Professional Documents
Culture Documents
#10. Risk Management 2008.09.01
#10. Risk Management 2008.09.01
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Objectives
The 'Golden Triangle' of Project Success
I I I
A delighted client (expectations met) Delivered the agreed objectives Met an agreed budget - $, resources etc. Within an agreed time frame and
Time
Cost
Rajesh Dhake
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Initiation
Review
Initiation Plan
Detailed Plan
Status Report
Objective There are things we know we know. We also know there are known unknowns, that is to say we know there are some things we do not know. But there are also unknown unknowns the ones we dont know we dont know.
Provide you with an overview of the main concepts of Risk Management
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Definition of Risk
It is impossible for risks not to be present. Risks are always there in life: crossing the street paying for items by credit card deciding on who to hire deciding which priority is higher proposing a new idea/project investing $50,000,000 in a new facility
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Definition of Risk Definition Risk is an uncertain outcome Any threat that, if it occurs, may prevent the projects objectives from being achieved in whole, or in part. Meaning Risk does not represents only negative events sometimes the impact can be positive and sometimes negative
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Risk
Cannot be eliminated but must be managed and resolved Three steps for risk management:
identify the risks assess the likelihood of occurrence and impact develop risk management plans
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
What is Risk?
Risk
is characterised by Uncertainty is characterised by Loss is defined by
Objectives
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Future
Risk
Benefits of Risk Management Completion of project within specified time, specified quality Realistic costing Proper allocations of resources Higher probability of meeting targets Full awareness of potential hazards for everyone Informed go/no-go decisions
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Risk identification
Risk analysis
Risk planning
Risk monitoring
Risk assessment
Rajesh Dhake
1. Risk Identification
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
1. Risk Identification
Objective: To identify all the things that could potentially go wrong (or right)
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
1. Risk Identification
Continuous, Iterative Process What is it and what does it look like The sooner the better The more the merrier A fact is not a risk Be specific Dont try to do everything at once
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Examples of Risks
Risk Staff turnover Description Experienced staff will leave the project before it is finished. Management There will be a change of change organisational management with different priorities. Equipment Equipment that is essential for the unavailability project will not be delivered on schedule. Requirements There will be a larger number of change changes to the requirements than anticipated. Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Examples of Risks
Risk Specification delays Size underestimate Technology change Product competition Description Specifications for various parameters are not available on schedule The size of the project has been underestimated. The underlying technology on which the project is built is superseded by new technology. A competitive product is marketed before the project is completed.
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Risk Factors
Risk type Technology People Organisational Tools Potential indicators Late delivery of hardware or support software, many reported technology problems Poor staff morale, poor relationships amongst team member, job availability organisational gossip, lack of action by senior management reluctance by team members to use tools, complaints about CASE tools, demands for higher-powered workstations many requirements change requests, customer complaints failure to meet agreed schedule, failure to clear reported defects
Requirements Estimation
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
1. Risk Identification
Best to identify all the possible risks: Reject potential risks only after the analysis - do not apply materiality at this stage. Involve as many people as possible: No one person can fully understand every aspect of the project well enough to identify all the risks alone. Pessimists make good risk identifiers Identification of risks should never be considered to be complete: Risks will become apparent later in the process and during operations and should be included! Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Commercial/Financial
Resources
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Critical Path
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
1. Risk Identification
Consider all your stakeholders: Project Owner Contractor Suppliers Government Employees Good questions to ask: what can go wrong? what if . ? does it matter?
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
2. Risk Analysis
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
2. Risk Analysis
Assess probability and seriousness of each risk Probability may be very low low moderate high very high Risk effects might be catastrophic serious tolerable insignificant
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
2. Risk Analysis
Risk Organisational financial problems force reductions in the project budget. It is impossible to recruit staff with the skills required for the project. Key staff is ill at critical times in the project. Changes to requirements which require major design rework are proposed. The organisation is restructured so that different management are responsible for the project. The database used in the system cannot process as many transactions per second as expected. The time required to develop the software is underestimated. Customers fail to understand the impact of requirements changes. Required training for staff is not available. The rate of defect repair is underestimated. The size of the project is underestimated.
