Project Risk

Management
IT Project Management
IT G09101
Nicodemus M. M, PhD.

Initially created by: Dr. Deogratius M. Lashayo& Dr. Bakari A. Mashaka

This is Where We Are
What is a Risk?

An uncertain event that, if it occurs, has a positive

or negative effect on project objectives
Risk Management
• A proactive attempt to recognize and manage internal events
and external threats that affect the likelihood of a project’s
success
• It is all about
• What can go wrong (risk event)
• How to minimize the risk event’s impact (consequences)
• What can be done before an event occurs (anticipation)
• What to do when an event occurs (contingency plans)
Risk Event Graph
Risk Management Benefits
• A proactive rather than reactive approach
• Reduces surprises and negative consequences
• Prepares the project manager to take advantage of appropriate
risks
• Provides better control over the future
• Improves chances of reaching project performance objectives
within budget and on time
Risk Management Activities
Risk Management Activities
Risk Assessment
• The purpose of the risk assessment task is to identify the risks, analyse them,
and then prioritize them.
• For information systems projects, risk assessment consists of two traditional
components
• Risk Identification
• The risk identification activity focuses on enumerating possible risks to the project.
• The basic activity is to try to envision all situations that might make things in the project go
wrong.
• Risk Prioritization
• The risk prioritization activity considers all aspects of all risks and then prioritizes them (for the
purposes of risk management).
• Although identification and analysis are two distinct activities, they are often
carried out simultaneously.
• That is, a project manager may identify and analyse the risks together.
Risk Identification
• For a project, any condition, situation, or event that can occur and would
jeopardize the success of the project constitutes a risk.
• Identifying risks is therefore an exercise in envisioning what can go wrong.
• Methods that can aid risk identification include;
• checklists of possible risks
• Surveys
• meetings and brainstorming
• reviews of plans, processes, and work product
• Checklists of frequently occurring risks are probably the most common tool
for risk identification
• Software Engineering Institute (SEI) has also provided a taxonomy of risks to
aid in risk identification.
Risk Identification in Info Systems
• The commonly occurring risks for projects have been compiled from a
survey of previous projects.
• This list forms the starting point for identifying risks for the current
project.
• Frequently, the risks in the current project will appear on the list.
• A project manager can also use the process database to get
information about risks and risk management on similar projects.
• Evaluating and thinking about previously encountered risks also help
identify other risks that may be pertinent to this project but do not
Risk Prioritization
• In prioritizing risks, you identify the risks that should be
managed.
• In other words, prioritization determines where the extra effort of
risk management should be spent to get the maximum benefit.
• For this effort, two factors are important.
• First is the chance of a risk occurring; a more likely risk is a natural
candidate for risk management.
• Second is the effect of the risk; a risk whose impact is very high is also
a likely candidate.
Risk Prioritization
• Prioritization requires analyzing the possible effects of the risk
event in case it actually occurs.
• That is, if the risk materializes, what will be the loss to the project?
• The loss could include a direct loss, a loss due to lost business
opportunity or future business, a loss due to diminished
employee morale, and so on.
• Based on the possible consequences and the probability of the
risk event occurring, you can compute the risk exposure, which
you can then use for prioritizing risks.
Probability
• One way to prioritize risks is to estimate the probability of its
occurrence and its consequences when it does occur.
• The product of these values, the expected value of the loss
for the risk, can be used for prioritization.
• This expected value is called risk exposure.
• If Prob(R) is the probability of a risk R occurring and if
Loss(R) is the total loss incurred if the risk materializes, then
risk exposure, RE, for the risk is given by the following equation
RE (R) = Prob(R) x Loss(R)
Tools: Ratings and Ranges
Impact Categories
Probability of risk event happening
Level of Consequences Range
Low 0.0–3.0
Medium 3.0–7.0
High 7.0–9.0
Very high 9.0–10.0

• Method for Risk Prioritization 1

• For each risk, rate the probability of it
happening as low, medium, or high.
• If necessary, assign probability values in
the ranges given for each rating.
• For each risk, assess its impact on the
project as low, medium, high, or very high.
• If necessary, assign a weight on a scale of
1 to 10.
Tools: Ratings and Ranges
Impact Categories
Probability of risk event happening
Level of Consequences Range
Low 0.0–3.0
Medium 3.0–7.0
High 7.0–9.0
Very high 9.0–10.0

