ArticlePDF Available

Increasing flexibility of risk management in it projects with isorisk curves and risk mapping

Authors:
Grigory Bubnov at Moscow Technological Institute
Grigory Bubnov
B. P. Titarenko at mgsu Russia
B. P. Titarenko
  • mgsu Russia
Sergei Titov at Moscow Technological Institute
Sergei Titov
R. Titarenko
R. Titarenko
R. Titarenko
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Download full-text PDF
Read full-text
Download citation

Abstract and Figures

The article deals with problem of prioritizing IT project risks. The widely used tool of risk prioritization is so called risk matrix which sometimes called also as probability and impact matrix. This matrix includes two dimensions-probability of risks and impact of risks on a project. In many situations the more flexible approach can be applied with the help of the risk maps that are describe in the text below. The risk maps seem to be especially useful for IT projects which are characterized by the big number of various risks and very dynamic environments.
Figures - uploaded by Sergei Titov
Author content
All figure content in this area was uploaded by Sergei Titov
Content may be subject to copyright.
Content uploaded by Sergei Titov
Author content
All content in this area was uploaded by Sergei Titov on Nov 09, 2015
Content may be subject to copyright.
Increasing flexibility of risk management in IT
projects with isorisk curves and risk mapping
G. Bubnov1, B. Titarenko2, S. Titov1 & R. Titarenko3
1 Moscow Technological Institute, Moscow, 119334, Russia.
2Moscow State Civil Engineering University, Moscow, 129337, Russia.
3Moscow State University for Economics, Statistics and Informatics,
Moscow, 119501, Russia.
Abstract
The article deals with problem of prioritizing IT project risks. The widely used
tool of risk prioritization is so called risk matrix which sometimes called also as
probability and impact matrix. This matrix includes two dimensions probability
of risks and impact of risks on a project. In many situations the more flexible
approach can be applied with the help of the risk maps that are describe in the
text below. The risk maps seem to be especially useful for IT projects which are
characterized by the big number of various risks and very dynamic
environments.
Keywords: Risk management, risk prioritizing, risk matrix, risk maps, IT project
risks, isorisk curve.
1. Introduction
Tools and techniques of project management are highly used in the high-tech
industries of the modern economy, especially in IT industry [4]. One of the most
important areas of IT project management is risk management. Within this area
one of the most crucial tasks is risk prioritization. Even in simple IT projects the
number of the identified risks can easily amount to as many as several hundreds.
Obviously, all the identified risks have different potential impact on a project and
should be treated differently. One group of risks can be considered as rather
immaterial and therefore ignored. Some other risks may become the most
important issues for the whole process of project management, despite of their
initial seeming unimportance. The process of prioritizing allows distinguishing
various risk categories in terms of their significance for the project and the most
appropriate managerial approaches to dealing with them.
Currently, the widely used tool of risk prioritization is so called risk matrix
which sometimes called also as probability and impact matrix (or chart). This
matrix includes two dimensions probability of risks and impact of risks on a
project. According to the assessments each risk is plotted on this two-
dimensional matrix [1]. Risks with insignificant probability and impact can be
considered as unimportant. Risks with high probability and impact will be of
high priority.
2. Limitations of the risk matrix
Despite the popularity of the risk matrix it has some limitations. First, the risk
matrix implies that project managers have to define the risk categories
(significant, moderate, unimportant and so on) before assessing and plotting the
risks onto the matrix. Second, the risk matrix does not provide opportunities to
map the risks and compare their probability and impact, especially if the project
manager has to deal with dozens of different risks. And third, the risk matrix
offers only discrete diapasons for different types of project risks. In some
situations, especially when it is difficult to define in advance the possible risks
categories (cells of the risk matrix) and the number of risks in each category, the
risk matrix becomes not very flexible for practical use [2].
In such situations the more flexible approach can be applied with the help of
the risk maps that are describe in the text below.
3. Risk maps and isorisk curves
The risk map is the space with two dimensions probability and impact of risks.
But in contrast to the risk matrix there are no cells that are established in
advance. The impact of risks is usually depicted as a horizontal axis. The impact
of risks can be measured in terms of the negative (or positive) consequences for
the project if the risk takes place. For example, these consequences can be
associated with the potential additional expenses, or time delays, or deterioration
of the quality. But only one measure should be selected in advance and applied
to all of the project risks. Usually, the impact of the risks is measured in terms of
the additional expenses occurring in the case of the risk happens. The vertical
axis is used to measure the probability of risk occurrence. The standard approach
here is to measure the risk probability along the scale from 0 (the risk is
impossibly to happen) to 1 (the risk will definitely occur).
Each risk is plotted as a dot on this two-dimensional space according to its
probability and impact estimations. In situations when it is very difficult to
estimate the probability and impact of the risk with only two exact numbers the
diapasons can be used. In this case the risk will be depicted not as a dot, but as a
rectangle.
