Presentation content What is risk?

Risk management planning Risk identification scientific

What is a risk? A risk is defined as a possible event or circumstance that can have negative influences on the project in question. Risk can also be defined as the combination of the probability of an event and its consequences. Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary. It is therefore important to manage risks in any project as this will determine whether the project will be completed or not. Risk management is a central part of any organizations strategic management. It is the process whereby organizations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities. Risk Management can also be defined as the identification, assessment, and prioritization of risk, followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

Risk Management Planning

Risk Management Planning is about defining the process of how to engage and oversee risk management activities for a project. Risk Management planning is an important part of project management.

The inputs for Risk Management Planning are: Project Scope Statement It documents the project scope including a description, major deliverables, project objectives, project assumptions, project constraints, and a statement of work. In Risk Management Planning, the project scope statement is commonly used for identifying project boundaries and assumptions.

Project Management Plan The Project Management plan contains the Work Breakdown Structure (WBS) which is used in Risk Management Planning to determine possible areas where risks can occur. Organizational process assets The organizations process assets may contain defined standards and policies pertaining to risk management. Process assets included are risk categories, roles and responsibilities, and processes of how to have a decision made. Enterprise environmental factors Enterprise environmental factors reveal the risk tolerance of the organization and the individuals involved in the project. For example, patient billing departments or leaders commonly have absolutely no risk tolerance for any impact to cashflow. Understanding how much risk your stakeholders and organization are comfortable with help with decisions regarding the type, level, and amount of risk management to apply in the project.

Note: The Risk Management Plan documents how the Project Risk Management will be structured and performed on the project.

Risk management should; create value, be an integral part of organizational processes, be part of decision making, explicitly address uncertainty, be systematic and structured, be based on the best available information, be tailored to suite the specific project, take into account human factors, be transparent and inclusive, be dynamic, iterative and responsive to change, be capable of continual improvement and enhancement Communicating risk is very important. There are several rules of communicating risk. These rules were first expressed by the United States Environmental Protection Agency and several of the field's founders, 1988 as; Accepting and involving the public/other consumers as legitimate partners. Planning carefully and evaluating efforts with a focus on strengths, weaknesses, opportunities, and threats. Listening to the public's specific concerns. Being honest, frank, and open. Coordinating and collaborating with other credible sources. Meeting the needs of the media in cases where its a large organization. Speak clearly and with compassion.

Risk is all about the three questions .. ...what can happen? ...what could result? ...what can be done? Although specifics may vary based on the nature and complexity of a project, an effective risk management process will have three key components: Realistic Risk Identification Realistic Risk Analysis & Assessment Realistic Risk Response & Control

1.Documentation reviews 2.Information gathering techniques - Are used to develop lists of risks and risk characteristics. Each technique is helpful for collecting a particular kind of information 3.Checklist analysis 4. Diagramming techniques 5.Assumptions analysis .Cause and effect diagrams .System or process flow charts . Influence diagrams

    

Brainstorming Delphi technique Interviewing Root cause identification Strengths, weaknesses, opportunities, and threats (SWOT) analysis

    

Management Risks Technology Risks Resource Risks Timing Risks Political Risks

Project Risks

Commercial risks

Relationship Risks

Requirement Risks -Requirement not agreed -Requirements incomplete -Requirements not detailed enough -Ambiguity in requirements -No single document of requirements -Stringent nonfunctional requirement -Acceptance criteria not agreed.

Planning and resources risks

Technical Risks

Subcontract Risks

-No poor business case -More than one customer -Inappropriate contract type -Penalties for non-performance -Ill defined scope

-Unclear customer structure -Poor access to stakeholders -Internet customer politics -Multiple stakeholders -Users not committed to project -Unwillingness to change -Management and users disagree

-Project manager not involved in initial planning -project very large with quick build up -Estimates not based on metrics -Excessive reliance on key skills -Inexperience in business area. -Inexperience of technology

-Environment new to development -Development and live environment differ -Restricted access to environment -Unfamiliar system software -Lack of technical support -Unfamiliar tools methods / standards -New / unproven technology used

-No /title, experience of suppliers -Suppliers in poor financial state -Difficult to stage rest of items -No choice of suppliers -Use of proprietary products -Subcontracts not back to back with main contract.

