WINSEM2020-21 CSE1005 ETH VL2020210504074 Reference Material I 25-Feb-2021 Risk
Risk Management tree (Boehm, 1991), figure reconstructed as an outline:
Risk Assessment
  Risk Identification
  Risk Analysis
  Risk Prioritization
Risk Control
  Risk Management Planning
  Risk Resolution
  Risk Monitoring
How to Categorize Risk
Risks: known, unknown, unknowable
Known Risks: Risks that can be uncovered after careful evaluation of
the project plan, business and technical environment, and other reliable
sources of information (e.g. unrealistic delivery dates, lack of user input,
etc.)
Refer to those risks that can be estimated from historical information
Can be mitigated by management techniques and through response
plans, should they occur
Example: Potential delay in delivery from third-party vendor
Example: Key personnel leave project
Example: Development systems down
How to Categorize Risk
Predictable Risks [but unknown risks]: Risks that can be extrapolated from
past projects. (Staff turnover, poor communication with the customer)
Refer to those risks that we know have a probability of occurring, but do
not know the precise impact
Cannot be managed directly but can be mitigated by the use of
contingency
Example: Loss of key personnel due to turnover
Unpredictable Risks
“Joker” risks that are hard to predict.
Unknowable risks
Refer to those risks that are outside the scope of historical or
probabilistic models for the project
Are beyond the scope of risk management and usually are addressed by
crisis or disaster management
Examples: Corporate failures, natural disasters, acts of terrorism or war,
major snowstorm and power loss
Risk management model (after Taylor): cycle diagram linking Risk Response
Planning, Risk Control, and Risk Monitoring.
Risk Management Planning
Introduction
Risk Management Planning addresses how to approach,
plan, and execute all of the project risk management
activities
The risk management plan is critical to the overall risk
management process
Risk management plan is an input to every other risk-related process
in the Planning Process Group
A well-defined, comprehensive risk management plan enhances the
chances of success of the risk management process
Risk identification input
Enterprise environmental factors
Concerned with aspects of the enterprise outside of
project
One source may be enterprise historical information
Industry or academic research is another excellent
source
» Example: The Gartner Reports
» comp.risks (Usenet discussion group/mailing list, see
reading list)
Input to risk management planning
Enterprise environmental factors
Most critical environmental factors are the risk tolerance levels of the
organization and the stakeholders
» Risk tolerance expresses an inherent trade-off decision between
benefits and cost
» Stakeholders will take a risk if the benefits to be gained outweigh
what could be lost
» Conversely, stakeholders will avoid taking a risk when the cost
or impact is too great for the amount of benefit that can be
derived
Input to risk management planning
Organizational process assets
Organization may already have policies and guidelines that define its
risk tolerance
Project scope statement
Project assumptions, constraints, and initial defined risks in scope
statement
The project scope statement contains several information sources
for risk management planning:
» Project deliverables
» Project constraints
» Project assumptions
» Initial project organization
» Initial defined risks
» Schedule milestones
Risk identification input
Risk management plan
Risk categories (e.g. as defined in RBS) are primary source of input
Budget and schedule for risk management activities
Project management plan
Project management plan contains schedule, budget, and quality
plans which may be sources of risks
Risk management plan becomes an integral part of the project
management plan
All other project management processes and guidelines comprising
the project management plan should be considered in light of
potential risks
Risk management plan should be consistent with the overall
direction and management approach of the project
Risk management planning: tools & output
Risk management planning tools
Planning meetings are the main tool for risk management planning
Attendees should include the project manager, members of the
project management team, and stakeholders who can contribute
risk-related information
Meetings will involve analysis of risk for the project, risk tolerance of
the organization, and calibrating risk to the project and organization
Risk management planning output
The risk management plan is the only output from the risk
management planning process
Risk management plan is detailed on following slides
Risk management plan content
Methodology. How risk management will be performed,
including methods, tools, and sources of data
Roles and responsibilities. Team of people responsible for
managing identified risks and responses, the risk ‘owners’
Budgeting. Assign resources and estimate costs of risk
management and its methods
Timing. Timing and frequency of the risk management
processes
Risk categories. Develop and review during planning. Used
in risk identification
Risk management plan content
Definitions of risk probability and impact. Discussed in detail in
Qualitative Risk Analysis
Probability and impact matrix. Discussed in detail in Qualitative
Risk Analysis
Revised stakeholder tolerances. Risk planning may result in
changes in stakeholder tolerance
Reporting formats. Describes the content and format of the risk
register, the dictionary of risks for project
Tracking. Describes how the risk activity history will be
documented and how risk processes will be audited
Risk categories
Risk categories are identified during risk management
planning
Risk categories systematically classify risks and provide a
context for understanding those risks
Used in successor process, Risk Identification
Starting point list of risk categories:
Technical, quality, or performance risks
Project management risks
Organizational risks
External risks
Risk categories
Technical/quality/performance risks
Unproven or complex technology
Changes to technology anticipated during the course of
the project
Unrealistic quality goals
Unrealistic performance goals
Risk categories: risk breakdown structure (RBS) diagram, analogous to the WBS.
Example entries recoverable from the figure: Technology Changes, Resource
Planning, Unrealistic Objectives, Weather, Complex Technology, Project
Disciplines, Lack of Funding, Labor Issues, Performance, Budgets.
* Managing Risk: Methods for Software Systems Development. Elaine M. Hall, Addison-Wesley, 1998
Risk identification: tools and techniques
Root cause analysis (cont’d)
Example (based on actual case):
» O-O DB vendor is porting O-O DB to (our) new platform and has
been identified as potential schedule risk
» Why? Vendor has requested additional time to deliver O-O DB
» Why? Vendor did not complete critical intermediate deliverable
required for delivery
» Why? Vendor was unable to get concurrency (threads) to work
properly
» Why? Vendor is using design from another platform with different
OS
» Why? Vendor has no development experience programming with
threads
» Note that this is a capability issue, not a technical issue!
Risk identification: tools and techniques
Checklist analysis
Based on historical information and previous project team
experience – requires one or more similar projects
Risks can be compiled into a checklist
Lowest level of the RBS can be used as a starting point for a
checklist
Checklists for projects cannot ever be exhaustive (remember,
projects are unique)
Risk identification: tools and techniques
Assumptions analysis
Validates the assumptions identified and documented throughout the
project planning processes
Assumptions should be accurate, complete, and consistent
Assumptions are tested against two factors:
Diagramming techniques
Cause-and-effect (fishbone or Ishikawa) diagrams
System or process flowcharts
Influence diagrams
Cause and Effect Diagram
Also known as the Ishikawa (or fishbone) diagram
Shows the relationship between the effects of problems and
their causes
Depicts every potential cause and sub-cause of a problem
and the effect that each proposed solution will have on the
problem
Useful as a tool for visually representing and capturing
cause-and-effect relationships
Fishbone Diagram (figure, reconstructed as an outline). Effect: Effective
Inspection. Cause branches and their sub-causes:
Moderator: Familiar with Process; Trained; Moderator Checklist
Planning: Ensure Key Participants are Present; Determine/Select
Participants; Determine Number of Sessions; Determine if Overtime is
Needed; Schedule Meetings
Follow-up & Completion: Ensure Procedures are Followed; Resolve All Major
Defects; Determine Defect Origin
Inspection Package: List of Major Items for Discussion at Inspection;
Inspectors
Review: Minor Error Log; Defect Recording; Ensure Coverage
System or process flowcharts
Familiar diagram to most stakeholders
Depicts cause/response project variables
May also show the sequencing of events
Used to visually depict risks
Flowchart example (figure, reconstructed): uses a decision symbol and a
trigger symbol. "Preparation" leads to the decision "Risk response plan
executed?"; the N branch loops back, the Y branch leads to "Assign
resources / implement response plan". A "Quality" track surrounds RISK with
the activities identify, analyze, plan, and track.
How risk averse are you?
Risk averse people:
I like being dependable and I’m usually punctual.
I am not likely to take chances.
I am responsible and prefer to work efficiently.
I am more service oriented than self oriented.
I value institutions and observe traditions.
Risk seeking people:
I like action, and I act impulsively at times.
I seek excitement for the thrill of the experience.
I am resourceful and prefer not to plan or prepare.
I am more self oriented than service oriented.
I like to anticipate another person’s position.
Risk neutral people:
I trust my intuition, and I am comfortable with the unknown.
I think about the future and have long-range objectives.
I am naturally curious and often ask, “Why?”
I enjoy generating new ideas.
I work best when I am inspired.
Elements of Risk Analysis (figure): "What are the risks involved in getting
to work?" and "Reduce the occurrence and/or impact of the risk."
Risk categorizations
Entries in the RBS can help identify the project phase
and determine the elements of the project that are
affected by risk
Risk urgency assessment
Do not try to deal with all risks at the same time
Analogous to rolling wave planning: determine how
soon potential risks might occur
Develop risk response plan for those risks that
might occur soon
For greater efficiency and effectiveness, only the
top ten risks should be actively managed
Maintain a watch list of the remaining risks to
replace those on the ‘top 10’ list that are mitigated,
controlled, eliminated, or that don't materialize
Outputs: Updates to the risk register
Update risk register with the following information:
Risk ranking of identified risks. Order the identified risks by risk
rating
Risks grouped by categories. Identify low, medium, and high risk
groups to allow easier risk urgency assessment and planning
List of risks requiring near-term responses
List of risks for additional analysis and response
Watch list of low-priority risks. Low-priority risks can still impact a
project – monitor them
Qualitative Risk Analysis trends. Look for patterns that might help in
response planning
Risk Response Planning: Introduction
Risk response planning is concerned with developing
options and possible reactions to mitigate threats and
exploit opportunities discovered during the risk analysis
processes
The severity of the risk dictates the level of risk response
planning that should be performed
A risk with low severity is not worth the time it takes to
develop a detailed risk response plan
Risk responses should be cost effective
If the response cost is more than the cost of the risk,
formulate a less-costly risk response
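The ranking, top-ten and watch-list rules from the urgency assessment, plus the cost-effectiveness test on responses, worked as an added Python example (not part of the lecture material). The 0-1 probability, the 1-5 impact score, the low/medium/high thresholds and the sample register are my assumptions.

```python
"""Risk register triage: rank, split into active/watch list, flag costly responses."""
from dataclasses import dataclass

TOP_N = 10  # the slides: only the top ten risks are actively managed


@dataclass
class Risk:
    name: str
    category: str          # RBS category (technical, organizational, external ...)
    probability: float     # assumed 0.0 .. 1.0 likelihood of occurrence
    impact: int            # assumed 1 (negligible) .. 5 (severe) impact score
    loss_if_occurs: float  # cost to the project if the risk event happens
    response_cost: float   # cost of the planned risk response

    @property
    def rating(self) -> float:
        # probability x impact, the usual probability-and-impact matrix score
        return self.probability * self.impact


def level(rating: float) -> str:
    """Low/medium/high grouping; thresholds are assumed for a max rating of 5.0."""
    if rating >= 2.0:
        return "high"
    if rating >= 1.0:
        return "medium"
    return "low"


def triage(register: list[Risk], top_n: int = TOP_N) -> dict:
    """Order by rating, keep the top N active, park the rest on a watch list."""
    ranked = sorted(register, key=lambda r: (-r.rating, r.name))
    by_level: dict[str, list[str]] = {"high": [], "medium": [], "low": []}
    for r in ranked:
        by_level[level(r.rating)].append(r.name)
    # Response costing more than the expected loss (p x loss) needs a cheaper option
    rework = [r.name for r in ranked
              if r.response_cost > r.probability * r.loss_if_occurs]
    return {
        "active": [r.name for r in ranked[:top_n]],
        "watch_list": [r.name for r in ranked[top_n:]],
        "by_level": by_level,
        "rework_response": rework,
    }


# Constructed sample register, loosely based on the lecture's own examples
SAMPLE_REGISTER = [
    Risk("O-O DB vendor port slips", "technical", 0.6, 4, 120_000, 30_000),
    Risk("Key developer leaves", "organizational", 0.3, 5, 80_000, 10_000),
    Risk("Major snowstorm closes office", "external", 0.1, 2, 5_000, 8_000),
    Risk("Unrealistic performance goal", "technical", 0.4, 3, 40_000, 15_000),
]

if __name__ == "__main__":
    print(triage(SAMPLE_REGISTER, top_n=3))
```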
Risk Response Planning: Introduction
Risk responses must be timely
An untimely risk response itself becomes a risk
Risk responses must be agreed to by all the project
stakeholders
Risk responses must be assigned to an individual (the risk
owner) who is responsible for monitoring the risk and
executing the risk response plan if needed
Tools and Techniques
Strategies for negative risks or threats
Avoidance
Risk avoidance evades a risk, eliminates the cause of the
risk event, or changes the project plan to protect the
project objectives from the risk event
Risk avoidance eradicates the risk by removing the risk
or its cause
Risk avoidance is most suitable in the early stages of a
project, through improved communications, additional
resources, or more-clearly defined scope
Example: Risk of interfacing Membership Management
System (MMS) to external art museum membership
systems can be avoided by eliminating requirement to do
so
Strategies for negative risks or threats
Risk transfer
Risk transfer moves the risk and the consequences of
that risk to a third party
Responsibility for the management of that risk now rests
with another party
Risk transfer comes in many forms but is most effective
for financial risks
» Example: Insurance is one form of risk transfer
Strategies for negative risks or threats
Contracting
Contracting is another form of risk transfer
The contractor accepts certain aspects of the risk and
responsibility for the cost of failure
Types of contracts:
» Fixed-price contract. Contractor increases cost of the
contract to compensate for the level of risk they are
accepting
» Cost reimbursable contract. Contractor receives
compensation for additional costs. Majority of the risk
remains with the buyer [remember the VCF]
Risk Mitigation, Monitoring, and Management
Mitigation – how can we avoid the risk?
Monitoring – what factors can we track that will enable us
to determine if the risk is becoming more or less likely?
Management – what contingency plans do we have if the
risk becomes a reality?
Strategies for negative risks or threats
Mitigation
Risk mitigation attempts to reduce the probability of a risk event
and/or its impacts to an acceptable level
Risk mitigation takes the viewpoint that fixing a problem earlier in a
project is less costly than fixing it later
Examples: performing more tests, using simpler processes, performing
simulations, choosing vendors for reliability over cost
Risk acceptance
The risk is acknowledged, but no action is taken unless the risk
occurs
Appropriate when it is not possible or cost-effective to address a
specific risk in any other way
Passive acceptance simply documents that the acceptance strategy
has been adopted and leaves the project team to deal with the risks
Active acceptance establishes risk reserves, such as a pool of funds,
time, or resources to be held for use in response to a risk event
Strategies for negative risks or threats
Risk contingency plans
Contingency planning involves planning alternatives to deal with the
risks should they occur
Contingency plans do not seek to reduce the probability or impact of
risks—the strategy accepts that the risk may occur and plans ways
to respond to the risk
A contingency plan is executed when the risk event occurs
Contingency plans must be in place well before the time the risk may
occur
Contingency (fallback) plans are developed for risks:
» With very high impact or:
» With response strategies that may themselves be risky
Contingency plans usually entail a significant alternative path
through part of the project
Example: disaster recovery plan
Contingency planning tools
Contingency allowances (or reserves). Contingency allowances provide
a pool of funds, time, or resources that are held for use in response to
an unavoidable risk event
Example: Including contingency time in case of loss of key personnel
Fallback plans. Fallback (or ‘Plan B’) plans are developed for risks with
high impact or for risks with strategies that may in themselves be risky
Fallback plans may be used to address secondary risks
Example: Use of a relational database plus object-oriented interface
in place of pure O-O database
Strategies for positive risks or opportunities
Exploitation
Exploitation involves looking for opportunities for positive impacts
Example: Reduce project duration by using more experienced
resources on critical tasks
Sharing
Sharing is the positive analog to transferring
Sharing assigns risk to a third-party owner who is better able to use
the opportunity the risk presents
Example: Form a joint venture between a technical software
company and marketing and sales firm
Sidebar: Residual and secondary risks
Secondary risks arise as a result of implementing a risk
response – they are the risks inherent in the response
Identify and plan responses for secondary risks using tools such as
fallback plans
Example: O-O/RDB expert consultant becomes ill
Residual risks are those that cannot be effectively dealt
with within the rest of the risk plan
Example: Some risk may remain as a result of other response plans.
Residual risks are usually dealt with through contingency reserves
Example: Developer skills risks (resource planning risk) associated
with alternate database solution
Risk response planning outputs
Risk register updates
List of identified risks, including:
Descriptions
WBS element or area of the project impacted
Categories (RBS)
Root causes
Project objectives impacted by the risk impacts
Risk owners and their responsibilities
Risk triggers – precursors to risk event; Trigger conditions,
symptoms, and warning signs of a risk occurrence
Response plans and strategies
Specific actions to implement the chosen response strategy
Fallback plans if the primary response strategy proves inadequate
Risk response planning outputs
Risk register updates
Cost and schedule activities needed to implement risk
responses
Contingency plans
Contingency plans and triggers for their execution
Contingency reserves for cost, time, and resources
Fallback plans