Professional Documents
Culture Documents
1
Student Objectives: 2
Part 1: Introduction 3
Part 6: Summary 43
Student Objectives:
At the completion of this course, you will be able to:
2
Chapter 1: Project Management introduction
Part 1: Introduction
3
perform. Within this course, we will review process inputs, tools,
techniques and outputs attributed to the perform qualitative risk
analysis process. By performing qualitative risk analysis, the
project team is able to prioritize identified risks based upon a few
different variables: specifically, the likelihood of occurrence, the
impact on project objectives, and factors like response time, project
costs, schedule, scope and quality. Taking all of these into
consideration requires the project team to identify and manage the
risk approach taken by stakeholders. Now, the approach that
stakeholders take in regard to risk could incorporate certain types
of bias in the way that risk is assessed. Therefore, the project
manager should be aware of this as a potential risk in and of itself
and be able to identify corrective actions to correctly steer
stakeholder perceptions through analytics.
We’ll learn how the risk management plan and it subsidiary plans
provides details and guidance within the project. We’ll also study
the project scope baseline to better understand how it will be used
as a frame of reference to monitor and measure project activities.
How the risk register is used to help us understand how and when risk
activities should be analyzed or managed throughout the project
lifecycle. Also learn about the organizational process assets that
may be applied to this process by virtue of project tools and
4
techniques.
5
articulated in the project’s risk management plan. Risk analysis may
be performed in both qualitative and quantitative measures that
permit the project team the ability to reflect on requirements
provided by the project sponsor and determine, at the activity level,
how those requirements will be managed. As such, we shall examine the
quantitative risk analysis approaches later in this course.
Remember risk is both positive and negative. While you should make
every effort to minimize the negative impact of risk to a project;
you also want to ensure that all positive risks are identified and
carried forward to benefit or optimize the product of the project.
<Scene>
It might seem like it makes more sense to just talk about the risk
as soon as it comes up, but it’s best practice to capture all the
identified risks. That way, we have a record so we don’t forget it,
just in case we run out of time to analyze it immediately. Plus,
our list of risks will help us think of potential risks in future
stages of the project or even other future projects.
So, we review newly raised risks every week during our team
meetings, and some of us review the list fairly frequently on our
6
own when we are entering quantitative data or updates to
qualitative impressions. It’s a great way to also spur other ideas
and illuminate other risks that may not of have come to light
otherwise.
7
it requires more hard proof than just what you think based on
experience, current reading of the data, and other forms of expert
judgement. We do have some data that’s readily available to use for
the quantitative analysis. But, for the most part, qualitative risk
analysis is much easier to gather and use.
<END SCENE>
8
risk thresholds, and have a common approach that applies to all risks
identified.
Just like every other process, qualitative risk analysis begins with
process inputs and applies tools and techniques to generate outputs,
which in this case, are updates to project artifacts. Remember
“artifacts” is just a fancy term for project documents. The five
inputs that we will review are: the risk management plan, the scope
baseline, the risk register, enterprise environmental factors and
organizational process assets.
The risk management plan provides key elements that will be used to
perform qualitative risk analysis. These elements include roles and
responsibilities for risk management activities, budgets, schedule
activities for risk management, determining risk categories, and
defining probability and impact. The risk management plan also
provides the probability and impact matrix along with updates to
stakeholders risk tolerance levels.
All of these inputs are part of the risk management plan process, so
the process itself contributes to the project team’s ability to
analyze the data that is the result of those processes. If any of
those processes do not provide information as a result of the risk
management plan process, they may have an opportunity to be developed
during the qualitative analysis process.
9
quality and risk measurements can be developed for additional
analysis.
As a project manager, you will find that, over time, certain types of
projects will contain activities that recur. The benefit of those
types of projects is that the project team is able to process
information based upon recent experience and draw upon historical
information to analyze data. Because those types of projects
incorporate activities that may have occurred in similar projects in
the past, the risks associated with those activities can be well
understood. Other types of projects that drive strategic imperatives,
integrate new technologies, extend over long periods of time, or are
highly complex in nature, tend to have greater degrees of uncertainty
and, therefore, additional opportunities for risks to surface. Using
the scope baseline as a foundation for analysis, the project team can
draw comparisons that help determine risks.
10
name of the activity associated to the risk, a reference number that
correlates to the project schedule or the project work breakdown
structure, potential contingencies, and mitigation activities, along
with the owner or person responsible to address the risk if it
surfaces in the timeframes anticipated.
