CHAPTER II. THE PROJECT RISK MANAGEMENT PROCESS.

II.1. THE RISK IDENTIFICATION II.1.1. INPUTS TO RISK IDENTIFICATION II.1.2. TOOLS AND TECHNIQUES FOR RISK IDENTIFICATION II.1.3. OUTPUTS FROM RISK IDENTIFICATION II.2. THE RISK EVALUATION II.2.1. QUALITATIVE ANALYSIS II.2.1.1. QUALITATIVE ANALYSIS. GENERAL APPROACH II.2.1.2. STAGES OF THE QUALITATIVE ANALYSIS II.2.2. QUANTITATIVE ANALYSIS II.2.2.1. QUANTITATIVE ANALYSIS. GENERAL APPROACH II.2.2. STAGES OF THE QUANTITATIVE ANALYSIS II.3. DEVELOPING STRATEGIES FOR RISK RESPONSE II.4. THE RISK RESPONSE STRATEGY CONTROL II.4.1. INPUTS TO RISK MONITORING AND CONTROL II.4.2. TOOLS AND TECHNIQUES FOR RISK MONITORING AND CONTROL II.4.3. OUTPUTS FROM RISK MONITORING AND CONTROL

II.1. THE RISK IDENTIFICATION Radu V. considers that risks identification aims to exposure to risk of a property, exposure to risks of human rights and resources, but also hazard and potential dangers that cause these exposures to risk1. In his opinion, identifying risks is made in two phases: risk perception (awareness of a certain risk that threatens the project) and the identification itself. As far as the perception of risk is concerned, there are two elements present in all the decision-making under risk, namely: The inherent risk, namely the sum of all projects involved in each decision situation (hazard will have a real contribution on the consequences of the decisions) Exterior risk, namely, the image that each manager has about inherent risk. According to PMBOK, Risk Identification determines which risks might affect the project and documents their characteristics. Participants in risk identification activities can include the following, where appropriate: project manager, project team members, risk
1

Radu, V, s.a.. (coordonator), Managementul proiectelor, Editura Universitar, Bucureti, 2008, p.210.

management team (if assigned), subject matter experts from outside the project team, customers, end users, other project managers, stakeholders, and risk management experts. While these personnel are often key participants for risk identification, all project personnel should be encouraged to identify risks.2 The identification of risk is very important. Each must be described in detail so that it will not be confused with any other risk or project task that must be done. Each risk should be given an identification number. During the course of the project, as more information is gathered about the risk, all of this information can be consolidated about the particular risk. The first component we need to discuss is the identification of the risk event. In the course of identifying risk events we will call upon the project team, subject matter experts, the stakeholders, and other project managers. Much of the work already done in the project will be utilized in the risk management process. Among these items that will be used are the project charter, the work breakdown structure, project description, project schedule, cost estimates, budgets, resource availability, resource schedules, procurement information, and assumptions that have been made and recorded. Risk identification involves determining which risks might affect the project and documenting their characteristics. This phase consists of identifying all the possible risks which may significantly impact the success of the project. Conceptually, these may range from high-impact/high-probability, through high-impact/low-probability, low-impact/high-probability to low-impact/lowprobability. Obviously, the high and medium risks, including accumulations under any one item of risk, should receive the most attention. Moreover, combinations of risk which together pose a greater threat than each individually should not be overlooked. In order to identify all the potential risks to a particular project, it may be necessary to undertake a risk identification program. This might involve soliciting the considered opinions of knowledgeable persons associated with the project or similar projects, or conducting a "brainstorming" type of workshop amongst the project team. Risk identification is an iterative process3. The first iteration may be performed by a part of the project team, or by the risk management team. The entire project team and primary stakeholders may make a second iteration. To achieve an unbiased analysis, persons who are not involved in the project may perform the final iteration.

***A Guide to the Project Management Body of Knowledge, (PMBOK Guide), Third Edition, Published by: Project Management Institute, Inc., Pennsylvania, 2004, Chapter 11. 3 ***A Guide to the Project Management Body of Knowledge (PMBOK Guide), Project Management Institute, Newtown Square, 2004 Edition, p. 131.

Often simple and effective risk responses can be developed and even implemented as soon as the risk is identified. RISK IDENTIFICATION: INPUTS, TOOLS & TECHNIQUES, AND OUTPUTS 1 Inputs
.1 Inputs .1 Enterprise environmental .2 Organizational process assets .3 Project scope statement .4 Risk management plan .5 Project management plan

2 Tools and techniques

.1 Inputs .1 Documentation reviews .2 Information gathering techniques .3 Checklist analyses .4 Assumptions analyses .5 Diagramming analyses

3 Outputs
.1 Inputs .1 Risk register

Figure 2. Risk Identification: Inputs, Tools & Techniques, and Outputs4 II.1.1. INPUTS TO RISK IDENTIFICATION Before analyzing tools and techniques for risk identification, we must first consider inputs to risk identification: 1. Risk management plan. The risk management plan describes how risk identification, qualitative and quantitative analysis, response planning, monitoring, and control will be structured and performed during the project life cycle. The risk management plan does not address responses to individual risks - this is accomplished in the risk response plan. 2. Project planning outputs. Risk identification requires an understanding of the projects mission, scope, and objectives of the owner, sponsor, or stakeholders. Outputs of other processes should be reviewed to identify possible risks across the entire project. These may include, but are not limited to: 4

Project charter. WBS. Product description. Schedule and cost estimates. Resource plan. Procurement plan. Assumption and constraint lists.

***A Guide to the Project Management Body of Knowledge (PMBOK Guide), Project Management Institute, Newtown Square, 2004 Edition, p. 131.

3. Risk categories. Risks that may affect the project for better or worse can be identified and organized into risk categories. Risk categories should be well defined and should reflect common sources of risk for the industry or application area. Categories include the following: Technical, quality, or performance risks Project-management risks: poor allocation of time and resources, inadequate quality of the project plan, poor use of project management disciplines. Organizational risk: cost, time, and scope objectives that are internally inconsistent, lack of prioritization of projects. External risks: shifting legal or regulatory environment, labor issues, changing owner priorities, country risk, and weather. Several projects have failed because of a risk that members considered ridiculous to appear. During the stage of risk assessment, participants have the opportunity to analyze and remove hazards unlikely to happen5, mentions Langevin.

II.1.2. TOOLS AND TECHNIQUES FOR RISK IDENTIFICATION There are many ways to discover and identify risks. The most important of them are6: 1. Documentation reviews 2. Brainstorming 3. Delphi technique 4. Nominal group technique 5. Crawford slip 6. Expert interviews 7. Checklists 8. Analogy Documentation Reviews Documentation reviews comprise reviewing all of the project materials that have been generated up to the date of this risk review. This includes reviewing lessons learned and risk management plans from previous projects, contract obligations, project baselines for scope, schedule and budget, resource availabilities, staffing plans, suppliers, and assumptions lists. Brainstorming

Langevin, Y, Management de projet, Dunod, Paris, 2007, p. 235 (Adaptare francez: Gray, F. C. i Larson, W E. Project management the managerial process. McGraw-Hill, 2006). 6 Newell, Michael W., Preparing for the Project Management Professional (PMP) Certification Exam, Second Edition, American Management Association, New York, 2002, p. 135-136.

