Week 11
Managing Risk
Risk is an uncertain event or condition that,
if it occurs, has a positive or negative effect
on project objectives.
Risk management attempts to recognize
and manage potential and unforeseen
trouble spots that may occur when the
project is implemented.
Risk Management Process
Step 1: Risk Identification- generate a list of
all the possible risks that could affect the
project. Uses brainstorming and other
problem identifying techniques to identify
potential problems.
Organizations use Risk Breakdown
Structures (RBSS) in conjunction with Work
Breakdown Structures (WBSS) to help
management teams identify and eventually
analyze risks.
Figure 1: The Risk Breakdown Structure (RBS)
A risk profile is another useful tool. A risk
profile is a list of questions that address
traditional areas of uncertainty on a project.
Figure 2: Partial Risk Profile for Product
Development Project
Good risk profiles, like RBSs, are tailored to
the type of project in question.
The risk identification process should not be
limited to just the core team. Input from
customers, sponsors, subcontractors,
vendors, and other stakeholders should be
solicited.
Step 2: Risk Assessment- Not all of these
risks deserve attention. Some are trivial and
can be ignored, while others pose serious
threats to the welfare of the project.
Scenario analysis is the easiest and most
commonly used technique for analyzing
risks. Team members assess the
significance of each risk event in terms of:
• Probability of the event.
 risks need to be evaluated in terms of
the likelihood the event is going to
occur and the impact or
consequences of its occurrence.
• Impact of the event
 impact ultimately needs to be
assessed in terms of project
priorities, different kinds of
impact scales are used.
Some scales may simply use
rank-order descriptors, such
as “low,” “moderate,” “high,”
 and “very high,” whereas
others use numeric weights
(1–10)
Figure 3: Defined Conditions for Impact Scales of a
Risk on Major Project Objectives
Often organizations find it useful to
categorize the severity of different risks into
some form of risk assessment matrix. The
matrix is typically structured around the
impact and likelihood of the risk event.
Figure 4: Risk Assessment Form
Figure 5: Risk Severity Matrix
The risk severity matrix provides a basis for
prioritizing which risks to address. Red zone
risks receive first priority followed by Yellow
zone risks. Green zone risks are typically
considered inconsequential and ignored
unless their status changes.
Failure Mode and Effects Analysis (FMEA)
extends the risk severity matrix by including
ease of detection in the equation:
Impact x Probability x Detection = Risk Value
Probability Analysis
1. Decision trees have been used to
assess alternative courses of action
using expected value.
2. Statistical variations of net present
value (NPV) have been used to
assess cash flow risks in projects.
3. Correlations between past projects’
cash flow and S-curves have been
used to assess cash flow risks.
4. PERT (program evaluation and
review technique) and PERT
simulation can be used to review
activity and project risk.
Step 3: Risk Response Development
When a risk event is identified and
assessed, a decision must be made
concerning which response is
appropriate for the specific event.
a. Mitigating Risk
 reduce the likelihood that the
event will occur and/
 reduce the impact that the
adverse event would have on
the project.
Testing and prototyping are frequently
used to prevent problems from surfacing
later in a project.
Identifying the root causes of an event
is useful.
 b. Avoiding Risk
 Risk avoidance is changing the
project plan to eliminate the risk
or condition
c. Transferring Risk
 Passing risk to another party
is common; this transfer does
not change risk. Passing risk
to another party almost
always results in paying a
premium for this exemption.
d. Retaining Risk
 Some risks are so large it is
not feasible to consider
transferring or reducing the
event.
 The risk is retained by
developing a contingency
plan to implement if the risk
materializes.
Contingency Planning
Contingency plan is an alternative plan that
will be used if a possible foreseen risk event
becomes a reality. The contingency plan
represents actions that will reduce or
mitigate the negative impact of the risk event.
Risk response is part of the actual
implementation plan and action is taken
before the risk can materialize.
Contingency plan is not part of the initial
implementation plan and only goes into
effect after the risk is recognized.
The absence of a contingency plan, when a
risk event occurs, can cause a manager to
delay or postpone the decision to implement
a remedy.
Figure 6: Risk Response Matrix
Technical Risks - Technical risks are
normally those that involve specific
knowledge of the technology of the project
deliverables.
Cost Risks- risk that the project costs more
than budgeted. Cost risk may lead to
performance risk if cost overruns lead to
reductions in scope or quality to try to stay
within the baseline budget.
Funding Risks
Opportunity Management
An opportunity is an event that can have a
positive impact on project objectives.
Four different types of response to an
opportunity
1. Exploit
2. Share
3. Enhance
4. Accept
Contingency Funding and Time Buffers
Contingency funds are established to cover
project risks—identified and unknown.
The size and amount of contingency
reserves depend on uncertainty inherent in
the project. Uncertainty is reflected in the
“newness” of the project, inaccurate time and
cost estimates, technical unknowns,
unstable scope, and problems not
anticipated.
Budget Reserves- are identified for specific
work packages or segments of a project
 found in the baseline budget or work
breakdown structure.
Management Reserves- funds are needed
to cover major unforeseen risks and, hence,
are applied to the total project.
Figure 7: Contingency Fund Estimate (Thousands
of Dollars)
Time Buffers
Managers use time buffers to cushion
against potential delays in the project. The
amount of time is dependent upon the
inherent uncertainty of the project
Step 4: Risk Response Control
The results of the first three steps of the risk
management process are summarized in a
formal document often called the risk
register. A risk register details all identified
risks, including descriptions, category, and
probability of occurring, impact, responses,
contingency plans, owners, and current
status.
Risk Control involves executing the risk
response strategy, monitoring triggering
events, initiating contingency plans, and
watching for new risks. Establishing a
change management system to deal with
events that require formal changes in the
scope, budget, and/or schedule of the project
is an essential element of risk control.
Change Control Management
Change management refers to the tools and
processes used to manage change within a
project and its team.
Changes easily fall into three categories:
1. Scope changes in the form of design or
additions represent big changes; for
example, customer requests for a new
feature or a redesign that will improve the
product.
2. Implementation of contingency plans,
when risk events occur, represent changes
in baseline costs and schedules.
3. Improvement changes suggested by
project team members represent another
category.
Change management systems involve
reporting, controlling, and recording changes
to the project baseline. Most change
management systems are designed to
accomplish the following:
1. Identify proposed changes.
2. List expected effects of proposed
change(s) on schedule and budget.
3. Review, evaluate, and approve or
disapprove changes formally.
4. Negotiate and resolve conflicts of change,
conditions, and cost.
5. Communicate changes to parties affected.
6. Assign responsibility for implementing
change.
7. Adjust master schedule and budget.
8. Track all changes that are to be
implemented.
Weekly Task
1. Think of a project. Identify and
assess major and minor risks
inherent to the project. Decide on a
response type. Develop a
contingency plan for two to four
identified risks. Estimate costs.
Assign contingency reserves. How
much reserve your estimate for the
whole project? Justify your choices
and estimates.