Risk management for ICT project management

Risk Management in International ICT Project Management

1 | P a g e 1 6

Table of Contents Introduction: ........................................................................................................................................... 2

Definition of risk and risk management: .................................................................................................. 3

Why risk management:............................................................................................................................ 4

Risk Management Process: ...................................................................................................................... 5

Risk Management Planning:................................................................................................................. 7

Risk Identification: ............................................................................................................................... 7

Tools and Techniques for Risk Identification: ................................................................................... 7

Qualitative Risk Analysis: ..................................................................................................................... 8

Tools and Techniques for Qualitative Risk Analysis: .......................................................................... 8

Quantitative Risk Analysis: ................................................................................................................... 9

Tools and Techniques for Quantitative Risk Analysis: ....................................................................... 9

Risk Response Planning:..................................................................................................................... 10

Monitoring and Control: .................................................................................................................... 11

Issues that are not addressed in PMBOK:............................................................................................... 12

Building a risk-based organization:..................................................................................................... 12

Program and portfolio management: ................................................................................................. 12

Crisis and Crisis Contingency Plan: ......................................................................................................... 12

Case Study: ............................................................................................................................................ 13

Analysis of the case study: ................................................................................................................. 14

Conclusion:............................................................................................................................................ 15

References and Bibliography ................................................................................................................. 16


2 | P a g e 1 6

Introduction: Risk management in international ICT project management has a growing concern these days. It is a

rapidly growing discipline and has varied description what it actually involves, how it should be

conducted and what it is for. For this reason institutions like AIRMIC and IRM (2002) argue that some

form of standard is needed to ensure,

Terminology related to the words used is risk management or project management as in general.

Process by which risk management can be carried out.

Organization structure for risk management.

Objective for risk management.

On the other hand as world advances, many high cost high risk projects are beginning to start off.

Astonishingly, most of the big projects are failing. One of the key reasons point out by Matta and

Ashkenas (2005),

Managers use project plans, timelines and budgets to reduce what we call “execution risk” - the

risk that the designated activities won’t be carried out properly – but inevitably neglect these

two other critical risks – the “White Space Risk” that some required activities won’t be identified

in advance, leaving gaps in the project plan, and the “Integration Risk” that the disparate

activities won’t come together at the end.

There are also other problems associated with the ICT project risks. Often project managers do not have

any risk cost estimation Staw and Ross (2005) and when the project cost grows way beyond budget,

they do another mistake which is stated by Davis (2005),

Project managers nevertheless attempt to solve the problem by making cuts. In general they

rarely perceive hardware cuts such as equipment – as feasible. Rather, they see as the easiest

areas to cut those with least obvious benefits – managerial and design overhead, process

control software, quality assurance programs and test procedures. Ironically, these are the very

areas whose costs are often underestimated in the first place.

So we can clearly understand that successful risk management in ICT project has both direct and indirect

influence over the project outcome. It is for this reason risk management now is a very important factor

in project management. In this paper first I will try to provide an acceptable definition of risk in ICT

project management. Then I will give a very brief description of the risk management process proposed

by Project Management Body of Knowledge (PMBOK). I will then go on to provide a definition of crisis

management, give an analysis of a case study of a project risk management.


3 | P a g e 1 6

Definition of risk and risk management: Every one of us takes risks in daily basis. I car might crash into us while we are walking down the street.

This is not something that always happens. But there is always a probability of happening such things.

Same is true for any project as well. Risks are events in any projects that are not always occur but there

are chances that those events come into effect. Project managers always make project plan, keeping

those events in mind. Not only that, being a project manager you also have to have a contingency plan if

the risk might occur and for that you have to allocate adequate money and the resources. It is therefore

a trade off between actual project and the contingency planning in terms of money, resource and time a

project manager is allowed to spend. That’s why risk identification and according management of the

risks are crucial factors of project management.

Let me present two definition of risk,

1. Risk is an event that may occur and when it does it will threaten the successful delivery of the

project. Barker (2007)

2. Risk is any uncertainty in the project plan that you can potentially control or at least track.

Barkley (2004).

So if we combine the two definitions we get following feature of risk in projects. A risk is,

An uncertainty in project.

When it occurs, it threatens the successful delivery of the project in terms of money and time.