Brainstorming is probably the most popular technique for identifying risk. It is useful in generating any kind of list by mining the ideas of the participants. To use the technique, a meeting is called to make a comprehensive list of risks. It is important that the purpose of the meeting be explained clearly to the participants, and it is helpful if they are prepared when they arrive at the meeting. The meeting should have between ten and fifteen participants. If there are fewer than ten, there is not enough interaction between the participants. If there are more than fifteen people, the meeting tends to be difficult to control and keep focused. The meeting should take less than two hours. In larger projects it may be necessary to have several meetings. Each meeting should deal with a separate part of the project and the risks associated with that project part. By doing this, the number of persons involved can be kept to a reasonable size, and the meetings will be much more productive. When the meeting begins, the participants can name risks that they think are important for consideration in the project. No discussion of the items listed is allowed at this time. As participants see ideas listed, they will think of additional ideas. Each new idea will elicit another from someone, and many ideas for possible risks will be listed. Basic brainstorming rules7: a. Generate as big a list of potential risks as possible. Dont try to evaluate the risks as they are named; let the creativity of the group flow. b. After generating a list of potential risks, combine similar risks and order them all by magnitude and probability. Risks that have little chance of affecting the project can be crossed off. Dont try to solve all the risks at the meeting. If there are easy answers, be sure and capture them, but keep the session focused on risk identification, not response development. Delphi Technique The Delphi technique is similar to brainstorming, but the participants do not know one another. This technique is useful if the participants are some distance away. The Delphi technique is much more efficient and useful today than it has been in the past because of the use of e-mail as a medium for conducting the exercise. Because the participants in this technique are anonymous, there is little to inhibit the flow of ideas. Where the participants are not anonymous, there is a tendency for one or more people to dominate the meeting. If one of the participants is a higher level manager than the others in the meeting, many of the meeting participants will be inhibited or try to show off in front of the upper level manager. All of this is avoided in the Delphi technique.
7

Verzuh, Eric, MBA in Project Management, Published by John Wiley & Sons, Inc., New Jersey, 2003, p. 188.

The process begins with the facilitator using a questionnaire to solicit risk ideas about the project. The responses by the participants are then categorized and clarified by the facilitator. The categorized, clarified list is then circulated to the participants for comments or additions. The members of the group may modify their position, but they must give reasons for doing so. Consensus and a detailed list of the project risks can be obtained in a few rounds. One of the major drawbacks to the brainstorming technique is avoided in the use of the Delphi technique. Peer pressure and the risk of embarrassment from putting forth a silly idea or one that could be ridiculed by others is avoided because the participants are not known to one another. This does not come without cost. The facilitator must do much more work for the Delphi technique than the facilitator in a brainstorming session. It is necessary for the facilitator to frequently nag the participants, who may procrastinate in returning their responses. There is also some risk involved in using this technique. The facilitator is required to analyze and categorize the inputs from the participants. This means that the facilitator impresses much of his or her opinion on the group. Nominal Group Technique In the nominal group technique, the idea is to eliminate some of the problems with other techniques, particularly the problems associated with persons inhibitions and reluctance to participate. In this technique a group size of seven to ten persons is used. The facilitator instructs each of the participants to privately and silently list his or her ideas on a piece of paper8. When this is completed, the facilitator takes each piece of paper and lists the ideas on a flip chart or blackboard. At this time no discussion takes place. Once all of the ideas are listed on the flip chart, the group discusses each idea. During the discussion, clarifications or explanations are made. Each member of the group now ranks the ideas in order of importance, again in secret. The result is an ordered list of the risks in order of their importance. This process not only identifies risks but also does a preliminary evaluation of them. This process reduces the effect of a high-ranking person in the group but does not eliminate it, like the Delphi technique. The nominal group technique is faster and requires less effort on the part of the facilitator than the Delphi technique. Crawford Slip The Crawford slip process has become popular recently. The Crawford slip process does not require as strong a facilitator as the other techniques, and it produces a lot of ideas very quickly. A Crawford slip meeting can take place in less than half an hour.
8

Constantinescu, Dumitru i colaboratorii, Managementul proiectelor., Editura Sitech, Craiova, 2008, p. 158.

The usual number of seven to ten participants is used, but larger groups can be accommodated, since there is a fairly small amount of interaction between the persons in the group. The facilitator begins by instructing the group that he will ask ten questions, one at a time. Each participant must answer each question with a different answer. The same answer cannot be used for more than one question. The participants are to write their answer to each question on a separate piece of paper. (Post-It notes are good for this.) The facilitator tells the participants that they will have one minute to answer each question. When all the participants are ready, the facilitator begins by asking a question such as, What is the most important risk to this project? The participants write down the answer. After one minute, the facilitator repeats the question. This is repeated ten times. The effect is that the participants are forced to think of ten separate risks in the project. Even with duplicates among the members, the number of risks identified is formidable. Expert Interviews Experts or people with experience in this type of project or problem can be of great help in avoiding solving the same problems over and over again. Caution must be exercised whenever using expert opinions. If an expert is trusted implicitly and his or her advice is taken without question, the project can head off in the wrong direction under the influence of one so-called expert. The use of experts, particularly those hired from outside the project organization, can be costly. Care must be taken to ensure that experts are used efficiently and effectively. Before the expert interview is conducted, the input information must be given to the expert and the goals of the interview must be clearly understood. During the interview, the information from the expert must be recorded. If more than one expert is used, the output information from the interviews should be consolidated and circulated to the other experts. Checklists Checklists for risk identification can be developed based on historical information and knowledge that has been accumulated from previous similar projects and from other sources of information9. One advantage of using a checklist is that risk identification is quick and simple. One disadvantage is that it is impossible to build an exhaustive checklist of risks, and the user may be effectively limited to the categories in the list. Care should be taken to explore items that do not appear on a standard checklist if they seem relevant to the specific project. The checklist should itemize all types of possible risks to the project. It is important to review the checklist as a formal step of every project-closing procedure to improve the list of potential risks, to improve the description of risks.
9

***A Guide to the Project Management Body of Knowledge (PMBOK Guide), Project Management Institute, Newtown Square, 2000 Edition, p. 133.

Analogy The analogous method of identifying risks is quite simple. From the lessons learned and the risk management plan of other projects that were similar, an analogy can be formed. By comparing two or more projects, characteristics that are similar for each project can be seen that will give insight into the risks of the new project. Diagramming Techniques Various types of diagramming techniques have been developed that will help in the identification of risks. Cause and effect diagrams are used to organize information and show how various items relate to one another. There are several possible risks that contribute to the main risk in question. Each of the contributing risks can be further diagrammed until there is a complete hierarchy of risks. Once diagrammed, the relationships between the risks can easily be seen. Flowcharts are diagrams that show the sequence of events that take place in a given process. They also show conditional branching. Each point on the flow diagram can be used as a possible point for identifying risks. The risks which generally have to be considered may be10: 1. Technical 2. Environmental 3. Operational 4. Cultural 5. Financial fluctuation; 6. Legal 7. Commercial 8. Resource 9. Economic 10. Political 11. Security Local laws. Lack of clarity of contract; Change in market conditions or customers; Shortage of staff, operatives or materials; Slow-down in economy, change in commodity prices; Change of government or government policy. Safety. Theft. Vandalism. New technology or materials. Test failures; Unforeseen weather conditions. Traffic restrictions; New systems and procedures. Training needs; Established customs and beliefs. Religious holidays; Freeze on capital. Bankruptcy of stakeholder. Currency

II.1.3. OUTPUTS FROM RISK IDENTIFICATION 1. Sources of risk. Sources of risk are categories of possible risk events (e.g., stakeholder actions, unreliable estimates, team turnover) that may affect the project for better or

10

Lester, A, Project Planning and Control, Fourth Edition, Great Britain by Biddles Ltd, Guildford and Kings Lynn, 2003, p. 48.

worse. The list of sources should generally include all identified items regardless of frequency, probability of occurrence, or magnitude of gain or loss. Common sources of risk include: 2. Changes in requirements. Design errors, omissions, and misunderstandings. Poorly defined or understood roles and responsibilities. Poor estimates. Insufficiently skilled staff.

