Project Risk Management Module 2

Risk Management Plan

 Traditional Risk management is about finding potential problems before they

occur, developing strategies to eliminate or minimize the probability of their
occurrence, and implementing strategies to monitor the outcomes on the project.
 Contemporary Risk Management includes finding opportunities and developing
strategies to ensure that they occur, or at least to enhance the probability of the
opportunities occurring.
 The risk management plan describes how risk management will be structured and
performed.
o It determines what will happen throughout the rest of the process.
o It even describes how the process will occur, but not necessarily what will happen
because no details have been gathered yet
o . It is after the creation of the risk management plan has been created does the
work of at risk identification begin.

Process Main Goal

Plan Risk Defining how to conduct risk management activities for a project happens
Management right at the start and before the event occurs.
Identify Risks Identifying which risks may occur and documenting their key characteristics
is an essential next step.
Perform Conceptually analyzing the effects of identified risks on overall project
Qualitative objectives is an important analysis to perform. Qualitative analysis is done
Risk Analysis using words and can occur quickly.
Perform Numerically analyzing the effects of identified risks on overall project
Quantitative objectives is also a key analysis to perform. Quantitative analysis is done
Risk Analysis through counting and measuring and can take longer to complete.
Plan Risk Developing options and actions to enhance opportunities and reduce
Responses threats to project objectives is important. Risk response planning outlines
how the risk will be managed if it occurs
Implement Implementing risk response plans is also important. This occurs after the
Risk Responses planning, while the project is occurring.
Monitor Risk Monitoring residual risks, identifying new risks, and evaluating risk process
effectiveness throughout the project is always beneficial.

Defining the Risk

 The traditional Risk is "the potential of loss resulting from a given action, activity, and/or
inaction." This definition emphasizes two words:
 o Potential: Within the context of project risk management, the word "potential" is
typically replaced with the word "likelihood" or "probability."
o Loss: The word "loss" is typically replaced with either the word "consequence" or
"impact," both of which allude to negative outcomes.
 Risk- "An uncertain event or condition that, if it occurs, has a positive or a negative
effect on a project's objectives."
o Threats: Events that have potentially negative impacts are referred to as threats
o Opportunities: Events that have potentially positive impacts are referred to
as opportunities.

1. Threats and Opportunities in Project Risk Management:

o Emphasizes that managing project risk involves considering both threats and
opportunities, not just potential losses.
o Acknowledges that opportunities play a significant role in a comprehensive risk
management plan.
2. Categorizing Risks:
o Suggests that initial thinking about project risks is documented in the Project
Charter.
o Emphasizes the importance of exhaustive identification of risk events at the
project outset.
o Highlights the need for documenting identified risk events.
3. Organizing Risk Events:
o Recommends categorizing risk events to narrow the focus of analysis.
o Stresses the importance of assigning responsibility for handling different
types/categories of risk events.
4. Risk Register:
o Describes the risk register as the central working document for managing project
risks.
o Clarifies that the risk register documents all identified risk events, providing a
comprehensive record of potential project challenges.
Risk Breakdown Structure
 Risk Breakdown Structure (RBS) is a hierarchical tool used for categorizing project risks.
o It provides a structured framework to identify and group risks based on specific
causes that may lead to unsuccessful project execution.
o The RBS is organized hierarchically, with a top-level box labeled "Project"
branching into four main structures: Technical, External, Organizational, and
Project Management.
 Technical Branch:
 Breaks down into Requirements, Technology, Complexity and
Interfaces, Performances and Reliability, and Quality.
 External Branch:
  Breaks down into Subcontractors and Suppliers, Regulations, Market,
Customer, and Weather.
 Organizational Branch:
 Breaks down into Project Dependencies, Resources, Funding, and
Prioritization.
 Project Management Branch:
 Breaks down into Estimating, Planning, Controlling, and
Communication.
 This hierarchical structure allows for a detailed analysis of various aspects contributing
to project risk.
o The RBS can be used as a template, becoming an organizational asset for all
projects.
 it is versatile enough to be tailored to specific project needs. The RBS can
serve as a checklist, aiding in the identification and management of risks
throughout the project lifecycle.

Root Cause Analysis:

 After categorizing and describing risks, determining the root cause becomes essential.
 The "root cause" column in the risk register identifies the primary cause of risk events.
 Root cause analysis involves delving deeper into problems to understand why they occur.
Cause, Risk, and Effect:
 Cause is a fact or condition, risk is an uncertain event, and effect is a possible result or
impact on project objectives.
 Describes a cause-and-effect relationship where a cause leads to a risk, resulting in a
specific effect.
Risk Metalanguage:
  Introduces the concept of a "risk metalanguage," a language about language for
describing risk events.
 Enables effective communication in the project risk register, including severity ratings
and impacted project objectives.
Alternative Metalanguage for Describing Risks:
 Offers an alternative format: "<Risk> due to <Cause>" to articulate risks more succinctly.
 Examples include describing mobile phone test failures and COVID-19 disruptions using
this format.
Trigger:
 A trigger is an event or situation indicating an imminent risk occurrence, serving as a
warning.
 Illustrated with an example of a weather report warning about an upcoming snowstorm.

