
Q1. Explain the various inputs and tools and techniques of the qualitative risk analysis process.

Answer

Many kinds of risks can be identified in a project; however, it is not possible to take action against all of them. Qualitative risk analysis (QRA) therefore shortlists risks based on their probability of occurrence and their impact on the project. The risks shortlisted in this process are analysed further in the next process, and an appropriate response is planned for each of them. Other factors, such as the time frame for response and the risk tolerance level based on cost, schedule and quality, also come under the qualitative analysis of risks.

This analysis reflects the risk attitudes of stakeholders and team members. Hence, effective analysis requires explicit management of the risk attitudes of team members and stakeholders when performing the qualitative risk analysis. If these risk attitudes bring any bias into the risk identification process, then these attitudes must be evaluated and corrected. Qualitative risk analysis is a cost-effective way of developing priorities for risk responses and thus forms the basis for quantitative risk analysis.

The major inputs required for qualitative risk analysis are:

Risk register: The outputs obtained from the risk identification process form the initial entries in the risk register. This in turn forms the input to qualitative risk analysis.

Risk management plan: The roles and responsibilities for performing risk management, the schedule activities, and the probability and impact matrix form the main elements for qualitative risk analysis.

Project scope statement: The project scope statement is used to evaluate complex projects that use first-of-its-kind or more advanced technology.

Organisational process assets: Information and studies about previous projects, and risk databases obtained from proprietary sources, form the assets that influence the qualitative risk analysis.

Tools and techniques

The tools and techniques used in qualitative risk analysis are:

Assessment of risk probability and impact: The risk probability assessment identifies the possibility of risk occurrence. The risk impact assessment identifies the negative and positive effects of a risk on the project objectives and the extent to which it can impact the project. The probability and impact of a risk can be evaluated by conducting interviews with experienced professionals or meetings with project team members.

Probability and impact matrix: Since qualitative risk analysis is based on subjective evaluation, the rating for each risk may vary from person to person, depending on the bias of the person and how risk averse they are. To avoid this difference, most organisations have a standard rating system, which gives a common understanding of what each rating means. This standard is called the probability and impact matrix. The matrix rates each risk as low, moderate or high priority. The risk rating guides risk responses. The matrix may be used to sort or rate risks to determine which ones warrant an immediate response and which ones should be put on the watch list.

Risk data quality assessment: A qualitative risk analysis needs accurate data. The risk data are analysed to make sure that they are accurate enough for risk management. If the data collected are of insufficient quality, then higher-quality data are gathered. A risk data quality assessment may include determining the extent of understanding of the risk, the data available for each risk and the quality of the data for each risk.

Risk categorisation: Grouping the various risks together based on their cause helps us know which work packages, processes, people and other potential causes have the most risk associated with them. This information helps in appropriate risk response planning, allowing us to eliminate many risks by eliminating one cause.

Risk urgency assessment: Risks that need an immediate response come under risk urgency assessment. The qualitative risk analysis provides the final risk severity rating by combining the assessment of risk urgency with the risk rating obtained from the probability and impact matrix.

Expert judgement: Experts are those who have previous experience in similar kinds of projects. Expert judgement is obtained by interviewing the experts.

Q2. The risk mitigation methodology describes the approach to control implementation. Explain the steps of the methodology.

Answer

1. Prioritise actions
Based on the risk levels presented in the risk assessment report, the implementation actions are prioritised. In allocating resources, top priority should be given to risk items with unacceptably high risk rankings (for example, risks assigned a very high or high risk level). These vulnerability/threat pairs require immediate corrective action to protect an organisation's interests and mission. This results in a ranking of actions from high to low.

2. Evaluate recommended control options
The controls recommended in the risk assessment process may not be the most appropriate and feasible options for a specific organisation. During this step, the feasibility (for example, compatibility and user acceptance) and effectiveness (for example, degree of protection and level of risk mitigation) of the recommended control options are analysed. The objective is to select the most appropriate control option for minimising risk. This results in a list of feasible controls.

3. Conduct cost-benefit analysis
To assist management in decision making and to identify cost-effective controls, a cost-benefit analysis is conducted. This results in a cost-benefit analysis describing the costs and benefits of implementing or not implementing the controls.

