pm0016 a

Upload: mahesh-nagarkar

Post on 14-Apr-2018

212 views

Category:

Documents


0 download

TRANSCRIPT

  • 7/29/2019 PM0016 A

    1/6

    SIKKIM MANIPAL UNIVERSITY Assignment format

    1

    Student Name: Praveen Kumar Mandi Course: MBA

    Registration Number:1205033442 LC Code: LC00023

    Subject Name: Project Risk Management Subject Code: PM0016

    Q1. Explain the various inputs and tools and techniques of qualitative risk analysis process.

    (10 marks)

    Ans: Qualitative risk analysis:

    The major inputs required for qualitative risk analysis are:

    Risk register: The outputs obtained from the risk identification process form the initialentries into this risk register. This in turn forms the input to risk qualitative analysis.

    Risk management plan: The roles and responsibilities to perform the risk management,schedule activities, the probability and impact matrix form the main elements forqualitative risk analysis.

    Project scope statement: The project scope statement is used to evaluate the complexprojects which use first of its kind or more advanced technology.

    Organisational process assets: Information and studies about pervious projects and riskdatabase obtained from proprietary sources form the assets that influence the qualitative

    risk analysis.

    The tools and techniques used in qualitative risk analysis are:

    Assessment of risk probability and impact: The risk probability assessment identifies thepossibility of risk occurrence. The risk impact assessment identifies the negative andpositive effects of risk on the project objectives and extent to which it can impact the

    project. The probability and impact of risk can be evaluated by conducting interview with

    experienced professional or meeting with project team members.

    Probability and impact matrix: Since qualitative risk analysis is based on subjectiveevaluation, the rating for each risk may vary from person to person, depending on the bias

    of the person and how risk averse they are. To avoid this difference, most of the

    organisations have a standard rating system, which gives a common understanding of what

    each rating means. This standard is called Probability and impact matrix.

    Risk data quality assessment: A qualitative risk analysis needs accurate data. The risk dataare analysed to make sure that these data

    are accurate for risk management. If data collected has insufficient quality, then higher-quality data are gathered.

    Risk categorisation: This grouping of the various risks together based on their cause willhelp us to know which work package, process, people and other potential causes have the

    most risk associated with them. This data or information will help in appropriate risk

    response planning, allowing us to eliminate many risks by eliminating one cause.

    Risk urgency assessment: Risk that need immediate response comes under risk urgencyassessment. The qualitative risk analysis provide final risk severity rating by combining the

    assessment of risk urgency with risk rating obtained by the probability and impact matrix.

    Such risks may directly move to the risk response planning process, while the rest continuethrough the quantitative risk analysis process.

  • 7/29/2019 PM0016 A

    2/6

    SIKKIM MANIPAL UNIVERSITY Assignment format

    2

    Q2. The risk mitigation methodology describes the approach to control implementation. Explain

    the steps of the methodology. (10 marks)

    Ans: Following are the risk mitigation methodologies:

    1. Prioritise actions:Based on the risk levels presented in the risk assessment report, the implementation actions are

    prioritised. In allocating resources, top priority should be given to risk items with unacceptably

    high risk rankings (example, risk assigned a very high or high risk level). These vulnerability/threat

    pairs will require immediate corrective action to protect an organisations interest and mission.

    This results in ranking of actions from high to low.

    2. Evaluate recommended control options:

    The controls recommended in the risk assessment process may not be the most appropriate and

    feasible options for a specific organisation. During this step, the feasibility (example: compatibility,

    user acceptance) and effectiveness (example: degree of protection and level of risk mitigation) of

    the recommended control options are analysed. The objective is to select the most appropriate

    control option for minimising risk. This results in a list of feasible controls.

    3. Conduct cost-benefit analysis:

    To assist management in decision making and to identify cost-effective controls, a cost benefit

    analysis is conducted. This results in cost-benefit analysis describing the cost and benefits of

    implementing or not implementing the controls.

    4. Select control:

    On the basis of the results of the cost-benefit analysis, management determines the most cost-

    effective control(s) for reducing risk to the organisations mission. The controls selected should

    combine technical, operational, and management control elements to ensure adequate security

    for the organisation. This results in selected control(s).

    5. Assign responsibility:

    Appropriate person (in-house personnel or external contracting staff) who have the appropriate

    expertise and skill-sets to implement the selected control are identified, and responsibility is

    assigned. This results in a list of responsible persons to handle risk situation exclusively.

