Project Risk Management

PM 0016

Name: Aju K Panicker Roll number: 530911171 Learning centre: 2542 Assignment No.: Set 1 Date of submission at learning centre: 10/ 07/2011

Q.1

Describe the five phases of risk management process

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary. Several risk management standards have been developed including the Project Management Institute, the National Institute of Science and Technology, actuarial societies, and ISO standards. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety. The strategies to manage risk include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Certain aspects of many of the risk management standards have come under criticism for having no measurable improvement on risk even though the confidence in estimates and decisions increase. In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled. Intangible risk management identifies a new type of a risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient knowledge is applied to a situation, a knowledge risk materializes. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity. Risk management also faces difficulties in allocating resources. This is the idea of opportunity cost. Resources spent on risk management could have been

spent on more profitable activities. Again, ideal risk management minimizes spending and minimizes the negative effects of risks.

Method For the most part, these methods consist of the following elements, performed, more or less, in the following order. 1. Identify, characterize, and assess threats 2. Assess the vulnerability of critical assets to specific threats 3. Determine the risk (i.e. the expected consequences of specific types of attacks on specific assets) 4. Identify ways to reduce those risks 5. Prioritize risk reduction measures based on a strategy Risk management is a process which could be best described as being systematic. Risk management must never be taken lightly by any organization. It is designed to deal with risks that may occur in regards to any aspect of a project. While risk management is crucially important, there are a number of additional things that project teams can do to ensure their projects are completed properly and safely. Risk management can be broken down into a number of different steps, and the first of these steps is to take the time to assess the risks that a project faces. By assessing the risks, you are essentially taking the time to think of the things that could go wrong. Once you have an understanding of all the risks that a project faces, you will next need to prioritize them. By prioritizing the risks, you will essentially take the time to figure out which risks are the most important, in other words, you will rate the risk by how dangerous they are, as well as the probability of the risk actually occurring. Risk priority numbers will generally be used to determine the amount of risk the organization faces. Once this step has been completed, the next step is to take the time to handle the abatement actions. To do this, you will need to take the time to plan and

put in place the actions which are needed to lower the impact or the chance of the risk actually occurring. There are a number of different techniques that can be used within the field of risk management. The techniques will often differ based on the manner in which the risks have been analyzed. For instance, the risk could be evaluated or ranked dependent on the severity, as well as the probability of occurrence. Both effects analysis and failure mode may also be used for the purpose of analyzing and measuring risk. No matter how you look at it, the fact remains that the risk management process is very important when it comes to managing a project in the proper manner. There are often times when the risk management process must be repeated multiple times throughout the life cycle for a given project. The project team must study the risks and then prioritize them. Following are the steps of risk management

Risk Risk Risk Risk Risk Risk

Identification Analysis Planning Tracking Control Communication

Risk Identification: Risk is an undesirable situation or circumstance, which has both a probability of occurring and a potential consequence to project success. Risk has an impact on cost, schedule, and performance. Risk identification is the process of identifying uncertainty within all aspects of a project. In other words: what might go wrong and what happens if it does. For most information system projects, these risks may be grouped in the following categories:

Technical. Risk associated with creating a new capability or capacity Supportability. Risk associated with implementing, operating, and maintaining a new capability Programmatic. Risk caused by events outside the project's control, such as public law changes

Cost and Schedule. Risk that cost or schedule estimates are inaccurate or planned efficiencies are not realized

Risks should be identified continuously by project participants (at all levels) and the project management team should capture these risks in definitive statements of probability and impact. Lessons-Learned from previous projects may be a significant source for identifying potential risks on a new project. Risk identification process goals Encourage input of perceived risk from the team Identify risk while there is time to take action Uncover risk and sources of risk Capture risk in a readable format Communicate risk to those who can resolve it Prevent project surprises Checklist, interview, meeting, review, routine input, survey, working group.

