Downloaded 139 times
More Related Content
Similar to Managing Risk And Opportunity In IT Projects
Managing Risk And Opportunity In IT Projects
- 1. PMI OVOC 10thAnnual Project Management Symposium October 12 – 14, 2010 Unleashing the Power of Project Management Template V3 Managing Risk and Opportunity in IT Projects Robert Venczel
- 2. 3 Key LearningPoints 1. Describe the risk management process – Definitions, utility theory, steps, responsibilities, etc. – Corporate strategy relationship 2. Explain the RiskIT Model – IT goals, associated metrics, and IT-related risks – IT project risk management – Risk scenarios and implementation of controls 3. Application of IT risk management – Case study 2Presented at PMI OVOC Project Management Symposium 2010
- 3. Your Presenter • RobertVenczel, MBA, CMA, CISA, PMP, CIA • Bivium Executive Consulting Ltd. • Over 18 years of management consulting experience in both public and private sectors in the areas of: – Project and programme risk management – IT project management and governance – IT audit – Business strategy 3Presented at PMI OVOC Project Management Symposium 2010
- 4. Agenda • Risk ManagementProcess – A Quick Review • Project Risk Management • IT Risks vs. Overall Risk Universe • IT Project Risk Management Continuum • Case Study – SuperSoftware Inc. 4Presented at PMI OVOC Project Management Symposium 2010
- 5. What is Risk? •Risk is defined as this uncertainty of outcome, whether positive opportunity or negative threat, of actions and events.* *Orange Book (UK) Definition 5Presented at PMI OVOC Project Management Symposium 2010
- 6. RM Process • RiskIdentification • Risk Assessment • Risk Mitigation and Monitoring • Risk Reporting 6Presented at PMI OVOC Project Management Symposium 2010
- 7. The Riskit RiskManagement Cycle 7Presented at PMI OVOC Project Management Symposium 2010 Source: Kontio, J , Getto, G. and Landes. D. (1998),Experiences in improving risk management processes using the concepts of Riskit method, SIGSOFT’98 sixth International Symposium on the Foundations of Software Engineering.
- 8. Risk Identification • Typesof risk: – Organization-wide vs. programme/project – External vs. internal – Inherent vs. residual • Risk identification: – Using common methodology – From top down and from bottom up • Part of short- and long-term business planning process • Continuous not a one-time exercise 8Presented at PMI OVOC Project Management Symposium 2010
- 9. Risk Assessment • Utilitytheory • Likelihood and impact • Need to develop a simple scoring/weighting methodology that can be applied on a consistent basis across the organization. 9Presented at PMI OVOC Project Management Symposium 2010
- 10. Impact vs. Likelihood 10Presentedat PMI OVOC Project Management Symposium 2010
- 11. Addressing Risks /Risk Tolerance Tolerate Treat Transfer Terminate Risk tolerance vs. risk appetite 11Presented at PMI OVOC Project Management Symposium 2010
- 12. Risk Management/Risk Mitigation •Identification of mitigating actions and controls • Ensuring that mitigating actions and controls are implemented (risk owners) • Monitoring and reporting on the effectiveness of mitigating actions and controls • Reporting and escalating problems up the management chain 12Presented at PMI OVOC Project Management Symposium 2010
- 13. Risk Mitigation Plan •Choosing the most appropriate “treatment” or combination of treatment options • Costs and efforts vs. benefits • Risk treatment itself can introduce risks 13Presented at PMI OVOC Project Management Symposium 2010
- 14. Risk Monitoring andReporting • Review periodically: – If the status of risks has changed or new risks emerged – The effectiveness of the mitigation strategies against indicators – The validity of the initial assumptions – The existence of appropriate contingency plans • Reporting: – Status, performance and results – Trends and patterns 14Presented at PMI OVOC Project Management Symposium 2010
- 15. RM Responsibilities forRisk Owners vs. Risk Managers – Risk Owners: • Deemed ultimately accountable for the effective management of specific risk categories • Do not necessarily own or control all aspects of the risk • Depend on others to help mitigate the risks • Risk Managers: • Responsibility for the risk management process • Have the authority to manage risks 15Presented at PMI OVOC Project Management Symposium 2010
- 16. PMBOK® - ProjectRisk Management Project Risk Management Processes • Plan Risk Management • Identify Risks • Perform Qualitative Risk Analysis • Perform Quantitative Risk Analysis • Plan Risk Responses • Monitor and Control Risks 16Presented at PMI OVOC Project Management Symposium 2010 Source: PMI’s PMBOK Guide, Fourth Edition (2008)
- 17. Opportunity vs. Risk •On the positive side… new business initiatives successfully enabled by IT • On the negative side… IT projects misaligned with the strategic objectives; waste of resources due to failed projects; etc. 17Presented at PMI OVOC Project Management Symposium 2010
- 18. Defining IT Goalsand Enterprise Architecture for IT 18Presented at PMI OVOC Project Management Symposium 2010 Source: ISACA’s COBIT® 4.1 Framework for IT Governance and Control (2007)
- 19. IT Risk vs.Overall Risk Universe 19Presented at PMI OVOC Project Management Symposium 2010 Source: ISACA’s The Risk IT Framework (2009)
- 20. IT Project RiskManagement Continuum 20Presented at PMI OVOC Project Management Symposium 2010 Needs and Requirements Specifications Contractor/Team Selection Design and Development Systems Integration Conceptual Design Demonstration/ Validation Engineering, Manufacturing, Development, and Production Maintenance and Major Upgrade
- 21. System Complexity vs.Risk 21Presented at PMI OVOC Project Management Symposium 2010 Risk(technical;cost;schedule) Complexity (technology; team; expertise; etc.)
