Manual 3-Project Risk Management-Book 2

Manual 3
Project Risk Management
Book 2 of 4
The Risk Management Process
Manual 3: Project Risk Management
Contents
Topic 1: Risk Identification 3
Section A: Introducing Risk Identification 3
Risk Identification 3
Risk Identification: Inputs 4
Risk Identification: Tools and Techniques 4
Section B: An Overview of Risk Identification 6
Defining Risk 6
Upside and Downside Risk 6
Typical Project Risks 7
Defining Risk Identification 7
Inputs, Tools and Techniques, and Outputs of Risk 7
Section C: Risk Identification: In-Depth Analysis 11
Section Objectives 11
Section D: Inputs, Tools and Techniques, and Outputs of Risk Identification 13
Diagramming Techniques 16
Assumptions Analysis 16
Using a Process Approach to Identify Risk 17
Outputs of Risk Identification 17
Topic 2: Risk Monitoring and Control 19
Section A: Introducing Risk Monitoring and Control 19
Risk Monitoring and Control: Inputs 20
Risk Monitoring and Control: Tools and Techniques 20
Risk Monitoring and Control: Outputs 21
Section B: An Overview of Risk Monitoring and Control 22
Risk Monitoring and Control 22
Section C: Inputs, Tools and Techniques, and Outputs of Risk Monitoring and Control 24
Risk Monitoring and Control 24
Inputs to Risk Monitoring and Control 24
Sample Risk Reporting Format 26
Sample Technician Performance Report 26
Outputs from Risk Monitoring and Control 26
Section D: Analytical Tools of Risk Monitoring and Control 28
Analytical Tools 28
Book 2 of 4: The Risk Management Process …Page 2 of 28

Topic 1: Risk Identification

Section A: Introducing Risk Identification
Risk Identification
Risk Identification determines which risks might affect the project and documents their characteristics.
Participants in risk identification activities can include the following, where appropriate: project manager,
project team members, risk management team (if assigned), subject matter experts from outside the
project team, customers, end users, other project managers, stakeholders, and risk management experts.
While these personnel are often key participants for risk identification, all project personnel should be
encouraged to identify risks.
Risk Identification is an iterative process because new risks may become known as the project progresses
through its life cycle. The frequency of iteration and who participates in each cycle will vary from case to
case. The project team should be involved in the process so that they can develop and maintain a sense of
ownership of, and responsibility for, the risks and associated risk response actions. Stakeholders outside
the project team may provide additional objective information. The Risk Identification process usually
leads to the Qualitative Risk Analysis process. Alternatively, it can lead directly to the Quantitative Risk
Analysis process when conducted by an experienced risk manager. On some occasions, simply the
identification of a risk may suggest its response, and these should be recorded for further analysis and
implementation in the Risk Response Planning process.
Inputs Tools & Techniques Outputs
1. Enterprise environmental 1. Documentation review 1. Risk register

factors 2. Information gathering
2. Organizational process techniques
assets 3. Checklist analysis
3. Project scope statement 4. Assumptions analysis
4. Risk management plan 5. Diagramming techniques
5. Project management plan
Figure 1 - Risk Identification: Inputs, Tools & Techniques, and Outputs

Risk Identification: Inputs

• Enterprise Environmental Factors
Published information, including commercial databases, academic studies, benchmarking, or other
industry studies, may also be useful in identifying risks.
• Organizational Process Assets

Information on prior projects may be available from previous project files, including actual data and
lessons learned.
• Project Scope Statement

Project assumptions are found in the project scope statement. Uncertainty in project assumptions
should be evaluated as potential causes of project risk.
• Risk Management Plan

Key inputs from the risk management plan to the Risk Identification process are the assignments of
roles and responsibilities, provision for risk management activities in the budget and schedule, and
categories of risk, which are sometimes expressed in an RBS.
• Project Management Plan

The Risk Identification process also requires an understanding of the schedule, cost, and quality
management plans found in the project management plan. Outputs of other Knowledge Area
processes should be reviewed to identify possible risks across the entire project.
Risk Identification: Tools and Techniques

Documentation Reviews
A structured review may be performed of project documentation, including plans, assumptions, prior
project files, and other information. The quality of the plans, as well as consistency between those plans
and with the project requirements and assumptions, can be indicators of risk in the project.
Information Gathering Techniques

Examples of information gathering techniques used in identifying risk can include:
• Brainstorming. The goal of brainstorming is to obtain a comprehensive list of project risks. The
project team usually performs brainstorming, often with a multidisciplinary set of experts not on the
team. Ideas about project risk are generated under the leadership of a facilitator. Categories of risk
(Section 11.1), such as a risk breakdown structure, can be used as a framework. Risks are then
identified and categorized by type of risk and their definitions are sharpened.
• Delphi technique. The Delphi technique is a way to reach a consensus of experts. Project risk experts
participate in this technique anonymously. A facilitator uses a questionnaire to solicit ideas about the
important project risks. The responses are summarized and are then re-circulated to the experts for
further comment. Consensus may be reached in a few rounds of this process. The Delphi technique
helps reduce bias in the data and keeps any one person from having undue influence on the outcome.
• Interviewing. Interviewing experienced project participants, stakeholders, and subject matter experts
can identify risks. Interviews are one of the main sources of risk identification data gathering.
• Root cause identification. This is an inquiry into the essential causes of a project’s risks. It sharpens
the definition of the risk and allows grouping risks by causes. Effective risk responses can be
developed if the root cause of the risk is addressed.
• Strengths, weaknesses, opportunities, and threats (SWOT) analysis. This technique ensures
examination of the project from each of the SWOT perspectives, to increase the breadth of considered
risks.

