ITEC 459 
Project Management 
Project Risk Management
Learning Outcome 5 
Identify solutions to possible risks that affect the 
planning and executing of an IT project. 
5.1 Identify potential risks that may occur at different 
stages of the project. 
5.2 Analyze risks using quantitative and qualitative 
techniques such as decision trees, probabilities, 
simulation and sensitivity analysis. 
5.3 Develop a risk response plan that will eliminate or 
reduce the effect of potential risks
Lesson Objectives
▪ Understand Risk Management
▪ Risk Management Processes
What is Risk?
▪ Risk
– It is the possibility of loss or injury
– It is everywhere
• Driving a car
• Walking down the street
• Traveling, etc.
▪ Project Risk
– Part of any project and represents the
uncertainty element in the project
• No escaping it!
– Unplanned events or conditions that can have
an effect on the project
• The effects can be negative or positive
Risk Management
▪ Project Risk Management is an activity
undertaken to lessen the impact of potentially
adverse events on the project
– Think of it as an insurance against surprises
▪ Risk Management can help improve project
success by helping select good projects,
determining project scope, and developing
realistic estimates
▪ Failure to address Risk Management issues can
translate into losses
– Financial losses due to the credit crisis of 2008
Risks
▪ Risks can be positive or negative
– Positive Risks: Result in good things or
opportunities
– Negative Risks: Result in losses
▪ The goal of Project Risk Management
is to minimize potential negative
risks while maximizing potential
positive risks
Risk Management Processes 
1. Risk Management Planning 
2. Risk Identification 
3. Qualitative Risk Analysis 
4. Quantitative Risk Analysis 
5. Risk Response Planning 
6. Risk Monitoring & Control
1. Risk Management Planning
▪ It is deciding how to approach the
risk
▪ Output → Risk management plan
▪ This plan summarizes the results of risk
identification, quantitative & qualitative
analysis and the response method
▪ It also includes a contingency plan, which is
a predefined action that the project team
will take if an identified risk event occurs
Contingency and Fallback Plans, Contingency
Reserves
▪ Contingency plans are predefined actions that the
project team will take if an identified risk event
occurs
▪ Fallback plans are developed for risks that have a
high impact on meeting project objectives and are
put into effect if attempts to reduce the risk are not
effective
▪ Contingency reserves or allowances are
provisions held by the project sponsor or
organization to reduce the risk of cost or schedule
overruns to an acceptable level
Risk Breakdown Structure
▪ A risk breakdown structure is a
hierarchy of potential risk categories
for a project
▪ Similar to a work breakdown
structure but used to identify and
categorize risks
Sample Risk Breakdown Structure
Potential Negative Risk Conditions Associated with 
Each Knowledge Area
2. Risk Identification
▪ It is the process of gaining an understanding
of the potentially unsatisfactory outcomes
that can occur in the project
– What can potentially go wrong?
▪ Historical information can help identify
the areas where risk is high
▪ Risk is present in all project management
areas, like Scope, Time, Cost, Quality, HR,
Communication, Risk, Procurement and
Integration
Sources of Risk in IT projects
▪ Technical Risk
– From new, unproven or complex technology (what
if it doesn’t work?)
▪ Quality Risk
– From levels of expectations (what if quality
measures are set too high?)
▪ Financial Risk
– From budget (what if the project goes over budget?)
▪ Project Management Risk
– From improper project management (what if we
were wrong in time and resource allocation?)
▪ External Risk
– From things external to the project such as nature
and political situations (what if a tornado hit or a
war erupted?)
Risk Identification Techniques
▪ Reviewing Project Documents
– Project plan, scope, etc.
▪ Brainstorming
– Project team
▪ Interviewing
– Subject matter experts and project stakeholders
▪ Delphi Technique
– An anonymous method to query experts about foreseeable
▪ SWOT Analysis
– Strengths, Weaknesses, Opportunities & Threats
▪ Diagramming Techniques
– Ishikawa (Fishbone) and Flow charts
▪ Usually a combination of these methods is used to assess
the risk involved
The Delphi Technique
▪ A forecasting method that relies on a
number of independent experts
▪ A questionnaire related to project
risk is given to the experts
– They answer anonymously
▪ Results are analyzed and then re-circulated
for more rounds and
discussions
SWOT Example 
Helps identify the broad 
negative and positive risks 
that apply to a project
Ishikawa Diagram
▪ Also called the fishbone diagram
– Because it looks like a fishbone
3. Qualitative Risk Analysis
▪ It involves assessing the likelihood (strong
probability) and impact of identified risks, then
determining their magnitude and priority
– In other words, prioritizing risks based on their probability and
impact of occurrence (put the high-probability risks first)
▪ Methods of qualitative risk analysis
include
– Using Probability/Impact matrix
– Top 10 risk item tracking
– Expert Judgment
Probability/Impact Method
▪ The project risks are rated according to their probability
and impact
– Risk probability
  • is the likelihood that a risk event may happen
– Risk impact
  • is the consequence that the result of the event will have on the project
  objectives
▪ Two ways to rank
– Cardinal
  • Example
    – 0.01 very low
    – 1.0 is certain
– Ordinal
  • Example
    – Very high
    – High
    – Unlikely
    – Very unlikely
Probability/Impact Matrix (1)
▪ Example:
– An identified risk in a project is the
possibility that the vendor may be late
in delivering the hardware
– Step 1 → Identify the risk
– Step 2 → Decide on the risk ranking
Probability/Impact Matrix (2)
▪ Example (continued):
– Step 1 → the vendor may be late in
delivering the HW
– Step 2 →
• Probability ranking: 0.1, 0.3, 0.5, 0.7, 0.9
• Impact ranking: 0.05, 0.10, 0.20, 0.40, 0.80
Probability/Impact Matrix (3)
Risk Scores (rows = Probability, columns = Impact)
Probability \ Impact   0.05   0.10   0.20   0.40   0.80
0.9
0.7
0.5
0.3
0.1
Insert the rankings into the matrix and do the math
Probability/Impact Matrix (4)
Risk Scores (rows = Probability, columns = Impact)
Probability \ Impact   0.05   0.10   0.20   0.40   0.80
0.9                    0.05   0.09   0.18   0.36   0.72
0.7                    0.04   0.07   0.14   0.28   0.56
0.5                    0.03   0.05   0.10   0.20   0.40
0.3                    0.02   0.03   0.06   0.12   0.24
0.1                    0.01   0.01   0.02   0.04   0.08
Results are rounded
Green → Low (<0.05)
Orange → Moderate (>=0.05 and <0.18)
Red → High (>=0.18)
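The matrix above can be recomputed from the two rankings. This is an added example, not part of the original slides: it reproduces the rounded scores with half-up rounding and lists any cell whose band changes depending on whether the thresholds are applied before or after rounding. Function names are illustrative, and banding the rounded score is an assumption, because the slide's cell colours are not preserved in the text.

```python
from decimal import Decimal, ROUND_HALF_UP

# Rankings from the slide's vendor-delay example, kept as strings so that
# Decimal holds them exactly (ties such as 0.045 must round half-up).
PROBABILITIES = ["0.9", "0.7", "0.5", "0.3", "0.1"]
IMPACTS = ["0.05", "0.10", "0.20", "0.40", "0.80"]
TWO_PLACES = Decimal("0.01")


def risk_score(probability, impact):
    """Probability x impact, rounded half-up to two decimals as on the slide."""
    raw = Decimal(probability) * Decimal(impact)
    return raw.quantize(TWO_PLACES, rounding=ROUND_HALF_UP)


def band(score):
    """Slide thresholds: Low <0.05, Moderate >=0.05 and <0.18, High >=0.18."""
    score = Decimal(score)
    if score < Decimal("0.05"):
        return "Low"
    if score < Decimal("0.18"):
        return "Moderate"
    return "High"


def build_matrix():
    """Return {(probability, impact): (rounded score, band)}.

    Assumption: the band is taken from the rounded score.
    """
    return {(p, i): (risk_score(p, i), band(risk_score(p, i)))
            for p in PROBABILITIES for i in IMPACTS}


def rounding_sensitive_cells():
    """Cells where banding the raw product differs from banding the rounded one."""
    cells = []
    for p in PROBABILITIES:
        for i in IMPACTS:
            raw_band = band(Decimal(p) * Decimal(i))
            rounded_band = band(risk_score(p, i))
            if raw_band != rounded_band:
                cells.append((p, i, raw_band, rounded_band))
    return cells


if __name__ == "__main__":
    matrix = build_matrix()
    for p in PROBABILITIES:
        print(p, "  ".join(f"{matrix[(p, i)][0]} {matrix[(p, i)][1]:<8}" for i in IMPACTS))
    print("band depends on rounding:", rounding_sensitive_cells())
```

Only the 0.9 x 0.05 cell is sensitive: its raw product 0.045 is Low, while the rounded 0.05 is Moderate, so a team using this matrix should agree on which value the thresholds apply to.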
Example of Top Ten Risk Item Tracking
4. Quantitative Risk Analysis
▪ Quantitative risk analysis attempts to
numerically assess the probability and
impact of the identified risks
▪ Quantitative risk analysis also creates
an overall risk score for the project
▪ Methods
– Decision Trees & Expected Monetary Value
– Simulation
• What-If analysis (Monte Carlo technique)
– Sensitivity analysis
Decision Tree & Expected 
Monetary Value
Sensitivity Analysis
▪ Sensitivity analysis is a technique used to
show the effects of changing one or more
variables on an outcome
▪ For example, many people use it to determine
what the monthly payments for a loan will be
given different interest rates or periods of the
loan, or for determining break-even points
based on different assumptions
▪ Spreadsheet software, such as Excel, is a
common tool for performing sensitivity analysis
Sample Sensitivity Analysis for Determining 
Break-Even Point
5. Risk Response Planning
▪ Involves
– Risk Avoidance:
• trying to eliminate some or all of the risk
involved
– Risk Acceptance:
• just accepting the consequences of taking
the risk (if you can)
– Risk Transference: involves a third party
• like using insurance, warranties, guarantees
– Risk Mitigation:
• involves reducing the impact of the risk event
by reducing the probability of occurrence
General Risk Mitigation Strategies for 
Technical, Cost, and Schedule Risks
6. Risk Monitoring and Control
▪ Risk monitoring and control is the
process of monitoring identified risks
for signs that they may be occurring,
controlling identified risks with the
agreed responses, and looking for
new risks that may creep into the
project
