01 Project Risk Management PDF

P ROJECT R ISK M ANAGEMENT
February 2016 Hisham Haridy, PMP, PMI-RMP

Risk Management
Project Risk Management includes the processes of conducting risk management
planning, identification, analysis, response planning, and controlling risk on a
project.
Perform Perform
Plan Risk Identify Qualitative Quantitative Plan Risk Control
Management Risks Risk Risk Responses Risks
Analysis Analysis
Deciding how to Determining Prioritizing risks Numerically Developing Implementing risk
approach, plan, which risks might for subsequent analyzing the options and response plans,
and execute the affect the project further analysis effect on overall actions to tracking identified
risk management and documenting or action by project enhance risks, monitoring
activities for a their assessing and objectives of opportunities, residual risks,
project (Risk characteristics combining their identified risks and to reduce identifying new
management (Risk probability of (Risk Register threats to risks, and
Plan). Who? Register). At occurrence and Update), project evaluating risk
When? What? least 300 risk impact (Risk Watchlist. objectives. process
How? How much? should be Register effectiveness
P, I, PI matrix, identified. Update), throughout the
RBS. Risk Ranking, project.
tolerance. Watchlist.
PROJECT RISK MANAGEMENT February 2016

DEFINATIONS
Project Risk
Project risk in an uncertain event or condition that, if it occurs, has a positive or
negative effect on at least one of the project objectives (scope, schedule, budget,
quality)
Opportunity Threat
A project risk that has a positive A project risk that has a negative
effect is referred to as an effect is referred to as a threat.
opportunity. A project manager will proactively
A project manager will proactively manage threats to the project and
manage opportunities to the project look for ways to reduce the
and look for ways to exploit, probability or impact of the threat
enhance, or share the opportunity. (Mitigate) or eliminate the threat
all together (avoid) or transfer to
another party.

DEFINATIONS
Uncertainty
Uncertainty is a lack of knowledge about an event that reduces confidence in conclusions drawn
from the data.
The investigation of uncertainties may help identify risks.
Under certainty, the outcome can be predicted with a high degree of confidence.
In reality, most decisions are taken without complete information, and therefore give rise to some
degree of uncertainty in the outcome.
Known Risks Unknown Risks Issue
That have been identified and Unknown risks cannot be A negative project risk
analyzed, making it possible to managed proactively and that has occurred is
plan responses for those risks. therefore may be assigned considered an issue.
That cannot be managed a management reserve
proactively, should be assigned a

contingency reserve.

DEFINATIONS
Risk Factors
When looking at risk, one should determine:
The probability that it will occur (what)
The range of possible outcomes (impact or amount at stake)
Expected timing (when) in the project life cycle
The anticipated frequency of risk events from that source (how often).
Risk Attitude
Organizations perceive risk as the effect of uncertainty on projects and organizational objectives.
Organizations and stakeholders are willing to accept varying degrees of risk depending on their risk
attitude.
The risk attitudes of both the organization and the stakeholders may be influenced by a number
of factors, which are broadly classified into three themes:
1. Risk appetite
2. Risk tolerance
3. Risk threshold

DEFINATIONS
Risk Tolerance
Tolerances are the areas of risk that are acceptable or unacceptable OR which is the degree,
amount, or volume of risk that an organization or individual will withstand.
For example, "a risk that affects our reputation will not be tolerated”.
Tolerance areas can include any project constraints (such as scope, time, cost, quality, etc.), as
well as reputation and other intangibles that may affect the customer.
Three common classifications used for describing risk tolerance or risk profile are the risk averse
(or avoider), risk neutral, or risk seeker (or taker).
Averse/Avoider Neutral Seeker/Taker

DEFINATIONS
Risk Threshold
which refers to measures along the level of uncertainty or the level of impact at
which a stakeholder may have a specific interest.
A threshold is the point at which a risk becomes unacceptable.
Below that risk threshold, the organization will accept the risk.
Above that risk threshold, the organization will not tolerate the risk
For example, "If there is a delay, it can be no longer than two weeks.“

Project Life Cycle and Risk

Plan Risk Management
“The process of defining how to conduct risk management activities for a project”
Inputs Tools and Techniques Outputs

1. Project management plan. 1. Analytical techniques 1. Risk management plan
2. Project Charter 2. Expert judgment
3. Stakeholder register 3. Meetings
4. Enterprise environmental
factors
5. Organizational process
assets
The risk management plan is vital to communicate with and obtain

agreement and support from all stakeholders to ensure the risk
management process is supported and performed effectively over the
project life cycle.

INPUTS
1. Project management plan
All approved subsidiary management plans and baselines should be taken into
consideration in order to make the risk management plan consistent with them.
The project management plan provides baseline or current state of risk-affected
areas including scope, schedule, and cost.
2. Project charter
The project charter can provide various inputs such as high-level risks, high-level
project descriptions, and high-level requirements
3. Stakeholder register
The stakeholder register, which contains all details related to the project’s
stakeholders, provides an overview of their roles.

INPUTS
4. Enterprise environmental factors
Risk attitudes, thresholds, and tolerances that describe the degree of risk that
an organization will withstand.
5. Organizational process assets
Risk categories,
Common definitions of concepts and terms,
Risk statement formats,
Standard templates,
Roles and responsibilities,
Authority levels for decision making, and
Lessons learned.
TOOLS AND TECHNIQUES
1. Analytical Techniques
Analytical techniques are used to understand and define the overall risk management
context of the project.
Risk management context is a combination of stakeholder risk attitudes and the
strategic risk exposure of a given project based on the overall project context.
A stakeholder risk profile analysis may be

performed to grade and qualify the project
stakeholder risk appetite and tolerance.
the use of strategic risk scoring sheets, are used

to provide a high-level assessment of the risk
exposure of the project based on the overall
project context.

