SIDEBAR: Get a Grip on Risk
How one IT department tracks 43 risks
Sandy Lazar, director of key systems for the District of Columbia, hasn't yet applied statistical analysis to his major software project, but he could. He's done all the prep work. His project management-based risk analysis is good, and it even includes some rough quantifications. Lazar has gone far with his risk management, and you'd do well to imitate his process.
Lazar and his team did all the basics. They researched risks from published literature, brainstormed for other risks, catalogued them in a standard format, planned mitigation and so on. They placed risks into three categories: risks to budget, risks to benefit realisation and risks to schedule.
The severity assigned to these risks is low, medium and high. The severity is further defined by a money or time scale. For example, a medium budget risk might equal 21 per cent to 60 per cent overrun on annual project costs. A high schedule risk might equal nine months or more delay.
Each risk is also given a probability of actually happening. This is derived in the research and brainstorming phase. Probabilities are high (51 per cent to 100 per cent likely), medium (16 per cent to 50 per cent) and low (0 per cent to 15 per cent).
Right now, Lazar's project tracks 43 risks. One local risk is "scope and complexity". One global risk is "political climate". Scope and complexity carries the potential to delay the entire project. Understandably, Lazar assigns this a high severity, although the probability of this risk materialising is medium, based on conversations with his team and research. For political climate - the risk of a change in DC's leadership - he assigned a medium severity and a low probability based on his team's knowledge of the current government's popularity and the chances a new administration could pull back on the project.
Each risk has a mitigation target and proposed mitigation, and there is a risk meeting each week to revisit and track risks. "The eye opener has not been the intellectual realisation of what risk is or how you use it, but the actual practice of it makes you realise how it has to be ingrained," says Lazar. "Really doing risk is work. Most IT departments don't want to do more work. They want to hit deadlines."
There are few IT departments that get beyond this, but with the data Lazar has, he easily could start quantifying his risks and running probability simulations. When you get to this point, we suggest you keep going.
SIDEBAR: Bookshelf Essentials
A short reading list for your crash-course in risk analysis
Title: Waltzing with Bears: Managing Risk on Software Projects
Authors: Tom DeMarco and Timothy Lister
The Skinny: A good introduction to statistical risk analysis written accessibly and humorously.
Excerpt: "First we need to take on a bit of organisational folklore that will otherwise get in the way - the notion that initiating a project without slack is the sign of really gutsy management. On the contrary, it's a sign of cowardice."
Title: Decision Making with Insight
Author: Sam Savage
The Skinny: An authoritative textbook with accompanying software on using Excel add-ons for statistical risk analysis. It's practical and helps visualise risk, but be prepared for some statistical rigour.
Excerpt: "When you have estimates of a low, most likely and high value for an uncertainty, it is often reasonable to use a random number generator with what is known as a Triangular Distribution."
Title: Risk and Decision Analysis in Projects
Author: John R Schuyler
The Skinny: Comprehensive overview of several types of methodologies including Monte Carlo simulation and decision tree analysis. Technical but accessible, it's more focused on concept, less focused on practice than Savage's book.
Excerpt: "The triangle distribution is very popular, though I've never seen a system in business or in nature generate values with a triangular shape. Simplicity is the appeal."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.