Presentation made by Robert Venczel at the PMI OVOC 10th Annual Project Management
Symposium (12-14 October 2010, Ottawa, Ontario, Canada)
More info at http://www.pmiovoc.org/files/Events/Symposium.html
1. PMI OVOC 10th Annual
Project Management Symposium
October 12 – 14, 2010
Unleashing the Power of
Project Management
Template V3
Managing Risk and Opportunity
in IT Projects
Robert Venczel
2. 3 Key Learning Points
1. Describe the risk management process
– Definitions, utility theory, steps, responsibilities, etc.
– Corporate strategy relationship
2. Explain the RiskIT Model
– IT goals, associated metrics, and IT-related risks
– IT project risk management
– Risk scenarios and implementation of controls
3. Application of IT risk management
– Case study
2Presented at PMI OVOC Project Management Symposium 2010
3. Your Presenter
• Robert Venczel, MBA, CMA, CISA, PMP, CIA
• Bivium Executive Consulting Ltd.
• Over 18 years of management consulting experience
in both public and private sectors in the areas of:
– Project and programme risk management
– IT project management and governance
– IT audit
– Business strategy
3Presented at PMI OVOC Project Management Symposium 2010
4. Agenda
• Risk Management Process – A Quick Review
• Project Risk Management
• IT Risks vs. Overall Risk Universe
• IT Project Risk Management Continuum
• Case Study – SuperSoftware Inc.
4Presented at PMI OVOC Project Management Symposium 2010
5. What is Risk?
• Risk is defined as this uncertainty of outcome,
whether positive opportunity or negative threat, of
actions and events.*
*Orange Book (UK) Definition
5Presented at PMI OVOC Project Management Symposium 2010
6. RM Process
• Risk Identification
• Risk Assessment
• Risk Mitigation and Monitoring
• Risk Reporting
6Presented at PMI OVOC Project Management Symposium 2010
7. The Riskit Risk Management Cycle
7Presented at PMI OVOC Project Management Symposium 2010
Source: Kontio, J , Getto, G. and Landes. D. (1998),Experiences in improving risk management processes using the concepts of Riskit
method, SIGSOFT’98 sixth International Symposium on the Foundations of Software Engineering.
8. Risk Identification
• Types of risk:
– Organization-wide vs. programme/project
– External vs. internal
– Inherent vs. residual
• Risk identification:
– Using common methodology
– From top down and from bottom up
• Part of short- and long-term business planning
process
• Continuous not a one-time exercise
8Presented at PMI OVOC Project Management Symposium 2010
9. Risk Assessment
• Utility theory
• Likelihood and impact
• Need to develop a simple scoring/weighting
methodology that can be applied on a consistent
basis across the organization.
9Presented at PMI OVOC Project Management Symposium 2010
11. Addressing Risks / Risk Tolerance
Tolerate
Treat
Transfer
Terminate
Risk tolerance vs. risk appetite
11Presented at PMI OVOC Project Management Symposium 2010
12. Risk Management/Risk Mitigation
• Identification of mitigating actions and controls
• Ensuring that mitigating actions and controls are
implemented (risk owners)
• Monitoring and reporting on the effectiveness of
mitigating actions and controls
• Reporting and escalating problems up the
management chain
12Presented at PMI OVOC Project Management Symposium 2010
13. Risk Mitigation Plan
• Choosing the most appropriate “treatment” or
combination of treatment options
• Costs and efforts vs. benefits
• Risk treatment itself can introduce risks
13Presented at PMI OVOC Project Management Symposium 2010
14. Risk Monitoring and Reporting
• Review periodically:
– If the status of risks has changed or new risks emerged
– The effectiveness of the mitigation strategies against
indicators
– The validity of the initial assumptions
– The existence of appropriate contingency plans
• Reporting:
– Status, performance and results
– Trends and patterns
14Presented at PMI OVOC Project Management Symposium 2010
15. RM Responsibilities for Risk Owners vs.
Risk Managers
– Risk Owners:
• Deemed ultimately accountable for the effective management of specific risk
categories
• Do not necessarily own or control all aspects of the risk
• Depend on others to help mitigate the risks
• Risk Managers:
• Responsibility for the risk management process
• Have the authority to manage risks
15Presented at PMI OVOC Project Management Symposium 2010
17. Opportunity vs. Risk
• On the positive side… new business initiatives
successfully enabled by IT
• On the negative side… IT projects misaligned
with the strategic objectives; waste of
resources due to failed projects; etc.