Checklist Analysis
Risk identification checklists can be developed based on historical information and knowledge that has
been accumulated from previous similar projects and from other sources of information. The lowest level
of the RBS can also be used as a risk checklist. While a checklist can be quick and simple, it is impossible
to build an exhaustive one. Care should be taken to explore items that do not appear on the checklist. The
checklist should be reviewed during project closure to improve it for use on future projects.
Assumptions Analysis
Every project is conceived and developed based on a set of hypotheses, scenarios, or assumptions.
Assumptions analysis is a tool that explores the validity of assumptions as they apply to the project. It
identifies risks to the project from inaccuracy, inconsistency, or incompleteness of assumptions.
Diagramming Techniques
Risk diagramming techniques may include:
• Cause-and-effect diagrams. These are also known as Ishikawa or fishbone diagrams, and are useful
for identifying causes of risks.
• System or process flow charts. These show how various elements of a system interrelate, and the
mechanism of causation.
• Influence diagrams. These are graphical representations of situations showing causal influences,
time ordering of events, and other relationships among variables and outcomes.

Section B: An Overview of Risk

Identification
Risk identification is another facilitating process of the planning process group. Risk identification should
be performed in accordance with the risk management plan; it occurs as needed, based on the
characteristics of the project and level of risk associated with the project.
Facilitating Processes
Human Human Procurement Procurement
Quality Resources Resources
Organizational Procurement Solicitation

Quality Planning Planning Staff Acquisition Planning Planning
Communications Risk Risk Risk Risk
Communications Risk Qualitative Risk Quantitative Risk Risk response

Planning Identification Analysis Analysis Planning
Defining Risk
Risk is inherent in any project and may impact one or more elements of the project baseline, such as
technical scope, schedule, or cost objectives. Risks can be driven by internal or external influences. A
project team has the choice of allowing risks to strike, or taking charge and constraining the behavior of
these risks. A project risk analysis assists the project manager and project team in identifying risks and
preparing for risk management and mitigation. Successfully identifying risks, and then mitigating and
managing them, will contribute directly to the ultimate success of the project by ensuring on-time, on-
budget completion of stated project technical objectives.
Definition: Risk
An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s
objectives.
Upside and Downside Risk

Risk is not always an event or occurrence that adversely or negatively affects a project. Some types of risk
may result in a positive opportunity with a gain for the project and company. This type of risk is known as
Upside Risk. Conversely, risk that has a negative impact on a project may be considered Downside Risk.
Upside risks may represent steps taken to reduce cost or schedule, or to increase profit.

Typical Project Risks

There may be times when other risks exist that are unique to a given project, but most risks that can be
identified will typically fall into one of these broader categories. It is important not to overlook or fail to
identify, manage, and mitigate unique risks simply because they are not those typically found on more
routine projects.
• Technology: Technology or technical approach chosen to achieve the project objectives

• Time: Schedule or project completion objectives, other project time-related issues
• Contractor Capabilities: Ability of contractors or other vendors to achieve project objectives.
• Interfaces: Work in a multi-project environment, interfaces with existing operational activities
• Environmental: Environmental laws, licenses, and permits.
• Regulatory Involvement: Involvement by any regulatory agency such as the EPA or DHEC, or by
national, state, and local governments
• Political Visibility: Significance or visibility politically by national, state, or local governments
• Number of Project Participants: Involvement by someone other than a primary owner for decision-
making and management
• Complexity: Issues with design criteria, functional requirements, complex design features, or existing
as-built condition documents
• Labor Skills Availability and Productivity: Adequate resources, specialty resources, rapid labor
force build-up, and exposure to environmental extremes
• Number of Locations/Site Access/Site Ownership: Site ownership and access issues
• Funding/Cost Sharing: Project duration and involvement/funding by other parties
• Magnitude/Type of Contamination: Presence of hazardous or mixed waste
• Quality Requirements: Requirement for precision work or other QA requirements
• Public Involvement: Citizen interest or involvement
Defining Risk Identification

At the beginning of every project, when the sponsor is considering initiating a project, the risks associated
with undertaking the project must be identified. Risk identification is a process to gain an understanding of
the potential risks associated with a project, or project phase. The potential dangers in the project must be
known so that they can be managed appropriately to ensure the greatest likelihood of project success. In
the course of planning the project, opportunities must be identified for the most efficient implementation
of the project to reduce costs and schedule while providing the highest possible performance and quality.
Risks must be known in order to be managed.
Definition: Risk Identification
Determining which risks might affect the project and documenting their characteristics. Tools
used include brainstorming and checklists.
Although risk identification is noted early in the risk processes, it realistically will occur at several stages
of a project. Managing the project, and managing existing risks, leads to the identification of new risks.
The progress of the project unearths new unknowns and assumptions. A project manager may learn very
late in a project about problems that could not be anticipated; e.g., regulatory changes, changes in
personnel, or issues with manufacturing.
Inputs, Tools and Techniques, and Outputs of Risk

Identification
Risk identification uses many different tools and techniques to identify risks, and their triggers, for a
project. Different tools and techniques are used based on the characteristics of a project.

Inputs
Risk identification uses the risk management plan to guide the process of risk identification. Project
planning outputs are evaluated to consider where risks are inherent in the project plan. Risk categories
are helpful to provide a project manager different perspectives on the types of risks which may occur in a
project (technology, budget, schedule, human resources). Historical information is used to evaluate what
types of risks and triggers were experienced in past projects.
Inputs
Tools and Techniques
Risk Management
Documentation reviews
plan Information-gathering techniques
Project planning Checklists
outputs Assumptions analysis
Risk categories Diagramming techniques
Historical Information
Outputs
Risks
Triggers
Inputs to other processes
Tools and Techniques of Risk Identification
Tools and Techniques of risk identification include:

• Documentation reviews.
• Information gathering techniques.
• Checklists.
• Assumptions analysis.
• Diagramming techniques.
Documentation Review
The first step in identifying risks is to conduct a Documentation Review. Once team members have
reviewed existing documentation, they can hold meetings with subject- matter experts to gain insight as to
what went well, and what went poorly with prior projects.
Once this process is complete, teams should use Information Gathering Techniques to substantiate or
eliminate project risk assumptions.
Information Gathering Techniques
Brainstorming: Team members generate a comprehensive list of potential risks
• During the generation of ideas, members suspend judgment in excluding or including any items
• This results in a large list of ideas that can be posted for review and further analysis
Delphi Technique: A panel of experts circulates and revises ideas until consensus is reached.
Interviewing/Surveys: Face-to-face, telephone, focus groups, or other interview or survey techniques can
be used to gather data on risks.

