Software Project Management

SW Project Management
Managing Project Risk
INFO 420
Dr. Jennifer Booker
Chapter 8

Risk avoided
American culture avoids facing risk
- This leads to many problems in project management
- We want to stick our heads in the sand
  - Somehow that doesn’t make risks go away
- We need to manage risks proactively

Risk Management

“If you don’t actively attack risks, they will attack you” - Tom Gilb

Risk management is still looked upon as bad news - and messengers are still shot

What is risk?
A risk is something that might go wrong, which could affect the project outcome
- The key word is might
  - If the probability is zero, it isn’t a risk at all
  - If the probability is one, it’s certain to occur, and can be treated as a project constraint
  - So any risk has 0% < p < 100%

Risk management problems

Typical problems in risk management are
- Not valuing risk management (RM)
  - Some insist there is no benefit to doing RM
- Not allowing time for RM
  - RM takes time and effort, get over it!
- Not identifying and assessing risks consistently
  - Which can waste time and miss opportunities

Risk lessons learned

So a few lessons learned include
- Get commitment by all stakeholders, both to do RM, and agree on significant risks
- Identify an owner for each risk, so someone is actively managing it
- Look for typical risks for your type of project; patterns vary

RM elements

The main elements in risk management are
- Risk management planning
- Risk identification
- Qualitative and Quantitative risk analysis
- Risk response planning
- Risk monitoring and control

Risk Management Planning

Similar to security analysis:
- Identify threats
- Prevent threats
- Detect threats (not trivial with information systems!)
- Mitigate (reduce) the effects of the threats

Risk planning

The PMBOK defines risk as
- “An uncertain event or condition that, if it occurs, has a positive or negative effect on the project objectives”

So a risk can be a good thing
- We tend to think of the bad ones

Project reserves
A financial reserve is kept for most projects, in part for risk management
- Helps protect against
  - Flawed estimates
  - Minor anomalies (unexpected events)
  - Permanent variances (unexpected skill levels)
  - Minor variances (estimates slightly off)

Project risk management steps

Risk planning
- Get commitment from stakeholders
- Allocate resources
- Develop and approve RM plan

Risk identification
- Develop a list of risks, their causes and effects

Project risk management steps

Risk assessment
- Analyze the risks for probability and impact

Risk strategies
- Document how to respond to each risk if it occurs (risk response or mitigation plan)

Risk monitoring and control
- During project, look for known risks to occur, and identify new risks

Project risk management steps

Risk response
- Respond to risks that have occurred

Risk evaluation
- Find lessons learned, and how to improve future projects’ RM

Identifying IT project risks

The scope and context of risks can be a little intimidating at first, so we break the big problem into little ones
- Ultimately, any risk might affect the project’s MOV
- Which could result from changes in scope, quality, schedule, or budget

Identifying IT project risks
- These could result from people, legal, process, environment, technology, organization, product, or other issues
- These could be internal to your organization, or external
- Risks could be known risks, known-unknown risks (risk is known, extent is unknown), or completely unknown risks (unimaginable)

Identifying IT project risks
- And finally, risks could affect any part of the project life cycle:
  - Conceptualize and initialize the project
  - Develop project charter and plan
  - Execute and control the project
  - Close project
  - Evaluate project success

All clear?

That only gives:
- 1x4x7x2x3x5 = 840 ways to classify a risk!

Realistically, we only focus on the issues most likely to affect our project
- Our goal is to identify all the significant risks, not every conceivable risk!

Risk tools

Learning cycles
- For each suspected risk area, identify facts known about it, assumptions being made, and what needs to be researched in that area
- Test assumptions, and conduct research to identify specific risks

Brainstorming

Nominal Group Technique (NGT)
- Have everyone write down ideas on paper
- Write on flip chart, one idea from each person, until all are recorded
- Discuss and clarify the ideas
- Each person ranks and prioritizes the ideas
- Group discusses ranking and priorities
- Redo personal ranking and prioritization
- Summarize for the group

Risk tools
- Delphi technique – same as used for estimation, but use for identifying risks and their probability and impact
- Interviewing
- Checklists, typically from past projects or industry common risks

Risk tools
- SWOT analysis – look at organization and project’s strengths, weaknesses, opportunities and threats
- Past projects – the ideal solution for all project management problems!
  - Use lessons learned from previous projects

Risk tools

Cause and effect diagram, or fishbone diagram
- Start with a major type of risk
- Identify 4-6 categories of causes of that risk
- Brainstorm about ‘what could cause’ that risk to occur, based on the categories
- Fill in details until you’re bored
- Then eliminate known minimal risk areas or causes

Risk analysis and assessment
- Risk analysis estimates the probability and impact of each risk
- Risk assessment prioritizes risks to help define your risk strategy
  - Which risks are significant enough to prevent actively?
  - Which will require effort if they occur?

Qualitative vs quantitative

Both kinds of assessment can be done
- Use the former most of the time
- Use the latter for key risks in a steady environment

Caveat: the text is misleading about qualitative vs quantitative assessment
- What they call qualitative is really quantitative
- What they call quantitative is statistical process control (SPC)

Expected value

Think of ‘deal or no deal’
- If we have several possible outcomes, can calculate for each the probability and resulting payoff (or cost)
- Multiply probability and payoff to get the impact of each outcome
- Add impact outcomes to determine the overall expected value of all possible results

Decision Tree

This is a graphic form of a payoff table
- Nodes represent choices (and their costs) or probabilities
- Map out possible choices, and what their impact outcomes are
- Pick the highest impact outcome

Risk Impact Table

Great for analysis and prioritization of risks
- Define each risk, its probability, and impact
  - Impact could be in $ or effort to resolve the risk
- Multiply the latter to get the impact outcomes (P-I score)
- Sort risks by descending P-I score → instant prioritization! (risk rankings)

Risk Impact Table

You could* categorize risks by their general impact and probability
- Kittens – low probability and impact
- Puppies – high prob, low impact
- Alligators – low prob, high impact
- Tigers – high prob and impact, was good at golf

* I wouldn’t, but you could…

“Quantitative” approaches
- Those approaches will cover most situations and needs
- These approaches might apply if you have more extensive data on specific risks
- All are based on various types of probability distributions

Discrete probability distribution

When you’re measuring discrete events (it happens, or not) then a family of discrete probability distributions comes into play
- In these cases, calculate the probability of each individual event happening (x=0, x=1, etc.), and add them up
- A subset of these are binomial distributions, where events either happen, or not (like a coin flip, or someone dies)

Continuous probability distribution
- Often of interest is when a measurement can have real values (not just integers)
- This results in a continuous probability distribution
  - There are dozens of them: Gaussian, Poisson, Chi-square, F, Student T, etc.

Normal distribution

A normal (Gaussian) distribution is a bell curve
- It has a mean value m and a standard deviation s
- The probability of an event occurring is the area under the curve

If we know a risk follows a normal distribution, we can predict how likely it is to occur within a given range (e.g. of time)

PERT distribution

This goes with the PERT estimation technique
- The mean is (low + 4*likely + high)/6
- Std deviation is (high – low)/6

The PERT distribution is lopsided, since we know zero can’t occur

Triangular distribution

This is similar to a simplified PERT distribution
- The mean is (low + likely + high)/3
- Std dev = { [ (high-low)^2 + (likely-low)*(likely-high) ]/18 }^(1/2)

Simulations
- In studying the behavior of projects, we could try to determine how they are affected by changes in inputs (assumptions, task durations, etc.)
- The output of interest might be the project’s cost, schedule, customer satisfaction, etc.

Monte Carlo simulations

If we automate this kind of analysis, one approach is using a Monte Carlo simulation
- (Monte Carlo is the Las Vegas of Europe)

In a MC simulation, we define the probability distribution of the inputs we’ve defined

Monte Carlo simulations

Then the project results are simulated to see how they turn out
- This produces a histogram of outputs, with the mean duration, and can find the probability of finishing within a range of times

Tools exist (e.g. @Risk) to automate this kind of analysis

Tornado graph

This type of analysis can also produce a tornado graph, which is a bar chart emphasizing the highest risk tasks
- This is like a Pareto diagram
- Here the ‘highest risk’ also implies ‘has the highest probability of affecting the project schedule’

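The Monte Carlo and tornado slides above, worked as a small simulation using the triangular distribution from the earlier slide. This is an added example, not part of the original slides: the task names and day estimates are constructed, and tasks are assumed to run one after another and to be independent.

```python
import random
import statistics

# Constructed sample tasks in days, name -> (low, likely, high); not from the slides.
TASKS = {"requirements": (5, 8, 15), "design": (8, 10, 14),
         "build": (20, 30, 60), "test": (10, 12, 25)}

def tri_mean(low, likely, high):
    return (low + likely + high) / 3  # triangular mean, as on the slide

def tri_std(low, likely, high):
    # triangular standard deviation, as on the slide
    return (((high - low) ** 2 + (likely - low) * (likely - high)) / 18) ** 0.5

def simulate(tasks, runs=20000, seed=420):
    """Sample each task per run; assumes sequential, independent tasks."""
    rng = random.Random(seed)
    samples = {name: [] for name in tasks}
    totals = []
    for _ in range(runs):
        total = 0.0
        for name, (low, likely, high) in tasks.items():
            d = rng.triangular(low, high, likely)  # argument order: low, high, mode
            samples[name].append(d)
            total += d
        totals.append(total)
    return samples, totals

def prob_within(totals, lo, hi):
    """Fraction of simulated projects finishing between lo and hi days."""
    return sum(lo <= t <= hi for t in totals) / len(totals)

def pearson(xs, ys):
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5

def tornado(samples, totals):
    """Tasks ordered by correlation of their duration with the project total."""
    scores = {name: pearson(vals, totals) for name, vals in samples.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    samples, totals = simulate(TASKS)
    print("mean days:", round(statistics.fmean(totals), 1),
          "analytic:", round(sum(tri_mean(*t) for t in TASKS.values()), 1))
    print("P(60..80 days):", round(prob_within(totals, 60, 80), 3))
    for name, r in tornado(samples, totals):
        print(f"{name:13s}{'#' * int(r * 40)} {r:.2f}")
```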
Risk strategies
- Ok, so we have defined risks, and analyzed them to find the biggest threats
- Now we answer a big question: so what?
  - If these risks occur, what, if anything, will we do about it?
  - That’s our risk strategy, which is different for each risk

Risk strategies

How we select a strategy depends on
- Is the risk a threat or opportunity?
- How and when will the project be affected?
- How do we know if the risk is occurring (triggers or risk detection)?
- What impact does the risk have on MOV?

Risk strategies
- How many resources do we have to deal with this risk?
  - Remember the balance among scope, schedule, budget, and quality
- Can we modify a contract or assign resources or otherwise mitigate a risk?
- How tolerant are the stakeholders of this risk?

Risk strategy choices

In response to a risk, we can
- Accept or ignore the risk, if the impact is minimal, or we can’t do anything about it
  - Use financial reserves to deal with it
  - Have a contingency plan in place
- Avoid the risk (prevention)
  - Change the project to reduce the chance of the risk occurring

Risk strategy choices
- Mitigate the risk – lessen the impact of the risk after it has occurred
- Transfer the risk – give the problem to someone else!
  - Buy insurance, subcontract something out, etc.

Risk response plan
- Once key risks have been identified, and your strategies selected, put all this in a risk response plan
- For each risk, identify
  - What trigger tells you the risk has occurred
  - The owner of the risk (person, not group)
  - The risk response strategy

Risk monitoring and control

Now your job is to monitor the risk triggers to see which ones go off
- And then follow up with appropriate responses
- Tools exist, such as Risk Radar, to help do this

Can also conduct risk audits, reviews, or status meetings

Risk response

When a risk is triggered, your response plan is put into action
- May include following your mitigation strategy
- Could include assigning resources to deal with the risk

Risk evaluation

The process of risk management can be improved like any other through keeping lessons learned
- What risks did you identify?
- Which ones occurred?
- How severe was their impact?
- Did your risk strategy work or not? Why?

Summary
- Manage risks, or they will manage you
- Identify plausible risks
  - Quantify their probability and impact
- Identify significant risks
  - Develop strategies for dealing with them
- Keep an eye out for risks which occur, and follow your strategies for dealing with them