Managing Risk And Opportunity In IT Projects

3,429 views

Published on

Presentation made by Robert Venczel at the PMI OVOC 10th Annual Project Management
Symposium (12-14 October 2010, Ottawa, Ontario, Canada)

More info at http://www.pmiovoc.org/files/Events/Symposium.html

Published in: Business, Economy & Finance
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,429
On SlideShare
0
From Embeds
0
Number of Embeds
12
Actions
Shares
0
Downloads
127
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Managing Risk And Opportunity In IT Projects

  1. 1. PMI OVOC 10th Annual Project Management Symposium October 12 – 14, 2010 Unleashing the Power of Project Management Template V3 Managing Risk and Opportunity in IT Projects Robert Venczel
  2. 2. 3 Key Learning Points 1. Describe the risk management process – Definitions, utility theory, steps, responsibilities, etc. – Corporate strategy relationship 2. Explain the RiskIT Model – IT goals, associated metrics, and IT-related risks – IT project risk management – Risk scenarios and implementation of controls 3. Application of IT risk management – Case study 2Presented at PMI OVOC Project Management Symposium 2010
  3. 3. Your Presenter • Robert Venczel, MBA, CMA, CISA, PMP, CIA • Bivium Executive Consulting Ltd. • Over 18 years of management consulting experience in both public and private sectors in the areas of: – Project and programme risk management – IT project management and governance – IT audit – Business strategy 3Presented at PMI OVOC Project Management Symposium 2010
  4. 4. Agenda • Risk Management Process – A Quick Review • Project Risk Management • IT Risks vs. Overall Risk Universe • IT Project Risk Management Continuum • Case Study – SuperSoftware Inc. 4Presented at PMI OVOC Project Management Symposium 2010
  5. 5. What is Risk? • Risk is defined as this uncertainty of outcome, whether positive opportunity or negative threat, of actions and events.* *Orange Book (UK) Definition 5Presented at PMI OVOC Project Management Symposium 2010
  6. 6. RM Process • Risk Identification • Risk Assessment • Risk Mitigation and Monitoring • Risk Reporting 6Presented at PMI OVOC Project Management Symposium 2010
  7. 7. The Riskit Risk Management Cycle 7Presented at PMI OVOC Project Management Symposium 2010 Source: Kontio, J , Getto, G. and Landes. D. (1998),Experiences in improving risk management processes using the concepts of Riskit method, SIGSOFT’98 sixth International Symposium on the Foundations of Software Engineering.
  8. 8. Risk Identification • Types of risk: – Organization-wide vs. programme/project – External vs. internal – Inherent vs. residual • Risk identification: – Using common methodology – From top down and from bottom up • Part of short- and long-term business planning process • Continuous not a one-time exercise 8Presented at PMI OVOC Project Management Symposium 2010
  9. 9. Risk Assessment • Utility theory • Likelihood and impact • Need to develop a simple scoring/weighting methodology that can be applied on a consistent basis across the organization. 9Presented at PMI OVOC Project Management Symposium 2010
  10. 10. Impact vs. Likelihood 10Presented at PMI OVOC Project Management Symposium 2010
  11. 11. Addressing Risks / Risk Tolerance  Tolerate  Treat  Transfer  Terminate  Risk tolerance vs. risk appetite 11Presented at PMI OVOC Project Management Symposium 2010
  12. 12. Risk Management/Risk Mitigation • Identification of mitigating actions and controls • Ensuring that mitigating actions and controls are implemented (risk owners) • Monitoring and reporting on the effectiveness of mitigating actions and controls • Reporting and escalating problems up the management chain 12Presented at PMI OVOC Project Management Symposium 2010
  13. 13. Risk Mitigation Plan • Choosing the most appropriate “treatment” or combination of treatment options • Costs and efforts vs. benefits • Risk treatment itself can introduce risks 13Presented at PMI OVOC Project Management Symposium 2010
  14. 14. Risk Monitoring and Reporting • Review periodically: – If the status of risks has changed or new risks emerged – The effectiveness of the mitigation strategies against indicators – The validity of the initial assumptions – The existence of appropriate contingency plans • Reporting: – Status, performance and results – Trends and patterns 14Presented at PMI OVOC Project Management Symposium 2010
  15. 15. RM Responsibilities for Risk Owners vs. Risk Managers – Risk Owners: • Deemed ultimately accountable for the effective management of specific risk categories • Do not necessarily own or control all aspects of the risk • Depend on others to help mitigate the risks • Risk Managers: • Responsibility for the risk management process • Have the authority to manage risks 15Presented at PMI OVOC Project Management Symposium 2010
  16. 16. PMBOK® - Project Risk Management Project Risk Management Processes • Plan Risk Management • Identify Risks • Perform Qualitative Risk Analysis • Perform Quantitative Risk Analysis • Plan Risk Responses • Monitor and Control Risks 16Presented at PMI OVOC Project Management Symposium 2010 Source: PMI’s PMBOK Guide, Fourth Edition (2008)