2. Expert Judgment
To ensure a comprehensive establishment of the risk management plan, judgment,

and expertise should be considered from groups or individuals with specialized
training or knowledge on the subject area, such as:
Senior management,
Project stakeholders,
Project managers who have worked on projects in the same area (directly or
through lessons learned),
Subject matter experts (SMEs) in business or project area,
Industry groups and consultants, and
Professional and technical associations.

3. Meetings
Project teams hold planning meetings to develop the risk management plan.
Attendees at these meetings may include the project manager, selected project
team members and stakeholders, anyone in the organization with responsibility to
manage the risk planning and execution activities, and others, as needed.
High-level plans for conducting the risk management activities are defined in these
meetings.
Risk management cost elements and schedule activities will be developed for
inclusion in the project budget and schedule, respectively.

Risk contingency reserve application approaches may be established or reviewed.
Risk management responsibilities will be assigned.
General organizational templates for risk categories and definitions of terms such as
levels of risk, probability by type of risk, impact by type of objectives, and the
probability and impact matrix will be tailored to the specific project.
If templates for other steps in the process do not exist they may be generated in
these meetings.
The outputs of these activities will be
summarized in the risk management
plan.

OUTPUTS
1. Risk management plan
Methodology
Roles and responsibilities
Budgeting
Timing
Risk categories: Provides a structure that ensures a comprehensive process of
systematically identifying risks to a consistent level of detail and contributes to the
effectiveness and quality of the Identify Risks process.
An organization can use a previously prepared categorization framework which might
take the form of a simple list of categories or might be structured into a Risk
Breakdown Structure (RBS).
The RBS is a hierarchically organized depiction of the identified project risks
arranged by risk category and subcategory that identifies the various areas and
causes of potential risks.

OUTPUTS
Example of Risk Breakdown Structure (RBS)
A risk breakdown structure (RBS) helps the project team to look at many sources from which
project risk may arise in a risk identification exercise.

OUTPUTS
Definitions of probability and impact: General definitions of probability levels
and impact levels are tailored to the individual project during the Plan Risk
Management process for use in subsequent processes.
Probability and impact matrix: A probability and impact matrix is a grid for
mapping the probability of each risk occurrence and its impact on project objectives if
that risk occurs.
Risks are prioritized according to their potential implications for having an effect on
the project’s objectives. A typical approach to prioritizing risks is to use a look-up
table or a probability and impact matrix.
Revised stakeholder tolerances
Reporting formats
Tracking: Documents how risk activities will be recorded for the benefit of the
current project, as well as for future needs and lessons learned, as well as whether
and how risk management processes will be audited.

Example (Risk Management Plan)
Project Duration: 36 M
Project Budget: 175 M$
3 5
1 2 4
Who What When How How much ($)
Hisham Identify 4W Brain Storming, Delphi 4000
Ahmed Qualitative 6W Risk Ranking 6000
Aly Response plan 2W Strategies 2000
6 Risk Tolerance : Risk Averse

9
Scale Probability 8Scale Impact (for an
Risk Matrix
7 objective)
Scale Rang Scale Rang

VL < 20 VL < 10
L 20-40 L 10-20
M 40-60 M 20-30
H 60-80 H 30-60
VH >80 VH >60

Identify Risks
“The process of determining which risks may affect the project and documenting their
characteristics”
Inputs Tools and Techniques Outputs
1. Risk management plan 1. Documentation reviews 1. Risk register
2. Cost management plan 2. Information gathering techniques
3. Schedule management plan 3. Checklist analysis
4. Quality management plan
4. Assumptions analysis
5. Human resource management plan
5. Diagramming techniques
6. Scope baseline
6. SWOT analysis
7. Activity cost estimates
7. Expert judgment
8. Activity duration estimates
10. Project documents
11. Procurement documents
12. Enterprise environmental Factors
13. Organizational process assets.
The key benefit of this process is the documentation of existing risks and the knowledge and
ability it provides to the project team to anticipate events.

INPUTS
1. Risk Management Plan
The assignments of roles and responsibilities, provision for risk management

activities in the budget and schedule, and categories of risk (RBS).
2. Cost Management Plan
The cost management plan provides processes and controls that can be used to help
identify risks across the project.
3. Schedule Management Plan
The schedule management plan provides insight to project time/schedule objectives

and expectations which may be impacted by risks (known and unknown).
4. Quality Management Plan
The quality management plan provides a baseline of quality measures and metrics
for use in identifying risks.
INPUTS
5. Human Resource Management Plan
The human resource management plan provides guidance on how project human
resources should be defined, staffed, managed, and eventually released.
It can also contain roles and responsibilities, project organization charts, and the
staffing management plan, which form a key input to identify risk process.
6. Scope baseline
Uncertainty in project assumptions should be evaluated as potential causes of

project risk.
The WBS is a critical input to identifying risks.
7. Activity cost estimates
It provides a quantitative assessment of the likely cost to complete scheduled

activities and ideally are expressed as a range, with the width of the range indicating
the degree(s) of risk.

INPUTS
8. Activity duration estimates
The time allowances for the activities or project as a whole, again with the width of
the range of such estimates indicating the relative degree(s) of risk .
Information about the stakeholders will be useful in soliciting inputs for identifying
risks as this will ensure that key stakeholders, especially the customer, are
interviewed or otherwise participate during the “Identify Risks” process
10. Project documents
Assumptions log,
Work performance reports,
Earned value reports,
Network diagrams,
Baselines, and
Other project information proven to be valuable in identifying risks.
INPUTS
11. Procurement Documents
If the project requires external procurement of resources, procurement documents
become a key input to the Identify Risks process.
The complexity and the level of detail of the procurement documents should be
consistent with the value of, and risks associated with, planned procurement.
12. Enterprise Environmental Factors
Published information, including commercial databases,
Academic studies,
Published checklists,
Benchmarking,
Industry studies, and
Risk attitudes.
13. Organizational Process Assets.
Project files, including actual data,
Organizational and project process controls,
Risk statement templates, and
Lessons learned.
1. Documentation reviews
A structured review may be performed of project documentation, including plans,
assumptions, previous project files, contracts and other information.
The quality of the plans, as well as consistency between those plans and the project
requirements and assumptions, can be indicators of risk in the project.

