Risk Management

Professional
(RMP)®

Eng. Mohamed Raslan

PMP®, PgMP®, PMI-ACP®, PMI-RMP®, P3O®, TQM
Ch-02

Context and Key Concepts

of Risk Management
 Ch - 0 2 C on ten t s

1 Key Concepts and Definitions

2 Risk Management in Organizations

3 Domains of Risk Management

4 Key Success Factors

3
 2.1
Key Concepts
and
Definitions
 Key Concepts and Definitions

01
An individual risk is an uncertain event or condition that, if it occurs, has a
Individual Risk
positive or negative effect on one or more objectives.
02
Overall risk is the effect of uncertainty that affects organizational objectives at
Overall Risk different levels or aspects.
Opportunities are risks that have a positive effect on one or more objectives.
03 Opportunities Opportunity management helps to identify and understand possible ways in
which objectives can be achieved more successfully.

04 Threats Threats are risks that would have a negative effect on one or more objectives.

A chosen mental disposition towards uncertainty, adopted explicitly or implicitly

Risk Attitudes by individuals and groups.
05 The degree of uncertainty an organization or individual is willing to accept in
Risk Appetite anticipation of a reward.

06 Risk Threshold
Risk threshold is the measure of acceptable variation around an objective that
reflects the risk appetite of the organization and its stakeholders.

07
5
 Key Concepts and Definitions

Overall Project Risks

Goal

1 2 Individual Project Risk

1.1 1.2 2.1 2.2 Goal

Individual Project Risk Objectives

1- Individual Project Risks

Risk is an uncertain event or condition that, if occurs, has a positive or negative effect on
one or more project objectives such as scope, cost, and quality.

6
 Key Concepts and Definitions
3- Opportunities
Opportunities are risks that have a
positive effect on one or more
objectives. Opportunity
management helps to identify and
understand possible ways in which
objectives can be achieved more
successfully.
 A consistent portfolio, program,
and project management system
helps to:
 Identify and assess
opportunities that are often
linked.
 Improve the organization's
ability to accept and pursue
opportunities.
7
4- Threats
Threats are risks that would have a
negative effect on one or more
objectives.
 Threat management involves the use
of risk management resources to:
 Describe risks.
 Analyze risk attributes.
 Evaluate the probability of risk
occurrence and impact as well as
other characteristics.
 Implement a planned response,
when appropriate.
 Key Concepts and Definitions
5- Risk Attitudes

A chosen mental disposition towards uncertainty, adopted explicitly or implicitly by individuals and groups.

Risk Seeker Risk Averse Risk Neutral Risk Tolerant

Stakeholders are Stakeholders who Stakeholders are Your organization

risk seeking in does not take neither risk averse is very
nature risks nor risk seeking comfortable with
ignoring risks.
They do not care
and never pay
any attention to a
risk until it
becomes an
issue.

8
 Key Concepts and Definitions

6- Risk Appetite

A degree of uncertainty that your organization is willing to take on in

anticipation of a reward.
Some organizations might take a high risk if the reward is high; others
may want to play it safe or be conservative. If they take risks, it means
that their risk appetite is high, and the organization that plays
conservatively has a low-risk appetite.

7- Risk Threshold

A quantified limit beyond which your organization will not accept the risk.
 The risk threshold is an amount of risk that an organization or
individual is willing to accept. Say for your project, a 10,000 USD cost
overrun is acceptable to your organization, but no more.
 For example, your organization cannot take a risk with an impact of
more than 10,000 USD.

9
 Trigger Condition

An event or situation that

indicates that a risk is
about to occur.

10
 2.2
Risk Management
in
Organizations
 Risk Management in Organizations

 The organization's governance body is ultimately responsible for setting, confirming, and enforcing risk
appetite and risk management principles as part of its governance oversight.

 The definition of risk includes both:

(a) distinct events that are uncertain, but can be clearly described and
(b) more general conditions that are less specific but may also give rise to uncertainty.

 Both uncertain situations are risks when they could have an adverse or positive effect on the achievement of
objectives.

 It is essential to address both situations within an enterprise, portfolio, program, and project risk management
process.

 A risk may have one or more causes and, if it occurs, may have one or more effects.

 Threats that occur are termed issues, and opportunities that occur are benefits to the enterprise.

 Portfolio, program, and project managers are responsible to resolve these issues and manage them effectively.

