Chapter 11:

Project Risk
Management
Information Technology Project Management, Ninth
Edition
Note: See the text itself for full citations

Information Technology Project Management, Ninth Edition. © 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except
for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Learning Objectives (1 of 2)

• Explain the concept of risk as it relates to project

management, and list the advantages of managing
project risks according to best practices
• Discuss the elements of planning risk management and
the contents of a risk management plan
• List common sources of risks on information technology
(IT) projects
• Describe the process of identifying risks and create a risk
register and risk report
• Discuss qualitative risk analysis and explain how to
calculate risk factors, create probability/impact matrixes,
and apply the Top Ten Risk Item Tracking technique to
rank risks
Learning Objectives (2 of 2)

• Explain quantitative risk analysis and how to apply

decision trees, simulation, and sensitivity analysis to
quantify risks
• Provide examples of using different risk response
planning strategies to address both negative and
positive risks
• Discuss how to monitor risks
QUESTION

• What is risk?
QUESTION

• What are current risks to you?

• How are you mitigating this risk?
The Importance of Project Risk Management (1
of 7)

• Project risk management is the art and science of

identifying, analyzing, and responding to risk throughout
the life of a project and in the best interests of meeting
project objectives
• Risk management is often overlooked in projects, but it can
help improve project success by helping select good projects,
determining project scope, and developing realistic estimates
The Importance of Project Risk Management (2
of 7)

• Research shows a need to improve project risk

management
• Study by Ibbs and Kwak shows risk management has the lowest
maturity rating of all knowledge areas
• A similar survey was completed with software development
companies in Mauritius, South Africa, and risk management
also had the lowest maturity
• KLCI study shows the benefits of following good software risk
management practices
Global Issues

• Many people around the world suffered from financial

losses as various financial markets dropped in the fall of
2008, even after the $700 billion bailout bill was passed
by the U.S. Congress
• According to a global survey of 316 financial services
executives, over 70 percent of respondents believed that the
losses stemming from the credit crisis were largely due to
failures to address risk management issues
• Worldwide banking and insurance sectors will spend
about $78.6 billion on risk information technologies and
services in 2015, growing to $96.3 billion by 2018
There are external factors to
risk…
The Importance of Project Risk Management (4
of 7)

• A dictionary definition of risk is “the possibility of loss or

injury”
• General definition of a project risk: an uncertainty that can
have a negative or positive effect on meeting project
objectives
• Managing negative risks involves a number of possible actions
that project managers can take to avoid, lessen, change, or
accept the potential effects of risks on their projects
• Positive risk management is like investing in opportunities
Best Practice

• Some organizations make the mistake of only

addressing tactical and negative risks when
performing project risk management
• David Hillson suggests overcoming this problem by widening
the scope of risk management to encompass both strategic
risks and upside opportunities, which he refers to as integrated
risk management

• Hillson described the importance of good working relationships;

especially between the project sponsor and project manager
The Importance of Project Risk Management (5
of 7)

• Risk utility is the amount of satisfaction or

pleasure received from a potential payoff
• Utility rises at a decreasing rate for people who are risk-averse
• Those who are risk-seeking have a higher tolerance for risk and
their satisfaction increases when more payoff is at stake
• Risk-neutral approach achieves a balance between risk
and payoff
The Importance of Project Risk Management (6
of 7)
QUESTION

• Why is car insurance more expensive for students and

those younger than 21?
Advice for Young Professionals

• Young project professionals are sometimes more willing

to take risks with unique or untested approaches
• Take the time to find out what other, more experienced people
might feel about the circumstances of a project before making
up your mind about potential risks
• Then, taking other views into account, you can determine how best to
plan for the impacts that might occur while balancing the rewards of a
potential payoff from a unique or untested approach
The Importance of Project Risk Management (7
of 7)

