Raunak Panchori

Ashish Ghosh(29016)

PROJECT RISK
Introduction
Risk management is the identification, assessment, and prioritization of risks (defined
in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative)
followed by coordinated and economical application of resources to minimize, monitor, and
control the probability and/or impact of unfortunate events or to maximize the realization of
opportunities. Risks can come from uncertainty in financial markets, project failures, legal
liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from
an adversary. Several risk management standards have been developed including the Project
Management Institute, the National Institute of Science and Technology, actuarial societies,
and ISO standards. Methods, definitions and goals vary widely according to whether the risk
management method is in the context of project management, security, engineering, industrial
processes, financial portfolios, actuarial assessments, or public health and safety.

Types of Project Risk

Risk analysis is conducted in two significant ways — qualitative and quantitative risk
analysis. These two type of risk analysis can be conducted simultaneously or in a chosen
order, and even within a defined period gap. Sometimes, business managers and project
leaders are unable to differentiate between these two approaches. It is vital to understand the
basic defining difference between them.

Understanding Qualitative Risk Analysis

The objective of conducting a qualitative risk analysis is to acquire safety against recognized
risks and to increase the alertness of management, team members, and all personnel who are
vulnerable to them. This method of risk analysis is designed to identify issues that are looked
upon as project management impediments, but have the potential to become
definite risk factors.
A detailed qualitative analysis will also delve into the resources which are more susceptible
to such risks. The purpose is to identify rectifying measures that can incorporated to restrict
or remove the causes that have given rise to such risks and to ensure that these safety
measures become a part of risk-related analytical protocol for future reference.

Understanding Quantitative Risk Analysis

Quantitative risk analysis is more focused on the implementation of safety measures that have
been established, in order to protect against every defined risk. By using a quantitative
approach, an organization is able to create a very precise analytical interpretation that can
clearly represent which risk-resolving measures have been most well-suited to various project
needs. This makes the quantitative approach favored by many management teams since risk
assessments can be clearly represented in the empirical forms like percentages or probability
charts, since it emphasizes using tools such as metrics.

Risk Management Plan

There are four stages to risk management planning. They are: ·

• Risk Identification
• Risks Quantification
• Risk Response
• Risk Monitoring and Control

Risk Identification

In this stage, we identify and name the risks. The best approach is a workshop with business
and IT people to carry out the identification. Use a combination of brainstorming and
reviewing of standard risk lists.

There are different sorts of risks and we need to decide on a project by project basis what to
do about each type.Business risks are ongoing risks that are best handled by the business. An
example is that if the project cannot meet end of financial year deadline, the business area
may need to retain their existing accounting system for another year. The response is likely to
be a contingency plan developed by the business, to use the existing system for another year.
Generic risks are risks to all projects. For example the risk that business users might not be
available and requirements may be incomplete. Each organisation will develop standard
responses to generic risks.

Risks should be defined in two parts. The first is the cause of the situation (Vendor not
meeting deadline, Business users not available, etc.). The second part is the impact (Budget
will be exceeded, Milestones not achieved, etc.). Hence a risk might be defined as "The
vendor not meeting deadline will mean that budget will be exceeded". If this format is used, it
is easy to remove duplicates, and understand the risk.

Risk Quantification

Risk need to be quantified in two dimensions. The impact of the risk needs to be assessed.
The probability of the risk occurring needs to be assessed. For simplicity, rate each on a 1 to
4 scale. The larger the number, the larger the impact or probability. By using a matrix, a
priority can be established.

Note that if probability is high, and impact is low, it is a Medium risk. On the other hand if
impact is high, and probability low, it is High priority. A remote chance of a catastrophe
warrants more attention than a high chance of a hiccup.

Risk Response

There are four things you can do about a risk. The strategies are:

• Avoid the risk. Do something to remove it. Use another supplier for example.
 • Transfer the risk. Make someone else responsible. Perhaps a Vendor can be made
responsible for a particularly risky part of the project.
• Mitigate the risk. Take actions to lessen the impact or chance of the risk occurring. If
the risk relates to availability of resources, draw up an agreement and get sign-off for
the resource to be available.
• Accept the risk. The risk might be so small the effort to do anything is not
worthwhile.