 Issues may entail actions that are outside the scope of the portfolio, program, and project risk management
process; therefore, these issues are escalated to a higher management level according to the organization's
governance policy.

12
 2.3
Domains
of
Risk Management
 Domains of Risk Management

14
 Domains of Risk Management

Enterprise Risk Management Program Risk Management

Portfolio Risk Management Project Risk Management

15
 Domains of Risk Management

 The primary purpose of risk management is the creation and protection of value.
 ERM is an approach for identifying major risks that confront an organization and
forecasting the significance of those risks to business processes.
 The way in which risks are managed reflects the organization's culture, capability,
and strategy to create and sustain value.
 ERM addresses risks at the organizational level including the aggregation of all risks
associated with the enterprise’s portfolio of programs and projects.
1 ERM provides a systematic, organized, and structured method for:
o Identifying and assessing all risks an organization faces,
Enterprise o Developing suitable responses,
Risk Management o Communicating status with stakeholders,
o Assigning responsibility to monitor and manage risks in alignment with the
strategic objectives of the organization.

 There is no one-size-fits all approach to performing ERM. The ERM function,

structure, and activities vary with each organization. ERM is responsible for
ensuring that all organizational risks are addressed and properly managed and
monitored.

16
 Domains of Risk Management

Risk management in the enterprise management context of integrated portfolio,

program, and project management consists of:

 Elaborating the risk governance framework;

 Identifying both negative risks (threats) and positive risks (opportunities);
 Analyzing the identified risks from both the qualitative and quantitative to manage

1 them according to the escalation rules in place within the portfolio, program, and
project management framework;
 Defining an appropriate risk management strategy based on increasing the
Enterprise probability and/or impact of positive risks and decreasing the probability and/or
Risk Management impact of negative risks (threats);
 Identifying the risk owner and assigning the risk;
 Implementing the corresponding strategies;
 Monitoring the effectiveness and efficiency of the risk management strategies
deployed within the enterprise, portfolio, program, and project management
framework;
 Ensuring alignment between portfolio, program, and project management risk
governance models and the ERM strategy.

17
 Domains of Risk Management

Portfolio Risk Management categorizes Risk as:

1
Structural Risks
Structural risks are risks associated with the
composition of a group of projects and the
2 potential interdependencies among components.

Portfolio
Risk Management
2 Component Risks
Component risks at the portfolio level are risks
that the component manager escalates to the
portfolio level for information or action.

3 Overall Risks
Overall, portfolio risk considers the
interdependencies between components and is,
therefore, more than just the sum of individual
component risks.

18
 Domains of Risk Management

 Planning, designing, and implementing an effective portfolio risk management

system depends on organizational culture, top management commitment,
stakeholder engagement, and open and fair communication processes.

 Portfolio risk management is important for the success of managing portfolios

where the value lost due to component failure is significant, or when the risks of one

2 component impact the risks in another component.

Portfolio  As defined in The Standard for Portfolio Management [2], portfolio risk management
Risk Management ensures that components achieve the best possible success based on the
organizational strategy and business model.

 The result of portfolio risk management strategy is defining and launching new
components or closing other ones. Portfolio components can be responses to
identified threats or opportunities in alignment with the organization's overall
business strategy.

19
 Domains of Risk Management

Program Risks go beyond the sum of the risks from each project within the
program.

 Program risk management strategy ensures effective management of any risk that
can cause misalignment between the program roadmap and its supported
objectives to organizational strategy.

3  It includes defining program risk thresholds, performing the initial program risk
assessment, and developing a program risk response strategy.
Program
Risk Management
 The Standard for Program Management describes program risk management
strategy as:

o Identifying program risk thresholds,

o Performing an initial program risk assessment,
o Developing a high-level program risk response strategy.
o Determining how risks are to be communicated and managed as part
of governance.

20
 Domains of Risk Management

Project Risk Management is a knowledge area of Project Management

 Project Risk Management is a Knowledge Area of Project Management that identifies

and manages project risks that could impact cost, schedule, or scope baselines.

 PMBOK® Guide describes Project Risk Management as the processes of conducting

4
risk management planning, identification, analysis, response planning, response
implementation, and monitoring risk on a project.

Project  The objectives of Project Risk Management are to increase the probability and/or
Risk Management impact of opportunities and to decrease the probability and/or impact of threats in
order to optimize the chances of project success.

