ITP-3 - Project Risk Assessment

profilejarfra
RiskandRiskManagement.pdf

Risk and Risk Management

Risk is something we live with every day in every way. I believe that a PM who does not

understand or address risk is headed for sure disaster. A PM can not possibly anticipate every

risk to the project, but having a sound risk management effort is essential. Therefore, we have a

separate weekly lecture so that you may have the benefit of seeing what risk is and how a PM

should be dealing with it.

One book says that uncertainty "decreases as the project moves toward

completion." What happens is that those things a PM didn't know at the beginning of the project

become known as the project moves to completion. The first schedule for the project is little

more than a guess. The number of people required for the project team are estimates. How long

the project should take is never based on some scientific formula; usually the schedule is dictated

by the need for the project to be completed by a certain date. Obviously, as you begin the project

and move through it, you will learn more about what it really costs or how long it really takes or

that you have all the wrong people on your team. So, from that perspective, the author is right

that uncertainty decreases as the project moves toward completion. But you are the PM. You

have just been assigned. What ARE the risks you will be dealing with?? How do you identify

them and how to you eliminate them or at least mitigate (taking action to avoid or minimize the

risk) them?

There are volumes and volumes of literature and techniques for answering these

questions. This lecture is a brief, and very simple, approach to risk that you may find to be a

good start when, as a PM, you need to address risk. You are free to find any source or help you

want to supplement this lecture. A thoughtful student would be able to define and discuss risk as

it relates to project management, in case the subject comes up in your job or with other teams

that you work with.

Risk is defined as the possibility of loss or injury. Identifying and managing risk

allows a PM to lessen the loss or injury to the project. Our first point in dealing with risk is that

managing risk can be expensive. The PM will need to assess identified risks and determine if the

benefits of mitigating the risks outweigh the costs. For example, if you are the project manager

for moving your company to a new building in New Hampshire, you COULD have the building

built to resist earthquake damage. You have identified acts of nature as a potential risk;

earthquakes are a force of nature; and you decide that it is better to be safe than sorry, so you

contract to have the building built using reinforced, flexible materials in case of an earthquake,

probably at great additional expense. But how often do earthquakes strike New Hampshire?

Certainly not often enough to justify the cost of earthquake-proofing the building. But, you have

addressed and mitigated the risk! Now, let's say you are tasked to move your company to

California. Now is the earthquake preventative measures worthwhile? Yes! Earthquakes are a

real risk in California, so the costs involved to mitigate the risk could prove to be money well-

spent. So the first rule of risk managing is to make sure the cost or benefit of mitigating risk

outweigh the risk itself.

As I mentioned, risk needs to be identified at the beginning of the project. Some risks will

be known early enough to include them in the project charters as you did. Otherwise, the project

team will find and identify risks through the life of the project. Obviously, the first risks

identified will affect the cost, schedule and deliverable or outcome of the project. Cost, schedule

and deliverable are not, in and of themselves, RISKS. The risks you identify will AFFECT the

cost, schedule and deliverable. So, if material were delivered late, or experienced a sudden jump

Page 2

in price, this would affect your schedule or your cost. So the RISK is late delivery or suddenly

increasing price – NOT the cost and schedule of the project. This is a fine point, but worth

spending the time thinking about and understanding. WHAT could cause your project to be late,

over budget, or not what the customer ordered? THAT is the risk!

And the whole purpose of the project is to manage the cost, schedule and outcome. Many

project managers have a risk management plan. This risk management plan is updated on a

regular basis to eliminate the risks that have passed and to add the risks that continue to be

identified. There are risks associated with each stage/phase of your project, but as you progress

some of those will go away and new risks will become known. For example, if you are buying a

house, an early risk might be that the house has termites. You have a termite inspection and find

out that the house does not have termites. Therefore, the risk of termites can now come out of

your risk management plan. But then you find out that the house is built on a high water table, so

you now know there is a risk of leaks in the basement - so you add that to your risk management

plan. The Plan should be a living document that is revisited REGULARLY.

All risks will have some cost, schedule or performance impact. To mitigate a risk, you

must address its impact to cost, schedule or performance/outcome. If you are forced to exercise

your contingency plan (what you will do if the risk happens), you must be prepared to pay for the

contingency with cost, schedule or performance/outcome. So now, we must identify the risks we

know as they relate to the cost, schedule and outcome.

The mechanics of how a PM does this varies from PM to PM and from project to project.

As PMs gain more experience, they use more and more sophisticated means. The very first step

is to identify and document everything that threatens the program. My favorite method is with a

series of brainstorming sessions. We, as a team, look at everything we can think of to determine

what we know and what we don't know. For example, has similar work been done before? If yes,

what went wrong and what happened that was unexpected? If no, is the project even feasilble?

Does it push the state of the art into unknown territory? Is it bleeding edge technology? Is the

project the first application of pure lab-based research?

For the purposes of our example, we'll pretend that we are building a software application

to provide a functional capability in the personnel or human resources office. Let's start by

addressing all the things we don't know:

• We don't know if our cost estimates are valid.

• We don't know if we can get the people we need when we need them.

• We don't know if the requirements have been thoroughly documented.