Potential risk events. Potential risk events are discrete occurrences such as a

natural disaster or the departure of a specific team member that may affect the project. Potential risk events should be identified in addition to sources of risk when the probability of occurrence or magnitude of loss is large. 3. Risk symptoms. Risk symptoms, sometimes called triggers, are indirect manifestations of actual risk events. For example, poor morale may be an early warning signal of an impending schedule delay or cost overruns on early activities may be indicative of poor estimating. 4. assumptions. Inputs to other processes. The risk identification process may identify a need for further activity in another area. Risks are often input to the other processes as constraints or

II.2. THE RISK EVALUATION Without risk analysis, a project manager and a team never develop a realistic project plan11. If the team members are asked for task time estimates and they know that their estimates will be a matter of record, this is considered when they estimate the task duration; if they are even a little uneasy about the tasks, they can be expected to give padded time estimates. Knowledge of the worst case estimate in past experiences will drive up the estimate. In fact the worst case estimate provides for the most comfortable time buffer. The risk evaluation is the qualitative stage at which the two main attributes of a risk, probability and impact, are examined. The probability of a risk becoming a reality has to be assessed using experience and/or statistical data such as historical weather charts or close-out reports from previous projects. Each risk can then be given a probability rating of HIGH, MEDIUM or LOW. In a similar way, by taking into account all the available statistical data, past project histories and expert opinion, the impact or effect on the project can be rated as SEVERE, MEDIUM or LOW.
11

Hall, Earl, Johnson, Juliane, Integrated Project Management, Chapter VIII, Publisher, Prentice Hall, 2003, p. 167.

Once all the possible things that could go wrong during the project have been identified, its time to define how likely it is that each of those potential problems might occur and, if they were to do so, the impact or damage that would be caused by the occurrence. The chance that something might occur is called the risk probability. The damage that would occur is called the risk impact12. The potential for serious risk can bring about a couple of reactions - we avoid the risk altogether, we take steps to minimize the risk, or we make plans to deal with the risk event in case it occurs. The potential that a risk will happen during the course of your project depends on the nature of the risk. According to Paul Dinsmore, risk analysis includes a detailed discussion of the risk, including both internal and external factors. An impact table is prepared with factors assigned based on technology status, planning status, and design/project status. Finally, the potential cost and schedule impact is assessed. The impact table includes a worst-case cost estimate for each of the project elements included13. Another definition is given by Kim Heldman, who considers that risk analysis takes into consideration the probability that the risk will occur and its impact if it does. The end result of this process is a prioritized list of risks that you can use to determine which risks need response plans14. One of the easiest ways to rank the risks is using the Nominal Group technique that we talked about in the last section. After identifying the risks, the group should be asked to rank them in their order of importance. This technique does work for very small projects, but for all other projects its important examining probability and impact. Risk identification generates a list of the risks that might impact on the project. Often the list will be extensive, and it is necessary to separate the important items from the less important ones. This process is called risk assessment. Risk assessment has several objectives: it gives an overview of the general level and pattern of risk facing the project; it focuses management attention on the high-risk items in the list; it helps to decide where action is needed immediately, and where action plans should be developed for future activities; and it facilitates the allocation of resources to support managements action decisions.

12

Martin, Paula and Tate, Karen, Getting Started in Project Management, Published by John Wiley & Sons, Inc., 2001, p. 120. 13 Dinsmore, Paul C., The AMA Handbook of Project Management, AMACOM Books , p. 162. 14 Heldman, Kim, Project Management JumpStart, SYBEX Inc., Alameda, 2003, p. 198.

The risk analysis step may use forms of analysis that range from simple qualitative methods to more sophisticated quantitative approaches. Qualitative analysis is based on nominal or descriptive scales for describing the likelihoods and consequences of risks. This is particularly useful for an initial review or screening or when a quick assessment is required. Semi-quantitative analysis extends the qualitative analysis process by allocating numerical values to the descriptive scales. The numbers are then used to derive quantitative risk factors. Quantitative analysis uses numerical ratio scales for likelihoods and consequences, rather than descriptive scales. The analysis stage assigns each risk a priority rating, taking into account existing activities, processes or plans that operate to reduce or control the risk. II.2.1. QUALITATIVE ANALYSIS II.2.1.1. QUALITATIVE ANALYSIS. GENERAL APPROACH Qualitative Risk Analysis includes methods for prioritizing the identified risks for further action, such as Quantitative Risk Analysis or Risk Response Planning. Organizations can improve the projects performance effectively by focusing on high-priority risks. Qualitative Risk Analysis assesses the priority of identified risks using their probability of occurring, the corresponding impact on project objectives if the risks do occur, as well as other factors such as the time frame and risk tolerance of the project constraints of cost, schedule, scope, and quality. Sometimes experts or functional units assess the risks in their respective fields and share these assessments with the team. Across the same project the definitions that will be used for levels of probability and impact should be the same. The organizations management, project customer or sponsor has an important role in the Qualitative Risk Analysis process. The project sponsor defines for the risk analysis lead and team the levels of impact on time, cost, scope and quality that would qualify a risk as having a very low, low, moderate, high or very high impact on each objective. mentioned. Once the definitions are in place, team members assess the identified risks probability and impact and then put them into high, moderate, and low risk categories for each The project sponsor determines the combinations of probability and impact that make a risk low, moderate and high priority for each objective in light of the definitions just

project objective (time, cost, scope, quality). They rank risks by degrees of probability and impact, using the definitions in place, and include their assessment rationale. Team members revisit qualitative risk analysis during the projects lifecycle. When the team repeats qualitative analysis for individual risks, trends may emerge in the results. These trends can indicate the need for more or less risk management action on particular risks, or whether a risk mitigation plan is working. II.2.1.2. STAGES OF THE QUALITATIVE ANALYSIS The significance of a risk can be expressed as a combination of its consequences or impacts on project objectives, and the likelihood of those consequences arising. This can be accomplished with qualitative consequence and likelihood scales and a matrix defining the significance of various combinations of these. Table II.1 illustrates the general principle contained in most priority-setting processes: risks are high-priority if problems are likely to arise and if they have large potential consequences. So, in the first stage, the project team prepares a list of potential risks to these risks deserve to be given full attention. Some will be ignored because they are insignificant and. therefore, only some will be included in the analysis of the project manager must develop methods to remove dm list of risks that will not cause or redundant, and "shell" others in their importance and need for intervention. Scenario analysis is a technique easiest and most common risk assessment. Team members evaluate each risk according to the following: Undesirable event; The event (does not happen, is not); Scale or impact event; The likelihood of the event to happen; Project phase during which the event can occur; Interaction with other parts of the project or another project.

