Universidad Andrés Bello
Risk Management, Chapter Eleven

Staffing management plan (part of the human resource plan): This plan describes what resources are available, their skill sets, and how they will be moved on and off the project. Knowing this information will help you identify risks related to resources.

Procurement management plan: How many contracts will there likely be on the project? What is the level of expertise in handling contracts? Was the project manager involved before any contracts were signed? If not, the project will have more risk and therefore likely cost more. Contracts are a way to mitigate or transfer risks in risk response planning.

Stakeholders: Stakeholders will view the project from different perspectives and thus will be able to see risks that the team cannot. Stakeholders are involved in many aspects of risk management.

The Risk Management Process

This is an important topic. You must MEMORIZE what happens when and know how risk management, done well, can change the way projects are managed and how it can change what happens in a typical day on a project. If you think about large, well-managed projects where risk management has been an integral part of planning:
» There are no longer huge fires to put out every day—they were eliminated in the risk response plan
» Risks are brought up in every meeting to be addressed before they happen
» If the risk events do happen, there is a plan in place to deal with them, meaning no more hectic meetings to develop a response

The project manager has time to:
» Monitor and control the various aspects of the project, looking for deviations and trends to find them early
» Implement a reward system
» Keep stakeholders informed of project progress
» Stay ahead of the project

The six sequential risk management processes are:
1. Plan Risk Management
2. Identify Risks
3. Perform Qualitative Risk Analysis
4. Perform Quantitative Risk Analysis
5. Plan Risk Responses
6. Monitor and Control Risk Responses

Although the processes are done in sequence, remember that they are done often during the course of the project, starting in initiating all the way through the end of the project. Risks can be identified at any time, as can the responses for what to do about the new risk. So if a risk is uncovered after the initial risk identification process, it must be analyzed, responses must be planned, etc. The risk management process is very iterative.

© 2009 RMC Publications • www.rmcproject.com

The project manager, sponsor, team, customer, other stakeholders, and experts can be involved in the Plan Risk Management process to define how risk management will be structured and performed for the project. Since risk management is so critical, wouldn't it be wise to think about how you will approach risk management before you do it? Plan before you act. Risk management efforts should be appropriate to the size and complexity of the project, as well as the experience and skill level of the project team. Successful risk management cannot be done with just a standardized checklist of risks from past projects. Though such a checklist can be helpful in creating a plan and identifying risks, the risk management effort needs to happen for each project.

The Plan Risk Management process answers the question of how much time should be spent on risk management based on the needs of the project. It also answers questions such as who will be involved and how you will go about performing risk management. Company procedures for risk, such as standard probability and impact matrices, are identified as part of this process and then adapted to the needs of the project.

Outputs of Plan Risk Management PAGE 279
When you have completed risk management planning, you should have the following:
» Risk Management Plan: The risk management plan may include:
» Methodology: This section defines how you will perform risk management for the particular project.
Remember to adapt to the needs of each project. Low priority projects will likely warrant less of a risk management effort than high priority projects.
» Roles and responsibilities: Who will do what? Did you realize that non-team members may have roles and responsibilities regarding risk management?
» Budgeting: This section includes the cost for the risk management process. Yes, you must realize the cost of doing risk management, but know that risk management saves the project time and money overall by avoiding or reducing threats and taking advantage of opportunities.
» Timing: This section talks about when to do risk management for the project. Risk management should start as soon as you have the appropriate inputs and should be repeated throughout the life of the project, since new risks can be identified as the project progresses and the degree of risk may change.
» Risk categories: See the following section for more detail.
» Definitions of probability and impact: Would everyone who rates the probability a "seven" in qualitative risk analysis mean the same thing? A person who is risk averse might think of seven as very high, while someone who is risk prone might think of seven as a low figure. The definitions and the probability and impact matrix help standardize these interpretations and also help compare risks between projects.
» Stakeholder tolerances: What if the stakeholders have a low risk tolerance for cost overruns? That information would be taken into account to rank cost impacts higher than they would if the low tolerance was in another area. Tolerances should not be implied, but uncovered in project initiating and clarified or refined continually.
» Reporting formats: This describes any reports related to risk management that will be used and what they will include.
» Tracking: Take this to mean how the risk process will be audited, and the documentation of what happens with risk management activities.
Risk Categories
I have long advocated the use of a standard list of risk categories to make sure areas of risk are not forgotten. Risk categories are lists of broad, common areas or sources of risk experienced by the company or on similar projects. These categories can include things like technology changes, lack of resources, or cultural issues. Companies and project management offices should have standard lists of risk categories that all projects can use to help identify risks. The people leading risk identification efforts should make sure each category is considered when looking for risks.