- 22. IT Risk ManagementSupports Success By enabling IT project management to: • Deal effectively with potential future events that create uncertainty. • Respond in a manner that reduces the likelihood that objectives will not be achieved and increases the likelihood of success. 22Presented at PMI OVOC Project Management Symposium 2010
- 23. Practicing Risk Management •Integrate IT project risk management with business planning and priority setting • Promote use of the common language, framework, and process • Use common tools, techniques and models for risk mapping and monitoring • Use of risk management concepts in decision making and reporting • Consult and communicate with internal and external stakeholders throughout the process • Monitor, evaluate, and adjust systems, processes, and practices 23Presented at PMI OVOC Project Management Symposium 2010
- 24. IT Project RiskScenario Example 24Presented at PMI OVOC Project Management Symposium 2010 Beta Test Successful Users not ready to use the new software Cost: $15K+ Unsuccessful Project terminated because of changed business priorities Cost: $100K+ Project delayed Time: 1 month Cost: $20K+ Software development project
- 25. Case Study –SuperSoftware Inc. • Software development project • Stakeholders • Team • Risks • Evaluation of risks (quantitative vs. qualitative) • Mitigation, monitoring and reporting • Lessons learned 25Presented at PMI OVOC Project Management Symposium 2010
- 26. Conclusions • Get seniormanagement’s buy in and support for a risk-aware culture. • Use risk management people who understand the business and information technology, and are also good communicators. • Successful IT risk management is all about connection and alignment with business strategy. 26Presented at PMI OVOC Project Management Symposium 2010
- 27. Additional Resources • Committeeof Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management – Integrated Framework • Risk management: Principles and guidelines - International Standard, ISO 31000: 2009 • Australian/New Zealand Standard for risk management - AS/NZS 4360:2004 • Risk management policies, directives and standards developed by the Treasury Board Secretariat (TBS’s) to guide good management across the Canadian Federal Government: – Integrated Risk Management Framework (IRMF) – Integrated Risk Management Implementation Guide – Policy on Active Monitoring – Risk Management Policy – Draft Core Management Controls – Management Accountability Framework (MAF) criteria. • PMI’s PMBOK Guide, Fourth Edition (2008) • ISACA’s COBIT® 4.1 Framework for IT Governance and Control (2007) • ISACA’s The Risk IT Framework (2009) • ISACA’s The Risk IT Practitioner Guide (2009) 27Presented at PMI OVOC Project Management Symposium 2010
- 28. For more information… •Thank you for your participation today! • For more information on the contents of this presentation, please feel free to contact me as follows: – Robert Venczel, MBA, CMA, CISA, PMP, CIA – Bivium Executive Consulting Ltd. • “Achieving Excellence Through Change” – rvenczel@biviumconsulting.ca – 613-843-7629 28Presented at PMI OVOC Project Management Symposium 2010
- 29. Copyright Notice • Thecontents of this presentation are Copyright © 2010 by the presenter and PMI OVOC. • Permission is granted for participants to print the presentation handouts for use during the conference and later personal reference. • PMI OVOC reserves the right to store this content for archival purposes as a record of conference proceedings and to publish this content electronically for the purpose of disseminating conference proceedings to conference participants. • All other use, storage, retrieval, distribution, or reproduction must be authorized in advance, in writing. 29Presented at PMI OVOC Project Management Symposium 2010
- 30.
- 31. Guiding Principles 31Presented atPMI OVOC Project Management Symposium 2010 Source: ISACA’s The Risk IT Framework (2009)
- 32. Sample IT RiskHeat Map 32Presented at PMI OVOC Project Management Symposium 2010 Poor communication Budget overrun Scope creep Inadequate functional requirements Lack of support from the top 1.00 1.20 1.40 1.60 1.80 2.00 2.20 2.40 2.60 2.80 3.00 1.00 1.20 1.40 1.60 1.80 2.00 2.20 2.40 2.60 2.80 3.00 Impact Likelihood IT Risks