SWOT Analysis Technique: SWOT Analysis entails looking at the project goals, and the Strengths,
Weaknesses, Opportunities, and Threats of the project.
Checklists
One tool for facilitating more thorough risk identification is a Checklist. One or more project members
should be assigned to complete portions of the checklist. The screening questions are designed to assist
the risk analysis participants to determine areas of the project where the potential for risk exists.
The checklist is divided into types of risk or risk categories; questions are included that require a positive
or negative response. Typically, positive responses to screening questions indicate a risk potential that
would trigger further evaluation by the team. The screening checklist is not designed to indicate what the
risks are; it is designed to identify risk potential. Organizations utilizing project management techniques
should modify this checklist to meet their specific needs, including precise lessons learned and warning
flags.
Project Risk Categories and Screening Questions (Sample)
Project Risk Categories and Screening Questions Yes No
A. Technology
New Technology?
Unknown or unclear technology?
New application of existing technology?
Modernize advanced technology in existing application?
B. Time
Project schedule uncertainties or constraints that may impact project
completion or milestone dates?
Long lead procurement items that may affect the completion of the critical
path or milestones?
C. Contractor Capabilities
Potential for unavailability of qualified vendors or contractors?
D. Interfaces
Significant transportation or infrastructure impacts?
Multiple project interfaces?
Significant interfaces with an operational facility?
E. Safety
Risks to worker safety during construction?
Significant contamination potential?
Accidents due to new design or other non-reviewed safety questions?
Involvement of hazardous material?
Another approach to identifying risks is to review assumptions in the project; what simplifying
assumptions were previously made that need to be validated? One structured approach is a full review of
the current project baseline. Is each element of the Work Breakdown Structure fully understood? Is the
project schedule network correct? Are the proper task dependencies included?

Diagramming techniques are used to visually display project information to locate specific areas where
risk may be encountered.
Diagramming techniques include:

Ishikawa, or Cause-and-Effect Diagrams (also known as Fishbone Diagrams): Tracks problems to the
root cause by exploring each potential cause, leading to the effect it produces.
System/Process flowcharts: Systems flowcharts follow the same principles of the cause-and-effect
diagram; by outlining the flow within a system, potential causes can be identified for consideration
Influence Diagrams: Influence diagrams are used to show decision problems, and deploy essential
elements and discussions, uncertainties, objectives, and how they influence each other.
Some of these diagramming techniques will be explored in the section on quality planning.
Expected Outputs of Risk Identification
Expected outputs of risk identification include:
• Complete list of potential risks and their triggers (list of events that are symptoms of risks being
realized). This includes an initial assessment of relative severity/sorting of risks.
• Inputs to other processes.
• Assignment of risks to specific team members for further action.

Section C: Risk Identification: In-Depth

Analysis
In this lesson, you will learn how to identify and categorize risks for a project, using the step-by-step
procedure. Additionally, the inputs, tools and techniques, and outputs of risk identification are reviewed
along with the specific techniques available for finding risk. You will use various methods to identify risks
and also participate in an exercise to identify project risk. The step-by-step learning style utilizes a
“building block” approach for presenting concepts in a step-by-step procedural learning style. This
approach is particularly appropriate and used in this manual for the task-oriented areas that have clear
step-by- step procedures involved in them.
Section Objectives
• Define risk identification
• Identify the inputs, tools and techniques, and outputs of risk identification
• Document identified risks and triggers
• Use checklist and diagram methods in identifying risks
Risk Identification
Definition: Risk Identification
Determining which risks might affect the project and documenting their characteristics.
Risk Identification
At the beginning of every project, when the sponsor is considering initiating a project, the risks associated
with undertaking the project must be identified. The risk management plan guides the process of risk
identification. Risk identification is a process to gain an understanding of the potential risks associated
with a project or project phase. The potential dangers in the project must be known so that they can be
managed appropriately to ensure the greatest likelihood of project success. In the course of planning the
project, opportunities must be identified for the most efficient implementation of the project to reduce
costs and schedule while providing the highest possible performance and quality. In order to manage
risks, they must be known.
The recognized best practice is to conduct a formal identification of risks, normally by holding a meeting
or working session known as a risk assessment. This is not the last time the project manager should
undertake the identification of risks; indeed, it is a continuous practice throughout the project life cycle.
Risk Identification - Categories
Risk categories are helpful to give a project manager different perspectives on the types of risks that may
occur on a project. Risks that may affect the project should be organized into categories. Some typical risk
categories are:
• Technical
• Organizational risks
• Project management risks
• External risks
Technical risks include the reliance on any cutting edge technology, or technology under development, or
impacts that changes in technology can have on a project.
Organizational risks include cost, time, and scope objectives.

Project management risks include the poor allocation of cost and time resources, or the poor use of
project management disciplines. External risks include legal or regulatory changes, labor issues, or
issues in dealing with the public.

Section D: Inputs, Tools and Techniques,

and Outputs of Risk Identification
Risk Identification
Inputs to Risk Identification
The first action step in risk planning is the identification of risks. You should collect all project planning
documents to help in identifying risks.
• Risk management plan

• Project planning outputs
• Risk categories
• Historical information
Each of these inputs aids the project manager in determining the Who, What, Where, When, Why, and How
of the risk identification process.
The following pages explain how to determine risk categories, and how historical information is used.
Determine Risk Categories
Once the list of identified risks is developed, it must be organized. This helps you manage the risks. Risk
categories may be broken down further into very specific category types such as:
• Time • Financial
• Business • Internal
• People • External
Historical Information
Historical information is used to evaluate what types of risk and triggers were experienced in past
projects. Historical information is only useful if it is documented and available. Examples of historical
information include:
• Lessons learned
• Project archives
• Published information
• Expert judgment
Lessons learned from previous project efforts can provide ongoing value to the organization in subsequent
projects. It’s the information that “keeps on giving”.
Expert judgment can provide valuable input, but requires some discernment by the project manager to
filter through expertise for bias or influences based in organizational politics.

