Software Project Risk Management

Forrester Defines Risk as: A coordinated set of activities to not only manage the adverse impacts of IT on business operations, but to also realize the opportunities that IT brings to increase business value.

COSO defines Enterprise Risk Management as: Enterprise risk management provides a framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.

Risk Management - Definition

Risk Management - Framework

Risk Management - Framework

Risk Management 4 A Framework

Risk Management 4 A Framework

Risk Management Framework

Info- Security
Network Security Data Security Physical access Security HR Process

Location
Business continuity Location risk Other environmental and security risks

Transition
Non- cooperative incumbent Inadequate documentation Non- availability of SMEs Delay in overall transition Handoff during transition Infrastructure issues

Steady State
Delay in Ticket Resolution Inadequate documentation Impact to service level Non- cooperative incumbent Non- availability of SMEs Infrastructure issues Reduced or no opportunity for reverse shadowing Country Risks

Sourcing Risk

Operational Risk

Mature Risk Management

Risk Classification and Identification

y y y y

Identification define the risks that are likely for the project Projection attempt to indicate the quantitative likelihood that a risk will occur Assessment evaluate accuracy of projections and prioritize risks Management & Monitoring move to avert those risks that are of concern and monitor all circumstances that may lead to risk

Risk Management

Team Inexperienced project leader, project team Project team members working part-time Multi-departmental project team High turnover Customer / User Client with low confidence in developer Users are threatened by application Users wont spend the time to define Multi-departmental users Client project rep is part-time

Risk Management

Business Issues  Highly volatile business area  Users unsure of their needs  Users have little computer experience  Very tight deadline has been demanded Application  Complex problem or environment  New business area  Complex data environment  New technology will be used  Limited development environment  Part of application to be subcontracted  High dependency on others

Risk Management

Risk Projection
 Establish a scale that reflects the perceived likelihood of the risk (probability is often used)  Define the consequences of the risk  Estimate the impact of the risk on the project and / or the product (usually on scale of 1 to 10)  Note the overall accuracy of the estimates

Risk Management

The RMMM Plan Mitigation how do we avoid the risk? Monitoring What do we track to determine whether the risk is becoming more or less likely Management What contingency plan do we put into place should the risk become a reality?

Risk Management

Example : Risk Management

Assume that high staff turnover is noted as a project risk, r1. Based on past history and management intuition, the likelihood, l1, of high turnover is estimated to be 0.7 (70 percent, rather high), and the impact, x1, is projected to increase project duration by 15% and overall cost by 12%. Given these data the following risk management steps are proposed: Meet with current staff to determine causes for turnover (e.g., poor working conditions, low pay, competitive job market); Act to mitigate those causes that are under our control before the project starts

Risk Management

Example : Risk Management

 Once project commences, assume turnover will occur and develop techniques to ensure continuity when people leave;  Organize project teams so that information about each development activity is widely dispersed;  Define documentation standards and establish mechanisms to be sure that documents are developed in a timely manner;  Conduct peer reviews of all work (so that more than one person is up to speed);  Define a back-up staff member for every critical technologist

Risk Management

Risks involved in different project typesy y y y y

Pure Development Projects Application Development & Maintenance Projects Production Support Project of Transition process of Outsourcing Etc.

Risk Management

Step 1

Identify & Categorize Risks across Pre Transition, Transition and Steady State phases Assign appropriate Probability and Impact Values

Step 2

Step 3

Assign appropriate Probability Impact Quadrant

Step 4

Compute Value at Risk values after making suitable assumptions

Step 5

Determine mitigation plan from Syntels and Comericas perspectives for every identified Risk

Risk Assessment: Quantification Framework

Risk Assessment - Quantification Framework contd contd

Probability Grid
Grid Probability of Occurrence Above 0.75 0.50 0.75 Below 0.5 Assumes Median Value 0.8 0.6 0.4

Impact Grid
Grid High Medium Low Impact of Occurrence Above 7 7-5 Below 5

High Medium Low

2 Monetary Value of Risk

Value at Risk (VAR) = (Probability * Impact Score * $ value of Impact) / 10
Risk Logistic and Infrastructure Issues at Clients end Impact 7 Probability 0.6 Impact Probability position MM (Amber Quadrant)

