Risk Analysis in IT Projects

• Smita Sharma (07030141018)
• Mitaali Pandey (07030141020)
• Nitin Marwal (07030141023)
• Manish Kamal (07030141026)
• K.R. Alok (07030141028)
• Prasad Bokil (07030141029)
What Is Project Risk Analysis And Management?
• Project Risk Analysis and Management is a process which enables the analysis and management of the risks associated with a project. Properly undertaken, it will increase the likelihood of successful completion of a project to cost, time and performance objectives.
Objectives
The objective of performing risk management is to enable
the organization to accomplish its missions:

(1) by better securing the IT systems that store, process, or transmit organizational information;

(2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget;

(3) by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.
The Importance of Project Risk Management
• Project risk management is the art and science of identifying, analyzing, and responding to risk throughout the life of a project and in the best interests of meeting project objectives.
• Risk management is often overlooked in projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimates.
Integration of Risk Management into the SDLC

SDLC Phases | Phase Characteristics | Support from Risk Management Activities
Phase 1—Initiation | The need for an IT system is expressed and the purpose and scope of the IT system is documented. | Identified risks are used to support the development of the system requirements.
Phase 2—Development or Acquisition | The IT system is designed, purchased, programmed, developed, or otherwise constructed. | The risks identified during this phase can be used to support the security analyses of the IT system.
Phase 3—Implementation | The system security features should be configured, enabled, tested, and verified. | The risk management process supports the assessment of the system implementation against its requirements.
Phase 4—Operation or Maintenance | The system performs its functions. | Risk management activities are performed for periodic system reauthorization.
Phase 5—Disposal | This phase may involve the disposition of information, hardware, and software. | Risk management activities are performed for system components.
Project Risk Management Processes
• Risk identification: determining which risks are likely to affect a project and documenting the characteristics of each.
• Risk analysis: prioritizing risks based on their probability and impact of occurrence.
• Risk planning: taking steps to enhance opportunities and reduce threats to meeting project objectives.
• Risk monitoring and control: monitoring identified and residual risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies throughout the life of the project.
Risk Breakdown Structure
• A risk breakdown structure is a hierarchy of potential risk categories for a project.
• Similar to a work breakdown structure but used to identify and categorize risks.
Sample Risk Breakdown Structure
Risk Identification
• Risk identification is the process of understanding what potential events might hurt or enhance a particular project.
• Risk identification tools and techniques include:
  • Brainstorming
  • The Delphi Technique
  • Interviewing
  • SWOT analysis
Risk Assessment Methodology Flowchart

Qualitative Risk Analysis
• Assess the likelihood and impact of identified risks to determine their magnitude and priority.
• Risk quantification tools and techniques include:
  • Risk-Level matrixes
Risk-Level Matrix
A Risk-Level matrix or chart lists the relative probability of a risk occurring on one side of a matrix or axis on a chart and the relative impact of the risk occurring on the other.
Risk Scale and Necessary Actions
Quantitative Risk Analysis
• A qualitative analysis allows the main risk sources or factors to be identified.
• A quantitative analysis enables the impacts of the risks to be quantified against the three basic project success criteria: cost, time and performance.
Quantitative Techniques
• Sensitivity Analysis simply determines the effect on the whole project of changing one of its risk variables such as delays in design or the cost of materials.
• Probabilistic Analysis specifies a probability distribution for each risk and then considers the effect of risks in combination. This is perhaps the most common method of performing a quantitative risk analysis.
• Influence Diagrams are a relatively new technique for risk analysis. They provide a powerful means of constructing models of the issues in a project which are subject to risk.
• Decision Trees are another graphical method of structuring models. They bring together the information needed to make project decisions and show the present possible courses of action and all future possible outcomes.
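
The sensitivity and probabilistic analyses described above, as an added example that is not part of the original slides: a Monte Carlo simulation over a constructed three-risk register. The risk names, probabilities, cost ranges, the triangular distribution and the 80th-percentile measure are all assumptions chosen for illustration.

```python
import random

# Constructed sample risk register: (name, probability of occurring,
# (low, most likely, high) cost impact in thousands). Values are illustrative.
RISKS = [
    ("design delay",       0.4, (10, 25, 60)),
    ("material cost rise", 0.3, (5, 15, 40)),
    ("key staff loss",     0.1, (20, 50, 120)),
]
BASE_COST = 500  # planned cost with no risk event occurring (constructed)


def simulate(risks, base_cost, trials=20000, seed=1):
    """Probabilistic analysis: sample every risk in each trial and sum them."""
    rng = random.Random(seed)  # fixed seed keeps runs reproducible
    totals = []
    for _ in range(trials):
        total = base_cost
        for _name, prob, (low, mode, high) in risks:
            # Always draw both numbers so the random stream stays aligned
            # when one risk's probability is changed (common random numbers).
            occurs = rng.random() < prob
            impact = rng.triangular(low, high, mode)
            if occurs:
                total += impact
        totals.append(total)
    return sorted(totals)


def percentile(sorted_totals, q):
    """Return the value below which a fraction q of the trials fall."""
    index = min(len(sorted_totals) - 1, int(q * len(sorted_totals)))
    return sorted_totals[index]


def sensitivity(risks, base_cost, q=0.8):
    """Sensitivity analysis: drop in the q-th percentile when one risk is eliminated."""
    baseline = percentile(simulate(risks, base_cost), q)
    drops = {}
    for i, (name, _prob, spread) in enumerate(risks):
        changed = risks[:i] + [(name, 0.0, spread)] + risks[i + 1:]
        drops[name] = baseline - percentile(simulate(changed, base_cost), q)
    return drops


if __name__ == "__main__":
    totals = simulate(RISKS, BASE_COST)
    print("P50:", round(percentile(totals, 0.5), 1), "P80:", round(percentile(totals, 0.8), 1))
    print(sensitivity(RISKS, BASE_COST))
```

The gap between the 50th and 80th percentiles is the contingency that the combined risks justify, and the largest entry returned by `sensitivity` is the risk whose mitigation buys the most.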
Risk Mitigation
Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.

Risk mitigation can be achieved through any of the following risk mitigation options:
• Risk Assumption.
• Risk Avoidance.
• Risk Limitation.
• Research and Acknowledgment.
• Risk Transference.
Risk Mitigation Strategy
Risk Monitoring and Control
• In most organizations, the components change and software applications are replaced or updated with newer versions. In addition, personnel changes will occur and security policies are likely to change over time.
• These changes mean that new risks will surface and risks previously mitigated may again become a concern. Thus, there is a need for ongoing risk evaluation and assessment.

In implementing recommended controls to mitigate risk, an organization should consider technical, management, and operational security controls to maximize the effectiveness of controls for their IT systems and organization.
Risk Analysis Using an Enhanced FMEA Technique – The TCS Way…
• Failure Mode and Effects Analysis (FMEA) is a structured, proactive technique to identify the ways in which a product or process can fail and to prevent such failure.
• It is a systematic technique to analyze potential failure modes and assist in mitigating them.
• It systematically anticipates and studies the cause and effect of failure.
TCS – Risk Management Circle
FMEA – The Driver Model
• The power of FMEA is four-fold. Firstly, all FMEA artifacts are dynamic, living documents. Continuous improvement and risk level reduction drive FMEA.
• Next, the technique identifies high-priority, ‘vital few’ risks because, in real life, not all problems are equally important.
• Thirdly, FMEA is customer-oriented although a customer representative may not be an end-user.
• Fourthly, FMEA offers audit trails, i.e. a well-documented record of improvements arising out of corrective action implemented.
• In sum, FMEA gives one a mechanism to document and monitor all data elements required to meet business drivers.
REFERENCES
• www.openseminar.org, “Risk Management”, Laurie Williams and Sarah Smith
• www.sei.cmu.edu, The Software Engineering Institute, for risk management
• Effective Risk Management: Risk Analysis Using an Enhanced FMEA Technique, Vijaya Deepti Nimmagadda Ramanamurthy and K. Uma Balasubramania (Tata Consultancy Services), Bangalore, Karnataka, India
• Risk Analysis Techniques, Geoffrey H. Wold and Robert F. Shriver
