Literature Review on Risk Management

Literature Review on Risk Management Software Project Management (CI6113) Title: Reviewing the Past Research Papers on Risk Management Abstract Risk Management is nowadays the important research topic in the many critical business areas and industrial areas. Project teams do not achieve their projects goals of reducing cost and gaining much profit without assessing risks and managing risks. This term paper analyzes research papers done by many researches in the field of the Risk Management within 2000 and 2007 and describes the results of the analysis of those research papers. Our goal of this paper is to inference and to justify the trend of the Risk management in research areas and business areas. There are many topics in the Risk Management such as Risk Analysis, Risk Assessment, Risk Control and others. This paper’s analysis path is starting from the project risk identification and end with the risk control topic. This paper provides the results what the gaps between researches are. Furthermore, this paper learns briefly what the problems and trends before year 2000 are. Introduction This paper examines the results of the past research papers published from 2000 through 2007. We focus on Risk Management and their related topics. In addition, we also examine the trends of the Risk Management within this period. We analyze which topic had been researched most in a particular year and which methods were used in that year. This paper learns publications issued by year by year and group them in each year. In addition, we analyze the topics which are relating to the specified topic. We found trends of the research in a year while we were learning them. According to the past results came from publications, we can make sense of mind for future of the Risk Management. This paper examines the situation which can become in future according to the study. Background Many project managers and strategic management are concerning about risks in long term strategic basic. So, we need to learn the risks. Risk is the uncertainty in the life cycle of the project. In 2003, Webster’s New Explorer College Dictionary defines the risk as â€Å"the possibility of danger and sufferance of harm or injury†. Risk cannot be seen without any emphasize upon it. In addition, risks can also give hopes to the successful project. So, if risks which cannot be seen before could be found and assessed then the proposed project will be successful. But risks found and assessed can never be avoided. It can be reduced by using the some techniques or adjustments. Some risks can be ignored without any executing. Risk may terrify to some persons related to the project because if it could not be uncovered, the team may incompetent in managing the project. According to the problems, risk management was critical issue of the project management. Researchers were doing researches to reduce and manage the risks which can be encountered in a project. People in the business areas were also finding the ways how to ignore the encountered risks. Some are finding how to control the risks. In addition, they were finding what risks can violate the project management unless they did not control the risks encountered. A risk which encounters in a year is not the same as the problem in another year. Because of the nature of project which depends on the World’s business. As changing the nature of the business, the nature of the risks is becoming change. Furthermore, research area is also changing according to the nature of the risk. So, the research trend for a year may not same as the trend of another year. To learn the research trend turmoil, we need to learn publications issued from 2000 through 2007. The next section will explain the importance of our paper. Situation of the paper There are many researches for the project management. Past research (Timothy Warrren, 2002) had done a research for the whole project management. It covered research published in English from 1960 through 1999. This paper covered within the period of 2000 and 2007 learned the topics of the risk management. We separated the research areas according to the Project Management Body of Knowledge (PMBOK). These are Risk Identification and Assessment, Risk Qualification, Risk Response Development and Risk Control. Objectives of the paper The objective of this paper is to learn the trend of the Risk Management in past research publication. We restricted the period to be learned for each topic. This paper is intended to learn that how the risks emerged during the project time, is handled using which tools and methods. This paper intended to find the gaps between researches in each year and whole period of year 2000 and 2007. The paper learned only risk management out of topics of project management for the period. So, the other topics can be learned like our paper. These are Communication, Cost, Procurement, Human Resource, Outsourcing, Integration, Quality, Scope and Time Management. Literature review In this era, many companies conduct a great portion of their jobs in project form. Traditionally projects were mainly found in the construction industry and sections of the military, but the competitiveness of the markets of today with fast-changing technology encourages almost all companies