• Project risk management processes

• Planning risk management: deciding how to approach and
plan the risk management activities for the project
• Identifying risks: determining which risks are likely to affect a
project and documenting the characteristics of each
• Performing qualitative risk analysis: prioritizing risks based
on their probability and impact of occurrence
• Performing quantitative risk analysis: numerically
estimating the effects of risks on project objectives
• Planning risk responses: taking steps to enhance
opportunities and reduce threats to meeting project objectives
• Implementing risk responses: implementing the risk
response plans
• Monitoring risk: monitoring identified and residual risks,
identifying new risks, carrying out risk response plans, and
evaluating the effectiveness of risk strategies throughout the
life of the project
Planning Risk Management (1 of 3)

• Main output of this process is a risk management

plan
• Documents the procedures for managing risk throughout a
project
• The project team should review project documents as
well as corporate risk management policies, risk
categories, lessons-learned reports from past projects,
and templates for creating a risk management plan
• It is also important to review the risk tolerances of various
stakeholders
Planning Risk Management (2 of 3)

• Additional plans
• Contingency plans: predefined actions that the project team
will take if an identified risk event occurs
• Fallback plans: developed for risks that have a high impact on
meeting project objectives, and are put into effect if attempts
to reduce the risk are not effective
• Contingency reserves or allowances: funds included in the
cost baseline that can be used to mitigate cost or schedule
overruns if known risks occur
• Management reserves: funds held for unknown risks that
are used for management control purposes
Common Sources of Risk on IT Projects (1 of 3)

• Several studies show that IT projects share some

common sources of risk
• The Standish Group developed an IT success potential scoring
sheet based on potential risks
• Other broad categories of risk help identify potential
risks
• Market risk
• Financial risk
• Technology risk
• People risk
• Structure/process risk
• A risk breakdown structure is a hierarchy of potential risk
categories for a project
Identifying Risks (1 of 5)

• Understanding what potential events might hurt or

enhance a particular project
• You cannot manage risks if you do not identify them first
• Another consideration is the likelihood of advanced
discovery
• Often viewed at a program level rather than a project level
• Suggestions for identifying risks: tools and techniques
• Brainstorming
• The Delphi Technique
• Interviewing
• SWOT analysis
Identifying Risks (2 of 5)

• Brainstorming
• Group attempts to generate ideas or find a solution for a
specific problem by amassing ideas spontaneously and without
judgment
• An experienced facilitator should run the brainstorming session
• Be careful not to overuse or misuse brainstorming
• Psychology literature shows that individuals produce a greater number of
ideas working alone than they do through brainstorming in small, face-
to-face groups
• Group effects often inhibit idea generation
Identifying Risks (3 of 5)

• Delphi Technique
• Used to derive a consensus among a panel of experts who
make predictions about future developments
• Provides independent and anonymous input regarding future
events
• Uses repeated rounds of questioning and written responses and
avoids the biasing effects possible in oral methods
Identifying Risks (4 of 5)

• Interviewing
• Fact-finding technique for collecting information in face-to-face,
phone, e-mail, or virtual discussions
• Interviewing people with similar project experience is an
important tool for identifying potential risks
Identifying Risks (5 of 5)

• SWOT analysis
• Strengths, weaknesses, opportunities, and threats
• Helps identify the broad negative and positive risks that apply
to a project
The Risk Register (1 of 4)

• Important output of the risk identification process

• List of identified risks and other information needed to begin
creating a risk register
• Contains the results of various risk management processes
and that is often displayed in a table or spreadsheet format
• Tool for documenting potential risk events and related
information
• Risk events refer to specific, uncertain events that may occur to
the detriment or enhancement of the project
The Risk Register (2 of 4)

• Risk register contents

• Identification number for each risk event
• Rank for each risk event
• Name of each risk event
• Description of each risk event
• Category under which each risk event falls
• Root cause of each risk
• Triggers for each risk; indicators or symptoms of actual risk
events
• Potential responses to each risk
• Risk owner or person who will own or take responsibility for
each risk
• Probability and impact of each risk occurring
• Status of each risk
The Risk Register (4 of 4)

