SPM Chapter7

(1)

Risk management

CHAPTER

(2)

Risk management

CHAPTER

Objectives

Identify the factors putting a project at risk;

Categorize and prioritize action for risk elimination or

containment;

(3)

Risk management

7.1 Introduction

What is risk management?

The probability of an undesirable event occurring coupled

Risk

The probability of an undesirable event occurring coupled with the impact of that event on the desired outcome

Risk

The act or practice of controlling risk

Risk Management

• It systematically identifies risk items that may oppose the implementation of improvements

• It systematically identifies risk items which are a direct result of

Slide# 3 Software Project Management

• It systematically identifies risk items which are a direct result of making process improvements

• It then prevents those high risk items from occurring or minimizes their impact with appropriate risk abatement steps

(4)

Risk management

More detailed evaluation:

The identification of possible problems that could cause the The identification of possible problems that could cause the project to run late or over budget and with the identification of the steps that can be taken to avoid those problems or minimize their effects.

The identification of the hazards and possible problems, the evaluation of their importance and the drawing up of plans to monitor and deal with those problems is known as risk

(5)

Risk management

Select Project

0

Identify project

1 Identify project 2 Identify project scope and objective

1 Identify project

infrastructure

2

Identify the products and activities

4 Estimate effort for activity 5 Identify activity risks 6 Analyze project characteristics 3

For each activity Lower level detail

Review

Allocate resources

7

Review/publicize plan

8

Lower level planning

10

Execute plan

(6)

Risk management

History of FMEA

• First used in the 1960’s in the Aerospace industry during the

• First used in the 1960’s in the Aerospace industry during the Apollo missions

• In 1974 the Navy developed MIL-STD-1629 regarding the use of FMEA

• In the late 1970’s, automotive applications driven by liability costs, began to incorporate FMEA into the management of their processes

processes

(7)

Risk management

FMEA Basic Definitions

Failure Mode:

• The manner in which a specific part/process fails

• If not detected and either corrected or removed, will cause one of the “effects” to occur (can sometimes be identical to effect)

• Can be associated with a defect - an event that goes outside of specification. How could this process fail to complete its intended function?

Cause:

• A condition that produces a Failure Mode or a process deficiency that results in a Failure Mode

Failure Mode

Failure Effect:

• Impact on customer requirements if failure mode is not prevented or detected (often cost, schedule, and/or performance related). Effect is the result of the Failure Mode occuring?

(8)

Risk management

Failure modes

_Causes

Effects

Examples

No standard process

Lost paperwork Unsatisfied Customers

Computer interface not accurate

User unable to access information

Mismatch between systems

Tool Broken _{Excessive feed}

rate

Damaged part

(9)

Risk management

Linking Cause to Effect

Cause 1 Effect 1

Cause 2 Effect 2

Cause 1

Effect 1

Effect 2

Cause 1

(10)

Risk management

Linking Failure Mode to

FMEA Model

Linking Failure Mode to

Cause and Effect

Cause Failure Mode_(Defect) Effect

(11)

Risk management

7.2 The nature of risk

Risk

is associated with uncertainty, but we do not

call all uncertain events or outcomes ‘

risks

’. We normally

reserve the word ‘

risk

’ to describe non-desirable events or

outcomes – beneficial occurrences are normally called

‘opportunities’.

(12)

Risk management

7.2 The nature of risk

Car journey hazards’ case (Example)

Hazard Likely problem Action plan

Unusually bad Could miss start of Listen to traffic reports Traffic congestion interview on radio

Flat tyre Could miss interview Ensure spare tyre is

or be late usable and inflated

(13)

Risk management

7.3 Categories of risk

Describes the

management structures and systems including those affecting planning those affecting planning and control

(14)

Risk management

7.3 Categories of risk

Domain Class Description

Target Information system The characteristics of the information system – Target Information system The characteristics of the information system – there are independent of the technologies that might be used

Computer system The characteristics of the part of the information system that has been computerized

Project Project Type of task to be undertaken

Structure The communication systems, management structures, work flows etc.

ISPL situational factors

structures, work flows etc.

Actors The people involved in the project

(15)

Risk management

7.3 Types of risk

Three types of risk:

Those caused by the inherent difficulties of estimation; Those due to assumptions made during the planning process;

Those of unforeseen (or at least unplanned) events or hazards occurring.

(16)

Risk management

Estimation errors

Problems: lack of experience of similar tasks.

