22 22 project risk analysis and management

Upload: tonynj

Post on 04-Apr-2018

  • 7/29/2019 22 22 Project Risk Analysis and Management

    1/24

    Risk Analysis in IT Projects

    What Is Project Risk Analysis And Management?

    Project Risk Analysis and Management is a process which enables the analysis and management of the risks associated with a project. Properly undertaken, it will increase the likelihood of successful completion of a project to cost, time and performance objectives.

    Objectives

    The objective of performing risk management is to enable the organization to accomplish its missions:

    (1) by better securing the IT systems that store, process, or transmit organizational information;

    (2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget;

    (3) by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.

    The Importance of Project Risk Management

    Project risk management is the art and science of identifying, analyzing, and responding to risk throughout the life of a project and in the best interests of meeting project objectives.

    Risk management is often overlooked in projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimates.

    Integration of Risk Management into the SDLC

    Phase 1: Initiation

    Phase characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is documented.

    Support from risk management activities: Identified risks are used to support the development of the system requirements.

    Phase 2: Development or Acquisition

    Phase characteristics: The IT system is designed, purchased, programmed, developed, or otherwise constructed.

    Support from risk management activities: The risks identified during this phase can be used to support the security analyses of the IT system.

    Phase 3: Implementation

    Phase characteristics: The system security features should be configured, enabled, tested, and verified.

    Support from risk management activities: The risk management process supports the assessment of the system implementation against its requirements.

    Phase 4: Operation or Maintenance

    Phase characteristics: The system performs its functions.

    Support from risk management activities: Risk management activities are performed for periodic system reauthorization.

    Phase 5: Disposal

    Phase characteristics: This phase may involve the disposition of information, hardware, and software.

    Support from risk management activities: Risk management activities are performed for system components.

    Project Risk Management Processes

    Risk identification: determining which risks are likely to affect a project and documenting the characteristics of each.

    Risk analysis: prioritizing risks based on their probability and impact of occurrence.

    Risk planning: taking steps to enhance opportunities and reduce threats to meeting project objectives.

    Risk monitoring and control: monitoring identified and residual risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies throughout the life of the project.

    Risk Breakdown Structure

    A risk breakdown structure is a hierarchy of potential risk categories for a project.

    Similar to a work breakdown structure but used to identify and categorize risks.

    Risk Identification

    Risk identification is the process of understanding what potential events might hurt or enhance a particular project.

    Risk identification tools and techniques include:

    Brainstorming

    The Delphi Technique

    Interviewing

    SWOT analysis

    Risk Assessment Methodology Flowchart

    Qualitative Risk Analysis

    Assess the likelihood and impact of identified risks to determine their magnitude and priority.

    Risk quantification tools and techniques include:

    Risk-Level matrixes

    Risk-Level Matrix

    A Risk-Level matrix or chart lists the relative probability of a risk occurring on one side of a matrix or axis on a chart and the relative impact of the risk occurring on the other.

    Risk Scale and Necessary Actions

    Quantitative Risk Analysis

    A Qualitative Analysis allows the main risk sources or factors to be identified.

    It enables the impacts of the risks to be quantified against the three basic project success criteria: cost, time and performance.

    Quantitative Techniques

    Sensitivity Analysis simply determines the effect on the whole project of changing one of its risk variables, such as delays in design or the cost of materials.

    Probabilistic Analysis specifies a probability distribution for each risk and then considers the effect of risks in combination. This is perhaps the most common method of performing a quantitative risk analysis.

    Influence Diagrams are a relatively new technique for risk analysis. They provide a powerful means of constructing models of the issues in a project which are subject to risk.

    Decision Trees are another graphical method of structuring models. They bring together the information needed to make project decisions and show the present possible courses of action and all future possible outcomes.
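    Added example (not part of the original slides): Sensitivity Analysis and Probabilistic Analysis, as described above, run on a small project cost model. The risk register, base cost, triangular impact distributions and function names are all assumptions constructed for illustration.

```python
import random

# Constructed risk register (assumed values, not from the slides):
# name -> (probability the risk occurs, (min, most likely, max) cost impact)
RISKS = {
    "design delay": (0.30, (10_000, 25_000, 60_000)),
    "materials cost": (0.50, (5_000, 12_000, 30_000)),
    "key staff leave": (0.10, (20_000, 40_000, 90_000)),
}
BASE_COST = 200_000  # assumed project cost with no risk occurring


def expected_cost(risks, base=BASE_COST):
    """Base cost plus the probability-weighted mean impact of each risk."""
    # The mean of a triangular distribution is (min + mode + max) / 3.
    return base + sum(p * (lo + mode + hi) / 3
                      for p, (lo, mode, hi) in risks.values())


def sensitivity(risks, bump=0.10):
    """Sensitivity analysis: raise one risk's probability at a time and
    report the change in expected project cost, largest effect first."""
    baseline = expected_cost(risks)
    effect = {}
    for name, (p, impact) in risks.items():
        changed = dict(risks)
        changed[name] = (min(1.0, p + bump), impact)
        effect[name] = expected_cost(changed) - baseline
    return dict(sorted(effect.items(), key=lambda kv: kv[1], reverse=True))


def simulate(risks, runs=20_000, seed=1, base=BASE_COST):
    """Probabilistic analysis: sample every risk in each run so their
    combined effect on total cost is captured as a distribution."""
    rng = random.Random(seed)  # fixed seed keeps the result repeatable
    totals = []
    for _ in range(runs):
        cost = base
        for p, (lo, mode, hi) in risks.values():
            if rng.random() < p:
                cost += rng.triangular(lo, hi, mode)
        totals.append(cost)
    totals.sort()
    return {"mean": sum(totals) / runs, "p50": totals[runs // 2],
            "p90": totals[int(runs * 0.9)], "max": totals[-1]}


if __name__ == "__main__":
    print(sensitivity(RISKS))
    print(simulate(RISKS))
```

    The sensitivity ranking shows which single variable moves the estimate most, while the simulated percentiles show the spread that a single expected-value figure hides.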

    Risk Mitigation

    Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.

    Risk mitigation can be achieved through any of the following risk mitigation options:

    Risk Assumption

    Risk Avoidance

    Risk Limitation

    Research and Acknowledgment

    Risk Transference

    Risk Mitigation Strategy

    Risk Monitoring and Control

    In most organizations, the components change, and software applications are replaced or updated with newer versions. In addition, personnel changes will occur and security policies are likely to change over time.

    These changes mean that new risks will surface and risks previously mitigated may again become a concern. Thus, there is a need for an ongoing risk evaluation and assessment.

    In implementing recommended controls to mitigate risk, an organization should consider technical, management, and operational security controls to maximize the effectiveness of controls for their IT systems and organization.

    Risk Analysis Using an Enhanced FMEA Technique: The TCS Way

    Failure Mode and Effects Analysis (FMEA) is a structured, proactive technique to identify the ways in which a product or process can fail and to prevent such failure.

    It is a systematic technique to analyze potential failure modes and assist in mitigating them.

    It systematically anticipates and studies the cause and effect of failure.

    TCS Risk Management Circle

    FMEA: The Driver Model

    The power of FMEA is four-fold. Firstly, all FMEA artifacts are dynamic, living documents. Continuous improvement and risk level reduction drive FMEA.

    Next, the technique identifies high-priority, vital few risks because, in real life, not all problems are equally important.

    Thirdly, FMEA is customer-oriented, although a customer representative may not be an end-user.

    Fourthly, FMEA offers audit trails, i.e. a well-documented record of improvements arising out of corrective action implemented.

    In sum, FMEA gives one a mechanism to document and monitor all data elements required to meet business drivers.
