Project risk management is the art and science of identifying, assigning, and responding to risk throughout the life of a project and in the best interests of meeting project objectives

Risk management is often overlooked on projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimates

A study by Ibbs and Kwak shows how risk management is neglected, especially on IT projects

A KPMG study found that 55 percent of runaway projects did no risk management at all

A dictionary definition of risk is “the possibility of loss or injury”

Project risk involves understanding potential problems that might occur on the project and how they might impede project success

Risk management is like a form of insurance; it is an investment

Risk utility or risk tolerance is the amount of satisfaction or pleasure received from a potential payoff

Utility rises at a decreasing rate for a person who is risk-averse

Those who are risk-seeking have a higher tolerance for risk and their satisfaction increases when more payoff is at stake

The risk-neutral approach achieves a balance between risk and payoff

The goal of project risk management is to minimize potential risks while maximizing potential opportunities. Major processes include:

Risk management planning: deciding how to approach and plan the risk management activities for the project

Risk identification: determining which risks are likely to affect a project and documenting their characteristics

Qualitative risk analysis: characterizing and analyzing risks and prioritizing their effects on project objectives

Quantitative risk analysis: measuring the probability and consequences of risks

Risk response planning: taking steps to enhance opportunities and reduce threats to meeting project objectives

Risk monitoring and control: monitoring known risks, identifying new risks, reducing risks, and evaluating the effectiveness of risk reduction

The main output of risk management planning is a risk management plan

The project team should review project documents and understand the organization’s and the sponsor’s approach to risk

The level of detail will vary with the needs of the project

Contingency plans are predefined actions that the project team will take if an identified risk event occurs

Fallback plans are developed for risks that have a high impact on meeting project objectives

Contingency reserves or allowances are provisions held by the project sponsor that can be used to mitigate cost or schedule risk if changes in scope or quality occur

Several studies show that IT projects share some common sources of risk

The Standish Group developed an IT success potential scoring sheet based on potential risks

McFarlan developed a risk questionnaire to help assess risk

Other broad categories of risk help identify potential risks

Market risk: Will the new product be useful to the organization or marketable to others? Will users accept and use the product or service?

Financial risk: Can the organization afford to undertake the project? Is this project the best way to use the company’s financial resources?

Technology risk: Is the project technically feasible? Could the technology be obsolete before a useful product can be produced?

Risk identification is the process of understanding what potential unsatisfactory outcomes are associated with a particular project

Several risk identification tools and techniques include:

Brainstorming

The Delphi technique

Interviewing

SWOT analysis

Assess the likelihood and impact of identified risks to determine their magnitude and priority

Risk quantification tools and techniques include:

Probability/Impact matrixes

The Top 10 Risk Item Tracking technique

Expert judgment

Top 10 Risk Item Tracking is a tool for maintaining an awareness of risk throughout the life of a project

Establish a periodic review of the top 10 project risk items

List the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item

Many organizations rely on the intuitive feelings and past experience of experts to help identify potential project risks

Experts can categorize risks as high, medium, or low with or without more sophisticated techniques

Quantitative risk analysis often follows qualitative risk analysis, but both can be done together or separately

Large, complex projects involving leading-edge technologies often require extensive quantitative risk analysis

Main techniques include:

Decision tree analysis

Simulation

A decision tree is a diagramming method used to help you select the best course of action in situations in which future outcomes are uncertain

EMV is a type of decision tree where you calculate the expected monetary value of a decision based on its risk event probability and monetary value

Simulation uses a representation or model of a system to analyze the expected behavior or performance of the system

Monte Carlo analysis simulates a model’s outcome many times to provide a statistical distribution of the calculated results

To use a Monte Carlo simulation, you must have three estimates (most likely, pessimistic, and optimistic) plus an estimate of the likelihood of the estimate being between the optimistic and most likely values

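The following is an added example, not part of the original slides, of a Monte Carlo schedule simulation driven by exactly the four inputs named above. The task names, the day values, the `p_low` field, and the choice of a uniform draw within each segment are assumptions made for illustration.

```python
import random
import statistics

# Constructed sample estimates in days (not from the original page).
# p_low is the estimated likelihood that the actual value falls between
# the optimistic and most likely values.
TASKS = [
    {"name": "design", "opt": 8, "likely": 10, "pess": 16, "p_low": 0.3},
    {"name": "build", "opt": 20, "likely": 25, "pess": 40, "p_low": 0.4},
    {"name": "test", "opt": 5, "likely": 7, "pess": 14, "p_low": 0.5},
]


def sample_task(task, rng):
    """Draw one duration; uniform within each segment is an assumption."""
    if rng.random() < task["p_low"]:
        return rng.uniform(task["opt"], task["likely"])
    return rng.uniform(task["likely"], task["pess"])


def simulate(tasks, runs=10000, seed=1):
    """Return the sorted total durations of `runs` simulated projects."""
    rng = random.Random(seed)
    return sorted(sum(sample_task(t, rng) for t in tasks) for _ in range(runs))


def summarize(totals, deadline):
    """Summarize the distribution and the chance of meeting a deadline."""
    n = len(totals)
    return {
        "mean": statistics.fmean(totals),
        "p50": totals[n // 2],
        "p90": totals[int(n * 0.9)],
        "prob_on_time": sum(t <= deadline for t in totals) / n,
    }


if __name__ == "__main__":
    naive = sum(t["likely"] for t in TASKS)  # plan built from most likely values
    result = summarize(simulate(TASKS), deadline=naive)
    print(f"sum of most likely estimates: {naive} days")
    for key, value in result.items():
        print(f"{key}: {value:.2f}")
```

With these constructed inputs, a schedule built by adding up the most likely values is met in well under half of the simulated runs, which is the kind of result the statistical distribution exposes and a single-point estimate hides.
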
After identifying and quantifying risks, you must decide how to respond to them

Four main strategies:

Risk avoidance: eliminating a specific threat or risk, usually by eliminating its causes

Risk acceptance: accepting the consequences should a risk occur

Risk transference: shifting the consequence of a risk and responsibility for its management to a third party

Risk mitigation: reducing the impact of a risk event by reducing the probability of its occurrence

Monitoring risks involves knowing their status

Controlling risks involves carrying out the risk management plans as risks occur

Workarounds are unplanned responses to risk events that must be done when there are no contingency plans

The main outputs of risk monitoring and control are corrective action, project change requests, and updates to other plans

Risk response control involves executing the risk management processes and the risk management plan to respond to risk events

Risks must be monitored based on defined milestones and decisions made regarding risks and mitigation strategies

Sometimes workarounds or unplanned responses to risk events are needed when there are no contingency plans

Databases can keep track of risks. Many IT departments have issue tracking databases

Spreadsheets can aid in tracking and quantifying risks

More sophisticated risk management software, such as Monte Carlo simulation tools, helps in analyzing project risks

Unlike crisis management, good project risk management often goes unnoticed

Well-run projects appear to be almost effortless, but a lot of work goes into running a project well

Project managers should strive to make their jobs look easy to reflect the results of well-run projects