
AGOSTINHO PEDRO FERNANDO NEVE

ID UM56375BPR65381

COURSE NAME: PROJECT RISK MANAGEMENT

MASTER IN PROJECT MANAGEMENT

ATLANTIC INTERNATIONAL UNIVERSITY


SCHOOL OF BUSINESS & ECONOMICS
Table of Contents
1. Introduction
2. Project risk management methodology
2.1. Basic Concepts
2.2. Methodology in Project Risk Management
3. Project risk management tools
3.1. Market-level (CAP-M)
3.2. Component-level (PRA)
3.3. Notable PRA tools and techniques
4. Risk Management Framework
4.1. Risk Management Plan
4.2. Risk Identification
4.2.1. Risk Sources Example
4.2.2. Risk Category
4.2.3. Risk Analysis
4.2.4. Probability of Risk Occurrence
4.2.5. Risk Impact
4.2.6. Risk Exposure
4.2.7. Risk Occurrence Timeframe
4.2.8. Risk Classification Examples
4.3. Risk Response Planning
4.3.1. Risk Response Plans
4.3.2. Risk Triggers
4.3.3. Risk Ownership
4.4. Risk Mitigation Through Proper Security Measures
4.5. Risk Monitoring and Control
4.6. Risk Threshold
4.7. Risk Efficiency Measurement
4.7.1. Risk Metrics
4.7.2. Risk Audit
5. ISO 31000
5.1. Scope
5.2. Framework approach
5.3. Implementation
5.4. Quantifying and financing risk
6. Conclusion and recommendation
7. Bibliography
1. Introduction
This assignment is part of the curriculum of the Master Program in Project
Management at the School of Business & Economics of Atlantic International
University.

Risks can come from various sources, including uncertainty in financial markets, threats
from project failures (at any phase in the design, development, production, or sustainment
life cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate
attack from an adversary, or events of uncertain or unpredictable root cause. Events are
of two types: negative events are classified as risks, while positive events are classified
as opportunities.

When considering projects, in general, there are different process cycles one should
understand: (1) the project life cycle, (2) the product life cycle, and (3) the product
development (or product-oriented) cycle. Project risk is an inherent element of all three,
and thus, should be understood by project managers and their organizations because
some of the subtle ramifications may not be that well understood, and may be confused.

The objective of the assignment is to build knowledge of project risk management.
In this course, the following aspects will be addressed in detail:
• Project risk management methodology.
• Equipment, schedule and cost required for risk management.
• Main risk identification techniques.
• Main techniques of qualitative and quantitative risk analysis.
• Contingency reserves and project management reserves. Budget and control.
• Software tools for risk management.
• Keys to effective project risk management.

All these aspects will be discussed just to link them in the project management
environment and see how they can affect the achievement of the project objectives.

2. Project risk management methodology
2.1. Basic Concepts
Project risk management is an important aspect of project management. According to the
Project Management Institute's PMBOK, Risk management is one of the ten knowledge
areas in which a project manager must be competent. Project risk is defined by PMI as,
"an uncertain event or condition that, if it occurs, has a positive or negative effect on a
project’s objectives."

Project risk management remains a relatively undeveloped discipline, distinct from
operational, financial and underwriters' risk management. This gulf is due to several
factors: risk aversion, especially public understanding of risk in social activities,
confusion in the application of risk management to projects, and the additional
sophistication of probability mechanics beyond that of accounting, finance and
engineering.

In the above disciplines of operational, financial and underwriting risk management,
the concepts of risk, risk management and individual risks are nearly interchangeable,
being either personnel or monetary impacts respectively. Impacts in project risk
management are more diverse, overlapping monetary, schedule, capability, quality and
engineering disciplines. For this reason, in project risk management, it is necessary to
specify the differences (paraphrased from the "Department of Defense Risk, Issue, and
Opportunity Management Guide for Defense Acquisition Programs"):
• Risk Management: Organizational policy for optimizing investments and
(individual) risks to minimize the possibility of failure.
• Risk: The likelihood that a project will fail to meet its objectives.
• A risk: A single action, event or hardware component that contributes to an effort's
"Risk."

An improvement on the PMBOK definition of risk management is to add a future date to
the definition of a risk. Mathematically, this is expressed as a probability multiplied by an
impact, with the inclusion of a future impact date and critical dates. This addition of future
dates allows predictive approaches. Good Project Risk Management depends on
supporting organizational factors, having clear roles and responsibilities, and technical
analysis.

2.2. Methodology in Project Risk Management

Chronologically, Project Risk Management may begin in recognizing a threat, or by
examining an opportunity. For example, these may be competitor developments or novel
products. Due to lack of definition, this is frequently performed qualitatively, or semi-
quantitatively, using product or averaging models. This approach is used to prioritize
possible solutions, where necessary.

In some instances, it is possible to begin an analysis of alternatives, generating cost and
development estimates for potential solutions. An example of a Risk Register covers four
steps: Identify, Analyse, Plan Response, and Monitor and Control. Once an
approach is selected, more familiar risk management tools and a general project risk
management process may be used for the new projects:
• Planning risk management
• Risk identification and monetary identification
• Performing qualitative risk analysis
• Communicating the risk to stakeholders and the funders of the project
• Refining or iterating the risk based on research and new information
• Monitoring and controlling risks

Finally, risks must be integrated to provide a complete picture, so projects should be
integrated into enterprise-wide risk management, to seize opportunities related to the
achievement of their objectives.

3. Project risk management tools

In order to make project management effective, managers use risk management
tools. These tools make it possible to take measures against the project's risks while
still accomplishing its objectives.

The project risk management (PRM) system should be based on the competences of the
employees willing to use them to achieve the project’s goal. The system should track
all the processes that occur in the project and their exposure, as well as the
circumstances that generate risk, and determine their effects. Nowadays, Big Data
(BD) analysis appears to be an emerging method for creating knowledge from the data
generated by different sources in production processes. According to Górecki, BD
seems to be an adequate tool for PRM.

Risk management tools allow uncertainty to be addressed by identifying and generating
metrics, parameterizing, prioritizing, and developing responses, and tracking risk. These
activities may be difficult to track without tools and techniques, documentation and
information systems.

There are two distinct types of risk tools identified by their approach: market-level tools
using the capital asset pricing model (CAP-M) and component-level tools with
probabilistic risk assessment (PRA). Market-level tools use market forces to make risk
decisions between securities. Component-level tools use the functions of probability and
impact of individual risks to make decisions between resource allocations.

ISO/IEC 31010 (Risk assessment techniques) has a detailed but non-exhaustive list of
tools and techniques available for assessing risk.

3.1. Market-level (CAP-M)

CAP-M uses market or economic statistics and assumptions to determine the appropriate
required rate of return of an asset, given that asset's non-diversifiable risk.

3.2. Component-level (PRA)

Probabilistic risk assessment is often used in project risk management. These tools are
applications of PRA and allow planners to explicitly address uncertainty by identifying and
generating metrics, parameterizing, prioritizing, and developing responses, and tracking
risk from components, tasks or costs. PRA, also called Likelihood-Consequence or
Probability-Impact, is based upon single-point estimates of probability of occurrence,
initiating event frequency, and recovery success (e.g., human intervention) of a specific
consequence (e.g., cost or schedule delay).

3.3. Notable PRA tools and techniques

Event chain methodology – A method of managing risk and uncertainties affecting
project schedules;
Risk register – A project planning and organizational risk assessment tool. It is often
referred to as a Risk Log;
Systems Analysis Programs for Hands-on Integrated Reliability Evaluations
(SAPHIRE) – A probabilistic safety and reliability engineering assessment software tool.

4. Risk Management Framework

4.1. Risk Management Plan
The organization-mandated risk management framework is reviewed and tailored to
define the project risk management plan when the project is initiated. The risk
management plan includes these definitions and guidelines:
• List of possible risk sources and categories
• Impact and probability matrix
• Risk reduction and action plan
• Contingency plan
• Risk threshold and metrics

4.2. Risk Identification

According to Leimberg, S. R., Price, K. W., & Pedre, J. M. (2016), most risk management
authorities agree that there are four categories of traditional (pure) exposures (subjects
or objects that may sustain a loss in value): (i) assets (real and personal, including
financial and intangible assets); (ii) third-party liabilities (legal obligations to others);
(iii) human resources (including the company’s intellectual capital); and (iv) net income
(earnings losses, decreased revenues, or increased expenses).

Risks are to be identified and dealt with as early as possible in the project. Risk
identification is done throughout the project life cycle, with special emphasis during the
key milestones.

Risk identification is one of the key topics in the regular project status and reporting
meetings. Some risks may be readily apparent to the project team (known risks); others
will take more rigor to uncover, but are still predictable.
The medium for recording all identified risks throughout the project is the risk register,
which is stored in the central project server. The following tools and guidelines are used
to identify risks in a structured and disciplined way, which ensures that no significant
potential risk is overlooked.

4.2.1. Risk Sources Example

4.2.2. Risk Category

Risk category provides a list of areas that are prone to risk events. The organization
recommends high-level, standard categories, which have to be extended based on the
project type.

4.2.3. Risk Analysis
Risk analysis involves examining how project outcomes and objectives might change due
to the impact of the risk event. Once the risks are identified, they are analysed to identify
the qualitative and quantitative impact of the risk on the project so that appropriate steps
can be taken to mitigate them. The following guidelines are used to analyse risks.

4.2.4. Probability of Risk Occurrence

• High probability – (80 % ≤ x ≤ 100 %)
• Medium-high probability – (60 % ≤ x < 80 %)
• Medium-low probability – (30 % ≤ x < 60 %)
• Low probability – (0 % < x < 30 %)

4.2.5. Risk Impact

• High – Catastrophic (Rating A – 100)
• Medium – Critical (Rating B – 50)
• Low – Marginal (Rating C – 10)

As a guideline for Impact Classification the following matrix is used:

The score represents bottom thresholds for the classification of risks assuming “normal”
conditions. An upgrade of the score to the next or even next + 1 level is necessary if the
risk is impacted by critical factors such as:
• How important the specific customer is;
• Whether the project is critical for the further development of the relationship with
the customer;
• The risk is already in the focus of the customer;
• Specific penalties for deviations from project targets are agreed in the contract with
the customer.

4.2.6. Risk Exposure

Risk Exposure or Risk Score is the value determined by multiplying the Impact Rating
with Risk Probability as shown in the table below.

4.2.7. Risk Occurrence Timeframe
The timeframe in which this risk will have an impact is identified. This is classified into
one of the following:

In addition to classifying risks according to the above guidelines, it is also necessary to
describe the impact on cost, schedule, scope, and quality in as much detail as possible
based on the nature of the risk.

4.2.8. Risk Classification Examples:

4.3. Risk Response Planning

There may not be quick solutions to reduce or eliminate all the risks facing a project.
Some risks may need to be managed and reduced strategically over longer periods.
Therefore, action plans should be worked out to reduce these risks. These action plans
should include:
• Risk description with risk assessment
• Description of the action to reduce the risk
• Owner of the risk action
• Committed completion date of the risk action
All risk action plans should be allotted to the person identified to carry out the action plan.

4.3.1. Risk Response Plans

For each risk, a risk response must be documented in the risk register in agreement with
the stakeholders. This should be ensured by the project manager. Risk response plans
are aimed at the following targets:
• Eliminating the risk;
• Lowering the probability of risk occurrence;
• Lowering the impact of the risk on the project objectives.

Risk response plans usually impact time and costs. It is therefore mandatory that the time
and cost for the defined response plan are calculated as precisely as possible. This also
assists in selecting a response plan from the alternatives, and in verifying whether the
response plan is costlier or has more impact on one of the project objectives than the risk
itself.

After successfully implementing a set of response plans, the score of a risk could be
lowered in consultation with the stakeholders. Examples:

4.3.2. Risk Triggers
For each risk a trigger must be documented in the risk register. The trigger identifies the
risk symptoms or warning signs. It indicates that a risk has occurred or is about to occur.
The risk trigger also gives an indication of when a certain risk is expected to occur.
Examples below:

4.3.3. Risk Ownership

The ground rule is that responsibility for managing all risks in the project lies with the
project manager.

Based on this ground rule a Risk Owner (who is not necessarily the project manager)
must be determined and named in the Risk Register. The Risk Owner is normally the one
who can best monitor the risk trigger, but can also be the one who can best drive the
defined countermeasures. The Risk Owner is responsible for immediately reporting any
changes in the risk trigger status and for driving the defined countermeasures. Examples:

4.4. Risk Mitigation Through Proper Security Measures

Data in all its forms (electronic, paper, or other) and throughout its life cycle (creation,
entry, storage, processing, and disposal) will be protected from unauthorized access,
modification, destruction, and disclosure, whether accidental or intentional, on the project.
Security risks can no longer be addressed through an unplanned series of spot checks
or an uncoordinated patchwork of technical fixes. Security risks and tools have become
too complex for ad hoc administration. Protecting the integrity of our data is of vital
importance on the project. This protection is provided through user access controls, password
management, employee awareness programs, and monitoring/reporting.

One of the key ingredients of information protection is user access controls, determining
who can access the information and how it can be accessed. To ensure appropriate levels
of access, security measures will be instituted for this project.

Security will be controlled by menu design as well as by security levels attached to
individual items. A complete analysis of existing application access and security will be
done and adjustments made to ensure all existing users have access specific to their job
requirements. Passwords are not displayed when entered.
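The combination described above (menu-based visibility, a security level attached to each item, job-specific access, and monitoring/reporting of what was denied) can be modelled in a few lines. The following is an added example, not code from the assignment; the users, items, menus and levels are constructed for illustration, and the default-deny check plus audit trail is the point being shown.

```python
"""Added example, not from the assignment: a small model of the access controls
described in section 4.4 (security levels attached to individual items, menu-based
access, job-specific permissions, and monitoring/reporting of denied attempts).
Users, items, menus and levels are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Security level attached to an item; a higher value is more restricted."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class User:
    name: str
    clearance: Level        # highest level the user's job requires
    menus: frozenset        # menu entries the user's role is given


@dataclass(frozen=True)
class Item:
    name: str
    level: Level            # security level attached to this item
    menu: str               # the menu through which the item is reached


@dataclass
class AccessControl:
    """Default-deny access check that records every decision for reporting."""
    audit: list = field(default_factory=list)

    def check(self, user: User, item: Item) -> bool:
        if item.menu not in user.menus:
            # Menu design: items on menus outside the user's role are not reachable.
            allowed, reason = False, "menu not assigned to role"
        elif item.level > user.clearance:
            # Security level: the item's level must not exceed the user's clearance.
            allowed, reason = False, "item level above user clearance"
        else:
            allowed, reason = True, "ok"
        self.audit.append((user.name, item.name, allowed, reason))
        return allowed

    def denials_per_user(self) -> Counter:
        """Monitoring/reporting: how many denied attempts each user produced."""
        return Counter(u for u, _, allowed, _ in self.audit if not allowed)


# Constructed sample users and items (assumed, not from the assignment).
USERS = {
    "alice": User("alice", Level.CONFIDENTIAL, frozenset({"finance", "schedule"})),
    "bob": User("bob", Level.INTERNAL, frozenset({"schedule"})),
}
ITEMS = {
    "budget": Item("budget", Level.CONFIDENTIAL, "finance"),
    "contract": Item("contract", Level.RESTRICTED, "finance"),
    "gantt": Item("gantt", Level.INTERNAL, "schedule"),
}


def run_demo():
    """Evaluate every user against every item; return decisions and the report."""
    ac = AccessControl()
    decisions = {
        (u.name, i.name): ac.check(u, i)
        for u in USERS.values()
        for i in ITEMS.values()
    }
    return decisions, ac.denials_per_user()


if __name__ == "__main__":
    decisions, report = run_demo()
    for (user, item), allowed in sorted(decisions.items()):
        print(f"{user:6} {item:9} {'ALLOW' if allowed else 'DENY'}")
    print("denied attempts per user:", dict(report))
```

The audit list is what makes the "monitoring/reporting" part of the section concrete: a user who keeps hitting items outside their menus or above their clearance shows up in the denial report, which is the kind of signal a project security review would want to see.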

The most extensive security products, systems, and procedures can fail at the human
level. To prevent this from happening, project team members are informed at employee
orientation of the importance of protecting the enterprise’s valuable secrets and of the
proper security practices. Failure to comply with data security policies, standards, and
procedures constitutes improper conduct and is handled in accordance with personnel
policies concerning disciplinary action, up to and including dismissal. A confidentiality
agreement is signed by each employee and kept in Human Resources.

4.5. Risk Monitoring and Control

Risk monitoring and control includes:
• Identifying new risks and planning for them
• Keeping track of existing risks to check if:
o Reassessment of risks is necessary
o Any of the risk conditions have been triggered
o Monitor any risks that could become more critical over time
o Tackle the remaining risks that require a longer-term, planned, and
managed approach with risk action plans
• Risk reclassification
For the risks that cannot be closed, the criticality has to go down over a period of time
due to implementing the action plan. If this is not the case, then the action plan might
not be effective and should be re-examined.
• Risk reporting
The risk register is continuously updated, from risk identification through risk response
planning and status update during risk monitoring and control. This project risk register
is the primary risk reporting tool and is available in the central project server, which is
accessible to all stakeholders.

Risk monitoring and controlling or risk review is an iterative process that uses progress
status reports and deliverable status to monitor and control risks. This is enabled by
various status reports, such as quality reports, progress reports, follow-up reports, and so
forth.

Risk Reviews are a mandatory item of milestone meetings and/or regular project
meetings, but they can also be executed during separately planned risk review meetings.
These risk reviews must be held regularly. The frequency could also be determined based
on the overall risk level of a project.

4.6. Risk Threshold

The risk priorities have to be set to direct focus where it is most critical. The risks with the
highest risk exposure rating are the highest priority. Risks with Exposure Low can be
dropped from the mitigation plans, but may need to be revisited later in the project.

The organizational mandate is that if the projects have at least one “Very High” risk or
more than 3 “High” risks, guidance should be sought from management and stakeholders,
as the project may be at high risk of failure. This is the recommended risk threshold.
Projects can customize the threshold based on project needs.
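The scoring chain described in 4.2.4 to 4.2.6 (probability band, impact rating with the critical-factor upgrade, exposure = impact rating × probability) and the threshold rule in this section fit together into one small register calculator. The block below is an added example, not code from the assignment: the probability bands, impact ratings and the "one Very High or more than three High" mandate come from the text, while the cutoffs that map an exposure score to a band (60, 30, 10) are an assumption, since the exposure table is not reproduced here, and the register entries are constructed.

```python
"""Added example, not from the assignment: scoring a risk register with the
probability bands of 4.2.4, the impact ratings of 4.2.5, the exposure product of
4.2.6 and the escalation rule of 4.6. The cutoffs that map an exposure score to
a band are an ASSUMPTION (the assignment's exposure table is not reproduced);
the register entries are constructed."""
from dataclasses import dataclass

IMPACT_RATING = {"Low": 10, "Medium": 50, "High": 100}   # 4.2.5 ratings C, B, A
IMPACT_ORDER = ["Low", "Medium", "High"]

# ASSUMED cutoffs on the exposure score (rating x probability), highest first.
EXPOSURE_BANDS = [(60.0, "Very High"), (30.0, "High"), (10.0, "Medium")]


def probability_band(p: float) -> str:
    """Probability bands of 4.2.4; p is a fraction in (0, 1]."""
    if not 0.0 < p <= 1.0:
        raise ValueError("probability must be in (0, 1]")
    if p >= 0.8:
        return "High"
    if p >= 0.6:
        return "Medium-high"
    if p >= 0.3:
        return "Medium-low"
    return "Low"


def upgrade_impact(impact: str, levels: int) -> str:
    """4.2.5: critical factors move the impact up one level or even two, capped at High."""
    idx = min(IMPACT_ORDER.index(impact) + levels, len(IMPACT_ORDER) - 1)
    return IMPACT_ORDER[idx]


def exposure_score(impact: str, p: float) -> float:
    """4.2.6: exposure (risk score) = impact rating x probability."""
    return IMPACT_RATING[impact] * p


def exposure_band(score: float) -> str:
    """Map a score to an exposure band using the ASSUMED cutoffs above."""
    for cutoff, label in EXPOSURE_BANDS:
        if score >= cutoff:
            return label
    return "Low"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    impact: str                # Low / Medium / High before any critical-factor upgrade
    probability: float
    critical_levels: int = 0   # levels to upgrade because of critical factors (0, 1 or 2)


def assess(register):
    """Return one dict per risk with its derived classification."""
    rows = []
    for r in register:
        impact = upgrade_impact(r.impact, r.critical_levels)
        score = exposure_score(impact, r.probability)
        rows.append({
            "id": r.risk_id,
            "impact": impact,
            "probability_band": probability_band(r.probability),
            "score": score,
            "exposure": exposure_band(score),
        })
    return rows


def needs_escalation(rows) -> bool:
    """4.6 mandate: at least one Very High risk or more than 3 High risks."""
    very_high = sum(1 for r in rows if r["exposure"] == "Very High")
    high = sum(1 for r in rows if r["exposure"] == "High")
    return very_high >= 1 or high > 3


def mitigation_list(rows):
    """4.6: Low-exposure risks are dropped from the mitigation plans."""
    return [r["id"] for r in rows if r["exposure"] != "Low"]


# Constructed register entries (not from the assignment).
REGISTER = [
    Risk("R1", "key supplier delivers late", "Medium", 0.7),
    Risk("R2", "minor scope clarification needed", "Low", 0.2),
    Risk("R3", "customer penalty clause triggered", "Medium", 0.9, critical_levels=1),
    Risk("R4", "test environment unavailable for a day", "Low", 0.5),
    Risk("R5", "core component fails acceptance", "High", 0.35),
]

if __name__ == "__main__":
    rows = assess(REGISTER)
    for row in rows:
        print(row)
    print("escalate to management:", needs_escalation(rows))
    print("risks kept in mitigation plans:", mitigation_list(rows))
```

Note how R3 changes class only because of the critical-factor upgrade: a Medium impact at 90 % probability scores 45 on its own, but the contract penalty pushes it to High impact and therefore to a Very High exposure, which by itself triggers the escalation rule.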

4.7. Risk Efficiency Measurement

4.7.1. Risk Metrics
The efficiency of risk analysis and management is measured by capturing the following
metrics during project closure. The analysis results are used to decipher lessons learned,
which are recorded in the organization's lessons learned database.
• Number of risks that occurred / Number of risks that were identified
• Was the impact of the risks as severe as originally thought?
• How many risks recurred?
• How do the actual problems and issues faced in a project differ from the anticipated
risks?

4.7.2. Risk Audit

This is an independent expert analysis of risks, with recommendations to enhance
maturity or effectiveness of risk management in the organization. This evaluates:
• How good are we at identifying risk?
• Exhaustiveness and granularity of risks identified
• Effectiveness of mitigation or contingency plan
• Linkage of project risks to organizational risks

This is not a “process adherence” audit, but an aid to enhance the quality of risk
identification and risk analysis. This is also used as a forum to benchmark and identify
good practices of risk management among various projects in the organization.

The risk audit is done by a group of independent domain or technical experts through
documentation review and interviews. The key deliverables of this risk audit are:
• Customized checklist to evaluate the risks of a project
• Identify areas of importance for risk analysis for a project (risk taxonomy)
• Risk radar – risk-prone areas of the product group
• Potential additional risks identified based on the review
• Top 10 risks in the organization from key projects, which require management
attention

5. ISO 31000
ISO 31000 is a family of standards relating to risk management codified by the
International Organization for Standardization. The purpose of ISO 31000:2018 is to
provide principles and generic guidelines on risk management. ISO 31000 seeks to
provide a universally recognised paradigm for practitioners and companies employing risk
management processes to replace the myriad of existing standards, methodologies and
paradigms that differed between industries, subject matters and regions.

5.1. Scope
ISO 31000:2009 provides generic guidelines for the design, implementation and
maintenance of risk management processes throughout an organization. This approach
to formalizing risk management practices will facilitate broader adoption by companies
who require an enterprise risk management standard that accommodates multiple ‘silo-
centric’ management systems.

The scope of this approach to risk management is to enable all strategic, management
and operational tasks of an organization throughout projects, functions, and processes to
be aligned to a common set of risk management objectives. Accordingly, ISO 31000:2009
is intended for a broad stakeholder group including:
• Executive level stakeholders;
• Appointment holders in the enterprise risk management group;
• Risk analysts and management officers;
• Line managers and project managers;
• Compliance and internal auditors;
• Independent practitioners.

5.2. Framework approach

ISO 31000:2009 has been developed on the basis of an existing standard on risk
management, AS/NZS 4360:2004 (In the form of AS/NZS ISO 31000:2009). Whereas the
initial Standards Australia approach provided a process by which risk management could
be undertaken, ISO 31000:2009 addresses the entire management system that supports
the design, implementation, maintenance and improvement of risk management
processes.

5.3. Implementation
The intent of ISO 31000 is to be applied within existing management systems to formalize
and improve risk management processes as opposed to wholesale substitution of legacy
management practices. Subsequently, when implementing ISO 31000, attention is to be
given to integrating existing risk management processes in the new paradigm addressed
in the standard.

The focus of many ISO 31000 'harmonization' programmes has centred on:
• Transferring accountability gaps in enterprise risk management;
• Aligning objectives of the governance frameworks with ISO 31000;
• Embedding management system reporting mechanisms;
• Creating uniform risk criteria and evaluation metrics.

5.4. Quantifying and financing risk
After risks have been identified, they must be quantified in some way so that decisions
can be made about financing losses either through retention or transfer techniques (such
as insurance). Determining the proper insurance policy deductibles is an important
exercise, but risk measurement is done for many other reasons. For example, once risks
are measured, individuals can make more informed financial planning decisions, and
business managers can use the risk assessment to plan strategies or select among risk
control projects.

Quantification of risk factors is an inexact science – but it is still one of the best methods
available to help guide decisions about transferring or retaining risk. The quantitative
assessment measures the exposure’s value – the expected outcome and associated
possible changes in value, and the likelihood of each possibility over time. The result is a
probability distribution of possible outcomes.

In a business context, the risk manager will obtain valuable information from this
quantification exercise, including the:
• Time of the occurrence;
• Length or duration;
• Expected outcome (arithmetic mean);
• Mode;
• Median;
• Standard deviation from the mean;
• Range; and
• The coefficient of variation.
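The measures in the list above, and the "probability distribution of possible outcomes" that the quantitative assessment is supposed to produce, are easy to make concrete. The block below is an added example, not part of the assignment: it computes the descriptive measures over a constructed loss history, then builds a simulated distribution of total annual loss (Poisson frequency, severity resampled from the history) and splits each simulated year into a retained and a transferred part at an aggregate deductible. The loss figures, the event frequency and the aggregate-deductible treatment are all assumptions.

```python
"""Added example, not from the assignment: the quantities listed in 5.4 (expected
outcome, mode, median, standard deviation, range, coefficient of variation)
computed over a constructed loss history, plus a simulated probability distribution
of annual losses used to compare retention against transfer. All loss figures,
the event frequency and the aggregate-deductible treatment are assumptions."""
import math
import random
import statistics

# Constructed loss history (amount per loss event, in currency units).
LOSS_HISTORY = [12_000, 8_500, 8_500, 30_000, 5_000, 15_000, 8_500, 22_000]


def quantify(losses):
    """The descriptive measures of 5.4 for a list of loss amounts."""
    mean = statistics.fmean(losses)
    sd = statistics.stdev(losses)            # sample standard deviation
    return {
        "expected_outcome": mean,
        "mode": statistics.mode(losses),
        "median": statistics.median(losses),
        "standard_deviation": sd,
        "range": max(losses) - min(losses),
        "coefficient_of_variation": sd / mean,
    }


def _poisson(rng, lam):
    """Event count per year drawn from Poisson(lam) (Knuth's multiplication method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while p > limit:
        k += 1
        p *= rng.random()
    return k - 1


def simulate_annual_losses(losses, events_per_year, years, seed=0):
    """Data simulation: resample the loss history to build a distribution of total
    annual loss. Frequency is Poisson, severity is drawn from the history."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n = _poisson(rng, events_per_year)
        totals.append(sum(rng.choices(losses, k=n)))   # k=0 gives an empty year
    return totals


def retention_vs_transfer(totals, aggregate_deductible):
    """Split each simulated year into the retained part (up to the deductible) and
    the part transferred to an insurer; return the expected value of both."""
    retained = [min(t, aggregate_deductible) for t in totals]
    transferred = [max(t - aggregate_deductible, 0) for t in totals]
    return statistics.fmean(retained), statistics.fmean(transferred)


if __name__ == "__main__":
    for name, value in quantify(LOSS_HISTORY).items():
        print(f"{name:26} {value:,.2f}")
    totals = simulate_annual_losses(LOSS_HISTORY, events_per_year=3, years=5_000)
    print("simulated annual loss, mean:", round(statistics.fmean(totals)))
    for deductible in (20_000, 50_000, 100_000):
        kept, moved = retention_vs_transfer(totals, deductible)
        print(f"deductible {deductible:>7,}: retain {kept:,.0f}  transfer {moved:,.0f}")
```

The coefficient of variation (standard deviation divided by the mean) is the measure that lets a risk manager compare the volatility of exposures with very different sizes; on the constructed history it is roughly 0.6, meaning a single event can easily deviate from the expected outcome by more than half of it, which is exactly the situation in which the retention-versus-transfer split matters.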

This data may be obtained from the organization’s own loss experience, the industry loss
experience, a combination of the two, or from data simulation. The risk management and
insurance industries are saddled with some unfortunate choices of “terms of art” which
may confuse new risk managers and stakeholders in other disciplines:

• Exposure. An exposure is defined as "an asset or person that may have a loss in
value." Examples include real property, money, and key personnel. However, this
same term is used to describe the physical conditions surrounding real property.
Risk managers must consider what types of hazards are located nearby and what
problems – such as fire or explosion – the nearby hazards could create for the
organization.
• Guaranteed rate. In assessing the cash flows associated with risk-financing plans,
it is important to accurately describe that plan. One such plan is misleadingly
named a “guaranteed cost” plan. This name implies that the price (cost) is a fixed
expense and will not change during the policy period. In reality, this plan charges
a rate per exposure unit, multiplied by the actual exposure units during the policy
period, as determined by an audit at the policy expiration.

With a guaranteed cost plan, the rate – not the total cost – is guaranteed. This confusing
term has resulted in potentially unethical behaviour by the rare, unscrupulous
intermediaries who solicit new accounts on a guaranteed-cost basis using an unrealistically
low exposure basis (also called low-balling), hoping the purchaser will not realize the true
cost is based on the audited exposure basis and the guaranteed rate.

• Self-funding. The term self-insurance is usually used to suggest that an organization is
funding losses through a form of retention. By definition, insurance is a transfer and
pooling of pure risks. However, if the organization pays for its own losses then no risk
financing transfer to another distinct party occurs. A more accurate and simpler term is
self-funding. Alternatively, the risk manager may wish to call these types of risk financing
plans retention.

6. Conclusion and recommendation

Risk management is becoming the most challenging aspect of managing software
projects. While we can never predict the future with certainty, we can apply a simple and
streamlined risk management process to predict the uncertainties in the projects and
minimize the occurrence or impact of these uncertainties.

Risk management not only helps in avoiding crisis situations but also aids in remembering
and learning from past mistakes. This improves the chance of successful project
completion and reduces the consequences of those risks.

This certainly is not the end of the journey for us on the effective risk management. It is a
constant learning process to be able to constantly improve our practices to increase our
process efficiency in project management.

Several risk management standards have been developed by bodies including the Project
Management Institute, the National Institute of Standards and Technology, actuarial
societies, and ISO. Methods, definitions and goals vary widely according to
whether the risk management method is in the context of project management, security,
engineering, industrial processes, financial portfolios, actuarial assessments, or public
health and safety.

A range of software packages is available on the market to improve the efficiency of
project risk management.

7. Bibliography

• Bissonette, M. (2016). Project Risk Management: A Practical Implementation
Approach. Newtown Square, Pennsylvania: Project Management Institute.
• Leimberg, S. R., Price, K. W., & Pedre, J. M. (2016). The Tools & Techniques of
Insurance Planning and Risk Management, 3rd Edition. Erlanger,
KY: The National Underwriter Company.
• Project Management Institute. (2017). The PMI Guide to Business Analysis.
Newtown Square, Pennsylvania: Project Management Institute.
• https://www.pmi.org/learning/library/risk-analysis-project-management-7070
• https://www.softwareadvice.com/risk-management/?segments=4722&sizes=2502