PERFORMING RISK ANALYSIS

2017 ​© RedVector.com, LLC

1
Student Objectives: 2

Chapter 1: Project Management introduction 3

Part 1: Introduction 3

Part 2: Introduction to Qualitative Risk Analysis 9

Part 3: Risk Probability and Impact Assessment 14

Part 4: Risk Quality and Urgency Assessment 19

Part 5: Updating the Risk Register with Qualitative Data 24

Chapter 2: Perform Quantitative Risk Analysis 27

Part 1: Introduction to Quantitative Risk Analysis 27

Part 2: Risk Data Gathering and Representation Techniques 33

Part 3: Quantitative Risk Analysis 38

Part 4: Quantitative Risk Modeling Techniques 40

Part 5: Updating the Risk Register with Quantitative Data 41

Part 6: Summary 43

Student Objectives:
At the completion of this course, you will be able to:

● perform a risk probability and impact assessment

● demonstrate how to develop a probability and impact matrix
● categorize risk based upon known processes developed within the
Project Body of Knowledge, (​PMBOK®​ ​ Guide​)

● develop a risk data quality assessment

2017 ​© RedVector.com, LLC

2
Chapter 1: Project Management introduction
Part 1: Introduction

When it comes to project management——reputation, integrity, brand

recognition, budget, regulatory compliance, livelihood, and
accomplishment——all have something in common. Do you know what it is?
All are subject to risk. If you are part of a project team, or
managing a project, it’s your responsibility to identify risks and
ensure that risks are transparent throughout the project lifecycle.
Transparency reinforces the integrity of the project team by
providing a degree of openness whereby it is understood that issues
will surface, but the project team will have capabilities and subject
matter expertise to execute in such a way that the impact of risks
identified will not interfere with the development of the project or
the project’s end-stage vision.

All projects experience some degree of risk throughout the project

life cycle. Risk can be negative if it’s a threat to a project, or
positive if it serves as an opportunity. Regardless of the type of
risk, the only way that a project team can manage it is through
analysis.

Perform Qualitative Risk Analysis is the process of prioritizing

risks for further analysis or action by combining and assessing the
probability and impact of risk occurrence. One of the primary
benefits of performing qualitative risk analysis is that it permits
the project manager to oversee the degree of uncertainty across all
types of risks. While risk exists within every project, the degree of
risk based upon probability and impact is what helps determine the
type of corrective or preventive action that the project team will

2017 ​© RedVector.com, LLC

3
perform. Within this course, we will review process inputs, tools,
techniques and outputs attributed to the perform qualitative risk
analysis process. By performing qualitative risk analysis, the
project team is able to prioritize identified risks based upon a few
different variables: specifically, the likelihood of occurrence, the
impact on project objectives, and factors like response time, project
costs, schedule, scope and quality. Taking all of these into
consideration requires the project team to identify and manage the
risk approach taken by stakeholders. Now, the approach that
stakeholders take in regard to risk could incorporate certain types
of bias in the way that risk is assessed. Therefore, the project
manager should be aware of this as a potential risk in and of itself
and be able to identify corrective actions to correctly steer
stakeholder perceptions through analytics.

Prior to initiating risk analysis, the project team should work to

define levels of probability and impact so stakeholder bias can be
minimized. Another approach is to continuously evaluate the quality
of information being provided on project risks. Much of how to
approach and conduct this and more is developed in the risk
management plan.

We’ll learn how the risk management plan and it subsidiary plans
provides details and guidance within the project. We’ll also study
the project scope baseline to better understand how it will be used
as a frame of reference to monitor and measure project activities.
How the risk register is used to help us understand how and when risk
activities should be analyzed or managed throughout the project
lifecycle. Also learn about the organizational process assets that
may be applied to this process by virtue of project tools and

2017 ​© RedVector.com, LLC

4
techniques.

As you develop your project management skills, your ability to

articulate project activities and communicate with the project
sponsor and stakeholders will gradually improve. This is a skill that
requires repetition, practice and experience. The more projects that
you participate in, the more comfortable you will become in
demonstrating proficiency with project tools. The same holds true
with performing risk analysis. As you mature as a project manager,
you will come to rely upon risk analysis to support the direction
that you intend to drive the project by. Therefore, your ability to
analyze risk is integral to your success.

At the completion of this course, you will be able to perform a risk

probability and impact assessment which can be used to determine the
risks associated at the activity level of a work package. In
addition, you will also be able to demonstrate how to develop a
probability and impact matrix which provides a qualitative view of
risks identified within certain categories of the project. You will
also learn how to categorize risk based upon known processes
developed within the PMBOK; and finally, you will gain experience in
developing a risk data quality assessment by virtue of applying
expert judgment as a tool or technique. Through the use of tools and
techniques applied to the various inputs to the perform risk analysis
processes, you will generate project artifacts and updates that will
feed future processes as data inputs.

The perform risk analysis process is typically a cost-effective way

to establish priorities and determine the manner in which the project
team can respond to risks within a project. This process is performed
throughout the project lifecycle and is clearly defined and

2017 ​© RedVector.com, LLC

5
articulated in the project’s risk management plan. Risk analysis may
be performed in both qualitative and quantitative measures that
permit the project team the ability to reflect on requirements
provided by the project sponsor and determine, at the activity level,
how those requirements will be managed. As such, we shall examine the
quantitative risk analysis approaches later in this course.

Remember risk is both positive and negative. While you should make
every effort to minimize the negative impact of risk to a project;
you also want to ensure that all positive risks are identified and
carried forward to benefit or optimize the product of the project.

<Scene>

JANET​: A couple of our team members were talking to the installers

for our project and discovered a potential risk. They immediately
informed me of the problem and I asked them to enter it into the
risk register.

It might seem like it makes more sense to just talk about the risk
as soon as it comes up, but it’s best practice to capture all the
identified risks. That way, we have a record so we don’t forget it,
just in case we run out of time to analyze it immediately. Plus,
our list of risks will help us think of potential risks in future
stages of the project or even other future projects.

First, we assess the risk. Then, we determine the probability of it

occurring and project what the impact might be. Then, we want to
communicate the identified risks to others on the team.

So, we review newly raised risks every week during our team
meetings, and some of us review the list fairly frequently on our

2017 ​© RedVector.com, LLC

6
own when we are entering quantitative data or updates to
qualitative impressions. It’s a great way to also spur other ideas
and illuminate other risks that may not of have come to light
otherwise.

Next, we perform analysis on the risks. That can be done in a

qualitative fashion and a quantitative fashion. Simply put,
qualitative is the subjective method and quantitative is the
numerical, objective method. The qualitative analysis is much
easier and faster to complete. In that, we basically talk through
and assess our impressions of the risk possibility and the risk
impact, then determine if the likelihood of the risk occurring is
fairly high or not.

For example, we’ve had a lot of rain lately, so we’re pretty

confident that it will rain at some point in the project. Now,
that’s just the likelihood part of the equation. We also need to
consider the impact if the risk actually did occur. In this case,
we’ve determined that even if it did occur, it really won’t cause
much damage or delay. We don’t know for certain that the risk will
happen. We think it may happen, but there’s no guarantee. Hence, it
is a risk. At this point, we’re simply analyzing the risk. Based on
our assessments, we’ll come up with how we want to respond to the
risk, implement that risk response, and monitor it and update our
analysis of the risk over time.