11
subjective view aligned towards perceived risks. A project manager
can research and analyse or study based upon information available at
the industry level. For example, a company called The Gartner Group
provides information and analysis relevant to technology. If a
project manager were driving a technology-based project, they may
refer to studies and analysis provided by this group. Typically,
companies like Gartner require a subscription or charge a fee for
access to this type of analysis. However, the cost of this type of
analysis can be a fraction of what it would cost for the project team
to develop individually. In addition, the scope of the analysis is at
the industry level, or may pertain to a specific company that is
similar in nature to the organization that the project manager works
for. Regardless of the size of the company, the ability to capture
this information on a timely basis without expending project
resources is a major benefit to the project team while performing
qualitative risk analysis.
Lessons learned from previous projects are great assets that most
project managers neglect during the project planning process. Value
to appreciate and apply lessons learned can be a risk in and of
itself, because risks identified through prior project activities
could surface again. Additionally, organizational process assets will
provide policies, procedures, and templates that can be used to drive
12
risk analysis work. For example, a project manager may use an
organizational template to complete the project risk register. By
doing so, all of the questions and fields are predefined to ensure
consistency across projects. It makes the process easier to adapt and
complete.
Both probability and impact are assessed for each activity within
every work package. So if you have a project that is made up of 10
work packages and each work package has 5 activities associated to
Tampa them then there would be a project risk register that
identifies 50 activities for which risks are analyzed. Each of them
will have a probability and risk assessment. So you may wonder how
these risk assessments come to be. The answer is that they are
facilitated through interviews with stakeholders and project team
participants that are familiar with the risk categories pertinent to
the project. Risk assessments can also include subject matter experts
or individuals external to the project that may have knowledge
applicable to deliverables.
During the interview process, the level of probability for each risk
and its impact on each objective is evaluated. The project team will
13
use this information to help explain stakeholder perceptions of risk,
their tolerance levels and acceptance thresholds. In addition,
assumptions relevant to risks can be added to the project plan so the
project team can't analyze activities based upon information that the
stakeholders perceive to be relevant. Remember, probability and
impacts are rated according to definitions developed within the risk
management plan.
Risks with high probability impact ratings will gain the most
attention and be identified within the risk register for contingency
planning and other risk response plans. Risks with low probability
and impact ratings will also be included within the risk register it
may be listed at the lower end of the register. Activities with low
risk ratings may not require contingency planning or mitigation
activities to be considered based on the fact that low risk
activities may require contingency or response plans that could end
up being more costly than the activity itself, whereby a project
manager with exercise discretion in regards to risks that have a low
impact in low probability of occurrence.
14
Let's say you analyzed all 50 activities in your risk register was
configured within a spreadsheet. You would have the ability to sort
the information within your spreadsheet in ascending order and based
upon the probability or impact fields. This would render a listing of
activities with a range of results from high probability and high
impact to low probability and low impact, with varying probability
and impact results between the two. The nice thing about being able
to sort a risk register is that the high impact or high probability
activities will show up at the top of the list while the low impact
and low probability activities will find their way to the bottom of
the list. As a project manager you can then syndicate this
information to the project team highlighting those activities that
require the most amount of attention in ascending order.
15
probability equals 100 then the risk is considered to be a known
issue and is addressed directly. If it is 0, then there is no way
that event or condition could happen. No need to waste on something
that cannot happen.
While Medium values indicate partial loss and low values can indicate
inconsequential loss.
The Risk Score or Exposure measures the overall threat of the risk.
16
It combines the probability and the impact into a single number
value. It is among the simplest forms of quantitative analysis that
is calculated by multiplying the qualitative number equivalent for
probability times the qualitative number equivalent representing
impact. Exposure = Probability x Impact. There will be times when
high-probability risk may have a low impact which the project team
may choose to do nothing about relative to risk mitigation. In kind,
there may be times when a high-impact risk can have a low probability
and can also be a candidate for no additional risk planning. For
Effective risk management, the target is risks that have high
probability and high impact. They are the ones that the project teams
need to control due to high levels of exposure.
17
Part 4: Risk Quality and Urgency Assessment
Based upon size, scale and scope, the project’s phase can contribute
to risk categories as can root cause analysis. Collectively these
types’ processes and techniques permit the project team to develop
work packages, project activities and may even assist in determining
roles and responsibilities within a project or the required phases of
a project. Analysis of risks within categories contributes to the
risk response plan.
