Project Risk Management

Compiled by Muhammad Aleem Habib June 25, 2013 Information derived from PMBOK & Rita Mulcahy

What is Project Risk Management?
• Project risk management is actively managing the risks on your project • The goal of risk management is to be more proactive and less reactive

Why Risk Management
• A project manager‟s work should not focus on dealing with problems; it should focus on preventing them. • How would it feel to say, “No problem; we anticipated this, and we have a plan in place that will resolve it”. • Performing risk management helps prevent many problems and helps make other problems less likely

it is a reality). there is a 0% chance your project will be adequately funded. this is not a risk. there is no risk • (example.What is a Risk? • A risk is an uncertain event that could have a positive or negative effect on your project • * This means there is a probability between 1-99% that the event could occur • If there is a 0% chance of an event occurring. .

risk can be good! Stop thinking of risk as bad. not a risk • Risks with negative consequences are called threats • Risks with positive consequences are called opportunities (Yes.What is a Risk? • If there is a 100% chance of an event occurring. this would be an issue. and start thinking of it in terms of probabilities!) .

Risk Event Graph .

Pure Risk (hazard)– risk with potential loss only – ex. reducing your schedule time. personal injury 2.Types of Risk Risks can be broken out into two primary types 1. a new server costs less (or more) than you budgeted for! . Fire. the tax rate changes. A highly skilled employee becomes available to work on your project. theft. Business Risk (speculative risk) – risk with potential loss or gain – ex.

Risk Management Process Opportunities Threats .

Project Risk Management Monitoring & Controlling Processes Planning Processes Enter phase/ Start project Initiating Processes Closing Processes Exit phase/ End project Executing Processes Knowledge Area Process Initiating Planning Plan Risk Management Identify Risk Perform Qualitative Risk Analysis Perform Quantitative Risk Analysis Plan Risk Response Executing Monitoring & Contol Closing Risk Monitor and Control Risks .

5 Overall Project Management Processes with Risk Management .


so why would you approach risk management that way? • Identify Risks – this is the phase where you attempt to identify most of your risks • Qualitative analysis – this is a subjective analysis of your risks that produces a risk ranking. You wouldn‟t start managing your project without a plan. usually in the order of high. Rankings are by agreement of your project team. sponsors and key stakeholders . or on an ordinal scale. medium. low.Risk Management Processes • Risk Planning – this is how you plan on conducting risk management.

Risk Management Processes • Quantitative Analysis – a numerical analysis of the probability and impact of the risk on your project • Plan Risk Response– a course of action you will take to deal with your risks should they go from risk to issue • Monitor & Control Risks – monitoring your lists (there are two lists which I will discuss later) of risks to enact a risk response plan. or to remove a risk because it is no longer a risk. to move a risk from one list to the other. .

• Risk Prone – Someone who is willing to take big risk • Risk tolerances: area of risk that are acceptable / unacceptable. cost. time.Terms & concepts • Uncertainty: a lack of knowledge about an event that reduces confidence • Risk averse: someone who does not want to take risks. • Risk thresholds: the point at which a risk become unacceptable • Risk Areas: Project Constraints (scope. etc) .

When in the project lifecycle the risk is likely to occur (the timing). The range of possible outcomes (impact) 3. * once the expected timeframe of the risk has passed and it is no longer a risk. How often the risk is expected to occur on the project (frequency) .Risk Factors 1. it can be removed from the risk list 4. The probability the risk will occur 2.

and to establish an agreed upon basis for evaluating risk.11. .1 Plan Risk Management • The process of defining how to conduct risk management activities for a project • Important to provide sufficient resources and time for risk management activities.


Plan Risk Management DFD. Figure 11-3 .

Plan Risk Management •How much time should we spend? •Who will be involved? •How should we perform risk management? .

Plan Risk Management: Tools & Techniques • Planning Meetings and Analysis – Project teams meet with stakeholders – High level plans for risk management are define in these meetings .

