Project Risk Management

There are several risks facing a project due to cost, time, quality, and performance uncertainties. Risk mitigation strategies can be developed to reduce or minimize project risks.

Having a strategy to deal with the risk that is inherent in large projects, say IT projects, is critical. One of the greatest risk factors to the success of IT projects is the amount of development that is planned.

Full-scale development is where the potential is greater for significant cost and schedule overruns and lowered performance goals. In a project environment, cost, benefit, and schedule estimates are typically uncertain.

The types of risks in a project, along with risk mitigation strategies, include the following:

1) Technology Risk

Technology risk is the risk that a product or service may not meet its intended objectives or may not interface correctly with current processes or software.

This form of risk can include both technical feasibility and technical obsolescence.

Risk mitigation strategies can include: maximum use of commercial software, practicing open competition, and performing pilot or prototype testing.

A risk exists when these technology risk items are not in place: 

• Plan for validating that user needs are met
• Existence of load test in accordance with industry standards
• Evaluation of technology options
• Availability of track record for system
• Maintainability and ability to upgrade key technologies
• Vendor’s ability to implement technology

2) Implementation and Operational Risk

Implementation and operational risk deals with time constraints. This form of risk includes both the amount of time necessary to complete the task and the compatibility between computing platforms. Another risk is whether the project becomes operational in nature.

Risk mitigation strategies can include phased implementation, cross-organization involvement, and a proven integrated management team.

A risk exists when these operational risk items are not in place: 

• Organization’s familiarity with proposed hardware and software environment
• Development of system operating procedures
• Experience and ability of existing staff to support a new system
• Impact to organization of a system failure
• Number of business units impacted

3) Project Management Risk

Project management risk speaks directly to management risk. This human element is difficult to accurately incorporate into a risk assessment but is a critical factor nonetheless.

Risk mitigation strategies can include cost estimates prepared by a neutral third party, use of earned value management (EVM) techniques, use of open competition, use of financial incentives for contractor performance, distributing risk between the contractor and the organization, and implementing a sound acquisition plan using modular contracting.

A risk exists when these project management risk items are not in place:

• Experience levels of project management teams
• Number of training days for each team member
• Existence of work plan for the entire project lifecycle
• Degree of development of measurable milestones
• Length of time allowed for project implementation
• Existence of system for tracking unresolved issues
• Definition of user and system development skill requirements
• Number of project milestone reviews

4) Economic and Financial Risks

Economic risk encompasses such events as miscalculating a discount factor or failing to appropriately quantify other risks such as technology risk.

Financial risk becomes an issue if budgeted dollars are not available when they are scheduled to be.

A risk exists when these financial risk items are not in place: 

• Size of expenditure required
• Existence of cost-benefit analysis
• Existence of defined payback and timeframe of payback
• Reputation and financial status of vendor(s)

5) Strategic Risk

Strategic risk determines how closely a project is linked with its mission and risks. It is important to be comprehensive and include all risk sources regardless of frequency, probability of occurrence, or magnitude of gain or loss.

Risk mitigation strategies can include cross-department or cross-organization efforts, project goals mapped directly to organizational strategic plans, and consistent execution of plans.

A risk exists when these strategic risk items are not in place: 

• Alignment with the organization’s overall business strategy
• Clarity of expression of anticipated project outcomes
• Presence of metrics to verify the successful completion of each project phase
• Number of or percent of stakeholder participation in projects

6) Change Management Risk

Change management risk attempts to estimate how easily pilots and prototypes could be incorporated into existing systems. This type of risk also addresses how severely a business would potentially be impacted by a system failure.

Risk mitigation strategies can include employee involvement in the project planning process, training and implementation schedules, incentives to use the new system, management leadership, phased implementation, responsive support functions, and an outreach communication plan.

A risk exists when these change management risk items are not in place:

• Development of an acceptance plan for new system
• Magnitude and nature of change introduced by system
• Institutionalizing the change risk

7) Human Capital Risk

Human capital risk results from users’ lack of experience with a given technology (e.g., a first data warehouse project or a first system implementation project).

8) Dependency Risk

Dependency risk deals with risks between a new project and other projects.

9) Cost and Schedule Risk

Cost and schedule risk deals with risks where actual cost is more than the budgeted cost and where the actual schedule is longer than the budgeted schedule.

10) Privacy and Security Risks

Privacy and security risks deal with disclosing sensitive information to unauthorized individuals and unauthorized individuals accessing computer data and information, respectively.

Risk mitigation strategies for privacy risk can include an authentication method, controlled-access channels and authorization policies, firewalls, and use of secure electronic delivery channels.

Risk mitigation strategies for security risk include a security plan, consistency with standards, an authentication method matching the risk level, and use of secure electronic delivery channels.

Risk mitigation strategies for related data and information include use of a data warehouse concept, implementing a backup plan, performing process mapping, and leveraging data-collection efforts.

A risk exists when these security risk items are not in place: 

• Performance of risk assessment
• Implementation of security controls
• Security training and awareness
• Contingency planning and disaster recovery
• Compliance with security policy

A risk management plan should be developed that includes information on the types, probability, and impact of risks pertinent to the project.

This plan should also include the risk that the funding request will not be approved or not approved in its entirety and plans for how to treat and manage the risk, including how to respond to lower funding.

Furthermore, risk can be accommodated by requesting a higher return for projects determined to be of higher risk.

Also, risk analysis estimates of the probability that an investment project will fail and the impact this would have on the business can be subtracted from the expected benefits to adjust the return on investment (ROI) or net present value (NPV) calculations to reflect risk.

Sophisticated risk assessment methodologies such as probabilistic simulation can be used to estimate ranges for total annual cash flows and other key variables. Probability distributions can then be assigned to the outcomes for each of the variables.
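
The two adjustments described above, as an added example that is not part of the original page: a risk-adjusted NPV that subtracts probability times impact, and a probabilistic simulation that gives a range for NPV. All figures, the triangular distributions and the function names are constructed assumptions for illustration.

```python
import random
import statistics

def npv(rate, cash_flows):
    """Net present value; cash_flows[0] is the time-0 outlay (negative)."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))

def risk_adjusted_npv(rate, cash_flows, p_fail, failure_impact):
    """Subtract the expected failure loss (probability x impact) from NPV.
    Assumption: failure_impact is already expressed in present-value terms."""
    return npv(rate, cash_flows) - p_fail * failure_impact

def simulate_npv(rate, outlay, yearly_ranges, trials=20000, seed=1):
    """Monte Carlo: draw each year's cash flow from a triangular
    distribution (low, most_likely, high) and summarise the NPV outcomes."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    results = []
    for _ in range(trials):
        flows = [-outlay] + [rng.triangular(low, high, mode)
                             for low, mode, high in yearly_ranges]
        results.append(npv(rate, flows))
    cuts = statistics.quantiles(results, n=20)  # 19 cut points, 5% apart
    return {
        "mean": statistics.fmean(results),
        "p5": cuts[0],
        "median": statistics.median(results),
        "p95": cuts[-1],
        "p_loss": sum(r < 0 for r in results) / trials,  # share of trials with NPV < 0
    }

# Constructed sample figures (not from the page): 10% discount rate,
# 100,000 outlay, three years of benefits estimated as low / likely / high.
RATE = 0.10
OUTLAY = 100_000
YEARLY = [(30_000, 45_000, 60_000)] * 3

if __name__ == "__main__":
    point = [-OUTLAY] + [mode for _, mode, _ in YEARLY]
    print("Point-estimate NPV:", round(npv(RATE, point), 2))
    # Constructed: 20% chance of failure costing 30,000 in present-value terms.
    print("Risk-adjusted NPV: ", round(risk_adjusted_npv(RATE, point, 0.20, 30_000), 2))
    for key, value in simulate_npv(RATE, OUTLAY, YEARLY).items():
        print(f"{key:>7}: {value:,.3f}")
```

The point estimate hides the spread: the simulation reports the 5th to 95th percentile range and the share of trials in which the project loses money, which is the input a higher required return for riskier projects would be based on.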

Example of a Risk Scale and Risk-Adjusted Cost and Value

An organization has established the following risk scale consisting of risk levels (High, Medium, and Low) and associated probabilities along with cost and benefit (value) impacts for the risk factor “failure to maintain project schedule”.
Note that cost impacts and benefit impacts have opposite signs because the cost impact causes the costs to increase and the benefit impact causes the benefits to decrease.

Management has estimated the expected cost to be $10,000 with medium probability and high cost impact. It has also estimated the expected value score as 90 with medium probability and medium benefit impact.

