risk strategies presentation
TRANSCRIPT
Project Risk & Project Risk
ManagementProject Risk: An uncertain event or condition that, if it occurs,
has a positive or negative effect on the project objectives
Project risk management includes the processes of conducting
risk management planning, identification, analysis, response
planning, and monitoring and control on a project; most of these
processes are updated throughout the project.
The objectives of Project Risk Management are to increase the
probability and impact of positive events, and decrease the
probability and impact of events adverse to the project
IT Risk Management Frameworks
IT Project Risk
Identification Framework
IT Project Risk
Management Process
Risk management
suggests that a
systematic process
is needed to manage
effectively the risk of
a project
To help the project stakeholders identify & understand the nature and influence of various IT project risks
Steps Include:
Step 1: Risk Planning
Step 2: Risk Identification
Step 3: Risk Assessment
Step 4: Risk Strategies
Step 5: Risk Monitoring
and Control
Step 6: Risk Response
Step 7: Risk Evaluation
Project Risk Management Process
Includes:
Core: MOV (Measurable
Organizational Value)
Second Layer: Project
objectives (scope,
quality, schedule, and
budget)
Third Layer: Sources
(People/stakeholders
involved with project)
Fourth Layer:
Internal/External
Fifth Layer: Known
Risks, Known-Unknown
Risks, Unknown-
Unknown Risks
Outer Layer: Time
Element
Steps in Risk Planning Process
Step 1: Risk Planning
Begins with a firm commitment by all the project
stakeholders to a risk management approach. A
great deal of this commitment should be in
terms of commitments to following the
processes and to provide adequate resources
when responding to risk events.
Steps in Risk Planning Process
Step 2: Risk Identification
Should include identifying both threats and
opportunities. Since most risks are interrelated
and can affect the project in different ways, the
project stakeholders should take a broad view of
project risks
Steps in Risk Planning Process
Step 3: Risk Assessment
Once the project risks have been identified and their causes and effects understood, the next step requires that we analyze these risks. Answers to two basic questions are required: What is the likelihood of a particular risk occurring? What is the impact on the project if it does occur? Risk assessment provides a basis for understanding how to deal with project risks. To answer the two questions, qualitative and quantitative approaches can be used. Several tools and techniques for each approach will be introduced later. Assessing these risks helps the project manager and other stakeholders prioritize and formulate responses to those risks that provide the greatest threat or opportunity to the project. Because there is a cost associated with responding to a particular risk, risk management must function within the constraints of the project’s available resources.
Steps in Risk Planning Process
Step 4: Risk Strategies
Risk strategies define how the project
stakeholders will respond to risk.
Two Types of Risk Response
Strategies
Negative Risks/Threats
A project risk strategy will focus on one of the following for negative risks or threats:
(1) Accepting or ignoring the risk
(2) Avoiding the risk
(3) Mitigating or reducing the likelihood and/or impact of the risk (Either Reduce Likelihood OR Impact) OR [Both: Reduce likelihood & Reduce impact]
(4) Transferring the risk to someone else
Positive Risks/Opportunities
Approaches for positive risks or opportunities may include:
(1) Exploitation: Remove a troublesome resource from the project
(2) Sharing Ownership: Ask client to do some of the work
(3) Enhancement of the probability of the impact or probability of the positive events: Start negotiations earlier than planned to get a better price
Accept and take advantage: Assign contingency reserves
Avoid Risk
Avoidance is the risk control strategy that attempts to prevent the exploitation of the vulnerability.
Remove a work package or activity from the project
Eliminate cause of risk
Avoidance is accomplished through:
Application of policy
Application of training and education
Countering threats
Implementation of technical security controls and safeguards
https://www.youtube.com/watch?v=2Ky7udhRU00
Reducing Likelihood/Impact
Mitigation is the control approach that attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of vulnerability.
Provide training to a team member
Reduce probability or impact of risk
This approach includes three types of plans:
the disaster recovery plan (DRP),
incident response plan (IRP), and
business continuity plan (BCP).
Mitigation depends upon the ability to detect and respond to an attack as quickly as possible.
https://www.youtube.com/watch?v=LoEic9oaE9w
Transfer Risk
Have third party take on responsibility for the risk (Ex. Insurance)
Outsource a work package/project
Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations.
This may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or by implementing service contracts with providers.
https://www.youtube.com/watch?v=v9YiTIYO-2A
Accept/Ignore
Choosing to accept or ignore a particular risk is a more passive approach to risk response. The project stakeholders can either be hopeful that the risk will not occur or just not worry about it unless it does. This can make sense for risks that have a low probability of occurring or a low impact. However, reserves and contingency plans can be active approaches for risks that may have a low probability of occurring but with a high impact.
Notify management about a project increase
Contingency plans for risk
Management Reserves, Contingency Reserves, Contingency Plans
Management makes the final decision
Project manager decides within guidelines
Contingency plans – Ready-made "Plan B”
https://www.youtube.com/watch?v=H9CQscwXBt0
Summary of Positive and Negative
Risk Response Strategies
Risk Strategies Depend On:
The Nature Of The Risk: Is the risk really a threat or an opportunity?
Impact of the risk on MOV and Project Objectives: What is the probability and impact of a risk?
Project Constraints in terms of Scope, Schedule, Budget, and Quality: Can a response be made with existing resources and/or constraints?
Risk Tolerances or Preferences of the Project Stakeholders: How much risk is tolerable?
Steps in Risk Planning Process
Step 5: Risk Monitoring and Control
Once the salient project risks have been identified and appropriate responses formulated, the next step entails scanning the project environment so that both identified and unidentified threats and opportunities can be followed, much like a radar screen follows ships. Risk owners should monitor the various risk triggers so that well informed decisions and appropriate actions can take place.
Tools for monitoring and controlling project risk:
Risk Audits by external people,
Risk Reviews by internal team members, and
Risk Status meeting and reports
Steps in Risk Planning Process
Step 6: Risk Response
Risk monitoring and control provide a
mechanism for scanning the project
environment for risks, but the risk owner must
commit resources and take action once a risk
threat or opportunity is made known. This action
normally follows the planned risk strategy.
Steps in Risk Planning Process
Step 7: Risk Evaluation
Responses to risks and the experience gained provide keys to learning. A formal and documented evaluation of a risk episode provides the basis for lessons learned and lays the foundation for identifying best practices. This evaluation should consider the entire risk management process from planning through evaluation. It should focus on the following questions:
How did we do?
What can we do better next time?
What lessons did we learn?
What best practices can be incorporated in the risk management process?
The risk planning process is cyclical because the evaluation of the risk responses and the risk planning process can influence how an organization will plan, prepare, and commit to IT risk management