IT Project Risk

Post on 22-Mar-2016


Description: PowerPoint PPT presentation on IT project risk; see also Sommerville Chapter 22.1.

Transcript of IT Project Risk

IT Project Risk

See also Sommerville Chapter 22.1

Risk Management

Ideas of risk management originate in
• Probability theory
• Insurance mathematics
which seek to
• Quantify and control risk
• Make a net profit in the long term
• Not be ruined in the short term

Recall the definition of an expectation over a discrete probability distribution.

E = Σ p( event i ) * e( event i )

e.g. tossing a fair coin, let

event 1 = head, event 2 = tail
p( event 1 ) = 0.5, p( event 2 ) = 0.5
e( event 1 ) = +1€, e( event 2 ) = -1€

Expectation = (0.5 * 1 ) + (0.5 * -1) = 0.0

In the long term we make no gain or loss!
But in the short term we might go bankrupt!

For each event εi we need to define:

(1) The impact e( εi ) of εi as a gain or loss (financial, time etc … )

(2) The risk r( εi ) associated with εi as the expression r( εi ) = p( εi ) * e( εi )

History

During the 1990s ideas of risk management spread from insurance to other industries such as
• Banking and finance
• Information technology
especially through the support of US legislation

Clinger-Cohen Act 1996

Information Technology Acquisition Reform Act: “… assessing and managing the risks of the IT acquisitions of executive (government) agencies … “

And later … Department of Defence (DoD) Directive 5000.1 (1996, 1999)

Capability Maturity Model (CMM)

• Level 3 accreditation requires structured risk management.

Definitions

A project risk is a project event εi with three distinguishing features:

(1) An associated loss, which could include time, money, quality, control, understanding etc. We try to measure this value, which is the risk impact e(εi).

(2) A likelihood that the event εi occurs. We try to measure this value, which is the risk probability p(εi).

Measuring p(εi) is usually much harder. Often a semi-quantitative approach is used, e.g.

Unlikely : possible : likely : very likely

gives four quartiles 25 : 50 : 75 : 100

(3) There is some way to influence the impact.

We need only be interested in risks where we can avoid or minimise the impact.

Some risks are always beyond the scope of influence, e.g. physics, war, legislation, etc.

Risk Exposure

This is the cumulative exposure over a complete and independent set of events

E = Σ p( event i ) * e( event i )

Risk control is a set of planned actions to reduce the risk exposure.

Example

Consider the risk exposure for testing a new software product.

Delivery of the product yields 300K€. However, if critical bugs are present, a penalty payment of 150K€ is owed to the client.

Probability estimates

By spending 50K€ (6 man months) on testing we estimate that we will find all critical bugs with a probability of 0.75.

We estimate the probability that the product is free of critical bugs (from the start) to be 0.2

We estimate the probability that we will overlook a critical bug to be 0.05

Outcome tree

[Outcome tree]
P( exists fault ) = 0.8
    P( find fault ) = 0.75
    P( find no fault ) = 0.05
P( exists no fault ) = 0.2

A tree structure naturally produces a complete, independent set of outcomes.

Risk exposure

Exposure = 0.75 * ( 300,000 – 50,000 )
         + 0.05 * ( 300,000 – ( 150,000 + 50,000 ) )
         + 0.2 * ( 300,000 – 50,000 )

         = 187,500 + 5,000 + 50,000 = 242,000

What does this calculation actually tell us?

Over the long term we would make a profit of 242,000€ on a series of projects with these characteristics.

However, this project is probably unique!

Each summand is positive, and therefore under each outcome we make some profit.

The result is dominated by the term 0.75 * (300,000 – 50,000 ) = 187,500

To improve the average outcome, we could:

(a) Improve testing effectiveness to raise the value 0.75 (at no cost?)

(b) Reduce testing labour to reduce the value 50K (possible?)

(c) Raise the product price above 300K€ (desirable? Possible?)

Risk Leverage

Risk management procedures alter the value of our exposure … but they usually cost money to put in place.

When does the gain exceed the expense? (The law of diminishing returns.)

Define the risk leverage of a specific risk reduction to be the value

Leverage = ( exposure after – exposure before ) / cost of reduction

Example

In the previous testing scenario, suppose doubling the test budget to 100K€ will halve the probability

p( find no fault ) = 0.025

so that p( find fault ) = 0.775

while p( exists no fault ) = 0.2 is unchanged.

Exposure after reduction

Exposure after = 0.775 * ( 300,000 – 100,000 )
               + 0.025 * ( 300,000 – ( 150,000 + 100,000 ) )
               + 0.2 * ( 300,000 – 100,000 )

               = 155,000 + 1,250 + 40,000 = 196,250

Leverage

Leverage = ( exposure after – exposure before ) / cost of reduction

         = ( 196,250 - 242,000 ) / 50,000 = -0.915

A leverage value < 1.0 is an uneconomic reduction!
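The exposure and leverage calculations of the testing scenario carried out in code, as an added example that is not part of the original slides (the figures are the slides' own; the class and function names are this example's). The three exposure summands 187,500 + 5,000 + 50,000 add to 242,500, so the code returns that and a leverage of -0.925 rather than the 242,000 and -0.915 written on the slides, which leaves the conclusion (leverage below 1.0, uneconomic) unchanged.

```python
"""Risk exposure and risk leverage for the testing scenario on the slides.
Added example; all figures are taken from the slides, the names are this example's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One leaf of the outcome tree: its probability and its payoff (gain or loss, EUR)."""
    name: str
    p: float
    e: float


def outcomes(price, penalty, test_cost, p_find, p_miss, p_clean):
    """Build the complete, independent outcome set for the testing scenario.

    p_find, p_miss and p_clean are the absolute leaf probabilities used on the
    slides (find a fault, overlook a fault, product was fault-free from the start)
    and must sum to 1, otherwise the set is not complete and the expectation is meaningless."""
    if abs((p_find + p_miss + p_clean) - 1.0) > 1e-9:
        raise ValueError("leaf probabilities must form a complete set (sum to 1)")
    return [
        Outcome("find fault", p_find, price - test_cost),
        Outcome("overlook fault", p_miss, price - (penalty + test_cost)),
        Outcome("no fault", p_clean, price - test_cost),
    ]


def exposure(outs):
    """E = sum over outcomes of p(e_i) * e(e_i)."""
    return sum(o.p * o.e for o in outs)


def leverage(exposure_before, exposure_after, cost):
    """Leverage = (exposure after - exposure before) / cost of the reduction,
    with exposure expressed as profit, as on the slides."""
    return (exposure_after - exposure_before) / cost


def testing_scenario():
    """Exposure before and after doubling the test budget, and the leverage of doing so."""
    before = outcomes(300_000, 150_000, 50_000, 0.75, 0.05, 0.2)
    after = outcomes(300_000, 150_000, 100_000, 0.775, 0.025, 0.2)
    eb, ea = exposure(before), exposure(after)
    return eb, ea, leverage(eb, ea, 100_000 - 50_000)


if __name__ == "__main__":
    eb, ea, lev = testing_scenario()
    print(f"exposure before: {eb:,.0f} EUR, after: {ea:,.0f} EUR, leverage: {lev:.3f}")
```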

Risk Management Process

… has its own lifecycle

(1) Identify the risks using previous project histories, similar projects, checklists etc.

(2) Analyse risks, try to find the probabilities and impacts, even semi-quantitatively.

(3) Plan risk handling actions, prioritise the top n risks (e.g. n = 10) in terms of exposure.

(4) Make contingency plans (i.e. damage control) for all n risks.

(5) Monitor and adjust, update probabilities and recalculate.
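Steps (2), (3) and (5) of this lifecycle applied to a small risk register, using the four-step likelihood scale from the Definitions slide; this is an added example, not from the original slides, with constructed register entries and function names of its own.

```python
"""Ranking and re-rating a risk register by exposure (added example, not from the deck).
The likelihood scale is the slides' semi-quantitative one; the register is constructed data."""

# unlikely : possible : likely : very likely -> 25 : 50 : 75 : 100 (per cent)
LIKELIHOOD = {"unlikely": 0.25, "possible": 0.50, "likely": 0.75, "very likely": 1.00}


def risk(likelihood, loss):
    """Step (2): r(e_i) = p(e_i) * e(e_i), the expected loss of one risk (loss in EUR)."""
    return LIKELIHOOD[likelihood] * loss


def prioritise(register, n):
    """Step (3): rank the register by exposure and keep the top n risks for handling.
    Ties keep their register order because sorted() is stable."""
    ranked = sorted(register, key=lambda r: risk(r[1], r[2]), reverse=True)
    return [(name, risk(lik, loss)) for name, lik, loss in ranked[:n]]


def update(register, name, new_likelihood):
    """Step (5): re-rate one risk after monitoring and return the updated register."""
    if new_likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood label: {new_likelihood}")
    return [(n, new_likelihood if n == name else lik, loss) for n, lik, loss in register]


# constructed sample register: (risk, likelihood label, loss in EUR if the event occurs)
REGISTER = [
    ("personnel shortfall", "likely", 80_000),
    ("unrealistic schedule", "very likely", 40_000),
    ("requirement changes", "possible", 120_000),
    ("subcontractor failure", "unlikely", 200_000),
    ("equipment failure", "unlikely", 20_000),
]

if __name__ == "__main__":
    for name, exp in prioritise(REGISTER, 3):
        print(f"{name:<22} exposure {exp:>9,.0f} EUR")
    # after monitoring, subcontractor failure is re-rated 'likely' and moves to the top
    for name, exp in prioritise(update(REGISTER, "subcontractor failure", "likely"), 3):
        print(f"{name:<22} exposure {exp:>9,.0f} EUR")
```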

Risk Reduction Strategies

There are 4 basic strategies for dealing with risk.

(1) Accept the risk (i.e. do nothing). This seems most advantageous when the leverage falls below 1.0, especially if the exposure is already low.

(2) Transfer the risk. Negotiate the contract so that the risk is accepted or shared by another party, e.g. customer, subcontractor, consortium partner, bank, etc.

(3) Reduce probabilities of negative outcomes. Invest in project activities which reduce probabilities, e.g. if risk = software bugs, activities = design, test, etc.

(4) Reduce losses associated with negative outcomes. Invest in catastrophe management which reduces the negative impact, e.g. insurance against lawsuits.

Note (3) = “buying smoke alarms” while (4) = “buying fire engines”

Risk Hierarchy

It is useful to structure different types of risk into a taxonomy, e.g. to perform systemic risk analysis.

There are many published taxonomies (aka. checklists), see e.g. Sommerville, course handouts and the course web page.

[Figure: risk hierarchy with three levels, Generic Project Risks > Generic IT Project Risks > Specific IT Project Risks, with example leaves: staff shortage, new technology, equipment failure, subcontractor failure, unknown product, team risk ….]

Boehm’s Top IT project risks

Recall the spiral lifecycle model? Boehm has studied the top IT project risks, and suggested fixes.

(1) Personnel shortfall
(2) Unrealistic schedules and budgets
(3) Developing the wrong software functions

IT Risks (continued)

(4) Developing the wrong user interface
(5) Gold plating
(6) Continuing stream of requirement changes
(7) Shortfalls in externally furnished components
(8) Shortfalls in externally performed tasks
(9) Real time performance shortfalls

Question: What fixes would you suggest?

Implementing Risk Control

Risk management is getting easier to motivate politically.

Fire Safety Officer Paradox
With a good fire safety officer there are never any fires … but then why hire an officer?