding to problems as they arise. The risk platform is there to help with the decision-making process and enables man- agers and project stakeholders to handle risk in the most appropriate way. A risk needn’t be a threat to the project, it is simply an issue that can arise during the project; if ef- fectively managed, it shouldn’t prevent the project from attaining its goals and objectives.
This chapter provided an answer to the research question ”How can Risk quantification contribute to the projects valuation?”, as was mentioned in this chapter, the information obtained from the risk platform are essential to the future projects, for the fact that it incorporates experience from past projects in future projects, that s in the project delivery stage. On the other hand, it facilitates the risk quantification of expected risks, to help creating a rather reasonable business case in the business case development stage.
In chapter 4, the results of using the risk platform are explained with a case study in the organization ORG.
Chapter 4
Case Study
”A value-creating strategy starts with up-front investments in strategic projects in a certain business and extends with cash-generating opportunities in a later stage of the market. Investing in such projects involves acquiring options for future company growth.”
(Panayi & Trigeorgis, 1998).
In this section a case study with embedded real options will be analyzed using the sce- nario analysis and decision tree or the revised classic approach, as mentioned in section 2.5.5 to answer the second research question: “Is the real options a better approach to projects valuation compared to the traditional methods?” To answer this question, first a project will be evaluated using the discounted cash flow to find the traditional NPV. The revised classic approach will be applied on the project to analyze the possible outcomes using embedded real options. First, the base case scenario will be analyzed with certain probabilities of success or failure to find the NPV of the project. Option to delay and option to abandon will be embedded in the project, and the decision tree will be built to find the NPV of the project under flexibility. The results will be compared to the base case NPV of the project. A sensitivity analysis will be conducted to find the effect of interest rate and revenues on the overall value of the project and the option.
4.1
The Organization and the Case
The organization where this research was conducted is a non-profit organization that is based in the Netherlands. This organization is owned by the government, the name will be hidden for privacy, instead it will be named ORG. ORG is a service non-profit organization, it offers services and support to entities inside the Netherlands and to individuals when needed. For ORG to be able to regulate the cash flow and to adapt to recent changes in its scope and strategy it needs a new IT system to boost its operations, maximize performance and protect it from cyber-attacks. The management is considering installing the DMZ system. The DMZ stands for Demilitarized Zone, which is defined as ”a physical or logical sub-network that contains and exposes an organization’s external-facing services to an un-trusted network, usually a larger network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN), an external network node can access only what is exposed in the DMZ, while the rest of the organization’s network is fire-walled. The DMZ functions as a small, isolated network positioned between the Internet and the private network” (contributors, 2018)
2014 2015 2016 Personnel e52.768 e161.704 e79.424 Apparatus e4.774.388 e1.577.938 Maintenance e84.167 e230.020 Hardware e12.230 Other e848 e-848 Total e4.912.171 e1.968.814 e91.654 Table 4.1: Project DMZ Cash Flow
The Project
DMZ provides Up to date life-cycle management for software and hardware; It is also expected to Improve performance, capabilities and functionality of firewalls; it is enhanced by intrusion detection components.
The direct management of the financial department demands this new system because the expansion plans of ORG requires more autonomy and higher security. DMZ system is expected to give more autonomy to the office services which means more flexibility in the work place.
Table 4.1 gives an indication of the estimated cash flows of the whole project.
The project is a non- cash generating project, but it is supposed to create savings ofe2 million/year for ten years, afterwards the system will be considered as obsolete, and it must be replaced by a new system. The system will be scrapped for zero value.
However, it should be emphasized that there are other benefits of the project that cannot be measured on the short run, measuring the benefits of such projects requires monitoring and using different methods of performance measurement and KPI’s, but measuring the performance of the system and its benefits is not the subject of this research.
The project will be implemented in four phases, the four phases are described below:
Phase One: Change the currently implemented firewalls; Change the big data hardware; Implement Junior Space. Time expected 6 months.
Phase Two: Change the switch and implement the DMZ; Create sub-zone to take over the load from the old hardware; Split the firewalls to internal and external; Migrate the old DMZ to the new DMZ; Finish the last phase of big data server removal; Implement hardware for phase three. This phase was supposed to take another 6 months.
Phase Three: Create the internal protection zone; Split internet access of the inter- nal environment; Create the office protected zone; Migrate office services to the office environment. Phase three lasts 7 months.
Phase Four: Finishing of the internal firewalls, finalize the protecting borders and Elim- inate old hardware. This phase was supposed to be finished in 6 months.
The project did not go as planned in the business case, it had to be frozen in the first phase for causes external to the project, the second phase which includes migration and migration iterations took much longer than expected, the actual time was three times longer than the budgeted time.
The project DMZ is dominated by private risks, this means that the project is not associated with fluctuations in the market, which is one of the reasons for the use of the revised classic approach, in addition to the fact that it is not possible to find a matching portfolio to replicate the project, there are no profits expected, and no competition in the market to affect the pace of the project.