Projects Risks Which Affect Schedule Or Resources Information Technology Essay Risk management can be defined as identifying risks and drawing up plans to minimize their effect on a project. The term risk is used universally, but different people take different meanings to it. Risk management helps in decision making, but it depends upon the context in which it is used. For example, safety professionals view risk management in terms of reducing the accidents and injuries, while the insurance industry relies on risk management techniques when setting insurance rates. Likewise, each industry uses risk management, there is no universally accepted definition of risk. A risk is a probability that some adverse circumstance will occur. They may be of any type: Projects risks which affect schedule or resources Product risks which affect the quality or performance of the software being developed. Business risks which affect the organization development. Principles of risk management Theà International Organization for Standardizationà (ISO) identifies the following principles of risk management.12 Risk management should: create value be an integral part of organizational processes be part of decision making explicitly address uncertainty be systematic and structured be based on the best available information be tailored take into account human factors be transparent and inclusive be dynamic, iterative and responsive to change be capable of continual improvement and enhancement Defining risk Risks are simply potential problems. For example, every time we walk the street, we have the risk of being hit by the car. Until we make any commitment, the risk does not start. It ends when the problem occurs or the possibility of risk is eliminated. (we safely step on to the other side).A software project may encounter various types of risks: Technical risks include problems with languages, project size, project functionality, and platforms. These risks may result from excessive constraints, lack of experience. Management risks include lack of proper planning, lack of management experience and training, communication problems and control problems. Financial risks include cash flow, capital and budgetary issues and return on investment constraints. Contractual and legal risks include changing requirements, market driven schedules, health safety issues. Personnel risks include staffing lags, experience and training problems, ethical and moral issues, staff conflicts. Other resource risks include unavailability or late delivery of equipment supplies, inadequate tools, distributed locations and slow response times. Three conditions of risk As specific definitions of risk may vary, a few characteristics are common to all definitions. For risk to exist, the following three conditions must be satisfied. (charette, 1990): The potential for loss must exist Uncertainty to the eventual outcome must be present. Some choice or decision may be required to deal with the uncertainty and potential for loss. Basic Definition of risk The above three characteristics can be used to give a basic definition of word risk. Most definitions focus on the first two conditions, because they are the two measurable aspects of risk. Thus the essence of risk, no matter what domain, can be captured by the definition: Risk is the possibility of suffering loss (Dorofee, 1996). There are different definitions presented by many authors: A simple definition of risk is a problem that could cause some loss or threaten the success of the project, but which hasnt happened yet. These potential problems might have an adverse affect on the cost, schedule or technical success of the project, the quality of our software products or project team morale. Risk management is the process of identifying, addressing and eliminating these potential problems before they damage our project. (Wiegers, 1998) Risk is a combination of abnormal event or failure and the consequences of that event or failure to a systems operators, users or environment. A risk can range from catastrophic to negligible. (Glutch, 1994) Components of Risk As shown in figure 2, a risk can be described as a cause-and- effect pair, where the threat is the cause and the resulting consequence is the effect. So here, a threat can be defined as a circumstance with potential to create loss and the consequence is defined as the loss that will occur when a threat is realized (Alberts, 2009). Figure 2. Components of risk Risk Measures Three measures are associated with a risk: Probability Impact Risk exposure The relationships between probability and impact and the components of risk are shown in the figure 2. So here, probability is defined as a measure of likelihood that a threat will occur, while impact is defined as a measure of the loss that will occur if the threat is realized. Risk exposure provides a measure of the magnitude of a risk based on current values of probability and impact. Risk Management Risk management is a systematic approach for minimizing exposure to potential losses. It provides a disciplined environment for Continuously assessing what could go wrong Determining which risks to address. Implementing actions to address high-priority risks and bring those risks within tolerance. Risk management activities The three core risk management activities are Assess risk: transform the concerns people have into distinct, tangible risks that are explicitly documented and analyzed Plan for risk mitigation: determine an approach for addressing or mitigating each risk and prepare a plan for implementing the approach. Mitigate risk: dealing with each risk individually and implementing the appropriate mitigation plan and tracking the plan to completion. These three activities form the foundation of the risk management frame-work. Figure 3. Risk Management Activities Issue/Problem One of the fundamental conditions of risk is uncertainty regarding its occurrence. A risk, by definition, might occur or not. But an issue is a loss or adverse consequence that has occurred or certain to occur. With an issue, no uncertainty