Information Technology

Project Management

Unit 9
Project Risk Management

BCS1104 11/11/2025
 Introduction

 Project risk management is the art and science of identifying, analyzing, and
responding to risk throughout the life of a project and in the best interests of meeting
project objectives.
 Risk management can have a positive impact on selecting projects, determining their
scope, and developing realistic schedules and cost estimates.
 It helps project stakeholders understand the nature of the project, involves team
members in defining strengths and weaknesses, and helps to integrate the other
project management knowledge areas.
 Project risk management involves understanding potential problems that might occur
on the project and how they might impede project success. However, there are also
positive risks or opportunities, which can result in good outcomes for a project .
ICT 1101 - Computer Applications 11/11/2025
 Risk Can Be Positive
3

 Positive risks are risks that result in good things happening; sometimes called
opportunities

 A general definition of project risk is an uncertainty that can have a negative or

positive effect on meeting project objectives

 The goal of project risk management is to minimize potential negative risks

while maximizing potential positive risks
 Research Shows Need to Improve Project Risk
4
Management

 Study by Ibbs and Kwak shows risk has the lowest maturity rating of all
knowledge areas
 A similar survey was completed with software development companies in
Mauritius, South Africa in 2003, and risk management also had the lowest
maturity
 KLCI study shows the benefits of following good software risk management
practices
5 Risk Utility

 Risk utility or risk tolerance is the amount of satisfaction or pleasure

received from a potential payoff
 Utility rises at a decreasing rate for people who are risk-averse
 Those who are risk-seeking have a higher tolerance for risk and their
satisfaction increases when more payoff is at stake
 The risk-neutral approach achieves a balance between risk and payoff
 Figure 9-1: Risk Utility Function and Risk Preference
6
 Project Risk Management Processes
7

 Risk management planning: deciding how to approach and plan the risk
management activities for the project

 Risk identification: determining which risks are likely to affect a project and
documenting the characteristics of each

 Qualitative risk analysis: prioritizing risks based on their probability and impact
of occurrence
8
Project Risk Management Processes (continued)

 Quantitative risk analysis: numerically estimating the effects of risks on project

objectives

 Risk response planning: taking steps to enhance opportunities and reduce

threats to meeting project objectives

 Risk monitoring and control: monitoring identified and residual risks,

identifying new risks, carrying out risk response plans, and evaluating the
effectiveness of risk strategies throughout the life of the project
 Project Risk Management Summary
9
 Risk Management Planning
10

 The main output of risk management planning is a risk management plan—a

plan that documents the procedures for managing risk throughout a project

 The project team should review project documents and understand the
organization’s and the sponsor’s approaches to risk

 The level of detail will vary with the needs of the project
 Topics Addressed in a Risk Management Plan
11

 Methodology

 Roles and responsibilities

 Budget and schedule

 Risk categories

 Risk probability and impact

 Risk documentation
 Contingency, Fallback Plans, Contingency Reserves and
12 management reserves

 Contingency plans are predefined actions that the project team will take if an
identified risk event occurs
 Fallback plans are developed for risks that have a high impact on meeting project
objectives, and are put into effect if attempts to reduce the risk are not effective
 Contingency reserves or allowances are provisions held by the project sponsor
or organization to reduce the risk of cost or schedule overruns to an acceptable
level
 Common Sources of Risk in Information Technology
13 Projects

 Several studies show that IT projects share some common sources of risk

 The Standish Group developed an IT success potential scoring sheet based on

potential risks

 Other broad categories of risk help identify potential risks

14
Broad Categories of Risks described in questionnaires

 Market risk: If the IT project will create a new product or service, will it be
use ful to the organization or marketable to others? Will users accept and use
the product or service? Will someone else create a better product or service
faster, making the project a waste of time and money?

 Financial risk: Can the organization afford to undertake the project? How
confident are stakeholders in the financial projections? Will the project meet
NPV, ROI, and payback estimates? If not, can the organization afford to
continue the project? Is this project the best way to use the organization’s
financial resources?