2. Information Gathering Techniques
Brainstorming
The goal of brainstorming is to obtain a
comprehensible list of project risks.
This is a common technique for risk information
gathering.
A meeting where one idea helps generate another.
It can generate a large number of risks quickly.
One idea will bounce off another.
Post-Mortem
A discussion of
Pre-Mortem an event after it
Like brainstorming session (meeting to come up ideas). has happened,
The assembled group is asked to imagine that the project is especially of what
completed or has been terminated. was wrong with it or
The group is then asked to describe why the project why it failed
failed/success.

Affinity Diagram
This technique allows large numbers of ideas to be sorted into
groups for review and analysis.
It is a way to reach a consensus of experts on a subject.
It helps to expose crucial relationships and patterns in data
that may not be initially apparent.
Nominal group technique

Used when you need a technique to gain a group’s opinion
(group thinking), rather than individual opinions.
This technique enhances brainstorming with a voting process
used to rank the most useful ideas for further brainstorming
or for prioritization.

Delphi Technique
A selected group of experts answers
questionnaires and provides feedback.
Expert Judgment approach.
It is a way to reach a consensus of experts on
a subject.
It involves the following:
– Questionnaire to solicit ideas from the experts.
– Responses are submitted anonymously,
compiled, and then circulated to the experts
for review.
A consensus may be reached in a few rounds.
The Delphi technique helps reduce bias in the data and keeps any one person
from having undue influence on the outcome
Interviewing:
Interviewing experienced project team members, stakeholders, and subject matter
experts (SMEs) can identify risks.
Interviews are another common source of risk identification data gathering.
They are NOT informal discussion.
They need to be planned, organized, and
controlled during delivery in order to be
most effective.
Gain the expert’s support for the project.
Expert interviews take time.

Root Cause Analysis:
Root-cause analysis is a specific technique used to identify a problem, discover the
underlying causes that lead to it, and develop preventive action.
This is a method used to further define the risk event.
Risks should be a specific, but often
the risks that are identified are
general and need more analysis to
determine what the real problem is.

3. Checklist Analysis
Risk identification checklists can be developed based on historical information
and knowledge that has been accumulated from previous similar projects and from
other sources of information.
The lowest level of the RBS can also be used as a risk checklist.
It is a list of risk categories (prompt list)
The team should make sure to explore items that do not
appear on the checklist.
The checklist should be reviewed during project closure to
incorporate new lessons learned and improve it for use on
future projects.

4. Assumptions Analysis
Every project is developed based on a set of hypotheses, scenarios, or assumptions.
Analyzing and exploring the validity of the assumptions can help identify risks due to
inaccuracy, inconsistency, or incompleteness.
5. Diagramming Techniques
Risk diagramming methods can be used to help in risk identification and risk trigger
identification such as;

Cause and effect diagrams:
These are also known as Ishikawa or fishbone diagrams and are useful for
identifying causes of risks.
Hypotheses: “an idea or explanation for something that is based on known facts but has not yet been proved”,

System or process flow charts:
These show how various elements of a system interrelate and the mechanism of
causation.
Influence diagrams:
These are graphical representations of situations showing causal influences,
time ordering of events, and other relationships among variables and
outcomes.

Cause and Effect Diagram Example

Process Flow Chart Example

Influence Diagram Example

6. SWOT analysis
Strengths, weaknesses, opportunities, and threats
(SWOT) technique ensures examination of the project
from each of the SWOT perspectives.
This increases the breadth of considered risks.
7. Expert judgment
Risks can be identified directly by experts with relevant experience of similar projects
or business areas.
Such experts should be identified by the project manager and invited to consider all
aspects of the project and suggest possible risks based on their previous experience
and areas of expertise.
The experts’ bias should be taken into account in this process.

OUTPUTS
1. Risk Register
The outputs from risk identification are typically contained as initial entries into a
document called a risk register.
A template of the risk register can be downloaded from the Project Management
On-Line Guide.
The risk identification part of the template identifies:
Status: Whether a risk is an active risk, a dormant risk, or a retired risk.
ID#: The identification for the risk.
Date Identified & Project Phase: When a risk was identified and what project
phase (preconstruction or construction) the risk was identified in.
Dormant: Something that is dormant is not active or growing but has the ability to be active at a later time:

OUTPUTS
Functional Assignment: The capital delivery functions (planning, design,
environmental, construction, etc.) which are impacted by the risk.
Risk Event: What the risk event is to the project with detailed description using
the SMART technique (Specific, Measurable, Achievable, Realistic, and Time
sensitive)
Risk Trigger: warning signs that indicate the risk is likely to occur or imminent
that used to determine when response strategies will be implemented.
Once the risk has been identified, the project team can conduct further analysis
(qualitative and quantitative) on the risk event.
Imminent; Coming or likely to happen very soon

OUTPUTS
Example of Risk Register

Perform Qualitative Risk Analysis
“The process of prioritizing risks for further analysis or action by assessing and
combining their probability of occurrence and impact”
Tools and
Inputs Outputs
Techniques
1. Risk management plan 1. Risk probability and impact 1. Project documents updates
2. Scope baseline assessment
3. Risk register 2. Probability and impact
4. Enterprise environmental matrix
factors 3. Risk data quality assessment
5. Organizational process 4. Risk categorization
assets 5. Risk urgency assessment
6. Expert judgment
The key benefit of this process is that it enables project managers to reduce the level of uncertainty
and to focus on high-priority risks
INPUTS
Key elements used; roles and responsibilities for conducting risk management,
budgets, schedule activities for risk management, risk categories, definitions of
probability and impact, the probability and impact matrix, and revised stakeholders’ risk
tolerances.
2. Scope Baseline
Projects of a common or recurrent type tend to have more well-understood risks.
Projects using state-of-the-art or first-of-its-kind technology, and highly complex
projects, tend to have more uncertainty.
This can be evaluated by examining the scope baseline.