It can be potentially controlled or at least track. Risk management is a central part of any organization’s strategic management. It is the process whereby organizations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all projects. The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organization. It marshals the understanding of the potential upside and downside of all those factors which can affect the organization. It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organization’s overall objectives. Let us take look at two definitions,

1. Risk management is an approach to anticipating and dealing with events that can cause

significant deviation from the project plan. On another level, risk management helps you pin point your plan’s weaknesses and gives a useful insight to your project’s health. Barker and Cole (2007).

2. A successful risk management process is one in which risks are continuously identified and

analyzed for relative importance. Risks are mitigated, tracked and controlled to effectively use

program resources. Problems are prevented before they occur and personnel consciously focus

on what could affect product quality and schedules. (Software Engineering Institute, 2003 cited

in Barkley, 2004)


4 | P a g e 1 6

Risk like most of the elements of the other planning processes, changes as the project progresses, and should be monitored throughout the project. As you get close to a risk event, it the time to reassess you original assumptions about the risk and your plans to deal with the risk and to make any adjustments if the risk required it.

Why risk management:

Big projects fail at an astonishing rate - more than half the time. It’s not hard to understand

why. Complicated projects are customarily developed a series of teams working along parallel

tracks. If manager fail to anticipate everything might fall through cracks. Matta and Askkenas

(2005).

There are many examples of projects which encounter drastic failure because they did not have risk

identified prior to the occurrence. We have to keep in mind that project management is after all a

practice. It is a continuous, practical way of learning knowledge. Usually the project managers want to

replicate the best practices of the previous projects, on to the existing projects they are involved in. If

the baseline projects had any bad practices that went undetected, the project managers often tend to

replicate the same mistakes in similar projects. It can happen in the case of identifying risks as well. If a

risk actually occurred in a project and somehow went undetected, then there is a string possibility of the

risk to be repeated in similar projects later on.

According to Barrow (2007) there are four reasons why risk should be managed.

1. To minimize delays.

Project delivery time is very crucial to the stakeholders of the project. If the potential risks are

identified before the outset of the project and appropriate mitigation plan is taken when they

occur, the project results in fewer delays. And the knowledge earned mitigating the risk can be

stored and used in later projects and studies.

2. To reduce cost.

When a potential risk occurs then arranging resource to manage the risk become very much

time and cost consuming. And one of the toughest parts of project management is managing

human resource effectively.

Let us take an example, while working in task A the project team faces a risk. Because the

mitigation plan was not well managed, the project manager calls in Team member X to come

and solve the problem. But at that moment team member X was busy working in task B and

further more this task depends upon the result or outcome of task A. We can easily understand


5 | P a g e 1 6

then the whole project is in dead lock situation. And while team member X is busy doing the

task B, actually he is doing nothing but sitting idle. And the as he does not do anything in incurs

cost for the project.

3. To improve ROI

What happens when projects come in late, over budget or fail entirely? Well the simple answer

is this a project's financial return can be slashed when it delivers late, over budget, or a

combination of both, while a project that is abandoned before completion costs the company

not just the money invested in the project, but also reputation owned by the company achieved

by great hardship.

Risk management provides the means by which companies can ensure a return on investment. Avoiding late delivery means that projects start repaying their investment earlier. Avoiding cost overruns means that profits margins are preserved. Avoiding de-scoping means the full business benefits are achieved as expected. Furthermore allocated budgets for the risk which has not occurred, can be used elsewhere which also helps in a way to increase profit.

4. To increase the number of opportunity.

There is a common proverb in project management. That is, “In a perfect world there is no need

of managers.” The extent of how well the project is planned for risk and change management,

actually determines how much a project manager needs to work when the project is on the go.

When all the risk are effectively indentified and successfully mitigated, then as a project

manager a person may find out that he/she has a lot of time left when project is running. On

that spare time the project manager can concentrate on other opportunities which can enhance

the output of the project furthermore.

Risk Management Process: The figure on the next page shows the steps for risk management in a project according to the PMBOK

2003 cited from Barkley (2004).


6 | P a g e 1 6

Risk Management

Planning

Risk

Identification

Qualitative Risk

Analysis

Quantitative Risk

Analysis

Risk Response

Planning

Risk Monitoring

and Control

1. Risk management

plan.

