Professional Documents
Culture Documents
Book 2 of 4
The Risk Management Process
Manual 3: Project Risk Management
Contents
Topic 1: Risk Identification 3
Section A: Introducing Risk Identification 3
Risk Identification 3
Risk Identification: Inputs 4
Risk Identification: Tools and Techniques 4
Section B: An Overview of Risk Identification 6
Defining Risk 6
Upside and Downside Risk 6
Typical Project Risks 7
Defining Risk Identification 7
Inputs, Tools and Techniques, and Outputs of Risk 7
Section C: Risk Identification: In-Depth Analysis 11
Section Objectives 11
Risk Identification 11
Section D: Inputs, Tools and Techniques, and Outputs of Risk Identification 13
Risk Identification 13
Diagramming Techniques 16
Assumptions Analysis 16
Using a Process Approach to Identify Risk 17
Outputs of Risk Identification 17
Topic 2: Risk Monitoring and Control 19
Section A: Introducing Risk Monitoring and Control 19
Risk Monitoring and Control: Inputs 20
Risk Monitoring and Control: Tools and Techniques 20
Risk Monitoring and Control: Outputs 21
Section B: An Overview of Risk Monitoring and Control 22
Risk Monitoring and Control 22
Section C: Inputs, Tools and Techniques, and Outputs of Risk Monitoring and Control 24
Risk Monitoring and Control 24
Inputs to Risk Monitoring and Control 24
Sample Risk Reporting Format 26
Sample Technician Performance Report 26
Outputs from Risk Monitoring and Control 26
Section D: Analytical Tools of Risk Monitoring and Control 28
Analytical Tools 28
Risk Identification is an iterative process because new risks may become known as the project progresses
through its life cycle. The frequency of iteration and who participates in each cycle will vary from case to
case. The project team should be involved in the process so that they can develop and maintain a sense of
ownership of, and responsibility for, the risks and associated risk response actions. Stakeholders outside
the project team may provide additional objective information. The Risk Identification process usually
leads to the Qualitative Risk Analysis process. Alternatively, it can lead directly to the Quantitative Risk
Analysis process when conducted by an experienced risk manager. On some occasions, simply the
identification of a risk may suggest its response, and these should be recorded for further analysis and
implementation in the Risk Response Planning process.
• Brainstorming. The goal of brainstorming is to obtain a comprehensive list of project risks. The
project team usually performs brainstorming, often with a multidisciplinary set of experts not on the
team. Ideas about project risk are generated under the leadership of a facilitator. Categories of risk
(Section 11.1), such as a risk breakdown structure, can be used as a framework. Risks are then
identified and categorized by type of risk and their definitions are sharpened.
• Delphi technique. The Delphi technique is a way to reach a consensus of experts. Project risk experts
participate in this technique anonymously. A facilitator uses a questionnaire to solicit ideas about the
important project risks. The responses are summarized and are then re-circulated to the experts for
further comment. Consensus may be reached in a few rounds of this process. The Delphi technique
helps reduce bias in the data and keeps any one person from having undue influence on the outcome.
• Interviewing. Interviewing experienced project participants, stakeholders, and subject matter experts
can identify risks. Interviews are one of the main sources of risk identification data gathering.
• Root cause identification. This is an inquiry into the essential causes of a project’s risks. It sharpens
the definition of the risk and allows grouping risks by causes. Effective risk responses can be
developed if the root cause of the risk is addressed.
• Strengths, weaknesses, opportunities, and threats (SWOT) analysis. This technique ensures
examination of the project from each of the SWOT perspectives, to increase the breadth of considered
risks.
Checklist Analysis
Risk identification checklists can be developed based on historical information and knowledge that has
been accumulated from previous similar projects and from other sources of information. The lowest level
of the RBS can also be used as a risk checklist. While a checklist can be quick and simple, it is impossible
to build an exhaustive one. Care should be taken to explore items that do not appear on the checklist. The
checklist should be reviewed during project closure to improve it for use on future projects.
Assumptions Analysis
Every project is conceived and developed based on a set of hypotheses, scenarios, or assumptions.
Assumptions analysis is a tool that explores the validity of assumptions as they apply to the project. It
identifies risks to the project from inaccuracy, inconsistency, or incompleteness of assumptions.
