Risk and Risk Management. Risk and Risk Management. Martin Schedlbauer, Ph.D., CBAP, OCUP Version 1.1

Transcription

1 Risk and Risk Management Risk and Risk Management Martin Schedlbauer, Ph.D., CBAP, OCUP Version 1.1

2

3 Risk and Risk Management Copyright 2012 by Martin Schedlbauer ALL RIGHTS RESERVED. Printed in the United States of America IIBA, CBAP, CCBA, BABOK, and Business Analysis Body of Knowledge are registered trademarks of the International Institute of Business Analysis.

4

5 Table of Contents RISK ANALYSIS... 7 RATIONALE... 7 RISK STATEMENTS... 7 RISK TEAM MEMBERS... 8 TOLERANCE FOR UNCERTAINTY... 8 COMMON RISKS... 8 RISK ASSESSMENT PROCESS... 8 DOCUMENTING RISKS... 9 RISK CATALOG... 9 ASSESSING RISK PROBABILITY RISK IMPACT RISK SCORE RISK RESPONSE RISK MATRIX ACCOUNTING FOR RISK BABOK CROSS REFERENCE SUMMARY... 12

6

7 Risk Analysis Risk Analysis Upon completion of this chapter, you will be able to: Identify and manage areas of uncertainty that may impact a project. Assess risks and provide a plan to manage them. Quantitatively rank risks. Rationale The project manager and business analyst knows all too well that projects are risky business. At every turn there is a chance that something will cause the project to go off track and to perhaps even fail outright. The prudent analyst is always aware of the dangers that lurk in dark corners of the projects and brings those dangers to light for everyone to see. Once the analyst shines a light on these risks they can be proactively managed and perhaps even made to go away. Risk identification, analysis, management, and communication are key responsibilities of the business analyst and the project manager. At its core, risks are uncertain events that may adversely affect the likelihood of delivering business value or the probability of meeting cost and schedule targets. Any event that could jeopardize the return-on-investment (ROI) of a project must be documented and analyzed. Risks are cataloged and should be included in the business case for the project. For each risk, the business analyst must clearly specify the danger, the likelihood of occurrence, the likely consequences, and the strategy and cost for dealing with the risk. Risk Statements Risks are generally found when eliciting requirements and when assembling the justification for the project. They can be identified at any time during a project and by anyone stakeholders, business analysts, implementation team members, project manager, and third party vendors and consultants. When a risk has been identified it needs to be documented in a risk catalog maintained by the project manager. Each risk statement includes a condition followed by a consequence. For example: The consulting partner has a history of changing resources on the project, therefore additional learning time may be required. The stakeholders are not willing to be interviewed, therefore requirements may not be fully identified. Each risk is identified through a unique identifier, such as a number or combination of numbers and text. For example, K001 would be a useful risk identifier.

8 Risk Team Members Enlist an experienced project manager or ensure team members have a working knowledge of: Risk management principles and concepts Financial analysis and project projection models Business analysis structure, operations Organizational readiness for the change initiative Technical feasibility of the proposed solution both to build and maintain the technology The members of the risk team are relied upon to assess and analyze the risk and develop a risk management strategy. Tolerance for Uncertainty Risk tolerance reflects an organization s and stakeholder s attitude toward risk and the amount of risk an organization wants to take. Risk capacity is the amount of risk an organization needs to take to reach its goals. Some organizations are risk averse while other are willing to take risks to realize potentially large rewards. The tolerance for risk is an important consideration when recommending a strategy on how to deal with risks. Common Risks Among the most common risks particularly among information technology projects are: Uncertain/Creeping requirements Inadequate communication with stakeholders Software that meets requirements but fails to meet the true business need Inability for products to grow to meet future needs High maintenance costs and effort Friction between contractor and clients Disruption to operational continuity Risk Assessment Process Once a risk has been identified, it must be assessed. The risk assessment process is summarized in the chart below. 8

9 Risk Analysis FIGURE 1. RISK ASSESSMENT PROCESS Documenting Risks Risk Catalog The risk catalog is a matrix of identified risks along with relevant attributes that assist in the management of the risk. The risk catalog is continually updated and reviewed periodically. It also forms the basis of calculating risk reserves for the cost-benefit analysis. TABLE 1. RISK CATALOG Risk Attribute Description Unique Identifier A unique identifier for the risk, such as R001 or K001. Description Prior Probability Impact A narrative risk statement defining the condition and the consequence. The probability or likelihood of the risk occurring before any remediation is attempted. A quantification of the relative impact on the project should the risk materialize. Score Impact Prior Probability 10 Rank Response Owner Posterior Probability Cost of Response Cost of Impact The relative rank of the risk based on its score. Risks with high scores are addressed immediately. One of mitigation, avoidance, acceptance, or transfer. Person, group, department, or third party tasked with addressing the risk. The estimated likelihood of the risk occurring after a risk response has been applied. The cost of mitigating or avoiding the risk. There is no cost to acceptance, although there is a cost to the consequence. The cost to the project should the risk materialize.

10 Expected Cost Cost of Impact Posterior Probability Assessing Risk Probability The risk s prior probability is the likelihood of risk occurring before any attempt has been made to address the risk through mitigation or avoidance. The posterior probability is the likelihood that the risk might still occur after mitigation. The posterior probability is zero if the risk has been avoided. Probability thresholds help ensure consistent interpretation. These are subjective, but could be improved with a Delphi estimate. The table below summarizes the numeric risk probabilities. TABLE 2. RISK PROBABILITY Risk Impact The impact of the risk is a quantification of the effect that the risk would have on the project should it materialize. The table below provides guidelines for assessing impact. TABLE 3. RISK IMPACT Risk Score The risk score is the product of the risk s probability and its impact. 10

11 Risk Analysis The score is used to establish the relative ranking of risks so that severe risks can be addressed immediately. Risk Response There are four basic strategies for dealing with negative risks: Avoid: redefine the strategy so that the risk cannot occur Transfer: assign the consequence of the risk to a 3 rd party, e.g., insurance or contractual obligation Mitigate: find ways to reduce likelihood of occurrence or severity of impact Accept: deal with the consequence once the risk materializes Transfer is often difficult to implement, so project teams generally focus on avoidance, mitigation, or acceptance. Risk Matrix The risk matrix shows the risk scores and the associated risk level. Accounting for Risk For each risk calculate the expected risk impact cost which is the impact cost times the posterior probability. Then add all of these expected risk impact costs to arrive at the total expected risk impact cost for the initiative. This cost is then subtracted from the net benefit for the project. Alternatively, expected risks costs can also be added to the cost-benefit analysis as costs if the occurrence of the risk is time-bound, i.e., we can estimate during which time period the risk is likely to occur. If the risk can occur at different times periods (at different probabilities), the expected impact cost is accounted for as a cost in each time period. The probabilities for the risks across all time periods must add to 1.

12 BABOK Cross Reference This topic aligns with Section 9.24 of the BABOK Guide Version 2.0. Summary Risks are assessments of uncertain events that may impact a project Risks must be quantified through their risk score which is the product of the risk s probability and its impact Risks have an associated expected cost that must be accounted for in a costbenefit analysis concisely 12

13 BUSINESS ANALYSIS INFORMATION SYSTEMS DEVELOPMENT EDUCATION RESEARCH ANALYSIS