2. Identified risks.

3. Project status and

type.

4. Scales of

probability and

impact.

5. Assumptions.

1. Organization’s

policies

2. Role of the

resources

3. WBS

1. Risk management

plan.

2. Risk categories.

3. Historical

information.

1. Risk management

plan.


3. Expert judgement.

1. Risk management

plan.


3. List of quantified

risk.

4. Probabilistic analysis

of the risk standings of

the project.

5. Risk threshold.

6. Common trends on

risk,

1. Risk management

plan.

2. Risk response

plan.

3. Change of the

project scope

1. Workaround plan.

2. Corrective action.

3. Project change

request.

4. Update to risk

response plan.

5. Risk database..

6. Updates to risk

identification

checklists.

1.Risk response

plan.

2. inputs to revised

project plans.

1.Risk response

plan.

2. inputs to revised

project plans.

1.Risk ranking.

2. List of prioritized

risk.

3. Trends in

qualitative risk

analysis results.

1. Risk management

plan.

1.Risks.

2. Triggers.

Inputs

Desired Outputs


7 | P a g e 1 6

Different project management body has defined these steps in different ways. Some renowned authors

like Barker and Cole (2007) does not believe that phases such as risk management planning exist in risk

management planning. However, guidelines set by Project Management Body of Knowledge is more

acclaimed and taken as standards by many project managers. Bellow more elaborate explanation of risk

management process taken from PMBOK.

Risk Management Planning: According to Heldman (2005) risk management planning is defined,

Risk management planning details how risk management processes will be implemented,

monitored and controlled throughout the life of the project.

According to PMBOK there is only one technique is of the risk planning process. And that is meeting

among the stakeholders of the project. In these risk management planning meetings, the fundamental

plan for the risk management activities will be discussed and documented. The key outcomes of these

meetings are as follows,

1. Risk cost elements are developed for inclusion in project budget.

2. Schedule activities are developed for inclusion in project schedule.

3. Ownership for the risks is assigned.

4. Templates for the risk categories are defined and modified for this project.

5. Definitions of terms (i.e probability, impact, risk type, risk levels) are developed and

documented.

6. Probability impact matrix is defined and modified according to the project need.

Risk Identification: Risk management process involves all the activities to identify the risks that might have an impact on the

project and documenting them. Risk management is an iterative process. As the project progresses, new

risks that have not been thought about can appear. Those risks are also documented as the

documentation will come in handy in same kind projects later on.

Tools and Techniques for Risk Identification:

There are number of tools and techniques available for identifying risk, a brief description of those

techniques are provided as follows,

Documentation review:

This technique involves going through historical data, assumptions, project plans and project’s

outcome. After having a clear idea of these factors project managers try to figure out what

might appear as a risk in project management.


8 | P a g e 1 6

Information gathering:

Information gathering is probably the most common risk identification technique. It requires

project’s stakeholders to arrange a meeting and from the primary data the group of people

comes up with the list of risk.

Check list analysis:

Check lists are usually developed based on historical data of the similar projects. If the same

projects are done again and again then the project managers slowly build a list of risks. And

when the list becomes comprehensive then the list is being changed into check list and the

impact and monitoring techniques are then accordingly designed.

Assumption analysis:

Assumptions analysis is a process of validating assumptions that are made previously and then

documenting the risks as the project progresses.

Diagramming technique:

Diagramming technique is also common risk identification process in project risk management.

Three types of diagram are used in diagramming technique,

a. Fish-bone diagram – To show the cause and effect of risk.

b. Process flow chart – To show the cause and impact process of the risk.

c. Influence diagram – Casual representation of project variable.

Qualitative Risk Analysis: The qualitative risk analysis is the process where the impact of the risk over the project is identified. It

also states what the probability of that risk is to occur. It ranks the risks according to priority. It is the

first step towards the quantitative analysis of the risk.

Tools and Techniques for Qualitative Risk Analysis:

Qualitative risk analysis include the following tools and techniques,

Probability and impact assessment:

This techniques helps to determine how much is the probability of the risk to occur and also

how much the risk is going to cost in terms of time and money. This part of the risk management

depends highly on expert judgement. A veteran project manager is needed to accomplish this

part efficiently.