Documentation Review
Tools and techniques used for risk identification include:
• Documentation reviews
• Information gathering techniques
• Checklists
• Diagramming techniques
• Assumptions analysis
The first step in identifying risks is to conduct a documentation review. Once team members have
reviewed existing documentation, they can hold meetings with subject- matter experts to gain insight as to
what went well, and what went poorly with prior projects.
Once this process is complete, teams should use information-gathering techniques to substantiate or
eliminate project risk assumptions.
The following page will explain how information is gathered.
Brainstorming: This technique is where members generate a comprehensive list of potential risks.
During the generation of ideas, members suspend judgment in excluding or including any items. It is
important to capture all ideas or suggestions. Remember to reserve judgment in excluding or including an
item until all ideas have been documented. Once all the ideas have been submitted, prepare a list and
discuss each item, clarify and modify it as required. This process will produce a large list of ideas that can
be posted for review and further analysis.
There are a variety of methods to brainstorm effectively. One method uses lists that are created by writing
down an idea and then handing it off every few minutes. Others use a go-around-the-room approach, with
each person offering ONE idea or saying, “pass”, until all have said “pass” or time expires. This tends to
generate a large list, manages restraint on those wanting to offer multiple suggestions at once, and brings
order to the process.
Delphi Technique: The Delphi technique is a consensus of experts on a subject like project risk. It is a
group technique that extracts and summarizes the knowledge of the group to arrive at a consensus. A
facilitator may use a questionnaire to solicit ideas about the important project risks. Responses are
submitted and are then circulated to the team for further comment. Each individual makes his or her
comments secretly, based on their experience. The results are tabulated and presented to the group in
the form of a histogram (sometimes along with all individual estimates). Participants who fall on the outer
quartiles of the group are asked to provide a rationale for their recommendation. This process is repeated
until consensus is reached.
Interviewing/Surveys: Interviewing is asking questions, the purpose of which may be known only to the
person conducting the interview. Interviews will be most successful and useful when the information
needed for a research project can be obtained in no other way. This may hold true when you need a rich,
detailed picture of people’s experience and the meaning they attach to it; when your topic is so new or
understudied that published information is unavailable or inadequate; or when, because the questions of
interest are sensitive, technical, or complicated, your physical presence is required to guide people
through the process of answering questions. Use of personal interviews should also generally be reserved
for situations when detailed, narrative information is required. If simple factual information or quantitative
judgments are desired, they can be collected much more efficiently and accurately through a telephone or
mail survey.
Focus Groups: Focus groups are a variation of in-depth qualitative interviews in which several people are
interviewed together in a flexible and exploratory group discussion format. In focus groups the emphasis
is on interactions between participants rather than between the researcher and the participants, and the
researcher adopts a role that is more like a moderator than a questioner. The purpose of focus groups is
to explore people’s ideas in a public setting so that you can observe how they react to each other’s ideas,
when they challenge each other’s views, and how their opinions are formed.
Focus groups are most appropriately used when it is important to obtain opinions after they have gone
through a public process in which they are shared with and commented on by peers.

This may be important, for example, when you are studying people’s reactions to a new program, policy, or
product for which people’s opinions are not yet fully formed - in such cases the focus group serves to
accelerate the natural social processes by which individuals compare opinions with each other before
making up their minds. Focus groups are not appropriate unless you are studying a topic that can be
expected to generate a lot of discussion and lively debate.
The primary advantages of focus groups are that they tend to be more convenient and less time-
consuming for both researchers and participants, and they are less likely than individual interviews to be
subject to bias introduced by the researcher, since the researcher takes a less active role in guiding the
discussion.
Strengths, Weaknesses, Opportunities, and Threats (SWOT) Analysis:
SWOT analysis entails looking at the project goals, and the strengths, weaknesses, opportunities, and
threats of the project. The project team considers the broad goals of the project to identify risks. The
organization itself may have to be considered for a SWOT analysis, and how the characteristics of the
organization relate to the project’s successful completion. SWOT is a strategic planning technique that
may be useful in identifying risks associated with a corporate view of goals and objectives. The objective of
a project is to realize value for the organization, and the intended outcome needs to be in sync with
corporate direction.
Note: SWOT analysis is seldom used today as a risk identification tool.
Checklists
Checklists can be especially helpful if they reflect lessons learned from previous projects. But they can
also be limiting if the team automatically assumes the checklist is comprehensive and complete.
Standards, tolerances, policies, etc. that the checklist was originally devised with may have changed as
well as all triggers associated with the risk. Validate the checklist in light of the initiative. One or more
project members should be assigned to complete portions of the checklist.
The screening questions are designed to assist the risk analysis participants in determining areas of the
project where risk potential exists. The checklist is divided into types of risk or risk categories and
questions are included that require a positive or negative response. Typically, positive responses to
screening questions would indicate a risk potential that would trigger further evaluation by the team.
Remember, the screening checklist is not designed to indicate what the risks are, simply to identify risk
potential. An organization involved in project management should consider developing a screening
checklist specific to their needs; however, use of the one offered below may be sufficient.
Check list example
Risk Screening Criteria Potential Risk

1 2 3 4
Technology
Time
Contractors
Interfaces
Safety
A. Technology
New Technology?
• Unknown or unclear technology?
• New application of existing technology?
• Modernize advanced technology in existing application?