INPUTS
3. Risk Register
The risk register contains the information that will be used to assess and prioritize
risks.
Industry studies of similar projects by risk specialists, and
Risk databases that may be available from industry or proprietary sources.
5. Organizational Process Assets
The organizational process assets that can influence the Perform Qualitative Risk
Analysis process include information on prior, similar completed projects.

1. Risk Probability and Impact Assessment
Risk probability assessment investigates the likelihood that each specific risk will
occur.
The probability of an event is defined, for risk management purposes, as the
probability of that event occurring in the absence of any actions to forestall it.
Risk impact (consequence) assessment investigates the potential effect on a
project objective such as schedule, cost, quality, or performance, including both
negative effects for threats and positive effects for opportunities.
It is important that all those who are evaluating the risks use a standard
interpretation for risk assessment of probability and impact, in order to achieve
consistent evaluation of risk across multiple projects.
If risk scales are NOT already standardized in your organization, you must decided
which scales to use to determine probability and impact qualitatively.
2. Probability and Impact Matrix (PIM)
Risks can be prioritized for further quantitative analysis and response, based on their
risk rating/ranking.
Rankings are assigned to risks based on their assessed probability and impact
ratings
Risk score helps put the risk into a category that will guide risk response actions.
Risk score = Probability X Impact
Evaluation of each risk’s importance and, hence, priority for attention is typically
conducted using a look-up table or a probability and impact matrix.
P-I matrix can be based on ordinal (very low, low, medium, high, and very high ) or
cardinal (.1/ .3/ .5/ .7/ .9 or 1/ 2/ 3/ 4/ 5) scales.
Risk score helps put the risk into a category that will guide risk response actions.

The organization should determine which combinations of probability and impact
result in a classification of high risk “red condition”, moderate risk “yellow condition”,
and low risk “green condition”.
For consistency with other risk assessment terms, a 1-5 scale for probability is used.
Project Risk Threshold is the

total amount of risk acceptable on the
project and usually takes the form of
maximum project risk score on
predetermined scale (e.g., a risk
score of no more than 50 on a scale
of 1 to 80).
Project Risk Score = ∑ risks score/ no. of risks.

3. Risk Data Quality Assessment
A qualitative risk analysis requires accurate and unbiased data if it is to be credible.
Analysis of the quality of risk data is a technique to evaluate the degree to which the
data about risks is useful for risk management.
It involves examining the degree to which the risk is understood and the accuracy,
quality, reliability, and integrity of the data about the risk.
The use of low-quality risk data may lead to a qualitative risk analysis of little use to
the project.
If data quality is unacceptable, it may be necessary to gather better data.
Often, collection of information about risks is difficult, and consumes time and resources
beyond that originally planned.

Sometimes it is difficult for people who are evaluating risks to be objective due to
BIAS.
Motivational Bias Cognitive Bias
People may attempt to bias the People evaluation may be biased

results in one direction or due to difference in perception.
another.
Having a description for 1 to 10 for example in the matrix will help eliminate some of
theses biases.

4. Risk Categorization
Risks to the project can be categorized by:
Sources of risk (using RBS).
The area of the project affected (using WBS).
Other useful category (project phase).
To determine areas of the project most exposed to the effects of uncertainty.
Grouping risks by common root causes can lead to developing effective risk
responses.
5. Risk Urgency Assessment
Risks requiring near-term responses may be considered more urgent to address.
Indicators of priority can include time to affect a risk response, symptoms and
warning signs, and the risk rating.
6. Expert Judgment
Assess the probability and impact of each risk to determine its location in the matrix.

OUTPUTS
1. Project Documents Updates
Risk register updates
Relative ranking or priority list of project risks.
Risks grouped by categories.
Causes of risk or project areas requiring particular attention.
List of risks requiring response in the near-term: Those risks that require an
urgent response and those that can be handled at a later date may be put into
different groups.
List of risks for additional analysis and response: Some risks might warrant more
analysis, including Quantitative Risk Analysis, as well as response action.
Watchlists of low-priority risks;
Risks that are NOT assessed as important in the Perform Qualitative Risk
Analysis process can be placed on a watchlist for continued monitoring.
Trends in qualitative risk analysis results.

OUTPUTS
Assumption log updates

Relative ranking or priority list of project risks.
The assumptions log needs to be revisited to accommodate this new information.
Assumptions may be incorporated into the project scope statement or in a separate
assumptions log.
The specific objectives of perform Qualitative Risk Analysis are to:

1. Subjectively evaluate the probability and impact of each risk.
2. Create a short list of risks by determining the top or critical risks that you
will quantify further and/or address in Plan Risk Responses process.
3. Assess the quality and reliability of the information you are working with.
4. Make a go/no-go decision.

Perform Quantitative Risk Analysis
“The process of numerically analyzing the effect of identified risks on overall

project objectives”
Tools and
Inputs Outputs
Techniques
1. Risk management plan 1. Data gathering and 1. Project documents updates
2. Cost management plan representation techniques
3. Schedule management plan 2. Quantitative risk analysis
4. Risk register and modeling techniques
5. Enterprise environmental 3. Expert judgment
factors
6. Organizational process
assets
The key benefit of this process is that it produces quantitative risk information to support
decision making in order to reduce project uncertainty.
INPUTS
Provides guidelines, methods, and tools to be used in quantitative risk analysis.
2. Cost Management Plan
Provides guidelines on establishing and managing risk reserves.
3. Schedule Management Plan
Provides guidelines on establishing and managing risk reserves.
4. Risk Register
Used as a reference point for performing quantitative risk analysis.
Industry studies of similar projects by risk specialists, and
Risk databases that may be available from industry or proprietary sources.
6. Organizational Process Assets
Information on prior, similar completed projects.

