Chapter 10,
Project Risk Management
2013-3-1 2
Learning Objectives
? Understand the importance of good project risk management
? Understand what risk is and describe different tolerances for risk
? Describe each of the processes involved in project risk
management,
? Identify common sources of risk on IT projects and develop
strategies for reducing them
? Describe common risk conditions that occur in each project
management knowledge area and techniques for identifying
potential risks on specific projects
? Use tools and techniques for qualitative and quantitative risk
analysis,
? Describe can assist in project risk management
? Explain the results of good project risk management
2013-3-1 3
Chapter Outline
? The Importance of Project Risk Management
? Risk Management Planning
? Common Sources of Risk on Information Technology
Projects
? Risk Identification
? Qualitative Risk Analysis
? Quantitative Risk Analysis
? Risk Response Planning
? Risk Monitoring and Control
? Using Software to Assist in Project Risk Management
? Results of Good Project Risk Management
10.1 The Importance of Project
Risk Management
2013-3-1 5
Project Risk Management
? Project risk management is the art
and science of identifying,assigning,and
responding to risk throughout the life of a
project and in the best interests of
meeting project objectives
? Risk management is often overlooked on
projects,but it can help improve project
success by helping select good projects,
determining project scope,and
developing realistic estimates
2013-3-1 6
Project Management Maturity by Industry
Group and Knowledge Area
2013-3-1 7
What is Risk?
? A dictionary definition of risk is,the
possibility of loss or injury”
? Project risk involves understanding
potential problems that might occur on
the project and how they might impede
project success
? Risk management is like a form of
insurance; it is an investment
2013-3-1 8
Why Take Risks? Because of
Opportunities!
Opportunities Risks
Try to balance risks and opportunities
2013-3-1 9
Risk Utility
? Risk utility or risk tolerance is the
amount of satisfaction or pleasure
received from a potential payoff
? Utility rises at a decreasing rate for a
person who is risk-averse
? Those who are risk-seeking have a
higher tolerance for risk and their
satisfaction increases when more payoff
is at stake
? The risk neutral approach achieves a
balance between risk and payoff
2013-3-1 10
Risk Utility Function and Risk
Preference
2013-3-1 11
Project Risk Management Processes
? The goal of project risk management is to
minimize potential risks while maximizing
potential opportunities,
? project risk management Processes are,
? Risk management planning,deciding how to
approach and plan the risk management activities
for the project
? Risk identification,determining which risks
are likely to affect a project and documenting
their characteristics
2013-3-1 12
Project Risk Management Processes
? Qualitative risk analysis,characterizing and
analyzing risks and prioritizing their effects on
project objectives
? Quantitative risk analysis,measuring the
probability and consequences of risks
? Risk response planning,taking steps to
enhance opportunities and reduce threats to
meeting project objectives
? Risk monitoring and control,monitoring
known risks,identifying new risks,reducing risks,
and evaluating the effectiveness of risk reduction
10.2 Risk Management Planning
2013-3-1 14
Risk Management Planning
? The main output of risk management
planning is a risk management plan
? The project team should review
project documents and understand
the organization’s and the sponsor’s
approach to risk
? The level of detail will vary with the
needs of the project
2013-3-1 15
Questions Addressed in a Risk
Management Plan
2013-3-1 16
Contingency,Fallback Plans,Contingency
Reserves
? Contingency plans are predefined actions
that the project team will take if an
identified risk event occurs
? Fallback plans are developed for risks that
have a high impact on meeting project
objectives
? Contingency reserve or allowances are
provisions held by the project sponsor that
can be used to mitigate cost or schedule
risk if changes in scope or quality occur
10.3 Risk Identification
2013-3-1 18
Risk Identification
? Risk identification is the process of
understanding what potential
unsatisfactory outcomes are associated
with a particular project
? Several risk identification tools and
techniques include
? Brainstorming
? The Delphi technique
? Interviewing
? SWOT analysis
2013-3-1 19
Basic Categories of Risk
? Market risk,Will the new product be useful
to the organization or marketable to others?
Will users accept and use the product or
service?
? Financial risk,Can the organization afford
to undertake the project? Is this project the
best way to use the company’s financial
resources?
? Technology risk,Is the project technically
feasible? Could the technology be obsolete
before a useful product can be produced?
2013-3-1 20
Common Sources of Risk on IT Projects
? Several studies show that IT projects
share some common sources of risk
? The Standish Group developed an IT
success potential scoring sheet based on
potential risks
? McFarlan developed a risk questionnaire
to help assess risk
? Other broad categories of risk help
identify potential risks
2013-3-1 21
IT Success Potential Scoring Sheet
S u c c e ss Cr ite r ion P oin t s
User I nvolvement 19
Ex e c uti ve Mana g e ment s uppor t 16
C lea r S tatement of Requir e ments 15
P r ope r P lanning 11
R e a li st ic Ex pe c tati ons 10
S mall e r P r ojec t M il e st one s 9
C ompetent S taf f 8
Owne r shi p 6
C lea r Vis ions a nd Objec ti ve s 3
Ha r d - W or king,F oc used S taf f 3
Total 100
2013-3-1 22
McFarlan’s Risk Questionnaire
1,W hat i s t he proj e c t est im a te in c a lend a r (e laps e d) t im e?