So what are the typical types of categories that one might find
within a project? The answer is: It all depends upon the project
18
itself and the discretion of the project manager. The Journal of
Manufacturing Technology management published an article about a Risk
management Tool known as Intelligent Risk Mapping and Assessment
System, or IRMAS™. IRMAS is an application designed to manage sources
of risks that pertain to engineering activities. It compiles
information based upon decision making processes and assists in
retrieving, storing, sharing and updating processes. Here are some
interesting finding based on IRMAS activities. The tool identified
over 589 risk items from a variety of projects and acquired 4372 risk
items and over 135 lessons learned. It is a Web-based application
that helps provide proactive support for risk management activities.
19
impact assessment identifies the likelihood of a risk occurring in
the effect that risk will have on project. Cost, quality, scope, and
time are typically the areas or constraints that impacted by risks. A
risk probability and impact assessment is usually the product of
project team meetings and interviews with project stakeholders. The
tool or technique known as expert judgment is applied along with
organizational process assets including projects that have been
completed and lessons learned.
20
Risk urgency assessment is a prioritization technique predicated on
time. For example, if project scheduling activities identify risks
based upon product development that takes place today will get
preference over assessment activities that pertain to project
deliverables scheduled for development in the future. In essence,
risk urgency assessments ensure project resources meet turndown
requirements based upon project need. Beyond urgency, there could be
other risk parameters you and your team should assess, such as:
- Proximity – assessing how near or far away in time the risk may be
realized or require an implemented risk response
- Dormancy – assessing how much time has transpired since the risk
was discovered. A longer time period equates to a higher the
dormancy.
21
higher the propinquity.
22
Part 5: Updating the Risk Register with Qualitative Data
For qualitative risk analysis there are four process inputs that you
should be aware of. The major one being the risk register which is
the source of all identified or known risks subject to analysis.
Next, the risk management plan which is basically the playbook for
the project when it comes to managing risk. It clarifies the approach
to managing risk that the project manager intends to drive and
expects the team to follow. It also serves to determine the appetite
for risk and the thresholds that the sponsor and stakeholders are
willing to abide by.
Updates to the risk register are the outputs of this process. The
risk register contains information at the activity level that
provides a comprehensive line-item view of risks that pertain to an
activity. In order to fill in some of the details of the risk
register the project team can refer to the work breakdown structure,
the risk breakdown structure and the project schedule to provide
23
information such as the work breakdown structure reference number,
the current status of the activity, the category or group that the
activity belongs within, the event which could be an opportunity or
threat, the cause of the risk, determination of a threat or an
opportunity and the constraint impacted.
24
intended to be a living document that should be viewed, modified and
updated throughout the lifecycle of the project. Once the milestone
relevant to the risk has been achieved or the time period within
which the risk is expected to occur has transpired the risk itself
may have a status change from active to retired. This way, the
project team can continue to concentrate their efforts only on active
risks that require attention.
25
appropriately. During the weekly call, the project manager should
provide time for, and request an update from, the group or individual
accountable for each respective risk. The accountable individual or
group should be able to provide an update predicated upon scheduled
activities and work performed to analyze, mitigate and manage their
respective activities relative to risk.
26
analysis takes place after qualitative analysis is completed, and
here’s why. You want to use the high level qualitative analysis to
subjectively analyze all activities. Once qualitative analysis is
complete, you now know the population of activities that are in scope
for quantitative analysis. In other words qualitative analysis can
qualify those activities that may have a higher risk probability and
impact which could then be eligible for additional quantitative
analysis. This helps ensure that the project team is not wasting time
performing additional analysis on activities that may not require it.
It is a common sense approach that helps zero in on risks that may
have an impact. The use of expert judgment as a tool helps the
project team determine the need for quantitative risk analysis. This
will be based upon the availability of time and budget to carry out
the analysis. Additionally, there may be a need to repeat
quantitative analysis on an activity to determine the reduction in
risk based upon actions carried out as per plan. Depending on the
results of the analysis and trending over time, the project team may
need to adjust their approach based on risk tolerance levels, project
budget and timing. For example, in a hypothetical manufacturing
environment, products are mass produced off an assembly line and
during the assembly process there are known defects at a rate of two
defects per one thousand items. Quantitative analysis, as we will go
into greater detail in a moment, may determine that if a specific
adjustment were made, the defect rate would be reduced to one in one
thousand. Quantitative analysis applied after the adjustments are
made indicates that there are now three defects per one thousand
items as compared to the one defect per one thousand items planned.
