SW Project Management: Managing Project Risk

Provided by: gle9

1
SW Project Management: Managing Project Risk
  • INFO 420
  • Glenn Booker

2
Risk avoided
  • American culture avoids facing risk
  • This leads to many problems in project management
  • We want to stick our heads in the sand
  • Somehow that doesn't make risks go away
  • We need to manage risks proactively

3
Risk Management
  • If you don't actively attack risks, they will
    attack you - Tom Gilb
  • Risk management is still looked upon as bad news
    - and messengers are still shot

4
What is risk?
  • A risk is something that might go wrong, which
    could affect the project outcome
  • The key word is might
  • If the probability is zero, it isn't a risk at
    all
  • If the probability is one, it's certain to occur,
    and can be treated as a project constraint
  • So any risk has 0 < p < 100%

5
Risk management problems
  • Typical problems in risk management are
  • Not valuing risk management (RM)
  • Some insist there is no benefit to doing RM
  • Not allowing time for RM
  • RM takes time and effort, get over it!
  • Not identifying and assessing risks consistently
  • Which can waste time and miss opportunities

6
Risk lessons learned
  • So a few lessons learned include
  • Get commitment by all stakeholders, both to do
    RM, and agree on significant risks
  • Identify an owner for each risk, so someone is
    actively managing it
  • Look for typical risks for your type of project;
    patterns vary

7
RM elements
  • The main elements in risk management are
  • Risk management planning
  • Risk identification
  • Qualitative and Quantitative risk analysis
  • Risk response planning
  • Risk monitoring and control

8
Risk Management Planning
  • Similar to security analysis
  • Identify threats
  • Prevent threats
  • Detect threats (not trivial with information
    systems!)
  • Mitigate (reduce) the effects of the threats

9
Risk planning
  • The PMBOK defines risk as
  • An uncertain event or condition that, if it
    occurs, has a positive or negative effect on the
    project objectives
  • So a risk can be a good thing
  • We tend to think of the bad ones

10
Project reserves
  • A financial reserve is kept for most projects, in
    part for risk management
  • Helps protect against
  • Flawed estimates
  • Minor anomalies (unexpected events)
  • Permanent variances (unexpected skill levels)
  • Minor variances (estimates slightly off)

11
Project risk management steps
  • Risk planning
  • Get commitment from stakeholders
  • Allocate resources
  • Develop and approve RM plan
  • Risk identification
  • Develop a list of risks, their causes and effects

12
Project risk management steps
  • Risk assessment
  • Analyze the risks for probability and impact
  • Risk strategies
  • Document how to respond to each risk if it occurs
    (risk response or mitigation plan)
  • Risk monitoring and control
  • During project, look for known risks to occur,
    and identify new risks

13
Project risk management steps
  • Risk response
  • Respond to risks that have occurred
  • Risk evaluation
  • Find lessons learned, and how to improve future
    projects' RM

14
Identifying IT project risks
  • The scope and context of risks can be a little
    intimidating at first, so we break the big
    problem into little ones
  • Ultimately, any risk might affect the project's
    MOV
  • Which could result from changes in scope,
    quality, schedule, or budget

15
Identifying IT project risks
  • These could result from people, legal, process,
    environment, technology, organization, product,
    or other issues
  • These could be internal to your organization, or
    external
  • Risks could be known risks, known-unknown risks
    (risk is known, extent is unknown), or completely
    unknown risks (unimaginable)

16
Identifying IT project risks
  • And finally, risks could affect any part of the
    project life cycle
  • Conceptualize and initialize the project
  • Develop project charter and plan
  • Execute and control the project
  • Close project
  • Evaluate project success

17
All clear?
  • That only gives
  • 1 × 4 × 7 × 2 × 3 × 5 = 840 ways to classify a risk!
  • Realistically, we only focus on the issues most
    likely to affect our project
  • Our goal is to identify all the significant
    risks, not every conceivable risk!

18
Risk tools
  • Learning cycles
  • For each suspected risk area, identify facts
    known about it, assumptions being made, and what
    needs to be researched in that area
  • Test assumptions, and conduct research to
    identify specific risks
  • Brainstorming

19
Nominal Group Technique (NGT)
  • Have everyone write down ideas on paper
  • Write on flip chart, one idea from each person,
    until all are recorded
  • Discuss and clarify the ideas
  • Each person ranks and prioritizes the ideas
  • Group discusses ranking and priorities
  • Redo personal ranking and prioritization
  • Summarize for the group

20
Risk tools
  • Delphi technique: same as used for estimation,
    but use for identifying risks and their
    probability and impact
  • Interviewing
  • Checklists, typically from past projects or
    industry common risks

21
Risk tools
  • SWOT analysis: look at the organization's and
    project's strengths, weaknesses, opportunities
    and threats
  • Past projects: the ideal solution for all
    project management problems!
  • Use lessons learned from previous projects

22
Risk tools
  • Cause and effect diagram, or fishbone diagram
  • Start with a major type of risk
  • Identify 4-6 categories of causes of that risk
  • Brainstorm about what could cause that risk to
    occur, based on the categories
  • Fill in details until you're bored
  • Then eliminate known minimal risk areas or causes

23
Risk analysis and assessment
  • Risk analysis estimates the probability and
    impact of each risk
  • Risk assessment prioritizes risks to help define
    your risk strategy
  • Which risks are significant enough to prevent
    actively?
  • Which will require effort if they occur?

24
Qualitative vs quantitative
  • Both kinds of assessment can be done
  • Use the former most of the time
  • Use the latter for key risks in a steady
    environment
  • Caveat: the text is misleading about qualitative
    vs quantitative assessment
  • What they call qualitative is really quantitative
  • What they call quantitative is statistical
    process control (SPC)

25
Expected value
  • Think of Deal or No Deal
  • If we have several possible outcomes, can
    calculate for each the probability and resulting
    payoff (or cost)
  • Multiply probability and payoff to get the impact
    of each outcome
  • Add impact outcomes to determine the overall
    expected value of all possible results

26
Decision Tree
  • This is a graphic form of a payoff table
  • Nodes represent choices (and their costs) or
    probabilities
  • Map out possible choices, and what their impact
    outcomes are
  • Pick the highest impact outcome

27
Risk Impact Table
  • Great for analysis and prioritization of risks
  • Define each risk, its probability, and impact
  • Impact could be in $ or effort to resolve the
    risk
  • Multiply the latter to get the impact outcomes
    (P-I score)
  • Sort risks by descending P-I score → instant
    prioritization! (risk rankings)

28
Risk Impact Table
  • You could categorize risks by their general
    impact and probability
  • Kittens: low probability and impact
  • Puppies: high prob, low impact
  • Alligators: low prob, high impact
  • Tigers: high prob and impact, good at golf

I wouldn't, but you could

29
Quantitative approaches
  • Those approaches will cover most situations and
    needs
  • These approaches might apply if you have more
    extensive data on specific risks
  • All are based on various types of probability
    distributions

30
Discrete probability distribution
  • When you're measuring discrete events (it
    happens, or not) then a family of discrete
    probability distributions comes into play
  • In these cases, calculate the probability of each
    individual event happening (x = 0, x = 1, etc.), and
    add them up
  • A subset of these are binomial distributions,
    where events either happen, or not (like a coin
    flip, or someone dies)

31
Continuous probability distribution
  • Often of interest is when a measurement can have
    real values (not just integers)
  • This results in a continuous probability
    distribution
  • There are dozens of them: Gaussian, Poisson,
    Chi-square, F, Student T, etc.

32
Normal distribution
  • A normal (Gaussian) distribution is a bell curve
  • It has a mean value μ and a standard deviation σ
  • The probability of an event occurring is the area
    under the curve
  • If we know a risk follows a normal distribution,
    we can predict how likely it is to occur within a
    given range (e.g. of time)

33
PERT distribution
  • This goes with the PERT estimation technique
  • The mean is (low + 4 × likely + high)/6
  • Std deviation is (high − low)/6
  • The PERT distribution is lopsided, since we know
    zero can't occur

34
Triangular distribution
  • This is similar to a simplified PERT distribution
  • The mean is (low + likely + high)/3
  • Std dev = {[(high − low)² +
    (likely − low)(likely − high)]/18}^(1/2)

35
Simulations
  • In studying the behavior of projects, we could
    try to determine how they are affected by changes
    in inputs (assumptions, task durations, etc.)
  • The output of interest might be the project's
    cost, schedule, customer satisfaction, etc.

36
Monte Carlo simulations
  • If we automate this kind of analysis, one
    approach is using a Monte Carlo simulation
  • (Monte Carlo is the Las Vegas of Europe)
  • In a MC simulation, we define the probability
    distribution of the inputs we've defined

37
Monte Carlo simulations
  • Then the project results are simulated to see how
    they turn out
  • This produces a histogram of outputs, with the
    mean duration, and can find the probability of
    finishing within a range of times
  • Tools exist (e.g. @Risk) to automate this kind of
    analysis

38
Tornado graph
  • This type of analysis can also produce a tornado
    graph, which is a bar chart emphasizing the
    highest risk tasks
  • This is like a Pareto diagram
  • Here "highest risk" also implies "has the
    highest probability of affecting the project
    schedule"
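
Slides 34 to 38 worked through as an added example (not part of the original slides): a Monte Carlo run over triangular task estimates that reports the mean duration, the probability of finishing by a deadline, and a tornado-style ranking. The task names and estimates are constructed, tasks are assumed sequential and independent, and correlation with the total is one assumed choice of sensitivity measure for the ranking.

```python
import random
import statistics

# Constructed three-point estimates in days: (low, likely, high) per task.
TASKS = {"design": (5, 8, 14), "build": (10, 15, 30), "test": (4, 6, 10)}

def triangular_stats(low, likely, high):
    """Analytic mean and standard deviation from slide 34's formulas."""
    mean = (low + likely + high) / 3
    var = ((high - low) ** 2 + (likely - low) * (likely - high)) / 18
    return mean, var ** 0.5

def simulate(tasks, runs=20000, seed=420):
    """Draw every task duration `runs` times; tasks run one after another."""
    rng = random.Random(seed)  # fixed seed so results are repeatable
    draws = {name: [rng.triangular(lo, hi, mode) for _ in range(runs)]
             for name, (lo, mode, hi) in tasks.items()}
    totals = [sum(day) for day in zip(*draws.values())]
    return draws, totals

def prob_within(totals, deadline):
    """Share of simulated projects that finish by the deadline."""
    return sum(t <= deadline for t in totals) / len(totals)

def pearson(xs, ys):
    """Pearson correlation, written out to avoid version-specific helpers."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sum((x - mx) ** 2 for x in xs)
    sy = sum((y - my) ** 2 for y in ys)
    return cov / (sx * sy) ** 0.5

def tornado(draws, totals):
    """Tasks sorted by how strongly their duration drives the total."""
    scores = {name: pearson(vals, totals) for name, vals in draws.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    draws, totals = simulate(TASKS)
    print(f"mean duration: {statistics.fmean(totals):.1f} days")
    for deadline in (30, 35, 40):
        print(f"P(finish <= {deadline} days) = {prob_within(totals, deadline):.2f}")
    for name, score in tornado(draws, totals):
        print(f"{name:<7}{'#' * round(score * 40)} {score:.2f}")
```

The bar lengths in the last loop are a text stand-in for the tornado graph: the longest bar marks the task whose uncertainty most affects the schedule.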

39
Risk strategies
  • Ok, so we have defined risks, and analyzed them
    to find the biggest threats
  • Now we answer a big question: so what?
  • If these risks occur, what, if anything, will we
    do about it?
  • That's our risk strategy, which is different for
    each risk

40
Risk strategies
  • How we select a strategy depends on
  • Is the risk a threat or opportunity?
  • How and when will the project be affected?
  • How do we know if the risk is occurring (triggers
    or risk detection)?
  • What impact does the risk have on MOV?

41
Risk strategies
  • How many resources do we have to deal with this
    risk?
  • Remember the balance among scope, schedule,
    budget, and quality
  • Can we modify a contract or assign resources or
    otherwise mitigate a risk?
  • How tolerant are the stakeholders of this risk?

42
Risk strategy choices
  • In response to a risk, we can
  • Accept or ignore the risk, if the impact is
    minimal, or we can't do anything about it
  • Use financial reserves to deal with it
  • Have a contingency plan in place
  • Avoid the risk (prevention)
  • Change the project to reduce the chance of the
    risk occurring

43
Risk strategy choices
  • Mitigate the risk: lessen the impact of the risk
    after it has occurred
  • Transfer the risk: give the problem to someone
    else!
  • Buy insurance, subcontract something out, etc.

44
Risk response plan
  • Once key risks have been identified, and your
    strategies selected, put all this in a risk
    response plan
  • For each risk, identify
  • What trigger tells you the risk has occurred
  • The owner of the risk (person, not group)
  • The risk response strategy

45
Risk monitoring and control
  • Now your job is to monitor the risk triggers to
    see which ones go off
  • And then follow up with appropriate responses
  • Tools exist, such as Risk Radar, to help do this
  • Can also conduct risk audits, reviews, or status
    meetings

46
Risk response
  • When a risk is triggered, your response plan is
    put into action
  • May include following your mitigation strategy
  • Could include assigning resources to deal with
    the risk

47
Risk evaluation
  • The process of risk management can be improved
    like any other through keeping lessons learned
  • What risks did you identify?
  • Which ones occurred?
  • How severe was their impact?
  • Did your risk strategy work or not? Why?

48
Summary
  • Manage risks, or they will manage you
  • Identify plausible risks
  • Quantify their probability and impact
  • Identify significant risks
  • Develop strategies for dealing with them
  • Keep an eye out for risks which occur, and follow
    your strategies for dealing with them