( ) 12 m on th s o r less L ow = 1 po in t
( ) 13 m on th s t o 2 4 m on th s M e di um = 2 po in ts
( ) Ove r 24 m on th s Hig h = 3 p oi nt s
2,W hat i s t he e st im a ted n um ber of per so n d a y s fo r th e sy st e m?
( ) 12 t o 3 75 L ow = 1 po in t
( ) 375 to 18 75 M e di um = 2 po in ts
( ) 187 5 t o 3 75 0 M e di um = 3 po in ts
( ) Ove r 37 50 Hig h = 4 p oi nt s
3,Num ber of depa rtm e nt s i nv ol ved (e x c lu di ng I T)
( ) One L ow = 1 po in t
( ) Two M e di um = 2 po in ts
( ) Three or m ore Hig h = 3 p o ints
4,I s add it io nal h a rdwa re re qu ired for t he proj e c t?
( ) None L ow = 0 po in ts
( ) C e nt ra l p roce ss or t y pe c hang e L ow = 1 po in t
( ) P e rip hera l/ st orag e devi c e c hang e s L ow = 1
( ) Te rm in a ls M e d = 2
( ) C hang e of p latfo rm,for e x a m pl e Hig h = 3
P C s replac in g m a in fra m e s
2013-3-1 23
Potential Risk Conditions Associated With
Each Knowledge Area
K n ow ledge Ar e a Risk Cond ition s
I nteg r a ti on I na de qua te planning ; poor r e sourc e a ll oc a ti on; poor int e g r a ti on
mana g e ment; lac k of post - pr ojec t re view
S c ope P oor de f ini ti on of sc ope or wor k pa c ka g e s; incompl e te de f ini ti on
of qua li ty r e quire ments; inade qua te sc ope c ontrol
Tim e Er r or s i n e st im a ti ng ti me or r e sourc e a va il a bil it y ; poor a ll oc a ti on
a nd mana g e ment of f loat; e a r ly r e lea se of c ompeti ti ve pr oduc ts
C ost Esti mati ng e r r or s; inade qua te pr oduc ti vit y,c ost,c ha ng e,or
c onti ng e nc y c ontrol; poor maint e na nc e,se c ur it y,pur c ha si ng,e tc,
Qua li ty
P oor a tt it ude towar d qua li ty ; s ubst a nda r d
de si g n/m a ter ials/ wor kmanship; inade qua te qua li ty a ssura nc e
pr og r a m
Human Resour c e s P oor c onf li c t m a na g e ment; poor pr ojec t org a niz a ti on a nd
de f ini ti on of r e sponsi bil it ies; abse nc e of lea de r shi p
C omm unica ti ons C a r e lessne ss i n planning or c omm unica ti ng ; l a c k of c onsul tati on
wit h ke y st a ke holder s
R is k I g nor ing r is k; unclea r a ssi g nment of r is k; poor insura nc e
mana g e ment
P r oc ur e ment Une nf or c e a ble c ondit ions or c ontra c t clause s; a d ve r sa r ial re lati ons
10.3 Qualitative Risk Analysis
2013-3-1 25
1.Calculating Risk Factors Using
Probability/Impact Matrixes
? Assess the likelihood and impact of
identified risks to determine their
magnitude and priority/ranking
? Risk quantification tools and techniques
include
? Risk probability and impact
? Probability/impact risk rating matrix
? Project assumptions testing
? Data precision ranking
2013-3-1 26
Sample Probability/Impact Matrix
2013-3-1 27
Chart Showing High-,Medium-,and Low-
Risk Technologies
2013-3-1 28
Simpler Example of Probability/Impact
Analysis
? Think about potential risks related to
planning a large family reunion
? Jot down at least 3 potential risks
? Rank the probability of the risk as high,
medium,or low
? Rank the impact of the risk as high,
medium or low
? I’ll graph some of your examples
2013-3-1 29
Probability/Impact Matrix
Impact
Probability
low
med
high
low med high
2013-3-1 30
2.Top 10 Risk Item Tracking
? Top 10 Risk Item Tracking is a tool for
maintaining an awareness of risk
throughout the life of a project
? Establish a periodic review of the top 10
project risk items
? List the current ranking,previous ranking,
number of times the risk appears on the
list over a period of time,and a summary
of progress made in resolving the risk
item
2013-3-1 31
Example of Top 10 Risk Item Tracking
Mon th l y Ra n k i n g
Ri s k I te m T h i s
Mon th
L as t
Mon th
Nu m b er
of Mon th s
Ri s k Reso l u tion
P rogre s s
I nadequa t e
pl annin g
1 2 4 W orkin g on re vi s i ng t he
enti re proj ec t pl an
P oor def i ni t i on
of scope
2 3 3 Hol di ng m ee t i ng s wi t h
project cus t om er and
s pon s or to clar i f y s cope
Abs enc e of
l ea der s hi p
3 1 2 J us t ass i g ned a ne w
project m ana g er t o l ea d
t he projec t af t er ol d on e
qui t
P oor cost
est i m ates
4 4 3 R evis i ng cost est i m ates
P oor t i m e
est i m ates
5 5 3 R evis i ng s che dul e
est i m ates
2013-3-1 32
3.Expert Judgment- The Delphi method
? Many organizations rely on the
intuitive feelings and past experience
of experts to help identify potential
project risks
? Experts can categorize risks as high,
medium,or low with or without more
sophisticated techniques
10.4 Quantitative Risk Analysis
2013-3-1 34
Quantitative Risk Analysis
