Part 7: Steps to manage risk


 


Risk Identification

Risk Analysis

Risk Planning

Risk Tracking

Risk Control

Risk Communication
 


Risk Identification: 

Risk is an undesirable situation or circumstance, which has both a
probability of occurring and a potential consequence to project success.
Risk has an impact on cost, schedule, and performance. Risk identification
is the process of identifying uncertainty within all aspects of a project.
In other words: what might go wrong and what happens if it does. For most
information system projects, these risks may be grouped in the following
categories:

- Technical. Risk associated with creating a new capability or capacity

- Supportability. Risk associated with implementing, operating, and
maintaining a new capability

- Programmatic. Risk caused by events outside the project's control, such as
public law changes

- Cost and Schedule. Risk that cost or schedule estimates are inaccurate or
planned efficiencies are not realized



Risks should be identified continuously by project participants (at all levels),
and the project management team should capture these risks in definitive
statements of probability and impact. Lessons learned from previous projects may
be a significant source for identifying potential risks on a new project.

Risk identification process goals

Encourage input of perceived risk from the team

Identify risk while there is time to take action

Uncover risk and sources of risk

Capture risk in a readable format

Communicate risk to those who can resolve it

Prevent project surprises

Checklist, interview, meeting, review, routine input, survey, working group.


Risk Analysis

Risk Analysis quantifies the identified risks and conducts detailed
sensitivity studies of the most critical variables involved. The outcome of
these analyses may be a quantified list of probabilities of occurrence and
consequences that may be combined into a single numerical score. This single
score allows project risks to be prioritized.

 

Risk analysis process goals

Analyze risk in a cost efficient manner

Refine the risk context

Determine the source of risk

Determine the risk exposure

Determine the time frame for action

Determine the highest-severity risk

 

Analysis process activities

Group similar and related risks

Determine risk drivers

Determine the source of risk

Use risk analysis techniques and tools

Estimate the risk exposure

Evaluate risk against criteria

Rank risks relative to other risks

 

Risk exposure (RE) = Probability x Cost
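
The analysis steps above, worked through as an added example (not part of the original page): each risk gets a single score from RE = Probability x Cost, the register is ranked by that score, and a simple sensitivity study shows how far each risk moves in the ranking when its probability estimate is off. The register entries, the dollar figures and the 0.10 probability shift are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    name: str
    category: str       # one of the four categories listed under Risk Identification
    probability: float  # estimated probability of occurrence, 0.0 to 1.0
    cost: float         # estimated consequence, in currency units

    @property
    def exposure(self) -> float:
        """RE = Probability x Cost."""
        return self.probability * self.cost

# Constructed sample register (all names and numbers are illustrative).
REGISTER = [
    Risk("new-interface-performance", "Technical", 0.30, 200_000),
    Risk("operator-training-gap", "Supportability", 0.50, 60_000),
    Risk("public-law-change", "Programmatic", 0.10, 500_000),
    Risk("integration-underestimated", "Cost and Schedule", 0.40, 110_000),
]

def rank(risks):
    """Order risks by exposure, highest first."""
    return sorted(risks, key=lambda r: r.exposure, reverse=True)

def rank_sensitivity(risks, delta=0.10):
    """Shift each risk's probability by -delta, 0 and +delta (clamped to
    0..1) while holding the others fixed; return {name: (best, worst)} rank."""
    spread = {}
    for target in risks:
        positions = []
        for shift in (-delta, 0.0, delta):
            p = min(1.0, max(0.0, target.probability + shift))
            trial = [replace(r, probability=p) if r is target else r for r in risks]
            names = [r.name for r in rank(trial)]
            positions.append(names.index(target.name) + 1)
        spread[target.name] = (min(positions), max(positions))
    return spread

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.exposure:>10,.0f}  {r.category:<18} {r.name}")
    for name, (best, worst) in rank_sensitivity(REGISTER).items():
        print(f"{name}: rank {best} to {worst} when probability moves by 0.10")
```

With these constructed numbers the low-probability, high-cost risk moves between first and last place, which marks its probability estimate as the one to refine first.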


Risk Planning


Risk planning decides what to do about a project risk. Available actions are:


- Avoid the risk

- Assume the risk

- Transfer the risk

The action selected for each risk will depend on the project phase, the options
that are available, and the resources that can be used for risk management. A
majority of project activities involve tracking and controlling the project
risk.

 

Risk planning process goals

Provide visibility for key events and conditions

Reuse successful risk resolution strategies

Optimize selection criteria

Understand the next action for each high severity risk

Establish automatic triggering mechanisms

Risk planning process activities

Develop risk scenarios for high severity risks

Develop risk resolution alternatives

Select the risk resolution approach

Develop a risk action plan

Establish thresholds for early warning


Risk Tracking


Risk tracking involves gathering and analyzing project information that measures
risk. For example, test reports, design reviews, and configuration audits are
risk tracking tools used by project management to assess the technical risk of
moving forward into the next life cycle phase.

 

Risk tracking process goals

Monitor the events and conditions of risk scenarios

Track risk indicators for early warning

Provide notification for triggering mechanisms

Capture results of risk resolution efforts

Report risk measures and metrics regularly

Provide visibility into risk status


Risk Control


Risk control takes the results of risk tracking and decides what to do and then
does it. For example, if a project design review shows inadequate progress in
one area, the decision may be made to change technical approaches or delay the
project.


Risk Mitigation Techniques


Risk mitigation techniques are used to control or transfer risk until an
acceptable risk level is reached. The most common techniques are inherent in
good management and engineering practice:

- Budget management reserve - mitigates cost risk

- Schedule slack - mitigates schedule risk

- Parallel development - mitigates technical risk

- Prototyping - mitigates technical risk

- Incentive fee and incentive-firm contract types - mitigates cost risk

- Incremental deliveries - mitigates …

- Entrance and exit criteria for major design reviews - mitigates cost, schedule
and technical risks


Risk resolution process goals


Assign responsibility and authority to the lowest possible level

Follow a documented risk action plan

Report results of risk resolution efforts

Provide for risk-aware decision making

Determine the cost effectiveness of risk management

Be prepared to adapt to changing circumstances

Take corrective actions when necessary

Improve communication within the team

Systematically control the software risk

 

Risk resolution process activities


Respond to notification of triggering event

Execute the risk action plan

Report action against the plan

Correct the deviation from the plan

Risk Communication


Risk information should be communicated to all levels of the project
organization and to appropriate external organizations. This ensures
understanding of the project risks and the planned strategies to address the
risk. Risk information then feeds the decision processes within the project and
should establish support within external organizations for mitigation
activities. For example, an agency comptroller who understands the project risks
is more likely to allow the project manager to have a management reserve within
the project budget.

Communicating risk information in a clear, understandable, balanced, and useful
manner is difficult. The ability to state the problem at hand clearly,
concisely, and without ambiguity is essential.

 

Force field analysis

Force field analysis is a technique to help people understand the positive and
negative aspects of change.

Force field analysis provides motivation to overcome the barriers. Compelling
reasons that change is needed provide motivation for the use of risk
management.


Force field for Risk Management adoption

| Driving forces | Restraining forces |
| --- | --- |
| Provides a focus on goals | Management lacks commitment |
| Satisfies customer requirement | People are resistant to change |
| Increases visibility for high risk areas | The team has no time for training |
| Promotes communication of risks | The process levies extra work |
| Provides a risk-aware decision | There is lack of available tools |
| Helps resolve difficult issues | Attitude towards risk is negative |
| Contributes to a more realistic plan | People are already too busy |
| Helps avoid surprises | Staff support is lacking |
| Helps prevent problems | Individuals fear retribution |
| Reduces work | People fear failure |



The power pyramid

 

Admit weakness

Eliminate waste

Discuss failures

Expand knowledge

Show appreciation

Take chances

 

