Project and Change Management Week 821/03/2007

Risk Management Key conceptsUncertaintyRiskThreat Opportunity

Common sources of project uncertaintyWork scopeQuality of estimatesFalse AssumptionsTechnological NoveltyUser interfaceStaff ProductivitySkill LevelsManagement(Sub)contractor performanceCustomersMarket ShareCompetitionInflation/exchange ratesSite conditionsWeatherTransportation logisticsApprovals/fundingPublic relationsExtensive software development

Where does risk come from?

All projects contain risk arising from interactions between Objectives What must happenUncertaintyWhat might happen

What is a risk?An uncertain event or set of circumstances that, should it occur, will have an effect on achievement of project objectives

Assessing two dimensionsUncertainty: how likely?ProbabilityHigh/Medium/low% probability of occurence (1-99 %)Effect on objectives: how bad or how goodTime delay or savingExtra cost or reductionPerformance shortfall or enhancementReduced business benefits or improved

Defining Risk ManagementThe systematic process of identifying analysing and responding to project risk. It includes maximising . Positive events and minimising.. Adverse events

Risk ManagementProblems that havent happened yetWhy is it hard?Some are wary of bearing bad newsNo one wants to be the messengerOr seen as a worrierYou need to define a strategy early in your project

Risk ManagementShould be about more than identifying risksProcess should include formal planning activityAnalysis to estimate the likelihood and predict the impact of identified risksA handling strategyThe ability to monitor the processGoal: avoid a crisisRisk Mgmt. vs. Project Mgt.For a specific vs. all projectsProactive vs. reactive

Project RiskCharacterized by:Uncertainty (0 < probability < 1)An associated loss (money, life, reputation, etc)Manageable some action can control itRisk ExposureProduct of probability and potential lossProblemA risk that has materialized

Types of RisksSchedule RisksSchedule compression (customer, marketing, etc.)Cost RisksUnreasonable budgetsRequirements RisksIncorrectIncompleteUnclear or inconsistentVolatile

Types of RisksQuality RisksOperational RisksMost of the Classic MistakesFeature CreepRequirements gold platingInadequate design Silver bullet syndromeWeak personnel

PMI risk management process Risk management planningRisk monitoring and controlRisk IdentificationQuantitative risk analysisQualitative risk assessmentRisk response and Planning

Risk Management ProcessesRisk management Planning deciding how to approach and plan the risk management activities in a projectRisk Identification determining which risks might effect the project and documenting their characteristicsQualitative risk analysis performing a qualitative analysis of risks and conditions to prioritize their effects on project conditionsQuantitative risk analysis measuring the probability and consequences of risks and estimating their implications for project objectives

Risk Management ProcessesRisk response planning developing procedures and techniques to enhance opportunities and reduce threats to the projects objectivesRisk monitoring and control monitoring residual risk, identifying new risks, executing risk reduction plans, and evaluating their effectiveness throughout the project lifecycle

Risk Management Planning The process of deciding how to approach and plan risk management activities for a projectDecisions cover:Organisation and staffingAppropriate methodologiesTools and techniquesEnsure level, type and visibility of process match:Risk level of projectImportance of project to organisationOutput: Risk Management plan

Risk Management PlanDefines level of risk process for each projectExample contents:MethodologyRoles and ResponsibilitiesTimingThresholdsReporting formatsMonitoring and reviewsIntegral part of project plan revised throughout project

Risk IdentificationAim to expose all knowable risksCommon risk id techniquesBrainstorming/ workshops/ SWOTPrompt lists/ check listsBaseline cost estimatesPlan/WBS decompositionSchedule analysisInterviews/ questionnairesAssumptions/constraints analyaisOther techniquesDocument reviewDelphi groups/ NGTDiagramming techniques

Evaluate the performance of past projectsIdentify past projects that have similarities to the current projectInterview the project manager and key contributorsQuantify the information receivedExamine the project files and lessons learned reportsDetermine what lessons can be learned and what risks should be considered

