Project Risk Management

Compiled by Muhammad Aleem Habib June 25, 2013 Information derived from PMBOK & Rita Mulcahy

What is Project Risk Management?

Project risk management is actively managing the risks on your project The goal of risk management is to be more proactive and less reactive

Why Risk Management

A project managers work should not focus on dealing with problems; it should focus on preventing them. How would it feel to say, No problem; we anticipated this, and we have a plan in place that will resolve it. Performing risk management helps prevent many problems and helps make other problems less likely

What is a Risk?
A risk is an uncertain event that could have a positive or negative effect on your project * This means there is a probability between 1-99% that the event could occur If there is a 0% chance of an event occurring, there is no risk (example; there is a 0% chance your project will be adequately funded, this is not a risk, it is a reality).

What is a Risk?
If there is a 100% chance of an event occurring, this would be an issue, not a risk Risks with negative consequences are called threats Risks with positive consequences are called opportunities (Yes, risk can be good! Stop thinking of risk as bad, and start thinking of it in terms of probabilities!)

Risk Event Graph

Types of Risk
Risks can be broken out into two primary types 1. Pure Risk (hazard) risk with potential loss only
ex. Fire, theft, personal injury

2. Business Risk (speculative risk) risk with potential loss or gain

ex. A highly skilled employee becomes available to work on your project, reducing your schedule time, the tax rate changes, a new server costs less (or more) than you budgeted for!

Risk Management Process

Opportunities

Threats

Project Risk Management

Monitoring & Controlling Processes Planning Processes

Enter phase/ Start project

Initiating Processes

Closing Processes

Exit phase/ End project

Executing Processes

Knowledge Area

Process Initiating Planning

Plan Risk Management Identify Risk Perform Qualitative Risk Analysis Perform Quantitative Risk Analysis Plan Risk Response

Executing

Monitoring & Contol

Closing

Risk

Monitor and Control Risks

5 Overall Project Management Processes with Risk Management

Risk Management Processes

Risk Planning this is how you plan on conducting risk management. You wouldnt start managing your project without a plan, so why would you approach risk management that way? Identify Risks this is the phase where you attempt to identify most of your risks Qualitative analysis this is a subjective analysis of your risks that produces a risk ranking, usually in the order of high, medium, low, or on an ordinal scale. Rankings are by agreement of your project team, sponsors and key stakeholders

Risk Management Processes

Quantitative Analysis a numerical analysis of the probability and impact of the risk on your project Plan Risk Response a course of action you will take to deal with your risks should they go from risk to issue Monitor & Control Risks monitoring your lists (there are two lists which I will discuss later) of risks to enact a risk response plan, to move a risk from one list to the other, or to remove a risk because it is no longer a risk.

Terms & concepts

Uncertainty: a lack of knowledge about an event that reduces confidence Risk averse: someone who does not want to take risks. Risk Prone Someone who is willing to take big risk Risk tolerances: area of risk that are acceptable / unacceptable. Risk thresholds: the point at which a risk become unacceptable Risk Areas: Project Constraints (scope, time, cost, etc)

Risk Factors
1. The probability the risk will occur 2. The range of possible outcomes (impact)

3. When in the project lifecycle the risk is likely to occur (the timing); * once the expected timeframe of the risk has passed and it is no longer a risk, it can be removed from the risk list 4. How often the risk is expected to occur on the project (frequency)

11.1 Plan Risk Management

The process of defining how to conduct risk management activities for a project

Important to provide sufficient resources and time for risk management activities, and to establish an agreed upon basis for evaluating risk.

Plan Risk Management DFD. Figure 11-3

Plan Risk Management

How much time should we spend? Who will be involved? How should we perform risk management?

Plan Risk Management: Tools & Techniques

Planning Meetings and Analysis
Project teams meet with stakeholders
High level plans for risk management are define in these meetings

Plan Risk Management: Outputs

Methodology Defines the tools, approaches, and data sources that may be used to perform risk management on the project. Budgeting A budget for project risk management should be established and included in the risk management plan. Role & Responsibility Defines the lead, support, and risk management team membership for each type of action in the risk management plan.

Plan Risk Management: Outputs

Timing Defines how often the risk management activities will be performed throughout the project life cycle. Risk categories Documentation such as risk breakdown structures (RBSes) or categories from previous projects will help identify and organize risks. Definitions of risk Risks and their probabilities are probability & impact defined for use in Qualitative Risk Analysis using a scale of very Unlikely to almost certain.

Risk Breakdown Structure

A risk breakdown structure (RBS) organizes potential sources of risk to the project. Functioning much like a work breakdown structure, an RBS arranges categories into a hierarchy. This approach allows the project team to define risk at very detailed levels.

