
What is Risk?

• The Effect of Uncertainty on Objectives (ISO 31000)
• May be a positive or negative “deviation” from expectation
• Objectives may exist for a range of aspects of a business (financial, operational, technological, reputational) and at multiple levels (strategic, enterprise-wide, project ...)
• Typically expressed in terms of likelihood and consequences of an event
  • Likelihood: “chance of something happening”
  • Objective or subjective, quantitative or qualitative.
  • Consequence: “the outcome of an event affecting objectives”
Threats vs. Risks:

• Threats: Immediate, well-defined challenges to survival (“clear & present dangers”). Treating a threat is not a price-sensitive activity – worry about the bill later.
• Risks: Less completely defined - essentially a categorisation scheme for all potential threats.
The Importance of Project Risk Management

• Project risk management is the art and science of identifying, assigning, and responding to risk throughout the life of a project and in the best interests of meeting project objectives
• Risk management is often overlooked on projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimates
What is Project Risk Management?

• The goal of project risk management is to minimize potential risks while maximizing potential opportunities. Major processes include:
  • Risk management planning: deciding how to approach and plan the risk management activities for the project
  • Risk identification: determining which risks are likely to affect a project and documenting their characteristics
  • Qualitative risk analysis: characterizing and analyzing risks and prioritizing their effects on project objectives
  • Quantitative risk analysis: measuring the probability and consequences of risks
  • Risk response planning: taking steps to enhance opportunities and reduce threats to meeting project objectives
  • Risk monitoring and control: monitoring known risks, identifying new risks, reducing risks, and evaluating the effectiveness of risk reduction
Risk Management Planning

• The main output of risk management planning is a risk management plan
• The project team should review project documents and understand the organization’s and the sponsor’s approach to risk
• The level of detail will vary with the needs of the project
Questions Addressed in a Risk Management Plan
Contingency and Fallback Plans, Contingency Reserves

• Contingency plans are predefined actions that the project team will take if an identified risk event occurs
• Fallback plans are developed for risks that have a high impact on meeting project objectives
• Contingency reserves or allowances are provisions held by the project sponsor that can be used to mitigate cost or schedule risk if changes in scope or quality occur
Risk Identification

• Risk identification is the process of understanding what potential unsatisfactory outcomes are associated with a particular project
• Several risk identification tools and techniques include:
  • Brainstorming
  • The Delphi technique
  • Interviewing
  • SWOT analysis
Potential Risk Conditions Associated With Each Knowledge Area

Knowledge Area     Risk Conditions
Integration        Inadequate planning; poor resource allocation; poor integration management; lack of post-project review
Scope              Poor definition of scope or work packages; incomplete definition of quality requirements; inadequate scope control
Time               Errors in estimating time or resource availability; poor allocation and management of float; early release of competitive products
Cost               Estimating errors; inadequate productivity, cost, change, or contingency control; poor maintenance, security, purchasing, etc.
Quality            Poor attitude toward quality; substandard design/materials/workmanship; inadequate quality assurance program
Human Resources    Poor conflict management; poor project organization and definition of responsibilities; absence of leadership
Communications     Carelessness in planning or communicating; lack of consultation with key stakeholders
Risk               Ignoring risk; unclear assignment of risk; poor insurance management
Procurement        Unenforceable conditions or contract clauses; adversarial relations
Some key related PM outcomes

• Project Management Plan
• Risk Management Plan that incorporates detailed risk registers, solutions, scenarios and options for improvement and/or closing out of risks
• Stakeholder Management Plan
• Communication and Engagement Strategy
• Governance Arrangements
Typical project execution plan

• Project definition and brief;
• Roles, responsibilities and authorities;
• Project cost plan and cost management procedures;
• Risk and sensitivity analysis;
• Program management;
• Contracting and procurement;
• Administrative systems and procedures;
• Safety and environmental issues, such as the construction design and management regulations;
• Quality assurance;
• Commissioning; and
• Post project evaluation
Risk Profile

• The risk profile is a description of the set of risks faced by an organization, business unit, project, process, or task of interest
• The risk profile is documented in a “risk register” or similar which specifies:
  • The nature of the risk
  • The likelihood
  • The consequence
  • The mitigation or controls in place (or to be put in place)
  • The risk owner
Risk: Taxonomy & Tools

• A Risk Taxonomy:
  • Reputational Risk
  • Credit Risk
  • Operational Risk
  • Market Risks
  • Technology Risk
• Tools & Perspectives:
  • Enterprise Risk Management
  • The Psychology of Risk
  • Risk Scenario Planning
  • Risk Measurement/Models
What is risk management

• Coordinated activities to direct and control an organization with regard to risk. (ISO 31000)
• The culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects (AS/NZS 4360:2004)
• “Companies must take risks if they are to survive and prosper. The risk management function’s primary responsibility is to understand the portfolio of risks that the company is currently taking and the risks it plans to take in the future. It must decide whether the risks are acceptable and, if they are not acceptable, what action should be taken.” (Hull 2012, “Risk Management and Financial Institutions”, p.1).
Managing Risk: Risk v Return

