ID UM56375BPR65381
Risks can come from various sources, including uncertainty in financial markets, threats
from project failures (at any phase of the design, development, production or sustainment
life cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate
attack by an adversary, or events of uncertain or unpredictable root cause. Events fall into
two types: negative events are classified as risks, while positive events are classified as
opportunities.
When considering projects, in general, there are different process cycles one should
understand: (1) the project life cycle, (2) the product life cycle, and (3) the product
development (or product-oriented) cycle. Project risk is an inherent element of all three,
and thus, should be understood by project managers and their organizations because
some of the subtle ramifications may not be that well understood, and may be confused.
The objective of this assignment is to present knowledge about PROJECT RISK
MANAGEMENT. In this course, the following aspects will be addressed in detail:
Project risk management methodology.
Equipment, schedule and cost required for risk management.
Main risk identification techniques.
Main techniques of qualitative and quantitative risk analysis.
Contingency reserves and project management reserves. Budget and control.
Software tools for risk management.
Keys to effective project risk management.
All these aspects will be discussed in order to link them to the project management
environment and to see how they can affect the achievement of the project objectives.
2. Project risk management methodology
2.1. Basic Concepts
Project risk management is an important aspect of project management. According to the
Project Management Institute's PMBOK, risk management is one of the ten knowledge
areas in which a project manager must be competent. Project risk is defined by PMI as
"an uncertain event or condition that, if it occurs, has a positive or negative effect on a
project's objectives."
Project risk management remains a relatively undeveloped discipline, distinct from the
risk management practised in the operational, financial and underwriting fields. This gulf
is due to several factors: risk aversion (especially in public understanding and in social
activities), confusion in the application of risk management to projects, and the
additional sophistication of probability mechanics beyond those of accounting, finance
and engineering.
In the operational, financial and underwriting disciplines, the concepts of risk, risk
management and individual risks are nearly interchangeable, the impacts being either
personnel or monetary respectively. Impacts in project risk management are more diverse,
overlapping monetary, schedule, capability, quality and engineering disciplines. For this
reason, in project risk management it is necessary to specify the differences
(paraphrased from the "Department of Defense Risk, Issue, and Opportunity Management
Guide for Defense Acquisition Programs"):
Risk Management: Organizational policy for optimizing investments and
(individual) risks to minimize the possibility of failure.
Risk: The likelihood that a project will fail to meet its objectives.
A risk: A single action, event or hardware component that contributes to an effort's
"Risk."
dates allows predictive approaches. Good Project Risk Management depends on
supporting organizational factors, having clear roles and responsibilities, and technical
analysis.
The project risk management (PRM) system should be based on the competences of the
employees who are willing to use them to achieve the project's goal. The system should
track all the processes that occur in the project and their exposure, as well as the
circumstances that generate risk, and determine their effects. Big Data (BD) analysis is
emerging as a method of creating knowledge from the data generated by different sources
in production processes. According to Górecki, BD appears to be an adequate tool for
PRM.
There are two distinct types of risk tools, identified by their approach: market-level tools
using the capital asset pricing model (CAPM) and component-level tools using
probabilistic risk assessment (PRA). Market-level tools use market forces to make risk
decisions between securities. Component-level tools use the probability and impact of
individual risks to make decisions between resource allocations.
ISO/IEC 31010 (Risk assessment techniques) has a detailed but non-exhaustive list of
tools and techniques available for assessing risk.
The Probability-Impact approach is based upon single-point estimates of the probability of occurrence,
initiating event frequency, and recovery success (e.g., human intervention) of a specific
consequence (e.g., cost or schedule delay).
Risks are to be identified and dealt with as early as possible in the project. Risk
identification is done throughout the project life cycle, with special emphasis during the
key milestones.
Risk identification is one of the key topics in the regular project status and reporting
meetings. Some risks are readily apparent to the project team (known risks); others
take more rigour to uncover, but are still predictable.
The medium for recording all identified risks throughout the project is the risk register,
which is stored in the central project server. The following tools and guidelines are used
to identify risks in a structured and disciplined way, which ensures that no significant
potential risk is overlooked.
4.2.3. Risk Analysis
Risk analysis involves examining how project outcomes and objectives might change due
to the impact of the risk event. Once the risks are identified, they are analysed to identify
the qualitative and quantitative impact of the risk on the project so that appropriate steps
can be taken to mitigate them. The following guidelines are used to analyse risks.
The score represents the minimum threshold for the classification of a risk under "normal"
conditions. The score must be raised to the next level, or even two levels, if the risk is
affected by critical factors such as:
How important the specific customer is;
Whether the project is critical for the further development of the relationship with
the customer;
The risk is already in the focus of the customer;
Specific penalties for deviations from project targets are agreed in the contract with
the customer.
4.2.7. Risk Occurrence Timeframe
The timeframe in which this risk will have an impact is identified. This is classified into
one of the following:
Therefore, action plans should be worked out to reduce these risks. These action plans
should include:
Risk description with risk assessment
Description of the action to reduce the risk
Owner of the risk action
Committed completion date of the risk action
Each risk action plan must be assigned to the person identified to carry it out.
Risk response plans usually impact time and costs. It is therefore mandatory that the time
and cost for the defined response plan are calculated as precisely as possible. This also
assists in selecting a response plan from the alternatives, and in verifying whether the
response plan is costlier or has more impact on one of the project objectives than the risk
itself.
After successfully implementing a set of response plans, the score of a risk could be
lowered in consultation with the stakeholders. Examples:
4.3.2. Risk Triggers
For each risk a trigger must be documented in the risk register. The trigger identifies the
risk symptoms or warning signs. It indicates that a risk has occurred or is about to occur.
The risk trigger also gives an indication of when a certain risk is expected to occur.
Examples below:
Based on this ground rule a Risk Owner (who is not necessarily the project manager)
must be determined and named in the Risk Register. The Risk Owner is normally the one
who can best monitor the risk trigger, but can also be the one who can best drive the
defined countermeasures. The Risk Owner is responsible for immediately reporting any
changes in the risk trigger status and for driving the defined countermeasures. Examples:
One of the key ingredients of information protection is user access control: determining
who can access the information and how it can be accessed. To ensure appropriate levels
of access, security measures will be instituted for this project.
The most extensive security products, systems and procedures can fail at the human
level. To prevent this, project team members are informed at employee orientation of the
importance of protecting the enterprise's valuable secrets and of proper security
practices. Failure to comply with data security policies, standards and procedures
constitutes improper conduct and is handled in accordance with personnel policies on
disciplinary action, up to and including dismissal. A confidentiality agreement is signed
by each employee and kept in Human Resources.
Risk monitoring and controlling or risk review is an iterative process that uses progress
status reports and deliverable status to monitor and control risks. This is enabled by
various status reports, such as quality reports, progress reports, follow-up reports, and so
forth.
Risk Reviews are a mandatory item of milestone meetings and/or regular project
meetings, but they can also be executed during separately planned risk review meetings.
These risk reviews must be held regularly. The frequency could also be determined based
on the overall risk level of a project.
The organizational mandate is that if the projects have at least one “Very High” risk or
more than 3 “High” risks, guidance should be sought from management and stakeholders,
as the project may be at high risk of failure. This is the recommended risk threshold.
Projects can customize the threshold based on project needs.
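To make the probability-impact scoring, the critical-factor upgrade, the trigger and owner rules and the escalation threshold concrete, here is an added example in Python. It is not code from this assignment or from any tool the assignment mentions. The 1-to-5 probability and impact scales, the score bands for each level, the rule that one critical factor raises a risk one level and two or more raise it two levels, and the sample register entries are all assumptions made for the example; the escalation threshold itself (at least one "Very High" risk, or more than three "High" risks) is the one stated above.

```python
from dataclasses import dataclass, field

# Assumed ordering of risk levels, lowest first (the assignment's own level
# table did not survive; these names match the threshold rule in the text).
LEVELS = ["Low", "Medium", "High", "Very High"]


def classify(score):
    """Map a probability x impact score (1..25) to a level.

    Assumed bands: 1-3 Low, 4-8 Medium, 9-14 High, 15-25 Very High.
    """
    if score >= 15:
        return "Very High"
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def upgrade(level, steps):
    """Raise a level by one or two steps ("next" or "next + 1"), capped at the top."""
    idx = LEVELS.index(level)
    return LEVELS[min(idx + steps, len(LEVELS) - 1)]


@dataclass
class Risk:
    rid: str
    description: str
    probability: int            # single-point estimate, 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe) on cost, schedule or quality
    trigger: str                # warning sign that the risk has occurred or is about to
    owner: str                  # person who monitors the trigger and drives countermeasures
    critical_factors: list = field(default_factory=list)   # e.g. contractual penalties

    def score(self):
        return self.probability * self.impact

    def level(self):
        # Assumed rule: one critical factor raises the level one step, two or more raise it two.
        steps = min(len(self.critical_factors), 2)
        return upgrade(classify(self.score()), steps)


def validate(register):
    """Return the entries that break the documentation rules (trigger, owner, scales)."""
    problems = []
    for r in register:
        if not r.trigger.strip():
            problems.append(f"{r.rid}: no trigger documented")
        if not r.owner.strip():
            problems.append(f"{r.rid}: no risk owner named")
        if not (1 <= r.probability <= 5 and 1 <= r.impact <= 5):
            problems.append(f"{r.rid}: probability/impact outside 1..5")
    return problems


def level_counts(register):
    return {lvl: sum(1 for r in register if r.level() == lvl) for lvl in LEVELS}


def escalation_required(register, very_high_limit=1, high_limit=3):
    """Threshold stated in the text: at least one Very High risk, or more than
    three High risks, means guidance must be sought from management."""
    counts = level_counts(register)
    return counts["Very High"] >= very_high_limit or counts["High"] > high_limit


# Constructed sample register for the example (not a real project).
SAMPLE_REGISTER = [
    Risk("R1", "Key developer may leave mid-project", 2, 3,
         trigger="Resignation notice, or two consecutive missed one-to-ones",
         owner="Team lead"),
    Risk("R2", "Supplier delivers test hardware late", 3, 4,
         trigger="Supplier misses the pre-shipment review date",
         owner="Procurement manager",
         critical_factors=["penalty for late delivery agreed in the contract"]),
    Risk("R3", "Requirements change after design freeze", 4, 4,
         trigger="Change requests raised after the design-freeze milestone",
         owner="Project manager"),
    Risk("R4", "Customer acceptance test fails on performance", 1, 5,
         trigger="Load test in staging exceeds the agreed response time",
         owner="Test manager",
         critical_factors=["strategic customer", "risk already in the customer's focus"]),
]


if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.rid}: score {r.score():2d} -> {classify(r.score()):9s} -> {r.level()}")
    print("counts:", level_counts(SAMPLE_REGISTER))
    print("problems:", validate(SAMPLE_REGISTER) or "none")
    print("escalate to management:", escalation_required(SAMPLE_REGISTER))
```

Note that R4 has the lowest raw score in the register (1 x 5 = 5, Medium) yet ends up "Very High" because two of the critical factors from the list above apply; that is exactly the case the upgrade rule exists for, and it is what tips the register over the escalation threshold.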
This is not a “process adherence” audit, but an aid to enhance the quality of risk
identification and risk analysis. This is also used as a forum to benchmark and identify
good practices of risk management among various projects in the organization.
The risk audit is done by a group of independent domain or technical experts through
documentation review and interviews. The key deliverables of this risk audit are:
Customized checklist to evaluate the risks of a project
Areas of importance for risk analysis for a project (risk taxonomy)
Risk radar: risk-prone areas of the product group
Potential additional risks identified based on the review
Top 10 risks in the organization from key projects, which require management
attention
5. ISO 31000
ISO 31000 is a family of standards relating to risk management codified by the
International Organization for Standardization. The purpose of ISO 31000 (the current
edition is ISO 31000:2018) is to provide principles and generic guidelines on risk
management. ISO 31000 seeks to provide a universally recognised paradigm for
practitioners and companies employing risk management processes, replacing the myriad
of existing standards, methodologies and paradigms that differed between industries,
subject matters and regions.
5.1. Scope
ISO 31000:2009 (the edition discussed here, since superseded by ISO 31000:2018) provides
generic guidelines for the design, implementation and maintenance of risk management
processes throughout an organization. This approach to formalizing risk management
practices will facilitate broader adoption by companies that require an enterprise risk
management standard accommodating multiple 'silo-centric' management systems.
The scope of this approach to risk management is to enable all strategic, management
and operational tasks of an organization, throughout projects, functions and processes, to
be aligned to a common set of risk management objectives. Accordingly, ISO 31000:2009
is intended for a broad stakeholder group including:
Executive level stakeholders;
Appointment holders in the enterprise risk management group;
Risk analysts and management officers;
Line managers and project managers;
Compliance and internal auditors;
Independent practitioners.
5.3. Implementation
The intent of ISO 31000 is to be applied within existing management systems to formalize
and improve risk management processes, as opposed to wholesale substitution of legacy
management practices. Consequently, when implementing ISO 31000, attention is to be
given to integrating existing risk management processes into the new paradigm
addressed in the standard.
The focus of many ISO 31000 'harmonization' programmes has centred on:
Transferring accountability gaps in enterprise risk management;
Aligning objectives of the governance frameworks with ISO 31000;
Embedding management system reporting mechanisms;
Creating uniform risk criteria and evaluation metrics.
5.4. Quantifying and financing risk
After risks have been identified, they must be quantified in some way so that decisions
can be made about financing losses either through retention or transfer techniques (such
as insurance). Determining the proper insurance policy deductibles is an important
exercise, but risk measurement is done for many other reasons. For example, once risks
are measured, individuals can make more informed financial planning decisions, and
business managers can use the risk assessment to plan strategies or select among risk
control projects.
Quantification of risk factors is an inexact science – but it is still one of the best methods
available to help guide decisions about transferring or retaining risk. The quantitative
assessment measures the exposure’s value – the expected outcome and associated
possible changes in value, and the likelihood of each possibility over time. The result is a
probability distribution of possible outcomes.
In a business context, the risk manager will obtain valuable information from this
quantification exercise, including the:
Time of the occurrence;
Length or duration;
Expected outcome (arithmetic mean);
Mode;
Median;
Standard deviation from the mean;
Range; and
The coefficient of variation.
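As an added example (not from the assignment or any tool it names), the following Python computes the measures listed above from a constructed loss history, and produces a probability distribution of annual outcomes by frequency-severity simulation so that a per-occurrence deductible can be evaluated for retention versus transfer. The loss figures, the Poisson frequency and lognormal severity assumptions, and the deductible are all constructed for the example.

```python
import math
import random
import statistics

# Constructed annual loss history in monetary units: sample data for the example,
# not any organization's real loss experience.
LOSS_HISTORY = [12_000, 0, 45_000, 8_000, 12_000, 0, 150_000, 30_000, 12_000, 5_000]


def describe(outcomes, bin_width=None):
    """Summarize a set of possible outcomes with the measures a risk manager uses.

    `bin_width` groups continuous values into bins before taking the mode; without
    it the mode of simulated (continuous) data is meaningless, since every value
    is distinct.
    """
    mean = statistics.fmean(outcomes)
    sd = statistics.stdev(outcomes)               # sample standard deviation
    if bin_width:
        binned = [round(x / bin_width) * bin_width for x in outcomes]
    else:
        binned = list(outcomes)
    return {
        "mean": mean,                              # expected outcome
        "median": statistics.median(outcomes),
        "mode": statistics.multimode(binned),      # a list: several values may tie
        "stdev": sd,
        "range": (min(outcomes), max(outcomes)),
        "cv": sd / mean if mean else math.inf,     # coefficient of variation
    }


def poisson(rng, lam):
    """Knuth's method: number of events in one period of a Poisson process."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(freq_mean, sev_median, sev_sigma, deductible, years=10_000, seed=1):
    """Frequency-severity simulation of aggregate annual loss (assumed model).

    Event count per year ~ Poisson(freq_mean); each event's severity is lognormal
    with the given median and log-scale sigma. Returns (total, retained) per
    simulated year, where `retained` is what the organization keeps under a
    per-occurrence deductible; the remainder is transferred to the insurer.
    """
    rng = random.Random(seed)                      # seeded so runs are reproducible
    mu = math.log(sev_median)                      # lognormal median = exp(mu)
    totals, retained = [], []
    for _ in range(years):
        n = poisson(rng, freq_mean)
        losses = [rng.lognormvariate(mu, sev_sigma) for _ in range(n)]
        totals.append(sum(losses))
        retained.append(sum(min(x, deductible) for x in losses))
    return totals, retained


def expected_transfer(totals, retained):
    """Expected annual amount above the deductible, i.e. what the policy would carry."""
    return statistics.fmean(totals) - statistics.fmean(retained)


if __name__ == "__main__":
    hist = describe(LOSS_HISTORY)
    print("historical:", {k: round(v, 2) if isinstance(v, float) else v for k, v in hist.items()})
    totals, retained = simulate(2.0, 20_000, 1.0, deductible=25_000)
    sim = describe(totals, bin_width=10_000)
    print("simulated mean %.0f, median %.0f, cv %.2f" % (sim["mean"], sim["median"], sim["cv"]))
    print("expected transfer per year: %.0f" % expected_transfer(totals, retained))
```

The historical series already shows why the mean alone misleads: one large loss pulls the mean well above the median, and the coefficient of variation above 1 flags that volatility. The simulation turns the same kind of data into a full distribution of annual outcomes, and comparing `expected_transfer` for different deductibles against the premium offered is the retention-versus-transfer decision the text describes.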
This data may be obtained from the organization’s own loss experience, the industry loss
experience, a combination of the two, or from data simulation. The risk management and
insurance industries are saddled with some unfortunate choices of “terms of art” which
may confuse new risk managers and stakeholders in other disciplines:
Exposure. An exposure is defined as “an asset or person that may have a loss in
value.” Examples include real property, money, and key personnel. However, this
same term is used to describe the physical conditions surrounding real property.
Risk managers must consider what types of hazards are located nearby and what
problems, such as fire or explosion, those nearby hazards could create for the
organization.
Guaranteed rate. In assessing the cash flows associated with risk-financing plans,
it is important to describe each plan accurately. One such plan is misleadingly
named a "guaranteed cost" plan. The name implies that the price (cost) is a fixed
expense that will not change during the policy period. In reality, this plan charges
a rate per exposure unit, multiplied by the actual number of exposure units during the
policy period as determined by an audit at policy expiration.
With a guaranteed cost plan, the rate, not the total cost, is guaranteed. This confusing
term has led to potentially unethical behaviour by the rare, unscrupulous
intermediaries who solicit new accounts on a guaranteed-cost basis using an unrealistically
low exposure basis (also called low-balling), hoping the purchaser will not realize that the
true cost is based on the audited exposure basis and the guaranteed rate.
6. Conclusion and recommendation
Risk management not only helps in avoiding crisis situations but also aids in remembering
and learning from past mistakes. This improves the chance of successful project
completion and reduces the consequences of those risks.
This is certainly not the end of our journey towards effective risk management. It is a
constant learning process that allows us to keep improving our practices and so increase
the efficiency of our project management processes.
Several risk management standards have been developed, including those of the Project
Management Institute, the National Institute of Standards and Technology, actuarial
societies and ISO. Methods, definitions and goals vary widely according to whether the
risk management method is applied in the context of project management, security,
engineering, industrial processes, financial portfolios, actuarial assessments, or public
health and safety.
A number of software tools are available on the market to improve the efficiency of
project risk management.
7. Bibliography