 People risk: Does the organization have people with appropriate skills to
complete the project successfully? If not, can the organization find such
people? Do people have the proper managerial and technical skills? Do they
have enough experience? Does senior management support the project? Is
there a project champion? Is the organization familiar with the sponsor or
customer for the project? How good is the relationship with the sponsor or
customer?
15
Broad Categories of Risks described in questionnaires

 Technology risk: Is the project technically feasible? Will it use mature,

leading-edge, or bleeding-edge technologies? When will decisions be made
on which technology to use? Will hardware, software, and networks function
properly? Will the technology be available in time to meet project objectives?
Could the technology be obsolete before a useful product can be created?
You can also break down the technology risk category into hardware,
software, and network technology, if desired.

 Structure/process risk: What degree of change will the new project

introduce into user areas and business procedures? How many distinct user
groups does the project need to satisfy? With how many other systems does
the new project or system need to interact? Does the organization have
processes in place to complete the project successfully?
 Risk Identification
16

 Risk identification is the process of understanding what potential events

might hurt or enhance a particular project
 Risk identification tools and techniques include:
 Brainstorming
 The Delphi Technique
 Interviewing
 SWOT analysis
 Brainstorming
17

 Brainstorming is a technique by which a group attempts to generate ideas or

find a solution for a specific problem by amassing ideas spontaneously and
without judgment
 An experienced facilitator should run the brainstorming session

 Be careful not to overuse or misuse brainstorming

 Psychology literature shows that individuals produce a greater number of ideas

working alone than they do through brainstorming in small, face-to-face groups
 Group effects often inhibit idea generation
 Delphi Technique
18

 The Delphi Technique is used to derive a consensus among a panel of

experts who make predictions about future developments

 Provides independent and anonymous input regarding future events

 Uses repeated rounds of questioning and written responses and avoids the
biasing effects possible in oral methods, such as brainstorming
 Interviewing
19

 Interviewing is a fact-finding technique for collecting

information in face-to-face, phone, e-mail, or instant-
messaging discussions

 Interviewing people with similar project experience is an

important tool for identifying potential risks

 SWOT analysis (strengths, weaknesses, opportunities,

and threats) can also be used during risk identification

 Helps identify the broad negative and positive risks that

apply to a project
 Risk Register
20

 The main output of the risk identification process is a list of identified risks and
other information needed to begin creating a risk register
 A risk register is:

 A document that contains the results of various risk management processes

and that is often displayed in a table or spreadsheet format
 A tool for documenting potential risk events and related information

 Risk events refer to specific, uncertain events that may occur to the detriment
or enhancement of the project
 Risk Register Contents
21

 An identification number for each risk event

 A rank for each risk event

 The name of each risk event

 A description of each risk event

 The category under which each risk event falls

 The root cause of each risk

 Risk Register Contents (continued)
22

 Triggers for each risk; triggers are indicators or symptoms of actual risk
events
 Potential responses to each risk

 The risk owner or person who will own or take responsibility for each risk

 The probability and impact of each risk occurring

 The status of each risk

Sample Risk Register

2
3
 Qualitative Risk Analysis
24

 Assess the likelihood and impact of identified risks to determine their

magnitude and priority
 Risk quantification tools and techniques include:

 Probability/impact matrixes

 The Top Ten Risk Item Tracking

 Expert judgment
25 Probability/Impact Matrix

 A probability/impact matrix or chart lists the relative probability of a risk

occurring on one side of a matrix or axis on a chart and the relative impact of the
risk occurring on the other
 List the risks and then label each one as high, medium, or low in terms of its
probability of occurrence and its impact if it did occur
 Can also calculate risk factors

 Numbers that represent the overall risk of specific events based on their
probability of occurring and the consequences to the project if they do occur
 Sample Probability/Impact Matrix
26
27 Top Ten Risk Item Tracking

 Top Ten Risk Item Tracking is a qualitative risk analysis tool that helps to
identify risks and maintain an awareness of risks throughout the life of a
project
 Establish a periodic review of the top ten project risk items

