Risk Management

Risk management is increasingly seen as one of

the main jobs of project managers.
It involves anticipating risks that might affect the
project schedule or quality of the software being
developed and taking action to avoid these risks
The results of the risk analysis should be
documented in the project plan along with an
analysis of the consequences of a risk occurring.
Effective risk management makes it easier to
cope with problems and ensure that these do
not lead to unacceptable budget or schedule
slippage.
 Risk Management
What is risk?
The APM bok defines risk as
factors that may cause a failure to
meet the projects objectives..
What is Risk Management?
Risk Management is defined by
PMBOK as the systematic
processes of identifying, analyzing
and responding to project risk
 Types of Risks
Project risks risks that affect the project
schedule or resources. An example might be
the loss of an experienced designer in
system development project.
Product risks risks that affect the quality or
performance of the software being
developed. An example might be the failure
of a purchased component to perform as
expected.
Business risks risks that affect the
organisation developing or procuring the
software. For example, a competitor
introducing a new product is a business risk.

Risk
Software engineer turnover
Management change
Hardware unavailability
Requirement change
Specification delays
Size underestimate
CASE tool under
performance
Technology change
Production competition
Possible Software Risks
Risk Type Descriptions
Project Experienced software engineer may leave
the project before it is finished
Project There may be a change of organisation
management with different priorities.
Project Hardware which is essential for the project
may not be delivered on schedule
Project and Product There may be a large number of changes to
the requirements than anticipated
Project and Product Specifications of essential interfaces may
not available on schedule
Project and Product The size of the system might been
underestimated
Product CASE tools which support the product may
not performs as anticipated
Business The underlying technology on which the
system is built may be superseded by
new technology
Business A competitive product may be marketed
before the system is completed
 The Risk Management Process
Risk Risk Risk Planning Risk
Identificatio Analysi monitorin
n s g

List of potential Prioritized risk Risk avoidance & Risk

risks list contingency assessme
plans nt

It involves several stages:

Risk identification-possible risks are identified
Risk analysis-likelihood and consequences of these risks
are assessed
Risk planning-plans to address the risk are drawn up
Risk Monitoring-risk is constantly assessed and plans for
risk mitigation are revised as more information about
risk become available
 Risk Identification
It is the first stage of risk management
It concerned with discovering possible risks to
the project
May be carried out as a team process using
brainstorming approach or be based on
experience
There are at least six types
Technology risks: from hardware and software
technologies used
People risk
Organizational risks
Requirements risks
Estimation risks
 Risk Analysis
It involves to consider each identified risk and
make a judgement about the probability and
the seriousness of it.
There is no ease way to this- you must rely on
your own judgement and experience
The probability of risk might be assessed as very
low, low, moderate, high or very high
The effects of the risk might be assessed as
catastrophic, serious, tolerable or insignificant.
Then you should then tabulate the results
ordered according to the seriousness of the
risk
 Risk Analysis .Contd
Risk Probabili Effects
ty
Organizational financial problems forces Low Catastroph
reductions in the project budget ic
Impossible to recruit staff with skills required for High Catastroph
the project ic
Key staff are ill at critical times in the project Moderat Serious
e
The time required to develop the software is High Serious
underestimated
CASE
Figure 2 tools cannot be integrated High Tolerable
The sizethe
Both of probability
the softwareandisassessment
underestimated Highchange Tolerable
of effects of a risk may as more
Theinformation
code generated
about a by
riskCASE tools
become is inefficient
available Moderatplans
and risk management Insignifica
are
implemented. e nt

Your judgement must depend on combination of the probability of risk arising

and effects of that risk
 Risk Analysis .Contd
Once risk is has been analyzed and
ranked, you should assess which are
most significant.
Your judgment must depend on a
combination of the probability of the risk
arising and the effects of that risk.
In general, catastrophic risks should
always be considered, as should all
serious risks that have more than a
moderate probability of occurance.
 RISK PLANNING
The risk planning process considers each of
the key risks that have been identified and
identifies strategies to manage the risk.
There is no simple process that can be
followed to establish risk management
plans.
It relies on the judgment and experience of
the project manager.
Figure 3 shows possible strategies that have
been identified for the key risk from figure
2
Risk Strategy
Organizational Financial Prepare are briefing document for
Problems senior management showing how
the project is making a very
important contribution to the
goals of the business.
Staff illness Reorganize team so that there is
more overlap of work and people
therefore understand each
others jobs.
Defective components Replace potentially defective
components with bought-in
components of known reliability
Underestimated development Investigate buying-in
time
Figure 3
components, investigate the use
of a program generator.
 Possible Strategies
Avoidance strategies- following these
strategies means that the probability that
the risk will rise will be reduced. E.g. the
strategy of dealing with defective
components shown in figure 3.
Minimization strategy following these
strategies means that the impact of the risk
will be reduced. E.g. staff illness
Contingency plans following these means
that you are prepared for the worst and
have a strategy in place to deal with it. E.g.
organizational Financial problems in figure 3
 Risk Monitoring
Risk monitoring involves regularly assessing each of
the identified risks to decide whether or not that risk is
becoming more or less probable and whether the effects
of the risk have changed.
This can not usually be observed directly, so you have
to look at other factors that give you clues about the risk
probability and its effects
These factors are obviously dependent on the types of
risk
Risk monitoring should be a continuous process, and,
at every management progress review, you should
consider and discuss each of the key risks separately.
 Risk Monitoring (risk factors)
Risk Type Potential indicators
Technology Late delivery of hardware or support
software, many reported technology
problems
People Poor staff morale, poor relationships
amongst team members, job availability
Organizational Organizational scandal, lack of action by
senior management
Requirements Many requirements change requests,
customer complaints
Estimation Failure to meet agreed schedule, failure
to clear reported defects
 Key Points