to adopt project management (Burke 2003). Project management is the application of knowledge, skill, tools and techniques to project activities to meet project requirement. Project management is accomplished through the use of the processes such as: initiating, planning, executing, controlling, and closing (PMBOK guide 2000). Because of global economical pressures, turbulence in the corporate environment and market forces leading to the increasing demands and tougher competition projects have to be implemented at lesser time, cost and with better functionalities. This causes growing demands on the management’s ability to forecast and react to unforeseeable events- risks. Risk is an abstract concept whose measurement is very difficult (Raftery, 1994). The Oxford Advanced Learner’s Dictionary – 5th Edition defines risk as â€Å"The possibility or chance of meeting danger, suffering loss or injury†. The British Standard BS 4778 defines risk as â€Å"A combination of the probability, or frequency, of occurrence of a defined hazard and the magnitude of the consequences of the occurrence†. Risk may be expressed in a mathematical form as follows: Risk = (Probability of the occurrence of a defined event) x (Consequences of the occurrence of that event) Therefore, risk management is nowadays a critical factor to successful project management. Overview of Risk Management Project risk management is the art and science of identifying, analyzing, and responding to risk throughout the life of a project and in the best interests of meeting project objectives. (Schwalbe, 2006) Risk management has been practiced informally by everyone, with or without conscious of it, since the dawn of time. Modern risk management, which had become a widely accepted management function during the period from 1955-1964 (Snider, 1991) has its roots in insurance to which it has been closely aligned for more than three centuries (Ibid). The story of risk management has not all been positive and supports the argument that it is currently ineffective at managing surprise. In the 1960’s project management was under heavy criticism for project failures due to technical uncertainty, contact strategy, community opposition and project environmental impacts (Morris, 1997). A project manager may still today argue that the last two are external project factors and outside the immediate project environment under their control (Ibid) and it may be often assumed that these will be passed up the line to higher management levels (Chapman Ward, 1997). The main objectives of risk management include (Yee et al., 2001): To enable decision-making to be more systematic and less subjective. To provide an improved understanding of the risks facing a project by identifying risks and response scenarios. To assist in deciding which risks require urgent attention and which can be addressed later. To force management to realize that there are many possible outcomes for a project, and appropriate measures should be planned for any adverse consequences. Flanagan and Norman (1993) proposed a risk management framework as shown in Fig.3.1 which depicts the elements of the risk management system – risk identification, risk classification, risk analysis, risk attitude and risk response. Risk Identification Risk Classification Risk Analysis Risk Response Risk Attitude Figure 2.1 Risk management Framework (Source: Flanagan Norman, 1993) According to (PMBOK, PMI 2000) and (Schwalbe 2006), Project Risk Management has following processes Risk Management Planning Risk Identification Qualitative Risk Analysis Quantitative Risk Analysis Risk Response Planning Risk Monitoring and Control The following Fig.3.2 depicts how risk management processes involved in each of the project management process Initiation Planning Executing Controlling Closing Risk Identification Risk Identification Risk Response Control Risk Quantification Risk Response Development Fig 2.2 Risk Management Processes in each Project Management Process (Source: Dan Brandon, 2006) Risk management will not eradicate all the risks. It will enable decision to be made explicitly which will reduce the potential effect of certain risks. It will also assist in rational, defensible decisions regarding the allocation of risk among the parties to the project. Risk analysis is not a substitute for professional judgments and experience. On the other hand, it helps professionals to make use of the full extent of their experience and knowledge by liberating them from the necessity of making simplifying assumptions in order to produce deterministic plans and forecasts. Risk analysis is supplement to, not a substitute for professional judgments. Recent Approaches to Risk Management Project risk management is a topic of major current interest. It is being actively addressed by many government agencies and most of the professional project management associations around the world, and many relevant standards are extant or being developed. Some examples from the many approaches in use include: (Cooper D., Grey S., Raymond G., Walker P., 2005) Project Management Institute (PMI), USA (2003), Project Management Body of Knowledge, Chapter 11 on risk management; Association for Project Management, UK (1997), PRAM Guide; AS/NZS 4360 (2004), Risk Management, Standards Association of