TM254/Practice solutions

Practice Examination Paper Solutions

MANAGING IT: THE WHY, THE WHAT AND THE HOW

How to use this document

The following solutions for the Practice Examination paper are given as a guide to how to approach
questions and to the length and depth of answer required to obtain full marks.

In some cases, you should regard our answer as just one way of expressing an acceptable solution.
There may well be other equally acceptable solutions. Note that in some of the solutions below, we
have given more answers than you are asked for in order to demonstrate that there is a range of
possible answers. We have also included references to the appropriate sections of the module materials
which we hope you might find helpful. You do not, of course, need to include such references in your
own answers.

In your solutions to the examination questions, you should try to keep your answers as brief as possible,
particularly for Part 1. It is important to keep your answer focused on what is required by the question,
and not add anything that is irrelevant or distracting.

2221
Part 1

The scenario below is to be used for the service management questions (question numbers
1 and 2).
Scenario

SecureSolutions, a company specialising in installing security systems, sells and maintains

security systems for shopping malls. In the current system, several CCTVs are set up so
major shoplifting hotspots are visible in a control room and mechanisms are available for
shop staff to signal the control room if they suspect a shoplifter. If a possible case of
shoplifting is detected, an operator in the control room will contact the senior security guard
on duty and call the police at the same time. The system is being used by several customers
and is working better than their previous system. However, customers have indicated a few
problems with this arrangement. There are three main difficulties: the police are being called
out unnecessarily; the senior security guard cannot always respond immediately, and when
the control room alerts the senior guard the offender is sometimes alerted as well and has
time to make their escape.
The senior management at SecureSolutions is exploring a change to the system such that
each security guard on duty has a mobile communications device which can be tracked in
the mall by the control centre. This means that when a possible case of shoplifting is
detected, the operator in the control room can alert the nearest security guard, quietly, with
the location and nature of the possible offence. The communications device can also be
used to alert police at a nearby police station if the case requires police intervention.

Question 1
The senior management at SecureSolutions initiate a change proposal.
From a service management perspective:
a. Decide and explain if the proposed change is primarily:
a routine upgrade?
a response to a problem?
an extension of the service portfolio?
in effect, a change in service supplier?
(2 marks)

This could be seen as a routine upgrade; or an extension of the service portfolio. It could also
be seen as a response to a problem as it is the response to customer reported difficulties.
It follows that there may not be a single “correct” answer. So, whichever answer you give, the
important thing is to justify your answer.
(Block 1, Part 7, Sections 1 & 2)
 b. Decide and explain if the change has arisen:
as a consequence of service quality monitoring?
as a result of one or more incidents?
following changes in customer demand (patterns of business activity)?
as the outcome of strategic suggestions?
(3 marks)

This could be either the result of one or more incidents or changes in customer demand.
The difficulties with police called out inappropriately and delays in response time due to the
senior guard being unavailable would have resulted in complaints from the customer which
would have been logged as incidents. These reported difficulties might also have led to
changes in customer demand.
Again, the key point is to give the reasons for your answer.

Question 2

a. What is a Critical Success Factor?

(1 mark)
b. Suggest two Critical Success Factors for the changed system.
(2 marks)
c. For each of your CSFs suggest a suitable KPI.
(2 marks)

a. Critical Success Factors are things that must happen for a vision, or objective, of a
company to be realised. They are needed for the company to know how effective they are
in providing services to their customers.

b. Two sensible CSFs might be something like:

• Shoplifting hotspots are monitored by control room staff during opening hours.
• Security personnel should be alerted when a possible case of shoplifting is detected

c. Two sensible KPIs might be:

• The percentage of time each hotspot is visible on a monitor in the control room while the
store is open.
• The percentage of alerts that reach the security personnel within 10 minutes of the alert
reaching the control room.

(Block 1, Part 3, Section 3)

2221
Question 3

a. What are stakeholders?

Those individuals or organisations with an interest in an activity or undertaking.

(TM254 glossary)
or

A stakeholder is a person, or group of people, who are directly or indirectly affected by the
system, who may influence the system, or who is responsible to accept the system.
(Block 2, Part 1 Section 4)

b. List four different examples of stakeholder roles?

