CHAPTER 2

2.1 Preview

This chapter provides the reader about the theory and rationale behind the use of Organisational Risk Analysis (ORA) on project management and its methodologies available in the market. It will also cover the work of different authors to afford better understanding of the subjected area i.e. Project management, Risk analysis and Organisational risk analysis. The source of information of this literature review is mainly from books, journals and white papers.

2.2 Introduction

Through this literature review one can know what others understanding about this study i.e. nothing but historical perspectives. First part of the literature focuses on project management and risk analysis and risk analysis types, second part of this literature focuses on Organisational Risk Analysis (ORA) and Role of ORA in Project management. It mainly concentrates on Project management, risk analysis and organisational risk analysis.

2.3 Introduction to Project Management:

PMBOK (Project Management -- Body of Knowledge as defined by the Project Management Institute — PMI):"Project management is the application of knowledge, skills, tools and techniques to project activities to meet project requirements." (PMI 2004)

According to James P. Lewis “The Project management is facilitating the planning, scheduling and controlling of all activities that must be done to achieve project objectives” (James P. Lewis: 2007)

PRINCE 2 project management methodology: "The planning, monitoring and control of all aspects of the project and the motivation of all those involved in it to achieve the project objectives on time and to the specified cost, quality and performance."
A project is usually one time activity with a well defined set of desired and results. It can be divided into subtasks that must be accomplished in order to achieve the project goals.

In this day and age also it is assumed that project management can be enhanced by scientific methods. There is a very strong reason why these beliefs are created, it all accounts to the fact that today's modern world has given professionals numerous amount of opportunities to execute their projects successfully. Such are the kind of investment options that are given to project investors. They are briefed with all the minute details so that they feel that their investment is secure. They also make sure that the estimated time of completion and the end can be calculated at the beginning of the project itself. The decisions that are taken on a technical basis or which are taken looking at the low opportunity costs that it presents are reversible in nature. The demand for resources can also be calculated once the initial parameters such as the duration and time frame of the project are estimated. Due to the advancement in technology even the most terrible consequences can be predicted. “The failure of the project was due to the lack of skills rather than an inappropriate feasibility, suitability or acceptability of the solution. This is a normal–science view of project management.” (Charette and Robert, 1996)

The projection of ideas and activities into new accomplishments are one of the common characteristics of all projects. There are many different definitions of what constitutes project management such as “An unique set of co-ordinated activities, with definite starting and finishing points, undertaken by an individual or a team to meet specific objectives within a definite period of time, cost and performance parameters” (Office of Government Commerce). (Web4, 2009)

J. Pinto and Prescott (1990) stated, “Researchers in project management need to first and most importantly offer a comprehensive, inclusive, and clear definition of project success before attempting to undertake studies of the project implementation process”. (J.Pinto and Prescott, 1990)

The modern project management started in 1950s, before this period projects were executed in an unplanned manner and the methods and tools used for execution were not professional in nature. The importance of project management is a very important topic because all organisations i.e. either be they are small or large organisations, those are involved in implementing new accomplishments. These accomplishments may be diverse, such as, the improvement of an innovative product, introducing a new range of products in a manufacturing base, a promotional advertisement or a major construction project. In the 1980's the focus was more on the quality of work. Globalisation played a huge role in the 1990's as we were trying to improve our economy, the 2000's saw projects with decreased time frames. A new field known as project management was developing from all new areas of application which included construction, engineering, telecommunications, and defence. This emerging field has now become an important part of our economy as it has produced a string of fabulous results. Hence it is now being applied by the corporate world as well as the government. Duncan Haughey (2008) explained some main definitions of what project management is:

“Project management is not a continuous process. It has a definite beginning and end.”
“Project management uses various tools to measure accomplishments and track project tasks. These include Work Breakdown Structures, Gantt charts and PERT charts.”
“Projects frequently need resources on an ad-hoc basis as opposed to organisations that have only dedicated full-time positions.”
“Project management reduces risk and increases the chance of success.”
“Successful project management is delivering your projects on time, to brief and within budget.” (Duncan Haughy, 2008)

2.3.1 Methodology of Project Management:

According to Bradley (2002) Project management methodology means “Project Management Methodology focuses on the project and can be in any industry and any type of projects ranging from construction to aerospace industries and from projects of Financial to IT in nature, it encompasses all projects”

The above diagram shows the main components of one of the main project management methodology. Some of the elements like project start-up and project closure occur only once. The remaining elements like planning, managing and controlling, form an interactive cycle that may repeat many times before the completion of the project. In other words we can also say project management is the discipline of planning, organising and managing resources to bring about the successful completion of specific project's goals and objectives. Each and every project is different in nature. Any project would involve a certain amount of risk and hence require perfect planning and execution if they have to succeed. The main aim of project management is to predict any complications or problems in the project well before hand so that when the project plan is made all these factors can also be taken into consideration and hence the chances of the project being completed successfully would be much higher.

Almost every project we do in today's business world involve a risk of some kind: change in customer needs, unrealistic time scales, inappropriate staff, poor project specifications , failure to manage user expectations could delay the project. Projects need to be performed and delivered under certain constraints. Traditionally these constraints have been listed as scope, time and quality. This is also called as ‘project management triangle'.

One side of the triangle cannot be changed without affecting others. The time constraint refers to the amount of time available to complete a project, scope refers to what must be done to produce the project's end result and cost refers to the budgeted amount available for the project.
Increasing Scope ( Increasing Time + Increasing Cost
Decreasing Time ( Increasing Cost + Reducing Scope
Tight Budget ( Increase Time + Reducing Scope.

If we modify any of the factors, the other two has to be changed, if not the risk may appear high. But formal risk analysis and risk management can help you to assess these risks and decide what action to take to minimize disruptions to your project plans.

According to J. Davidson Frame (2007) the basic outline of project management is described below "Project managers bear ultimate responsibility for making things happen. Traditionally, they have carried out this role as mere implementers. To do their jobs they needed to have basic administrative and technical competencies. Today they play a far broader role. In addition to the traditional skills, they need to have business skills, customer relations skills, and political skills. Psychologically, they must be results-oriented self-starters with a high tolerance for ambiguity, because little is clear-cut in today's tumultuous business environment. Shortcomings in any of these areas can lead to project failure." – (J. Davidson Frame, 2007)

Project management is discipline that applies to any project; every company has their own way of doing their projects. The project management is not very easy it is totally a leadership position and with technical talent it cannot be done. Project manager without enough experience cannot hold for a long-time on the same project if the assumption of the company goes wrong in selecting the project manager it will be in risk. (Sanjay Murthi, Preventive Risk Management for Software Projects)

2.4 Risk Analysis:

The word ‘RISK' derives from the early Italian risicare, which means ‘TO DARE'. (Webster's Dictionary: 1989)

One of the most important activities in project management is to identify and manage the uncertainties and problems during the project tenure. When dealing with research and development projects it must be made note of that the number of events present are very high which could alter the course of the project

The amount of risk involved in the project would mainly depend on the size of the project. The contractors of the project are the people who deal with the risks of the project, their main duties would involve to identify risks. Then they study them and find as solution so that could remove or minimize them. Apart form this they should also have a clear understanding of the different types of risk involved and ways as to how they can be managed and projects can be completed in a risk free manner.

(The Owner's Role in Project Risk Management National Research Council (U.S.A). Committee for Oversight and Assessment of U.S. the national academic press, Washington DC).

A report that shows assets, vulnerabilities, likelihood of damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs and estimated probable savings from better protection. A "risk analysis" is the process of assessing the level of risk involved, this is also known as a "threat and risk assessment." A "threat" is a harmful act such as the deployment of a virus or illegal network penetration. A "risk" is the expectation that a threat may succeed and the potential damage that can occur. (Web1, 2009)

Risk analysis allows you to examine the risks that your organization faces. It is the process of systematically identifying and assessing the potential risks and uncertainties that occur when trying to achieve a certain goal (like reaching a target income or finishing a project), and then finding a feasible strategy for most efficiently controlling those risks.

‘The systematic process to understand the nature of and to deduce the level of risk. It provides the basis for risk evaluation and decisions about risk treatment.' (AS/NZS 4360:2004 (p. 4).

According to Michael R. Greenberg ”Risk Analysis - ranked among the top 10 journals in the ISI Journal Citation Reports under the social sciences, mathematical methods category - is designed to meet the need for organization, integration, and communication and provide a focal point for new developments in the field.” (Michael R. Greenberg: 2008)

Evidence from the literature suggests that project managers perform risk analysis because somebody else, e.g. their client, the parent company or the Government, has demanded it (Boothroyd, 1996; Smith, 1998).

The analysis of risk is being increasingly viewed as a field in itself, and the demand for a more orderly and formal treatment of risk is great. This international journal is committed to publishing critical empirical research, conference proceedings, and commentaries dealing with risk issues. In other terms we can say the measure of risk can be determined as a product of threat, vulnerability and asset value in an organisation.
Risk = Asset * Threat * Vulnerability.

