INFO 638Lecture #101 Software Project Management Review INFO 638 Glenn Booker.
INFO 420Chapter 8 1 SW Project Management Managing Project Risk INFO 420 Dr. Jennifer Booker.
-
Upload
coleen-phillips -
Category
Documents
-
view
217 -
download
0
Transcript of INFO 420Chapter 8 1 SW Project Management Managing Project Risk INFO 420 Dr. Jennifer Booker.
Chapter 8 2INFO 420
Risk avoided
American culture avoids facing risk This leads to many problems in project
managementWe want to stick our heads in the sand
Somehow that doesn’t make risks go away We need to manage risks proactively
Chapter 8 3INFO 420
Risk Management
“If you don’t actively attack risks, they will attack you” - Tom Gilb
Risk management is still looked upon as bad news - and messengers are still shot
Chapter 8 4INFO 420
What is risk?
A risk is something that might go wrong, which could affect the project outcome
The key word is might If the probability is zero, it isn’t a risk at all If the probability is one, it’s certain to occur,
and can be treated as a project constraintSo any risk has 0% < p < 100%
Chapter 8 5INFO 420
Risk management problems
Typical problems in risk management areNot valuing risk management (RM)
Some insist there is no benefit to doing RM
Not allowing time for RM RM takes time and effort, get over it!
Not identifying and assessing risks consistently
Which can waste time and miss opportunities
Chapter 8 6INFO 420
Risk lessons learned
So a few lessons learned include Get commitment by all stakeholders, both to
do RM, and agree on significant risks Identify an owner for each risk, so someone is
actively managing itLook for typical risks for your type of project;
patterns vary
Chapter 8 7INFO 420
RM elements
The main elements in risk management areRisk management planningRisk identificationQualitative and Quantitative risk analysisRisk response planningRisk monitoring and control
Chapter 8 8INFO 420
Risk Management Planning
Similar to security analysis: Identify threatsPrevent threatsDetect threats (not trivial with
information systems!)Mitigate (reduce) the effects of the threats
Chapter 8 9INFO 420
Risk planning
The PMBOK defines risk as“An uncertain event or condition that, if it
occurs, has a positive or negative effect on the project objectives”
So a risk can be a good thingWe tend to think of the bad ones
Chapter 8 10INFO 420
Project reserves
A financial reserve is kept for most projects, in part for risk management
Helps protect againstFlawed estimates Minor anomalies (unexpected events)Permanent variances (unexpected skill levels)Minor variances (estimates slightly off)
Chapter 8 11INFO 420
Project risk management steps
Risk planningGet commitment from stakeholdersAllocate resourcesDevelop and approve RM plan
Risk identificationDevelop a list of risks, their causes and
effects
Chapter 8 12INFO 420
Project risk management steps
Risk assessmentAnalyze the risks for probability and impact
Risk strategiesDocument how to respond to each risk if it
occurs (risk response or mitigation plan) Risk monitoring and control
During project, look for known risks to occur, and identify new risks
Chapter 8 13INFO 420
Project risk management steps
Risk responseRespond to risks that have occurred
Risk evaluationFind lessons learned, and how to improve
future projects’ RM
Chapter 8 14INFO 420
Identifying IT project risks
The scope and context of risks can be a little intimidating at first, so we break the big problem into little onesUltimately, and risk might affect the project’s
MOVWhich could result from changes in scope,
quality, schedule, or budget
Chapter 8 15INFO 420
Identifying IT project risks
These could result from people, legal, process, environment, technology, organization, product, or other issues
These could be internal to your organization, or external
Risks could be known risks, known-unknown risks (risk is known, extent is unknown), or completely unknown risks (unimaginable)
Chapter 8 16INFO 420
Identifying IT project risks
And finally, risks could affect any part of the project life cycle:
Conceptualize and initialize the project Develop project charter and plan Execute and control the project Close project Evaluate project success
Chapter 8 17INFO 420
All clear?