B. Time
• Project schedule uncertainties or constraints that may impact project completion or
milestone dates?
• Long lead procurement items that may affect the completion of the critical path or
milestones?
• Potential for unavailability of qualified vendors or contractors?
D. Interfaces
• Significant transportation or infrastructure impacts?
• Multiple project interfaces?
• Significant interfaces with an operational facility?
E. Safety
• Risks to worker safety during construction?
• Significant contamination potential?
• Accidents due to new design or other non-reviewed safety questions?
• Involvement of hazardous material?
The following interactive module explains diagramming techniques. It might take a few seconds to load;
please wait until the full module is displayed.
Diagramming techniques are types of flowcharts that show how various elements relate to one another.
They are used to visually display project information to locate specific areas where risk may be
encountered.
Cause-and effect diagrams: Cause and effect diagrams, also called Ishikawa diagrams or fishbone
diagrams - This technique is useful to identify causes of risks because it tracks problems to the root cause
by exploring each potential cause, leading to the effect it produces.
Cause-and-effect diagrams track problems to the root cause. By exploring each potential cause, it can
lead to the effect it produces as shown below. The example show below is from PMBOK Guide, 2000
Edition.
System or process flowchart: Follow the same principles of the cause-and-effect diagram. By outlining
the flow within a system, the display allows potential causes to be identified for consideration.
Influence diagrams (graphical representation): A graphical representation of a problem showing causal

influences, time ordering of events, and other relationships among variables.
Assumptions are factors that, for planning purposes, are considered true, real, or certain. These
assumptions may be positive or negative. Every project is based on a set of hypotheses, scenarios, or
assumptions. Documentation sources for assumptions includes:
• Project Charter
• Scope Statement
Assumptions analysis explores the validity of each assumption. The purpose of assumptions analysis is to
identify risk to the project from inaccuracy, inconsistency or incompleteness of assumptions. One
structured approach is a full review of the current project baseline. Is each element of the Work
Breakdown Structure fully understood? Is the project schedule network correct? Are the proper task
dependencies included?
Using a Process Approach to Identify Risk

In addition to identifying risks based on the project itself, risk identification can occur in project
management processes such as cost, schedule, human resource management, or quality.
• Start with current baseline

• Roll risk plans back into the baseline
• Assess baseline changes for new risk
To conduct an effective identification, the review should include the requirements of the organization’s
risk management plans and policy. These should provide useful guidelines and parameters for conducting
the session. There may be standard forms or templates to ensure compliance with the organization’s ISO
or quality system framework.
The important thing to remember is that the information needed already exists in the form of the current
project baseline information. This factual data changes as the project plan matures and then as the
project commences. It is important to identify the assumptions and the basis for estimation that resulted
in the current project information.
Any assumption should be treated as a risk. Historical information such as closed project files and
lessons-learned reports must be considered. It is important to consider this process as iterative where
risk planning will redefine the baseline and the subsequent risks will continue to impact baseline
measures.
Outputs of Risk Identification

The outputs from risk identification are:
• A list of risks
• A list of triggers or symptoms and warning signs indicating that a risk has occurred or may be an early
warning signal of an impending schedule delay.
• Inputs to other processes-that may identify a need for further action in another area.
Risk identification is an iterative process of identifying which risks might affect the project and
documenting their characteristics. Risk identification results in a written list of risks and triggers. When it
comes to risk identification, if risks and triggers are not written down, they do not exist OR they may exist
in many forms in the minds of many!
Remember, your thoroughness will determine effectiveness of overall risk management effort, and
upfront project planning has a direct effect on the risk management process. Use the following tools to
help identify and document project risks:
• Checklists
• Diagramming methods
• Assumptions analysis

Checklist Example
Risk Screening Criteria Potential for Risk

0 1 2 3
Technology
Time
Contractors
Interfaces
Safety
A. Technology
• New technology?
• Unknown or unclear technology?
• New application of existing technology?
• Modernize advanced technology in existing application?
B. Time
• Project schedule uncertainties or constraints that may impact project completion or
milestone dates?
• Long lead procurement items that may affect the completion of the critical path or
milestones?
• Potential for unavailability of qualified vendors or contractors?
D. Interfaces
• Significant transportation of infrastructure impacts?
• Multiple project interfaces?
• Significant interfaces with an operational facility?
E. Safety
• Risk to worker safety during construction?
• Significant contamination potential?
• Accidents due to new design of other non-reviewed safety questions?
• Involvement of hazardous material?

Topic 2: Risk Monitoring and

Control
Section A: Introducing Risk Monitoring and
Control
Planned risk responses that are included in the project management plan are executed during the life
cycle of the project, but the project work should be continuously monitored for new and changing risks.
Risk Monitoring and Control is the process of identifying, analyzing, and planning for newly arising risks,
keeping track of the identified risks and those on the watch list, reanalyzing existing risks, monitoring
trigger conditions for contingency plans, monitoring residual risks, and reviewing the execution of risk
responses while evaluating their effectiveness. The Risk Monitoring and Control process applies
techniques, such as variance and trend analysis, which require the use of performance data generated
during project execution. Risk Monitoring and Control, as well as the other risk management processes, is
an ongoing process for the life of the project. Other purposes of Risk Monitoring and Control are to
determine if:
• Project assumptions are still valid

• Risk, as assessed, has changed from its prior state, with analysis of trends
• Proper risk management policies and procedures are being followed
• Contingency reserves of cost or schedule should be modified in line with the risks of the project.
1
Risk Monitoring and Control can involve choosing alternative strategies, executing a contingency or
fallback plan, taking corrective action, and modifying the project management plan. The risk response
owner reports periodically to the project manager on the effectiveness of the plan, any unanticipated
effects, and any mid-course correction needed to handle the risk appropriately. Risk Monitoring and
Control also includes updating the organizational process assets, including project lessons-learned
databases and risk management templates for the benefit of future projects.
Inputs Tools & Techniques Outputs
1. Risk management plan 1. Risk reassessment 1. Risk register (updates)

2. Risk register 2. Risk audits 2. Requested changes
3. Approved change 3. Variance and trend 3. Recommended corrective
requests analysis actions
4. Work performance 4. Technical performance 4. Recommended preventive
information measurement actions
5. Performance reports 5. Reserve analysis 5. Organizational process
6. Status meetings assets (updates)
6. Project management plan
(updates)
Figure 1 - Risk Monitoring and Control: Inputs,

Tools & Techniques and Outputs

Risk Monitoring and Control: Inputs

Risk Management Plan
This plan has key inputs that include the assignment of people, including the risk owners, time, and other
resources to project risk management.
Risk Register
The risk register has key inputs that include identified risks and risk owners, agreed-upon risk responses,
specific implementation actions, symptoms and warning signs of risk, residual and secondary risks, a
watch list of low priority risks, and the time and cost contingency reserves.
Approved Change Requests

