Risk Assessment - Gunadarma University
Download
Report
Transcript Risk Assessment - Gunadarma University
Risk Assessment
Risk Assessment
Goal:
• being able to prioritize risks according to
their impact and likeness on the project
• Making explicit the information
necessary to define the risk
management strategies (risk
management planning)
Techniques
• Two techniques:
– Qualitative risk analysis
• Simpler
• Can be used when no precise information about
probabilities of risk is available
– Quantitative risk analysis
• More systematic
• Suitable for mathematical analysis
• Provide figures on the (economial) impact of risks
Qualitative Risk Analysis
A three-step process
• Define probability, impact, and score
• Organize risk
• Highlight significant risks
Qualitative Risk Assessment
• Define classes of probabilities and classes of
impact
• Example
– Probability: Very low, low, moderate, high, very
high
– Impact: negligible, low, moderate, severe,
catastrophic
– Risk Score: low, medium, high
Qualitative Risk Assessment
… or numeric:
Very Low
0.1
1
Negligible
0.1
1
Low
0.3
2
Low
0.3
2
Moderata
0.5
3
Moderate
0.5
3
High
0.7
4
Severe
0.7
4
Very High
0.9
5
Catastrophic
0.9
5
Risk Score = P x I
Risk analysis (i)
Risk
Probabi l i ty
Effe cts
Organisat ional financial problems force reduc t ions in
the project budget.
Low
Catast rophic
It is impossible to recruit staff with the skills required
for the project .
High
Catast rophic
Key staff are ill at critical t imes in the project.
Moderat e
Serious
Software component s that should be reused contain
defect s which limit their functionality.
Moderat e
Serious
Changes to requirements t hat require major design
rework are proposed.
Moderat e
Serious
The organisation is rest ructured so that different
management are responsible for t he project.
High
Serious
Risk analysis (ii)
Risk
Probabi l i ty
Effe cts
The dat abase used in the system cannot process as
many transact ions per second as expected.
Moderat e
Serious
The time required to develop the software is
underestimated.
High
Serious
CASE tools cannot be integrated.
High
Tolerable
Customers fail t o understand the impact of
requirements changes.
Moderat e
Tolerable
Required training for staff is not available.
Moderat e
Tolerable
The rate of defect repair is underestimated.
Moderat e
Tolerable
The size of the software is underestimated.
High
Tolerable
The code generated by CASE tools is inefficient.
Moderat e
Insignificant
Risk Matrix
Negligible
Very High
Low
Catastrophic
R5
R2
R6, R7, R8
R3
Low
Very Low
Severe
R1
High
Moderate
Moderate
R4
R9, R10
Risk Matrix
Negligible
Very High
Low
Catastrophic
R5
R2
R6, R7, R8
R3
Low
Very Low
Severe
R1
High
Moderate
Moderate
R4
R9, R10
Risk Matrix
Negligible
Very High
Low
Catastrophic
R5
R2
R6, R7, R8
R3
Low
Very Low
Severe
R1
High
Moderate
Moderate
R4
R9, R10
Socially constructed risk
Two problems with qualitative risk
• People will believe some things are
risk, even when the statistics
indicate they aren't (and vice
versa). We are "risk illiterate”
• Who says what the probabilities
are? How do we calculate the risk
exposures objectively?
Socially Constructed Risk
• When seeking to put people's minds at rest,
qualitative risk assessment may not be
enough
• When assessing risk "objectively", we are in
fact using subjective judgements
… People are emotional!
(and fortunately so)
Some examples of real risks
Did you know:
• you should be more frightened of taking a bath than of
walking down a dark alleyway
• you should be more wary of yourself than of flying in a plane
Chances are your death will be by:
•
•
•
•
•
•
•
being shot by a stranger...1 in 22,500
drowning in the bath...1 in 17,500
plane crash...1 in 800,000
car accident...1 in 300
suicide...1 in 160
accidental fall...1 in 150
cancer...1 in 4
Quantitative Risk Analysis
Similar as qualitative:
• Define probability and impact (in a sense:
which depends on the techniques; how
depends on the domain)
• Use techniques to numerically assess risks
and to visualize data
• Highlight significant risks
Quantitative Risk Assessment
• Approach: Expected monetary value analysis. It
computes the expected monetary outcome (according
to different statistical criteria) of a decision/risk
– Technique: Decision tree analysis. Technique that
helps solving the EMV analysis.
• Approach: Modeling. Provide a model of the project.
– Technique: Sensitivity analysis. Helps determining
which risks have the most impact by examining one
variable at a time. (Tornado diagrams)
– Technique: simulation, monte-carlo technique.
Decision Theory
S1
S2
S3
S4
S5
D1
C11
C12
C13
C14
c15
D2
C21
…
D3
C31
D4
D5
c55
Decision Theory
• Si: states of the system
• Dj: decisions (risks)
• Cij: cost associated to Dj in Si
Decision Theory
Choose cost of decision according to different
strategies:
• Minimax, take the decision which has the
maximum minimum gain associated do D
• Average, take the decision which has the
maximum average gain associated
• Max, take the decision which has the
maximum gain associated
… who’s optimistic, who’s pessimistic?