• Risk report contents

• Sources of overall project risk
• Important drivers of overall project risk exposure
• Summary information on risk events
Performing Qualitative Risk Analysis

• Assess the likelihood and impact of identified risks

to determine their magnitude and priority
• Risk quantification tools and techniques
• Probability/impact matrixes
• The Top Ten Risk Item Tracking
• Expert judgment
Using Probability/Impact Matrixes to
Calculate Risk Factors (1 of 3)

• Lists relative probability of a risk occurring on one

side of a matrix or axis on a chart and the relative
impact of the risk occurring
• List the risks and then label each one as high, medium, or low
in terms of its probability of occurrence and its impact if it did
occur
• Calculates risk factors
• Numbers that represent the overall risk of specific events based
on their probability of occurring and the consequences to the
project if they do occur
Using Probability/Impact Matrixes to Calculate
Risk Factors (2 of 3)
Using Probability/Impact Matrixes to Calculate
Risk Factors (3 of 3)
QUESTION

• What is the difference between qualitative and

quantitative?
Top Ten Risk Item Tracking (1 of 2)

• Qualitative risk analysis tool that helps to identify risks

and maintain an awareness of risks throughout the life of
a project
• Involves establishing a periodic review of the top ten project
risk items
• Includes the current ranking, previous ranking, number of times
the risk appears on the list over a period of time, and a
summary of progress made in resolving the risk item
• A watch list is a list of risks that are low priority, but are
still identified as potential risks
• Qualitative analysis can also identify risks that should be
evaluated quantitatively
Media Snapshot

• The story of the Titanic is known throughout the world,

and on April 15, 2012, people acknowledged the
anniversary of the Titanic’s sinking
• A recent article in PMI’s Virtual Library explains how to avoid
“the Titanic factor” in your projects by analyzing the
interdependence of risks
• For example, the probability of one risk event occurring might change if
another one materializes, and the response to one risk event might
affect another
Performing Quantitative Risk Analysis

• Often follows qualitative risk analysis, but both can be

done together
• Large, complex projects involving leading edge technologies
often require extensive quantitative risk analysis
• Main techniques
• Decision tree analysis
• Simulation
• Sensitivity analysis
Decision Trees and Expected Monetary Value
(EMV) (1 of 2)

• A decision tree is a diagramming analysis technique

used to help select the best course of action in
situations in which future outcomes are uncertain
• Estimated monetary value (EMV) is the product of a risk event
probability and the risk event’s monetary value
• You can draw a decision tree to help find the EMV
Simulation (1 of 3)

• Uses a representation or model of a system to

analyze the expected behavior or performance of the
system
• Monte Carlo analysis simulates a model’s outcome many times
to provide a statistical distribution of the calculated results
• Predict the probability of finishing by a certain date or the probability
that the cost will be equal to or less than a certain value
• You can use several different types of distribution functions when
performing a Monte Carlo analysis
Simulation (2 of 3)

• Steps of a Monte Carlo analysis

• Collect the most likely, optimistic, and pessimistic estimates for
the variables in the model
• Determine the probability distribution of each variable
• Select a random value based on the probability distribution for
each variable
• Run a deterministic analysis or one pass through the model
• Repeat steps three and four many times to obtain the
probability distribution of the model’s results
Simulation (3 of 3)
What Went Right?

• Microsoft Excel is a common tool for performing

quantitative risk analysis
• General Motors uses simulation for forecasting its net income,
predicting structural costs and purchasing costs of vehicles,
and determining the company’s susceptibility to different kinds
of risk
• Eli Lilly uses simulation to determine the optimal plant
capacity that should be built for developing each drug
• Procter & Gamble uses simulation to model foreign exchange
risk
• Monte Carlo simulation can also help reduce schedule
risk on agile projects
Sensitivity Analysis (1 of 2)