PDF created with pdfFactory trial version www.pdffactory.com
Moderate
Serious
R44
R21
R7
Project severity = expectation (1-10) * impact (1-10) When should risk analysis be formed? Is not a time activity Periodic update and reviewed
Rajesh Dhake 37
PDF created with pdfFactory trial version www.pdffactory.com
Calculating Severity
Problem
Staff availability Late delivery of equipment Communication and Networks problem
Expectation 6 5 5
Impact 5 8 5
Severity 30 40 25
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake 41
PDF created with pdfFactory trial version www.pdffactory.com
1. Probability/Impact Matrix
A probability/impact matrix or chart lists the relative probability of a risk occurring on one side of a matrix or axis on a chart and the relative impact of the risk occurring on the other. List the risks and then label each one as high, medium, or low in terms of its probability of occurrence and its impact if it did occur. Can also calculate risk factors: Numbers that represent the overall risk of specific events based on their probability of occurring and the consequences to the project if they do occur. Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
42
Rajesh Dhake 43
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake 44
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake 45
PDF created with pdfFactory trial version www.pdffactory.com
4 5
4 5
3 3
Rajesh Dhake 47
PDF created with pdfFactory trial version www.pdffactory.com
3. Expert Judgment
Many organizations rely on the intuitive feelings and past experience of experts to help identify potential project risks. Experts can categorize risks as high, medium, or low with or without more sophisticated techniques. Can also help create and monitor a watch list, a list of risks that are low priority, but are still identified as potential risks.
Rajesh Dhake 48
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake 51
PDF created with pdfFactory trial version www.pdffactory.com
1. Decision Trees and Expected Monetary Value (EMV) A decision tree is a diagramming analysis technique used to help select the best course of action in situations in which future outcomes are uncertain. Estimated monetary value (EMV) is the product of a risk event probability and the risk events monetary value. You can draw a decision tree to help find the EMV.
Rajesh Dhake 52
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake 53
PDF created with pdfFactory trial version www.pdffactory.com
1 2 3
Risk Assessment Methods and Tools; can perform analysis or review output from analysis; or consultation on: - FMEA, Fault Tree Analysis, Probabilistic Risk Assessment - Tools: SHAPHIRE and RELEX (Receive/coordinate training)
Rajesh Dhake
Early 10% Develop In House ($20,000) On Time 20% Delayed 70% Develop In House or Contract? Early 10% Contract ($30,000) On Time 70% Delayed 20%
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
2. Sensitivity Analysis
Sensitivity analysis is a technique used to show the effects of changing one or more variables on an outcome. For example, many people use it to determine what the monthly payments for a loan will be given different interest rates or periods of the loan, or for determining break-even points based on different assumptions. Spreadsheet software, such as Excel, is a common tool for performing sensitivity analysis.
Rajesh Dhake 56
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake 57
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
3. Risk Planning
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Risk Planning
Consider each risk and develop a strategy to manage that risk Avoidance strategies The probability that the risk will arise is reduced Minimisation strategies The impact of the risk on the project or product will be reduced Contingency plans If the risk arises, contingency plans are plans to deal with that risk Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Risk Planning
What are we going to do about it? Techniques/Strategies:
Avoidance Eliminate it Transference Pawn it off Mitigation Reduce probability or impact of it Acceptance Do nothing
Hint: Dont spend more money preventing the risk than the impact of the risk would be if it occurs J
The Risk Response Plan/Risk Response Register
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake 63
PDF created with pdfFactory trial version www.pdffactory.com
General Risk Mitigation Strategies for Technical, Cost, and Schedule Risks
Rajesh Dhake 64
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake 65
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake 66
PDF created with pdfFactory trial version www.pdffactory.com
Media Snapshot
A highly publicized example of a risk response to corporate financial scandals, such as those affecting Enron, Arthur Andersen, and WorldCom, was legal action. The Sarbanes-Oxley Act of 2002 is considered the most significant change to federal securities laws in the United States since the New Deal. This Act has caused many organizations to initiate projects and other actions to avoid litigation.*
*Iosub, John C., What the Sarbanes-Oxley Act Means for IT Managers, TechRepublic, (March 19, 2003) (http://techrepublic.com.com/5100-6313-5034345.html). Rajesh Dhake 67
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
3.1 Risk Reduction Definition: reducing the probability that an event will occur
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
3.1 Risk Reduction What can be done to prevent a risk from occurring? contracts in place outlining the scope of work and expectations of each side indemnification clauses meeting minutes engineering controls Risk is seldom eliminated entirely. It is typically reduced or transferred.