Potential Risks to Major Project Objectives:

 Project risks are linked to activities that could impact major project objectives, including
Schedule, Budget, Scope, and Quality.
 An impact on one objective may introduce risks to other objectives, creating
interdependencies.
Examples of Interdependencies:
 Quality (Technical) issues typically lead to scope changes, impacting schedule risk,
especially if near the critical path.
 Required Scope Changes usually result in project cost adjustments or risks.
 Schedule Issues can lead to cost risk, particularly if they affect the total project duration,
necessitating fast-tracking.
Decision-Making for Risk Response:
 To aid decision-making in responding to risks, having organizational process assets, such
as guidelines, is beneficial.
 The diagram outlines guidelines for
dealing with risks, suggesting that if the
probability is low but the impact is high,
avoiding the cause is a prudent response.
Qualitative and Quantitative Analysis

Risk Severity:
 Risk severity measures the relative importance of individual project risks, indicating their
seriousness or urgency.
 Severity is determined by two key components: the probability of occurrence and the
expected impact if the risk materializes.
 A quantitative equation exists to calculate risk severity based on known probability and
impact.
 Risk Severity = Probability x Impact
Components of Severity:
 Severity is a function of probability and impact, emphasizing the importance of
considering both factors in risk assessment.
Qualitative Assessment:
 Severity is often assessed qualitatively, using words like low, medium, or high.
 A table outlines project objectives and their qualitative severity levels, providing a
descriptive understanding of terms such as low, medium, or high in the context of cost,
schedule, scope, etc.
Importance of Qualitative Measures:
 Qualitative measures, expressed through words, offer a nuanced understanding of
severity and are commonly used to describe risk levels.
 The table enhances clarity by associating qualitative terms with specific project
objectives.

Project Very Low Low Moderate High Very High

Objective 0.05 0.10 0.20 0.40 0.80
Cost Insignificant Less than 5% 5–10% cost 10–20% cost Greater than
cost increase cost increase increase increase 20% cost
increase
Schedule Insignificant Schedule Overall Overall project Overall
schedule slippage less project slippage 10– project
slippage than 5% slippage 5– 20% schedule
10% slips greater
than 20%
Scope Scope Minor areas of Major areas Scope reduction Project end
decrease scope are of scope are unacceptable to item is
barely affected affected the client effectively
noticeable useless
Quality Quality Only very Quality Quality Project end
degradation demanding reduction reduction item is
 barely applications requires unacceptable to effectively
noticeable are affected client the client unusable
approval

How to Determine Risk Severity

Determining Risk Severity:

 Numerical assessment of risk severity involves assigning values to the probability and
impact of each risk event (Low-L, Medium-M, or High-H).
 The severity rating is obtained by multiplying the assigned probability rating with the
impact rating.
Challenges in Multiplying Words:
 Emphasizes the impossibility of directly multiplying words (e.g., LH), necessitating the
creation of tables that assign numeric values to word combinations (e.g., LH = M).
Establishing Probability and Impact Scales:
 Before assessing severity, organizations establish probability and impact scales, ensuring
consistency across projects.
 These scales may be standardized by the organization or developed by project
stakeholders, such as the project manager, sponsor, or customer.
 The scales provide guidelines for assigning relative risk-severity ratings to project risks.
Applicability of Scales:
 Emphasizes the importance of using the same set of scales for all risk events to ensure
relative comparisons.
 Different sets of scales would hinder the ability to compare risks as they are no longer
relative to each other.
Assessing Risk on the Risk Register:
 Once risk events are entered on the risk register, probability, impact, and severity can be
determined.
 Steps involve entering L, M, and H probabilities and impacts on the risk register, and
then determining severity using the established probability and impact scales.

Probability Impact Severity

Low Low Low
Low Medium Low
Low High Medium
Medium Low Low
Medium Medium Medium
Medium High High
igh Low Medium
 High Medium High
High High High

Assessing Risk Quantitatively:

 Quantitative risk analysis involves numerically analyzing the combined effect of
identified project risks and uncertainties on overall project objectives.
 Key benefit: Quantifies overall project risk exposure.
 Typically more suitable for large or complex projects rather than every project.
Process Similar to Qualitative Analysis:
 The steps for quantitative analysis are similar to qualitative analysis, with probability and
impact represented numerically.
Numerical Risk Severity:
 In quantitative analysis, risk severity is expressed as a numerical value, contrasting with
qualitative analysis where severity is assessed using words.
Objective of Quantitative Analysis:
 One objective is to analyze higher severity events and assign a dollar value to their
occurrence.
 Only high severity events (filtered from the initial risk events) proceed to quantitative
analysis, allowing for a more focused and detailed examination.
Selective Analysis:
 Not every risk event undergoes quantitative analysis; it is reserved for the subset of high
severity events identified during qualitative analysis.

Risk Responses
Responding to Risk:
 Responding to risk involves developing options, selecting strategies, and agreeing on
actions to address individual risk events and overall project risk exposure.
 Strategies are required for managing both negative and positive risks.
Risk Register Completion:
 The risk register serves as the main document for managing risks, with the risk response
being the final component in the register.
 The risk response column in the risk register is essential for understanding and
implementing strategies to address identified risks.
Responsibilities for Project Risk Management:
 Project Risk Management is everyone's responsibility and should be integrated into all
project processes.
 Roles and responsibilities for Project Risk Management must be clearly defined and
communicated to ensure accountability and results.
Project Manager's Role:
 The project manager has overall responsibility for delivering a successful project meeting
defined objectives.
 Key responsibilities include:
o Encouraging senior management support for Project Risk Management.
o Determining acceptable levels of risk in consultation with stakeholders.
o Developing and approving the risk management plan.
o Promoting the Project Risk Management process.
o Facilitating open communication about risk within the project team.
o Participating in all aspects of the Project Risk Management process.
o Approving risk responses and associated actions.
o Applying contingency funds to deal with identified risks.
o Overseeing risk management by subcontractors and suppliers.
o Monitoring the efficiency and effectiveness of the Project Risk Management
process.
o Auditing risk responses for effectiveness and documenting lessons learned.