Information Technology Project Management – Third Edition
By Jack T. Marchewka
Northern Illinois University

Copyright 2009 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.
Chapter 8: Managing Project Risk
Managing Project Risk
• The baseline project plan is based on a number of estimates and assumptions
• Estimation implies uncertainty, so managing the uncertainty is crucial to project success
• Project risk management is an important sub-discipline of software engineering
  - Focuses on identifying, analyzing and developing strategies for responding to project risk efficiently and effectively
  - The goal is to make well-informed decisions as to what risks are worth taking and to respond to those risks in an appropriate manner
  - Provides an early warning system for impending problems that need to be addressed or resolved
Common Mistakes in Managing Project Risk
• By not following a formal risk management approach, many projects end up in a perpetual crisis mode (firefighting) – reacting rather than being proactive
• Not understanding the benefits of risk management
  - Inability to make effective and timely decisions
  - Client wants results, not interested in how achieved. Managers take aggressive risks or may optimistically ignore risks which turn into threats to the project’s success
• Not providing adequate time for risk management
  - Should not be treated as an add-on but integrated throughout the project life cycle
  - Assess and plan for project risk in the earliest stages of the project
Common Mistakes in Managing Project Risk
• Not identifying and assessing risk using a standardized approach
  - Can overlook both threats and opportunities
  - Time and resources expended on problems that could have been avoided; opportunities will be missed
  - Decisions will be made without complete understanding or information
Effective & Successful Risk Management Requires
• Commitment by all stakeholders
  - Otherwise, the process will be sidestepped the moment a crisis arises and the project is in trouble
• Stakeholder responsibility
  - Each risk must have an owner who will take responsibility for monitoring the project in order to identify any new or increasing risks and report them to the project sponsor
• Different risks for different types of projects
  - You cannot manage all projects and risks the same way; this can lead to disaster
Definitions
• Risk
  - An uncertain event or condition that, if it occurs, has a positive or negative effect on the project objectives.
• Project Risk Management (PMBOK®)
  - Includes the processes concerned with conducting risk management planning, identification, analysis, responses, and monitoring and control of a project; most of these processes are updated throughout the project. The objectives of project risk management are to increase the probability and impact of positive events and decrease the probability and impact of events adverse to the project.
PMBOK® Risk Management Processes
• Risk management planning
  - Determining how to approach and plan the project risk management activities. An output of this process is the development of a risk management plan.
• Risk identification
  - Deciding which risks can impact the project. Risk identification generally includes many of the project stakeholders and requires an understanding of the project’s goal, as well as the project’s scope, schedule, budget, and quality objectives.
• Qualitative risk analysis
  - Focusing on a qualitative analysis concerning the impact and likelihood of the risks that were identified.
• Quantitative risk analysis
  - Using a quantitative approach for developing a probabilistic model for understanding and responding to the risks identified.
• Risk response planning
  - Developing procedures and techniques to reduce the threats of risks, while enhancing the likelihood of opportunities.
• Risk monitoring and control
  - Providing an early warning system to monitor identified risks and any new risks. This system ensures that risk responses have been implemented as planned and had the effect as intended.
IT Project Risk Management Processes
Risk Planning
• Requires firm commitment by all stakeholders to a RM approach
• Assures adequate resources are in place to plan properly for and manage the various risks of the IT project
  - Stakeholders also must be committed to the process
• Focuses on preparation
  - Systematic preparation and planning can help minimize adverse effects on the project while taking advantage of opportunities as they arise
Risk Identification
• Once commitment has been obtained and preparations have been made, the next step entails identifying the various risks to the project.
• Both threats and opportunities must be identified.
  - They must be identified clearly so that the true problem, not just a symptom, is addressed.
  - Causes and effects of each risk must be understood so that effective strategies and responses can be made.
  - Project risks are rarely isolated; they tend to be interrelated and affect the project and its stakeholders differently.
Risk Assessment
• Once the project risks have been identified and their causes and effects understood, the next step requires that we analyze these risks.
• Answers to two basic questions are required:
  - What is the likelihood of a particular risk occurring?
  - What is the impact on the project if it does occur?
• Assessing these risks helps the project manager and other stakeholders prioritize and formulate responses to those risks that provide the greatest threat or opportunity to the project.
• Because there is a cost associated with responding to a particular risk, risk management must function within the constraints of the project’s available resources.
Risk Strategies
• The next step of the risk planning process is to determine how to deal with the various project risks.
• In addition to resource constraints, an appropriate strategy will be determined by the project stakeholders’ perceptions of risk and their willingness to take on a particular risk.
• Essentially, a project risk strategy will focus on one of the following approaches:
  - Accept or ignore the risk.
  - Avoid the risk completely.
  - Reduce the likelihood or impact of the risk (or both) if the risk occurs.
  - Transfer the risk to someone else (i.e., insurance).
Risk Strategies
• In addition, triggers or flags in the form of metrics should be identified to draw attention to a particular risk when it occurs.
• This system requires that each risk have an owner to monitor the risk and to ensure that resources are made available in order to respond to the risk appropriately.
• Once the risks, the risk triggers, and strategies or responses are documented, this document then becomes the risk response plan.
Risk Monitoring & Control
• Once the salient project risks have been identified and appropriate responses formulated, the next step entails scanning the project environment so that both identified and unidentified threats and opportunities can be followed, much like a radar screen follows ships.
• Risk owners should monitor the various risk triggers so that well-informed decisions and appropriate actions can take place.

Risk Response
• Provides a mechanism for scanning the project environment for risks, but the risk owner must commit resources and take action once a risk threat or opportunity is made known. This action normally follows the planned risk strategy.
Risk Evaluation
• Responses to risks and the experience gained provide keys to learning.
  - A formal and documented evaluation of a risk episode provides the basis for lessons learned and lays the foundation for identifying best practices.
  - This evaluation should consider the entire risk management process from planning through evaluation.
  - It should focus on the following questions:
    - How did we do?
    - What can we do better next time?
    - What lessons did we learn?
    - What best practices can be incorporated in the risk management process?
• The risk planning process is cyclical because the evaluation of the risk responses and the risk planning process can influence how an organization will plan, prepare, and commit to IT risk management.
Risk Identification Framework
IT Project Risk Identification Framework
IT Project Risk Identification Framework
• At the core of the framework is the MOV
• Next layer includes the project objectives – scope, budget, schedule and quality. They play a critical role in supporting the MOV
• The third layer focuses on the sources of IT project risk
• The next layer focuses on whether the risks are internal or external
  - If a team member is not properly trained to use a technology, the risk can be mitigated or avoided by additional training or assigning the task to a more experienced team member
  - A PM may not be accountable for project cancellation if the project sponsor went bankrupt
  - A poorly performing external vendor is still the responsibility of the PM if s/he chose that vendor
IT Project Risk Identification Framework
• The fifth layer includes known risks, known-unknown risks and unknown-unknown risks
  - Known: events that are going to occur
  - Known-unknown: identifiable uncertainty
    - You pay an electricity bill each month, but the amount changes based on usage
  - Unknown-unknown: known only after they occur
IT Project Risk Identification Framework
• The final layer shows that though risk management is critical at the start of a project, vigilance for opportunities and problems is required throughout the entire project life cycle
Applying the IT Project Risk Identification Framework
• The framework can be used to understand a risk after it occurs
  - Vendor is hired to develop a BI system; client is sued and has to cut back on the project. Due to the importance of the project, it is broken into two phases (basic and bells-and-whistles).
    - Threat occurred in the Develop Project Charter and Project Plan phase
    - Unknown-unknown risk
    - External risk; PM and project team not responsible
    - Sources of risk – environment (economic), organizational (client) and people (if management is to blame)
    - Impact on scope, budget and schedule
    - MOV changes due to phased approach
Applying the IT Project Risk Identification Framework
• The framework can be used to proactively identify IT risks
  - Start from the outer core of the framework, analyzing the WBS and work packages to identify risks for each work package under the various project phases
  - Categorize known/unknown types
  - Categorize external/internal
  - Identify sources of risk (may be inter-related)
  - Assess how a particular risk will impact the project objectives and in turn the MOV
  - See paper on website “Performing a Project Premortem”
  - Can also be used going from the inner core and working out
Risk Identification Tools & Techniques
• Learning Cycles
  - Identify facts (what is known), assumptions (what they think they know) and research (things to find out) to identify various risks
• Brainstorming
  - Use IT risk framework and the WBS to identify risks
• Nominal Group Technique
  - Structured technique for identifying risks that attempts to balance and increase participation
  - Ideas discussed, prioritized, priorities discussed, prioritized again and summarized
• Delphi Technique
  - Group of experts assembled to identify potential risks and their impact on the project
Risk Identification Tools & Techniques
• Interviews
  - Gain alternative opinions from stakeholders about risks
• Checklists
  - Structured tool for identifying risks that have occurred in the past
  - Be aware of things not on the list
• SWOT Analysis
  - Strengths, weaknesses, opportunities and threats
  - Identify threats and opportunities as well as their nature in terms of the project or organizational strengths and weaknesses
• Cause & Effect (a.k.a. Fishbone/Ishikawa)
  - Can be used for understanding the causes and factors of a particular risk as well as its effects
• Past Projects
  - Lessons learned from earlier projects
Nominal Group Technique (NGT)
1. Each individual silently writes their ideas on a piece of paper
2. Each idea is then written on a board or flip chart one at a time in a round-robin fashion until each individual has listed all of his or her ideas
3. The group then discusses and clarifies each of the ideas
4. Each individual then silently ranks and prioritizes the ideas
5. The group then discusses the rankings and priorities
6. Each individual ranks and prioritizes the ideas again
7. The rankings and prioritizations are then summarized for the group
Risk Check List
• Funding for the project has been secured
• Funding for the project is sufficient
• Funding for the project has been approved by senior management
• The project team has the requisite skills to complete the project
• The project has adequate manpower to complete the project
• The project charter and project plan have been approved by senior management or the project sponsor
• The project’s goal is realistic and achievable
• The project’s schedule is realistic and achievable
• The project’s scope has been clearly defined
• Processes for scope changes have been clearly defined
Cause & Effect Diagram
Risk Analysis & Assessment
Risk = f(Probability * Impact)
• Risk analysis – determine each identified risk’s probability and impact on the project
• Risk assessment – focuses on prioritizing risks so that an effective strategy can be formulated for those risks that require a response.
Depends on stakeholder risk tolerances
Can’t respond to all risks!
Risk Analysis & Assessment
Qualitative Approaches
• Expected Value & Payoff Tables
  - Determine the return or profit the project will return
• Decision Trees
  - Graphical view of various decisions and outcomes
• Risk Impact Table & Ranking
  - Analyze and prioritize various IT project risks
• Tusler’s Risk Classification
Expected Value & Payoff Tables
• Expected value is an average, taking into account the probability and impact of various outcomes
• Expected return on the project

Schedule Risk                     Probability (A)   Payoff (B, in thousands)   Prob * Payoff (A*B, in thousands)
Project completed 20 days early   5%                $200                       $10
Project completed 10 days early   20%               $150                       $30
Project completed on schedule     50%               $100                       $50
Project completed 10 days late    20%               $0                         $0
Project completed 20 days late    5%                $(50)                      ($3)
Total                             100%                                         $88  (the expected value)
Decision Trees
Decision tree figure; the legible labels are a branch valued at $10,000 + .05 * $2,000 and a branch annotated “Least cost but small probability of success”.
Risk Impact Table

Risk (Threats)                                             Probability (0 - 100%)   Impact (0-10)   Score (P*I)
Key project team member leaves project                     40%                      4               1.6
Client unable to define scope and requirements             50%                      6               3.0
Client experiences financial problems                      10%                      9               0.9
Response time not acceptable to users/client               80%                      6               4.8
Technology does not integrate with existing application    60%                      7               4.2
Functional manager deflects resources away from project    20%                      3               0.6
Client unable to obtain licensing agreements               5%                       7               0.4
Risk Rankings

Risk (Threats)                                             Ranking
Response time not acceptable to users/client               1
Technology does not integrate with existing application    2
Client unable to define scope and requirements             3
Key project team member leaves project                     4
Client experiences financial problems                      5
Functional manager deflects resources away from project    6
Client unable to obtain licensing agreements               7
Risk Analysis & Assessment
Qualitative Approaches
• Tusler’s Risk Classification
  - Risk scores can be further analyzed using the following quadrants:
    - Kittens – low probability of occurring and low impact. Don’t spend much time or resources on them, whether positive or negative
    - Puppies – low impact but high probability of occurring. Must be watched so corrective action can be taken before they get out of hand
    - Tigers – high impact and high probability. Deal with them tout de suite.
    - Alligators – low probability but high impact if they get loose. Make sure you know where they are
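The scoring, ranking and quadrant assignment from the Risk Impact Table, Risk Rankings and Tusler slides, as an added worked example (not code from the textbook): it recomputes each threat’s P*I score, reproduces the ranking order, and sorts each threat into Tusler’s quadrants. The 50% probability and 5 impact cut-offs for “high” are an assumption; the slides give no numeric thresholds.

```python
"""Risk = Probability * Impact scoring, ranking and Tusler quadrants.
Added example, not textbook code; the 50% / 5 "high" cut-offs are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import ROUND_HALF_UP, Decimal

# Constructed from the slide's Risk Impact Table: (threat, probability, impact 0-10).
RISKS = [
    ("Key project team member leaves project", "0.40", 4),
    ("Client unable to define scope and requirements", "0.50", 6),
    ("Client experiences financial problems", "0.10", 9),
    ("Response time not acceptable to users/client", "0.80", 6),
    ("Technology does not integrate with existing application", "0.60", 7),
    ("Functional manager deflects resources away from project", "0.20", 3),
    ("Client unable to obtain licensing agreements", "0.05", 7),
]

# Assumed thresholds for "high" probability and "high" impact; the slides give none.
HIGH_PROB = Decimal("0.50")
HIGH_IMPACT = 5


@dataclass
class ScoredRisk:
    name: str
    probability: Decimal
    impact: int
    score: float      # P * I, rounded half-up to one decimal as on the slide
    quadrant: str


def tusler_quadrant(probability, impact: int) -> str:
    """Map a (probability, impact) pair to one of Tusler's four animals."""
    high_p, high_i = probability >= HIGH_PROB, impact >= HIGH_IMPACT
    if high_p and high_i:
        return "Tiger"       # high/high: deal with immediately
    if high_p:
        return "Puppy"       # low impact, high probability: watch closely
    if high_i:
        return "Alligator"   # low probability, high impact: know where they are
    return "Kitten"          # low/low: spend little time or resources


def score_risks(risks=RISKS) -> list[ScoredRisk]:
    """Score every risk as P * I and return them ranked highest first."""
    scored = []
    for name, prob, impact in risks:
        p = Decimal(prob)
        # Decimal avoids 0.05 * 7 landing on 0.3499... and rounding down to 0.3.
        score = (p * impact).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)
        scored.append(ScoredRisk(name, p, impact, float(score), tusler_quadrant(p, impact)))
    scored.sort(key=lambda r: r.score, reverse=True)  # stable sort: ties keep slide order
    return scored


def ranking(risks=RISKS) -> list[tuple[int, str]]:
    """(rank, threat) pairs with rank 1 = highest score, as on the Risk Rankings slide."""
    return [(rank, r.name) for rank, r in enumerate(score_risks(risks), start=1)]
```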
Tusler’s Risk Classification
Figure: Tusler’s Risk Identification Scheme, a probability/impact grid whose quadrants are labelled “Low prob/low impact”, “Can be troublesome”, “Must be neutralized” and “Not a problem (if you know where they are)”.
Risk Analysis & Assessment
Quantitative Approaches
• Quantitative Probability Distributions
  - Discrete
    - Binomial
  - Continuous
    - Normal
    - PERT
    - TRIANG
Binomial Probability Distribution
• Discrete Probability Distribution

Normal Distribution
• Continuous Probability Distribution
  - Useful when an event has an infinite number of possible values in a stated range
Normal Distribution
• Properties
  - Distribution shaped by its mean (μ) and standard deviation (σ)
  - Probability is associated with the area under the curve.
    - Area between any two points is obtained via a z score: z = (x - μ)/σ
    - Since the normal distribution is symmetrical around the mean, an outcome is as likely to fall below μ as above μ
  - Rules of thumb with respect to observations, approximately:
    - 68% fall within ±1 standard deviation of the mean
    - 95% fall within ±2 standard deviations of the mean
    - 99% fall within ±3 standard deviations of the mean
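An added example, not from the textbook, that applies the z score and area-under-the-curve properties above to a schedule estimate: the mean of 18 days and standard deviation of 2 days are constructed sample values, and the standard normal area is computed with math.erf rather than a statistics package.

```python
"""Schedule risk under a normal distribution, using z = (x - mu) / sigma.
Added example, not textbook code; MU and SIGMA below are constructed values.
"""
from __future__ import annotations

import math


def z_score(x: float, mu: float, sigma: float) -> float:
    """Standardise x: how many standard deviations it lies from the mean."""
    if sigma <= 0:
        raise ValueError("sigma must be positive")
    return (x - mu) / sigma


def std_normal_cdf(z: float) -> float:
    """Area under the standard normal curve to the left of z."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def prob_at_most(x: float, mu: float, sigma: float) -> float:
    """P(X <= x): the chance of finishing by day x."""
    return std_normal_cdf(z_score(x, mu, sigma))


def prob_between(lo: float, hi: float, mu: float, sigma: float) -> float:
    """P(lo <= X <= hi): the area between two points is the difference of two z-score areas."""
    if lo > hi:
        lo, hi = hi, lo
    return prob_at_most(hi, mu, sigma) - prob_at_most(lo, mu, sigma)


def rule_of_thumb(mu: float, sigma: float) -> dict[int, float]:
    """Probability mass within +/-1, +/-2 and +/-3 standard deviations (the 68/95/99 rule)."""
    return {k: prob_between(mu - k * sigma, mu + k * sigma, mu, sigma) for k in (1, 2, 3)}


if __name__ == "__main__":
    MU, SIGMA = 18.0, 2.0  # constructed: estimated duration 18 days, sd 2 days
    print(f"P(finish by day 17) = {prob_at_most(17, MU, SIGMA):.1%}")
    print(f"P(17 <= days <= 21) = {prob_between(17, 21, MU, SIGMA):.1%}")
    for k, p in rule_of_thumb(MU, SIGMA).items():
        print(f"within +/-{k} sd of the mean: {p:.2%}")
```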
PERT Distribution
PERT Mean = (a + 4m + b)/6
Where:
a = optimistic estimate
m = most likely
b = pessimistic
Triangular Distribution
TRIANG Mean = (a + m + b)/3
Where:
a = optimistic estimate
m = most likely
b = pessimistic
Simulations
• Monte Carlo
  - Technique that randomly generates specific values for a variable with a specific probability distribution
  - Goes through a number of trials or iterations and records the outcome
• @RISK®
  - An MS Project® add-in that provides a useful tool for conducting risk analysis of your project plan
  - Uses Monte Carlo simulation to show you many possible outcomes in your project – and tells you how likely they are to occur.
  - You can determine which tasks are most important and then manage those risks appropriately. Helps you choose the best strategy based on the available information.
  - http://www.palisade.com/riskproject/default.asp
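An added example, not from the textbook or the @RISK product, showing what the Monte Carlo approach described above does with the chapter’s PERT and TRIANG estimates: each trial draws every task’s duration from a triangular distribution and records the total, so cumulative probabilities of the form “x% chance of completing in n days” can be read off the trials. The task list and its three-point estimates are constructed.

```python
"""Monte Carlo schedule simulation from three-point estimates.
Added example, not textbook or @RISK code; the task list is constructed.
"""
from __future__ import annotations

import random

# Constructed estimates in days: task -> (optimistic a, most likely m, pessimistic b).
TASKS = {
    "Gather requirements": (3, 5, 10),
    "Design": (4, 6, 12),
    "Build": (8, 12, 20),
    "Test": (3, 4, 9),
}


def pert_mean(a: float, m: float, b: float) -> float:
    """PERT mean from the slides: (a + 4m + b) / 6."""
    return (a + 4 * m + b) / 6


def triang_mean(a: float, m: float, b: float) -> float:
    """TRIANG mean from the slides: (a + m + b) / 3."""
    return (a + m + b) / 3


def simulate_total_duration(tasks=TASKS, trials: int = 10_000, seed: int = 1) -> list[float]:
    """Each trial draws every task from TRIANG(a, m, b) and sums the draws.

    Returns one simulated project total per trial. A fixed seed keeps the
    run reproducible; simulation tools draw thousands of such trials.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        # random.triangular(low, high, mode): the mode m is the third argument.
        totals.append(sum(rng.triangular(a, b, m) for a, m, b in tasks.values()))
    return totals


def prob_within(totals: list[float], days: float) -> float:
    """Cumulative probability: share of trials finishing in at most `days`."""
    return sum(1 for t in totals if t <= days) / len(totals)


def percentile(totals: list[float], pct: float) -> float:
    """Duration at the given percentile; the 5th and 95th bound a 90% interval."""
    ordered = sorted(totals)
    k = min(len(ordered) - 1, int(pct / 100 * len(ordered)))
    return ordered[k]


if __name__ == "__main__":
    for name, (a, m, b) in TASKS.items():
        print(f"{name}: PERT mean {pert_mean(a, m, b):.1f} d, TRIANG mean {triang_mean(a, m, b):.1f} d")
    totals = simulate_total_duration()
    lo, hi = percentile(totals, 5), percentile(totals, 95)
    print(f"90% of trials finish between {lo:.1f} and {hi:.1f} days")
    print(f"P(finish within 30 days) = {prob_within(totals, 30):.1%}")
```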
Monte Carlo Simulation

Output From Monte Carlo Simulation
90.4% chance of completing between 13.8 and 21.7 days

Cumulative Probability Distribution
40% chance of completing in 17 days

Sensitivity Analysis Using a Tornado Graph
Risk Strategies Depend On
• The nature of the risk
  - Really an opportunity or threat?
  - Probability? Impact?
• Impact on MOV and project objectives
• Project constraints
  - Available resources?
• Risk tolerances or preferences of the project stakeholders
Risk Strategies Responses
• Accept or Ignore
  - Management Reserves
    - Released by senior management, usually not included in project’s budget
  - Contingency Reserves
    - Part of project’s budget
  - Contingency Plans (Plan B)
    - Disaster recovery plan in case of a natural disaster
• Avoidance – eliminate the risk from occurring
• Mitigate
  - Reduce the likelihood or impact (or both)
• Transfer
  - e.g. insurance, subcontract to someone who has more expertise
Risk Response Plan should include:
• A trigger which flags that the risk has occurred
• An owner of the risk (i.e., the person or group responsible for monitoring the risk and ensuring that the appropriate risk response is carried out)
• A response based on one of the four basic risk strategies
• Adequate resources
Risk Monitoring & Control
• Risk Audits
  - External to project team
• Risk Reviews
  - Internal but outside the project team
• Risk Status Meetings & Reports
Project Risk Radar
Monitoring project risks is analogous to a radar scope where threats and opportunities may present themselves at different times over the project
Risk Evaluation
• Lessons learned and best practices help us to:
  - Increase our understanding of IT project risk in general.
  - Understand what information was available to managing risks and for making risk-related decisions.
  - Understand how and why a particular decision was made.
  - Understand the implications not only of the risks, but also the decisions that were made.
  - Learn from our experience so that others may not have to repeat our mistakes.