Review the project plan for sources of potential riskPrepare a requirement analysis so as to identify the intrinsic risks to the project and filter out the projects with unacceptably high risksDetermine to what extent the requirements of the project fit in with the demonstrated competencies of the organisation (i.e. achievability)Determine too what extend the project relies on new or unproven technologyReview the WBS for completenessReview the accuracy for duration estimates for activities on the critical path and activities with long durations

Review the project plan for sources of potential riskReview the assumptions about the actual working time available to team members, given their other responsibilities and commitmentsReview assumptions made about key technical issuesReview the assumptions made in resource planningCreate an overall list of potential risk areas

Identify potential risk eventsIdentify dependencies on individuals or organisations outside the control of the project organisationIdentify over reliance on unique or limited skill setsIdentify milestones for the demonstration of new or unproven technologyIdentify key customer approval milestonesIdentify potential risk events from the world at large that could impact the projectCreate an overall list of risk events

Monitor project performance for risk symptomsIdentify actions or events during the execution of the project which invalidate assumptions made during project planningIdentify symptoms of unanticipated riskList these symptoms of risk for team evaluation and disposition

Provide inputs for other processesAssess what elements of the project plan the various risks impactDetermine the potential impact of risk areas and events and make changes in those areas as requiredMake sure all identified risks are properly evaluated and acted upon

Risk AssessmentQualitative assessmentWhat is the risk?Why might it occur?How likely is it?How bad /good might it be?Does it matter?What can we do?When should we act?Who is responsible?Record in risk registerQuantitative AssessmentModelling uncertaintySimulate combined effects of resultsPredicting outcomesRange, min/max, expectedTesting scenariosSetting confidence limitsIdentifying criticalitiesDetermining optionsModel in software

Risk analyses based on information that can cone fromAnalyses of plans and related documentsComparisons with similar systemsExperience and interviewingModelling and simulationRelevant lessons-learned studyResults from test and prototype developmentSensitivity analysis of alternatives and inputsSpecialist and expert judgement

Probability Impact MatrixProbabilityIMPACT

Probability Impact MatrixDefine scales then rank each risk in both directionsDetermine size and relative importance of risksRed = urgent, Yellow = monitor, Green = OKFor both threats and opportunities

Example project specific scales

Quantitative techniquesSensitivity analysis determines which risks have the most overall risk on the project. Determines extent to which uncertainty of one element effects the objective when all other uncertain elements are held at baseline values Decision Tree analysis Diagram that describes a decision under consideration and the implication of choosing one or another of the alternativesSimulation e.g. Monte Carlo simulation

Decision Trees and Expected Monetary Value (EMV)A decision tree is a diagramming method used to help you select the best course of action in situations in which future outcomes are uncertainEMV is a type of decision tree where you calculate the expected monetary value of a decision based on its risk event probability and monetary value

Expected Monetary Value (EMV) Example

Risk response developmentIdentify risk prevention activitiesAvoidance also referred to as risk abatement reduces the possibility that a risk will occurMitigation (control) the activities that are involved here reduce the consequences of the risk should it occur ( does not try to eliminate the source of the risk)Assumption (also known as acceptance) the active acknowledgement of the existence of a particular risk situation and a conscious decision to accept the associated level of risk Transfer - the risk is shared with or completely transferred to others by the user of insurance or warranty

Risk control examplesEarly prototypingAlternative designIncremental development design with the intention of upgrading system parts in the futureUse of standard items/ software reuseReviews walkthroughs and inspections

Risk Response Implement PlanIdentify the occurrence of an actual risk that was identified in the risk management planDecide if the planned contingency action is still appropriate and modify as neededCommunicate the occurrence of the risk event and planned action to affected stakeholdersTake the contingent action and monitor results

Risk Response- Identify other risksIdentify additional sources of risk that were not planned in the original risk management planEstimate likelihood of occurrence and potential impactDefine appropriate preventive and contingent actionsAssign ownership for all risk-related actions