Risk analysis may play an important role in cost- benefit studies, which compare the costs of a particular action or project against its potential benefits. It is a systematic study of uncertainties and risks we encounter in business, engineering and many other areas. Risk analysts seek to identify the risks faced by an organization or a business unit, understand how and when they arise, and estimate the impact of adverse outcomes. Techniques used in risk analysis include sensitivity analysis, probability analysis, simulation and modeling. Risk analysis may be used to develop an organizational risk profile, and also may be the first stage in risk management program. Risk analysis may be undertaken to varying degrees of detail depending upon the risk, the purpose of the analysis, and the information, data and resources available.

In today's world where competition has become global, it is very important that firms control the different kinds of risk that they are dealing with as it has become an essential part in achieving corporate success. The people who are involved such as customers, investors and others asking companies for complete transparency on their investments. Thus risk analysis is necessary to protect an organisation's competitive position. Most industries are particularly plagued by risks, but it has been slow in realising the potential benefits of sound and systematic risk management (Al-Bahar and Crandall, 1990; Ward et. al. 1991; Thomson and Perry, 1992; Flanagan and Norman, 1993; Raftery, 1994; Fellows, 1996; Edward and Bowen, 1998).While coming for the software industries risk analysis and management are a sequential progression that help in guiding a software team in understanding and managing risks. A risk is a potential problem, it might happen, it might not. But regardless of the outcome it is really good idea to identify it, assess its probability of occurrence, estimate the impact and establish a contingency plan should the problem actually occurs.
According to Bernstein “the mystery of risk is a critical step in the development of modern society. One can discuss the validity of his conclusion, but there should be no doubt that risk and uncertainty are important concepts to address for supporting decision-making in many situations”.

This Risk Analysis may be qualitative, semi-qualitative or quantitative or a combination of these three, depending on the circumstances. The criticality of risk analysis doesn't wholly depend on identifying the risk factors. It also depends on categorizing them according to their threat level. So let us see how the whole concept of risk analysis starts. There are two types of risk analysis. Both these methods are very important in the assessment of risk and can be executed in any order. It is very important to understand the difference between these two risks as there is a very thin line separating them. Those are:
Quantitative Risk Analysis
Qualitative Risk Analysis

(Identification of types of risk analysis)
2.5. Quantitative Risk Analysis:

Quantitative Risk Analysis has become an important component of project management. Quantitative risk analysis attempts to assign independently objective monetary values to the components of the risk assessment and to the assessment of the potential loss.

According to Guide to the Project Management Body of Knowledge (PMBOK ® Guide, Third edition 2004, Project Management Institute) “Quantitative Risk Analysis is performed on risks that have been prioritized by the Qualitative Risk Analysis process as potentially and substantially impacting project ‘s completing demands. The Quantitative Risk Analysis process analyzes the effect of those risk events and assigns a numerical rating to those risks.” (PMBOK Guide, 2004)

This method gives the project manager a foresight as to how the project would progress if risks associated with it would occur. Hence due to this method the project mangers are able to counter these risks and also account to better execution of projects. A quantitative risk analysis offers the following distinct advantages:
much more neutrality is involved in this assessment
offers much more advantages to management when compared to assessment techniques More powerful selling tool to management
It is very flexible in nature and can be moulded to different situations.
It can be adjusted according to the needs of specific industries.
Its appeal is very universal in nature and hence does not give rise to much disagreements
The base facts of the analysis are very convincing ones.

In order to implement quantitative risk analysis, the total estimated value that would account to the losses that would occur due to time delay, theft or loss of data is to be calculated. Then a probability analysis is done so that the chances of the risk occurring can be calculated. After all this is done in the final step the annual loss expectancy is calculated. (Miller).

A quantitative risk analysis analyses the results that certain controversial units would have on outcomes that we are most concerned about such as loss, profit and investment returns. Quantitative risk gives different perspectives on different people:

To the security consultant:
To attract newly started businesses by adapting quantitative analysis to access projects that were out of reach in the past.
If the projects met up to the predicted return on investment then it could serve as a better tool for marketing.
To the company's upper management:
Less vulnerable to company politics
time required for assessing proposal validity is very less
Inter- relates final results to financial aims and goals.

Quantitative risk analysis assists managers in analyzing whether the projects can be completed in a particular time frame and within the required estimated budget. It also helps in finding out the key parameters that would determine the success or failure of the project. It also helps in finding out whether the project is worth investing in for investors. But all these data should have some historical backing otherwise they would be rendered meaningless. These data should be updated from time to time during the due course of the project taking the actual input parameters into consideration. This in other terms is also known as “Garbage In – Garbage Out". Even though all this is done project management is subject to certain biases. The most basic solution is to collect data from qualitative project management software. This kind of integration has already been implemented and has been successful in the past as well.

Quantitative risk analysis tools initiate Monte Carlo process to find out how risks would have an impact on project schedules. The most well known methods for simulating risks and other problems is Event Chain Methodology. In this methodology all the projects tat are present are effected by certain external parameters which could in turn change the face of the project. These events should be analysed with the help of the qualitative risk management software. This is an important aspect as these measures could give rise to event chains that can alter the course of the project. By finding out these event chains the risks involved can be reduced.

Quantitative risk analysis is more related to implementing safety measures when compared to qualitative risk analysis is. This risk analysis when implemented by companies tries to protect the firm from every defined risk. It also helps in determining which counter method can be used for minimizing the risks involved with projects. In this method the risk assessments are generally represented in graphs and probability charts which generates a clear understanding among firms and hence is also favoured by management teams.

2.6 Qualitative Risk Analysis:

Qualitative risk analysis forms as primary source of data for further evaluations. It acts as an initial screening for all activities associated with the project to identify the possible risks that may or may not require further analysis (Quantitative). Sometimes managers tend to overlook simple risks which may cause substantial damage while looking for more complex ones which might not be that important. Also studying the project document and technologies used might help identifying certain generic risks. For example, a project which uses widely used or known components poses minimal threats when compared to using first to use or more advanced technology.

Qualitative analysis helps prioritizing such risks according to the level they affect the final project objectives. This helps the managers with the decision making on how best they can plan the project in a safe way. While doing qualitative risk analysis, managers generally tend to include their personal and previous experiences in dealing with similar kind of projects or tasks. They asses the importance of risk factors according to their experience.

In this process we first identify what are the main sources from where risk can originate. This is done by conducting interviews and getting feedback fro questioners. Then an assessment is done to increase the level of understanding of each risk and the extent to which they could affect the project. For this qualitative risk analysis process there is no probability database required and it is widely used analysis by the organisations.

2.7 Techniques used for Qualitative Analysis:

The most common methods of obtaining necessary data for screening risks are:
To know the stakeholders and shareholders' interests regarding the current project.
Collecting critical information from stakeholders and clients to analyze the final objectives in a realistic way.
Understanding the organizational structure and policies to carry out the task efficiently.
Using effective benchmarking techniques from projects handled previously.
Understanding the key objectives and criticality of each task associated with the project to categorize risks according to their importance.

However, after collecting the information and assigning the risk factors to different grids or categories, the managers need to decide on the need to go for further investigation and to implement effective risk management plans. In order to do this, every manager should ask themselves a few questions such as:
What are the critical phases in the project and where the potential risks are going wrong during that phase?
The effect of that risk in carrying out the tasks related to the respective phases and how it's delaying the overall project.
Weather the potential risks can be eliminated by simple methods or changes in the project plan or they are far too complex to minimize without using further analysis and sophisticated techniques.

When a manager could answer these questions, he would be in a position to effectively plan and implement risk aversion plans by using appropriate tools or techniques. The Qualitative risk analysis gives the manager a true power of information to make his decision.

Generally the qualitative risk analysis will be succeeded by quantitative risk analysis which gives more insight on numbers such as project period, completion dates and budget.

3. Organisational Risk Analysis:

The combination of a threat and the resulting impact to the organisation defines the risk to the organisation. It is an important task that we asses all the intricate issues that the organisation is facing. Only after this assessment we can know the overall risk that the firm is facing and the appropriate counter methods that can be implemented in minimizing these risks. When a risk assessment is carried out we take an over all perspective on behalf of the organisation. We first find out every major business processes that take place in the organisation and then we focus on the situations from where risks would arise. We then provide detailed list to management of the different types of risk involved so that management can counter with them..

The National Audit Office Report 'Managing Risks to Improve Public Services' ( NAO 2004) identified five key aspects of organisational risk analysis and made recommendations for improving organisational risk analysis practice in central government.
Sufficient time, resource and top level commitment needs to be devoted to handling risks in an organisation.
Responsibility and accountability for risks need to be clear, backed up by scrutiny and robust challenge to provide assurance.
In an Organisation, departments need to base their judgements about risks on reliable, timely and up to date information.
Risk analysis needs to be applied throughout departments' delivery networks.
Departments need to continue to develop their understanding of the common risks they share and work together to manage them.

An Organisational Risk Analysis is a tool for governance and getting its …

Students Paper: Direct Quote:


… getting its right is important. Selecting the correct method for performing the analysis is …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… getting it right is important. Selecting the correct method for performing the assessment is …

… analysis is a critical first step. Successful audit staff or risk analysis team creates evaluation criteria that will be used to evaluate the risks to the organisation. The analysis team reviews each risk and assigns it an impact value. Successful audit staff uses some basic approaches to determine which technique will provide the most value for the organisation.