That only gives:1x4x7x2x3x5 = 840 ways to classify a risk!
Realistically, we only focus on the issues most likely to affect our project
Our goal is to identify all the significant risks, not every conceivable risk!
Chapter 8 18INFO 420
Risk tools
Learning cyclesFor each suspected risk area, identify facts
known about it, assumptions being made, and what needs to be researched in that area
Test assumptions, and conduct research to identify specific risks
Brainstorming
Chapter 8 19INFO 420
Nominal Group Technique (NGT)
Have everyone write down ideas on paperWrite on flip chart, one idea from each
person, until all are recordedDiscuss and clarify the ideasEach person ranks and prioritizes the ideasGroup discusses ranking and prioritiesRedo personal ranking and prioritizationSummarize for the group
Chapter 8 20INFO 420
Risk tools
Delphi technique – same as used for estimation, but use for identifying risks and their probability and impact
Interviewing Checklists, typically from past projects or
industry common risks
Chapter 8 21INFO 420
Risk tools
SWOT analysis – look at organization and project’s strengths, weaknesses, opportunities and threats
Past projects – the ideal solution for all project management problems!Use lessons learned from previous projects
Chapter 8 22INFO 420
Risk tools
Cause and effect diagram, or fishbone diagram Start with a major type of risk Identify 4-6 categories of causes of that risk Brainstorm about ‘what could cause’ that risk to occur,
based on the categories Fill in details until you’re bored Then eliminate known minimal risks areas or causes
Chapter 8 23INFO 420
Risk analysis and assessment
Risk analysis estimates the probability and impact of each risk
Risk assessment prioritizes risks to help define your risk strategy Which risks are significant enough to prevent
actively?Which will require effort if they occur?
Chapter 8 24INFO 420
Qualitative vs quantitative
Both kinds of assessment can be done Use the former most of the time Use the latter for key risks in a steady environment
Caveat: the text is misleading about qualitative vs quantitative assessment What they call qualitative is really quantitative What they call quantitative is statistical process
control (SPC)
Chapter 8 25INFO 420
Expected value
Think of ‘deal or no deal’ If we have several possible outcomes, can
calculate for each the probability and resulting payoff (or cost)
Multiply probability and payoff to get the impact of each outcome
Add impact outcomes to determine the overall expected value of all possible results
Chapter 8 26INFO 420
Decision Tree
This is a graphic form of a payoff tableNodes represent choices (and their costs) or
probabilitiesMap out possible choices, and what their
impact outcomes arePick the highest impact outcome
Chapter 8 27INFO 420
Risk Impact Table
Great for analysis and prioritization of risksDefine each risk, its probability, and impact
Impact could be in $ or effort to resolve the risk
Multiply the latter to get the impact outcomes (P-I score)
Sort risks by descending P-I score instant prioritization! (risk rankings)
Chapter 8 28INFO 420
Risk Impact Table
You could* categorize risks by their general impact and probabilityKittens – low probability and impactPuppies – high prob, low impactAlligators – low prob, high impactTigers – high prob and impact, was good at
golf
* I wouldn’t, but you could…
Chapter 8 29INFO 420
“Quantitative” approaches
Those approaches will cover most situations and needs
These approaches might apply if you have more extensive data on specific risks
All are based on various types of probability distributions
Chapter 8 30INFO 420
Discrete probability distribution
When you’re measuring discrete events (it happens, or not) then a family of discrete probability distributions come into play In these cases, calculate the probability of
each individual event happening (x=0, x=1, etc.), and add them up
A subset of these are binomial distributions, where events either happen, or not (like a coin flip, or someone dies)
Chapter 8 31INFO 420
Continuous probability distribution
Often of interest is when a measurement can have real values (not just integers)
This results in a continuous probability distributionThere are dozens of them: Gaussian,
Poisson, Chi-square, F, Student T, etc.