Now, I didn’t have an opportunity to collect quantitative risk

data, yet. For that, I need to gather weather stats from the last
three weeks and the forecasts for the next five. Then, I also need
to collect data on the erosion and measure the rate related to the
predicted rainfall. Basically, quantitative takes more work, since

2017 ​© RedVector.com, LLC

7
 it requires more hard proof than just what you think based on
experience, current reading of the data, and other forms of expert
judgement. We do have some data that’s readily available to use for
the quantitative analysis. But, for the most part, qualitative risk
analysis is much easier to gather and use.

<END SCENE>

Part 2: Introduction to Qualitative Risk Analysis

Before we take a look at the inputs for qualitative risk analysis,

it’s important to understand exactly what qualitative risk analysis
means. Additionally, we should have a good idea of any other type of
risk analysis used within project management processes. As you begin
the process of performing risk analysis, there are two fields of
analysis that can be undertaken. They are qualitative and
quantitative risk analysis.

Collectively, the two types of analysis promote a holistic view of

the project’s risks, but from different angles. One thing for certain
about risk is that you may have to deal with assumptions until your
analysis delivers more specific facts.

That said, qualitative risk analysis caters to delivering a

subjective view of risk and is typically measured at a high level in
varying degrees such as high, moderate, and low. Risk may also be
measured on a sliding scale. Keep in mind that it is up to the
project manager or their designate ​[dez-ig-nit]​ to define the
parameters ​[pur-am-it-urs] ​by which risk will be measured. They need
to determine the difference between high, moderate, and low; or, they
determine the degree of difference to apply to a sliding scale so
that there is an understanding of the degree of risk, the acceptable

2017 ​© RedVector.com, LLC

8
risk thresholds, and have a common approach that applies to all risks
identified.

While qualitative risk analysis is subjective, quantitative risk

analysis uses a single number to portray the degree of risk
associated to an activity. That number is typically derived through
simulation or decision analysis exercises.

Just like every other process, qualitative risk analysis begins with
process inputs and applies tools and techniques to generate outputs,
which in this case, are updates to project artifacts. Remember
“artifacts” is just a fancy term for project documents. The five
inputs that we will review are: the risk management plan, the scope
baseline, the risk register, enterprise environmental factors and
organizational process assets.

The risk management plan provides key elements that will be used to
perform qualitative risk analysis. These elements include roles and
responsibilities for risk management activities, budgets, schedule
activities for risk management, determining risk categories, and
defining probability and impact. The risk management plan also
provides the probability and impact matrix along with updates to
stakeholders risk tolerance levels.

All of these inputs are part of the risk management plan process, so
the process itself contributes to the project team’s ability to
analyze the data that is the result of those processes. If any of
those processes do not provide information as a result of the risk
management plan process, they may have an opportunity to be developed
during the qualitative analysis process.

The scope baseline delivers the foundation from which productivity,

2017 ​© RedVector.com, LLC

9
quality and risk measurements can be developed for additional
analysis.

As a project manager, you will find that, over time, certain types of
projects will contain activities that recur. The benefit of those
types of projects is that the project team is able to process
information based upon recent experience and draw upon historical
information to analyze data. Because those types of projects
incorporate activities that may have occurred in similar projects in
the past, the risks associated with those activities can be well
understood. Other types of projects that drive strategic imperatives,
integrate new technologies, extend over long periods of time, or are
highly complex in nature, tend to have greater degrees of uncertainty
and, therefore, additional opportunities for risks to surface. Using
the scope baseline as a foundation for analysis, the project team can
draw comparisons that help determine risks.

Beyond the project management plan, there are various project

documents that serve as inputs to the analysis of the identified
risks. For example, the assumption log is a terrific document to
reference stakeholder and project assumptions and constraints. Risk
management is based on the perception of threat or opportunity. How
those risks are analyzed qualitatively and are based on our
perceptions and interpretations. Whereas Quantitative risk analysis
requires numerical and scientific approaches, qualitative risk
analysis depends on our feelings, our experiences.

The risk register acts as a repository for all risks identified by

the project team. Inherent to the risk register is information at the
activity level that often details probability and impact along with
brief information pertaining to the following: category of risk, the

2017 ​© RedVector.com, LLC

10
name of the activity associated to the risk, a reference number that
correlates to the project schedule or the project work breakdown
structure, potential contingencies, and mitigation activities, along
with the owner or person responsible to address the risk if it
surfaces in the timeframes anticipated.

The risk register is a tool that should be reviewed regularly. For

example, during project managers weekly team calls, a block of time
should be set aside on the agenda to review the project risk
register. This way, any activities anticipated to have a risk during
the week can surface for discussions to ensure that all the required
parties have performed the necessary tasks based upon information
detailed within the risk register. Additionally, this provides for
timely updates to the risk register as part of the project’s
communication process.

One more project document that is worth illuminating before we move

on to the enterprise environmental factors and organizational process
assets is the stakeholder register. The stakeholder register is a log
we develop in the project to track and take note of all the
stakeholders involved in or affected by the project and/or its
results. The reason the stakeholder register is an important project
document regularly used as an input to the perform qualitative risk
analysis process is that it details stakeholders and their
impressions——which could be risks in itself. Also, the way we as
stakeholders analyze the identified risks may sway or influence the
analysis. Additionally, any of those stakeholders may be nominated to
be risk owners to take on, lead, and analyze certain risks.

Enterprise environmental factors deliver insight to risk assessment

activities. Keep in mind that qualitative risk analysis provides a

2017 ​© RedVector.com, LLC

11
subjective view aligned towards perceived risks. A project manager
can research and analyse or study based upon information available at
the industry level. For example, a company called The Gartner Group
provides information and analysis relevant to technology. If a
project manager were driving a technology-based project, they may
refer to studies and analysis provided by this group. Typically,
companies like Gartner require a subscription or charge a fee for
access to this type of analysis. However, the cost of this type of
analysis can be a fraction of what it would cost for the project team
to develop individually. In addition, the scope of the analysis is at
the industry level, or may pertain to a specific company that is
similar in nature to the organization that the project manager works
for. Regardless of the size of the company, the ability to capture
this information on a timely basis without expending project
resources is a major benefit to the project team while performing
qualitative risk analysis.

Organizational process assets provide for lessons learned and

artifacts from prior projects that can apply to current project
activities. If you are driving a project that is similar in nature or
has components that are similar to projects completed, it may be able
to extract information in regard to the manner in which risk was
identified and analyzed.

Lessons learned from previous projects are great assets that most
project managers neglect during the project planning process. Value
to appreciate and apply lessons learned can be a risk in and of
itself, because risks identified through prior project activities
could surface again. Additionally, organizational process assets will
provide policies, procedures, and templates that can be used to drive

2017 ​© RedVector.com, LLC

12
risk analysis work. For example, a project manager may use an
organizational template to complete the project risk register. By
doing so, all of the questions and fields are predefined to ensure
consistency across projects. It makes the process easier to adapt and
complete.

