Project Risk Management – A Control Best Practices Perspective

University of Nebraska – Lincoln Operations Analysis August 13, 2010

Purpose
• Identify “control best practices” for managing project risk
• Review Microsoft Excel Risk Assessment Template to assist in identifying & mitigating project risk


Agenda
• Purpose
• Agenda
• Definition of Terms
• Manage Projects
• Why Project Risk Is Important
• “Project Risk Management”
• Risk Assessment Template
• Summary

Definition of Terms
• Risk – Possibility of an event occurring that will have an impact on the achievement of objectives.
 Risk is measured in terms of impact and likelihood (Institute of Internal Auditors)


Definition of Terms (continued)
• Control – Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
 Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. (Institute of Internal Auditors)


Definition of Terms (continued)
• COBiT® – Control Objectives for Information and related Technology
 IT governance and control framework
 Designed to help optimize IT-enabled investments & ensure IT is successful in delivering business requirements
 IT Processes – Thirty-four generally accepted IT activities, covering IT responsibilities across the lifecycle
o Example: PO10 Manage Projects
 Contains tools to help fulfill business requirements


Definition of Terms (continued)
• COBiT® and PMBOK® complement each other  “PMBOK® provides a model for project management that, whilst not IT-specific, addresses the requirements of PO10, Manage Projects.  COBiT® complements PMBOK® by providing IT-specific control requirements that address PMBOK® process requirements at a more detailed level.”
(COBiT® Mapping: Mapping of PMBOK® With COBiT ® 4.0, page 26)


Manage Projects
• Manage Projects – One of COBiT®’s 34 IT processes (Plan & Organize, PO10)
 A programme & project management framework for the management of all IT projects
o Ensures correct prioritization & coordination of all projects

(COBiT ® 4.1, page 67)


Manage Projects (continued)
• Manage Projects (continued)
 Includes:
o Master plan
o Assignment of resources
o Definition of deliverables
o Approval by users
o Phased approach to delivery
o Quality Assurance
o Formal test plan
o Testing and post-implementation review after installation
(COBiT ® 4.1, page 67)

Manage Projects (continued)
• Manage Projects (continued)
 This approach
o Reduces risk of unexpected costs & project cancellations
o Improves communications to & involvement of business & end users
o Ensures the value & quality of project deliverables
o Maximizes their contribution to IT-enabled investment programmes
(COBiT ® 4.1, page 67)


Manage Projects – COBiT Control Objectives
# Control Objective (High-level best practice requirements)
PO10.1 Programme Management Framework
PO10.2 Project Management Framework
PO10.3 Project Management Approach
PO10.4 Stakeholder Commitment
PO10.5 Project Scope Statement
PO10.6 Project Phase Initiation
PO10.7 Integrated Project Plan


Manage Projects – Control Objectives (continued)
# Control Objective (High-level best practice requirements)
PO10.8 Project Resources
PO10.9 Project Risk Management
PO10.10 Project Quality Plan
PO10.11 Project Change Control
PO10.12 Project Planning of Assurance Methods
PO10.13 Project Performance Measurement, Reporting & Monitoring
PO10.14 Project Closure

Why Project Risk Is Important
• Numerous surveys indicate a high percentage of projects
 Did not meet target requirements
 Experienced overruns in time or budget
• “Project risks are potential threats to the success of the project.” (Gaulke, 2002)
 Many risks associated with projects
• “Success or failure (of a project) ultimately depends on how project leadership manage the full range of technical and nontechnical issues.” (Krigsman, 2008)


Why Project Risk Is Important – Risk Examples
• Integration
 Inadequate planning (project & operations)
 Poor resource allocation
 Inadequate integration management
 Poor user acceptance
o Example: “Why are we doing this?”
 Business need not defined
 Changes in IT infrastructure
 Poor post-project reviews

Why Project Risk Is Important – Risk Examples
• Scope
 Scope changes
o Example: Changes in user expectations

 Requirements change
o Example: Additional features

 Requirements not adequately defined
o Example: Security & auditing requirements not considered

 Use of deliverable/solution not clearly defined
o Example: How will users use system?

 Poorly defined metrics
o Example: How measure project success?


Why Project Risk Is Important – Risk Examples
• Time
 Timeline changes
 Insufficient resources & time
 Errors in time estimates
 Poor time allocation
 Changes in environment
o Examples: Competitive product released, regulatory changes


Why Project Risk Is Important – Risk Examples (continued)
• Cost
 Funding uncertainty
 Loss of funding
 Errors in cost estimates
 Price changes
 Inadequate productivity
 Inadequate contingency planning


Why Project Risk Is Important – Risk Examples (continued)
• Quality
 Inadequate attention to quality
 Substandard design
 Inadequate quality assurance efforts
 Poorly defined quality metrics
 Changes in development tools
 Production disruption


Why Project Risk Is Important – Risk Examples (continued)
• Human Resources
 Poor project organization
o Examples: Are team members competent? Do they have proper skills?
 Inadequate leadership (project manager, sponsor)
 Loss of sponsor
 Loss of key team members
 Poor project attitude
o Example: “We don’t plan, we do”


Why Project Risk Is Important – Risk Examples (continued)
• Human Resources (continued)
 Team friction
 Poor conflict resolution
 Poor vendor management
 Lack of user involvement in design, testing & implementation


Why Project Risk Is Important – Risk Examples (continued)
• Communications
 Poor communication planning
 Inadequate communications
 Insufficient stakeholder involvement


Why Project Risk Is Important – Risk Examples (continued)
• Procurement
 Technology may be immature
 Wrong solution delivered
 Insufficient/inadequate contract clauses
o Example: Security requirements or right-to-audit clause not included in contract
 Contract clauses unenforceable
 Poor relations with vendor


Why Project Risk Is Important – Risk Examples (continued)
• Risk
 Undetected project risks
 Lack of mitigating action for identified risks
 Undetected project showstoppers
(IT Assurance Guide, page 108)


Project Risk Management
• Action-oriented definition:
 “Eliminate or minimize specific risks associated with individual projects through a systematic process of planning, identifying, analyzing, responding to, monitoring and controlling the areas or events that have the potential to cause unwanted change.  Risks faced by the project management process and the project deliverable should be established and centrally recorded.”
(COBiT ® 4.1, page 68)

 Project Risk Management is an essential element of managing a project.

Project Risk Management – Benefits
• Examples of business benefits that can result from managing project risk
 Early identification of potential showstoppers when considering project feasibility & approval
 Management able to identify & plan for contingencies & countermeasures to reduce risk impact
 Clearly defined risk & issue owners
 Mitigating actions monitored
 Consistent & efficient approach for risk management within projects, aligned to the organization’s risk management framework

(IT Assurance Guide, page 108)

Project Risk Management – Control Practices
• Six Control Practices
 Mechanisms (i.e., how, why, and what to implement for each control objective)


Project Risk Management – Control Practices (continued)
#1 Establish a formal project risk management framework that includes
 Identifying
 Analyzing
 Responding to
 Mitigating
 Monitoring
 Controlling risks

 “Make risk management part of your project.” (Jutte, 2008)

Project Risk Management – Control Practices (continued)
#2 Assign appropriately skilled personnel the responsibility for executing the organization’s project risk management framework within a project
 Consider allocating this role to an independent team, especially if
o An objective viewpoint is required, or
o The project is considered critical


Project Risk Management – Control Practices (continued)
#3 Perform project risk assessment, identifying & quantifying risks continuously throughout the project
 Sources of information:
o Project team members & project documentation
o Individuals & documentation external to the project
o Current events

 Manage & communicate risk appropriately within the project governance structure
o Include project risk on project team meeting agenda

Project Risk Management – Control Practices (continued)
#4 Reassess project risks periodically, including
 At entry into each major project phase  As part of major change request submissions


Project Risk Management – Control Practices (continued)
#5 Identify risk and issue owners for responses to
 Avoid
 Mitigate
 Transfer
 Accept risks


Project Risk Management – Control Practices (continued)
Avoid Risk
 Exit the activities or conditions that give rise to the risk. Do this when no other options are adequate.
o Examples: Terminate difficult team member; terminate project; do not use technology because it prevents future growth

Mitigate Risk
 Take action to detect the risk, reduce its frequency, and reduce its impact
o Examples: Counsel difficult team member; apply additional controls (e.g., increase monitoring, increase testing, apply stricter change management)

Transfer Risk
 Make someone else responsible for all or part of the risk
o Examples: Obtain insurance; have vendor perform high-risk part of project
o Caveat: transfer shifts who bears the cost of the risk, not the organization’s accountability for the outcome, so a transferred risk stays in the register with an owner

Accept Risk
 Take no action to avoid, mitigate, or transfer the risk
o Done when the risk is known and management decides it is acceptable to accept the risk


Project Risk Management – Control Practices (continued)
#6 Maintain and review a project risk “register” of all potential project risks
 Maintain a log of all project issues and their resolution
o Risk description
o Owner
o Cause & effect
o Priority
o Status
o How resolved
 Analyze the log periodically for trends and recurring problems, to ensure root causes are corrected
o Assess the specific issue
o Assess the impact on the entire project
(COBiT ® Control Practices, page 64)

Risk Assessment Template
• Risk Assessment Template.xlsx
• Location:
• Contains:
 Template Overview & Definitions
 Risk Assessment Steps
 Blank Template
 Samples

• Flexible
 Create own risk categories
 Modify as appropriate

Risk Assessment Template (continued)
• Risk Assessment Steps
 Identify risks
 Assess risks based on estimated impact & likelihood of occurrence
 Identify points of contact to mitigate risk
 Identify risk mitigation strategy
 Identify monitoring in place
 Review for accuracy
 Reassess periodically
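As an added example (not from the slides or the Excel template), the following Python sketch of a risk register applies the template steps above together with the checks behind control practices #5 and #6: each risk is scored as impact × likelihood, open risks are ranked, and entries are flagged that have no owner, no recorded action for the chosen response, a high-priority risk simply accepted, no monitoring in place, or an overdue reassessment. The three-point scales, the priority cut-offs, the 30-day review interval and the sample entries are assumptions; the sample entries paraphrase risk examples from earlier in the deck.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Ordinal scales for the two dimensions the IIA definition measures risk on.
# Three-point scales and the priority cut-offs are assumptions for this example.
IMPACT = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3}
RESPONSES = {"avoid", "mitigate", "transfer", "accept"}


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str                     # integration, scope, time, cost, quality, ...
    impact: str                       # key of IMPACT
    likelihood: str                   # key of LIKELIHOOD
    owner: Optional[str] = None       # point of contact responsible for the response
    response: Optional[str] = None    # avoid / mitigate / transfer / accept
    action: Optional[str] = None      # the avoiding, mitigating or transferring action
    monitoring: Optional[str] = None  # what is watched to see the risk materialise
    last_reviewed: Optional[date] = None
    status: str = "open"

    def score(self) -> int:
        """Risk measured in terms of impact and likelihood: score = impact x likelihood."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    def priority(self) -> str:
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


def review(risk: Risk, today: date, max_age_days: int = 30) -> List[str]:
    """Register checks on one entry. Returns findings; an empty list means it passes."""
    findings: List[str] = []
    if risk.status != "open":
        return findings
    if not risk.owner:
        findings.append("no risk owner assigned")
    if risk.response not in RESPONSES:
        findings.append("no response decision recorded")
    elif risk.response != "accept" and not risk.action:
        findings.append("response chosen but no action recorded")
    elif risk.response == "accept" and risk.priority() == "high":
        # Accepting is a management decision; for a high-priority risk it should be documented.
        findings.append("high-priority risk accepted; needs documented management decision")
    if not risk.monitoring:
        findings.append("no monitoring in place")
    if risk.last_reviewed is None or (today - risk.last_reviewed).days > max_age_days:
        findings.append("reassessment overdue")
    return findings


def ranked(register: List[Risk]) -> List[Risk]:
    """Open risks, highest score first (equal scores keep register order)."""
    return sorted((r for r in register if r.status == "open"),
                  key=lambda r: r.score(), reverse=True)


def audit(register: List[Risk], today: date) -> Dict[str, List[str]]:
    """Findings keyed by risk id, for entries that fail at least one check."""
    out: Dict[str, List[str]] = {}
    for r in register:
        f = review(r, today)
        if f:
            out[r.risk_id] = f
    return out


# Constructed sample register (assumed data); entries paraphrase examples from the slides.
TODAY = date(2010, 8, 13)
SAMPLE_REGISTER = [
    Risk("R1", "Security & auditing requirements not considered", "scope", "high", "likely",
         owner="J. Doe", response="mitigate",
         action="Add security/audit requirements review to the phase gate",
         monitoring="Phase-gate checklist", last_reviewed=date(2010, 8, 1)),
    Risk("R2", "Right-to-audit clause not included in vendor contract", "procurement",
         "high", "possible", owner="Procurement lead", response="transfer",
         last_reviewed=date(2010, 5, 1)),
    Risk("R3", "Loss of key team members", "human resources", "medium", "possible",
         response="accept", monitoring="Monthly staffing review",
         last_reviewed=date(2010, 8, 10)),
    Risk("R4", "Errors in time estimates", "time", "low", "unlikely", owner="PM",
         response="accept", monitoring="Weekly schedule variance",
         last_reviewed=date(2010, 8, 12)),
    Risk("R5", "Funding uncertainty", "cost", "high", "likely", owner="Sponsor",
         response="accept", monitoring="Budget review", last_reviewed=date(2010, 8, 12)),
]

if __name__ == "__main__":
    for r in ranked(SAMPLE_REGISTER):
        print(f"{r.risk_id} score={r.score()} priority={r.priority()} {r.description}")
    for rid, findings in audit(SAMPLE_REGISTER, TODAY).items():
        print(rid, findings)
```

Running the block ranks R1 and R5 (score 9) ahead of R2 (6), R3 (4) and R4 (1), and reports R2 (no action, no monitoring, review overdue), R3 (no owner) and R5 (high-priority risk accepted without a documented decision); R1 and R4 pass. The same checks are what a reviewer would run over the template workbook before each phase gate.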

Summary
• Project risk management is an essential element of managing a project
 Should be done throughout the project
• There are several business benefits to managing project risk
• There are a number of mechanisms project teams should employ to manage project risk