Probability and impact matrix:

Once the probability of the risk is identified and impact of the risk is being assessed, it is time for

making the probability and risk matrix. Once done, this matrix can make the project manager


9 | P a g e 1 6

understand on which risk they should concentrate most. The figure bellow is a sample

probability and impact matrix created with the help of Elyse (2007) and PMBOK (2000),

Probability

.80 Risk 1 Risk 12 Risk 14 Risk 6

.60 Risk 2 Risk 9 Risk 10

.40 Risk 8 Risk 3 Risk 5, Risk 11

.20 Risk 7 Risk 13 Risk 4

.05 .20 .40 .60 .80 Impact

Data quality assessment:

Data quality assessment involves determining the usefulness of data gathered to evaluate. Most

importantly the data should be unbiased. This process work as back checking of the list of risks

that are in hand.

Risks urgency assessment:

Based on the risk probability and impact matrix risk are organized in order of priority in this

phase. By the end of this process the project managers can understand which risk they need to

look upon first.

Quantitative Risk Analysis: The quantitative risk analysis process evaluates the impacts of the risks prioritized during the qualitative

risk analysis process and quantifies risk exposure to the project by assigning numeric probability for each

risks and their impact on the project objective.

Tools and Techniques for Quantitative Risk Analysis:

Sensitivity Analysis:

Sensitivity analysis is a quantitative approach to analyze potential risk event on the project and

determining which risk event has greatest potential for impact by examining all the uncertain

elements at their baseline value.

Expected Monitory Value Analysis:

Expected Monitory Value (EMV) Analysis is a statistical technique that calculates average,

anticipated impact of the decision. EMV is calculated by multiplying the probability of the risk

times its impact and then adding them together.

Decision Tree Analysis:


10 | P a g e 1 6

The decision tree is a process of determining an outcome in a logical way. There is no black and

white definition for decision tree analysis. The figure bellow shows a sample decision tree using

EM vans one of its inputs.

Decision start

£4200

£2000

£4000

£1000

Good Outcome

Probability .6

Choice Y

EMV = £6000

Good Outcome

Probability .8

Poor Outcome

Probability .4

Poor Outcome

Probability .2

Choice X

EMV = £7000

Risk Response Planning: Risk response planning is a process which determines which actions to take while risk poses a threat to

the project. It also involves the planning to optimize the opportunities that a risk might develop into.

There are no set tools and technique for risk response planning but there are number of strategies

which can come in handy,

a. Strategies for negative risks:

There can be three strategies which can be taken on,

o Avoid the risks with appropriate masers.

o Transfer or outsource the risk to a person or organization other than the one inside

project.

o Mitigate the risks is hand.

b. Strategies for positive risks or opportunity.


11 | P a g e 1 6

There can be also three strategies taken for the risks which have positive impact on the project.

o Exploit the opportunity posed by the risk.

o Share the risk among different parts of the project.

o Enhance the impact of the opportunity.

c. Strategies for both threats and opportunity.

In this strategy, project managers usually accept the consequences of a risk. Sometime this is

also called passive acceptance since the project managers does nothing regarding the risk in

hand.

d. Contingence response planning.

In the contingency planning project managers creates some tasks which will be regarded as

alternative of the actual plan. The contingency tasks are managed in a way that when the risk

triggers, the contingency tasks starts automatically. And when it does all the procedures are

properly documented. Some author like Wiegers (2007) believe that the contingency planning

or mitigation planning should be included in the probability-impact matrix. He also gives the

structure of the new matrix. The structure is as follows,

ID Description P L E First Indicator Mitigation/contingency Approach

Owner Date Due

1

2

Monitoring and Control: Monitoring and control is the last phase of the project risk management. According to Barker and Cole

(2007), monitoring and control or review is not a something that is done only in the start of the project.

It is something that has to be done every single day of the projects existence.

Monitoring and control is basically something which involves rechecking the risk log, and project charter

and objectives and finding out if already defined risks are managed efficiently or not. And whether there

is a chance for a potential risk to turn up.


