Risk management for ICT project management

Risk Management in International ICT Project Management

Table of Contents Introduction: ........................................................................................................................................... 2 Definition of risk and risk management: .................................................................................................. 3 Why risk management:............................................................................................................................ 4 Risk Management Process: ...................................................................................................................... 5 Risk Management Planning:................................................................................................................. 7 Risk Identification: ............................................................................................................................... 7 Tools and Techniques for Risk Identification: ................................................................................... 7 Qualitative Risk Analysis: ..................................................................................................................... 8 Tools and Techniques for Qualitative Risk Analysis:.......................................................................... 8 Quantitative Risk Analysis:................................................................................................................... 9 Tools and Techniques for Quantitative Risk Analysis: ....................................................................... 9 Risk Response Planning:..................................................................................................................... 10 Monitoring and Control: .................................................................................................................... 11 Issues that are not addressed in PMBOK:............................................................................................... 12 Building a risk-based organization:..................................................................................................... 12 Program and portfolio management: ................................................................................................. 12 Crisis and Crisis Contingency Plan: ......................................................................................................... 12 Case Study:............................................................................................................................................ 13 Analysis of the case study: ................................................................................................................. 14 Conclusion:............................................................................................................................................ 15 References and Bibliography ................................................................................................................. 16

1|Page16

Risk Management in International ICT Project Management

Introduction: Risk management in international ICT project management has a growing concern these days. It is a rapidly growing discipline and has varied description what it actually involves, how it should be conducted and what it is for. For this reason institutions like AIRMIC and IRM (2002) argue that some form of standard is needed to ensure, Terminology related to the words used is risk management or project management as in general. Process by which risk management can be carried out. Organization structure for risk management. Objective for risk management. On the other hand as world advances, many high cost high risk projects are beginning to start off. Astonishingly, most of the big projects are failing. One of the key reasons point out by Matta and Ashkenas (2005), Managers use project plans, timelines and budgets to reduce what we call “execution risk” - the risk that the designated activities won’t be carried out properly – but inevitably neglect these two other critical risks – the “White Space Risk” that some required activities won’t be identified in advance, leaving gaps in the project plan, and the “Integration Risk” that the disparate activities won’t come together at the end. There are also other problems associated with the ICT project risks. Often project managers do not have any risk cost estimation Staw and Ross (2005) and when the project cost grows way beyond budget, they do another mistake which is stated by Davis (2005), Project managers nevertheless attempt to solve the problem by making cuts. In general they rarely perceive hardware cuts such as equipment – as feasible. Rather, they see as the easiest areas to cut those with least obvious benefits – managerial and design overhead, process control software, quality assurance programs and test procedures. Ironically, these are the very areas whose costs are often underestimated in the first place. So we can clearly understand that successful risk management in ICT project has both direct and indirect influence over the project outcome. It is for this reason risk management now is a very important factor in project management. In this paper first I will try to provide an acceptable definition of risk in ICT project management. Then I will give a very brief description of the risk management process proposed by Project Management Body of Knowledge (PMBOK). I will then go on to provide a definition of crisis management, give an analysis of a case study of a project risk management.

2|Page16

Risk Management in International ICT Project Management

Definition of risk and risk management: Every one of us takes risks in daily basis. I car might crash into us while we are walking down the street. This is not something that always happens. But there is always a probability of happening such things. Same is true for any project as well. Risks are events in any projects that are not always occur but there are chances that those events come into effect. Project managers always make project plan, keeping those events in mind. Not only that, being a project manager you also have to have a contingency plan if the risk might occur and for that you have to allocate adequate money and the resources. It is therefore a trade off between actual project and the contingency planning in terms of money, resource and time a project manager is allowed to spend. That’s why risk identification and according management of the risks are crucial factors of project management. Let me present two definition of risk,

