Information Technology
FIT2002
IT Project Management
Lecture 7
Project Risk Management
Video 1:
Learning Objectives
Understand risk and the importance of good project risk
management
Discuss the elements of planning risk management and the
contents of a risk management plan
Schwalbe, K. (2015). Information Technology Project Management (8e). Cengage Learning.
The Importance of Project Risk Management
Project risk management is the art and science of identifying,
analysing, and responding to risk throughout the life of a project
and in the best interests of meeting project objectives
Risk management is often overlooked in projects, but it can help
improve project success by helping select good projects,
determining project scope, and developing realistic estimates
Helps project stakeholders understand the nature of the project,
and helps to integrate other project management knowledge
areas.
Benefits from Software Risk Management
Practices*
*Source: Kulik and Weber, KLCI Research Group
Global Issues
According to a global survey of 316 financial services executives,
over 70 percent of respondents believed that the losses
stemming from the credit crisis were largely due to failures to
address risk management issues
Worldwide banking and insurance sectors will spend about $78.6
billion on risk information technologies and services in 2015,
growing to $96.3 billion by 2018
Negative Risk
A dictionary definition of risk is “the possibility of loss or
injury”
Negative risk involves understanding potential problems
that might occur in the project and how they might impede
project success
Managing negative risks involves a number of possible
actions such as to avoid, lessen, change, or accept the
potential effects of risks on projects
Risk Can Be Positive
Positive risks are risks that result in good things happening;
sometimes called opportunities
A general definition of project risk is an uncertainty that can
have a negative or positive effect on meeting project objectives
The goal of project risk management is to minimize potential
negative risks while maximizing potential positive risks
Risk Management
Risk management is an investment—costs are associated with it
Cost for risk management should not exceed the potential
benefits
Organisations should not only address tactical and negative risks
David Hillson (www.risk-doctor.com) suggests integrated
risk management: widening the scope of risk management to
encompass both strategic risks and upside opportunities
Some ‘Risk’ Terms
Risk appetite – the degree of uncertainty an entity is willing to
take on, in anticipation of a reward
Risk tolerance – the maximum acceptable deviation an entity is
willing to accept as the potential impact.
Risk utility is the amount of satisfaction or pleasure received
from a potential payoff
Known risks – Risks that the project team has identified and
analyzed and that can be managed proactively.
Unknown risks – Risks that have not been identified and
analysed and cannot be managed.
Risk Utility Function and Risk Preference
– Utility rises at a decreasing rate for people who are risk-averse
– Risk-neutral approach achieves a balance between risk and payoff
– Risk-seekers have a higher tolerance for risk & satisfaction increases with higher payoffs
Project Risk Management Processes
Planning risk management: Deciding how to approach and
plan the risk management activities for the project
Identifying risks: Determining which risks are likely to affect a
project and documenting the characteristics of each
Performing qualitative risk analysis: Prioritizing risks based on
their probability and impact of occurrence
Project Risk Management Processes (cont’d)
Performing quantitative risk analysis: Numerically estimating
the effects of risks on project objectives
Planning risk responses: Taking steps to enhance
opportunities and reduce threats to meeting project objectives
Controlling risk: Monitoring identified and residual risks,
identifying new risks, carrying out risk response plans, and
evaluating the effectiveness of risk strategies throughout the life
of the project
Project Risk Management Summary
Planning Risk Management
The main output of this process is a risk management
plan—a plan that documents the procedures for managing
risk throughout a project
The project team should review project documents and
understand the organization’s and the sponsor’s
approaches to risk
The level of detail will vary with the needs of the project
Topics Addressed in a Risk Management Plan
Methodology
Roles and responsibilities
Budget and schedule
Risk categories
Risk probability and impact
Revised stakeholders’ tolerances
Tracking
Risk documentation
Video 2:
Learning Objectives
Discuss the different categories of risk
Describe a risk breakdown structure
Describe the process of identifying risks and create a risk
register (in supplementary video)
IT Success Potential Scoring Sheet
Success Criterion Relative Importance
User Involvement 19
Executive Management support 16
Clear Statement of Requirements 15
Proper Planning 11
Realistic Expectations 10
Smaller Project Milestones 9
Competent Staff 8
Ownership 6
Clear Visions and Objectives 3
Hard-Working, Focused Staff 3
Total 100
Broad Categories of Risk
Market risk
Financial risk
Technology risk
People risk
Structure/process risk
Risk Breakdown Structure
A risk breakdown structure is a hierarchy of potential risk
categories for a project
Similar to a work breakdown structure but used to identify and
categorize risks
Sample Risk Breakdown Structure
Potential Negative Risk Conditions Associated With
Each Knowledge Area
Identifying Risks
Identifying risks is the process of understanding what potential
events might hurt or enhance a particular project
Another consideration is the likelihood of advanced discovery
Risk identification tools and techniques include:
– Brainstorming
– The Delphi Technique
– Interviewing
– SWOT analysis
Brainstorming
Brainstorming is a technique by which a group attempts to
generate ideas or find a solution for a specific problem by
amassing ideas spontaneously and without judgment
An experienced facilitator should run the brainstorming session
Be careful not to overuse or misuse brainstorming.
– Psychology literature shows that individuals produce a
greater number of ideas working alone than they do through
brainstorming in small, face-to-face groups
– Group effects often inhibit idea generation
Delphi Technique
The Delphi Technique is used to derive a consensus among a
panel of experts
It is a systematic, interactive procedure based on independent
and anonymous input from project risk experts.
Facilitator uses repeated rounds of questioning and written
responses and consensus may be reached in a few rounds of
this process
It avoids the biasing effects possible in oral methods, such as
brainstorming
Interviewing
Interviewing is a fact-finding technique for collecting information
in face-to-face, phone, e-mail, or instant-messaging discussions
Interviewing people with similar project experience or
stakeholders and subject matter experts is an important tool for
identifying potential risks
Root Cause Analysis and SWOT Analysis
Root cause analysis – a technique used to identify a problem,
discover the underlying causes and then develop preventive
measures
SWOT analysis (strengths, weaknesses, opportunities, and
threats) can also be used during risk identification
SWOT analysis helps identify the broad negative and positive
risks that apply to a project
Diagramming Techniques
Cause and effect diagrams – also known as Ishikawa or
fishbone diagram
Systems or process flowchart – show how various elements
of a system interrelate
Influence diagram – showing causal influences and
relationships among variables and outcomes
Risk Register
The main output of the risk identification process is a list of
identified risks and other information needed to begin creating a
risk register
A risk register is:
– A document that contains the results of various risk
management processes often presented in a table
– A tool for documenting potential risk events and related
information
Risk events refer to specific, uncertain events that may occur
– to the detriment (due to negative risk event) or
– enhancement (due to positive risk event) of the project
Sample Risk Register
• No.: R44
• Rank: 1
• Risk: New customer
• Description: We have never done a project for this organization before and
don’t know too much about them. One of our company’s strengths is
building good customer relationships, which often leads to further projects
with that customer. We might have trouble working with this customer
because they are new to us.
• Category: People risk
• Etc.
Risk Register Contents
An identification number for each risk event
A rank for each risk event
The name of each risk event
A description of each risk event
The category under which each risk event falls
The root cause of each risk
Risk Register Contents (cont’d)
Triggers for each risk; triggers are indicators or symptoms of
actual risk events
Potential responses to each risk
The risk owner or person who will own or take responsibility for
each risk
The probability and impact of each risk occurring.
The status of each risk
Video 3:
Learning Objectives
Discuss qualitative risk analysis
Explain how to calculate risk factors, create
probability/impact matrixes and apply the Top Ten Risk
Item Tracking technique to rank risks
Performing Qualitative Risk Analysis
Assess the likelihood and impact of identified risks to determine
their magnitude and priority
Risk quantification tools and techniques include:
– Probability/impact matrixes
– The Top Ten Risk Item Tracking
– Expert judgment
Probability/Impact Matrix
A probability/impact matrix or chart lists the relative probability
of a risk occurring on one side of a matrix or axis on a chart and
the relative impact of the risk occurring on the other
List the risks and then label each one as high, medium, or low in
terms of its probability of occurrence and its impact if it did occur
Can also calculate risk factors:
– Numbers that represent the overall risk of specific events
based on their probability of occurring and the
consequences to the project if they do occur
Sample Probability/Impact Matrix
Chart Showing High-, Medium-, and Low-Risk
Technologies
Top Ten Risk Item Tracking
Top Ten Risk Item Tracking is a qualitative risk analysis tool
that helps to identify risks and maintain an awareness of risks
throughout the life of a project
Establish a periodic review of the top ten project risk items
List the current ranking, previous ranking, number of times the
risk appears on the list over a period of time, and a summary of
progress made in resolving the risk item
Example of Top Ten Risk Item Tracking
Risk Management Review
Objectives of risk management review:
– keeps management (and probably customer) aware of
major influences that could prevent or enhance the project’s
success;
– to consider alternative strategies for addressing the risks;
– promotes confidence in the project team by demonstrating
that the team is aware of significant risks, has a strategy in
place and is effectively carrying out that strategy
A watch list is a list of risks that are low priority, but are still
identified as potential risks
Qualitative analysis can also identify risks that should be
evaluated on a quantitative basis
Video 4:
Learning Objectives
Explain quantitative risk analysis and how to apply decision
trees, simulation, and sensitivity analysis to quantify risks
Performing Quantitative Risk Analysis
Often follows qualitative risk analysis, but both can be done
together
Large, complex projects involving leading edge technologies
often require extensive quantitative risk analysis
Main techniques include:
– Data gathering
• Interviewing experts
• collecting probability distribution information
– Analysis and modelling techniques:
• Decision tree analysis
• Simulation
• Sensitivity analysis
Decision Trees and Expected Monetary Value
(EMV)
A decision tree is a diagramming analysis technique used to
help select the best course of action in situations in which future
outcomes are uncertain
Expected monetary value (EMV) is the product of a risk event
probability and the risk event’s monetary value
You can draw a decision tree to help find the EMV
Expected Monetary Value (EMV) Example
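A decision-tree rollback that computes EMV as defined above, as an added example that is not from the lecture or the textbook. The bid options, probabilities and payoffs are constructed, and `rollback`, `best_option` and `TREE` are hypothetical names.

```python
# Added example: roll a decision tree back to its expected monetary value (EMV).
# Every option, probability and payoff below is constructed for illustration.

def outcome(value):
    """Leaf node: a monetary result (negative = loss)."""
    return {"type": "outcome", "value": value}

def rollback(node):
    """Return the EMV of a node.

    outcome  -> its monetary value
    chance   -> sum of probability * EMV over all branches
    decision -> EMV of the best available option
    """
    kind = node["type"]
    if kind == "outcome":
        return float(node["value"])
    if kind == "chance":
        total = sum(p for p, _ in node["branches"])
        if abs(total - 1.0) > 1e-9:
            # A chance node whose branches do not cover all cases gives a wrong EMV.
            raise ValueError(f"{node['name']}: probabilities sum to {total}, not 1")
        return sum(p * rollback(child) for p, child in node["branches"])
    if kind == "decision":
        return max(rollback(child) for _, child in node["options"])
    raise ValueError(f"unknown node type {kind!r}")

def best_option(decision):
    """Return (label, emv) for the highest-EMV option at a decision node."""
    scored = [(label, rollback(child)) for label, child in decision["options"]]
    return max(scored, key=lambda pair: pair[1])

TREE = {
    "type": "decision", "name": "which bid to submit",
    "options": [
        ("Bid on Project A", {"type": "chance", "name": "Project A", "branches": [
            (0.3, outcome(200_000)),    # win the contract
            (0.7, outcome(-30_000)),    # lose the bid, write off its cost
        ]}),
        ("Bid on Project B", {"type": "chance", "name": "Project B", "branches": [
            (0.5, outcome(90_000)),
            (0.3, outcome(20_000)),
            (0.2, outcome(-50_000)),
        ]}),
        ("Do not bid", outcome(0)),
    ],
}

if __name__ == "__main__":
    for label, child in TREE["options"]:
        print(f"{label:18s} EMV = {rollback(child):>10,.0f}")
    print("Highest EMV:", best_option(TREE))
```

Project A has the larger possible payoff, yet Project B has the higher EMV because its losing branches are both less likely and, combined, cheaper.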
Simulation
Simulation uses a representation or model of a system to
analyze the expected behavior or performance of the system
Monte Carlo analysis simulates a model’s outcome many times
to provide a statistical distribution of the calculated results
To use a Monte Carlo simulation, you must have three estimates
(most likely, pessimistic, and optimistic) plus an estimate of the
likelihood of the estimate being between the most likely and
optimistic values
Steps of a Monte Carlo Analysis
1. Assess the range for the variables being considered
2. Determine the probability distribution of each variable
3. For each variable, select a random value based on the
probability distribution
4. Run a deterministic analysis or one pass through the model
5. Repeat steps 3 and 4 many times to obtain the probability
distribution of the model’s results
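The five steps above in code, as an added example that is not from the lecture or the textbook. It assumes a triangular distribution over constructed three-point estimates for three sequential tasks; `simulate`, `percentile` and `prob_within` are hypothetical names.

```python
# Added example: Monte Carlo analysis of a project schedule.
import random
import statistics

# Step 1: range of each variable, as constructed three-point estimates in days
# (optimistic, most likely, pessimistic).
TASKS = {
    "design": (8, 10, 16),
    "build": (20, 25, 40),
    "test": (5, 8, 15),
}

def one_pass(rng, tasks):
    """Steps 3 and 4: draw one random value per variable, then run the
    deterministic model once. The model is the sum of sequential durations.

    Step 2 (the distribution of each variable) is an assumption here:
    a triangular distribution shaped by the three estimates."""
    return sum(rng.triangular(opt, pess, likely)
               for opt, likely, pess in tasks.values())

def simulate(tasks, trials=20_000, seed=7):
    """Step 5: repeat the pass many times; returns the sorted totals."""
    rng = random.Random(seed)  # fixed seed so the analysis can be reproduced
    return sorted(one_pass(rng, tasks) for _ in range(trials))

def percentile(sorted_results, pct):
    """Total duration not exceeded in pct percent of the simulated runs."""
    idx = min(len(sorted_results) - 1, int(len(sorted_results) * pct / 100))
    return sorted_results[idx]

def prob_within(sorted_results, deadline):
    """Share of simulated runs that finish on or before the deadline."""
    hits = sum(1 for total in sorted_results if total <= deadline)
    return hits / len(sorted_results)

if __name__ == "__main__":
    results = simulate(TASKS)
    most_likely_sum = sum(likely for _, likely, _ in TASKS.values())
    print(f"mean duration      : {statistics.mean(results):.1f} days")
    print(f"50th percentile    : {percentile(results, 50):.1f} days")
    print(f"80th percentile    : {percentile(results, 80):.1f} days")
    print(f"P(done in {most_likely_sum} days): "
          f"{prob_within(results, most_likely_sum):.0%}")
```

Because each estimate has a longer pessimistic tail than optimistic tail, the schedule built from the most likely values alone (43 days) is met in only a minority of the simulated runs.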
Sensitivity Analysis
Sensitivity analysis is a technique used to show the effects of
changing one or more variables on an outcome
For example, sensitivity analysis may be used to determine the
monthly payments for a loan at different interest rates or periods
of the loan, or for determining break-even points based on
different assumptions
Spreadsheet software, such as Excel, is a common tool for
performing sensitivity analysis
Sample Sensitivity Analysis for Determining
Break-Even Point
Video 5:
Learning Objectives
Provide examples of using different risk response planning
strategies to address both negative and positive risks
Discuss how to control risks
Planning Risk Responses
After identifying and quantifying risks, you must decide how to
respond to them
Developing options and defining strategies for reducing negative
risks and enhancing positive risks
Four main response strategies for negative risks (TARA)
– Risk Transference
– Risk Avoidance
– Risk Mitigation (Reduction)
– Risk Acceptance
General Risk Mitigation Strategies for
Technical, Cost, and Schedule Risks
Response Strategies for Positive Risks
Risk exploitation
Risk sharing
Risk enhancement
Risk acceptance
Residual and Secondary Risks
It’s also important to identify residual and secondary risks
Residual risks are risks that remain after all of the response
strategies have been implemented
Secondary risks are a direct result of implementing a risk
response
Controlling Risks
Involves executing the risk management process to respond to
risk events and ensuring that risk awareness is an ongoing
activity performed by the entire project team throughout the
entire project
A redistribution of resources devoted to risk management may
be necessary because of changes in risk exposure
Monitoring risks based on defined milestones and making
decisions regarding risks and their response strategies
Workarounds are unplanned responses to risk events that must
be done when there are no contingency plans
Contingency and Fallback Plans, Contingency
Reserves
Contingency plans are predefined actions that the project team
will take if an identified risk event occurs
Fallback plans are developed for risks that have a high impact
on meeting project objectives, and are put into effect if attempts
to reduce the risk are not effective
Contingency reserves or allowances are provisions held by
the project sponsor or organization to reduce the risk of cost or
schedule overruns to an acceptable level
Management reserves are funds held for unknown risks that are
NOT part of the cost baseline but ARE part of the budget and
funding requirements
Controlling Risks – Outputs, Tools & Techniques
Main outputs of risk control are:
– Work performance information
– change requests
– updates to the project management plan, other project
documents, and organisational process assets
Tools and Techniques:
– risk reassessment or audits
– variance and trend analysis
– technical performance measurements
– reserve analysis
– status meetings/periodic risk reviews – Top Ten Risk Item
Tracking
Results of Good Project Risk Management
Unlike crisis management, good project risk management often
goes unnoticed
Well-run projects appear to be almost effortless, but a lot of work
goes into running a project well
Managing project risks requires dedicated and talented
professionals