
Lecture on

RISK MANAGEMENT
Learning outcomes
To be able to:
– Define risk
– Define risk management
– Identify and evaluate risks
– Utilise checklists and other generic lists to
determine project risks
– Categorise and prioritise action lists for risks
– Discuss strategies for dealing with project risks

PDE4911 - Copyright Middlesex University 2


Attitudes towards risk
Popular perspective of risk:
• Is the radiation level of phone masts acceptable?
• Should we consume genetically modified food?
• Is climate change threatening our coastline?
• Will a large asteroid strike our planet?
• Was the most recent train accident predictable?
Could it have been prevented?



Attitudes towards risk
Distinguish between objective and subjective risks:
• Objective risk represents what actually
exists: the true magnitude of a given risk
• Subjective risk is what the analyst,
manager or the observer believes to be
the risk

Usually we are dealing with subjective risks



Attitudes towards risk
Tolerance towards risk varies. Individuals and
organisations have different attitudes.
Preferences for risk:
• Risk-averse
• Risk-neutral
• Risk-seeking



Definitions of risk
• Basic dictionary definition:
“chance of bad consequences”
(Pocket Oxford Dictionary, Revised Fourth Edition with corrections, 1961)

• PMI’s PMBOK Guide:
“An uncertain event or condition that, if it occurs, has a
positive or negative effect on a project’s objectives”
(PMBOK Guide 2004)

• Kerzner:
“Risk is a measure of the probability and consequences
of not achieving a defined project goal” (Kerzner 2003)



Definition of risk
• Definitions convey that for a given event,
there are two main components of risk:
– Probability or likelihood of the event occurring
– Impact if the event occurs (what is at stake?)

As either probability or impact increases, so does the level of risk…



Risk is a function of probability and impact

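[Figure: chart of Probability (vertical axis, up to High) against Size of Impact (horizontal axis, up to High), with regions labelled Low Risk, Moderate Risk and High Risk]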



Hazards and safeguards
Kerzner (2003) makes the point that risk is also a
matter of knowing about the source of a risk (a
hazard) and taking action to avoid it (a
safeguard).
For example, avoiding a known pothole in a road



How we refer to risk
The varying definitions of risk explain why we
refer to risk in different ways:
• As a probability: for example, ‘the risk that this
will happen is 10%’
• As an impact: for example, ‘the risk is that a
car accident will happen’ or ‘we shall lose 100
monetary units’
• By its source: for example, ‘lack of user
involvement’ or ‘lack of adequate testing’



Costs and benefits associated with risk
Looking at risks in terms of impact: costs and benefits
• Costs:
  • (Unexpected) losses
  • The cost of uncertainty itself:
    – Strain: both physical and mental (for example, stress and panic)
    – Less than optimal performance including improper use of resources, timing problems, oversupply, undersupply, and degraded decision quality
• Benefits:
  • Performance: the only way to achieve anything is by taking risks
  • Potential for opening up creative chances



Approach to risk management
• Risk management implies the ability to
identify, quantify and control risks accurately
• Project managers must be proactive towards
risk management
• Recognise that total elimination of risk is
impossible (and may even be undesirable)



Definition of project risk management

The Project Management Institute (PMI) A Guide to the Project
Management Body of Knowledge (PMBOK) defines project risk
management as:
“The processes concerned with conducting risk
management planning, identification, analysis,
responses, and monitoring and control on a project.
The objectives of Project Risk Management are to
increase the probability and impact of positive events
and decrease the probability and impact of events
adverse to project objectives” (PMBOK Guide 2004)
In outline, risk management involves:
– Identifying risks
– Continuously assessing risks
– Determining what risks need dealing with
– Implementing strategies to deal with those risks



Project risk management
• Must be an ongoing activity throughout the
life of a project
• Must be fully integrated into the work of the
project team
• Needs a process…



The risk management process
[Figure: Risk Management as an iterative sequence of stages, each with its output]
• Risk Policy: Project Risk Policy
• Organizational Context: Organizational Objectives & Background & Environment
• Risk Identification: Description of Potential Risks
• Risk Assessment: Quantified Risk Assessments: Probability & Impact
• Risk Evaluation: Prioritised Risk Action List
• Risk Planning: Risk Plans & Contingency Plans
• Risk Control: Feedback
• Risk Monitoring: Revised Risk Assessments
• Reflection & Communication: Lessons Learnt & Process Improvement Suggestions



Risk policy
Risk policy involves deciding how the project should approach
risk:
• What is the organizational risk policy? Are there any
standard policies and templates? Is there any previous risk
data?
• What is the risk tolerance of the sponsors of this project?
• How ambitious is this project? What is at stake with this
project? What level of risk should be taken on?
• What methods for risk management are to be adopted?
• Who is to take main responsibility for risk management?
• What level of contingency planning is needed? What
contingency resources are required?

• What specific risk policy should this project adopt?



Organizational context
• Organizational context: the organizational
context in which the project exists, which
includes investigating such things as:
– The organization’s mission statement, the
organizational objectives and strategic plans
– Any specific strategies, for example IS plans
and security plans, that will have an impact
– The historical background to the project being
initiated
– Other current projects



Risk identification
Risk identification involves identifying, categorising and
characterising risks.
What are the risks? What kinds of risks are they?
Useful means of identifying risks include:
• Using checklists (identifying generic risks)
• Using critical success/failure lists (highlighting generic problems or
issues)
• Examining task decomposition (your WBS can reveal specific
problems)
• Investigating decisions, rationales and assumptions already made
on the project
• Detailed reading of activity plans (with a particular emphasis on the
critical path and events close to being on the critical path, as well
as making sure that events off the path are not likely to be exposed
to major problems)
• Examining project specifications to uncover other problems
• Interviewing people with recent experience on similar projects
• Asking a panel of experts (Delphi technique)



Checklist of generic risks
Generic risks include:

• Personnel shortfalls: for example, loss of key staff;
difficulty in recruiting specialists
• Unrealistic budgets and schedules: for example,
deadlines with little regard to reality
• Continuing stream of requirements changes: for
example, users who should have been consulted, but
were not
• Use of unproven technologies: for example, a new
programming language



Critical success factor lists
Critical success factors include:
• User involvement
• Clear statement of requirements
• Proper planning
• Realistic expectations
• Smaller project milestones
• Competent staff
• Ownership
• Clear vision and objectives
• Hard working, focused staff
• Technical feasibility



Failure factor lists
Failure factors include:
• Changes to requirements
• Unrealistic deadlines
• Inaccurate estimation
• Ignored risks
• Weak design
• Lack of motivation
• Poor progress tracking due to lack of visibility
• Inexperienced management
• Insufficient or late testing
• Failure of suppliers
• New technology



Risk categories
Risks can be categorized into risk categories such
as:
• Personnel
• Organisational
• Environment
• Process
• Technology
• Tools and equipment
• Costings, measurement and schedules



Risk assessment
• Risk assessment attempts to characterise, qualify
and quantify these threats (and opportunities) to
enable effective decision-making
• One approach towards prioritising risks is to
estimate ‘risk exposure’

Risk exposure = Probability (of a risk) × Impact (loss as a result of the risk materialising)

• The risk exposure information can be captured as a decision tree
A decision tree showing risk exposure
[Figure: decision tree, shown here as an outline]
• Technical Specialist Leaves (50%)
  – Recruit only
    · 20%?: Project Late, No Penalty: 3000mu
    · 80%?: Project Late, Penalty: 3000mu + Penalty
  – Recruit & Sub-contract
    · 100%: 3000mu + Subcontractor Costs
• Technical Specialist Stays (50%)
  – 100%: 0mu
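
The decision tree above, folded into an expected loss per response (an added example, not part of the original slides). The probabilities and the 3000mu figure come from the slide; the penalty and subcontractor cost are not given there, so the values passed in are assumed.

```python
# Added example (not from the lecture): fold the slide's decision tree into
# an expected loss per response and compare the two responses.
# ASSUMPTION: penalty and subcontractor cost are not given on the slide;
# the values used at the bottom are constructed for illustration.

def expected_loss(node):
    """node is a loss in mu (a number) or a list of (probability, child) branches."""
    if isinstance(node, (int, float)):
        return float(node)
    total = sum(p for p, _ in node)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"branch probabilities sum to {total}, not 1")
    return sum(p * expected_loss(child) for p, child in node)

def build_tree(response, penalty, subcontract_cost):
    """Slide's tree: specialist leaves (50%) or stays (50%, 0 mu)."""
    responses = {
        # Recruit only: 20% late without penalty, 80% late with penalty
        "recruit_only": [(0.2, 3000), (0.8, 3000 + penalty)],
        # Recruit and sub-contract: one certain cost, no penalty branch
        "recruit_and_subcontract": [(1.0, 3000 + subcontract_cost)],
    }
    return [(0.5, responses[response]), (0.5, 0)]

def compare(penalty, subcontract_cost):
    """Return (expected loss per response, name of the cheaper response)."""
    losses = {
        name: expected_loss(build_tree(name, penalty, subcontract_cost))
        for name in ("recruit_only", "recruit_and_subcontract")
    }
    return losses, min(losses, key=losses.get)

def break_even_subcontract_cost(penalty):
    """Sub-contracting wins only while its cost is below 80% of the penalty."""
    return 0.8 * penalty

if __name__ == "__main__":
    for penalty, sub in [(5000, 1500), (5000, 4500)]:  # constructed inputs
        losses, best = compare(penalty, sub)
        print(penalty, sub, losses, "->", best)
    print("break-even subcontractor cost:", break_even_subcontract_cost(5000))
```

With the slide's 20%/80% split, the choice between the two responses depends only on whether the subcontractor cost is below 80% of the penalty; the 3000mu and the 50% chance of the specialist leaving affect both responses equally.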



As shown in the earlier slide:
Risk is a function of probability and impact

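[Figure: chart of Probability (vertical axis, up to High) against Size of Impact (horizontal axis, up to High), with regions labelled Low Risk, Moderate Risk and High Risk]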



Problems with risk exposure
• How do you equate two risks with the same
risk exposure when one has a low probability
and huge impact and the other has a higher
probability and a lower impact? Where are
your resources better spent?
• You can plot percentage probability against
impact to identify the highest risks



Risk evaluation
• Risk evaluation looks at potential options for
overcoming the effects of risk culminating in the
selection of the most suitable strategies
• Four basic risk strategies are:
– Risk avoidance
– Risk acceptance
– Risk transference
– Risk reduction

• Risk reduction leverage (RRL)
RRL = Reduction / Cost
where Reduction is RE (before the solution) - RE (after)



Risk planning
• Risk planning plans the implementation of the strategies to
deal with the risk prior to the risks adversely affecting the
project’s progress
• Need to ensure the planned tactics do not clash or duplicate
• Risks you are to deal with upfront need resources allocating
• Risks you are to deal with when they happen need contingency funding



Risk control, risk monitoring,
and reflection and communication
• Risk control is the actual execution of the selected risk
management strategies
• Risk monitoring tracks the project and the success of the
selected strategies and specific tactics in dealing with the
effects of identified risks, while also monitoring for new or
revised risks (threats and opportunities)
• Reflection and communication attempt to learn the lessons
from the present to improve organisational (and personal)
ability to address risks in the future



PRINCE2 RISK MANAGEMENT
PRINCE2 Principles
The seven PRINCE2 principles can be summarized
as:
• Continued business justification
• Learn from experience
• Defined roles and responsibilities
• Manage by stages
• Manage by exception
• Focus on products
• Tailor to suit the project environment

PRINCE2 Principles
Can you see why these reduce risk?



Six PRINCE2 Performance Variables

• Timescales
• Costs (Financial Budget)
• Scope
• Quality
• Risk
• Benefits



The PRINCE2 Themes



Overview of PRINCE2 Processes

Can you see why these reduce risk?

Source: Colin Bentley’s PRINCE2: A Practical Handbook


PRINCE2 Risk Management
• Risk is the uncertainty of outcome
– Will impact in the future
– Some risks are acceptable, others are not
– Too much risk is bad

• Risks must be managed
– Achieve benefits
– Prevent cost overruns, quality problems
– Prevent project from being overwhelmed by Project Issues

• Risk Management is:
– Agreeing right level of risk for project
– Identifying risks
– Eliminating or making acceptable any big risks
– Forming potential responses to them



PRINCE2 and Risk
[Figure: the risk cycle, in two parts]
• Risk Analysis: Identify the risks; Evaluate the risks; Identify suitable responses; Select responses
• Risk Management: Plan and resource; Monitor and report



PRINCE2 Risk Analysis Template for Threats
Risk Identifier

Description

Risk Category

Impact □ High □ Medium □ Low

Probability □ High □ Medium □ Low

Proximity □ Long term □ Medium term □ Short term

Countermeasure(s) □ Prevention □ Reduction □ Transference □ Acceptance □ Contingency

Owner

Author

Date Identified

Date Updated

Current Status

PRINCE2 Risk Analysis Template for Threats
Note the countermeasures are only for threats here
Risk Threat Countermeasures
A risk could have appropriate actions in any or all of these categories:

1 PREVENTION: terminates or removes the risk completely. This either
stops the threat from occurring or prevents it from having any impact on
the project.

2 REDUCTION: either reduces the likelihood of the risk occurring or limits
the impact on the project to acceptable levels.

3 TRANSFERENCE: risk/responsibility is ‘transferred’ to a third party
(e.g. penalty clauses). The risk is then no longer an issue for the project.

4 ACCEPTANCE: Tolerate the risk. Either nothing can be done, or the
likelihood and impact of risk occurring are acceptable.

5 CONTINGENCY: specific actions to be carried out when the risk occurs
and detailed in a Contingency Plan.



Source: Colin Bentley’s PRINCE2: A practical handbook



Threats continued:

Source: Colin Bentley’s PRINCE2: A practical handbook


As shown in the earlier slide:
Risk is a function of probability and impact

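[Figure: chart of Probability (vertical axis, up to High) against Size of Impact (horizontal axis, up to High), with regions labelled Low Risk, Moderate Risk and High Risk]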



Risk Profile
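[Figure: grid of Probability (Low, Medium, High) against Impact (Low, Medium, High), crossed by a Risk Tolerance Line. Risk numbers plotted in each probability row: High: 1,2 and 5; Medium: 4 and 3; Low: 6,9 and 7,8]

Each number is an identified risk. So Risk Number 5 above needs to be addressed
as it is above the tolerance level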
Summary

• This lecture has discussed:
– Definitions of risk and risk management
– The risk management process
• In the past, too few projects managed risk in a
systematic way. Often approaches tended to be ad
hoc, undocumented and incomplete
• Risk management is increasingly becoming part of
mainstream project management. Increasingly the
use of structured and controlled risk management is
being demanded



Evolutionary / Iterative Approaches
Can be said to adopt a proactive approach towards
handling risk management

Consider how such methods assist with risk
management. Can you list at least five ways in
which the evolutionary/iterative approach,
compared to a sequential, traditional approach,
assists with risk management?



End of Slides