Risk Analysis Risk Analysis quantifies the identified risks and conducts detailed sensitivity studies of the most critical variables involved. The outcome of these analyses may be a quantified list of probabilities of occurrence and consequences that may be combined into a single numerical score. This single score allows project risks to be prioritized. Risk analysis process goals - Analyze risk in a cost efficient manner - Refine the risk context - Determine the source of risk - Determine the risk exposure - Determine the time frame for action - Determine the highest-severity risk Analysis process activities - Groups similar and related risk - Determine risk drivers - Determine the source of risk - Use risk analysis techniques and tools - Estimate the risk exposure - Evaluate risk against criteria - Rank risks related to other risks Risk exposure(RE) = Probability x Cost Risk Planning

Risk planning decides what to do about a project risk. Available actions are: Avoid the risk. Assume the risk Transfer the risk

The action selected for each risk will depend on the project phase, the options that are available, and the resources that can be used for risk management. A majority of project activities involve tracking and controlling the project risk. Risk planning process goals Provide visibility for key events and conditions Reuse successful risk resolution strategies Optimize selection criteria Understand the next action for each high severity risk Establish automatic triggering mechanisms Risk planning process activities Develop risk scenarios for high severity risks Develop risk resolution alternatives Select the risk resolution approach Develop a risk action plan Establish thresholds for early warning

Risk Tracking Risk tracking involves gathering and analyzing project information that measures risk. For example, test reports, design reviews, and configuration audits are risk tracking tools used by project management to assess the technical risk of moving forward into the next life cycle phase. Risk tracking process goals Risk Monitor the events and conditions of risk scenarios Track risk indicators for early warning Provide notification for triggering mechanism Capture results of risk resolution efforts Report risk measure and metrics regularly Provide visibility in risk status Control

Risk control takes the results of risk tracking and decides what to do and then does it. For example, if a project design review shows inadequate progress in one area, the decision may be made to change technical approaches or delay the project. Risk Mitigation Techniques

Risk mitigation techniques are used to control or transfer risk until an acceptable risk level is reached. The most common techniques are inherent in good management and engineering practice: Budget management reserve - mitigates cost risk Schedule slack - mitigates schedule risk Parallel development - mitigates technical risk Prototyping - mitigates technical risk

Risk resolution process goals Assign responsibility and authority to the lowest possible level Follow a documented risk action plan Report results of risk resolution efforts Provide for risk aware decision making Determine the cost effectiveness of risk mgmt Is prepared to adapt to changing circumstances Take corrective actions when necessary Improve communication within the team Systematically control the software risk

Risk resolution process activities Respond to notification of triggering event Execute the risk action plan Report action against the plan Correct the deviation from the plan

Risk Communication Risk information should be communicated to all levels of the project organization and to appropriate external organizations. This ensures understanding of the project risks and the planned strategies to address the risk. Risk information then feeds the decision processes within the project and should establish support within external organizations for mitigation activities. For example, an agency comptroller who understands the project risks is more likely to allow the project manager to have a management reserve within the project budget. Communicating risk information in a clear, understandable, balanced, and useful manner is difficult. The ability to state the problem at hand clearly, concisely, and without ambiguity is essential. Force field analysis

Is a technique to help people to understand the positive and negative aspects of change? Force field analysis provides motivation to overcome the barriers. Compelling reasons that change is needed to provide motivation for the use of risk management.

2.

Describe in brief the basic principles followed by the GMP principles Success of a Project greatly depends on adopting. Good Manufacturing Practices (GMP) and help the project meet the overall project quality, timeline, and cost objectives. GMP tries to bring a manufacturing organisation to a level where it can compete effectively in the world market. The World Health Organization (WHO) initiated the concept of GMP in the 1960s for high risk sectors like health, pharmaceuticals, food industry. GMP is that part of Quality Assurance which ensures that products are consistently produced and controlled to the quality standards appropriate to their intended use and as per specified requirements. GMP is nothing but adoption of such methods that try to ensure that quality is built into the organisation and the processes which are involved in manufacturing. The activities involved in achieving quality cover much more that the manufacturing operations themselves. GMPs are like policy programme implemented by manufacturers. They need a written programme, training programme, a maintenance schedule, and above all management commitment in providing funds, guidance, and human resources. Only when the management is committed to implement a programme, other components fall in place. Without this no amount of investment or external assistance can deliver results. Good Manufacturing Practices are enforced in United States by the FDA (Food and Drug Administration) United Kingdom by the Medicines and Healthcare Products