Diagramming Techniques
Risk diagramming techniques may include:
• Cause-and-effect diagrams. These are also known as Ishikawa or fishbone diagrams, and are useful
for identifying causes of risks.
• System or process flow charts. These show how various elements of a system interrelate, and the
mechanism of causation.
• Influence diagrams. These are graphical representations of situations showing causal influences,
time ordering of events, and other relationships among variables and outcomes.
Facilitating Processes
Human Human Procurement Procurement
Quality Resources Resources
Defining Risk
Risk is inherent in any project and may impact one or more elements of the project baseline, such as
technical scope, schedule, or cost objectives. Risks can be driven by internal or external influences. A
project team has the choice of allowing risks to strike, or taking charge and constraining the behavior of
these risks. A project risk analysis assists the project manager and project team in identifying risks and
preparing for risk management and mitigation. Successfully identifying risks, and then mitigating and
managing them, will contribute directly to the ultimate success of the project by ensuring on-time, on-
budget completion of stated project technical objectives.
Definition: Risk
An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s
objectives.
Determining which risks might affect the project and documenting their characteristics. Tools
used include brainstorming and checklists.
Although risk identification is noted early in the risk processes, it realistically will occur at several stages
of a project. Managing the project, and managing existing risks, leads to the identification of new risks.
The progress of the project unearths new unknowns and assumptions. A project manager may learn very
late in a project about problems that could not be anticipated; e.g., regulatory changes, changes in
personnel, or issues with manufacturing.
Risk identification uses many different tools and techniques to identify risks, and their triggers, for a
project. Different tools and techniques are used based on the characteristics of a project.
Inputs
Risk identification uses the risk management plan to guide the process of risk identification. Project
planning outputs are evaluated to consider where risks are inherent in the project plan. Risk categories
are helpful to provide a project manager different perspectives on the types of risks which may occur in a
project (technology, budget, schedule, human resources). Historical information is used to evaluate what
types of risks and triggers were experienced in past projects.
Inputs
Tools and Techniques
Risk Management
Documentation reviews
plan Information-gathering techniques
Project planning Checklists
outputs Assumptions analysis
Risk categories Diagramming techniques
Historical Information
Outputs
Risks
Triggers
Inputs to other processes
Documentation Review
The first step in identifying risks is to conduct a Documentation Review. Once team members have
reviewed existing documentation, they can hold meetings with subject- matter experts to gain insight as to
what went well, and what went poorly with prior projects.
Once this process is complete, teams should use Information Gathering Techniques to substantiate or
eliminate project risk assumptions.
• During the generation of ideas, members suspend judgment in excluding or including any items
• This results in a large list of ideas that can be posted for review and further analysis
Delphi Technique: A panel of experts circulates and revises ideas until consensus is reached.
Interviewing/Surveys: Face-to-face, telephone, focus groups, or other interview or survey techniques can
be used to gather data on risks.
SWOT Analysis Technique: SWOT Analysis entails looking at the project goals, and the Strengths,
Weaknesses, Opportunities, and Threats of the project.
Checklists
One tool for facilitating more thorough risk identification is a Checklist. One or more project members
should be assigned to complete portions of the checklist. The screening questions are designed to assist
the risk analysis participants to determine areas of the project where the potential for risk exists.
The checklist is divided into types of risk or risk categories; questions are included that require a positive
or negative response. Typically, positive responses to screening questions indicate a risk potential that
would trigger further evaluation by the team. The screening checklist is not designed to indicate what the
risks are; it is designed to identify risk potential. Organizations utilizing project management techniques
should modify this checklist to meet their specific needs, including precise lessons learned and warning
flags.
A. Technology
New Technology?
B. Time
Project schedule uncertainties or constraints that may impact project
completion or milestone dates?
Long lead procurement items that may affect the completion of the critical
path or milestones?
C. Contractor Capabilities
Potential for unavailability of qualified vendors or contractors?
D. Interfaces
Significant transportation or infrastructure impacts?
E. Safety
Risks to worker safety during construction?
Assumptions Analysis
Another approach to identifying risks is to review assumptions in the project; what simplifying
assumptions were previously made that need to be validated? One structured approach is a full review of
the current project baseline. Is each element of the Work Breakdown Structure fully understood? Is the
project schedule network correct? Are the proper task dependencies included?