Generally, organizations consider it useful to classify the seriousness of the risk matrix in the form of risk assessment. Matrix contains two axes: the impact of risk and probability of realization. The matrix is divided into three zones, each zone representing a level of severity: major risks, modest risk, and negligible risk like Tabel II.1. Tabel II.1. Basic priority-setting matrix Likelihood V High Consequence Low High Medium risk High risk

Low

Low risk

Medium risk

This is a very simple structure. In practice, it is often too simple, because the two-way distinctions between high and low likelihood and high and low consequence produce only four combinations. This is rarely enough discrimination for effective decision making. Based on the matrix of priority-setting of the risks we can determine priorities in addressing the risks. It considers, first, the risks of major risks, then the area of moderate risks. In general, the risks of the third area considered risks without consequences, and they are ignored. Table II.2 shows an extension of the structure to a five-by-five matrix. This provides greater discrimination, and allows more classifications of priority. A matrix like Table II.2 can be structured according to the kinds of risks involved in the project and the organizations objectives, criteria and attitudes to risk. For example, the specific example in Table II.2 is not symmetric, indicating that the organization is concerned about most catastrophic events, even if they are rare. This might be appropriate where human safety is threatened and the organization needs to ensure the associated risks are being managed whatever the likelihood of their occurrence. Where the impacts of potential risks are purely economic, and particularly where there may be a cap or limit to the potential exposure, catastrophic but rare events may be viewed as moderate risks and not treated in such detail. To implement a structure like this, it is important that clear and consistent definitions of the consequence and likelihood scales are used. These are likely to depend on the nature of the project, its objectives and criteria, and the kinds of risks anticipated. Table II.2More detailed priority-setting matrix15

Likelihood Almost certain Likely Possible Unlikely Rare

Insignificant Medium Low Low Low Low

Minor Medium Medium Medium Low Low

Moderate High Medium Medium Medium Low

Major High High Medium Medium Medium

Catastrophic High High High High Medium

15

Cooper, Dale F., Stephen Grey, Project risk management guidelines, John Wiley & Sons Ltd, Southern Gate, West Sussex, 2005, p. 47.

Each risk can now be given a risk number, so that it is now possible to draw up a simple chart which lists all the risks so far considered. This chart will show the risk number, a short description, the risk category, the probability rating, the impact rating (in terms of high, medium or low) and the risk owner who is charged with monitoring and managing the risk during the life of the project. As far as consequences are concerned, they are rated in terms of the potential impact on the criteria, often on five-point descriptive scales linked to the criteria identified in the context step. Where a risk has several consequences on different parts of the scale, the highest consequence is used to generate the rating. This generates a conservative view of the overall consequence of the risk. Scales like these often generate considerable discussion amongst senior managers and the project team. The numerical limits in a financial impacts scale are often linked to the size of the There is often a trade-off between risk and opportunity, the resolution to which In some organizations, the health and safety scale is adjusted so that a single project, the size of the organization undertaking it, or the amount it can afford to lose. must usually take place at managerial levels well above that of the project. fatality falls in the most severe consequence category. This reflects the organizations attention to employee safety as a core part of its vision and duty of care. Generally, you should review carefully the consequence scales you intend to use for each project, to ensure they reflect the organizations objectives and criteria for success. By all means use the examples in this chapter as a guide, but remember they are only examples, and if they are not agreed and accepted by senior management the outcomes from the risk assessment may not be accepted readily. For smaller, less complex or routine projects or procurement activities, a simpler consequence scale might be appropriate. It is important to remember that the scales are to be used for assessing priorities, so comparability and consistency are often more important than absolute numbers. Risk evaluation is about deciding whether risks are tolerable or not to the project, taking into account:

the controls already in place or included in project plans; the likely effectiveness of those controls; the cost impact of managing the risks or leaving them untreated; benefits and opportunities presented by the risks; and the risks borne by other stakeholders. The evaluation step compares risk priorities from the initial analysis against all the other

risks and the organizations known priorities and requirements. Any risks that have been accorded too high or too low a rating are adjusted, with a record of the adjustment being retained for tracking purposes. The outcome is a list of risks with agreed priority ratings. Adjustments to the initial priorities may be made for several reasons. Risks may be moved down. Typically these will be routine, well-anticipated risks that are highly likely to occur, but with few adverse consequences, and for which standard responses exist. Risks may be moved up. Typically there will be two categories of risks like this: those risks that the project team feel are more important than the initial classification indicates; and those risks that are similar to other high-priority risks to the project and hence should be considered jointly with them. Some risks may be moved up to provide additional visibility if the project team feels they should be dealt with explicitly. The two-stage process of assessment followed by evaluation makes best use of the specialized knowledge of the team dealing with the project. It also avoids errors associated with risks or elements that do not fit exactly into the indicators and scales used for the initial ranking. For each risk, the name of the manager responsible for the development of treatment options should be recorded. The project manager has overall responsibility for ensuring all risks are managed; the intent here is to specify to whom each risk treatment task has been delegated. Probability is a term with a precise statistical meaning, as a measure of the relative frequency of occurrence of an event whose values are between zero (impossible) and one (certainty). The probability is obtained from a theoretical distribution or observations. In decision theory, this makes the difference between the methods of approach to decisions under uncertainty and under risk, since only the second category involves knowing the likelihood of manifestation of natures states. Risk analysis can be costly, which makes the level of accuracy in the expression of probabilities to be different, according to necessities. There are supposed to be three types of accuracy16:
16

Constantinescu, Dumitru i colaboratorii, Managementul proiectelor., Editura Sitech, Craiova, 2008, p. 164.

a basic level (the probability is expressed as low / medium / high): an intermediate level (with the probability expressed by values between 0 and 1 or percentage): a higher level (probabilities are described by a function of distribution - normal, triangular, beta, or its parameters).

It is now possible to give comparative values, often on a scale 1 to 10, to the probability and impact of each risk and by drawing up a matrix of the risks, an order of importance or priority can be established. By multiplying the impact rating by the probability rating, the exposure rating is obtained. This is a convenient indicator which may be used to reduce the list to only the top dozen that require serious attention, but an eye should nevertheless be kept on even the minor ones, some of which may suddenly become serious if unforeseen circumstances arise. An example of such a matrix is shown in Figure II.3. Clearly the higher the value, the greater the risk and the more attention it must receive to manage it. Exposure table
Exposure table Rating Impact Very high 0.8 High Medium Low Very Low 0.5 0.2 0.1 0.05 Value Probability Very low Low 0.1 0.2 Medium 0.5 High 0.7 Very high 0.9

Figure II.3. Exposure table. Another way to quantify both the impact and probability is to number the ratings from 1 for very low to 5 for very high. By multiplying the appropriate numbers in the boxes, a numerical (or quantitative) exposure rating is obtained, which gives a measure of seriousness and hence importance for further investigation. For example, if the impact is rated 3 (i.e. medium) and the probability 5 (very high), the exposure rating is 3 x 5 = 15.