Regulatory Agency (MHRA) Australia by the Therapeutical Goods Administration (TGA) India by the Ministry of Health, multinational and/or foreign enterprises For a GMP, there must be clear written specifications for the materials, the packaging, processing and testing, handling, storage, receipt and dispatch. Suitable infrastructure, location, equipment and trained employees must be made available to effectively implementaGMP program. It also requires regular audit and review of the GMP along with analysis of customer complaints and feedback. GMP must also be applied to sub contractors. In addition to these key aspects being addressed by any GMP program in an organisation, there are some practical aspects of GMP which need to be considered while adopting them. Adoption of GMP requires elaborate documentation of all the procedures and guidelines. Even results of procedures must be documented and analysed regularly. Also, to be able to implement GMP, the employees must be rigorously trained in GMP. Only then it can be effective point in the outsourcing chain can compromise the business objectives of all involved. Therefore it must be ensured that each stakeholder properly adheres to the additional regulatory stipulations for the GMPs to be fully effective.

3.

Write short note on the following risk categories

a. Operational risks b. Schedule risks c. Budget risks d. Business risks e. Technical environment risk
Ans: Risk Categories

Risk management is an essential activity of project management. It is important to classify risks into appropriate categories. Risks can be classified into following 13 categories:

1. Operational Risk: Risks of loss due to improper process implementation, failed system or some external events risks. Examples can be Failure to address priority conflicts, Insufficient resources or No proper subject training etc.

2. Schedule Risk: Project schedule get slip when project tasks and schedule release risks are not addressed properly. Schedule risks mainly affect on project and finally on company economy and may lead to project failure

3. Budget Risk: Wrong budget estimation or Project scope expansion leads to Budget / Cost Risk. This risk may lead to either a delay in the delivery of the project or sometimes even an incomplete closure of the project.

4. Business Risk: Non-availability of contracts or purchase order at the start of the project or delay in receiving proper inputs from the customer or business analyst may lead to business risks.

5. Technical Environment Risk: These are the risks related to the environment under which both the client and the customer work. For example, constantly changing development or production or testing environment can lead to this risk.

Q 4. Describe Risk assessment cycle.

Ans:
Risk Assessment Cycle The Risk Assessment Cycle is pictorially represented in the following diagram.

The Risk Assessment Cycle has the following seven stages: 1. Set the Limits / Scope of the Analysis While doing Risk Assessment, the Limits/Scope of the Analysis should be set to provide the project manager very clear direction on what should be done. There are many instances where clear direction is lacking or the steps are unnecessarily confusing or ambiguous. 2. Identify Tasks and Hazards Identifying Hazards is critical because if hazards are omitted the associated risks will remain unknown. A task-based approach to identifying hazards has been shown to be very effective and is recommended where applicable. After the hazards are identified you need to determine two things: Is the associated risk minor? If yes, fix it straight away and move on. Is there a Regulation, Advisory Standard, Industry Code of Practice or guidance material associated with this hazard? If yes, the Regulation must be followed. 3. Asses Risk (Initial) Initial Risk Assessment is very important step to find out the initial risks which consume more time. 4. Reduce Risk There is no point in assessing the risks of a project unless one plans to perform risk reduction. The risk reduction effort is always completed even though not every residual risk requires further risk reduction since the risk may already be acceptable. This implies that risk reduction is a necessary part of, and should be included in the overall risk assessment process. 5. Assess Risk (Residual) Assessment of Residual Risks is very important to make the risk assessment process complete. In a way it helps in reducing the risks. 6. Subjective Judgments need to be accepted Subjectivity is a necessary part of risk assessment. Even in quantitative risk assessments subjective judgment occurs. However, the subjectivity does not diminish the value or credibility of the risk assessment process and subjective risk assessments do offer value.

7. Document the Results Documenting the Results obtained is very important for the future reference and use. This can be of help in upcoming projects.

Q.5. Describe strategies.

in

brief

the

major

risk

handling

Ans: Risk Handling Strategies Risk handling is nothing but risk treatment. This involves identifying various options for treating risk, analysing those options, preparing risk treatment plans based on the assessments made, and implementing the plans. Some of the options available for risk treatment include: Retaining/accepting risk: Organisations identify potential risks and put effective controls in place to eliminate them. However, an element of risk can be retained if it is deemed acceptable to the organisation after putting controls in place. However, standby plans must be in place to manage/fund the consequences of the retained risk, should it occur. Reducing risk occurrence: Organisations devise comprehensive plans to reduce the risk occurrence to the bare minimum. The plans include policies and procedures, testing, technical controls, training of staff, preventative maintenance, supervision, contract conditions, quality assurance programs, audit compliance programs etc.