Inform stakeholdersDetermine the required level of stakeholders in risk quantification and planningInform stakeholders of the newly identified risks and response plansInvolve stakeholders in risk quantification and planning to the extent needed

Risk response -documentationDocument all actions taken in response to anticipated risks, along with the results of such actions, and include as part of the project fileDefine the activities involved with preventive actions planned for newly identified risksIdentify activity dependencies and sequencing of preventive actionsEstimate the durations of preventive actionsEstimate the additional resource requirements and cost impacts, if any of the preventive actionsUpdate the project schedule and related documents with estimates from all preventive actionsUpdate the risk management plan with preventive and contingency actions

Risk response take preventive actionsReview the updated project schedule with the team and ensure activity owners are defined for all preventive actionsExecute preventive actionsReport progress on all preventive actions

Risk responses examplesProcurement acquiring goods and services from outside the immediate project organisation is often an appropriate response to some kind of risksContingency plans delineate the action steps to be taken if an identified risk should occur (risk mitigation)Alternative strategies risk events are often prevented are avoided by changing the planned approach (risk abatement)Insurance (risk transfer)

Selecting the appropriate risk response mechanismMagnitude of riskProject managers tolerance for riskProcedural requirements of the project management methodologyOrganisational cultureExistence of alternatives or possibly lack of optionsLength of exposure to riskAmount and quality of information on the actual hazards that caused the riskAmount and quality of information on the magnitude of the damage

Selecting the appropriate risk response mechanismCan the strategy be feasibly implement ed and still meet the users needs ?What is the expected effectiveness of the handling strategy in reducing program risk to an acceptable level ?Is the strategy affordable in terms of monetary value and other resources ?Is time available to develop and implement the strategy and what effect does that have on the overall program schedule ?What effect does the strategy have on the systems technical performance ?

Risk Response PlanningUsing risk information to make decisionsBased on:Type and nature of riskManageabilityImpact severityResource availabilityCost-effectivenessIdentify:Best owner for responseAppropriate responseEffective management action

Risk Monitoring and ControlEffective proactive management actionAdjust strategyTake risks safelyGain the benefits

Implementation ConsiderationsWhich group of managers have responsibility for risk management decision making ?Which group owns and maintains the risk management process?Which group or individual is responsible for risk management training and assisting others in risk management implementation?Who identifies candidate risks?How are risk analyses performed and approved?How are risk handling plans developed and approved?How are data for risk monitoring metrics collected?How are independent risk reviews performed to ensure that project risks are properly identified, analysed, handled and monitored?

Risk Monitoring and ControlMonitor changes in risk exposurePeriodic risk reviewsNew risks, closed risks, changes in assessmentEarned value analysisDetermine effectiveness of responsesAdditional risk response planningAssess effectiveness of risk processExternal risk audits

Techniques used for risk monitoringEarned Value: This uses standard cost/schedule data to evaluate a programs cost performance (and provides and indicator of schedule performance) in an integrated fashionProgram Metrics: These are formal periodic performance assessments of the selected development process evaluating how well the development process is achieving its objectivesSchedule performance monitoringTechnical performance measurement

Risk reviewsEssential because risk changesRisks happen (opportunities and threats)Risks are resolvedRisks time-outRisks get better or worseNew risks emergeReview/update risk exposure regularlyCheck actions at project review meeting

Reporting riskBasis for management actionKey risk themesTrends changes and predictionsRecommended actions

Hard benefits of risk management Better informed credible plansIncreased chance of successMore suitable contractsBetter assessment of contingencyProtects against unsound projectsGenerates metrics for future projectsObjective comparison of alternativesIdentifies best risk owner

Soft benefits of risk manageemntImproves communicationDevelops common understanding team spiritDistinguishes between luck and managementBuilds risk awarenessFocuses attentionFacilitates risk takingDemonstrates professionalismExposes personnel issues

Shortfalls of risk managementGIGOLack of ownershipBoredom / complacencyLoss of momentumtick in the box mentalityCost of managing riskAssessing riskAddressing riskMeasuring effectiveness