Part 3: Risk Probability and Impact Assessment

While performing probability assessments within the project the

project team will help determine the likelihood of the occurrence of
specific risk. Risk impact assessments are used to identify the
effect of a risk, should the risk being realized. The effects of risk
typically impact project constraints such as schedule, cost, quality
and performance. Keep in mind that probability and impact assessments
are used to determine negative and positive effects to a project.

Both probability and impact are assessed for each activity within
every work package. So if you have a project that is made up of 10
work packages and each work package has 5 activities associated to
Tampa them then there would be a project risk register that
identifies 50 activities for which risks are analyzed. Each of them
will have a probability and risk assessment. So you may wonder how
these risk assessments come to be. The answer is that they are
facilitated through interviews with stakeholders and project team
participants that are familiar with the risk categories pertinent to
the project. Risk assessments can also include subject matter experts
or individuals external to the project that may have knowledge
applicable to deliverables.

During the interview process, the level of probability for each risk
and its impact on each objective is evaluated. The project team will

2017 ​© RedVector.com, LLC

13
use this information to help explain stakeholder perceptions of risk,
their tolerance levels and acceptance thresholds. In addition,
assumptions relevant to risks can be added to the project plan so the
project team can't analyze activities based upon information that the
stakeholders perceive to be relevant. Remember, probability and
impacts are rated according to definitions developed within the risk
management plan.

Risks with high probability impact ratings will gain the most
attention and be identified within the risk register for contingency
planning and other risk response plans. Risks with low probability
and impact ratings will also be included within the risk register it
may be listed at the lower end of the register. Activities with low
risk ratings may not require contingency planning or mitigation
activities to be considered based on the fact that low risk
activities may require contingency or response plans that could end
up being more costly than the activity itself, whereby a project
manager with exercise discretion in regards to risks that have a low
impact in low probability of occurrence.

Looking back at the project example that we used before, we had 10

work packages identified with five activities associated to each work
package. If you were to review each activity and incorporate them
into a risk register, you would have 50 lines of detail within the
register and each of them would require definition, identification
and all other pertinent details that one would find within a risk
register template. Among them would be the qualitative probability
and impact fields. As you examine each activity and analyze
respective risks, you would place an indicator such as high, moderate
or low within the respective probability and impact fields.

2017 ​© RedVector.com, LLC

14
Let's say you analyzed all 50 activities in your risk register was
configured within a spreadsheet. You would have the ability to sort
the information within your spreadsheet in ascending order and based
upon the probability or impact fields. This would render a listing of
activities with a range of results from high probability and high
impact to low probability and low impact, with varying probability
and impact results between the two. The nice thing about being able
to sort a risk register is that the high impact or high probability
activities will show up at the top of the list while the low impact
and low probability activities will find their way to the bottom of
the list. As a project manager you can then syndicate this
information to the project team highlighting those activities that
require the most amount of attention in ascending order.

While the thought of applying a matrix and performing analysis seems

daunting, it is relatively straight forward in regard to determining
a risk score for a given activity.

Risk analysis uses data gathered during Risk Identification and

converts the detail into information used for analysis. During
analysis, the risk's probability and impact are determined and
ranked. This ranking permits the project to concentrate efforts on
activities that have the highest probability and risk first and then
follow through each activity based upon lower concentrations of
probability and risk.

Probability measures the likelihood that an opportunity or threat

identified in the risk register will occur and is expressed as either
a numerical value or a ranking which is traditionally High, Moderate,
or Low. In order to be considered, the probability must be greater
than zero and less than 100 when using a number scale. If the

2017 ​© RedVector.com, LLC

15
probability equals 100 then the risk is considered to be a known
issue and is addressed directly. If it is 0, then there is no way
that event or condition could happen. No need to waste on something
that cannot happen.

This table demonstrates an example of a three-value division for

probabilities.

Impact estimates the severity and magnitude of a potential gain or

loss. It should correlate directly with the risk consequence defined
in the risk statement. It is typically measured through the use of a
subjective measurement scale, but can also be measured in regard to
project constraints such as cost. If risk impacts are identified in
financial terms, it often provides greater clarity to the sponsor.

For example, if a project manager indicates the probability and an

impact of a delay in construction activities could add two weeks to a
project, the same details may pack a more powerful punch if the cost
of the two week delay were quantified in dollars.

Another way to assess risk is through a numeric scale whereby the

larger the number, the greater risk. Assuming all risks being
assessed use the same units of measure, prioritization of activities
relative to risk is as simple as ranking activities from high to low.
Additionally, translation tables can be set up that convert units
such as time and money into values that can be compared to the
subjective analysis. High values could indicate significant loss.

While Medium values indicate partial loss and low values can indicate
inconsequential loss.

The Risk Score or Exposure measures the overall threat of the risk.

2017 ​© RedVector.com, LLC

16
It combines the probability and the impact into a single number
value. It is among the simplest forms of quantitative analysis that
is calculated by multiplying the qualitative number equivalent for
probability times the qualitative number equivalent representing
impact. Exposure = Probability x Impact. There will be times when
high-probability risk may have a low impact which the project team
may choose to do nothing about relative to risk mitigation. In kind,
there may be times when a high-impact risk can have a low probability
and can also be a candidate for no additional risk planning. For
Effective risk management, the target is risks that have high
probability and high impact. They are the ones that the project teams
need to control due to high levels of exposure.

By using scores to quantify probability and impact, a matrix that

illustrates combinations of scores can be developed within a
spreadsheet that assigns the risks to low, moderate, and high
categories. With a probability score where 1 is low and 3 is high,
the possible results may be expressed in the form of a table where
each cell illustrates a value for risk exposure. In this matrix, it
is easy to classify risks as low, medium, or high based on where it
ends up within the matrix.

Using a spreadsheet to develop a risk register provides for the

ability to easily incorporate the matrix and align the probability
and impact matrix for each activity and along with their associated
score. The illustration shows the qualitative risk assessment as part
of a risk register where all other details pertaining to the risk can
be found.

2017 ​© RedVector.com, LLC

17
Part 4: Risk Quality and Urgency Assessment

The risk data quality assessment evaluates the degree of relevance

and applicability risk information gathered has to project
deliverables. In order to assess risks effectively the project team
needs to engage stakeholders and ensure that they understand the
importance of information provided relevant to risk. The information
needs to be accurate, timely, reliable, based upon quality and
aligned to the overall integrity of the project. Essentially, how
much do you trust the validity of the data or its assessment.

Low-quality or inaccurate risk data will lead to performing

qualitative analysis that is of little or no use to the project team.
In fact it may become a risk in and of itself because of the
requirement for rework that may be necessary to undo decisions made
based upon inaccurate information.

Risks are typically categorized by source where the information can

be derived from the Risk Breakdown Structure. Risks can also be
categorized by the area affected within the project. Details from the
Work Breakdown Structure can be helpful in providing those details.

Based upon size, scale and scope, the project’s phase can contribute
to risk categories as can root cause analysis. Collectively these
types’ processes and techniques permit the project team to develop
work packages, project activities and may even assist in determining
roles and responsibilities within a project or the required phases of
a project. Analysis of risks within categories contributes to the
risk response plan.

