Project Risk Management

IT and business project risk management is a subset of the broader processes of business risk management. However in the past, the process of project risk assessment in business and IT projects has tended to be intuitive and hidden.

As shown in Figure 12.3, whenever a software or business guru is asked to estimate how long a project will take, he or she undertakes a most amazing process.In essence, the expert intuitively assesses factors that he or she has learned from bitter experience will influence the length of the project, assesses the impact of those factors depending on the specific tasks , adjusts the estimates by the relative weights of the factors, assesses the probability of the factors actually occurring, and then calculates an adjusted guesstimate . No wonder project people are considered clever!

In effect, project risk management is the formalization of a process that has been covert and subjective . As a result, it has been poorly understood and practiced. (Most contemporary project management texts do not even mention risk management.) Worse, this approach is totally dependent on the project manager's experience.

Of course, because the process of risk assessment and risk management has remained intuitive and covert, most business people and senior management have no idea of project risk assessment and the need for managing risks. The fact that project risk assessment has been a covert process is one of the major reasons so few organizations have adopted a formal approach to project risk management ”they just don't know about it.

Project Risk Assessment

The risk of a project can be assessed by considering the following broad risk categories:

• System or product complexity (risk),

• Client or target environment (risk), and

• Team environment (risk).

Each of these categories considers different risk factors and should be treated as independently as possible. The overall project risk is the aggregation of all three risk categories.

Product or System Risk

It has long been understood that the complexity, size , degree of innovation, and other variables of the system or product being developed are a key factor in risk, estimation, and sizing. For software projects the complexity and therefore the risk of a system can generally be evaluated by considering its data complexity; that is, how many inputs, outputs, enquiries, logical internal files, and shared files are involved in the system. For business products, the internal complexity of the product and the size or organizational impact would be indicators of risk.

Other factors that affect system and product complexity are as follows :

• Function, process, and algorithm complexity;

• Complex control, decision exception, policy considerations, and mathematical operations;

• High performance requirements;

• High quality expectations;

• Innovative technology or processing requirements; and

• The degree of change implicit in the product.

By evaluating the intrinsic system or product complexity, the person or team undertaking risk assessment can predict the risk associated with the product: Is it low, medium, or high risk? As mentioned earlier, it is important that this assessment is undertaken only by considering the software or product, not the team or target environment categories.

Client or Target Environment

For many projects, the most difficult area of risk is the target area or client group for whom the product is being developed. Many of the risks associated with this category are beyond the team's scope of control and, as we discuss later, many of the risk factors in this category defy any form of measurement.

The complexity and risk of the target or user environment are related to the following factors:

• The number of sections and departments, agencies, branches and installations (client sites) involved in developing, implementing, and using the system;

• The level of client knowledge and participation in the application and the project development process;

• The degree of support for the project from the business groups;

• The priority and impact of the application within the client area; and

• The need for physical restructuring of offices, development of new sites, and so on.

Again, as for the other risk categories, when considering the risks associated with the client area, it is important for the project team to consider the client area as independently as possible from the product risks and team risks.

Team Environment

The final category of risk involves the intrinsic risks associated with the project team. As documented by Larry Putnam and Ware Myers (1992), as well as by Boehm (1989) and Jones (1994), the most significant factors affecting project productivity, risk, and effectiveness are the capability, morale , and experience of the team members .

The complexity or risk of the team environment is related to the following factors:

• Schedules, whether fixed or flexible;

• The experience and likely stability of the project team;

• The development and estimated time frame of the project;

• Use of outside vendors or contractors; and

• The physical team and project environment.

Subjective Versus Objective Risk Assessment

Given that there are at least 100 factors that can be included in a risk model, it is difficult to gather objective measures for many of these factors. In the subjective approach, the complexity of the software is determined as simple, average, or complex, depending on the group's experience. However, for example, in a software project, the use of function points (this is a technique for estimating the size of software based on counting inputs, outputs, interfaces, enquiries, and internal files) can provide an objective measure of software complexity where there is an agreement that simply means < 100 adjusted function point (AFD); average means 100 to 1,000 AFP and complex is > 1,000 AFP.

Unfortunately, many of the risk factors are not practically measurable. For example, the risks associated with developing software for four different client groups who are engaged in advanced political warfare are clearly much higher than those associated with a product for one supportive client. To quantify such factors and their impact is beyond the practical limit for most organizations.

A sensible approach is to quantify the factors that are easily measured and use subjective group agreements for the remaining factors. We have found that this combining of subjective and objective assessment works well.

As Bernstein (1996) stated, "Both objective measurement and subjective degrees of belief are essential; neither is sufficient by itself" (p. 100).

The Risk Assessment Process

The process of risk assessment involves the same participative process as we use in all our planning and project management processes. You as the project manager, your team members, and your critical project stakeholders complete a risk questionnaire and, through a series of open discussions, you discuss the ranking of each risk factor and achieve an overall risk assessment for the project.

What is important is the discussion undertaken during the risk assessment process between team members and stakeholders. It is a powerful process for bringing into the open assumptions and different views on the project.

In our experience, it is unlikely that a team will agree on the risk ranking of all factors. Depending on their skills and background, different team members will see the project differently. If after discussion, there is still no agreement, then a voting technique where the majority wins is the best approach. If the votes are tied, the worst case is used for the risk assessment.

When planning a project, it pays to be paranoid .

Ideally within each organization, there should be a standard risk assessment questionnaire for each class of project (e.g., in-house software, package, communications, and operations). However, if there is no standard risk model for your organization, it is reasonably simple to develop one by gathering your most experienced project managers for a brainstorming session in which all factors that have caused their projects trouble are listed, discussed, ranked, and scored by level of impact. The resultant questionnaire can then be compared to the various factors discussed by Jones, Boehm, and others for confirmation of impact.

A simple and very useful risk questionnaire is shown in Figure 12.4.

It is very important that you use the short risk assessment questionnaire only for small projects (i.e., shorter than three months). For larger projects, use this model as a starting point and brainstorm with the RAP participants any additional risks that may apply to your project. ^[5]

^[5] There is an online version of this questionnaire available on our Web site (www.Thomsett.com.au).

Open or Closed Voting?

If there is a high degree of trust among you, your team, and your stakeholders, you can undertake the evaluation and ranking of each risk factor in a open, free-wheeling discussion. If not, then each participant in the planning session completes the questionnaire privately and then you have the open discussion. This generally reduces the likelihood of groupthink .

Overall Project Risk Assessment

At the conclusion of the risk assessment process, there will be an assessment of the risk level associated with the product, the team, the target environment, and the overall project:

• Product: Low risk

• Team: Medium risk

• Target: High risk

• Overall project: Medium risk

In addition, the team will have identified a number of high risk factors that place the project at risk. It is here that the second process of risk management, risk control (or containment), is undertaken.