The Facts

• The objectives of risk management for IT projects are to identify all risks that might be a threat to the success of the project, minimize those risks where possible and provide a formal project management plan for assessing risks and creating risk-reducing actions.
  
  

Types

• There are five main types of risk in project management: external risks, cost risks, schedule risks, technology risks and operational risks. External risks are outside of the control of the company and include items such as marketplace developments, government regulatory changes, legal issues and natural disasters. Cost risks include cost overruns by vendors or subcontractors, budget overruns and poor estimating. Many cost risks fall directly or indirectly under the control of the project manager. Schedule risks can cause a product to fail by missing or delaying a market opportunity. These risks are usually caused by inaccurate estimating, increased effort to solve technical, operational or external problems and resource shortfalls. When a system fails to meet target functionality, it is usually due to technology risks. Technology risks include items such as undocumented requirement changes, use of the wrong tools, integration problems and software/hardware performance issues. Operational risks are more closely associated with organizational structure and personnel. These risks include failure to give authority to key people, insufficient communication and inadequate resolution of conflicts.
  
  

Identification

• Proper identification of risks is crucial to a successful risk management plan. Once risks have been identified, they are evaluated by likelihood of occurrence, severity of impact and level of controllability. Risk likelihood is rated on a 1 to 5 scale from very unlikely to nearly certain. Severity is rated on a 1 to 5 scale from minor impact on cost, schedule or performance to total project failure. Controllability is rated on a 1 to 5 scale from avoidable to completely uncontrollable.
  
  

Prevention/Solution

• Where possible, actions should be taken to mitigate identified risks before they can occur. For risks that can't be accurately predicted or avoided, a contingency plan needs to be in place. A good contingency plan includes detailed guidelines, checklists and worksheets that clearly explain how to implement the plan when necessary.
  
  

Potential

• Once several projects have made it through to completion, the company can develop an enterprise risk profile. An enterprise risk profile is a documented set of management techniques and solutions for specific recurring problems. The company determines the recurring problems by performing trend analysis from their past projects' risk history. An enterprise risk profile offers immediate guidance or solutions for some of the more problematic issues that arise during product development.