So what are the typical types of categories that one might find
within a project? The answer is: It all depends upon the project

2017 ​© RedVector.com, LLC

18
itself and the discretion of the project manager. The Journal of
Manufacturing Technology management published an article about a Risk
management Tool known as Intelligent Risk Mapping and Assessment
System, or IRMAS™. IRMAS is an application designed to manage sources
of risks that pertain to engineering activities. It compiles
information based upon decision making processes and assists in
retrieving, storing, sharing and updating processes. Here are some
interesting finding based on IRMAS activities. The tool identified
over 589 risk items from a variety of projects and acquired 4372 risk
items and over 135 lessons learned. It is a Web-based application
that helps provide proactive support for risk management activities.

This is one example of a tool that can be acquired and use to

determine risk by categories. Some of the risk categories identified
within the tool are: Schedule, Technical, External, Organizational,
Communication, Location, Resources and Financial. Think about that
list of categories. Are there any other’s that come to mind that can
be added? What about Vendors? How about Bureaucracy or Regulatory
risks? What about Weather? How about War or International conflict?
Recently the country of Japan was impacted by a Tsunami; that type of
risk is called a Force Majeure which occurs when something, like a
large scale natural disaster, occurs to a project outside of the
control of the project team. The point to understand here is that
risks can be categorized by a multitude of topics and the project
team needs to determine where the concentration of risk is aligned
within the project and incorporate a finite number or risk categories
to help contain the risk activities within a manageable group.

Let’s take a look at some of the qualitative risk analysis techniques

that I use to manage risk. As we discussed, the risk probability and

2017 ​© RedVector.com, LLC

19
impact assessment identifies the likelihood of a risk occurring in
the effect that risk will have on project. Cost, quality, scope, and
time are typically the areas or constraints that impacted by risks. A
risk probability and impact assessment is usually the product of
project team meetings and interviews with project stakeholders. The
tool or technique known as expert judgment is applied along with
organizational process assets including projects that have been
completed and lessons learned.

An example of how this process might work could be a typical project

management team meeting. Depending upon the timing of the meeting and
the events that are scheduled to take place as part of the project
lifecycle, the project manager will put the project team to task by
delegating scheduled interviews and information gathering sessions.
The results of those tasks are to be compiled and analyzed by the
project team.

Data quality assessments, as has been discussed, are used to ensure

the reliability, integrity, and accuracy of the information that will
be used for analysis. It is equally important for the project team to
double check the source of their information before they apply it to
any type of analysis. Checks and balances such as using information
from verified resources such as previous projects that completed a
post implementation audit can be deemed to be a valid resource based
upon that type of review. External information derived from either
professional service organizations or no research organizations can
be another source of verifiable information based upon the degree of
integrity of the source. Companies like The Gartner Group provide
technology-based information as a service that companies can
incorporate into their risk analysis.

2017 ​© RedVector.com, LLC

20
Risk urgency assessment is a prioritization technique predicated on
time. For example, if project scheduling activities identify risks
based upon product development that takes place today will get
preference over assessment activities that pertain to project
deliverables scheduled for development in the future. In essence,
risk urgency assessments ensure project resources meet turndown
requirements based upon project need. Beyond urgency, there could be
other risk parameters you and your team should assess, such as:

- Proximity – assessing how near or far away in time the risk may be
realized or require an implemented risk response

- Dormancy – assessing how much time has transpired since the risk
was discovered. A longer time period equates to a higher the
dormancy.

- Manageability – assessing the ease or the struggle to which it

might take the risk owner or organization to manage the risk
response implementation or the risk occurrence.

- Controllability – assessing the degree to which the risk owner or

organization is about to control the risk’s outcome.

- Detectability – assessing the ease or struggle the results of the

risk from being noticed, felt, and detected by the stakeholders
being analyzed.

- Connectivity – assessing the extent to which the risk is connected

or related to other risks in the project or other projects.

- Propinquity ​[pru-pingk-wed-ee]​ – assessing the perceptions of

stakeholders. The more a risk is considered very significant, the

2017 ​© RedVector.com, LLC

21
 higher the propinquity.

- And strategic impact – which is assessing the potential for the

risk occurrence to have an impact on the organization’s strategic
objectives. Those impacts could be positive or negative to those
goals.

The probability and impact matrix identifies and helps prioritize

risks for quantitative analysis and response planning. Typically,
prioritization and impact matrix is set up in the form of a table
that identifies the risk based upon the convergence between
probability, which is typically on the vertical axis of the table,
and impact, which is aligned to the horizontal axis.

Qualitative analysis is applied by a predetermined rating

representing the degree of risk, such as high, moderate, and low.
Those ratings can be aligned to a quantitative scale, such as three,
two, and one. While the calculation in numerical scales for a
probability and impact matrix typically depend upon the project and
the organization, the overall meaning relative to the numbers where
higher values on the probability scale typically represent a greater
probability of occurrence; and, the higher number on the impact scale
typically indicates a greater effect on the project. How to calculate
the numerical scales for the probability and impact matrix and what
they mean depends upon the project and the organization. However,
remember the relative meaning: Higher value of a risk on the
probability scale means greater likelihood of risk occurrence, and
higher value on the impact scale means a greater effect on the
project’s objectives.

2017 ​© RedVector.com, LLC

22
Part 5: Updating the Risk Register with Qualitative Data

For qualitative risk analysis there are four process inputs that you
should be aware of. The major one being the risk register which is
the source of all identified or known risks subject to analysis.

Next, the risk management plan which is basically the playbook for
the project when it comes to managing risk. It clarifies the approach
to managing risk that the project manager intends to drive and
expects the team to follow. It also serves to determine the appetite
for risk and the thresholds that the sponsor and stakeholders are
willing to abide by.

The project scope statement details project and product deliverables

and helps decompose tasks to work package level where activities can
be aligned to a work breakdown structure and the project schedule.
During the initial defined scope process, known risks were
identified. These risks will be incorporated into the qualitative
risk analysis process. Organizational process assets used to carry
out qualitative risk analysis incorporate corporate policies and
procedures along with process controls and guidelines for risk
management. To ensure consistency, organizational process assets
provide templates and historical information that can be used for
qualitative analysis.

Updates to the risk register are the outputs of this process. The
risk register contains information at the activity level that
provides a comprehensive line-item view of risks that pertain to an
activity. In order to fill in some of the details of the risk
register the project team can refer to the work breakdown structure,
the risk breakdown structure and the project schedule to provide

2017 ​© RedVector.com, LLC

23
information such as the work breakdown structure reference number,
the current status of the activity, the category or group that the
activity belongs within, the event which could be an opportunity or
threat, the cause of the risk, determination of a threat or an
opportunity and the constraint impacted.

Upon completion of qualitative analysis, the risk management register

should be updated to indicate the degree of probability and impact
identified for the activity. Typically probability and impact are
measured with a qualitative assessment ranging from high to moderate
and low. Those ratings are then applied to a probability and impact
matrix that provides visualization in regard to the risk. Based upon
numeric equivalents applied to qualitative assessments a risk score
that indicates the activities risk exposure can be determined by
multiplying the probability value by the impact value.

