Bài giảng PMBOK - Chapter 10: Project Risk Management

Chapter 10:Project Risk Managementadopted from PMI’s PMBOK 2000 and Textbook : Information Technology Project Management 1ContentsThe Importance of Project Risk ManagementProject Risk Management processRisk management planningRisk identificationQualitative risk analysisQuantitative risk analysisRisk response planningRisk monitoring and controlResults of good project risk managementChapter 102Typical Risk Management3The Importance of Project Risk ManagementProject risk management is the art and science of identifying, assigning, and responding to risk throughout the life of a project and in the best interests of meeting project objectivesRisk management is often overlooked on projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimatesStudy by Ibbs and Kwak show how risk management is neglected, especially on IT projectsKPMG study found that 55 % of runaway projects did no risk management at allChapter 104The goal of project risk management is to minimize potential risks while maximizing potential opportunities.Six processes includeRisk management planningRisk identificationQualitative risk analysisQuantitative risk analysisRisk response planningRisk monitoring and controlWhat is Project Risk Management?Chapter 10planningcontrolling5What is Project Risk Management?Risk management planning: deciding how to approach and plan the risk management activities for the projectRisk identification: determining which risks are likely to affect a project and documenting their characteristicsQualitative risk analysis: characterizing and analyzing risks and prioritizing their effects on project objectivesQuantitative risk analysis: measuring the probability and consequences of risksRisk response planning: taking steps to enhance opportunities and reduce threats to meeting project objectivesRisk monitoring and control: monitoring known risks, identifying new risks, reducing risks, and evaluating the effectiveness of risk reductionChapter 106Risk Management Planning15th of 21 planning phase processThe main output of risk management planning is a risk management planThe project team should review project documents and understand the organization’s and the sponsor’s approach to riskThe level of detail will vary with the needs of the projectChapter 107Inputs to Risk Management PlanningProject charter: formally recognizes the existence of a projectOrganization’s risk management policies: provide a predefined approach to risk analysis and responseDefined roles & responsibilities: provide authority levels for decision-making.Stakeholder risk tolerances: indicators of how stakeholders might react in different situations and risk eventsTemplate for the organization’s risk management plan: pro-forma standard for used by the projectWBS: a deliverable-oriented grouping of project elements that organized and defines the total scope of the project8Tools and techniquePlanning meetingseveryone responsible for planning and executing activities.9OutputRisk management planIt documents procedures for managing risk throughout the projectIt details identification and quantification of risk, responsibilities for managing risks, how contingency plans will be implemented, and how reserves will be allocated.other associated documents areContingency plan, feedback plan 10Contingency and Fallback Plans, Contingency ReservesContingency plans provide predefined actions that the project team will take if an identified risk event occursFallback plansdeveloped for risks that have a high impact on meeting project objectivesContingency reserve or allowancesextra provisions held by the project sponsor that can be used to mitigate cost or schedule risk if changes in scope or quality occurChapter 1011Risk Identification16th of 21 planning phase processRisk identification is the process of understanding what potential unsatisfactory outcomes are associated with a particular projectRisk identification is a facilitating planning processCommon Sources of Risk on Information Technology ProjectsSeveral studies show that IT projects share some common sources of risk12Table 10-3. Information Technology Success Potential Scoring SheetChapter 1013Other Categories of RiskMarket risk:Will the new product be useful to the organization or marketable to others? Will users accept and use the product or service?Financial risk:Can the organization afford to undertake the project? Is this project the best way to use the company’s financial resources?Technology risk: Is the project technically feasible? Could the technology be obsolete before a useful product can be produced?Chapter 1014Tools and TechniquesDocumentation reviews provide a structure review of project plans and assumptionsInformation gatheringbrainstorming, Delphi method, interviewing. SWOT analysisChecklistsprovided by previous projects. Assumptions analysisexplores the assumptions and identifies potential risksDiagramming techniqueshelp to understand various cause-and-effect relationships. Examples are cause-and-effect diagram. System or process flow-charts.15OutputsRisks – uncertain events or condition Triggers – symptoms of risks; indirect manifestation or actual risk events such as poor moraleInputs to other processes – for examples, constraints