  17. 17. Opportunity vs. Risk • On the positive side… new business initiatives successfully enabled by IT • On the negative side… IT projects misaligned with the strategic objectives; waste of resources due to failed projects; etc. 17Presented at PMI OVOC Project Management Symposium 2010
  18. 18. Defining IT Goals and Enterprise Architecture for IT 18Presented at PMI OVOC Project Management Symposium 2010 Source: ISACA’s COBIT® 4.1 Framework for IT Governance and Control (2007)
  19. 19. IT Risk vs. Overall Risk Universe 19Presented at PMI OVOC Project Management Symposium 2010 Source: ISACA’s The Risk IT Framework (2009)
  20. 20. IT Project Risk Management Continuum 20Presented at PMI OVOC Project Management Symposium 2010 Needs and Requirements Specifications Contractor/Team Selection Design and Development Systems Integration Conceptual Design Demonstration/ Validation Engineering, Manufacturing, Development, and Production Maintenance and Major Upgrade
  21. 21. System Complexity vs. Risk 21Presented at PMI OVOC Project Management Symposium 2010 Risk(technical;cost;schedule) Complexity (technology; team; expertise; etc.)
  22. 22. IT Risk Management Supports Success By enabling IT project management to: • Deal effectively with potential future events that create uncertainty. • Respond in a manner that reduces the likelihood that objectives will not be achieved and increases the likelihood of success. 22Presented at PMI OVOC Project Management Symposium 2010
  23. 23. Practicing Risk Management • Integrate IT project risk management with business planning and priority setting • Promote use of the common language, framework, and process • Use common tools, techniques and models for risk mapping and monitoring • Use of risk management concepts in decision making and reporting • Consult and communicate with internal and external stakeholders throughout the process • Monitor, evaluate, and adjust systems, processes, and practices 23Presented at PMI OVOC Project Management Symposium 2010
  24. 24. IT Project Risk Scenario Example 24Presented at PMI OVOC Project Management Symposium 2010 Beta Test Successful Users not ready to use the new software Cost: $15K+ Unsuccessful Project terminated because of changed business priorities Cost: $100K+ Project delayed Time: 1 month Cost: $20K+ Software development project
  25. 25. Case Study – SuperSoftware Inc. • Software development project • Stakeholders • Team • Risks • Evaluation of risks (quantitative vs. qualitative) • Mitigation, monitoring and reporting • Lessons learned 25Presented at PMI OVOC Project Management Symposium 2010
  26. 26. Conclusions • Get senior management’s buy in and support for a risk-aware culture. • Use risk management people who understand the business and information technology, and are also good communicators. • Successful IT risk management is all about connection and alignment with business strategy. 26Presented at PMI OVOC Project Management Symposium 2010
  27. 27. Additional Resources • Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management – Integrated Framework • Risk management: Principles and guidelines - International Standard, ISO 31000: 2009 • Australian/New Zealand Standard for risk management - AS/NZS 4360:2004 • Risk management policies, directives and standards developed by the Treasury Board Secretariat (TBS’s) to guide good management across the Canadian Federal Government: – Integrated Risk Management Framework (IRMF) – Integrated Risk Management Implementation Guide – Policy on Active Monitoring – Risk Management Policy – Draft Core Management Controls – Management Accountability Framework (MAF) criteria. • PMI’s PMBOK Guide, Fourth Edition (2008) • ISACA’s COBIT® 4.1 Framework for IT Governance and Control (2007) • ISACA’s The Risk IT Framework (2009) • ISACA’s The Risk IT Practitioner Guide (2009) 27Presented at PMI OVOC Project Management Symposium 2010
  28. 28. For more information… • Thank you for your participation today! • For more information on the contents of this presentation, please feel free to contact me as follows: – Robert Venczel, MBA, CMA, CISA, PMP, CIA – Bivium Executive Consulting Ltd. • “Achieving Excellence Through Change” – rvenczel@biviumconsulting.ca – 613-843-7629 28Presented at PMI OVOC Project Management Symposium 2010
  29. 29. Copyright Notice • The contents of this presentation are Copyright © 2010 by the presenter and PMI OVOC. • Permission is granted for participants to print the presentation handouts for use during the conference and later personal reference. • PMI OVOC reserves the right to store this content for archival purposes as a record of conference proceedings and to publish this content electronically for the purpose of disseminating conference proceedings to conference participants. • All other use, storage, retrieval, distribution, or reproduction must be authorized in advance, in writing. 29Presented at PMI OVOC Project Management Symposium 2010
  30. 30. Supplementary Slides 30
  31. 31. Guiding Principles 31Presented at PMI OVOC Project Management Symposium 2010 Source: ISACA’s The Risk IT Framework (2009)
  32. 32. Sample IT Risk Heat Map 32Presented at PMI OVOC Project Management Symposium 2010 Poor communication Budget overrun Scope creep Inadequate functional requirements Lack of support from the top 1.00 1.20 1.40 1.60 1.80 2.00 2.20 2.40 2.60 2.80 3.00 1.00 1.20 1.40 1.60 1.80 2.00 2.20 2.40 2.60 2.80 3.00 Impact Likelihood IT Risks

×