Diagramming Techniques
Diagramming techniques are used to visually display project information to locate specific areas where
risk may be encountered.
System/Process flowcharts: Systems flowcharts follow the same principles of the cause-and-effect
diagram; by outlining the flow within a system, potential causes can be identified for consideration
Influence Diagrams: Influence diagrams are used to show decision problems, and deploy essential
elements and discussions, uncertainties, objectives, and how they influence each other.
Some of these diagramming techniques will be explored in the section on quality planning.
• Complete list of potential risks and their triggers (list of events that are symptoms of risks being
realized). This includes an initial assessment of relative severity/sorting of risks.
• Inputs to other processes.
• Assignment of risks to specific team members for further action.
Section Objectives
• Define risk identification
• Identify the inputs, tools and techniques, and outputs of risk identification
• Document identified risks and triggers
• Use checklist and diagram methods in identifying risks
Risk Identification
Definition: Risk Identification
Determining which risks might affect the project and documenting their characteristics.
Risk Identification
At the beginning of every project, when the sponsor is considering initiating a project, the risks associated
with undertaking the project must be identified. The risk management plan guides the process of risk
identification. Risk identification is a process to gain an understanding of the potential risks associated
with a project or project phase. The potential dangers in the project must be known so that they can be
managed appropriately to ensure the greatest likelihood of project success. In the course of planning the
project, opportunities must be identified for the most efficient implementation of the project to reduce
costs and schedule while providing the highest possible performance and quality. In order to manage
risks, they must be known.
The recognized best practice is to conduct a formal identification of risks, normally by holding a meeting
or working session known as a risk assessment. This is not the last time the project manager should
undertake the identification of risks; indeed, it is a continuous practice throughout the project life cycle.
Risk categories are helpful to give a project manager different perspectives on the types of risks that may
occur on a project. Risks that may affect the project should be organized into categories. Some typical risk
categories are:
• Technical
• Organizational risks
• Project management risks
• External risks
Technical risks include the reliance on any cutting edge technology, or technology under development, or
impacts that changes in technology can have on a project.
Organizational risks include cost, time, and scope objectives.
Project management risks include the poor allocation of cost and time resources, or the poor use of
project management disciplines. External risks include legal or regulatory changes, labor issues, or
issues in dealing with the public.
The first action step in risk planning is the identification of risks. You should collect all project planning
documents to help in identifying risks.
Each of these inputs aids the project manager in determining the Who, What, Where, When, Why, and How
of the risk identification process.
The following pages explain how to determine risk categories, and how historical information is used.
Once the list of identified risks is developed, it must be organized. This helps you manage the risks. Risk
categories may be broken down further into very specific category types such as:
• Time • Financial
• Business • Internal
• People • External
Historical Information
Historical information is used to evaluate what types of risk and triggers were experienced in past
projects. Historical information is only useful if it is documented and available. Examples of historical
information include:
• Lessons learned
• Project archives
• Published information
• Expert judgment
Lessons learned from previous project efforts can provide ongoing value to the organization in subsequent
projects. It’s the information that “keeps on giving”.
Expert judgment can provide valuable input, but requires some discernment by the project manager to
filter through expertise for bias or influences based in organizational politics.
Documentation Review
• Documentation reviews
• Information gathering techniques
• Checklists
• Diagramming techniques
• Assumptions analysis
The first step in identifying risks is to conduct a documentation review. Once team members have
reviewed existing documentation, they can hold meetings with subject- matter experts to gain insight as to
what went well, and what went poorly with prior projects.
Once this process is complete, teams should use information-gathering techniques to substantiate or
eliminate project risk assumptions.
Brainstorming: This technique is where members generate a comprehensive list of potential risks.
During the generation of ideas, members suspend judgment in excluding or including any items. It is
important to capture all ideas or suggestions. Remember to reserve judgment in excluding or including an
item until all ideas have been documented. Once all the ideas have been submitted, prepare a list and
discuss each item, clarify and modify it as required. This process will produce a large list of ideas that can
be posted for review and further analysis.