Australia; IEC 62198 (2001), Project Risk Management—Application Guidelines; Office of Government Commerce (OGC), UK (2002), Management of Risk; and Treasury Board of Canada (2001), Integrated Risk Management Framework We fill the research gap in risk management field from year 2000 to 2007. Methodology We conduct a quantitative bibliographic study on pass papers published from year 2000 to 2007. We collected papers and journals from electronic databases– ACM, IEEE and ProQuest. Our objective of this paper is to find the current research trend on Risk Management by analyzing and categorizing those research papers. Project Risk Management Research It is the process of finding what current researchers are emphasizing in. It includes defining the current works on project management, particularly on Risk Management articles and papers. Then make generalized conclusion based on collected and analyzed works. This conclusion or judgment is made based on project risk management processes– risk management planning, risk identification, qualitative risk analysis, quantitative risk analysis, risk response planning, risk monitoring and control (PMBOK 2000, Schwalbe 2006). Sources of data We collected articles and papers published in years 2000 to 2007 from these databases which are known to be rich information about project management. ACM Digital Library ACM digital library includes magazines, journals, transactions, publications by affiliated Organizations, SIG news letters, Conference Proceeding Series. ACM digital library provides service for individual, universities, libraries and corporations. We find that risk management is one of the research fields in many businesses and industries. ACM includes diversity of business and industrial processes which enables us to inference the future trend in different fields. IEEE Explore To support our conclusion and get strong analytical results, we also collect articles and papers from IEEE explore which has more technical articles and papers than ACM digital library. It includes 1,682,970 online documents to be referenced. ProQuest Another supporting database which we extracted articles and papers is ProQuest. That includes ABI/INFORM databases, dissertation and theses, etc. Data analysis from that database will be icy on our research cake Data selection from the databases We conduct full text search in above databases using author, title, keywords based on year. Then tasks are separated among us based on years and combined later. Papers and articles are found based on the following criteria: Keywords: Risk Management, Risk Identification, Risk Analysis, Risk Transfer, Risk Control, Risk Response Years: 2000 to 2007 Output format and research data representation Output format will be as the following: Researchers Title Database Risk Category Year Business Category Sub Category Method The papers and articles are attached in the appendix B. We classified each paper into specific risk management processes (PMBOK 2000, Schwalbe 2006). We also analyzed which business category that each paper falls into and which specific method do they use in conducting the specified risk management Process. To get the consistent taxonomy in risk management, we identified the papers and articles into the categories guided by (PMBOK 2000, Schwalbe 2006). They are: Risk Management Planning: This is how businesses and industries plan and handle for risk. Risk Identification: This is how businesses and industries emphasize on identification of risk throughout their organizational processes. Risk Analysis: This involves how organizations conduct quantitative and qualitative risk analysis based on sampling and probability/impact matrixes. Risk Response Planning: This shows how organizations develop risk response strategies like how to avoid, how to have tolerance, how to mitigate risk, how to transfer risk etc. Risk Monitoring and Control: This involves how organizations monitor the identified risks, new risks through out the execution of the projects. Business and industrial categories are identified as follow: Construction Education Finance Healthcare Insurance Information Technology Disaster E-commerce E-banking Internet Business Information Security Software development Maritime Marketing Organizational Process Pure General Research Terrorism We also found that information technology risk management plays a great role in modern businesses and industries because of wider usage of internet and web technologies. Our analyzed data will be represented in pie chart, bar chart and line chart by comparing different categories, different risk manage processes, different years etc. Data Collection and Analysis Data Collection We used digital databases web site – ACM, IEEE and ProQuest for scholar paper and articles and the existing search engines – google and yahoo. But we are not unable to get some papers from the search engines. So, we used these to get only information which papers are located in which databases. Using information returned from the search engines, we search the desired papers in the databases. The following chart, Fig 1 shows the state of the materials found in the three sources – ACM, IEEE and ProQuest. Figure 1 Distribution of papers There are 113 papers found in those databases. We summarized the papers found in