Chapter 8 32INFO 420
Normal distribution
A normal (Gaussian) distribution is a bell curve It has a mean value and a standard deviation The probability of an event occurring is the area under
the curve
If we know a risk follows a normal distribution, we can predict how likely it is to occur within a given range (e.g. of time)
Chapter 8 33INFO 420
PERT distribution
This goes with the PERT estimation techniqueThe mean is (low + 4*likely + high)/6Std deviation is (high – low)/6
The PERT distribution is lopsided, since we know zero can’t occur
Chapter 8 34INFO 420
Triangular distribution
This is similar to a simplified PERT distributionThe mean is (low + likely + high)/3Std dev = { [ (high-low)2 +
(likely-low)*(likely-high) ]/18 }1/2
Chapter 8 35INFO 420
Simulations
In studying the behavior of projects, we could try to determine how they are affected by changes in inputs (assumptions, task durations, etc.)
The output of interest might be the project’s cost, schedule, customer satisfaction, etc.
Chapter 8 36INFO 420
Monte Carlo simulations
If we automate this kind of analysis, one approach is using a Monte Carlo simulation(Monte Carlo is the Las Vegas of Europe)
In a MC simulation, we define the probability distribution of the inputs we’ve defined
Chapter 8 37INFO 420
Monte Carlo simulations
Then the project results are simulated to see how they turn outThis produces a histogram of outputs, with the
mean duration, and can find the probability of finishing within a range of times
Tools exist (e.g. @Risk) to automate this kind of analysis
Chapter 8 38INFO 420
Tornado graph
This type of analysis can also produce a tornado graph, which is a bar chart emphasizing the highest risk tasksThis is like a Pareto diagramHere the ‘highest risk’ also implies ‘has the
highest probability of affecting the project schedule’
Chapter 8 39INFO 420
Risk strategies
Ok, so we have defined risks, and analyzed them to find the biggest threats
Now we answer a big question: so what? If these risks occur, what, if anything, will we
do about it?That’s our risk strategy, which is different for
each risk
Chapter 8 40INFO 420
Risk strategies
How we select a strategy depends on Is the risk a threat or opportunity?How and when will the project be affected?How do we know if the risk is occurring
(triggers or risk detection)?What impact does the risk have on MOV?
Chapter 8 41INFO 420
Risk strategies
How many resources do we have to deal with this risk?
Remember the balance among scope, schedule, budget, and quality
Can we modify a contract or assign resources or otherwise mitigate a risk?
How tolerant are the stakeholders of this risk?
Chapter 8 42INFO 420
Risk strategy choices
In response to a risk, we canAccept or ignore the risk, if the impact is
minimal, or we can’t do anything about it Use financial reserves to deal with it Have a contingency plan in place
Avoid the risk (prevention) Change the project to reduce the chance of the
risk occurring
Chapter 8 43INFO 420
Risk strategy choices
Mitigate the risk – lessen the impact of the risk after it has occurred
Transfer the risk – give the problem to someone else!
Buy insurance, subcontract something out, etc.
Chapter 8 44INFO 420
Risk response plan
Once key risks have been identified, and your strategies selected, put all this in a risk response plan
For each risk, identifyWhat trigger tells you the risk has occurredThe owner of the risk (person, not group)The risk response strategy
Chapter 8 45INFO 420
Risk monitoring and control
Now your job is to monitor the risk triggers to see which ones go offAnd then follow up with appropriate
responsesTools exist, such as Risk Radar to help do
this Can also conduct risk audits, reviews, or
status meetings
Chapter 8 46INFO 420
Risk response
When a risk is triggered, your response plan is put into actionMay include following your mitigation strategyCould include assigning resources to deal
with the risk
Chapter 8 47INFO 420
Risk evaluation
The process of risk management can be improved like any other through keeping lessons learnedWhat risks did you identify?Which ones occurred?How severe was their impact?Did you risk strategy work or not? Why?