There are many ways to classify or categorize risk, such as:
» External: Regulatory, environmental, government, market shifts
» Internal: Time, cost, or scope changes; inexperience; poor planning; people; staffing; materials; equipment
» Technical: Changes in technology
» Unforeseeable: Only a small portion of risks (some say about 10 percent) are actually unforeseeable

A better way is based on specific categories of risk that may occur on your company's projects. My risk research shows over 300 potential categories of risk. These include risks caused by or generated by:
» The customer
» Lack of project management effort (yes, your lack of project management effort can add risk)
» Lack of knowledge of project management by the project manager and stakeholders
» The customer's customers
» Suppliers
» Resistance to change
» Cultural differences

Another way to categorize risks is by source: "Where do risks come from?" as shown.
» Schedule: "The hardware may arrive earlier than planned, allowing work package XYZ to start three days earlier."
» Cost: "Because the hardware may arrive later than planned, we may need to extend our lease on the staging area at a cost of $20,000."
» Quality: "The concrete may dry before winter weather sets in, allowing us to start successor work packages earlier than planned."
» Scope: "We might not have correctly defined the scope for the computer installation. If that proves true, we will have to add work packages at a cost of $20,000."
» Resources: "Kimberly is such an excellent designer that he may be called away to work on the new project everyone is so excited about. If that occurs, we will have to use someone else and our schedule will slip between 100 and 275 hours."
» Customer satisfaction (stakeholder satisfaction): "There is a chance that the customer will not tell us they are unhappy with the XYZ deliverable, causing at least a 20 percent increase in time to rework customer testing."

Expect the phrases "sources of risk" and "risk categories" to be used interchangeably on the exam. Risk categories or sources of risks can be organized in an organizational chart or WBS-like format called a risk breakdown structure, also referred to as an RBS.

Types of Risk
In addition to risk categories, risks can be classified under two main types:
» Business Risk: Risk of gain or loss
» Pure (Insurable) Risk: Only a risk of loss (i.e., fire, theft, personal injury, etc.)

Identify Risks

Project risks for the project are identified in this process. This effort should involve all stakeholders and might even involve literature reviews, research, and talking to non-stakeholders. Sometimes the core team will begin the process and then the other members will become involved, making Identify Risks an iterative process.

When you get a question about who should be involved in risk identification, the best answer is everyone! Everyone has a different perspective of the project and can provide thoughts on opportunities and threats.
Smart project managers begin looking for risks as soon as a project is first discussed. In fact, the PMBOK® Guide lists high-level risks as an output of the creation of the project charter in integration management. However, the major risk identification effort occurs during planning, as the scope baseline (the project scope statement, WBS, and WBS dictionary) is an important input to risk identification.

Because risk identification primarily occurs during the initiating and planning process groups, the exam has often said that the major part of risk identification happens at the onset of the project. But smaller numbers of risks may also be identified during later parts of the project. Risks should be continually reassessed. The exam will specifically look for you to include risk identification during such activities as integrated change control, when working with resources, and when dealing with project issues.

As stated earlier, the exam deals with risk on a sophisticated level and tests your knowledge about how your daily activities are different if you have done risk management well versus not having practiced proper risk management on your project. The exam weights the questions toward project executing and project monitoring and controlling rather than the identification of risks. You will need to be generally familiar with how risks are identified. The following are some risk identification tools and techniques.