After all project risks are plotted on the map the risk categories can be defined
and put on the map. The risk category definition should be based on the analysis
of the number of the project risks in each areas of the map, the necessity to
establish more detailed category system (project manager can easily introduce
two, three or even more different categories), the scope and boundaries of each
category. The risk categories can be put on the map with the help of the isorisk
curves. The isorisk curve is a curve that consists of the dots with the same
product of probability and impact. These curves comprise the potential risks with
the same expected consequences for the project and can be used as the
boundaries of different risk categories. Let us illustrate the application of the risk
maps for a IT project.
In Table 1 the main estimations of the ten different project risks are given.
These estimations include the probability of risk occurrence, the probability of
the risks influence on the project, the overall probability of risks (the product of
the probability of the risk occurrence and the risk influence), and risk impact on
the project (defined in terms of the additional labor time needed to deal with the
risk consequences).
Table 1: Data for the risk map for a typical IT project
Risk event
Probability of
risk
occurrence
Probability of
risk influence
Overall
probability of
risk (2x3)
Impact of risk
on project
(additional
man-days)
1
2
3
4
5
R1
0,7
0,9
0,63
25
R2
0,7
0,7
0,49
15
R4
0,7
0,9
0,63
5
R5
0,5
0,9
0,45
22
R7
0,3
0,7
0,21
13
R9
0,3
0,5
0,15
4
R10
0,1
0,5
0,05
25
R13
0,9
0,9
0,81
17
R16
0,9
1
0,9
22
R18
0,3
0,9
0,63
5
All risks are plotted on the risk map. The overall probability of risks is used to
define position of a risk along the vertical axis and the impact of the risk on the
project to define horizontal coordinates of the risks.
Assume that after the consideration of the data shown in Table 1 and the risk
map the project manager decided to use only two risk categories significant
and insignificant risks. The risks with the expected additional labor time above 5
man-days should be considered as significant and the manager should elaborate
the contingency plan to deal with these risks. The risks with the expected impact
below 5 man-days can be considered as insignificant and due to this fact the
project manager can ignore them and concentrate his efforts only on the
significant risks.
The isorisk curve in this case goes through all the dots which coordinates on
the risk map have the product equal 5. The coordinated of these dots are (5; 1),
(10; 0,5), (20; 0,25) and so on. The resulting risk map with the isorisk curve
separating significant risks from insignificant is shown on Fig.1.
Overall probability of risk
0,1
0,2
0,3
0,4
0,5
0,6
0,7
0,8
0,9
1,0
Additional labor time needed to deal with risks (man-days)
255 10 15 20
Risk 1
Risk 16
Risk 13
Risk 2
Risk 5
Risk 4
Risk 9
Risk 18
Risk 7
Risk 10
Isorisk curve 5 additional man-
days
Area of significant risks
Area of insignificant risks
Fig.1: Example of the risk map with two risk categories
From Fig.1 it is clear that such risks as R4, R7, R9, R10 and R18 are in the
category of the insignificant risks. Risks R1, R2, R5, R13 and R16. But actually,
all these conclusions could be made with the help of the risk matrix. The
advantages of the risk map are connected with its flexibility. For example, if the
project manager has significant reasons to change the boundaries between
different risk categories, he or she can easily do it without the necessity to re-
map the risks. The project manager can easily fine-tune the risk category
boundary. For instance, the threshold between categories can be not 5 man-days,
but 6 or 4 man-day. For changing the threshold the project manager can just
change the position of the isorisk curve and see the result. In the case of the risk
matrix the project manager has to change the whole risk matrix and introduce
additional columns and rows into it.
Besides, it is not difficult to establish additional risk categories. If the project
manager finds the necessity to distinguish all risks into four categories, he should
define the boundaries between them. For instance, by depicting the isorisk curves
associated with the thresholds of 5, 10 and 15 additional man-days he can
identify insignificant, controllable, dangerous and extreme risks as it is shown in
Fig.2. If it is needed, the categories with different scope (different areas) can be
introduced, so that the zone of controllable risks would be larger than any other
zones.
0,1
0,2
0,3
0,4
0,5
0,6
0,7
0,8
0,9
1,0
255 10 15 20
Risk 1
Risk 16
Risk 13
Risk 2
Risk 5
Risk 4
Risk 9
Risk 18
Risk 7
Risk 10
Insignficant risks
Controllable risks
Dangerous risks
Extreme risks
Overall probability of risk
Additional labor time needed to deal with risks (man-days)
Fig.2: Example of the risk map with four risk categories
In order to introduce new and different terms of the scope risk categories in
the risk matrix the whole matrix should be changed which can be very time-
consuming task, especially in the case with big number of different project risks
which is usually the case for IT projects.
4. Summary
To conclude, the risk maps can be considered as more flexible and more robust
tools for analysis and prioritization of project risks [3, 5]. The risk maps can be
used instead of or in addition to the more traditional risk matrix. The risk maps
seem to be especially useful for IT projects which are characterized by the big
number of various risks and very dynamic environments.