Updates to the plan of action, or strategy, to apply to the activity

such as avoid, mitigate, accept or transfer are included as well as a
brief commentary in regard to actions that the project team will
undertake relevant to the strategy identified in the risk exposure.

Additionally, updates to identify the person, people or group

responsible for carrying out actions required based upon intended
strategy along with target dates and milestones. The last area to
update within the risk register is to incorporate the date of the
latest update along with comments relevant to actions performed.

A good point to make note of is the importance of the risk register

relevant to documenting risk activities in a comprehensive manner so
that the majority of the risks that require attention can be viewed
by the project team in one place at one time. This register is

2017 ​© RedVector.com, LLC

24
intended to be a living document that should be viewed, modified and
updated throughout the lifecycle of the project. Once the milestone
relevant to the risk has been achieved or the time period within
which the risk is expected to occur has transpired the risk itself
may have a status change from active to retired. This way, the
project team can continue to concentrate their efforts only on active
risks that require attention.

Failure to tend to the risk register on a regular basis can lead to

risk oversight or mismanagement of activities intended to mitigate
project risk. Additionally the risk register is only as good as the
project team makes it. Some companies that did not use the risk
register correctly have found that it can be a risk in and of itself
or it may contribute to dis-functionality where known risks that have
been identified and analyzed do not have the appropriate strategy or
actions applied to them on a timely basis. Risk registers have also
been known for promoting decision- making activities that are more of
a rubberstamp process than an actual risk analysis.

The project team needs to be careful about falling into complacency

while managing and analyzing risk. Such is the case with project
activities are repetitive in nature or redundant to projects that
have already been completed. It is the responsibility of the project
manager to use the risk register as a tool that fosters debate and
fuels collaboration within the project team.

A good practice for a project manager in regard to the risk register

is to allocate time for a risk register review during every weekly
team meeting. This way the importance of the register is maintained
by the project manager and the project team will work to ensure that
their deliverables are updated on a regular basis if the tool is used

2017 ​© RedVector.com, LLC

25
appropriately. During the weekly call, the project manager should
provide time for, and request an update from, the group or individual
accountable for each respective risk. The accountable individual or
group should be able to provide an update predicated upon scheduled
activities and work performed to analyze, mitigate and manage their
respective activities relative to risk.

Chapter 2: Perform Quantitative Risk Analysis

Part 1: Introduction to Quantitative Risk Analysis

Up until now we have discussed the aspects of qualitative analysis in

regard to identifying and measuring risk. As mentioned, there are two
primary types of analysis with the second one being quantitative risk
analysis. While qualitative risk analysis provided a high level
subjective view relative to risks associated with activities,
quantitative risk analysis permits the project team to numerically
analyze the effects of identified risks to overall project
activities. The benefit of quantitative analysis is very much the
same as qualitative risk analysis however the results of quantitative
analysis may be based upon mathematical formulas, simulation methods
and statistical analysis. Because of this, quantitative analysis can
hold more weight when it comes to making risk-based decisions due to
the fact that the output is based upon facts derived from best
practice analytical processes.

In order to perform quantitative analysis, the usual process practice

of generating inputs and applying those inputs to tools and
techniques to generate project artifacts or project document updates.
This is similar to the outputs of the qualitative analysis process.

However, a project manager should work to ensure that quantitative

2017 ​© RedVector.com, LLC

26
analysis takes place after qualitative analysis is completed, and
here’s why. You want to use the high level qualitative analysis to
subjectively analyze all activities. Once qualitative analysis is
complete, you now know the population of activities that are in scope
for quantitative analysis. In other words qualitative analysis can
qualify those activities that may have a higher risk probability and
impact which could then be eligible for additional quantitative
analysis. This helps ensure that the project team is not wasting time
performing additional analysis on activities that may not require it.
It is a common sense approach that helps zero in on risks that may
have an impact. The use of expert judgment as a tool helps the
project team determine the need for quantitative risk analysis. This
will be based upon the availability of time and budget to carry out
the analysis. Additionally, there may be a need to repeat
quantitative analysis on an activity to determine the reduction in
risk based upon actions carried out as per plan. Depending on the
results of the analysis and trending over time, the project team may
need to adjust their approach based on risk tolerance levels, project
budget and timing. For example, in a hypothetical manufacturing
environment, products are mass produced off an assembly line and
during the assembly process there are known defects at a rate of two
defects per one thousand items. Quantitative analysis, as we will go
into greater detail in a moment, may determine that if a specific
adjustment were made, the defect rate would be reduced to one in one
thousand. Quantitative analysis applied after the adjustments are
made indicates that there are now three defects per one thousand
items as compared to the one defect per one thousand items planned.
Obviously the risk mitigation plan pertaining to this activity did
not work to meet expectations so additional adjustments would be made

2017 ​© RedVector.com, LLC

27
to determine the cause and develop a revision to the plan. Once the
revision is actioned, another round of quantitative analysis would be
performed to determine if the anticipated results are now in place.
Assuming the defect rate of one part per thousand is achieved, the
risk identified has been mitigated.

Let's take a look at some of the inputs required for quantitative

analysis. The risk management plan, similar to qualitative analysis
activities provides the “how.” In other words it provides the project
team the set of instructions to carry out quantitative analysis. It
will include guidelines for when this type of analysis should be
used, as well as when it shouldn’t be used. It can also provide the
types of tools and techniques that are deemed to be applicable to the
project.

The Cost Management Plan helps deliver guidance in regard to

contingency and management reserves. While risks are always
identified within projects, it is imperative to ensure that the
impact to the project’s cost constraint is managed. So it is more
than just the process of identifying and analyzing the risk. The
project team needs to understand the cost impact of changes or rework
to a project’s budget. Reserves are often factored into a budget to
cover known and unknown risks. The reserves can be typically five to
ten percent of the overall budget and are funds that the project
sponsor agrees to provide in the event that risks are realized and
effective actions with associated costs need to be taken. These
reserves do not increase the planned budget and may only be called
upon with the review and approval of the project sponsor. The details
in regard to managing reserves should be a component of the project’s
cost management plan.

2017 ​© RedVector.com, LLC

28
The schedule management plan, similar to the cost management plan
will provide guidance in regard to managing reserves. The project
schedule will have within it non-project activities known as
milestones that are used to measure project productivity in terms of
cost and schedule. These milestones permit the project team to
perform Earned Value analysis which can be used to illustrate project
productivity when compared to scheduled milestones. The importance of
this type of analysis is that the release and availability of funds
for a project are typically predicated on the achievement of
milestones throughout the project lifecycle. For example, in order to
fund the second month’s worth of activities for a project, the first
month’s milestone must be met in conformance to the project plan.
This serves to ensure that project has adequate funding in support of
all lifecycles and the burn rate or amount of money spent within a
specific period of time equals what has been earned through project
development activities.

The risk register is used as a reference point for both types of risk
analysis. It provides the underlying details and results of
quantitative and qualitative risk analysis. The risk register also
promotes actions in regard to strategies assumed based on risk
analysis. It helps determine the plan of action and can provide
scenarios that are aligned to the sponsor’s risk appetite and the
project’s risk thresholds. The risk register also details the
individual or groups accountable for the activities that are expected
to be executed in regard to the risk strategy.

