Software Project Management
SW Project Management
Managing Project Risk
INFO 420
Dr. Jennifer Booker
INFO 420
Chapter 8
1
Risk avoided
American culture avoids facing risk
This leads to many problems in project
management
We want to stick our heads in the sand
Somehow that doesn’t make risks go away
We need to manage risks proactively
Risk Management
“If you don’t actively attack risks, they will
attack you” - Tom Gilb
Risk management is still looked upon as
bad news - and messengers are still shot
What is risk?
A risk is something that might go wrong,
which could affect the project outcome
The key word is might
If the probability is zero, it isn’t a risk at all
If the probability is one, it’s certain to occur,
and can be treated as a project constraint
So any risk has 0% < p < 100%
Risk management problems
Typical problems in risk management are
Not valuing risk management (RM)
Some insist there is no benefit to doing RM
Not allowing time for RM
RM takes time and effort, get over it!
Not identifying and assessing risks consistently
Which can waste time and miss opportunities
Risk lessons learned
So a few lessons learned include
Get commitment by all stakeholders, both to
do RM, and agree on significant risks
Identify an owner for each risk, so someone is
actively managing it
Look for typical risks for your type of project;
patterns vary
RM elements
The main elements in risk management
are
Risk management planning
Risk identification
Qualitative and Quantitative risk analysis
Risk response planning
Risk monitoring and control
Risk Management Planning
Similar to security analysis:
Identify threats
Prevent threats
Detect threats (not trivial with
information systems!)
Mitigate (reduce) the effects of the threats
Risk planning
The PMBOK defines risk as
“An uncertain event or condition that, if it
occurs, has a positive or negative effect on
the project objectives”
So a risk can be a good thing
We tend to think of the bad ones
Project reserves
A financial reserve is kept for most
projects, in part for risk management
Helps protect against
Flawed estimates
Minor anomalies (unexpected events)
Permanent variances (unexpected skill levels)
Minor variances (estimates slightly off)
Project risk management steps
Risk planning
Get commitment from stakeholders
Allocate resources
Develop and approve RM plan
Risk identification
Develop a list of risks, their causes and effects
Project risk management steps
Risk assessment
Analyze the risks for probability and impact
Risk strategies
Document how to respond to each risk if it
occurs (risk response or mitigation plan)
Risk monitoring and control
During project, look for known risks to occur,
and identify new risks
Project risk management steps
Risk response
Respond to risks that have occurred
Risk evaluation
Find lessons learned, and how to improve
future projects’ RM
Identifying IT project risks
The scope and context of risks can be a
little intimidating at first, so we break the
big problem into little ones
Ultimately, any risk might affect the project’s MOV
Which could result from changes in scope,
quality, schedule, or budget
Identifying IT project risks
These could result from people, legal,
process, environment, technology,
organization, product, or other issues
These could be internal to your organization,
or external
Risks could be known risks, known-unknown
risks (risk is known, extent is unknown), or
completely unknown risks (unimaginable)
Identifying IT project risks
And finally, risks could affect any part of the
project life cycle:
Conceptualize and initialize the project
Develop project charter and plan
Execute and control the project
Close project
Evaluate project success
All clear?
That only gives:
1x4x7x2x3x5
= 840 ways to classify a risk!
Realistically, we only focus on the issues
most likely to affect our project
Our goal is to identify all the significant
risks, not every conceivable risk!
Risk tools
Learning cycles
For each suspected risk area, identify facts
known about it, assumptions being made, and
what needs to be researched in that area
Test assumptions, and conduct research to
identify specific risks
Brainstorming
Nominal Group Technique (NGT)
Have everyone write down ideas on paper
Write on flip chart, one idea from each
person, until all are recorded
Discuss and clarify the ideas
Each person ranks and prioritizes the ideas
Group discusses ranking and priorities
Redo personal ranking and prioritization
Summarize for the group
Risk tools
Delphi technique – same as used for
estimation, but use for identifying risks and
their probability and impact
Interviewing
Checklists, typically from past projects or
industry common risks
Risk tools
SWOT analysis – look at organization and
project’s strengths, weaknesses,
opportunities and threats
Past projects – the ideal solution for all
project management problems!
Use lessons learned from previous projects
Risk tools
Cause and effect diagram, or fishbone diagram
Start with a major type of risk
Identify 4-6 categories of causes of that risk
Brainstorm about ‘what could cause’ that risk to
occur, based on the categories
Fill in details until you’re bored
Then eliminate known minimal risk areas or causes
Risk analysis and assessment
Risk analysis estimates the probability and
impact of each risk
Risk assessment prioritizes risks to help
define your risk strategy
Which risks are significant enough to prevent
actively?
Which will require effort if they occur?
Qualitative vs quantitative
Both kinds of assessment can be done
Use the former most of the time
Use the latter for key risks in a steady environment
Caveat: the text is misleading about qualitative
vs quantitative assessment
What they call qualitative is really quantitative
What they call quantitative is statistical process
control (SPC)
Expected value
Think of ‘deal or no deal’
If we have several possible outcomes, can
calculate for each the probability and resulting
payoff (or cost)
Multiply probability and payoff to get the
impact of each outcome
Add impact outcomes to determine the overall
expected value of all possible results
Decision Tree
This is a graphic form of a payoff table
Nodes represent choices (and their costs) or
probabilities
Map out possible choices, and what their
impact outcomes are
Pick the highest impact outcome
Risk Impact Table
Great for analysis and prioritization of risks
Define each risk, its probability, and impact
Impact could be in $ or effort to resolve the risk
Multiply the latter to get the impact outcomes
(P-I score)
Sort risks by descending P-I score: instant
prioritization! (risk rankings)
Risk Impact Table
You could* categorize risks by their
general impact and probability
Kittens – low probability and impact
Puppies – high prob, low impact
Alligators – low prob, high impact
Tigers – high prob and impact, was good at
golf
* I wouldn’t, but you could…
“Quantitative” approaches
Those approaches will cover most
situations and needs
These approaches might apply if you have
more extensive data on specific risks
All are based on various types of
probability distributions
Discrete probability distribution
When you’re measuring discrete events (it
happens, or not) then a family of discrete
probability distributions comes into play
In these cases, calculate the probability of
each individual event happening (x=0, x=1,
etc.), and add them up
A subset of these are binomial distributions,
where events either happen, or not (like a
coin flip, or someone dies)
Continuous probability distribution
Often of interest is when a measurement
can have real values (not just integers)
This results in a continuous probability
distribution
There are dozens of them: Gaussian,
Poisson, Chi-square, F, Student T, etc.
Normal distribution
A normal (Gaussian) distribution is a bell curve
It has a mean value m and a standard deviation s
The probability of an event occurring is the area
under the curve
If we know a risk follows a normal distribution,
we can predict how likely it is to occur within a
given range (e.g. of time)
PERT distribution
This goes with the PERT estimation
technique
The mean is (low + 4*likely + high)/6
Std deviation is (high – low)/6
The PERT distribution is lopsided, since
we know zero can’t occur
Triangular distribution
This is similar to a simplified PERT
distribution
The mean is (low + likely + high)/3
Std dev = { [ (high-low)^2 + (likely-low)*(likely-high) ]/18 }^(1/2)
Simulations
In studying the behavior of projects, we
could try to determine how they are
affected by changes in inputs
(assumptions, task durations, etc.)
The output of interest might be the
project’s cost, schedule, customer
satisfaction, etc.
Monte Carlo simulations
If we automate this kind of analysis, one
approach is using a Monte Carlo
simulation
(Monte Carlo is the Las Vegas of Europe)
In a MC simulation, we define the
probability distribution of the inputs we’ve
defined
Monte Carlo simulations
Then the project results are simulated to
see how they turn out
This produces a histogram of outputs, with the
mean duration, and can find the probability of
finishing within a range of times
Tools exist (e.g. @Risk) to automate this
kind of analysis
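An added example, not part of the original slides: a Monte Carlo run in Python that samples each task duration from the triangular distribution described earlier, sums the tasks, and reports the mean, a histogram, and the probability of finishing within a range. The task names, the three-point estimates, the 35-day deadline, and the assumption that tasks run one after another with independent durations are all constructed for illustration.

```python
import random
import statistics

# Constructed three-point estimates in days (low, likely, high); not from the slides.
TASKS = {
    "design": (3, 5, 10),
    "build": (8, 12, 25),
    "test": (4, 6, 14),
    "deploy": (1, 2, 6),
}

def triangular_mean(low, likely, high):
    """Mean of a triangular distribution, as given on the slide."""
    return (low + likely + high) / 3

def triangular_std(low, likely, high):
    """Standard deviation of a triangular distribution, as given on the slide."""
    return (((high - low) ** 2 + (likely - low) * (likely - high)) / 18) ** 0.5

def simulate(tasks, runs=20000, seed=420):
    """Simulate total duration, assuming the tasks run one after another
    and their durations are independent."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    return [
        sum(rng.triangular(low, high, likely) for low, likely, high in tasks.values())
        for _ in range(runs)
    ]

def prob_within(totals, start, end):
    """Fraction of simulated projects finishing between start and end days."""
    return sum(start <= t <= end for t in totals) / len(totals)

def histogram(totals, width=3):
    """Count simulated totals per bin of `width` days, keyed by bin start."""
    bins = {}
    for t in totals:
        start = int(t // width) * width
        bins[start] = bins.get(start, 0) + 1
    return dict(sorted(bins.items()))

if __name__ == "__main__":
    totals = simulate(TASKS)
    print(f"simulated mean {statistics.mean(totals):.1f} days, "
          f"formula mean {sum(triangular_mean(*t) for t in TASKS.values()):.1f}")
    print(f"P(finish within 35 days) = {prob_within(totals, 0, 35):.2f}")
    for start, count in histogram(totals).items():
        print(f"{start:3d}-{start + 2:3d} days {'#' * (count // 200)}")
```

The simulated mean and standard deviation should land close to the values the triangular formulas give when summed over the tasks, which is a quick sanity check on any simulation of this kind.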
Tornado graph
This type of analysis can also produce a
tornado graph, which is a bar chart
emphasizing the highest risk tasks
This is like a Pareto diagram
Here the ‘highest risk’ also implies ‘has the
highest probability of affecting the project
schedule’
Risk strategies
Ok, so we have defined risks, and
analyzed them to find the biggest threats
Now we answer a big question: so what?
If these risks occur, what, if anything, will we
do about it?
That’s our risk strategy, which is different for
each risk
Risk strategies
How we select a strategy depends on
Is the risk a threat or opportunity?
How and when will the project be affected?
How do we know if the risk is occurring
(triggers or risk detection)?
What impact does the risk have on MOV?
Risk strategies
How many resources do we have to deal with
this risk?
Remember the balance among scope, schedule,
budget, and quality
Can we modify a contract or assign resources
or otherwise mitigate a risk?
How tolerant are the stakeholders of this risk?
Risk strategy choices
In response to a risk, we can
Accept or ignore the risk, if the impact is
minimal, or we can’t do anything about it
Use financial reserves to deal with it
Have a contingency plan in place
Avoid the risk (prevention)
Change the project to reduce the chance of the
risk occurring
Risk strategy choices
Mitigate the risk – lessen the impact of the risk
after it has occurred
Transfer the risk – give the problem to
someone else!
Buy insurance, subcontract something out, etc.
Risk response plan
Once key risks have been identified, and
your strategies selected, put all this in a
risk response plan
For each risk, identify
What trigger tells you the risk has occurred
The owner of the risk (person, not group)
The risk response strategy
Risk monitoring and control
Now your job is to monitor the risk triggers
to see which ones go off
And then follow up with appropriate
responses
Tools exist, such as Risk Radar, to help do this
Can also conduct risk audits, reviews, or
status meetings
Risk response
When a risk is triggered, your response
plan is put into action
May include following your mitigation strategy
Could include assigning resources to deal
with the risk
Risk evaluation
The process of risk management can be
improved like any other through keeping
lessons learned
What risks did you identify?
Which ones occurred?
How severe was their impact?
Did your risk strategy work or not? Why?
Summary
Manage risks, or they will manage you
Identify plausible risks
Quantify their probability and impact
Identify significant risks
Develop strategies for dealing with them
Keep an eye out for risks which occur, and
follow your strategies for dealing with them