1. Data Gathering and Representation Techniques
Interviewing:
Draw on experience and historical data to quantify the probability and impact of
risks on project objectives.
The information needed depends upon the type of probability distributions that
will be used.
For instance, information would be gathered on the optimistic (low), pessimistic

(high), and most likely scenarios for some commonly used distributions.
Documenting the rationale of the risk ranges and the assumptions behind them
are important components of the risk interview because they can provide insight
on the reliability and credibility of the analysis.

Probability: The likelihood that a risk, or an event, will occur.
Probability = 0-1
Probability distributions:
Continuous probability distributions, used extensively in modeling and
simulation represent the uncertainty in values such as durations of schedule
activities and costs of project components.
Probability distribution are used to plot range of cost and schedule associated with
a risk.
This data can also be built from the three-point technique you use while
interviewing people, and try to get a range of cost and schedule that is possible if
a risk is materialized.
Once this data is collected you can draw one of the shape distribution graphs.
Commonly used ones are beta distribution that uses two value parameters
(alpha and beta), and triangular distribution which uses three parameters
(most-likely, best-case, worst-case).
Cost and time values are represented on x-axis and probability values on y-axis.

Continuous Distribution Discrete Distribution
Includes the probabilities of a full range of possible Includes the probabilities of a fixed number
outcomes. of outcomes (based on a whole number).
Typically used for cost, time and quality metrics. Used to show uncertain events where the
Show uncertainty in values. probability of occurrence can be calculated.
Values are infinitely divisible (time, mass, distance). May NOT have a probability of ZERO.
May have a probability of ZERO. Used to represent possible scenarios in a
Frequently use for modeling and simulation. decision tree, result of a prototype, and
Usually represented as a curve. result of tests.
There are five different types of Continuous For example, represented in a bar chart e.g.
Distribution: assessing the probability of a task - like the
1. Normal Distribution (standard deviations) installation of plumbing - taking from four to
2. Uniform Distribution (values equally probable, nine days to complete.
scenarios where no obvious)
3. Beta Distribution
4. Triangular Distribution (three-point estimates)
5. Lognormal distribution (standard deviations,
random values)

2. Quantitative Risk Analysis and Modeling Techniques
Sensitivity analysis:
Sensitivity analysis helps to determine which risks have the most potential impact
on the project.
It examines the extent to which the uncertainty of each project element affects
the objective being examined when all other uncertain elements are held at their
baseline values.
Tornado diagram is the most useful way to represent the results of a Sensitivity
Analysis.
A tornado diagram in which a bar represents
each risk and the range of the impact it could
have, from negative to positive impact.
The length of each bar represents the relative
impact of each risk - the bars are ordered in
sequence from greatest impact to least.

Expected monetary value analysis:
Expected monetary value (EMV) analysis is a statistical concept that calculates the
average outcome when the future includes scenarios that may or may not
happen.
The EMV of opportunities will generally be expressed as positive values, while
those of threats will be negative.
EMV is calculated by multiplying the value of each possible outcome by its
probability of occurrence, and adding them together.

Decision tree analysis
Decision tree analysis is usually structured using a decision tree diagram that
describes a situation under consideration, and the implications of each of the
available choices and possible scenarios.
Solving the decision tree

provides the Expected Monetary
Value for each alternative, when
all the rewards and subsequent
decisions are quantified.
The decision tree analysis
technique for making decisions in
the presence of uncertainty can
be applied to many different
project management situations


Modeling and simulation
A project simulation uses a model that translates the uncertainties specified at a
detailed level of the project into their potential impact on project objectives.
Simulations are typically performed using the Monte Carlo technique.
The Monte Carlo process, as applied to risk management,
• Create a series of Date: 7/11/2004 2:24:06 PM Completion Std Deviation: 8.36 d

Samples: 1000 95% Confidence Interval: 0.52 d
probability distributions for Unique ID: 1 Each bar represents 3 d
Name: Project
potential risk items.
0.16 1.0 Completion Probability Table
• Randomly sample these 0.14
0.9
Cum ulative Probability

Prob Date Prob Date
0.8
distributions. 0.12
0.7
0.05 2/10 0.55 3/2
0.10 2/15 0.60 3/3
F requency
0.10
• Transform these numbers 0.6 0.15 2/17 0.65 3/4
0.08 0.5 0.20 2/18 0.70 3/7
into useful information that 0.4 0.25 2/22 0.75 3/9
0.06
0.3 0.30 2/23 0.80 3/11
reflects quantification of 0.04 0.35 2/24 0.85 3/14
0.2
0.02
0.40 2/25 0.90 3/17
the potential risks of a real- 0.1 0.45 2/28 0.95 3/21
0.50 3/1 1.00 4/5
world situation. 1/31 3/1 4/5
Completion Date

Monte Carlo technique

1. It usually done with a computer-based program.
2. Evaluates the overall risk in the project.
3. Determines the probability of completing the project on any specific day, or for any specific
cost.
4. Determines the probability of any activity actually being on the critical path.
5. Takes into account path convergence.
6. Translates uncertainties into impacts to the total project.
7. Can be used to assess cost and schedule impacts.
8. Results in a probability distribution.
3. Expert Judgment
This is used to analyze and prepare input data to be used for the tools that does
modeling and simulation.

Quantitative Risk Analysis and Modeling Techniques:
1. Sensitivity Analysis: Determines which risks have the most potential impact on
the project.
2. Expected Monetary Value Analysis (EMV): multiplying the value of each
outcome by the probability of its occurrence.
3. Decision Tree Analysis: Incorporates probabilities of risks and costs or rewards
of each logical path.
4. Modeling & Simulation: Translates how uncertainties specified in a detailed level
of the project may affect its objectives.

OUTPUTS
1. Project Documents updates
The risk register updates from Perform Quantitative Risk Analysis include:
Probabilistic analysis of the project.
Probability of achieving cost and time objectives.
Prioritized list of quantified risks.
• Those that pose greater threats come at the top.
• Risks with big buffers most likely influences the critical path.
Trends in quantitative risk analysis results: showing conclusions that make affect
risk response.

