1

Chapter 10:
Project Risk Management
adopted from PMIs PMBOK 2000 and
Textbook : Information Technology Project Management
2
Contents
The Importance of Project Risk
Management
Project Risk Management process
Risk management planning
Risk identification
Qualitative risk analysis
Quantitative risk analysis
Risk response planning
Risk monitoring and control
Results of good project risk management
Chapter 10
3
Typical Risk
Management
4
The Importance of Project Risk
Management
Project risk management is the art and science of
identifying, assigning, and responding to risk throughout
the life of a project and in the best interests of meeting
project objectives
Risk management is often overlooked on projects, but it
can help improve project success by helping select good
projects, determining project scope, and developing
realistic estimates
Study by Ibbs and Kwak show how risk management is
neglected, especially on IT projects
KPMG study found that 55 % of runaway projects did no
risk management at all
Chapter 10
5
The goal of project risk management is to
minimize potential risks while maximizing
potential opportunities.
Six processes include
Risk management planning
Risk identification
Qualitative risk analysis
Quantitative risk analysis
Risk response planning
Risk monitoring and control
What is Project Risk Management?
Chapter 10
planning
controlling
6
What is Project Risk Management?
Risk management planning:
deciding how to approach
and plan the risk management
activities for the project
Risk identification:
determining which risks are
likely to affect a project and
documenting their
characteristics
Qualitative risk analysis:
characterizing and analyzing
risks and prioritizing their
effects on project objectives
Quantitative risk analysis:
measuring the probability and
consequences of risks
Risk response planning:
taking steps to enhance
opportunities and reduce
threats to meeting project
objectives
Risk monitoring and
control: monitoring known
risks, identifying new risks,
reducing risks, and evaluating
the effectiveness of risk
reduction
Chapter 10
7
Risk Management Planning
15
th
of 21 planning phase process
The main output of risk management planning is
a risk management plan
The project team should review project
documents and understand the organizations and
the sponsors approach to risk
The level of detail will vary with the needs of the
project
Chapter 10
8
Inputs to Risk Management Planning
Project charter: formally recognizes the existence of a
project
Organizations risk management policies: provide a
predefined approach to risk analysis and response
Defined roles & responsibilities: provide authority levels
for decision-making.
Stakeholder risk tolerances: indicators of how
stakeholders might react in different situations and risk
events
Template for the organizations risk management plan:
pro-forma standard for used by the project
WBS: a deliverable-oriented grouping of project elements
that organized and defines the total scope of the project
9
Tools and technique
Planning meetings
everyone responsible for planning and
executing activities.

10
Output
Risk management plan
It documents procedures for managing risk
throughout the project
It details identification and quantification of
risk, responsibilities for managing risks, how
contingency plans will be implemented, and
how reserves will be allocated.
other associated documents are
Contingency plan, feedback plan

11
Contingency and Fallback Plans,
Contingency Reserves
Contingency plans
provide predefined actions that the project team will
take if an identified risk event occurs
Fallback plans
developed for risks that have a high impact on meeting
project objectives
Contingency reserve or allowances
extra provisions held by the project sponsor that can
be used to mitigate cost or schedule risk if changes in
scope or quality occur
Chapter 10
12
Risk Identification
16th of 21 planning phase process
Risk identification is the process of
understanding what potential unsatisfactory
outcomes are associated with a particular project
Risk identification is a facilitating planning
process
Common Sources of Risk on Information Technology
Projects
Several studies show that IT projects share some
common sources of risk
13
Table 10-3. Information Technology
Success Potential Scoring Sheet
Success Criterion Points
User Involvement 19
Executive Management support 16
Clear Statement of Requirements 15
Proper Planning 11
Realistic Expectations 10
Smaller Project Milestones 9
Competent Staff 8
Ownership 6
Clear Visions and Objectives 3
Hard-Working, Focused Staff 3
Total 100
Chapter 10
14
Other Categories of Risk
Market risk:
Will the new product be useful to the organization or
marketable to others? Will users accept and use the
product or service?
Financial risk:
Can the organization afford to undertake the project?
Is this project the best way to use the companys
financial resources?
Technology risk:
Is the project technically feasible? Could the
technology be obsolete before a useful product can be
produced?
Chapter 10
15
Tools and Techniques
Documentation reviews
provide a structure review of project plans and assumptions
Information gathering
brainstorming, Delphi method, interviewing. SWOT analysis
Checklists
provided by previous projects.
Assumptions analysis
explores the assumptions and identifies potential risks
Diagramming techniques
help to understand various cause-and-effect relationships.
Examples are cause-and-effect diagram. System or process flow-
charts.
16
Outputs
Risks uncertain events or condition
Triggers symptoms of risks; indirect
manifestation or actual risk events such as
poor morale
Inputs to other processes for examples,
constraints or assumptions