Approved change requests can include modifications such as work methods, contract terms, scope, and
schedule. Approved changes can generate risks or changes in identified risks, and those changes need to
be analyzed for any effects upon the risk register, risk response plan, or risk management plan. All
changes should be formally documented. Any verbally discussed, but undocumented, changes should not
be processed or implemented.
Work Performance Information

Work performance information, including project deliverables’ status, corrective actions, and performance
reports, are important inputs to Risk Monitoring and Control.
Performance Reports
Performance reports provide information on project work performance, such as an analysis that may
influence the risk management processes.
Risk Monitoring and Control: Tools and Techniques

Risk Reassessment
Risk Monitoring and Control often requires identification of new risks and reassessment of risks, using the
processes of this chapter as appropriate. Project risk reassessments should be regularly scheduled.
Project Risk Management should be an agenda item at project team status meetings. The amount and
detail of repetition that is appropriate depends on how the project progresses relative to its objectives. For
instance, if a risk emerges that was not anticipated in the risk register or included on the watch list, or if
its impact on objectives is different from what was expected, the planned response may not be adequate. It
will then be necessary to perform additional response planning to control the risk.
Risk Audits
Risk audits examine and document the effectiveness of risk responses in dealing with identified risks and
their root causes, as well as the effectiveness of the risk management process.
Variance and Trend Analysis

Trends in the project’s execution should be reviewed using performance data. Earned value analysis and
other methods of project variance and trend analysis may be used for monitoring overall project
performance. Outcomes from these analyses may forecast potential deviation of the project at completion
from cost and schedule targets. Deviation from the baseline plan may indicate the potential impact of
threats or opportunities.
Technical Performance Measurement

Technical performance measurement compares technical accomplishments during project execution to
the project management plan’s schedule of technical achievement. Deviation, such as demonstrating
more or less functionality than planned at a milestone, can help to forecast the degree of success in
achieving the project’s scope.
Reserve Analysis
Throughout execution of the project, some risks may occur, with positive or negative impacts on budget or
schedule contingency reserves. Reserve analysis compares the amount of the contingency reserves
remaining to the amount of risk remaining at any time in the project, in order to determine if the
remaining reserve is adequate.
11

Status Meetings
Project risk management can be an agenda item at periodic status meetings. That item may take no time
or a long time, depending on the risks that have been identified, their priority, and difficulty of response.
Risk management becomes easier the more often it is practiced, and frequent discussions about risk
make talking about risks, particularly threats, easier and more accurate.
Risk Monitoring and Control: Outputs

Risk Register (Updates)
An updated risk register contains:
• Outcomes of risk reassessments, risk audits, and periodic risk reviews. These outcomes may include
updates to probability, impact, priority, response plans, ownership, and other elements of the risk
register. Outcomes can also include closing risks that are no longer applicable.
• The actual outcomes of the project’s risks, and of risk responses that can help project managers plan
for risk throughout the organization, as well as on future projects. This completes the record of risk
management on the project, is an input to the Close Project process, and becomes part of the project
closure documents.
Requested Changes
Implementing contingency plans or workarounds frequently results in a requirement to change the
project management plan to respond to risks. Requested changes are prepared and submitted to the
Integrated Change Control process as an output of the Risk Monitoring and Control process. Approved
change requests are issued and become inputs to the Direct and Manage Project Execution process and to
the Risk Monitoring and Control process.
Recommended Corrective Actions

Recommended corrective actions include contingency plans and workaround plans. The latter are
responses that were not initially planned, but are required to deal with emerging risks that were
previously unidentified or accepted passively. Workarounds should be properly documented and included
in both the Direct and Manage Project Execution and Monitor and Control Project Work processes.
Recommended corrective actions are inputs to the Integrated Change Control process.
Recommended Preventive Actions

Recommended preventive actions are used to bring the project into compliance with the project
management plan.
Organizational Process Assets (Updates)

The six Project Risk Management processes produce information that can be used for future projects, and
should be captured in the organizational process assets. The templates for the risk management plan,
including the probability and impact matrix, and risk register, can be updated at project closure. Risks can
be documented and the RBS updated. Lessons learned from the project risk management activities can
contribute to the lessons learned knowledge database of the organization. Data on the actual costs and
durations of project activities can be added to the organization’s databases. The final versions of the risk
register and the risk management plan templates, checklists, and RBSs are included.
Project Management Plan (Updates)

If the approved change requests have an effect on the risk management processes, then the
corresponding component documents of the project management plan are revised and reissued to reflect
the approved changes. 12

Section B: An Overview of Risk Monitoring

and Control
Risk monitoring and control is the process of tracking identified risks, monitoring residual risks, and
identifying new risks. The project manager is responsible for ensuring the risk plan is properly executed
and for evaluating the effectiveness of the entire risk management process. It is important to remember
that risk monitoring and control is an ongoing process through the life of the project, because risks
change as the project matures; new risks develop, and other risks may disappear. In this lesson, you will
review risk monitoring and control, using the step-by-step procedure.
The step-by-step learning style utilizes a “building block” approach for presenting concepts in a step-by-
step procedural learning style. This approach is particularly appropriate and used in this manual for the
task-oriented areas that have clear step-by- step procedures involved in them.
Section Objectives
• Track risk throughout project execution

• Correlate risk monitoring and project control
• Evaluate the impact of remaining potential risks
• Determine Estimate At Completion (EAC) with consideration of remaining potential risks
• Analyze remaining project contingencies
Risk Monitoring and Control
Definition: Risk Monitoring and Control

Risk monitoring and control is the process of keeping track of the identified risks, monitoring
residual risks and identifying new risks, ensuring the execution of risk plans, and evaluating their
effectiveness in reducing risk.
Risk monitoring and control is a continuous process for the project. A key component is recording risk
metrics to compare against associated contingency plans for each risk. The data gathered from good risk
monitoring helps team members make effective decisions about risks before they occur.
Good monitoring and control processes provide data to help make effective decisions in advance of the
occurrence of risk. Risk monitoring and control record risk metrics that are associated with implementing
contingency plans. It is an ongoing process that lasts the entire life of the project:
• Risks change as the project matures