1. Risk is an event that may occur and when it does it will threaten the successful delivery of the project. Barker (2007) 2. Risk is any uncertainty in the project plan that you can potentially control or at least track. Barkley (2004). So if we combine the two definitions we get following feature of risk in projects. A risk is, An uncertainty in project. When it occurs, it threatens the successful delivery of the project in terms of money and time. It can be potentially controlled or at least track. Risk management is a central part of any organization’s strategic management. It is the process whereby organizations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all projects. The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organization. It marshals the understanding of the potential upside and downside of all those factors which can affect the organization. It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organization’s overall objectives. Let us take look at two definitions, 1. Risk management is an approach to anticipating and dealing with events that can cause significant deviation from the project plan. On another level, risk management helps you pin point your plan’s weaknesses and gives a useful insight to your project’s health. Barker and Cole (2007). 2. A successful risk management process is one in which risks are continuously identified and analyzed for relative importance. Risks are mitigated, tracked and controlled to effectively use program resources. Problems are prevented before they occur and personnel consciously focus on what could affect product quality and schedules. (Software Engineering Institute, 2003 cited in Barkley, 2004)

3|Page16

Risk Management in International ICT Project Management Risk like most of the elements of the other planning processes, changes as the project progresses, and should be monitored throughout the project. As you get close to a risk event, it the time to reassess you original assumptions about the risk and your plans to deal with the risk and to make any adjustments if the risk required it.

Why risk management: Big projects fail at an astonishing rate - more than half the time. It’s not hard to understand why. Complicated projects are customarily developed a series of teams working along parallel tracks. If manager fail to anticipate everything might fall through cracks. Matta and Askkenas (2005). There are many examples of projects which encounter drastic failure because they did not have risk identified prior to the occurrence. We have to keep in mind that project management is after all a practice. It is a continuous, practical way of learning knowledge. Usually the project managers want to replicate the best practices of the previous projects, on to the existing projects they are involved in. If the baseline projects had any bad practices that went undetected, the project managers often tend to replicate the same mistakes in similar projects. It can happen in the case of identifying risks as well. If a risk actually occurred in a project and somehow went undetected, then there is a string possibility of the risk to be repeated in similar projects later on. According to Barrow (2007) there are four reasons why risk should be managed. 1. To minimize delays. Project delivery time is very crucial to the stakeholders of the project. If the potential risks are identified before the outset of the project and appropriate mitigation plan is taken when they occur, the project results in fewer delays. And the knowledge earned mitigating the risk can be stored and used in later projects and studies. 2. To reduce cost. When a potential risk occurs then arranging resource to manage the risk become very much time and cost consuming. And one of the toughest parts of project management is managing human resource effectively. Let us take an example, while working in task A the project team faces a risk. Because the mitigation plan was not well managed, the project manager calls in Team member X to come and solve the problem. But at that moment team member X was busy working in task B and further more this task depends upon the result or outcome of task A. We can easily understand 4|Page16

Risk Management in International ICT Project Management then the whole project is in dead lock situation. And while team member X is busy doing the task B, actually he is doing nothing but sitting idle. And the as he does not do anything in incurs cost for the project.

3. To improve ROI What happens when projects come in late, over budget or fail entirely? Well the simple answer is this a project's financial return can be slashed when it delivers late, over budget, or a combination of both, while a project that is abandoned before completion costs the company not just the money invested in the project, but also reputation owned by the company achieved by great hardship. Risk management provides the means by which companies can ensure a return on investment. Avoiding late delivery means that projects start repaying their investment earlier. Avoiding cost overruns means that profits margins are preserved. Avoiding de-scoping means the full business benefits are achieved as expected. Furthermore allocated budgets for the risk which has not occurred, can be used elsewhere which also helps in a way to increase profit.

4. To increase the number of opportunity. There is a common proverb in project management. That is, “In a perfect world there is no need of managers.” The extent of how well the project is planned for risk and change management, actually determines how much a project manager needs to work when the project is on the go. When all the risk are effectively indentified and successfully mitigated, then as a project manager a person may find out that he/she has a lot of time left when project is running. On that spare time the project manager can concentrate on other opportunities which can enhance the output of the project furthermore.

Risk Management Process: The figure on the next page shows the steps for risk management in a project according to the PMBOK 2003 cited from Barkley (2004).

5|Page16

Risk Management in International ICT Project Management

Inputs 1. Risk management plan.