Plan Risk Management: Outputs • Methodology Defines the tools. support. and risk management team membership for each type of action in the risk management plan. • Role & Responsibility Defines the lead. . and data sources that may be used to perform risk management on the project. • Budgeting A budget for project risk management should be established and included in the risk management plan. approaches.

Plan Risk Management: Outputs
• Timing Defines how often the risk management activities will be performed throughout the project life cycle. • Risk categories Documentation such as risk breakdown structures (RBSes) or categories from previous projects will help identify and organize risks. • Definitions of risk Risks and their probabilities are probability & impact defined for use in Qualitative Risk Analysis using a scale of ―very Unlikely to ―almost certain.

Risk Breakdown Structure
• A risk breakdown structure (RBS) organizes potential sources of risk to the project. • Functioning much like a work breakdown structure, an RBS arranges categories into a hierarchy. • This approach allows the project team to define risk at very detailed levels.

Risk Breakdown Structure for a Software Development Project
Software Dev Project




Project Management

Competitors Suppliers Cash Flow

Hardware Software Network

Executive Support User Support Team Support

Estimates Communication Resources

RBS Example .

Risk Profile • A risk profile is a list of questions that address traditional areas of uncertainty on a project. . • These questions has been designed and developed from the experience of past projects.

Risk Profile Questions .


Probability Impact Matrix No 1 Category Resource Description of Risk Testing environment not available Documentation approval took longer time IMPACT 4 PROBA BILITY B RISK LEVEL ORANGE 2 Schedule 4 A RED .


• Reporting – Describes reports related to RM and how they will be used and what they will include. documentation regarding RM . That information should be taken into account to rank cost impacts higher than if the low tolerance was in another area. but uncovered in project initiating and clarified or refined continually. • Tracking – Auditing. Tolerances should not be implied.Risk Management Plan(Contd.) • Stakeholder tolerances – Stakeholders have a low risk tolerance than impact is high.

Q: “ An uncommon state of nature. An act of God B. Risk aversion . characterized by the absence of any information related to a desired outcome” . Uncertainty D. An amount at stake C. is a common definition for: A.


11. .2 Identify Risks • This is the phase where you work with your team to identify as many risks as possible.


Identify Risks: Things to remember
• Identify Risks can‟t be completed without the project scope statement and Work Breakdown Structure (WBS) • Identify Risks happens at the onset of the project and throughout the project • Risks can be identified at any time and during any phase of the project • Risk management is an iterative process, you should work to identify risk during any changes to the project, working with resources, and when dealing with issues

Question ?
• Who should be involved in Risk Identification?

can help identify risks. as well as lessons learned. to help uncover risks.Identify Risk: Tools & Tech • Documentation Reviews – including charter. and planning documentation. contracts. • Those involved in risk identification might look at this documentation. . and other documents. articles.

stakeholders. facilitator use questionnaire. Help reduce bias in the data and prevent influence each others. • Interviewing: interviewing experts.Identify Risk: tools & tech • Brainstorming: One idea generates another • Delphi technique: Expert participate anonymously. experienced PM • Root cause analysis: Reorganizing the identified risk by their root cause may help identify more risks . consensus may be reached in a few rounds.

inconsistency.Identify Risk: Tools & Tech • Checklist analysis: checklist developed based on accumulated historical information from previous similar project • Assumption analysis: identify risk from inaccuracy. instability. Weaknesses. incompleteness. Opportunities. • SWOT analysis – Strengths. Threats .

and the relationships among other project variables and their outcomes.Identify Risk: tools & tech • Influence diagrams – show the casual influences among project variables. the timing or time ordering of events. • Cause and Effect Diagrams • Flowcharts .


It includes: – List of risk – List of POTENTIAL responses – Root causes of risks – Updated risk categories .Output: Risk Register • Output is initial entries into the risk register.

Risk Register Example .

