Project risk management involves identifying, analyzing, and responding to risks throughout a project's lifecycle to help meet project objectives. It is important for improving project success. Some common sources of risk for IT projects include scope changes, inaccurate estimates, lack of resources, and technology risks. Risk management techniques include risk identification, quantification methods like expected monetary value analysis and simulation, developing risk response plans, and tracking risks over the project.
9. Managing project risk
Project risk management is the art and
science of identifying, assigning, and
responding to risk throughout the life of a
project and in the best interests of meeting
project objectives
Risk management is often overlooked, but it
can help improve project success by helping
select good projects, determining project
scope, and developing realistic estimates
9. What is risk?
A dictionary definition of risk is “the possibility
of loss or injury”
Project risk involves understanding potential
problems that might occur on the project and
how they might impede project success
Risk management is like a form of insurance;
it is an investment.
9. Why take risks?
Opportunities
Risks
Try to balance risks and opportunities
9. Risk utility
Risk utility or risk tolerance is the amount of
satisfaction or pleasure received from a
potential payoff
Utility rises at a decreasing rate for a person
who is risk-averse
Those who are risk-seeking have a higher
tolerance for risk and their satisfaction
increases when more payoff is at stake
The risk neutral approach achieves a balance
between risk and payoff
9. Common sources of risk for IT projects
Several studies show that IT projects share
some common sources of risk
The Standish Group developed an IT
success potential scoring sheet based on
potential risks
McFarlan developed a risk questionnaire to
help assess risk
Other broad categories of risk help identify
potential risks
9. McFarlan’s risk questionnaire
1. What is the project estimate in calendar (elapsed) time?
( ) 12 months or less Low = 1 point
( ) 13 months to 24 months Medium = 2 points
( ) Over 24 months High = 3 points
2. What is the estimated number of person days for the system?
( ) 12 to 375 Low = 1 point
( ) 375 to 1875 Medium = 2 points
( ) 1875 to 3750 Medium = 3 points
( ) Over 3750 High = 4 points
3. Number of departments involved (excluding IT)
( ) One Low = 1 point
( ) Two Medium = 2 points
( ) Three or more High = 3 points
4. Is additional hardware required for the project?
( ) None Low = 0 points
( ) Central processor type change Low = 1 point
( ) Peripheral/storage device changes Low = 1 point
( ) Terminals Medium = 2 points
( ) Change of platform, for example PCs replacing mainframes High = 3 points
9. Risk types
Market risk: Will the new product be useful to the
organization or marketable to others? Will users
accept and use the product or service?
Financial risk: Can the organization afford to
undertake the project? Is this project the best way to
use the company’s financial resources?
Technology risk: Is the project technically feasible?
Could the technology be obsolete before a useful
product can be produced?
9. Technology risk
David Anderson, a project manager for Kaman Sciences
Corp., shared his lessons learned from a project failure in
an article for CIO Enterprise Magazine. After spending two
years and several hundred thousand dollars on a project to
provide new client-server based financial and human
resources information systems for their company, Anderson
and his team finally admitted they had a failure on their
hands. Anderson admitted that he was too enamored by
using cutting edge technology and took a high-risk approach
on the project. He "ramrodded through" what the project
team was going to do, and he admitted that he was wrong.
The company finally decided to switch to a more stable
technology to meet the business needs of the company.
Hildebrand, Carol. “If At First You Don’t Succeed,” CIO Enterprise Magazine, April 15, 1998
9. What is project risk?
The goal of project risk management is to minimize
potential risks while maximizing potential
opportunities. Major processes include
Risk identification: determining which risks are likely
to affect a project
Risk quantification: evaluating risks to assess the
range of possible project outcomes
Risk response development: taking steps to
enhance opportunities and developing responses to
threats
Risk response control: responding to risks over the
course of the project
9. Identifying risk
Risk identification is the process of
understanding what potential unsatisfactory
outcomes are associated with a particular
project
Several risk identification tools include
checklists, flowcharts, and interviews
9. Potential risk areas
| Knowledge Area | Risk Conditions |
|---|---|
| Integration | Inadequate planning; poor resource allocation; poor integration management; lack of post-project review |
| Scope | Poor definition of scope or work packages; incomplete definition of quality requirements; inadequate scope control |
| Time | Errors in estimating time or resource availability; poor allocation and management of float; early release of competitive products |
| Cost | Estimating errors; inadequate productivity, cost, change, or contingency control; poor maintenance, security, purchasing, etc. |
| Quality | Poor attitude toward quality; substandard design/materials/workmanship; inadequate quality assurance program |
| Human Resources | Poor conflict management; poor project organization and definition of responsibilities; absence of leadership |
| Communications | Carelessness in planning or communicating; lack of consultation with key stakeholders |
| Risk | Ignoring risk; unclear assignment of risk; poor insurance management |
| Procurement | Unenforceable conditions or contract clauses; adversarial relations |
9. Quantifying risk
Risk quantification or risk analysis is the
process of evaluating risks to assess the
range of possible project outcomes
Determine the risk’s probability of occurrence
and its impact to the project if the risk does
occur
Risk quantification techniques include
expected monetary value analysis,
calculation of risk factors, PERT estimations,
simulations, and expert judgment
Bid the Best Project by utilizing EMV
and your personal risk tolerance
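| Project | Chance of Outcome | Estimated Profits |
|---|---|---|
| Project 1 | 50% | $120,000 |
| | 50% | -$50,000 |
| Project 2 | 30% | $100,000 |
| | 40% | $50,000 |
| | 30% | -$60,000 |
| Project 3 | 70% | $20,000 |
| | 30% | -$5,000 |
| Project 4 | 30% | $40,000 |
| | 30% | $30,000 |
| | 20% | $20,000 |
| | 20% | -$50,000 |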
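Added example (not part of the original slides): the EMV worksheet above carried through in Python, with each project's outcomes taken from the table. The mapping of "personal risk tolerance" to decision rules (maximin for risk-averse, maximax for risk-seeking) is an assumption made for illustration; the slides do not prescribe one.

```python
# Outcomes per project as (chance in percent, estimated profit in dollars).
# Whole percentages keep the arithmetic exact.
PROJECTS = {
    "Project 1": [(50, 120_000), (50, -50_000)],
    "Project 2": [(30, 100_000), (40, 50_000), (30, -60_000)],
    "Project 3": [(70, 20_000), (30, -5_000)],
    "Project 4": [(30, 40_000), (30, 30_000), (20, 20_000), (20, -50_000)],
}

def emv(outcomes):
    """Expected monetary value: sum of probability x payoff over all outcomes."""
    total = sum(pct for pct, _ in outcomes)
    if total != 100:
        raise ValueError(f"chances sum to {total}%, expected 100%")
    return sum(pct * profit for pct, profit in outcomes) / 100

def worst_case(outcomes):
    """Largest loss (or smallest profit) the project can produce."""
    return min(profit for _, profit in outcomes)

def best_case(outcomes):
    return max(profit for _, profit in outcomes)

def loss_chance(outcomes):
    """Total chance, in percent, of ending with a negative profit."""
    return sum(pct for pct, profit in outcomes if profit < 0)

def rank_by_emv(projects):
    return sorted(projects, key=lambda name: emv(projects[name]), reverse=True)

def best_bid(projects, tolerance):
    """Pick a project for a given risk attitude (decision rules are assumed)."""
    rules = {
        "neutral": emv,        # maximize expected value
        "averse": worst_case,  # maximin: protect against the worst outcome
        "seeking": best_case,  # maximax: chase the largest payoff
    }
    if tolerance not in rules:
        raise ValueError(f"unknown risk tolerance: {tolerance!r}")
    return max(projects, key=lambda name: rules[tolerance](projects[name]))

if __name__ == "__main__":
    for name in rank_by_emv(PROJECTS):
        o = PROJECTS[name]
        print(f"{name}: EMV ${emv(o):>9,.0f}  worst ${worst_case(o):>8,}  "
              f"chance of loss {loss_chance(o)}%")
    for tolerance in ("neutral", "averse", "seeking"):
        print(f"risk-{tolerance} bidder picks {best_bid(PROJECTS, tolerance)}")
```

The highest-EMV project and the project a risk-averse bidder would pick are different here, which is why the slide pairs EMV with risk tolerance.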
9. Simulation for quantifying risk
McDonnell Aircraft Company used Monte Carlo simulation to help
quantify risks on several advanced-design engineering projects. The
National Aerospace Plane (NASP) project involved many risks. The
purpose of this multi-billion dollar project was to design and develop a
vehicle that could fly into space using a single-stage-to-orbit approach.
A single-stage-to-orbit approach meant the vehicle would have to
achieve a speed of Mach 25 (25 times the speed of sound) without a
rocket booster. A team of engineers and business professionals
worked together in the mid-1980s to develop a software model for
estimating the time and cost of developing the NASP. This model was
then linked with Monte Carlo simulation software to determine the
sources of cost and schedule risk for the project. The results of the
simulation were then used to determine how the company would invest
its internal research and development funds. Although the NASP
project was terminated, the resulting research has helped develop
more advanced materials and propulsion systems used on many
modern aircraft.
9. Expert judgment
Many organizations rely on the intuitive
feelings and past experience of experts to
help identify potential project risks
The Delphi method is a technique for
deriving a consensus among a panel of
experts to make predictions about future
developments
9. Response to risk
Risk avoidance: eliminating a specific threat
or risk, usually by eliminating its causes
Risk acceptance: accepting the
consequences should a risk occur
Risk mitigation: reducing the impact of a risk
event by reducing the probability of its
occurrence
9. Risk Mitigation Strategies
| Technical Risks | Cost Risks | Schedule Risks |
|---|---|---|
| Emphasize team support and avoid stand alone project structure | Increase the frequency of project monitoring | Increase the frequency of project monitoring |
| Increase project manager authority | Use WBS and PERT/CPM | Use WBS and PERT/CPM |
| Improve problem handling and communication | Improve communication, project goals understanding and team support | Select the most experienced project manager |
| Increase the frequency of project monitoring | Increase project manager authority | |
| Use WBS and PERT/CPM | | |
9. Risk planning
A risk management plan documents the
procedures for managing risk throughout the
project
Contingency plans are predefined actions
that the project team will take if an identified
risk event occurs
Contingency reserves are provisions held by
the project sponsor for possible changes in
project scope or quality that can be used to
mitigate cost and/or schedule risk
9. Risk management questions
Why is it important to take/not take this risk in
relation to the project objectives?
What specifically is the risk and what are the risk
mitigation deliverables?
How is the risk going to be mitigated? (What risk
mitigation approach is to be used?)
Who are the individuals responsible for implementing
the risk management plan?
When will the milestones associated with the
mitigation approach occur?
How much is required in terms of resources to
mitigate risk?
9. Response to risks
Risk response control involves executing the
risk management processes and the risk
management plan to respond to risk events
Risks must be monitored based on defined
milestones and decisions made regarding
risks and mitigation strategies
Sometimes workarounds or unplanned
responses to risk events are needed when
there are no contingency plans
9. Tracking risks
Top 10 risk item tracking is a tool for
maintaining an awareness of risk throughout
the life of a project
Establish a periodic review of the top 10
project risk items
List the current ranking, previous ranking,
number of times the risk appears on the list
over a period of time, and a summary of
progress made in resolving the risk item
9. Example for risk tracking
| Risk Item | Monthly Ranking: This Month | Monthly Ranking: Last Month | Number of Months | Risk Resolution Progress |
|---|---|---|---|---|
| Inadequate planning | 1 | 2 | 4 | Working on revising the entire project plan |
| Poor definition of scope | 2 | 3 | 3 | Holding meetings with project customer and sponsor to clarify scope |
| Absence of leadership | 3 | 1 | 2 | Just assigned a new project manager to lead the project after old one quit |
| Poor cost estimates | 4 | 4 | 3 | Revising cost estimates |
| Poor time estimates | 5 | 5 | 3 | Revising schedule estimates |
9. Tools for tracking risks
Databases can keep track of risks
Spreadsheets can aid in tracking and
quantifying risks
More sophisticated risk management
software helps develop models and uses
simulation to analyze and respond to
various project risks
9. Good project risk management
Unlike crisis management, good project risk
management often goes unnoticed
Well-run projects appear to be almost
effortless, but a lot of work goes into running
a project well
Project managers should strive to make
their jobs look easy to reflect the results of
well-run projects
9. Discussion questions
Can you avoid risks?
What are common sources of risk for IT
projects?
How does a spreadsheet help to quantify risk?
How does simulation help to quantify risk?
What is the best way to plan for risks?
What is the difference between a contingency
plan and a contingency reserve?
9. Discussion questions
Read and comment on interview questions
and answers at the end of this chapter.
What question or which response do you
find interesting and why?
Which group of risks (internal, external)
described in this chapter is more critical to
an information system project? Why? What
is the most critical risk for any information
system project?
9. Discussion questions
Is user involvement important to risk
management? Why?
Comment on sources of risk:
continued management support
top management style
alignment with organizational needs
user acceptance
shifting goals and objectives
9. Discussion questions
Comment on sources of risk:
vendors
consultants
contract employees
market and change fluctuation
government regulation
What are effective ways of avoiding the risk
of losing internal talent to external
providers?