Any four from:

Users of the system;
Clients of the system;
Customers of the system;
Domain expert;
Market researcher;
Lawyers;
Software engineers or technical experts.
Other roles are possible, (e.g. sponsors)
(Block 2, Part 1 Section 4)
c. Look at the following description of part of a new book-loan system.

Peter and Lucy are voracious readers and would like to create a book club so people can take
books on loan to read and participate in discussions. They are planning to commission the
development of an application to allow interested people to become members of the club, reserve
books, be informed when books are available, and arrange for discussions with other members
who also read the same book. The system will be developed with the collaboration and
sponsorship of a publishing company, which has been involved in similar projects in the past.
Identify four of the system stakeholders, with four different roles as stakeholders of the system.
State the role of each stakeholder that you choose.

(any four of the list below. Other roles are possible)

Peter, Lucy, (clients)
Commissioned developers (software engineers)
Interested people/members (users/customers)
Publishing company (domain expert/sponsor)
(Block 2, Part 1 Section 4)
(5 marks)

2221
Question 4

The sentences in the question are completed as follows:

a. An attribute is a property of an entity type.

(Block 2, Part 4, Section 2.3)
b. The SUM function is an SQLaggregation function.
(Block 2, Part 8, Section 1)
c. A Conceptual Data Model is a high level description of a database concentrating on the
structure and constraints of the data to be used, it is used when establishing requirements as it
is easily understood by non-technical stakeholders.
(Block 2, Part 4, Section 1.2)
d. If an entity type has an optionality of optional ‘may’ and degree ‘at most one’ with respect to a
relationship type, this would be shown on an entity relationship diagram as 0..1.
(Block 2, Part 4, Section 3.2.5)
e. GRANT is an SQL command that supports access/security management.
(Block 2, Part 9, Section 2.1.4)

(5 marks)
Question 5

The following diagram shows instances of a relationship type (Owns) between two entity types
(Person and House).
This is representative of the degree and optionality of all instances of the Owns relationship
type.

a. Give the entity-relationship diagram showing these entity types and the relationship type
between them. Include the degree and optionality for the relationship type that matches the
instances.
(2 marks)

Figure Description.
The ERD shows two entity types, named Person and House, and one relationship type labelled
Owns. There is an arrow pointing from Person to House.
Where the relationship line joins the Person entity type is the label: 1..m.
Where the relationship line joins the House entity type is the label: 0..m.
Figure description ends.

Explanation
From the diagram there is one person that is not involved in the Owns relationship, so Person
has optional participation (0..). Every house is shown as involved in the relationship, so has
mandatory participation (1..). P23211 is shown as related to more than one house by the Owns
2221
relationship – so has degree many (..m). 11 Guards Terrace is shown as being related to more
than one person by the Owns relationship – so has degree many (..m).

(The degree and optionality is described in Block 2, Part 4, Section 3.2.)

b. Give the relation-for-relationship representation corresponding to the above entity types and
relationship type. You can use a diagram or textual representation and can assume that ID and
Address are the identifying attributes for the entity types Person and House respectively. Your
answer must show the primary keys, any foreign keys and any additional constraints that are
needed to enforce the optionality and degree you have shown in part a).
(3 marks)

Figure description.
The relation diagram shows three relations: Person, Owns and House. There is a line joining
Person to Owns, and a line joining House to Owns.
The Person relation shows on attribute called Id, which is shown to be the primary key.
The House relation has one attribute called Address, which is shown to be the primary key.
House also has a constraint: Owns Mandatory participation: all values of address must appear
in the address attribute of relation Owns.
The Owns relation has 2 attributes called Id and Address, they are both shown to be the primary
key.
Owns also has two foreign key declarations. The first says: Name(owns) ID references person.
The second says: Name(owns) Address references house.
Figure description ends.

Explanation
Owns is a ‘many-to-many’ relationship, so must be represented by a relation using the relation-
for-relationship representation. The primary keys of Person and House appear as foreign keys
in the Owns relation, and the mandatory participation of House in Owns is shown by the
additional constraint in the House relation.