There are a variety of methods to brainstorm effectively. One method uses lists that are created by writing
down an idea and then handing it off every few minutes. Others use a go-around-the-room approach, with
each person offering ONE idea or saying, “pass”, until all have said “pass” or time expires. This tends to
generate a large list, manages restraint on those wanting to offer multiple suggestions at once, and brings
order to the process.
Delphi Technique: The Delphi technique is a consensus of experts on a subject like project risk. It is a
group technique that extracts and summarizes the knowledge of the group to arrive at a consensus. A
facilitator may use a questionnaire to solicit ideas about the important project risks. Responses are
submitted and are then circulated to the team for further comment. Each individual makes his or her
comments secretly, based on their experience. The results are tabulated and presented to the group in
the form of a histogram (sometimes along with all individual estimates). Participants who fall on the outer
quartiles of the group are asked to provide a rationale for their recommendation. This process is repeated
until consensus is reached.
Interviewing/Surveys: Interviewing is asking questions, the purpose of which may be known only to the
person conducting the interview. Interviews will be most successful and useful when the information
needed for a research project can be obtained in no other way. This may hold true when you need a rich,
detailed picture of people’s experience and the meaning they attach to it; when your topic is so new or
understudied that published information is unavailable or inadequate; or when, because the questions of
interest are sensitive, technical, or complicated, your physical presence is required to guide people
through the process of answering questions. Use of personal interviews should also generally be reserved
for situations when detailed, narrative information is required. If simple factual information or quantitative
judgments are desired, they can be collected much more efficiently and accurately through a telephone or
mail survey.
Focus Groups: Focus groups are a variation of in-depth qualitative interviews in which several people are
interviewed together in a flexible and exploratory group discussion format. In focus groups the emphasis
is on interactions between participants rather than between the researcher and the participants, and the
researcher adopts a role that is more like a moderator than a questioner. The purpose of focus groups is
to explore people’s ideas in a public setting so that you can observe how they react to each other’s ideas,
when they challenge each other’s views, and how their opinions are formed.
Focus groups are most appropriately used when it is important to obtain opinions after they have gone
through a public process in which they are shared with and commented on by peers.
This may be important, for example, when you are studying people’s reactions to a new program, policy, or
product for which people’s opinions are not yet fully formed - in such cases the focus group serves to
accelerate the natural social processes by which individuals compare opinions with each other before
making up their minds. Focus groups are not appropriate unless you are studying a topic that can be
expected to generate a lot of discussion and lively debate.
The primary advantages of focus groups are that they tend to be more convenient and less time-
consuming for both researchers and participants, and they are less likely than individual interviews to be
subject to bias introduced by the researcher, since the researcher takes a less active role in guiding the
discussion.
SWOT analysis entails looking at the project goals, and the strengths, weaknesses, opportunities, and
threats of the project. The project team considers the broad goals of the project to identify risks. The
organization itself may have to be considered for a SWOT analysis, and how the characteristics of the
organization relate to the project’s successful completion. SWOT is a strategic planning technique that
may be useful in identifying risks associated with a corporate view of goals and objectives. The objective of
a project is to realize value for the organization, and the intended outcome needs to be in sync with
corporate direction.
Checklists
Checklists can be especially helpful if they reflect lessons learned from previous projects. But they can
also be limiting if the team automatically assumes the checklist is comprehensive and complete.
Standards, tolerances, policies, etc. that the checklist was originally devised with may have changed as
well as all triggers associated with the risk. Validate the checklist in light of the initiative. One or more
project members should be assigned to complete portions of the checklist.
The screening questions are designed to assist the risk analysis participants in determining areas of the
project where risk potential exists. The checklist is divided into types of risk or risk categories and
questions are included that require a positive or negative response. Typically, positive responses to
screening questions would indicate a risk potential that would trigger further evaluation by the team.
Remember, the screening checklist is not designed to indicate what the risks are, simply to identify risk
potential. An organization involved in project management should consider developing a screening
checklist specific to their needs; however, use of the one offered below may be sufficient.
A. Technology
New Technology?
• Unknown or unclear technology?
• New application of existing technology?
• Modernize advanced technology in existing application?
B. Time
• Project schedule uncertainties or constraints that may impact project completion or
milestone dates?
• Long lead procurement items that may affect the completion of the critical path or
milestones?