Risk Management Planning

1. Organization’s policies 2. Role of the resources 3. WBS

1. Risk management plan. 2. Risk categories. 3. Historical information.

Risk Identification

1.Risks. 2. Triggers.

1. Risk management plan. 2. Identified risks. 3. Project status and type. 4. Scales of probability and impact. 5. Assumptions.

1. Risk management plan. 2. Identified risks. 3. Expert judgement.

Qualitative Risk Analysis

Quantitative Risk Analysis

1.Risk ranking. 2. List of prioritized risk. 3. Trends in qualitative risk analysis results.

1.Risk response plan. 2. inputs to revised project plans.

Desired Outputs 6|Page16

1. Risk management plan. 2. Identified risks. 3. List of quantified risk. 4. Probabilistic analysis of the risk standings of the project. 5. Risk threshold. 6. Common trends on risk,

1. Risk management plan. 2. Risk response plan. 3. Change of the project scope

Risk Response Planning

Risk Monitoring and Control

1.Risk response plan. 2. inputs to revised project plans.

1. Workaround plan. 2. Corrective action. 3. Project change request. 4. Update to risk response plan. 5. Risk database.. 6. Updates to risk identification checklists.

Risk Management in International ICT Project Management Different project management body has defined these steps in different ways. Some renowned authors like Barker and Cole (2007) does not believe that phases such as risk management planning exist in risk management planning. However, guidelines set by Project Management Body of Knowledge is more acclaimed and taken as standards by many project managers. Bellow more elaborate explanation of risk management process taken from PMBOK.

Risk Management Planning: According to Heldman (2005) risk management planning is defined, Risk management planning details how risk management processes will be implemented, monitored and controlled throughout the life of the project. According to PMBOK there is only one technique is of the risk planning process. And that is meeting among the stakeholders of the project. In these risk management planning meetings, the fundamental plan for the risk management activities will be discussed and documented. The key outcomes of these meetings are as follows, 1. 2. 3. 4. 5.

Risk cost elements are developed for inclusion in project budget. Schedule activities are developed for inclusion in project schedule. Ownership for the risks is assigned. Templates for the risk categories are defined and modified for this project. Definitions of terms (i.e probability, impact, risk type, risk levels) are developed and documented. 6. Probability impact matrix is defined and modified according to the project need.

Risk Identification: Risk management process involves all the activities to identify the risks that might have an impact on the project and documenting them. Risk management is an iterative process. As the project progresses, new risks that have not been thought about can appear. Those risks are also documented as the documentation will come in handy in same kind projects later on.

Tools and Techniques for Risk Identification: There are number of tools and techniques available for identifying risk, a brief description of those techniques are provided as follows, Documentation review: This technique involves going through historical data, assumptions, project plans and project’s outcome. After having a clear idea of these factors project managers try to figure out what might appear as a risk in project management.

7|Page16

Risk Management in International ICT Project Management Information gathering: Information gathering is probably the most common risk identification technique. It requires project’s stakeholders to arrange a meeting and from the primary data the group of people comes up with the list of risk. Check list analysis: Check lists are usually developed based on historical data of the similar projects. If the same projects are done again and again then the project managers slowly build a list of risks. And when the list becomes comprehensive then the list is being changed into check list and the impact and monitoring techniques are then accordingly designed. Assumption analysis: Assumptions analysis is a process of validating assumptions that are made previously and then documenting the risks as the project progresses. Diagramming technique: Diagramming technique is also common risk identification process in project risk management. Three types of diagram are used in diagramming technique, a. Fish-bone diagram – To show the cause and effect of risk. b. Process flow chart – To show the cause and impact process of the risk. c. Influence diagram – Casual representation of project variable.

Qualitative Risk Analysis: The qualitative risk analysis is the process where the impact of the risk over the project is identified. It also states what the probability of that risk is to occur. It ranks the risks according to priority. It is the first step towards the quantitative analysis of the risk.