17
Qualitative Risk Analysis
Qualitative Risk Analysis (17th of 21
planning phase process)
It is the process to assess the impact and
likelihood of identified risks.
determine their magnitude and priority
Chapter 10
18
Inputs:
Risk management plan
It documents procedures for managing risk throughout the
project.
Identified risk
taken from previous risk identification process. Evaluate these
risks for their potential impacts no the project.
Project status
identifies risks through the project life cycle
Project type
determines the amount of risk you can expect. Common or
recurrent projects have less risk, while state-of-the-art, first-time
technology, or highly complex projects have more uncertainty.
19
Inputs
Data precision
tests the value of data. Data precision
measures the extent of data available,
reliability of the data, and source of the data
Scales of probabilities and impact
assess the two key dimensions of risk
(probability and impact)
Assumptions
identified during risk identification process.
These are used as part of evaluations.
20
tools and techniques
Risk probabilities & impact the two dimensions of
specific risks. Risk probability is the likelihood that a risk
will occur. Risk consequences (or impact), are the effect
of project objectives if the risk event occurs
Probabilities / Impact risk rating matrix (also known as
PI risk matrix)
Project assumptions testing performed against 2 criteria:
assumption stability and the consequences on the project
if the assumption is false.
Data precision ranking technique to evaluate the degree
to which the data is useful for risk management. Data
should be unbiased and accurate
21
Figure 10-2. Chart Showing High-,
Medium-, and Low-Risk Technologies
22
Top 10 Risk Item Tracking
Top 10 Risk Item Tracking is a tool for
maintaining an awareness of risk
throughout the life of a project
Establish a periodic review of the top 10
project risk items
List the current ranking, previous ranking,
number of times the risk appears on the list
over a period of time, and a summary of
progress made in resolving the risk item
Chapter 10
23
Table 10-7. Example of Top 10
Risk Item Tracking
Monthly Ranking
Risk Item This
Month
Last
Month
Number
of Months
Risk Resolution
Progress
Inadequate
planning
1 2 4 Working on revising the
entire project plan
Poor definition
of scope
2 3 3 Holding meetings with
project customer and
sponsor to clarify scope
Absence of
leadership
3 1 2 Just assigned a new
project manager to lead
the project after old one
quit
Poor cost
estimates
4 4 3 Revising cost estimates
Poor time
estimates
5 5 3 Revising schedule
estimates
24
Expert Judgment
Many organizations rely on the intuitive
feelings and past experience of experts to
help identify potential project risks
Experts can categorize risks as high,
medium, or low with or without more
sophisticated techniques
Chapter 10
25
Output
Overall risk ranking for the project
List of priorities risks
List of risks for additional analysis and
management
Trends in qualitative risk analysis results
26
Quantitative Risk Analysis
18th of 21 planning phase process
A process that numerically analyses the
probability of each risk and its consequence on
objectives.
Often follows qualitative risk analysis, but both
can be done together or separately
Large, complex project involving leading edge
technologies often require extensive quantitative
risk analysis
Chapter 10
27
Inputs
Risk management plan
Identified risk
List of prioritized risk
List of risk for additional analysis & management
Historical information
Expert judgment
determines whether risks have a probability of
occurrence (ranked H, M, L) and the level of impact
(ranked Severe, moderate or limited)
Other planning outputs
28
Tools and techniques
Interviewing: using projects stakeholders and subject
matter experts to quantify the probability and
consequences of risk on project objectives.
Sensitivities analysis: help to determine which risks have
the greatest impact on the project. It is the simplest form
of risk analysis. Sensitivity analysis examines the change
of a single project variable to analyze its effect on the
project plan.
Decision tree analysis : identify possible options or
outcomes. It forces consideration of the probability of
each outcome
Simulation : uses a model of system to analyze the
behavior or performance of the system. Examples are
Monte Carlo, Critical Path and PERT.
29
Decision Trees and Expected
Monetary Value (EMV)
A decision tree is a diagramming method
used to help you select the best course of
action in situations in which future
outcomes are uncertain
EMV is a type of decision tree where you
calculate the expected monetary value of a
decision based on its risk event probability
and monetary value
Chapter 10
30
Figure 10-3. Expected Monetary
Value (EMV) Example
31
Simulation
Simulation uses a representation or model of a
system to analyze the expected behavior or
performance of the system
Monte Carlo analysis simulates a models
outcome many time to provide a statistical
distribution of the calculated results
To use a Monte Carlo simulation, you must have
three estimates (most likely, pessimistic, and
optimistic) plus an estimate of the likelihood of
the estimate being between the optimistic and
most likely values
Chapter 10
32
Risk Response Planning
19th of 21 planning phase process
Involves developing options and
determining actions to enhance
opportunities to reduce threats to project
objectives.
After identifying and quantifying risk, you
must decide how to respond to them
Chapter 10
33
Inputs
Risk management plan - It documents procedures for
managing risk throughout the project.
List of prioritized risk - includes those grouped by ranks,
WBS level, risks requiring immediate response, risk that
can be handled later, and risk that affect cost, schedule,
functionality and quality.
Risk ranking of the project indicates that overall risk
position of a project relative to other projects by
comparing risk scores.
Prioritized list of quantified risks identifies those that
pose the greatest threat or opportunity to the project and
proposes some means of measuring their impact
34
Inputs
Probabilities analysis of achieving the cost and time objective
assessed under the current project plan and with the current
knowledge of the project risks
List of potential response identifies specific risks or categories of
risk. These list specify the actions the team will take.
Risk thresholds the acceptable level of risk to the organization,
which influences risk response planning
Risk owners identifies staff to provide accountabilities for
managing responses.
Common risk causes several risks driven by a common causes. This
reveals opportunities to mitigate many risks with one response.
Trends in qualitative & quantitative risk analysis result - become
apparent as the analysis is repeated can make risk response more or
less urgent and important.

