UNIT III

Chapter 2

Risk Management
Risk Management
 Introduction
‘the chance of exposure to the adverse
consequences of future events’ PRINCE2
‘an uncertain event or condition that, if it
occurs, has a positive or negative effect on a
project’s objectives’ PM-BOK
• Risks relate to possible future problems,
not current ones
• They involve a possible cause and its
effect(s) e.g. developer leaves > task delayed

Risk Management
  Categories of risk

Risk Management
  Risk Management Approaches
• Reactive:
– Reactive approaches take no action until an unfavourable
event occurs.
– Once an unfavourable event occurs, these approaches try to
contain the adverse effects associated with the risk and
take steps to prevent future occurrence of the same risk
events.

• Proactive:
– The proactive approaches try to anticipate the possible risks
that the project is susceptible to.
– After identifying the possible risks, actions are taken to
eliminate the risks.
Risk Management
  A framework for dealing with risk
The planning for risk includes these steps:
• Risk identification – what risks might there
be?
• Risk analysis and prioritization – which are
the most serious risks?
• Risk planning – what are we going to do
about them?
• Risk monitoring – what is the current state
of the risk?
Risk Management
  Risk identification
Approaches to identifying risks include:
• Use of checklists – usually based on the
experience of past projects
• Brainstorming – getting knowledgeable
stakeholders together to pool concerns
• Causal mapping – identifying possible chains
of cause and effect

Risk Management
  Boehm’s top 10 development risks
Risk Risk reduction techniques
Staffing with top talent; job matching; teambuilding;
1. Personnel shortfalls training and career development; early scheduling
of key personnel

Multiple estimation techniques; design to cost;

2. Unrealistic time and incremental development; recording and analysis
cost estimates of past projects; standardization of methods

Improved software evaluation; formal specification

3. Developing the wrong methods; user surveys; prototyping; early user
software functions manuals

Prototyping; task analysis; user involvement

4. Developing the wrong

user interface
Risk Management
 Requirements scrubbing, prototyping,
5. Gold plating design to cost

Change control, incremental development

6. Late changes to
requirements
Benchmarking, inspections, formal
7. Shortfalls in externally specifications, contractual agreements,
supplied components quality controls

Quality assurance procedures, competitive

8. Shortfalls in externally design etc.
performed tasks
Simulation, prototyping, tuning
9. Real time performance
problems
Technical analysis, cost-benefit analysis,
10. Development technically prototyping , training
too difficult
Risk Management
  Risk Assessment
Risk exposure (RE)
= (potential damage) x (probability of occurrence)
Ideally
Potential damage: a money value e.g. a flood would cause £0.5
millions of damage
Probability 0.00 (absolutely no chance) to 1.00 (absolutely
certain) e.g. 0.01 (one in hundred chance)

RE = £0.5m x 0.01 = £5,000

Crudely analogous to the amount needed for an insurance
premium

Risk Management
Risk Management
 Risk probability: qualitative descriptors

Probability Range
level
High Greater than 50% chance of happening

Significant 30-50% chance of happening

Moderate 10-29% chance of happening

Low Less than 10% chance of happening

Risk Management
 Qualitative descriptors of impact on cost and
associated range values
Impact level Range

High Greater than 30% above budgeted

expenditure

Significant 20 to 29% above budgeted expenditure

Moderate 10 to 19% above budgeted expenditure

Low Within 10% of budgeted expenditure.

Risk Management
 Probability impact matrix
• Risk that appear within this zone have a
degree of seriousness that calls for particular
attention .

Risk Management
 Risk planning
Risks can be dealt with by:
• Risk acceptance
• Risk avoidance
• Risk reduction
• Risk transfer
• Risk mitigation/contingency measures

Risk Management
 Risk reduction leverage
Risk reduction leverage =
(REbefore- REafter)/ (cost of risk reduction)
REbefore is risk exposure before risk reduction e.g. 1%
chance of a fire causing £200k damage

REafter is risk exposure after risk reduction e.g. fire

alarm costing £500 reduces probability of fire
damage to 0.5%

RRL = (1% of £200k)-(0.5% of £200k)/£500 = 2

RRL > 1.00 therefore worth doing
Risk Management
  Evaluating Risk to Schedule

Risk Management
Risk Management
 Apply : : Using PERT to evaluate the
effects of uncertainty
Three estimates are produced for each activity
• Most likely time (m)
• Optimistic time (a) – task to undertake in
normal circumstances
• Pessimistic (b) -worst possible time
• ‘expected time’ te Or Mean = (a + 4m +b) / 6
• ‘activity standard deviation’ S or Variation =
(b-a)/6

Risk Management
 A chain of activities
Question :
1. What would be the expected
duration of the chain A + B + C?
Answer:
12.66 + 10.33 + 25.66

i.e. 48.65

2. What would be the standard

deviation for A + B+ C?
Answer:
square root of (12 + 12 + 32)

i.e. 3.32

Risk Management
Risk Management
Risk Management
 PERT event Labelling

Risk Management
 1. Calculate Expected Duration
te (a + 4m +b) / 6

Risk Management
 2. Calculate Standard Deviation
S (b-a)/6

Risk Management
Risk Management
Risk Management
Risk Management
Risk Management
 • If you are involved in risk management.

• Is a quantitative risk analysis technique

which is used to identify the risk level of
completing the project.

Risk Management
 Monte Carlo Simulation

• An alternative to PERT.
• A class of general analysis techniques:
– Valuable to solve any problem that is
complex, nonlinear, or involves more than
just a couple of uncertain parameters.
• Monte Carlo simulations involve repeated
random sampling to compute the results.
• Gives more realistic results as compared to
manual approaches.
Risk Management
 Steps of a Monte Carlo Analysis
1. Assess the range for the variables being
considered.
2. Determine the probability distribution of each
variable.
3. For each variable, select a random value based on
the probability distribution.
4. Run a deterministic analysis or one pass through
the model.
5. Repeat steps 3 and 4 many times to obtain the
probability distribution of the model’s results.
Risk Management
 Process

Risk Management
 Example

• To perform the Monte Carlo simulation to

determine the schedule, you must have
duration estimates for each activity.

Risk Management
Risk Management
 n- activities

Risk Management
 CRITICAL CHAIN CONCEPTS

Risk Management
 Traditional planning approach

Risk Management
 Critical chain approach
One problem with estimates of task duration:
• Estimators add a safety zone to estimate to
take account of possible difficulties
• Developers work to the estimate + safety
zone, so time is lost
• No advantage is taken of opportunities where
tasks can finish early – and provide a buffer
for later activities

Risk Management
 One answer to this:
1. Ask the estimators for two estimates
1. Most likely duration: 50% chance of
meeting this
2. Comfort zone: additional time needed to
have 95% chance
2. Schedule all activities using most likely
values and starting all activities on latest
start dates

Risk Management
 Most likely and comfort zone estimates

Risk Management
 Executing the critical chain-based plan
• No chain of tasks is started earlier than
scheduled, but once it has started is finished
as soon as possible
• This means the activity following the current
one starts as soon as the current one is
completed, even if this is early – the relay
race principle

Risk Management
 Buffers are divided into three zones:

• Green: the first 33%. No action required

• Amber : the next 33%. Plan is formulated
• Red : last 33%. Plan is executed.

Risk Management