A risk response plan should include the strategy and action items to address the strategy. The
actions should include what needs to be done, who is doing it, and when it should be
completed.

Risk Control

The final step is to continually monitor risks to identify any change in the status, or if they
turn into an issue. It is best to hold regular risk reviews to identify actions outstanding, risk
probability and impact, remove risks that have passed, and identify new risks.

AREAS OF RISK MANAGEMENT

Enterprise Risk Management

In enterprise risk management, a risk is defined as a possible event or circumstance that can
have negative influences on the enterprise in question. Its impact can be on the very
existence, the resources (human and capital), the products and services, or the customers of
the enterprise, as well as external impacts on society, markets, or the environment. In a
financial institution, enterprise risk management is normally thought of as the combination of
credit risk, interest rate risk or asset liability management, market risk, and operational risk.

Risk management activities as applied to project management

In project management, risk management includes the following activities:

 Planning how risk will be managed in the particular project. Plans should include risk
management tasks, responsibilities, activities and budget.
  Assigning a risk officer - a team member other than a project manager who is
responsible for foreseeing potential project problems. Typical characteristic of risk officer
is a healthy skepticism.
 Maintaining live project risk database. Each risk should have the following attributes:
opening date, title, short description, probability and importance. Optionally a risk may
have an assigned person responsible for its resolution and a date by which the risk must
be resolved.
 Creating anonymous risk reporting channel. Each team member should have
possibility to report risk that he/she foresees in the project.
 Preparing mitigation plans for risks that are chosen to be mitigated. The purpose of
the mitigation plan is to describe how this particular risk will be handled – what, when, by
who and how will it be done to avoid it or minimize consequences if it becomes a
liability.
 Summarizing planned and faced risks, effectiveness of mitigation activities, and effort
spent for the risk management.

Risk management for megaprojects

Megaprojects (sometimes also called "major programs") are extremely large-scale investment
projects, typically costing more than US$1 billion per project. Megaprojects include bridges,
tunnels, highways, railways, airports, seaports, power plants, dams, wastewater projects,
coastal flood protection schemes, oil and natural gas extraction projects, public buildings,
information technology systems, aerospace projects, and defence systems. Megaprojects have
been shown to be particularly risky in terms of finance, safety, and social and environmental
impacts. Risk management is therefore particularly pertinent for megaprojects and special
methods and special education have been developed for such risk management.

Risk management of Information Technology

Information technology is increasing pervasive in modern life in every sector. IT risk is a risk
related to information technology. This relatively new term due to an increasing awareness
that information security is simply one facet of a multitude of risks that are relevant to IT and
the real world processes it supports.A number of methodologies have been developed to deal
with this kind of risk.ISACA's Risk IT framework ties IT risk to Enterprise risk management.
Risk management techniques in petroleum and natural gas

For the offshore oil and gas industry, operational risk management is regulated by the safety
case regime in many countries. Hazard identification and risk assessment tools and
techniques are described in the international standard ISO 17776:2000, and organisations
such as the IADC (International Association of Drilling Contractors) publish guidelines for
HSE Case development which are based on the ISO standard. Further, diagrammatic
representations of hazardous events are often expected by governmental regulators as part of
risk management in safety case submissions; these are known as bow-tie diagrams. The
technique is also used by organisations and regulators in mining, aviation, health, defence,
industrial and finance

Risk Management and Business continuity

Risk management is simply a practice of systematically selecting cost effective approaches
for minimising the effect of threat realization to the organization. All risks can never be fully
avoided or mitigated simply because of financial and practical limitations. Therefore all
organizations have to accept some level of residual risks.

Whereas risk management tends to be pre-emptive, business continuity planning (BCP) was
invented to deal with the consequences of realised residual risks. The necessity to have BCP
in place arises because even very unlikely events will occur if given enough time. Risk
management and BCP are often mistakenly seen as rivals or overlapping practices. In fact
these processes are so tightly tied together that such separation seems artificial. For example,
the risk management process creates important inputs for the BCP (assets, impact
assessments, cost estimates etc.). Risk management also proposes applicable controls for the
observed risks. Therefore, risk management covers several areas that are vital for the BCP
process. However, the BCP process goes beyond risk management's preemptive approach and
assumes that the disaster will happen at some point.