
LESSON IV

RISK IDENTIFICATION
You got to be careful if you don’t know where you’re
going, because you might not get there.
– Yogi Berra

Once we know our weaknesses, they cease to do us any harm.
– G.C. Lichtenberg, German physicist, philosopher
CHAPTER IV
RISK IDENTIFICATION
• Introduction
• Risk identification
• Risk projection (estimation)
• Risk mitigation, monitoring, and management
RISK IDENTIFICATION
• Topic 1: Sources of Risk
• Topic 2: Risk Gathering Techniques
• Topic 3: Preparing the Risk Register
• Topic 4: Using Risk Identification Tools and Techniques

RISK IDENTIFICATION
• Learning Objectives
– After completing this lesson you should be able to
• Recognize the sources of risk during the identify risks process
• Outline the various methods that can be used to identify and gather risk
information
• Explain how to structure and populate a risk register
• Prepare a risk register for the course case study

Project Risks
What can go wrong?
What is the likelihood?
What will the damage be?
What can we do about it?

Introduction
What Is Risk?
• Risk is an expectation of loss, a potential problem that may or may
not occur in the future.
• It is generally caused by a lack of information, control or time.
• The possibility of suffering a loss in the software development process
is called a software risk.
• Loss can be anything: an increase in production cost, development of
poor-quality software, or not being able to complete the project on
time.

Types of Risks
• Project risk exists because the future is uncertain and there
are many known and unknown things that cannot be
incorporated in the project plan.
• A project risk can be of two types
– (1) internal risks that are within the control of the project manager
and
– (2) external risks that are beyond the control of the project manager.

Definition of Risk
• A risk is a potential problem – it might happen and it might not
• Conceptual definition of risk
– Risk concerns future happenings
– Risk involves change in mind, opinion, actions, places, etc.
– Risk involves choice and the uncertainty that choice entails

• Two characteristics of risk


– Uncertainty – the risk may or may not happen, that is, there are no
100% risks (those, instead, are called constraints)
– Loss – the risk becomes a reality and unwanted consequences or
losses occur
Risk Categorization – Approach #1
• Project risks
– They threaten the project plan
– If they become real, it is likely that the project schedule will slip
and that costs will increase
• Technical risks
– They threaten the quality and timeliness of the software to be
produced
– If they become real, implementation may become difficult or
impossible
• Business risks
– They threaten the viability of the software to be built
– If they become real, they jeopardize the project or the product
Risk Categorization – Approach #1 (cont…)
• Sub-categories of Business risks
– Market risk – building an excellent product or system that no
one really wants
– Strategic risk – building a product that no longer fits into the
overall business strategy for the company
– Sales risk – building a product that the sales force doesn't
understand how to sell
– Management risk – losing the support of senior management
due to a change in focus or a change in people
– Budget risk – losing budgetary or personnel commitment
Risk Categorization – Approach #2
• Known risks
– Those risks that can be uncovered after careful evaluation of the
project plan, the business and technical environment in which the
project is being developed, and other reliable information sources
(e.g., unrealistic delivery date)
• Predictable risks
– Those risks that are extrapolated from past project experience (e.g.,
past turnover)
• Unpredictable risks
– Those risks that can and do occur, but are extremely difficult to
identify in advance
Risk Management
• “The process of determining the maximum acceptable level
of overall risk to and from a proposed activity, then using
risk assessment techniques to determine the initial level of
risk and, if this is excessive, developing a strategy to
ameliorate appropriate individual risks until the overall
level of risk is reduced to an acceptable level.”

Risk Management
• Risk management is carried out to:
– Identify the risk
– Reduce the impact of risk
– Reduce the probability or likelihood of risk
– Risk monitoring

Reactive vs. Proactive Risk Strategies

• Reactive risk strategies


– "Don't worry, I'll think of something"
– The majority of software teams and managers rely on
this approach
– Nothing is done about risks until something goes
wrong
• The team then flies into action in an attempt to
correct the problem rapidly (fire fighting)
– Crisis management is the choice of management
techniques
Reactive vs. Proactive
Risk …

• Proactive risk strategies


– Steps for risk management are followed (see next slide)
– Primary objective is to avoid risk and to have a
contingency plan in place to handle unavoidable risks
in a controlled and effective manner

Steps for Risk Management
1) Identify possible risks; recognize what can go wrong
2) Analyze each risk to estimate the probability that it will occur and
the impact (i.e., damage) that it will do if it does occur
3) Rank the risks by probability and impact
- Impact may be negligible, marginal, critical, and catastrophic
4) Develop a contingency plan to manage those risks having high
probability and high impact

Risk Identification
True Story
• A company suffered a catastrophic loss one night when its office burned
to the ground.
• As the employees gathered around the charred remains the next
morning, the president asked the secretary if she had been performing
the daily computer backups. To his relief she replied that yes, each day
before she went home she backed up all of the financial information,
invoices, orders ...
• The president then asked the secretary to retrieve the backup so they
could begin to determine their current financial status. “Well”, the
secretary said, “I guess I cannot do that. You see, I put those backups in
the desk drawer next to the computer in the office.”
Risk is all around us…
• “Investing in stocks carries a risk …”

• “Car speeding carries a risk …”

• “Outdated anti-virus software carries a risk …”

Risk is all around us…
• “If you know the enemy and know yourself, you need not
fear the result of a hundred battles
• If you know yourself but not the enemy, for every victory
gained you will also suffer a defeat
• If you know neither the enemy nor yourself, you will
succumb in every battle” – Sun Tzu
Knowing Yourself
• Identifying, examining and understanding the information
and how it is processed, stored, and transmitted
• Armed with this knowledge, one can initiate an in-depth
risk management program
• Risk management is a process
– Safeguards and controls that are devised and implemented are not
install-and-forget devices

Knowing the Enemy
• Identifying, examining, and understanding the threats
facing the organisation’s assets and project
• Must fully identify those threats that pose risks to the
organisation and the security of its project
• Risk management
– The process of assessing the risks to an organisation’s project and
determining how those risks can be controlled or mitigated

Accountability for Risk Management
• Project stakeholders of interest must work together
– Evaluating the risk controls
– Determining which control options are cost-effective
– Acquiring or installing the appropriate controls
– Overseeing processes to ensure that the controls remain effective
– Identifying risks
– Assessing risks
– Summarising the findings
Background
• Risk identification is a systematic attempt to specify threats
to the project plan
• By identifying known and predictable risks, the project
manager takes a first step toward avoiding them when
possible and controlling them when necessary

Background
• Generic risks
– Risks that are a potential threat to every software project
• Product-specific risks
– Risks that can be identified only by those with a clear understanding of
the technology, the people, and the environment that is specific to the
software that is to be built
– This requires examination of the project plan and the statement of scope
– "What special characteristics of this product may threaten our project
plan?"
Risk Identification Process

Risk Identification (cont’d.)
• Risk identification begins with the process of self-
examination
– Managers identify the organisation’s information assets
• Classify them into useful groups
• Prioritise them by their overall importance

Where do Risks Come From?
• Identifying risk is about gathering information.
• If the risk event were to occur, particular areas of the project may be
affected.
• The process of identifying risks determines the risk events that could
affect the project
• Identifying risks helps to gain common understanding within the
project team of what the risks are.

‘What do you think are the major risks in your project?’
Identify Risks
• Identifying Risks is the process of determining which risks may
affect the project and documenting their characteristics.
• Participants in the Identify Risks process will usually include
– project team
– risk management team
– subject matter experts from other parts of the company
– customers
– end users
– other project managers, stakeholders, and outside experts
Identify Risks
• The Identify Risks process is said to be iterative in that new risks
may become known as the project life cycle progresses.
• The frequency of iteration and who participates in each cycle will be
different with different projects.
• The project team needs to be involved in the process so that it can
develop and maintain a sense of ownership and responsibility for the
risks and associated risk-response actions.
• Additional objective information can be provided by persons outside
the team.
• The Identify Risks process usually leads to the Perform Qualitative
Risk identification…
• Risk identification is a continual process throughout the life cycle of
the project. It proceeds in an iterative fashion using the following steps:
– step 1 (first iteration) – usually carried out by a part of the project
team or by the risk management team
– step 2 (second iteration) – usually carried out by a part of the project
team or by the risk management team
– step 3 (final iteration) – usually carried out by persons who are not
involved in the project, in order to achieve an unbiased analysis
– step n… (final iteration) – it is not known how many iterations are
required and as the process proceeds, all stakeholders are involved
Sources of Risk Identification

• The sources of risk for the risk identification process are
– categories
– roles and responsibilities
– historical information
– project management tools and techniques
– project team members
• Risk is sourced from a combination of these elements – for
example, historical information is sourced from planning
techniques and categories.
Categories of Risk
• Risks that affect a project can be identified and organized into risk categories. These categories
need to be well defined and should reflect common sources of risk for the industry or application
area.
• Risk categories include:
– technical, quality, or performance risks
• Examples of this risk category include reliance on unproven or complex technology, unrealistic
performance goals, and changes to the technology used or to industry standards during the
project. Instances where technical categories are relevant include software installations, updates
to technology, etc.
– project-management risks
• Examples of this risk category include poor allocation of time and resources, inadequate quality
of the project plan, or poor use of project management disciplines.
– organizational risks
• Examples of this risk category include cost, time, and scope objectives that are internally
inconsistent; lack of prioritization of projects; inadequacy or interruption of funding; and resource
conflicts with other projects in the organization.
– external risks
Historical Information
• Another useful source of input to the risk identification process is
historical information gleaned from previous projects.
• Examples of sources of historical information include
– project files – Organizations involved in the project may have records of
the results of previous projects. These results, taken from final project
reports or risk-response plans, can be used to identify risks.
• Project files may include organized "lessons learned" that describe
problems and their resolutions. This information could also be available
through the experience of the project stakeholders or others in the
organization.
Project Management Tools and Techniques
• To complement the other sources of risk, a successful risk
identification process will require an understanding of the
project’s mission and scope, as well as the objectives of the
owner, sponsor, or stakeholders.
• Outputs of other processes become inputs to the Identify
Risks process. These outputs also need to be reviewed.

Risk Gathering Techniques

Risk Identification
• Inputs
– Enterprise Environmental Factors
– Organizational Process Assets
– Project Scope Statement
– Risk Management Plan
– Project Management Plan
• Tools & Techniques
– Documentation Reviews
– Information Gathering Techniques
– Checklist Analysis
– Assumption analysis
– Diagramming techniques
• Outputs
– Risk Register
• Process flow: Risk Management Planning → Risk Identification → Qualitative Risk Analysis → Quantitative Risk Analysis → Risk Response Planning → Risk Monitoring and Control
Information Gathering Techniques
• Brainstorming
• Delphi technique
– Successive anonymous questionnaires on project risks with
responses summarized for further analysis
• Interviewing
• Root cause identification
• Strengths, weaknesses, opportunities, and threats (SWOT)
analysis
Diagramming Techniques
• Cause and Effect Diagrams
– Also known as Ishikawa or fishbone
[Fishbone diagram. Potential causes: Testing; Inadequate Time; Project Prioritization; Personnel; Materials; Insufficient Resources; Bad Specs. Effect: Product Delivered Late.]
Risk Register
• List of
– Identified risks
– Potential responses
– Root causes
• Updated risk categories (if required)
Risk Register
• The risk register is a document in which the results of risk analysis and
risk response planning are recorded. It contains the outcomes of the
other risk management processes as they are conducted resulting in an
increase in the level and type of information contained in the risk register
over time. The preparation of the risk register begins in the Identify Risks
process with a list of identified risks and a list of potential responses.
• List of identified risks. The identified risks are described in as much detail
as is reasonable. In addition to the list of identified risks, the root causes
of those risks may become more evident. These are the fundamental
conditions or events that may give rise to one or more identified risks.
They should be recorded and used to support future risk identification
Risk Management Planning
• Inputs
– Organizational Process Assets
– Project Scope Statement
– Risk Management Plan
– Risk Register
• Tools & Techniques
– Risk probability and impact statement
– Probability and impact matrix
– Risk data quality assessment
– Risk categorization
– Risk urgency assessment
• Outputs
– Risk Register (UPDATED)
Methodologies
• Probability and Impact Matrix
– Based on Failure Modes and Effects Analysis (FMEA)
– From 1950’s analysis of military systems
Probability and Impact Matrix
• Define Probability Scale & Impact Scale
• Impact Scale (Consequence: Health and Safety)
– Extreme: Fatality or multiple fatalities expected
– High: Severe injury or disability likely; or some potential for fatality
– Moderate: Lost time or injury likely; or some potential for serious injuries; or small risk of fatality
– Low: First aid required; or small risk of serious injury
– Negligible: No concern
• Probability Scale (Likelihood Class: Likelihood of Occurrence, events/year)
– Not Likely (NL): <0.01% chance of occurrence
– Low (L): 0.01 - 0.1% chance of occurrence
– Moderate (M): 0.1 - 1% chance of occurrence
– High (H): 1 - 10% chance of occurrence
– Expected (E): >10% chance of occurrence
Probability and Impact Plots
• Rate each risk on scales then plot on matrix
• Develop mitigation technique for risks above tolerance
Risk Register Update
• Add
– Probability and Impact Matrix results
– Perform quality check on results
– Categorize the risks to make them easier to handle
– Perform urgency assessment to determine which risks need
immediate attention
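
An added example, not part of the original slides, of the rate-then-update step: each risk is mapped to the probability class from the scale above, scored against its impact class, and flagged when it is above tolerance. The numeric scoring, the tolerance value, the handling of the shared band edges and the sample risks are assumptions made for illustration.

```python
from dataclasses import dataclass

# Probability classes from the slide's scale: (upper bound in % per year, class).
# Assumption: a band includes its lower edge and excludes its upper edge,
# because the slide's ranges share their boundary values.
PROBABILITY_BANDS = [(0.01, "NL"), (0.1, "L"), (1.0, "M"), (10.0, "H")]
LIKELIHOOD_ORDER = ["NL", "L", "M", "H", "E"]
IMPACT_ORDER = ["Negligible", "Low", "Moderate", "High", "Extreme"]
TOLERANCE = 12  # assumed threshold on the 1..25 score; the slides give none


@dataclass
class Risk:
    name: str
    category: str
    annual_probability_pct: float
    impact: str  # one of IMPACT_ORDER


def likelihood_class(pct: float) -> str:
    """Map a yearly chance of occurrence (in %) to the slide's class."""
    if not 0 <= pct <= 100:
        raise ValueError(f"probability out of range: {pct}")
    for upper, label in PROBABILITY_BANDS:
        if pct < upper:
            return label
    return "E"


def score(risk: Risk) -> int:
    """Assumed scoring: likelihood rank (1..5) times impact rank (1..5)."""
    if risk.impact not in IMPACT_ORDER:  # quality check on the rating
        raise ValueError(f"unknown impact class: {risk.impact}")
    likelihood = LIKELIHOOD_ORDER.index(likelihood_class(risk.annual_probability_pct)) + 1
    return likelihood * (IMPACT_ORDER.index(risk.impact) + 1)


def update_register(risks, tolerance=TOLERANCE):
    """Return register rows, highest score first, flagging risks above tolerance."""
    rows = [{"name": r.name, "category": r.category,
             "likelihood": likelihood_class(r.annual_probability_pct),
             "impact": r.impact, "score": score(r),
             "above_tolerance": score(r) > tolerance} for r in risks]
    return sorted(rows, key=lambda row: (-row["score"], row["name"]))


# Constructed sample risks; the probabilities and impacts are illustrative only.
SAMPLE_RISKS = [
    Risk("Backups stored next to the computer", "organizational", 0.5, "Extreme"),
    Risk("Outdated anti-virus software", "technical", 20.0, "High"),
    Risk("Unrealistic delivery date", "project-management", 8.0, "Moderate"),
    Risk("Sales force cannot sell the product", "external", 0.005, "Low"),
]

if __name__ == "__main__":
    for row in update_register(SAMPLE_RISKS):
        print(row)
```

A risk that scores exactly at the tolerance value is not flagged here; only scores strictly above it are.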
Risk Register
• LESSON 3: ANALYZING RISK

LESSON V
ANALYZING RISK
You got to be careful if you don’t know where you’re going,
because you might not get there.
– Yogi Berra

Once we know our weaknesses, they cease to do us any harm.
– G.C. Lichtenberg, German physicist, philosopher
ANALYZING RISK
1. Structuring Risk Analysis
2. Probability and Impact Assessment
3. Quantitative Risk Analysis
4. Performing Risk Analysis

ANALYZING RISK
Learning Objectives
• After completing this lesson you should be able to
– Outline the various components of risk analysis and identify
how they are used
– Demonstrate how to measure risk using probability and
impact with relevant tools and techniques
– Identify the various tools and techniques that are part of
quantitative risk analysis
– Discuss how to analyze risk
Risk Analysis
• Risk analysis is carried out as part of the risk management plan.
• Risk analysis is about understanding and evaluating the identified risks
associated with a project and determining which risk events warrant a
response.
• A project’s risk event status is determined from a combination of
probability and impact.
Risk Analysis
• A project’s risk event status…
– Probability is defined as the likelihood of an event occurring and is
usually expressed as a number from 0 to 1 (or the equivalent percentage).
– Impact is defined as the effect that a risk or opportunity will have on
cost, schedule, or performance.
• The risk management plan covers the
– Probability of a discrete risk event occurring – these risk events can
be either desirable (opportunities) or undesirable (threats)
– Cost or time impact on the project if the risk event occurs
Risk Analysis

• Risk analysis can be carried out using a qualitative or
quantitative approach.