-Unclear payment schedule -Payment not linked to deliverables

Risk Analysis is often conducted in two different ways Qualitative and Quantitative. For a proper risk assessment of any project plan or project management system, it is vital to understand the basic defining difference between them.

Qualitative Risk Analysis

The objective of conducting a qualitative risk analysis is to acquire safety against recognized risks and to increase the alertness of management, team members, and all personnel who are vulnerable to them. This method of risk analysis is designed to identify issues that are looked upon as project management impediments, but have the potential to become definite risk factors. Qualitative Risk Analysis includes methods for prioritizing the identified risks for further action, such as risk response planning. Organizations can improve the project's performance effectively by focusing on high-priority risks. It assesses the priority of identified risks using their probability of occurring, the corresponding impact on project objectives if the risks do occur, as well as other factors such as the time frame and risk tolerance of the project constraints of cost, schedule, scope, and quality. Qualitative Risk Analysis is usually a rapid and cost-effective means of establishing priorities for Risk Response Planning, and lays the foundation for Quantitative Risk Analysis, if this is required. It should be regularly revisited during the project's life cycle to stay current with changes in the project risks. Qualitative Risk Analysis requires outputs of the Risk Management Planning and Risk Identification processes. This process can lead into Quantitative Risk Analysis or directly into Risk Response Planning.

The inputs of Qualitative risk assessment will include; the organizational process assets, the project scope statement, the risk management plan, and a risk register. (As explained in the risk management plan) The Tools and Techniques of Qualitative risk analysis include;

.1 Risk Probability and Impact Assessment; Risk probability assessment investigates the likelihood that each specific risk will occur. Risk impact assessment investigates the potential effect on a project objective such as time, cost, scope, or quality, including both negative effects for threats and positive effects for opportunities. 2 Probability and Impact Matrix; Risks can be prioritized for further quantitative analysis and response, based on their risk rating. Ratings are assigned to risks based on their assessed probability and impact. Evaluation of each risk's importance and, hence, priority for attention is typically conducted using a lookup table or a probability and impact matrix. Such a matrix specifies combinations of probability and impact that lead to rating the risks as low, moderate, or high priority. .3 Risk Data Quality Assessment; A qualitative risk analysis requires accurate and unbiased data if it is to be credible. Analysis of the quality of risk data is a technique to evaluate the degree to which the data about risks is useful for risk management. It involves examining the degree to which the risk is understood and the accuracy, quality, reliability, and integrity of the data about the risk.

.4 Risk Categorization; Risks to the project can be categorized by sources of risk, the area of the project affected, or other useful category e.g., project phase to determine areas of the project most exposed to the effects of uncertainty. Grouping risks by common root causes can lead to developing effective risk responses. .5 Risk Urgency Assessment; Risks requiring near-term responses may be considered more urgent to address. Indicators of priority can include time to affect a risk response, symptoms and warning signs, and the risk rating.

Outputs .1 Risk Register (Updates); The risk register is initiated during the Risk Identification process. The risk register is updated with information from Qualitative Risk Analysis and the updated risk register is included in the project management plan. The risk register updates from Qualitative Risk Analysis include:  Relative ranking or priority list of project risks. The probability and impact matrix can be used to classify risks according to their individual significance.. Risks may be listed by priority separately for cost, time, scope, and quality, since organizations may value one objective over another. A description of the basis for the assessed probability and impact should be included for risks assessed as important to the project.

 

Risks grouped by categories. Risk categorization can reveal common root causes of risk or project areas requiring particular attention. Discovering concentrations of risk may improve the effectiveness of risk responses. List of risks requiring response in the near-term. Those risks that require an urgent response and those that can be handled at a later date may be put into different groups. List of risks for additional analysis and response. Some risks might warrant more analysis, including Quantitative Risk Analysis, as well as response action. Watch lists of low priority risks. Risks that are not assessed as important in the Qualitative Risk Analysis process can be placed on a watch list for continued monitoring. Trends in qualitative risk analysis results. As the analysis is repeated, a trend for particular risks may become apparent, and can make risk response or further analysis more or less urgent/important.