Enterprise environmental factors can be used to provide insight by

virtue of studies and analysis performed at the industry level or
through subject matter experts and even project that are similar in

2017 ​© RedVector.com, LLC

29
nature. Companies can subscribe to services provided where risk
information is available for analysis via an external database.

Information available in this manner can serve to support positions

in regard to driving project activities or corporate strategies. The
information available at this level may be strategic in nature and
can permit activities such as purchasing decisions or corporate
directions. For instance, a company with a mission to drive “green”
technologies may use enterprise environmental factors to determine
companies as a source for raw materials. They would use external
database information to ensure that the companies they partner with
shared their environmentally friendly or “green” vision. If they were
to choose a company without this knowledge, there could be a
reputational risk or impact to a company’s integrity. Other
information such as the liquidity or solvency of a company can be
analyzed through these methods to help ensure that the contracts or
partnerships entered into are with reliable resources.

Organizational process assets can provide the tools, templates,

processes and protocols for quantitative risk analysis. By using
organizational process assets, the project manager ensures that
project management activities are in alignment with expected
corporate practices. Additionally, when process changes occur, the
corporation has one single set of assets to apply all the changes to
which help promote consistency in approach and ensure that project
teams use the most current documents, templates and process for
project activities. Process control manuals are also a part of
organizational process assets. They provide explicit directions in
regard to performing tasks such as quantitative analysis.

Data gathering techniques for quantitative analysis are similar to

2017 ​© RedVector.com, LLC

30
those used for qualitative analysis whereby interviews of
stakeholders and subject matter experts draws details from prior
projects to help quantify data to determine the probability and
impact of risks. The information required depends upon the
probability distributions that will be used. For instance, if the
project team wanted to use the PERT technique for analysis,
information in regard to optimistic, pessimistic and most likely
scenarios would need to be gathered. Gathering details from the
estimate of activity durations and estimate cost processes would also
be applied to this type of process. Within the PERT or three point
process, the project manager adds the optimistic representation along
with four times the most likely representation and then incorporates,
or adds, the pessimistic representation to determine a numerator that
will be divided by the number six to arrive at a quantitative
estimate.

Another technique used for quantitative analysis is the Delphi

technique where a small group of subject matter experts are given a
series of questions and their responses are collated and shared. The
combined results are incorporated into a graph to show a distribution
of their results. Initially the results will have varying
distributions. A second round of questioning will follow after the
information is shared and discussed. The tabulation process will
again illustrate their response and third round of questioning will
take place. By the end of the third round, the responses typically
normalize within the boundaries of a typical bell-shaped curve. The
answer within the mean of that curve is chosen based on the highest
probability of occurrence. The Delphi technique is typically limited
to a small group of known subject matter experts; however, a
technique known as the Wideband Delphi technique can be applied to a

2017 ​© RedVector.com, LLC

31
larger audience providing that there is substantial significance that
warrants including a larger base of participants.

Part 2: Risk Data Gathering and Representation Techniques

For this exercise we will examine a Beta distribution to address a

problem or risk identified within a project. Beta distributions are
used to model events that are constrained by minimums and maximums
such as time. The distribution calculates probability of an event
occurring up to a predetermined point in time that is typically
within the minimums and maximums identified within the project plan
for a particular activity. Beta distribution analysis works very well
with PERT technique where estimates or analysis is performed on three
unique assumptions: Optimistic, Most Likely and Pessimistic.

In order to perform a Beta Distribution analysis the following

parameters need to be in place:

A.) X – The value between the Min. and the Max. to be evaluated.
Typically this value is in terms of time.

B.) Alpha – A distribution parameter ( Cannot be Negative in value)

C.) Beta – A distribution parameter (cannot be Negative in value)

D.) A - Lower boundary of the interval of X – Min.

E.) B – Upper boundary of the interval of X – Max.

Now that we have this detail available for analysis, here is the
problem to manage:

Calculate the probability of delivering a project activity before

Time equals 5. The following parameters would apply:

2017 ​© RedVector.com, LLC

32
Alpha = 7, Beta = 9, A the Min. =3 and B the Max. = 7. Having this
information available, the project manager can use Excel formulas to
determine the Beta Distribution. The formula to use within Excel is
called “Betadist” as in Beta Distribution.

The formula within Excel would read: Betadist(5,7,9,3,7). By running

this formula within a spreadsheet, you will get 0.6964 as an answer,
which rounds up to .70, which equates to a 70 percent probability
that the activity will be completed within the time frame.

When plotting probability distributions on a graph, the vertical axis

represents probability while the horizontal axis represents its
distribution. While numerical values can change from plot to plot the
pattern of plots is usually recognizable. The patterns of these plots
are aptly named. Here are a few:

Normal distribution – The normal distribution, also known as the

“Bell Shaped Curve” is used in project management to determine where
the risk analysis identifies an activity based upon analysis
undertaken. Typically the normal distribution illustrates where
consensus is reached and is representative of the statistical average
or mean. Take for example the Delphi technique where risk is analyzed
and scored with an empirical number provided by subject matter
experts. As the experts drive to consensus, typically three
iterations, the normal distribution tends to produce a quantitative
result that typically represents the mean or average of the responses
provided. Whenever the outcome is the mean or average of the outcomes
of a number of uncertain quantities, the probability distribution of
the outcome is typically a normal distribution.

The Normal distribution graph is dependent on two factors which are

2017 ​© RedVector.com, LLC

33
mean and standard deviation where the mean determines the center of
the graph and the standard deviation determines the height and width
of the graph. For large standard deviations, the graph’s curve is
short and wide and for probabilities where the standard deviation is
small the graph’s curve is tall and narrow. All Normal distributions
have the shape of a bell shaped curve. Implications relating to the
normal distribution are: The total under the curve equals 1.
Sixty-eight percent of the area under the normal curve falls within
one standard deviation. Ninety-five percent of the area under the
curve falls within 2 standard deviations and 99.7 percent of the area
under the normal curve falls within 3 standard deviations. This is
known as the 68-95-99.7 rule. Suffice it to say, within a normal
distribution the majority of the risk outcomes will be within 3
standard deviations from the average or mean.

The graph illustrates a normal distribution with a standard deviation

of 3 and the mean equal to 1.

BETA distribution, frequently used in quantitative analysis, is a

distribution that has two parameters that are usually called “A” and
“B.” Depending on the risk values identified. A Beta distribution can
appear in the form of curve slightly more asymmetrical with the
distribution skewing more to one side than an equal distribution. For
risk related activities, Beta distribution can help identify the
duration of a task or activity. If the project team is given the
minimum and maximum durations the Beta distribution method can be
used to estimate the likely amount of time it will take to complete a
project activity. By using either the mean and standard deviation, or
the minimum and maximum durations, the project team can use that data
to calculate parameters for beta distribution.