exists, the loss or adverse consequence has taken place or is certain to take place. Issues can also lead to other risks by Creating a circumstance that produces a new threat Making an existing threat more likely to occur Aggravating the consequence of the existing risks. Oppourtunity Risk is focused on the potential for loss, it does not address the potential for gain. The concept of oppourtunity is used to address the potential for gain. An oppourtunity is the likelihood of realizing a gain from an allocation or reallocation of resources. Oppourtunity defines a set of circumstances that provides the potential for a designed gain and requires an investment or action to realize that gain. Pursuit of an oppourtunity can produce new risks or issues, and it can also damage existing risks or issues. Risk management framework The risk management framework defines activities that are required to manage risk effectively. The main goal of the framework is to specify the core sequence of activities that must be executed when performing risk management. However, because risk management must be conducted within a broader context or environment, the framework also specifies activities to prepare for risk management as well as to sustain and improve the risk management practice over time. Figure 6 shows the three phases of the framework. Figure 6. Framework structure Phase 1 (prepare for risk management) is used to get ready for the other two phases. Phase 1 activities should be complete before activities in the other phases are executed. Phase 2(perform risk management activities) defines a set of activities for managing risk. Phase 2 activities are continually performed to ensure that the overall risk to key objectives is effectively managed overtime. The activities of phase 3(sustain and improve risk management) are normally performed on periodic basis to ensure that the risk management practice remains effective over time. Phase 3 activities are used to identify improvements to a risk management practice. While phase 1 is generally completed prior to beginning the other two, phases 2 and 3 are typically executed concurrently. The phase 2 of the frame work comprises the following three activities, which will be seen in detail in the risk management process. They are: Assess risk Plan for risk mitigation Mitigate risk The basic structure of the risk management framework can be defined as Phase 1 : prepare for risk management Phase 2 : perform risk management activities Assess risk Plan for risk mitigation Mitigate risk Phase 3 : sustain and improve risk management One of the main objectives of the framework is to provide a basis for evaluating and improving risk management process for a program or organization. Risk Management Process A risk management process is a method by which risks to the project (e.g. to the scope, deliverables, timescales or resources) are formally identified, quantified and managed during the execution of the project. The process entails completing a number of actions to reduce the likelihood of occurrence and severity of impact of each risk. A risk management process is used to ensure that every risk is formally: Identified Quantified Monitored Avoided, transferred or mitigated. 1.When to use a risk management process: Although the risk management process is undertaken during the execution phase of the project, project risks may be identified at any stage of the project lifecycle. In theory, any risk identified during the life of the project will need to be formally managed as part of the risk management process. Without a formal risk management process in place the objective of delivering a solution within time, cost and quality may be compromised. The risk management process is terminated only when the execution phase of the project is completed.(just prior to project closure). 2.Overview An overview of the risk mangement process will give the clear example of how each risk is identified within the project environment and how it is documented, escalated and mitigated as appropriate. Risk mangement will be undertaken on the project through the implementation of five key processes. Risk identification Risk analysis Risk planning Risk monitoring This process starts with the identification of a list of potential risks. Each of these risks is then analyzed and priortized. A risk management plan is created that identifies containment actions that will reduce the probability of the risk occuring and reduce the impact if the risk turns in to a problem. The plan also includes contingency actions that will taken if the risk turns in to a problem. The tracking step involves monitoring the status of know risks as well as the results of the risk redution actions. As new status and information are obtained, the risk management plans are updated accordingly. Tracking may also result in the addition of newly identified risks or in the closure of the known risks. The risk management process is an on-going part of managing the software development process. It is designed to be a continous feedback loop where additional information and risk status are utilized to refine the projects risk list and risk management plans. 5.10 Risk-man-process.eps 000FF90EMacintosh HD B8AA5F2E: Figure 4. The risk management process 2.1 Risk identification During the first step in the risk management process, the risks are identified and added to the list of known risks. The output of this step is a list of project-specific risks that have the potential of damaging the projects success. The following procedures can be undertaken to identify risks. Risk originator identifies a risk applicable to a particular aspect of the project. Risk originator completes a risk form and distributes the form to the project manager. Different types of risks associated with a project : Technology risks. People risks Organisational risks Requirements risks Estimation risks 2.2 Risk analysis During the risk analysis step, each risk is assessed to determine The probability, that the risk will result in loss Impact: the size or cost of that loss if the risk turns into a problem and Timeframe: when the risk needs to be addressed (risk associated with activities in the near future would have a higher priority then similar risks in later activities) The project manager reviews all the risks raised and determines whether or not each risk identified is applicable to the project. If the risk considered by the project manager is related to project, then a formal risk is raised in the risk register. The project manager will assign the level of impact. The list of risks is then prioritized based on the results of our risk analysis. Since resource limitations rarely allow the considerations of all risks, the prioritized list of risks is used to identify risks requiring additional planning and action. 