Organisational Risk Analysis is a very important factor while handling projects for all organisations in today's business world. In any project that is undertaken risk is present. It depends on the nature of the project. Some projects are riskier when compared to others; this is due to the kind of risk, the technology present and the environment in which they are encountered. Project management has been designed to coordinate and be in charge of complicated and different business processes in different field such as IT and industrial sectors. (Web2, 2009)

This above diagram shows how an organisation relates with other departments like software, technology and environment etc. Handling with any of them causes uncertainties or risks. To overcome those risks associated in projects, ORA (Organisational Risk Analysis) helps. Risk is uncertainty of outcome, and good risk analysis allows an organisation to:

Have increased confidence in achieving its desired outcomes
Effectively constrain threats to acceptable levels
Take informed decisions about exploiting opportunities.

When ever we will get a change this risk occurs for those organisations. It is important to understand effect of change and the results of change as these are important in devising an appropriate strategy. Those are

Developmental: “It is a change which enhances or corrects existing aspects of an organisation, often focusing on the progress of a skill or process. “

Transitional: It is episodic, planned and fundamental. Most of the organisational change literature is based on this type of change only.

Transformational: It is radical in nature; it requires a change in assumptions made by the organisation and by its people.

Using these types of changes and its characteristics can be placed beside two scales: radical- incremental and core- peripheral (Pennington 2003).

The diagram above shows us how difficult it is introduce a particular decision into the market and the number of changes that may result in introducing this decision. If major changes are made to the central business then it would initiate a lot of disturbance. The processes that are associated with the core business can be changed as they can be adjusted in the due course of time; this is mostly for firms who are involved with continuous improvement.

Successful audit staff or risk analysis team generally use any of the three basic approaches.
The database approach
The algorithm approach
The matrix approach

Understanding the strengths and weakness of each method is essential for determining which technique will provide the most value for the organisation.

3.1 The Database Approach:

For assessing any kind of organisational risk, compiling a risk database is a popular method. Here each work group is interviewed and the main products and processes are identified where the risks associated with each process are displayed. These are then stocked in a database from where similar reports can be accessed for reference so that the risk faced by the work unit can be analysed.

This database approach is chosen by so many accounting firms and it is favoured by them, which may tag it as “risk profiling …

Students Paper: Direct Quote:


… the analysis is a critical first step. Successful audit staff or risk …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… the assessment is a critical first step. Successful audit staffs generally use …

… or risk analysis team creates evaluation criteria that will be used to evaluate the risks to the organisation. The analysis team reviews each risk and assigns it an impact value. Successful audit staff uses some basic approaches to …

Students Paper: Direct Quote:


… approaches to determine which technique will provide the most value for the organisation.

Organisational …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… is essential for determining which technique will provide the most value for the organization.

THE …

… organisation.

Organisational Risk Analysis is a very important factor while handling projects for all organisations in today's business world. In any project that is undertaken risk is present. It depends on the nature of the project. Some projects are riskier when compared to others; this is due to the kind of risk, the technology present and the environment in which they are encountered. Project management has been designed to coordinate and be in charge of complicated and different business processes in different field such as IT and industrial sectors. (Web2, 2009)

This above diagram shows how an organisation relates with other departments like software, technology and environment etc. Handling with any of them causes uncertainties or risks. To overcome those risks associated in projects, ORA (Organisational Risk Analysis) helps. Risk is uncertainty of outcome, and good risk analysis allows an organisation to:

Have increased confidence in achieving its desired outcomes
Effectively constrain threats to acceptable levels
Take informed decisions about exploiting opportunities.

When ever we will get a change this risk occurs for those organisations. It is important to understand effect of change and the results of change as these are important in devising an appropriate strategy. Those are

Developmental: “It is a change which enhances or corrects existing aspects of an organisation, often focusing on the progress of a skill or process. “

Transitional: It is episodic, planned and fundamental. Most of the organisational change literature is based on this type of change only.

Transformational: It is radical in nature; it requires a change in assumptions made by the organisation and by its people.

Using these types of changes and its characteristics can be placed beside two scales: radical- incremental and core- peripheral (Pennington 2003).

The diagram above shows us how difficult it is introduce a particular decision into the market and the number of changes that may result in introducing this decision. If major changes are made to the central business then it would initiate a lot of disturbance. The processes that are associated with the core business can be changed as they can be adjusted in the due course of time; this is mostly for firms who are involved with continuous improvement.

Successful audit staff or risk analysis team …

Students Paper: Direct Quote:


… analysis team generally use any of the three basic approaches.
The database approach
The algorithm approach
The matrix approach …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… audit staffs generally use any of three basic approaches--the database, algorithm, or matrix …

… …

Students Paper: Direct Quote:


… The algorithm approach
The matrix approach

Understanding the strengths and weakness of each method is essential for determining which technique will provide the most value for the organisation.

3.1 …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… algorithm, or matrix approach. Understanding the strengths and weaknesses of each method is essential for determining which technique will provide the most value for the organization.

THE …

… organisation.

3.1 The Database Approach:

For assessing any kind of organisational risk, compiling a risk database is a popular method. Here each work group is interviewed and the main products and processes are identified where the risks associated with each process are displayed. These are then stocked in a database from where similar reports can be accessed for reference so that the risk faced by the work unit can be analysed.

This database approach is chosen by so many accounting firms and it is favoured by them, which may tag it as “risk profiling” and comprise …

Students Paper:


… and comprise it as part of their “enterprise risk management” product line. This process …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… and include it as part of their "enterprise risk management" product line. The process …

… . This process is mostly adopted by managers in the finance industry. They mostly use this process to encapsulate data that are concerned with financial assets or asset groups. At the end of this we would get a catalogue which would result in a list of assets and the concerned risks involved.

Loss-event databases mainly emphasize on past records and they analyze losses that are mainly financial in nature. Hence they are not the recommended choice by corporate professionals as they expect risk analysis to involve all facets of business. When any database is taken into consideration the approach requires a lot of research data and a huge time frame. In today's world since the environment is changing so fast they become quickly outdated.

3.2 …

Students Paper:


… outdated.

3.2 The Algorithm Approach:

An algorithm is a sequence of steps; generally involves …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… to satisfy.

THE ALGORITHM APPROACH

An algorithm is a sequence of steps, usually involving …

… ; generally …

Students Paper:


… steps; generally involves logic and mathematics that produces a result. Once an algorithm is built to solve a problem, it can be repeatedly used to address different kind …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… steps, usually involving logic and mathematics, that produces a result. Once an algorithm is built to solve a problem, it can be repeatedly used to address like situations …

… different kind of situations. Risk assessment Algorithm approach generally involves applying a mathematical equation to each work unit of the organisations and in calculating their level of risk. These mathematical equations are built using risk factors, and also develop these equations …

Students Paper:


… these equations with measures of risk associated with each factor. Risk factors are recognizable, assessable …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… factors, along with measures of risk associated with each factor. Risk factors are observable ob …

… recognizable, assessable indications of the occurrence …

Students Paper:


… the occurrence of risk. For example, "time factor since last audit" is a common risk factor that explains the …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… the presence of risk. For example, "time since last audit" is a common risk factor that expresses the …

… explains the weakening of control systems eventually.

A risk model is developed by choosing a number of common risk factors from each work unit of the organisation and by measuring their strengths. This risk model …

Students Paper:


… risk model prioritizes and summarizes the overall risk in each work unit of the …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… model, which summarizes and prioritizes the overall risk in each work unit. Experience shows …

… of the organisation. Through experience we can know that most risk …

Students Paper:


… most risk models work best with four to seven factors. Different models …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… shows that models work best with four to seven factors, but never …

… . Different models implement different kinds of weights to differentiate between comparative factors. While some models for this process implement similar weights.
All successful algorithms are built by using …

Students Paper:


… by using static or dynamic risk factors. Static risk factors are steady over …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… built utilizing static or dynamic risk factors. Static risk factors are stable over …

… steady over a period of time and represent the scope of resources like inventory and revenue. Based upon this, …

Students Paper:


… upon this, static factors are not direct indicators of risk. Dynamic risk factors are unstable over …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… revenue. Therefore, static factors are not direct indicators of risk.

Dynamic risk factors represent conditions …

… unstable over time and therefore require stable monitoring. The sources of risk analysis are generally the origins from where the perilous nature of risks can be viewed and analysed.

So …

Students Paper:


… analysed.

So many benefits are associated with the use of the algorithm approach. After checking …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… of time.

Many benefits are associated with the use of the algorithm approach. Risk models …

… . After checking the algorithm and the validation of the business results the formula can then be used for other units of business as well. Any values that are assumed taking the risk levels into consideration can be stated in a simple manner as they are mostly compiled from mathematical formulas. The algorithm can be implemented for risk assessment as well which requires a wide horizon of knowledge. It requires highly skilled staff in order to comprehend this information. The risk factors used to build these algorithms was based information present in the 80's. It only identified the units that did not work and not a complete threat.

3.3 The Matrix Approach:

Students Paper:


… Matrix Approach:

A matrix is formed with the organization's business units on one axis and a set of high-level risks on the other axis. The number of risks is usually between 12 and 16, although viable models with as few as four are known. Strategic planners …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… graphic display of risk. A matrix is formed with the organization's business units on one axis and a set of high-level risks on the other axis. The number of risks is usually between 12 and 16, although viable models with as few as four are known. A team assesses …

… . Strategic planners and senior management often favour …

Students Paper:


… often favour the matrix approach because of its higher-level focus and graphic display of risk. Alternatively, each …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… often favor the matrix approach because of its higher-level focus and graphic display of risk. A matrix …

… …

Students Paper:


… display of risk. Alternatively, each business unit may create its own matrix using the same risks, but applying them against smaller work groups within the business unit. These assessments can then be combined to create the organization's total risk matrix.