C. Contractor Capabilities
• Potential for unavailability of qualified vendors or contractors?
D. Interfaces
• Significant transportation or infrastructure impacts?
• Multiple project interfaces?
• Significant interfaces with an operational facility?
E. Safety
• Risks to worker safety during construction?
• Significant contamination potential?
• Accidents due to new design or other non-reviewed safety questions?
• Involvement of hazardous material?
Diagramming Techniques
The following interactive module explains diagramming techniques. It might take a few seconds to load;
please wait until the full module is displayed.
Diagramming techniques are types of flowcharts that show how various elements relate to one another.
They are used to visually display project information to locate specific areas where risk may be
encountered.
Cause-and effect diagrams: Cause and effect diagrams, also called Ishikawa diagrams or fishbone
diagrams - This technique is useful to identify causes of risks because it tracks problems to the root cause
by exploring each potential cause, leading to the effect it produces.
Cause-and-effect diagrams track problems to the root cause. By exploring each potential cause, it can
lead to the effect it produces as shown below. The example show below is from PMBOK Guide, 2000
Edition.
System or process flowchart: Follow the same principles of the cause-and-effect diagram. By outlining
the flow within a system, the display allows potential causes to be identified for consideration.
Assumptions Analysis
Assumptions are factors that, for planning purposes, are considered true, real, or certain. These
assumptions may be positive or negative. Every project is based on a set of hypotheses, scenarios, or
assumptions. Documentation sources for assumptions includes:
• Project Charter
• Scope Statement
Assumptions analysis explores the validity of each assumption. The purpose of assumptions analysis is to
identify risk to the project from inaccuracy, inconsistency or incompleteness of assumptions. One
structured approach is a full review of the current project baseline. Is each element of the Work
Breakdown Structure fully understood? Is the project schedule network correct? Are the proper task
dependencies included?
Book 2 of 4: The Risk Management Process …Page 16 of 28
Manual 3: Project Risk Management
To conduct an effective identification, the review should include the requirements of the organization’s
risk management plans and policy. These should provide useful guidelines and parameters for conducting
the session. There may be standard forms or templates to ensure compliance with the organization’s ISO
or quality system framework.
The important thing to remember is that the information needed already exists in the form of the current
project baseline information. This factual data changes as the project plan matures and then as the
project commences. It is important to identify the assumptions and the basis for estimation that resulted
in the current project information.
Any assumption should be treated as a risk. Historical information such as closed project files and
lessons-learned reports must be considered. It is important to consider this process as iterative where
risk planning will redefine the baseline and the subsequent risks will continue to impact baseline
measures.
• A list of risks
• A list of triggers or symptoms and warning signs indicating that a risk has occurred or may be an early
warning signal of an impending schedule delay.
• Inputs to other processes-that may identify a need for further action in another area.
Risk identification is an iterative process of identifying which risks might affect the project and
documenting their characteristics. Risk identification results in a written list of risks and triggers. When it
comes to risk identification, if risks and triggers are not written down, they do not exist OR they may exist
in many forms in the minds of many!
Remember, your thoroughness will determine effectiveness of overall risk management effort, and
upfront project planning has a direct effect on the risk management process. Use the following tools to
help identify and document project risks:
• Checklists
• Diagramming methods
• Assumptions analysis
Checklist Example
A. Technology
• New technology?
• Unknown or unclear technology?
• New application of existing technology?
• Modernize advanced technology in existing application?
B. Time
• Project schedule uncertainties or constraints that may impact project completion or
milestone dates?
• Long lead procurement items that may affect the completion of the critical path or
milestones?
C. Contractor Capabilities
• Potential for unavailability of qualified vendors or contractors?
D. Interfaces
• Significant transportation of infrastructure impacts?
• Multiple project interfaces?
• Significant interfaces with an operational facility?
E. Safety
• Risk to worker safety during construction?
• Significant contamination potential?
• Accidents due to new design of other non-reviewed safety questions?
• Involvement of hazardous material?
Risk Register
The risk register has key inputs that include identified risks and risk owners, agreed-upon risk responses,
specific implementation actions, symptoms and warning signs of risk, residual and secondary risks, a
watch list of low priority risks, and the time and cost contingency reserves.
