
Postgraduate Diploma

in Project Management

PROJECT RISK MANAGEMENT

Module Guide

Copyright © 2021
MANCOSA
All rights reserved; no part of this book may be reproduced in any form or by any means, including photocopying machines,
without the written permission of the publisher. Please report all errors and omissions to the following email address:
modulefeedback@mancosa.co.za

List of Content
Preface
Unit 1: Introduction to Project Risk Management
Unit 2: Plan Risk Management
Unit 3: Identify Risks
Unit 4: Perform Risk Analysis
Unit 5: Plan Risk Responses
Unit 6: Monitor and Control Risks
Answers to Revision Questions
Bibliography

MANCOSA – Postgraduate Diploma in Project Management 1i



List of Content
List of Figures

Figure 1.1: Project Risk Management Process
Figure 2.1: Plan Risk Management: Inputs, Tools & Techniques, and Outputs
Figure 2.2: Risks in the Project Life Cycle
Figure 3.1: Brainstorming Technique for Identifying Risks
Figure 3.2: Example of a Risk Register
Figure 3.3: Top 10 South African Country and Industry Level Risks
Figure 4.1: Sample Probability/Impact Matrix
Figure 4.2: Decision Tree and Expected Monetary Value Analysis
Figure 4.3: Monte Carlo-based Simulation for Project Schedule
Figure 5.1: Project Risk Strategies to Deal with Negative Risks
Figure 5.2: Example of the Strategies to Respond to a Project Risk

List of Tables

Table 1.1: Key Project Risk Management Concepts (PMI, 2017: 310)
Table 2.1: Topics Addressed in a Risk Management Plan
Table 3.1: Life Cycle Phase Risk Identification
Table 3.2: Project Risk Reviews
Table 4.2: Qualitative Analysis for Differentiating Major and Minor Project Risks
Table 4.3: Top Ten Risk Item Tracking Chart
Table 5.1: Risk Response Planning Example
Table 5.2: Common Project Risk Response Strategies


Preface
A. Welcome

Dear Student
It is a great pleasure to welcome you to Project Risk Management (PRM8). To make sure that you share our
passion about this area of study, we encourage you to read this overview thoroughly. Refer to it as often as you
need to, since it will certainly make studying this module a lot easier. The intention of this module is to develop
both your confidence and proficiency in this module.

The field of Project Risk Management is extremely dynamic and challenging. The learning content, activities and
self-study questions contained in this guide will therefore provide you with opportunities to explore the latest
developments in this field and help you to discover the field of Project Risk Management as it is practised today.

This is a distance-learning module. Since you do not have a tutor standing next to you while you study, you need
to apply self-discipline. You will have the opportunity to collaborate with each other via social media tools. Your
study skills will include self-direction and responsibility. However, you will gain a lot from the experience! These
study skills will contribute to your life skills, which will help you to succeed in all areas of life.

We hope you enjoy the module.

MANCOSA does not own or purport to own, unless explicitly stated otherwise, any intellectual property
rights in or to multimedia used or provided in this module guide. Such multimedia is copyrighted by the
respective creators thereto and used by MANCOSA for educational purposes only. Should you wish to use
copyrighted material from this guide for purposes of your own that extend beyond fair dealing/use, you
must obtain permission from the copyright owner.


B. Module Overview
• The module is a 15 credit module at NQF level 8.

Course overview
This module covers the methods that project managers use in risk management which start with identifying as
many risks as possible. Once the risks are identified, each risk is analysed so that the project team can concentrate
their attention on the most critical risks. Analysis always consists of a qualitative or judgmental approach and
sometimes also includes a quantitative approach. In the final risk management process, the project team decides
how to respond to each potential risk. Once all of the risk management planning has initially been accomplished,
the response plans are incorporated into the overall project management plan. Changes may need to be made to
the schedule, budget, scope, or communication plans to account for certain risks. These risk management planning
processes are covered in this chapter.

Purpose of the Module


To facilitate the acquisition of knowledge, skills, tools and techniques in order to effectively manage and control
project risks so as to reduce the overall project risk to a level that is acceptable to the project sponsor and other
stakeholders.


C. Exit Level Outcomes and Associated Assessment Criteria of the Programme

Each Exit Level Outcome (ELO) is listed below with its Associated Assessment Criteria (AACs).

ELO: Demonstrate a systematic and comprehensive understanding of the core principles related to managing projects
AACs:
• Analyse and interrogate each of the process groups and knowledge areas in project management
• Link the various process group functionalities to project performance
• Analyse the status of a project and propose corrective action

ELO: Analyse problems and propose strategies to address complex project management problems drawing on the Project Management Body of Knowledge
AACs:
• Create and maintain various project management plans
• Develop strategies to manage project constraints within own organisation
• Determine the appropriate leadership approaches to be used in different problem scenarios
• Develop risk management matrices to control and mitigate project risk
• Engage in effective project cost management

ELO: Engage in high-level and successful communication with project stakeholders and the wider project network
AACs:
• Develop and communicate plans and progress reports
• Implement and maintain a process of information sharing and distribution on a project
• Identify and execute communication strategies aligned to the complexity of the project at hand

ELO: Utilise Project Management software to solve work-based problems effectively
AACs:
• Use MS Project 2016 to develop a project plan
• Develop activity sequencing documentation
• Create a Work Breakdown Structure and Gantt Chart
• Effectively execute all activities required in using the software package

ELO: Demonstrate the ability to engage in self-directed learning within the field of project management
AACs:
• Display effective research and report writing skills
• Display a depth of knowledge of project management
• Take accountability and responsibility for their work
• Effectively communicate and articulate ideas and theories related to project management

D. Learning Outcomes and Associated Assessment Criteria of the Module

Each Learning Outcome of the Module is listed below with its Associated Assessment Criteria.

Learning Outcome: Demonstrate a critical understanding of the various process areas in project risk management
Associated Assessment Criteria:
• Various processes are analysed to conduct processes involved in project risk management
• Projects are analysed to determine the risks associated with a project

Learning Outcome: Demonstrate a comprehensive and critical understanding of the processes, methodologies and theories involved in planning for project risk management
Associated Assessment Criteria:
• Project risk plan is examined to demonstrate how the various processes fit together
• Various risk management methodologies are identified
• Various risk management methodologies and theories are applied to conduct qualitative and quantitative risk analyses
• Appropriate theories and methodologies are utilised to develop a risk response plan

Learning Outcome: Critically evaluate and apply theories and methodologies associated with monitoring and controlling project risks
Associated Assessment Criteria:
• Various metrics are analysed with associated project performance
• Variances in project performance are determined to propose strategies to mitigate risks


E. Learning Outcomes of the Units


You will find the Unit Learning Outcomes on the introductory pages of each Unit in the Module Guide. The Unit
Learning Outcomes give an overview of the areas you must demonstrate knowledge in and the practical skills you
must be able to achieve at the end of each Unit lesson in the Module Guide.

F. Notional Learning Hours


Types of Learning Activities: Learning Time
Lectures/Workshops (face to face, limited or technologically mediated): 4
Tutorials: individual groups of 30 or less: 0
Syndicate groups: 0
Practical workplace experience (experiential learning/work-based learning etc.): 0
Independent self-study of standard texts and references (study guides, books, journal articles): 70
Independent self-study of specially prepared materials (case studies, multi-media, etc.): 10
Other: Online: 16
TOTAL: 100

G. How to Use this Module


This Module Guide was compiled to help you work through your units and textbook for this module, by breaking
your studies into manageable parts. The Module Guide gives you extra theory and explanations where necessary,
and so enables you to get the most from your module.

The purpose of the Module Guide is to allow you the opportunity to integrate the theoretical concepts from the
prescribed textbook and recommended readings. We suggest that you briefly skim read through the entire guide
to get an overview of its contents. At the beginning of each Unit, you will find a list of Learning Outcomes and
Associated Assessment Criteria. This outlines the main points that you should understand when you have
completed the Unit/s. Do not attempt to read and study everything at once. Each study session should be 90
minutes without a break.


This module should be studied using the prescribed and recommended textbooks/readings and the relevant
sections of this Module Guide. You must read about the topic that you intend to study in the appropriate section
before you start reading the textbook in detail. Ensure that you make your own notes as you work through both the
textbook and this module. In the event that you do not have the prescribed and recommended textbooks/readings,
you must make use of any other source that deals with the sections in this module. If you want to do further reading,
and want to obtain publications that were used as source documents when we wrote this guide, you should look
at the reference list and the bibliography at the end of the Module Guide. In addition, at the end of each Unit there
may be a link to the PowerPoint presentation and other useful reading.

H. Study Material
The study material for this module includes tutorial letters, programme handbook, this Module Guide, a list of
prescribed and recommended textbooks/readings which may be supplemented by additional readings.

I. Prescribed / Recommended Reading


The textbook presents a tremendous amount of material in a simple, easy-to-learn format. You should read ahead
during your course. Make a point of re-reading the learning content in your module textbook. This will increase
your retention of important concepts and skills. You may wish to read more widely than just the Module Guide and
the prescribed / recommended readings; the Bibliography and Reference list provide you with additional reading.

The prescribed and recommended readings for this module are:


Prescribed
• Kloppenborg, T.J. 2015. Contemporary Project Management: Organise/Plan/Perform. 3rd ed. Australia: Cengage.

In addition to the prescribed textbook, the following should be considered for recommended books/readings:
Recommended
• Gido, J. and Clements, J.P. 2015. Successful Project Management. 6th ed. USA: Cengage Learning.
• Larson, E.W. and Gray, C.F. 2017. Project Management: The Managerial Process. 7th ed. New York: McGraw-Hill.
• PMI. 2017. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 6th ed. Pennsylvania: Project Management Institute.
• Van der Walt, G. and Williams, F. 2015. A Guide to Project Management. 2nd ed. SA: Juta and Company Ltd.


J. Special Features
In the Module Guide, you will find the following icons together with a description. These are designed to help you
study. It is imperative that you work through them as they also provide guidelines for examination purposes.

Special Feature: Explanation

LEARNING OUTCOMES: The Learning Outcomes indicate aspects of the particular Unit you have to master.

ASSOCIATED ASSESSMENT CRITERIA: The Associated Assessment Criteria are the evaluation of the students’ understanding, aligned to the outcomes. The Associated Assessment Criteria set the standard for the successful demonstration of the understanding of a concept or skill.

THINK POINT: A Think Point asks you to stop and think about an issue. Sometimes you are asked to apply a concept to your own experience or to think of an example.

ACTIVITY: You may come across Activities that ask you to carry out specific tasks. In most cases, there are no right or wrong answers to these activities. The purpose of the activities is to give you an opportunity to apply what you have learned.

READINGS: At this point, you should read the references supplied. If you are unable to acquire the suggested readings, then you are welcome to consult any current source that deals with the subject.

PRACTICAL APPLICATION OR EXAMPLES: Practical Application or Examples will be discussed to enhance understanding of this Module.

KNOWLEDGE CHECKS QUESTIONS: You may come across Knowledge Check Questions (KCQs) at the end of each Unit that will test your knowledge. You should refer to the Module Guide or your textbook(s) for the answers.

REVISION QUESTIONS: You may come across Revision Questions that test your understanding of what you have learned so far. These may be attempted with the aid of your textbooks, journal articles and Module Guide.

CASE STUDY: Case Studies are included in different sections in this Module Guide. This activity provides students with the opportunity to apply theory to practice.

VIDEO ACTIVITY: You may come across links to Video Activities as well as instructions on activities to attend to after watching the video.

Unit 1: Introduction to Project Risk Management

Unit Learning Outcomes

Content List: Learning Outcomes of this Unit

1.1 Introduction: Place project risk management in context
1.2 Risk Management Concepts: Build an understanding of key concepts in project risk management
1.3 Risk Management Principles: Integrate the various risk management principles into the project life cycle
1.4 Examples of Project Risks: Understand what constitutes a risk
1.5 The Benefits of Project Risk Management: Appreciate the benefits of project risk management

Prescribed / Recommended Readings

• Kloppenborg, T.J. 2015. Contemporary Project Management: Organise/Plan/Perform. 3rd ed. Australia: Cengage.
• Gido, J. and Clements, J.P. 2015. Successful Project Management. 6th ed. USA: Cengage Learning.
• Larson, E.W. and Gray, C.F. 2017. Project Management: The Managerial Process. 7th ed. New York: McGraw-Hill.
• PMI. 2017. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 6th ed. Pennsylvania: Project Management Institute.
• Van der Walt, G. and Williams, F. 2015. A Guide to Project Management. 2nd ed. SA: Juta and Company Ltd.


1.1 Introduction
Projects are enablers of change, and change in itself introduces risks. This makes encountering risk on
projects inevitable. Managing such risks cannot be based on chance but should rather be a systematic process
that proactively identifies, assesses, plans responses to and controls the risks that may impact the project. A
cost-effective risk management procedure should be established to “support better decision-making through a good
understanding of risks, their causes, likelihood, impact, timing and the choice of responses to them” (OGC, 2009: 77).

Project risk management is often overlooked, which often results in significant setbacks in the ultimate success of
projects. Risk management can have a positive impact on selecting projects, determining the scope of projects,
and developing realistic schedules and cost estimates. It helps project stakeholders understand the nature of the
project, involves team members in defining strengths and weaknesses, and helps to integrate the other project
management knowledge areas.

Think Point

“Civilization begins with order, grows with liberty and dies with chaos”
Will Durant

The Project Management Institute (PMI, 2017: 395) defines Project Risk Management as “the processes of
conducting risk management planning, identification, analysis, response planning, response implementation, and
monitoring risk on a project. The objectives of project risk management are to increase the probability and/or impact
of positive risks and to decrease the probability and/or impact of negative risks, in order to optimize the chances
of project success”.

This definition of project risk management is similar to the definition presented by the Association for Project
Management (APM, 2006:44): “Project Risk Management is a structured process that allows individual risk events
and overall project risks to be understood and managed proactively, optimising project success by minimising
threats and maximising opportunities”.

A risk is basically an uncertain event that, if it occurs, can jeopardize accomplishing the project objective. Risk
management involves the identification, assessment, control, and response to project risks in order to minimize
the likelihood of occurrence and/or potential impact of adverse events on the accomplishment of the project
objective (PMI, 2017: 395).
The risk management process would therefore include:
• Identification - determining which risks may adversely affect the project objective and estimating what the
potential impacts of each risk might be if it occurs.
• Assessment - determining the likelihood that the risk event will occur and the degree of impact the event will
have on the project objective, and then prioritising the risks.
• Response - defining a set of actions to prevent or reduce the likelihood of occurrence or the impact of a risk,
or to implement if the risk event occurs.
• Control risks - review and evaluation of risks to determine if there are any changes to the likelihood of
occurrence or the potential impact of any of the risks, or if any new risks have been identified (Gido and
Clements, 2015:).

Figure 1.1 below outlines the various phases of the risk management process that project teams must engage in
to ensure successful delivery of project outcomes.

The APM (2006) states that risk management within a project should not be conducted in isolation but must
interface with the organisation. They go on to say that risks should be escalated to both programme and portfolio
levels as well as “contribute to business risk assessment and corporate governance requirements”.

Figure 1.1: Project Risk Management Process (Plan Risk Management; Identify Risks; Perform Risk Analysis; Plan Risk Responses; Control Risks)

1.2 Risk Management Concepts


Table 1.1: Key Project Risk Management Concepts (PMI, 2017: 310)

Risk: An uncertain event. When you manage risk you are always dealing with uncertainty because a risk may or may not happen and you will not know for sure until the risk occurs or it ceases to be a risk. The uncertainty is inherent and cannot be eliminated. No matter how well you execute risk management some risk events will still occur. Thus the uncertainty can never be completely eliminated.

Project Risk: An uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective (PMI, 2017: 310).

Project Risk Management: A structured process that allows individual risk events and overall project risks to be understood and managed proactively, optimising project success by minimising threats and maximising opportunities (APM, 2006:44).

Risk event: The happening or state that “triggers” a loss.

Risk event driver: Something existing in the project environment that leads one to believe that a particular risk event could occur.

Probability of risk event: The likelihood that a risk event will occur.

Impact (of a risk): The consequence or potential loss that might result if a risk event occurs.

Impact driver: Something existing in the project environment that leads one to believe that a particular impact could occur.

Probability of impact: The likelihood that an impact will occur, given that its risk event occurs.

Total loss: The magnitude of the actual loss value accrued when a risk event occurs; it is measured in days or money.

Risk Appetite (Organisational): An organisation’s unique attitude towards risk taking that in turn dictates the amount of risk that it considers acceptable.

Risk Tolerance: An indication of how sensitive organizations, stakeholders, and people are towards risks. High tolerance often means that organizations welcome high risks while low tolerance tells otherwise. This element in project management also describes the willingness of organizations and people to avoid or accept risks.

Risk Register: Captures and maintains information on all of the identified threats and opportunities relating to the project.


1.3 Risk Management Principles


Effective risk management involves:
• Commitment to risk management by stakeholders, top management, the project steering committee, the
project manager and project team members.
• An adequate project management approach. A capable project manager should take responsibility for risk
management, and he or she and the project team should have an understanding of the technical and
non-technical issues and/or contingency measures should be considered (PMI, 2017).

The following risk management principles are appropriate in a project context:
• Understand the project’s context
• Involve stakeholders
• Establish clear project objectives
• Develop the project risk management approach
• Report on risks regularly
• Define clear roles and responsibilities
• Establish a support structure and a supportive culture for risk management
• Monitor for early warning indicators
• Establish a review cycle and look for continual improvement (OGC, 2009: 78).

1.4 Examples of Project Risks


Risk management is about maximizing your chances of project success by identifying risks early on and planning
how to manage them. The following examples of risks will get you started down the path of risk identification (Mar,
2018:1).
1.4.1 Executive Support
• Executives fail to support project: The project team may lack the authority to achieve project objectives. In
such cases, executive management support is fundamental to project success. When this doesn't materialize
the project fails.
• Executives become disengaged with project: Executive management disregards project communications
and meetings.
• Conflict between executive stakeholders disrupts project: Members of executive management are combative
to the project or there is a disagreement over project issues at the executive level.
• Executive turnover disrupts project: When a key executive leaves the company, the resulting disruption may
become a project issue (Mar, 2018:1).

1.4.2 Scope
• Scope is ill defined: The general risk of an error or omission in scope definition.
• Scope creep inflates scope: Uncontrolled changes and continuous growth of scope.
• Gold plating inflates scope: The project team add their own product features that aren't in requirements or
change requests (Mar, 2018:1).

1.4.3 Cost
• Cost forecasts are inaccurate: Inaccurate cost estimates and forecasts.
• Exchange rate variability: When costs are incurred in foreign currencies, exchange rates can have a dramatic
impact (Mar, 2018:1).

1.4.4 Change Management
• Change management overload: A large number of change requests dramatically raises the complexity of the
project and distracts key resources.
• Stakeholder conflict over proposed changes: Change requests may be the source of stakeholder conflict.
• Perceptions that a project failed because of changes: Large numbers of high priority change requests may
lead to the perception that the project has failed. When the schedule and budget are continually extended,
stakeholders may feel the project missed its original targets.
• Lack of a change management system: Identify any lack of critical tools as a risk.
• Change request conflicts with requirements: Change requests that make no sense in the context of the
requirements (Mar, 2018:1).

1.4.5 Stakeholders
• Stakeholders have inaccurate expectations: Stakeholders develop inaccurate expectations (believe that the
project will achieve something not in the requirements, plan, etc.).
• Stakeholder turnover: Stakeholder turnover can lead to project disruptions.
• Stakeholders fail to support project: When stakeholders have a negative attitude towards the project and
wish to see it fail.
• Stakeholder conflict: Disagreement between stakeholders over project issues (Mar, 2018:1).

1.4.6 Communication
• Project team misunderstand requirements: When requirements are misinterpreted by the project team a gap
develops between expectations, requirements and work packages.
• Communication overhead: When key project resources spend a high percentage of their time engaging
stakeholders on project issues and change requests their work may fall behind.
• Under communication: Communication is a challenge that's not to be underestimated. You may need to
communicate the same idea many times in different ways before people remember it.
• Impacted individuals aren't kept informed: A stakeholder is missing in your communication plan. Anyone who
isn't informed but is impacted has an excellent reason to throw up project roadblocks. For example, if you
build a system but fail to consult the operations group that will be responsible for support (Mar, 2018:1).

1.4.7 Resources & Team
• Resource shortfalls: Inability to secure sufficient resources for the project.
• Learning curves lead to delays and cost overrun: When your project team need to acquire new skills for the
project there's a risk that productivity will be low.
• Training is inadequate: Training is often a poor substitute for professional experience. Projects shouldn't
assume that resources will be fully productive in a new skill.
• Resources are inexperienced: Resources who are just out of school or who are new to your industry or
profession tend to make more mistakes and be less productive.
• Resource performance issues: Resources who perform below expectations.
• Team members with negative attitudes towards the project: Resources who are negative towards the project
may actively or passively sabotage project efforts (Mar, 2018:1).

The areas of project risk above are not exhaustive and extend to all project management knowledge areas.

Activity

Consider a project in your work/home environment and discuss the various
risks that may impact the successful execution of that project.

1.5 Benefits of Project Risk Management


There are many benefits to project risk management. A few benefits are listed below:
• Proactive rather than reactive approach
• Reduces surprises & negative consequences
• Prepares project manager to take advantage of appropriate risks (opportunities)
• Provides better control over future events.
• Improves chances of reaching project objectives within budget, on time & to quality standards (PMI, 2017).


Case Study: Project Risk Management: Challenge Established Practice


(Ole Jonny Klakegg)
The idea behind this Special Issue is based on the observation that project risk management
is presented as a key knowledge area in project management and has become an important
skill for updated project managers [1,2]. It has been around for more than three decades and
there are numerous commercial tools available. Still, projects are delivered too late, over
budget and often with less benefit than expected [3–5]. Project management, including risk
management, has improved significantly but project success rates have failed to improve at
the same rate [6]. Attained improvements are also seen to deteriorate remarkably quickly [7],
and the development is topped with real dilemmas [8].

Johansen, Sandvin, Torp and Okland [9] identified five specific challenges in uncertainty
analysis indicating that even professional risk managers and their teams do not have the right
competences, adequate planning data or effective procedures to properly identify risks and
uncertainties, quantify and analyse them, communicate them to decision makers or take the
consequences into their project management. This clearly indicates that current practices need
to be challenged. Authors from all over the world responded to the call for papers to this Special
Issue, although not all suggested contributions made it into the final result. The selected papers
challenge current practices on a wide range of aspects of project risk management and in
different ways.

Lichtenberg [10] describes successful research results from almost three decades ago, which
successfully challenge the problems that conventional management has with handling risk in
cost estimation and budgeting. The reported results have led to new and improved practices.
The research involved is an unusual mix from psychology, statistical theory and engineering
economy. This mix tells us about the complex and multidisciplinary nature of uncertainty
management. The resulting experiences are reported, focusing on two recent studies, each of
40 infrastructures, and other major projects. In both datasets, the actual final cost largely
equalled the expected project cost. This result is a marked change from international past and
present experience. The principles that Lichtenberg promotes help researchers better
understand the nature of cost estimation under uncertainty and practitioners can draw help
from useful guidelines in this paper to improve their project risk management.

Johansen, Eik-Andresen, Landmark, Ekambaram, and Rolstadås [11] challenge the clear
tendency in project risk management to focus on the negative aspects of uncertainty. Although
uncertainty management theory has become well established, the authors suggest that it does
not fully address why opportunities often remain unexploited. Despite theory that holds risk and
opportunities to be equally important, empirical studies show a stronger focus on mitigating
risks than exploiting opportunities. Several empirical studies reported in this paper indicate that
even within organizations with seemingly high awareness of best practices in the field of project
risk management, potential is lost. There is an obvious gap between what theory tells us and
what people tend to do in practice. The authors then present a theoretical model that explains
why opportunities remain unexploited. They show that the threshold for pursuing a potential
opportunity is high and identify several fundamental reasons for resistance. This should
potentially be of great help for practitioners in pursuit of an improved success rate and benefits
in investment projects. It also contributes to building theory for designing decision making on
complex projects.

Torp and Klakegg [12] directly tackle the list of challenges previously identified by Johansen,
Sandvin, Torp and Okland [9]. Reporting on a single case study, they describe practical
guidelines and share experience from cost estimation and uncertainty analyses that help
mitigate many of the identified challenges in current project risk management practice. The
single case is a unique insight into an extremely complex project: decommissioning of
Barsebäck Nuclear Power Plant. The paper includes an adequate level of detail to make it
possible for practitioners to actually take up and put into use several of the practical working
procedures used in this case. The authors illustrate the importance of combining project risk
management competence with professional knowledge of the actual contents of the project
itself. Good preparations and planning is vital to the quality of the process that follows. The
analysis involves a group of experts in a structured group process. Professional facilitation and
effective communication are two key enablers for enhancing the ability to identify, evaluate,
analyse and respond adequately to the steering signals found in the uncertainty analysis.

Walker and Lloyd-Walker [13] take an even closer look at team collaboration in their paper on
using risks and an uncertainty based perspective in analysing integrated project delivery forms.
The authors help readers to better understand how complex projects may be understood and
successfully managed. Based on interviews with 50 subject matter experts, they have
developed a relationship-based procurement (RBP) framework and a tool in the form of a visual
map. These results help practitioners cope by using visualization and sense-making
mechanisms. The paper also extends theory by taking RBP to the next step, from pure
procurement into a risk-uncertainty project management domain. Practitioners will find these
ideas helpful in managing risks, uncertainty and ambiguity in their complex projects.

All these contributions have one thing in common: They all illustrate that project risk
management may be led into a dead end if theory and practice keep focusing on models, data
processing, decision making algorithms, procedures and tools. The risk focus needs to be
balanced out with focusing on opportunities, even if it is difficult and requires extra effort. The
real challenges are in the head of the individuals involved. They need help to understand,
analyse and adequately respond. All contributions offer, in their own way, a piece of this puzzle.

My simple conclusion is: It is all about people and competence! The contributors have one
more thing in common—they have all previously collaborated in research or publications
together in different constellations. There is a close relation between the ways in which risk
and uncertainty are understood and presented in these papers. This will hopefully build a
picture that helps the readers to take the next step, be it theoretical or practical guidelines or
simply intriguing examples that are needed.

Source: Administrative Sciences. 2016, 6, 21; doi:10.3390/admsci6040021


1. The article states that even though risk management has “been around for more
than three decades”, projects are still “delivered too late, over budget and often with
less benefit than expected”. Drawing on recommendations from the article, critically
discuss how you would advise a project manager to successfully manage risk with
the result of minimising the impact of project threats and maximising opportunities
presented?

Knowledge Check Questions

1. From a project of your choice, discuss 5 potential risks that may negatively impact
the project.
2. Articulate what the benefits of project risk management are using examples from a
project of your choice.

3. What would be the risk of not adhering to the risk management principles when
planning for project risk management?

Unit 2: Plan Risk Management

Unit Learning Outcomes

| CONTENT LIST | LEARNING OUTCOMES OF THIS UNIT |
|---|---|
| 2.1 Introduction | Understand risk management planning |
| 2.2 Risk Management Planning | Identify the inputs, tools and techniques and the outputs of risk management process |
| 2.3 Risks in the Project Life Cycle | Explain the progression of risks on the project life cycle |
| 2.4 Golden Rules of Project Risk Management | Interrogate the guidelines and rules for successful risk management |
| 2.5 Contingency Plans, Fallback Plans, and Contingency Reserves | Understand and examine Contingency Plans, Fallback Plans, and Contingency Reserves |

Prescribed / Recommended Readings

• Kloppenborg, T.J. 2015. Contemporary Project Management: Organise/Plan/Perform. 3rd ed. Australia: Cengage.
• Gido, J. and Clements, J.P. 2015. Successful Project Management. 6th ed. USA: Cengage Learning.
• Larson, E.W. and Gray, C.F. 2017. Project Management: The Managerial Process. 7th ed. New York: McGraw-Hill.
• PMI. 2017. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 6th ed. Pennsylvania: Project Management Institute.
• Van der Walt, G. and Williams, F. 2015. A Guide to Project Management. 2nd ed. SA: Juta and Company Ltd.

2.1 Introduction
The essence of project management is risk management (Larson and Gray, 2017:234). All planning on a project
is intended to prevent uncertainties, to ensure that the project objectives are delivered successfully and,
ultimately, to increase stakeholder satisfaction. Larson and Gray (2017:234) support their statement above by
emphasising that:
• project selection tries to reduce the likelihood that projects will not contribute to organisational strategy;
• project scope statements are designed to avoid costly misunderstandings and to reduce scope creep;
• risk breakdown structures reduce the likelihood that important parts of the project will be omitted or that the
budget estimates are unrealistic;
• teambuilding reduces the likelihood of dysfunctional conflict and breakdowns in coordination.

All of the above processes try to increase the probability of project success. Project managers therefore need to
plan for risk management in order to mitigate the uncertainty inherent in project management. Risk management
must be proactive and not reactive so that it can reduce the number of surprises and be better prepared to deal
with potential negative as well as positive uncertain events.

Schwalbe (2015:427) states that planning risk management involves deciding how to approach and plan the risk
management activities for the project by reviewing the project scope statement; cost, schedule, and
communications management plans; enterprise environmental factors; and organizational process assets. The
main output of the Plan Risk Management process is a risk management plan, which is a subset of the project
management plan.

2.2 Risk Management Planning


Table 2.1 lists the general topics that any risk management plan should address. Importance is placed on role
clarification and responsibilities, budget preparation and schedule estimates for risk-related work, and on
identifying risk categories for consideration. How risk management will be done should also be clearly laid out.
This should include risk probabilities and impacts assessment as well as developing risk related documentation.
The needs of the project will determine the level of detail to be included in the risk management plan.

Table 2.1: Topics Addressed in a Risk Management Plan

| TOPIC | QUESTIONS TO ANSWER |
|---|---|
| Methodology | How will risk management be performed on this project? What tools and data sources are available and applicable? |
| Roles and responsibilities | Who are the individuals responsible for implementing specific tasks and providing deliverables related to risk management? |
| Budget and schedule | What are the estimated costs and schedules for performing risk-related activities? |
| Risk categories | What are the main categories of risks that should be addressed on this project? Is there a risk breakdown structure for the project? |
| Risk probability and impact | How will the probabilities and impacts of risk items be assessed? What scoring and interpretation methods will be used for the qualitative and quantitative analysis of risks? How will the probability and impact matrix be developed? |
| Revised stakeholders’ tolerances | Have stakeholders’ tolerances for risk changed? How will those changes affect the project? |
| Tracking | How will the team track risk management activities? How will lessons learned be documented and shared? How will risk management processes be audited? |
| Risk documentation | What reporting formats and processes will be used for risk management activities? |

Source: Schwalbe (2015:429)

The Project Management Institute (PMI, 2017:401) defines Plan Risk Management as the process of defining
how to conduct risk management activities for a project, and identifies the key benefit of the Plan Risk Management
process as the assurance “that the degree, type, and visibility of risk management are proportionate to both risks
and the importance of the project to the organization and other stakeholders”. The inputs, tools and techniques,
and outputs of the process are illustrated in Figure 2.1.

Figure 2.1: Plan Risk Management: Inputs, Tools & Techniques, and Outputs (figure not reproduced; surviving labels: Project charter, Stakeholder register, Meetings)
Source: PMI (2017:401)

2.3 Risks in the Project Life Cycle


Risk management planning should begin as early as possible when a project is conceived and should be completed
early in the project (PMI, 2017:401). The process should be continuously engaged in throughout the project life
cycle as new or unidentified risks emerge.

Figure 2.2: Risks in the Project Life Cycle
Source: Bobade (2015:1)

Figure 2.2 presents a graphic model of the risk management challenge. The chances of a risk event occurring are
greatest in the concept, planning, and start-up phases of the project (Larson and Gray, 2017:212). A risk occurring
early in the project life cycle has a lower cost than a risk occurring later in the project life cycle. The cost of a risk
event occurring increases rapidly and is at its highest as the project passes halfway through the project life cycle
during implementation.

Larson and Gray (2017:212) give the following example: the risk event of a design flaw occurring after a prototype
has been made has a greater cost or time impact than if the event occurred in the start-up phase of the project. It
is therefore prudent for the project team to plan for risk events and decide on appropriate responses before the
project begins.

2.4 Golden Rules of Project Risk Management


The benefits of risk management in projects are huge. You can gain a lot of money if you deal with uncertain project
events in a proactive manner. The result will be that you minimize the impact of project threats and seize the
opportunities that occur. This allows you to deliver your project on time, on budget and with the quality results your
project sponsor demands. Also your team members will be much happier if they do not enter a "fire-fighting" mode
needed to repair the failures that could have been prevented (Jutte, 2018:1).

The ten golden rules of project risk management provide a set of guidelines on how to implement risk management
successfully in projects.

Rule 1: Make Risk Management Part of Your Project:


The first rule is essential to the success of project risk management. If you don't truly embed risk management in
your project, you cannot reap the full benefits of this approach. You can encounter a number of faulty approaches
in companies. Some projects use no approach whatsoever to risk management. They are either ignorant, running
their first project or they are somehow confident that no risks will occur in their project (which of course will happen).
Some people blindly trust the project manager, especially if he (usually it is a man) looks like a battered army
veteran who has been in the trenches for the last two decades. Professional companies make risk management
part of their day to day operations and include it in project meetings and the training of staff (Jutte, 2018:1).

Rule 2: Identify Risks Early in Your Project:


The first step in project risk management is to identify the risks that are present in your project. This requires an
open mindset that focuses on future scenarios that may occur. Two main sources exist to identify risks: people
and paper. People are your team members that each bring along their personal experiences and expertise. Other
people to talk to are experts outside your project that have a track record with the type of project or work you are
facing. They can reveal some booby traps you will encounter or some golden opportunities that may not have
crossed your mind. Interviews and team sessions (risk brainstorming) are the common methods to discover the
risks people know. Paper is a different story. Projects tend to generate a significant number of (electronic)
documents that contain project risks. They may not always have that name, but someone who reads carefully
(between the lines) will find them. The project plan, business case and resource planning are good starters. Other
categories are old project plans, your company Intranet and specialized websites (Jutte, 2018:1).

Are you able to identify all project risks before they occur? Probably not! However, if you combine a number of
different identification methods, you are likely to find the large majority. If you deal with them properly, you have
enough time left for the unexpected risks that take place (Jutte, 2018:1).

Rule 3: Communicate About Risks:


Failed projects show that project managers in such projects were frequently unaware of the big hammer that was
about to hit them. The frightening finding was that frequently someone of the project organisation actually did see
that hammer, but didn't inform the project manager of its existence. If you don't want this to happen in your project,
you better pay attention to risk communication (Jutte, 2018:1).

A good approach is to consistently include risk communication in the tasks you carry out. If you have a team
meeting, make project risks part of the default agenda (and not the final item on the list!). This shows risks are
important to the project manager and gives team members a "natural moment" to discuss them and report new
ones (Jutte, 2018:1).

Another important line of communication is that of the project manager and project sponsor or principal. Focus
your communication efforts on the big risks here and make sure you don't surprise the boss or the customer! Also
take care that the sponsor makes decisions on the top risks, because usually some of them exceed the mandate
of the project manager (Jutte, 2018:1).

Rule 4: Consider Both Threats and Opportunities:


Project risks have a negative connotation: they are the "bad guys" that can harm your project. However modern
risk approaches also focus on positive risks, the project opportunities. These are the uncertain events that are
beneficial to your project and organisation. These "good guys" make your project faster, better and more profitable
(Jutte, 2018:1).

Unfortunately, lots of project teams struggle to cross the finish line, being overloaded with work that needs to be
done quickly. This creates project dynamics where only negative risks matter (if the team considers any risks at
all). Make sure you create some time to deal with the opportunities in your project, even if it is only half an hour.
Chances are that you see a couple of opportunities with a high pay-off that don't require a big investment in time
or resources (Jutte, 2018:1).

Rule 5: Clarify Ownership Issues:


Some project managers think they are done once they have created a list with risks. However, this is only a starting
point. The next step is to make clear who is responsible for what risk! Someone has to feel the heat if a risk is not
taken care of properly. The trick is simple: assign a risk owner for each risk that you have found. The risk owner is
the person in your team that has the responsibility to optimise this risk for the project. The effects are really positive.
At first people usually feel uncomfortable that they are actually responsible for certain risks, but as time passes
they will act and carry out tasks to decrease threats and enhance opportunities (Jutte, 2018:1).

Ownership also exists on another level. If a project threat occurs, someone has to pay the bill. This sounds logical,
but it is an issue you have to address before a risk occurs. Especially if different business units, departments and
suppliers are involved in your project, it becomes important who bears the consequences and has to empty his
wallet. An important side effect of clarifying the ownership of risk effects is that line managers start to pay attention
to a project, especially when a lot of money is at stake. The ownership issue is equally important with project
opportunities. Fights over (unexpected) revenues can become a long-term pastime of management (Jutte, 2018:1).

Rule 6: Prioritise Risks:


A project manager once told me "I treat all risks equally." This makes project life really simple. However, it doesn't
deliver the best results possible. Some risks have a higher impact than others. Therefore, you better spend your
time on the risks that can cause the biggest losses and gains. Check if you have any showstoppers in your project
that could derail your project. If so, these are your number 1 priority. The other risks can be prioritised on gut feeling
or, more objectively, on a set of criteria. The criteria most project teams use are the effects of a risk and
the likelihood that it will occur (Jutte, 2018:1).

Whatever prioritisation measure you use, use it consistently and focus on the big risks.

Rule 7: Analyse Risks:


Understanding the nature of a risk is a precondition for a good response. Therefore, take some time to have a
closer look at individual risks and don't jump to conclusions without knowing what a risk is about.

Risk analysis occurs at different levels. If you want to understand a risk at an individual level it is most fruitful to
think about the effects that it has and the causes that can make it happen. Looking at the effects, you can describe
what effects take place immediately after a risk occurs and what effects happen as a result of the primary effects
or because time elapses. A more detailed analysis may show the order of magnitude effect in a certain effect
category like costs, lead time or product quality. Another angle to look at risks is to focus on the events that precede
a risk occurrence, the risk causes. List the different causes and the circumstances that decrease or increase the
likelihood (Jutte, 2018:1).

Another level of risk analysis is investigating the entire project. Each project manager needs to answer the usual
questions about the total budget needed or the date the project will finish. If you take risks into account, you can
do a simulation to show your project sponsor how likely it is that you finish on a given date or within a certain time
frame. A similar exercise can be done for project costs.

The information you gather in a risk analysis will provide valuable insights in your project and the necessary input
to find effective responses to optimise the risks (Jutte, 2018:1).

Rule 8: Plan and Implement Risk Responses:


Implementing a risk response is the activity that actually adds value to your project. You prevent a threat occurring
or minimise negative effects. Execution is key here. The other rules have helped you to map, prioritise and
understand risks. This will help you to make a sound risk response plan that focuses on the big wins (Jutte, 2018:1).

If you deal with threats you basically have three options, risk avoidance, risk minimisation and risk acceptance.
Avoiding risks means you organise your project in such a way that you don't encounter a risk anymore. This could
mean changing supplier or adopting a different technology or, if you deal with a fatal risk, terminating a project.
Spending more money on a doomed project is a bad investment (Jutte, 2018:1).

The biggest category of responses is the ones to minimise risks. You can try to prevent a risk occurring by
influencing the causes or decreasing the negative effects that could result. If you have carried out rule 7 properly
(risk analysis) you will have plenty of opportunities to influence it. A final response is to accept a risk. This is a good
choice if the effects on the project are minimal or the possibilities to influence it prove to be very difficult, time
consuming or relatively expensive. Just make sure that it is a conscious choice to accept a certain risk (Jutte,
2018:1).

Responses for risk opportunities are the reverse of the ones for threats. They will focus on seeking risks,
maximising them or ignoring them (if opportunities prove to be too small).

Rule 9: Register Project Risks:

This rule is about bookkeeping (however don't stop reading). Maintaining a risk log enables you to view progress
and make sure that you won't forget a risk or two. It is also a perfect communication tool that informs your team
members and stakeholders what is going on (rule 3).

A good risk log contains risks descriptions, clarifies ownership issues (rule 5) and enables you to carry out some
basic analyses with regard to causes and effects (rule 7). Most project managers aren't really fond of administrative
tasks, but doing your bookkeeping with regards to risks pays off, especially if the number of risks is large. Some
project managers don't want to record risks, because they feel this makes it easier to blame them in case things
go wrong. However, the reverse is true. If you record project risks and the effective responses you have
implemented, you create a track record that no one can deny. Even if a risk happens that derails the project. Doing
projects is taking risks (Jutte, 2018:1).

Rule 10: Track Risks and Associated Tasks:


The risk register you have created as a result of rule 9, will help you to track risks and their associated tasks.
Tracking tasks is a day-to-day job for each project manager. Integrating risk tasks into that daily routine is the
easiest solution. Risk tasks may be carried out to identify or analyse risks or to generate, select and implement
responses (Jutte, 2018:1).

Tracking risks differs from tracking tasks. It focuses on the current situation of risks. Which risks are more likely to
happen? Has the relative importance of risks changed? Answering these questions will help to pay attention to the
risks that matter most for your project value (Jutte, 2018:1).

These ten golden rules can always be improved upon. Therefore, rule number eleven would be to use the
Japanese Kaizen approach: measure the effects of your risk management efforts and continuously implement
improvements to make it even better.

2.5 Contingency Plans, Fallback Plans, and Contingency Reserves


Many projects, apart from a risk management plan, also include contingency plans, fallback plans, and contingency
reserves (Schwalbe, 2015:430).

• Contingency Plans:
These are planned actions that the project team will take if an identified risk event occurs.
Example: A project team may have a contingency plan to use the existing, older version of the software if they
know that a new version may not be available in time for them to use in their project (Schwalbe, 2015:430).

• Fallback Plans:
These plans are developed for risks with high impact on meeting project objectives. Such plans take effect
when the project team fails to reduce the risk as originally planned.

Example: If none of a new college graduate’s main plan and contingency plans on where to live after
graduation pan out, then a fallback plan may be to live at home until appropriate accommodation can be sourced
(Schwalbe, 2015:430).

Sometimes the terms contingency plan and fallback plan are used interchangeably.

• Contingency Reserves:
Also known as contingency allowances, these are provisions held by the project sponsor or organization to reduce
the risk of cost or schedule overruns to an acceptable level.

Example: The project sponsor may provide additional funds from contingency reserves to hire an outside
consultant to train and advise the project staff in using the new technology if a project appears to be off course
because the staff is inexperienced with some new technology and this was not identified as a risk (Schwalbe,
2015:430).

Case Study:
Feds and Contractor Share Blame for Afghan Plant Delays
Scheduled to be completed in April 2009, the 105-megawatt, dual-fuel Tarakhil Power
Plant near Kabul has experienced many delays and cost overruns. The U.S. Special
Inspector General of Afghanistan Reconstruction blamed federal and contractor
management failures in a January 2010 report. The expected completion date was delayed
for over a year from the April 2009 date.

The original statement of work lacked specific deliverables and deadlines, which resulted in
the project’s being a string of task orders without an established schedule and secured
resources. The initial costs of the project were estimated at $125 million for 18 diesel
generators in an existing plant. Fifteen contract modifications resulted in scope changes and
budget increases. The final plan was estimated to cost $260 million with the construction of
a new facility. The typical cost estimate for diesel plant construction in the Middle East and
Asia has been $105 million, $1 million per megawatt planned. Modifications and issue
resolutions would take months and years, resulting in a six-month delay for site work. To
fast-track the project, turbines were built in Germany at an increased expense and flown to
the site. The total project costs were nearing $300 million, a $40 million overrun of the final
plan. Critics of the project suggest that the power plant may never be used due to the high
costs of operation; this project is expected to cost Afghan taxpayers three times as much as
comparable projects for operation. It has been suggested that the U.S. Agency for
International Development and its contractors made the same mistakes that they had made
in similar projects because they did not apply what they had learned on the other projects.
Planners ignored alternative recommendations from local officials that were less expensive,
selected expensive technologies that may not be sustainable, and hired a complex system
of multiple contractors with unrealistic time expectations for completion and high costs. The
original contract guaranteed a profit for the Kansas-based contractor through cost-plus
contracting. Subcontracts were awarded on fixed price bases to a network of firms.
Subcontractors may never be fully reimbursed for changes or delays that the original
contractor caused. The contractor’s failure to properly identify needs, examine and secure
resources, manage risks, and secure a schedule of performance put the project at risk.
These failures lie in the critical components of planning, scheduling, organization, teamwork,
communication, and leadership.
Source: Buckley (2010:16) and Chatterjee (2010:1)

1. Clearly articulate whether each of the 10 golden rules of project risk management
was adhered to on the project in the case study above.

Knowledge Check Questions

1. Justify the statement that “The essence of project management is risk
management”
2. What are the general topics that any project risk management plan should
address?
3. Discuss the inputs, tools and techniques, and the outputs of the risk management
process as prescribed by the PMI.
4. Explain the curve on the Risks in the Project Life Cycle graph.
5. Discuss the guidelines for ensuring the successful implementation of project risk
management.


Unit 3: Identify Risks


Unit Learning Outcomes

| CONTENT LIST | LEARNING OUTCOMES OF THIS UNIT |
|---|---|
| 3.1 Introduction | Identify project risks |
| 3.2 Information Gathering | Understand various tools and techniques for information gathering during risk identification processes |
| 3.3 Risk Identification Techniques | Utilise the various project risks identification methodologies in a project life cycle |
| 3.4 Risk Register | Compile a risk register |

Prescribed / Recommended Readings

• Kloppenborg, T.J. 2015. Contemporary Project Management: Organise/Plan/Perform. 3rd ed. Australia: Cengage.
• Gido, J. and Clements, J.P. 2015. Successful Project Management. 6th ed. USA: Cengage Learning.
• Larson, E.W. and Gray, C.F. 2017. Project Management: The Managerial Process. 7th ed. New York: McGraw-Hill.
• PMI. 2017. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 6th ed. Pennsylvania: Project Management Institute.
• Van der Walt, G. and Williams, F. 2015. A Guide to Project Management. 2nd ed. SA: Juta and Company Ltd.


3.1 Introduction
The purpose of undertaking a project is to achieve or establish something new, to venture or to take chances.
However, in today’s markets, with heavy competition, advanced technology and tough economic conditions, risk
has assumed significantly greater proportions. Identifying hazard and risk exposures is probably the most important
step in the risk management process.

Before risks can be identified, mitigated or managed, certain preliminary work must be done to form the foundation
for structured project information. This preliminary work encompasses the identification of work, creating a
schedule, and pinpointing resources, cost elements and performance measures. One of the most effective
methods of defining work is the development of the work breakdown structure (WBS). The WBS displays the
products, services and data items that must be developed for a project in hierarchical arrangement. This
arrangement relates the WBS elements to each other and to the end product. It provides an essential definition for
schedule and cost baselines, exchange control mechanisms, cost tracking, contractual actions and the logical
execution of work. These baselines are the foundation for measuring project performance, managing risk and
calculating resource availability and consumption (PMI: 2017).

This step launches the process; hence planning and preparation are required at the beginning. A facilitator will be
needed, especially one without a stake in the outcome; an amply supplied meeting room; a solid definition of the
project, specifically any unusual features; and a schedule, development process chart, prompt list, or other means
of eliciting specific project risks.

Risk identification should be performed as part of a project’s initial definition process, along with project planning,
budgeting, and scheduling. In fact, these other activities cannot be realistically performed without performing risk
analysis. Sometimes identified risks may lead to abandoning the project altogether. In addition, scan for new risks
throughout the project at team meetings, project updates, and at major milestones and phase completions (PMI:
2017).

A risk event should exactly describe a happening that could occur, together with the associated time component
or condition so that one can tell if the risk event has occurred. The risk description should be specific such as “A
graphical user interface software engineer will not be available to review the system requirements until 15 days
past the scheduled review on August 7” rather than “Engineering may not have enough resources to complete the
project on time”. Each risk should be accompanied by its impact; that is, the loss that the risk event could cause.
An impact could be stated as “since our contract with our customer contains a penalty clause for missed programme
milestones, a 15-day slip in reviewing the system requirements will result in R750 000 penalties!” The R750 000
would represent the total loss.


Project managers are ultimately responsible for identifying all risks, but often they rely upon subject matter experts
to take a lead in identifying certain technical risks (Kloppenborg, 2015: 275). The objective of this risk identification
step is to get any identified risks on the table for discussion. Chances are high that you might identify more risks
than you can pursue.

Think Point

Identifying hazard and risk exposures is probably the most important step in
the PROJECT MANAGEMENT process.

3.2 Information Gathering


Gathering information makes up the larger part of the risk identification process. Either the project manager or
another person (with technical expertise) needs to act as a facilitator for information gathering. The question “what
could go wrong?” is repeatedly asked of all participating in the process (Kloppenborg, 2015:275). Brainstorming,
amongst several other techniques, may be used in risk identification. Sometimes, team members interview
stakeholders. Other times SWOT analysis, the “analysis of strengths, weaknesses, opportunities, and threats to a
project”, might be used. Kloppenborg (2015:275) advises keeping in mind that risks can be both threats to overcome
and opportunities to exploit. Further methods to identify risks include the expert judgement techniques such as the
Delphi technique and the Nominal Group technique. The project team can even use a structured review to identify
risks.

3.3 Risk Identification Techniques


Having defined your business objectives by the work breakdown structure, the next step is to identify what areas
of risk, uncertainty and triggers could prevent you from achieving these stated objectives.

Techniques for identifying risk include:

• Brainstorming
• Problem Solving Approach
• Expert Judgement Based on Knowledge
• Life Cycle Risk Identification
• Analysing Historical Records and Closeout Reports
• Root Cause Identification
• Safety Reports (Health and Safety Requirements)
• Structured Questionnaires
• Risk Categories
• Structured Checklists (WBS)
• Flow Charts
• System Analysis (SWOT)
• Scenario Analysis
• Structured Review

(PMI: 2017).

The success of these techniques depends on how the risk management team have been selected and brought
together.

3.3.1 Brainstorming
Figure 3.1 illustrates the most common approach to identifying the sources of risks, brainstorming. The project
manager should involve key project team members in identifying potential sources of risk. In this step you identify
risk events and their consequences that could prevent the project from meeting its defined goals of scope,
schedule, cost, resource consumption, or quality. This is a brainstorming activity. Even though we have to keep in
mind the fact that a manageable risk involves uncertainty, the possibility of loss and a time element, this should be
a freewheeling activity rather than one that judges contributions at this time (PMI: 2017).

One way to identify risk is via posting a large copy of the project schedule on the wall and having the whole team
place stickers in areas of the schedule where they see risks. To get a broad view of the project, be sure to involve
a cross-functional team.

[Figure 3.1: Brainstorming Technique for Identifying Risks. Diagram with “Identify Risks” at the centre and branches for schedule, cost, resources, communications, scope and environment risks.]
Source: Pinterest (2018:1)

Since with brainstorming quality lies in quantity, strive for quantity first and later sift through the results looking for
the risks most likely to threaten the project.


3.3.2 Problem Solving Approach


The following is a nine-step problem-solving approach, which is made possible by a brainstorming technique.

Steps
• Develop a problem statement.
• Identify potential causes of the problem.
• Gather data and verify the most likely causes.
• Identify possible solutions.
• Evaluate the alternative solutions.
• Determine the best solution.
• Revise the project plan.
• Implement the solution.
• Determine whether the problem has been solved (PMI: 2017).

Think Point

Risk is an uncertain event or condition that, if it occurs, has a positive or
negative effect on project objectives (Larson and Gray, 2017).

3.3.3 Expert Judgement Techniques


Expert judgement techniques are applicable not only for risk identification, but also for forecasting and decision
making. Two expert judgement techniques are the Delphi method and the nominal group technique.

a) The Delphi Method:

• The Delphi method has the following general steps:
Step 1: A panel of experts is selected from both inside and outside the organisation. The experts do not
interact on a face-to-face basis and may not even know who else sits on the panel.
Step 2: Each expert is asked to make an anonymous prediction on a particular subject.
Step 3: Each expert receives composite feedback of the entire panel’s answers and is asked to make new
predictions based upon the feedback.
The process is then repeated as necessary (Haughey, 2018:1).

• Advantages of the Delphi method:
o The Delphi technique is versatile in terms of its potential application and can, therefore, be used to tackle a
very wide variety of issues, subjects, and situations.
o Through this technique, you have the option of setting up a broad and dynamic panel of experts from a
variety of disciplines and professional sectors (for example, donors, community organizations, government
officials, and academia).
o Location is not a constraint in terms of access to expert insight. This technique accommodates data
collection through either postal or electronic mail, making it possible to involve experts from almost any part
of the world.
o The iterative process of the Delphi technique promotes reflective and evaluative contributions from experts.
o The technique enables the natural group process of sharing and evaluating ideas and expert insight without
the need for an in-person meeting format. Because the objective of the Delphi technique is to achieve
convergence, as opposed to divergence, in expert perspectives, it promotes a non-confrontational format
for communication and exchange. Expert contributions also remain anonymous to other participants in the
expert panel, which may help participants to feel more at ease with fully and honestly providing their insights
and opinions.
o The structured and step-by-step nature of the technique makes it very democratic in nature, giving each
invited participant an equal opportunity for contribution. Quantitative analysis of the data from a Delphi study
is relatively simple and can be done using spreadsheet software (such as Microsoft Excel) (Haughey,
2018:1).

• Disadvantages of the Delphi method:
o If the coordinator of a Delphi activity fails to (a) select a representative expert panel, (b) select a good initial
question, or (c) follow the recommended implementation steps for the technique, the outcomes of the
activity may be compromised.
o If the Delphi technique is conducted through postal mail, the time required for the process can be lengthy,
particularly if the panel of expert participants is located in a variety of different countries. If you decide to
use the Delphi approach with postal mail, you should expect to allocate between one and three months for
data collection.
o The technique requires sustained involvement from the participants. Participant dropout is, therefore, a risk.
o The viewpoints and judgments that are collected through the Delphi technique are subjective in nature.
Thus, the extent of accuracy and comprehensiveness of the data may, in some instances, be uncertain.
o The Delphi technique, although generating valuable information, should not be used as the sole source of
information for making definitive decisions about needs or future strategies (Haughey, 2018:1).


b) The Nominal Group Technique:

Closely related to the Delphi method is the nominal group technique, which allows for face-to-face contact and
direct communication.
• The steps in the nominal group technique are as follows:
Step 1: A panel is convened and asked to generate ideas in writing.
Step 2: The ideas are listed on a board or a flip chart. Each idea is discussed among the panellists.
Step 3: Each panellist prioritises the ideas, which are then ranked mathematically. Steps 2 and 3 may be
repeated as necessary (Haughey, 2018:1).
• Advantages of the Nominal Group Technique:
o One major advantage of NGT is that it avoids two problems caused by group interaction. First, some
members are reluctant to suggest ideas because they are concerned about being criticized, or are reticent
and shy. Second, some members are reluctant to create conflict in groups. (Many people want to maintain
a pleasant climate.) NGT overcomes these problems. NGT has the clear advantage in ensuring
relatively equal participation. It may also, in many cases, be a time-saving technique.
o Other advantages include producing a large number of ideas and providing a sense of closure that is
often not found in less-structured group methods (Haughey, 2018:1).

• Disadvantages of the Nominal Group Technique:
o A major disadvantage of NGT is that the method lacks flexibility by being able to deal with only one
problem at a time.
o Also, there must be a certain amount of conformity on the part of the members involved in NGT. Everyone
must feel comfortable with the amount of structure involved.
o Another disadvantage is the amount of time needed to prepare for the activity. There is no spontaneity
involved with this method. Facilities must be arranged and carefully planned.
o Opinions may not converge in the voting process, cross-fertilization of ideas may be constrained, and the
process may appear to be too mechanical.
o One of the key issues about 'nominal' group technique is that it does not depend on normal group
processes. It is a method to work with a collection of people and involve them in decision making but does
not depend on existing group processes. This is, according to the originators, an advantage in decision
making using this tool (Haughey, 2018:1).

Activity

Which of the two popular expert judgement risk identification techniques is
better suited to comprehensive risk identification?


c) Potential for Bias in Risk Identification:


Expert judgement techniques have the potential for bias in risk identification. Factors affecting the bias
include:
• Overconfidence in one’s ability.
• Insensitivity to the problem or risk.
• Motivation.
• Proximity to project.
• Recent event recall.
• Availability of time.
• Relationship with other experts (Haughey, 2018:1).

3.3.4 Life Cycle Phase Risk Identification


Risks can also be identified according to life-cycle phases, as shown in the following Table 3.1. In the early life-
cycle phases, the total project risk is high because of lack of information. In the later phases, the financial risk is
the greatest (Kloppenborg, 2015).

| INITIATION | PLANNING | EXECUTION | CLOSEOUT |
|---|---|---|---|
| Unavailable subject matter experts | No risk management plan | Unskilled labour | Poor quality |
| Poor definition of problem | Hasty planning | Material availability | Unacceptable to customer |
| No feasibility study | Poor specifications | Strikes | As built changes |
| Unclear objectives | Unclear SOW | Weather | Cash flow problems |
| Buy-in (competitive bidding) | No management support | Changes in scope | |
| | Poor role definition | Changes in schedule | |
| | Inexperienced team | Regulatory requirements | |
| | | OSHA compliance | |
| | | No control systems in place | |

Table 3.1: Life Cycle Phase Risk Identification
Source: Kloppenborg (2015)


3.3.5 Structured Review Risk Identification


A variety of project documents can be reviewed by the project manager and team to uncover possible risks. Table
3.2 lists some of the documents that may be used and typical questions that could be asked for each (Kloppenborg,
2015:276). As with the brainstorming mentioned previously, it is better to identify many possible risks and later
determine that some of them are not major, rather than to not identify what does turn out to be a big risk
(Kloppenborg, 2015:276).

| TYPE OF REVIEW | QUESTION |
|---|---|
| Charter | Is there clarity and common understanding in each section? |
| Stakeholder register | What could upset any of them? |
| Communication plan | Where could poor communications cause trouble? |
| Assumptions | Can you verify that each assumption is correct? |
| Constraints | How does each constraint make the project more difficult? |
| WBS | What risks can you find going through the WBS item by item? |
| Schedule | What milestones and other merge points might be troublesome? |
| Resource demands | At what points are certain people overloaded? |
| Touchpoints | What difficulties may arise when some project work is handed off from one person to another? |
| Literature | What problems and opportunities have been published concerning similar projects? |
| Previous projects | What projects & opportunities have similar projects in your own organisation? |
| Peers | Can your peers identify any additional risks? |
| Senior management | Can senior management identify any additional risks? |

Table 3.2: Project Risk Reviews
Source: Kloppenborg (2015:276)

3.3.6 Risk Identification Through Understanding Relationships


Risks can also be identified by learning the cause-and-effect relationships of risk events. The flowchart is a useful
technique that shows how people, money, data, or materials flow from one person or location to another. This is
essentially what the team does when it reviews the project schedule, provided it looks at the arrows that show
which activities must precede others (Kloppenborg, 2015:276).


Asking why a certain risk event may happen is a second method of understanding risk relationships. Root cause
analysis is used to determine the basic underlying reason that causes a variance or defect or risk. A root cause
may underlie more than one variance or defect or risk. A simple approach to root cause analysis is to
consider each risk one at a time and ask, “Why might this happen?” The risks designated as major risks during
risk analysis are the ones for which the project team should perform more detailed root cause analysis.

Another relationship that project teams need to understand is trigger conditions that indicate whether a risk is
about to occur. “A trigger can be specific to an individual risk, such as when a key supplier stops returning phone
calls, which may jeopardize their delivery of materials” (Kloppenborg, 2015:276).

3.3.7 Risk Categories


According to Gido and Clements (2015:287), another approach is to establish risk categories. These are groupings
of potential sources of risk that might occur for each category.
The following are examples of risk categories and risks within them:
• Technical:
o Failure to meet customer performance requirements
o New application for technology
o May not be able to meet quality standards

• Schedule:
o Vendor delay in delivery of critical equipment

• Cost:
o Material costs escalate more than anticipated

• Human Resources:
o May not have people available when required to staff the project

• External:
o Inclement weather
o Change in consumer preference
o Local community protests
o Changes in government regulations

• Sponsor/Customer:
o Delays in approval
o Security of sponsor funding (Gido and Clements, 2015:287).


3.4 Risk Register


The primary output of risk identification is the risk register. When complete, the risk register is “a document in which
the results of risk analysis and risk response planning are recorded.” At this point (the end of risk identification),
the risk register includes only the risk categories, identified risks, potential causes, and potential responses. The
other items are developed during the remainder of risk planning (Schwalbe: 2015).

Figure 3.2: Example of a Risk Register
Source: Schwalbe (2015)

The contents of a risk register, as illustrated in Figure 3.2 above, are described as:
• List of identified risks:
All potential events and their subsequent consequences as identified during the risk identification process

• List of potential responses:
Potential responses to risk may be identified during the identification process

• Root causes of risk:
If possible, identify the root causes of risks

• Update Risk Categories:
Some categories of risk may need to be changed or updated to better reflect the risks associated with the
current project

• Triggers:
Signals or precursors that help in determining if a risk event is about to occur (Schwalbe: 2015).

The risk register is a living document. As a risk is identified, it is added. More information regarding a risk can
be added as it is discovered. As risks are handled, they can be removed because they are no longer of the
same level of concern. On smaller projects, a spreadsheet works fine for a risk register. On larger, more
complex projects, some organizations use databases (Schwalbe: 2015).

Think Point

Figure 3.3 below illustrates the Top 10 South African country and industry level
risks as identified by the Institute of Risk Management South Africa (IRMSA,
2017:3). All ranked risks negatively impact the successful achievement of project
objectives.


Figure 3.3: Top 10 South African Country and Industry Level Risks
Source: Institute of Risk Management (2017:3)

Knowledge Check Questions

1. Generate a list of all possible risks that can occur during the project tenure in a project
of your choice using the brainstorming risk identification method.
2. Categorise the identified risks into the different risk classification areas.
3. Google what a Risk Breakdown Structure is and compile one for the project chosen in
question one.
4. Expert judgement techniques have the potential for bias in risk identification. What are
the various factors affecting the bias?


Unit 4: Perform Risk Analysis


Unit Learning Outcomes

| CONTENT LIST | LEARNING OUTCOMES OF THIS UNIT |
|---|---|
| 4.1 Introduction | Understand risk analysis processes |
| 4.2 Risk Assessment Techniques | Elaborate on risk assessment process |
| | Differentiate the qualitative from quantitative risk assessment methodologies |
| | Utilise the various risk assessment techniques |
| | Conduct risk register updates |

Prescribed / Recommended Readings

• Kloppenborg, T.J. 2015. Contemporary Project Management: Organise/Plan/Perform. 3rd ed. Australia: Cengage.
• Gido, J. and Clements, J.P. 2015. Successful Project Management. 6th ed. USA: Cengage Learning.
• Larson, E.W. and Gray, C.F. 2017. Project Management: The Managerial Process. 7th ed. New York: McGraw-Hill.
• PMI. 2017. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 6th ed. Pennsylvania: Project Management Institute.
• Van der Walt, G. and Williams, F. 2015. A Guide to Project Management. 2nd ed. SA: Juta and Company Ltd.


4.1 Introduction
Having identified the various possible risks inherent in the project, the next step is to assess these risks. Not all
risks deserve attention and some risk(s) may be ignored. There are those risks, however, that pose serious threats
to the welfare of the project. According to Kloppenborg (2015:277), the project team now needs to decide which
risks are major and need to be managed carefully, as opposed to those minor risks that can be handled more
casually. Kloppenborg (2015:277) states further that the project team should determine how well they understand
each risk and whether they have the necessary reliable data. They must ultimately be able to report the major
risks to decision makers.

Risk assessment involves determining the likelihood that the risk event will occur and the degree of impact the
event will have on the project objective. Risks can then be prioritized based on the likelihood of occurrence and
degree of impact. Assign high priority to managing risks that have a high likelihood of occurrence and a high
potential impact on the project outcome. Risks on the critical path should be given higher priority because, if the
risk occurs, it would have a greater impact on the schedule than if it was associated with activities on a path that
has a large positive value of total slack (Larson & Gray, 2014).

Scenario analysis is the most commonly used technique for analysing risk. In this technique, every risk is assessed
in terms of (1) probability of the risk occurring, and (2) the impact of the risk should it occur. Using this technique,
a quantification of the various risks can be determined. Thereafter the different risks are ranked in terms of
importance (and attention). This allows the project manager to derive a typical risk assessment form (Larson &
Gray, 2014).

| Risk Event | Likelihood | Impact | Detection Difficulty | When |
|---|---|---|---|---|
| Interface Problems | 4 | 4 | 4 | Conversion |
| System Freezing | 2 | 5 | 5 | Start-up |
| User Backlash | 4 | 3 | 3 | Post Installation |
| Hardware Malfunctioning | 1 | 5 | 5 | Installation |

Table 4.1: Risk Assessment for an IT Installation Project
Source: Larson and Gray (2017:217)

Table 4.1 above is an example of a risk assessment form for an IT Installation Project. It basically captures the
risk event, the likelihood, the impact, detection difficulty and when during the project life cycle the risk may occur.
The risk assessment process may be summarised as follows:
• Determine the likelihood the risk event will occur
• Evaluate degree of impact on the project objective. Involve the project team or experts in assessing risks.
• Prioritize
  o Likelihood of occurrence and degree of impact
  o Position relative to the critical path

Think Point

All risks, even the ones with the smallest likelihood of occurring, are important
to project success.

4.2 Risk Assessment Techniques


Risks can be assessed qualitatively and quantitatively (Schwalbe, 2015:452):
• Qualitative Risk Analysis:
The process of prioritizing risks for further analysis or action by assessing and combining their probability and
impact.

• Quantitative Risk Analysis:
The process of numerically analysing the effect of identified risks on overall project objectives.

Quantitative risk analysis often follows qualitative risk analysis, yet both processes can be done together or
separately. On some projects, the team may only perform qualitative risk analysis. The nature of the project
and availability of time and money affect the type of risk analysis techniques used.

Tools for qualitative risk analysis include a probability/impact matrix and the Top Ten Risk Item Tracking
technique. Tools for quantitative risk analysis include decision trees and Monte Carlo simulation. Expected
monetary value (EMV) uses decision trees to evaluate potential projects based on their expected value.
Simulations are a more sophisticated method for creating estimates to help you determine the likelihood of
meeting specific project schedule or cost goals. Sensitivity analysis is used to show the effects of changing
one or more variables on an outcome (Schwalbe, 2015:452).

Each of the risk analysis techniques will be discussed under the separate headings of Qualitative Risk
Analysis and Quantitative Risk Analysis.


4.2.1 Qualitative Risk Analysis


Project teams, according to Kloppenborg (2015:277), need to make a distinction between major and minor risks.
The two basic questions to be asked are: “how likely is this risk to happen?” and “if it does happen, how big will
the impact be?”. Table 4.2 shows a scale of 1 to 5 used with descriptions for each dimension: probability and
impact. Any scale may be utilised as long as it is applied consistently.

Table 4.2: Qualitative Analysis for Differentiating Major and Minor Project Risks
Source: Kloppenborg (2015:279)

The dark line in Table 4.2 above separates the major and catastrophic risks that need either further analysis and/or
specific contingency plans from minor and moderate risks that can just be listed and informally monitored. This
distinction between major and minor risks is required as project teams may be tempted either to ignore all risks,
which almost guarantees the project has problems, or to make contingency plans for all risks, which may be a
terrible waste of time drawing focus away from the really big risks.

It is also prudent for project teams to ask when each risk is likely to occur in the project. The usefulness of this
exercise is seen in the fact that those risks that are likely to occur earlier often need to be assigned a higher priority.

Think Point

A catastrophic risk with the smallest probability of occurring may, if it occurs,
have the greatest impact on the success of the project. An example to note is the
100-year rain experienced in the province of KwaZulu-Natal in 2016.


Schwalbe (2015:438) states that qualitative risk analysis involves assessing the likelihood and impact of identified
risks, to determine their magnitude and priority. The two major techniques under this section include the
Probability/Impact Matrix to produce a prioritized list of risks, as well as the Top Ten Risk Item Tracking technique
to produce an overall ranking for project risks and to track trends in qualitative risk analysis.

a) Probability/Impact Matrix
A risk probability or consequence is often described as being low, medium or high.
Example: a meteorologist might predict that there is a high probability (likelihood) of severe rain showers on a
certain day. If that day happens to be your wedding day and you are planning a large outdoor
wedding, the consequences or impact of severe showers might also be high.

The probability and impact of risks can be charted by a project manager on a probability/impact matrix or chart. A
probability/impact matrix or chart lists the relative probability of a risk occurring on one side of a matrix or axis on
a chart and the relative impact of the risk occurring on the other (Schwalbe, 2015:438). To use this approach,
project stakeholders list the risks they think might occur on their projects. They then label each risk as being high,
medium, or low in terms of its probability of occurrence and its impact if it did occur.

The results are then summarized by the project manager in a probability/impact matrix or chart, as shown in Figure
4.1. Here, all risks are plotted on a matrix or chart and focus is placed on any risks that fall in the high sections of
the probability/impact matrix or chart. For example, Risks 1 and 4 are listed as high in both categories of probability
and impact. Risk 6 is high in the probability category but low in the impact category. Risk 9 is high in the probability
category and medium in the impact category, and so on. The severity of the risk is then calculated by simply
multiplying a numeric score for probability by a numeric score for impact (Schwalbe, 2015:439).


Risk Severity = Impact x Probability

[Figure 4.1: a three-by-three matrix with PROBABILITY (Low, Medium, High) on the vertical axis and IMPACT (Low, Medium, High) on the horizontal axis, in which Risks 1 to 12 are plotted.]

Figure 4.1: Sample Probability/Impact Matrix


Source: Schwalbe (2015:439)

Based on the value of the severity of the risks, risks are prioritised for contingency planning. The purpose of this
action is to cull from a long list of risks a short list that will be managed actively. Expected loss is the prime criterion
for conducting this culling, because it measures the damage that each risk can be expected to inflict on the
project. Other criteria, such as urgency, the cost of mitigation, or the catastrophic nature of a risk, may influence this
short list. The list of prioritised risks is then updated on the risk register. Less severe risks are placed onto a risk
watch list. The next step would be for the team to discuss how they plan to respond to those risks if they occur
(Schwalbe, 2015:439).

The project team has to prioritise because resources are too limited to work on all the risks. To minimise
and focus efforts, only risks that make the shortlist will be managed. A catastrophic risk may be added to the list,
even though its probability is quite low. The point is to manage the risks that could cause the greatest damage to
the project. It may be unsettling to know that there are real and significant project risks that have been identified
but will not be resolved. On the other hand, each risk on the managed list will need significant resources, so the
line needs to be drawn somewhere. By prioritising risk, resources are applied most cost effectively according to
the requirements of the project (Schwalbe, 2015:439).


Activity

Using a project of your choice, identify five potential risks and analyse them
using the probability/impact matrix.

b) Top Ten Risk Item Tracking


This is a qualitative risk analysis tool that maintains an awareness of risks throughout the project life cycle and also
helps to monitor risks. The project’s most significant risk items are periodically reviewed with management and/or
the customer. The review lists the top ten sources of risk on the project, showing for each risk its current ranking, previous
ranking, number of times it has appeared on the list over a period of time, and progress made in resolving the risk since
the previous review (Schwalbe, 2015:441).

Table 4.3 illustrates the Top Ten Risk Item Tracking chart that could be used at a management review meeting for
a project. Only the top five negative risk events are included here. Each risk event is ranked based on the current
month, previous month, and how many months it has been in the top ten. The last column describes progress on
resolving each risk item.


MONTHLY RANKING

Risk Event | Rank This Month | Rank Last Month | Number of Months in Top Ten | Risk Resolution Progress
Inadequate planning | 1 | 2 | 4 | Working on revising the entire project management plan
Poor definition | 2 | 3 | 3 | Holding meetings with project customer and sponsor to clarify scope
Absence of leadership | 3 | 1 | 2 | After previous project manager quit, assigned a new one to lead the project
Poor cost estimates | 4 | 4 | 3 | Revising cost estimates
Poor time estimates | 5 | 5 | 3 | Revising schedule estimates

Table 4.3: Top Ten Risk Item Tracking chart


Source: Schwalbe (2015:441)
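
The probability/impact scoring and the Top Ten tracking described above can be worked through together, as an added example that is not taken from Schwalbe or from this module guide. The 1 to 3 numeric scale, the short-list threshold of 6, the `catastrophic` flag and every risk placement other than those of Risks 1, 4, 6 and 9 in the first review are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed numeric scale for the low/medium/high labels; any scale works
# as long as it is applied consistently.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: str            # "low", "medium" or "high"
    impact: str                 # "low", "medium" or "high"
    catastrophic: bool = False  # hypothetical flag for the low-probability override

    @property
    def severity(self) -> int:
        # Risk Severity = Impact x Probability
        return SCALE[self.impact] * SCALE[self.probability]


def prioritise(risks, threshold=6):
    """Split risks into (managed short list, watch list).

    A risk is managed when its severity reaches the threshold (assumed value)
    or when it is flagged catastrophic, whatever its probability.
    Ties are broken by impact, then by name, so the order is reproducible.
    """
    ordered = sorted(risks, key=lambda r: (-r.severity, -SCALE[r.impact], r.name))
    managed = [r for r in ordered if r.severity >= threshold or r.catastrophic]
    watch = [r for r in ordered if r not in managed]
    return managed, watch


def tracking_chart(reviews, top_n=10):
    """Build the tracking rows for the latest of several periodic reviews.

    `reviews` is a chronological list of risk lists, one per review.
    Each row is (name, rank this review, rank last review, reviews in top N);
    the previous rank is None for a risk that was not in the top N last time.
    """
    rankings = []
    for risks in reviews:
        managed, watch = prioritise(risks)
        names = [r.name for r in managed + watch][:top_n]
        rankings.append({name: i + 1 for i, name in enumerate(names)})
    current = rankings[-1]
    previous = rankings[-2] if len(rankings) > 1 else {}
    rows = []
    for name, rank in sorted(current.items(), key=lambda item: item[1]):
        periods = sum(1 for ranking in rankings if name in ranking)
        rows.append((name, rank, previous.get(name), periods))
    return rows


# First review: Risks 1, 4, 6 and 9 placed as the text describes Figure 4.1;
# Risks 8 and 12 are constructed placements.
MONTH_1 = [
    Risk("Risk 1", "high", "high"),
    Risk("Risk 4", "high", "high"),
    Risk("Risk 6", "high", "low"),
    Risk("Risk 9", "high", "medium"),
    Risk("Risk 8", "low", "low"),
    Risk("Risk 12", "low", "high", catastrophic=True),
]

# Second review (constructed): Risk 9 was mitigated, Risk 6 grew in impact.
MONTH_2 = [
    Risk("Risk 1", "high", "high"),
    Risk("Risk 4", "medium", "high"),
    Risk("Risk 6", "high", "high"),
    Risk("Risk 9", "low", "medium"),
    Risk("Risk 8", "low", "low"),
    Risk("Risk 12", "low", "high", catastrophic=True),
]

if __name__ == "__main__":
    managed, watch = prioritise(MONTH_1)
    print("Managed:", [(r.name, r.severity) for r in managed])
    print("Watch list:", [(r.name, r.severity) for r in watch])
    for row in tracking_chart([MONTH_1, MONTH_2], top_n=3):
        print(row)
```

Risk 12 scores only 3 yet stays on the managed list because of its catastrophic flag, while Risk 6 with the same score goes to the watch list in the first review.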

c) Risk Register Updates


Updating the risk register is the main output of qualitative risk analysis. On the risk register, the ranking column
as well as a numeric value or high/medium/low rating for the probability and impact of the risk event should be
completed. Additional information is often added to each risk event, such as whether the risk needs more attention
or can be placed on a watch list. A watch list is a list of risks that are low priority, but are still
identified as potential risks (Schwalbe, 2015:442). Qualitative analysis can also identify risks that should be
evaluated on a quantitative basis.

4.2.2 Quantitative Risk Analysis


“While all projects use qualitative risk analysis, quantitative risk analysis is only used when necessary. Bigger,
more complex, riskier, and more expensive projects often can benefit from the additional rigor of these more
structured techniques. Quantitative risk analysis is often used when being able to predict with confidence what the
probability is of completing a project on time, on budget, and with the agreed upon scope and/or the agreed upon
quality is critical” (Kloppenborg, 2015:280).

a) Selecting a Suitable Quantitative Risk Technique


Criteria to help select a suitable quantitative risk technique include the following:
• The methodology should utilize the explicit knowledge of the project team members.
• The methodology should allow quick response.
• The methodology should help determine project cost and schedule contingency.
• The methodology should help foster clear communication.
• The methodology should be easy to use and understand (Kloppenborg, 2015:280).

b) Quantitative Risk Techniques


Some of the more frequently used quantitative techniques are:
• Decision tree analysis: a diagramming and calculation technique for evaluating the implications of a chain of
multiple options in the presence of uncertainty. A common application of decision tree analysis involves
calculating expected monetary value (see Figure 4.2). Expected monetary value (EMV) analysis is a statistical
technique that calculates the average outcome when the future includes scenarios that may or may not happen.

Figure 4.2: Decision Tree and Expected Monetary Value Analysis
Source: Schwalbe (2015:439)

• Failure mode and effect analysis (FMEA): an analytical procedure in which each potential failure mode in
every component is analysed, for all the ways a failure may occur, to determine its effect on reliability. For
each potential failure, an estimate is made of its effect on the total system.
• Sensitivity analysis: a quantitative risk analysis and modeling technique used to help determine which
risks have the most powerful impact on the project. It examines the extent to which the uncertainty in each
project element affects the objective. The typical display is in the form of a tornado diagram.
• Simulation: a technique that uses a project model that translates the uncertainties specified at a detailed
level into their potential impact on objectives. It usually uses probability distributions of possible costs or
durations and typically uses Monte Carlo analysis (Kloppenborg, 2015:280).


Figure 4.3: Monte Carlo-based Simulation for Project Schedule


Source: Schwalbe (2015:445)
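
A Monte Carlo schedule simulation of the kind named in the simulation and sensitivity analysis bullets above, as an added example that is not taken from Schwalbe, Kloppenborg or this module guide. The task names, the three-point estimates, the triangular distribution, the 80% confidence level and the use of variance share as the sensitivity measure are all assumptions constructed for illustration.

```python
import math
import random
import statistics

# Constructed three-point estimates in days (optimistic, most likely,
# pessimistic) for four tasks performed one after the other.
TASKS = {
    "Requirements": (8, 10, 16),
    "Design": (12, 15, 25),
    "Build": (20, 30, 55),
    "Test": (8, 10, 20),
}


def simulate(tasks, iterations=10_000, seed=1):
    """Run the schedule model many times; return (per-task samples, totals).

    Every run draws each task duration from a triangular distribution and
    adds the draws up, because the tasks are sequential.
    """
    rng = random.Random(seed)  # fixed seed keeps the analysis reproducible
    samples = {name: [] for name in tasks}
    totals = []
    for _ in range(iterations):
        total = 0.0
        for name, (low, mode, high) in tasks.items():
            duration = rng.triangular(low, high, mode)
            samples[name].append(duration)
            total += duration
        totals.append(total)
    return samples, totals


def percentile(values, p):
    """Nearest-rank percentile, with p between 0 and 100."""
    ordered = sorted(values)
    index = max(0, math.ceil(p * len(ordered) / 100) - 1)
    return ordered[index]


def probability_on_time(totals, deadline):
    """Share of simulated runs that finish within the deadline."""
    return sum(1 for total in totals if total <= deadline) / len(totals)


def variance_share(samples):
    """Sensitivity measure: each task's share of the total schedule variance.

    Valid here because the tasks are sampled independently and summed.
    """
    variances = {name: statistics.pvariance(v) for name, v in samples.items()}
    total_variance = sum(variances.values())
    return {name: v / total_variance for name, v in variances.items()}


def summary(tasks=TASKS, confidence=80):
    """Key figures a risk register entry would record for schedule risk."""
    samples, totals = simulate(tasks)
    baseline = sum(mode for _, mode, _ in tasks.values())
    target = percentile(totals, confidence)
    shares = variance_share(samples)
    return {
        "baseline": baseline,                         # sum of most likely durations
        "p50": percentile(totals, 50),
        "target": target,                             # duration met in `confidence`% of runs
        "contingency": target - baseline,             # schedule reserve in days
        "on_time_at_baseline": probability_on_time(totals, baseline),
        "top_driver": max(shares, key=shares.get),    # longest bar of a tornado diagram
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

Because the pessimistic estimates lie further from the most likely values than the optimistic ones, the plan built from most likely durations is met in well under half of the runs, which is the case for a schedule contingency.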
c) Risk Register Updates
The risk register is updated with the probability of each risk occurring and the impact if it does happen. The priority
for each risk is also listed. To call attention to the highest priority risks, some organisations use a “Top 10” list whilst
others place higher priority on risks that are likely to happen soon. Yet other organisations focus on risks that are
difficult to detect. Whichever of these means is used to call attention to certain risks is also listed in the risk register
(Kloppenborg, 2015:281). Any quantitative risk analysis performed should also be documented in the risk register.


Case Study: What Went Right?


A large aerospace company used Monte Carlo analysis to help quantify risks on several
advanced-design engineering projects. The U.S. National Aerospace Plane (NASP)
project involved many risks. The purpose of this multibillion-dollar project was to design
and develop a vehicle that could fly into space using a single-stage-to-orbit approach. A
single-stage-to-orbit approach meant the vehicle would have to achieve a speed of Mach
25 (25 times the speed of sound) without a rocket booster. A team of engineers and
business professionals worked together in the mid-1980s to develop a software model for
estimating the time and cost of developing the NASP project. This model was then linked
with simulation software to determine the sources of cost and schedule risk for the project.
The company then used the results of the Monte Carlo analysis to determine how it would
invest its internal research and development funds. Although the NASP project was
terminated, the resulting research has helped develop more advanced materials and
propulsion systems used on many modern aircraft.

Microsoft Excel is a common tool for performing quantitative risk analysis. Microsoft
provides examples of how to use Excel to perform Monte Carlo simulation from its Web
site, and explains how several companies use Monte Carlo simulation as an important tool
for decision-making:
• General Motors uses simulation for forecasting net income for the corporation,
predicting structural costs and purchasing costs of vehicles, and determining the
company’s susceptibility to different kinds of risk, such as interest rate changes and
exchange rate fluctuations.
• Eli Lilly uses simulation to determine the optimal plant capacity that should be built
for each drug.
• Procter & Gamble uses simulation to model and optimally hedge foreign exchange
risk.
Source: Microsoft Corporation (2008:1)
1. Is the Monte Carlo Analysis technique a quantitative or qualitative technique? Justify
your response.
2. Research the process of Monte Carlo Analysis on the internet to investigate how it can
be used to analyse the sources of cost and schedule risks for the project in the case
study.
3. The case study lists a few major organisations who use the Monte Carlo Analysis
technique. Discover for yourself which other major companies use this risk analysis
technique.


Knowledge Check Questions

1. Describe what needs to be done to manage risk on a project.


2. Describe what needs to be done to manage risk on a project.
3. When should this be done?
4. How can a risk assessment matrix help in this process?
5. What risks for a project have the highest priority?
6. Does the priority for a risk change as the project progresses? Google
what a Risk Breakdown Structure is and compile one for the project
chosen in question one.
7. Expert judgement techniques have the potential for bias in risk
identification. What are the various factors affecting the bias?

Unit 5: Plan Risk Responses

Unit Learning Outcomes

CONTENT LIST | LEARNING OUTCOMES OF THIS UNIT
5.1 Introduction | Understand risk response planning process
5.2 Plan Risk Response Process | Develop a risk response plan
5.3 Strategies for Responding to Risks | Differentiate between the negative and positive risk response strategies
5.4 Risk Register Update | Update the risk register
5.5 Risk Response Matrix | Develop a risk response matrix
5.6 Risk Response Planning that Don’t Work | Create strategies to avoid risk responses that do not work

Prescribed / Recommended Readings

• Kloppenborg, T.J. 2015. Contemporary Project Management: Organise/Plan/Perform. 3rd ed. Australia: Cengage.
• Gido, J. and Clements, J.P. 2015. Successful Project Management. 6th ed. USA: Cengage Learning.
• Larson, E.W. and Gray, C.F. 2017. Project Management: The Managerial Process. 7th ed. New York: McGraw-Hill.
• PMI. 2017. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 6th ed. Pennsylvania: Project Management Institute.
• Van der Walt, G. and Williams, F. 2015. A Guide to Project Management. 2nd ed. SA: Juta and Company Ltd.


5.1 Introduction
Once the risks have been identified, quantified and prioritised, a risk response plan (or risk handling plan) needs to be
developed. Plan Risk Response is the process of devising risk response strategies and establishing contingency
plans to develop actions in order to increase opportunities and to decrease threats. It also includes the
identification and assignment of one or more persons to take responsibility for each agreed-to and funded risk
response.

After all risks are assessed, the team needs to decide which of the risks should be considered major risks. That
is, which are important enough to require a formal response plan with someone assigned responsibility? The other,
more minor risks are not formally considered further in the charter, but very well may get more attention in the
planning and executing stages. The project team constructs a table depicting each major risk, with its contingency
plan and “owner” (Kloppenborg, 2015:96).

Examples of risk assessment and major risk response planning for a hardware upgrade project in an Irish factory
are shown in Table 5.1.

Table 5.1: Risk Response Planning Example


Source: Kloppenborg (2015:96)

Kloppenborg (2015:281) believes that this is often a creative time for project teams as they decide how they will
respond to each major risk. A team may develop multiple strategies for a single risk because one strategy may not
be sufficient to reduce the threat or exploit the opportunity as much as the stakeholders would like.

Alternatively, the team may decide that it is not worth the effort to completely eliminate a threat and make it their
goal to reduce the threat to a level that the sponsor and other stakeholders deem acceptable.


5.2 Plan Risk Response Process


Planning the risk response process involves the following:
• Set of actions
• Prevent or reduce the likelihood of occurrence or the impact of a risk
• Implement if the risk event occurs
• Establishes a trigger point for implementing an action
• Assigns responsibility for implementation
• Response strategies for negative and positive risks
• Include a contingency fund to cover implementation cost (Kloppenborg, 2015).


A risk response plan is a defined set of actions that seek to prevent or reduce the likelihood of occurrence or the
impact of a risk. The risk response plan is implemented if the risk event occurs. Risk response planning involves
establishing a trigger point for when to implement the actions to address each risk. It assigns responsibility to
specific individuals for implementing the response plan. A risk response plan can be helpful in avoiding, mitigating,
or accepting the risk (Kloppenborg, 2015). Project prices and budgets should include a contingency or
management reserve to pay for additional costs associated with implementing response plans.

5.3 Strategies for Responding to Risk


Various strategies exist for dealing with negative and positive project risks. Common risk strategies are classified
in Table 5.2.

5.3.1 Strategies to Deal with Negative Risks (Threats)


There are three strategies that deal exclusively with negative risks, which impact the achievement of project objectives
and should therefore be reduced: Avoid, Mitigate and Transfer. Two other strategies deal with both negative and
positive risks and will be discussed here: Accept and Research. Figure 5.1 highlights four strategies to deal with
negative project risks.


Table 5.2: Common Project Risk Response Strategies

Source: Kloppenborg (2015: 281)

a) Avoid Risk

Many people prefer to avoid a risk if possible, and sometimes that is the best strategy. Sometimes, a project plan
can be altered to avoid a risk by deleting the risky section. Kloppenborg (2015:282) gives an example of the
organizers of a parade who alter their route when told by the local police that traffic patterns on one section of their
route are very difficult to control.

Project risk response strategy decisions are based on an understanding of the priorities key stakeholders have of
cost, schedule, scope, and quality. The example presented may allow the change to be easily executed if no major
stakeholder had a strong interest in the original route. Project managers need to understand, however, that every
decision regarding risk response strategies may impact something else. Another avoidance strategy, especially
concerning risky issues, is to ensure communications are good. “Many risks can be more easily addressed with
prompt and accurate information” (Kloppenborg, 2015:282). The avoidance strategy of not performing the project
at all is a choice sometimes made when the risks far outweigh the potential benefits. Such a decision is a last
resort, taken when all other options have been explored and considered.

b) Transfer Risk
Various risk transfer strategies exist for both the project manager and the owner/developer/supplier.
• A common means to transfer a risk is through insurance. A premium is paid to another, better equipped
organization to assume a level of risk. A second transfer strategy deals with the type of contract used. For
example, an owner may want to use a fixed-price contract that will transfer the risk to the supplier/developer.
The developer accepting the risk should insist on a higher price to cover the risk.

• Alternatively, a developer wanting to transfer risk to the owner would prefer a cost-plus contract, which
includes compensation for cost plus a percentage of profit. In this case the owner should drive for a low cost
in such an arrangement because he is assuming the risk. Other types of contracts can be written so that both
parties share the project risk (Kloppenborg, 2015:282).

• Hire an expert to perform the risky work and hold that person accountable.

None of the transfer strategies eliminate risk; they just force someone else to assume it (Kloppenborg, 2015:282).

c) Mitigate Risk
Mitigation strategies are those in which an effort is made to lower risk. One can reduce the risk’s probability or its
impact if it occurs. One can generally mitigate a risk by conducting more thorough project planning. Mitigation
involves making alternative choices that can be less than ideal. To reduce the risk’s probability one could develop
prototypes, simulate or conduct model testing (Kloppenborg, 2015).

d) Accept Risk
This strategy is often used for risks deemed to be minor. The project team deals with them if and when they happen.
There may be little that one can do except to let the risk occur. Acceptance is an option for risks with low probability,
low impact or those that have no reasonable action that can be taken (Kloppenborg, 2015).


Figure 5.1: Project Risk Strategies to Deal with Negative Risks
Source: Kloppenborg (2015: 281)

e) Research Risk
Kloppenborg (2015:283) maintains that the best way to handle a risk may sometimes be to learn more about it.
• The first research strategy is to secure better and/or more information so the project team
understands what it is dealing with. Projects often are conducted in a rapidly changing environment
in which decisions need to be made quickly, often based upon imperfect and incomplete information.
• Another research strategy is to verify assumptions made. Assumptions that prove to be false become risks.
• Yet another research strategy is to perform the project on a small scale first to see if it works. This can include
constructing a prototype, test marketing a new product, running new software in one department first,
piloting and so on.
These research strategies work well for both reducing threats and capitalizing on opportunities.

5.3.2 Strategies to Deal with Positive Risks (Opportunities)


There are three strategies that deal exclusively with positive risks, which enhance the achievement of project objectives
and should therefore be increased or encouraged: Exploit, Share and Enhance.


a) Exploit Risk
Exploitation means to ensure that the risk event definitely occurs so that its benefits can be realised. Trigger
conditions may be identified that, if reached, will allow the project manager to request that the project become a
higher priority. To exploit opportunities, an organization must assign more or better resources to the project, remove
barriers, and give it more visibility in management reviews (Kloppenborg, 2015).

Think Point

A major pharmaceutical company discovers the cure for the common flu. Do
they exploit the competitive advantage or shelve the discovery so that the
current line of flu medication continues to generate profits?

b) Share Risk
Sharing is similar to transference but its aim is to share the opportunity with the third party who is best able to
capitalize on it. For example, the project team develops a new product or service so revolutionary that the parent
organization is not capable of fully exploiting it. In such a case, the parent organisation may:
• spin off a nimble subsidiary,
• form a joint venture with another firm, or
• sell the rights to the product (Kloppenborg, 2015).

c) Enhance Risk
If actions cannot be taken to guarantee that the opportunity will occur, then responses might be taken to enhance
its probability or its beneficial impact if it does transpire. The project manager should identify key drivers of these
positive impacts and develop strategies to capitalise on them. Adding more or better resources is one way of
enhancing opportunities (Kloppenborg, 2015). Figure 5.2 shows how a single project risk may be responded to
using a variety of risk response strategies.


Figure 5.2: Example of the Strategies to Respond to a Project Risk

Activity

Determine the name of each risk response strategy described in the table below


5.4 Risk Register Updates


The risk register needs to be updated with the results of the response planning. The response strategy must be
noted for each risk. An individual is assigned as the “owner” of each risk. That person is responsible for
understanding the trigger and for implementing the strategy (Kloppenborg, 2015:284). Any changes that need to
be made to the project schedule, budget, resource assignments, and communications plan should also be
included.

5.5 Risk Response Matrix


The output for the Risk Response Planning process is the Risk Response Matrix. Table 5.3 (Gido and Clements,
2015: 289) clearly outlines the content of the risk response matrix/plan.

Table 5.3: Risk Response Matrix


Source: Gido and Clements (2015: 289)

The risk response matrix is a tool for assessing and responding to risks. It helps to:
• List the impact of the risk
• Evaluate the likelihood of occurrence
• Determine the degree of impact
• Identify the action trigger
• Name a person responsible
• Create a response plan to avoid, mitigate, or accept the risk (Gido and Clements, 2015: 289).


5.6 Risk Response Planning that Don’t Work


The following approaches are NOT recommended as they do not work:
a) The Ostrich Approach
Ignore the risks or pretend that they do not exist.

b) The Prayer Approach
Look to a higher being to solve the problem or make the risk disappear.

c) The Denial Approach
Refuse to acknowledge the risk or situation that may cause problems for your project (Kloppenborg, 2015).

Practical Application or Examples

Real examples or cases may be discussed to enhance understanding.


Practical Application or Examples

Business example:

Tony and his team identified some risks during the first month of the Recreation and
Wellness Intranet Project. However, all they did was document them in a list. They never
ranked them or developed any response strategies. Since several problems have been
occurring on the project, such as key team members leaving the company, users being
uncooperative, and team members not providing good status information, Tony has decided
to be more proactive in managing risks. He also wants to address positive as well as
negative risks.

1. Create a risk register for the project, using Table and the data below it as a guide.
Identify six potential risks, including risks related to the problems described above.
Include negative and positive risks.

No.: R44
Rank: 1
Risk: New customer
Description: We have never done a project for this organization before and don’t know too
much about them. One of our company’s strengths is building good customer
relationships, which often leads to further projects with that customer. We
might have trouble working with this customer since they are new to us.
Category: People risk
Root cause: We won a contract to work on a project without really getting to know the
customer.
Triggers: The project manager and other senior managers realize that we don’t know much
about this customer and could easily misunderstand their needs or expectations.
Risk responses: Make sure the project manager is sensitive to the fact that this is a new
customer and takes the time to understand them. Have the PM set
up a meeting to get to know the customer and clarify their expectations. Have Cliff attend
the meeting, too.
Risk owner: Our project manager


Probability: Medium
Impact: High
Status: PM will set up the meeting within the week.

2. Develop a response strategy for one of the negative risks and one of the positive
risks. Enter the information in the risk register.

Knowledge Check Questions

1. For a project in which you are planning a campus event with a well-known speaker,
identify and quantify risks and develop contingency plans for the major risks.
2. What is an example of transferring risk?
3. In the risk register, why should only one person be assigned “owner” of a risk?
4. Which three risk strategies are used specifically for dealing with opportunities?
5. You are hosting a large dinner party. What are two possible risks you would
encounter? Identify at least one trigger condition for each.
6. List and briefly explain the eight common risk responses that are used. Describe
how you might use two or three of them together on a project.
7. For the risks identified in question 1, identify trigger conditions that indicate each
risk may be about to happen.

Unit 6: Monitor and Control Risks

Unit Learning Outcomes

CONTENT LIST | LEARNING OUTCOMES OF THIS UNIT
6.1 Introduction | Understand and discuss risk monitoring and control
6.2 Previously Unidentified Risks | Understand processes to identify previously unidentified risks
6.3 Tools and Techniques for Risk Monitoring & Control | Utilise tools and techniques for risk monitoring and control
6.4 Common Errors in Project Risk Management | Avoid common errors in project risk management

Prescribed / Recommended Readings

• Kloppenborg, T.J. 2015. Contemporary Project Management: Organise/Plan/Perform. 3rd ed. Australia: Cengage.
• Gido, J. and Clements, J.P. 2015. Successful Project Management. 6th ed. USA: Cengage Learning.
• Larson, E.W. and Gray, C.F. 2017. Project Management: The Managerial Process. 7th ed. New York: McGraw-Hill.
• PMI. 2017. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 6th ed. Pennsylvania: Project Management Institute.
• Van der Walt, G. and Williams, F. 2015. A Guide to Project Management. 2nd ed. SA: Juta and Company Ltd.


6.1 Introduction
All too often, project managers and team members get caught up in the day-to-day tasks of implementing new
projects and forget the critical need to monitor and assess progress. Planned risk responses that are included in
the project management plan are executed during the life cycle of the project, but the project work should be
continuously monitored for new, changing, and outdated risks. Throughout the implementation process (and after
it), managers must periodically assess progress against implementation milestones and project goals. Project risks
do not remain static once the risk planning processes are completed. New risks crop up, responses may not work
as planned and the characteristics of the risk might change. It is therefore imperative to continually monitor and
control the project risks.

Project monitoring and risk control is the process of implementing risk response plans, tracking identified risks,
monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project
(PMI, 2017). A risk management plan is developed during project planning to guide risk monitoring and controlling
activities. A risk register is also generated to record each identified risk, its priority, potential causes, and potential
responses. Both the risk management plan and the risk register are used to monitor and control project risks, and
to resolve them when they occur (Kloppenborg, 2015:387).

Performance information generated during project execution is used to determine if:
• Implemented risk responses are effective,
• Level of overall project risk has changed,
• Status of identified individual project risks has changed,
• New individual project risks have arisen,
• Risk management approach is still appropriate,
• Project assumptions are still valid,
• Risk management policies and procedures are being followed,
• Contingency reserves for cost or schedule require modification, and
• Project strategy is still valid (PMI, 2017:454).

The outcomes of this ongoing process are:


• new risks are identified, analysed and planned for,
• identified risks are tracked,
• existing risks are reanalysed,
• trigger conditions for contingency plans are monitored,
• execution of risk responses is reviewed, and
• change is managed (PMBOK 2017: 264).


The resulting outputs of the process are:


• risk register updates,
• organizational process assets updates (such as lessons-learned information that might help future projects),
• change requests, and
• updates to the project management plan and other project documents (Kloppenborg, 2015:285).

6.2 Previously Unidentified Risks


On some projects, the majority of risk events that materialize are ones that the project team has previously
identified. Efforts needed on these risks largely include (Kloppenborg, 2015:387):
• tracking the identified risks,
• executing the response plans, and
• evaluating their effectiveness.

On other projects, however, many unanticipated risks may materialize partly because risk planning was not at the
appropriate level. It could also be the result of a risk being so improbable that it could not have been foreseen
and planned for. In either event, specific contingency plans may not be in place to deal with these risks. Identifying
these new risks is vital—and the sooner the better (Kloppenborg, 2015:387).
Two categories of project management methods can help to deal with previously unidentified risks:
• The project team may recognize that unknown risks may surface, and may add contingency reserve of time,
budget, and/or other resources to cover these unknowns. Good project practice suggests a need for this. The
amount of cost and budget reserves that are included can vary extensively. Competitive pressures often
dictate a lower limit on reserves than project managers may prefer.

• There are many good practices that project managers often utilise. These practices are classified according
to whether the team has
o full control,
o partial control, or
o no control over the events,
as illustrated in Figure 6.1. The second column deals with risks partially within a project manager’s control:
a project manager cannot completely control many situations, but good leadership and ethics come in handy
in getting the team and stakeholders to take ownership of dealing with the risks.


Figure 6.1: Example of the Strategies to Respond to a Project Risk

Source: Kloppenborg (2015:388)

6.3 Tools and Techniques for Risk Monitoring and Control


Project teams often have to work around unplanned responses to risk events when they do not have contingency
plans in place. Other tools and techniques to effect risk monitoring and control include:
• process flow charts,
• risk audits,
• variance and trend analysis,
• technical performance measurements,
• reserve analysis,
• status meetings, and
• periodic risk reviews such as the Top Ten Risk Item Tracking method (Kloppenborg, 2015:285).


6.3.1 Process Flow Charts


The key to effective project control is to:
• measure actual progress and compare it to planned progress on a timely and regular basis
• take corrective action immediately if necessary

Figure 6.2: Process Flow Chart for Monitoring and Controlling Project Risks

6.3.2 Risk Audits
Risk audits review the overall risk management policies, procedures and processes. Audits review the
effectiveness of the project risk management plan. They also assess whether the risk response actions have been
effective and what impact they had on the project’s overall risk level (Kloppenborg, 2015:285).

6.3.3 Variance and Trend Analysis


This activity uses performance data to indicate or confirm that threats or opportunities are occurring and can also
be used to forecast project success in meeting budget, time or quality objectives based on risk factors.

Variance analysis reviews the differences (or variance) between planned and actual performance - duration
estimates, cost estimates, resources utilization, resources rates, technical performance, and other metrics. It may
be conducted in each Knowledge Area based on particular variables. Variances are reviewed from an integrated
perspective considering cost, time, technical, and resource variances in relation to each other to get an overall
view of project variance. This allows for the appropriate preventive or corrective actions to be initiated (PMI,
2017:111).
Trend analysis is used to forecast future performance based on past results (PMI, 2017:111). Expected slippages
are identified ahead of time and the project manager is warned that there may be problems later in the schedule if
established trends persist. Any anomalies may be corrected by the project team in time if presented to them early
enough in the project life cycle. The results of trend analysis can be used to recommend preventive actions if
necessary (PMI, 2017:111).

6.3.4 Technical Performance Measurements


This activity compares the project objectives with what is actually being displayed in the deliverables and looks for
deviation. Deviations can be caused by the deliverable progress being ahead or behind schedule or it can be due
to extra or missing requirements. A regular check of the external environment is also important to ensure that you
know if your plans are being affected by it (PMI, 2017:111). Also remember that the environment in which you
operate changes continually, potentially exposing new risks that you have not noticed before. Thus, you should
execute a condensed version of the risk identification step on a regular basis. You need to build this re-identification
into your plans.
The following types of metrics may be used to monitor progress on risk management plans:
• Monitoring expected losses for your managed risks (if the action plans are working, expected losses should
be declining);
• Reviewing the number of risks successfully being prevented, which provides a reliable method of determining
prevention plans’ effectiveness;
• Reviewing the number of impacts successfully being mitigated when risk events do occur, which indicates
the health of your contingency plans; and
• Noting new risks appearing in your analyses, which indicate that you are remaining in touch with changes in
your project environment (PMI, 2017:111).

6.3.5 Reserve Analysis


Reserve analysis makes sure that an adequate contingency reserve is available for risks. Contingency reserves
(schedule reserves) are tapped for risk contingency and fall-back plans, and one or two costly risks may deplete
the reserve, making the project susceptible to funding or scheduling deficiencies if additional problems arise. The
contingency reserve may be a percentage of the estimated activity duration or a fixed number of work periods.
Contingency reserves may be separated from the individual activities and aggregated. As more precise information
about the project becomes available, the contingency reserve may be used, reduced, or eliminated. Contingency
should be clearly identified in the schedule documentation (PMI, 2017:202).

Estimates may also be produced for the amount of management reserve - a specified amount of the project budget
withheld for management control purposes and reserved for unforeseen work within the project scope. They are
intended to address the unknown-unknowns that can affect a project. This reserve is not included in the schedule
baseline, but is part of the overall project duration requirements. Use of management reserves may require a
change to the schedule baseline as the contract terms dictate (PMI, 2017:202).


6.3.6 Status Meetings


Risk discussions should be embedded in all regular project meetings, as the first signs of a change in risk levels,
or of new risks, are usually discovered by the project team.

The project team may hold meetings to estimate activity durations. “When using an agile approach, it is necessary
to conduct sprint or iteration planning meetings to discuss prioritized product backlog items (user stories) and
decide which of these items the team will commit to work on in the upcoming iteration. The team breaks down user
stories to low-level tasks, with estimates in hours, and then validates that the estimates are achievable based on
team capacity over the duration (iteration)” (PMI, 2017:203). This meeting is usually held on the first day of the
iteration and is attended by the product owner, the Scrum team, and the project manager. The outcome of the
meeting includes an iteration backlog, as well as assumptions, concerns, risks, dependencies, decisions, and
actions (PMI, 2017:203).

6.4 Common Errors in Project Risk Management


Several common errors in project risk management often result in delayed or unsuccessful achievement of project
objectives. The project team should be mindful of these common errors and use the lessons learnt from past
projects as a guide to best practice. The following are the major common project risk management
errors:
• Greatest risks are often overlooked;
• Inappropriate attention given to one risk over another;
• Risk ID – most critical step in risk management - poorly done;
• Risks identified general & not specific in nature;
• Contracts usually signed off before project risks discussed;
• No support for risk management from management & other stakeholders; and
• No lessons learnt report is generated (PMI: 2017).


Case Study: Risk Policies in Project Russia


This case study reviews some of the major risk management tactics used in a typical war
project: Napoleon’s war with Russia in 1812. The war outcome had a stunning end and
caused turbulent ramifications for the European map. A lot of ink was poured to explain
the destruction of Napoleon’s forces, known as the Grand Army, and experts only agreed
on the fact that the Russian winter had a major impact on the war outcome. In the study,
we take a risk view of the war conflict.

Misery and Death Waited the Grand Army


For Napoleon, many dilemmas stayed unresolved even after entering Russia. He looked
amazed by the glory awaiting conquerors of Russia but at the same time he was painfully
aware that he might make the same error Charles XII, Swedish military genius, committed
one century earlier — attacking the Russians in the winter. Listen to what Count de Segur,
who was with him in Russia, has to say about that. “The last days of July and the first
ones of August in 1812 were stiflingly hot in Vitebsk. In the old city palace Napoleon
Bonaparte, Emperor of the French, prowled restlessly from room to room in his
undergarments. His mind, brilliant author of 12 years of triumphs and 20 famous victories,
was torn between prudent counsel to encamp now against the coming winter and bold
counsel to march straight on to Moscow. So he paced . . . in this state of perplexity he
spoke a few disconnected words . . . ‘Well, what are we going to do?’ ‘Shall we stay here?’
‘Shall we advance?’ ‘How can we stop on the road to glory?’

For 15 torrid days, Napoleon groaned under the weight of his thoughts. By night he tossed
his coat, arising frequently from his biography of Charles XII — he would never . . . He
shouted, ‘I’ll never repeat the folly of Charles.’” Instead of the glory, misery and death
were awaiting the Grand Army by the time it exited the “sacred soil of Russia”, as the
Russians had the habit of saying in Kovno, December 13, 1812. Segur was a witness:
“Instead of the four hundred thousand soldiers who fought so many successful battles with
them, who had rushed so valiantly into Russia, they saw issuing from the white, ice-bound
desert only one thousand soldiers and troopers still armed and twenty thousand being
clothed in rags, with bowed head, dull eyes, ashy, cadaverous faces, and long ice-stiffened
beards . . . And, this was the Grand Army!” So, 380,000 soldiers of the Grand
Army perished. How was this possible? Do the risk planning practices of Napoleon have
anything to do with this? Let’s review major events and practices in turn.


Background
The underlying cause of almost each war tends to be of an economic nature. This war, in
Europe from the beginning of the 19th century, is no exception. The three strategic players
to the conflict are the great powers of England, France, and Russia. France and England
are major rivals and contenders for the central place in Europe. One more power is
involved — Russia. The main hero of this conflict who was heavily favoured to win this war
was France. How was the strategic triangle formed? The French wanted to execute their
economic blockade of England, reduce their goods from European markets, and thus stifle
the economy of the country. The French threatened to attack any country that would
violate the blockade. Candidates for such a violation risked war with Napoleon’s Grand
Army, the most famous army of its time.

To beat Russia was a big feat for each army; a trophy for every general. Napoleon had
already defeated all armies he could dream of. But nobody had beat Russia! To be truthful,
many famous warriors had tried but the Russian winter proved to be an invincible
opponent and a major ally of Russia. Some lived to send the message about what they
learned to potential invaders. Swedish King Charles XII, known as Charles the Madman,
the warrior with the pedigree, in 1709 attacked Russia in the winter, lost the whole army,
and proclaimed in writing: Don’t attack Russia in the winter! But future invaders did not
listen.

Napoleon saw Russia as a great trophy. Yes, alleged Russian violation of the blockade
was used for the proxy cause of his attack, but this had not been proven. Some rumours
circulated that said that Napoleon, the second most successful general of all time
(Alexander the Great was considered the first), dreamed of overtaking Alexander the
Great, and becoming number 1. Possible, but such were ambitions of Napoleon, who was
often called the Anti-Christ and the tormentor of Europe. In truth, the Grand Army was
made up of all European nations. There were, for example, 79,000 Bavarian, Italian, and
French soldiers and 34,000 Austrian soldiers. The Grand Army was a microcosm of
European armies. But they did not volunteer in the army; they had to serve because their
country was subdued by France. In case of Napoleon’s serious defeat, his army could face
the rebellion of the foreign soldiers which meant that war carried the potential for freeing
Europe from the domination of Napoleon.

Lastly, winds of bourgeois revolution were felt throughout Europe. Napoleon’s
expectations were that Russian farmers would accept their own revolution and that they
would take his side. He was incorrect, although he hoped to export the revolution and
expand its ideas.

It Started Long Before the War Began


Paris balls and parties as social gatherings were very much appreciated and among the
best of their kind in Europe. The winter balls were especially good. People who typically
frequented the balls were nobility and the politically elite. If you had gone to a classy Paris
ball you would have had a chance to see some very well-known and powerful people.
There was a hierarchy of balls, that depended on the power of or historic strength
(tradition) of the host or the list of invitees. The higher those were, the higher significance
of the ball. If Napoleon was in attendance, the ball would be of the first level of hierarchy.
Such are the reasons that balls and parties of a higher rank were used to host the people
with high intelligence knowledge, and so were automatically suitable for gathering
intelligence data.

People of Russian nobility and the politically elite used to be frequent guests of these balls
and parties. And they fit very well. Be reminded that the higher class in Russia had
spoken French as a first language. So, Russians felt at home in Paris. As people with
strong social capital they liked to mingle with the French crowd of high social standing, and
were constantly invited to the balls. Napoleon liked to frequent the balls. He had a specific
question for the high military visitors from Russia who were there: “What would you do if
you commandeered the Russian Army and I attacked you (with the Grand Army)?”
Different visitors gave him different answers, often made up. But some replied extremely
truthfully like general Beniggsen, who happened to be the commanding officer of the
Russian army at the time of Napoleon’s attack. He was asked by Napoleon and his answer
was exactly what he would do a few years later: “I would never fight your army back, it is
too strong; I would retreat and retreat, waiting for the winter to finish you.” It is not clear
how Napoleon processed this information nor whether he believed it. But it is a fact that
Napoleon had a sparrow in his hand, whether consciously knowing it or not.

Lessons of The Past


During the times of Charles XII, one of the greatest secrets was the size of the population
of Sweden. Why? The King did not want anyone outside the country to know just how
many people lived in his country who were available to fight in a war. That number would
actually show a small country that does not have the population that supports its war
policies. Despite a ferocious reputation, Swedish soldiers, whose ancestors the Vikings
also enjoyed standing of exceptional fighters, would be defeated more frequently should
their enemies know how many Swedish opponents they faced in the long term.

In the beginning of the 18th century, Charles found himself in the long war with Peter the
Great, the Russian tsar. Charles dominated the Baltics, where Peter wanted to build the
Russian fleet which would become the influential force. After several smaller victories of
Charles’ army, the major battle took place in 1709 near the river Poltava. Charles’ army
was not only defeated but it was destroyed. The ruler Charles managed to flee southward
to Russian arch nemesis Turkey. He published a book (actually his aide authored the book)
whose major message to future invaders of Russia was very simple: “Don’t attack Russia
in the winter . . .” Napoleon not only read the book carefully but liked to be seen reading
it over and over. He tried to serve as an example to his generals and made sure they read
the book and understood the experiences of Charles. In fact, the book had immeasurable
value for the Grand Army. In terms of risk planning processes, Napoleon used the book in
a proper way, at least initially.

Russian Winter
In a simplified manner, first, judging by the campaigns before Russia, e.g., Egypt, as usual,
Napoleon did not have but the slightest of sketches about how to direct the war against
Russia. Troops were told that Napoleon was burning from desire to have the decisive battle
against Russians as soon as possible, defeat them, and make them surrender. Over! And
all of that was to happen before the infamous Russian winter came. The Russian strategy
was diametrically opposed. Exactly like general Beniggsen — German by origin at the time
of the vision — the commander of the Russian army predicted they would retreat, retreat,
and retreat (surprisingly Segur observed that “there was more order in their victory than in
our victory.”) and told his troops to avoid a decisive battle as much as possible, and wait
for the Russian winter to come and help finish off French forces. Well, two strategies look
very mutually exclusive, if one happens, that one excludes the other. Let’s see how the
two strategies unfolded in several risk events.

On June 20, 1812, unknown to the Russians, the multinational Grand Army entered
Russian territory. To their surprise they were able to set foot on Russian soil without
meeting with any resistance. They found peace there: they had left war on their side.
However, a single Russian officer commanding a night patrol soon appeared. He asked
the intruders who they were. ‘Frenchmen,’ they told him. ‘What do you want?’ he
questioned further. ‘And why have you come to Russia?’ One of the sappers answered
bluntly, ‘To make war on you!’ While a stealthy entry was favourable to the Grand Army
from the aspect of having the opposing army surrender, it was not so. Namely, for an army
to surrender, it has to be formed, which the Russian Army was not.

The battle of Borodino lasted one day and was the only battle in the war of greater interest,
but was not the decisive battle. That occurred on September 7, 1812, 79 days after entry
of the Grand Army into Russia. The battle had an enormous number of casualties — 43
generals of the Grand Army were wounded or killed; 20,000 killed or wounded troops —
but failed to produce a clear winner, although the Russians went back to their retreating
strategy and disappeared for a time. In strategy terms, Napoleon’s officers believed that
their army made a big mistake, not keeping in contact, chasing the opponent and trying to
destroy them. Instead, they regrouped allowing the Russians to take off. So Napoleon had
a chance to finish the war early enough to avoid the trouble of winter. Apparently, Napoleon
had no great desire to accelerate his army and force a decisive battle.

So the Russians continued to buy time and kept waiting for winter to do its job, increasing
Napoleon’s war risk.

Napoleon entered a burned and deserted Moscow on September 14, 1812. The Russians
destroyed the city in order to prevent the Grand Army from using Moscow supplies. At this
season of the year, Russia is fully aware of his advantage. From there they continued to
negotiate the Russian surrender who did not intend to surrender but again, buy time. As
Segur says, “Thus far Napoleon had conquered only space.” The retreating Russian armies
were in front of him and Moscow was but 20 days away. In a situation, when every date
meant a lot for survival of the Grand Army, the Russians outsmarted Napoleon and opened
the possibility of winning the war. Again, Napoleon did not show a willingness to change
strategy and catch the Russians, thus reducing their risk. Amazing was the French lack of
attention to details and no contingency plan.

Risk Treatment
It is interesting to observe how the best of the best, for instance, the Grand Army, follow
the normal risk policy which, in this case, would be among one of the widely accepted
policies such as PMBoK. It has six processes: risk management planning, risk
identification, qualitative risk analysis, quantitative risk analysis, risk response planning,
and risk monitoring and control.


Grand parties and balls, as a place for top intelligence, probably covered the processes of
risk management planning and risk identification, more so than, say, qualitative risk
analysis. There were no indications that risk events like a retreating strategy and the
Russian winter were subjected to risk analysis, risk response planning, or risk monitoring
and control. No details in Segur’s book hint to a mitigation or adaptation of the military
strategy to account for Russian continuous retreating as a valid military strategy. Hence,
at best, the French heard about Russian intentions in terms of a Russian approach, but
did not take the action to prevent that or learn to move the soldiers faster.

As for the writings of Charles XII, they had significant influence among the top officers of
the Grand Army. How significant? He did some sort of risk management planning and
identified risks such as those offered in the book and he assessed risks qualitatively by
describing the heavy impact of the season. However, we don’t see that Napoleon did any
risk analysis, let alone response planning or taking any risk monitoring and control steps.
Napoleon didn’t make any adaptation in his military strategy to not be facing the Russians
during winter.

Nor did he quit after studying the message of Charles to not attack Russians during winter.
If we take Napoleon’s approach as insufficient, we conclude that he didn’t really listen to
Charles’ advice. Probably, he saw the quality of his Grand Army as incomparably higher
than the one of the Swedish. The fact is, then, that the analysts considered the French
advantage to be a better army, but the Russians had familiarity of terrain and climate.
Maybe Napoleon was right, maybe not, in leading his soldiers to death. Speaking of the
Borodino, the battle there had enormous importance. Technically viewed, it is not known
whether any steps in a risk analysis were even considered.

This means that risk management planning, risk identification, qualitative risk analysis,
quantitative risk analysis, risk response planning, and risk monitoring and control were not
considered relevant. But wait a minute, Napoleon’s decision at Borodino to allow the
Russians to run away made some of his generals angry and some spoke of treason. Maybe
French nationalism played a role, or maybe Napoleon thought there had to be one more
battle to settle the account, but the mistake to let the Russians go and not make it the
central piece of their risk strategy were blunders.

The French didn’t have the luxury of seeing such a chance again. The importance of an
empty and burned Moscow, aside from public relations, had one more cause of
importance. This was a time for diplomatic moves, to have a Russian surrender. Napoleon
thought that the Russians did not want to surrender but only pretended to. He believed,
and some French generals as well, that at this point Russians had the advantage.
“Napoleon entered Moscow with only 90,000 troops.” Russians played this negotiation
game, just for one reason — to buy time and prolong the French stay on Russian soil until
the winter would finish them off. In such conditions, PMBOK’s six risk policies did not have
their usual significance. More accurately, the French ship had already sunk enough by
then, and it was time for the Russians to secure the win.

Source: Milosevic (2014)

1. Identify major risk events, perform risk analyses, and develop risk response plans.

2. In your opinion, how did Napoleon control each of the major risk events on your list?

3. Do you think the way in which Napoleon controlled risks related to major risks
influenced the war outcome?

Knowledge Check Questions

1. What is the purpose of project risk monitoring and control?


2. Discuss the outcomes of the project risk monitoring and control process.
3. Where will a project team member find the common errors in project risk
management?
4. Discuss any three tools and techniques used for project risk monitoring and
control.


Answers to Revision Questions


Unit One: Introduction to Project Risk Management

1. From a project of your choice, discuss 5 potential risks that may negatively impact the project.
Responses may vary.
2. Articulate what the benefits of project risk management are using examples from a project of your choice.
There are many benefits to project risk management. A few benefits are listed below:
• Proactive rather than reactive approach
• Reduces surprises & negative consequences
• Prepares project manager to take advantage of appropriate risks (opportunities)
• Provides better control over future events.
• Improves chances of reaching project objectives within budget, on time & to quality standards
3. What would be the risk of not adhering to the risk management principles when planning for project risk
management?
Common errors in risk management will be engaged in, resulting either in project delays, increases in costs and
quality defects or project failure.

Unit Two: Plan Risk Management

1. Justify the statement that “The essence of project management is risk management”
All planning on a project has its intents on preventing uncertainties, on ensuring that the project objectives are
delivered successfully and ultimately, on increasing stakeholder satisfaction. Larson and Gray (2017:234) support
their statement above by emphasising that:
o project selection tries to reduce the likelihood that projects will not contribute to organisational strategy;
o project scope statements are designed to avoid costly misunderstandings and to reduce scope creep;
o risk breakdown structures reduce the likelihood that important parts of the project will be omitted or that the
budget estimates are unrealistic;
o teambuilding reduces the likelihood of dysfunctional conflict and breakdowns in coordination;
All of the above processes try to increase the probability of project success. Project managers therefore
need to plan for risk management in order to mitigate the uncertainty inherent in project management.

2. What are the general topics that any project risk management plan should address?
Importance is placed on role clarification and responsibilities, budget preparation and schedule estimates for risk-
related work, and on identifying risk categories for consideration. How risk management will be done should also
be clearly laid out. This should include risk probabilities and impacts assessment as well as developing risk
related documentation. The needs of the project will determine the level of detail to be included in the risk
management plan.


3. Discuss the inputs, tools and techniques, and the outputs of the risk management process as prescribed by
the PMI.

Project charter

Meetings
Stakeholder register

4. Explain the curve on the Risks in the Project Life Cycle graph.
The chances of a risk event occurring are greatest in the concept, planning, and start-up phases of the project
(Larson and Gray, 2017:212). A risk occurring early in the project life cycle has a lower cost than a risk occurring
later in the project life cycle. The cost of a risk event occurring increases rapidly and is at its highest as the project
passes halfway through the project life cycle during implementation.

Larson and Gray (2017:212) quote an example as follows: the risk event of a design flaw occurring after a prototype
has been made has a greater cost or time impact than if the event occurred in the start-up phase of the project. It
is therefore prudent for the project team to plan for risk events and decide on appropriate responses before the
project begins.

5. Discuss the guidelines for ensuring the successful implementation of project risk management.
The ten golden rules of project risk management provide a set of guidelines on how to implement risk management
successfully in projects.

Rule 1: Make Risk Management Part of Your Project:


The first rule is essential to the success of project risk management. If you don't truly embed risk management in
your project, you cannot reap the full benefits of this approach. You can encounter a number of faulty approaches
in companies. Some projects use no approach whatsoever to risk management. They are either ignorant, running
their first project or they are somehow confident that no risks will occur in their project (which of course will happen).
Some people blindly trust the project manager, especially if he (usually it is a man) looks like a battered army
veteran who has been in the trenches for the last two decades. Professional companies make risk management
part of their day to day operations and include it in project meetings and the training of staff.

Rule 2: Identify Risks Early in Your Project:


The first step in project risk management is to identify the risks that are present in your project. This requires an
open mindset that focuses on future scenarios that may occur. Two main sources exist to identify risks: people
and paper. People are your team members that each bring along their personal experiences and expertise. Other
people to talk to are experts outside your project that have a track record with the type of project or work you are
facing. They can reveal some booby traps you will encounter or some golden opportunities that may not have
crossed your mind. Interviews and team sessions (risk brainstorming) are the common methods to discover the
risks people know. Paper is a different story. Projects tend to generate a significant number of (electronic)
documents that contain project risks. They may not always have that name, but someone who reads carefully
(between the lines) will find them. The project plan, business case and resource planning are good starters. Other
categories are old project plans, your company Intranet and specialized websites.

Are you able to identify all project risks before they occur? Probably not! However, if you combine a number of
different identification methods, you are likely to find the large majority. If you deal with them properly, you have
enough time left for the unexpected risks that take place.

Rule 3: Communicate About Risks:


Failed projects show that project managers in such projects were frequently unaware of the big hammer that was
about to hit them. The frightening finding was that frequently someone in the project organisation actually did see
that hammer, but didn't inform the project manager of its existence. If you don't want this to happen in your project,
you had better pay attention to risk communication.

A good approach is to consistently include risk communication in the tasks you carry out. If you have a team
meeting, make project risks part of the default agenda (and not the final item on the list!). This shows risks are
important to the project manager and gives team members a "natural moment" to discuss them and report new
ones.

Another important line of communication is that of the project manager and project sponsor or principal. Focus
your communication efforts on the big risks here and make sure you don't surprise the boss or the customer! Also
take care that the sponsor makes decisions on the top risks, because usually some of them exceed the mandate
of the project manager.


Rule 4: Consider Both Threats and Opportunities:


Project risks have a negative connotation: they are the "bad guys" that can harm your project. However, modern
risk approaches also focus on positive risks, the project opportunities. These are the uncertain events that are
beneficial to your project and organisation. These "good guys" make your project faster, better and more profitable.

Unfortunately, lots of project teams struggle to cross the finish line, being overloaded with work that needs to be
done quickly. This creates project dynamics where only negative risks matter (if the team considers any risks at
all). Make sure you create some time to deal with the opportunities in your project, even if it is only half an hour.
Chances are that you see a couple of opportunities with a high pay-off that don't require a big investment in time
or resources.

Rule 5: Clarify Ownership Issues:


Some project managers think they are done once they have created a list with risks. However, this is only a starting
point. The next step is to make clear who is responsible for what risk! Someone has to feel the heat if a risk is not
taken care of properly. The trick is simple: assign a risk owner for each risk that you have found. The risk owner
is the person in your team that has the responsibility to optimise this risk for the project. The effects are really
positive. At first people usually feel uncomfortable that they are actually responsible for certain risks, but as time
passes they will act and carry out tasks to decrease threats and enhance opportunities.

Ownership also exists on another level. If a project threat occurs, someone has to pay the bill. This sounds logical,
but it is an issue you have to address before a risk occurs. Especially if different business units, departments and
suppliers are involved in your project, it becomes important who bears the consequences and has to empty his
wallet. An important side effect of clarifying the ownership of risk effects is that line managers start to pay attention
to a project, especially when a lot of money is at stake. The ownership issue is equally important with project
opportunities. Fights over (unexpected) revenues can become a long-term pastime of management.

Rule 6: Prioritise Risks:


A project manager once told me "I treat all risks equally." This makes project life really simple. However, it doesn't
deliver the best results possible. Some risks have a higher impact than others. Therefore, you had better spend your
time on the risks that can cause the biggest losses and gains. Check if you have any showstoppers in your project
that could derail your project. If so, these are your number 1 priority. The other risks can be prioritised on gut
feeling or, more objectively, on a set of criteria. The criteria most project teams use are the effects of a
risk and the likelihood that it will occur.
Whatever prioritisation measure you use, use it consistently and focus on the big risks.


Rule 7: Analyse Risks:


Understanding the nature of a risk is a precondition for a good response. Therefore, take some time to have a
closer look at individual risks and don't jump to conclusions without knowing what a risk is about.

Risk analysis occurs at different levels. If you want to understand a risk at an individual level it is most fruitful to
think about the effects that it has and the causes that can make it happen. Looking at the effects, you can describe
what effects take place immediately after a risk occurs and what effects happen as a result of the primary effects
or because time elapses. A more detailed analysis may show the order of magnitude effect in a certain effect
category like costs, lead time or product quality. Another angle to look at risks is to focus on the events that
precede a risk occurrence, the risk causes. List the different causes and the circumstances that decrease or
increase the likelihood.

Another level of risk analysis is investigating the entire project. Each project manager needs to answer the usual
questions about the total budget needed or the date the project will finish. If you take risks into account, you can
do a simulation to show your project sponsor how likely it is that you finish on a given date or within a certain time
frame. A similar exercise can be done for project costs.

The information you gather in a risk analysis will provide valuable insights in your project and the necessary input
to find effective responses to optimise the risks.

Rule 8: Plan and Implement Risk Responses:


Implementing a risk response is the activity that actually adds value to your project. You prevent a threat occurring
or minimise negative effects. Execution is key here. The other rules have helped you to map, prioritise and
understand risks. This will help you to make a sound risk response plan that focuses on the big wins.

If you deal with threats you basically have three options: risk avoidance, risk minimisation and risk acceptance.
Avoiding risks means you organise your project in such a way that you don't encounter a risk anymore. This could
mean changing supplier or adopting a different technology or, if you deal with a fatal risk, terminating a project.
Spending more money on a doomed project is a bad investment.

The biggest category of responses is the ones to minimise risks. You can try to prevent a risk occurring by
influencing the causes or decreasing the negative effects that could result. If you have carried out rule 7 properly
(risk analysis) you will have plenty of opportunities to influence it. A final response is to accept a risk. This is a
good choice if the effects on the project are minimal or the possibilities to influence it prove to be very difficult,
time consuming or relatively expensive. Just make sure that it is a conscious choice to accept a certain risk.


Responses for risk opportunities are the reverse of the ones for threats. They will focus on seeking risks,
maximising them or ignoring them (if opportunities prove to be too small).

Rule 9: Register Project Risks:


This rule is about bookkeeping (however, don't stop reading). Maintaining a risk log enables you to view progress
and make sure that you won't forget a risk or two. It is also a perfect communication tool that informs your team
members and stakeholders what is going on (rule 3).

A good risk log contains risk descriptions, clarifies ownership issues (rule 5) and enables you to carry out some
basic analyses with regard to causes and effects (rule 7). Most project managers aren't really fond of
administrative tasks, but doing your bookkeeping with regard to risks pays off, especially if the number of risks
is large. Some project managers don't want to record risks, because they feel this makes it easier to blame them
in case things go wrong. However, the reverse is true. If you record project risks and the effective responses you
have implemented, you create a track record that no one can deny. Even if a risk happens that derails the project.
Doing projects is taking risks.

Rule 10: Track Risks and Associated Tasks:


The risk register you have created as a result of rule 9 will help you to track risks and their associated tasks.
Tracking tasks is a day-to-day job for each project manager. Integrating risk tasks into that daily routine is the
easiest solution. Risk tasks may be carried out to identify or analyse risks or to generate, select and implement
responses.

Tracking risks differs from tracking tasks. It focuses on the current situation of risks. Which risks are more likely
to happen? Has the relative importance of risks changed? Answering these questions will help to pay attention to
the risks that matter most for your project value.

These ten golden rules can always be improved upon. Therefore, rule number eleven would be to use the
Japanese Kaizen approach: measure the effects of your risk management efforts and continuously implement
improvements to make it even better.


Unit Three: Identify Risks

1. Generate a list of all possible risks that can occur during the project tenure in a project of your choice using
the brainstorming risk identification method.
Responses may vary.
2. Categorise the identified risks into the different risk classification areas.
Responses may vary.
3. Google what a Risk Breakdown Structure is and compile one for the project chosen in question one.

4. Expert judgement techniques have the potential for bias in risk identification. What are the various factors
affecting the bias?
Factors affecting the bias include:
• Overconfidence in one’s ability.
• Insensitivity to the problem or risk.
• Motivation.
• Proximity to project.
• Recent event recall.
• Availability of time.
• Relationship with other experts.

Unit Four: Perform Risk Analysis

1. Describe what needs to be done to manage risk on a project.


To manage risk on a project, the risks need to be identified and assessed to determine the impact and likelihood of the
risk's occurrence.

2. Describe what needs to be done to manage risk on a project.


Identification and assessment of risk occurs throughout the project.


3. When should this be done?


Project team meetings are good times to review risks and the risk management plan.

4. How can a risk assessment matrix help in this process?


The risk assessment matrix helps the process by organizing the identified risks and assessing the risks' impact,
likelihood, degree of impact, and the action trigger for the risk. It also identifies who is responsible and the
response plan.

5. What risks for a project have the highest priority?


Risks that have the highest priority are those on the critical path and those that have a high degree of impact and
a high likelihood of occurrence.

6. Does the priority for a risk change as the project progresses?


Yes, the priority of a risk can change as the project progresses by increasing in priority or decreasing in priority
due to project changes related to the risk.

Unit Five: Plan Risk Responses

1. For a project in which you are planning a campus event with a well-known speaker, identify and quantify
risks and develop contingency plans for the major risks.
Responses may vary but should include the following headings:

RISK RESPONSE PLAN

Risk No. | Risk Element (Description) | Risk Response | Contingency Plan | Risk Trigger | Responsible Person

2. What is an example of transferring risk?


Insurance.
3. In the risk register, why should only one person be assigned “owner” of a risk?
For accountability.
4. Which three risk strategies are used specifically for dealing with opportunities?
Enhance, Share, Exploit Risks


5. You are hosting a large dinner party. What are two possible risks you would encounter? Identify at least one
trigger condition for each.
Responses may vary.
6. List and briefly explain the eight common risk responses that are used. Describe how you might use two or
three of them together on a project.
Accept, Mitigate, Transfer, Avoid, Research, Enhance, Exploit and Share.
7. For the risks identified in question 1, identify trigger conditions that indicate each risk may be about to happen.
Responses may vary.

Unit Six: Monitor and Control Risks

1. What is the purpose of project risk monitoring and control?


The purpose of project risk monitoring and control is:
• Implemented risk responses are effective,
• Level of overall project risk has changed,
• Status of identified individual project risks has changed,
• New individual project risks have arisen,
• Risk management approach is still appropriate,
• Project assumptions are still valid,
• Risk management policies and procedures are being followed,
• Contingency reserves for cost or schedule require modification, and
• Project strategy is still valid (PMI, 2017:454)

2. Discuss the outcomes of the project risk monitoring and control process.
The outcomes of this ongoing process are:
• identified, analysed & planned new risks,
• identified risks are tracked,
• existing risks are reanalysed,
• trigger conditions for contingency plans are monitored,
• execution of risk responses is reviewed, &
• Change is managed (PMBOK 2017: 264).

3. Where will a project team member find the common errors in project risk management?
In a lessons learnt report and in the reports of past projects.
4. Discuss any three tools and techniques used for project risk monitoring and control.
Any three of the following tools and techniques may be discussed:
• process flow charts,
• risk audits,
• variance and trend analysis,
• technical performance measurements,
• reserve analysis,
• status meetings, and
• periodic risk reviews such as the Top Ten Risk Item Tracking method (Kloppenborg, 2015:285).


Bibliography
Bobade, A. 2015. Organisational Influence and Project Life Cycle. Available from: https://www.slideshare.net/anandbobade/pmp-chap-2-org-influence-and-project-life-cycle [Accessed: 10 February 2018].

Buckley, B. 2010. Feds and Contractor Share Blame for Afghan Delays. Engineering News-Record 264, no. 4 (2010): 16.

Chatterjee, P. 2010. Iraq Lessons Ignored at Kabul Power Plant. [online]. Available from: http://ipsnews.net/news.asp?idnews=50219 [Accessed: 22 March 2018].

Gido, J. and Clements, J.P. 2015. Successful Project Management. 6th ed. USA: Cengage Learning.

Haughey, D. 2018. Delphi Technique A Step by Step Guide. Available from: https://www.projectsmart.co.uk/delphi-technique-a-step-by-step-guide.php [Accessed: 10 February 2018].

IRMSA. 2017. South Africa Risks 2017. Sunninghill: IRMSA.

Jutte, B. 2018. 10 Golden Rules of Project Risk Management. Available from: https://www.projectsmart.co.uk/10-golden-rules-of-project-risk-management.php [Accessed: 10 February 2018].

Kloppenborg, T.J. 2015. Contemporary Project Management: Organise/Plan/Perform. 3rd ed. Australia: Cengage.

Larson, E.W. and Gray, C.F. 2017. Project Management: The Managerial Process. 7th ed. New York: McGraw-Hill.

Mar, M. 2018. Project Risks. Available from: https://management.simplicable.com/management/new/130-project-risks [Accessed: 10 February 2018].

Microsoft Corporation. 2008. Introduction to Monte Carlo simulation. [online]. Available from: http://office.microsoft.com/en-us/excel/HA011118931033.aspx [Accessed: 20 February 2018].

Pinterest. 2018. Identify Risk. Available from: https://www.google.co.za/dentify+risks+mindmap&oq=identify+risks+mindmap&gs [Accessed: 10 February 2018].

PMI. 2017. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 6th ed. Pennsylvania: Project Management Institute.

OGC. 2009. Managing Successful Projects with PRINCE2. London: TSO.

Van der Walt, G. and Williams, F. 2015. A Guide to Project Management. 2nd ed. SA: Juta and Company Ltd.