 List the current ranking, previous ranking, number of times the risk appears
on the list over a period of time, and a summary of progress made in
resolving the risk item
 Example of Top Ten Risk Item Tracking
28
29 Watch List

 A watch list is a list of risks that are low priority, but are still identified as
potential risks
 Qualitative analysis can also identify risks that should be evaluated on a
quantitative basis
30
Quantitative Risk Analysis

 Often follows qualitative risk analysis, but both can be done together

 Large, complex projects involving leading edge technologies often require

extensive quantitative risk analysis
 Main techniques include:

 Decision tree analysis

 Simulation

 Sensitivity analysis
31
Decision Trees and Expected Monetary Value (EMV)

 A decision tree is a diagramming analysis technique used to help select the

best course of action in situations in which future outcomes are uncertain
 Estimated monetary value (EMV) is the product of a risk event probability and
the risk event’s monetary value
 You can draw a decision tree to help find the EMV
32
Expected Monetary Value (EMV) Example
 Simulation
33

 Simulation uses a representation or model of a system to analyze the expected

behavior or performance of the system
 Monte Carlo analysis simulates a model’s outcome many times to provide a
statistical distribution of the calculated results
 To use a Monte Carlo simulation, you must have three estimates (most likely,
pessimistic, and optimistic) plus an estimate of the likelihood of the estimate
being between the most likely and optimistic values
34 Steps of a Monte Carlo Analysis

1. Assess the range for the variables being considered

2. Determine the probability distribution of each variable

3. For each variable, select a random value based on the probability

distribution

4. Run a deterministic analysis or one pass through the model

5. Repeat steps 3 and 4 many times to obtain the probability distribution of the
model’s results
 Sensitivity Analysis
35

 Sensitivity analysis is a technique used to show the effects of changing one or

more variables on an outcome
 For example, many people use it to determine what the monthly payments for a
loan will be given different interest rates or periods of the loan, or for determining
break-even points based on different assumptions
 Spreadsheet software, such as Excel, is a common tool for performing sensitivity
analysis
 Sample Sensitivity Analysis for Determining Break-Even
36 Point
 Risk Response Planning
37

 After identifying and quantifying risks, you must decide how to respond to them

 Four main response strategies for negative risks:

 Risk avoidance

 Risk acceptance

 Risk transference

 Risk mitigation
 General Risk Mitigation Strategies for Technical, Cost, and
38 Schedule Risks
 Response Strategies for Positive Risks
39

 Risk exploitation

 Risk sharing

 Risk enhancement

 Risk acceptance
 Residual and Secondary Risks
40

 It’s also important to identify residual and secondary risks

 Residual risks are risks that remain after all of the response strategies have
been implemented
 Secondary risks are a direct result of implementing a risk response
41 Risk Monitoring and Control

 Involves executing the risk management process to respond to risk events

 Workarounds are unplanned responses to risk events that must be done when
there are no contingency plans
 Main outputs of risk monitoring and control are:

 Requested changes

 Recommended corrective and preventive actions

 Updates to the risk register, project management plan, and organizational

process assets
 Using Software to Assist in Project Risk Management
42

 Risk registers can be created in a simple Word or Excel file or as part of a

database
 More sophisticated risk management software, such as Monte Carlo simulation
tools, help in analyzing project risks
 The PMI Risk Specific Interest Group’s Web site at [Link] has a
detailed list of software products to assist in risk management
 Results of Good Project Risk Management
43

 Unlike crisis management, good project risk management often goes unnoticed

 Well-run projects appear to be almost effortless, but a lot of work goes into
running a project well
 Project managers should strive to make their jobs look easy to reflect the results
of well-run projects
 Chapter Summary
44

 Project risk management is the art and science of identifying, analyzing, and
responding to risk throughout the life of a project and in the best interests of
meeting project objectives
 Main processes include:

 Risk management planning

 Risk identification

 Qualitative risk analysis

 Quantitative risk analysis

 Risk response planning

 Risk monitoring and control