• New risks develop
• Anticipated risks disappear

Risk Monitoring: The purpose of risk monitoring is to determine if:
• Risk responses have been implemented as planned

• Risk response actions are as effective as expected, or if new responses should be developed
• Project assumptions are still valid
• Risk exposure has changed
• A risk trigger has occurred
• The proper policies and procedures have been followed
• Risks have occurred that were not previously identified

Risk Control: Risk control involves choosing alternative strategies, implementing a contingency plan,
taking corrective action, re-planning the project, and:
• Ensuring risk awareness is an ongoing activity throughout the life of the project
• Redistributing resources devoted to risk management

Section C: Inputs, Tools and Techniques,

and Outputs of Risk Monitoring and Control
This interactive module will explain the inputs, tools and techniques, and outputs of Risk Monitoring and
Control. After the audio is finished playing for the Inputs object, click on that object to get to the Tools and
Techniques information and listen to that audio. When the audio for the Tools and Techniques information
is complete, click on that object to learn more about the Outputs for this process.
Inputs to Risk Monitoring and Control

Inputs to Risk Monitoring and Control include:
• Risk management plan
• Risk response plan
• Project communication
• Additional risk identification and analysis
• Scope changes
The project’s overall change control process is linked to the risk identification and control processes. If a
stakeholder introduces a scope change, the risks of doing so at a particular time of the project life cycle
must be understood before authorizing the change. Such changes could introduce new risks or impact
plans that are in place to control existing risks. Here, the value of a good risk response plan pays off -
what is never written down usually becomes forgotten later, at a time when it is most needed.
The main indication of this process being successfully applied is a smoothly running project. The team is
working well and the project tasks are being completed on time and within budget. There is no unusual
stress, frustration, and exhaustion from working long hours. These desirable outcomes result, ideally,
when the project team properly performs risk management, or when the project is either extremely lucky
or improperly planned with too much reserve (wasting valuable time and resources). The primary output
of the risk monitoring and control process is a risk response plan or, if maintained electronically, a risk
database that is updated regularly. This will show that response plans are complete and are on track,
producing the intended results. If indications are that the risk is changing or not responding to the
response plan, then the project manager must ensure that the plan is adjusted to meet the need.
Can We Answer the Questions?
Here are some questions to think about:
• What approach and rules have we agreed to follow as part of our risk management plan?
• What risks have we identified, analyzed, assigned owners with responsibilities, and have agreed to
response actions?
• What results are we looking for, how are they being tracked and communicated?
• Have new risks surfaced?
• Have there been scope changes (which may require new risk analysis and response plans?)
Tools and Techniques of Risk Monitoring and Control
Tools and techniques of Risk Monitoring and Control include:
• Project risk response audits

• Periodic project risk reviews
• Earned value analysis
• Technical performance measurement
• Additional risk response planning
Risk monitoring and control, corresponds to the controlling phase of the project. As the project is
executed, the project controls are in place to ensure that results are meeting expectations, and if they are
not, corrective action is initiated. Similarly, in risk management, each individual risk response plan is a
miniature or sub-project with planned scope, budget, and schedule. The project manager must ensure
that these plans are not overlooked or pushed out of the way. Doing this would be like planning for a fire
department but never actually checking for fires, nor observing the regulations that prevent them.
The factors affecting the choice of control techniques are:
• Degree of detail needed

• Frequency of feedback
• Accuracy of feedback
• Timeliness of feedback
• Formality of feedback
• Cost of producing information/feedback
Periodic Project Risk Reviews: The primary technique of the monitor and control process is to conduct
regularly scheduled risk reviews. In such a meeting, the project manager, or the assigned risk manager,
reports to the project team and stakeholders on the progress of each risk. Any inconsistencies between
the response plan and the accompanying action should be identified and addressed.
Further monitoring and control occur as part of the normal project controls that have been established in
the project plan. Regular review and analysis of earned value is a key risk indicator. Cost or schedule
variances or trends may be considered risk indications. For example, a project may have been defined as
under control if the variances are within 5% of the plan. Exceeding 5% is a risk trigger, which should
require some form of preplanned corrective action.
In this process, project management and risk management are in many ways synonymous terms. A good
project manager is a good risk manager, and vice versa. The same disciplines of good common sense,
alertness, planning, and follow-through apply to both. Periodic risk reviews controls high risks by:
• Conducting regular reviews, the periodicity is based on the severity of the risk and includes progress
on mitigation actions
• Monitoring risk metrics and triggers
• Escalating responses as required
An approach to consider when you set up the process for risk review is to select one of the following risks
to review.
• Top 10 on the review list

• Top 20 percent
• Red and yellow risks
Note. Add the risk review as a regular agenda item at all team meetings.
During execution of the project, risk monitoring and control is evident when the project manager and team
meet regularly to review the project and the status of its associated risks. A quality assurance audit
intended to verify the risk management practices would look for evidence of regular meeting minutes, a
risk database that was kept up-to-date, and metrics reports that showed that the overall trend of the risk
profile (of probability and impact) was decreasing throughout the project life cycle.
A current risk list should be posted on the project room status board. Risk response action plans show
that assigned tasks were performed and closed out. New risks are identified on a regular basis and added
to the risk response planning cycle.