The basic advantages …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… not applicable."

Alternatively, each business unit may create its own matrix using the same risks, but applying them against smaller work groups within the business unit. These assessments can then be combined to create the organization's total risk matrix.

One advantage …

… basic advantages of this approach are that it can be moulded and easily implemented. The matrix involves a three dimensional view on how risk can be looked at by including the contents in each cell. It also provides a graphical representation of risk and its impact is on a very huge scale. It is quite similar to the algorithm approach as it involves an assessment team that require to be fully trained and should possess a very high level of business acumen so that they can understand the process. It also must be noted that then it is a very challenging task to maintain the matrix as every time a change occurs an assessment must be performed. Tracking these changes are also very difficult as it depends on the level of systems installed. As a result it is difficult to handle matrix when compared to database.

None of the three approaches is universally favoured by risk analysing professionals all the time, depending on the proposed …

Students Paper:


… the proposed use of the assessment information and on the level of complexity or …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228


… the intended use of the assessment information and on the level of difficulty the …

… complexity or risk that organisation is willing to accept. The data base approach is the best approach for giving detailed guidance to organisation management and this is the most difficult in implementing and maintaining approach. The algorithm approach is the easiest to maintain but fairly difficult to implement and it is mainly used for the operational management. While coming for the matrix method, it is best for strategic management and this is easiest to implement but difficult to maintain. Finally the internal audit team must give attention to these attributes along with that organisation's intend use of the analysis and available resources to determine which approach is the best and right approach for that organisation.

4. Role of ORA in Project Management:

Most part of project management is dependent upon a master plan, common sense and plenty of what we describe is simply a prearranged approach to what we would do intuitively. After using all these planning, organising and managing resources as well, sometimes project fails. There are many reasons that why projects fail, some of them are listed below.

Poor project specifications
Impractical/ unrealistic timescales
Failure to manage user specifications
Failure to manage the changes required by the core user
Insufficient participation by senior management and staff

The success or failure of any project relies mostly on effective project management skills. The ideal manager should assess the scope and outcomes of the project in a realistic mode by assessing all kinds of possible risks that are associated with the project. No project in this corporate world is immune to risks. Irrespective of size and scope, projects will go through several risks and the damage might effect in carrying out critical tasks. Sometimes, risks are associated with manual or technical miscalculations and sometimes they may simply occur due to pre determined assumptions of the management team.

Assessing and avoiding such risks forms the major part in driving the project to success. But today, most of the managers tend to take this on a lighter note. Sometimes they might totally ignore it thinking that it's impossible to assess the 100 % risk factor and to avoid them. However, there are many risk analysis software's available which makes complex things simple to analyze. These are called risks and threats of a project. In every organisation one risk analysis team will be there to analyse these risks and with the help of this analysis, management should be keep out from these risks in order to ensure the smooth running of the organisation.

This risk analysis is nothing but a systematic approach for describing and calculating risks. It is an important feature of business recovery planning. Normally the process begins when a manager gets to approve a project plan or a business case. He / she should observe and assess all the necessary information and do a primary risk analysis. Depending on the risk factors observed, the manager will consider the necessity to further investigate the risk factors to avoid any possible damage. A risk management plan would then be implemented by manager who monitors and controls the process on a timely basis.

Organisational Risk Analysis is essential for management for getting any possible risks in projects. ORA estimate the feasibility of projects. It also helps determining risks associates in projects. Improper risk analysis can lead to failure of the project. Risks linked with the organisational environment may be general or specific. Organisational Risk Analysis is a process which enables the management of the risks associated with a project. It will increase the probability of successful completion of project. This analysis is a perfect process designed to remove or reduce the risks which threaten the success of project objectives.

There are many reasons for using organisational risk analysis in project management; the main reason is to achieve economic benefits such as cost effectiveness and time efficiency. In any organisation the senior management needs a detailed report on the different kinds of risks that are associated with their projects especially when taking major financial decisions regarding the company. This is also important for project managers who want to improve their work standards i.e. to bring their project budgets down and to complete them in the required time frame. Every organisation across the world spends a high amount of money for the success of projects i.e. known as ‘Cost of the Project'. This risk analysis will also help us to decide whether the strategies we could use to control risk are cost-effective or not. Here we define risk as ‘the perceived extent of possible losses'. One way of putting figures to risk is to calculate a value for it as:

Risk = Probability of Event * Cost of Event

By doing this you can compare risks objectively. We can also use this approach formally in decision making with Decision tree. Once you have worked out the value of risks you face, you can start to look at ways of managing them. While doing this, it's very important to choose cost effective approaches. Thankfully there are best practices which are usually to rate and prioritize the project risks in a rapid and cost-effective manner. Those tools and techniques are: 1) Risk probability and assessment, 2) Probability and impact matrix: It illustrates a risk rating assignment for identified risks. Each risk is rated on its probability of occurrence and impact upon objective. From a spotlight analysis reds (0.720, 0.180 etc) are in the high risk area, yellows (0.090 etc) are medium risk, and greens (0.045, 0.035 etc) are low risk which should just be added to the watch list.

Probability Threats Opportunities 0.900 0.045 0.090 0.180 0.360 0.720 0.720 0.360 0.180 0.090 0.045 0.700 0.035 0.070 0.140 0.280 0.560 0.560 0.280 0.140 0.070 0.035 0.500 0.025 0.050 0.100 0.200 0.400 0.400 0.200 0.100 0.050 0.025 0.300 0.015 0.030 0.060 0.120 0.240 0.240 0.120 0.060 0.030 0.015 0.100 0.005 0.010 0.020 0.040 0.080 0.080 0.040 0.020 0.010 0.005 0.050 0.100 0.200 0.400 0.800 0.800 0.400 0.200 0.100 0.050


General risks relate to the organisational culture e.g. are you trying to bring in a revolutionary change into a self important institution? Information of these sorts should be planned for well in advance, it is especially difficult for project managers who have joined the organisation newly and have not come to terms yet with the working of the organisation. Let us say for example that you are planning to implement a project in finance and just some time back a project similar to this has gone badly wrong or you are trying to bring in some innovative new measures when the companies finances are running low. Such kind of things must be analysed carefully as the success and failure of decisions taken in different parts of the organisation may decide the fate of the success or failure of your project.

By providing an outline for carrying out a detailed risk management programme in the project, we can develop the organisational risk analysis policy. One of the major factors involved in risk analysis is that the aim to separate the major risks involved in the project from the minor risks, they also tend to provide the required information so that the company can cope with the different kinds of risk. Organisational Risk Analysis …

Students Paper:


… Risk Analysis is not the responsibility of one person or one function; it is …

http://www.taxguru.in/tag/internal-auditor


… organisation and is not the responsibility of one person or function. Despite this …

… ; it …

Students Paper:


… function; it is a process to be executed throughout the organisation.

The most relevant …

http://www.taxguru.in/tag/internal-auditor


… Risk Management is a process to be executed throughout the organisation and is …

… most relevant sources of information should be used for determining the consequence and likelihood. Certain conditions should prevail so that each level of consequence can be used for developing a risk rating. Sources may include:
“ …

Students Paper: Direct Quote:


… may include:
“Past records — in the organisation, in the group, in the local area, in the country, in the world in similar organisations, in other organisations with similar circumstances.
Relevant experience …

http://www.taxguru.in/tag/internal-auditor


… include :


â Past records — in the organisation, in the group, in the local area, in the country, in the world in similar organisations, in other organisations with similar circumstances.

â Relevant …

… .
Relevant experience — of the consultants, and of persons participating in the assessment process.
Relevant published literature — technical, newspapers, magazines, internet, etc.
Specialist and expert judgements — specific to the organisation or industry.
Experiments and prototypes — specific to the project being considered …

Students Paper: Direct Quote:


… similar circumstances.
Relevant experience — of the consultants, and of persons participating in the assessment process.
Relevant published literature …

http://www.taxguru.in/tag/internal-auditor


… circumstances.

â Relevant experience — of the consultants, and of persons participating in the assessment process.

â Relevant …

… …

Students Paper: Direct Quote:


… assessment process.
Relevant published literature — technical, newspapers, magazines, internet, etc.
Specialist and …

http://www.taxguru.in/tag/internal-auditor


… process.

â Relevant published literature — technical, newspapers, magazines, internet, etc.

â Specialist …

… .

Students Paper: Direct Quote:


… internet, etc.
Specialist and expert judgements — specific to the organisation or industry.
Experiments and …

http://www.taxguru.in/tag/internal-auditor


… etc.

â Specialist and expert judgements — specific to the organisation or industry.

â Experiments …

… .

Students Paper: Direct Quote:


… or industry.
Experiments and prototypes — specific to the project being considered.” (Web3, 2009 …

http://www.taxguru.in/tag/internal-auditor


… industry.

â Experiments and prototypes — specific to the project being considered.