the three sources. We categorized by the papers by using PMBOK guide. We provided the Risk Analysis, Risk Assessment, Risk Control, Risk Response and Risk Identification. The following diagrams show the results. We learned that ACM database has more papers related to the risk management as in Fig 2. Other two databases have papers. But some papers are general for risk management. So, we discarded the papers and then we collected the more specified papers which are related to the above titles. We prepared the results with some charts as shown in below figures. Figure 2 Research papers found in ACM database by category Figure 3 Research papers found in IEEE database by category Figure 4 Research papers found in ProQuest database by category The above figures, Fig 2, Fig 3, Fig 4 show that the papers found in the ACM, IEEE, ProQuest database are shown by categories. Risk analysis is mostly conducted by majority of researchers. It was conducted mostly in year 2005 and 2006. Risk assessment and risk response research areas are fewer than other risk management process areas. Research for risk response is very rare, not fairly distributed and found in certain year. Data Analysis The trends of the risk analysis for the year 2000-2007 are shown in graph, Fig 5. We learned that IT project management was highest in recent 7 years. Figure 5 Trends in different business and industries within year 2000-2007 Information Technology We learned that there are varieties of IT projects. We categorized it as follow. Software Development E-Banking Disaster Information Security E-Commerce Internet Business When we categorized these topics, we found that some fields are ambiguous to group them. Some fields are software performance testing and fields emerged after the development phase. We grouped these fields were in the Software Development part. We grouped Networking security and other Internet security fields into the Information Security part. We formed a group for the Internet Banking as a E-Banking. In the Disaster group, we put the some disasters in the Disaster parts. These disasters sometime can be seen when processing some tasks in IT such as software error, hardware crash, and wrong information usages. We collected the potential security risks and group them into the Information Security group. Internet Business can be confused with E-Commerce and E-Banking. We intended the Internet Business to group the fields of the some businesses which are using Internet and make transactions via internet such as Online Registration. We found that Software Development risk analysis is most famous. In 2006, Software Development trend is the more than year 2005 and 2007. But year 2007 is not ended. So we can’t make any decision for that year. Figure 6 Risk management processes in different information technology fields Internet Business is the second thing to be learned. But Information security is down in 2006. Internet Business is coming up. Construction Construction group has the fields of which are architectural fields and construction works. We learned that in 2000 and 2001, there are some interests upon that field. In 2001, the construction field can be seen as a hottest field. Education We grouped the some fields in to Education group that fields are Education fields, learning methods in Education. The research related with the Education can be seen in the year 2004 only. Finance Finance group is wide. We formed the Finance group for some fields that are Cost Estimation, Accounting, Management Accounting and Banking. The finance is most famous in 2004. In the subsequence year, trend for the finance is running down to bottom. Healthcare We collected the data for the healthcare. But it is difficult to collect for the healthcare. We learned that in 2005, healthcare was appropriate level. But later, we cannot see it until 2007. Marketing In 2002 and 2005, marketing was in regular level. In 2003 and 2006, it was high up to 2. So, we learned that marketing was the regular level. Organization In the organization group, we combine the Oil Field, NASA, and some other organization-oriented fields. There are some researches for the organization in every year. There are some researches in the organization group within 2002 and 2006. Terrorism Terrorism was the new emerging fields after 9/11 problem. But later, we were not available for that field later years. This group is an exception for the risk management. But it is one thing to be considered later. Maritime Maritime was the individual fields. We did not combine any fields to that group. This category can be seen in only 2001. Insurance Insurance is the same as the Maritime. We learned that that group is only one field. We learned that the field was in the 2004 and 2005. But Insurance can become an interesting topic in future. General In General group, we combine other fields such as some theory approves and lecture views. Before conclusion section, we intended to present the findings as summary of data collection and analysis. Risk management is the sub-set of Project management. In academic field, risk management researches are becoming increasingly. According to our analysis, risk management researches related to Information Technology are highest topic of the research filed. But one of our exceptional cases is that