Risk Response Audits: Throughout the project life cycle, the project manager should perform an audit to
examine and document the effectiveness of the risk response to identify:
• Avoidance
• Transference
• Mitigating risk occurrence
• Effectiveness of the risk owner
Sample Risk Reporting Format

Earned Value Analysis: Earned value analysis is used for monitoring overall project performance against
the baseline plan. Results from an earned value analysis may indicate potential deviation of the project at
completion from cost schedule targets. When a project deviates significantly from the baseline, updated
risk identification and analysis should be performed.
Technical Performance Measurement: Another type of control is the regular use of project metrics and
technical performance measures. A technical measure might be the weight limit of the module for a
communications satellite, or the capacity of a computer network. These are normally planned with a
reserve capacity, and deterioration of this reserve serves as a risk indication.
It is important for you to understand how technical performance data is reported and how it gives a
measure of risk control. Technical performance measurement compares technical accomplishments
during project execution to the project plan’s schedule of technical achievements. This includes:
• Performance goals
• Milestones, and schedules listed in project plan
Deviations to a planned milestone schedule may imply a potential or realized risk exists in achieving the
project objectives.
Sample Technician Performance Report

Additional Risk Response Planning: Additional risk response planning may be required when an
unanticipated risk emerges that was not documented in the risk response plan, or its impact on objectives
is greater than anticipated. This may require “emergency action” or additional planning. When you are
developing the risk management plan, check to see if it has:
• An agreed course of action

• A process for handling
• Ownership
• A stated level of authority
Outputs from Risk Monitoring and Control

Outputs from Risk Monitoring and Control include:
• Workaround plans
• Corrective action
• Project change requests
• Updates to risk response plan
• Risk database
• Updates to risk identification checklists
Any decision to alter the project plan must be dealt with as a project change and must be implemented in
a controlled fashion. How does it affect the current work breakdown structure, cost baseline, and
schedule? Rather than make quick assumptions, and thereby generate new risk, it is more valuable to
take time to make sure the change is properly integrated.
Workaround Plans: Workarounds are unplanned responses to emerging risks that were previously
unidentified or accepted. Workaround plans must be properly documented and incorporated into a:
• Project plan
• Risk response plan
Corrective Action: Corrective action consists of performing the contingency or workarounds.
Project Change Requests: Changes frequently result from workarounds and contingency actions. These
changes must be analyzed, their impact determined, and corrective action taken when necessary. Change
requests are required to ensure:
• Performance measurement baseline integrity is maintained

• Scope affecting changes are documented
• Changes are coordinated across entire project
Updates to the Risk Response Plan: Risks may or may not occur. Updates will provide a revised listing of
realized risks. Realized risks should be documented and evaluated in risk response plan. Risk rankings
must be reassessed to ensure most important risks are being addressed. Risks not occurring should be
documented and closed in the risk response plan.
Risk Database: A data repository is used in the collection, maintenance, and analysis of data used in the
risk management process. This database will be used by the project team and other members of the
organization and, over time, will form the basis for the lessons learned program. The risk database can be
as simple as keeping data in an MS Access or Excel document or as complex as using specific risk
management software.

Section D: Analytical Tools of Risk

Monitoring and Control
The availability of technology and software for risk analysis continues to grow. Tools evolve as
technological capabilities increase. Project managers with many years of experience can remember when
many of these activities were paper-driven and paper- stored. Analytical tools can be useful for the
following:
• To capture corporate knowledge

• Prepare team for subsequent actions
• Drive calculations
• Organize documentation
• Internal/external communications
• As a perception driver
Analytical Tools
There needs to be careful consideration in the selection and use of software as an analytical tool. The
project manager and the project team should understand their requirements and determine what they
need, rather than let a software package force them into a particular direction. First, define the
requirements; then select the tool.
Concerns using Analytical Tools Advantages for using Analytical Tools

Organization of large amount of data
Expert judgment chosen over techniques
Inputs are deficient or erroneous Technical sophistication

Poor assumptions Calculations
Requires system or tool expertise Sophistication and consistency of output

Manual 3-Project Risk Management-Book 2

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Manual 3-Project Risk Management-Book 2

Uploaded by

Copyright:

Available Formats

Manual 3

Project Risk Management

Book 2 of 4: The Risk Management Process …Page 2 of 28

Topic 1: Risk Identification

Inputs Tools & Techniques Outputs

1. Enterprise environmental 1. Documentation review 1. Risk register

Figure 1 - Risk Identification: Inputs, Tools & Techniques, and Outputs

Book 2 of 4: The Risk Management Process …Page 3 of 28

Risk Identification: Inputs

• Organizational Process Assets

• Project Scope Statement

• Risk Management Plan

• Project Management Plan

Risk Identification: Tools and Techniques

Information Gathering Techniques

Book 2 of 4: The Risk Management Process …Page 4 of 28

Book 2 of 4: The Risk Management Process …Page 5 of 28

Section B: An Overview of Risk

Organizational Procurement Solicitation

Communications Risk Risk Risk Risk

Communications Risk Qualitative Risk Quantitative Risk Risk response

Upside and Downside Risk

Book 2 of 4: The Risk Management Process …Page 6 of 28

Typical Project Risks

• Technology: Technology or technical approach chosen to achieve the project objectives

Defining Risk Identification

Definition: Risk Identification

Inputs, Tools and Techniques, and Outputs of Risk

Book 2 of 4: The Risk Management Process …Page 7 of 28

Tools and Techniques of Risk Identification

Tools and Techniques of risk identification include:

Information Gathering Techniques

Brainstorming: Team members generate a comprehensive list of potential risks

Book 2 of 4: The Risk Management Process …Page 8 of 28

Project Risk Categories and Screening Questions (Sample)

Project Risk Categories and Screening Questions Yes No

Unknown or unclear technology?

New application of existing technology?

Modernize advanced technology in existing application?

Multiple project interfaces?

Significant interfaces with an operational facility?

Significant contamination potential?

Accidents due to new design or other non-reviewed safety questions?

Involvement of hazardous material?

Book 2 of 4: The Risk Management Process …Page 9 of 28

Diagramming techniques include:

Expected Outputs of Risk Identification

Expected outputs of risk identification include:

Book 2 of 4: The Risk Management Process …Page 10 of 28

Section C: Risk Identification: In-Depth

Risk Identification - Categories

Book 2 of 4: The Risk Management Process …Page 11 of 28

Book 2 of 4: The Risk Management Process …Page 12 of 28

Section D: Inputs, Tools and Techniques,

• Risk management plan

Determine Risk Categories

Book 2 of 4: The Risk Management Process …Page 13 of 28

Tools and techniques used for risk identification include:

The following page will explain how information is gathered.

Book 2 of 4: The Risk Management Process …Page 14 of 28

Strengths, Weaknesses, Opportunities, and Threats (SWOT) Analysis:

Note: SWOT analysis is seldom used today as a risk identification tool.

Check list example

Risk Screening Criteria Potential Risk