Obviously the risk mitigation plan pertaining to this activity did
not work to meet expectations so additional adjustments would be made
27
to determine the cause and develop a revision to the plan. Once the
revision is actioned, another round of quantitative analysis would be
performed to determine if the anticipated results are now in place.
Assuming the defect rate of one part per thousand is achieved, the
risk identified has been mitigated.
28
The schedule management plan, similar to the cost management plan
will provide guidance in regard to managing reserves. The project
schedule will have within it non-project activities known as
milestones that are used to measure project productivity in terms of
cost and schedule. These milestones permit the project team to
perform Earned Value analysis which can be used to illustrate project
productivity when compared to scheduled milestones. The importance of
this type of analysis is that the release and availability of funds
for a project are typically predicated on the achievement of
milestones throughout the project lifecycle. For example, in order to
fund the second month’s worth of activities for a project, the first
month’s milestone must be met in conformance to the project plan.
This serves to ensure that project has adequate funding in support of
all lifecycles and the burn rate or amount of money spent within a
specific period of time equals what has been earned through project
development activities.
The risk register is used as a reference point for both types of risk
analysis. It provides the underlying details and results of
quantitative and qualitative risk analysis. The risk register also
promotes actions in regard to strategies assumed based on risk
analysis. It helps determine the plan of action and can provide
scenarios that are aligned to the sponsor’s risk appetite and the
project’s risk thresholds. The risk register also details the
individual or groups accountable for the activities that are expected
to be executed in regard to the risk strategy.
29
nature. Companies can subscribe to services provided where risk
information is available for analysis via an external database.
30
those used for qualitative analysis whereby interviews of
stakeholders and subject matter experts draws details from prior
projects to help quantify data to determine the probability and
impact of risks. The information required depends upon the
probability distributions that will be used. For instance, if the
project team wanted to use the PERT technique for analysis,
information in regard to optimistic, pessimistic and most likely
scenarios would need to be gathered. Gathering details from the
estimate of activity durations and estimate cost processes would also
be applied to this type of process. Within the PERT or three point
process, the project manager adds the optimistic representation along
with four times the most likely representation and then incorporates,
or adds, the pessimistic representation to determine a numerator that
will be divided by the number six to arrive at a quantitative
estimate.
31
larger audience providing that there is substantial significance that
warrants including a larger base of participants.
A.) X – The value between the Min. and the Max. to be evaluated.
Typically this value is in terms of time.
Now that we have this detail available for analysis, here is the
problem to manage:
32
Alpha = 7, Beta = 9, A the Min. =3 and B the Max. = 7. Having this
information available, the project manager can use Excel formulas to
determine the Beta Distribution. The formula to use within Excel is
called “Betadist” as in Beta Distribution.
33
mean and standard deviation where the mean determines the center of
the graph and the standard deviation determines the height and width
of the graph. For large standard deviations, the graph’s curve is
short and wide and for probabilities where the standard deviation is
small the graph’s curve is tall and narrow. All Normal distributions
have the shape of a bell shaped curve. Implications relating to the
normal distribution are: The total under the curve equals 1.
Sixty-eight percent of the area under the normal curve falls within
one standard deviation. Ninety-five percent of the area under the
curve falls within 2 standard deviations and 99.7 percent of the area
under the normal curve falls within 3 standard deviations. This is
known as the 68-95-99.7 rule. Suffice it to say, within a normal
distribution the majority of the risk outcomes will be within 3
standard deviations from the average or mean.
34
Going back to our Beta Distribution problem that had a timeframe of 5
days to complete an activity, the Excel spreadsheet formula indicated
a 70 percent probability for completion based on the numbers
provided. If we plug those numbers into the Cumulative distribution
function graph, you will see that the time frame of 5 coincides with
a probability between 6 and 8, which validates our assumptions. As
you can see by changing the data inputs relative to the Beta
Distribution, the project team can use this analysis in regard to
time constraints associated to activities.
35
change in variables.
While Normal, Beta and Triangle distributions are used within project
management to estimate risks and plan project activities, they are
not the only distributions available as tools. In fact there are a
variety of distribution tools that cover a variety of instances. It
is up to the project manager to acquaint themselves with the tools
needed to deliver a product and gain sufficient knowledge and
expertise to use them. It is also their responsibility to share those
tools and techniques with the project team so less experienced team
members can acquaint themselves and gain experience in their use.