• The unavoidable trade-off: Expected returns vs Risk
• Evaluated in the context of a firm’s risk appetite (attitude)
• Accepting higher risk must be compensated with higher expected return.
• Expected return = Σ (probability x outcome)
• But Actual Return ≠ Expected Return
• Can win or lose bigger than expected!
• Where do the probabilities come from?
  • (Risk Modeling? Judgment?)
Risk vs. Return: A Simple Numerical Example

• You have $100,000 to invest for 1 year in either (a) or (b):
  • a) Treasury bills = Yielding 5% per annum, no risk
  • b) Stock = probability based return, risk
• Probabilistically the expected return is:
  • 0.05 x 0.50 + 0.25 x 0.30 + 0.40 x 0.10 + 0.25 x (-0.10) + 0.05 x (-0.30) = 0.10 or 10%
continuation

• By taking greater risk:
  • Your expected return increases from 5% to 10%.
  • At best you may make 50%, at worst you could lose 30%.
• But how do we come up with accurate probabilities?
• What about risks that can’t be quantified?
How Much Risk is Acceptable?

• Determined by the firm’s risk attitude or appetite
• Issue: an individual may not have the same attitude to risk as the firm!
• Where does a firm aim to be in terms of the risk/return trade-off?
The Role of Risk Management

• Risk management is the area that assists the business in determining whether the risk/return proposition meets the business requirements
• Risk management is an oversight role to help ensure that appropriate risk frameworks, including policies, procedures and governance, are in place for business decisions to occur
• Who “owns” the risk in a business?
• Who is accountable for the risks taken?
Establish the Context

• What is the business about?
  • Strategy/Objectives
• External:
  • PESTEL (Political, Social, Economic, Technological, Environmental, Legal)
  • Stakeholders and what they want
  • Exogenous influences on objectives
Continuation

• Internal:
  • Governance, Policies, Capabilities, Internal stakeholders
• Defining the Risk Framework:
  • Broadly how do we define & measure risk (likelihood, consequence, timeframes etc.)
  • What is acceptable/tolerable
  • Taxonomy of what risks we consider.
Risk Identification and Analysis

• Identification of Risks
  • What can happen, where and when?
  • Why and how it can happen?
  • Is it under our control?
  • Think of the risk without any controls in place.
  • Must be comprehensive:
    • e.g. risks of missed opportunity
continuation

• Analysis of Risks
  • Evaluate existing controls
    • Control: “measure that is modifying risk” (ISO 31000)
    • “process, policy, device, practice, or other actions which modify risk”
    • They don’t always work!
  • Consequences and likelihood
  • Types of analysis: Qualitative vs. Quantitative
Analysing Risks:

Qualitative Analysis: Uses words to describe the magnitude of and likelihood of potential consequences. Used for:
• Initial screening activity to identify risks requiring more analysis
• Where the nature of the risk is such that it cannot be quantified.
• Where the numerical data or resources are inadequate for a quantitative analysis.
Continuation

Quantitative Analysis: Uses numerical values, drawing on data from historical, internal and external sources
• Depends on the accuracy and comprehensiveness of the historical data and the validity of the models
• Consequences can be determined by modelling the outcomes of event(s), or by extrapolating from simulations or past data.
• Consequences may be expressed in terms of monetary, technical or human impact criteria
Analyse Risks – Consequence Scale
Example Only
Analyse Risks – Likelihood Scale
Analyse Risks – Level of Risk
Hierarchy for Risk Treatment
Residual Risk

• The “risk remaining after risk treatment” is known as residual risk. Why can’t we get rid of residual risk?
• Some aspects of risk can’t (feasibly) be controlled. Controls may fail.
• The decision to invest in a “treatment”/control is a challenging cost/benefit decision. Controls do not come for free. Rationally:
  • Control Costs < Expected Consequence of Risk.
  • But how much less?
• To make this assessment requires:
  • 1. Understanding the risk and its potential consequences
  • 2. Understanding controls: costs and effectiveness.
  • 3. Strategic choices in attitude to risk
  • 4. Ongoing monitoring to help ensure the judgments in (1) to (3) above are appropriate, or in need of revision.
Risk Response Planning

• After identifying and quantifying risks, you must decide how to respond to them
• Four main strategies:
  • Risk avoidance: eliminating a specific threat or risk, usually by eliminating its causes
  • Risk acceptance: accepting the consequences should a risk occur
  • Risk transference: shifting the consequence of a risk and responsibility for its management to a third party
  • Risk mitigation: reducing the impact of a risk event by reducing the probability of its occurrence
General Risk Mitigation Strategies for Technical, Cost, and Schedule Risks