II.2.2. QUANTITATIVE ANALYSIS II.2.2.1. QUANTITATIVE ANALYSIS. GENERAL APPROACH Quantitative risk analysis is a way of numerically estimating the probability that a project will meet its cost and time objectives. Quantitative analysis is based on a simultaneous evaluation of the impact of all identified and quantified risks. The result is a probability distribution of the projects cost and completion date based on the identified risks in the project. Quantitative risk analysis involves statistical techniques, primarily Monte Carlo simulation that is most widely and easily used with specialized software. Quantitative risk analysis starts with the model of the project, either its project schedule or its cost estimate depending on the objective. The degree of uncertainty in each schedule activity and each line-item cost element is represented by a probability distribution. The probability distribution is usually specified by determining the optimistic, the most likely and the pessimistic values for the activity or cost element, this is typically called the 3-point estimate. The three points are estimated during an interview with subject matter experts who usually focus on the schedule or cost elements one at a time. The risks that lead to the three points are recorded for the quantitative risk analysis report and for risk response planning. For each activity or cost element a probability distribution type is chosen that best represents the risks discussed in the interview. Typical distributions usually include the triangular, beta, normal and uniform. II.2.2.2. STAGES OF THE QUANTITATIVE ANALYSIS A high level of analysis is necessary in rare circumstances, especially if its involved the called quantitative models for risk assessment using the Monte Carlo method17. So, further sophistication in evaluating risks is possible by using some of the computer software developed specifically to determine the probability of occurrence. These programs use sampling techniques like the one already mentioned, which carry out hundreds of iterative sampling calculations to obtain a probability distribution of the outcome18. One application of the Monte Carlo simulation is determining the probability to meet a specific milestone (like the completion date) by giving three time estimates to every activity. The program will then carry out a great number of iterations resulting in a frequency/time histogram and a cumulative S curve from which the probability of meeting the milestone can be read off. A specialized Monte Carlo simulation software program runs (iterates) the project schedule or cost estimate many times, drawing duration or cost values for each iteration at random from the probability distribution derived from the 3-point estimates and probability
17 18

Giard, V., Gestion de projets, Economica. Paris, 2004. Lester, A, Project Planning and Control, Fourth Edition, Great Britain by Biddles Ltd, Guildford and Kings Lynn, 2003, p. 52.

distribution types selected for each element. The Monte Carlo software develops from the results of the simulation a probability distribution of possible completion dates and project costs. From this distribution it is possible to answer such questions as19: How likely is the current plan to come in on schedule or on budget? How much contingency reserve of time or money is needed to provide the agency with a sufficient degree of certainty? Using sensitivity analysis, which activities or line-item cost elements contribute the most to the possibility of overrunning schedule or cost targets? Another technique for assessing and tracking projects is PERT (Program Evaluation and Review Technique). The PERT technique and its variants adopt a wider perspective considering all related risks costs and timing of work. The technique highlights the likeliness that the project is finished on time and within budget and not on individual events. It is a useful technique for the assessment of a project risk profile and needs for the eventuality of funds, resources and time. Scenario analysis is a semi-risk assessment. The project manager is often reluctant to the idea of use or to provide probabilities for risk analysis. Instead, enter the challenge that the project team should formulate risk in words. It is an attitude that proves very practical and on this occasion, there is some advantage when not using probability theory. Scenario analysis is a method that calls through four steps. In the first, scenario analysis starts with developing a calendar of reference is about the execution of the project. It is estimated20 that the chances to end the project before or after the maturity date wont exceed 50%. Managers verify that the team members of risk management are confident that there are chances of 90% or 95% during the work schedule to be close to average. Second, the team members set a timetable of reference assuming that everything would hold good. They then prepare a schedule after a successful scenario. The Project Manager requires confirming that they are sure that there is probability of 90% for a schedule of the most favorable case to have 10% chance of being realized to the extent that everything will be fine. To note that this schedule allows compression and that measures are taken to avoid or reduce certain risks. Thirdly, the team risk management imagines the most pessimistic scenario, which considers that the risks can not be avoided. The project is subject to Murphys law. Team members develop the calendar of the most unfavorable case. The Project Manager requires

19

***Office of Statewide Project Management Improvement (OSPMI), Project Risk Management Handbook, Threats and Opportunities, Second Edition, 2007, p. 14. 20 Gray. F.C., Larson, W.E., Project management: the managerial process, McGraw-Hill, Irwin, 2006.

confirming that they are sure that there is probability of 90% for a schedule of the most unfavorable case to have 90% chance to succeed if the risk materializes. Fourth, the team faces credibility calendars at the earliest, not later than and the provided. The project Manager requires indicating the amount of money that they wager on each calendar. This open process entails, usually a widening of the amendments, but it also confirms to the team members that little probabilities approach the credibility calendars. Inclination to semi-quantitative analysis scenarios extends further. The numerical values will serve to assess impacts and the possibility to check the relevance of established risk and to facilitate their analysis. This process has the right to block the major risks and to outline possible terms. Setting the three calendars before the start of the project, the scenario provides the opportunity to consider which team decisions to take and answer the following questions: What should I do if ....?, If ever, the organization was exposed a risk, which has been its impact on other projects ?. Inclination to semi-quantitative analysis scenarios proves also very useful when explaining the risks of project team members. Other techniques such as sensitivity diagrams, influence diagrams and decision trees have all been developed in an attempt to make risk analysis more accurate or more reliable. It must be remembered, however, that any answer is only as good as the initial assumptions and input data, and the project manager must give serious consideration as to the cost effectiveness of theses methods for his/her particular project.

II.3. DEVELOPING STRATEGIES FOR RISK RESPONSE Risk strategies are the techniques that will be used to reduce the effect or probability of the identified or even the unidentified risks21. In terms of the risk strategy that should be employed, a qualitative or quantitative evaluation of the severity of the risk will be a guideline as to how much time, money, and effort should be spent on the strategy to limit the risk. After it was established and evaluated a risk, team risk management determines the best way to counter it. Risk treatment consists of determining what will be done in response to the risks that have been identified, for the purpose of reducing the potential risk exposure. Any controls and plans in place before the risk management process began are augmented with Risk Action Plans to deal with risks before they arise and contingency plans with which to recover if a risk comes to pass. At the end of successful risk treatment planning, detailed ideas will have
21

Newell, Michael W., Preparing for the Project Management Professional (PMP) Certification Exam, Second Edition, American Management Association, New York, 2002, p. 159.

been developed and documented about the best ways of dealing with each major risk, and Risk Action Plans will have been formulated for putting the responses into effect. In addition to these project-specific plans, risk treatment might also include alteration of the base plans of the business, for example, what should the business do if a planned manufacturing plant extension is not commissioned on time? Occasionally the best way to treat a risk might be to adopt an alternative strategy, to avoid a risk or make the organization less vulnerable to its consequences. Trade-offs will often be required when selecting treatment options: for example, between scope, cost and schedule. The process of selecting and developing effective risk treatments involves: identifying the options for reducing the likelihood or consequences of each determining the potential benefits and costs of each option, including the possible Extreme or High risk; impact on the organization if the risk occurred, the reduced level of risk if the option were implemented, the potential benefits of the reduced level of risk, and the costs of achieving those benefits, including both direct and indirect costs and the effects of any schedule delays; and developing detailed Risk Action Plans. The particular Risk Action Plans developed and implemented to treat an identified risk will depend on the nature of the project and the nature of the risk. They cannot be specified in detail in guidelines like these. However, some general suggestions can be provided. During the response identification and assessment process, it is often helpful to think about responses in terms of broad risk management strategies22: 1. risk prevention (including risk avoidance); 2. impact mitigation; 3. risk sharing; 4. insurance; and 5. risk retention. In practice, these categories overlap to some extent. Nevertheless, they provide a useful framework for thinking about how to deal with risks.
22

selecting the best options for the project; for options that have the form of contingency plans, specifying the symptoms or identifying links to related processes or activities within or outside the project;

trigger points at which the option might be implemented;

Cooper, Dale F., Stephen Grey, Project risk management guidelines, John Wiley & Sons Ltd, Southern Gate, West Sussex, 2005, p. 75.