Tools and Techniques for Qualitative Risk Analysis: Qualitative risk analysis include the following tools and techniques, Probability and impact assessment: This techniques helps to determine how much is the probability of the risk to occur and also how much the risk is going to cost in terms of time and money. This part of the risk management depends highly on expert judgement. A veteran project manager is needed to accomplish this part efficiently. Probability and impact matrix: Once the probability of the risk is identified and impact of the risk is being assessed, it is time for making the probability and risk matrix. Once done, this matrix can make the project manager 8|Page16

Risk Management in International ICT Project Management understand on which risk they should concentrate most. The figure bellow is a sample probability and impact matrix created with the help of Elyse (2007) and PMBOK (2000), Probability .80 Risk 1 .60 .40 .20 Risk 7 .05 Impact

Risk 12 Risk 2 Risk 8 Risk 13 .20

Risk 9 Risk 3 .40

Risk 14 Risk 10

Risk 6 Risk 5, Risk 11

Risk 4 .60

.80

Data quality assessment: Data quality assessment involves determining the usefulness of data gathered to evaluate. Most importantly the data should be unbiased. This process work as back checking of the list of risks that are in hand. Risks urgency assessment: Based on the risk probability and impact matrix risk are organized in order of priority in this phase. By the end of this process the project managers can understand which risk they need to look upon first.

Quantitative Risk Analysis: The quantitative risk analysis process evaluates the impacts of the risks prioritized during the qualitative risk analysis process and quantifies risk exposure to the project by assigning numeric probability for each risks and their impact on the project objective.

Tools and Techniques for Quantitative Risk Analysis: Sensitivity Analysis: Sensitivity analysis is a quantitative approach to analyze potential risk event on the project and determining which risk event has greatest potential for impact by examining all the uncertain elements at their baseline value. Expected Monitory Value Analysis: Expected Monitory Value (EMV) Analysis is a statistical technique that calculates average, anticipated impact of the decision. EMV is calculated by multiplying the probability of the risk times its impact and then adding them together. Decision Tree Analysis:

9|Page16

Risk Management in International ICT Project Management The decision tree is a process of determining an outcome in a logical way. There is no black and white definition for decision tree analysis. The figure bellow shows a sample decision tree using EM vans one of its inputs.

Good Outcome Probability .6

£4200

Choice X EMV = £7000 Poor Outcome Probability .4

£2000

Decision start

Choice Y EMV = £6000

Good Outcome Probability .8

Poor Outcome Probability .2

£4000

£1000

Risk Response Planning: Risk response planning is a process which determines which actions to take while risk poses a threat to the project. It also involves the planning to optimize the opportunities that a risk might develop into. There are no set tools and technique for risk response planning but there are number of strategies which can come in handy,

a. Strategies for negative risks: There can be three strategies which can be taken on, o Avoid the risks with appropriate masers. o Transfer or outsource the risk to a person or organization other than the one inside project. o Mitigate the risks is hand. b. Strategies for positive risks or opportunity. 10 | P a g e 1 6

Risk Management in International ICT Project Management There can be also three strategies taken for the risks which have positive impact on the project. o Exploit the opportunity posed by the risk. o Share the risk among different parts of the project. o Enhance the impact of the opportunity. c. Strategies for both threats and opportunity. In this strategy, project managers usually accept the consequences of a risk. Sometime this is also called passive acceptance since the project managers does nothing regarding the risk in hand. d. Contingence response planning. In the contingency planning project managers creates some tasks which will be regarded as alternative of the actual plan. The contingency tasks are managed in a way that when the risk triggers, the contingency tasks starts automatically. And when it does all the procedures are properly documented. Some author like Wiegers (2007) believe that the contingency planning or mitigation planning should be included in the probability-impact matrix. He also gives the structure of the new matrix. The structure is as follows, ID

Description

P

L

E

First Indicator

Mitigation/conting ency Approach

Owner

Date Due

1

2

Monitoring and Control: Monitoring and control is the last phase of the project risk management. According to Barker and Cole (2007), monitoring and control or review is not a something that is done only in the start of the project. It is something that has to be done every single day of the projects existence. Monitoring and control is basically something which involves rechecking the risk log, and project charter and objectives and finding out if already defined risks are managed efficiently or not. And whether there is a chance for a potential risk to turn up.

