Professional Documents
Culture Documents
43
44 4 Enterprise Risk Management in Projects
toward risk, and qualitatively identify things that can go wrong. Risk attitude depends upon stakeholders. Identification of
what might go wrong and stakeholder preference for dealing with them can affect project management team roles and
responsibilities.
Risk management planning concludes with a risk management plan. This plan should define methodologies for
dealing with project risks. Such methodologies can include training internal staff, outsourcing activities that other
organizations are better equipped to deal with, or insurance in various forms. Ultimately, every organization has to decide
which risks they are competent to manage internally (core competencies), and which risks they should offload (at some
expected cost).
Risk Identification
Once the risk management plan is developed, it can naturally lead to the next step, risk identification. The process of risk
identification identifies major potential sources of risk for the specific project. The risk management plan identifies tasks
with their risks, as well as project team roles and responsibilities. Historical experience should provide guides (usually
implemented in the form of checklists) to things that can go wrong, as well as the organization’s ability to cope with them.
Specific types of risk can be viewed as arising in various ways. A classical view is the triumvirate of quality, time,
and budget. Software projects are often said to allow any two of the three - you can get code functioning as intended on
time, but it usually involves more cost than expected; you can get functional code within budget as long as you are patient;
you can get code on time and within budget as long as you don’t expect it to work as designed. This software engineering
project view often generalizes to other projects, but with some different tendencies. In construction, there is less duration
variance, although unexpected delays from geology or the weather commonly create challenges for project managers. If
weather delays are encountered, the tradeoff is usually whether to wait for better weather, or to pay more overtime or extra
resources. If geological elements are creating difficulties, more time and money is usually required. The functionality of
the project is usually not degraded. Governmental projects may involve emergency response, where time is not something
that can be sacrificed. The tradeoff is between quality of response and cost. Usually emergency response teams do the best
they can within available resources, and public outcry almost always criticizes the insufficiency of the effort.
There are a number of techniques that can be used to identify risks. Some qualitative approaches include interviews of
experts or stakeholders, supplemented by techniques such as brainstorming, the nominal group technique, the Delphi
method, or SWOT analysis (strengths, weaknesses, opportunities, and threats). Each of these methods are relatively easy
to implement, and the quality of output depends on the participation of a diverse group of stakeholders. Historical data can
also be used if the organization has experience with past projects similar to the current activity. This works well if past
experiences are well-documented and retrieved efficiently.
The outputs from risk identification is a more complete list of risks expected in the project, as well as possible
responses along with their expected costs. This results in a set of responses that can be reviewed as events develop,
allowing project managers to more intelligently select appropriate responses. While success can never be guaranteed, it is
expected that organizational project performance will improve.
Qualitative Risk Analysis
After a more precise estimation of project element risk is identified, the relative probabilities and risk consequences can be
addressed. Initial estimations usually require reliance on subjective expert opinion. Historical records enable more
precision, but one project element of importance is that projects by definition almost always involve new situations and
activities. Experts have to judge the applicability of historical records to current challenges.
A qualitative risk analysis can be used to rank overall risks to the organization. A priority system can be used to
identify those risks that are most critical, and thus require the greatest degree of managerial attention. In critical path
analysis terms, critical path activities would seem to call for the greatest managerial attention. Behaviorally, humans tend
to work hardest when the boss is watching. However, the fallacy of this approach is that other activities that are not
watched may become critical too if they delay too far beyond their expected duration.
Qualitative risk analysis can provide a valuable screening to cancel projects that are just too risky for an organization.
It also can affect project organization, with more skilled personnel assigned to tasks that call for more careful
management. It also can be a guide to look for means to offload risk, either through subcontracting, outsourcing, or
insurance.
Quantitative Risk Analysis
We will present more formal quantitative tools in the following sections. Quantitative analysis requires data. The critical
path method calls for a specific duration estimate, which we will demonstrate. Simulation is less restrictive, calling for
probability distributions. But this is often more difficult for humans to estimate, and usually only works when there is
some sort of historical data available with which to estimate probability distributions.
Quantitative risk analysis, as will be demonstrated, can be used to estimate probabilities of project completion times,
as well as other items of interest that can be included in what is essentially a spreadsheet model. These examples focus on
Project Management Risk 45
This is a clear example of risk management - paying the price of more formality to yield reduced risk in terms of product
output. Other process risk management models in software engineering include Boehm’s spiral model, 11 which provides
iterative risk analysis throughout the phases of the software development.
Bannerman12 categorized software project risk management into the three areas of process models (reviewed above),
analystical frameworks (based on some dimension such as risk source, the project life cycle, or model elements), and
checklists.
Project Management Tools 47
Checklists are often found as the means to implement risk management, with evidence of positive value. 13 Checklists can
be (and have been) applied in any type of project. To work well, the project must repeat a domain, as each type of project
faces its own list of specific risks. The value of a checklist of course improves with the depth of experience upon which it
is based.
Simulation Models of Project Management Risk
We will focus on demonstrating quantitative tools to project risk management. We will demonstrate how simulation can
be used to evaluate the time aspect of project management risk. The models are based on critical path, which can be
modeled in Excel, enabling the use of distributions through Crystal Ball simulation. We begin with a basic software
engineering project using a traditional waterfall model. Figure 4.1 gives a schematic of the activities and their precedence
relationships.
D. NRC 30 weeks A
E. Conceptual design 36 weeks A
F. Regulation compliance 70 weeks E
G. Site selection 40 weeks A
H. Construction permit 0 Constant D,F,G
I. Construction 100 weeks H
J. Procurement 70 weeks F SS, I SS+5 weeks
K. Install equipment 72 weeks I
L. Operating permit 0 K
M. Cold start test 16 weeks K
N. Readiness test 36 weeks M
O. Hot test 16 weeks N
P. Begin conversion 0 L,O
14. Cates, G.R., and M. Mollaghasemi. 2007. The project assessment by simulation technique. Engineering Management Journal 19(4): 3-10.