Activities: Estimate with some degree of accuracy how long the task will take and how much it will cost.

Solutions: Estimation can be improved by analysing historic data for similar activities and similar systems. Keeping

(17)

Risk management

Planning assumptions

At each stage in the planning process, it is important to list explicitly all of the assumptions that have been made and identify what effects they might have on the plan if they are inappropriate.

(18)

Risk management

Eventualities

The majority of unexpected event can be identified – the requirements specification might be alter some if the

(19)

Risk management

7.4 A framework for dealing with risk

Planning for risk includes these steps:

I. Risk identification;

II. Risk analysis and prioritization;

III. Risk planning;

IV. Risk Monitoring.

(20)

Risk management

7.4 Managing risk

The objective of risk management is to avoid

or minimize the adverse effects of unforeseen

events by avoiding the risks or drawing up

(21)

Risk management

7.4 Managing risk

Risk engineering

Two main components – risk analysis and risk management.

Risk analysis

• Risk identification • Risk estimation • Risk evaluation

Risk management

• Risk planning • Risk control

• Risk monitoring

(22)

Risk management

7.5 Risk identification

The two main approaches to the identification of risks are the The two main approaches to the identification of risks are the use of checklists and brainstorming

Checklists are simply list of the risks that have been found to occur regularly in software development projects.

Brainstorming represents the main stockholders. They then

identify, using their individual knowledge of different parts of the project. Brainstorming can also be used to identify possible

(23)

Risk management

Top ten list of software risks is based on one presented by Barry Boehm

Risk Risk reduction techniques

Personnel shortfalls Staffing with top talent; job matching teambuilding, training and career

development etc.

Unrealistic time and cost estimates Multiple estimation techniques; design to cost, incremental development, recording

and analysis of past projects, etc.

Developing the wrong software function Improved software evaluation, formal specification methods, user surveys, prototyping, early user manuals

Developing the wrong user interface Prototyping, task analysis, user involvement

Gold plating Requirements scrubbing, prototyping, cost-benefit analysis, design to cost

Late change to requirements Stringent change control procedures, high change threshold, incremental

development (deferring change) Shortfalls in externally supplied

components Benchmarking, inspections, formal specifications, contractual agreement, qualityassurance procedures and certification

Shortfall in externally performed tasks Quality assurance procedure, competitive design or prototyping, contract incentives

Real-time performance shortfalls Simulation, benchmarking, prototyping, tuning, technical analysis

(24)

Risk management

7.5 Risk identification – Causal mapping

Low staff turnover. … high Experienced staff… inexperienced High productivity …low + + + Deadlines met… missed Heavy management pressure…low + + -Uncertain user requirements …certain Unstable environment …stable +

(25)

Risk management

What is a hazard? What is a hazard?

The first stage in any risk assessment exercise is to identify the hazards that might affect the duration or resource costs of the project.

In identifying and analyzing risks, we can usefully distinguish

between the cause (or hazard), its immediate effect (the problem that it creates) and the risk that it will pose to the project.

(26)

Risk management

7.5 Hazard identification

Some hazards are:

Generic risks – they are relevant to all software projects and standard checklists can be used and augmented from an analysis of past projects to identify them.

Specific risks – are relevant to an individual project and these are likely to be more difficult to identify without an involvement of the members of the project team and a working environment that encourages risk assessment.

(27)

Risk management

Application factors;

Categories of factors:

Application factors;

Staff factors;

Project factors;

Project methods;

Hardware/software factors;

Changeover factors;

Supplier factors;

Environment factors;

(28)

Risk management

(29)

Risk management

Table 7.2 Hazard ranking

Priority Criteria Action

1 Any critical hazard Take immediate action

2 Significant, likely and near-term Initiate risk planning procedures 3 Significant, likely and far-term Get more information and take

to next review meeting

4 Significant but unlikely Get more information about likelihood and reassess

(30)

Risk management

7.6 Risk Assessment

Risk exposure

• Probability of a hazard occurring called risk likelihood; • Probability of a hazard occurring called risk likelihood; • Effect that the resulting problem will have on the project

called risk impact

• The importance of the risk called risk value or risk exposure.

