Risk & Uncertainty

management
Cédric Verbeeck

The Phoenix Project:

Remediation of a Cybersecurity Crisis at the University of Virginia
Session content

Simulation debriefing
Managing risk & uncertainty
Case: The Phoenix project
Project management
simulation B,C+F

3
Class discussion (1)

What’s different about the project context

in these scenarios?

B C F

4
Class discussion (3)

What strategies did you use to

deal with these scenarios? What
worked? What didn’t? Where you
able to complete the project
successfully?

5
Class discussion (2)

In these scenarios, how have causal

relationships been affected or changed? Why
have they changed?

6
Default causal model
Too much time
in meeting Outsourcing Team size
Unrealistic
schedule
schedule
morale
scope

Unfinished stress Hours worked

1-1 coaching tasks
New tasks
Status completed
meetings Project
knowledge Productivity
Daily standup
meetings
Team change
Team size
Project Task completed
Mistake rate
Outsourcing Required coordination incorrectly
coordination

7
How does uncertainty affect this model?
Too much time
in meeting outsourcing Team size
Unrealistic
Schedule
schedule
morale
Scope
stress
Unfinished Hours worked
1-1 coaching
tasks
New tasks
Status meetings Project completed
knowledge
Daily standup
Productivity
meetings Team change
Team size
Project Task completed
Outsourcing Mistake rate
Required coordination incorrectly
Unexpected coordination
events Productivity drain due
Skill level of to uncertainty
staff
8
Exercises in managing projects in different conditions

• Low uncertainty: • High uncertainty:

• You anticipate few • You anticipate many unexpected
unexpected problems problems

9
Class discussion (4)

Having dealt now with the different project

scenarios, how would you revise your
project management advice?

10
How would you revise your project management advice?

• Selecting project team members capable of in-progress learning and adjustment

• Obtaining top management sponsorship and attention, and establishing a
process for their rapid intervention when needed
• Taking a flexible approach to scope that permits arranging project components for
completion in a different order than planned
• Creating risk-sharing arrangements with partners and vendors that provide
everyone with incentives to adjust, rather than to continue to operate under out-
of-date plans
• Creating more iterative project structures that divide projects into smaller pieces
and allow more frequent scope, resource, and schedule reconfiguration
• Use prototypes: allows you to detect problems earlier on. Find a Tradeoff
between cost of prototype and cost and time gained in the project

11
Managing Risk &
uncertainty

12
Learning Objectives

• Define project risk.

• Recognize four key stages in project risk management and the steps necessary to
manage risk.
Projects & Uncertainty

Project operate in an environment composed of uncertainty:

Funding

Resources

Client expectations

Technological problems
Project Risk & Risk Management

Project risk—an uncertain event or condition that, if it occurs, has a positive or

negative effect on one or more project objectives such as scope, schedule, cost, or
quality.

Risk = Probability of Event  * (Consequences of Event)

Risk management—the art and science of identifying, analyzing, and responding

to risk factors throughout the life of a project and in the best interest of its
objectives.
Questions to Consider in Risk Management
What is likely to happen (the probability and impact)?

What can be done to minimize the probability or impact of these events?

What cues will signal the need for such action (i.e., what clues should I
actively look for)?

What are the likely outcomes of these problems and my anticipated

reaction?
Risk and opportunity over the project life cycle

R. Max Wideman. (2004). A Management Framework for Project, Program and Portfolio Integration. Victoria, BC, Canada, 2004.
Four Stages of Risk Management

Risk identification

Analysis of probability and consequences

Risk mitigation strategies

Control and documentation

Jeffrey Pinto , Project Management: Achieving Competitive Advantage, 5th edition

1.Risk Identification

• Risk clusters • Common Types of Risks:

• Financial • Absenteeism
• Technical • Resignation
• Commercial • Staff pulled away
• Execution • Time overruns
• Contractual or legal risk • Skills unavailable
• Ineffective training
• Specs incomplete
• Change orders
1. Risk Factor Identification methods

Brainstorming Expert opinion Past history Multiple (or

meetings team-based)
assessments
1. Risk Breakdown Structure (RBS) tool

Jeffrey Pinto , Project Management: Achieving Competitive Advantage, 5th edition

Risk Breakdown Structure (RBS) example

Jeffrey Pinto , Project Management: Achieving Competitive Advantage, 5th edition

2. Risk Impact Matrix
2. Project Risk Scoring (1 of 2)
1. Use project team’s consensus to determine the score for each Probability
of Failure category:
For example 3 categories: Maturity (Pm), Complexity (Pc), and Dependency (Pd).
2. Calculate overall probability:

Pm  Pc  Pd
Pf 
3
3. Use project team’s consensus to determine the score for each Consequence
of Failure category:
For example 4 cost categories: Cost (Cc), Schedule (Cs), Reliability (Cr), and
Performance (Cp).
Example of risk categories applied to software development
product

Jeffrey Pinto , Project Management: Achieving Competitive Advantage, 5th edition

25
2. Project Risk Scoring (2 of 2)
4. Calculate Cf by adding the four categories and dividing by 4:

Cc  Cs  Cr  Cp
Cf 
4
5. Calculate Overall Risk Factor for the project by using the formula:

RF  Pf  Cf   Pf Cf 
Rule of Thumb:
Low Risk RF < 0.30
Medium Risk RF = 0.30 to 0.70
High Risk RF > 0.70
Exercise

Assume the following information for an IT project.

Probability of Failure Consequences of Failure

Maturity = .7 Cost = .9
Complexity = .7 Schedule = .7
Dependency = .5 Performance = .3
Client Concerns = .5 Future Business = .5
Programmer Skill = .3

Calculate the overall risk factor for this project. Would you assess this level of risk as low, moderate,
or high? Why?

27
3. Risk Mitigation Strategies
Accept

Minimize

Share

Transfer

• Fixed price contracts

• Liquidated damages

Contingency Reserves

• Task contingency
• Managerial contingency
4. Control and Documentation

Helps managers classify and codify risks, responses, and outcomes

Change management report system answers:

A control document should contain information to the following questions:

• What? source of uncovered risk
• Who? project team member responsible for control & mitigation
• When? time frame for mitigation action
• Why? most likely reason for the risk
• How? plan how the risk is mitigated
Phoenix case study

30
Case questions

1. Case introduction:
1. Describe the role of Information Technology services (ITS) in fulfilling UVA’s mission
2. What attracts cyberattackers to universities?
3. What are the most common attack methods and approaches for mitigating
cyberattacks?
2. Describe each of the five objectives of the Phoenix project. What level of
effort would be required to accomplish these objectives?
3. Describe the various internal and external stakeholders associated with
the Phoenix project. How would you recommend the project team
communicate with each stakeholder group?
4. Identify the key risks (10-18) inherent to this project. How would you
recommend the team manage these risks?

31
 What does this mean for you team
assignment

1. Identify risks and categories them

2. Estimate impact and propability per risk (category)
3. Calculate project risk
4. Propose mitigation strategies