 The PMBOK® Guide states that when unmanaged, these risks have the potential to
cause the project to deviate from the plan and fail to achieve the defined project
objectives.

 Consequently, project success is directly related to the effectiveness of Project Risk

Management.

21
 2.4
Key Success Factors
 Key Success Factors

6 2

5 3

23
 Key Success Factors

Recognizing the Value of Risk Management Individual Commitment/Responsibility

Portfolio, program, and project risk Portfolio, program, and project participants and
management is recognized by organizational
management, stakeholders, and team
members as a valuable discipline that
1 4 stakeholders accept responsibility for undertaking
risk-related activities as required. Risk
management is everyone's responsibility.
provides a positive return on investment.

Integration with organizational Project Open and Honest Communication

Management Risk management does not Everyone is involved in the risk management
exist in a vacuum isolated from other process. Any actions or attitudes that hinder
organizational project management
processes. Successful risk management
requires the appropriate execution of
2 5 communication about risk reduce the effectiveness
of risk management regarding proactive
approaches and effective decision making.
organizational project management and
ERM processes, including the allocation of
resources necessary for the effective
application of risk management.

Tailoring Risk Effort Organizational Commitment

3 6
Risk management activities are consistent
with the value of the endeavor to the
organization and with its level of risk, scale,
and other organizational constraints.
Organizational commitment is established only
when risk management is aligned with the
organization's goals, values, and ERM policies. Risk
management actions may require the approval of
or response from others at levels above the
portfolio, program, or project manager.

24
Ch-03
Framework For Risk Management
In Portfolio, Program, and
Project Management
 Ch - 0 3 C on ten t s

Business Context of Risk Management in Portfolio, Program,

41 and Project Management

2 Scope of Accountability, Responsibility, and Authority

3 General Approaches to Risk Management

4 Risk Management Life Cycle

26
 3.1
Business Context of Risk
Management
in Portfolio, Program,
and Project Management
 Business Context of Risk Management in Por tfolio,
Program, and Project Management

 All organizations encounter internal and external factors that influence their ability to achieve
desired objectives. Achieving those objectives is rarely ensured. All organizational activities
involve risk.

 An organization manages risk through people, processes, technology, and information.

 Portfolio, program, and project managers are responsible for risks associated with their
endeavors. These managers are responsible for working with stakeholders at various levels of
the organization and applying a systematic, integrated approach to risk management.

28
 Business Context of Risk Management in Por tfolio,
Program, and Project Management

 Risk permeates throughout the pyramid.

 The organizational strategy sets the direction

through the vision and mission, and strategy
defines specific goals and objectives for the
organization.

 Some threats arise when strategy or business

objectives are not aligned with the organization's
mission, vision, and core values.

 Additional threats arise when business objectives

do not support strategy or when endeavors, such
as portfolios, programs, and projects, are not
aligned with business objectives. Opportunities
could be enhanced when strategy and business
objectives are well aligned.

29
 Business Context of Risk Management in Por tfolio,
Program, and Project Management

ORGANIZATIONAL FRAMEWORK
 Risk management includes all domains of the organization: enterprise,
portfolio, program, and project.
 ERM is an approach to managing risk that reflects the organization's culture,
capability, and strategy to create and sustain value. It covers the policies,
processes, and methods by which organizations manage risks (both threats
and opportunities) to advance the mission and vision of the organization.
 Portfolio risk management derives its policies, processes, methods, and
tolerance from the ERM framework and tailors it for the management of
portfolios.
 Similarly, programs and projects adopt their respective risk management
practices from the portfolio framework.
 The governance board typically oversees ERM with significant and proactive
management engagement.
 The portfolio, program, and project managers manage and monitor
communications with internal and external stakeholders, which is required to
instill the importance and values of risk management, expected culture and
behavior, and risk attitude.

30
 Business Context of Risk Management in Por tfolio,
Program, and Project Management

ORGANIZATIONAL CONTEXT

 The application of ERM is influenced by industry, regulations, and organizational context.

 By understanding the context in which the organization exists, portfolio, program, and
project managers can tailor the optimal approach to risk management for their endeavors.

 Many factors can also impact the extent of risk management practices. Some of these
factors include:

o Capital Availability

o Competitive Landscape

o and Risk Attitude.

