Chapter Seven
Risk management
This lecture will touch upon:
• Definition of ‘risk’ and ‘risk management’
• Some ways of categorizing risk
• Risk management
• Risk identification – what are the risks to a project?
• Risk analysis – which ones are really serious?
• Risk planning – what shall we do?
• Risk monitoring – has the planning worked?
Risk
‘ Risk is an uncertain event or condition that, if it occurs,
Risk Key Elements
• It relates to the future
• The future is uncertain
• Risks involve a possible cause and its effect(s)
e.g. developer leaves > task delayed
Causes:
• The use of untrained staff.
• Poor specifications.
• An inaccurate estimate of effort.
Effects:
• Cost overrun.
• Low productivity.
Boundaries of Risk Management
• Every plan is based on assumptions, and risk management tries to plan for and control the situations where those assumptions become incorrect.
• Risk planning is carried out at steps 3 & 6 of stepwise project planning.
Risk Categories
• Project risks are risks that could prevent the achievement of the objectives given to the project manager and the project team.
• These objectives are formulated toward achieving project success.
• Project success factors:
• On time
• Within budget
• Required functionality
• Quality
• Project risks can be classified under these four categories.
Risk Categories (cont’d)
• A different way to categorize risks:
• A sociotechnical model proposed by Kalle Lyytinen and his colleagues
• Actors: refers to all people involved in the development of the application.
• Risk: A high staff turnover leads to expertise of value to the project being lost.
• Technology: encompasses both the technology:
– Used to implement the application and
– That embedded in the delivered products.
• Risk:
– Relating to the appropriateness of the technology and
– The possible faults in it.
• Structure: describes the management structures and systems, including those affecting planning and control.
• Risk: Responsibility for managing the users' involvement at the implementation stage might not be clearly allocated.
• Tasks: relates to the work planned.
• Risk: The complexity of work might lead to delays because of the additional time required to integrate the large number of components.
Nature of risks
1. Risks caused by the difficulties of estimation
2. Risks due to assumptions made during the planning process
3. Risks due to unforeseen events occurring
1. Risks caused by the difficulties of estimation
A framework for dealing with risk
The planning for risk includes these steps:
• Risk identification – what risks might there be?
• Risk analysis and prioritization – which are the most serious risks?
• Risk planning – what are we going to do about them?
Risk identification
Risk identification consists of listing all risks that can adversely affect the successful execution of the project.
Approaches to identifying risks include:
• Use of checklists – usually based on the experience of past projects
• Brainstorming – getting knowledgeable stakeholders together to pool concerns
Approaches to identifying risks include:
1. Brainstorming:
• Brainstorming involves a group of people working together to identify potential risks, causes, failure modes, hazards and criteria for decisions and/or options for treatment.
• Brainstorming should stimulate and encourage free-flowing conversation amongst a group of knowledgeable people without criticising or rewarding ideas.
• The inputs for successful brainstorming include the following:
• A well-defined problem.
• A team of people with knowledge of the problem.
• A brainstorming technique.
• A facilitator.
2. Checklist:
• Checklists are pre-populated lists of hazards, risks or control failures that have
Boehm’s top 10 development risks
Risk | Risk reduction techniques
Personnel shortfalls | Staffing with top talent; job matching; teambuilding; training and career development; early scheduling of key personnel
Unrealistic time and cost estimates | Multiple estimation techniques; design to cost; incremental development; recording and analysis of past projects; standardization of methods
Developing the wrong software functions | Improved software evaluation; formal specification methods; user surveys; prototyping; early user manuals
Developing the wrong user
Boehm’s top ten risk - continued
Risk | Risk reduction techniques
Gold plating | Requirements scrubbing, prototyping, design to cost
Late changes to requirements | Change control, incremental development
Shortfalls in externally supplied components | Benchmarking, inspections, formal specifications, contractual agreements, quality controls
Shortfalls in externally performed tasks | Quality assurance procedures, competitive design etc
Real time performance problems | Simulation, prototyping, tuning
Development technically too
Risk Analysis
• After risk identification, we need some way of assessing the importance of a risk.
• For risk assessment, each risk should first be rated in two ways:
• Risk likelihood: the probability of the hazard occurring.
• Risk impact: the effect that the resulting problem will have on the project.
• Risk exposure or value: the importance of the risk.
• The risk value is calculated as:
Reducing the Risks
• There are 5 strategies for risk reduction:
1. Hazard prevention:
Ex: the risk of staff being unavailable for meetings can be minimized by early scheduling.
2. Likelihood reduction: Some risks cannot be prevented, but their likelihood can be reduced.
Ex: the risk of late changes to the requirements specification can be reduced by prototyping.
3. Risk avoidance: Some risks can be avoided.
Ex: the risk of a project overrunning its schedule, by increasing duration estimates.
4. Risk transfer: the impact of some risks can be transferred away from the project by taking insurance.
Risk planning:
Risks can be dealt with by:
• Risk acceptance
• Risk avoidance
• Risk reduction
• Risk transfer
Risk acceptance
• This is the do-nothing option.
• We could decide that damage inflicted by risks would be less than the
Risk Avoidance
• Risk avoidance is the elimination of hazards, activities and exposures
that can negatively affect an organization's assets.
Risk reduction
• Here we decide to go ahead with a course of action despite the risks,
Risk Transfer
• Risk transfer is a risk management and control strategy that involves
SPM (5e) risk management © The McGraw-Hill Companies, 2011
Evaluating Risk to schedules:
Using PERT to evaluate the effects of uncertainty
• Project evaluation and review technique (PERT) charts are a more sophisticated form of activity chart.
• The durations assigned to tasks by the project manager are only estimates.
• Therefore, in reality the duration of an activity is a random variable with some probability distribution.
• PERT charts can be used to determine the probabilistic times for reaching various project milestones, including the final milestone.
• PERT charts like activity networks consist of a network of boxes and
When do we use PERT?
• PERT is used when activity times are uncertain.
– Determine the duration of the project.
Three estimates are produced for each activity
• Most likely time (m): the time we would expect the task to take normally
• Optimistic time (a): the shortest time that could realistically be expected
• Pessimistic time (b): worst possible time
• ‘expected time’ te = (a + 4m + b) / 6
• ‘activity standard deviation’ s = (b - a) / 6
• SD is the average deviation from the estimated time.
• Standard deviation indicates the degree of uncertainty for each activity, or the risk for each activity.
Assessing the likelihood of meeting a target
• Z values are calculated for each node that has a target date.
• Say the target for completing A+B+C was 52 days (T)
• Calculate the z value thus:
z = (T – te) / s, where T is the target date and te is the expected date.
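The PERT calculation above carried through for a path A+B+C with the 52-day target, as an added example that is not part of the original lecture. The a/m/b estimates are constructed sample values; combining activity standard deviations as the square root of the sum of their squares, and turning z into a probability with the normal CDF, are the standard PERT treatment and go beyond the formulas shown on these slides.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    name: str
    a: float  # optimistic time
    m: float  # most likely time
    b: float  # pessimistic time

    def __post_init__(self):
        # Reject estimates that are out of order; they would give a negative s.
        if not (self.a <= self.m <= self.b):
            raise ValueError(f"{self.name}: estimates must satisfy a <= m <= b")

    @property
    def te(self) -> float:
        """Expected time: te = (a + 4m + b) / 6."""
        return (self.a + 4 * self.m + self.b) / 6

    @property
    def s(self) -> float:
        """Activity standard deviation: s = (b - a) / 6."""
        return (self.b - self.a) / 6


def path_estimate(path):
    """Expected date and standard deviation at the end of a sequential path."""
    te = sum(act.te for act in path)
    s = math.sqrt(sum(act.s ** 2 for act in path))  # assumption: independent activities
    return te, s


def z_value(target: float, te: float, s: float) -> float:
    """z = (T - te) / s; undefined when the path carries no uncertainty."""
    if s == 0:
        raise ValueError("s is zero: the estimate is certain, z is undefined")
    return (target - te) / s


def probability_of_meeting(z: float) -> float:
    """Standard normal CDF of z: the chance of finishing by the target date."""
    return 0.5 * (1 + math.erf(z / math.sqrt(2)))


# Constructed sample estimates (days) for the path A+B+C; not from the lecture.
SAMPLE_PATH = [Activity("A", 8, 11, 20), Activity("B", 14, 20, 26), Activity("C", 13, 16, 19)]

if __name__ == "__main__":
    te, s = path_estimate(SAMPLE_PATH)
    z = z_value(52, te, s)
    print(f"te={te:.1f} s={s:.2f} z={z:.2f} P(on time)={probability_of_meeting(z):.3f}")
```

A negative z means the target falls before the expected date, so the probability of meeting it drops below 50%.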