• Q: Risk tolerances are determined in order to help: A. Management know how other managers will act to the project . The team schedule the project D. The project manager estimate the project C. The team rank the project risks B.

11.2 Perform Qualitative Risk Analysis • This is the phase where you rank the risks you‟ve identified from Identify Risks to come up with a list of risks you will create plans for dealing with .



Perform Qualitative Risk Analysis • Things to remember – Perform Qualitative Risk Analysis is subjective – What is the probability of the risk occurring? High. low? 1-10? – What is the impact if the risk does occur? High. medium. medium. low? 1-10? .

medium. or low for your projects. • Risk Data Quality Assessment – What is the quality of the data used to determine or assess the risk? Think about the following – – – – Extent of the understanding of the risk Data available about the risk Quality of the data Reliability & Integrity of the data . This helps to make the risk rating process more repeatable between projects.Tools and Techniques of Qualitative Analysis • Probability & Impact Matrix – a matrix that creates a consistent evaluation of high.

Tools and Techniques of Qualitative Analysis • Risk Categorization – Which of your categories has more risk than others? Which of your work packages could be most affected by risk? • Risk Urgency Assessment – Which of your risks could occur soon. or require a longer planning time? Risk urgency assessment helps move these risks more quickly through the rest of the project management process .

Output: Risk Register Updates • Risk ranking for the project compared to other projects • List of prioritized risks and their probability and impact ratings • Risks grouped by categories • List of risks for additional analysis and response • Watchlist (non-critical risks) • Trends .

.Perform Quantitative Risk Analysis • A numerical analysis of the probability and impact of the risks with the highest risk rating score determined from qualitative analysis • Is a numerical evaluation (more objective) • This process may be skipped.



schedule. • Determine overall project risk (risk exposure).Perform Quantitative Risk Analysis Purpose of this process • Determine which risk events warrant a response. • Identify risks requiring the most attention. • Determine cost and schedule reserves. or scope targets. • Create realistic and achievable cost. • Determine the quantified probability of meeting project objectives. .

00) $ $ 10.00 $(48.00 $ 1.250).00) $ 9. what could the financial or time loss be to your project? • In the example below.00) Total . this means that you need to put aside $58.Tools and Techniques of Quantitative Analysis • EMV – Expected Monetary Value – What is the probability of the risk occurring multiplied by the impact if the risk does occur? If the risk occurs.00 30.00) $(58.750.000.000.500.250 in your risk reserve account for potential risks Risk A B C D Probability 20% 90% 5% 65% Impact $ ( $ (75.00 EMV $(20. this project has an EMV of ($58.250.000.

$ 40. $ 100.000 loss.Q: If a project has a 60% chance of a US $ 100.000 loss .000 profit D. the expected monetary value for the project is : A. $ 60.000 loss C.000 profit B.000 profit and a 40% chance of a US $ 100. $ 20.

Tools and Techniques of Quantitative Analysis • Decision Tree – used for planning on individual risks instead of planning for the whole project – Takes into account future events to make a decision today – Can calculate the EMV in more complex situations – Involves mutual exclusivity .


Use EMV to find which airline you should choose? . If you don‟t reach at time. it will cost you 100.000.Airline A has a 90% chance to reach at time and Airline B has a 60% chance to reach at time.

000 + (10% * 100.Decision tree /EMV example Airline A EMV: 10.000) = 48.000 .000) = 20.000 Airline B EMV: 8000 + (40%*100.

uniform or lognormal (learn these) . not the task – Determines the probability of completing the project on a specific day and for a specific cost – Takes into account path convergence (places in the network diagram where many paths converge into one activity) – Used to evaluate the impact to your schedule and budget – Due to the complicated mathematical computations used. – Determines the overall risk of the project. beta. Monte Carlo analysis is usually done with a computer program – Creates a probability distribution – triangular. normal.Tools and Techniques of Quantitative Analysis • Monte Carlo Analysis – A technique that uses simulation to show the probability of completing your project on time and within budget.