31
 Business Context of Risk Management in Por tfolio,
Program, and Project Management

STRATEGIC AND ORGANIZATIONAL PLANNING

 Strategic goals and business objectives are

developed to realize the organization's vision and
mission in line with core values.

 Once these goals and objectives are set, they

become inputs for risk management.

 If there are potential conflicts between strategic goals

and the portfolio of work, then the risk is escalated to
the proper level of management. See Figure 3-1.

32
 Business Context of Risk Management in Por tfolio,
Program, and Project Management

LINKING PLANNING WITH EXECUTION THROUGH PORTFOLIO, PROGRAM, AND

PROJECT MANAGEMENT

 Portfolio management serves as the bridge that connects strategic planning with business
execution. By focusing on selecting the right portfolio components (e.g., programs, projects,
and operational initiatives), portfolio management enables organizations to achieve alignment
with strategy and to invest their resources wisely and effectively.

 Program and project management are then responsible for the implementation.

 Portfolio, program, and project managers work to:

o (a) identify, analyze, evaluate, prioritize, recommend, plan, and implement risk responses

o (b) monitor progress

o (c) adjust risk responses as appropriate.

33
 3.2
Scope of Accountability,
Responsibility,
and Authority
 Scope of Accountability, Responsibility, and Authority
01. Accountability
is individual by nature and derived from a position held in the
organization. Accountability is related to authority in that one is
usually held accountable within one's limits of authority.
However, one still may be held accountable beyond one's The Accountability,
authority to act. Responsibility, and Authority
Management are shared by
02. Responsibility
stakeholders involved in
resides in an individual by the assignment of a function or task.
portfolio, program, and project
By accepting the assignment, an individual takes on the
associated responsibility. The fact that others higher in the
management.
organization may also be held responsible or accountable does
not diminish the responsibility held by the individual. The
assigning individual still is held accountable for the delegated
task, but responsibility is passed to the assigned individual.

03. Authority
like responsibility, may be delegated and gives an individual the
ability to make decisions within defined bounds.

35
 Scope of Accountability, Responsibility, and Authority

Accountability at the Enterprise Level

Accountability at the Portfolio Level

Accountability at the Program Level Accountability at the Project Level

36
 Scope of Accountability, Responsibility, and Authority

ACCOUNTABILITY AT THE ENTERPRISE LEVEL

 The objective of risk management is to apply knowledge, skills, and good practices to
manage the area of focus within the risk threshold that is acceptable to the organization,
whether at the enterprise, portfolio, program, or project level.

 The purpose is to minimize the impact of threats to protect the organization from loss and to
embrace opportunities that translate to value.

 The management of risk across the continuum of portfolios, programs, and projects requires
collaboration throughout the enterprise, and the recognition that failure to allocate the
appropriate amount of resources could jeopardize the organization's strategic objectives.

 Portfolio, program, and project management are responsible for supporting management
policies, defining roles and responsibilities, setting targets, and overseeing implementation.

 The managers of the work are responsible for keeping senior management apprised of
ongoing risk exposure and corresponding actions.

37
 Scope of Accountability, Responsibility, and Authority

ACCOUNTABILITY AT THE PORTFOLIO LEVEL

 In some cases, portfolios may exist for brief periods; however, portfolios often exist for as
long as the organization itself exists. As a result, portfolio managers may oversee activities
or authorize components that may take several years for the organization to realize the
value of the investment.

 Portfolio risk management considers risks that could impact unrelated components and
operational activities within the portfolio.

 As a result, portfolio managers address several challenges when managing risk because
portfolio-level risks encompass both external and internal factors by bridging organizational
strategy to implementation.

38
 Scope of Accountability, Responsibility, and Authority

ACCOUNTABILITY AT THE PROGRAM LEVEL

 At the program level, the risks that are evaluated span the related components and, if
triggered, could have a positive or negative impact on one or more other components.

 Working with the component managers, it is the responsibility of the program manager to
identify and manage these risks. Rather than manage these risks individually within the
component, program managers ensure that program risks are managed through coordination.

 Within the program, risks can affect the delivery of specific components. The program
managers advise their component managers of any shared risks and response plans that
relate to individual components.

 There may be economies of scale and scope in that the shared risks may be managed by
initiating one risk response at the program level.