or assumptions16Qualitative Risk AnalysisQualitative Risk Analysis (17th of 21 planning phase process)It is the process to assess the impact and likelihood of identified risks.determine their magnitude and priorityChapter 1017Inputs:Risk management planIt documents procedures for managing risk throughout the project.Identified risktaken from previous risk identification process. Evaluate these risks for their potential impacts no the project.Project statusidentifies risks through the project life cycleProject typedetermines the amount of risk you can expect. Common or recurrent projects have less risk, while state-of-the-art, first-time technology, or highly complex projects have more uncertainty.18InputsData precisiontests the value of data. Data precision measures the extent of data available, reliability of the data, and source of the dataScales of probabilities and impactassess the two key dimensions of risk (probability and impact)Assumptionsidentified during risk identification process. These are used as part of evaluations.19tools and techniquesRisk probabilities & impact – the two dimensions of specific risks. Risk probability is the likelihood that a risk will occur. Risk consequences (or impact), are the effect of project objectives if the risk event occursProbabilities / Impact risk rating matrix – (also known as PI risk matrix) Project assumptions testing – performed against 2 criteria: assumption stability and the consequences on the project if the assumption is false.Data precision ranking – technique to evaluate the degree to which the data is useful for risk management. Data should be unbiased and accurate20Figure 10-2. Chart Showing High-, Medium-, and Low-Risk Technologies21Top 10 Risk Item TrackingTop 10 Risk Item Tracking is a tool for maintaining an awareness of risk throughout the life of a projectEstablish a periodic review of the top 10 project risk itemsList the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk itemChapter 1022Table 10-7. Example of Top 10 Risk Item Tracking23Expert JudgmentMany organizations rely on the intuitive feelings and past experience of experts to help identify potential project risksExperts can categorize risks as high, medium, or low with or without more sophisticated techniquesChapter 1024OutputOverall risk ranking for the projectList of priorities risks List of risks for additional analysis and management Trends in qualitative risk analysis results25Quantitative Risk Analysis18th of 21 planning phase processA process that numerically analyses the probability of each risk and its consequence on objectives.Often follows qualitative risk analysis, but both can be done together or separatelyLarge, complex project involving leading edge technologies often require extensive quantitative risk analysisChapter 1026InputsRisk management plan Identified risk List of prioritized risk List of risk for additional analysis & management Historical informationExpert judgmentdetermines whether risks have a probability of occurrence (ranked H, M, L) and the level of impact (ranked Severe, moderate or limited)Other planning outputs27Tools and techniquesInterviewing: using projects stakeholders and subject matter experts to quantify the probability and consequences of risk on project objectives.Sensitivities analysis: help to determine which risks have the greatest impact on the project. It is the simplest form of risk analysis. Sensitivity analysis examines the change of a single project variable to analyze its effect on the project plan.Decision tree analysis : identify possible options or outcomes. It forces consideration of the probability of each outcomeSimulation : uses a model of system to analyze the behavior or performance of the system. Examples are Monte Carlo, Critical Path and PERT.28Decision Trees and Expected Monetary Value (EMV)A decision tree is a diagramming method used to help you select the best course of action in situations in which future outcomes are uncertainEMV is a type of decision tree where you calculate the expected monetary value of a decision based on its risk event probability and monetary valueChapter 1029Figure 10-3. Expected Monetary Value (EMV) Example30SimulationSimulation uses a representation or model of a system to analyze the expected behavior or performance of the systemMonte Carlo analysis simulates a model’s outcome many time to provide a statistical distribution of the calculated resultsTo use a Monte Carlo simulation, you must have three estimates (most likely, pessimistic, and optimistic) plus an estimate of the likelihood of the estimate being between the optimistic and most likely valuesChapter 1031Risk Response Planning19th of 21 planning phase processInvolves developing options and determining actions to enhance opportunities to reduce threats to project objectives.After identifying and quantifying risk, you must decide how to respond to themChapter 1032InputsRisk management plan - It documents procedures for managing risk throughout the project.List of prioritized risk - includes those grouped by ranks, WBS level, risks requiring immediate response, risk that can be handled later, and risk that affect cost, schedule, functionality and quality.Risk ranking of the project – indicates that overall risk