Book 3 of 4
Identifying Monitoring and Controlling
Manual 3: Project Risk Management
Contents
Topic 1: Risk Management Process
Section A: Introducing Risk Management Process
Risk Management Processes
Project Risk Management
Risk Management Process Group
Fundamental Principles of Risk Management
Basis for Grading
Section C: Inputs, Tools and Techniques, and Outputs of Risk Management Planning
Risk Management Planning
Inputs to Risk Management Planning
Tools and Techniques of Risk Management Planning
CASE STUDY: DREAM BUILDERS INC.
CURRENT PROJECT
CONSTRAINTS & ASSUMPTIONS
Section C: Inputs, Tools and Techniques, and Outputs of Risk Response Planning
Inputs to Risk Response Planning
Tools and Techniques of Risk Response Planning
Transference Using Contracts
Inputs: Can We Answer the Questions?
Schedule Mitigation Strategies
Cost Mitigation Strategies
Technical Mitigation Strategies
Suggested Risk Management and Mitigation Strategies
Using a Graded Approach in Determining Risk Response Strategies
Low and Medium Risks
High Risks
Application of a Graded Approach
Factors Affecting Choice of Control Techniques
Benefits of Balancing Controls
Benefits of Balancing Controls with Risk
Minimum techniques
Outputs from Risk Response Planning
Reserve Management vs. Contingency Reserve
Similarly, the project manager should actively seek opportunities to introduce positive events, thereby
enhancing project performance. Although risk management may mean different things depending on the
industry in question, this course covers all aspects of risk management as defined by the Project
Management Institute. Despite differences across industries, the fundamentals of risk management are
universally recognized.
The risk management process should begin even before the project initiation phase, as it should be rooted
in the organization’s culture and policy. Without a well-established expectation and modeled behavior by
senior management, attempts by individual project managers to manage risk are likely to be
misunderstood and unfruitful.
Planning for risk management is similar to the other processes in the planning phase (quality planning,
communications planning, human resource planning). In these processes, organizational standards and
policies often provide guidance to ensure a degree of consistency across projects. Likewise, planning for
risk management on the project involves choosing the best application of organizational policies
commensurate with the overall risk of the project.
The risk management plan is the project manager’s commitment to the sponsor and organization
concerning standards for risk management.
Risk Identification: The process of determining which risks might affect the project and documenting
their characteristics.
Qualitative Risk Analysis: The process of assessing the impact and likelihood of identified risks.
Quantitative Risk Analysis: The process of analyzing numerically the probability of each risk and its
consequence on project objectives, as well as the extent of overall project risk.
Risk Response Planning: The process of developing options and determining actions to enhance
opportunities and reduce threats to the project objectives.
Risk Monitoring and Control: The process of keeping track of the identified risks, monitoring residual
risks, and identifying new risks, ensuring the execution of risk plans, and evaluating their effectiveness in
reducing risk.
What do we mean by realized risk? Simply stated, this term describes the impact to the project should the
risk actually occur in an unmitigated manner. An illustration would be the development of a work-around
strategy that adds five days to the project schedule in order to avoid a prospective risk, but implementing
the strategy causes an additional schedule delay of three days. This is not wise risk management.
In some project domains, the idea of realized risk is replaced by the value of the risk factored by the
probability of it occurring. Statistically, a risk with an impact of $50,000 but only 10% likely to occur is
worth, or has an expected value of, $5,000. Using the above illustration, you should not spend more than
$5,000 to defeat such a risk. In a given project you will have dozens of risks, and only a portion of them will
actually occur. You could not reasonably spend up to the full value of each risk in order to defend your
project. Additional discussion of the statistical basis of risk will be seen in the material on Monte Carlo
analysis covered in the concept: Quantitative Risk Analysis.
A formal, documented process should be used in determining the application of the graded approach.
Such a process should be documented in the risk management plan. This process normally begins with an
analysis of the risk to the project’s successful completion as conceived and planned. It is an analysis of
those potential problems that may interfere with the successful completion of the project. In one sense,
project management is the art and skill of bringing a project to successful completion through the
management and mitigation of risk. Project managers are risk managers.
Select a flexible process, or one that permits the project manager to choose a more or less rigorous
project management approach and use:
The project dollar value, complexity, visibility, and stake, i.e., what is at stake if this project fails, are the
basis for determining the application of a graded approach. Typically, dollar value, complexity, and
visibility are just other types or forms of the idea of project stake or project risk.
When determining and applying the graded approach, project stake should be the only basis. This could
lead to a clearer definition of the application of the graded approach: the risk-based graded approach.
Whether participating in the initial, formal risk assessments, or contributing to the follow-up analysis and
control of risks, each participant must be fully involved. This may require the project manager to exercise
the soft skills to draw out the quiet team members and to gracefully control the more outspoken
members.
When doing a formal assessment, thought must be given to establishing a meeting that encourages input
from all perspectives on the project. This may include the customer and other stakeholders not normally
considered as having direct or valid input. The feedback from other individuals in an organization that have
timely and vital lessons learned from similar experiences is extremely valuable and should be included.
The project manager is ultimately responsible for the risk management, but needs participation from all
team members. Gaining that commitment to participate is a project manager’s responsibility.
Project Team
The project management team typically consists of the following members:
• Project manager
• Team leaders
• Team members
• Subject matter experts
• Engineers and other employees
• Project sponsors
• Customers
• Others as required
All project managers are essentially risk managers, using their skill to mitigate risk. Project managers
typically:
Discussion Topic
Think about the organization where you work.
1. Identify the typical phases of the project life cycle in your industry or business.
2. Identify the deciding points between the phases and who makes the decision to proceed to the
next phase.
3. Does your company use a standard life cycle for projects?
• Methodology. Defines the approaches, tools, and data sources that may be used to perform risk
management on the project.
• Roles and responsibilities. Defines the lead, support, and risk management team membership for
each type of activity in the risk management plan, assigns people to these roles, and clarifies their
responsibilities.
• Budgeting. Assigns resources and estimates costs needed for risk management for inclusion in the
project cost baseline.
• Timing. Defines when and how often the risk management process will be performed throughout the
project life cycle, and establishes risk management activities to be included in the project schedule.
• Risk categories. Provides a structure that ensures a comprehensive process of systematically
identifying risk to a consistent level of detail and contributes to the effectiveness and quality of Risk
Identification. An organization can use a previously prepared categorization of typical risks. A risk
breakdown structure (RBS) (Figure 2) is one approach to providing such a structure, but it can also be
addressed by simply listing the various aspects of the project. The risk categories may be revisited
during the Risk Identification process. A good practice is to review the risk categories during the Risk
Management Planning process prior to their use in the Risk Identification process. Risk categories
based on prior projects may need to be tailored, adjusted, or extended to new situations before those
categories can be used on the current project.
• Definitions of risk probability and impact. The quality and credibility of the Qualitative Risk Analysis
process requires that different levels of the risks’ probabilities and impacts be defined. General
definitions of probability levels and impact levels are tailored to the individual project during the Risk
Management Planning process for use in the Qualitative Risk Analysis process.
Figure 2 - Example of a Risk Breakdown Structure (RBS): Project, divided into Technical, External, Organizational, and Project Management.
The Risk Breakdown Structure (RBS) lists the categories and sub-categories within which risks may arise for
a typical project. Different RBSs will be appropriate for different types of projects and different types of
organizations. One benefit of this approach is to remind participants in a risk identification exercise of the
many sources from which project risk may arise.
A relative scale representing probability values from “very unlikely” to “almost certainty” could be used.
Alternatively, assigned numerical probabilities on a general scale (e.g., 0.1, 0.3, 0.5, 0.7, 0.9) can be used.
Another approach to calibrating probability involves developing descriptions of the state of the project that
relate to the risk under consideration (e.g., the degree of maturity of the project design).
The impact scale reflects the significance of impact, either negative for threats or positive for
opportunities, on each project objective if a risk occurs. Impact scales are specific to the objective
potentially impacted, the type and size of the project, the organization’s strategies and financial state, and
the organization’s sensitivity to particular impacts. Relative scales for impact are simply rank-ordered
descriptors such as “very low,” “low,” “moderate,” “high,” and “very high,” reflecting increasingly extreme
impacts as defined by the organization. Alternatively, numeric scales assign values to these impacts.
These values may be linear (e.g., 0.1, 0.3, 0.5, 0.7, 0.9) or nonlinear (e.g., 0.05, 0.1, 0.2, 0.4, 0.8). Nonlinear
scales may represent the organization’s desire to avoid high-impact threats or exploit high-impact
opportunities, even if they have relatively low probability. In using nonlinear scales, it is important to
understand what is meant by the numbers and their relationship to each other, how they were derived,
and the effect they may have on the different objectives of the project.
Figure 3 is an example of definitions of negative impacts that might be used in evaluating risk impacts
related to four project objectives. That figure illustrates both relative and numeric (in this case, nonlinear)
approaches. The figure is not intended to imply that the relative and numeric terms are equivalent, but to
show the two alternatives in one figure rather than two.
• Probability and impact matrix. Risks are prioritized according to their potential implications for
meeting the project’s objectives. The typical approach to prioritizing risks is to use a look-up table or a
Probability and Impact Matrix. The specific combinations of probability and impact that lead to a risk
being rated as “high,” “moderate,” or “low” importance—with the corresponding importance for
planning responses to the risk—are usually set by the organization. They are reviewed and can be
tailored to the specific project during the Risk Management Planning process.
This table presents examples of risk impact definitions for four different project objectives. They should be tailored in the Risk
Management Planning process to the individual project and to the organization’s risk thresholds. Impact definitions can be
developed for opportunities in a similar way.
• Revised stakeholders’ tolerances. Stakeholders’ tolerances may be revised in the Risk Management
Planning process, as they apply to the specific project.
• Reporting formats. Describes the content and format of the risk register as well as any other risk
reports required. Defines how the outcomes of the risk management processes will be documented,
analyzed, and communicated.
• Tracking. Documents how all facets of risk activities will be recorded for the benefit of the current
project, future needs, and lessons learned. Documents whether and how risk management processes
will be audited.
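The probability and impact matrix described above, worked through with the linear and nonlinear impact scales quoted in the text, as an added example that is not part of the original manual. The high and moderate thresholds, the mapping of the five impact ranks onto the numeric scales, and the probability and impact values given to the three case-study risks are assumptions constructed for illustration.

```python
"""Probability and impact matrix under linear and nonlinear impact scales."""

PROBABILITIES = [0.1, 0.3, 0.5, 0.7, 0.9]       # general probability scale from the text
LINEAR_IMPACT = [0.1, 0.3, 0.5, 0.7, 0.9]       # linear impact scale from the text
NONLINEAR_IMPACT = [0.05, 0.1, 0.2, 0.4, 0.8]   # nonlinear impact scale from the text

# Assumed thresholds: the text says these are set by the organization.
HIGH_AT = 0.18
MODERATE_AT = 0.05

# Constructed register: (risk, probability, impact rank 0-4 where 4 is "very high").
# The risk names come from the case study; the numbers are invented for this example.
REGISTER = [
    ("plumbing contractor delay", 0.7, 2),
    ("significant earthquake", 0.3, 4),
    ("slab settling", 0.3, 3),
]


def score(probability, impact_rank, impact_scale):
    """Return probability x impact for one risk, rounded to avoid float noise."""
    if probability not in PROBABILITIES:
        raise ValueError(f"probability {probability} is not on the agreed scale")
    if not 0 <= impact_rank < len(impact_scale):
        raise ValueError(f"impact rank {impact_rank} is not on the agreed scale")
    return round(probability * impact_scale[impact_rank], 4)


def rate(value):
    """Translate a score into the rating used to prioritize responses."""
    if value >= HIGH_AT:
        return "high"
    if value >= MODERATE_AT:
        return "moderate"
    return "low"


def build_matrix(impact_scale):
    """Build the look-up table: one row per probability (highest first)."""
    return [
        [rate(score(p, rank, impact_scale)) for rank in range(len(impact_scale))]
        for p in reversed(PROBABILITIES)
    ]


def rank_register(register, impact_scale):
    """Return (risk, score, rating) tuples ordered from highest score to lowest."""
    scored = [(name, score(p, rank, impact_scale)) for name, p, rank in register]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, value, rate(value)) for name, value in scored]


if __name__ == "__main__":
    for label, scale in (("linear", LINEAR_IMPACT), ("nonlinear", NONLINEAR_IMPACT)):
        print(f"{label} impact scale")
        for name, value, rating in rank_register(REGISTER, scale):
            print(f"  {name:28s} {value:5.2f}  {rating}")
```

With these inputs the frequent, moderate-impact contractor delay ranks first on the linear scale, while the nonlinear scale moves the low-probability, very-high-impact earthquake to the top.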
Section Objectives
• Define risk management planning
• Identify the inputs, tools and techniques, and outputs of risk management planning
• Define what should be included in planning meetings
Organizational policies such as specific risk management policies and other definitions of functional
(matrix) roles and responsibilities must be known prior to effectively planning for risk management.
Stakeholder tolerances for risk should be documented. The undocumented expectations or rules of
behavior of senior management should be understood, such as the expectation that certain reports will be
made.
A risk management plan template will probably exist in organizations with standards for quality systems
such as the ISO 9000 series. Applying the template ensures consistency, allowing individuals from
different projects to easily comprehend the risk plans on a specific project.
Information in the documents already contained as part of the project plan (charter, scope statement,
roles and responsibilities matrix (RAM), and the WBS) helps provide an understanding of:
Charter: Defines scope, project deliverables, and risks; what can be planned for based on issues
regarding risks to scope changes or the nature of deliverables.
Organization’s risk management policies: Organizations may have legal regulations or organizational
policies for specific types of risks; hazardous materials handling and disposal are good examples.
Defined roles and responsibilities: Dependent upon the organizational structure, certain types of risks
may be accountable to specific parties in an organization, and the responsibility for dealing with these
risks is the responsibility of the assigned parties.
Stakeholder risk tolerances: In working with stakeholders, the project manager should discover what
their risk tolerance is to certain types of risk. The project manager should consider any documentation
and historical data to determine risk tolerances as they relate to project scope, quality, budget, schedule,
or other risks specific to their project.
Template for the organization’s risk management plan: An organization may have a well-defined
approach and template for risk management planning. A template from previous project efforts can be
used and helps define and explain the organization’s methodology regarding risk tolerance. Company risk
tolerance can be described as one of the following:
Remember that it is important for the project manager and project team to know the risk tolerance of a
company early in the risk-planning phase.
Work Breakdown Structure (WBS): The WBS breaks down the project into work packages; risks can be
identified, managed, and planned by analyzing the nature of the work packages in the WBS.
• Project manager
• Project team leaders
• Key stakeholders
• Others in organization responsible for risk activities
The project team, stakeholders, and participants from regulatory agencies may be involved in the project
planning meeting. The preparation of the plan is not simply acquiring the standard template and filling in
the paragraphs. The goal is to review the project charter (project objectives, goals, assumptions and
constraints), which leads to a definition of the overall project risk. The meeting also documents all of the
planning assumptions, which lend themselves to early identification of risks.
The planning meeting should establish an understanding of the types and extent of project controls that
will be in place for project monitoring and control. This leads to an understanding of the risk controls for
low and medium risks, which are typically sufficiently covered (under the graded approach) by prudent use
of available controls.
• Who will lead, support, and identify team members for each type of risk action
• What approaches, tools, and data sources will be used
• What scoring and interpretation methods will be used
• What threshold criteria will be acted upon and by whom
• How much it will cost
• How often the risk management process will be performed
• How reports will be generated and what standard content will be included, analyzed, and
communicated
• How all the risk activities will be recorded and/or tracked
The single output of the process is a risk management plan that describes how the risk management
process will be structured and performed during the project life cycle. Typical topics covered in a risk
management plan are as follows:
• Methodology
• Roles and responsibilities
• Budgeting
• Timing
• Scoring and interpretation
• Thresholds
• Reporting formats
• Tracking
The risk management plan also describes how you will implement and carry out the various risk
processes: risk identification, qualitative and quantitative analysis, risk response planning, and risk
monitoring and control during the life of the project.
The plan does not note the responses to specific risks (which is the purpose of the risk response plan), but
notes the broader methodology of how risk will be planned for and managed during the life cycle of the
project. The project team signs off on the risk management plan. This ensures that they have a
commitment to the plan and feel empowered to actively participate in risk management activities.
The risk management plan should be part of the project baseline. Cost and budget segments of a project
plan are not complete until risk is accounted for. As project managers progress through subsequent
stages of risk management, they should adapt the risk management plan to meet the different risk
environments they encounter. This course explores the different processes of risk management. You will
adapt a risk management plan to address the risks of your course project. A template for the risk
management plan using a standard outline is normally used in an organization and distributed to all
relevant project stakeholders.
Joe Dreamer, the President of Dream Builders, Inc., has been building affordable homes since 1972. His
vision is to provide affordable housing to everyone. The pride of Joe Dreamer and Dream Builders Inc. is
their ability to provide the “American Dream” to all Americans by providing them with quality affordable
homes. Their homes are considered “starter homes” for young couples and first-time homebuyers.
Joe Dreamer is an incredible visionary. Back in 1979 Joe purchased four large parcels of land in Southern
California all in close proximity to each other. As of today, Joe has developed two of those four parcels of
land, resulting in 8,000 homes built and sold to date. The interesting approach Joe has is to leave a few
choice parcels of undeveloped land in each neighborhood. The few choice parcels of land will be utilized
as model homes for the developments yet to be built. The idea is that new home shoppers will not have to
visualize what an established neighborhood will look like in years to come, but to the contrary they will be
able to see their choice model home in a real life setting. Once the adjacent neighborhood is completely
sold, the model homes in the existing neighborhoods will be sold as well.
Recently, Dream Builders has concentrated their building in Southern California. This is due to
demographic reports and feasibility studies that indicate that there is a high interest by newly married
couples for housing in that region. Through further research with banks and other lending institutions
regarding loan qualification requirements for affordable housing, Dream Builders has confirmed that their
affordable housing program fits well within the scope of requirements for this demographic group.
Dream Builders has kept their costs low by developing strong relationships with contractors (such as
plumbers, electricians, etc.) and ensuring they pass on substantial business to these individuals. This has
enabled Dream Builders to be able to rely on the contractors to work with Dream Builders whenever
Dream Builders needs them. Unfortunately, both Dream Builders and another large construction company
have kept the plumbing contractor exceptionally busy lately and some work has been delayed. Dream
Builders is working on developing relationships with other plumbing contractors in order to ensure no
delays occur on their projects, but these relationships will take some time to cultivate.
Given that Dream Builders has concentrated their business in California, they are well known for
developing high-quality housing that fits well into existing neighborhoods. Dream Builders also works well
with surrounding property owners, ensuring they are kept updated on progress and getting their buy-in
for future development efforts in their community. Dream Builders is known for maintaining the
landscaping around housing built, including cutting down minimal trees and investing a significant amount
into lawn, flowers, and shrubs. The materials Dream Builders uses in building homes are above the
requirements of the building codes for an area where earthquakes are of concern to residents.
CURRENT PROJECT
Dream Builders Prototype 63a is Dream Builders, Inc.'s most recent project. This project entails building
a 1,500 square foot ranch style home on a pre-existing developed 100 foot by 200 foot building lot within a
previously developed neighborhood. If this project goes well, Dream Builders can expect to build similar
homes in other previously developed neighborhoods throughout Southern California.
GOALS
Dream Builders is planning on having the home ready to be showcased at the annual spring housing
convention, which premieres available new homes to local realty companies.
Dream Builders has developed strong relationships with local realtors by working with them to develop
affordable homes for their clients. They know that if this new home receives a favorable review at the
annual spring housing convention, Dream Builders Inc. can expect a quick sale and support for doing
additional similar projects in other neighborhoods in Southern California. Within five years, Dream
Builders would like to expand to other areas of California and eventually develop their business nationally.
PROJECT CHARTER
This Project Charter was completed during the Project Initiation phase. It is an executive overview
intended to facilitate discussion, and to provide formal authorization to proceed. This entire document is
typically between two and four pages when complete. It is not a detailed planning document. Information
will likely be limited in terms of reliability and completeness. It is written with the intent of supplying
information at the level of the people reading it.
EXECUTIVE OVERVIEW
Dream Builders will construct a 1,500 sq. ft. ranch style home on a pre-existing developed 100 foot by 200
foot building lot within a previously developed neighborhood. The house will consist of three bedrooms,
one kitchen, one bathroom, one laundry room, and a one-car garage. All electrical, plumbing, and heating
will be installed in conformance with local codes.
BUSINESS JUSTIFICATION
Dream Builders has been building affordable homes since 1972. The Southern California demographics
report and our own independent feasibility study indicate a high interest by newly married couples for
housing in this region, and loan qualification records indicate Dream Builders' housing program fits well
within the scope of requirements of this baby boomer generation. A significant advantage is directly
related to the rate at which Dream Builders bulk purchased land in this region. High profit margins are
well within reach based on the initial reports.
GENERAL STRATEGY
The overall approach to the project will be to segment the project into five phases, allowing close
monitoring of progress. Subcontractors will do all work with the exception of the framing and finish work.
KEY OBJECTIVES
Dream Builders must start construction within the next four weeks in order to meet the deadline for the
annual spring housing convention, which premieres available new homes to local realty companies. This
is a key driver for success of a quick sale and return on investment. Strict adherence to the approved
plans is critical, as the neighborhood development committee has required Dream Builders to maintain
the original likeness of the adjoining homes.
KEY DELIVERABLES
QUALITY STATEMENT
Dream Builders will utilize our home development methodology as an integral framework for our Quality
Plan regarding this initiative. Additionally, local code enforcement agencies will perform inspections in
respect to local code standards.
FINANCIAL ESTIMATES
This estimate is based on current run rates of homes built by Dream Builders within the last 12 months.
Based on this data we are using a parametric model of $90.00 per square foot. This excludes the cost of
the land and associated developed costs. The accuracy of this estimate is +/- 25%. 1,500 sq. ft. * $90.00 =
$135,000.00.
INITIAL ASSUMPTIONS
• Based on previous experience, we expect to be able to have permit approvals within 30 days.
• We assume inspections can be completed in 48 hours.
• We expect a minimal amount of rain, based on long-range forecasts and the Farmers Almanac.
• We expect to have our internal resources available during the project.
• We expect to have approval for a booth at the Spring Realtors Convention.
• We expect economic indicators to remain stable, and lending rates to remain consistent.
INITIAL CONSTRAINTS
• There is a fixed end date of April 20. This is the day of the Realtors Convention.
• There are new codes in regards to earthquakes; they require new materials and extended periods for
inspections.
• The local building department is currently short staffed; inspections have typically been delaying our
schedules.
MAJOR RISKS
• Seismic activity in the region has been high; based on research compiled at U.C. Berkeley in the
earthquake catalog, there are indications of a significant earthquake.
• Recently our plumbing contractor has been too busy to keep up with the fast-paced scheduling, causing
delays in other projects.
• Research of Lessons Learned during the original construction of the neighborhood back in 1976
showed some inconsistency in soil density, resulting in significant settling of the concrete slabs. This
settling caused significant increase in costs related to rework. The property proposed for development
is next door to one of the original houses that experienced this problem.
PROJECT TEAM
Project Team (Sub Contractors): Perform work package tasks as directed and within the
defined scope and time. Communicate results.
APPROVALS
At a minimum, the Project Sponsor, Senior Manager, and the Project Manager should sign this document.
It may be advisable to include providers of key resources (functional managers, for example) and / or key
stakeholders.
SCOPE STATEMENT
The scope statement provides a documented basis for making future project decisions and for confirming
or developing common understanding of project scope among the stakeholders. As the project
progresses, the scope statement may need to be revised or refined to reflect approved changes to the
scope of the project.
Dream Builders Prototype 63a - 15334 Sunny Street, Laguna Beach, California
PROJECT JUSTIFICATION
Dream Builders has been building affordable homes since 1972. The Southern California demographics
report and our own independent feasibility study indicate a high interest by newly married couples for
housing in this region, and loan qualification records indicate Dream Builders' housing program fits well
within the scope of requirements of this baby boomer generation. A significant advantage is directly
related to the rate at which Dream Builders bulk purchased land in this region. High profit margins are
well within reach based on the initial reports.
PRODUCT DESCRIPTION
Dream Builders' final product as a result of this project is a 1,500 sq. ft. ranch style home on a pre-existing
developed 100 foot by 200 foot building lot within a previously developed neighborhood. The house will
consist of three bedrooms, one kitchen, one bathroom, one laundry room, and a one-car garage. All
electrical, plumbing, and heating will be installed in conformance with local codes. The exterior of the
home will match the existing neighborhood, vinyl siding with vinyl builders’ grade windows.
PROJECT OBJECTIVES
SUPPORTING DETAIL
• Based on previous experience, we expect to be able to have permit approvals within 30 days.
• We assume inspections can be completed in 48 hours.
• We expect a minimal amount of rain, based on long-range forecasts and the Farmers Almanac.
• We expect to have our internal resources available during the project.
• We expect to have approval for a booth at the Spring Realtors Convention.
• We expect economic indicators to remain stable, and lending rates to remain consistent.
CONSTRAINTS
• There is a fixed end date of April 20. This is the day of the Realtors Convention.
• There are new codes in regards to earthquakes; they require new materials and extended periods for
inspections.
• The local building department is currently short staffed; inspections have typically been delaying our
schedules.
SCOPE MANAGEMENT
The scope of the project will be managed against the approved building plans and specifications. The
schedule, as well as estimated costs, roles and responsibilities, and risk responses will be managed from
the project plan. Any changes in scope are subject to approval. The Project Manager for Dream Builders is
responsible for all change requests, and must follow Dream Builders policies and procedures for change.
Noncompliance or unauthorized changes may result in disciplinary action.
• Seismic activity in the region has been high; based on research compiled at U.C. Berkeley in the
earthquake catalog, there are indications of a significant earthquake.
• Recently our plumbing contractor has been too busy to keep up with the fast-paced scheduling, causing
delays in other projects.
• Research of Lessons Learned during the original construction of the neighborhood back in 1976
showed some inconsistency in soil density, resulting in significant settling of the concrete slabs. This
settling caused significant increase in costs related to rework. The property proposed for development
is next door to one of the original houses that experienced this problem.
Inputs
1. Risk management plan
2. Risk register
Tools and Techniques
1. Strategies for negative risk or threats
2. Strategies for positive risk or opportunities
3. Strategy for both threats and opportunities
4. Contingent response strategy
Outputs
1. Risk register (updates)
2. Project management plan (updates)
3. Risk-related contractual agreements
Some components of the Risk Management Plan that are important inputs to Risk Response Planning may
include risk thresholds for low, moderate, and high risks to help understand those risks for which
responses are needed, assignment of personnel and scheduling and budgeting for risk response planning.
Risk Register
The risk register is first developed in the Risk Identification process, and is updated during the Qualitative
and Quantitative Risk Analysis processes. The Risk Response Planning process may have to refer back to
identified risks, root causes of risks, lists of potential responses, risk owners, symptoms, and warning
signs in developing risk responses. Important inputs to Risk Response Planning include the relative rating
or priority list of project risks, a list of risks requiring response in the near term, a list of risks for
additional analysis and response, trends in qualitative risk analysis results, root causes, risks grouped by
categories, and a watch list of low priority risks. The risk register is further updated during the
Quantitative Risk Analysis process.
• Avoid. Risk avoidance involves changing the project management plan to eliminate the threat posed
by an adverse risk, to isolate the project objectives from the risk’s impact, or to relax the objective that
is in jeopardy, such as extending the schedule or reducing scope. Some risks that arise early in the
project can be avoided by clarifying requirements, obtaining information, improving communication, or
acquiring expertise.
• Transfer. Risk transference requires shifting the negative impact of a threat, along with ownership of
the response, to a third party. Transferring the risk simply gives another party responsibility for its
management; it does not eliminate it. Transferring liability for risk is most effective in dealing with
financial risk exposure. Risk transference nearly always involves payment of a risk premium to the
party taking on the risk. Transference tools can be quite diverse and include, but are not limited to, the
use of insurance, performance bonds, warranties, guarantees, etc. Contracts may be used to transfer
liability for specified risks to another party. In many cases, use of a cost-type contract may transfer
the cost risk to the buyer, while a fixed-price contract may transfer risk to the seller, if the project’s
design is stable.
• Mitigate. Risk mitigation implies a reduction in the probability and/or impact of an adverse risk event
to an acceptable threshold. Taking early action to reduce the probability and/or impact of a risk
occurring on the project is often more effective than trying to repair the damage after the risk has
occurred. Adopting less complex processes, conducting more tests, or choosing a more stable
supplier are examples of mitigation actions. Mitigation may require prototype development to reduce
the risk of scaling up from a bench-scale model of a process or product. Where it is not possible to
reduce probability, a mitigation response might address the risk impact by targeting linkages that
determine the severity. For example, designing redundancy into a subsystem may reduce the impact
from a failure of the original component.
• Exploit. This strategy may be selected for risks with positive impacts where the organization wishes to
ensure that the opportunity is realized. This strategy seeks to eliminate the uncertainty associated
with a particular upside risk by making the opportunity definitely happen. Directly exploiting
responses include assigning more talented resources to the project to reduce the time to completion,
or to provide better quality than originally planned.
• Share. Sharing a positive risk involves allocating ownership to a third party who is best able to
capture the opportunity for the benefit of the project. Examples of sharing actions include forming
risk-sharing partnerships, teams, special-purpose companies, or joint ventures, which can be
established with the express purpose of managing opportunities.
• Enhance. This strategy modifies the “size” of an opportunity by increasing probability and/or positive
impacts, and by identifying and maximizing key drivers of these positive-impact risks. Seeking to
facilitate or strengthen the cause of the opportunity, and proactively targeting and reinforcing its
trigger conditions, might increase probability. Impact drivers can also be targeted, seeking to increase
the project’s susceptibility to the opportunity.
• Identified risks, their descriptions, area(s) of the project (e.g., WBS element) affected, their causes
(e.g., RBS element), and how they may affect project objectives
• Risk owners and assigned responsibilities
• Outputs from the Qualitative and Quantitative Risk Analysis processes, including prioritized lists of
project risks and probabilistic analysis of the project
• Agreed-upon response strategies
• Specific actions to implement the chosen response strategy
• Symptoms and warning signs of risks’ occurrence
• Budget and schedule activities required to implement the chosen responses
• Contingency reserves of time and cost designed to provide for stakeholders’ risk tolerances
• Contingency plans and triggers that call for their execution
• Fallback plans for use as a reaction to a risk that has occurred, and the primary response proves to be
inadequate
• Residual risks that are expected to remain after planned responses have been taken, as well as those
that have been deliberately accepted
• Secondary risks that arise as a direct outcome of implementing a risk response
• Contingency reserves that are calculated based on the quantitative analysis of the project and the
organization’s risk thresholds.
The step-by-step learning style uses a “building block” approach, presenting concepts as step-by-step
procedures. This approach is particularly appropriate, and is used in this lesson, for the
task-oriented areas that have clear step-by-step procedures.
Section Objectives
• Describe the factors affecting the choice of strategies chosen to respond to risks
• Determine appropriate response strategies for identified risks
• Apply a graded approach in the development of risk responses
• Evaluate risk responses and contingency plans against the project baseline
• Apply risk response techniques and tools to the course project
Risk Response Planning is the natural successor to the processes of identifying and analyzing risks.
Knowledge without a plan of action may have the same result as ignorance of the risk. It is a common
pitfall for a team to perform a risk analysis, but then fail to plan a response, due to lack of diligence. A
second pitfall is that project team members fail to conceive effective response actions. The team may lack
the creativity or experience to devise actions that are practical, efficient, and perhaps credible.
For the risks naturally encountered in life, such as accidents or illnesses, it is normally most effective to
prevent the undesired event from happening. Rarely do we ignore taking backup action should our
attempts to prevent the risk be unsuccessful. The same is true for responding to project risks.
• Avoidance
• Transference
• Mitigation
• Acceptance
Avoidance: Avoidance is the act of changing the project plan to eliminate the risk or to protect the project
objectives from its impact. Project scope, schedule, budget, or quality requirements might be redesigned.
The project manager may arrange with stakeholders to change the intended design to a less risky one (or
perhaps engage a more risky design in expectation of significantly improving the cost, schedule, or quality
performance of the project). It is best to:
• Clarify requirements
• Improve communication
• Acquire expertise
Transference: Transference is the act of shifting the consequence and responsibility of a risk to another
party. It is not always clear that the project team is relieved of the responsibility for the risk but, in effect,
transference is a strategy to give the task, and its inherent risk, to another party. It is important to
remember that transference does not eliminate the risk.
Transferring liability is effective for financial risk. This usually involves paying a fee to the party taking on
the risk and may be fixed price or cost reimbursement. Types of fees include:
• Insurance
• Performance bonds
• Guarantees
Mitigation: Mitigation is the most commonly understood strategy. It attempts to prevent the risk by
reducing its probability and consequence to an acceptable level. A strategy using mitigation also
has a contingency plan in place to limit the impact to the project should preventative measures fail. If
reducing risk is not possible, the risk impact is addressed by targeting linkages that determine the
severity of the risk. Some examples of mitigation include:
• Developing a prototype
• Considering an alternative path
• Adopting less complex processes
• Conducting more engineering tests
• Selecting a more reliable seller
• Changing conditions to reduce the probability of the risk occurring
• Selecting better vendors
Acceptance: Acceptance is a conscious decision to allow the impact of the risk to occur if the risk is
realized. This might be chosen if the costs of mitigation, transference, or avoidance are too high in
proportion to the cost of the risk or no other suitable response strategy is available. Acceptance means
the team knows the risks exist, is aware of the consequences, and is willing to wait and see what happens.
• What approach and rules have we agreed to follow as part of our risk management plan?
• What risks have we identified and ranked?
• Are the prioritized risks based on quantitative analysis?
• Do we have probabilistic analysis of the project and its time and cost objectives?
• Who will own the risk responses?
• Are several risks driven by a single cause?
• High or medium risks with low probability to low consequence where the team feels no special
mitigation is required (e.g., not cost effective): Accept risk and document basis
• Code used as the design criteria for safety class structure, system and component: Formal Design Review
• Facility outage required for project implementation: Integrated program and project schedule with
additional milestones
[Figure: the graded approach. Horizontal axis: Risk, from less to more; vertical axis runs from less to
more. Low risk: minimum controls. High risk: most rigorous controls.]
Grading the application of project control tools is very effective in dealing with most low and medium
risks. This simply means choosing a less rigorous application of cost, schedule, performance, and
reporting techniques.
If the risk analysis process yields no high-risk areas, a rigorous management plan is not warranted.
However, the results of the process should be attached to the project planning documentation.
Project schedule uncertainties or restraints that may impact project milestones
High Risks
For high risks and some medium risks, the development of a risk management or mitigation strategy is
highly recommended.
It is not always possible to develop a risk mitigation strategy for every risk. In these cases, it is best to
simply accept and document the risk. It may be more cost effective to concentrate management attention
on the mitigation of other medium risks that can be controlled.
Larger risks deserve much greater expenditure of effort and control. Practical experience shows that this
is a pitfall for teams. They may identify risks but never develop appropriate action plans. A good plan
should strive to prevent or reduce the risk, but address the backup plan that may be necessary if
prevention does not work. The plan should demonstrate good leverage - what the team spends to mitigate
the risk should yield a proper return for the investment into managing the risk. Avoid spending more than
the risk is worth. Give the plan a critical review:
• What is appropriate?
• Is it practical?
• Is it likely to produce the desired result?
The project manager needs a strategy to deal with all the risks on the project. The process begins by
identifying and analyzing each risk in order to understand it in terms of probability and impact. The best
strategy is to deal with each variable of probability and impact in an independent manner.
First, project managers should focus on dealing with the probability of a given risk by striving to reduce
that probability to as small a value as possible. This, intuitively, can be termed prevention. Next, if, in
spite of preventive measures taken, the team cannot prevent the risk, the response plan must include a
contingency designed to reduce the impact value to be as small as possible. The goal for any risk
response plan should be to address both variables of this model.
Given a framework for planning the response, where do those ideas come from? Project managers can
utilize the familiar techniques of brainstorming, experience, and lessons learned. The collective
experience of senior management and staff members on other projects in the organization is a valuable
resource. If the project manager lacks experience or expertise in a specific area, hiring a consultant may
be helpful. The cost should yield many times its worth in risk reduction.
Medium and low risks might be controlled through the application of good project management
disciplines. Project managers may have spent significant time developing a detailed work breakdown
structure, project schedule, change control system, or communications plan, but all of these elements
will be impacted by risk. Diligence with these project management practices up front may suffice to keep
these risks under control. These practices are recommended for use on all projects. They should not be
discarded just because a project may seem to have low risks. Remember to apply these tools in a
graded fashion. Some tools are considered minimum, with no exception as to how they are applied,
because they are sound management practice, not specific to a type of risk.
• Degree of detail provided at the level needed to obtain the desired status or performance information.
Example - Due to an identified project risk potential, schedules may be at a lower level than spend
plans.
• Frequency of the feedback is the periodicity of needed information about project status or
performance.
Example - Status/performance cutoff points can range from real time measures to weekly, monthly,
quarterly, annual, or at completion.
• Accuracy of the feedback is the accuracy of the measurement required to provide the desired status or
performance information.
Example - Is it more desirable to receive actual cost data showing approximate costs (plus or minus
1-5 percent) with 2-3 days of accounting closeout or 100 percent accurate data 2 months after the
fact?
• Timeliness of the feedback is a measure of how soon the data is desired in order to support decision-
making.
Example - In the example above, is 2-3 days more important to support decisions or is 2 months
acceptable?
• Formality of the feedback is a reference to the level of management attention (signature authority)
required to obtain the information.
Example - What type of records must be maintained of the information and whether information must
be provided in writing or verbally communicated.
• Costs of producing the information/feedback is a function of how much it costs to produce and use the
data.
Example - Generally, the more frequently the information is provided, the greater the detail, the more
accurate the information, and the more timely the feedback, the greater the cost.
Proper tool selection focuses controls and management on risk issues that could significantly affect the
project. This allows the project manager to provide appropriate feedback in these areas. Effective and
appropriate selection of tools provides the greatest cost benefit for every project dollar spent on control
tools. While project control is not necessarily a significant project cost, it is an area where efficiencies can
be realized through effective selection of techniques. Streamlining control tools can reduce cost by
minimizing unnecessary data collection and reporting.
Minimum techniques
For each project control area, there are certain minimum requirements that are suggested to assist in
managing project risk. Additional techniques or a more rigorous application of the techniques are added
based on their utility in managing risk. Suggested techniques are:
Item Description
Risk Response Plan: the risk response plan is the primary output of this process. It differs significantly
from the risk management plan because it lists specific risks and targeted responses for a risk. The risk
management plan is a general methodology in managing risks. The risk response plan outlines identified
risks, responses, and contingencies for the risks, risk ownership and responsibilities, and residual and
secondary risks arising from risk responses.
Risk response plans vary according to company policies, standards, and forms. Risk response plans also
vary depending on the types of risks identified. However, a risk response plan generally contains:
• Identified risk, its description including the area of the project it affects
• Risk owners and assigned responsibilities
• Results from the qualitative and quantitative risk analysis processes
• Agreed responses
• Level of residual risk
• Budgeted and timed responses
• Contingency plans
• List of residual risks – Risks remaining after avoidance, transfer, or mitigation responses have been
taken; minor risks that have been accepted or addressed
• Secondary risks – Risks that arise as a result of implementing a risk response are identified and have
responses planned
• Contractual agreements – Specified responsibilities of the contracted party for risks pertaining to
their area of responsibility
Residual and Secondary Risks: residual risks are those risks that may surface as project performance is
measured, or those risks that have been accepted and addressed (risks without mitigation strategies). It is
critical to reevaluate or reanalyze these risks using the cycle of the six risk processes. This process is
ongoing throughout the life of the project.
Secondary risks are those risks that result from implementing a risk response.
After creating the response plan, the risk database or register is updated to reflect the new information
(that can legitimately reduce the probability or the impact). Over time, with response plans being
executed, the risk impact should be minimized, or the probability of occurrence should be controlled. A
project risk should continually improve as response actions are completed.
Many risks are never entirely prevented; residual risks may remain in place of the original risk, or
secondary risks may be caused, or recognized, in the response. None of these should be ignored,
although the threshold for these risks may be more tolerant.
Another potential output from this process is a revision to the overall project. The project plan must be
updated to reflect risk response planning. Most likely, the project manager will be reallocating budget
funds from other tasks and adding new schedule events to be managed. The project manager may also
expand the use of procured services or contractual agreements to formally acknowledge risks and either
limit them or transfer liability for some of them.
Contractual Agreements: Contractual agreements may be entered into to specify each party’s
responsibility for specified risks, should they occur, and for insurance services and other items as
appropriate to avoid or mitigate risk. As a project manager, it is important for you to know who is taking
the most risk in a fixed-price contract, the buyer or seller. You should also know this when you are dealing
with a cost-plus contract.
Contingency Reserve Amounts Needed: Contingency plans are predetermined actions that the project
team will take if the risk occurs. Part of the planning is to include a contingency reserve, or a specified
dollar amount, in the overall budget, the cost estimate, and in the project baseline. Sometimes this is
called “known unknowns”. The contingency reserve fund can be used to mitigate cost or schedule risk, if
changes in the scope or quality occur. For example, if the project begins to fall behind schedule due to a
lack of skilled workers, funds could be allocated to hire a consultant/contractor to provide training to the
staff. Fallback plans are alternative strategies that can be implemented should a high risk be realized or
planned risk reduction efforts are failing.
While the entire project may have an overall risk response plan, it is important to understand that the
previously developed plan is an overall methodology. It is reconsidered during risk response planning to
document details for responding to each specific risk.
Probabilistic analysis and identified risk thresholds help the project manager determine the amount of
buffer or contingency needed to reduce the risk of overruns of project objectives to an acceptable level.
Inputs to Other Processes: Most responses to risk involve expenditures of additional time, cost,
resources, and lead to changes in the project plan. Organizations require assurance that spending is
justified for the level of risk reduction. Alternative strategies must be fed back into the appropriate
processes in other knowledge areas.
To offset this, there is management reserve. Contingency reserve is for the “known unknowns,” usually in
terms of money or time, to support contingency plans. For example, the price of fuel or the availability of a
resource may not be known, but must be planned into the project budget or schedule. Contingency is often
calculated as a percentage of the total project cost.
Contingency should not be used to compensate for poor planning, nor should it be used for major events or
changes in scope.