12 | P a g e 1 6

Issues that are not addressed in PMBOK: According to Barkley (2004) some issues are not addressed in PMBOK’s risk management process but

worth gaining full understanding by the project managers. Project managers actually do all the

procedures but PMBOK does not concentrate upon the issues. Most important two issues are

Building a risk-based organization: Building an organization which always protects itself from risks through good organization planning

requires strong leadership. PMBOK ignores this human factor of the risk management.

Program and portfolio management: The risks management process proposed by PMBOK is very good for the single projects. But it fails to

describe the managers’ role when they come to manage a group of projects called programs or even a

group of program called portfolio.

Crisis and Crisis Contingency Plan: Many authors like Lock (2003) believe that crisis is a state of project where/when many identified or

unidentified risks trigger in very short span of time. Lock also argues that in this period there should be

special crisis contingency plan made. He also outlines the steps necessary for what he called crisis

contingency plan. These steps are discussed in the following points,

a. The first and the foremost step is estimating probability of crisis in an ICT project. It will help the

project planners to estimate how much budget and effort are needed to be allocated for the

crisis.

b. Secondly, a crisis contingency management team should be created. A team who will take

charge during the crisis. These people will constitute a sleeping organization, ready to be awake

at the moment’s notice. These people have to be very hard working, devoted to organization,

self motivated and last but not the least very good, veteran project managers.

c. Once the people is selected for the action committee for the crisis management, they must

meet in a focus group meeting to make a contingency plan for the crisis. They also need to sit in

short intervals to keep the plan up to date and evaluate the trigger condition of the project, if

any.

Lock’s outline crisis contingency management in my point of view lacks one key thing. To my point of

view, there should be provision for small pilot testing for the crisis. Then the steering committee will

know the effectiveness of the crisis contingency plan they have created.


13 | P a g e 1 6

Case Study:

SCOPING DIGITAL REPOSITORIES SERVICES FOR RESEARCH DATA MANAGEMENT 1. Background The Federated Digital Repository at the University of Oxford An increasing amount of digital materials are being produced on a daily basis by researchers at the University of Oxford. These materials include journal articles, theses, images and datasets. The University has the responsibility for providing services to store, curate, disseminate and preserve outputs from research activities. . These services are increasingly made available at Oxford through digital repositories. There are also digital materials produced outside of the University, that are nonetheless required within Oxford for research purposes, and that are efficiently managed through repositories. This observation, together with strategic decisions such as the cessation of funding for the Arts and Humanities Data Service (AHDS), are compelling reasons for institutions to take responsibility for the curation and preservation of their own research data. Aims and Objectives: The project’s overall aim is to scope the requirements, including for the underlying infrastructure and interoperability, for digital repositories services to store, curate, disseminate and preserve research data generated at Oxford. Objectives:

Capture document researchers’ requirements for digital repository services to handle research data.

Participate actively in the development of an interoperability framework for the federated digital repository at Oxford.

Make recommendations to improve and coordinate the provision of digital repository services

for research data.

Initiate and develop collaborations with the different repository activities already occurring to ensure that communication takes place in between them.

Raise awareness at Oxford of the importance and advantages of the active management of

research data.

Communicate significant national and international developments in repositories to relevant Oxford stakeholders, in order to stimulate the adoption of best practices.


14 | P a g e 1 6

Risk Probability (1-5)

Severity (1-5)

Score = p X s

Action to mitigate risk

Staffing

Loss of key stuff before the end of the project

2 4 8 Ensure the project is embedded in institutional practices by spreading the practices to number of individual. Ensure that planning for sustainability begins early.

Organizational Difficulties in arranging interviews with relevant members of research community

2 4 8 The engagement of OeRC, OUCS and OULS in project offers wide set of contacts in academic divisions and expertise in undertaking the requirements gathering exercise.

Delays in achieving task for project plan

2 3 6 Tasks will be prioritized and in the case of delays, project plan will be re-profiled to focus the highest priority activities.

Technical Problems is agreeing and identifying valid standards for the interoperability plan

3 2 6 Establishing the membership of Digital Repositories Standards Working Group and close collaboration with technical stuff from existing repository both inside and outside Oxford

*Taken from Uribe (2008)

Analysis of the case study: The project is still on the run. Therefore, it is really hard to predict whether the risks in the project have

been managed efficiently or not. However some of the key points on the project are as follows,

All the risks are very high level. There is no breakdown of the risk steps. The document also fails

to show the source of the risk.

