Planning for Risk and Change

Geoff Leese Sept 1999 revised Sept 2001, Jan 2003, Jan 2006, Jan 2007, Jan 2008,

Dec 2008(special thanks to Geoff

Leese)

Risk and risk management

Much “risk management” focussed on Health and Safety risks these days

Topic is much bigger than that Business risk Security risk Business continuity

Introduction

Is it worth doing? Cost/benefit analysis

What might affect it if we go ahead? Risk management

Cost-benefit analysis (1)

Cashflow projection Payback period

Time taken to “break even” Return on Investment (Accounting

Rate of Return) average annual profit/total

investment*100

Cost-benefit analysis (2)

Present value value in year t/(1+r)t

“r” is discount rate as decimal value Discount factor tables are available! Net Present Value of a project (NPV)

Sum of discounted values of all cashflows for that project

Assessment of riskRisk Importance Likelihood

Customer cancels contract High Low

Supplier goes bankrupt Low Medium

Budget exceeded by <= 20% Low Medium Budget exceeded by > 20% Medium Low Maintenance costs higher than estimate

Low Low

Response time targets not met

Low High

“Risky” projects less likely to start.

Apply “Risk premium” to discount rates for NPV

Expected Value

Sales Net AnnualIncome (I)

Probability(P)

ExpectedValue (I*P)

Optimistic £800,000 0.1 £80,000

Most Likely £650,000 0.6 £390,000

Pessimistic £100,000 0.3 £30,000

ExpectedIncome

£500,000

Weighted average of all possible outcomes. A useful measure for comparing contracts!

Risk Profile Analysis

Sensitivity analysis Vary each factor (in turn) by + or -

5% Recalculate costs/benefits Indicates sensitivity of project to each

factor Helps with risk assessment

Monte Carlo Method? (see Cotterill. & Hughes Chap 7)

Decision trees (1)Improve or replace machinery?Market will expand, or not expand?

D

Improve

Replace

Expansion

Expansion

No expansion

No expansion

NPV (£)-100,000

75,000

250,000

-50,000

0.2

0.8

0.2

0.8

Decision trees (2)

Improve - (0.2*-100,000) +(0.8*75,000) =£25,600

Replace (0.2*250,000) + (0.8*-50,000) =£10,000

Therefore choose Improvement!

Project Evaluation

Evaluate on economic,strategic and technical grounds

Assess all costs & income over lifetime of project

Discount accordingly Allow for uncertainty! Evaluate expected outcomes and

choose strategies

Risk management (1)

Estimation errors Use historical data and keep records!

Planning assumptions State, and be prepared to revise

them! Eventualities

Identify, and deal with them!

Risk management (2)

Hazard identification Risk analysis Risk prioritisation Risk reduction Risk monitoring

Hazard identification

Contract Factors (is it special or different?) Customer Factors Staff Factors Project Methods Technology Factors Changeover Factors Supplier Factors Environment Factors

Consider for each phase or product!

Risk Analysis (1)

Risk Value = Likelihood * Impact Impact expressed as monetary

values? Likely to be difficult or impossible!

Likelihood AND impact expressed using “arbitrary scale “ (1-10)

Most likely - 10, least likely - 1 Highest impact -10, lowest impact - 1

Risk Analysis (2)

Hazard Likelihood Impact Risk Value

Sickness affecting critical path activities

5 7 35

Production takes longer than expected

5 5 25

Specification takes longer than estimate

3 7 21

Sickness affecting non-critical activities

7 3 21

Changes to requirements during production

2 8 16

Product testing shows up design deficiencies

1 10 10

Risk Prioritisation Prioritise by risk value? Consider

Confidence in assessment Compound risks Number of risks Cost of action

Risk Reduction Leverage (RRL) = (RV(before) - RV(after))/risk reduction cost Use the same units!

Risk Reduction (1)

Hazard prevention Likelihood reduction Risk avoidance Risk transfer Contingency planning

Risk Reduction (2)

Personnel shortfalls get the best, job matching, early

scheduling, personal development, team building

Unrealistic estimating multiple estimates, use of different

techniques, standardisation of methods, use of historical data

Risk Monitoring

Assign INDIVIDUALS to monitor risks Part of “change plan” Use PERT techniques to assess

potential effects of uncertainties on project schedule 3 way estimating Activity standard deviations Probability & “Z” values” (Cott. &

Hughes)

Evaluation and Review

Projects should be reviewed on completion The risk management plan should be

reviewed at the end of the project . Risks were successfully foreseen? Contingencies were properly planned for? Lessons to be learnt? Improvements to be made? should be built into the risk management plan

Change Control Plan

Vital part of the project plan Changes are almost inevitable

Example: the client originally asked for sweetcorn on all sandwiches but now wants sweetcorn on tuna only. What changes will need to be made?

Project roles should include a Project Librarian, responsible for logging change requests and responses.

Controlling Change

Risk of “scope creep” One big change? Lots of little ones? Poorly documented changes make

maintenance and enhancement difficult May comprise the integrity of the design May comprise the profitability and

deliverability of the contract

Change Control Plan

Change Request (CRF) Change Specification Change Analysis Costing & feasibility Change decision (Change Control

Board) Change implementation &

documentation

And the downside -

Perceived as bureaucratic, expensive & time-consuming

Likely to annoy users and may affect their relationship with the company.

Will definitely annoy production staff. Restricts responsiveness to user needs Emphasises costs and control rather

than user needs

Summary

Project evaluation should we do it? How should we do it?

Risk management - what COULD happen if we do? How will we cope if it does?

Change control

Further Reading

http://www.rmri.co.uk/ Link to BSI risk management