1. Actuality
2. Literature review
3. Project management
4. Risk managemment cycle
   • Identification
   • Analysis
   • Priority
   • Plan
   • Monitor
5. Multiple projects
6. Resume
7. References

Actuality

With great inspiration Charles S. Sanford, Jr., the retired chairman and chief executive officer of Bankers Trust Corporation, talks about necessity of risk management.

“I am here to tell you today about the revolution happening right under our noses, on trading floors and in boardrooms and offices all over the world, a revolution that has been sparked by the competitive pressures of doing business in an increasingly global, technologically sophisticated world. Companies are under pressure to improve performance for their shareholders, governments are under pressure to increase economic growth and stability, investment managers are under pressure to do a better job of meeting the objectives of their clients, and individuals are under pressure to create their own financial safety nets. These pressures cannot be adequately addressed by old ways of managing risks—and avoiding risk is not a realistic choice.”

But not only the words of respected people prove necessity of risk management but also rapidly growing risk software market. According to McManus by 2004 there were more than 40 programs that deal with risk. Their quality varies noticeably – starting from MS Excel applications and ending up with serious projects.
TOP

Literature review

If talk about Ukrainian or Russian researches most them are made for banks and insurance companies. Not enough managers paying attention to risk management.
TOP

Project management

Research indicates that 85 - 90% of projects fail to deliver on time, on budget and to the quality of performance expected. The causes include:

• Lack of a valid business case justifying the project
• Objectives not properly defined and agreed
• Lack of communication and stakeholder management
• Outcomes/benefits not properly defined in measurable terms
• Lack of quality control
• Poor estimation of duration and cost
• Inadequate definition and acceptance of roles (governance)
• Insufficient planning and coordination of resources
• All of these causes could be addressed by the application of project management tools and techniques.

Most of the problems could be avoided if key elements were used. Key Elements that the Project Manager needs to consider, no matter what the size or complexity of the project. The extent to which each of these elements is managed and documented depends on the size and complexity of the project.

Many of these Key Elements exist in an embryonic state in the initiation phase, and are further developed if the project progresses. The Key Elements, or lack of application of, are often referred to in reports regarding reasons why projects fail:

• Planning and Scoping
• Governance
• Organisation Change Management / Outcome/Benefit Realisation
• Stakeholder Management
• Risk Management
• Issues Management
• Resource Management
• Quality Management
• Status Reporting
• Evaluation
• Closure

Risk Management describes the processes concerned with identifying, analyzing and responding to project risk. It consists of risk identification, risk analysis, risk evaluation and risk treatment. The processes are iterative throughout the life of the project and should be built into the project management planning and activities.

For small projects, a brief scan and ongoing monitoring may be all that is required. For large and/or more complex projects, a formalized system for analyzing, managing and reporting should be established.
TOP

Risk management cycle

Identification

A first step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, will cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.

• Source analysis Risk sources may be internal or external to the system that is the target of risk management. Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.
• Problem analysis Risks are related to fear. For example: the fear of losing money, the fear of abuse of privacy information or the fear of accidents and casualties. The fear may exist with various entities, most important with shareholder, customers and legislative bodies such as the government.

When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project may endanger funding of the project; privacy information may be stolen by employees even within a closed network; lightning striking a B747 during takeoff may make all people onboard immediate casualties.

The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:

• Objectives-based Risk Identification Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as risk.
• Scenario-based Risk Identification In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk.
• Taxonomy-based Risk Identification The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks.
• Common-risk Checking In several industries lists with known risks are available. Each risk in the list can be checked for application to a particular situation.

Analysis

After risks are identified, they should be partitioned into categories such as technical, cost, schedule, management, etc. Note that some risks may fall into multiple categories.

Why do risks need to be partitioned? First of all, some risks are more important than others. Also, different stakeholders may be concerned about different risks, or different personnel may bear responsibility for tracking/monitoring different risks. Finally, different risk types may require different mitigation strategies.

The initial activity in risk analysis is to identify contributing factors, then establish a hierarchy of those contributing factors.

There are any number of ways that risk can be partitioned, analyzed and quantified. The approach taken and method(s) used should always be tailored to meet the needs of the business, the customer and the project.

Another way is to rate impact and likelihood on an agreed numerical scale. By multiplying each pair of ratings, all those risks above the median score can be classified as 'red zone' risks. An example of this approach is shown in figure below.

Graph representing risk assessment
TOP

Prioritization

Risk prioritization is a critical characteristic of the formal risk management process, as it provides the opportunity to apply what are typically limited project resources to those risks having the largest potential impact on the project. For many risk prioritization approaches, risks are ranked and prioritized based on some combination of probability (i.e., how likely is it that the risk will occur) and impact (i.e., what are the consequences if the risk does occur).