(Relation-for-relationship representation is described in Block 2, Part 5, Section 2 and an

example is shown in Block 2, Part 5, Activity 5.1 in the document Logical Schema 1 in the
databases resources area.)
 Question 6
A shipping company packs packages. Its database contains what was in each package (a single
item), and who packed it, among other data. Part of the database consists of two SQL tables:
Packed and Employee.
Consider the data given in Table 1 and Table 2 for which package_number and employee_number
are the respective primary keys and, in Packed, packer is a foreign key referencing Employee.

Table 1 the SQL table, Packed

package_number content packer date

P0001 Paint E1321 01/02/2019

P0002 Brush E2324 02/02/2019
P0004 Bucket E2324 02/02/2019
P0006 Paint E5223 03/03/2019
P0007 Bucket E1321 03/03/2019
P0017 Mixer E5223 04/03/2019
P0022 Brush E5223 04/03/2019
P0035 Tin E1321 04/03/2019

Table 2 the SQL table, Employee

employee_number name
E1321 Joan
E2324 Paul
E1122 Haki
E5223 Damien

Write SQL queries to answer the following requests based on the data in the tables.
a. a. List the package_number and date for each package that contains Paint.
(1 mark)
B

SELECT package_number, date

FROM Packed
WHERE content = 'Paint';

(SELECT, FROM and WHERE are covered in Block 2, Part 7 Sections 2 and 3.)

2221
b. List the package_number and content for each package that was packed by an employee called
Joan.
(2 marks)
SELECT package_number, content
FROM Packed, Employee
WHERE packer = employee_number AND name = 'Joan';
OR
SELECT package_number, content
FROM Packed JOIN Employee ON packer = employee_number
WHERE name = 'Joan';

(Cartesian product is introduced in Block 2, Part 7, Section 2.5.

JOIN conditions are described in Block 2, Part 8, Section 3.)

c. For each date on which packages were packed, give the total number of packages packed on that
date.
(2 marks)

SELECT date, COUNT(package_number) AS total_packed

FROM Packed
GROUP BY date;

(Column naming in SELECT is described in Block 2, Part 7, Section 2.1

Aggregation functions are described in Block 2, Part 8, Section 1.
GROUP BY is described in Block 2, Part 8, Section 2.)
The scenario below is to be used for the project management questions (question numbers 7
and 8).
Scenario
A chain of department stores operates a wedding list system so that couples can select
products for the list and their friends and relations can buy presents from it. The system is
operated by store staff who enter the details into a system which is integrated with the stock
catalogue and stock control systems. Customers can view a particular wedding list and select
purchases at any branch of the store.
A focus group of customers has proposed an extension to this system which has been agreed
by the management. This extension will enable customers to view a particular wedding list, see
details about items on the list, and pay for selected items, all online.
A project steering group to oversee the implementation of this extension has been set up at
head office of the department store chain by the management.
You work in the IT department at head office and support the current stock catalogue and stock
control systems. The steering group have asked you to act as the internal project manager.
The steering group have also awarded the contract for the implementation to a small software
company called Solutions258. The senior managers at Solutions258 have set up a project
team to implement the extension.
All staff will need to be trained in the use of the system. The department stores each have a
designated trainer and it has been agreed that you and the Solution258 project team will train
those trainers using what is known as a train-the-trainer approach.
It is envisaged that prototypes of the online user interface will need to be produced for
evaluation by a small group of store staff and the customer focus group.
The project will be delivered in two stages:
1 An initial version of the extended system will be delivered as an interim product that will
enable store staff to provide the existing service via the new online user interface, enhancing
the service provided to customers”.
2. The final version allowing customers access to the online system to view wedding lists
and pay deposits on selected items.
Question 7
Explain the difference between a project risk and a business risk using examples from the
scenario to illustrate your answer. (5 marks)

A business risk is one that affects the business if the project is not successful or if key
requirements are missed. In the case of the scenario, if the project is not successful the
department stores might lose customers and reputation. If key requirements around security or
resilience are missed or incorrectly implemented, then there could be a risk of reputational
damage or even fines from the ICO.