4. Select control
On the basis of the results of the cost-benefit analysis, management determines the most cost-effective control(s) for reducing risk to the organisation's mission. The controls selected should combine technical, operational and management control elements to ensure adequate security for the organisation. This results in the selected control(s).

5. Assign responsibility
Appropriate persons (in-house personnel or external contracting staff) who have the expertise and skill sets to implement the selected control are identified, and responsibility is assigned. This results in a list of responsible persons to handle the risk situation exclusively.

6. Develop a safeguard implementation plan
During this step, a safeguard implementation plan (or action plan) is developed. The plan should, at the minimum, contain the following information:
- Risks and associated risk levels (output from the risk assessment report).
- Recommended controls (output from the risk assessment report).
- Prioritised actions (with priority given to items with very high and high risk levels).
- Selected planned controls (determined on the basis of feasibility, effectiveness, benefits to the organisation, and cost).
- Required resources for implementing the selected planned controls.
- Lists of responsible teams and staff.
- Start date for implementation.
- Target completion date for implementation.
- Maintenance requirements.

7. Implement selected control(s)
Depending on individual situations, the implemented controls may lower the risk level but not eliminate the risk. The risk that remains is called residual risk. Residual risks are the risks that exist even after all the proposed risk control measures have been applied. It is important to note that if the residual risk is high, then additional countermeasures need to be implemented.

Q3. There are two main strategies to handle risks, negative risks and positive risks. Explain the response strategies for threats (negative risks).

Answer

There are four main response strategies to deal with threats. They are Risk Avoidance, Risk Transfer, Risk Mitigation and Accept.

Avoid: Risk avoidance involves changing the project plan to remove the threat to the project. It is done by altering the project plan to cut out the risk, or the condition that causes the risk, in order to protect the project objectives from its impact. It involves planning different ways in which you can deal with an event if and when it occurs, instead of trying to maintain its probability or impact. Depending on the project angle, this may be a strategy of choice in situations where the effects of a given risk are known to be restricted in a manner which is competent and acceptable. Avoidance can also mean relaxing the related objective (extending the schedule, lessening the specification requirements, or reducing scope). Not all risks can be avoided, but some risks certainly can.

Examples of risk avoidance include:
- Adding resources or time.
- Adopting a conventional approach instead of doing something new.
- Avoiding an unknown subcontractor.
- Clarifying requirements.
- Developing communication.
- Retrieving information.
- Achieving expertise.
- Shrinking the scope to avoid high-risk activities.

Transfer: Risk transfer involves shifting the impact of a risk event and the ownership of the risk response to a third party. This strategy is common with financial risk exposure and involves payment of a risk premium to the party assuming the risk. Risk transfer is done by transferring the risk to a third party who is capable of shielding the project, in whole or in part, from any risks which could endanger the project. Risk transfer is most efficient in dealing with financial risks and always involves payment of a risk premium to the party acquiring the risk.

Examples of risk transfer are:
- Usage of insurance, performance bonds, warranties and guarantees.
- Contracts which are used to transfer liability for particular risks.

Mitigate: Risk mitigation decreases the probability or impact of a potential risk event to a more acceptable level. This includes reducing the consequences of the risk. Mitigation involves adopting a less complex process, conducting extra tests on the product, designing redundancy into a system, and devising a quality control or reconciliation.

Risk mitigation is done to:
- Reduce the probability and/or impact of a risk to within a tolerable threshold.
- Mitigate the impact before the risk takes place, to avoid dealing with the after-effects.
- Keep mitigation costs appropriate given the likely impact and probability of the risk.

Examples of risk mitigation include:
- Enforcing a new course of action that lessens the problem, e.g. adopting less complicated methods, conducting more seismic or engineering tests, or selecting a more stable supplier.
- Altering the status so that the chance of the risk occurring is reduced, e.g. increasing the resources or time of the schedule.
- Making a prototype for growth to lessen the risk of scaling up from a bench-scale model.

When it is not possible to reduce probability, a mitigation response might address the risk impact by targeting the linkages that determine the impact severity. For example, designing redundancy into a subsystem may decrease the impact that results from a failure of the original component.