McManus identifies numerous techniques for performing both qualitative and quantitative analyses of risk exposure, including brainstorming, checklists, questionnaires and peer interviews in the qualitative category, and symbolic models, probability analysis, consequence analysis, decision trees, Monte Carlo analysis and cost-benefit analysis in the quantitative category. Of particular interest in the qualitative analysis of risk exposure is SWOT (Strengths, Weaknesses, Opportunities and Threats) Analysis, which can be used to analyze and prioritize threats and resultant risks within a project.
TOP

Planning

Risk management planning provides the basis for the identification of the monitoring procedures that should be put in place for each risk, including how to tell if a risk is going to manifest as a real problem, and how frequently each identified risk should be monitored. Risk planning also takes into account risk aversion planning (i.e., what actions will be taken to mitigate risk before it occurs) and contingency planning (i.e., how to react if a risk actually manifests).

The purpose of a Risk Management Plan is to define how risk management activities are implemented and supported during a project. It is a key output of the planning process, and serves as the mechanism for implementing software risk management.

The Risk Action Request serves as a mechanism by which risk information can be captured and communicated to the stakeholders. An effective risk management process requires the creation of risk action requests for any risks that exceed their quantified risk threshold value.

Finally, the Risk Treatment Plan is used to define how risks that are found to be unacceptable are to be treated. It serves as the mechanism for implementing a selected recommended alternative defined within a risk action request.

Activities may include:

• Risk Avoidance
  • Choose an Alternative Approach with Lower Risk
  • Results in Risk Reduction, Not Elimination
  • Possible Consequences of Inaction Must Be Assessed, Rated and Decided On • What are benefits of acting on risk vs. expense
  • All Risk-Handling Actions Documented with Supporting Rationale
• Risk Control
  • Continual Monitoring and Correcting of Risk Conditions
    • Use of reviews, inspections, risk reduction milestones, contingency planning
  • Risk Control Requires a Risk Reduction Plan
• Risk Assumption
  • Conscious Decision to Accept Risk Consequences if Risk Occurs
  • Some risk assumption always occurs
  • Determine appropriate level of risk that can be tolerated
• Risk Transference
  • Reduce Risk by Sharing It
  • Transfer risk within the organization, or outside of it

Monitoring

When monitoring think of:

• What Do We Monitor?
  High Priority Risk Items
• How?
  Reviews
  Metrics
• When?
  Depends on Risk Priority
  Key Milestones
• Beware…
  Don’t Measure Too Precisely
  Don’t Measure Too Frequently
  Track All Actions to Closure

Multiple projects

In today’s fast-paced, knowledge-based business world, it’s not uncommon to see project managers juggling as many as 10 IT projects simultaneously—with all types of complexities, durations, and sizes. Often, project managers handling multiple projects are simply overloaded or frustrated, and some wish for better days. But how successful are you when you face the juggling act? For starters, success in managing multiple IT projects (i.e., program management) requires that you look at three key strategies:

• Managing time effectively
• Leveraging group skills or dynamics
• Using your individual project management skills to successfully deliver multiple projects

The challenges of multiple projects here include:

• Not enough visibility on the detail being performed by project teams (i.e., developers, testers, etc.).
• Not enough time to attend to meetings and still track tasks and milestones (i.e., tight deadlines).
• Managing multiple risks and resolving multiple issues.
• Lack of experience in juggling multiple tasks and meetings (e.g., gets too crazy).
• Limited resources within the resource pool.
• Conflicting priorities among projects.
• Integration of all projects and their target dates not always clear.
• Communications among too many people affecting performance.

Resume

Academics have been working on risk problem since 1989. And now there are lots of technics and frameworks to deal with risk. Every now new approaches appear, however, new problems do as well. 10 top risk management problems can be identified and classified into 3 grops:
- risk management implementation
- types of risks
- accuracy in assesment

This problems exposure risk management as a separate school whereas it is part of project management. This adds up additional problems. And if we take a look at reality – most of the companies work in multiple project environment. That’s why it’s so important to solve problems that risk managers face in their everyday work.
TOP

References

1. Software acquisition Gold Practice. Formal Risk Management http://www.goldpractices.com/practices/frm/index.php
2. Carr, M.J., Konda, S.L., Monarch, I., Ulrich, F.C., Walker, C.F., “Taxonomy-Based Risk Identification”, Software Engineering Institute, Èþíü 1993
3. Data and Analysis Center for Software (DACS) Risk Management Topic Area. www.dacs.dtic.mil
4. Boehm, B.W., “Software Risk Management”, IEEE Computer Society, Äåêàáðü 1990