• They provide the positive and negative impact of each risk on the project and let you decide to choose which risk to take. .Sensitivity Analysis • To determine which risks have the most potential impact to the project • Changing one or more elements/variables and set other elements to its baseline then see the impact. • One typical display of sensitivity analysis is the tornado diagram • Tornado diagram is useful in analyzing risk taking scenarios.


Sample Sensitivity Analysis .


risk management is an iterative process. as you repeat the process you can track your overall project risk and determine the trend (if you are decreasing or increasing the level of risk on your project) .Outcome of Quantitative RA Risk Register Updates • Prioritized list of quantified risks • Amount needed for contingency reserves for time and cost • Confidence levels of completing the project on a certain date for a certain amount of money • The probability of delivering the project objectives • Trends .

Outcome of Quantitative RA: Examples • What are the risks that are most likely to cause trouble? To affect the critical path? That need the most contingency reserve? • “The project requires another 50.000 and two months of time to accommodate the risks on the project?” • “We are 95 percent confident that we can complete this project on May 25th for $989.000 budget.000 budget?” • “We only have a 75 percent chance of completing the project within the $800.” .

“What are we going to do now about each top risk?” .

Risk Response Planning • Eliminate the threats before they happen • Make sure opportunities happen • Decrease the probability and/or impact of threats • Increase the probability and/or impact of opportunities • For Residual Threats – Contingency Plans – Fallback Plans .



Risk Response Strategies Risk Opportunities Threats Exploit Accept Avoid Enhance Transfer Active Share Passive Mitigate Contingency Plan Fallback Plan Workaround .


Avoidance • Risk prevention • Changing the plan to eliminate a risk by avoiding the cause/source of risk • Protect project from impact of risk • Examples: – – – – Change the supplier / engineer Do it ourselves (do not subcontract) Reduce scope to avoid high risk deliverables Adopt a familiar technology or product .

More testing .Prototype – Redundancy planning – Use more qualified resources .Mitigation • Seeks to reduce the impact or probability of the risk event to an acceptable threshold • Be proactive: Take early actions to reduce impact/probability and don‟t wait until the risk hits your project • Examples: – Staging .

Transfer • Shift responsibility of risk consequence to another party • Does NOT eliminate risk • Most effective in dealing with financial exposure • Examples: – Buy/subcontract: move liabilities – Selecting type of Procurement contracts: Fixed Price – Insurance: liabilities + bonds + Warranties .


Enhance: Increase the probability and/or the positive impact of the opportunity • Ex: Adding more resources to finish early .Strategies for Opportunities Exploit: Ensure opportunity is realized • Ex: Assigning organization most talented resources to the project to reduce cost lower than originally planned.

special-purpose companies .Strategies for Opportunities Share: Allocating some or all of the ownership to third part best able to capture the opportunity • Ex: Joint ventures.

Acceptance (Both for Threats & opportunities) • Active Acceptance – Develop a contingency plan to execute if the risk occur – Contingency plan = be ready with Plan B – Fall back plan = plan C if B fails • Passive Acceptance – Deal with the risks as they occur = Workarounds – Usually for low ranked risks .

Risk Response Matrix Risk Event Response Contingency Plan Trigger Who is responsible Interface Problems System freezing User backlash Mitigate: Test Prototype Mitigate: Test Prototype Mitigate: Prototype demonstration Workaround until help comes Reinstall OS Increase staff support Not solved within 24 hours Asif Still frozen after 1 Khalid hour Cell from top management Equipment fails Javed Equipment malfunction Mitigate: Select Order reliable vendor replacement Transfer: Warranty Aleem .

