Risk Management

Every IT project involves risks that systems analysts and project managers must address. A risk is an event that could affect the project negatively. Risk management is the process of identifying, analyzing, anticipating, and monitoring risks to minimize their impact on the project.

Steps in Risk Management

The first step in risk management is to develop a specific plan. Although project management experts differ with regard to the number of steps or phases, a basic list would include the following tasks:

• Develop a risk management plan. A risk management plan includes a review of the project’s scope, stakeholders, budget, schedule, and any other internal or external factors that might affect the project. The plan should define project roles and responsibilities, risk management methods and procedures, categories of risks, and contingency plans.

• Identify the risks. Risk identification lists each risk and assesses the likelihood that it could affect the project. The details would depend on the specific project,but most lists would include a means of identification, and a brief description of the risk, what might cause it to occur, who would be responsible for responding, and the potential impact of 

the risk.

• Analyze the risks. This typically is a two-step process: Qualitative risk analysis and quantitative risk analysis. Qualitative risk analysis evaluates each risk by estimating the probability that it will occur and the degree of impact. Project managers can use a formula to weigh risk and impact values, or they can display the results in a two-axis grid. For example, a Microsoft Excel XY chart can be used to display the matrix, as shown in Figure 3-33.

In the chart, notice the various combinations of risk and impact ratings for the five sample values. This tool can help a project manager focus on the most critical areas, where risk probability and potential impact are high. The purpose of quantitative risk analysis is to understand the actual impact in terms of dollars, time, project scope, or quality. Quantitative risk analysis can involve a modeling process called what-if analysis, which allows a project manager to vary one or more element(s) in a model to measure the effect on other elements.

• Create a risk response plan. A risk response plan is a proactive effort to anticipate a risk and describe an action plan to deal with it. An effective risk response plan can reduce the overall impact by triggering timely and appropriate action.

• Monitor risks. This activity is ongoing throughout the risk management process. It is important to conduct a continuous tracking process that can identify new risks, notice changes in existing risks, and update any other areas of the risk management plan.

Risk Management Software

Most project management software includes powerful features that allow a project manager to assign specific dates as constraints, align task dependencies, note external factors that might affect a task, track progress, and display tasks that are behind schedule. In addition, some vendors offer risk management add-ons, such as the one shown in Figure 3-34. The enterprise edition of Microsoft Project, Microsoft Project Server 2010, has a built-in risk management capability that can be used for large, corporate-wide projects. Microsoft claims that the software can link risks with specific tasks and projects, specify probability and impact, assign ownership, and track progress to manage projects more efficiently. 

Microsoft’s risk management model includes the following factors:

• Probability, which represents the likelihood that the risk will happen, expressed as a percentage

• Impact, which indicates the degree of adverse effect should the risk occur, on a scale of 1 to 10

• Cost, which indicates the potential financial impact of the risk

• Category, which specifies the risk type

• Description, which specifies the nature of the risk

• Mitigation plan, which identifies plans to control or limit the risk

• Contingency plan, which specifies actions to be taken if the risk occurs

• Trigger, which identifies a condition that would initiate the contingency plan 

Armed with this information, the IT team can make a recommendation regarding the risks associated with the project. 

Depending on the nature and magnitude of the risks, the final decision might be made by management.