- Number of slides: 48
SW Project Management
Managing Project Risk
INFO 420
Dr. Jennifer Booker
INFO 420 Chapter 8

Risk avoided
- American culture avoids facing risk
- This leads to many problems in project management
  - We want to stick our heads in the sand
- Somehow that doesn’t make risks go away
- We need to manage risks proactively

Risk Management
- “If you don’t actively attack risks, they will attack you” - Tom Gilb
- Risk management is still looked upon as bad news - and messengers are still shot

What is risk?
- A risk is something that might go wrong, which could affect the project outcome
- The key word is might
  - If the probability is zero, it isn’t a risk at all
  - If the probability is one, it’s certain to occur, and can be treated as a project constraint
  - So any risk has 0% < p < 100%

Risk management problems
- Typical problems in risk management are
  - Not valuing risk management (RM)
    - Some insist there is no benefit to doing RM
  - Not allowing time for RM
    - RM takes time and effort, get over it!
  - Not identifying and assessing risks consistently
    - Which can waste time and miss opportunities

Risk lessons learned
- So a few lessons learned include
  - Get commitment by all stakeholders, both to do RM, and agree on significant risks
  - Identify an owner for each risk, so someone is actively managing it
  - Look for typical risks for your type of project; patterns vary

RM elements
- The main elements in risk management are
  - Risk management planning
  - Risk identification
  - Qualitative and Quantitative risk analysis
  - Risk response planning
  - Risk monitoring and control

Risk Management Planning
- Similar to security analysis:
  - Identify threats
  - Prevent threats
  - Detect threats (not trivial with information systems!)
  - Mitigate (reduce) the effects of the threats

Risk planning
- The PMBOK defines risk as
  - “An uncertain event or condition that, if it occurs, has a positive or negative effect on the project objectives”
- So a risk can be a good thing
  - We tend to think of the bad ones

Project reserves
- A financial reserve is kept for most projects, in part for risk management
- Helps protect against
  - Flawed estimates
  - Minor anomalies (unexpected events)
  - Permanent variances (unexpected skill levels)
  - Minor variances (estimates slightly off)

Project risk management steps
- Risk planning
  - Get commitment from stakeholders
  - Allocate resources
  - Develop and approve RM plan
- Risk identification
  - Develop a list of risks, their causes and effects

Project risk management steps
- Risk assessment
  - Analyze the risks for probability and impact
- Risk strategies
  - Document how to respond to each risk if it occurs (risk response or mitigation plan)
- Risk monitoring and control
  - During project, look for known risks to occur, and identify new risks

Project risk management steps
- Risk response
  - Respond to risks that have occurred
- Risk evaluation
  - Find lessons learned, and how to improve future projects’ RM

Identifying IT project risks
- The scope and context of risks can be a little intimidating at first, so we break the big problem into little ones
  - Ultimately, any risk might affect the project’s MOV
  - Which could result from changes in scope, quality, schedule, or budget

Identifying IT project risks
  - These could result from people, legal, process, environment, technology, organization, product, or other issues
  - These could be internal to your organization, or external
  - Risks could be known risks, known-unknown risks (risk is known, extent is unknown), or completely unknown risks (unimaginable)

Identifying IT project risks
  - And finally, risks could affect any part of the project life cycle:
    - Conceptualize and initialize the project
    - Develop project charter and plan
    - Execute and control the project
    - Close project
    - Evaluate project success

All clear?
- That only gives:
  - 1 x 4 x 7 x 2 x 3 x 5 = 840 ways to classify a risk!
- Realistically, we only focus on the issues most likely to affect our project
- Our goal is to identify all the significant risks, not every conceivable risk!

Risk tools
- Learning cycles
  - For each suspected risk area, identify facts known about it, assumptions being made, and what needs to be researched in that area
  - Test assumptions, and conduct research to identify specific risks
- Brainstorming

Nominal Group Technique (NGT)
  - Have everyone write down ideas on paper
  - Write on flip chart, one idea from each person, until all are recorded
  - Discuss and clarify the ideas
  - Each person ranks and prioritizes the ideas
  - Group discusses ranking and priorities
  - Redo personal ranking and prioritization
  - Summarize for the group

Risk tools
- Delphi technique – same as used for estimation, but use for identifying risks and their probability and impact
- Interviewing
- Checklists, typically from past projects or industry common risks

Risk tools
- SWOT analysis – look at organization and project’s strengths, weaknesses, opportunities and threats
- Past projects – the ideal solution for all project management problems!
  - Use lessons learned from previous projects

Risk tools
- Cause and effect diagram, or fishbone diagram
  - Start with a major type of risk
  - Identify 4-6 categories of causes of that risk
  - Brainstorm about ‘what could cause’ that risk to occur, based on the categories
  - Fill in details until you’re bored
  - Then eliminate known minimal risk areas or causes

Risk analysis and assessment
- Risk analysis estimates the probability and impact of each risk
- Risk assessment prioritizes risks to help define your risk strategy
  - Which risks are significant enough to prevent actively?
  - Which will require effort if they occur?

Qualitative vs quantitative
- Both kinds of assessment can be done
  - Use the former most of the time
  - Use the latter for key risks in a steady environment
- Caveat: the text is misleading about qualitative vs quantitative assessment
  - What they call qualitative is really quantitative
  - What they call quantitative is statistical process control (SPC)

Expected value
- Think of ‘deal or no deal’
  - If we have several possible outcomes, can calculate for each the probability and resulting payoff (or cost)
  - Multiply probability and payoff to get the impact of each outcome
  - Add impact outcomes to determine the overall expected value of all possible results

Decision Tree
- This is a graphic form of a payoff table
  - Nodes represent choices (and their costs) or probabilities
  - Map out possible choices, and what their impact outcomes are
  - Pick the highest impact outcome

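The expected-value and decision-tree slides above, worked as an added example (not part of the original slides): a recursive evaluator with choice nodes that carry a cost and chance nodes that carry probabilities. The risk, the three response options and every number are constructed sample values; payoffs are negative because they are costs, so the "highest" outcome is the least expected loss.

```python
# Added example: expected value over a decision tree (constructed sample data).

def evaluate(node):
    """Return (expected_value, choices_taken) for a decision-tree node."""
    kind = node["kind"]
    if kind == "outcome":                     # leaf: fixed payoff (negative = cost)
        return node["payoff"], []
    if kind == "chance":                      # probability node: sum of p * value
        total_p = sum(p for p, _ in node["branches"])
        if abs(total_p - 1.0) > 1e-9:
            raise ValueError(f"probabilities sum to {total_p}, expected 1")
        return sum(p * evaluate(child)[0] for p, child in node["branches"]), []
    if kind == "choice":                      # decision node: keep the best option
        best = None
        for option in node["options"]:
            ev, path = evaluate(option["then"])
            ev -= option["cost"]              # pay for the choice itself
            if best is None or ev > best[0]:
                best = (ev, [option["label"]] + path)
        return best
    raise ValueError(f"unknown node kind: {kind!r}")

def leaf(payoff):
    return {"kind": "outcome", "payoff": payoff}

def chance(*branches):
    return {"kind": "chance", "branches": list(branches)}

# Hypothetical risk: a key component fails during rollout (30% likely).
TREE = {"kind": "choice", "options": [
    {"label": "accept",   "cost": 0,
     "then": chance((0.3, leaf(-100_000)), (0.7, leaf(0)))},
    {"label": "mitigate", "cost": 10_000,
     "then": chance((0.3, leaf(-40_000)), (0.7, leaf(0)))},
    {"label": "transfer", "cost": 25_000, "then": leaf(0)},
]}

if __name__ == "__main__":
    ev, path = evaluate(TREE)
    print(f"best response: {path}, expected value: {ev:,.0f}")
```
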
Risk Impact Table
- Great for analysis and prioritization of risks
  - Define each risk, its probability, and impact
    - Impact could be in $ or effort to resolve the risk
  - Multiply the latter to get the impact outcomes (P-I score)
  - Sort risks by descending P-I score: instant prioritization! (risk rankings)

Risk Impact Table
- You could* categorize risks by their general impact and probability
  - Kittens – low probability and impact
  - Puppies – high prob, low impact
  - Alligators – low prob, high impact
  - Tigers – high prob and impact, was good at golf
* I wouldn’t, but you could…

“Quantitative” approaches
- Those approaches will cover most situations and needs
- These approaches might apply if you have more extensive data on specific risks
- All are based on various types of probability distributions

Discrete probability distribution
- When you’re measuring discrete events (it happens, or not) then a family of discrete probability distributions comes into play
  - In these cases, calculate the probability of each individual event happening (x=0, x=1, etc.), and add them up
  - A subset of these are binomial distributions, where events either happen, or not (like a coin flip, or someone dies)

Continuous probability distribution
- Often of interest is when a measurement can have real values (not just integers)
- This results in a continuous probability distribution
  - There are dozens of them: Gaussian, Poisson, Chi-square, F, Student T, etc.

Normal distribution
- A normal (Gaussian) distribution is a bell curve
  - It has a mean value m and a standard deviation s
  - The probability of an event occurring is the area under the curve
- If we know a risk follows a normal distribution, we can predict how likely it is to occur within a given range (e.g. of time)

PERT distribution
- This goes with the PERT estimation technique
  - The mean is (low + 4*likely + high)/6
  - Std deviation is (high – low)/6
- The PERT distribution is lopsided, since we know zero can’t occur

Triangular distribution
- This is similar to a simplified PERT distribution
  - The mean is (low + likely + high)/3
  - Std dev = { [ (high - low)^2 + (likely - low)*(likely - high) ] / 18 }^(1/2)

Simulations
- In studying the behavior of projects, we could try to determine how they are affected by changes in inputs (assumptions, task durations, etc.)
- The output of interest might be the project’s cost, schedule, customer satisfaction, etc.

Monte Carlo simulations
- If we automate this kind of analysis, one approach is using a Monte Carlo simulation
  - (Monte Carlo is the Las Vegas of Europe)
- In a MC simulation, we define the probability distribution of the inputs we’ve defined

Monte Carlo simulations
- Then the project results are simulated to see how they turn out
  - This produces a histogram of outputs, with the mean duration, and can find the probability of finishing within a range of times
- Tools exist (e.g. @Risk) to automate this kind of analysis

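A Monte Carlo schedule simulation as described on the slides above, added here as an example (not from the original deck): each task duration is drawn from a triangular distribution, and the simulated totals are compared with the analytic mean and standard deviation from the triangular-distribution slide. The three tasks, their estimates in days, and the assumption that they run in sequence and independently are all constructed.

```python
import math
import random
from collections import Counter

# Constructed sample tasks, run in sequence: (name, low, likely, high) in days.
TASKS = [("design", 5, 8, 15), ("build", 10, 14, 30), ("test", 4, 6, 12)]

def triangular_mean_sd(low, likely, high):
    """Mean and standard deviation from the triangular-distribution formulas."""
    mean = (low + likely + high) / 3
    var = ((high - low) ** 2 + (likely - low) * (likely - high)) / 18
    return mean, math.sqrt(var)

def analytic_total(tasks):
    """Independent tasks in sequence: means add, variances add."""
    stats = [triangular_mean_sd(lo, mode, hi) for _, lo, mode, hi in tasks]
    return sum(m for m, _ in stats), math.sqrt(sum(s * s for _, s in stats))

def simulate(tasks, runs=20000, seed=420):
    """Draw every task duration from its triangular distribution, `runs` times."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    return [sum(rng.triangular(lo, hi, mode) for _, lo, mode, hi in tasks)
            for _ in range(runs)]

def summarize(totals, deadline):
    """Sample mean, sample std dev, and P(total duration <= deadline)."""
    n = len(totals)
    mean = sum(totals) / n
    sd = math.sqrt(sum((t - mean) ** 2 for t in totals) / (n - 1))
    return mean, sd, sum(t <= deadline for t in totals) / n

def histogram(totals, width=2):
    """Bucket totals into `width`-day bins, keyed by each bin's lower edge."""
    return dict(sorted(Counter(int(t // width) * width for t in totals).items()))

if __name__ == "__main__":
    totals = simulate(TASKS)
    print("analytic mean/sd:", analytic_total(TASKS))
    for deadline in (28, 35, 40):   # 28 = sum of the 'likely' estimates
        print(deadline, summarize(totals, deadline))
    for edge, count in histogram(totals).items():
        print(f"{edge:3d} {'#' * (count // 100)}")
```

The deadline of 28 days is the sum of the "likely" estimates; the simulation shows how rarely that schedule is actually met when the estimates are skewed toward overruns.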
Tornado graph
- This type of analysis can also produce a tornado graph, which is a bar chart emphasizing the highest risk tasks
  - This is like a Pareto diagram
  - Here the ‘highest risk’ also implies ‘has the highest probability of affecting the project schedule’

Risk strategies
- Ok, so we have defined risks, and analyzed them to find the biggest threats
- Now we answer a big question: so what?
  - If these risks occur, what, if anything, will we do about it?
  - That’s our risk strategy, which is different for each risk

Risk strategies
- How we select a strategy depends on
  - Is the risk a threat or opportunity?
  - How and when will the project be affected?
  - How do we know if the risk is occurring (triggers or risk detection)?
  - What impact does the risk have on MOV?

Risk strategies
  - How many resources do we have to deal with this risk?
    - Remember the balance among scope, schedule, budget, and quality
  - Can we modify a contract or assign resources or otherwise mitigate a risk?
  - How tolerant are the stakeholders of this risk?

Risk strategy choices
- In response to a risk, we can
  - Accept or ignore the risk, if the impact is minimal, or we can’t do anything about it
    - Use financial reserves to deal with it
    - Have a contingency plan in place
  - Avoid the risk (prevention)
    - Change the project to reduce the chance of the risk occurring

Risk strategy choices
  - Mitigate the risk – lessen the impact of the risk after it has occurred
  - Transfer the risk – give the problem to someone else!
    - Buy insurance, subcontract something out, etc.

Risk response plan
- Once key risks have been identified, and your strategies selected, put all this in a risk response plan
- For each risk, identify
  - What trigger tells you the risk has occurred
  - The owner of the risk (person, not group)
  - The risk response strategy

Risk monitoring and control
- Now your job is to monitor the risk triggers to see which ones go off
  - And then follow up with appropriate responses
  - Tools exist, such as Risk Radar to help do this
- Can also conduct risk audits, reviews, or status meetings

Risk response
- When a risk is triggered, your response plan is put into action
  - May include following your mitigation strategy
  - Could include assigning resources to deal with the risk

Risk evaluation
- The process of risk management can be improved like any other through keeping lessons learned
  - What risks did you identify?
  - Which ones occurred?
  - How severe was their impact?
  - Did your risk strategy work or not? Why?

Summary
- Manage risks, or they will manage you
- Identify plausible risks
  - Quantify their probability and impact
- Identify significant risks
  - Develop strategies for dealing with them
- Keep an eye out for risks which occur, and follow your strategies for dealing with them