• We don't know if we will be able to get the people and equipment for a thorough testing of the developed software.

• We don't know if we will be able to build the interfaces with the existing applications or be able to migrate data to the new application, for starters.

I'm sure as you sit with your team, you will discover lists and lists of risks, those things

that are unknown or could threaten your project. As you build your work breakdown structure,

you will continue to find areas, items and actions that need to be documented so you can manage

the uncertainty. After you make the list (and you will revisit, revamp and revise the list

continually through the project), you may go through the list to prioritize the risks you have

Page 3

identified. WE have to determine the level of importance, so we know what to do with the risk.

We will mitigate the risk (take action to AVOID the risk happening), or we will avoid the risk

(do nothing and hope it doesn’t happen). If we ignore the risk, we still should have a

contingency plan so that we know what to do if the risk really DOES happen. It’s important to

understand the difference between mitigation and contingency – mitigation is what we do

BEFORE a risk happens; it is the PLAN to avoid or minimize the impact of the risk.

Contingency is what we do AFTER the risk happens – our Plan B and how we minimize the

damage or harm.

You will go through a process of determining what will have the greatest impact on your

project if it really happens. If you are in New Hampshire, the likelihood of not having a good

requirement is more probable than the likelihood of an earthquake. So your requirement ranks

higher on your list (I hope!). You may use a very quantifiable method of ranking, like assessing

and assigning probability, or you may rank based a a simple process like "high, medium or low"

risk, or any other methodology for ranking and rating. Like the list itself, the ranking of the

items on the list may change from time to time. For example, say a vague or changing

requirement ranks high as a very real, very probable risk but senior level management

sponsorship for the project is a low risk because you are sure you have total support for your

project. Six months or a year later, you have been able to develop software against the

requirement you had, but the senior level management has changed because of a corporate

merger. NOW the senior sponsorship and approval is a high risk but the requirement is a low

risk.

So, risks are looked at from TWO perspectives – (1) how likely is this risk? In other

words what are the chances this risk will really happen? And, (2) if the risk happens, what is the

impact to my project? So, if we think about having a big party as soon as our newly constructed

house is finished, we would have to consider (1) is the house likely to be finished on schedule;

and, (2) if the house is not finished on schedule, what happens to the party? Another example, if

we are planning a cruise for a special even in September, we would have to consider hurricanes.

How likely is it that a hurricane would affect the cruise? And, if a hurricane DOES happen and

results in the cruise being cancelled, what happens to the money we paid for the cruise tickets?

Look at the likelihood and then the impact. Is it likely that a building in Kansas will be destroyed

by a tornado? No. But if the building IS destroyed by a tornado and this is the backup facility for

all of our archived data storage, what is the IMPACT on our company and its ability to do

business?

After the PM identifies and documents all risks, and then prioritizes the list from most

important, or critical to the program, the PM will address what actions could be taken to

eliminate or mitigate the risks. This is where reality comes in. To mitigate the risk of earthquake,

you could build an earthquake resistant building or you could move to a less earthquake prone

area, or you could increase your earthquake insurance. In the case of the vague requirement risk,

you could take more time for requirement development, include people from the requirement

activity on the team, compare the requirement to similar efforts, and benchmark the requirement

by comparing it with others done elsewhere, among other possible ways to mitigate the risk of

vague requirements. Now, how many ways are there to mitigate the risk of data migration?

So now, the PM has identified the risks, ranked them based on priorities or what can do

the most damage to his/her project and what is most likely to happen, and identified several

Page 4

different ways to keep the risk from occurring or minimizing the impact of the risk on the

project.

The next step is to identify what you will do if the risk really happens. What will you do

if your building is damaged by an earthquake? What will you do if your number one researcher

takes another job? What will you do if the merger goes through? The contingency is what will

happen next. In Information Technology, we usually build "continuity of operations" (COOP)

plans - what we will do if our systems break for one reason or another. We MITIGATE problems

by building back-up systems and if our systems really breakdown, our CONTINGENCY is to

switch to those back-up systems to continue our business.

And then as a PM, you may only be able to manage the "high" priorities. What you may

find is that your top priorities all have costs associated with the mitigation actions. Obviously,

you will only mitigate those risks you can afford. You can't put your software development

organization in a fireproof building to avoid the risk of fire, for example, because it would cost

too much..

Now for a real life example: A few years back, I worked on a software program that

required multi-level security access. In other words, the users might have secret, top secret or no

clearance when they got into our system. The software needed to determine what level the user

had and would only give that user information that the user had security clearance for. At the

time, the capability for multi-level security was early bleeding edge - only a few vendors had

attempted to build it, and none had been certified by the National Security Agency or the

National Institute of Standards and Technology, both of which were required. Therefore, we had

a requirement with a high risk rating and the only mitigating actions possible were to cancel that

part of the requirement to avoid project delay OR delay the project. We HOPED that by the time

we needed the capability, the capability would be there. And the technology was rapidly moving

in that direction - it was a race against time! Let me know if you want to know the outcome!

So, as you finish this lesson, you should be able to describe the difference between

mitigation and contingency, and be able to discuss the risk management process.