Risk Management

Computer Engineering 203 R Smith Risk Management 7/20091

Risk Management

The future can never be predicted with 100% accuracy.

Failure to plan for risks leads crisis management or firefighting

The lure of crisis management– Attention and visibility– Access to resources– Rewards

Computer Engineering 203 R Smith Risk Management 7/20092

What is a Risk?

Risk is a measure of the probability and consequence of not achieving a defined project goal.

A probability of occurrence of that event. Impact of the event occurring Risks change though out the life of a project

Computer Engineering 203 R Smith Risk Management 7/20093

Risk Management

Risk management is the act or practice of dealing with risk.

Risk management is proactive rather than reactive.

Risk management is not a separate activity but rather on aspect of sound project management.

Computer Engineering 203 R Smith Risk Management 7/20094

Common Mistakes in Risk Management

Not understanding the benefits of Risk Management

Not providing adequate time or resources for Risk Management

Not identifying and assessing risk using a standardized approach

Computer Engineering 203 R Smith Risk Management 7/20095

Requirements for successful risk management

Commitment by stakeholders Stakeholder responsibility Planning for risk management Creation of a risk management plan Committing resources to risk management Top 10 risk list

– Determine a manageable number of risks

Computer Engineering 203 R Smith Risk Management 7/20096

Resources for Risk Management

When looking at the resources to commit to risk management, one needs to consider the overall project size and the impacts of the risks.

The Survival Guide recommends about 5% of the total project resources on specific risk management activities.

Computer Engineering 203 R Smith Risk Management 7/20097

Risk Management Planning

Risk management planning is a on going process.

Develop a plan for risk identification. Determine the resources available for risks.

– What is available beyond the ordinary?– This is a good time for out of the box thinking

Computer Engineering 203 R Smith Risk Management 7/20098

Simplified Risk Management Process

Risk identification Risk analysis/evaluation Risk planning strategies Risk monitoring and control Risk response

Computer Engineering 203 R Smith Risk Management 7/20099

Risk Identification

The need to proactively identify risks.– When an event happens it is too late to plan.

Tools for identifying risk– Brainstorming– Nominal Group Technique

Each member identifies their ideas Each member writes an idea on the board until all ideas

are listed

Computer Engineering 203 R Smith Risk Management 7/200910

Risk Identification

The group discusses each idea Each individual ranks each of the ideas The group then ranks all the ideas Each individual ranks all the ideas again Rankings are summarized

– Delphi technique Experts asked individually to provide input Input summarized and distributed Experts rank input

Computer Engineering 203 R Smith Risk Management 7/200911

Risk Identification

– Strength, Weakness, Opportunities, Threats– Cause and effect diagrams– Past Projects

Computer Engineering 203 R Smith Risk Management 7/200912

Possible Risks

Creeping user requirements Excessive schedule pressure Low quality Cost overruns Poor estimates Low customer satisfaction Long schedules

Computer Engineering 203 R Smith Risk Management 7/200913

Qualitative Risk Analysis

Probability and Impact– Impacts a Software Project Manager is most likely

to face: Costs Schedule Quality

– Probability is most often determined by expert opinion and historical data

Computer Engineering 203 R Smith Risk Management 7/200914

Qualitative Analysis

Cause and Effect Diagrams Risk Impact Tables

Computer Engineering 203 R Smith Risk Management 7/200915

Quantitative Risk Analysis

Discrete probability distributions– Coin toss

Continuous probability distributions– Normal distribution or bell shaped curve

Running simulations– Using PERT to study the impact.

PERT does identify risks it only helps understand the impact

Computer Engineering 203 R Smith Risk Management 7/200916

Risk Response Planning

Who is going to detect when the risk occurs? Who has the responsibility to respond and

communicate? What is the response?

Computer Engineering 203 R Smith Risk Management 7/200917

Risk Strategies

Factors impacting the strategy– Impact of the risk– Project constraints– Tolerances

Strategy– Accept or Ignore

Provide reserves

– Contingency plans Natural disaster/backup plans

Computer Engineering 203 R Smith Risk Management 7/200918

Risk Strategies

– Avoidance, eliminate the risk – Mitigate, lessen the impact of the risk

Performance impact, provide extra hardware

– Transfer the risk Offsite backup planning Server farms Outside management

Computer Engineering 203 R Smith Risk Management 7/200919

Risk Monitoring and Control

Risk monitoring– Determine who is responsible for monitoring– How are risks monitored?

Project tracking, resources, quality, etc

– Communicating the status of identified risks Reviews and Audits

Once a risk is identified as occurring – Communicate– Take action

Computer Engineering 203 R Smith Risk Management 7/200920

Risk Response and Evaluation

Trigger the defined risk response plan– Identify the risk owner– Assign resources– Understand the impacts

PERTs, Dependencies Communicate

Evaluate once action is taken– Is more action needed?– What additional risks are triggered?

Computer Engineering 203 R Smith Risk Management 7/200921

Common Software Project Risks

Discussion of common risks– Requirements:

Feature creep Developer gold plating

– Quality Low quality Squeeze on testing time

– Over optimism Schedules Tools

Computer Engineering 203 R Smith Risk Management 7/200922

Common Software Project Risks

– Resources Not enough Weak personnel Contractor issues

– Customer Customer developer friction Customer acceptance