These categories are in the nature of tactical responses. The organization should determine how they should be combined into its overall strategy, according to the extent to which it is prepared to accept or tolerate risk. Policy decisions such as this must be made at senior levels in the organization, not left to individual managers. According to another specialist, the risks are grouped into four categories. Langevin mentions the ways of countering the risks: reduction, avoidance, transfer, sharing or acceptance23. Radu, V.24 considers the ways: avoid, transfer, reduction and risk acceptance. We can recognize options similar to those suggested by Langevin. All these form the basis of specific strategies. The amount of effort youll put into the development of risk response plans depends on the nature of the risk. Some risks require extensive plans, some may need only to be noted and accounted for in an overall plan, and others need only to be listed on the risk list. Risk response planning is a matter of deciding what steps to take should the risk event occur. It also includes assigning individuals (or departments) the responsibility of carrying out the risk response plan if the risk event occurs. Be sure to note the individuals or department thats responsible for enacting the response plan in the plan documentation. The organizations risk management policies contain the guidelines you should follow for determining which risks need response plans. Generally speaking, those risks with a high probability of occurring that also have a medium-to-high impact should have a plan. There are several recognized strategies you can use to reduce or control risks: accepting, avoiding, transferring, and mitigating. Its important to use the right strategy for each risk so that each risk impact is dealt with adequately and in the most efficient way possible. Its not a bad idea to designate a secondary strategy for the highest impact risks. Well look at each of the strategies in more depth below. Accepting - Strategy for both Threats and Opportunities: 1. Acceptance. A strategy that is adopted because it is either not possible to eliminate that risk from a project or the cost in time or money of the response is not warranted by the importance of the risk. When the project manager and the project team decide to accept a certain risk(s), they do not need to change the project plan to deal with that certain risk, or identify any response strategy other than agreeing to address the risk if and when it occurs. A workaround plan may be developed for that eventuality. There are two types of acceptance strategy:

23

Langevin, Y, Management de projet, Dunod, Paris, 2007, p. 230 (Adaptare francez: Gray, F. C. i Larson, W E., Project management the managerial process. McGraw-Hill, 2006). 24 Radu, V, s.a.. (coordonator), Managementul proiectelor, Editura Universitar, Bucureti, 2008, p. 224.

1- Active acceptance. The most common active acceptance strategy is to establish a contingency reserve, including amounts of time, money, or resources to handle the threat or opportunity. Contingency Plan: Some responses are designed for use only if certain events occur. In this case, a response plan, also known as Contingency Plan, is developed by the project team that will only be executed under certain predefined conditions commonly called triggers. 2- Passive acceptance. Requires no action leaving the project team to deal with the threats or opportunities as they occur25. Workaround: Workaround is distinguished from contingency plan in that a workaround is a recovery plan that is implemented if the event occurs, whereas a contingency plan is to be implemented if a trigger event indicates that the risk is very likely to occur. As with risk identification process, the team should also consider residual risks, secondary risks, and risk interaction in the risk response planning process. This first strategy is straightforward. Accepting the risk means that you wont make any plans to deal with the impacts of the risk event, and if it occurs, youll let nature take its course. If we used this strategy when dealing with the snow risk event, for example, we would leave all the existing arrangements in place, we wouldnt investigate alternative locations for the event, and we would do nothing if snow occurred on the evening of the event. As already said, there are two kinds of acceptance, active and passive. Passive acceptance is when the project team does nothing at all about the risk. If the risk actually occurs, the project team will develop a way to work around the risk or to correct its effects. Active acceptance is when the project team develops a plan of action to be taken in anticipation of the risk occurring. This action will result in a contingency plan. The contingency plan can be implemented if triggers occur indicating the possibility of the risk occurring. In addition to the contingency plan, a fallback plan may be made as well. A fallback plan is an additional contingency plan to use in the event that the first contingency plan fails. Avoiding, Transferring, Mitigate - Strategies for Negative Risks or Threats include: Avoid. Risk avoidance involves changing the project plan to eliminate the risk or to protect the project objectives (time, cost, scope, quality) from its impact. The team might achieve this by changing scope, adding time, or adding resources (thus relaxing the so-called triple constraint).
25

***Office of Statewide Project Management Improvement (OSPMI), Project Risk Management Handbook, Threats and Opportunities, Second Edition, 2007, p. 18.

These changes may require a Programming Change Request (PCR). Some negative risks (threats) that arise early in the project can be avoided by clarifying requirements, obtaining information, improving communication, or acquiring expertise. Thus, risk avoidance involves taking steps to avoid the impact of the risk event or eliminating the cause of the risk altogether. This is different than the acceptance strategy because plans are developed to avoid the risk or its impact whereas the acceptance strategy does nothing. So, the strategy is to avoid the risk completely. The project plan or the nature of the project is actually changed to make it impossible for the risk to occur. Some risks, such as the risk of not having a clearly defined set of user requirements, can be avoided by expending the effort to more clearly define the requirements. This may increase the time and effort previously allowed for this activity, but it will have the result of eliminating the risk26. Transfer. Risk transference requires shifting the negative impact of a threat, along with ownership of the response, to a third party. An example would be the team transfers the financial impact of risk by contracting out some aspect of the work. Transference reduces the risk only if the contractor is more capable of taking steps to reduce the risk and does so. Risk transference nearly always involves payment of a risk premium to the party taking on the risk. Transference tools can be quite diverse and include, but are not limited to the use of: insurance, performance bonds, warranties, guarantees, incentive/disincentive clauses, A+B Contracts, etc. Risk transference doesnt eliminate the risk or its impacts; it transfers the responsibility for the management of the risk event to a third party. When risks are transferred to another party, there is usually some sort of payment involved to induce the third party to take on the risk. The classic example of risk transference is insurance. Your own car insurance policy is a perfect example. The insurance company takes on the risk of paying for damages caused by an accident in exchange for money. Keep this in mind because risk transference almost always involves the exchange of money. Youll want to account for transference costs in the project estimates and the project budget. Mitigate. Mitigate is jargon for work hard at reducing the risk.27 Risk mitigation implies a reduction in the probability and/or impact of an adverse risk event to an acceptable threshold. Taking early action to reduce the probability and/or impact of a risk is often more effective than trying to repair the damage after the risk has occurred.
26

Newell, Michael W., Preparing for the Project Management Professional (PMP) Certification Exam, Second Edition, American Management Association, New York, 2002, p. 159. 27 Verzuh, Eric, MBA in Project Management, Published by John Wiley & Sons, Inc., New Jersey, 2003, p. 199.

