WISQA: Risk Management for I/S Projects

Paula Duchnowski CQA, CSTE
paula.duchnowski@generalcasualty.com
General Casualty Insurance

May 9, 2002

Risk Management for I/S Projects

Why is Risk Management Important?
What is Risk?
Risk Management Process
– Identify project goals & objectives
– Identify Risk
– Analyze Risk
– Plan for Risk
– Control Risk

Why are we here?

Information Technology Projects are difficult to manage

Project failures occur with alarming frequency

Prudent measures to assess and manage risk can increase probability of project success

What is Risk?

A potential problem waiting to happen

May adversely impact schedule, cost, objectives

Will vary in probability, impact and timeframe

What is Risk Management?

Risk Management is a systematic process of identifying, analyzing and responding to project risk.

PMI’s PMBOK

Step 1: Identify Project Goals and Objectives

What are business objectives?
What are technical objectives?
What are project constraints?
Identify and state risks as they relate to the ability to achieve objectives within the known constraints

Note: If objectives aren’t well-defined - that is a major risk.

Case Study Introduction

Improving and enforcing the Software Development Life Cycle
– Small Shop
– Not a process-oriented culture

Project Objectives:
Increase consistency among all software development projects
Utilize processes that will increase the probability of project success

Step 2: Identify Risks

Encourage input of perceived risk
Identify risk while there is time to take action
Capture risk in readable format
Communicate risk to those who can solve it
Goal: Prevent project surprises

Risk Identification: examples

Inadequate Management Commitment

Ambiguous requirements

Inadequate user involvement

New Technology

Undefined or ambiguous Scope

Insufficient or inappropriate staffing

Inadequate tools or technology

Large and dispersed project team

Identifying Risks

Various publications and organizations have developed generic risk categories and generic checklists.

Checklists help assure you aren’t overlooking something

Consider three perspectives:
– Project Management and staffing
– Technical
– Quality of Product

Project Management Perspective: Tactical Considerations

Budget

Resource availability and expertise

Adequacy of Methodology / process

Project Size & Complexity

Schedule & Estimating risks

Vendor Management

Project Communication

Sponsorship and high-level support

Technical Perspective

Data Conversion: (GIGO)
System Interfaces
Operations / Post-implementation Support
New or unproven Technology
Implementation & rollout
Infrastructure support
Adequacy of Infrastructure
Legacy Impacts / Support

Quality Risks

How well will product meet expectations?
– Ease of Use
– Data Integrity
– Understand impact to users

Defects in production

Techniques to Identify Risk

Checklists: Several Checklists are available as reminders of possible risk areas to consider

Interviews: Group or individual

Working Group / Workshop

Periodic meetings: Dialogue of risk information

Surveys: Selected categories of people identify risks quickly

Statement of Risk

May need to “Drill Down” to determine the real risk to the project:
– Asking Why?
– Why is this situation a risk to the project?
– What is the worst case scenario if the risk is realized?
– Some less than ideal circumstances may not be true risks

Discussion

Case Study: Enhancing and enforcing the Software Development Life Cycle

What are some of the risks?

(be creative- pretend you know this company)

Step 3: Risk Analysis

Quantify two factors:
– Probability of a failure
– Impact of a failure

Risk Exposure (RE) = P x I

Examples:
– Tornado in Wisconsin (low probability, high impact)
– My son forgetting to take out garbage (High probability, low impact)
– Others: What risk(s) have you taken today??

Quantifying Risk

Early in Project
More difficult to be precise
Establish risk ‘order of magnitude’
Continue to revisit as part of risk management process

Quantifying Risk: Tools and Techniques

Decision tree
– Identify possible outcomes: associated likelihood and impact
Identify expected monetary value:
– (probability %) x (Risk event value)
Simulation:
– Prototype ‘what if’ scenarios
Expert Judgement (Use a ‘judgement’ based scale)

Quantifying Risk

Define scale you will be using for Probability and Impact

Try to define scale to correspond to key objectives and constraints

Look at example Checklist

See GC’s Risk Checklist

Work in Process
Based on Lessons Learned & Industry standard risks
Tool for PMs
Includes a risk ‘scale’ for probability and impact
Weighted factors for size & complexity

Discussion: Case Study Risks

What is probability of each risk occurring?

What is impact if the risk is realized?

Step 4: Plan for Risk

Develop Risk Management Plan

For each Risk
– Determine Time Frame for action
– Define Mitigation Strategy

Plan for Risk: Risk Management Plan

Define the Process for tracking and monitoring risk

Roles & Responsibilities

What and how risk information will be tracked

Establish Mitigation Strategies

Possible Mitigation Strategies

Acceptance: Consciously choose to live with the risk consequences

Avoidance: Eliminate the risk.

Protection: Backup / contingency plan, i.e. Redundant system.

Reduction: Reduce either the probability or impact of the risk.

More Mitigation Strategies

Research: Need more information - i.e. market research; prototypes

Risk Reserves: Leave a contingency - or margin for error.

Transfer: Shift risk to another organization, person or group (retain responsibility)

Document Known Risks

Description of risk
Date identified
Who identified
Category
Status
Risk Owner
Who is assigned
Mitigation strategy
Action Plan
Time Frame to act
RE: Probability & Impact
Other Measures:
– Quantitative threshold
– Leading indicators
– Risk Leverage

Discussion

Discuss possible mitigation strategies for case study risks

Step 5: Control Risk - On-going

Periodic monitoring and reporting of risk data
– Visibility and accountability regarding risk status
– Reports from risk repository
Periodic meetings / updates regarding risk status
Periodic re-assessment of risk exposure
Update Risk data and project plan

Summary

Why Risk Management is Important
Steps of a Risk Management Process
– Identify Project Goals & Objectives
– Identify Risk
– Analyze Risk
– Plan for Risk
– Control Risk

Thank you

Bibliography

Project Management Institute: Project Management Body of Knowledge

Keil, Mark; Cule, Paul; Lyytinen, Kalle; Schmidt, Roy: A Framework for identifying software project risks: Communications of the ACM, November 1998

Hall, Elaine. Managing Risk. Methods for software systems development. Reading, MA: Addison-Wesley Publishing, 1998.

Jones, Capers. Assessment and Control of Software Risks, 1994.

Mulcahy, Rita, Managing and Estimating Project Risks, September, 1999.