4. Definition of Risk Management
Risk management is a process for identifying,
assessing, and prioritizing risks of different kinds. Once
the risks are identified, the risk manager will create a
plan to minimize or eliminate the impact of negative
events. A variety of strategies is available, depending
on the type of risk and the type of business. There are a
number of risk management standards, including those
developed by the Project Management Institute, the
International Organization for Standardization (ISO),
the National Institute of Science and Technology, and
actuarial societies.
11/24/2015 4
6. What is Risk?
• Risks are potential problems that may affect
successful completion of a software project.
• Risks involve uncertainty and potential
losses.
• Risk analysis and management are intended
to help a software team understand and
manage uncertainty during the development
process.
11/24/2015 6
9. Seven Principles of Risk Management
• Maintain a global perspective
– View software risks within the context of a system and the business
problem that is is intended to solve
• Take a forward-looking view
– Think about risks that may arise in the future; establish contingency plans
• Encourage open communication
– Encourage all stakeholders and users to point out risks at any time
• Integrate risk management
– Integrate the consideration of risk into the software process
• Emphasize a continuous process of risk management
– Modify identified risks as more becomes known and add new risks as
better insight is achieved
• Develop a shared product vision
– A shared vision by all stakeholders facilitates better risk identification and
assessment
• Encourage teamwork when managing risk
– Pool the skills and experience of all stakeholders when conducting risk
management activities
11. What is the Risk Management process?
The Risk Management Process consists of a series of steps that,
when undertaken in sequence, enable continual improvement
in decision-making
The Importance of Risk Management to Business
Success
Risk management is an important part of planning for
businesses. The process of risk management is
designed to reduce or eliminate the risk of certain kinds
of events happening or having an impact on the
business.
. 11/24/2015 11
12. Steps of the Risk Management
Process?
Step 1. Communicate and consult.
Step 2. Establish the context.
Step 3. Identify the risks.
Step 4. Analyze the risks.
Step 5. Evaluate the risks.
Step 6. Treat the risks.
Step 7. Monitor and review.
11/24/2015 12
13. Steps for Risk Management
1) Identify possible risks; recognize what can go wrong
2) Analyze each risk to estimate the probability that it will occur and
the impact (i.e., damage) that it will do if it does occur
3) Rank the risks by probability and impact
- Impact may be negligible, marginal, critical, and catastrophic
4) Develop a contingency plan to manage those risks having high
probability and high impact
11/24/2015 13
30. Risk Categorization – Approach #1
• Project risks
– They threaten the project plan
– If they become real, it is likely that the project schedule will slip and that
costs will increase
• Technical risks
– They threaten the quality and timeliness of the software to be produced
– If they become real, implementation may become difficult or impossible
• Business risks
– They threaten the viability of the software to be built
– If they become real, they jeopardize the project or the product
(More on next slide)
11/24/2015 31
31. Risk Categorization – Approach #1
(continued)
• Sub-categories of Business risks
– Market risk – building an excellent product or system that no one really
wants
– Strategic risk – building a product that no longer fits into the overall
business strategy for the company
– Sales risk – building a product that the sales force doesn't understand how
to sell
– Management risk – losing the support of senior management due to a
change in focus or a change in people
– Budget risk – losing budgetary or personnel commitment
11/24/2015 32
32. Risk Categorization – Approach #2
• Known risks
– Those risks that can be uncovered after careful evaluation of the project plan,
the business and technical environment in which the project is being
developed, and other reliable information sources (e.g., unrealistic delivery
date)
• Predictable risks
– Those risks that are extrapolated from past project experience (e.g., past
turnover)
• Unpredictable risks
– Those risks that can and do occur, but are extremely difficult to identify in
advance
11/24/2015 33
33. Steps for Risk Management
1) Identify possible risks; recognize what can go wrong
2) Analyze each risk to estimate the probability that it will occur and
the impact (i.e., damage) that it will do if it does occur
3) Rank the risks by probability and impact
- Impact may be negligible, marginal, critical, and catastrophic
4) Develop a contingency plan to manage those risks having high
probability and high impact
11/24/2015 34
38. RISK RESPONSE PLANNING
• Each major risk (those falling in the Red & Yellow zones) will be assigned to a
project team member for monitoring purposes to ensure that the risk will not “fall
through the cracks”.
• For each major risk, one of the following approaches will be selected to address it:
Avoid – eliminate the threat by eliminating the cause
Mitigate – Identify ways to reduce the probability or the impact of the risk
Accept – Nothing will be done
Transfer – Make another party responsible for the risk (buy insurance, outsourcing,
etc.)
• For each risk that will be mitigated, the project team will identify ways to prevent
the risk from occurring or reduce its impact or probability of occurring. This may
include prototyping, adding tasks to the project schedule, adding resources, etc.
• For each major risk that is to be mitigated or that is accepted, a course of action
will be outlined for the event that the risk does materialize in order to minimize its
impact.
11/24/2015 39
40. Definition of Risk
• A risk is a potential problem – it might happen and it might not
• Conceptual definition of risk
– Risk concerns future happenings
– Risk involves change in mind, opinion, actions, places, etc.
– Risk involves choice and the uncertainty that choice entails
• Two characteristics of risk
– Uncertainty – the risk may or may not happen, that is, there are no 100%
risks (those, instead, are called constraints)
– Loss – the risk becomes a reality and unwanted consequences or losses
occur
11/24/2015 41
42. Contents of a Risk Table
• A risk table provides a project manager with a simple technique for
risk projection
• It consists of five columns
– Risk Summary – short description of the risk
– Risk Category – one of seven risk categories (slide 12)
– Probability – estimation of risk occurrence based on group input
– Impact – (1) catastrophic (2) critical (3) marginal (4) negligible
– RMMM – Pointer to a paragraph in the Risk Mitigation, Monitoring, and
Management Plan
Risk Summary Risk Category Probability Impact (1-4) RMMM
(More on next slide)
11/24/2015 43
43. Developing a Risk Table
• List all risks in the first column (by way of the help of the risk item
checklists)
• Mark the category of each risk
• Estimate the probability of each risk occurring
• Assess the impact of each risk based on an averaging of the four risk
components to determine an overall impact value (See next slide)
• Sort the rows by probability and impact in descending order
• Draw a horizontal cutoff line in the table that indicates the risks that
will be given further attention
11/24/2015 44
44. 11/24/2015 45
1.1.1 Qualitative Risk Analysis
The probability and impact of occurrence for each identified risk will be assessed by
the project manager, with input from the project team using the following approach:
Probability
High – Greater than <70%> probability of occurrence
Medium – Between <30%> and <70%> probability of occurrence
Low – Below <30%> probability of occurrence
Impact
High – Risk that has the potential to greatly impact project cost,
project schedule or performance
Medium – Risk that has the potential to slightly impact project
cost, project schedule or performance
Low – Risk that has relatively little impact on cost, schedule or
performance
Risks that fall within the RED and YELLOW zones will have risk response planning
which may include both a risk mitigation and a risk contingency plan.
1.1.2 Quantitative Risk Analysis
Analysis of risk events that have been prioritized using the qualitative risk analysis
process and their affect on project activities will be estimated, a numerical rating
applied to each risk based on this analysis, and then documented in this section of the
risk management plan.
Impact
H
M
L
L M H
Probability