Mitigating consequences of risk occurrence: It is important to mitigate the consequences of the risk occurrence if it cannot be eliminated altogether. Some of the risk mitigating measures include effective contingency plan, disaster recovery and business continuity plans, off-site backup, public relations, emergency procedures and staff training etc. Transferring risk: Organisations can distribute the perceived risks to another involved party by the use of contracts, insurance, outsourcing, joint ventures or partnerships etc. Avoiding risk: Organisation can avoid risks completely, wherever practicable, by deciding not to proceed with the activity likely to throw risks. There are various factors that must be considered in choosing a risk handling strategy. Some of the factors include: Payoff (or gains) for undertaking the risk

 Costs of risk management Extent of the impact of the risk 5.3 Objectives of Risk Handling Strategies Risk handling is a critical aspect in achieving fundamental and overall objectives of the project. It includes developing project objectives and communicating risk information to every stakeholder of the project in the organization. Strategies and objectives must be in alignment with overall organizational objectives. It is, therefore, very important to understand the objectives of the project clearly. After articulating the project goals and constraints, which are also agreed upon, comprehensive risk management plan is prepared to handle the risks effectively. This plan includes a common risk language and appropriate enablement through systems, tools, and skills. Well documented and comprehensive risk handling strategies achieve the following objectives: Perform accurate risk assessments. Establish risk handling priorities. Develop risk handling plans. Monitor the status of risk handling actions. Determine and implement appropriate risk management strategies. Elements of Risk Handling There are several other key elements in implementing an effective risk handling process and each is necessary for risk management planning. These key elements are: Risk Tracking (Monitoring) Risk Acceptance Risk Mitigation Risk Transfer Risk Avoidance

 Contingency Reserves Risk Process Implementation Risk Documentation Another important element of Risk Handling is the preparation of effective risk handling strategies. Functional Specialists prepare risk handling strategies for the organisation. They adopt various strategies to achieve the stated goals. They identify high and moderate areas of risk, assign risk ratings, and determine recommendations. Based on that information, they create Risk Treatment Plans (RTPs). The process of producing the RTPs consists of a series of steps as explained here:

Creating Risk Treatment Plan Identify the events: The events can cause trouble are identified. Identify the assets: The assets of the organisation that are most prone to the potential risks are identified. Identify the impacts: The impact of the occurrence of a risk, or the probability of triggering other risks, is identified. Identify the threats: Threats that may arise out of the perceived risk and the extent of damage the threat can cause are identified. Produce the RTPs: This is the final step in producing the Risk Treatment Plans. Benefits of Risk Handling Strategies

Risk handling strategies are normally level-of-effort tasks while being developed and give no true assessment of value. As such, it is difficult to exactly measure the benefits that accrue through implementation of risk management strategies. However, there are few tangible benefits of implementing effective risk handling strategies.

Q7. Define change and the various types of changes

Ans: Change Organisational change management requires understanding the sentiments of the target population and working with them to promote efficient delivery of the change. Organisational change management issues are often under-estimated or ignored entirely. Organisational change management is a vital aspect of almost every project. It should, therefore, be seen as a discrete and specialised work stream. Unfortunately, it is common to find that the human component of the project is not recognised as a separate element of the work. The project management team frequently has to do their best to ensure that a technological change is successfully implanted into the business. In the worst-case scenario, the project leadership do not see this as part of their responsibility and blame the organisations line management when their new technical solution is not fully successful when put to use. There are two related aspects of organisational change that are often confused. Organisational change management is concerned with winning the hearts and minds of participants and the target population to bring about changed behaviour and culture. The key skills required in this are business psychology and people management skills. The objectives of change are: To know how people are meeting a given need now and alternative ways they prefer to meet that need. To develop new understanding of a target market by identifying what is important or potentially relevant. To identify why some customers prefer your product and others do not.