OUTPUTS

Plan Risk Responses
“The process of developing options and actions to enhance opportunities
and to reduce threats to project objectives.
Tools and
Inputs Outputs
Techniques
1. Risk management plan 1. Strategies for negative risks 1. Project management plan
2. Risk register or threats updates
2. Strategies for positive risks 2. Project document updates
or opportunities
3. Contingent response
strategies
4. Expert judgment
The key benefit of this process is that it addresses the risks by their priority, inserting resources
and activities into the budget, schedule and project management plan as needed.

INPUTS
Important components of the risk management plan include roles and
responsibilities, risk analysis definitions, timing for reviews (and for eliminating risks
from review) and risk thresholds for low, moderate, and high risks.
Risk thresholds help identify those risks for which specific responses are needed.
2. Risk Register
The risk register refers to identified risks, root causes of risks, lists of potential
responses, risk owners, symptoms and warning signs, the relative rating or priority
list of project risks, a list of risks requiring response in the near term, a list of risks
for additional analysis and response, trends in qualitative analysis results, and a
watchlist of low-priority risks.

1. Strategies for negative risks or threats
Avoidance or Eliminate
Risk avoidance involves changing a project objective to eliminate the threat
posed by the risk event.
It usually involves changing the project management plan to eliminate the
threat entirely.
The project manager may also isolate the project objectives from the risk’s
impact or change the objective that is in jeopardy.
Examples of this include extending the schedule, changing the strategy, or
reducing scope.
The most radical avoidance strategy is to shut down the project entirely.
Some risks that arise early in the project can be avoided by clarifying
requirements, obtaining information, improving communication, or acquiring
expertise.

Transference or Deflect
Risk transference requires shifting the negative impact of a threat, along with
the ownership of the response, to a third party.
Transferring the risk DOES NOT eliminate the risk.
Transferring liability for a risk is most effective in dealing with financial risk
exposure.
Risk transference nearly always involves payment of a risk premium to the party
taking on the risk.
Some examples of risk transference are insurance, performance bonds,
warranties, guarantees, etc.
The best response strategy for fire or theft.

Mitigation
Risk mitigation implies a reduction in the probability and/or impact of a threat
posed by the risk event to an acceptable threshold.
Taking early action to reduce the probability and/or impact of a risk event
occurring on a project is often more effective than trying to repair the damage
after the risk has occurred.
Adopting less complex processes, conducting more tests, or choosing a
more stable supplier are examples of mitigation actions.
Mitigation may require prototype development to reduce the risk of scaling up
from a bench-scale model of a process or product

Acceptance
This strategy is adopted because it is seldom possible to eliminate all risk from a
project.
This strategy is used when the project team has decided not to change the
project management plan to address or deal with the identified risk event, or the
project team is unable to identify any other suitable response strategy.
Acceptance is a risk response strategy used for both threats and opportunities.
This strategy can be either passive or active.
Passive Acceptance Active Acceptance
Requires no action except to document the strategy. To establish a contingency reserve,

Leaving the project team to deal with the risks as they including amounts of time, money, or
occur. resources to handle the risks.
To periodically review the threat to ensure that it
does not change significantly.


2. Strategies for positive risks or opportunities
Exploit
This strategy may be selected for risks with positive impacts where the
organization wishes to ensure that the opportunity is realized.
This strategy seeks to eliminate the uncertainty associated with an opportunity
by making sure it happens.
Examples of directly exploiting responses include

assigning an organization’s most talented
resources to the project to reduce the time to
completion or using new technologies or
technology upgrades to reduce cost and duration
required to realize project objectives.

Share
Sharing a positive risk involves allocating ownership
to a third party who is best able to capture the
opportunity for the project.
One example of a share risk strategy is forming of
partnerships or joint ventures.
Enhance
This strategy, similar to mitigation, increased the
probability and/or positive impacts of an opportunity.
Identifying and maximizing key drivers of these
positive-impact risks may increase the probability of
their occurrence.
Examples of enhancing opportunities include adding
more resources / crashing to an activity to finish early.

Accept
Accepting an opportunity is being willing to take advantage of the opportunity if
it arises, but not actively pursuing it.

3. Contingent response strategies
Contingency reserve is not a risk response strategy; it is an output of risk planning.
When a project team chooses to actively accept a project risk event, a

contingency reserve is established.
This is the amount of funds or budget needed above the estimate to reduce the risk
of overruns of project objectives to a level acceptable to the organization (within/
below threshold limit).
4. Expert judgment
Expert judgment is input from knowledgeable parties pertaining to the actions to be

taken on a specific and defined risk.
Expertise may be provided by any group or person with specialized education,

knowledge, skill, experience, or training in establishing risk responses.

OUTPUTS
1. Project Management Plan Updates
Schedule management plan: This may include changes in tolerance or behavior related to
resource loading and leveling, as well as updates to the schedule strategy.
Cost management plan: This may include changes in tolerance or behavior related to cost
accounting, tracking, and reports, as well as updates to the budget strategy and how
contingency reserves are consumed.
Quality management plan: This may include changes in tolerance or behavior related to
requirements, quality assurance, or quality control, as well as updates to the requirements
documentation.
Procurement management plan: The procurement management plan may be updated to

reflect changes in strategy, such as alterations in the make-or-buy decision or contract type(s)
driven by the risk responses.

OUTPUTS
Human resource management plan: The staffing management plan, part of the human
resource management plan, is updated to reflect changes in project organizational structure and
resource applications driven by the risk responses. This may include changes in tolerance or
behavior related to staff allocation, as well as updates to the resource loading.
Scope baseline: Because of new, modified or omitted work generated by the risk responses,
the scope baseline may be updated to reflect those changes.
Schedule baseline: Because of new work (or omitted work) generated by the risk responses,
the schedule baseline may be updated to reflect those changes.
Cost baseline: Because of new work (or omitted work) generated by the risk responses, the
cost baseline may be updated to reflect those changes.