Outputs of Risk Response Planning Updates to Risk Register • Residual Risks – risks that are left over after Plan Risk Response • Contingency Plans – plans of action in case the risk does occur • Risk Response Owners – the person on the team responsible for monitoring the risk. and implementing the strategy should the risk occur • Secondary Risks – new risks that result from the implementation of the contingency plans for the primary risks . risk triggers. developing a response strategy.

– Management reserves – these are estimated and made part of the project budget. Management approval is needed to use the management reserve.Outputs of Risk Response Planning Updates to Risk Register • Risk Triggers – early warning signs that there is a high probability the risk will occur • Fallback Plans – a secondary contingency plan. not the baseline. covers the residual risks. in case the contingency plan does not work or is not effective • Reserves – Contingency reserves . The contingency reserve is calculated and made part of the baseline.covers the cost for „known unknowns‟ discovered during risk management. .

Outputs of Risk Response Planning Project Management Plan Updates • Changes made due to risk management will be changes made to the project and should be updated in the project management plan .

Transference C.Q: Replacing a doubtful supplier with an expensive but reliable one is an example of: A. Acceptance D. Avoidance . Mitigation B.

B. Rework activities.Q: A Reserve is generally intended to be used for: A. C. Compensate for inaccurate project cost estimates. . Compensate for inaccurate project schedule estimates. D. Reducing the risk of missing the cost or schedule objectives.


Some important points: • What do you do with non-critical risks? • Would you choose only one risk response strategy? • What risk management activities are done during execution of the project? • What is the most important item to be discussed in project team meetings? • How would risk be addressed in project meetings? .

• Would you choose only one risk response strategy? – You may select a combination of strategies. . – Response of one risk might address another risk as well! • What risk management activities are done during execution of the project? – Watch-out risks on watch-list and looking for new risks.Some important points: • What do you do with non-critical risks? – Put them in a watch-list and revisit them periodically.

Some important points: • What is the most important item to be discussed in project team meetings? – Off course. Risk! • How would risk be addressed in project meetings? – Asking. what is the status of risks? Is their any new risk? Is the rank of any risk goes up and down? .


.Monitor and Control Risk • The process of – implementing risk response plans – tracking identified risks – monitoring residual risks – identifying new risks and – evaluating risk process effectiveness throughout the project – risk audit.



Inputs to Monitor & Control Risk • • • • Risk Management Plan Risk Register Approved Change Requests Work performance information – Deliverable status – Schedule progress – Costs incurred • Performance reports .

. • Risk audit – a team of experienced project team members reviews the risk management process and response strategies to see if you‟ve effectively identified the major risks on the project and developed effective strategies for dealing with them.Monitor & Control Risk: Tools • Workaround – a response to a risk that has occurred when no contingency plan exists.

Monitor & Control Risk: Tools • Risk Reassessment – Risk management is iterative. . you should review the risks on your project throughout the project to update their qualitative and quantitative values. This is a great opportunity to discuss with your team and stakeholders existing risks and new risks. • Status meetings – status meetings should be used to identify new risks or changes to existing risks.

. When that phase has passed and the risk is no longer probable.Monitor & Control Risk: Tools • Reserve analysis – has the reserve kept up with changes to the risk list? Does the reserve still cover the costs of these risks should they occur? • Closing of risks – Risks are expected to happen during a particular phase of the project. the risk should be removed from the risk list and any reserve associated should be freed up.

Outputs of Monitor & Control Risks • Updates to Risk Register – Outcomes of the risk reassessments and risk audits – Closing of risks that are no longer applicable – Details of what happened when risks occurred – Lessons learned .

Outputs of Monitor & Control Risks • Requested Changes • Recommended Corrective & Preventive Actions • Updates to the Project Management Plan • Organizational Process Assets Updates .

Practice Exam .

Answers .

Practice Exam .

Answers .

Practice Exam .

Answers .

Practice Exam .

Answers .

Practice Exam .

Answers .

Practice Exam .

Answers .

Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master Your Semester with a Special Offer from Scribd & The New York Times

Cancel anytime.