 To design better products and services and identify new opportunities. To assess the lives and environment of your customers, their motivations, their patterns of behaviour, perceptions, and desires. To identify the non-rational drivers of behaviour and put in place appropriate methods to address diverse behaviour patterns. To arrive at the things that everyone agrees on, and find the things that have a wide range of differing opinion. Types of Change Different types of change require different strategies and plans to effectively gain employee engagement and acceptance of change. There are three types[1] of change that occur most frequently in organisations, they are: developmental, transitional, and transformational. Organisational change management theories effectively support how to deal with developmental and transitional change, but are less effective at dealing with successfully implementing transformational change. A critical step in determining which approach to use in overcoming resistance to implementing organisation change is to determine which type of change the organisation is experiencing. Developmental Change Developmental change is a method of maintaining a competitive edge in business. It enhances or corrects existing aspects of an organisation, often by focusing on the improvement of a skill or process. It may be either planned or emergent. When an organisation decides to improve its processes, methods or performance standards, then this process is considered as developmental change. This type of change should cause little stress to current employees as long as the rationale for the new process is clearly conveyed and the employees are educated on the new techniques. If an organisation decides to close a division to implement developmental change, and still finds little success, then employees may be more likely to accept the change. The employees would see that the company attempted different strategies before determining that closing the division was the

only option. Transitional Change Transitional change replaces existing processes or procedures with something that is completely new to the organisation. It is, therefore, more intrusive than developmental change. The period when the old process is being dismantled and the new process is being implemented is called the transitional phase. Few examples of transitional change are: corporate reorganisation, merger, acquisition, creating new products or services, and implementing new technology. Transitional change develops a level of discomfort in employees because the outcome of the change is unknown. It may not require a significant shift in culture or behaviour. But it is more challenging to implement than developmental change. Employees may feel that their job is unstable and their own personal insecurities may increase. Educating employees on the new procedures allows employees to feel that they are actively involved and engaged in the change. This reduces the resistance to the change. Lewin (1951) conceptualised change as a three-stage process involving: Unfreezing the existing organisational equilibrium Moving to a new position Refreezing in a new equilibrium position Schein in 1987 further explored these three stages. He suggested that unfreezing involves: Disconfirmation of expectations Creation of guilt or anxiety Provision of psychological safety that converts anxiety into motivation to change Transformational Change Sometimes when organisations face emergence of radically different technologies, significant changes in supply and demand, unexpected competition, lack of revenue or other major shifts in business, developmental or transitional change may not offer the solution they need to stay competitive. Instead of methodically implementing new processes, the

organisation prefers to drastically transform the existing processes. Transformational change occurs after the transition period. Transformational change may involve both developmental and transitional change. It is common for transitional and transformation change to occur in turns.

Categorizing Change There are a number of ways in which change can be categorised. Most of them are related to the extent of the change. Planned versus Emergent Change Sometimes change is deliberate, a product of conscious reasoning and actions. This type of change is called planned change. In contrast, change sometimes unfolds in an apparently spontaneous and unplanned way. This type of change is known as emergent change. Change can be emergent in cases where: Managers make a number of decisions apparently unrelated to the change that emerges. The change is therefore unplanned. However, these decisions may be sometimes based on unconscious assumptions about the organisation, its environment and the future and are, therefore, not as unrelated as they initially seem. External factors such as the economy, competitors behaviour, and political climate or internal features such as the relative power of different interest groups, distribution of knowledge, and uncertainty influence the change in directions beyond the control of managers. Even the most carefully planned and executed change programme can have some emergent impacts. Thus the two important aspects of managing change are to identify, explore and if necessary challenge the assumptions that underlie managerial decisions. Episodic versus continuous change Another distinction is between episodic and continuous change. Episodic change, according to Weick and Quinn (1999), is infrequent, discontinuous and intentional. Sometimes termed radical or second order change, episodic change often involves replacement of one strategy or programme with another. Continuous change, in contrast, is ongoing, evolving and cumulative. Also

referred to as first order or incremental change, continuous change is characterised by people constantly adapting and editing ideas they acquire from different sources. The distinction between episodic and continuous change helps clarify thinking about an organisations future development and evolution in relation to its long-term goals. Few organisations decide unilaterally that they adopt an exclusively continuous change approach. They can, however, capitalise upon many of the principles of continuous change by being flexible to accommodate and experiment with everyday contingencies, breakdowns, exceptions, opportunities, and unintended consequences that punctuate organisational life[3].