    6. Develop a safeguard implementation plan:

    During this step, a safeguard implementation plan (or action plan) is developed. The plan should,

    at the minimum, contain the following information:

    Risks and associated risk levels (output from risk assessment report). Recommended controls (output from risk assessment report).

    Prioritised actions (with priority given to items with very high and high risk levels). Selected planned controls (determined on the basis of feasibility, effectiveness, benefits to

    the organisation, and cost).

    Required resources for implementing the selected planned controls. Lists of responsible teams and staff.

    7. Implement selected control(s):

    Depending on individual situations, the implemented controls may lower the risk level but not

    eliminate the risk. This again results in risk which is called residual risk.

    Residual risks are the risks which exist even after the application of all the proposed risk control

    measures. It is important to note that if the residual risk is high, then additional countermeasures

    need to be implemented.

  • 7/29/2019 PM0016 A

    3/6

    SIKKIM MANIPAL UNIVERSITY Assignment format

    3

    Q3. There are two main strategies to handle risks, negative risks and positive risks. Explain the

    response strategies for threats (Negative Risks). (10 marks)

    Ans:

    Negative risks: There are four main response strategies to deal with threats. They are, Risk

    Avoidance, Risk Transfer, Risk Mitigation and Accept:Avoid: Risk avoidance involves varying the project plan to remove the threat to the project plan.

    Risk avoidance is done by altering the project plan to cut out the risk or the state that causes the

    risk in order to secure the project objectives from its impact.

    Examples of Risk Avoidance include:

    Adding resources or time. Adapting a conventional approach instead of doing something new. Avoiding an unknown subcontractor.

    Transfer: Risk transfer involves shifting the impact of a risk event and the ownership of the risk

    response to a third party. This strategy is common with a financial risk exposure and involves

    payment of a risk premium to the party assuming the risk.

    Examples of risk transfer are:

    Usage of insurance, performance bonds, warranties and guarantees. Contracts which are used to transfer liability for particular risks.

    Mitigate: Risk Mitigation decreases the probability or impact of a potential risk even to a more

    acceptable level. This includes reducing the consequences of the risk.

    Examples of Risk mitigation include: Enforcing a new course of action that lessens the problem, e.g. adapting less complicated

    methods, conducting more seismic or engineering tests, or selecting a more stable

    supplier.

    Altering the status so that the chance of the risk occurring is reduced, e.g. increasing theresources or time of the schedule.

    Accept: Risk acceptance is done by deciding not to make any changes to the project plan in order

    to deal with a risk or where a suitable response strategy cannot be identified. There are two types

    of acceptance:

    Active acceptance: It includes creating an emergency plan to execute when risk occurs. Anemergency plan is developed in advance to respond to the risks that crops up during the

    project.

    Passive acceptance: It requires no action. The project team has to deal with the risk as andwhen it occurs.

    Positive Risks:

    There are three main response strategies to deal with opportunities: Share, Enhance, and Exploit:

    Share: Risk sharing comprises of sharing responsibility and accountability with another to facilitate

    the team the best chance of seizing the opportunity.

    Enhance: Risk enhancement amplifies the probability that an opportunity occurs by focusing on

    the trigger circumstances of the opportunity and anticipate the chances.

    Exploit: Risk exploitation is used on opportunities when the organisation wishes to assure the

    opportunity is realised. Normally used by hiring the best experts or satisfying with the most

    technologically advanced resources that is available to the project team.

    A risk contingency is used only when a risk is realised or effecting the project. A response plan is

    commonly executed when a condition or trigger event occurs. A missing intermediate milestone is

    an example.

  • 7/29/2019 PM0016 A

    4/6

    SIKKIM MANIPAL UNIVERSITY Assignment format

    4

    Q4. What are the tips to remove the top three project estimating risks? Explain in brief.

    (10 marks)

    Ans: Below are some tips to remove the top three project estimating risks:

    Confirm all assumptions (Trust No One):Client confusion often lands the project managers in a messy situation. Never accept a client or

    other project manager's verbal confirmation as final. It is very much possible that clients

    sometimes are not clear about what they say. For example, if a client says that he has 25 32-bit

    Windows XP Professional workstations, do not assume it to be true until you visit the clients site

    and complete your own inventory.

