Risk Management

• Unknown and known risk

• Risk management
1. Identification
2. Analysis and prioritization
3. Develop response plans
4. Establish a contingency fund
5. Continuous risk management

PM4-1
Risk Management
• What can go wrong during projects? Just about everything.
• Risk management is about controlling and reducing risks.
• What are the risks? Let’s start with some risk management vocabulary
• Known unknowns represent identified potential problems. Examples
are rain on a construction site, late delivery by a key supplier, poor
assumptions on capacity loads.
• Unknown unknowns are the problems which arrive unexpectedly.
• The insurance industry is perhaps the most sophisticated in terms of
evaluating risk. Actuaries are constantly researching the probability of
various calamities.
• An insurance company assumes risk in return for a premium. Most of
these risks are known unknowns.

PM4-2
Risk Management
• In fact, we can say that the primary activity of a project manager is
risk management.
• Good planning reduces the risk of being late.
• Careful budgeting reducing the risk of overruns.
• Effective communication reduces the risk of dissatisfied
customers.
• Business versus project risk.
• Selecting the right project is often a business risk and the
responsibility of company directors.
• Project risk is managing uncertainty to meet stakeholder’s
objectives.
• We must admit that there is a blurred area between the two where
responsibilities may be difficult to identify.

PM4-3
Risk Management - Framework
Project Risk Management

Identify Risks
1. Indentify potential risks
2. Review previous low-priority risks

Known risks

Analyze and Prioritize

1. Perform initial prioritization
2. Define each risk probability and potential impact
3. Prioritize known risks
Prioritzed risks

Develop Response Plans

1. Develop a response for high-priority risks

Risk Mgmt Plan

Establish Reserves Continuous Risk Mgmt

1. Allocate risk contingency for known risks 1. Monitor known risks
2. Establish mgmt reserve for unknown 2. Report status at regular internvals
3. In case of risk invent, execute response
Reserves
plan and update entire plan
Updates to Risk Mgmt Plan
PM4-4
Risk Management - Framework
• From the preceding slide.
1. Indentify risks. Find all the factors that threaten project objectives.
2. Analyze and prioritize. Assess each risk in terms of its possible
damage and likelihood of occurrence. Most projects have an
enormous number of potential risks. Quantifying the potential
damage and probability that a risk will occur enables the team to
prioritize the risks, focusing attention where it is most needed.
3. Develop a response. Create strategies for reducing the possible
damage and/or probability.
4. Establish reserves. Set aside additional funding for the project that
will be used in case a specific risk occurs – the known risks – as well
as funding for the unknown risks.
5. Continuous risk management. Implement the risk management
strategies and monitor their effects. Risk management may require
adjustments as the project advances.

PM4-5
1. Identifying Risks
• Indentifying risks is much easier than you would think; devising
response strategies may be the hard part.
• If you want to know what might go wrong with a project, ask the
stakeholders – they have probably been making their own list since the
project was created.
1. Brainstorming sessions. Everyone’s favorite method for generating
ideas works well in identifying risks. Gather the stakeholders and
follow basic brainstorming rules:
• Generate as long a list of potential risk as possible. Do not try to
evaluate them as they are named; let the creativity of the group
flow.
• After generating the list, combine similar risks.
• Do not try to develop responses to all the risks at the meeting. If
there are easy answers, then record them, but keep the meeting
focused on risk identification.

PM4-6
1. Identifying Risks
2. Use a risk profile based on the experience of previous projects. Good
risk profiles follow these basic guidelines:
– They are industry-specific. For example, building an IT systems
is not the same as launching a new product.
– They are organization-specific according to the company or to a
separate department in the company.

PM4-7
1. Identifying Risks
• Example risk profile questions:
Example Risk Profile Questions

Project Team
1 How many people are on the team?
2 What percent of the team is fully dedicated to the project?
3 Which team members will spend 20% or less on the project?
4 What is the experience level of the team?
5 Have the team members worked together before?
6 Is the team spread out geographically
Customer
1 Will the customer change current processes to use the product?
2 Will the project require the customer to reorganize?
3 Are the customers in different departments? Companies?
Technology
1 Will there be technology which is new to the development team?
2 Will there be technology new to customers?
3 Is the technology leading edge?
4 Are the product requirements clearly documented?
5 Are the product requirements stable?
Executive Support
1 Is there a known project sponsor who is actively involved in the project?
2 Is there support at senior management?
3 Is senior management imposing deadlines (or are the project based)?
PM4-8
2. Analyze and Prioritize
• If performed correctly the risk identification exercise would have
generated a long list of risks.
• The next step is to analyze and prioritize risks.
• All risks are comprised of two factors: probability and impact.
• Together they combine to calculate a risk value.
probability X negative impact = risk value
• If the probability that a piece of equipment could be damaged is 40%
and the cost of average repairs is $10,000 then:
40% X $10,000 = $4,000
• $4,000 is the expected value of the risk