position of a project relative to other projects by comparing risk scores.Prioritized list of quantified risks – identifies those that pose the greatest threat or opportunity to the project and proposes some means of measuring their impact33InputsProbabilities analysis of achieving the cost and time objective – assessed under the current project plan and with the current knowledge of the project risksList of potential response – identifies specific risks or categories of risk. These list specify the actions the team will take.Risk thresholds – the acceptable level of risk to the organization, which influences risk response planningRisk owners – identifies staff to provide accountabilities for managing responses.Common risk causes – several risks driven by a common causes. This reveals opportunities to mitigate many risks with one response.Trends in qualitative & quantitative risk analysis result - become apparent as the analysis is repeated can make risk response more or less urgent and important.34Table 10-8. General Risk Mitigation Strategies for Technical, Cost, and Schedule RisksChapter 1035Tools and techniquesRisk avoidance: eliminating a specific threat or risk, usually by eliminating its causesRisk acceptance: accepting the consequences should a risk occurRisk transference: shifting the consequence of a risk and responsibility for its management to a third partyRisk mitigation: reducing the impact of a risk event by reducing the probability of its occurrence36OutputsRisk response plan Residual risks remain after avoidance, transfer, or mitigation responses have been taken.Secondary risk – arise in direct result of implementing a risk response.Contractual agreements Contingency reserve amounts needed Inputs to other processes Inputs to a revised plan37Risk Monitoring and Control8 of 8 controlling phase processThis is the process of keeping track of the identified risks, monitoring residual risk and identify new risks, ensuring the execution of risk plans, and evaluating the plans’ effectiveness in reducing risk.Monitoring risks involves knowing their statusControlling risks involves carrying out the risk management plans as risks occurWorkarounds are unplanned responses to risk events that must be done when there are no contingency plansChapter 1038Risk Response ControlRisk response control involves executing the risk management processes and the risk management plan to respond to risk eventsRisks must be monitored based on defined milestones and decisions made regarding risks and mitigation strategiesSometimes workarounds or unplanned responses to risk events are needed when there are no contingency plansChapter 1039Using Software to Assist in Project Risk ManagementDatabases can keep track of risks. Many IT departments have issue tracking databasesSpreadsheets can aid in tracking and quantifying risksMore sophisticated risk management software, such as Monte Carlo simulation tools, help in analyzing project risksChapter 1040Results of Good Project Risk ManagementUnlike crisis management, good project risk management often goes unnoticedWell-run projects appear to be almost effortless, but a lot of work goes into running a project wellProject managers should strive to make their jobs look easy to reflect the results of well-run projectsChapter 1041OutputsThe main outputs of risk monitoring and control are corrective action, project change requests, and updates to other plans Corrective action: This encompasses anything that brings your expected performance back in line with the project plan. At this stage, it involves carrying out either your contingency plan or workaround.Project change requests: Implementing a contingency plan or workaround frequently requires changing the risk responses described in the project plan. Know the process flow and feedback loop.42Outputs (2)Updates to risk response plan: Document the risks that occur. Risks that don't occur should also be noted and closed out in the risk response plan. It's important to keep this up-to-date, and it becomes a permanent addition to project records, eventually feeding into lessons learned.Workaround plansRisk databaseUpdates to risk identification checklists43SummaryProject Risk Management is the art and science of identifying, assigning, and responding to riskProject Risk Management processRisk management planning: deciding how to approach and plan the risk management activities for the projectRisk identification: determining which risks are likely to affect a project and documenting their characteristicsQualitative risk analysis: characterizing and analyzing risks and prioritizing their effects on project objectivesQuantitative risk analysis: measuring the probability and consequences of risksRisk response planning: taking steps to enhance opportunities and reduce threats to meeting project objectivesRisk monitoring and control: monitoring known risks, identifying new risks, reducing risks, and evaluating the effectiveness of risk reduction44Summary 2Toolscharts risk item tracking expert judgmentdecision treesexpected monetary value (EMV)Using software to assist project risk managementdatabase, simulation, Monte CarloResults of good project risk managementunusually un-notice, look easy but require a lot of good risk management45