we need to learn many research papers from many databases. We studied only three databases and 113 research papers. If we learned more papers, we can get more perfect result. In this paper, we categorized only 11 fields. It is general for the risk management. To get the better result, we also need to categorize the exact fields out of many fields. We can also categorize the risk management fields more according to the PMBOK guide. Conclusion and recommendation Business organization and industries suffer from lost and harm because of poor handling in risk management. They have been enduring the agonizing outcomes of failure in the form of unusual delays in project completion, with cost surpassing the budgeted cost and sometimes failed to meet quality standards and functional requirements. Competition among rivals makes the companies to deliver projects in less time and cost with better functionality. Risk management is a predefined and structured approach for identifying and analyzing potential risks associated with a project so that effective risk treatment can be done at the lowest cost. It is not impossible to eliminate all risk and costly to overdo risk management, but it is also unwise to think of eliminating risk. There will be, sometimes, positive risks those will lead to profit if properly analyzed and identified. Our term paper provides an analysis on papers and articles and conduct bibliographic study by particular risk management process and business category. Risk management researches are mostly done in mission critical environments and risky projects. As internet booms, information security and e-business issues are associated with a lot of risks. We found that majority of research papers are related to information technology in last decade. Risk in credit portfolio management, supply chain, pricing and insurance fields are also researched as they are related to financial lost and harm. Though risk management can offer significant benefits to a project in order to reduce nasty surprises and identify and act upon opportunities, it is, however, not a ‘panacea’ for the problems and surprises which befall many projects and should not be seen as the ‘silver bullet of project management’ (Pavyer, 2004) as Murphy’s Law is the governing law of project management: if something can go wrong, will go wrong. As we collected from three databases, mainly from ACM, our result can be a little affected by other finding and papers. Results will be slightly different as we go though several databases. Even thought we titled to 2007, we believe that other findings and papers will come out during this year. But based on our analysis, some inferences and emerging trends can be seen. Recommendations As people and management are aware of the importance of risk management processes, it would be more affective and appropriate to put more emphasis on formal and or informal education and training to further enhance their awareness of risk management. Formal education could be graduate studies in financial project management, software project management and construction project management etc. Informal education and training could be in the form of career development programs or workshops within organization or organized by academic institutions or professional seminars. Each organization should have own risk management plan, risk response plan, and human risk factors plan. Risk management team should be formed according to project manager’s guidelines and organizational goals. Project manager must aware of current risk management trends and technological trends for long term strategic planning. Researchers on risk management should cooperate and conduct on research areas which have been done less like autonomous agent systems, spacecraft systems, information security management. Appendix A. Reference Burke, R. (2003). â€Å"Product Management.† Biddles Ltd, Guildford. Brandon, D. (2006) â€Å"Project Management for Modern Information Systems† IRM Press Cooper D., Grey S., Raymond G., Walker P., (2005) Managing Risk in Large Projects and Complex Procurements. Chapman, R. J., and Ward, S. (1997). â€Å"Project Risk Management Processes, Techniques and Insights† John Wiley Sons, Chichester, UK. Flanagan, R., and Norman, G. (1993). Risk Management and Construction, Blackwell, Oxford, UK. Pavyer, E. (2004). â€Å"Evaluating Project Risk.† Strategic Risk Management, Auguest 2004, 24-25 Project management institute (2000). â€Å"A Gide to Project Management Body of Knowledge† Project management institute, 6 Raftery, J. (1994). Risk Analysis in Project Management, E FN SPON, London, UK. Snider, H. W. (1991). â€Å"Risk Management: A Retrospective View.† Risk Management April, 47-54 Schwalbe, K. (2006). â€Å"Information Technology Project Management.† Thomson Course Technology, 425 Yee, C. W., Chan, P., and Hu, G. (2001). Construction Insurance and Risk Management- A Practical Guide for Construction Professionals, The Singapore Contractors Association Ltd., Singapore. Appendix B. List of papers Researchers Title Database Risk Category Year Business Category Sub Category Steven L. Cornford, Martin S. Feather,John C. Kelly, Timothy W. Larson, Burton Sigal,James D. Kiper Design and Development Assessment ACM Risk Assessment 2000 IT Mary Sumner Enterprise Wide Information Man