PM4-9
2. Analyze and Prioritize
Risk Analysis Example:
• Condition: The new product requires a complex drilling machine with
which we have little experience
• Consequence: Incorrectly operating machine will damage it and/or the
product.
• Probabilities:
Probability of $75k equipment and product damage - 20%
Probability of $200k equipment and product damage - 20%
Probability of no damage - 60%
Risk value = ($75k X 20% + $200k X 20% + 0 X 60%) = 55k
• Strategy: The drilling machine provider will provide an experience
operator at a cost of $10k and cover any losses to the equipment or to
the product. The provider is financially healthy.
• The project reduces a risk of $55k by investing in $10k of third party
expertise.
• To note, the risk of damage has been transferred to an outside party.
PM4-10
2. Analyze and Prioritize
• But all risks cannot be analyzed in such a precise method.
• A common method is to use a qualitative risk matrix
• It uses subjective assessments to place risks in one of nine areas in a
matrix.
• The same matrix should be used throughout the project because it is
subjective and it will allow project team to make relative judgments.
• Larger matrixes are also possible. 5 = High
3 = Medium
• Team members can assign a 5
5 15 25
1 = Low
ranking of 1, 3, or 5 to both
probability and negative
impact. 3 Probability 3 9 15

• Any risk whose total score

is 5 or greater should
analyzed further. 1
1 3 5

Impact
1 3 5
PM4-11
3. Develop Response Plans
• The output of the Analysis and Prioritization step is a list of prioritized
risks with their risk values.
• The next step is to develop response plans for the most important ones.
• What is the best way to reduce risk? Reduce the probability, reduce
the negative impact or both.
• If an event is out of my control, but I can prepare for that event, then I
have reduced its impact. That is why I take a first aid kit on a camping
trip.
• In the previous example with the drilling machine, the response was to
hire an expert operator to reduce the probability of the event and to
transfer equipment damage risk to the operator to reduce the negative
impact.

PM4-12
3. Develop Response Plans
• Faced with risk we can develop response plans based on the following:
1. Accepting Risk. Accepting a risk means that you understand its
consequences and choose to do nothing about it. If the risk were to
occur, then the project team would react. Low probability and low
negative impact risks are often dealt with this way.

2. Avoid Risk. Simply by choosing not to do part of the project or by

choosing a lower probability alternative is the most common way to
avoid risk. It is possible that by avoiding the risk the project may take
longer or cost more, but it would be an acceptable tradeoff.

3. Mitigate the Risk. Mitigate is a term for reducing the impact. It will
be difficult to reduce the probability of rain tomorrow, but bringing an
umbrella will reduce the impact.

PM4-13
3. Develop Response Plans
4. Transfer of Risk. The most common method of risk transfer is through
insurance. In exchange for a premium, insurance companies insure
against some of the more “classic” risks of weather, fire and accident.
Business risk insurance is also available for damaged goods during
transit, political risk, sovereign risk, bankruptcy of a supplier, etc.
Another form of risk transfer is to use an outside supplier and a fixed-
price contract with or without penalties for late delivery.

5. Contingency Plans are alternative courses of action and are prepared

before the risk event occurs.
When a risk cannot be avoided, the project team integrates a special
monitoring of the risk so that it can be prepared to take action if it were
to occur.
The monitoring requires the ability to detect in time to respond. It also
requires a trigger level to know when to declare the risk has happened.

PM4-14
4. Establish a Contingency Fund
• Contingency budgets, reserves, buffers, safety factors are all terms
for that extra amount in case something goes wrong.
• The project team needs to decide how much to contribute to the
contingency fund and perhaps even more important what triggers the
use of the fund.
• The use of contingency fund is not secret nor is it hidden. It is
specific budget which normally requires approval from the Project
Management Supervisor and/or the Sponsor.
• When determining the amount of the fund, the project team needs to
integrate safety factors that are already included in each task in the
plan. It is not necessary to have a contingency fund if each project
task includes a 30% buffer.
• Some projects are inherently more risky than others. A predictable
one could have a 5% contingency fund. The development of a new
laser technology may require higher percentages.

PM4-15
5. Continuous Risk Management
• No matter how vigorous, thorough and diligent the initial risk
planning, it is on-going risk management which produces results.
• The initial risk plan is based on all the available information when the
project begins. As it progresses new information emerges – some
favorable some unfavorable.
• From a risk management perspective we need to:
• Monitor risk by keeping a record of them. Some can be retired
because the project has moved beyond that point and some may be
imminent.
• Check for new risks at regular staff meetings. In the event of new
risks, redo the five-step risk management starting with identification.

PM4-16
Questions and Problems

PM4-17
 Expected Value

1. The probability of an event is 40%, the negative impact is 15,000 € how

much is the expected value?

40% X 15,000 € = 6 000 €

PM4-18
 Reducing Risk

2. In terms of probability and negative impact how can you reduce risk?

Reduce the probability and/or reduce negative impact

PM4-19
 Risk Matrix

3. Your project team has identified a long list of risks, but has trouble
assigning probability and negative impact to each one. What could you
do?

The situation is common. Assigning probabilities and negative impact is difficult

for many risks.
Have the team assign risk and impact using a risk matrix where risks that are
more than 5 would received special attention. A probability of 3 with an impact
of 1 = expected value of 3; less than the threshold of developing a plan for the
risk
5 = High
3 = Medium
5 15 25
5 1 = Low
Probability

3 3 9 15

1 3 5
1

Impact
1 3 5 PM4-20
 Contingency Funds

4. You know that most of the tasks in your project have a built in safety
margin of 30%. Do you need a contingency fund?

If all the tasks really have a safety margin of 30%, then there is a problem in
planning (unless the project is of extremely high risk). If there really is that level
of safety margin, then it is unlikely that a contingency fund is required. The risk
is that always programming such a large safety margin causes the team to lose
credibility.

PM4-21