• Used to show the effects of changing one or more

variables on an outcome
• For example, many people use it to determine what the
monthly payments for a loan will be given different interest
rates or periods of the loan
• Spreadsheet software, such as Microsoft Excel, is a
common tool for performing sensitivity analysis (pivot
tables)
Sensitivity Analysis (2 of 2)
Planning Risk Responses (1 of 3)

• After identifying and quantifying risks, the organization

must decide how to respond to them
• Basic response strategies for negative risks
• Risk avoidance
• Risk acceptance
• Risk transference
• Risk mitigation
• Risk escalation
• Basic response strategies for positive risks
• Risk exploitation
• Risk sharing
• Risk enhancement
• Risk acceptance
• Risk escalation
Planning Risk Responses (3 of 3)

• It’s also important to identify residual and secondary

risks
• Residual risks: risks that remain after all of the response
strategies have been implemented
• Secondary risks: direct result of implementing a risk response
Implementing Risk Responses

• Main executing process performed as part of project risk

management is implementing risk responses
• Key outputs
• Change requests
• Project documents updates
CLASSROOM EXERCISE

Determining Personal Risk Tolerance

• Part #1 - Divide students into groups of three to five to

discuss what they think is their own personal tolerance
for risk in a certain area, such as finances, personal
relationships, lifestyles, etc.
• Have them pick the area and the category they believe
they fall under (risk-seeking, risk-averse, or risk-neutral).
CLASSROOM EXERCISE

Determining Personal Risk Tolerance

• Part #2 - Create a list of criteria to help determine risk

tolerance more systematically.
• For example, list five to ten questions and determine risk
tolerance based on the answers.
• The group can also research the availability of tools that
help determine risk tolerance. For example - many
financial planners offer such tools.
QUICK REVIEW

• What are the most important success criteria for

information technology projects according to the
Standish Group?
QUICK REVIEW

• What are the most important success criteria for

information technology projects according to the
Standish Group?
• User involvement, executive management support, and
a clear statement of requirements.
QUICK REVIEW

• If a project has a 50 percent probability of making $100

and a 50 percent probability of making no money at all,
what is its expected monetary value?
QUICK REVIEW

• If a project has a 50 percent probability of making $100

and a 50 percent probability of making no money at all,
what is its expected monetary value?
• $50
QUICK REVIEW

• What does risk mitigation mean? Provide an example of

how to mitigate risk in a project.
QUICK REVIEW

• What does risk mitigation mean? Provide an example of

how to mitigate risk in a project.
• Risk mitigation means reducing the impact of a risk
event by reducing its probability of occurrence. For
example, you could assign a very experienced project
manager to a project to mitigate the risk of poor
management.
Discussion Questions

1 - Discuss the risk utility function and risk preference

chart in Figure 11-Would you rate yourself as being risk-
averse, risk-neutral, or risk-seeking? Give examples of
each approach from different aspects of your life, such as
your current job, your personal finances, romances, and
eating habits.
Discussion Questions

1 - Discuss the risk utility function and risk preference

chart in Figure 11-Would you rate yourself as being risk-
averse, risk-neutral, or risk-seeking? Give examples of
each approach from different aspects of your life, such as
your current job, your personal finances, romances, and
eating habits.

• Answers will vary.

Discussion Questions

2 - What are some questions that should be addressed in

a risk management plan?
Discussion Questions

2 - What are some questions that should be addressed in

a risk management plan?

• Answers will vary. See Table 11-2 for possible questions.

Discussion Questions

3 - Discuss the common sources of risk on IT projects and

suggestions for managing them. Which suggestions do
you find most useful? Which do you feel would not work
in your organization? Why?
Discussion Questions

3 - Discuss the common sources of risk on IT projects and

suggestions for managing them. Which suggestions do
you find most useful? Which do you feel would not work
in your organization? Why?

• Answers will vary. Tables 11-3 and 11-4 provide some

potential risk conditions.
Discussion Questions

4 - What is the difference between using brainstorming

and the Delphi technique for risk identification? What are
some of the advantages and disadvantages of each
approach? Describe the contents of a risk register and
how the risk register is used in several risk management
processes.
Discussion Questions

4 - What is the difference between using brainstorming

and the Delphi technique for risk identification? What are
some of the advantages and disadvantages of each
approach? Describe the contents of a risk register and
how the risk register is used in several risk management
processes.