OUTPUTS
2. Project Document Updates
Updates to the risk register
Risk owners and assigned responsibilities;
Agreed-upon response strategies;
Specific actions to implement the chosen response strategy;
Trigger conditions, symptoms, and warning signs of a risk occurrence;
Budget and schedule activities required to implement the chosen responses;
Contingency plans and triggers that call for their execution;
Fallback plans for use as a reaction to a risk that has occurred and the primary response
proves to be inadequate;
Residual risks that are expected to remain after planned responses have been taken, as
well as those that have been deliberately accepted;
Secondary risks that arise as a direct outcome of implementing a risk response; and
Contingency reserves that are calculated based on the quantitative risk analysis of the
project and the organization’s risk thresholds.

OUTPUTS
Risk triggers;
Trigger conditions, symptoms, and warning signs of a risk occurrence;
These are events that trigger the contingency response.
A project manager should identify the early warning signs (indirect
manifestations of actual risk events) for each risk on a project so that he or she
will know when to take action.
A risk may have one or more causes, and if the event occurs, one or more
impacts.
Identifying the causes of risk events help define the risk trigger.
A risk trigger indicates that a risk event in imminent.
Occurs, one or more impacts.
Risk response owners;
Each risk must be assigned to someone who may help develop the risk
response and who will be assigned to carry out the risk response or “own” the
risk and MUST keep the project manager informed of any changes.
OUTPUTS
Contingency plans
Contingency plans are plans describing the specific actions that will be taken if
the opportunity or threat occurs.
Fallback plans;
These are specific actions that will be taken if the contingency plan is NOT
effective.
Residual risk; “ a leftover risk”
After implemented a risk response strategy, minor risk might still remain.
The contingency reserve is set up to handle situations like this.
Secondary risks;
Risks that come about as a result of implementing a risk response.
When planning for risk, identify and plan responses for secondary risks that
could occur.
Reserves (contingency)
Having reserves for time and cost is a required part of project management.

OUTPUTS
Other project documents updated could include:
Assumptions log updates: The assumptions log needs to be revisited to accommodate
this new information.
Technical documentation updates: As new information becomes available through the
application of risk responses, technical approaches and physical deliverables may change.
Any supporting documentation needs to be revisited to accommodate this new information.
Change requests: Planning for possible risk responses can often result in
recommendations for changes to the resources, activities, cost estimates, and other items
identified during other planning processes.

OUTPUTS

Control Risks
“The process of implementing risk response plans, tracking identified risks, monitoring
residual risks, identifying new risks, and evaluating risk process effectiveness throughout the
project”
Tools and
Inputs Outputs
Techniques
1. Project management plan 1. Risk reassessment 1. Work performance
2. Risk register 2. Risk audits information
3. Work performance data 3. Variance and trend analysis 2. Change requests
4. Work performance reports 4. Technical performance 3. Project management plan
measurement updates
5. Reserve analysis 4. Project document updates
6. Meetings 5. Organizational process
assets updates
The key benefit of this process is that it improves efficiency of the risk approach throughout the
project life cycle to continuously optimize risk responses
INPUTS
1. Project Management Plan
The project management plan described contains the risk management plan which
include;
Risk tolerances
Protocols and the assignment of people (including the risk owners),
Time, and other resources to project risk management.
2. Risk Register
The risk register has key inputs that include
Identified risks
Risk owners
Agreed-upon risk responses
Specific implementation actions
Symptoms and warning signs of risk,
Residual and secondary risks
A watchlist of low-priority risks
The time and cost contingency reserves.

INPUTS
3. Work Performance Data
Work performance information related to various performance results includes:
Deliverable status.
Schedule progress.
Costs incurred.
4. Performance Reports
Performance reports take information from performance measurements and analyze
it to provide project work performance information including variance analysis,
earned value data, and forecasting data.

1. Risk Reassessment
Control Risks often results in identification of new risks, reassessment of current
risks, and the closing of risks that are outdated.
Project risk reassessments should be regularly scheduled.
The results of such reassessments may include newly identifications, additional
qualitative or quantitative risk analysis, and further risk response planning.
Closing of Risks That Are NO Longer Applicable

The time when each identified risk can logically occur will eventually pass.
Closing of risks allows the team to focus on managing those risks that are still open.
The closing of a risk will likely result in the risk reserve being returned to the company.

2. Risk Audits
Risk audits examine and document the effectiveness of risk responses in

dealing with identified risks and their root causes, as well as the effectiveness of
the risk management process.
It is arranged by project manager and results in identification of lessons learned

for the project and for other project in the organization.
Risk audits are evidence of how seriously risk should be taken on a project.
3. Variance and Trend Analysis
Compare the planned results to the actual results.
Trends in the project’s execution should be reviewed using performance data.
Earned value analysis and other methods of project variance and trend analysis may
be used for monitoring overall project performance.
4. Technical performance measurement
Technical performance measurement compares technical accomplishments during
project execution to the project management plan’s schedule of technical
achievement.
Technical performance measures may include weight, transaction times, number of
delivered defects, storage capacity, etc.
Deviation, such as demonstrating more or less functionality than planned at a
milestone, can help to forecast the degree of success in achieving the project’s
scope.
5. Reserve analysis
Reserve analysis compares the amount of the contingency reserves remaining to
the amount of risk remaining at any time in the project, in order to determine if the
remaining reserve is adequate.
Throughout execution of the project, some risks may occur, with positive or negative
impacts on budget or schedule contingency reserves.
6. Meetings
Project risk management should be an agenda item at periodic status meetings.
The amount of time required for that item will vary, depending upon the risks that
have been identified, their priority, and difficulty of response.
Risk management becomes easier the more often it is practiced.
Frequent discussions about risk make it more likely that people will identify risks and
opportunities.
Risk should be a major topic at status

meetings to keep focus on risks, to continue
to identify new risks, and to make sure plans
remain appropriate.