Risk mitigation may take resources or time and hence may represent a tradeoff of one objective for another. However, it may still be preferable to going forward with an unmitigated risk. Monitoring the deliverables closely, increasing the number of parallel activities in the schedule, early involvement of regulatory agencies in the project, early and continuous outreach to communities/advocacy groups, implementing value engineering, performing corridor studies, adopting less complex processes, conducting more tests, or choosing a more stable supplier are examples of mitigation actions. According to the above presented explanations, the last technique involves risk mitigation. This strategy attempts to reduce the impact of the risk event by reducing the probability of the risk occurrence or reducing the impact of the risk event to an acceptable level. The important difference in risk mitigation is that it reduces the risk to a level where we can accept it and its consequences. Adding specific work to the project plan employs the mitigation strategy. This work will always be done regardless of whether the risk occurs. The mitigation tasks are specific project tasks that are added to the project plan to reduce the impact or probability of the risk. It should be clear that an overall risk strategy should be designed to deal with risks by accepting them as they are, avoiding them by eliminating them from being possible, transferring them to anothers responsibility, or reducing their impact and/or probability to a level where they can be accepted28. If its important to hold your employee meeting at the resort location and changing locations isnt an option, you could consider moving the meeting to a later date when there is no chance of snow in the resort area to mitigate the impact of the risk. You could also reduce the impact of the risk by requiring all employees to be at the meeting location two hours prior to the start of the meeting, which gives everyone time to deal with bad weather conditions should they occur and still get the meeting started on time. Strategies for Positive Risks or Opportunities include: 1. Exploit. The organization wishes to ensure that the opportunity is realized. This strategy seeks to eliminate the uncertainty associated with a particular upside risk by making the opportunity definitely happen. Examples include securing talented resources that may become available for the project. 2. Share. Allocating ownership to a third party who is best able to capture the opportunity for the benefit of the project. Examples include: forming risk-sharing partnerships, teams, working with elected officials, special-purpose companies, joint ventures. Some risks can be
28

Newell, Michael W., Preparing for the Project Management Professional (PMP) Certification Exam, Second Edition, American Management Association, New York, 2002, p. 160.

transferred in part from the purchasing organization to another party, so the other party bears the initial consequences if the risk arises. Sharing a risk with another party usually incurs a cost for the organization. A general principle of risk management is that risks should be the responsibility of those best able to control and manage them. Risk assessment, in identifying how risks might arise, can provide the initial guide to which party is best able to manage the risks. Risk sharing occurs when contracts are negotiated between an organization and its suppliers or sub-contractors. Contracts are the primary means of allocating risk between the parties involved in most projects. However, sharing a risk with a contractor or supplier does not transfer it fully, and it may not really eliminate the risk, it just transforms it into a contractor failure or contractor performance risk. In these circumstances it is critical to ensure the contractor has a system in place for managing risk effectively, otherwise the project may end up with additional risks. In many projects, procurement contracts require sound risk management processes to be developed and implemented by the contractors, sub-contractors or suppliers of products or services, as part of prudential control and oversight procedures29. This process of allocation is called risk sharing rather than risk transfer because risks are rarely transferred completely or shed entirely. In many circumstances the contract between the buyer and the supplier is viewed as an explicit mechanism for sharing risk between them, rather than transferring risk from one to another. The risk assessment process, in identifying how risks might arise, can provide the initial guide to which party is best able to manage risks and the most appropriate form of contract. The analysis also identifies the potential consequences, and so may aid in determining a fair price for taking the risks involved. 3. Enhance. This strategy modifies the size of an opportunity by increasing probability and/or positive impacts, and by identifying and maximizing key drivers of these positive-impact risks. Seeking to facilitate or strengthen the cause of the opportunity, and proactively targeting and reinforcing its trigger conditions, might increase probability. Impact drivers can also be targeted, seeking to increase the projects susceptibility to the opportunity.

II.4. THE RISK RESPONSE STRATEGY CONTROL The process of monitoring and controlling and keeping track of the identified and the unidentified risks is risk control. In this process we hope to identify risks that are no longer
29

Cooper, Dale F., Stephen Grey, Project risk management guidelines, John Wiley & Sons Ltd, Southern Gate, West Sussex, 2005, p. 76.

possible and risks that are coming due, as well as any new risks that may become evident. We will also monitor risk activity to make sure the risk plans have been carried out successfully. Problems that have been found out in the risk plan can help us adjust the plans for future risk activities. Risk control and monitoring are part of the risk management process and must be started early in the project and continued until the end. As the project progresses, we will find that many of the risks will change, some will no longer be possible, others will happen and be disposed of, and new risks will be identified. In addition we will learn about the project and the risks associated with it and adjust our vision of individual risks. The level of risk tolerance should be monitored as well. The attitude of the stakeholders will change during the course of the project. Communication with all stakeholders is important since it gives us a means of assessing changes in their risk tolerance. In all projects, as we gain knowledge and experience about the project and its risks, we will change our attitude toward the risks in the project. This is natural and important. As we learn, we must change the level of effort we spend in certain areas or we will never have the resources, time, or money to complete any project. A control system for risk is influenced by the organization the project is being managed under as well. In a project that is high in risk, we might have a person who is at a high level and is exclusively responsible for managing risks. On projects that are relatively routine by comparison, the risk manager may be the person responsible for the tasks that are most affected by the occurrence of a risk. These persons are responsible for communicating risk progress to the project manager and other affected stakeholders. Risk audits can be used to document the effectiveness of the risk plans and the strategies that were used to mitigate, avoid, or transfer risks. A judgment can be made as to whether it was cost-effective to ignore the risks that were ignored30. Deviations in the project performance may indicate the effect of risks on the project. The earned value reporting system is helpful in identifying trends in performance on the project. Generally, schedule slippage and cost overruns are the result of some problems that have occurred. Trends in certain areas may indicate that risks are more severe than was anticipated or that new risks have taken place. One important product of the earned value reporting system is the indication of the cost and completion date at the end of the project. The sooner these slips in schedule or budget overruns can be communicated to the stakeholders, the better it will be for the project. Schedule slides and budget overruns that are severe enough can result in project termination.
30

Newell, Michael W., Grasihna, Marina, N., The Project Management Question and Answer Book, Amacom, 2004, p. 180.

A workaround is an unplanned response to a risk that was previously unidentified. These are the unknown risks that were discussed at the beginning of this chapter. They are also the risks that were passively accepted since these were deemed to be risks that would be ignored. Workarounds are paid for from funds from the contingency reserve or the management reserve, depending on whether the risk was identified and accepted or whether it was unknown until it occurred. In any case, the funding for the workaround comes out of these accounts and is put into the operating budget of the project, and a new baseline is created. Since contingency plans and workarounds are not part of the project baselines until they occur, they should be initiated and approved by the execution of an official change notification. Remember that changes to the baselines should require an official change notification as the vehicle for showing the change in funding, schedules, and scope resulting in a new and current baseline. Risk monitoring and control keeps track of the identified risks, residual risks, and new risks. It also monitors the execution of planned strategies on the identified risks and evaluates their effectiveness. Risk monitoring and control continues for the life of the project. The list of project risks changes as the project matures, new risks develop, or anticipated risks disappear. Typically during project execution there should be regularly held risk meetings during which all or a part of the Risk Register is reviewed for the effectiveness of their handling and new risks are discussed and assigned owners. Periodic project risk reviews repeat the process of identification, analysis, and response planning. The project manager ensures that project risk is an agenda item at all PDT meetings. Risk ratings and prioritization commonly change during the project lifecycle. If an unanticipated risk emerges, or a risks impact is greater than expected, the planned response may not be adequate. The project manager and the PDT must perform additional response planning to control the risk. Risk control involves31: 1. Choosing alternative response strategies 2. Implementing a contingency plan 3. Taking corrective actions 4. Re-planning the project, as applicable The individual or a group assigned to each risk (risk owner) reports periodically to the project manager and the risk team leader on the status of the risk and the effectiveness of the
31

