Risk Management - PowerPoint PPT Presentation

About This Presentation
Title:

Risk Management

Slides: 19
Provided by: raysn

Transcript and Presenter's Notes

Title: Risk Management


1
Risk Management
  • Objectives
  • introduce and discuss what is meant by risk
  • introduce classic theorists on risk
  • introduce a series of approaches to managing risk
  • identify and discuss a risk management framework
  • outline a simplistic approach to risk management

2
Risk Philosophy
Source: Software Engineering Institute, Carnegie-Mellon University
  • As we take measures to make our projects/IS more
    predictable and safer, we can expect people to
    ask us to undertake more risky work
  • People accept a certain amount of risk,
    regardless of what you do to reduce it
  • Risk and opportunity go hand in hand
  • Risk in itself is not bad; risk is essential for
    progress, and failure is often a key part of
    learning. But we must learn to balance the
    possible negative consequences of risk against
    the potential benefits of its associated
    opportunity

3
  • to project objectives. Figure 11-1 provides an
    overview of the following major processes:
  • 11.1 Risk Management Planning: deciding how to
    approach and plan the risk management
    activities for a project.
  • 11.2 Risk Identification: determining which risks
    might affect the project and documenting
    their characteristics.
  • 11.3 Qualitative Risk Analysis: performing a
    qualitative analysis of risks and conditions
    to prioritize their effects on project
    objectives.
  • 11.4 Quantitative Risk Analysis: measuring the
    probability and consequences of
    risks and estimating their implications for
    project objectives.
  • 11.5 Risk Response Planning: developing procedures
    and techniques to enhance
    opportunities and reduce threats to the project's
    objectives.
  • 11.6 Risk Monitoring and Control: monitoring
    residual risks, identifying new risks,
    executing risk reduction plans, and evaluating
    their effectiveness throughout the
    project life cycle.

4
Risk Management
Barry W. Boehm, Software Risk Management (1989)
  • Risk management divides into risk assessment and risk control
  • Risk assessment: risk identification, risk analysis,
    risk prioritisation
  • Risk control: risk management planning, risk resolution,
    risk monitoring

5
A Spiral Model of Software Development and Enhancement
Barry W. Boehm, TRW Defense Systems Group (Computer, May 1988)
  • developed a prioritised top-ten list of software
    risk items along with associated risk management
    techniques to address them:
  • personnel shortfalls
  • unrealistic schedules and budgets
  • developing the wrong software functions
  • developing the wrong user interface
  • gold plating
  • continual stream of requirement changes
  • shortfalls in externally furnished components
  • shortfalls in externally performed tasks
  • real-time performance shortfalls
  • straining computer-science capabilities

6
Portfolio approach to information systems
F. Warren McFarlan, Harvard Business Review (Jan/Feb 1974)
  • By risk McFarlan suggested exposure to:
  • failure to obtain all, or even any, of the
    anticipated benefits
  • costs of implementation that vastly exceed
    planned levels
  • time for implementation that is much greater than
    expected
  • technical performance of resulting systems that
    turns out to be significantly below estimate
  • incompatibility of the system with the selected
    hardware and software
  • Three elements to project risk:
  • project size
  • experience with the technology
  • project structure

7
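Portfolio approach to information systems
F. Warren McFarlan, Harvard Business Review (Jan/Feb 1974)
Risk by project structure (high or low), company-relative technology (low or high) and project size:
  • Low company-relative technology, high structure:
    large - low risk; small - very low risk
  • Low company-relative technology, low structure:
    large - low risk (very susceptible to mismanagement);
    small - very low risk (very susceptible to mismanagement)
  • High company-relative technology, high structure:
    large - medium risk; small - medium-low risk
  • High company-relative technology, low structure:
    large - very high risk; small - high risk
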
8
Levels of Risk Management
Steve McConnell, Rapid Development (1996)
  • Crisis management: fire-fighting, address risks
    only after they have become problems
  • Fix on failure: detect and react to risks
    quickly, but only after they have occurred
  • Risk mitigation: plan ahead of time to provide
    resources to cover risks if they occur, but do
    nothing to eliminate them in the first place
  • Prevention: implement and execute a plan as part
    of the software projects to identify risks and
    prevent them from becoming problems
  • Elimination of root causes: identify and
    eliminate factors that make it possible for risks
    to exist at all

9
Risk Management
Quantitative Risk
  • Risk is the possibility of loss
  • Risk is a function of three things (Leveson,
    1991):
  • the likelihood of a hazard occurring (h)
  • the likelihood that the hazard will lead to an
    accident (a)
  • the worst possible potential loss associated with
    that accident (l)
  • r = P(h) × P(a) × l
  • Risk management seeks to reduce at least one of
    the three elements of risk
10
Risk Management
Qualitative Risk
  • since most risks cannot always be calculated
    accurately, but some way of categorising risks is
    useful, we need a pragmatic approach:

Risk category by potential value of loss (rows) and likelihood (columns):

                              Likelihood
  Potential value of loss     High    Medium    Low
  High                        A       B         C
  Medium                      B       C         D
  Low                         C       D         E

  • tackle the As first
  • then the Bs
  • don't worry too much about the Es

11
Risk Anticipation
  • common sense e.g. gut feel
  • past experience e.g. learn from our mistakes
  • historical data e.g. our memories are unreliable
  • tools and aids e.g. check lists, decision trees
  • independent assessors e.g. external view
  • analogues e.g. motor insurance
  • creative thinking i.e. crazy questions

12
Risk and Decision Making
  • To make appropriate choices, a manager needs to
    answer the following questions:
  • What could go wrong?
  • What are the likely causes and the possible
    impact?
  • What is the likelihood of it going wrong?
  • What could be done to prevent it going wrong?
  • How will I know if it has gone wrong?
  • What will I do (or be able to do) to recover, if
    it goes wrong?
  • Will alternative courses of action produce other
    risks? If so, are they more or less severe?

13
Risk Resolution
  • avoid the risk
  • transfer the risk from one part of the system to
    another
  • buy information about the risk
  • eliminate the root cause of the risk
  • assume the risk
  • publicise the risk
  • control the risk
  • remember the risk

14
Risk Management
A simple risk matrix
  • Step by Step Approach
  • compile a list of perceived risks
  • each risk is assigned a probability and impact
    score
  • typically a number between 1-10 (1 = low, 10 =
    high)
  • multiply to give a Risk Index
  • consider applying a date event horizon

Example entry (columns: Risk, Probability, Impact, RI, Management):
  Risk: Software supplied by third-party software company
    not compliant
  Probability: 9
  Impact: 7
  RI: 63
  Management: Begin immediate dialogue with supplier. Assurance
    obtained of work to be undertaken by
    the supplier. Obtain proof.

15
Risk Management
A simple risk matrix
  • Risk Index is in 4 categories:
  • > 75: Risk very high - urgent action required
  • > 50 and < 75: Risk high - action as soon as possible
  • > 25 and < 50: Risk may be acceptable - more analysis
    required
  • < 25: Low risk - no gains expected from extra work
  • review the Risk Matrix every month
  • revise probability and impact scores in light of
    new information
  • avoid analysis paralysis

16
Contingency Plan Basics
  • a business impact analysis to establish the key
    processes and parts of the organisation
  • a comprehensive risk analysis to establish the
    likelihood of problems affecting these processes
    (and the organisation)
  • the development of alternative, preventative
    measures to avoid or contain problems arising
    from the date change
  • the development of recovery strategies which
    define alternative ways of operating in the event
    of unavoidable risks
  • the development of tactical implementation plans,
    so that all individuals involved know exactly
    what their role is

17
Classic Quotes
  • 'If you don't ask for risk information, you are
    asking for trouble' Tom Gilb
  • 'While it is futile to try to eliminate risk, and
    questionable to try to minimise it, it is
    essential that the risks taken be the right
    risks'
  • 'It is not only the magnitude of the risk that we
    need to be able to appraise in entrepreneurial
    decisions. It is above all the character of the
    risk. Is it, for instance, the kind of risk we
    can afford to take, or the kind of risk we cannot
    afford to take? Or is it that rare but singularly
    important risk, the risk we cannot afford not to
    take - regardless of the odds' Peter Drucker
  • 'Successful organisations actively look for ways
    to trade small amounts of increased overhead for
    large amounts of risk reduction' Steve
    McConnell

18
Mitigation vs. Avoidance
  • When you are on a hike, there is a jungle in the
    middle of the way. Someone has told you there are
    snakes and lions in the jungle. To pass through
    this jungle:
  • MITIGATION: Equip yourself with protective gear
    to protect you from being injured. It may cost
    you more energy; this is a RESIDUAL risk.
  • AVOIDANCE: Take another, safe way outside the
    jungle. You may be hit by a car; this is a
    SECONDARY risk.