Risk Analysis in Information Technology Projects Tennessee Summit ‘09 October 20, 2009 Thomas Danford Chief Information Officer Tennessee Board of Regents
<ul><ul><li>PRESENTATION BACKGROUND </li></ul></ul><ul><ul><li>The examples in this presentation are based upon contract work to analyze two major IT projects to develop go forward options, baseline cost estimates, acquisition cost estimates, and risk analysis of the options being considered by the clients. </li></ul></ul>
Goals, Objectives, and Ground Rules <ul><li>Discussion of Current Budgetary Climate </li></ul><ul><li>Overview of Risk Analysis Techniques and Methodologies Used for major IT Projects </li></ul><ul><li>The Role of Risk Analysis in Risk Management and Resource Allocation Decisions </li></ul><ul><li>No Math/Accounting Lessons or Review! </li></ul><ul><li>Examples are for Illustrative Purposes Only! </li></ul><ul><li>Focus on Implementation of New Projects </li></ul>
Why Project Risk Analysis? <ul><li>Improved information to support decisions regarding project direction, scheduling, and budget </li></ul><ul><li>Identify proactive actions that will improve technical solutions, scheduling, and ROI </li></ul><ul><li>Develop contingencies for known causes of poor project performance </li></ul><ul><li>Identify project metrics for project monitoring and status reporting </li></ul><ul><li>Demonstrate due diligence for audit and compliance requirements </li></ul>
Risk Analysis vs. Risk Management (Risk analysis is broadly defined to include risk assessment, risk categorization, risk communication, risk management, and policy relating to risk. In evaluating large scale IT projects they are typically done independently) What is Risk Analysis? Risk analysis is the systematic study of uncertainties and risks that could be encountered in business, engineering, public policy, and IT (as well as many other areas). What Is Risk Management? Active process of assessing, communicating and managing the risks facing an organization to ensure that an organization meets its objectives.
Roles in Risk Analysis/Management (In evaluating large scale IT projects risk analysis is typically part of the project evaluation process) Risk Analysts – identify risks faced, determine how and when they arise, and estimate the severity of impact of adverse outcomes. Risk Managers – Mitigate or hedge identified risks.
Primary Methodologies for Risk Analysis <ul><li>Quantitative & Qualitative Risk Analysis </li></ul><ul><li>Risk Simulation Models </li></ul><ul><li>Monte Carlo Analysis </li></ul>
Methodologies not easily adapted to IT Project Risk Analysis Risk Simulation Models – Useful in situations with "flows" of materials or parts, people, etc. with complex interrelationship through a system with multiple steps (logistics, manufacturing, budgeting) Monte Carlo Analysis – Useful for modeling where there is such significant uncertainty in many inputs that randomizing variables is viable for analysis (economics, oil production, sales)
Qualitative & Quantitative Risk Analysis Qualitative Risk Analysis – Used to identify potential risks, as well as assets and resources which are vulnerable to these risks. Includes both internally and externally driven risk elements Quantitative Risk Analysis – Provides arithmetic assessment of the probability and impact of the identified risks. Quantitative risk analysis is also used to create overall risk scores for the risk elements and project alternatives.
Qualitative Risk Elements Financial Risks Cost of Ownership Project Scope Cost Benefit Complexity Provisioning Change Management Technology Risks Contracts Governance Communication Environment Management Risks Strategic Risks Competition Requirements Industry Changes Customer Demand Life Cycle Integration State Appropriations Products & Services Recruitment Re-skilling Politics Technology Advances Maintenance & Upgrades Many risk elements have both external and internal drivers. Hence, those elements overlap.
Quantifying Risk Impact on Project Likelihood Low Medium High (10) (50) (100) High (1.0) Low Medium High 10 X 1.0 = 10 50 X 1.0 = 50 100 X 1.0 = 100 Medium (0.5) Low Medium Medium 10 X 0.5 = 5 50 X 0.5 = 25 100 X 0.5 = 50 Low (0.1) Low Low Low 10 X 0.1 = 1 50 X 0.1 = 5 100 X 0.1 = 10
Risk Analysis Explicitly Addresses: Heuristics – Tendency of people to use "rules of thumb", intuition, educated guesses or even common sense, which doesn't serve very well in complex IT, business, and policy decisions. Cognitive Bias – Tendency to over-weight the most recent adverse event and projecting current good or bad outcomes too far into the future. Optimism Bias – The demonstrated systematic tendency for people to be overly optimistic about the outcome of planned actions. Fear, Uncertainty, and Doubt (FUD) – Strategy to influence decision making by disseminating negative (dis)information designed to undermine the credibility of a project.
Determining Risk Tips for a Better Analysis <ul><li>Don’t start with any predetermined conclusions </li></ul><ul><li>Cross-functional team involvement is essential </li></ul><ul><li>Heuristics as well as cognitive, optimism, and pessimism (FUD) bias must be addressed </li></ul><ul><li>Deal appropriately with risk and uncertainty </li></ul>
Tangible Benefits of Proactive Risk Analysis <ul><li>Schedule : Improves planning & upstream activities. </li></ul><ul><li>Costs : Proactive identification of potential cost drivers. </li></ul><ul><li>Quality : Meeting all scope and feature objectives of the project. </li></ul>
Summary & a Few Caveats <ul><li>Business case requires risk analysis </li></ul><ul><li>Judgment – art as well as science </li></ul><ul><li>Heuristics, cognitive, optimism, and pessimism (FUD) bias must be controlled </li></ul><ul><li>Strategic Misrepresentation </li></ul><ul><li>Quantitative issues accompany risk (magnitude) </li></ul><ul><li>Cost and risk should be evaluated together </li></ul>
Additional Resources <ul><li>The Society for Risk Analysis (SRA) http://www.sra.org/ </li></ul><ul><li>Risk Management Association http://www.rmahq.org/RMA/ </li></ul><ul><li>Thanks for joining me today!! </li></ul>