IT Project Risk


Page 1: IT Project Risk

IT Project Risk

See also Sommerville Chapter 22.1

Page 2: IT Project Risk

Risk Management

Ideas of risk management originate in
• Probability theory
• Insurance mathematics
which seek to
• Quantify and control risk
• Make a net profit in the long term
• Not be ruined in the short term

Page 3: IT Project Risk

Recall the definition of an expectation over a discrete probability distribution.

E = Σ p( event i ) * e( event i )

e.g. tossing a fair coin, let

event 1 = head, event 2 = tail
p( event 1 ) = 0.5, p( event 2 ) = 0.5
e( event 1 ) = +1€, e( event 2 ) = -1€

Page 4: IT Project Risk

Expectation = (0.5 * 1 ) + (0.5 * -1) = 0.0

In the long term we make no gain or loss! But in the short term we might go bankrupt!
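The two claims on this slide (zero expectation, but a real chance of bankruptcy) can be checked exactly rather than by intuition. The following Python is an added example, not part of the lecture slides: it encodes the fair-coin bet of Pages 3 and 4 as a complete set of outcomes, computes the expectation with the formula above, and then computes the probability of being ruined within a fixed number of bets when starting from a given capital (a dynamic programme over the random walk of our capital). The starting capitals and bet counts are constructed for illustration.

```python
from fractions import Fraction
from functools import lru_cache

# Constructed example (added here, not from the slides): the fair-coin bet of
# Pages 3 and 4 as a complete set of outcomes, each with its probability p and
# its gain/loss e in euros.  Fractions keep every value exact.
COIN_BET = {
    "head": (Fraction(1, 2), +1),
    "tail": (Fraction(1, 2), -1),
}


def expectation(outcomes):
    """E = sum over events of p(event) * e(event).

    The events must form a complete, exclusive set, so their probabilities
    are required to sum to exactly 1 before the expectation is trusted.
    """
    total = sum(p for p, _ in outcomes.values())
    if total != 1:
        raise ValueError(f"probabilities sum to {total}, not 1")
    return sum(p * e for p, e in outcomes.values())


def ruin_probability(capital, bets, outcomes=COIN_BET):
    """Probability of being ruined (capital <= 0) within `bets` rounds.

    Exact dynamic programme over the random walk of our capital: once the
    capital reaches zero, play stops, so that state counts as ruin with
    probability 1 regardless of the rounds that remain.
    """
    @lru_cache(maxsize=None)
    def ruined(cap, rounds_left):
        if cap <= 0:
            return Fraction(1)
        if rounds_left == 0:
            return Fraction(0)
        return sum(p * ruined(cap + e, rounds_left - 1)
                   for p, e in outcomes.values())

    return ruined(capital, bets)


if __name__ == "__main__":
    print("expectation per bet:", expectation(COIN_BET))
    # The long-run average is 0, yet a small bankroll is very likely to be
    # wiped out well before the long run arrives.
    for capital in (1, 5, 20):
        print(f"start with {capital} EUR: P(ruin within 200 bets) = "
              f"{float(ruin_probability(capital, 200)):.3f}")
```

Running the block prints an expectation of 0 and ruin probabilities that grow with the number of bets and shrink with the starting capital; that gap between "zero expected loss" and "probability of ruin" is exactly why the insurance view on Page 2 lists long-term profit and short-term survival as two separate goals.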

Page 5: IT Project Risk

For each event εi we need to define:

(1) The impact e( εi ) of εi as a gain or loss (financial, time etc … )

(2) The risk r( εi ) associated with εi as the expression r( εi ) = p( εi ) * e( εi )

Page 6: IT Project Risk

History

During the 1990s ideas of risk management spread from insurance to other industries such as
• Banking and finance
• Information technology
especially through the support of US legislation.

Page 7: IT Project Risk

Clinger-Cohen Act 1996

Information Technology Acquisition Reform Act: “… assessing and managing the risks of the IT acquisitions of executive (government) agencies … “

And later … Department of Defence (DoD) Directive 5000.1 (1996, 1999)

Page 8: IT Project Risk

Capability Maturity Model (CMM)

• Level 3 accreditation requires structured risk management.

Page 9: IT Project Risk

Definitions

A project risk is a project event εi with three distinguishing features:

(1) Associated loss which could include time, money, quality, control, understanding etc. We try to measure this value which is the risk impact e(εi)

Page 10: IT Project Risk

(2) A likelihood that each possible outcome εi event occurs. We try to measure this value which is the risk probability p(εi).

Measuring p(εi) is usually much harder. Often a semi-quantitative approach is used, e.g.

Unlikely : possible : likely : very likely

gives four quartiles 25 : 50 : 75 : 100

Page 11: IT Project Risk

(3) There is some way to influence the impact.

We need only be interested in risks where we can avoid or minimise the impact.

Some risks are always beyond the scope of influence, e.g. physics, war, legislation, etc.

Page 12: IT Project Risk

Risk Exposure

This is the cumulative exposure over a complete and independent set of events

E = Σ p( event i ) * e( event i )

Risk control is a set of planned actions to reduce the risk exposure.

Page 13: IT Project Risk

Example

Consider the risk exposure for testing a new software product.

Delivery of the product yields 300K€. However, if critical bugs are present a penalty payment of 150K€ is owed to the client.

Page 14: IT Project Risk

Probability estimates

By spending 50K€ (6 man months) on testing we estimate that we will find all critical bugs with a probability of 0.75.

We estimate the probability that the product is free of critical bugs (from the start) to be 0.2

We estimate the probability that we will overlook a critical bug to be 0.05

Page 15: IT Project Risk

Outcome tree

exists fault: P = 0.8
    find fault: P = 0.75
    find no fault: P = 0.05
exists no fault: P = 0.2

A tree structure naturally produces a complete independent set of outcomes

Page 16: IT Project Risk

Risk exposure

Exposure = 0.75 * ( 300,000 – 50,000 )
         + 0.05 * ( 300,000 – ( 150,000 + 50,000 ) )
         + 0.2 * ( 300,000 – 50,000 )

         = 187,500 + 5,000 + 50,000 = 242,000

Page 17: IT Project Risk

What does this calculation actually tell us?

Over the long term we would make a profit of 242,000€ on a series of projects with these characteristics.

However, this project is probably unique!

Each summand is positive, and therefore under each outcome we make some profit.

Page 18: IT Project Risk

The result is dominated by the term 0.75 * (300,000 – 50,000 ) = 187,500

To improve the average outcome, we could:

(a) Improve testing effectiveness to raise the value 0.75 (at no cost?)

(b) Reduce testing labour to reduce the value 50K (possible?)

(c) Raise the product price above 300K€ (desirable? possible?)

Page 19: IT Project Risk

Risk Leverage

Risk management procedures alter the value of our exposure … but they usually cost money to put in place.

When does the gain exceed the expense? (The law of diminishing returns.)

Page 20: IT Project Risk

Define the risk leverage of a specific risk reduction to be the value

Leverage = ( exposure after – exposure before ) / cost of reduction

Page 21: IT Project Risk

Example

In the previous testing scenario, suppose doubling the test budget to 100K€ will halve the probability

p( find no fault ) = 0.025

so that p( find fault ) = 0.775

while p( exists no fault ) = 0.2 is unchanged.

Page 22: IT Project Risk

Exposure after reduction

Exposure after = 0.775 * ( 300,000 – 100,000 )
               + 0.025 * ( 300,000 – ( 150,000 + 100,000 ) )
               + 0.2 * ( 300,000 – 100,000 )

               = 155,000 + 1,250 + 40,000 = 196,250

Page 23: IT Project Risk

Leverage

Leverage = ( exposure after – exposure before ) / cost of reduction

         = ( 196,250 – 242,000 ) / 50,000 = -0.915

A leverage value < 1.0 is an uneconomic reduction!
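The exposure and leverage arithmetic of Pages 13 to 23 is easy to get wrong by hand, and a practitioner will want to rerun it for other budgets and probability estimates. The following Python is an added example, not the lecture's own code: it builds the outcome tree explicitly, rejects a tree whose probabilities do not sum to 1, computes the exposure with the formula from Page 12, and computes the leverage with the definition from Page 20. Note that the three terms on Page 16 actually sum to 242,500 rather than the printed 242,000, so the exact leverage comes out as -0.925 instead of -0.915; the conclusion that the reduction is uneconomic is the same either way. Probabilities are passed as strings or Fractions so that the computation stays exact.

```python
from fractions import Fraction

# Added example, not the lecture's own code: the testing scenario of
# Pages 13 to 23 as an explicit outcome tree, so that risk exposure and
# risk leverage can be recomputed for any test budget.
REVENUE = 300_000              # EUR paid on delivery
PENALTY = 150_000              # EUR owed to the client if a critical bug ships
P_NO_FAULT = Fraction("0.2")   # product is free of critical bugs from the start


def outcome_tree(test_cost, p_overlook):
    """Complete, independent set of outcomes for one test budget.

    p_overlook is the probability that a critical fault exists and testing
    misses it (the slides give 0.05 for a 50K budget and 0.025 for 100K).
    Pass it as a string or Fraction to keep the arithmetic exact.
    Returns (label, probability, payoff) triples.
    """
    p_overlook = Fraction(p_overlook)
    p_find = 1 - P_NO_FAULT - p_overlook      # fault exists and is found
    return [
        ("fault exists, found by testing", p_find, REVENUE - test_cost),
        ("fault exists, overlooked", p_overlook, REVENUE - (PENALTY + test_cost)),
        ("no fault to begin with", P_NO_FAULT, REVENUE - test_cost),
    ]


def exposure(tree):
    """Risk exposure E = sum_i p(event_i) * e(event_i) over the whole tree."""
    if sum(p for _, p, _ in tree) != 1:
        raise ValueError("outcome tree is not a complete set of events")
    return sum(p * payoff for _, p, payoff in tree)


def leverage(exposure_before, exposure_after, cost_of_reduction):
    """Leverage = (exposure after - exposure before) / cost of reduction."""
    return (exposure_after - exposure_before) / cost_of_reduction


def economic(lev):
    """Page 23's rule of thumb: a reduction pays off only if leverage > 1.0."""
    return lev > 1


def testing_scenario():
    """The slides' numbers: 50K budget before, 100K budget after."""
    before = outcome_tree(test_cost=50_000, p_overlook="0.05")
    after = outcome_tree(test_cost=100_000, p_overlook="0.025")
    e_before, e_after = exposure(before), exposure(after)
    lev = leverage(e_before, e_after, cost_of_reduction=50_000)
    return e_before, e_after, lev


if __name__ == "__main__":
    e_before, e_after, lev = testing_scenario()
    for label, p, payoff in outcome_tree(50_000, "0.05"):
        print(f"{label:32s} p={float(p):.3f}  payoff={payoff:,} EUR")
    print(f"exposure before: {float(e_before):,.0f} EUR")
    print(f"exposure after:  {float(e_after):,.0f} EUR")
    verdict = "economic" if economic(lev) else "uneconomic"
    print(f"leverage: {float(lev):.3f} -> {verdict}")
```

Because `outcome_tree` takes the budget and the overlook probability as parameters, the same code answers the Page 18 questions: change only `p_overlook` to model option (a), only `test_cost` to model option (b), or `REVENUE` to model option (c), and compare the resulting leverage against 1.0.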

Page 24: IT Project Risk

Risk Management Process

… has its own lifecycle

(1) Identify the risks using previous project histories, similar projects, checklists etc

(2) Analyse risks, try to find the probabilities and impacts, even semi-quantitatively

(3) Plan risk handling actions, prioritise top n risks (e.g. n = 10) in terms of exposure

(4) Make contingency plans (i.e. damage control) for all n risks

(5) Monitor and adjust: update probabilities and recalculate

Page 25: IT Project Risk

Risk Reduction Strategies

There are 4 basic strategies for dealing with risk.

(1) Accept the risk (i.e. do nothing). This seems most advantageous when the leverage falls below 1.0, especially if exposure is already low.

Page 26: IT Project Risk

(2) Transfer the risk. Negotiate the contract so that the risk is accepted or shared by another party, e.g. customer, subcontractor, consortium partner, bank, etc.

(3) Reduce probabilities of negative outcomes. Invest in project activities which reduce probabilities, e.g. if risk = software bugs, activities = design, test, etc.

Page 27: IT Project Risk

(4) Reduce losses associated with negative outcomes. Invest in catastrophe management which reduces negative impact, e.g. insurance against lawsuits.

Note (3) = “buying smoke alarms” while (4) = “buying fire engines”

Page 28: IT Project Risk

Risk Hierarchy

It is useful to structure different types of risk into a taxonomy, e.g. to perform systemic risk analysis.

There are many published taxonomies (aka checklists); see e.g. Sommerville, course handouts and the course web page.

Page 29: IT Project Risk

(Figure: a three-level risk hierarchy)

Generic Project Risks → Generic IT Project Risks → Specific IT Project Risks

Example risk types shown in the figure: staff shortage, new technology, equipment failure, subcontractor failure, unknown product, team risk ….

Page 30: IT Project Risk

Boehm’s Top IT Project Risks

Recall the spiral lifecycle model? Boehm has studied the top IT project risks, and suggested fixes.

(1) Personnel shortfall
(2) Unrealistic schedules and budgets
(3) Developing the wrong software functions

Page 31: IT Project Risk

IT Risks (continued)

(4) Developing the wrong user interface
(5) Gold plating
(6) Continuing stream of requirement changes
(7) Shortfalls in externally furnished components
(8) Shortfalls in externally performed tasks
(9) Real-time performance shortfalls

Question: What fixes would you suggest?

Page 32: IT Project Risk

Implementing Risk Control

Risk management is getting easier to motivate politically.

Fire Safety Officer Paradox: with a good fire safety officer there are never any fires … but then why hire an officer?