Accept: Risk acceptance is done by deciding not to make any changes to the project plan in order to deal with a risk, or where a suitable response strategy cannot be identified. This strategy can be applied to both negative and positive risks. There are two types of acceptance:

Active acceptance: It includes creating an emergency plan to execute when the risk occurs. An emergency plan is developed in advance to respond to the risks that crop up during the project. Planning in advance lessens the cost of an action. When a risk trigger such as a missed intermediate milestone occurs, the risk should be defined and tracked. The normal risk acceptance response is to create an emergency allowance or reserve, including amounts of time, money and resources, to account for known risks. The allowance should be structured by the impacts, computed at an acceptable level of risk exposure.

Passive acceptance: It requires no action. The project team has to deal with the risk as and when it occurs.

Q4. What are the tips to remove the top three project estimating risks? Explain in brief.

Answer

Estimation is another important activity for projects. The complete budget allocation and planning is based on estimates. Any errors in estimates could lead to cost, time and effort overruns, which in turn give rise to risks. To reduce the risk of failure in a project due to errors in estimation, it is necessary to act to improve the systems and capacities of both project management and quantitative estimation. Thus it is better to get familiar with the types of errors one could run into during estimation, so that they can be overcome at the estimation stage itself and further risks can be avoided.

During planning, teams produce the project estimates using either bottom-up or top-down estimates.

Bottom-up estimates: This requires an important investment in time to define scope and build an accurate estimate.

Top-down estimates: This uses similar estimates and relies on expert opinion to estimate duration at a high level.

Resources have to be assigned correctly to the project being executed. If you start collecting actual performance data and compare actual results against baseline estimates, you can achieve an analogous estimation that is based on bottom-up data from past projects. Estimating projects is always a demanding activity because of complex technology, changing customer requirements, and other reasons that keep the work from going as planned. This is true in all approaches.

Estimation error is the error caused by observing a sample instead of the whole project. The sample data is matched with the data that involves the entire project. If the sample data does not match the expected results, we can say that a risk has been triggered. From a practical viewpoint, the exact findings can be used as guidelines for better duration and effort estimates. Expectations regarding estimate accuracy can be effectively managed by implementing measures based on specific criteria. Some of the measures to reduce estimation errors include:
- Keeping track of project uncertainty and risks.
- Investing more in detailed planning.
- Selecting estimators based on the number of projects that can be managed rather than on cumulative project management experience.

At the end of the project, organisations often spend time documenting the lessons learnt. However, few organisations measure their actual performance and record it for future estimation or guidance. One of the important reasons for inaccurate estimates is the strong tendency to perceive factors outside the respondents' own control. Reasons for accurate estimates are typically factors that are within the respondents' own control and are determined by the estimators' skill or experience. This bias in types of reason refers to the collection of issues that are based only on project managers' viewpoints.

Confirm all assumptions (Trust No One)
Client confusion often lands project managers in a messy situation. Never accept a client's or another project manager's verbal confirmation as final. It is very possible that clients are sometimes not clear about what they say. For example, if a client says that he has 25 32-bit Windows XP Professional workstations, do not assume it to be true until you visit the client's site and complete your own inventory. Otherwise, discovering a handful of 64-bit Windows Vista workstations during the deployment stages can put you in a situation where your client expects you to manage this changed configuration without spending extra. By eliminating these potential project loopholes, you can mitigate "known unknowns", or elements that can commonly trigger risks.

Do not expect trouble-free projects (Plan for Unknown unknowns)
You have only a certain amount of information upon which you can base project estimates. It is important that time is allotted for unpredicted problems, changes, incompatibilities and other issues, as a project cost estimate is a combination of time and material. Since it is complicated to provide a simple standard or calculation that you can apply to all projects, you need to determine the bare minimum amount of time that is required to complete a project. Look to years of experience and real lessons learnt in completing similar projects; identify steps or stages that are likely to encounter trouble, and how long such delays might take to resolve. Be sure to build appropriate time into the original project planning documents, recommendations, proposals and costs to accommodate inevitable problems. While you cannot compensate for all "unknown unknowns" risks, you can at least take steps to plan responsibly to mitigate contingencies.