11 | P a g e 1 6

Risk Management in International ICT Project Management

Issues that are not addressed in PMBOK: According to Barkley (2004) some issues are not addressed in PMBOK’s risk management process but worth gaining full understanding by the project managers. Project managers actually do all the procedures but PMBOK does not concentrate upon the issues. Most important two issues are

Building a risk-based organization: Building an organization which always protects itself from risks through good organization planning requires strong leadership. PMBOK ignores this human factor of the risk management.

Program and portfolio management: The risks management process proposed by PMBOK is very good for the single projects. But it fails to describe the managers’ role when they come to manage a group of projects called programs or even a group of program called portfolio.

Crisis and Crisis Contingency Plan: Many authors like Lock (2003) believe that crisis is a state of project where/when many identified or unidentified risks trigger in very short span of time. Lock also argues that in this period there should be special crisis contingency plan made. He also outlines the steps necessary for what he called crisis contingency plan. These steps are discussed in the following points, a. The first and the foremost step is estimating probability of crisis in an ICT project. It will help the project planners to estimate how much budget and effort are needed to be allocated for the crisis. b. Secondly, a crisis contingency management team should be created. A team who will take charge during the crisis. These people will constitute a sleeping organization, ready to be awake at the moment’s notice. These people have to be very hard working, devoted to organization, self motivated and last but not the least very good, veteran project managers. c. Once the people is selected for the action committee for the crisis management, they must meet in a focus group meeting to make a contingency plan for the crisis. They also need to sit in short intervals to keep the plan up to date and evaluate the trigger condition of the project, if any. Lock’s outline crisis contingency management in my point of view lacks one key thing. To my point of view, there should be provision for small pilot testing for the crisis. Then the steering committee will know the effectiveness of the crisis contingency plan they have created.

12 | P a g e 1 6

Risk Management in International ICT Project Management

Case Study: SCOPING DIGITAL REPOSITORIES SERVICES FOR RESEARCH DATA MANAGEMENT 1. Background The Federated Digital Repository at the University of Oxford An increasing amount of digital materials are being produced on a daily basis by researchers at the University of Oxford. These materials include journal articles, theses, images and datasets. The University has the responsibility for providing services to store, curate, disseminate and preserve outputs from research activities. . These services are increasingly made available at Oxford through digital repositories. There are also digital materials produced outside of the University, that are nonetheless required within Oxford for research purposes, and that are efficiently managed through repositories. This observation, together with strategic decisions such as the cessation of funding for the Arts and Humanities Data Service (AHDS), are compelling reasons for institutions to take responsibility for the curation and preservation of their own research data. Aims and Objectives: The project’s overall aim is to scope the requirements, including for the underlying infrastructure and interoperability, for digital repositories services to store, curate, disseminate and preserve research data generated at Oxford.

Objectives: Capture document researchers’ requirements for digital repository services to handle research data. Participate actively in the development of an interoperability framework for the federated digital repository at Oxford. Make recommendations to improve and coordinate the provision of digital repository services for research data. Initiate and develop collaborations with the different repository activities already occurring to ensure that communication takes place in between them. Raise awareness at Oxford of the importance and advantages of the active management of research data. Communicate significant national and international developments in repositories to relevant Oxford stakeholders, in order to stimulate the adoption of best practices.

13 | P a g e 1 6

Risk Management in International ICT Project Management

Risk

Probability Severity Score Action to mitigate risk (1-5) (1-5) =pXs

Staffing Loss of key stuff before the end of the project

2

Organizational Difficulties in arranging 2 interviews with relevant members of research community Delays in achieving task 2 for project plan

Technical Problems is agreeing 3 and identifying valid standards for the interoperability plan

4

8

Ensure the project is embedded in institutional practices by spreading the practices to number of individual. Ensure that planning for sustainability begins early.

4

8

3

6

The engagement of OeRC, OUCS and OULS in project offers wide set of contacts in academic divisions and expertise in undertaking the requirements gathering exercise. Tasks will be prioritized and in the case of delays, project plan will be reprofiled to focus the highest priority activities.