Documentation Reviews PAGE 286
What is and what is not part of the documentation, including the charter, contracts, and planning documentation, can help identify risks. Those involved in risk identification might look at this documentation, as well as lessons learned, articles, and other documents, to help uncover risks. This used to be a trick for risk management and now has become standard practice.

Information Gathering Techniques PAGE 286
Another way to identify risks is to use one of the following techniques.
Many of these techniques are also used to collect requirements for the project.
» Brainstorming: Brainstorming is usually done in a meeting where one idea helps generate another.
» Delphi technique: This technique is used to build consensus of experts who participate anonymously. A request for information is sent to the experts, their responses are compiled, and the results are sent back to them for further review until consensus is reached. This technique can also be used for estimating time and cost.
» Interviewing: Also called expert interviewing on the exam, this consists of the team or project manager interviewing project participants, stakeholders, or experts to identify risks on the project or a specific element of work.
» Root cause analysis: Reorganizing the identified risks by their root causes will help you identify more risks.
» Strengths, Weaknesses, Opportunities, and Threats (SWOT) Analysis: This analysis looks at the project to identify its strengths and weaknesses and thereby identify risks (opportunities and threats).

Checklist Analysis PAGE 287
The checklist of risk categories was previously described in the Plan Risk Management process. This checklist is used to help identify specific risks within each category.

Assumptions Analysis PAGE 287
Analyzing what assumptions have been made on the project and if they are valid may lead to the identification of more risks.

Diagramming Techniques PAGE 287
Some of the tools described in the Quality Management chapter can also be used to analyze the root causes of issues. These include cause and effect diagrams and flowcharts. When used as part of risk identification, they help identify additional risks for the project.

Outputs of Identify Risks PAGE 282
» Risk Register: The risk register is the place where most of the risk information is kept. Think of it as one document for the whole risk management process that will be constantly updated with information as Identify Risks and later risk management processes are completed. The risk register becomes part of the project documents and is also included in historical records that will be used for future projects.

Notice that an updated risk register is the only output of several of the risk management processes. Read exam questions carefully, as the risk register contains different information depending on when in the risk management process the question is referencing. For example, if the project has just started and you are in the Identify Risks process, the risk register will only contain the identified risks, not response plans, which come later.

At this point in the risk management process, the risk register includes:
» List of risks
» List of potential responses: Though risk response planning occurs later, one of the things experienced risk managers know is that it is not always logical to separate work on each part of risk management. There will be times when a response is identified at the same time as a risk. These responses should be added to the risk register as they are identified, and analyzed later as part of risk response planning.
» Root causes of risks: The root causes of risks are documented.
» Updated risk categories: You will notice a lot of places where historical records and company records are updated throughout the project management process. Make sure you are aware that lessons learned and communicating information to other projects does not just happen at the end of the project. Here, the project is providing feedback to the rest of the company regarding new categories of risk to add to the checklist previously described.

If I was writing a tricky question for the exam, it might be, "When in the risk management process are responses documented?" The answer is in both the Identify Risks and Plan Risk Responses processes!
You might remember that one of the later parts of risk management is to determine what you are going to do about risks. Would you want to do something about all risks identified? Of course not. That would be too expensive, and you would not have enough time. Therefore, qualitative risk analysis involves creating a shortlist of the previously identified risks. The shortlisted risks will then be further analyzed in the Perform Quantitative Risk Analysis process or will move into the Plan Risk Responses process.

Remember that qualitative risk analysis is a subjective analysis of the risks identified. To perform this analysis, the following are determined:
» The probability of each risk occurring, using a standard scale such as Low, Medium, High or 1 to 10.
» The impact (amount at stake, or consequences, positive or negative) of each risk occurring, using a standard scale such as Low, Medium, High or 1 to 10.

The following are tools you can use to perform qualitative risk analysis.

Probability and Impact Matrix PAGE 291
Because qualitative risk analysis is based on subjective evaluation, the rating of any one risk can vary depending on the bias of the person doing the rating and how risk averse they are (e.g., one person's score of a 3 might be another person's 7). Therefore, organizations frequently have a standard rating system to promote a common understanding of what each risk rating means. This standard is shown in a probability and impact matrix.