Risk exposure = risk impact × risk likelihood

(31)

Risk management

Example of Risk Exposure Assessment

Ref. Hazard Likelihood Impact Risk

exposure

R1 Changes to requirements specification during_coding 8 8 64

R2 Specification takes longer than expected 3 7 21

R3 Significant staff sickness affecting critical path_activities 5 7 35

R4 Significant staff sickness affecting non-critical_activities 10 3 30

R4 _activities 10 3 30

R5 Module coding takes longer than expected 4 5 20

(32)

Risk management

Probability level Range

High Greater than 50% chance of happening

Significant 30-50% chance of happening Significant 30-50% chance of happening

Moderate 10-29% chance of happening

Low Less than 10% chance of happening

Impact level Range

High More than 30% above budgeted expenditure

Quantitative descriptors of risk probability and associated range values

High More than 30% above budgeted expenditure

Significant 20 to 29% above budgeted expenditure Moderate 10 to 19% above budgeted expenditure

Low Within 10% of budgeted expenditure

(33)

Risk management

R6 R1

R2,

R3, R5

R4

High

Significant

Moderate

Note: These matrices have

Low

Low Moderate Significant High Note: These matrices have

(34)

Risk management

7.6 Hazard analysis

Impact measures, scored on a similar scale, must take into account the total risk to the project. This must include the following

potential costs: potential costs:

• The cost of delays to scheduled dates for deliverables;

• Cost overruns caused by using additional or more expensive resources;

• The costs incurred or implicit in any compromise to the system’s quality or functionality.

(35)

Risk management

Prioritizing the risks

Managing risk involves the use of two strategies:

• Reducing the risk exposure by reducing the likelihood or impact;

• Drawing up contingency plans to deal with the risk should it occur.

(36)

Risk management

Prioritizing the risks

In practice, there are generally other factors, in addition to the risk exposure value, that must also be taken into account when

prioritizing risks.

• Confidence of the risk assessment • Compound risks

• Compound risks

(37)

Risk management

7.7 Risk planning

• Risk Acceptance

• Risk Avoidance

• Risk Reduction and mitigation

• Risk Transfer

(38)

Risk management

7.7 Risk planning

Fairley’s four commercial off-the-shelf (COTS) software acquisition risks

Integration Difficulties in integrating the data formats and communication Integration Difficulties in integrating the data formats and communication

protocols of different applications

Upgrading When the supplier upgrades the package, the package might no longer meet the users’ precise requirements. Sticking with the old version could mean losing the supplier’s support for the package.

No source If you want to enhance the system, you might not be able to No source

code If you want to enhance the system, you might not be able todo so as you do not have access to the source code.

Supplier failures or buyouts

(39)

Risk management

7.8 Risk management

• Contingency

• Deciding on the risk actions

• Creating and maintaining the risk register

Risk Record

Risk ID Owner

Risk title

Date raised Status

Owner Date raised Status

Risk Description

Impact Description

(40)

Risk management

7.8 Risk management

Risk reduction leverage

Risk reduction leverage (RRL) formulas:

t

reduction

risk

RE

RRL

before after

cos

_





Where RE_before is the original risk exposure value, RE_after is the expected risk exposure value after taking action and the risk

(41)

Risk management

7.9 Evaluating risks to the schedule

• PERT, a technique which takes account of the uncertainties in • PERT, a technique which takes account of the uncertainties in

the durations of activities within a project.

• Monte Carlo Simulation

• Critical Chain Management

(42)

Risk management

7.10 Applying the PERT technique

Using PERT to evaluate the effects of uncertainty

PERT requires three estimates: PERT requires three estimates:

• Most likely time

• Optimistic time

• Pessimistic time

6

4 m

b

a

(43)

Risk management

Activity Optimistic Most likely Pessimistic Expected S.D.

(a) (m) (b)

A B

5

3 64 85

2 6

A T = 6

B

C T = 3 D

T = 4 T = 2H

B C D E F G H 3 2 3.5 1 8 2 2 4 3 4 3 10 3 2 5 3 5 4 15 4 2.5 Even number Expected date Target date Standard deviation Slide# 44 Software Project Management

1 0 3 ₄

5 10

4 9 6 13

B T = 4

F T = 10

D T = 4

E T = 3

G T = 3 H

(44)

Risk management

6

4 m

b

a

t

_e





Table 7.6 Expected time and standard deviations

(a) (m) (b) (t) (s)

A B

5

3 64 85 6.174.00

6 t

_e



(45)