• Method for Risk Prioritization 2

• Rank the risks based on the probability
and effects on the project
• for example, a high-probability, high-
impact item will have higher rank than a
risk item with a medium probability and
high impact.
• In case of conflict, use your judgment (or
assign numbers to compute a numeric
value of risk exposure).
Risk Management Activities
Risk Management Activities
Risk Control
• Once a project manager has identified and prioritized the risks,
the question becomes what to do about them.
• Knowing the risks is of value only if you can prepare a plan so
that their consequences are minimal—that is the basic goal of
risk management.
• You minimize the effects of risk in the second step of risk
management: risk control.
• Essentially, this step involves planning the risk mitigation
followed by executing the plan and monitoring the risks.
Risk Management Planning
• To manage the risks, proper planning is essential.
• The main task is to identify the actions needed to minimize the risk
consequences, generally called risk mitigation steps.
• As with risk identification, you refer to a list of commonly used risk
mitigation steps for various risks and select a suitable risk mitigation step.
• The list used at Infosys appears in Table on the next slide.
• This table is a starting point not only for identifying risks but also for
selecting risk mitigation steps after the risks have been prioritized.
• As with identification, you are not restricted to the steps mentioned in the
table. You can use the process database to identify the risks and the risk
mitigation steps.
Risk Mitigation Table: Information Systems
(See 08_Tool_01)
Sequence Risk Category Risk Mitigation Steps
Number
1 Shortage of technically · Make estimates with a little allowance for initial learning time.
trained manpower · Maintain buffers of extra resources.
· Define a project-specific training program.
· Conduct cross-training sessions.
2 Too many requirement · Obtain sign-off for the initial requirements specification from the client.
changes · Convince the client that changes in requirements will affect the schedule.
· Define a procedure to handle requirement changes.
· Negotiate payment on actual effort.
3 Unclear requirements · Use experience and logic to make some assumptions and keep the client informed;
obtain sign-off.
· Develop a prototype and have the requirements reviewed by the client.
4 Manpower attrition · Ensure that multiple resources are assigned on key project areas.
· Have team-building sessions.
· Rotate jobs among team members.
· Keep extra resources in the project as backup.
· Maintain proper documentation of each individual's work.
· Follow the configuration management process and guidelines strictly.
Risk Management Activities
Risk Management Activities
Risk Management
Process
Risk Management
Process
• Step 1: Risk Identification
• Generate a list of possible risks
through brainstorming, problem
identification and risk profiling.
• Macro risks first, then specific events
• Step 2: Risk Assessment
• Scenario analysis
• Risk assessment matrix
• Failure Mode and Effects Analysis
(FMEA)
• Probability analysis
• Decision trees, NPV, and PERT
• Semiquantitative scenario analysis
Tools: Partial Risk Format for
Product Development Project
Various key questions
and factors to consider
when assessing project
risks and readiness in
different areas of project
management.
Risk Breakdown Structure (RBS)
• A Risk Breakdown Structure
(RBS) is a hierarchical
representation of risks that
could potentially affect a
project.
• It organizes risks into different
categories and subcategories
to provide a clear overview of
where project vulnerabilities
may lie.
• The structure is similar to a
Work Breakdown Structure
(WBS) but focuses on risk
rather than tasks.
Tools: Risk Severity Matrix
A Risk Severity Matrix is a
tool used in project
management to evaluate
and prioritize risks based on
their likelihood of
occurrence and potential
impact on the project.
Tools: Assessment Form
Tools: Impact Scales
Risk Management
Process
• Step 3: Risk Response Development
• Mitigating Risk
• Reducing the likelihood an adverse event will
occur
• Reducing impact of adverse event
• Transferring Risk
• Paying a premium to pass the risk to another
party
• Avoiding Risk
• Changing the project plan to eliminate the
risk or condition
• Sharing Risk
• Allocating risk to different parties
• Retaining Risk
• Making a conscious decision to accept the
risk
Contingency Planning
• Contingency Plan
• An alternative plan that will be used if a possible foreseen risk
event actually occurs
• A plan of actions that will reduce or mitigate the negative impact
(consequences) of a risk event
• Risks of Not Having a Contingency Plan
• Having no plan may slow managerial response
• Decisions made under pressure can be potentially dangerous and
costly
Response Matrix
Risks and Contingency Planning
• Technical Risks
• Backup strategies if chosen technology fails
• Assessing whether technical uncertainties can be resolved
• Schedule Risks
• Use of slack increases the risk of a late project finish
• Imposed duration dates (absolute project finish date)
• Compression of project schedules due to a shortened project
duration date
Risks and Contingency Planning
• Costs Risks
• Time/cost dependency links: costs increase when problems take
longer to solve than expected.
• Deciding to use the schedule to solve cash flow problems should be
avoided.
• Price protection risks (a rise in input costs) increase if the duration of a
project is increased.
• Funding Risks
• Changes in the supply of funds for the project can dramatically affect
the likelihood of implementation or successful completion of a project.
Contingency Funding and Time Buffers
• Contingency Funds
• Funds to cover project risks—identified and unknown
• Size of funds reflects overall risk of a project
• Budget reserves
• Are linked to the identified risks of specific work packages
• Management reserves
• Are large funds to be used to cover major unforeseen risks (e.g., change in project
scope) of the total project

• Time Buffers
• Amounts of time used to compensate for unplanned delays in the
project schedule
Risk Management
Process
• Step 4: Risk Response Control
• Risk control
• Execution of the risk response strategy
• Monitoring of triggering events
• Initiating contingency plans
• Watching for new risks
• Establishing a Change Management
System
• Monitoring, tracking, and reporting risk
• Fostering an open organization environment
• Repeating risk identification/assessment
exercises
• Assigning and documenting responsibility
for managing risk
Integrating Risk Management in the Project
Development Process
• Risk assessment and
monitoring take information
from project execution,
along with other factors, to
identify risks to be
managed.
• The risk management
activities, on the other
hand, affect the project's
process for minimizing the
consequences of the risk.