A probability and impact matrix might look like:

[Figure: probability and impact matrix, with Probability and Impact axes on a scale of 1 to 10]

This matrix may be used to sort or rate risks to determine which ones warrant an immediate response (and will therefore be moved on through the risk process) and which ones should be put on the watchlist (described later). The matrix may be standardized within the company or department, or customized to the needs of the project.
Such a matrix results in a consistent evaluation of low, medium or high (or some other scale) for the project and for all projects. Use of a standardized matrix makes the risk rating process more repeatable between projects. Different matrices can be used for cost, time, and scope if the project's thresholds for each type of risk are different.

Risk Data Quality Assessment PAGE 293
This assessment asks, "How accurate and well understood is the risk information?" Before the project manager can use the risk information collected so far, he or she must analyze the precision of the data (asking, "How good is the data?"). Is more research needed to understand the risk before a qualitative assessment can be done? Imagine, for example, a risk given to you anonymously on a notepad. Smart project managers might allow for anonymous contributions during risk identification, but all of the identified risks must be defined well enough to perform a qualitative assessment.

A risk data quality assessment may include determining the following for each risk:
» Extent of the understanding of the risk
» Data available about the risk of the data and integrity of the data

Risk Categorization PAGE 293
Risk categorization asks, "What will we find if we regroup the risks by categories? By work packages?" Think about how useful it would be to not only have a subjective assessment of the total amount of risk on the project, but also to group the risks by cause to know which work packages, processes, people, or other potential causes have the most risk associated with them. Such data will be helpful in risk response planning, allowing you to eliminate many risks at once by eliminating one cause.

Risk Urgency Assessment PAGE 293
In addition to creating a shortlist of risks, qualitative risk analysis includes noting risks that should move more quickly through the process than others.
Reasons for this could include the fact that the risk may occur soon or will require a long time to plan a response. Urgent risks may then move, independently, right into risk response planning while the rest continue through quantitative risk analysis, or they may simply be the first ones for which you plan a response in risk response planning. A project manager may consider both the urgency of the risk and the risk's probability and impact rating (from the probability and impact matrix) to determine the overall severity of the risk.

Outputs of Perform Qualitative Risk Analysis PAGE 293
» Risk register updates: The risk register is updated to add the results of qualitative risk analysis, including:
» Risk ranking for the project compared to other projects: Qualitative risk analysis can lead (through means not explained here) to a number to be used to rank the project in comparison to others (e.g., this project has a risk score of 83). The impact of this is that once you complete risk response planning, you can then redo qualitative risk analysis and PROVE the value of your efforts. You can report, "The project now has a risk score of 4.8." Think how this will help you prove the value of project management!
» List of prioritized risks and their probability and impact
» Risks grouped by categories (as previously explained)
» List of risks requiring additional analysis in the near term
» List of risks for additional analysis and response: These are the risks that will move forward into quantitative risk analysis and/or response planning.
» Watchlist (non-critical or non-top risks): These risks are documented for later review during risk monitoring and controlling.
» Trends: Qualitative risk analysis may be redone in planning (as previously explained) or while the project work is being done. The project manager should know if risks are increasing, decreasing or staying the same, so that trends can be analyzed.
Qualitative risk analysis can also be used to:
» Compare the risk of the project to the overall risk of other projects
» Determine whether the project should be selected, continued, or terminated
» Determine whether to proceed to the Perform Quantitative Risk Analysis or Plan Risk Responses processes (depending on the needs of the project and the performing organization)

Perform Quantitative Risk Analysis

This involves a numerical analysis of the probability and impact (amount at stake or consequences) of the risks moved forward to this process from qualitative risk analysis. Quantitative risk analysis also looks at how risks affect the objectives of the project. The purpose of quantitative risk analysis is to:
» Determine which risk events warrant a response
» Determine overall project risk (risk exposure)