2017 ​© RedVector.com, LLC

34
Going back to our Beta Distribution problem that had a timeframe of 5
days to complete an activity, the Excel spreadsheet formula indicated
a 70 percent probability for completion based on the numbers
provided. If we plug those numbers into the Cumulative distribution
function graph, you will see that the time frame of 5 coincides with
a probability between 6 and 8, which validates our assumptions. As
you can see by changing the data inputs relative to the Beta
Distribution, the project team can use this analysis in regard to
time constraints associated to activities.

Triangular distribution method is applied to random variables and it

is used to portray the fact that not all outcomes are equally likely
as compared to a uniform distribution. Triangular distribution
methods provide graphical approximation to many events that occur in
projects. Because project management activities can change on a daily
basis due to impacts or constraints, triangular distribution analysis
can aid in estimating behaviors aligned to the project schedule or
work package development. Within triangular distribution analysis,
any type of skew could be indicative of incorrect assumptions
relevant to optimistic or pessimistic estimates.

Triangular Distribution is a statistical distribution that increases

linearly from a minimum to a maximum based upon an arbitrary value of
“X”, and then decreases from the maximum to a minimum. “A” is defined
as the minimum, “C” is defined as the peak and “B” is defined as the
maximum. The triangular distribution provides the project team with a
probability density for each value of X.

The graph illustrates triangular distribution of three variables: A,

B and C. Notice the change in graphical distribution based on a

2017 ​© RedVector.com, LLC

35
change in variables.

While Normal, Beta and Triangle distributions are used within project
management to estimate risks and plan project activities, they are
not the only distributions available as tools. In fact there are a
variety of distribution tools that cover a variety of instances. It
is up to the project manager to acquaint themselves with the tools
needed to deliver a product and gain sufficient knowledge and
expertise to use them. It is also their responsibility to share those
tools and techniques with the project team so less experienced team
members can acquaint themselves and gain experience in their use.

Here are a few more distributions for consideration:

Poisson distribution is used to determine the random occurrence of a

project constraint such as a period of time or an event. For example,
random hits to an internet Web search engine could be Poisson
distributed.

Binomial Distribution is used with events or occurrences that have

two outcomes. A good example is a coin toss where an outcome is
identified by a true or false or success or failure measurement.

The Rayleigh Distribution illustrates asymmetrically all positive

outcomes. Outcomes typically cluster around a value identified to be
a most likely outcome.

The t-distribution, or Student’s t, is used to estimate a degree of

confidence when the variance of a population is not known and the
sample size is not large.

The Chi-square distribution, named after the Greek letter Chi is used
for hypothesis testing and helps determine the distribution of a

2017 ​© RedVector.com, LLC

36
sample variance.

So as you can see, there are a variety of distributions intended for

different types of analysis. You should be aware of them as Project
management exam questions such as: “Which distribution is used
specifically for hypothesis testing? Will serve to ensure that you
are aware of the different distributions available and what their
intended use is. The correct answer for that question would be Chi-
square distribution.

Part 3: Quantitative Risk Analysis

Quantitative risk analysis techniques capitalize on event oriented

and project oriented analysis approaches such as:

Sensitivity analysis, which is used to determine risks with the

highest potential to impact a project, also enables the project team
to determine how variations to project objectives correlate with
variations in different uncertainties. Sensitivity analysis examines
the risk of each activity in a project in relation to baseline
project activities. A risk analysis tool known as tornado diagram is
helpful in the analysis of risk-based scenarios whose quantitative
analysis indicates benefits in excess of potential negative impacts.
The tornado diagram, appropriately named because its appearance
resembles the final of a tornado, is simply a bar chart used for
comparative analysis. Within the tornado diagram the vertical axis
contains uncertainty at base values and the horizontal axis contains
the correlation of the uncertainty to anticipated output. Each
uncertainty is represented by a horizontal bar and the order of
uncertainties illustrates a decreasing spread between base values. A
common use of Tornado diagram is to illustrate the distribution

2017 ​© RedVector.com, LLC

37
between different groups.

Tornado diagrams compare characteristics between two populations. The

first population – Series in the Excel Graph – has negative numbers,
because they originate from zero to the left.

Expected Monetary Value Analysis is a statistical concept that

calculates the average outcome when future activities include
scenarios that may or may not happen. Expected Monetary values of
opportunities are typically expressed as positive values while
threats are expressed as negative values while the analysis itself
takes a risk neutral assumption. It is calculated by multiplying the
value of each possible outcome by its probability of occurrence. And
adding the products together. A common illustration of this type of
analysis is known as decision tree analysis. Decision Tree analysis
illustrates how a decision can be made between alternate
opportunities or risks where each scenario or strategy is represented
by a decision node (typically illustrated with a diamond or block).

Uncertain elements within a decision tree are represented as chance

notes (typically illustrated with a circle). Let’s take a look at an

example where a decision tree analysis is applied as illustrated by A
Guide to the Project Management Body of Knowledge (​PMBOK®​ ​Guide​).

This decision tree analysis illustrates the decision criteria

pertaining to investing $120M to build a new plant vs. invest $50M to
upgrade an existing facility. Relative to each decision, the demand,
represented by a chance node due to uncertainty, has to be accounted.
Strong demand can deliver $200M in revenue for the new plant but only
$120M for the upgraded plant. The lower revenue for the upgraded
plant may be due to capacity limitations of the existing facility.

2017 ​© RedVector.com, LLC

38
The end of each branch illustrates the net effect of a decision which
is the payoff less the costs.

For all decision branches, all effects are added to determine the
Expected Monetary value, or EMV. Investment costs must also be
factored in. Based upon the calculations noted within the gray shaded
areas, the upgraded plant has a higher EMV of $46M which is also the
EMV of the overall decision. This choice also illustrates the lowest
risk by avoiding potential for a possible loss of $30M.

Part 4: Quantitative Risk Modeling Techniques

Modeling and simulation techniques translate specified uncertainties

into a potential impact. One example is the Monte Carlo technique
where the project model is computed multiple times on an iterative
basis with input values chosen randomly for each iteration from
probability distributions of the variables. The product of the
simulation is a histogram that is calculated from the iterations.

Cost Risk analysis uses cost estimates for simulation data input
variables. For schedule risk analysis, duration estimates based upon
the project schedule would be used to provide variables.

Here’s an example of a Cost Risk. We have a range of project

estimates that is the result of interviews conducted with various
stakeholders. Three point estimates have been applied to deliver low,
likely and high estimates for the respective Work Breakdown Structure
Element that will be used for distribution analysis; such as Beta,
triangular, normal, etc… Based upon these numbers and the cost risk
simulation results, the likelihood of completing the project below
the most likely estimate (41M) is very low. Let’s take a look at the

2017 ​© RedVector.com, LLC

39
Cost Risk Simulation.

Based upon the WBS data ranges and triangular distributions the
project has a 12 percent likelihood of meeting the $41M Most Likely
Cost Estimate. In order to achieve a 75 percent likelihood, a budget
of $50M would be needed. If you take the $50M and subtract the $41
Most Likely Cost Estimate to get $9M. Divide that by the $41M you
would be able to visualize a 22 percent contingency requirement,
which for most projects exceeds the typical 5 percent threshold for
contingency planning.