Risk Breakdown Structure for a Software Development Project

Software Dev Project

Business

Technical

Organizational

Project Management

Competitors Suppliers Cash Flow

Hardware Software Network

Executive Support User Support Team Support

Estimates Communication Resources

RBS Example

Risk Profile
A risk profile is a list of questions that address traditional areas of uncertainty on a project. These questions has been designed and developed from the experience of past projects.

Risk Profile Questions

Probability Impact Matrix

No 1

Category Resource

Description of Risk Testing environment not available Documentation approval took longer time

IMPACT 4

PROBA BILITY B

RISK LEVEL ORANGE

Schedule

RED

Risk Management Plan(Contd.)

Stakeholder tolerances Stakeholders have a low risk tolerance than impact is high. That information should be taken into account to rank cost impacts higher than if the low tolerance was in another area. Tolerances should not be implied, but uncovered in project initiating and clarified or refined continually. Reporting Describes reports related to RM and how they will be used and what they will include. Tracking Auditing, documentation regarding RM

Q: An uncommon state of nature, characterized by the absence of any information related to a desired outcome , is a common definition for:

A. An act of God B. An amount at stake C. Uncertainty D. Risk aversion

11.2 Identify Risks

This is the phase where you work with your team to identify as many risks as possible.

Identify Risks: Things to remember

Identify Risks cant be completed without the project scope statement and Work Breakdown Structure (WBS) Identify Risks happens at the onset of the project and throughout the project Risks can be identified at any time and during any phase of the project Risk management is an iterative process, you should work to identify risk during any changes to the project, working with resources, and when dealing with issues

Question ?
Who should be involved in Risk Identification?

Identify Risk: Tools & Tech

Documentation Reviews including charter, contracts, and planning documentation, can help identify risks. Those involved in risk identification might look at this documentation, as well as lessons learned, articles, and other documents, to help uncover risks.

Identify Risk: tools & tech

Brainstorming: One idea generates another Delphi technique: Expert participate anonymously; facilitator use questionnaire; consensus may be reached in a few rounds; Help reduce bias in the data and prevent influence each others. Interviewing: interviewing experts, stakeholders, experienced PM Root cause analysis: Reorganizing the identified risk by their root cause may help identify more risks

Identify Risk: Tools & Tech

Checklist analysis: checklist developed based on accumulated historical information from previous similar project Assumption analysis: identify risk from inaccuracy, instability, inconsistency, incompleteness. SWOT analysis Strengths, Weaknesses, Opportunities, Threats

Identify Risk: tools & tech

Influence diagrams
show the casual influences among project variables, the timing or time ordering of events, and the relationships among other project variables and their outcomes.

Cause and Effect Diagrams

Flowcharts

Output: Risk Register

Output is initial entries into the risk register. It includes:
List of risk List of POTENTIAL responses Root causes of risks Updated risk categories

Risk Register Example

 Q: Risk tolerances are determined in order to help: A. The team rank the project risks B. The project manager estimate the project C. The team schedule the project D. Management know how other managers will act to the project

11.2 Perform Qualitative Risk Analysis

This is the phase where you rank the risks youve identified from Identify Risks to come up with a list of risks you will create plans for dealing with

Perform Qualitative Risk Analysis

Things to remember
Perform Qualitative Risk Analysis is subjective
What is the probability of the risk occurring? High, medium, low? 1-10? What is the impact if the risk does occur? High, medium, low? 1-10?

Tools and Techniques of Qualitative Analysis

Probability & Impact Matrix a matrix that creates a consistent evaluation of high, medium, or low for your projects. This helps to make the risk rating process more repeatable between projects.

Risk Data Quality Assessment What is the quality of the data used to determine or assess the risk? Think about the following
Extent of the understanding of the risk Data available about the risk Quality of the data Reliability & Integrity of the data

Tools and Techniques of Qualitative Analysis

Risk Categorization Which of your categories has more risk than others? Which of your work packages could be most affected by risk? Risk Urgency Assessment Which of your risks could occur soon, or require a longer planning time? Risk urgency assessment helps move these risks more quickly through the rest of the project management process

Output: Risk Register Updates

Risk ranking for the project compared to other projects List of prioritized risks and their probability and impact ratings Risks grouped by categories List of risks for additional analysis and response Watchlist (non-critical risks) Trends

Perform Quantitative Risk Analysis

A numerical analysis of the probability and impact of the risks with the highest risk rating score determined from qualitative analysis

Is a numerical evaluation (more objective)

This process may be skipped.

Perform Quantitative Risk Analysis

Purpose of this process Determine which risk events warrant a response. Determine overall project risk (risk exposure). Determine the quantified probability of meeting project objectives. Determine cost and schedule reserves. Identify risks requiring the most attention. Create realistic and achievable cost, schedule, or scope targets.