Performance Reports
Performance reports provide information on project work performance, such as an analysis that may
influence the risk management processes.
Risk Audits
Risk audits examine and document the effectiveness of risk responses in dealing with identified risks and
their root causes, as well as the effectiveness of the risk management process.
Reserve Analysis
Throughout execution of the project, some risks may occur, with positive or negative impacts on budget or
schedule contingency reserves. Reserve analysis compares the amount of the contingency reserves
remaining to the amount of risk remaining at any time in the project, in order to determine if the
remaining reserve is adequate.
11
Status Meetings
Project risk management can be an agenda item at periodic status meetings. That item may take no time
or a long time, depending on the risks that have been identified, their priority, and difficulty of response.
Risk management becomes easier the more often it is practiced, and frequent discussions about risk
make talking about risks, particularly threats, easier and more accurate.
• Outcomes of risk reassessments, risk audits, and periodic risk reviews. These outcomes may include
updates to probability, impact, priority, response plans, ownership, and other elements of the risk
register. Outcomes can also include closing risks that are no longer applicable.
• The actual outcomes of the project’s risks, and of risk responses that can help project managers plan
for risk throughout the organization, as well as on future projects. This completes the record of risk
management on the project, is an input to the Close Project process, and becomes part of the project
closure documents.
Requested Changes
Implementing contingency plans or workarounds frequently results in a requirement to change the
project management plan to respond to risks. Requested changes are prepared and submitted to the
Integrated Change Control process as an output of the Risk Monitoring and Control process. Approved
change requests are issued and become inputs to the Direct and Manage Project Execution process and to
the Risk Monitoring and Control process.
The step-by-step learning style utilizes a “building block” approach for presenting concepts in a step-by-
step procedural learning style. This approach is particularly appropriate and used in this manual for the
task-oriented areas that have clear step-by- step procedures involved in them.
Section Objectives
Risk monitoring and control is a continuous process for the project. A key component is recording risk
metrics to compare against associated contingency plans for each risk. The data gathered from good risk
monitoring helps team members make effective decisions about risks before they occur.
Good monitoring and control processes provide data to help make effective decisions in advance of the
occurrence of risk. Risk monitoring and control record risk metrics that are associated with implementing
contingency plans. It is an ongoing process that lasts the entire life of the project:
Risk Control: Risk control involves choosing alternative strategies, implementing a contingency plan,
taking corrective action, re-planning the project, and:
• Ensuring risk awareness is an ongoing activity throughout the life of the project
• Redistributing resources devoted to risk management
The project’s overall change control process is linked to the risk identification and control processes. If a
stakeholder introduces a scope change, the risks of doing so at a particular time of the project life cycle
must be understood before authorizing the change. Such changes could introduce new risks or impact
plans that are in place to control existing risks. Here, the value of a good risk response plan pays off -
what is never written down usually becomes forgotten later, at a time when it is most needed.
The main indication of this process being successfully applied is a smoothly running project. The team is
working well and the project tasks are being completed on time and within budget. There is no unusual
stress, frustration, and exhaustion from working long hours. These desirable outcomes result, ideally,
when the project team properly performs risk management, or when the project is either extremely lucky
or improperly planned with too much reserve (wasting valuable time and resources). The primary output
of the risk monitoring and control process is a risk response plan or, if maintained electronically, a risk
database that is updated regularly. This will show that response plans are complete and are on track,
producing the intended results. If indications are that the risk is changing or not responding to the
response plan, then the project manager must ensure that the plan is adjusted to meet the need.
• What approach and rules have we agreed to follow as part of our risk management plan?
• What risks have we identified, analyzed, assigned owners with responsibilities, and have agreed to
response actions?
• What results are we looking for, how are they being tracked and communicated?
• Have new risks surfaced?
• Have there been scope changes (which may require new risk analysis and response plans?)
Risk monitoring and control, corresponds to the controlling phase of the project. As the project is
executed, the project controls are in place to ensure that results are meeting expectations, and if they are
not, corrective action is initiated. Similarly, in risk management, each individual risk response plan is a
miniature or sub-project with planned scope, budget, and schedule. The project manager must ensure
that these plans are not overlooked or pushed out of the way. Doing this would be like planning for a fire
department but never actually checking for fires, nor observing the regulations that prevent them.
