Risk Management Overview

Khaled Shams
Agenda

• Session Objectives
• Definition of Risk and Risk Management Processes and their
mapping to CMMI Goals and Practices
• Overview on Organization Risk management Assets, and
Changes due to EDGE deployment
Course Objectives

• Gain an awareness of the Risk Management

• Understand the mapping between Risk Management
processes and CMMI Goals and Practices
 Definitions

Definitions
Some common terms that need to be understood include:
• Issues An issue is something currently happening that
needs resolution to avoid negative impact to
• Assumptions scope, timing, requirements, cost, quality,
resources, or progress according to the plan.
• Risk An assumption is something that is believed to be
true. Assumptions can be about such things as
• Project Risk the deliverables, estimates, technical
environment, experience level of staff, and end-
• Risk Management user responsibilities
 Risk Management Definitions

Definitions
Some common terms that need to be understood include:
• Issues A risk is a possible future event which, if it occurs, will
lead to an undesirable outcome.
• Assumptions
• Risk Project risk refers to the cumulative effect of the
chances of an uncertain occurrence that will
• Project Risk adversely affect project objectives. What is the
overall risk of the project?
• Risk Management Risk Management is a systematic and explicit
approach used for identifying, analyzing, and
controlling (project) risk.
Risk Management Major processes

• Risk management Planning (SG 1 Prepare for Risk Management, SP 1.3

Establish a Risk Management Strategy)
Risk management planning is the process of deciding how to approach and plan the risk
management activities for a project. (methodology, Roles and responsibility, Budgeting,
Scoring, Thresholds, reporting format, tracking)

• Risk identification (SG 2 Identify and Analyze Risks, SP 2.1 Identify Risks)
Risk identification involves determining which risks might the project and documenting their
characteristics (Documentation review, brainstorming, interviewing, checklist)

• Qualitative Risk Analysis (SG 2 Identify and Analyze Risks, Evaluate, SP

2.2 Categorize, and Prioritize Risks)

Is the process of of accessing the impact and the likelihood of the identified risk. This
process Prioritise risks according to their effect on the project objectives (Risk
probability, and impact, Probability/impact risk rating)
Risk Management Major processes (Cont..)

• Quantitative Risk Analysis (SG 2 Identify and Analyze, SG 2 Identify

and Analyze Risks, Evaluate, SP 2.2 Categorize, and Prioritize Risks)
Risks)

Aims to analyse numerically the probability of each risk and its consequence on the
project objective (Simulation, Decision tree analysis)

• Risk response planning (SG 3 Mitigate Risks, SP 3.1 Develop Risk

Mitigation Plans)
Developing procedures and techniques to enhance opportunities and reduce threats to
project deliverables (Avoidance, Transference, Mitigation, Acceptance)

• Risk Monitoring and control (SG 3 Mitigate Risks, SP 3.2 Implement

Risk Mitigation Plans)
Monitoring residual risks, identifying new risks, execution risk reduction plan (mitigation
plan)
Attributes of Risk (SP 1.2 Define Risk Parameters)

• The attributes for risk are the Probability

(possibility, Stability, likelihood) and Consequence
(Loss, effect, sensitivity)
• Risk exposure is the multiplication of likelihood
times loss
Risk Management Abbreviations (SP 1.1
Determine Risk Sources and Categories)

Risk Sources:
Risk sources are the fundamental drivers that cause risks within a project or
organization. There are many sources of risks, both internal and external, to a
project. Risk sources identify common areas where risks may originate. Typical
internal and external risk sources include the following:

• Uncertain requirements
• Unprecedented efforts—estimates unavailable
• Infeasible design
• Unavailable technology
• Unrealistic schedule estimates or allocation
• Inadequate staffing and skills
• Cost or funding issues
• Uncertain or inadequate subcontractor capability
• Uncertain or inadequate vendor capability
• Inadequate communication with actual or potential customers or with their
representatives
• Disruptions to continuity of operations
Risk Management Abbreviations (SP 1.1
Determine Risk Sources and Categories)

The following factors may be considered when determining risk

categories:
• • The phases of the project’s lifecycle model (e.g.,
requirements, design,
• manufacturing, test and evaluation, delivery, and disposal)
• • The types of processes used
• • The types of products used
• • Program management risks (e.g., contract risks, budget/cost
risks, schedule risks,
• resources risks, performance risks, and supportability risks)
 Why do Risk Management?

There are several reasons why risk management is sometimes

not undertaken including:
• There is an unwillingness to admit risks exists.
• There is a lack of understanding of the benefits.
• There is a natural tendency to postpone the hard parts of a
project. (i.e., Do the easy things first.)
• Some believe that it costs time up front without adding value
overall.
• It is difficult to prove that it’s necessary (e.g., like insurance).

Now let’s discuss why risk management is important and should be undertaken.
 Why do Risk Management? … cont

Risk management is important because…

“It forces us to focus on the future where

uncertainty exists and develop suitable
plans of action to prevent potential issues
from adversely impacting the project.”
Harold Kerzner, PhD.

Let’s take a look at objectives of risk management and some of the many benefits to
proactively addressing project risk.
 Why do Risk Management?

Benefits of risk management include: “What is not on paper has not

been said.” Documenting risks
• Improved communications ensures that everyone a
consistent understanding.
• Higher probability of project
success This is a result of better
information available during
• Meet or exceed customer planning and decision making.
expectations
The success of the project supports
• Higher quality products and good client relationships.
services This helps to provide the opportunity for
additional business.
EgSC Projects Critical Risk Report

Project Name No. Risk Description Controllability Criticality Current Position Required Action

- Action By
If the Business design documents (BDDs)will not [Mitigate] EgSC team needs
be detailed enough and consistent with the screens to review iteration 4 BDDs
eCVMS 1 shots and database scripts then EgSC team will not C Red The Quality of BDDs are very poor and resolve their issues
deliver the application on time and with the required before setting Commitments.
quality.

If proper backup\restore is not done for the Unix IMF and LT to ensure that
Improper restore has been done for
2 Machine then this will affect the work that has been C Red proper backup and restore
the unix server
done by the EgSC team are performed

[Mitigate] The PPIL send

to the PMs and DLs that
the assessment may be
If the second readiness review results in more postponed, if they will not
Findings from first readiness
findings by 10 August, then CMMI L3 SCAMPI will complete the readiness
review to be resolved by the PMs
PPI 1 be postponed, hence the Org. Object (CMMI L3 C Red review findings by 04th of
of participating projects by COB
certification by end of August) will not be achieved. August 2004. The PPIL
4 Aug.
will send the SCM detailed
information. SCM will then
decide on action to be
taken
Questions & Answers

Thank You…