? Often follows qualitative risk analysis,but
both can be done together or separately
? Large,complex project often require
extensive quantitative risk analysis
? Main techniques include
? Interviewing
? Sensitivity analysis
? Decision tree analysis
? Simulation
2013-3-1 35
1.Decision Trees and Expected
Monetary Value (EMV)
? A decision tree is a diagramming
method used to help you select the best
course of action in situations in which
future outcomes are uncertain
? EMV is a type of decision tree where
you calculate the expected monetary
value of a decision based on its risk
event probability and monetary value
2013-3-1 36
EMV Example
2013-3-1 37
Simple EMV Exercise
? Project 1 has a 50% chance of providing
a profit of $200,000,a 20% chance of
costing you $50,000,and a 30% chance
of costing you $30,000,
? Project 2 has a 70% chance of providing
a profit of $100,000,and 30% of costing
you $1,000,
? What is the EMV for each project?
? Which would you recommend?
2013-3-1 38
2.Simulation
? Simulation uses a representation or model
of a system to analyze the expected
behavior or performance of the system
? Monte Carlo analysis simulates a model’s
outcome many time to provide a statistical
distribution of the calculated results
? To use a Monte Carlo simulation,you must
have three estimates (most likely,
pessimistic,and optimistic) plus an estimate
of the likelihood of the estimate being
between the optimistic and most likely
values
2013-3-1 39
Sample Monte Carlo Simulation Results
for Project Schedule
2013-3-1 40
Sample Monte Carlo Simulations Results
for Project Costs
10.5 Risk Response Planning
2013-3-1 42
Risk Response Planning
? After identifying and quantifying risk,you
must decide how to respond to them
? Four main strategies,
? Risk avoidance,eliminating a specific threat or
risk,usually by eliminating its causes
? Risk acceptance,accepting the consequences
should a risk occur
? Risk transference,shifting the consequence
of a risk and responsibility for its management to
a third party
? Risk mitigation,reducing the impact of a risk
event by reducing the probability of its
occurrence
2013-3-1 43
General Risk Mitigation Strategies for Technical,
Cost,and Schedule Risks
10.6 Risk Monitoring and
Control
2013-3-1 45
Risk Monitoring and Control
? Monitoring risks involves knowing their
status
? Controlling risks involves carrying out the
risk management plans as risks occur
? Workarounds are unplanned responses to
risk events that must be done when there
are no contingency plans
? The main outputs of risk monitoring and
control are corrective action,project change
requests,and updates to other plans
2013-3-1 46
Risk Response Control
? Risk response control involves executing
the risk management processes and the
risk management plan to respond to risk
events
? Risks must be monitored based on defined
milestones and decisions made regarding
risks and mitigation strategies
? Sometimes workarounds or unplanned
responses to risk events are needed when
there are no contingency plans
10.7 Using Software to Assist in
Project Risk Management
2013-3-1 48
Using Software to Assist in Project
Risk Management
? Databases can keep track of risks,
Many IT departments have issue
tracking databases
? Spreadsheets can aid in tracking and
quantifying risks
? More sophisticated risk management
software,such as Monte Carlo
simulation tools,help in analyzing
project risks
10.8 Results of Good Project Risk
Management
2013-3-1 50
Results of Good Project Risk
Management
? Unlike crisis management,good
project risk management often goes
unnoticed
? Well-run projects appear to be
almost effortless,but a lot of work
goes into running a project well
? Project managers should strive to
make their jobs look easy to reflect
the results of well-run projects
2013-3-1 51
Quick Quiz
? What are the most important success criteria for information
technology projects,according to the Standish Group?
? If a project has a 50 percent probability or making $100 and a 50
percent probability of making no money at all,what is its expected
monetary value?
? What does risk mitigation mean? Provide an example of how to
mitigate risk on a project,
ANSWER,User involvement,executive management support,and a clear
statement of requirements,
ANSWER,$50
ANSWER,Risk mitigation means reducing the impact of a risk event
by reducing its probability of occurrence,An example of mitigating
risk on a project would be to assign a very experienced project manager
to a project to mitigate the risk of poor management