    Do not expect trouble-free projects (Plan for Unknown unknowns):

    You have certain amount of information only upon which you can base project estimates. It is

    important that time is allotted for unpredicted problems, changes, incompatibilities, and other

    issues as project cost estimates is a combination of time and material. Since it is complicated to

    provide a simple standard or calculation that you can apply to all projects, you need to determine

    the bare minimum amount of time that is required to complete a project. Look for years of

    experience and real lessons learnt in completing similar projects; identify steps or stages that are

    likely to encounter trouble, and how long such delays might require to get resolved. Be sure to

    build appropriate time into original project planning documents, recommendations, proposals,

    and costs to accommodate inevitable problems. While you cannot compensate for all "unknown

    unknowns, risks you can at least take steps to responsibly plan to mitigate contingencies.

    Specify exactly what estimates include (Put it all in Writing):

    Miscommunication triggers a series of problems. You may say to clients that a project estimate

    includes the time, equipment, and software to deploy a new customised database. Clients do not

    distinguish between all the needs. The items covered while building project estimates and

    proposals must be clearly stated. Be sure to include all requirements clearly in a contract or

    project agreement and state additional labour, equipment, and software covered by the project's

    cost estimate which may be required to complete the project. For example, for a custom database

    roll-out, the costs of a new server include one new server with a specific CPU, RAM, disk

    configuration, operating system, license count, and other additional software. Specify all these

    requirements in the contract in order to avoid discrepancies between you and the clients in the

    future (if it arises). If any discrepancy occurs in future, the client would be responsible and this

    indeed covers you. If you do the homework discussed earlier; you can avoid the potential "known

    unknown risks. If you review dependencies carefully, allow time for unforeseen issues, anddocument the project's specifics in writing, you will be much better positioned to accommodate

    "unknown unknowns" risks when they arise.

    Q5. An organization building a risk-based culture must offer incentives for incorporating risk

    into the project planning and control process. Analyse the concept performance incentive.

    (10 marks)

    Ans: An organisation building a risk-based culture must offer incentives for incorporating risk into

    the project planning and control process. The senior management supports when project

    management identifies and foresees business risk that saves company time and money. Project

  • 7/29/2019 PM0016 A

    5/6

    SIKKIM MANIPAL UNIVERSITY Assignment format

    5

    managers who manage risks effectively are likely to be more successful in acquiring additional

    resources because they tend to have backup and contingency plans ready when risks occur.

    Categories of incentive:

    Incentives can be classified in different ways in which they motivate employees to take a

    particular course of action. One common and useful classification divides incentives into threebroad classes:

    Remunerative incentives (or financial incentives): It exist where an employee can expectsome form of material reward especially money in exchange for acting in a particular

    way.

    Moral incentives: These exist where a particular choice is widely regarded as the rightthing to do, or where the failure to act in a certain way is condemned as indecent.

    Example: A person acting on a moral incentive can anticipate a sense of self-esteem, and

    approval or even admiration from his community; a person acting against a moral

    incentive can expect a sense of guilt, and condemnation or even ostracism from the

    community. Coercive incentives: A person can expect that the failure to act in a particular way will

    result in physical force being used against them (or their loved ones) by others in the

    community for example, by inflicting pain in punishment, or by imprisonment, or by

    confiscating or destroying their possessions.

    Some of the other classifications are as follows:

    Straight piece rate: An employee is paid immediately for the number of pieces producedper day. In this plan, quality may suffer.

    Straight piece rate with a guaranteed base wage: An employee is paid immediately foroutput set by management even if employee produces less than the target level output. Ifemployee exceeds this target output, he is given wage in direct percentage to the number

    of pieces produced by him at the straight piece rate.

    Q6. Explain project reviews and risk reassessment briefly. (10 marks)

    Ans: In order to revalidate the project objectives, plans and assumption, projects require cycles of

    reviews and regular reassessment to keep the project on track. Another reason is for co-located

    teams, the project review is an opportunity to reinforce the value of the project, recognise and

    reward significant accomplishments and motivate the team members. Loss of interest on very

    long projects is one of the reasons that these projects are at higher-risks. Reminding the team thatwhy the project matters is an effective way to reduce this risk.

    The limited planning and technical complexity also contributes to project risks of lengthy projects

    and project reviews is a better way to manage it. During the review some reviews find few issues,

    requiring minimal attention and the project continues as planned. Other reviews reveal changes

    or additional planning that is necessary and the project continues but only after the changes is

    made. The third possible outcome of a project review is a recommendation to cancel future

    project work.

    Few things are important for this:

    Schedule the review: Every six months a project review should be implemented to check thestatus of the project. The best way to review a project is to get away from the usual work place

  • 7/29/2019 PM0016 A

    6/6