Though probability and impact has been determined but there is no cost estimate for the

impact. For this reason I think there is no use of the column Score.

There is no trigger condition defined for the risk.

Though mitigation plan is well defined but there is no cost there is no cost estimate involved for


15 | P a g e 1 6

Conclusion: As Walewski and Gibson (2003) have rightly pointed out the fact like many others,

Risk analysis and management is most effective when deployed early. A properly structured risk identification, analysis, and mitigation process can moderate the risks associated with international construction projects.

An organisation’s risk management policy should set out its approach and appetite for risk and its approach to risk management. The policy should also set out responsibilities for risk management throughout the organisation. Furthermore, it should refer to any legal requirements for policy statements. Different stake-holding body for the project play important role in successful management of risk in organization. Bodies like project management unit and different business units when proactive can do a great deal to identify risk and propose a mitigation plan. Project managers today has to accept the fact that risk assessment and management is not a substitute for adequate pre-project planning, project controls, or other management and technical requirements. The most effective risk management process is coordinated with all aspects of project development and management. Project managers have to become more dynamic in terms of project management. They have to have some idea about project portfolio management and program management. Because small negligible risk in the project if not managed can cost very big deal in the program. Project risk management is still a practice in present world. There is no set rule for the risk management yet. Often organization manages their own risk in their own set way. And when there is a change in the business rule or the project itself, it becomes really tough for the project managers track the previous risk of the project. For this reason I believe there should be set standards for project risk management as it is there for project management itself. Institutions like PMI, RMI and AIRMIC should come forward to address the problem.


16 | P a g e 1 6

References and Bibliography

AIRMIC, IRM and ALARM, (2002) Risk Management Standard. www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf (accessed 07/04/08)

Barker, Stephen and Cole, Rob (2007) Brilliant project management: What the best project managers

know, say and do. Pearson Prentice Hall.

Barkley, Bruce T. (2004) Project Risk Management. McGraw-Hill.

Barrow, Bryan (2007) Four Reasons to Use Project Risk Management.

http://www.bcs.org/server.php?show=ConWebDoc.16427 (Accessed 04/04/08)

Davis, David (2005) ‘Beware of False Economics’ in Harvard Business Review on Managing Projects 2005.

Harvard Business School Publishing Corporation.

Elyse (2007) Qualitative Risk Analysis. http://www.anticlue.net/archives/000817.htm (accessed 04-04-08)

Heldman, Kim (2005) Project Management Professional Study Guide. Wiley Publishing, Inc.

Lock, Dennins (2003) Project Management. Gower 8th Edition.

Matta, Nadim F and Ashkenas, Ronald N. (2005) ‘Why Good Projects Fail Anyway’ in Harvard Business

Review on Managing Projects 2005. Harvard Business School Publishing Corporation.

PMBOK (2000) The New PMBOK Risk Management Concept.

http://facweb.cs.depaul.edu/yele/Course/IS372/IS372w3-2.ppt (accessed 05/04/08)

Staw, Barry M. and Ross, Jerry (2005) ‘Knowing When to Pull the Plug’ in Harvard Business Review on

Managing Projects 2005. Harvard Business School Publishing Corporation.

Uribe, Luis Martinez (2008) SCOPING DIGITAL REPOSITORIES SERVICES FOR RESEARCH DATA MANAGEMENT. 27th February, 2008. University of Oxford. WALEWSKI, JOHN and GIBSON, G. EDWARD, JR. (2003) ‘International Project Risk Assessment: Methods, Procedures, and Critical Factors’ in Center Construction Industry Studies September 2003. The University of Texas Austin. Wiegers, Karl E. (2007) Practical Project Initiation: A Handbook with Tools. Microsoft Press.

http://www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf

http://www.bcs.org/server.php?show=ConWebDoc.16427

http://www.anticlue.net/archives/000817.htm

http://facweb.cs.depaul.edu/yele/Course/IS372/IS372w3-2.ppt

Risk management for ICT project management

Documents

federated digital repository

harvard business review

digital repository services

risk response planning

risk response plan

decision tree analysis

qualitative risk analysis

revised project plans