Project Risk Analysis for Information Systems



By Lev Virine, Eugenia Virine, Michael Trumper

Calgary, Alberta, Canada




Development and operation of information systems has significant risks and uncertainties.  To minimize the impact and reduce the probability of such risks organizations involved in development of information systems applied project risk analysis and risk management processes. The paper describes how the project risk analysis process is tailored for information system projects. It expands the scope of traditional project risk analysis by utilizing an enterprise risk register. Risks are assigned to different projects within a portfolio, and to different tasks within projects. Quantitative risk analysis using Monte Carlo simulations helps to determine risk adjusted project schedules, rank risks within risk register, and determine efficiency of risk mitigation and response efforts. The process was applied as part of the project management of multiple information system projects worldwide.


Most information system projects include significant research and development components. Such projects have substantial risks and uncertainties. Such risks can affect project schedules and costs, as well as other objectives such as security, technical performance, and others. Many information system projects are delayed, completed over budget or even canceled and lead to significant losses for organizations     .

One of the solutions to improve management of information system projects is project risk analysis using Monte Carlo simulations (Agarwal and Virine 2017). Monte Carlo simulations of project schedules have become one of the foundations of quantitative project risk analysis (Salkeld 2016, Vanhoucke 2016, Wanner 2013). Monte Carlo method is used to approximate the distribution of potential results based on probabilistic inputs. Each simulation is generated by randomly pulling a sample value for each input variable, such as task duration or cost from its probability distribution. These input sample values are then used to calculate the results: project duration, start and finish times, success rate, work, cost, and others. This procedure is iterated until the probability distributions are adequate enough to represent the full range of possible outcomes (Kashyap, H. 2016).

This ‘traditional’ Monte Carlo method for schedule risk analysis based on statistical distributions of task durations, cost and other parameters has a number of short comings (Vose 2008). Particularly defining distributions is not a trivial process. It is difficult to elicit distribution parameters from subject matter experts. Also project managers perform certain recovery actions when a project slips. These actions in most cases are not taken into account by Monte Carlo (Williams, 2004).

The one of the solutions is to combine risk events with statistical distributions. Project risk analysis with events has been used since the early 2000s (Virine & Trumper 2013). This approach is sometimes referred to as “Risk Drivers” (Hulett 2009, Hulett 2011). From the computational perspective, using statistical distributions and risk events are very similar. Such event-driven project risk analysis based on Monte Carlo simulation would be applicable for the analysis of information system projects.

Quantitative Risk Analysis Process

Quantitative schedule and cost risk analysis involves five basic steps:

  1. Risk identification and determining risk properties including risk probability and impact
  2. Assigning risks and uncertainties to project activities and resources
  3. Running Monte Carlo simulation of project schedules using critical path method
  4. Analyzing the results: creating a risk adjusted project schedule, determining critical tasks and critical risks, determining the probability that the project will be completed on time and on budget.
  5. Measuring effectiveness of project controls with risks and uncertainties.

Figure 1 shows quantitative schedule and cost risk analysis.

Figure 1.  Quantitative schedule and cost risk analysis

The process is actively used in different industries, including aerospace and defense, pharmaceutical, construction, oil and gas, financial services, and others. However application of project risk analysis to management of information systems remains limited because of the following reasons (Sherer, Susan & Alter, Steven 2004):



To read entire article, click here


How to cite this paper: Virine, L.; Virine, E.; Trumper, M. (2020). Project Risk Analysis for Information Systems; PM World Journal, Vol. IX, Issue VI, June.  Available online at https://pmworldlibrary.net/wp-content/uploads/2020/05/pmwj94-Jun2020-Virines-Trumper-project-risk-analysis-for-information-systems.pdf



About the Authors


Lev Virine, PhD

Intaver Institute
Alberta, Canada


Lev D. Virine, Ph.D. has more than 25 years of experience as a structural engineer, software developer, and project manager. He has been involved in major projects performed by Fortune 500 companies and government agencies to establish effective decision analysis and risk management processes as well as to conduct risk analyses of complex projects. Lev’s current research interests include the application of decision analysis and risk management to project management. He writes and speaks around the world on the decision analysis process, the psychology of judgment and decision-making and risk management. Lev can be contacted at lvirine@intaver.com


Eugenia Virine, PMP

Alberta, Canada


Eugenia Virine, PMP, is a senior manager for revenue development at Greyhound Canada. Over the past 12 years Eugenia has managed many complex projects in the areas of transportation and information technology. Her current research interests include project risk and decision analysis, project performance management, and project metrics. Eugenia holds B. Comm. degree from University of Calgary.


Michael Trumper

Alberta, Canada


Michael Trumper has over 20 years’ experience in communications, software design, and project risk and management. Michael is a partner at Intaver Institute Inc., a vendor of project risk management and analysis software. Michael has authored papers on quantitative methods in project estimation and risk analysis. He is a co-author of two books on project risk management and decision analysis. He has developed and delivered project risk analysis and management solutions to clients that include NASA, DOE, and Lockheed Martin.