Impact is rated on a 10 point scoring scale

Value At Risk (Indicative) 8 Vendor and Client resources each will be part of transition. For each day delay due to connectivity issues 8 hrs. per Vendor resource and 4 hrs. per Client resource will be lost. Total hrs. per day for Vendor = 8*8 = 64. Total hrs. per day for Client = 8*4 = 32. Value at Risk (per day) = 0.6*7*(96*65)/10 = $2,620 (per day)

Key Risks
Inadequate Transition Planning Inadequate Resource Planning

Risk Mitigation At Service Providers End

Plan and proactively manage the Knowledge Transition activities Collaboratively develop a detailed resource plan for Transition and Steady state phases Pro actively plan for resource movements (onsite & offshore) before transition kick off Ensuring all the infrastructure is in place (onsite & offshore) before transition kick off

Risk Mitigation At Customers End

Collaboratively develop a detailed transition plan including steady-state readiness check Collaboratively develop a detailed resource plan for Transition and Steady state phases Ensuring all the connectivity issues are resolved and connectivity is in place (onsite & offshore) before the transition kick off

Logistics & Infrastructure issues

Risk Treatment Operational Risks Pre Transition

Key Risks
Delays in Knowledge Acquisition due to loss of key personnel Non Availability of SME. Inadequate Knowledge Transfer

Risk Mitigation At Service Providers End

Issue Communication and pro-active resolution Assessment of Specific Knowledge or capability of key resources

Risk Mitigation At Customers End

Ensure availability of sufficient number of SMEs

Time-tested IntelliTransfer process Shadowing & Reverse Shadowing Joint Walkthroughs and Reviews Syntel will publish dates for environment readiness and if task on critical path impact on schedule to be jointly assessed

Sign-Off to ensure all critical systems has been identified and verifies completeness of the operation Handbook

Infrastructure/ Application Accessibility challenges.

Need to do impact Analysis to rollout schedule

Risk Treatment Operational Risks Transition

Key Risks
Resource Mobility

Risk Mitigation At Service Providers End

Better Knowledge Management, Resource Assimilation, Artifact Mgmt Effective monitoring, onsite to step to the challenge, critical projects to be switched to backup ISDN line Critical activities would be delegated to onsite Team

Risk Mitigation At Customers End

Better Knowledge Management, Ensuring Compliance with processes to minimize impact of mobility Prompt Notification to Syntel Offshore Alternate Link Availability

Link Failure

Restricted Access to offshore resources

Risk Treatment Operational Risks Steady State

Risk Management Cycle

Risk

Mitigation

Client should assign a fulltime Project Manager to this project. Lack of project communication This PM will be responsible for coordinating all Client tasks and with other communicating frequently with the teams. Stakeholders should projects/departments, which in be identified up-front and should participate in weekly status turn delays dependant tasks. meetings. Decisions on Requirements finalization, interface mapping Client should allocate sufficient number of SMEs at high priority and communication protocol to the development teams queries. get delayed Service Provider Project Manager will assess the impact and provide impact analysis documents to Project Steering Changes to the Interfacing Committee. The cost and schedule will be revised as strategy or new business appropriate; Project Plan will be updated and submitted for requirements are uncovered approval. No work will be undertaken on the new scope or after the start of the project. requirements until both parties come to an agreement on the cost and schedule. Clients Infrastructure/middleware/development tools/versions and run-time environment change during the project life-cycle

Any changes should be communicated to Service provider promptly and a joint assessment will be made on the impact to project schedule. Only upon mutual agreement would the new tools or versions be implemented in the project.

Project Risks

Multiple dependencies exist between security tasks, interfaces built, data structure changes etc. These changes may result in impact to schedule

Strong coordination is required between all parties involved to ensure a successful implementation. Clients Project Manager will take a lead role in this activity. Service Provider Project Manager will keep track of the schedule impact due to any changes or failure due to dependencies, update project plan and schedule and submit to Clients Project Manager.

Service Provider Project Manager will publish the dates on Test/QA environments are not which these environments are required in the project plan. If this made available as per task gets in the critical path, Both Parties will assess the impact schedule. on the project schedule. Clients Subject Matter Experts are not available to provide inputs to Service Provider in a timely manner or to respond to Provider queries Service Provider Project Manager will bring this to the attention of the Clients Project Manager. If the Client Project Manager is unable to address this adequately, they will jointly escalate it to the Project Steering Committee, per the published escalation procedure. Strong project management, combined with proactive communication will enable clear understanding and set the right expectations for both parties.

Schedule Overrun

Project Risks