Tools and Techniques of Quantitative Analysis

EMV Expected Monetary Value What is the probability of the risk occurring multiplied by the impact if the risk does occur? If the risk occurs, what could the financial or time loss be to your project?

In the example below, this project has an EMV of ($58,250), this means that you need to put aside $58,250 in your risk reserve account for potential risks
Risk A B C D Probability 20% 90% 5% 65% Impact $ (100,000.00) $ $ 10,000.00 30,000.00 EMV $(20,000.00) $ 9,000.00 $ 1,500.00 $(48,750.00) $(58,250.00)

$ (75,000.00) Total

Q: If a project has a 60% chance of a US $ 100,000 profit and a 40% chance of a US $ 100,000 loss, the expected monetary value for the project is :

A. $ 100,000 profit B. $ 60,000 loss C. $ 20,000 profit D. $ 40,000 loss

Tools and Techniques of Quantitative Analysis

Decision Tree used for planning on individual risks instead of planning for the whole project
Takes into account future events to make a decision today Can calculate the EMV in more complex situations Involves mutual exclusivity

Airline A has a 90% chance to reach at time and Airline B has a 60% chance to reach at time. If you dont reach at time, it will cost you 100,000. Use EMV to find which airline you should choose?

Decision tree /EMV example

Airline A EMV: 10,000 + (10% * 100,000) = 20,000 Airline B EMV: 8000 + (40%*100,000) = 48,000

Tools and Techniques of Quantitative Analysis

Monte Carlo Analysis A technique that uses simulation to show the probability of completing your project on time and within budget.
Determines the overall risk of the project, not the task Determines the probability of completing the project on a specific day and for a specific cost Takes into account path convergence (places in the network diagram where many paths converge into one activity) Used to evaluate the impact to your schedule and budget Due to the complicated mathematical computations used, Monte Carlo analysis is usually done with a computer program Creates a probability distribution triangular, normal, beta, uniform or lognormal (learn these)

Sensitivity Analysis
To determine which risks have the most potential impact to the project Changing one or more elements/variables and set other elements to its baseline then see the impact. One typical display of sensitivity analysis is the tornado diagram Tornado diagram is useful in analyzing risk taking scenarios. They provide the positive and negative impact of each risk on the project and let you decide to choose which risk to take.

Sample Sensitivity Analysis

Outcome of Quantitative RA
Risk Register Updates Prioritized list of quantified risks Amount needed for contingency reserves for time and cost Confidence levels of completing the project on a certain date for a certain amount of money The probability of delivering the project objectives Trends - risk management is an iterative process; as you repeat the process you can track your overall project risk and determine the trend (if you are decreasing or increasing the level of risk on your project)

Outcome of Quantitative RA: Examples

What are the risks that are most likely to cause trouble? To affect the critical path? That need the most contingency reserve? The project requires another 50,000 and two months of time to accommodate the risks on the project? We are 95 percent confident that we can complete this project on May 25th for $989,000 budget? We only have a 75 percent chance of completing the project within the $800,000 budget.

What are we going to do now about each top risk?

Risk Response Planning

Eliminate the threats before they happen Make sure opportunities happen Decrease the probability and/or impact of threats Increase the probability and/or impact of opportunities For Residual Threats
Contingency Plans Fallback Plans

Risk Response Strategies

Risk Opportunities Threats

Exploit

Accept

Avoid

Enhance

Transfer

Active Share

Passive

Mitigate

Contingency Plan

Fallback Plan

Workaround

STRATEGIES FOR NEGATIVE RISKS OR THREATS

Avoidance
Risk prevention Changing the plan to eliminate a risk by avoiding the cause/source of risk Protect project from impact of risk Examples:
Change the supplier / engineer Do it ourselves (do not subcontract) Reduce scope to avoid high risk deliverables Adopt a familiar technology or product

Mitigation
Seeks to reduce the impact or probability of the risk event to an acceptable threshold Be proactive: Take early actions to reduce impact/probability and dont wait until the risk hits your project Examples:
Staging - More testing - Prototype Redundancy planning Use more qualified resources

Transfer
Shift responsibility of risk consequence to another party Does NOT eliminate risk Most effective in dealing with financial exposure Examples:
Buy/subcontract: move liabilities Selecting type of Procurement contracts: Fixed Price Insurance: liabilities + bonds + Warranties

STRATEGIES FOR POSTIVE RISKS OR OPPORTUNITIES

Strategies for Opportunities

Exploit: Ensure opportunity is realized Ex: Assigning organization most talented resources to the project to reduce cost lower than originally planned. Enhance: Increase the probability and/or the positive impact of the opportunity Ex: Adding more resources to finish early