The Chi-square distribution, named after the Greek letter Chi is used
for hypothesis testing and helps determine the distribution of a
36
sample variance.
37
between different groups.
38
The end of each branch illustrates the net effect of a decision which
is the payoff less the costs.
For all decision branches, all effects are added to determine the
Expected Monetary value, or EMV. Investment costs must also be
factored in. Based upon the calculations noted within the gray shaded
areas, the upgraded plant has a higher EMV of $46M which is also the
EMV of the overall decision. This choice also illustrates the lowest
risk by avoiding potential for a possible loss of $30M.
Cost Risk analysis uses cost estimates for simulation data input
variables. For schedule risk analysis, duration estimates based upon
the project schedule would be used to provide variables.
39
Cost Risk Simulation.
Based upon the WBS data ranges and triangular distributions the
project has a 12 percent likelihood of meeting the $41M Most Likely
Cost Estimate. In order to achieve a 75 percent likelihood, a budget
of $50M would be needed. If you take the $50M and subtract the $41
Most Likely Cost Estimate to get $9M. Divide that by the $41M you
would be able to visualize a 22 percent contingency requirement,
which for most projects exceeds the typical 5 percent threshold for
contingency planning.
40
can be determined based upon the current project plan. As we
identified in our previous interpretation, the cost estimate of $41
million dollars had a likelihood of success equivalent to 12 percent.
These also include risks that could have the biggest effect on
contingencies for the project and those that are most likely to have
a negative influence on the project critical path. A tornado diagram
analysis can be used to evaluate these types of risks.
41
project activities. In addition to quantitative risk analysis and the
ability to prioritize quantified risks, the risk register will
provide additional details relevant to the status and strategies for
each activity that will be worked with any project. This is important
because the project team should concentrate our efforts only on
activities that are active within the project.
Part 6: Summary
Now it's time to take a brief look back to absorb all the new
pertinent information that you have learned about performing risk
analysis. As a project manager is imperative for you to develop the
skills, aptitude and capabilities that will permit you to apply tools
and techniques to analyze risk throughout the lifecycle of the
project. Throughout history there are countless major project
initiatives that have failed due to inexperience, poor management and
42
the inability to analyze risk. While the tools and techniques
available to you through this process may seem daunting at first, you
need to accept the challenge and use the tools to think about risk.
Once you seriously apply your efforts and thought to the manner in
which risks can impact your project, you will see the process as less
of a challenge and more of an opportunity. This comes naturally to
project managers once they fully apply themselves and appreciates the
messages that analysis can provide. One of the most rewarding aspects
of gaining an appreciation for risk management is that it changes the
way you think about project deliverables. It also can change the way
you think about life, because the tools that you use and apply to
determine risks within projects are subjective enough to apply to
day-to-day activities. A seasoned project manager should be able to
understand the types of risks inherent to specific projects and apply
appropriate tools and techniques based upon experience attained over
time.
43
difference between qualitative inputs and quantitative inputs is that
the scope baseline is listed within qualitative risk analysis and not
quantitative while the cost management plan and schedule management
plan are listed within quantitative risk analysis but not
qualitative. However, as project manager you have the right and the
ability to determine the inputs that you will use for required
processes.
We also talked about risk probability and impact assessment with the
quantification and prioritization of risks based upon probability and
impact ratings. From a qualitative perspective, the probability and
impact assessment is predicated on ranking events within a range from
low to moderate to high. For quantitative perspective, those
qualitative rankings can be transformed into numeric representations
whereby the multiplication of a probability score times an impact
score can provide a risk exposure rating for project activity. We
also talked about risk quality and urgency assessments whereby the
need to have substance and integrity aligned to information gathered
relevant to risk as well as the ability to address risks based upon
present needs.
We also learned about the risk register for both the qualitative and
quantitative perspective. We learned of the risk register is a key
document that contains vital information down to the accessory level
of work packages. We learned about the correlation of the project
schedule and the work breakdown structure to a project risk breakdown
structure to ensure that timed events specific to risk analysis
resynchronize with project deliverables. We covered risk data-
gathering techniques that helped us predict probability distributions
and we ventured into detail around distributions to better understand
44
why they are used and the types of information they can deliver.
45