A project risk is a risk to the successful completion of the project or a risk that could mean the
project fails to meet one of more of its time, quality or cost objectives. In this case there could
2221
be a risk if one of the developers is ill and the project is delayed. Also if the contracted company
misunderstands the requirements so what is built isn’t what was required.
Risks from the perspective of Solutions258 such as the department store chain goes bankrupt,
rejects the solution during UAT, or refuses to pay for the development work should not be
accepted.
(PMIP 7.1)
Question 8
(a) Which process model is being followed for the project? (Waterfall, iterative, incremental or
iterative + incremental). Justify your answer.
(3 marks)

Example solution (This is only an example. Iterative and incremental is assumed. Marks would also
be gained for a good justification for stating a different process model).
Iterative+ Incremental. The project has been split into stages which are related but which have clearly
separate deliverables, there will be at least one prototype which will be evaluated and further
developed before the final delivery.

(PMIP 1.7)
(Block 3, Part 2, Section 4.5)

(b) Give two possible contributing factors to the company deciding on this approach.
(2 marks)

Any two of:

• Easier to control/manage series of sub-projects (stages)

• Store staff get used to the system before they need to support the customers

• Final step stage involves customers making payments which might be more difficult to
implement and needs a different level of security.

2221
Part 2

Question 9

Puddletown Cloud Services (PCS) are located in a sprawling single-storey farm building in
idyllic surroundings on the bank of the river that flows past the town, just upstream of the
sixteenth century packhorse bridge.
PCS provides data storage facilities to a growing number of medical general practices,
and offers both online data access and secure backup. Being sited in a rural area, PCS
were acutely aware of the risk of interruptions to the electricity supply, and have installed
an emergency generator. Furthermore, the computers controlling PCS’s disk farm are all
laptops, which can run for several hours if their batteries are charged, and there is an
uninterruptible power supply (UPS) for the disk units which can keep them running
sufficiently long to allow a “clean shutdown” in the event of a power failure.
PCS has been growing rapidly, and has added ever more disk units to accommodate the
burgeoning volume of data, and has needed also to install increased network switch
capacity to ensure that service levels for retrieving and updating data can be achieved.
To keep everything cool, the air conditioning has also needed successive upgrades. PCS
have recently realised that the emergency generator is now too small, as it can run only
the disk farm, the network switches or the air conditioning, but not all three of them. They
have worked out that they can just about run a degraded service, with much greater
response times, and lower data rates, provided that an electricity failure does not occur in
the heat of summer. However, there can be no budget to replace the generator either this
year or next, so PCS are just hoping that the electricity will continue not to fail.
Secure backup is a key aspect of the services offered by PCS. All data is backed up,
heavily encrypted, onto USB devices, which are stored in a vault in the cellar under one
section of the building. The air is a bit damp down there (it’s only a few feet from the
river…), but the devices are kept in sealed plastic containers, and have thus far shown no
signs of degradation. To increase the security for what are small, portable devices that
could easily be misplaced or even stolen, each is encrypted to the particular laptop on
which it was created, and can be decrypted only on that same laptop.
All is going well, and PCS’s business continues to grow, until one autumn when there is a
terrible storm in the hills a few miles up the river from Puddletown. The first that PCS
know is that there is an increase in data traffic from the various medical services that are
treating those injured in the storm. Then the lights – and the power to the cloud room – go
out. It takes quite a while to get the backup generator started (it hasn’t been serviced for
some time, to save money, as it’s (over)due for replacement anyway), and, when it does
start, PCS find that they have to implement the degraded service immediately. But at
least it isn’t too hot.
So much water is flowing down the river that it can’t get through the tiny arches in the
ancient pack-horse bridge, which is acting now as a fairly effective dam. As the water
rises and trickles over the front door step, the first place it runs to is the basement – which
houses the vault. Fortunately, a member of PCS staff realises that this means that the
vault will flood, and, with great presence of mind, manages to rescue about half of the
USB backup devices before the vault becomes inaccessible.
By this time, the water outside is up to about knee level, and the emergency services are
outside – in a boat! – urging PCS staff to leave. And this is when they discover that the
keys to the anti-theft locks on the laptops are in the (flooded) vault.
 So, the laptops are abandoned, and the PCS staff leave, clutching half of the USB
devices. Which they will never be able to decrypt anyway, because they were encrypted
to the now drowned laptops.