17Presented at PMI OVOC Project Management Symposium 2010
18. Defining IT Goals and Enterprise
Architecture for IT
18Presented at PMI OVOC Project Management Symposium 2010
Source: ISACA’s COBIT® 4.1 Framework for IT Governance and Control (2007)
19. IT Risk vs. Overall Risk Universe
19Presented at PMI OVOC Project Management Symposium 2010
Source: ISACA’s The Risk IT Framework (2009)
20. IT Project Risk Management Continuum
20Presented at PMI OVOC Project Management Symposium 2010
Needs and
Requirements
Specifications
Contractor/Team
Selection
Design and
Development
Systems
Integration
Conceptual
Design
Demonstration/
Validation
Engineering,
Manufacturing,
Development,
and Production
Maintenance
and Major
Upgrade
21. System Complexity vs. Risk
21Presented at PMI OVOC Project Management Symposium 2010
Risk(technical;cost;schedule)
Complexity (technology; team; expertise; etc.)
22. IT Risk Management Supports Success
By enabling IT project management to:
• Deal effectively with potential future events that
create uncertainty.
• Respond in a manner that reduces the likelihood that
objectives will not be achieved and increases the
likelihood of success.
22Presented at PMI OVOC Project Management Symposium 2010
23. Practicing Risk Management
• Integrate IT project risk management with business planning
and priority setting
• Promote use of the common language, framework, and
process
• Use common tools, techniques and models for risk mapping
and monitoring
• Use of risk management concepts in decision making and
reporting
• Consult and communicate with internal and external
stakeholders throughout the process
• Monitor, evaluate, and adjust systems, processes, and
practices
23Presented at PMI OVOC Project Management Symposium 2010
24. IT Project Risk Scenario Example
24Presented at PMI OVOC Project Management Symposium 2010
Beta Test
Successful
Users not ready to
use the new
software
Cost: $15K+
Unsuccessful
Project terminated
because of changed
business priorities
Cost: $100K+
Project delayed
Time: 1 month
Cost: $20K+
Software development project
25. Case Study – SuperSoftware Inc.
• Software development project
• Stakeholders
• Team
• Risks
• Evaluation of risks (quantitative vs. qualitative)
• Mitigation, monitoring and reporting
• Lessons learned
25Presented at PMI OVOC Project Management Symposium 2010
26. Conclusions
• Get senior management’s buy in and support for a
risk-aware culture.
• Use risk management people who understand the
business and information technology, and are also
good communicators.
• Successful IT risk management is all about
connection and alignment with business strategy.
26Presented at PMI OVOC Project Management Symposium 2010
27. Additional Resources
• Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk
Management – Integrated Framework
• Risk management: Principles and guidelines - International Standard, ISO 31000: 2009
• Australian/New Zealand Standard for risk management - AS/NZS 4360:2004
• Risk management policies, directives and standards developed by the Treasury Board
Secretariat (TBS’s) to guide good management across the Canadian Federal Government:
– Integrated Risk Management Framework (IRMF)
– Integrated Risk Management Implementation Guide
– Policy on Active Monitoring
– Risk Management Policy
– Draft Core Management Controls
– Management Accountability Framework (MAF) criteria.
• PMI’s PMBOK Guide, Fourth Edition (2008)
• ISACA’s COBIT® 4.1 Framework for IT Governance and Control (2007)
• ISACA’s The Risk IT Framework (2009)
• ISACA’s The Risk IT Practitioner Guide (2009)
27Presented at PMI OVOC Project Management Symposium 2010
28. For more information…
• Thank you for your participation today!
• For more information on the contents of this
presentation, please feel free to contact me as
follows:
– Robert Venczel, MBA, CMA, CISA, PMP, CIA
– Bivium Executive Consulting Ltd.
• “Achieving Excellence Through Change”
– rvenczel@biviumconsulting.ca
– 613-843-7629
28Presented at PMI OVOC Project Management Symposium 2010