References
[1] PMI. A Guide to the Project Management Body of Knowledge. Project
Management Institute Standards Committee, 2013
[2] Titarenko, B., Titov, S. & Titarenko, R. Risk management in innovation
projects. Applied Mechanics and Materials, 638-640, pp. 2338-2314, 2014
[3] Titarenko, B.P. Robust technology in risk management. International Journal
of Project management, 15 (1), pp. 11-14, 1997
[4] Titov, S.A. Projects and project management in the high-tech industries of
the modern economy. Cloud of Science, 1 (1), pp. 155-176, 2014
[5] Nikulchev, E. Simulation of robust chaotic signal with given properties.
Advanced Studies in Theoretical Physics, 21 (8), pp. 939-944, 2014
... In order to prioritize project risks their potential impact on project and probability of their occurrence are to be estimated and on the basis of these estimation risks can be put into different categories [2,3,5]. Though there are traditional methods of risk probability estimation and practical tools for visual categorization of risk these methods and tools have some limitations in the context of engineering project risk management [8][9][10]. ...
... In the article by B. Titarenko, S. Titov and R. Titarenko it was indicated that the robust methods of risk probability estimation imply the change in the practical tools of project risk prioritization [8]. G. Bubnov, B. Titarenko, S. Titov, R. Titarenko demonstrated that the more appropriate for robust methods tools of project prioritization can be risk maps and isorisk curves [10]. Risk maps and isorisk curves are more flexible and allow depicting project risks in more detail than traditional practical tools of project risk prioritization such as a risk matrix. ...
Isorisk Curves as a Tool for Increasing Flexibility of Risk Management in Engineering Projects
Article
Full-text available
  • Oct 2015
Engineering projects are characterized by high significance of the risk management. One of the most important tasks of the project risk management is risk prioritization. Prioritization implies that the probability and impact of risks on a project are estimated. The risk probability can be calculated with the help of different methods of random variable estimation. The article shows that though the probabilistic, scenario , expert and statistical methods can be used in practice of project risk management , in the projects characterized by the high uncertainty, such as engineering projects, the robust methods proved to be more productive and reliable. One of the widely used practical tools of risk prioritization is risk matrix which sometimes called also as probability and impact matrix. The risk matrix includes two dimensions – probability of risks and impact of risks on a project. The article suggests that instead of the risk matrix in engineering projects the more flexible 992 G. Bubnov et al. approach can be applied. This approach is based on the application of the risk maps and isorisk curves. The isorisk curves and risk maps seem to be especially useful for engineering projects with big number of various risks and very dynamic environments .
View
Motivation of Project Teams in the Conditions of Remote Work
Chapter
  • Jan 2022
This contribution is devoted to the consideration of issues on the project team motivation in the conditions of remote work. Specific features of companies are revealed, the authors discuss aspects of falling motivation in project teams during remote work and the possibility of increasing it due to non-monetary incentives, analyze the scientific literature of domestic and foreign scientists in the field of project management. As a result of the study, the authors come to the conclusion that project teams in the framework of remote work reduce their motivation. It is necessary to increase motivation both in advance (before switching to remote work or before the start of the project), while working on the project.
View
Risk Management in Innovation Projects
Article
Full-text available
  • Sep 2014
The report deals with projects risk management approaches and methods. The methods are based upon the main provisions of the following standards: International Competence Baseline, published by International Project Management Association – IPMA and National Competence Baseline published by Russian Project Management Association – SOVNET. It is known two types of risk management methods: qualitative and quantitative. Qualitative methods deal with procedures that reduce the risk of risk situations and the quantitative methods allow to produce quantitative estimates of the proposed activities using SOVNET system methodology.
View
Simulation of Robust Chaotic Signal with Given Properties
Article
Full-text available
  • Oct 2014
Task simulation of dynamic chaos in the observed time series is given a lot of attention. Strange attractors are observed in many application processes. Therefore, the task of simulation is important for controlling and predicting in the dynamic behavior. In the article we consider the problem of constructing the model on the properties of the observed data. Requirements for the model are simulating signal quality with adequate properties of the original process. An efficient model that allows you to build a robust chaos developed. Computational examples are given here.
View
‘Robust technology’ in risk management
Article
  • Feb 1997
  • Int J Proj Manag
This paper deals with ‘robust technology’—the special technique for simulation, investigation, forecasting and estimation of parameters of the stochastic models in project management. The risk problems can be investigated with modern methods of mathematical statistics. The socalled ‘robust approach’ is a powerful tool to receive stable (robust) estimates of parameters of stochastic models in situations where the models are known approximately. The problems of risk management are considered in terms of the theory of decision analysis. Robust methods of management in situations of uncertainty are discussed.
View
Projects and project management in the high-tech industries of the modern economy
  • Jan 2014
  • 155-176
  • S A Titov
Titov, S.A. Projects and project management in the high-tech industries of the modern economy. Cloud of Science, 1 (1), pp. 155-176, 2014
Guide to the Project Management Body of Knowledge. Project Management Institute Standards Committee
  • Jan 2013
  • Pmi
PMI. A Guide to the Project Management Body of Knowledge. Project Management Institute Standards Committee, 2013