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
3.1 Risk Reduction When to Transfer Risks Risks are rarely eliminated. Instead they are transferred between parties. Key points to remember: Everyone is trying to manage risk to some, this means they must minimize the risks they accept. Risks should be held by the people best positioned to manage them.
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
3.1 Risk Reduction How to Transfer Risks Contractually Legally waivers pure regulatory requirements
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Group Exercise
For 3 of the Risks associated with Homecoming weekend, identify risk reduction measures
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
3.2 Risk Mitigation Definition: Reducing the impact of an event once its occurred
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
3.2 Risk Mitigation -How to do it? Insurance Temporary staff to meet surge demands Storing back up tapes off-site Emergency Response Plans/Business Continuity Plans
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Group Exercise
For the same 3 risks associated with earlier identify risk mitigation measures
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Insurance
Insurance has a limited role. Insurance is good when: large numbers of similar events can be insured premiums can be established based on logic/experience premiums are commercially feasible Cases when insurance is not useful: delays in projects (ERP etc) regulatory fines or jail time loss of a blackberry when things go right! Dont forget all insurance has specified limits!
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
4. Risk Monitoring
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
4. Risk Monitoring
Definition: Ensuring that the risk identification, risk reduction and risk mitigation activities are effective
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
4. Risk Monitoring
Assess each identified risks regularly to decide whether or not it is becoming less or more probable Also assess whether the effects of the risk have changed Each key risk should be discussed at management progress meetings
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
4. Risk Monitoring
Learning from the past to influence the future Key questions to ask: what hasnt gone ideally? what went unexpectedly right? what went wrong that I didnt predict? when things went wrong did we have a plan? was the plan realistic and implementable? did everyone know what they needed to? did they know it when they needed to?
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Scenario
Not Expected to Occur Small Likelihood Occurs quite often Common Occurrence Very Frequent
Probability
<1% 1-20% 21-49% 50-85% >85%
Score
1 2 3 4 5
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Financial
0-$49,999
Regulatory
Not regulated
Injury
Environmental
Reputational
negative internal impact, short term
Operational
Disrupts single lab operation, but normal functions able to resume quickly Disrupts operation of a floor, but normal functions able to resume quickly; or disrupts operations of a single lab for longer periods Disrupts operation of a bldg but normal operations resume quickly; disrupts operations of a floor; extensive renovations to a lab Disrupts more than one bldg, not resume quickly; disrupts one bldg for longer period
Score
5
Marginal
$50,000-$249,999
first aid
Minor or localized internal negative internal impact and internal clean impact, long term up crew
10
Substantial
15
Severe
$1,000,000$3,000,000
Serious external impact negative external and external cleanup impact, long term crew, required notification to authorities Significant external significant negative impact requires external external impact, long crew & has long lasting term impact requiring authority and community notification
20
Disastrous
<$3,000,000
wide scale disruption of more than one bldg for longer periods, major disruption to a bldg requiring major renovations
25
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Probability
VLO LO MED HI VHI
Impact
Im pa ct
5 5 5 5 5
4 4 4 5 5
3 3 3 4 4
2 2 3 3 3
1 1 1 1 1
Risk Categories
1 Critical 2 Severe 3 Significant 4 Minor 5 Possible Concern
Rajesh Dhake
Risk Tolerance
What risks are acceptable risks? Risk tolerance statements are a subject of much discussion with the Board of Governors Typical statements include: 10% of faculty/service budget or $1,000,000 (whichever is lower) carrying weapons conducting human stem cell research
There is no absolute right answer on what is an acceptable risk until hindsight is used
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Implementation Risk Management A well thought out, well documented risk management plan is a piece of paper. It is not worth more than that unless the planned risk reduction and risk mitigation measures are implemented. Typically the weakest point in implementation is communications. It is recommended that a Champion be identified for each risk, including ensuring the risk reduction and risk Rajesh mitigation measures are implemented. Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Using Software to Assist in Project Risk Management Risk registers can be created in a simple Word or Excel file or as part of a database. More sophisticated risk management software, such as Monte Carlo simulation tools, help in analyzing project risks. The PMI Risk Specific Interest Groups Web site at www.risksig.com has a detailed list of software products to assist in risk management.