OUTPUTS
1. Work Performance Information
Work performance information, as a Control Risks output, provides a mechanism to
communicate and support project decision making.
Risk s can be identified anytime during the project lifecycle.

OUTPUTS
2. Change requests
Implementing contingency plans or workarounds frequently results in a requirement
to change the project management plan to respond to risks.
Recommended corrective actions: These are activities that realign the performance
of the project work with the project management plan. They include contingency
plans and workarounds. The latter are responses that were not initially planned, but
are required to deal with emerging risks that were previously unidentified or
accepted passively.
Recommended preventive actions: These are activities that ensure that future
performance of the project work is aligned with the project management plan.
Workaround;
Workarounds are unplanned responses developed to deal with the
occurrence of unanticipated risk event.
Project managers who do not perform risk management spend most of their
time creating workarounds.
OUTPUTS
3. Project management plan updates
If the approved change requests have an effect on the risk management processes,
then the corresponding component documents of the project management plan are
revised and reissued to reflect the approved changes.
4. Project document updates
Actual outcomes of risk reassessments, risk audits, and periodic risk reviews.
Actual outcomes of the project’s risks and of the risk responses.
5. Organizational process assets updates
Templates for the risk management plan, including the probability and impact
matrix, and risk register.
Risk breakdown structure.
Lessons learned from the project risk management activities.

Refreshments
Q1: All of the following are factors in the assessment of project risk EXCEPT:
A. Risk event.
B. Risk probability.
C. Amount at stake.
D. Insurance premiums.
Q2: If a project has a 60 percent chance of a US $100,000 profit and a 40 percent chance of a
US $100,000 loss, the expected monetary value for the project is:
A. $100,000 profit.
B. $60,000 loss.
C. $20,000 profit.
D. $40,000 loss.

Refreshments
Q3:You have been appointed as the manager of a new, large, and complex project. Because
this project is business-critical and very visible, senior management has told you to analyze
the project's risks and prepare response strategies for them as soon as possible. The
organization has risk management procedures that are seldom used or followed, and has had
a history of handling risks badly. The project's first milestone is in two weeks. In preparing the
risk response plan, input from which of the following is generally LEAST important?
A. Project team members
B. Project sponsor
C. Individuals responsible for risk management policies and templates
D. Key stakeholders

Refreshments
Q4: A project team is creating a project management plan when management asks
them to identify project risks and provide some form of qualitative output as soon as
possible, What should the project team provide?
A. Prioritized list of project risks
B. Risk triggers
C. Contingency reserves
D. Probability of achieving the time and cost objectives

Refreshments
Q5: During the Identify Risks process, a project manager made a long list of risks
identified by all the stakeholders using various methods. He then made sure that all the
risks were understood and that triggers had been identified. Later, in the Plan Risk
Responses process, he took all the risks identified by the stakeholders and determined
ways to mitigate them. What has he done wrong?
A. The project manager should have waited until the Perform Qualitative Risk Analysis
process to get the stakeholders involved.
B. More people should be involved in the Plan Risk Responses process.
C. The project manager should have created workarounds.
D. Triggers are not identified until the Identify Risks process.

THANK YOU

01 Project Risk Management PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

01 Project Risk Management PDF

Uploaded by

Copyright:

Available Formats

P ROJECT R ISK M ANAGEMENT

February 2016 Hisham Haridy, PMP, PMI-RMP

PROJECT RISK MANAGEMENT February 2016

PROJECT RISK MANAGEMENT February 2016

Known Risks Unknown Risks Issue

That cannot be managed a management reserve

proactively, should be assigned a

PROJECT RISK MANAGEMENT February 2016

PROJECT RISK MANAGEMENT February 2016

amount, or volume of risk that an organization or individual will withstand.

(or avoider), risk neutral, or risk seeker (or taker).

Averse/Avoider Neutral Seeker/Taker

PROJECT RISK MANAGEMENT February 2016

PROJECT RISK MANAGEMENT February 2016

PROJECT RISK MANAGEMENT February 2016

Inputs Tools and Techniques Outputs

The risk management plan is vital to communicate with and obtain

PROJECT RISK MANAGEMENT February 2016

1. Project management plan

The project management plan provides baseline or current state of risk-affected

areas including scope, schedule, and cost.

project descriptions, and high-level requirements

stakeholders, provides an overview of their roles.

4. Enterprise environmental factors

an organization will withstand.

5. Organizational process assets

Common definitions of concepts and terms,

Risk statement formats,

Roles and responsibilities,

Authority levels for decision making, and

context of the project.

Risk management context is a combination of stakeholder risk attitudes and the

A stakeholder risk profile analysis may be

the use of strategic risk scoring sheets, are used

PROJECT RISK MANAGEMENT February 2016

To ensure a comprehensive establishment of the risk management plan, judgment,

Subject matter experts (SMEs) in business or project area,

Industry groups and consultants, and

Professional and technical associations.

PROJECT RISK MANAGEMENT February 2016

PROJECT RISK MANAGEMENT February 2016

Risk contingency reserve application approaches may be established or reviewed.

Risk management responsibilities will be assigned.

probability and impact matrix will be tailored to the specific project.

The outputs of these activities will be

summarized in the risk management

PROJECT RISK MANAGEMENT February 2016

PROJECT RISK MANAGEMENT February 2016

Example of Risk Breakdown Structure (RBS)

PROJECT RISK MANAGEMENT February 2016

PROJECT RISK MANAGEMENT February 2016

6 Risk Tolerance : Risk Averse

Scale Rang Scale Rang

PROJECT RISK MANAGEMENT February 2016

PROJECT RISK MANAGEMENT February 2016

The assignments of roles and responsibilities, provision for risk management

2. Cost Management Plan

3. Schedule Management Plan

The schedule management plan provides insight to project time/schedule objectives

4. Quality Management Plan

Uncertainty in project assumptions should be evaluated as potential causes of

The WBS is a critical input to identifying risks.

7. Activity cost estimates