Strategies for Opportunities

Share: Allocating some or all of the ownership to third part best able to capture the opportunity Ex: Joint ventures, special-purpose companies

Acceptance (Both for Threats & opportunities)

Active Acceptance
Develop a contingency plan to execute if the risk occur Contingency plan = be ready with Plan B Fall back plan = plan C if B fails

Passive Acceptance
Deal with the risks as they occur = Workarounds Usually for low ranked risks

Risk Response Matrix

Risk Event Response Contingency Plan Trigger Who is responsible

Interface Problems
System freezing User backlash

Mitigate: Test Prototype

Mitigate: Test Prototype Mitigate: Prototype demonstration

Workaround until help comes

Reinstall OS Increase staff support

Not solved within 24 hours

Asif

Still frozen after 1 Khalid hour Cell from top management Equipment fails Javed

Equipment malfunction

Mitigate: Select Order reliable vendor replacement Transfer: Warranty

Aleem

Outputs of Risk Response Planning

Updates to Risk Register
Residual Risks risks that are left over after Plan Risk Response Contingency Plans plans of action in case the risk does occur Risk Response Owners the person on the team responsible for monitoring the risk, risk triggers, developing a response strategy, and implementing the strategy should the risk occur Secondary Risks new risks that result from the implementation of the contingency plans for the primary risks

Outputs of Risk Response Planning

Updates to Risk Register
Risk Triggers early warning signs that there is a high probability the risk will occur Fallback Plans a secondary contingency plan, in case the contingency plan does not work or is not effective Reserves
Contingency reserves - covers the cost for known unknowns discovered during risk management; covers the residual risks. The contingency reserve is calculated and made part of the baseline. Management reserves these are estimated and made part of the project budget, not the baseline. Management approval is needed to use the management reserve.

Outputs of Risk Response Planning

Project Management Plan Updates Changes made due to risk management will be changes made to the project and should be updated in the project management plan

Q: Replacing a doubtful supplier with an expensive but reliable one is an example of: A. Mitigation B. Transference C. Acceptance D. Avoidance

Q: A Reserve is generally intended to be used for:

A. Rework activities. B. Compensate for inaccurate project cost estimates. C. Reducing the risk of missing the cost or schedule objectives. D. Compensate for inaccurate project schedule estimates.

Some important points:

What do you do with non-critical risks? Would you choose only one risk response strategy? What risk management activities are done during execution of the project? What is the most important item to be discussed in project team meetings? How would risk be addressed in project meetings?

Some important points:

What do you do with non-critical risks?
Put them in a watch-list and revisit them periodically.

Would you choose only one risk response strategy?

You may select a combination of strategies. Response of one risk might address another risk as well!

What risk management activities are done during execution of the project?
Watch-out risks on watch-list and looking for new risks.

Some important points:

What is the most important item to be discussed in project team meetings?
Off course, Risk!

How would risk be addressed in project meetings?

Asking, what is the status of risks? Is their any new risk? Is the rank of any risk goes up and down?

Monitor and Control Risk

The process of
implementing risk response plans tracking identified risks monitoring residual risks identifying new risks and evaluating risk process effectiveness throughout the project risk audit.

Inputs to Monitor & Control Risk

Risk Management Plan Risk Register Approved Change Requests Work performance information
Deliverable status Schedule progress Costs incurred

Performance reports

Monitor & Control Risk: Tools

Workaround a response to a risk that has occurred when no contingency plan exists. Risk audit a team of experienced project team members reviews the risk management process and response strategies to see if youve effectively identified the major risks on the project and developed effective strategies for dealing with them.

Monitor & Control Risk: Tools

Risk Reassessment Risk management is iterative, you should review the risks on your project throughout the project to update their qualitative and quantitative values. Status meetings status meetings should be used to identify new risks or changes to existing risks. This is a great opportunity to discuss with your team and stakeholders existing risks and new risks.

Monitor & Control Risk: Tools

Reserve analysis has the reserve kept up with changes to the risk list? Does the reserve still cover the costs of these risks should they occur? Closing of risks Risks are expected to happen during a particular phase of the project. When that phase has passed and the risk is no longer probable, the risk should be removed from the risk list and any reserve associated should be freed up.

Outputs of Monitor & Control Risks

Updates to Risk Register
Outcomes of the risk reassessments and risk audits Closing of risks that are no longer applicable Details of what happened when risks occurred Lessons learned

Outputs of Monitor & Control Risks

Requested Changes Recommended Corrective & Preventive Actions Updates to the Project Management Plan Organizational Process Assets Updates

Practice Exam

Answers

Practice Exam

Answers

Practice Exam

Answers

Practice Exam

Answers

Practice Exam

Answers

Practice Exam

Answers