Major project risk should be identified and

assessed to establish their probability
and the consequences for the project.
You should make plans to avoid, manage
or deal with likely risks if or when they
arise.
Risks should be explicitly discussed at
each project meeting
 Risk Management
By: Bakiri Angalia
 Risk Management Process
Risk
An uncertain event that, if it occurs, has a
positive or negative effect on project
objectives
Risk Management
A proactive attempt to recognize and manage
internal events and external threats that
affect the likelihood of a projects success
What can go wrong (risk event)
How to minimize the risk events impact (consequences)
What can be done before an event occurs (anticipation)
What to do when an event occurs (contingency plans)
The Risk Event Graph

FIGURE 7.1
 Risk Managements Benefits
A proactive rather than reactive approach
Reduces surprises and negative
consequences
Prepares the project manager to take
advantage of appropriate risks
Provides better control over the future
Improves chances of reaching project
performance objectives within budget
and on time
 The Risk
Management
Process

FIGURE 7.2
 Managing Risk
Step 1: Risk Identification
Generate a list of possible risks through
brainstorming, problem identification and risk
profiling.
Macro risks first, then specific events
Step 2: Risk Assessment
Scenario analysis
Risk assessment matrix
Failure Mode and Effects Analysis (FMEA)
Probability analysis
Semiquantitative scenario analysis
 Partial Risk Profile for
Product Development Project

FIGURE 7.4
Risk Breakdown Structure

FIGURE 7.3
Risk Assessment Form

FIGURE 7.6
Impact Scales

FIGURE 7.5
Risk Severity Matrix

FIGURE 7.7
 Managing Risk (contd)
Step 3: Risk Response Development
Mitigating Risk
Reducing the likelihood an adverse event will occur
Reducing impact of adverse event
Transferring Risk
Paying a premium to pass the risk to another party
Avoiding Risk
Changing the project plan to eliminate the risk or condition
Sharing Risk
Allocating risk to different parties
Retaining Risk
Making a conscious decision to accept the risk
 Contingency Planning
Contingency Plan
An alternative plan that will be used if a possible
foreseen risk event actually occurs
A plan of actions that will reduce or mitigate the
negative impact (consequences) of a risk event
Risks of Not Having a Contingency Plan
Having no plan may slow managerial response
Decisions made under pressure can be potentially
dangerous and costly
Risk Response Matrix

FIGURE 7.8
 Risk and Contingency Planning
Technical Risks
Backup strategies if chosen technology fails
Assessing whether technical uncertainties
can be resolved
Schedule Risks
Use of slack increases the risk of a late
project finish
Imposed duration dates (absolute project
finish date)
Compression of project schedules due to a
shortened project duration date
 Risk and Contingency Planning (contd)
Costs Risks
Time/cost dependency links: costs increase when
problems take longer to solve than expected.
Deciding to use the schedule to solve cash flow
problems should be avoided.
Price protection risks (a rise in input costs) increase
if the duration of a project is increased.
Funding Risks
Changes in the supply of funds for the project can
dramatically affect the likelihood of
implementation or successful completion of a
project.
 Contingency Funding and Time Buffers
Contingency Funds
Funds to cover project risksidentified and
unknown
Size of funds reflects overall risk of a project
Budget reserves
Are linked to the identified risks of specific work packages
Management reserves
Are large funds to be used to cover major unforeseen
risks (e.g., change in project scope) of the total
project
Time Buffers
Amounts of time used to compensate for
unplanned delays in the project schedule
Contingency Fund Estimate (000s)

TABLE 7.1
 Managing Risk (contd)
Step 4: Risk Response Control
Risk control
Execution of the risk response strategy
Monitoring of triggering events
Initiating contingency plans
Watching for new risks
Establishing a Change Management System
Monitoring, tracking, and reporting risk
Fostering an open organization environment
Repeating risk identification/assessment exercises
Assigning and documenting responsibility for managing
risk
 Change Management Control

Sources of Change
Project scope changes
Implementation of contingency plans
Improvement changes
 Change Management Control
The Change Control Process
Identify proposed changes.
List expected effects of proposed changes on
schedule and budget.
Review, evaluate, and approve or disapprove of
changes formally.
Negotiate and resolve conflicts of change, condition,
and cost.
Communicate changes to parties affected.
Assign responsibility for implementing change.
Adjust master schedule and budget.
Track all changes that are to be implemented.
 The Change
Control Process

FIGURE 7.9
 Benefits of a Change Control System
1. Inconsequential changes are discouraged by the
formal process.
2. Costs of changes are maintained in a log.
3. Integrity of the WBS and performance measures
is maintained.
4. Allocation and use of budget and management
reserve funds are tracked.
5. Responsibility for implementation is clarified.
6. Effect of changes is visible to all parties involved.
7. Implementation of change is monitored.
8. Scope changes will be quickly reflected in
baseline and performance measures.
Change
Request
Form

FIGURE 7.10
 Change
Request
Log

FIGURE 7.11