Quantitative Risk Analysis Quantitative risk analysis is more focused on the implementation of safety measures that have been established, in order to protect against every defined risk. By using a quantitative approach, an organization is able to create a very precise analytical interpretation that can clearly represent which risk-resolving measures have been most well-suited to various project needs. Quantitative Risk Analysis is performed on risks that have been prioritized by the Qualitative Risk Analysis process as potentially and substantially impacting the project's competing demands

The Quantitative Risk Analysis process analyzes the effect of those risk events and assigns a numerical rating to those risks. It also presents a quantitative approach to making decisions in the presence of uncertainty. This process uses techniques such as Monte Carlo simulation and decision tree analysis to:
    

Quantify the possible outcomes for the project and their probabilities Assess the probability of achieving specific project objectives Identify risks requiring the most attention by quantifying their relative contribution to overall project risk Identify realistic and achievable cost, schedule, or scope targets, given the project risks Determine the best project management decision when some conditions or outcomes are uncertain.

Quantitative Risk Analysis: Inputs, Tools & Techniques, and Outputs Like the Qualitative risk Analysis, the inputs of the Quantitative analysis will include; organizational process asset, project scope statement, risk management plan, risk register and the project management plan.

The Tools and Techniques required in Quantitative Risk Analysis are: .1 Data Gathering and Representation Techniques  Interviewing. Interviewing techniques are used to quantify the probability and impact of risks on project objectives. The information needed depends upon the type of probability distributions that will be used. For instance, information would be gathered on the optimistic (low), pessimistic (high), and most likely scenarios for some commonly used distributions, and the mean and standard deviation for others.  Probability distributions. Continuous probability distributions represent the uncertainty in values, such as durations of schedule activities and costs of project components. Discrete distributions can be used to represent uncertain events, such as the outcome of a test or a possible scenario in a decision tree.  Expert judgment. Subject matter experts internal or external to the organization, such as engineering or statistical experts, validate data and techniques.

2 Quantitative Risk Analysis and Modeling Techniques Commonly used techniques in Quantitative Risk Analysis include:  Sensitivity analysis. Sensitivity analysis helps to determine which risks have the most potential impact on the project. It examines the extent to which the uncertainty of each project element affects the objective being examined when all other uncertain elements are held at their baseline values.  Expected monetary value analysis. Expected monetary value (EMV) analysis is a statistical concept that calculates the average outcome when the future includes scenarios that may or may not happen (i.e., analysis under uncertainty).  Decision tree analysis. Decision tree analysis is usually structured using a decision tree diagram that describes a situation under consideration, and the implications of each of the available choices and possible scenarios. It incorporates the cost of each available choice, the probabilities of each possible scenario, and the rewards of each alternative logical path.  Modeling and simulation. A project simulation uses a model that translates the uncertainties specified at a detailed level of the project into their potential impact on project objectives. Simulations are typically performed using the Monte Carlo technique.

Outputs .1 Risk Register (Updates) The risk register is initiated in the Risk Identification process and updated in Qualitative Risk Analysis. It is further updated in Quantitative Risk Analysis. The risk register is a component of the project management plan. Updates include the following main components:  Probabilistic analysis of the project. Estimates are made of potential project schedule and cost outcomes, listing the possible completion dates and costs with their associated confidence levels. This output, typically expressed as a cumulative distribution, is used with stakeholder risk tolerances to permit quantification of the cost and time contingency reserves. Such contingency reserves are needed to bring the risk of overrunning stated project objectives to a level acceptable to the organization.  Probability of achieving cost and time objectives. With the risks facing the project, the probability of achieving project objectives under the current plan can be estimated using quantitative risk analysis results.  Prioritized list of quantified risks. This list of risks includes those that pose the greatest threat or present the greatest opportunity to the project. These include the risks that require the greatest cost contingency and those that are most likely to influence the critical path.  Trends in quantitative risk analysis results. As the analysis is repeated, a trend may become apparent that leads to conclusions affecting risk responses.

Risk response planning is the process of developing options to minimize threats and maximize opportunities. The risk response should be in line with the significance of the risk, cost-effective, and realistic. Normally a collaborative discussion needs to occur to assure the best option is the response.

Risk Management Plan Risk Register

The strategies for handling risk comprise of two main types: negative risks, and positive risks. The goal of the plan is to minimize threats and maximize opportunities.

 Avoid Risk avoidance involves changing the project plan to remove the threat to the project plan. This can be done by changing or reducing the scope of the project. Transfer Risk transference involves shifting the impact of a risk event and the ownership of the risk response to a third party. This strategy is common with a financial risk exposure and involves payment of a risk premium to the party assuming the risk. Mitigate Risk Mitigation reduces the probability or impact of a potential risk even to a more acceptable level. This included reducing the consequences of the risk. Mitigation could involve adopting a less complicated process, conducting additional test on the product, designing redundancy into a system, and designing a quality control or reconciliation.