General advice on how to approach the scenario reading

Before you start trying to answer this kind of question, it will be worth your while spending
several minutes making sure you understand the scenario. The question will usually be
asking you why some service(s) have gone wrong, so a good way to approach it is to note
down:

• what services were intended, for whom;

• what risks are mentioned in the scenario;
• which services, if any, have failed, why, and who is affected.
• Finally, whether there are any glaring oversights or over-optimistic assumptions – these will
often be key to any disaster that plays out in the scenario.
Even if these points are not asked for explicitly in the question, noting them down will help to
give you the insight you need to answer the question and will also probably identify
examples that you can use to support your answer.
Your notes might be something like the following:
PCS were offering just two services:

• Online data storage for medical practices

• Secure data backup
Identified risks included

• Likely power failures (mitigated by generator, laptops to control disk farm; UPS to allow safe
shutdown; need for degraded online service when on generator)
• Power failures in hot weather (generator not large enough)
• Possible loss/theft of backup USB sticks (encrypted to specific laptops)
• Impact of damp air on usb drives (kept in sealed plastic boxes)
• Theft of laptops (anti-theft locks)
Failed services – note that these might not include every possible failure – just those
described explicitly in the scenario

• Loss of online data storage – disks drowned – all clients affected

• Loss of backup – half of the usb sticks submerged in vault; laptops needed to decrypt the
others also lost because keys also lost in vault – all clients affected.
Glaring oversights

• Proximity to river, with risk of flooding

• No evacuation plan
• Size of generator has not kept pace with expansion of equipment (aircon, disks etc)
• No fallback in case any encrypting laptop lost
• Maintenance for generator
These lists need not be exhaustive, nor grammatical – they are just to help you organise
your thoughts.

2221
 Now, you are in a position to answer the question.

a. By giving examples from the above scenario, explain the kinds of difficulty which are
supposed to be avoided by following the processes associated with the service
design stage of the ITIL service lifecycle.
(6 marks)

The question doesn’t ask for any formal definition of what the service design lifecycle stage is
for: it asks you to explain, “the kinds of difficulty which are supposed to be avoided…”
The module materials portrayed service design as thinking ahead to the way that a service will
be delivered, in order to anticipate risks/difficulties and develop appropriate
responses/mitigations. So, service design is about planning to keep the service running, when
its needed, under even abnormal conditions – or at least having a way of turning the service off
tidily so that it can be restarted after a crisis.
So, the sorts of difficulties that the service design processes might have avoided could include
any of the glaring oversights in the “notes” above. Even the risks identified have not all been
addressed in the most appropriate way – for example, the sizing of the backup generator (and,
of course, its maintenance!).
The number of marks available for this part of the question is a clue. Marks are typically given
for examples AND for saying why they are relevant. So, you might try to give three examples,
explaining briefly how they should have been thought about during service design.
For example, you might describe the need to keep the backups secure even in the event of a
disaster such as flooding (or fire, theft…), and that the solution that PCS has adopted assumes
the continued accessibility of both the backup USB sticks and the corresponding laptops; this is
not a safe strategy. (This example is about continuity management.)
And a second example might be ensuring that there is sufficient power to run all the equipment
and the air cooling, however hot the weather – the situation described in the scenario seems to
have been responsive and ad-hoc rather than planned. (This example is about availability
management).
And the over-elaborate security for the data backup actually introduces too many points of
failure – it looks good, but, as the scenario illustrates, the loss of either the usb sticks or the
corresponding laptops means that excessive security has taken precedence over reliability.
And you might also comment on the choice to store the backup data on the same premises as
the live data…
You could finish this part question by mentioning some of the other glaring oversights – such as
the lack of an evacuation plan or no apparent contingency plans for flooding.
You will notice that two of the examples suggested above are explored further in later parts of
the question. That doesn’t matter – in this part, you are asked to give examples to explain the
kinds of difficulty that should be avoided; in later parts, you are asked what might have been
done to avoid them.
(Block 1, Part 5)
 b. Identify (at least) three important aspects of service design that appear to have been
neglected in the scenario? Justify your answer.
(6 marks)

If you have remembered the names of the service design processes, they might help you with
this part of the question – mainly as a checklist. However, you don’t need them – you have all
the examples in your notes.
Three aspects of service design that have been overlooked could be:

• There are too many points of failure, any of which could lead to the loss of both the service and
its backup – the backups are kept on site, there is no mechanism for recovering a backup if the
required laptop has failed, if the power fails in hot weather the whole site fails, and so on. Oh,
and if the river floods……
• A different point is that whatever risk assessments were conducted have been inadequate.
There is little evidence that there has been any real planning to mitigate risks other than the
initial recognition that a generator might be needed. The development of the business seems to
have been ad-hoc and responsive, rather than planned.
• Following on from the poor risk assessments, there appear to be few contingency plans –
beyond running a degraded service, provided it isn’t too hot. But even that seems to be
responsive rather than planned.
If you wish, you could phrase these aspects in terms of capacity management, availability
management and continuity management. But they really all come down to thinking ahead
about what could go wrong, and planning ahead to address those risks. And it’s showing that
you understand that summary that will get you the marks, not the naming of the ITIL processes.
(Block 1, Part 5)

c. Explain the terms ‘pattern of business activity’ and ‘vital business function’. Identify one
example of a pattern of business activity, and one example of a vital business function that
appears to have been ignored in the scenario.
(6 marks)

This is the first part of the question that refers explicitly to ITIL terminology – and you are given
the terms, rather than having to remember them.

Pattern of business activity: A recognisable profile of the interaction (business) between a

customer and a service provider.
From your notes above, access by medical general practices during typical opening hours will
define a normal pattern of activity for the business.

Vital business function: a function that is so important that its availability is vital to the business.
Secure backups are identified as a key aspect of the services offered by PCS, and the backups
need to be available in all circumstances. This latter point – the continued availability of the
backups even after a disaster – seems not to have been given sufficient thought in the design of
the service.
(Block 1, Part 4, Section 3.4 & Block 1, Part 5, Section 2.4)

2221
 d. The USB devices that were used for backup purposes were encrypted on a particular laptop
computer and had to be decrypted on the very same laptop computer before the data could
be accessed. This assumes that the laptop computers will always be available.

Discuss this assumption in the light of the apparent tension between information security
management and IT service continuity management
(6 marks)

Tying the backups to particular laptops enhances data security to the extent that the backups
cannot be decrypted on another laptop.

However, when laptops are replaced, as they should be through a process of managed
renewal, the backups become useless. Unless there is a process whereby the backup can be
migrated to a new laptop. Again, this would have to be a managed process. As we have seen in
the scenario, laptops could be stolen, damaged or fail catastrophically. In each of these cases,
the backup is useless since it cannot be read on another laptop.
While the encryption plan may enhance security, it does nothing for maintaining continuity of
access to the backups. Indeed, it makes this much harder and introduces multiple ways in
which access to the backups is denied. As demonstrated by the catastrophe in the scenario,
that trade-off between IT security and service continuity was probably somewhat inappropriate.
(Block 1, Part 5, Sections 2.6, 2.7)
e. Capacity management and availability management are two other processes within the
service design life cycle phase of ITIL. How might proper consideration of each of these
processes have led PCS to design their services differently?

Illustrate your answer by using one example taken from the scenario for each of capacity
management and availability management.
(6 marks)

Capacity management has to ‘provide IT capacity coinciding with both the current and future
needs of the customers balanced against justifiable costs.’
Availability management is intended to ensure that ‘the delivered availability levels for all
services comply with or exceed the agreed requirements’.

As with most of the aspects of PCS described in the scenario, there is a suggestion that
expansions to the capacity have been made reactively to keep pace with demand, rather than
there having been a planned expansions to accommodate future demand. Better consideration
of capacity management might have ensured that all the required hardware – disks, aircon and
generator – would have been expanded in a planned manner, rather than ending up with a
generator that hasn’t kept pace with the other expansions.

Indeed, we are told that in the event of a power failure, PCS can run a degraded service with
much greater response times and lower data rates. The company should have done something
about the generator earlier since the company cannot operate all services (the disk farm the
network switches and the air conditioning) at the same time. This means that availability
management has not been given due consideration – even if the need to increase the generator
capacity had not been picked up as part of capacity management, it should have been by
availability management.
Finally, the encryption of the backup devices so that they can only be decrypted on the laptop on
which they were encrypted means that backups are not available once the laptops become
unavailable. Paying attention to availability management would almost certainly have led to a
better plan for backup maintenance and security.