Part 5: Updating the Risk Register with Quantitative Data

Project documents are updated with information resulting from

quantitative risk analysis. The project risk register will benefit by
the proceeds of quantitative risk analysis to the degree that project
artifacts and updates will be added to the register. Some of these
updates include: a probabilistic analysis of the project; what
estimates are made of potential project schedule and cost outcomes
listing completion dates and costs associated with degrees of
confidence.

This analysis ties in the stakeholders risk tolerances along with a

cumulative frequency distribution that permits the quantification of
cost and time contingency reserves. Contingencies are used to manage
project overruns and are typically established at the beginning of
the project based upon a percentage of the total project cost.
Project contingencies are usually planned at the level of 5 to 10
percent.

Probability of achieving cost and time objectives. Once all risks

have been identified, the probability of achieving project objectives

2017 ​© RedVector.com, LLC

40
can be determined based upon the current project plan. As we
identified in our previous interpretation, the cost estimate of $41
million dollars had a likelihood of success equivalent to 12 percent.

The prioritized list of quantified risks incorporate those risk that

pose the largest threat or the greatest opportunities for project.

These also include risks that could have the biggest effect on
contingencies for the project and those that are most likely to have
a negative influence on the project critical path. A tornado diagram
analysis can be used to evaluate these types of risks.

Trends in quantitative risk analysis results are developed as

analysis iterations are applied to the project. Trends that become
apparent are usually indicative of a risk that requires an effective
response. Organizational process assets such as historical
information and lessons learned can provide detailed information
relevant to the project schedule and other project constraints such
as cost and quality. This type of information is typically
incorporated into a quantitative risk analysis report. Reports like
these can be linked to or may be supplements to the risk register.

The risk register is intended to be a living document that enables

the project team to easily and effectively review project risks. Each
activity within a work package should be subject to reviews and risk
analysis on an ongoing basis until the activity is fully developed
and signed off as complete. The risk register should contain
information that correlates risks to activities within work packages
that further correlate to the project schedule and the project work
breakdown structure. This way an audit trail exists that permits the
project team to understand where the risk identified is associated to

2017 ​© RedVector.com, LLC

41
project activities. In addition to quantitative risk analysis and the
ability to prioritize quantified risks, the risk register will
provide additional details relevant to the status and strategies for
each activity that will be worked with any project. This is important
because the project team should concentrate our efforts only on
activities that are active within the project.

The risk register can readily illustrate the status of an activity

does not waste time tending to activities that may not be active.
Additionally strategies that pertain to risk activities can help
determine whether or not the risk requires mitigation. If the risk is
low enough in probability and impact, the project team may choose to
do nothing relevant to managing risk.

Keep in mind that project managers need to understand the associated

costs to managing risk for each and every activity. If resources and
time are aligned to risks that do not need to be mitigated,
additional costs and potential impacts to the project schedule may be
experienced by the project manager and the project team. Effective
use of the risk register will ensure timely updates across the board
for qualitative, quantitative, status and strategic updates.

Part 6: Summary

Now it's time to take a brief look back to absorb all the new
pertinent information that you have learned about performing risk
analysis. As a project manager is imperative for you to develop the
skills, aptitude and capabilities that will permit you to apply tools
and techniques to analyze risk throughout the lifecycle of the
project. Throughout history there are countless major project
initiatives that have failed due to inexperience, poor management and

2017 ​© RedVector.com, LLC

42
the inability to analyze risk. While the tools and techniques
available to you through this process may seem daunting at first, you
need to accept the challenge and use the tools to think about risk.

Once you seriously apply your efforts and thought to the manner in
which risks can impact your project, you will see the process as less
of a challenge and more of an opportunity. This comes naturally to
project managers once they fully apply themselves and appreciates the
messages that analysis can provide. One of the most rewarding aspects
of gaining an appreciation for risk management is that it changes the
way you think about project deliverables. It also can change the way
you think about life, because the tools that you use and apply to
determine risks within projects are subjective enough to apply to
day-to-day activities. A seasoned project manager should be able to
understand the types of risks inherent to specific projects and apply
appropriate tools and techniques based upon experience attained over
time.

During this course we talked about both qualitative and quantitative

risk analysis. Do you remember what some of the inputs for
qualitative risk analysis are? Are they different from the inputs
used for quantitative risk analysis? Do you remember? Don't be
concerned if you don't remember them all; as you shouldn’t be
expected to absorb the entire process within one hour’s worth of
instruction. Information that you received today should be used as a
baseline for future studies and built upon so that you have a solid
foundation in understanding and applying risk analysis. To recap, the
inputs for risk analysis, both qualitative and quantitative are: the
project risk management plan, the risk register, enterprise
environmental factors and organizational process assets. The

2017 ​© RedVector.com, LLC

43
difference between qualitative inputs and quantitative inputs is that
the scope baseline is listed within qualitative risk analysis and not
quantitative while the cost management plan and schedule management
plan are listed within quantitative risk analysis but not
qualitative. However, as project manager you have the right and the
ability to determine the inputs that you will use for required
processes.

We also talked about risk probability and impact assessment with the
quantification and prioritization of risks based upon probability and
impact ratings. From a qualitative perspective, the probability and
impact assessment is predicated on ranking events within a range from
low to moderate to high. For quantitative perspective, those
qualitative rankings can be transformed into numeric representations
whereby the multiplication of a probability score times an impact
score can provide a risk exposure rating for project activity. We
also talked about risk quality and urgency assessments whereby the
need to have substance and integrity aligned to information gathered
relevant to risk as well as the ability to address risks based upon
present needs.

We also learned about the risk register for both the qualitative and
quantitative perspective. We learned of the risk register is a key
document that contains vital information down to the accessory level
of work packages. We learned about the correlation of the project
schedule and the work breakdown structure to a project risk breakdown
structure to ensure that timed events specific to risk analysis
resynchronize with project deliverables. We covered risk data-
gathering techniques that helped us predict probability distributions
and we ventured into detail around distributions to better understand

2017 ​© RedVector.com, LLC

44
why they are used and the types of information they can deliver.

While normal distributions, beta distributions and triangle

distributions are often applied to project management activities,
there are a variety of distributions available to the project manager
for consideration and risk analysis. Each distribution may cover a
specific core competency and each of those should be reviewed
relevant to the type of project that is being managed.

We talked about quantitative risk analysis techniques including

tornado diagrams and decision tree analysis that determines risk
probabilities. We also discussed risk simulation activities such as
Monte Carlo technique. We reviewed cost and risk simulation results
that helped us determine estimates and their likelihood for
delivering successful outcomes; and finally we tied up the subject of
performing risk analysis by reviewing the outputs of quantitative
risk analysis that should be added to the project risk register as
artifacts for action in future review activities.

Congratulations! You're on your way. Having gained some experience in

what it takes to perform risk analysis, you now have the ability to
practice and apply the skills to current project activities. If you
aren't doing so already, you should find a mentor that can assist you
with gaining experience in the use and application of these processes
tools and techniques. Once you get the hang of it risk analysis can
be intriguing and even fun at times based upon applying yourself to
gain insight and subject matter expertise. Having completed this
course, you are now ready to progress to our next course which is
risk response monitor and control.

2017 ​© RedVector.com, LLC

45