Risk Management in Projects

Introduction
- A risk is an uncertain event that has a positive or negative effect on at least one project objective.
- All risks have causes.
- All risks have uncertainty associated with them and all risks have an impact associated with them.
The impacts can affect the project baselines of cost, schedule, and scope.
- The risk may also affect activities in multiple areas of the project as well as activities outside of
the project.
- Risks are justified by the benefits that come as a result of taking them
- In project risk there are many things that can go wrong in the course of the project. The potential
benefits should justify the risks that are taken.
- Risks can have a positive or negative effect. They can produce benefits for the project, or they
can produce loss for the project.
- Risks can be divided into known and unknown risks. Known risks are those risks that can be
identified. Unknown risks are those that cannot be identified

When to Do Risk Management

- Risk management must be done during the whole life of the project.
- When risks are identified, they should be recorded in a risk management file or folder so that they
can be dealt with later in the project.
- As time goes by and progress is made on the project, the risks need to be reviewed, and the
identification process must be repeated for the discovery of new risks. As the project advances,
some risks disappear. Other risks that were not thought of earlier will be discovered.
The Risk Process
The risk process is divided into six major processes:
i) Risk management planning
ii) Risk identification
iii) Risk assessment
iv) Risk quantification
v) Risk response planning
vi) Risk monitoring and control
Risk categories
• Risk types to be found on Project
– those caused by the inherent difficulties of estimation
– those due to assumptions made during the planning process
– those of unforeseen (or at least unplanned) events occurring
• Estimation errors
– some tasks are easier to estimate than others
• manual writing is a reasonably straight forward task
• program testing and debugging may not be
– analysing historic data for similar things can help with deciding the level of
accuracy to be assigned to a particular estimation
• Planning errors
– assumptions are used when planning, if the assumption are wrong then the plan is
at risk
• e.g. the need for rework may not be planned
– when a plan is prepared the assumptions that have been made should listed and
details given to the affect on the plan if the assumption are incorrect
• Eventualities
– some eventualities might never be foreseen
– it has to be accepted that such eventualities do happen, even if they are rare!
– Most unforeseen eventualities generally could have been identified and predicted
• e.g. the required hardware not arriving on time
– plans should be in place to minimise the damage caused by an unforeseen event

Managing risk
• There are various models of risk management
• They are generally similar and identify to main elements
– risk identification
– risk management
• A popular model is the Boehm Risk Engineering Model
 Risk
Engineering

Risk Analysis Risk

Management

Risk Risk Risk

Identification Estimation evaluation

Risk Planning Risk Control Risk Risk Directing Risk Staffing

Monitoring

Risk identification
• Identification of hazards that may affect a project must be the first steps in a risk
assessment
• A hazard is an event that if it occurs may adversely affect the project
• The risk a hazard presents to a particular project must decided
• Checklist are often used to help in identifying hazards
• Knowledge based software is also available to help with the task of hazard identification
• Some hazards will be generic
 Other hazards will be project specific
 Various categories of factors will need to be considered
o Application factors
 the nature of the application
 e.g. simple data processing or safety critical system
 the size of the system
o Staff factors
  e.g. experience and appropriateness of experience
 skills, turn-over rate, level of absenteeism
 Project factors
o definition of the project
o project objectives
o team members understanding of the above
o project quality plan
 Hardware / software factors
o the use of new untried hardware carries a higher risk than using existing hardware
o where a system is developed on one type of hardware or software platform for use
on another, then this will carry higher risks
 Changeover factor
o An instant change over carries greater risks than an incremental change over
o Parallel running is desirable but has cost implications
 Supplier factors
o can be difficult to control suppliers
 e.g. installation of phone lines, delivery of equipment
 Environmental and social factors
o generally outside the control of the project
 e.g. changes in legislation
 e.g. public opinion
 Health and safety factors
o not generally a major issue for software project when compared to other
engineering projects
o still need to be covered to ensure compliance with statutory obligation

Risk analysis
• Once identified risks should be assessed for their possible affect on the project
• the level of importance of a risk must also be established this is often done by assessing
the risk value
• The importance of a risk is known as the risk value or the the risk exposure
 • risk exposure = risk likelihood x risk impact
• risk likelihood is the probability of hazard occurring
• risk impact is the effect the resulting problem will have on the project
• Risk impact is estimated in monetary terms
• Risk likelihood is assessed as a probability
• Risk exposure therefore is an expected cost, in a similar manner to a cost-benefit analysis
• Ranking schemes can be used to assess impact and likelihood
• Impact scores should take account of
• the cost of delay to scheduled dates for deliverables
• cost overruns caused by using additional or more expensive resources
• the costs incurred or implicit in any compromise to the system’s quality or functionality
• Managing risk involves the use of two strategies
- reducing the risk exposure by reducing likelihood and impact
- drawing up contingency plans to deal with the risk should it occur
• All attempts to reduce risk exposure will have a cost
• Risk reduction work should be prioritised to obtain best value
• Factor other than risk exposure that should be taken account of when prioritising risk
management
- confidence of risk assessment
- compound risks
- the number of risks
- cost of action
Reducing risks:
• There are five broad categories for risk reduction
- hazard prevention
- likelihood reduction
- risk reduction
- risk transfer
- contingency planning
Risk management:
• Risk Planning
 - preparing contingency plans
- large project will use a risk manager to do this
• Risk Control
- minimising the affect caused by the problems occurring
• Risk monitoring
- ongoing assessment of the importance and relevance of particular risks
 Risk directing and staffing
- the day-on-day management of risk
- risk aversion and problem solving