Periodic Project Risk Reviews: The primary technique of the monitor and control process is to conduct
regularly scheduled risk reviews. In such a meeting, the project manager, or the assigned risk manager,
reports to the project team and stakeholders on the progress of each risk. Any inconsistencies between
the response plan and the accompanying action should be identified and addressed.
Further monitoring and control occur as part of the normal project controls that have been established in
the project plan. Regular review and analysis of earned value is a key risk indicator. Cost or schedule
variances or trends may be considered risk indications. For example, a project may have been defined as
under control if the variances are within 5% of the plan. Exceeding 5% is a risk trigger, which should
require some form of preplanned corrective action.
In this process, project management and risk management are in many ways synonymous terms. A good
project manager is a good risk manager, and vice versa. The same disciplines of good common sense,
alertness, planning, and follow-through apply to both. Periodic risk reviews controls high risks by:
• Conducting regular reviews, the periodicity is based on the severity of the risk and includes progress
on mitigation actions
• Monitoring risk metrics and triggers
• Escalating responses as required
An approach to consider when you set up the process for risk review is to select one of the following risks
to review.
Note. Add the risk review as a regular agenda item at all team meetings.
During execution of the project, risk monitoring and control is evident when the project manager and team
meet regularly to review the project and the status of its associated risks. A quality assurance audit
intended to verify the risk management practices would look for evidence of regular meeting minutes, a
risk database that was kept up-to-date, and metrics reports that showed that the overall trend of the risk
profile (of probability and impact) was decreasing throughout the project life cycle.
A current risk list should be posted on the project room status board. Risk response action plans show
that assigned tasks were performed and closed out. New risks are identified on a regular basis and added
to the risk response planning cycle.
Risk Response Audits: Throughout the project life cycle, the project manager should perform an audit to
examine and document the effectiveness of the risk response to identify:
• Avoidance
• Transference
• Mitigating risk occurrence
• Effectiveness of the risk owner
Technical Performance Measurement: Another type of control is the regular use of project metrics and
technical performance measures. A technical measure might be the weight limit of the module for a
communications satellite, or the capacity of a computer network. These are normally planned with a
reserve capacity, and deterioration of this reserve serves as a risk indication.
It is important for you to understand how technical performance data is reported and how it gives a
measure of risk control. Technical performance measurement compares technical accomplishments
during project execution to the project plan’s schedule of technical achievements. This includes:
• Performance goals
• Milestones, and schedules listed in project plan
Deviations to a planned milestone schedule may imply a potential or realized risk exists in achieving the
project objectives.
• Workaround plans
• Corrective action
• Project change requests
• Updates to risk response plan
• Risk database
• Updates to risk identification checklists
Any decision to alter the project plan must be dealt with as a project change and must be implemented in
a controlled fashion. How does it affect the current work breakdown structure, cost baseline, and
schedule? Rather than make quick assumptions, and thereby generate new risk, it is more valuable to
take time to make sure the change is properly integrated.
Book 2 of 4: The Risk Management Process …Page 26 of 28
Manual 3: Project Risk Management
Workaround Plans: Workarounds are unplanned responses to emerging risks that were previously
unidentified or accepted. Workaround plans must be properly documented and incorporated into a:
• Project plan
• Risk response plan
Project Change Requests: Changes frequently result from workarounds and contingency actions. These
changes must be analyzed, their impact determined, and corrective action taken when necessary. Change
requests are required to ensure:
Updates to the Risk Response Plan: Risks may or may not occur. Updates will provide a revised listing of
realized risks. Realized risks should be documented and evaluated in risk response plan. Risk rankings
must be reassessed to ensure most important risks are being addressed. Risks not occurring should be
documented and closed in the risk response plan.
Risk Database: A data repository is used in the collection, maintenance, and analysis of data used in the
risk management process. This database will be used by the project team and other members of the
organization and, over time, will form the basis for the lessons learned program. The risk database can be
as simple as keeping data in an MS Access or Excel document or as complex as using specific risk
management software.
Analytical Tools
There needs to be careful consideration in the selection and use of software as an analytical tool. The
project manager and the project team should understand their requirements and determine what they
need, rather than let a software package force them into a particular direction. First, define the
requirements; then select the tool.