
GPI - Gestão de Projectos Informáticos

Risk Management

Maria do Rosário Bernardo



“If something can go wrong, it will;
if something can’t go wrong, it will!”

(Murphy’s law)


Risk

• Hazard
• Chance of bad consequence or loss
• Exposure to mischance


Risk Definition

“the chance of exposure to the adverse consequences of future events”
PRINCE2

“an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives”
PMBOK®

“combination of the probability of an event and its consequence”
ISO/IEC GUIDE 73


• Risk is characterized by the relationship between potential events and consequences.
• Multiple events and multiple consequences can generate multiple risks.
• Each consequence falls on one asset.

Risk Management
Increase the impact of positive events and decrease the impact of events adverse to the project.

In 4 steps:
• Risk identification
• Risk assessment
• Risk treatment
– to develop options and determine actions to enhance opportunities and reduce threats to the project’s objectives
• Risk control

[Figure: Identify risks, Assess risks, Treat risks and Control risks, shown together with the Risk Register]

Prince 2 - The Risk Management Process.


ISO31000 Risk Management processes



Risk Identification Tools & Techniques

• Documentation review
• Learning Cycles
• Brainstorming
• Nominal Group Technique
• Delphi Technique (described in effort estimation)
• Interviews
• SWOT Analysis
• Cause & Effect (a.k.a. Fishbone/Ishikawa)
• Checklists

Risk categories

• Business risks

– Chance of profit or loss

• Insurable risks

– Only chance of loss (only negative impact)
– Usually caused by external and unpredictable factors


Risk Identification - Classification

• External : Unpredictable
• External : Predictable but Uncertain
• Internal : Technical
• Internal : Non-technical
• Legal


Risk Identification - Tools & Techniques

checklists


Risk Identification Tools & Techniques


[Figure: Project Risk at the centre, linked to the other project management functions: PM Integration (life cycle and environment variables); Scope (expectations, feasibility); Quality (requirements, standards); Time (time objectives, restraints); Cost (cost objectives, restraints); Information/Communications (ideas, directives, data exchange accuracy); Human Resources (availability, productivity); Contract/Procurement (services, plant, materials: performance)]
Source: The PMBOK Handbook Series – Volume no. 6
Risk Breakdown Structure

Project Risk

• Commercial risks
– No or poor business case
– More than one customer
– Inappropriate contract type
– Penalties
– Poor scope definition
– Unclear payment schedule
– Payments not linked to deliverable

• Relationship risks
– Unclear customer structure
– Poor access to stakeholders
– Internal customer policies
– Multiple stakeholders
– Users not committed
– Unwillingness to change
– Management and users disagree

• Requirements risks
– Requirements not agreed
– Requirements incomplete
– Requirements not detailed enough
– Ambiguity in requirements
– No single document of requirements
– Stringent non-functional requirements
– Acceptance criteria not agreed

• Planning and resource risks
– PM not involved in initial planning
– Project very large with quick building-up
– Estimates not based in metrics
– Excessive reliance on key staff
– Developers lack key skills
– Inexperience in business area
– Inexperience in technology

• Technical risks
– New environment
– Development and live environment differ
– Restricted access to environment
– Unfamiliar system software
– Lack of technical support
– Unfamiliar tools / methods / standards
– New / unproved technology

• Subcontract risks
– No / little experience of suppliers
– Suppliers in poor financial state
– Difficulty to stage tests of items
– No choice of supplier
– Use of proprietary products
– Subcontractors not ‘back-to-back’ with main contract


Risk assessment

Risk of Impact = P(R) * consequence


or

Risk of Impact = P(R) * consequence * Public perception

Consequence (Ri) = €500.000


Probability (Ri) = 0,01
Impact (Ri) = €500.000 * 0,01 = €5.000


Risk Impact Table

Risk (Threats)                                           Probability  Conseq.  Impact  Ranking
                                                         (0 - 100%)   (0-10)   (P*I)
Key project team member leaves project                   40%          4        1.6     4
Client unable to define scope and requirements           50%          6        3.0     3
Client experiences financial problems                    10%          9        0.9
Response time not acceptable to users/client             80%          6        4.8     1
Technology does not integrate with existing application  60%          7        4.2     2
Functional manager deflects resources away from project  20%          3        0.6
Client unable to obtain licensing agreements             5%           7        0.4

IT Project Risk Impact Analysis

Risk Assess

Risk Impact Matrix


Probability x Consequence Matrix

Use of suitable scales for Consequence vs Probability:

- 3 levels: LOW ; MED ; HIGH
- 5 levels: VLO ; LO ; MED ; HI ; VHI

3 x 3 ; 4 x 4 ; 5 x 5 ...


Risks Impact Evaluation


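[Figure: 5 x 5 matrix of Probability (VLO, LO, MED, HI, VHI) against Consequence (VLO, LO, MED, HI, VHI), with example risks R1, R2 and R3 plotted in three zones]

• High: Project Revaluation; IF "GO" ==> Reduction actions
• Medium: ==> Reduction actions
• Low: Only Control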

Risk assessment
Evaluation scale example
Base: IT Project – 1 year; 1.000 K€

                  Consequences
Grade  P(R)       Time (weeks)  Cost (K€)  Performance
VHI    > 70%      > 8           > 80       System
HI     50 – 70%   4 – 8         50 – 80    Some important parameters
MED    30 – 50%   2 – 4         20 – 50    One important parameter
LO     10 – 30%   1 – 2         5 – 10     Some less important parameters
VLO    5 – 10%    < 1           5          One unimportant parameter
NIL    --         0             0


Risk Assessment

Probability

Grade  Team assessment        Historical Records
VL     Not Identified         But sporadic occurrence
L      Not probable           and sporadic occurrence
M      Lower Probability      and “some” frequent occurrence
H      High Probability       or frequent occurrence
VH     Very High Probability  and frequent occurrence


Risk Assessment
Grade  Direct Consequence         Impact on other elements of the project  Impact on project                              Impact on business
VL     1 project activity         No                                       No                                             No
L      Set of activities or 1 WP  Reduced                                  No                                             No
M      More than 1 WP             May impact on other WPs                  May compromise one or more project components  Reduced
H      Significant number of WPs  Significantly affects overall project    May compromise project implementation          Limited to project success
VH     Significant number of WPs  Significantly affects overall project    Compromise project realization                 May compromise other projects or the company image


Combining the impact of several risks

• Individual risks can interact
• The WBS is a key tool in the integration of risks

Top-down approach
– Key risk factors are identified and assessed at a high level of the WBS
– Allows interrelationships to be analysed
Bottom-up approach
– Risks are identified at a low level of the WBS
– Prepare contingency plans


Risk Treatment
• Avoidance:
– decision not to become involved in, or action to withdraw from, a risk situation

• Mitigation:
– actions taken to lessen the probability, negative consequences, or both, associated with a risk

• Deflection:
– sharing with another party the burden of loss or benefit of gain, for a risk (deflect the risk)

• Contingency:
– create a plan to react to the risk, if it occurs

Risk Avoidance

“decision not to become involved in, or action to withdraw from, a risk situation”

Under avoidance we change the project plan:


• Scope
• Time
• Costs
• Quality
• Organization


Risk Transfer

sharing with another party the burden of loss or benefit of gain, for a risk

3 ways of deflecting a risk:
• Insurance
• Bonding (using secure account)
• Contract

We can only transfer risks within a limit.
Risk transfer has additional costs.


Risk - Contingency

• Make an allowance (provisão), by increasing time and/or cost budgets
• Plan to change the scope, by drawing up contingency plans to implement if the risks occur

Allowances (provisões)
• Add it to the WBS level where the risk was identified:
– Project
– Work Package
– Activity

Risk – Contingency
Example : Allowance

Activity: Requirement identification
Duration: 10 days
Cost (resources): Senior 50% at €400/d + Junior 100% at €200/d
Risk: Users unavailability
Probability: High
Consequence: High

Schedule (January – February 2007):

ID  Task Name                   Duration
1   PT1                         20 d
2   a1                          2 d
3   a2                          3 d
4   Requirement identification  10 d
5   a3                          2 d
6   a4                          3 d


Risk – Contingency
Example : Allowance

To calculate an allowance we need a quantitative approach, e.g.

Grade Probability Consequence


VHI 0.9 0.8
HI 0.7 0.4
MED 0.5 0.2
LO 0.3 0.1
VLO 0.1 0.05


Probability x Consequence matrix (each cell = probability * consequence)

                  Consequence
Probability       VLO 0,05  LO 0,1  MED 0,2  HI 0,4  VHI 0,8
VHI  0,9          0,045     0,09    0,18     0,36    0,72
HI   0,7          0,035     0,07    0,14     0,28    0,56
MED  0,5          0,025     0,05    0,1      0,2     0,4
LO   0,3          0,015     0,03    0,06     0,12    0,24
VLO  0,01         0,005     0,01    0,02     0,04    0,08

Zones:
• HIGH: Proj Reevaluation; IF "GO" ==> reduction actions
• MED: ==> reduction actions
• LOW: Only control


Activity: Requirement identification
Duration: 10 days
Cost (resources): Senior 50% at €400/d + Junior 100% at €200/d
Risk: Users unavailability
Probability: High
Consequence: High

I(R) = 0,28
Allowance (time) = 10d * 0,28 = 2,28 approx. 3 days
Allowance (cost) = 3d * (0,5 * €400 + €200) = €1.200

Schedule with the allowance added (January – February 2007):

ID  Task Name                   Duration
1   PT1                         23 d
2   a1                          2 d
3   a2                          3 d
4   Requirement identification  10 d
5   Allowance                   3 d
6   a3                          2 d
7   a4                          3 d
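Added example (not part of the original slides): the allowance calculation above and the P*I ranking from the Risk Impact Table, as runnable Python. The function names are hypothetical, "High" is mapped to the HI row of the graded scale, and rounding the time allowance up to whole days is an assumption.

```python
import math

# Graded scale copied from the page's "Grade / Probability / Consequence" table.
PROBABILITY = {"VHI": 0.9, "HI": 0.7, "MED": 0.5, "LO": 0.3, "VLO": 0.1}
CONSEQUENCE = {"VHI": 0.8, "HI": 0.4, "MED": 0.2, "LO": 0.1, "VLO": 0.05}

# Rows copied from the page's Risk Impact Table: (threat, P, consequence 0-10).
THREATS = [
    ("Key project team member leaves project", 0.40, 4),
    ("Client unable to define scope and requirements", 0.50, 6),
    ("Client experiences financial problems", 0.10, 9),
    ("Response time not acceptable to users/client", 0.80, 6),
    ("Technology does not integrate with existing application", 0.60, 7),
    ("Functional manager deflects resources away from project", 0.20, 3),
    ("Client unable to obtain licensing agreements", 0.05, 7),
]


def impact(prob_grade, cons_grade):
    """I(R) = P(R) * consequence on the graded scale; rejects unknown grades."""
    if prob_grade not in PROBABILITY or cons_grade not in CONSEQUENCE:
        raise ValueError(f"unknown grade: {prob_grade!r} / {cons_grade!r}")
    return round(PROBABILITY[prob_grade] * CONSEQUENCE[cons_grade], 3)


def allowance(duration_days, resources, prob_grade, cons_grade):
    """Return (extra_days, extra_cost_eur) to add next to the risky activity.

    resources is a list of (allocation 0-1, daily rate in EUR).
    Rounding up to whole days is an assumption (the page says "approx").
    """
    raw_days = round(duration_days * impact(prob_grade, cons_grade), 6)
    extra_days = math.ceil(raw_days)
    daily_cost = sum(alloc * rate for alloc, rate in resources)
    return extra_days, extra_days * daily_cost


def rank_threats(threats):
    """Sort threats by P * consequence, highest exposure first."""
    scored = [(name, round(p * c, 2)) for name, p, c in threats]
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # Page example: 10-day activity, Senior 50% at 400/d, Junior 100% at 200/d.
    print(allowance(10, [(0.5, 400), (1.0, 200)], "HI", "HI"))
    for rank, (name, score) in enumerate(rank_threats(THREATS), start=1):
        print(rank, score, name)
```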

Risk management plan

Identifies the risks associated with a project, the means by which they will be assessed, and the strategy for their reduction.

4 W + 2 H
• Why – why the risk is significant
• What – what is to be done to reduce it
• When – when the risk will have its impact
• Who – who is responsible for resolving it
• How – how the reduction will be achieved
• How much – how much it will cost to resolve it


Risk Register


Risk register example


Columns:
• Risk ID
• Description
• Assumptions
• Probability (VL, L, M, H, VH)
• Consequence (VL, L, M, H, VH)
• Probability/Consequence Justification
• Treatment: Type, Measure(s)
• Risk Owner

Sample row text: “Why should we consider this”; “Risk Description”


Risk communication

• Customer (evaluation and value)


• Sponsors (commitment and support)
• Project Manager (project strategy)
• Integrators (implementation risks management)
• Team (knowledge)
• Users (commitment and limits understanding)


Risk Response Plan should include:

• A trigger which flags that the risk has occurred


• An owner of the risk (i.e., the person or group responsible
for monitoring the risk and ensuring that the appropriate
risk response is carried out)
• A response based on one of the four basic risk responses
• Adequate resources

We can add a column : when



Control Risks

Purpose
minimise disruption to the project by determining
whether the risk responses are executed and
whether they have the desired effect

Source: ISO DIS 21500



Control Risks
Control is achieved by
– keeping track of the identified risks,
– identification and analysis of newly arising risks,
– monitoring trigger conditions for contingency plans
– reviewing progress on risk responses,
– evaluating risk responses effectiveness

Project risks should be periodically evaluated when


– a new risk arises or
– a milestone is reached
Source: ISO DIS 21500

Risks re-evaluation

Should be done when new risks are identified

Should be done when a milestone is achieved