Special analytical …

… .” (Web3, 2009)

2.4 Summary:
In this chapter we have discussed briefly about the main objectives of this research. Studied about organisational risk analysis and other main parts of this literature review by referring various books, e-books and journals. The post project review is mainly to look at lessons learned and for further improvements of future projects in project management. Unexpected risks may cause major delays and escalating costs. Organisational risk analysis can help in reducing these unpleasant surprises and through my case study I have seen it implemented successfully in many cases. This organisational risk analysis …

Students Paper:


… risk analysis was highly successful and resulted in substantial savings and structured decision making with learning's for …

http://www.taxguru.in/tag/internal-auditor


… risk management was highly successful and resulted in substantial savings and structured decision-making with learnings for …

… learning's for the organisation. Flexible development practices and different methodologies using organisational risk analysis make it easier to plan for and handle risk as they occur in organisation while handling the projects. To implement flexible development practices and methodologies, organisations must improve team skills, and review and improve their process for software development and deployment. With these kinds of practices, one organisation can deliver better applications with fewer delays in spite of unexpected problems and many requirements and strategy changes that can happen along the way.
In the next chapter we are going to explore our knowledge towards different research methodologies and briefly describe the methods used for this research.
TIME

COST

SCOPE

4% http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228
3% http://people.stfx.ca/x2006/x2006pcl/An%20Introduction%20to%20Project%20Management.doc
3% http://www.peoplesoft-planet.com/General-Project-Management.html
3% http://www.projectsmart.co.uk/introduction-to-project-management.html
2% http://www.sagarkasar.com/index.php?option=com_content&task=view&id=12&Itemid=1
2% http://www.taxguru.in/tag/internal-auditor
2% http://www.rodp.org/faculty/presentations/taylor-presentation-10-28-05/RODP%20Fall%20Workshop/Examples/templates2/mod1/mod1b.htm
2% http://www.taxguru.in/tag/internet
2% http://findarticles.com/p/articles/mi_m4153/is_3_57/ai_63326228/
2% http://www.scotland.gov.uk/Publications/2008/08/25142353/4
1% http://dictionary.bnet.com/definition/risk+analysis.html
1% http://www.intaver.com/Articles/RP_Art_MSProjectRiskAnalysis.html
1% http://port.inst.cl.uh.edu/JacobsS1503/portfolio/inst5131/JacobsS_Assign5.doc
1% http://www.easyarticles.com/article-361445.htm
1% http://www.articlesalley.com/article.detail.php/87233/10/Management/Business/1/Project_Management_training_a_step_for_PMP_Certification
1% http://projectdecisions.org/index-whitepapers.html
1% http://www.blackwellpublishing.com:443/aims.asp?ref=0272-4332&site=1
1% http://www.articlecube.com/Article/Jump-start-your-career-with-a-PMP-certification-/544210
1% http://www.projectmanagementlog.com/project-management-training-a-step-for-pmp-certification/
1% http://interpret.co.za/art/Business/Management/project_management_training_a_step_for_pmp_certification.php
1% http://www.factbites.com/search.php?kp=mortality+anthrax
1% http://www.articlecube.com/printarticle.php?id=544210
1% http://lesbianforum.velvet-club.com/showpost.php?p=3266&postcount=12
1% http://www.swirl.nhs.uk/skillsarea/10/
1% http://www.wiley.com/bw/aims.asp?ref=0272-4332&site=1
1% http://www.camdennewjersey.org/project_management.htm
1% http://www.mindtools.com/pages/article/newTMC_07.htm
1% http://www10.mcadcafe.com/link/display_detail.php?link_id=25323
1% http://lesbianforum.velvet-club.com/showthread.php?t=2406&page=2
1% http://www.anticlue.net/archives/000817.htm
1% http://www.projectmanagementlog.com/jump-start-your-career-with-a-pmp-certification/
1% http://www.nao.org.uk/pn/03-04/03041078.htm
1% http://www.wiley.com/bw/aims.asp?ref=0272-4332&site=21
0% http://www.yementimes.com/01/iss03/focus.htm
0% http://www.scribd.com/doc/7369598/Foundations-of-Risk-Analysis
0% http://headphonecommute.blogspot.com/2009_02_01_archive.html
0% http://www.woodrow.org/teachers/bi/1992/endangered_study.html
0% http://www.nomechamber.org/energy-rpt-1.html
0% http://www.pmigno.org/index.php?option=com_docman&task=doc_download&gid=28&Itemid=124
0% http://www.cs.york.ac.uk/hise/safety-critical-archive/2007/0008.html
0% http://reviews.headphonecommute.com/2009/02/04/two-and-a-half-questions-with-aidan-baker/
0% http://www.student.euv-frankfurt-o.de/~euv36784/kurbel/VoiceXML2008/text.php?no=104&to=1
0% http://www.slideshare.net/vibhamittal/project-intro
0% http://www.jiscinfonet.ac.uk/InfoKits/risk-management/org-environment
0% http://www.buzzle.com/articles/synthetic-lifeforms-what-are-the-types.html
0% http://seattlebubble.com/blog/2008/01/24/consumers-wish-list/
0% http://www.chembiotek.com/ChemBioTek-HTML/Press%20Clips%20-%202007/EP-16-30%20June'07.htm
0% http://www.regulatorysolutionsgroup.com/regulatory-solutions-approach.shtml
0% http://www.irmi.com/Expert/Articles/2000/Schoenfeld09.aspx
0% http://www.qualityplanning.org.nz/plan-topics/natural-hazards/appendix-1.php
0% http://www.mallaighigh.highland.sch.uk/Mallaig%20High%20Brochure%20Dec.%2020042005.doc
0% http://www.att.org.au/ATT_Risk_Management_Manual.htm
0% http://www.risksol.co.uk/resources/definitions.php
0% http://www.amazon.com/phrase/Fundamentals-of-Project-Management
0% http://www.itgovernance.co.uk/frameworks.aspx
0% http://www3.hants.gov.uk/risk_assessment_guide_for_laa_target_setting.doc
0% http://202.148.151.113/skillsEDIT/clientuploads/48/Appendix%20A-%20Risk%20management%20glossary.doc
0% http://pmiconference.wellington.net.nz/index.php/PMI/CallForPapers
0% http://www.cs.york.ac.uk/hise/safety-critical-archive/2007/0007.html


CHAPTER 2

2.1 Preview

This chapter provides the reader about the theory and rationale behind the use of Organisational Risk Analysis (ORA) on project management and its methodologies available in the market. It will also cover the work of different authors to afford better understanding of the subjected area i.e. Project management, Risk analysis and Organisational risk analysis. The source of information of this literature review is mainly from books, journals and white papers.

2.2 Introduction

Through this literature review one can know what others understanding about this study i.e. nothing but historical perspectives. First part of the literature focuses on project management and risk analysis and risk analysis types, second part of this literature focuses on Organisational Risk Analysis (ORA) and Role of ORA in Project management. It mainly concentrates on Project management, risk analysis and organisational risk analysis.

2.3 Introduction to Project Management:

PMBOK (Project Management -- Body of Knowledge as defined by the Project Management Institute — PMI):"Project management is the application of knowledge, skills, tools and techniques to project activities to meet project requirements." (PMI 2004)

According to James P. Lewis “The Project management is facilitating the planning, scheduling and controlling of all activities that must be done to achieve project objectives” (James P. Lewis: 2007)

PRINCE 2 project management methodology: "The planning, monitoring and control of all aspects of the project and the motivation of all those involved in it to achieve the project objectives on time and to the specified cost, quality and performance."
A project is usually one time activity with a well defined set of desired and results. It can be divided into subtasks that must be accomplished in order to achieve the project goals.

In this day and age also it is assumed that project management can be enhanced by scientific methods. There is a very strong reason why these beliefs are created, it all accounts to the fact that today's modern world has given professionals numerous amount of opportunities to execute their projects successfully. Such are the kind of investment options that are given to project investors. They are briefed with all the minute details so that they feel that their investment is secure. They also make sure that the estimated time of completion and the end can be calculated at the beginning of the project itself. The decisions that are taken on a technical basis or which are taken looking at the low opportunity costs that it presents are reversible in nature. The demand for resources can also be calculated once the initial parameters such as the duration and time frame of the project are estimated. Due to the advancement in technology even the most terrible consequences can be predicted. “The failure of the project was due to the lack of skills rather than an inappropriate feasibility, suitability or acceptability of the solution. This is a normal–science view of project management.” (Charette and Robert, 1996)

The projection of ideas and activities into new accomplishments are one of the common characteristics of all projects. There are many different definitions of what constitutes project management such as “An unique set of co-ordinated activities, with definite starting and finishing points, undertaken by an individual or a team to meet specific objectives within a definite period of time, cost and performance parameters” (Office of Government Commerce). (Web4, 2009)

J. Pinto and Prescott (1990) stated, “Researchers in project management need to first and most importantly offer a comprehensive, inclusive, and clear definition of project success before attempting to undertake studies of the project implementation process”. (J.Pinto and Prescott, 1990)