(Block 1, Part 5, Sections 2.4, 2.5)

2221
Question 10
You are the project manager responsible for organising and then running a unique version of an
international football tournament. It will be the next version of the European championship for
national teams in the under 21 age group, which takes place over two weeks. The new
requirement for the project is to use some innovative media technology in order to support the
match officials’ decision making. The project relies on the expertise of one or two key members
of the team as well as the installation and maintenance of the audio and video technology for
the tournament, which has been sub-contracted to a supplier based in Asia.

a. Outline any four significant project risks associated with the above scenario, each of which
requires a different type of risk planning and management strategy. These risks should be
specific to this project and not just general risks like the project being late or over budget.
Outline an appropriate strategy to manage each of these four risks and state which type of risk
management strategy it is.
(12 marks)

Examples of risks could include problems encountered with using the innovative technology,
communication problems with remote sub-contractors, key member of staff leaving, sub-
contractor goes out of business.

Examples of risk management strategies include: incorporating extra time into the schedule in
order to allow for difficulties with the technical developments; writing and using communication
plans with key stakeholders, including subcontractors; shadowing key staff to ensure that other
staff can step in at short notice; evaluating the risk of sub-contractors going out of business and
identifying alternative sub-contractors.

The type of risk management strategy could include: contingency plan, reduce probability,
reduce impact, risk acceptance, risk transfer and risk avoidance.

(PMIP 7.2 to 7.7)

b. Use the project described above to illustrate one method of software estimation that has
been described in the module. The method chosen should be appropriate for this project.
What additional risks would be introduced by your chosen method of estimation?
(6 marks)

Valid estimation techniques could include bottom-up, top-down, expert judgement and
estimation by analogy. Students should give a short summary of the technique that includes the
main points. Each of the techniques described should relate to the football tournament project.

For example, there is going to be a lot of historical data from previous sporting tournaments that
can be used to support estimation by analogy. So, data from previous projects (a similar project)
could be used to estimate the usual tasks of organising the accommodation for the teams. Or, a
component method could be used to estimate the unique activity of installing the audio and
video technology at the football ground, and the experienced supplier could use expert
judgement to estimate the time required to configure the technology for the specific
requirements of this project.
The difficulty with using estimation by analogy is that the scenario states that it is a unique
version of an international football tournament. The tournament’s uniqueness may make it
difficult to find a suitably analogous tournament that can be used as the basis for estimation.
This introduces the risk of the resultant estimate being unreliable.
(PMIP 6.3 to 6.6)

2221
c. Routine project monitoring has shown that the project is now running several weeks late.
Suggest three strategies that the project manager could adopt in order to help bring the
project back on track and explain the implications of these strategies for the project.
(9 marks)

Any three of (there may be others):

Working harder, longer, faster
Implications: all of the above may work short term. If the limits have already been reached these
may not be possible. They may also affect staff morale and motivation. Project costs may
increase.
Increase resources
Implications: This usually means adding people in software development context. Although
extra staff might help bring the timescale back on track, it might be a self-defeating strategy.
New staff may need to be inducted/trained by current staff and the project complexity (e.g.
communications) could be increased. (See Block 3, Part 4, 2.5.1 The ‘mythical man-month’, or
why more people can slow things down)
Replan: redeploy staff from other project activities.
Implications: Redeployed staff may need induction/training (similar implications to increasing
resources). Other activities might be put at risk of delay.
Reduce the project scope
Implications: the value of the project to client and users is likely to be reduced. This may be
reflected in project revenue. Changes in requirements to be satisfied will need to be negotiated
with stakeholders.
(PMIP 3.6)
(Block 3, Part 5,.Sections 1.2 & 3.3)

d. As the project progresses, a previously unidentified risk occurs that is likely to impact on
the cost and timescale of the project. What action should the project manager take on
discovering the problem?
(3 marks)

Example actions could include identifying and informing the client and/or sponsor (who may be
identified as a single stakeholder) of the problem. Or, initiating a study of the options to deal
with the problem.

[END OF SOLUTIONS]