2

6

Establishing the membership of Digital Repositories Standards Working Group and close collaboration with technical stuff from existing repository both inside and outside Oxford *Taken from Uribe (2008)

Analysis of the case study: The project is still on the run. Therefore, it is really hard to predict whether the risks in the project have been managed efficiently or not. However some of the key points on the project are as follows,

All the risks are very high level. There is no breakdown of the risk steps. The document also fails to show the source of the risk. Though probability and impact has been determined but there is no cost estimate for the impact. For this reason I think there is no use of the column Score. There is no trigger condition defined for the risk. Though mitigation plan is well defined but there is no cost there is no cost estimate involved for

14 | P a g e 1 6

Risk Management in International ICT Project Management

Conclusion: As Walewski and Gibson (2003) have rightly pointed out the fact like many others, Risk analysis and management is most effective when deployed early. A properly structured risk identification, analysis, and mitigation process can moderate the risks associated with international construction projects. An organisation’s risk management policy should set out its approach and appetite for risk and its approach to risk management. The policy should also set out responsibilities for risk management throughout the organisation. Furthermore, it should refer to any legal requirements for policy statements. Different stake-holding body for the project play important role in successful management of risk in organization. Bodies like project management unit and different business units when proactive can do a great deal to identify risk and propose a mitigation plan. Project managers today has to accept the fact that risk assessment and management is not a substitute for adequate pre-project planning, project controls, or other management and technical requirements. The most effective risk management process is coordinated with all aspects of project development and management. Project managers have to become more dynamic in terms of project management. They have to have some idea about project portfolio management and program management. Because small negligible risk in the project if not managed can cost very big deal in the program. Project risk management is still a practice in present world. There is no set rule for the risk management yet. Often organization manages their own risk in their own set way. And when there is a change in the business rule or the project itself, it becomes really tough for the project managers track the previous risk of the project. For this reason I believe there should be set standards for project risk management as it is there for project management itself. Institutions like PMI, RMI and AIRMIC should come forward to address the problem.

15 | P a g e 1 6

Risk Management in International ICT Project Management

References and Bibliography AIRMIC, IRM and ALARM, (2002) Risk Management www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf 07/04/08)

Standard. (accessed

Barker, Stephen and Cole, Rob (2007) Brilliant project management: What the best project managers know, say and do. Pearson Prentice Hall. Barkley, Bruce T. (2004) Project Risk Management. McGraw-Hill. Barrow, Bryan (2007) Four Reasons to Use Project Risk http://www.bcs.org/server.php?show=ConWebDoc.16427 (Accessed 04/04/08)

Management.

Davis, David (2005) ‘Beware of False Economics’ in Harvard Business Review on Managing Projects 2005. Harvard Business School Publishing Corporation. Elyse (2007) Qualitative Risk Analysis. http://www.anticlue.net/archives/000817.htm (accessed 04-0408) Heldman, Kim (2005) Project Management Professional Study Guide. Wiley Publishing, Inc. Lock, Dennins (2003) Project Management. Gower 8th Edition. Matta, Nadim F and Ashkenas, Ronald N. (2005) ‘Why Good Projects Fail Anyway’ in Harvard Business Review on Managing Projects 2005. Harvard Business School Publishing Corporation. PMBOK (2000) The New PMBOK Risk Management http://facweb.cs.depaul.edu/yele/Course/IS372/IS372w3-2.ppt (accessed 05/04/08)

Concept.

Staw, Barry M. and Ross, Jerry (2005) ‘Knowing When to Pull the Plug’ in Harvard Business Review on Managing Projects 2005. Harvard Business School Publishing Corporation. Uribe, Luis Martinez (2008) SCOPING DIGITAL REPOSITORIES SERVICES FOR RESEARCH DATA MANAGEMENT. 27th February, 2008. University of Oxford. WALEWSKI, JOHN and GIBSON, G. EDWARD, JR. (2003) ‘International Project Risk Assessment: Methods, Procedures, and Critical Factors’ in Center Construction Industry Studies September 2003. The University of Texas Austin. Wiegers, Karl E. (2007) Practical Project Initiation: A Handbook with Tools. Microsoft Press.

16 | P a g e 1 6