IT Project Risk
See also Sommerville, Chapter 22.1

Risk Management
Ideas of risk management originate in
• Probability theory
• Insurance mathematics
which seek to
• Quantify and control risk
• Make a net profit in the long term
• Not be ruined in the short term
Recall the definition of an expectation over a discrete probability distribution:
E = Σ_i p(event_i) * e(event_i)
e.g. tossing a fair coin: let event 1 = head, event 2 = tail
p(event 1) = 0.5, p(event 2) = 0.5
e(event 1) = +1€, e(event 2) = -1€
Expectation = (0.5 * 1) + (0.5 * -1) = 0.0
In the long term we make no gain or loss! But in the short term we might go bankrupt!

For each event εi we need to define:
• The impact e(εi) of εi as a gain or loss (financial, time, etc.)
• The risk r(εi) associated with εi as the expression r(εi) = p(εi) * e(εi)
History
During the 1990s ideas of risk management spread from insurance to other industries such as
• Banking and finance
• Information technology
especially through the support of US legislation:
Clinger-Cohen Act 1996 (Information Technology Acquisition Reform Act): “… assessing and managing the risks of the IT acquisitions of executive (government) agencies …”
And later: Department of Defense (DoD) Directive 5000.1 (1996, 1999)

Capability Maturity Model (CMM)
• Level 3 accreditation requires structured risk management.
Definitions
A project risk is a project event εi with three distinguishing features:
(1) An associated loss, which could include time, money, quality, control, understanding, etc. We try to measure this value, which is the risk impact e(εi).
(2) A likelihood that each possible outcome event εi occurs. We try to measure this value, which is the risk probability p(εi). Measuring p(εi) is usually much harder. Often a semi-quantitative approach is used, e.g. unlikely : possible : likely : very likely gives four quartiles 25 : 50 : 75 : 100.
(3) There is some way to influence the impact. We need only be interested in risks where we can avoid or minimise the impact. Some risks are always beyond the scope of influence, e.g. physics, war, legislation, etc.
Risk Exposure
This is the cumulative exposure over a complete and independent set of events:
E = Σ_i p(event_i) * e(event_i)
Risk control is a set of planned actions to reduce the risk exposure.
Example
Consider the risk exposure for testing a new software product. Delivery of the product yields 300K€. However, if critical bugs are present, a penalty payment of 150K€ is owed to the client.

Probability estimates
By spending 50K€ (6 man-months) on testing we estimate that we will find all critical bugs with a probability of 0.75. We estimate the probability that the product is free of critical bugs (from the start) to be 0.2. We estimate the probability that we will overlook a critical bug to be 0.05.

Outcome tree
P(exists no fault) = 0.2
P(exists fault) = 0.8
P(find no fault) = 0.05
P(find fault) = 0.75
The three leaves (0.2, 0.75, 0.05) sum to 1.0: a tree structure naturally produces a complete independent set of outcomes.
Risk exposure
Exposure = 0.75 * (300,000 – 50,000) + 0.05 * (300,000 – (150,000 + 50,000)) + 0.2 * (300,000 – 50,000)
= 187,500 + 5,000 + 50,000 = 242,000

What does this calculation actually tell us? Over the long term we would make a profit of 242,000€ on a series of projects with these characteristics. However, this project is probably unique! Each summand is positive, and therefore under each outcome we make some profit.

The result is dominated by the term 0.75 * (300,000 – 50,000) = 187,500. To improve the average outcome, we could:
• Improve testing effectiveness to raise the value 0.75 (at no cost?)
• Reduce testing labour to reduce the value 50K (possible?)
• Raise the product price above 300K€ (desirable? possible?)
Risk Leverage
Risk management procedures alter the value of our exposure … but they usually cost money to put in place. When does the gain exceed the expense? (The law of diminishing returns.)

Define the risk leverage of a specific risk reduction to be the value
Leverage = (exposure after – exposure before) / cost of reduction
Example
In the previous testing scenario, suppose doubling the test budget to 100K€ will halve the probability p(find no fault) = 0.025, so that p(find fault) = 0.775, while p(exists no fault) = 0.2 is unchanged.

Exposure after reduction
Exposure after = 0.775 * (300,000 – 100,000) + 0.025 * (300,000 – (150,000 + 100,000)) + 0.2 * (300,000 – 100,000)
= 155,000 + 1,250 + 40,000 = 196,250

Leverage
Leverage = (exposure after – exposure before) / cost of reduction = (196,250 – 242,000) / 50,000 = -0.915
A leverage value < 1.0 is an uneconomic reduction!
Risk Management Process
… has its own lifecycle:
• Identify the risks using previous project histories, similar projects, checklists, etc.
• Analyse risks: try to find the probabilities and impacts, even semi-quantitatively
• Plan risk handling actions: prioritise the top n risks (e.g. n = 10) in terms of exposure
• Make contingency plans (i.e. damage control) for all n risks
• Monitor and adjust: update probabilities and recalculate
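The semi-quantitative likelihood scale from the Definitions slide and the "prioritise the top n risks in terms of exposure" step above, as an added example (Python written for this page; the register rows are constructed for illustration and are not from the slides). Impacts are recorded as negative numbers (losses), so the slides' formula Leverage = (exposure after – exposure before) / cost of reduction keeps its sign convention, and a proposed reduction is recommended only when its leverage reaches 1.0, in line with the accept-the-risk rule for leverage below 1.0. Names such as Risk, Reduction and plan_top_n are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Semi-quantitative likelihood scale from the slides: four quartiles.
LIKELIHOOD: Dict[str, float] = {
    "unlikely": 0.25, "possible": 0.50, "likely": 0.75, "very likely": 1.00,
}


@dataclass(frozen=True)
class Reduction:
    """A proposed risk-handling action and its estimated effect."""
    cost: float               # euros spent on the action
    likelihood_after: str     # label on the semi-quantitative scale
    loss_after: float         # loss (positive euros) if the risk still occurs


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str           # label on the semi-quantitative scale
    loss: float               # loss (positive euros) if the risk occurs
    reduction: Optional[Reduction] = None


def probability(label: str) -> float:
    """Map a likelihood label to its quartile, rejecting labels off the scale."""
    try:
        return LIKELIHOOD[label.lower()]
    except KeyError:
        raise ValueError(f"unknown likelihood label {label!r}; use one of {sorted(LIKELIHOOD)}") from None


def exposure(label: str, loss: float) -> float:
    """r = p * e, with the impact e recorded as a negative gain (a loss)."""
    return -probability(label) * loss


def top_n(register: List[Risk], n: int) -> List[Risk]:
    """The n risks with the largest expected loss (most negative exposure)."""
    return sorted(register, key=lambda r: exposure(r.likelihood, r.loss))[:n]


def leverage(risk: Risk) -> Optional[float]:
    """Slides' formula: (exposure after - exposure before) / cost of reduction."""
    if risk.reduction is None:
        return None
    before = exposure(risk.likelihood, risk.loss)
    after = exposure(risk.reduction.likelihood_after, risk.reduction.loss_after)
    return (after - before) / risk.reduction.cost


def plan_top_n(register: List[Risk], n: int) -> Dict[str, str]:
    """Accept a risk when no reduction is proposed or its leverage is below 1.0; otherwise reduce."""
    plan: Dict[str, str] = {}
    for risk in top_n(register, n):
        lev = leverage(risk)
        plan[risk.name] = "reduce" if lev is not None and lev >= 1.0 else "accept"
    return plan


# Constructed register (illustrative figures, not from the slides).
REGISTER: List[Risk] = [
    Risk("Staff shortage", "likely", 80_000, Reduction(15_000, "possible", 80_000)),
    Risk("Subcontractor failure", "possible", 130_000, Reduction(50_000, "unlikely", 130_000)),
    Risk("Equipment failure", "unlikely", 10_000),
    Risk("New technology", "very likely", 30_000, Reduction(5_000, "likely", 30_000)),
    Risk("Unknown product", "likely", 36_000, Reduction(40_000, "possible", 20_000)),
]

if __name__ == "__main__":
    for risk in top_n(REGISTER, 3):
        print(f"{risk.name:<22} exposure {exposure(risk.likelihood, risk.loss):>10,.0f}"
              f"  leverage {leverage(risk)}")
    print(plan_top_n(REGISTER, 3))
```

On the constructed rows the top three by exposure are Subcontractor failure (-65,000), Staff shortage (-60,000) and New technology (-30,000); the subcontractor reduction has leverage 0.65 and is accepted as-is, while the other two reductions (leverage 1.33 and 1.5) are worth buying. Re-running the ranking after each monitoring update is the "update probabilities and recalculate" step of the lifecycle.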
Risk Reduction Strategies
There are 4 basic strategies for dealing with risk.
(1) Accept the risk (i.e. do nothing). This seems most advantageous when the leverage falls below 1.0, especially if exposure is already low.
(2) Transfer the risk. Negotiate the contract so that the risk is accepted or shared by another party, e.g. customer, subcontractor, consortium partner, bank, etc.
(3) Reduce probabilities of negative outcomes. Invest in project activities which reduce probabilities, e.g. if risk = software bugs, activities = design, test, etc.
(4) Reduce losses associated with negative outcomes. Invest in catastrophe management which reduces negative impact, e.g. insurance against lawsuits.
Note: (3) = “buying smoke alarms” while (4) = “buying fire engines”.
Risk Hierarchy
It is useful to structure different types of risk into a taxonomy, e.g. to perform systemic risk analysis. There are many published taxonomies (aka checklists); see e.g. Sommerville, course handouts and the course web page.

Generic Project Risks
  Generic IT Project Risks
    Staff shortage
    Subcontractor failure
  Specific IT Project Risks
    New technology
    Equipment failure
    Unknown product
    Team risk
    …
Boehm’s Top IT Project Risks
Recall the spiral lifecycle model? Boehm has studied the top IT project risks and suggested fixes.
(1) Personnel shortfall
(2) Unrealistic schedules and budgets
(3) Developing the wrong software functions
(4) Developing the wrong user interface
(5) Gold plating
(6) Continuing stream of requirement changes
(7) Shortfalls in externally furnished components
(8) Shortfalls in externally performed tasks
(9) Real-time performance shortfalls
Question: What fixes would you suggest?
Implementing Risk Control
Risk management is getting easier to motivate politically.

Fire Safety Officer Paradox
With a good fire safety officer there are never any fires … but then why hire an officer?