39
 Scope of Accountability, Responsibility, and Authority

ACCOUNTABILITY AT THE PROJECT LEVEL

 At the project level, the objective of risk management is to:

o (a) decrease the probability and impact of negative risks and
o (b) increase the probability and impact of positive risks specific to project deliverables or
objectives.

 Project managers are accountable for evaluating, reporting, and managing both individual
and overall project risks within the constraints of the project. They may escalate certain risks
to, or receive guidance from, the program manager, portfolio manager, project management
office, governance board, and other leadership entities, depending on the complexity of the
initiative and organizational inputs.

 All project team members have the responsibility for managing risk, for example:
o The identification of risk during initiation,
o Clarification of the trigger events,
o Awareness of potential new risks that could affect the endeavor.

40
 3.3
General Approaches
to
Risk Management
 General Approaches to Risk Management

FACTORS FOR EVALUATING RISKS

 In order for risk management to take place, portfolio,
program, and project managers need to identify the
risk probability and impact.

Probability
The chance of a risk occurring can range from slightly
above 0% to just below 100%.

Impact
Risks, should they occur, can have either a positive or
negative consequence for the organization.

 There are additional factors to consider when

evaluating risks. Some are included in Appendix X6
on Techniques for the Risk Management Framework.

42
 3.4
Risk Management
Life Cycle
 Risk Management Life Cycle

 The risk management life cycle described in this section

illustrates a structured approach for undertaking a
comprehensive view of risk throughout the enterprise, portfolio,
program, and project domains.

 Even though the way of managing risks differs between these

domains and from one organization to another, an overall life
cycle approach outlines a sequence of logical phases that can be
iterated.

 The risk management life cycle is shown in Figure 4-1. It has a

dedicated, procedural, and iterative workflow of activities and
processes, supported and performed across the enterprise and
within the portfolio, program, and project domains.

 Because of the evolutionary nature of risk, the risk management

life cycle ensures a repeatable workflow of processes that
supports strategic decision making.

 All these activities are performed in an integrated way within and

across the portfolio, program, and project domains.

44
 Question 1

• Members of a project team are not taking their risk management responsibilities
seriously.Uncertainty Complexity
They do not consider risk management as primary to the project's success
Program vs Project
and do not believe that the benefits are significant. What should the risk manager do?

A. Ensure that risk management responsibilities are clearly identified in the risk
management plan.

B. Schedule a meeting to review and develop realistic risk thresholds with the project
team.

C. Motivate and influence the project team with risk engagement activities like
workshops.

D. Ensure that the risk language used by all stakeholders is consistent with the risk
management plan.

46
 Question 2

• A risk manager faces resistance as they try to implement the project's risk
Uncertainty
strategy.
Complexity
Some members of the project team believe that it is a waste of time
Program vs Project
and money. What should the risk manager do?

A. Meet with team members to address their concerns.

B. Reduce the number of risk management activities.

C. Continue to implement the risk strategy.

D. Raise the concerns with the project sponsor.

47
 Question 3

• Jack is a project manager, and he wants to introduce a new technology to

Uncertainty
improve
Complexity
a project's performance. However, there are some costs associated
Program vs Project
that are beyond the current budget, and the proposed technology has not
been applied to any previous company projects. What should Jack do in this
situation?

A. Accept the fact that there is a risk associated with this new technology.

B. Take advantage of this opportunity of improving the project performance.

C. Outsource the implementation of the new technology as soon as possible.

D. Escalate this initiative to project decision-makers and sponsors.

48
 Question 4

• What are THREE examples of Risk Thresholds? (Choose THREE)

Uncertainty Complexity
Program vs Project
A. A project has defined the project level risk rating matrix based on the
likelihood of occurrence and possible consequences of schedule and cost.

B. A Construction company walks away from a joint venture project

proposal due to a 30% chance of loss.

C. A risk with a less than one-month schedule delay will be communicated

through the areas of concerns section in the project status report instead
of the risk register.

D. An organization seeks to establish a consistent method for evaluating

and responding to risk across the enterprise.

E. A business unit agreed that top project risks with more than US$100
million impacts would be escalated.

49
 Question 5

• Andrew is a risk manager facilitating risk planning activities with the team.
Uncertainty
The team is documenting all the checkpoints along the way that might
Complexity
Program vs Project
indicate delays on critical deliverables. What is this an example of?

A. Risk Triggers

B. Risk Responses

C. Risk Categories

D. Risk Registers

50
Thank you!