Topic:
Project Risk Management
IT Project Management
INSTRUCTOR: SHU LIU
HIT SCHOOL OF SOFTWARE
Fall 2005
All rights reserved
Project Integration Management 2
Outline
What is Risk?
What is Project Risk Management?
Project Risk Management Processes:
Risk management planning
Risk identification
Qualitative risk analysis
Quantitative risk analysis
Risk response planning
Risk monitoring and control
What is Risk?
A dictionary definition of risk is
“the possibility of loss or injury”
The question is how to minimize “the
possibility of loss or injury”
Risk Management
Risk Management
Risk management is an investment
There are costs associated with identifying risks,
analyzing those risks, and establishing plans to
mitigate those risks.
Those costs must be included in cost, schedule,
and resource planning.
Organizations take risks to benefit from
potential opportunities
Risk Utility
Risk utility or risk tolerance is the amount of
satisfaction or pleasure received from a
potential payoff
Risk-averse people do not like to take risks.
Risk-seekers have a higher tolerance for risk and
their satisfaction increases when more payoff is at
stake
The risk-neutral approach achieves a balance
between risk and payoff
Risk Utility Function and Risk Preference
The Importance of Project Risk Management
Project risk management is the art and science
of identifying, assigning, and responding to
risk throughout the life of a project and in the
best interests of meeting project objectives
The Importance of Project Risk Management
Risk management is often overlooked on projects,
but it can help improve project success by
helping select good projects
determining project scope
developing realistic estimates
A KPMG study found that 55 percent of runaway
projects did no risk management at all
Project Management Maturity by Industry Group and
Knowledge Area
Project Risk Management
The goal of project risk management is to minimize
potential risks while maximizing potential
opportunities.
Major processes include:
Risk management planning
Risk identification
Qualitative risk analysis
Quantitative risk analysis
Risk response planning
Risk monitoring and control
Risk Management Planning
The main output of risk management planning is a
risk management plan
The project team should review project documents
and understand the organization’s and the
sponsor’s approach to risk
Based on that review, the project team can formulate a
risk management plan
The level of detail will vary with the needs of the
project
Project charter, WBS, roles and responsibilities,
stakeholder risk tolerances, the organization’s
risk management policies, etc.
Questions Addressed in a Risk Management Plan
The risk management plan should include:
Methodology for risk management
Roles and responsibilities for activities involved in risk
management
Budgets and schedules for the risk management
activities
Descriptions of scoring and interpretation methods used
for the qualitative and quantitative analyses of risk
Threshold criteria for risks
Reporting formats for risk management activities
A description of how the team will track and document
risk activities.
Contingency, Fallback Plans, and Contingency Reserves
Contingency plans
are predefined actions that the project team will take if
an identified risk event occurs
Fallback plans
are developed for risks that have a high impact on
meeting project objectives, and are put into effect if
attempts to reduce the risk are not effective
Contingency reserves or allowances
are provisions held by the project sponsor that
can be used to mitigate cost or schedule risk if changes
in scope or quality occur
Common Sources of Risk on Information
Technology Projects
Several studies show that IT projects share some
common sources of risk
The Standish Group developed an IT success
potential scoring sheet based on potential risks
McFarlan developed a risk questionnaire to help
assess risk
Other broad categories of risk help identify
potential risks
Risk Identification
Risk identification is the process of understanding
what potential unsatisfactory outcomes are
associated with a particular project
Inputs include a review of the project’s risk management plan, other
planning documents, and the broad categories of risk
Reviewing historical information related to risks on
similar projects is also an important input to the risk
identification process.
Potential Risk Conditions Associated With Each Knowledge Area
Knowledge Area | Risk Conditions
Integration | Inadequate planning; poor resource allocation; poor integration management; lack of post-project review
Scope | Poor definition of scope or work packages; incomplete definition of quality requirements; inadequate scope control
Time | Errors in estimating time or resource availability; poor allocation and management of float; early release of competitive products
Cost | Estimating errors; inadequate productivity, cost, change, or contingency control; poor maintenance, security, purchasing, etc.
Quality | Poor attitude toward quality; substandard design/materials/workmanship; inadequate quality assurance program
Human Resources | Poor conflict management; poor project organization and definition of responsibilities; absence of leadership
Communications | Carelessness in planning or communicating; lack of consultation with key stakeholders
Risk | Ignoring risk; unclear assignment of risk; poor insurance management
Procurement | Unenforceable conditions or contract clauses; adversarial relations
Risk Identification
Several risk identification tools and techniques include
Brainstorming
Is a technique by which a group attempts to generate ideas or find a
solution for a specific problem by amassing ideas spontaneously and
without judgment.
The Delphi technique
Is to derive a consensus among a panel of experts who make predictions
about future developments.
Interviewing
Is a fact-finding technique for collecting information in face-to-face or
telephone discussions.
SWOT analysis
Strengths, Weaknesses, Opportunities, Threats
Qualitative Risk Analysis
Qualitative risk analysis involves assessing the likelihood and impact of identified
risks to determine their magnitude and
priority
Risk qualitative analysis tools and techniques
include
The Top 10 Risk Item Tracking technique
Expert judgment
Probability/Impact matrixes
Top 10 Risk Item Tracking
In addition to identifying risks, it also maintains
an awareness of risk throughout the life of a
project
It involves establishing a periodic review of the
top 10 project risk items
List the current ranking, previous ranking, number
of times the risk appears on the list over a period
of time, and a summary of progress made in
resolving the risk item
Example of Top 10 Risk Item Tracking
Risk Item | Rank This Month | Rank Last Month | Number of Months | Risk Resolution Progress
Inadequate planning | 1 | 2 | 4 | Working on revising the entire project plan
Poor definition of scope | 2 | 3 | 3 | Holding meetings with project customer and sponsor to clarify scope
Absence of leadership | 3 | 1 | 2 | Just assigned a new project manager to lead the project after old one quit
Poor cost estimates | 4 | 4 | 3 | Revising cost estimates
Poor time estimates | 5 | 5 | 3 | Revising schedule estimates
Expert Judgment
Many organizations rely on the intuitive feelings and past experience of experts
to help identify potential project risks
Experts can categorize risks as high,
medium, or low with or without more
sophisticated techniques
Probability/Impact Matrixes
Calculating Risk Factors Using Probability/Impact
Matrixes
The Defense Systems Management College (DSMC)
developed a technique for calculating risk factors
Risk factors are numbers that represent the overall risk of
specific events, based on their probability of occurring and
the consequences to the project if they do occur.
Risk factor = (Pf + Cf) – (Pf * Cf)
Pf – Probability of failure
Cf – Consequence of failure
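Added example (not part of the original slides): the DSMC risk factor above, used to rank risks for the Top 10 Risk Item Tracking review described earlier. The (Pf, Cf) values, the three monthly snapshots, and the choice to rank the list by risk factor are assumptions made for illustration.

```python
def risk_factor(pf, cf):
    """DSMC risk factor from the slide: (Pf + Cf) - (Pf * Cf).

    Algebraically this is 1 - (1 - Pf) * (1 - Cf), so it stays in [0, 1]
    and is high when either the probability or the consequence is high.
    """
    if not (0.0 <= pf <= 1.0 and 0.0 <= cf <= 1.0):
        raise ValueError("Pf and Cf must both lie in [0, 1]")
    return (pf + cf) - (pf * cf)


def rank(assessment, top=10):
    """Return risk names ordered by descending risk factor (ties by name)."""
    ordered = sorted(assessment,
                     key=lambda name: (-risk_factor(*assessment[name]), name))
    return ordered[:top]


def track(months, top=10):
    """Build the tracking rows for the most recent monthly review."""
    rankings = [rank(month, top) for month in months]
    current = rankings[-1]
    previous = rankings[-2] if len(rankings) > 1 else []
    rows = []
    for position, name in enumerate(current, start=1):
        rows.append({
            "risk": name,
            "this_month": position,
            "last_month": previous.index(name) + 1 if name in previous else None,
            "months_on_list": sum(name in r for r in rankings),
            "risk_factor": round(risk_factor(*months[-1][name]), 2),
        })
    return rows


# Constructed sample data: (Pf, Cf) estimates from three monthly reviews.
HISTORY = [
    {"Absence of leadership": (0.7, 0.8), "Poor definition of scope": (0.6, 0.7),
     "Poor cost estimates": (0.4, 0.5)},
    {"Absence of leadership": (0.8, 0.8), "Inadequate planning": (0.7, 0.8),
     "Poor definition of scope": (0.6, 0.7), "Poor cost estimates": (0.4, 0.5)},
    {"Inadequate planning": (0.8, 0.9), "Poor definition of scope": (0.7, 0.8),
     "Absence of leadership": (0.5, 0.8), "Poor cost estimates": (0.4, 0.5)},
]

if __name__ == "__main__":
    for row in track(HISTORY):
        print(row)
```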
Sample Probability/Impact Matrix for Qualitative Risk Assessment
Chart Showing High-, Medium-, and Low-Risk Technologies
Quantitative Risk Analysis
Quantitative risk analysis often follows qualitative
risk analysis,but both can be done together or
separately
Large, complex projects involving leading-edge
technologies often require extensive quantitative
risk analysis
Main techniques include
Decision tree analysis
Simulation
Decision Trees and
Expected Monetary Value (EMV)
A decision tree is a diagramming method used to
help you select the best course of action in
situations in which future outcomes are uncertain
EMV is a type of decision tree where you
calculate the expected monetary value of a
decision based on its risk event probability and
monetary value
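Added example (not part of the original slides): rolling back a decision tree to get the EMV of each option. The options, probabilities, and payoffs are constructed for illustration; the nested decision shows that EMV is computed from the leaves inward.

```python
import math


def outcome(value):
    """Leaf node: a monetary result (negative for a loss)."""
    return {"type": "outcome", "value": value}


def chance(*branches):
    """Chance node: (probability, child) pairs whose probabilities sum to 1."""
    if not math.isclose(sum(p for p, _ in branches), 1.0):
        raise ValueError("branch probabilities must sum to 1")
    return {"type": "chance", "branches": branches}


def decision(**options):
    """Decision node: named options, each leading to a child node."""
    return {"type": "decision", "options": options}


def emv(node):
    """Expected monetary value of a node, computed recursively."""
    if node["type"] == "outcome":
        return node["value"]
    if node["type"] == "chance":
        return sum(p * emv(child) for p, child in node["branches"])
    # At a decision node the team picks the option with the highest EMV.
    return max(emv(child) for child in node["options"].values())


def best_option(node):
    """Return (option name, EMV) for the best choice at a decision node."""
    name = max(node["options"], key=lambda n: emv(node["options"][n]))
    return name, emv(node["options"][name])


# Constructed tree: build a system in-house, buy a package, or do nothing.
TREE = decision(
    build_in_house=chance(
        (0.6, outcome(120_000)),
        (0.4, decision(  # prototype fails: abandon it or attempt a rework
            abandon=outcome(-50_000),
            rework=chance((0.5, outcome(40_000)), (0.5, outcome(-100_000))),
        )),
    ),
    buy_package=chance((0.9, outcome(60_000)), (0.1, outcome(-10_000))),
    do_nothing=outcome(0),
)
```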
Expected Monetary Value (EMV) Example
Risk Response Planning
After identifying and quantifying risks, you must
decide how to respond to them
Four main strategies:
Risk avoidance
Risk acceptance
Risk transference
Risk mitigation
Risk Response Planning
Risk avoidance: eliminating a specific threat or
risk, usually by eliminating its causes
For example, using familiar hardware or
software
Risk acceptance: accepting the consequences
should a risk occur
Risk Response Planning
Risk transference: shifting the consequence of a
risk and responsibility for its management to a
third party
For example, buying special insurance or
warranty protection for specific hardware
needed for a project
Risk mitigation: reducing the impact of a risk
event by reducing the probability of its occurrence
For example, using proven technology
General Risk Mitigation Strategies for Technical, Cost,
and Schedule Risks
Risk Response Planning
Important outputs from risk response planning include:
Development of a risk response plan
Describes identified risks, people assigned responsibilities for
managing those risks, results from risk analysis, response
strategies, budget and schedule estimates for responses, and
contingency and fallback plans
Analysis of residual risks
Residual risks are risks that remain after all of the response
strategies have been implemented
Analysis of secondary risks
Secondary risks are a direct result of implementing a risk
response.
Risk Monitoring and Control
Risk monitoring and control involves executing the
risk management processes and the risk
management plan to respond to risk events
Monitoring risks involves knowing their status
Controlling risks involves carrying out the risk
management plans as risks occur
Risk Monitoring and Control
Risks must be monitored based on defined
milestones and decisions made regarding risks and
mitigation strategies
Sometimes workarounds or unplanned responses
to risk events are needed when there are no
contingency plans
The main outputs of risk monitoring and control
are:
corrective action
project change requests
updates to other plans
Results of Good Project Risk Management
Unlike crisis management, good project risk
management often goes unnoticed
Well-run projects appear to be almost effortless,
but a lot of work goes into running a project well
Project managers should strive to make their jobs
look easy to reflect the results of well-run projects
Problems and Points to Ponder
(1) Exercise 4 on page 330
(2) Would you rate yourself as being risk-averse, risk-neutral,
or risk-seeking? Give examples of each
approach from different aspects of your life, such as your
current job, your personal finances, romances, and eating
habits. (Exercise 1 on page 329)
IT Success Potential Scoring Sheet
Success Criterion | Points
User Involvement | 19
Executive Management Support | 16
Clear Statement of Requirements | 15
Proper Planning | 11
Realistic Expectations | 10
Smaller Project Milestones | 9
Competent Staff | 8
Ownership | 6
Clear Visions and Objectives | 3
Hard-Working, Focused Staff | 3
Total | 100
◆ This study brought together 60 information technology professionals to elaborate on how to evaluate a project’s overall likelihood of being successful
◆ This table shows the relative importance of the project success criteria factors
McFarlan’s Risk Questionnaire
1. What is the project estimate in calendar (elapsed) time?
( ) 12 months or less: Low = 1 point
( ) 13 months to 24 months: Medium = 2 points
( ) Over 24 months: High = 3 points
2. What is the estimated number of person days for the system?
( ) 12 to 375: Low = 1 point
( ) 375 to 1875: Medium = 2 points
( ) 1875 to 3750: Medium = 3 points
( ) Over 3750: High = 4 points
3. Number of departments involved (excluding IT)
( ) One: Low = 1 point
( ) Two: Medium = 2 points
( ) Three or more: High = 3 points
4. Is additional hardware required for the project?
( ) None: Low = 0 points
( ) Central processor type change: Low = 1 point
( ) Peripheral/storage device changes: Low = 1
( ) Terminals: Med = 2
( ) Change of platform, for example PCs replacing mainframes: High = 3
Other Categories of Risk
Market risk: Will the new product be useful to the organization
or marketable to others? Will users accept and use the product
or service?
Financial risk: Can the organization afford to undertake the
project? Is this project the best way to use the company’s
financial resources?
Technology risk: Is the project technically feasible?
Could the technology be obsolete before a useful
product can be produced?