 Share Risk sharing involves sharing responsibility and accountability with another to enable the team the best chance of seizing the opportunity.

Enhance Risk enhancement increases the probability an opportunity will occur by focusing on the trigger conditions of the opportunity and optimizing the chances.

Exploit Risk exploitation is used on opportunities when the organization wishes to assure the opportunity is realized. Commonly used by hiring the best experts or assuring the most technologically advanced resources are available to the project team.

Response Strategies for Both Threats and Opportunities Risk acceptance is any decision not to change to deal with a risk. Risk acceptance is either passively accepted by doing nothing or actively by establishing a contingency reserve. Contingent Response Strategy A risk contingency is used only when a risk is realized or impacting. A response plan is commonly executed when a condition or trigger event occurs. For example missing an intermediate milestone or gaining higher priority with a supplier, should be defined and tracked. Risk Response Planning is the most important risk management process. It places a plan in place of how to deal with risk.

Risk Register (updates) - The risk register

should be written to a level of detail that corresponds with the priority ranking and the planned response.

Project Management Plan (updates)

Project Management Plan updates occur as response actions are added after being processed though integrated change control.

Risk-Related Contractual Agreements

Risk related contractual agreements for insurance, partnerships and services will generate language specifying each partys responsibilities.

The inputs to Risk Monitoring and Control are: Risk Management Plan Risk Register Approved Change Requests Work Performance Information Performance Reports

Risk Reassessment Status Meetings Risk Audits Variance and Trend Analysis Technical Performance Measurement Reserve Analysis

Updates to the Risk Register Updates to Organizational Process Assets. Updates to the Project Management Plan Recommend Corrective Actions Recommend Preventative Actions Requested Changes

During the planning stage, Richard Vaughan, the E- Con Project Manager, carries out a comprehensive review of the risks facing the France vacancies project. He decides to use a workshop format for this, inviting the following participants: i. Peter Clay ,France vacancies IT Manager in charge of the MIS development ii. Siobhan Reid ,in charge of the internet development iii. An E- con principal consultant and expert on internet technologies and their problems iv. The project assurance team consisting of Winter , Southern ,Hadie and Pierce

Using brainstorming technique , the group identifies 65 potential risks to the project, some technical , some commercial and some to do with resources .They categorize these by scale of input ( large , moderate , small) and by likelihood of occurrence ( high, medium, low) and conclude that six risks come into dangerous large / high category. One of these is risks 15 which relates to Econ ability to find enough skilled internet resources quickly enough. It will be noticed that E-con is being extremely candid in admitting to this risk and to its difficulties in finding resources .Richard Vaughan however, believes in working openly with his clients and the risk management process will not work properly without such openness. In return, France vacancies staff also admit to some risks about their own lack of clarity in being able to define what they want their system to do, and this creates good working relationship Avoidance actions and fallback measures are identified for e4ach risk and owners assigned to deal with them.

Risk ID:RO 13 Date raised :11 April

Title: Inability to find enough skilled internet resources Date closed :5 May

Description : The success of this project is critically dependent on quickly gaining access to sufficient skilled internet resources. Although E-con is a specialist company in this area, recent successes in winning work have meant that its resource pool is stretched and there is a possibility that resort will have to be made to contract staff ( of less known quality ) to fill any gaps. Impact description Delay in developing internet aspects of the project : delay to overall timescale of project Impact assessment Likelihood Urgency Risk owner Action History Date April Action Establish final resource requirement and negotiate with E- con resources manager, ideally switch resources from other projects and replace with contractors 19 April Experienced staff obtained from less urgent projects: gaps to be back filled by experienced contract staff 5 May Risk reviewed at check point meeting .Retired Large High Very urgent as project has short time Siobnan Reid

Hubbard, Douglas (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley & Sons. p. 46. ISO/IEC Guide 73:2009 (2009). Risk management Vocabulary. International Organization for Standardization. Lock Dennis, (2010) The essentials of project management, Burlington, USA Cadle and Yeates D. (2004) Project Management for Information Systems, England Project management Body of Knowledge, Guide book. ( 2003)