Risk management

Using expected durations

• Forward pass

Even number Expected Target date Standard

• Forward pass Expected

date

Standard deviation

Table 7.5 PERT activity time estimates, Figure 7.4 PERT network

2 6.17

A t = 6.17

B

C t = 2.83 D

t = 4.08 t = 2.08H

6

1 0 3 4 5 10.5 4 9 6 13.5 B t = 4.00

F t = 10.5

D t = 4.08

E t = 2.83

G t = 3.00

H t = 2.08

0 ₄

10

(46)

Risk management

Activity standard deviations

a

b

s





6 a

b

s





Table 7.6 Expected time and standard deviations

(a) (m) (b) (t) (s)

A B

5

3 64 85 6.174.00 0.500.33

(47)

Risk management

Calculate Standard Deviation



2



2





s

2 6.17 A

t = 6.17 s = 0.50

B

C t = 2.83 s = 0.17 D

t = 4.08

H t = 2.08

0.50 6 Even number Expected date Target date Standard deviation







0 .

50

2

0 .

17

2



0 .

53

4 2 2 2 1











s

1 0 3 4 5 10.5 4 9 6 13.5 B

t = 4.00 s = 0.33

F t = 10.5 s = 1.17

t = 4.08 s = 0.25 E t = 2.83

s = 0.50 _G

t = 3.00 s = 0.33 t = 2.08 s = 0.08

(48)

Risk management

The likelihood of meeting targets

• calculate SD of each project event;

• calculate the z value for each event that has target • calculate the z value for each event that has target

date;

(49)

Risk management

Calculating the standard deviation of each project event

Calculating the z values

s

t

T

z





e where t is expected date, T is target date

z value is calculated for each node that has a target date.

(50)

Risk management

5 .

13

13 



z

Target Date = 13

Expected Date = 13.5

22 .

1 

z

Expected Date = 13.5

S.D. = 1.22

Z-Value = -0.41

Probability = 0.655

There is an 65.5% risk of not meeting the target date of the end of week 13

The probability is 1-0.655 or about 34.5% that this path will be finished on or before day 13.

(51)

Risk management

The advantage of PERTs

• Easy identification of the order of precedence

• Easy identification of the critical path and thus critical

activities

• Easy determination of slack time, the leeway to fall

behind on noncritical paths

(52)

Risk management

7.a Budget Uncertainty and Risk Management

Budget Uncertainty

• It is common in project management to make new forecasts about project completion time and cost at fixed points in the project life cycle.

(53)

Risk management

Budget Uncertainty

• Changes are due to errors, technological uncertainty and so on.

• The project team or client learns more about the nature of the performance goal of the project or the setting in which it is to be used.

• Change is the mandate: new law, government regulation etc. There are three basic causes for change in projects:

(54)

Risk management

P ro je ct C o st P ro je ct C o st P ro je ct C o st Time P ro je ct C o st Time P ro je ct C o st

t₀ t₁ Time

P ro je ct C o st

t₀ t₁ t₂

An estimate at the beginning of the project at t₀ as (a), As work on the project progresses, the uncertainty decreases as the project

t₀

(a) (b) (c)

(55)

Risk management

BUDGET INFORMATION

Task Name OptimisticCost = a Normal Cost= m PessimisticCost = b Expected Cost(a+4m+b)/6

Begin preparations for tribute dinner select date & secure room

obtain corporate sponsorships for event $ 100.00 $ 150.00 $ 350.00 $ 175.00 identify potential businesses to sponsor

phone/write businesses $ 100.00 $ 150.00 $ 350.00 $ 175.00 Event hosts/MC

identify and secure honoree of event identify and secure master of ceremonies identify/secure person to introduce honoree identify/secure event hosts & hostesses

identify/secure event hosts & hostesses Invitations

secure mailing lists

design invitation with PR firm $1,250.00 $ 1,500.00 $ 2,200.00 $ 1,575.00 Print invitation $2,300.00 $ 2,500.00 $ 3,000.00 $ 2,550.00 Mail invitation $ 250.00 $ 300.00 $ 410.00 $ 310.00 RSVP's back

(56)

Risk management

7.13 Conclusions

This chapter we have seen how to identify and manage the risks This chapter we have seen how to identify and manage the risks that might affect the success of a project. Risk management is concerned with assessing and prioritizing risks and drawing up plans for addressing those risks before they become problems.

This chapter has also described techniques for estimating the effect of risk on the project’s activity network and schedule.

effect of risk on the project’s activity network and schedule.