2.3 Risk planning Taking the prioritized risk list as input, plans are developed for the risks chosen for action. Considering each risk, an appropriate strategy is developed to manage the risk. Different strategies are Avoidance strategies: the probability that the risk will arise is reduced. Minimisation strategies: The impact of the risk on the project or product will be reduced. Contingency plans: if the risk arises, contingency plans are plans to deal with that risk. After a formal review of each risk listed in the risk register, the project review group decides for action on it. Some of the risk management strategies: Prepare a briefing document for senior management showing how the project is making a very important contribution to the goals of the buziness to compensate for the organisational financial problems. Alert the customer of potential difficulties and the possibility of delays, investigate buying-in components to sustain any recruitment problems. Reorganize team so that there is more overlap of work and people therefore understand each others job, in case of staff illness. Replace potentially defective components with bought-in components of known reliability, incase of any defective components. Derive traceability information to assess requirements change impact, maximize information hiding in the design, in case if any requirements change. Investigate the possibility of buying a higher-performance database for database performance. Investigate buying in components and also the use of a program generator to compensate for the underestimated development time. 2.4 Risk monitoring The risk mitigating strategies assigned by the project review group are then implemented. These may include: Scheduling each action for implementation Implementing each action scheduled Reviewing the success of each action implemented Communicating the success of each action implemented. The monitoring step involves gathering data, compiling that data into information, and then reporting and analyzing that information. The results of the monitoring can be: Identification of new risks that need to be added to the risk list. Validation of known risk resolutions so risks can be removed from the risk list because they are no longer threat to project success. Information that dictates additional planning requirements Implementation of contingency plan. 3 Risk roles Define the roles and responsibilities for all human resources, both internal and external to the project who are involved with identification, review and mitigation of risks within the project. 3.1 Risk originator The risk originator identifies the risk and formally communicates the risk to the project manager. The risk originator is reponsible for: Identifying the risk within project Documenting the risk by completing the risk form Submitting the risk form to the project manager for review 3.2 Project manager The project manager receives each risk form and records and monitors the progress of all risks within the project. The project manager is responsible for: Receiving all risk forms and identifying whether the risk is appropriate to the project Recording all risks in the risk register Presenting all risks to the project review group Communicating all decisions made by the project review group Monitoring the progress of all risk mitigating actions assigned 3.3 Project review group The project review group confirms the risk likelihood and impact and assign risk mitigating actions where appropriate. The project review group is responsible for: The regular review of all risks recorded in the risk register Identifying change requests required to mitigate risks raised. Allocating risk mitigating actions Closing risks which are no longer likely to impact on the project. 3.4 Project team The project team undertake all risk mitigating actions delegated by the project review group. 4. Risk documents List any other documentation used to identify, track and control risks to the project. 4.1 Risk register The risk register is the log / datebase where all risks are registered and tracked through to closure. 4.2 Risk form The risk form is used to identify and describe a risk to the project. The below figure shows the data flow between various entities in the risk management process. Risk Management Process Figure 5. Dataflow between various entities in a risk management process Risk communication Risk communication is a complex cross-disciplinary academic field. Problems for risk communicators involve how to reach the intended audience, to make the risk comprehensible and relatable to other risks, how to pay appropriate respect to the audiences values related to the risk, how to predict the audiences response to the communication, etc. A main goal of risk communication is to improve collective and individual decision making. Risk communication is somewhat related to crisis communication. (Frederick, 1988) Seven cardinal rules for the practice of risk communication are Accept and involve the public/other consumers as legitimate partners. Plan carefully and evaluate your efforts with a focus on your strengths, weaknesses, opportunities, and threats. Listen to the publics specific concerns. Be honest, frank, and open. Coordinate and collaborate with other credible sources. Meet the needs of the media. Speak clearly and with compassion. .