The modern project management started in 1950s, before this period projects were executed in an unplanned manner and the methods and tools used for execution were not professional in nature. The importance of project management is a very important topic because all organisations i.e. either be they are small or large organisations, those are involved in implementing new accomplishments. These accomplishments may be diverse, such as, the improvement of an innovative product, introducing a new range of products in a manufacturing base, a promotional advertisement or a major construction project. In the 1980's the focus was more on the quality of work. Globalisation played a huge role in the 1990's as we were trying to improve our economy, the 2000's saw projects with decreased time frames. A new field known as project management was developing from all new areas of application which included construction, engineering, telecommunications, and defence. This emerging field has now become an important part of our economy as it has produced a string of fabulous results. Hence it is now being applied by the corporate world as well as the government. Duncan Haughey (2008) explained some main definitions of what project management is:

“Project management is not a continuous process. It has a definite beginning and end.”
“Project management uses various tools to measure accomplishments and track project tasks. These include Work Breakdown Structures, Gantt charts and PERT charts.”
“Projects frequently need resources on an ad-hoc basis as opposed to organisations that have only dedicated full-time positions.”
“Project management reduces risk and increases the chance of success.”
“Successful project management is delivering your projects on time, to brief and within budget.” (Duncan Haughy, 2008)

2.3.1 Methodology of Project Management:

According to Bradley (2002) Project management methodology means “Project Management Methodology focuses on the project and can be in any industry and any type of projects ranging from construction to aerospace industries and from projects of Financial to IT in nature, it encompasses all projects”

The above diagram shows the main components of one of the main project management methodology. Some of the elements like project start-up and project closure occur only once. The remaining elements like planning, managing and controlling, form an interactive cycle that may repeat many times before the completion of the project. In other words we can also say project management is the discipline of planning, organising and managing resources to bring about the successful completion of specific project's goals and objectives. Each and every project is different in nature. Any project would involve a certain amount of risk and hence require perfect planning and execution if they have to succeed. The main aim of project management is to predict any complications or problems in the project well before hand so that when the project plan is made all these factors can also be taken into consideration and hence the chances of the project being completed successfully would be much higher.

Almost every project we do in today's business world involve a risk of some kind: change in customer needs, unrealistic time scales, inappropriate staff, poor project specifications , failure to manage user expectations could delay the project. Projects need to be performed and delivered under certain constraints. Traditionally these constraints have been listed as scope, time and quality. This is also called as ‘project management triangle'.

One side of the triangle cannot be changed without affecting others. The time constraint refers to the amount of time available to complete a project, scope refers to what must be done to produce the project's end result and cost refers to the budgeted amount available for the project.
Increasing Scope ( Increasing Time + Increasing Cost
Decreasing Time ( Increasing Cost + Reducing Scope
Tight Budget ( Increase Time + Reducing Scope.

If we modify any of the factors, the other two has to be changed, if not the risk may appear high. But formal risk analysis and risk management can help you to assess these risks and decide what action to take to minimize disruptions to your project plans.

According to J. Davidson Frame (2007) the basic outline of project management is described below "Project managers bear ultimate responsibility for making things happen. Traditionally, they have carried out this role as mere implementers. To do their jobs they needed to have basic administrative and technical competencies. Today they play a far broader role. In addition to the traditional skills, they need to have business skills, customer relations skills, and political skills. Psychologically, they must be results-oriented self-starters with a high tolerance for ambiguity, because little is clear-cut in today's tumultuous business environment. Shortcomings in any of these areas can lead to project failure." – (J. Davidson Frame, 2007)

Project management is discipline that applies to any project; every company has their own way of doing their projects. The project management is not very easy it is totally a leadership position and with technical talent it cannot be done. Project manager without enough experience cannot hold for a long-time on the same project if the assumption of the company goes wrong in selecting the project manager it will be in risk. (Sanjay Murthi, Preventive Risk Management for Software Projects)

2.4 Risk Analysis:

The word ‘RISK' derives from the early Italian risicare, which means ‘TO DARE'. (Webster's Dictionary: 1989)

One of the most important activities in project management is to identify and manage the uncertainties and problems during the project tenure. When dealing with research and development projects it must be made note of that the number of events present are very high which could alter the course of the project

The amount of risk involved in the project would mainly depend on the size of the project. The contractors of the project are the people who deal with the risks of the project, their main duties would involve to identify risks. Then they study them and find as solution so that could remove or minimize them. Apart form this they should also have a clear understanding of the different types of risk involved and ways as to how they can be managed and projects can be completed in a risk free manner.

(The Owner's Role in Project Risk Management National Research Council (U.S.A). Committee for Oversight and Assessment of U.S. the national academic press, Washington DC).

A report that shows assets, vulnerabilities, likelihood of damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs and estimated probable savings from better protection. A "risk analysis" is the process of assessing the level of risk involved, this is also known as a "threat and risk assessment." A "threat" is a harmful act such as the deployment of a virus or illegal network penetration. A "risk" is the expectation that a threat may succeed and the potential damage that can occur. (Web1, 2009)

Risk analysis allows you to examine the risks that your organization faces. It is the process of systematically identifying and assessing the potential risks and uncertainties that occur when trying to achieve a certain goal (like reaching a target income or finishing a project), and then finding a feasible strategy for most efficiently controlling those risks.

‘The systematic process to understand the nature of and to deduce the level of risk. It provides the basis for risk evaluation and decisions about risk treatment.' (AS/NZS 4360:2004 (p. 4).

According to Michael R. Greenberg ”Risk Analysis - ranked among the top 10 journals in the ISI Journal Citation Reports under the social sciences, mathematical methods category - is designed to meet the need for organization, integration, and communication and provide a focal point for new developments in the field.” (Michael R. Greenberg: 2008)

Evidence from the literature suggests that project managers perform risk analysis because somebody else, e.g. their client, the parent company or the Government, has demanded it (Boothroyd, 1996; Smith, 1998).

The analysis of risk is being increasingly viewed as a field in itself, and the demand for a more orderly and formal treatment of risk is great. This international journal is committed to publishing critical empirical research, conference proceedings, and commentaries dealing with risk issues. In other terms we can say the measure of risk can be determined as a product of threat, vulnerability and asset value in an organisation.
Risk = Asset * Threat * Vulnerability.

Risk analysis may play an important role in cost- benefit studies, which compare the costs of a particular action or project against its potential benefits. It is a systematic study of uncertainties and risks we encounter in business, engineering and many other areas. Risk analysts seek to identify the risks faced by an organization or a business unit, understand how and when they arise, and estimate the impact of adverse outcomes. Techniques used in risk analysis include sensitivity analysis, probability analysis, simulation and modeling. Risk analysis may be used to develop an organizational risk profile, and also may be the first stage in risk management program. Risk analysis may be undertaken to varying degrees of detail depending upon the risk, the purpose of the analysis, and the information, data and resources available.

In today's world where competition has become global, it is very important that firms control the different kinds of risk that they are dealing with as it has become an essential part in achieving corporate success. The people who are involved such as customers, investors and others asking companies for complete transparency on their investments. Thus risk analysis is necessary to protect an organisation's competitive position. Most industries are particularly plagued by risks, but it has been slow in realising the potential benefits of sound and systematic risk management (Al-Bahar and Crandall, 1990; Ward et. al. 1991; Thomson and Perry, 1992; Flanagan and Norman, 1993; Raftery, 1994; Fellows, 1996; Edward and Bowen, 1998).While coming for the software industries risk analysis and management are a sequential progression that help in guiding a software team in understanding and managing risks. A risk is a potential problem, it might happen, it might not. But regardless of the outcome it is really good idea to identify it, assess its probability of occurrence, estimate the impact and establish a contingency plan should the problem actually occurs.
According to Bernstein “the mystery of risk is a critical step in the development of modern society. One can discuss the validity of his conclusion, but there should be no doubt that risk and uncertainty are important concepts to address for supporting decision-making in many situations”.

This Risk Analysis may be qualitative, semi-qualitative or quantitative or a combination of these three, depending on the circumstances. The criticality of risk analysis doesn't wholly depend on identifying the risk factors. It also depends on categorizing them according to their threat level. So let us see how the whole concept of risk analysis starts. There are two types of risk analysis. Both these methods are very important in the assessment of risk and can be executed in any order. It is very important to understand the difference between these two risks as there is a very thin line separating them. Those are:
Quantitative Risk Analysis
Qualitative Risk Analysis

(Identification of types of risk analysis)
2.5. Quantitative Risk Analysis:

Quantitative Risk Analysis has become an important component of project management. Quantitative risk analysis attempts to assign independently objective monetary values to the components of the risk assessment and to the assessment of the potential loss.

According to Guide to the Project Management Body of Knowledge (PMBOK ® Guide, Third edition 2004, Project Management Institute) “Quantitative Risk Analysis is performed on risks that have been prioritized by the Qualitative Risk Analysis process as potentially and substantially impacting project ‘s completing demands. The Quantitative Risk Analysis process analyzes the effect of those risk events and assigns a numerical rating to those risks.” (PMBOK Guide, 2004)

This method gives the project manager a foresight as to how the project would progress if risks associated with it would occur. Hence due to this method the project mangers are able to counter these risks and also account to better execution of projects. A quantitative risk analysis offers the following distinct advantages:
much more neutrality is involved in this assessment
offers much more advantages to management when compared to assessment techniques More powerful selling tool to management
It is very flexible in nature and can be moulded to different situations.
It can be adjusted according to the needs of specific industries.
Its appeal is very universal in nature and hence does not give rise to much disagreements
The base facts of the analysis are very convincing ones.