Specify exactly what estimates include (Put it all in Writing)
Miscommunication triggers a series of problems. You may say to clients that a project estimate includes the time, equipment and software to deploy a new customised database. Clients do not distinguish between all the needs. The items covered while building project estimates and proposals must be clearly stated. Be sure to include all requirements clearly in a contract or project agreement, and state the additional labour, equipment and software covered by the project's cost estimate which may be required to complete the project. For example, for a custom database roll-out, the costs of a new server include one new server with a specific CPU, RAM, disk configuration, operating system, license count and other additional software. Specify all these requirements in the contract in order to avoid future discrepancies between you and the clients. If any discrepancy occurs in future, the client would be responsible, and this indeed covers you.

If you do the homework discussed earlier, you can avoid the potential "known unknown" risks. If you review dependencies carefully, allow time for unforeseen issues, and document the project's specifics in writing, you will be much better positioned to accommodate "unknown unknowns" risks when they arise.

Q5. An organisation building a risk-based culture must offer incentives for incorporating risk into the project planning and control process. Analyse the concept of performance incentive.
Answer

Incentives are offered to motivate employees to build a risk culture in the organisation. An incentive is an expectation that encourages people to behave in a certain way. Incentives aim at providing value for money and add to organisational success. Pay for performance is a payment device in which organisations are rewarded for achieving performance-based targets.

An organisation building a risk-based culture must offer incentives for incorporating risk into the project planning and control process. Senior management is supportive when project management identifies and foresees business risks, which saves the company time and money. Project managers who manage risks effectively are likely to be more successful in acquiring additional resources, because they tend to have backup and contingency plans ready when risks occur.

Categories of incentive

Incentives can be classified according to the different ways in which they motivate employees to take a particular course of action. One common and useful classification divides incentives into three broad classes:

Remunerative incentives (or financial incentives): These exist where an employee can expect some form of material reward, especially money, in exchange for acting in a particular way.

Moral incentives: These exist where a particular choice is widely regarded as the right thing to do, or where the failure to act in a certain way is condemned as indecent. Example: A person acting on a moral incentive can anticipate a sense of self-esteem, and approval or even admiration from his community; a person acting against a moral incentive can expect a sense of guilt, and condemnation or even ostracism from the community.

Coercive incentives: A person can expect that the failure to act in a particular way will result in physical force being used against them (or their loved ones) by others in the community, for example, by inflicting pain in punishment, by imprisonment, or by confiscating or destroying their possessions.

Some of the other classifications are as follows:

Straight piece rate: An employee is paid immediately for the number of pieces produced per day. In this plan, quality may suffer.

Straight piece rate with a guaranteed base wage: An employee is paid immediately for the output set by management even if the employee produces less than the target level of output. If the employee exceeds this target output, he is given a wage in direct percentage to the number of pieces produced by him at the straight piece rate.

Q6. Explain project reviews and risk reassessment briefly.

Answer

In order to revalidate the project objectives, plans and assumptions, projects require cycles of reviews and regular reassessment to keep the project on track. Another reason is that, for co-located teams, the project review is an opportunity to reinforce the value of the project, recognise and reward significant accomplishments, and motivate the team members. Loss of interest on very long projects is one of the reasons that these projects are at higher risk. Reminding the team why the project matters is an effective way to reduce this risk. Limited planning and technical complexity also contribute to the project risks of lengthy projects, and project reviews are a better way to manage them.

Some reviews find few issues requiring minimal attention, and the project continues as planned. Other reviews reveal changes or additional planning that is necessary, and the project continues, but only after the changes are made. The third possible outcome of a project review is a recommendation to cancel future project work. A few things are important for this:

Schedule the review: A project review should be held every six months to check the status of the project. The best way to review a project is to get away from the usual work place and assemble all key project team members face-to-face. Before the review starts, assign an owner to prepare it.

Objectives for the review:
1. Review of cumulative impact of project changes.
2. Thorough review of project objectives and specifications.
3. Recognition of significant project accomplishments.

Conduct the review: During the review, assign participants responsibility for capturing decisions and action items in writing, and maintain a separate list of any project issues that require later attention but are beyond the scope of the review meeting. Discuss the positives of the project, then the problems and risks you have encountered in the project. Also capture all suggestions and recommendations during the review. Finally, close the review by summarising the results.

Follow up after the review: Document what was discussed in the review. Submit all recommendations requiring changes to your project. When changes are approved, implement them. Finally, personally thank your team members for their contributions.

THANK YOU