35
Table 10-8. General Risk Mitigation Strategies for
Technical, Cost, and Schedule Risks
Chapter 10
36
Tools and techniques
Risk avoidance: eliminating a specific threat or
risk, usually by eliminating its causes
Risk acceptance: accepting the consequences
should a risk occur
Risk transference: shifting the consequence of a
risk and responsibility for its management to a
third party
Risk mitigation: reducing the impact of a risk
event by reducing the probability of its
occurrence

37
Outputs
Risk response plan
Residual risks
remain after avoidance, transfer, or mitigation
responses have been taken.
Secondary risk arise in direct result of
implementing a risk response.
Contractual agreements
Contingency reserve amounts needed
Inputs to other processes
Inputs to a revised plan
38
Risk Monitoring and Control
8 of 8 controlling phase process
This is the process of keeping track of the
identified risks, monitoring residual risk and
identify new risks, ensuring the execution of risk
plans, and evaluating the plans effectiveness in
reducing risk.
Monitoring risks involves knowing their status
Controlling risks involves carrying out the risk
management plans as risks occur
Workarounds are unplanned responses to risk events
that must be done when there are no contingency plans
Chapter 10
39
Risk Response Control
Risk response control involves executing
the risk management processes and the risk
management plan to respond to risk events
Risks must be monitored based on defined
milestones and decisions made regarding
risks and mitigation strategies
Sometimes workarounds or unplanned
responses to risk events are needed when
there are no contingency plans
Chapter 10
40
Using Software to Assist in
Project Risk Management
Databases can keep track of risks. Many
IT departments have issue tracking
databases
Spreadsheets can aid in tracking and
quantifying risks
More sophisticated risk management
software, such as Monte Carlo simulation
tools, help in analyzing project risks
Chapter 10
41
Results of Good Project Risk
Management
Unlike crisis management, good project
risk management often goes unnoticed
Well-run projects appear to be almost
effortless, but a lot of work goes into
running a project well
Project managers should strive to make
their jobs look easy to reflect the results of
well-run projects
Chapter 10
42
Outputs
The main outputs of risk monitoring and control
are corrective action, project change requests,
and updates to other plans
Corrective action: This encompasses anything that
brings your expected performance back in line with
the project plan. At this stage, it involves carrying out
either your contingency plan or workaround.
Project change requests: Implementing a contingency
plan or workaround frequently requires changing the
risk responses described in the project plan. Know the
process flow and feedback loop.
43
Outputs (2)
Updates to risk response plan: Document the risks that
occur. Risks that don't occur should also be noted and
closed out in the risk response plan. It's important to
keep this up-to-date, and it becomes a permanent
addition to project records, eventually feeding into
lessons learned.
Workaround plans
Risk database
Updates to risk identification checklists

44
Summary
Project Risk Management
is the art and science of identifying, assigning, and responding to risk
Project Risk Management process
Risk management planning: deciding how to approach and plan
the risk management activities for the project
Risk identification: determining which risks are likely to affect a
project and documenting their characteristics
Qualitative risk analysis: characterizing and analyzing risks and
prioritizing their effects on project objectives
Quantitative risk analysis: measuring the probability and
consequences of risks
Risk response planning: taking steps to enhance opportunities
and reduce threats to meeting project objectives
Risk monitoring and control: monitoring known risks,
identifying new risks, reducing risks, and evaluating the
effectiveness of risk reduction
45
Summary 2
Tools
charts
risk item tracking
expert judgment
decision trees
expected monetary value (EMV)
Using software to assist project risk management
database, simulation, Monte Carlo
Results of good project risk management
unusually un-notice, look easy but require a lot of
good risk management