Rajesh Dhake 95
PDF created with pdfFactory trial version www.pdffactory.com
Effort
Time
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Exercise
For your typical projects: identify three risks identify two risk reduction measures for each risk identify two risk mitigation measures for each risk rank the risks
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Results of Good Project Risk Management Unlike crisis management, good project risk management often goes unnoticed. Well-run projects appear to be almost effortless, but a lot of work goes into running a project well. Project managers should strive to make their jobs look easy to reflect the results of well-run projects.
Rajesh Dhake 98
PDF created with pdfFactory trial version www.pdffactory.com
Summary
Risk is everywhere Risk cannot be totally eliminated Risks can not be managed unless they are identified Risk reduction is more important than risk mitigation Risk management isnt scary!
RISK
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Conclusion
The future is not necessarily less predictable than the past. The past was not predictable when it started.
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
People
Organisational The organisation is restructured so that different management are responsible for the project. Organisational financial problems force reductions in the project budget. Requirements Changes to requirements that require major design rework are proposed. Customers fail to understand the impact of requirements changes. The time required to develop the software is underestimated. The rate of defect repair is underestimated. Rajesh Dhake The size of the software is underestimated.
Estimation
Risk analysis
Assess probability and seriousness of each risk. Probability may be very low, low, moderate, high or very high. Risk effects might be catastrophic, serious, tolerable or insignificant.
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Risk Organisational financial problems force reductions in the project budge t. It is impossible to recruit staff with the skills required for the project. Key staff are ill at critical times in the project. Software components that should be reused contain defects which limit their functionality. Changes to requirements that require major design rework are proposed. The organisation is restructured so that different management are responsible for the project.
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Risk The database used in the system cannot process as many transactions per second as expec ted. The time required to develop the software is underestimated. CASE tools cannot be integrated. Customers fail to understand the impact of requirements changes. Required training for staff is not available. The rate of defect repair is underestimated. The size of the software is underestimated. The code generated by CASE tools is inefficient.
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Risk planning
Consider each risk and develop a strategy to manage that risk. Avoidance strategies The probability that the risk will arise is reduced; Minimisation strategies The impact of the risk on the project or product will be reduced; Contingency plans If the risk arises, contingency plans are plans to deal with that risk;
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Risk Organisational financial problems Recruitment problems Staff illness Defective components
Strategy Prepare a briefing document for senior management showing how th e project is making a very important contribution to the goals of the business. Alert customer of potential difficulties and the possibility of delays, investigate buying-in components. Reorganise team so that there is more overlap of work and people therefore understand each others jobs. Replace potentially defective components with bough tin components of known reliability.
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Risk monitoring
Assess each identified risks regularly to decide whether or not it is becoming less or more probable. Also assess whether the effects of the risk have changed. Each key risk should be discussed at management progress meetings.
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Risk indicators
Risk type Technology People Organisational Tools Requirements Estimation Potential indicators Late delivery of hardware or support software, many reported technology problems Poor staff morale, poor relationships amongst team member, job availability Organisational gossip, lack of action by senior management Reluctance by team members to use tools, complaints about CASE tools, demands for higher-powered workstations Many requirements change requests, customer complaints Failure to meet agreed schedule, failure to clear reported defects
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Key points
Good project management is essential for project success. The intangible nature of software causes problems for management. Managers have diverse roles but their most significant activities are planning, estimating and scheduling. Planning and estimating are iterative processes which continue throughout the course of a project.
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com
Key points
A project milestone is a predictable state where a formal report of progress is presented to management. Project scheduling involves preparing various graphical representations showing project activities, their durations and staffing. Risk management is concerned with identifying risks which may affect the project and planning to ensure that these risks do not develop into major threats.
Rajesh Dhake
PDF created with pdfFactory trial version www.pdffactory.com