In order to implement quantitative risk analysis, the total estimated value that would account to the losses that would occur due to time delay, theft or loss of data is to be calculated. Then a probability analysis is done so that the chances of the risk occurring can be calculated. After all this is done in the final step the annual loss expectancy is calculated. (Miller).

A quantitative risk analysis analyses the results that certain controversial units would have on outcomes that we are most concerned about such as loss, profit and investment returns. Quantitative risk gives different perspectives on different people:

To the security consultant:
To attract newly started businesses by adapting quantitative analysis to access projects that were out of reach in the past.
If the projects met up to the predicted return on investment then it could serve as a better tool for marketing.
To the company's upper management:
Less vulnerable to company politics
time required for assessing proposal validity is very less
Inter- relates final results to financial aims and goals.

Quantitative risk analysis assists managers in analyzing whether the projects can be completed in a particular time frame and within the required estimated budget. It also helps in finding out the key parameters that would determine the success or failure of the project. It also helps in finding out whether the project is worth investing in for investors. But all these data should have some historical backing otherwise they would be rendered meaningless. These data should be updated from time to time during the due course of the project taking the actual input parameters into consideration. This in other terms is also known as “Garbage In – Garbage Out". Even though all this is done project management is subject to certain biases. The most basic solution is to collect data from qualitative project management software. This kind of integration has already been implemented and has been successful in the past as well.

Quantitative risk analysis tools initiate Monte Carlo process to find out how risks would have an impact on project schedules. The most well known methods for simulating risks and other problems is Event Chain Methodology. In this methodology all the projects tat are present are effected by certain external parameters which could in turn change the face of the project. These events should be analysed with the help of the qualitative risk management software. This is an important aspect as these measures could give rise to event chains that can alter the course of the project. By finding out these event chains the risks involved can be reduced.

Quantitative risk analysis is more related to implementing safety measures when compared to qualitative risk analysis is. This risk analysis when implemented by companies tries to protect the firm from every defined risk. It also helps in determining which counter method can be used for minimizing the risks involved with projects. In this method the risk assessments are generally represented in graphs and probability charts which generates a clear understanding among firms and hence is also favoured by management teams.

2.6 Qualitative Risk Analysis:

Qualitative risk analysis forms as primary source of data for further evaluations. It acts as an initial screening for all activities associated with the project to identify the possible risks that may or may not require further analysis (Quantitative). Sometimes managers tend to overlook simple risks which may cause substantial damage while looking for more complex ones which might not be that important. Also studying the project document and technologies used might help identifying certain generic risks. For example, a project which uses widely used or known components poses minimal threats when compared to using first to use or more advanced technology.

Qualitative analysis helps prioritizing such risks according to the level they affect the final project objectives. This helps the managers with the decision making on how best they can plan the project in a safe way. While doing qualitative risk analysis, managers generally tend to include their personal and previous experiences in dealing with similar kind of projects or tasks. They asses the importance of risk factors according to their experience.

In this process we first identify what are the main sources from where risk can originate. This is done by conducting interviews and getting feedback fro questioners. Then an assessment is done to increase the level of understanding of each risk and the extent to which they could affect the project. For this qualitative risk analysis process there is no probability database required and it is widely used analysis by the organisations.

2.7 Techniques used for Qualitative Analysis:

The most common methods of obtaining necessary data for screening risks are:
To know the stakeholders and shareholders' interests regarding the current project.
Collecting critical information from stakeholders and clients to analyze the final objectives in a realistic way.
Understanding the organizational structure and policies to carry out the task efficiently.
Using effective benchmarking techniques from projects handled previously.
Understanding the key objectives and criticality of each task associated with the project to categorize risks according to their importance.

However, after collecting the information and assigning the risk factors to different grids or categories, the managers need to decide on the need to go for further investigation and to implement effective risk management plans. In order to do this, every manager should ask themselves a few questions such as:
What are the critical phases in the project and where the potential risks are going wrong during that phase?
The effect of that risk in carrying out the tasks related to the respective phases and how it's delaying the overall project.
Weather the potential risks can be eliminated by simple methods or changes in the project plan or they are far too complex to minimize without using further analysis and sophisticated techniques.

When a manager could answer these questions, he would be in a position to effectively plan and implement risk aversion plans by using appropriate tools or techniques. The Qualitative risk analysis gives the manager a true power of information to make his decision.

Generally the qualitative risk analysis will be succeeded by quantitative risk analysis which gives more insight on numbers such as project period, completion dates and budget.

3. Organisational Risk Analysis:

The combination of a threat and the resulting impact to the organisation defines the risk to the organisation. It is an important task that we asses all the intricate issues that the organisation is facing. Only after this assessment we can know the overall risk that the firm is facing and the appropriate counter methods that can be implemented in minimizing these risks. When a risk assessment is carried out we take an over all perspective on behalf of the organisation. We first find out every major business processes that take place in the organisation and then we focus on the situations from where risks would arise. We then provide detailed list to management of the different types of risk involved so that management can counter with them..

The National Audit Office Report 'Managing Risks to Improve Public Services' ( NAO 2004) identified five key aspects of organisational risk analysis and made recommendations for improving organisational risk analysis practice in central government.
Sufficient time, resource and top level commitment needs to be devoted to handling risks in an organisation.
Responsibility and accountability for risks need to be clear, backed up by scrutiny and robust challenge to provide assurance.
In an Organisation, departments need to base their judgements about risks on reliable, timely and up to date information.
Risk analysis needs to be applied throughout departments' delivery networks.
Departments need to continue to develop their understanding of the common risks they share and work together to manage them.

An Organisational Risk Analysis is a tool for governance and getting its right is important. Selecting the correct method for performing the analysis is a critical first step. Successful audit staff or risk analysis team creates evaluation criteria that will be used to evaluate the risks to the organisation. The analysis team reviews each risk and assigns it an impact value. Successful audit staff uses some basic approaches to determine which technique will provide the most value for the organisation.

Organisational Risk Analysis is a very important factor while handling projects for all organisations in today's business world. In any project that is undertaken risk is present. It depends on the nature of the project. Some projects are riskier when compared to others; this is due to the kind of risk, the technology present and the environment in which they are encountered. Project management has been designed to coordinate and be in charge of complicated and different business processes in different field such as IT and industrial sectors. (Web2, 2009)

This above diagram shows how an organisation relates with other departments like software, technology and environment etc. Handling with any of them causes uncertainties or risks. To overcome those risks associated in projects, ORA (Organisational Risk Analysis) helps. Risk is uncertainty of outcome, and good risk analysis allows an organisation to:

Have increased confidence in achieving its desired outcomes
Effectively constrain threats to acceptable levels
Take informed decisions about exploiting opportunities.

When ever we will get a change this risk occurs for those organisations. It is important to understand effect of change and the results of change as these are important in devising an appropriate strategy. Those are

Developmental: “It is a change which enhances or corrects existing aspects of an organisation, often focusing on the progress of a skill or process. “

Transitional: It is episodic, planned and fundamental. Most of the organisational change literature is based on this type of change only.

Transformational: It is radical in nature; it requires a change in assumptions made by the organisation and by its people.

Using these types of changes and its characteristics can be placed beside two scales: radical- incremental and core- peripheral (Pennington 2003).

The diagram above shows us how difficult it is introduce a particular decision into the market and the number of changes that may result in introducing this decision. If major changes are made to the central business then it would initiate a lot of disturbance. The processes that are associated with the core business can be changed as they can be adjusted in the due course of time; this is mostly for firms who are involved with continuous improvement.

Successful audit staff or risk analysis team generally use any of the three basic approaches.
The database approach
The algorithm approach
The matrix approach

Understanding the strengths and weakness of each method is essential for determining which technique will provide the most value for the organisation.

3.1 The Database Approach:

For assessing any kind of organisational risk, compiling a risk database is a popular method. Here each work group is interviewed and the main products and processes are identified where the risks associated with each process are displayed. These are then stocked in a database from where similar reports can be accessed for reference so that the risk faced by the work unit can be analysed.

This database approach is chosen by so many accounting firms and it is favoured by them, which may tag it as “risk profiling” and comprise it as part of their “enterprise risk management” product line. This process is mostly adopted by managers in the finance industry. They mostly use this process to encapsulate data that are concerned with financial assets or asset groups. At the end of this we would get a catalogue which would result in a list of assets and the concerned risks involved.

Loss-event databases mainly emphasize on past records and they analyze losses that are mainly financial in nature. Hence they are not the recommended choice by corporate professionals as they expect risk analysis to involve all facets of business. When any database is taken into consideration the approach requires a lot of research data and a huge time frame. In today's world since the environment is changing so fast they become quickly outdated.

3.2 The Algorithm Approach:

An algorithm is a sequence of steps; generally involves logic and mathematics that produces a result. Once an algorithm is built to solve a problem, it can be repeatedly used to address different kind of situations. Risk assessment Algorithm approach generally involves applying a mathematical equation to each work unit of the organisations and in calculating their level of risk. These mathematical equations are built using risk factors, and also develop these equations with measures of risk associated with each factor. Risk factors are recognizable, assessable indications of the occurrence of risk. For example, "time factor since last audit" is a common risk factor that explains the weakening of control systems eventually.