EMV
• Decision D has probability pj of
generating gain gj (j = 1..N, SUM(pj) =
1)
• Expected Monetary Value associated to
D is
– EMV(D) = SUMj(pj * gj)
• Take decision with maximum EMV
Decision Trees
• A way of computing EMV
• It graphically represents all the possible
outcomes in a tree
• Costs are associated to leaves (and
propagate to nodes)
• Probability are associated to labels
Event Trees
“Software Risk Management: Principles and Practices”
[Boehm IEEE Software 1991]
Modeling
• Define a model for the decision/project
(some formula describing how inputs
are transformed into outputs)
• “Play” with the formula to understand
the main factors (sensitivity analysis) or
to get a global value
Developing a tornado diagram
Second
NPV (Primary Criterion)
Length of bar
indicated impact
Market Share
on NPV
one variable
at a time
Market Size
6%
10%
100,000
120,000
120
Labor Cost
15%
150,000
60
100
Material Cost
Investment
Engineering Budget
Third
Uncertainties are
sorted in descending
order of impact
on NPV
(100)
(50)
-
50
100
Base Value $100
150
200
First
250
Montecarlo Simulation
• Automatically varies input variables
(according to their statistical distribution)
to get a probability distribution of the
outputs
Quantitative Risk Assessment:
Outputs
• Probabilistic Analysis of the project:
estimates of the possible schedule and
cost overruns with their probabilities
• Prioritized list of quantified risks:
risks that pose the greatest threat or the
greatest opportunity to the project
• Trends (by repeating the process,
trends may emerge)
Risk Response Planning
• Risk Response Planning
– Goal: define the strategies for taking
care/exploit risks
Strategies: Menaces
• Avoid.
– Change the plan to eliminate the threat (increase
time, relax objectives, take corrective actions increase time to do requirements)
• Transfer.
– Shift the negative outcome to a third party. It
transfers responsibility, it does not eliminate the
risk (insurance, contracts to transfer liability… they
require to pay you a price)
• Mitigate
– Reduce probability or impact (often better than
trying and repare the damage; prototyping)
Strategies: Opportunities
• Exploit
– Eliminate uncertainty relate to the occurrence of
the opportunity (e.g. assign more talented people,
provide better quality)
• Share
– Allocate responsibility of exploitation to a third
party (joint-ventures, partnerships, …)
• Enhance
– Modify the size of an opportunity by increasing
probability and/or positive impact
Strategy for both Threats and
Opportunities
• Acceptance
– Difficult to deal with all the risks
– May be:
• Passive: just let the team deal with them
• Active: provide some buffer (time, money, …)
• Contingent Response Planning
– Prepare a plan to implement if the risk
occur
Risk management strategies
(i)
Risk
Strategy
Organisat ional
financial problems
Prepare a briefing document for senior management
showing how the project is making a very important
cont ribution to the goals of the business.
Recruit ment
problems
Alert customer of potent ial difficult ies and the
possibility of delays, invest igate buying-in
component s.
Staff illness
Reorganise t eam so that t here is more overlap of work
and people therefore understand each other’s jobs.
Defect ive
component s
Replace potentially defect ive components with bought in components of known reliability.
Risk management strategies
(ii)
Risk
Strategy
Requirement s
changes
Derive traceabilit y informat ion to assess requirement s
change impact , maximise informat ion hiding in the
design.
Organisat ional
rest ructuring
Prepare a briefing document for senior management
showing how the project is making a very important
cont ribution to the goals of the business.
Database
performance
Invest igate the possibility of buying a higherperformance database.
Underestimat ed
development t ime
Invest igate buying in components, invest igate use of a
program generator
Risk Response Planning:
Outputs
• Strategies for dealing with the risks
• Triggers (elements used to monitor and
understand whether a risk has
occurred)
• People responsible of monitoring the
risk
• People responsible of applying
contingency plans
Risk Monitoring and Control
• Process
–
–
–
–
Analyse deviations
Identify causes
Evaluate corrective actions
Modify current plan
• Mind:
– Planned risks dealt with as above
– Unplanned risks require the full process!
Risk Management:
Conclusions
Risk Management Process
Risk homeostasis
People accept a certain degree of risk, regardless
of what you do to reduce it
• Today, life is "safer" than ever before, but mortality rates
remain static (Gerald Wilde, cited in Bryson, 1997)
• Cars with ABS (anti-lock braking systems) no longer attract
insurance discounts because their drivers drive more
recklessly/carelessly
• As we take measures to make our projects more predictable
and safer, we can expect people to ask us to undertake more
risky work
It’s amazing – how many
“intelligent” people take this
approach to understanding
uncertainty/risk
Winners in the business world need to Manage uncertainty/risk
© [email protected]
Risk management Principles
•
•
•
•
•
•
•
Global perspective Viewing software development within the context of the larger systemslevel definition, design, and development. Recognizing both the potential value of
opportunity and the potential impact of adverse effects.
Forward-looking view Thinking toward tomorrow, identifying uncertainties, anticipating
potential outcomes.Managing project resources and activities while anticipating
uncertainties.
Open communication Encouraging free-flowing information at and between all project
levels.Enabling formal, informal, and impromptu communication. Using processes that value
the individual voice (bringing unique knowledge and insight to identifying and managing
risk).
Integrated management Making risk management an integral and vital part of project
management. Adapting risk management methods and tools to a project's infrastructure and
culture.
Continuous process Sustaining constant vigilance. Identifying and managing risks
routinely through all phases of the project's life cycle.
Shared product vision Mutual product vision based on common purpose, shared
ownership, and collective communication. Focusing on results.
Teamwork Working cooperatively to achieve common goal. Pooling talents, skills, and
knowledge.
Most Common Errors
• Do not identify a maximum risk value.
– Give up a project if too risky
• Do not write a balanced risk management
plan
– Not to big, not to simplicistic
• Misinterpret effects as causes
– Being late with the project
– We may be charged 100.000 euros as a penalty
• Do not apply contingency plans
– Dealing with risk when they occur is more errorprone than think about the strategies before they
occur
Most Common Errors
• Do not involve actors
– Make sure stakeholders understand
consequences of the risk (share the risk);
involved stakeholders in dealing with them
• Do not update the plan
– Helps keeping the contingency plans really
applicable
Exercise
• Write the risk management plan for the
digital-divide project
• Write the risk management plan for the
e-procurement project