• The Delphi technique uses a moderator and keeps the

inputs anonymous, while brainstorming has everyone
state ideas out in the open.
• Brainstorming is often faster, easier, and less expensive
to do, but the Delphi technique can help avoid bias and
political problems. Risk register contents are provided in
the text. It is used in several risk management process
to help identify, rank, quantify, and monitor and control
risks.
Discussion Questions

5 - Describe how to use a probability/impact matrix and

the Top Ten Risk Item Tracking approaches for performing
qualitative risk analysis. How could you use each
technique on a project?
Discussion Questions

5 - Describe how to use a probability/impact matrix and

the Top Ten Risk Item Tracking approaches for performing
qualitative risk analysis. How could you use each
technique on a project?

• The text gives detailed examples of each technique. See

the figures and tables in that section for several
examples.
Discussion Questions

6 - Explain how to use decision trees and Monte Carlo

analysis for quantifying risk. Give an example of how you
could use each technique on an information technology
project.
Discussion Questions

6 - Explain how to use decision trees and Monte Carlo

analysis for quantifying risk. Give an example of how you
could use each technique on an information technology
project.

• Answers will vary. Figure 11-7 shows an example of

using a decision tree with the EMV calculations. Figure
11-8 shows the results of a Monte Carlo simulation with
Project 2016 to help understand schedule risk.
Discussion Questions

7 - Provide realistic examples of each of the risk response

strategies for both negative and positive risks.
Discussion Questions

7 - Provide realistic examples of each of the risk response

strategies for both negative and positive risks.

• Answers will vary. One example for avoiding negative

risk might be that you could use an existing piece of
hardware to avoid the risk of waiting for a newer
product. You could take your chances that the new
product will be available as an example of risk
acceptance, and if it’s not, then deal with the problem.
You could make a contractor bear the risk of providing
the new hardware on time or suffer some type of
consequences as an example of risk transference.
(more)
Discussion Questions

7 - Provide realistic examples of each of the risk response

strategies for both negative and positive risks.

• For risk mitigation, you could lessen the probability of a

risk event occurring, such as moving the date back to be
more certain the new hardware will be available. For
positive risk strategies, such as making money on a new
product, you could use risk exploitation by pursuing
venture capital, risk sharing by partnering with another
firm, risk enhancement by providing incentives to make
the positive risk happen,, and risk acceptance by just
accepting the risk if it occurred.
Discussion Questions

8 - List the tools and techniques for performing risk

control.
Discussion Questions

8 - List the tools and techniques for performing risk

control.

• Tools and techniques for performing risk control include

risk reassessment, risk audits, variance and trend
analysis, technical performance measurements, reserve
analysis, and status meetings or periodic risk reviews
such as the Top Ten Risk Item Tracking method.
Discussion Questions

9 - How can you use Excel to assist in project risk

management? What other software can help project
teams make better risk management decisions?
Discussion Questions

9 - How can you use Excel to assist in project risk

management? What other software can help project
teams make better risk management decisions?

• You can use Excel to help calculate risk factors, expected

monetary value, and to perform sensitivity analysis.
• Other software products that can assist in risk
management include project management software, risk
management software, and simulation software.
Chapter Summary

• Risk is an uncertainty that can have a negative or positive

effect on meeting project objectives
• Many organizations do a poor job of project risk management, if
they do any at all
• Successful organizations realize the value of good project risk
management
• Risk management is an investment
• Costs are associated with identifying risks, analyzing those risks,
and establishing plans to address them
• Implementing risk responses involves putting the
appropriate risk response plans into action
• Monitoring risks involves monitoring implementation of risk
response plans, tracking identified risks, identifying and analyzing
new risks, and evaluating effectiveness of risk management
throughout the entire project