A risk model is developed by choosing a number of common risk factors from each work unit of the organisation and by measuring their strengths. This risk model prioritizes and summarizes the overall risk in each work unit of the organisation. Through experience we can know that most risk models work best with four to seven factors. Different models implement different kinds of weights to differentiate between comparative factors. While some models for this process implement similar weights.
All successful algorithms are built by using static or dynamic risk factors. Static risk factors are steady over a period of time and represent the scope of resources like inventory and revenue. Based upon this, static factors are not direct indicators of risk. Dynamic risk factors are unstable over time and therefore require stable monitoring. The sources of risk analysis are generally the origins from where the perilous nature of risks can be viewed and analysed.

So many benefits are associated with the use of the algorithm approach. After checking the algorithm and the validation of the business results the formula can then be used for other units of business as well. Any values that are assumed taking the risk levels into consideration can be stated in a simple manner as they are mostly compiled from mathematical formulas. The algorithm can be implemented for risk assessment as well which requires a wide horizon of knowledge. It requires highly skilled staff in order to comprehend this information. The risk factors used to build these algorithms was based information present in the 80's. It only identified the units that did not work and not a complete threat.

3.3 The Matrix Approach:

A matrix is formed with the organization's business units on one axis and a set of high-level risks on the other axis. The number of risks is usually between 12 and 16, although viable models with as few as four are known. Strategic planners and senior management often favour the matrix approach because of its higher-level focus and graphic display of risk. Alternatively, each business unit may create its own matrix using the same risks, but applying them against smaller work groups within the business unit. These assessments can then be combined to create the organization's total risk matrix.

The basic advantages of this approach are that it can be moulded and easily implemented. The matrix involves a three dimensional view on how risk can be looked at by including the contents in each cell. It also provides a graphical representation of risk and its impact is on a very huge scale. It is quite similar to the algorithm approach as it involves an assessment team that require to be fully trained and should possess a very high level of business acumen so that they can understand the process. It also must be noted that then it is a very challenging task to maintain the matrix as every time a change occurs an assessment must be performed. Tracking these changes are also very difficult as it depends on the level of systems installed. As a result it is difficult to handle matrix when compared to database.

None of the three approaches is universally favoured by risk analysing professionals all the time, depending on the proposed use of the assessment information and on the level of complexity or risk that organisation is willing to accept. The data base approach is the best approach for giving detailed guidance to organisation management and this is the most difficult in implementing and maintaining approach. The algorithm approach is the easiest to maintain but fairly difficult to implement and it is mainly used for the operational management. While coming for the matrix method, it is best for strategic management and this is easiest to implement but difficult to maintain. Finally the internal audit team must give attention to these attributes along with that organisation's intend use of the analysis and available resources to determine which approach is the best and right approach for that organisation.

4. Role of ORA in Project Management:

Most part of project management is dependent upon a master plan, common sense and plenty of what we describe is simply a prearranged approach to what we would do intuitively. After using all these planning, organising and managing resources as well, sometimes project fails. There are many reasons that why projects fail, some of them are listed below.

Poor project specifications
Impractical/ unrealistic timescales
Failure to manage user specifications
Failure to manage the changes required by the core user
Insufficient participation by senior management and staff

The success or failure of any project relies mostly on effective project management skills. The ideal manager should assess the scope and outcomes of the project in a realistic mode by assessing all kinds of possible risks that are associated with the project. No project in this corporate world is immune to risks. Irrespective of size and scope, projects will go through several risks and the damage might effect in carrying out critical tasks. Sometimes, risks are associated with manual or technical miscalculations and sometimes they may simply occur due to pre determined assumptions of the management team.

Assessing and avoiding such risks forms the major part in driving the project to success. But today, most of the managers tend to take this on a lighter note. Sometimes they might totally ignore it thinking that it's impossible to assess the 100 % risk factor and to avoid them. However, there are many risk analysis software's available which makes complex things simple to analyze. These are called risks and threats of a project. In every organisation one risk analysis team will be there to analyse these risks and with the help of this analysis, management should be keep out from these risks in order to ensure the smooth running of the organisation.

This risk analysis is nothing but a systematic approach for describing and calculating risks. It is an important feature of business recovery planning. Normally the process begins when a manager gets to approve a project plan or a business case. He / she should observe and assess all the necessary information and do a primary risk analysis. Depending on the risk factors observed, the manager will consider the necessity to further investigate the risk factors to avoid any possible damage. A risk management plan would then be implemented by manager who monitors and controls the process on a timely basis.

Organisational Risk Analysis is essential for management for getting any possible risks in projects. ORA estimate the feasibility of projects. It also helps determining risks associates in projects. Improper risk analysis can lead to failure of the project. Risks linked with the organisational environment may be general or specific. Organisational Risk Analysis is a process which enables the management of the risks associated with a project. It will increase the probability of successful completion of project. This analysis is a perfect process designed to remove or reduce the risks which threaten the success of project objectives.

There are many reasons for using organisational risk analysis in project management; the main reason is to achieve economic benefits such as cost effectiveness and time efficiency. In any organisation the senior management needs a detailed report on the different kinds of risks that are associated with their projects especially when taking major financial decisions regarding the company. This is also important for project managers who want to improve their work standards i.e. to bring their project budgets down and to complete them in the required time frame. Every organisation across the world spends a high amount of money for the success of projects i.e. known as ‘Cost of the Project'. This risk analysis will also help us to decide whether the strategies we could use to control risk are cost-effective or not. Here we define risk as ‘the perceived extent of possible losses'. One way of putting figures to risk is to calculate a value for it as:

Risk = Probability of Event * Cost of Event

By doing this you can compare risks objectively. We can also use this approach formally in decision making with Decision tree. Once you have worked out the value of risks you face, you can start to look at ways of managing them. While doing this, it's very important to choose cost effective approaches. Thankfully there are best practices which are usually to rate and prioritize the project risks in a rapid and cost-effective manner. Those tools and techniques are: 1) Risk probability and assessment, 2) Probability and impact matrix: It illustrates a risk rating assignment for identified risks. Each risk is rated on its probability of occurrence and impact upon objective. From a spotlight analysis reds (0.720, 0.180 etc) are in the high risk area, yellows (0.090 etc) are medium risk, and greens (0.045, 0.035 etc) are low risk which should just be added to the watch list.

Probability Threats Opportunities 0.900 0.045 0.090 0.180 0.360 0.720 0.720 0.360 0.180 0.090 0.045 0.700 0.035 0.070 0.140 0.280 0.560 0.560 0.280 0.140 0.070 0.035 0.500 0.025 0.050 0.100 0.200 0.400 0.400 0.200 0.100 0.050 0.025 0.300 0.015 0.030 0.060 0.120 0.240 0.240 0.120 0.060 0.030 0.015 0.100 0.005 0.010 0.020 0.040 0.080 0.080 0.040 0.020 0.010 0.005 0.050 0.100 0.200 0.400 0.800 0.800 0.400 0.200 0.100 0.050

General risks relate to the organisational culture e.g. are you trying to bring in a revolutionary change into a self important institution? Information of these sorts should be planned for well in advance, it is especially difficult for project managers who have joined the organisation newly and have not come to terms yet with the working of the organisation. Let us say for example that you are planning to implement a project in finance and just some time back a project similar to this has gone badly wrong or you are trying to bring in some innovative new measures when the companies finances are running low. Such kind of things must be analysed carefully as the success and failure of decisions taken in different parts of the organisation may decide the fate of the success or failure of your project.

By providing an outline for carrying out a detailed risk management programme in the project, we can develop the organisational risk analysis policy. One of the major factors involved in risk analysis is that the aim to separate the major risks involved in the project from the minor risks, they also tend to provide the required information so that the company can cope with the different kinds of risk. Organisational Risk Analysis is not the responsibility of one person or one function; it is a process to be executed throughout the organisation.

The most relevant sources of information should be used for determining the consequence and likelihood. Certain conditions should prevail so that each level of consequence can be used for developing a risk rating. Sources may include:
“Past records — in the organisation, in the group, in the local area, in the country, in the world in similar organisations, in other organisations with similar circumstances.
Relevant experience — of the consultants, and of persons participating in the assessment process.
Relevant published literature — technical, newspapers, magazines, internet, etc.
Specialist and expert judgements — specific to the organisation or industry.
Experiments and prototypes — specific to the project being considered.” (Web3, 2009)

2.4 Summary:
In this chapter we have discussed briefly about the main objectives of this research. Studied about organisational risk analysis and other main parts of this literature review by referring various books, e-books and journals. The post project review is mainly to look at lessons learned and for further improvements of future projects in project management. Unexpected risks may cause major delays and escalating costs. Organisational risk analysis can help in reducing these unpleasant surprises and through my case study I have seen it implemented successfully in many cases. This organisational risk analysis was highly successful and resulted in substantial savings and structured decision making with learning's for the organisation. Flexible development practices and different methodologies using organisational risk analysis make it easier to plan for and handle risk as they occur in organisation while handling the projects. To implement flexible development practices and methodologies, organisations must improve team skills, and review and improve their process for software development and deployment. With these kinds of practices, one organisation can deliver better applications with fewer delays in spite of unexpected problems and many requirements and strategy changes that can happen along the way.
In the next chapter we are going to explore our knowledge towards different research methodologies and briefly describe the methods used for this research.
TIME

COST

SCOPE