***Office of Statewide Project Management Improvement (OSPMI), Project Risk Management Handbook, Threats and Opportunities, Second Edition, 2007, p. 19.

response plan. The risk owner also reports on any unanticipated effects, and any mid-course correction that the PDT must consider in order to mitigate the risk. The purpose of risk monitoring is to determine if32: developed. Project assumptions are still valid. Risk exposure has changed from its prior state, with analysis of trends. A risk trigger has occurred. Proper policies and procedures are followed. Risks have occurred or arisen that were not previously identified. II.4.1. INPUTS TO RISK MONITORING AND CONTROL 1. 2. 3. 4. Risk management plan. Risk response plan. Project communication. Reports commonly used to monitor and control risks Additional risk identification and analysis. As project performance is measured Risk responses have been implemented as planned. Risk response actions are as effective as expected, or if new responses should be

include Issues Logs, Action-Item Lists, Jeopardy Warnings, or Escalation Notices. and reported, potential risks not previously identified may surface. The cycle of the six risk processes should be implemented for these risks. 5. Scope changes. Scope changes often require new risk analysis and response plans. II.4.2. TOOLS AND TECHNIQUES FOR RISK MONITORING AND CONTROL 1. Project risk response audits. Risk auditors examine and document the effectiveness of the risk response in avoiding, transferring, or mitigating risk occurrence as well as the effectiveness of the risk owner. Risk audits are performed during the project life cycle to control risk. 2. Periodic project risk reviews. Project risk reviews should be regularly scheduled. Project risk should be an agenda item at all team meetings. Risk ratings and prioritization may change during the life of the project. Any changes may require additional qualitative or quantitative analysis. 3. Earned value analysis. Earned value is used for monitoring over a project performance against a baseline plan. Results from an earned value analysis may indicate
32

***A Guide to the Project Management Body of Knowledge, (PMBOK Guide), Third Edition, Published by: Project Management Institute, Inc., Pennsylvania, 2004, Chapter 11.

potential deviation of the project at completion from cost and schedule targets. When a project deviates significantly from the baseline, updated risk identification and analysis should be performed. 4. Technical performance measurement. Technical performance measurement compares technical accomplishments during project execution to the project plans schedule of technical achievement. Deviation, such as not demonstrating functionality as planned at a milestone, can imply a risk to achieving the projects scope. 5. Additional risk response planning. If a risk emerges that was not anticipated in the risk response plan, or its impact on objectives is greater than expected, the planned response may not be adequate. It will be necessary to perform additional response planning to control the risk. II.4.3. OUTPUTS FROM RISK MONITORING AND CONTROL 1. Workaround plans. Workarounds are unplanned responses to emerging risks that were previously unidentified or accepted. Workarounds must be properly documented and incorporated into the project plan and risk response plan. Corrective action. Corrective action consists of performing the contingency plan or workaround. 2. Project change requests. Implementing contingency plans or workarounds frequently results in a requirement to change the project plan to respond to risks. The result is issuance of a change request that is managed by integrated change control. 3. Updates to the risk response plan. Risks may occur or not. Risks that do occur should be documented and evaluated. Implementation of risk controls may reduce the impact or probability of identified risks. Risk rankings must be reassessed so that new, important risks may be properly controlled. Risks that do not occur should be documented and closed in the risk response plan. Risk database. A repository that provides for collection, maintenance, and analysis of data gathered and used in the risk management processes. Use of this database will assist risk management throughout the organization and, over time, form the basis of a risk lessons learned program. 4. Updates to risk identification checklists. Checklists updated from experience will No matter how rigorous, thorough, and diligent the initial risk planning activities, it is the ongoing risk management activities that ultimately put the plans in motion and produce the results. The continuous risk management activities fall into three categories: ongoing risk planning, performance of specific risk response plans, and reporting risk status to management. This part of the study explores each of these activities in detail. Ongoing Risk Planning help risk management of future projects.

Our risk plan is based on the best information available when the project began. As the project is performed, new information emerges, some favorable and some unfavorable. From a risk management perspective, we want to know how that affects our known risks and whether any new risks emerge. Therefore, the project team should schedule the following activities on a regular basis: Monitor known risks. Each known risk has a probability and expected time frame. Since there is a person responsible for each risk, we can ask that person to stay aware of the factors affecting the probability of the risk, particularly as the time frame for the risk event nears. Each risk in the risk log can simply be updated before every project status meeting to reflect the most recent information, even if that means no change. Check for new risks at regular status meetings. Add a standing item to the project team meeting to ask for new risks. This activity wont have the same level of thoroughness that the first risk identification activities had, but by routinely asking for new risks the project develops a climate of risk awareness. When team members do sense a risk theyll know where to report it. Repeat the major risk identification activities at preplanned milestones within the project. These can be temporal, such as every six to nine weeks, or at the beginning of a new phase. The key is that these are planned in advance and that they are actually performed, otherwise it isnt likely to happen. If there is reluctance on the part of project team members to repeat these activities during the project, remember that investing in risk identification is the ounce of prevention. During these activities you will look for new risks and revisit the list of low-priority risks that were previously identified to see if their probability or impact has risen. When new risks are identified, prepare response plans and check whether Perform Risk Response Plans It almost goes without saying that you have to implement the risk response strategy, but there are a few guidelines worth noting: Whether the response was mitigation, monitoring, transfer, or avoidance, it resulted in some specific tasks that can be tied to the work breakdown structure and/or project schedule. By tying the response plan into the project schedule, you increase the likelihood the plan will be executed. When a risk event occurs, invoke the contingency plan. Make sure that the Some risks dont materialize. When that happens, retire them from the risk log but additional costs associated with reacting to the risk are drawn from the contingency reserve. be sure to record why they didnt materialize, was it good luck or good risk management? sufficient contingency or management reserve exists.

Reporting Risk Status Involving management in the project is always a good idea33. The more they know about the project, the better able they are to support the project team. So add some risk management information to your regular status report or produce a risk summary report with the following information: Near-term risks. The team will confront these in the next two reporting periods. By including these, the project manager ensures his or her management wont be caught off guard if one of these risks occur. Risks needing executive action. If management has the capability to reduce the The current contingency and management reserve amounts. If the project is using probability or impact of a risk, make sure that is clearly communicated. more or less contingency or management reserve than planned, management may want to either increase the reserves or take some of that reserve and allocate it to other uses. Recently retired or experienced risks. Management will want to know what happened to the risks that were near term on the last few reports. Continuous risk management is essentially the practice of repeating the major risk management processes throughout the life of the project. Through constant vigilance we continuously find problems before they find us. Modern day project managers and the executives of project-driven organizations must confront risk as a reality of the project environment; yet they mustnt let risks deter them from our goal. Systematic assessment of possible problems and reasoned responses are common sense and the epitome of proactive, success-oriented leadership.

33

Verzuh, Eric, MBA in Project Management, Published by John Wiley & Sons, Inc., New Jersey, 2003, p. 205.