Chapter 8 - Managing Project Risk Flashcards
What leads to uncertainty in an IT project?
The fact that we must estimate implies a degree
of uncertainty in predicting the outcome of future events.
How does a project risk management approach provide an early warning signal for impending problems or
issues?
Project risk management includes the processes of conducting risk management
planning, identification, analysis, response planning, and monitoring and control
on a project; most of these processes are updated throughout the project. The
objectives of Project Risk Management are to increase the probability and
impact of positive events, and decrease the probability and impact of events
adverse to the project
What is meant by crisis management? And why do many organizations find themselves in this mode?
A state of perpetual crisis characterized by an inability to make effective and
timely decisions. Many people call this approach crisis management or fire fighting because the
project stakeholders take a reactive approach or only address the project risks after they have
become problems. Too often plans are disregarded at the first sign of trouble, and instinctive reactions to situations can
lead to perpetual crisis management
Describe some of the common mistakes in project risk management.
- Not understanding the benefits of risk management (may optimistically ignore risks or be pressured into risk taking by sponsor)
- Not providing adequate time for risk management (not planning ahead; risk management should be more than an add-on)
- Not identifying and assessing risk using a standardized approach (waste of time and cost by not having a set way to identify and evaluate risks)
- Commitment by all stakeholders (allow impulses to override risk management procedures)
- Stakeholder responsibility (each risk should have a clear owner)
- Different risks for different types of projects (not all risks can be dealt with in the same manner)
Briefly describe what is required for effective and successful project risk management.
■ Plan Risk Management—Determining how to approach and plan the project risk management
activities. An output of this process is the development of a risk management
plan.
■ Identify Risks—Deciding which risks can impact the project. Risk identification generally
includes many of the project stakeholders and requires an understanding of the project’s
goal, as well as the project’s scope, schedule, budget, and quality objectives.
■ Perform Qualitative Risk Analysis—Focusing on a qualitative analysis concerning the
impact and likelihood of the risks that were identified.
■ Perform Quantitative Risk Analysis—Using a quantitative approach for developing a
probabilistic model for understanding and responding to the risks identified.
■ Plan Risk Responses—Developing procedures and techniques to reduce the threats of
risks, while enhancing the likelihood of opportunities.
■ Monitor and Control Risks—Providing an early warning system to monitor identified
risks and any new risks. This system ensures that risk responses have been implemented
as planned and had the effect as intended.
What is project risk?
An uncertain event or condition that, if it occurs, has a positive or negative
effect on the project objectives
What is project risk management?
Project risk management includes the processes of conducting risk management
planning, identification, analysis, response planning, and monitoring and control
on a project; most of these processes are updated throughout the project. The
objectives of Project Risk Management are to increase the probability and
impact of positive events, and decrease the probability and impact of events
adverse to the project
Why can identifying IT project risks be difficult?
Many risks can affect a project in different ways and during different phases of the project
life cycle. Therefore, the process and techniques used to identify risks must include a broad
view of the project and attempt to understand a particular risk’s cause and impact among the
various project components.
What is a “known” risk? Give an example of one.
Known risks are events that are going to occur. In short, these events are like death and
taxes—they will happen and there is no uncertainty about it.
What is a “known-unknown” risk? Give an example of one.
Known-unknowns are of identifiable uncertainty. For example, if you own a home or rent an
apartment, you know that you will receive a bill next month for the utilities you use. Although you know the past amount for these bills, the precise amount you will owe the utility company
will be unknown until you receive the actual bill.
What is an “unknown-unknown” risk? Give an example of one.
Unknown-unknown risks are residual
risks and reflect what we don’t know. Unknown-unknown risks are really just a way to remind us that there may be a few risks remaining even after we think we have identified them all. In general, these are the
risks that we identify after they have occurred.
What is the difference between an internal and external risk? Give an example of each.
In short, a project manager will (or should) have control over internal
risks, but not external risks. That distinction does not mean the project manager can ignore
external risks. These risks can have a significant impact on the project, as well as the project
manager’s employment!
Describe some of the tools and techniques that can be used to identify IT project risks.
Learning cycles—The concept of learning cycles was introduced in Chapter 4. The
project team and stakeholders can use this technique, whereby they identify facts
Brainstorming—Brainstorming is a less structured activity than learning cycles. Here
the team could use the IT risk framework and the WBS to identify risks
Nominal group technique (NGT)—The NGT is a structured technique for identifying
risks that attempts to balance and increase participation.
a. Each individual silently writes her or his ideas on a piece of paper.
b. Each idea is then written on a board or flip chart one at a time in a round-robin
fashion until each individual has listed all of his or her ideas.
c. The group then discusses and clarifies each of the ideas.
d. Each individual then silently ranks and prioritizes the ideas.
e. The group then discusses the rankings and priorities of the ideas.
f. Each individual ranks and prioritizes the ideas again.
g. The rankings and prioritizations are then summarized for the group.
Delphi technique—If the time and resources are available, a group of experts can be
assembled—without ever having to meet face to face. Using the Delphi technique, a
group of experts are asked to identify potential risks or discuss the impact of a particular
risk.
Interviewing—Another useful technique for identifying
and understanding the nature of IT project
risks is to interview various project stakeholders.
This technique can prove useful for determining
alternative points of view;
Checklists—Checklists provide a structured tool
for identifying risks that have occurred in the past.
They allow the current project team to learn from
past mistakes or to identify risks that are known to
a particular organization or industry.
SWOT analysis—SWOT stands for Strengths,
Weaknesses, Opportunities, and Threats. Brainstorming,
NGT, or the Delphi technique could be used to
identify and understand the nature of IT project risks
by categorizing risks using the framework illustrated
Cause-and-effect diagrams—analyze the causes of poor quality. The diagram can also be
used for understanding the causes or factors of a
particular risk, as well as its effects.
Past projects—One of the themes in this text has been the integration of knowledge
management to support the project management processes. Lessons learned from past
projects can provide insight and best practices for identifying and understanding the
nature of IT project risks.
What is the purpose of risk analysis and assessment?
The purpose of risk analysis is to determine each identified risk’s probability and
impact on the project. Risk assessment, on the other hand, focuses on prioritizing risks so that
an effective risk strategy can be formulated.
What is the difference between qualitative and quantitative risk analysis?
Qualitative risk analysis focuses on a subjective analysis of risks based upon a project stakeholder’s
experience or judgment. Quantitative approaches to project risk analysis include
mathematical or statistical techniques that allow us to
model a particular risk situation.