Project Risk Management

Compiled by
Muhammad Aleem Habib
June 25, 2013
Information derived from PMBOK & Rita Mulcahy

What is Project Risk Management?

Project risk management is actively
managing the risks on your project
The goal of risk management is to be
more proactive and less reactive

Why Risk Management

A project managers work should not focus
on dealing with problems; it should focus
on preventing them.
How would it feel to say, No problem; we
anticipated this, and we have a plan in
place that will resolve it.
Performing risk management helps
prevent many problems and helps make
other problems less likely

What is a Risk?
A risk is an uncertain event that could have a positive or
negative effect on your project
* This means there is a probability between 1-99% that
the event could occur
If there is a 0% chance of an event occurring, there is no
risk
(example; there is a 0% chance your project will be
adequately funded, this is not a risk, it is a reality).

What is a Risk?
If there is a 100% chance of an event occurring, this
would be an issue, not a risk
Risks with negative consequences are called threats
Risks with positive consequences are called
opportunities (Yes, risk can be good! Stop thinking of risk
as bad, and start thinking of it in terms of probabilities!)

Risk Event Graph

Types of Risk
Risks can be broken out into two primary types
1. Pure Risk (hazard) risk with potential loss only
ex. Fire, theft, personal injury

2. Business Risk (speculative risk) risk with

potential loss or gain
ex. A highly skilled employee becomes available to
work on your project, reducing your schedule time,
the tax rate changes, a new server costs less (or
more) than you budgeted for!

Risk Management Process

Opportunities

Threats

Project Risk Management

Monitoring &
Controlling Processes
Planning
Processes

Enter phase/
Start project

Initiating
Processes

Closing
Processes

Exit phase/
End project

Executing
Processes

Process

Knowledge
Area

Risk

Initiating

Planning
Plan Risk Management
Identify Risk
Perform Qualitative Risk Analysis
Perform Quantitative Risk Analysis
Plan Risk Response

Executing

Monitoring & Contol

Monitor and Control Risks

Closing

5 Overall Project Management

Processes with Risk Management

Risk Management Processes

Risk Planning this is how you plan on conducting risk
management. You wouldnt start managing your project
without a plan, so why would you approach risk
management that way?
Identify Risks this is the phase where you attempt to
identify most of your risks
Qualitative analysis this is a subjective analysis of
your risks that produces a risk ranking, usually in the
order of high, medium, low, or on an ordinal scale.
Rankings are by agreement of your project team,
sponsors and key stakeholders

Risk Management Processes

Quantitative Analysis a numerical analysis of the
probability and impact of the risk on your project
Plan Risk Response a course of action you will take to
deal with your risks should they go from risk to issue
Monitor & Control Risks monitoring your lists (there
are two lists which I will discuss later) of risks to enact a
risk response plan, to move a risk from one list to the
other, or to remove a risk because it is no longer a risk.

Terms & concepts

Uncertainty:alackofknowledgeaboutaneventthatreduces
confidence
Risk averse:someonewhodoesnotwanttotakerisks.
Risk Prone Someonewhoiswillingtotakebigrisk
Risk tolerances:areaofriskthatareacceptable/
unacceptable.
Risk thresholds:thepointatwhichariskbecome
unacceptable
Risk Areas: ProjectConstraints(scope,time,cost,etc)

Risk Factors
1. The probability the risk will occur
2. The range of possible outcomes (impact)
3. When in the project lifecycle the risk is likely to occur
(the timing);
* once the expected timeframe of the risk has passed and it
is no longer a risk, it can be removed from the risk list
4.
How often the risk is expected to occur on the project
(frequency)

11.1 Plan Risk Management

The process of defining how to
conduct risk management activities
for a project
Important to provide sufficient
resources and time for risk
management activities, and to
establish an agreed upon basis for
evaluating risk.

Plan Risk Management DFD. Figure 11-3

Plan Risk Management

How much time should we spend?

Who will be involved?
How should we perform risk
management?

Plan Risk Management:

Tools & Techniques
Planning Meetings and Analysis
Project teams meet with stakeholders
High level plans for risk management are
define in these meetings

Plan Risk Management: Outputs

Methodology Defines the tools, approaches,
and data sources that may be used to perform
risk management on the project.
Budgeting A budget for project risk
management should be established and
included in the risk management plan.
Role & Responsibility Defines the lead,
support, and risk management team
membership for each type of action in the risk
management plan.

Plan Risk Management: Outputs

Timing Defines how often the risk management
activities will be performed throughout the
project life cycle.
Risk categories Documentation such as risk
breakdown structures (RBSes) or categories
from previous projects will help identify and
organize risks.
Definitions of risk Risks and their probabilities
are probability & impact defined for use in
Qualitative Risk Analysis using a scale of very
Unlikely to almost certain.

Risk Breakdown Structure

A risk breakdown structure (RBS)
organizes potential sources of risk to the
project.
Functioning much like a work breakdown
structure, an RBS arranges categories
into a hierarchy.
This approach allows the project team to
define risk at very detailed levels.

Risk Breakdown Structure for a Software

Development Project
Software Dev
Project

Business

Technical

Organizational

Project
Management

Competitors
Suppliers
Cash Flow

Hardware
Software
Network

Executive Support
User Support
Team Support

Estimates
Communication
Resources

RBS Example

Risk Profile
A risk profile is a list of questions that
address traditional areas of uncertainty on
a project.
These questions has been designed and
developed from the experience of past
projects.

Risk Profile Questions

ProbabilityImpactMatrix

No

Category

Resource

Schedule

IMPACT

PROBA
BILITY

RISK
LEVEL

Testingenvironmentnotavailable

ORANGE

Documentationapprovaltooklonger
time

RED

Description of Risk

Risk Management Plan(Contd.)

Stakeholder tolerances Stakeholders have a low risk
tolerance than impact is high. That information should be
taken into account to rank cost impacts higher than if the
low tolerance was in another area. Tolerances should not
be implied, but uncovered in project initiating and clarified
or refined continually.
Reporting Describes reports related to RM and how
they will be used and what they will include.
Tracking Auditing, documentation regarding RM

Q: An uncommon state of nature,

characterized by the absence of any
information related to a desired outcome ,
is a common definition for:
A. An act of God
B. An amount at stake
C. Uncertainty
D. Risk aversion

11.2 Identify Risks

This is the phase where you work with
your team to identify as many risks as
possible.

Identify Risks: Things to remember

Identify Risks cant be completed without the project
scope statement and Work Breakdown Structure
(WBS)
Identify Risks happens at the onset of the project
and throughout the project
Risks can be identified at any time and during any
phase of the project
Risk management is an iterative process, you
should work to identify risk during any changes to
the project, working with resources, and when
dealing with issues

Question ?
Who should be involved in Risk
Identification?

Identify Risk: Tools & Tech

Documentation Reviews including charter,
contracts, and planning documentation, can help
identify risks.
Those involved in risk identification might look at
this documentation, as well as lessons learned,
articles, and other documents, to help uncover
risks.

Identify Risk: tools & tech

Brainstorming: One idea generates another
Delphi technique: Expert participate
anonymously; facilitator use questionnaire;
consensus may be reached in a few rounds; Help
reduce bias in the data and prevent influence
each others.
Interviewing: interviewing experts, stakeholders,
experienced PM
Root cause analysis: Reorganizing the identified
risk by their root cause may help identify more
risks

Identify Risk: Tools & Tech

Checklist analysis: checklist developed based
on accumulated historical information from
previous similar project
Assumption analysis: identify risk from
inaccuracy, instability, inconsistency,
incompleteness.
SWOT analysis Strengths, Weaknesses,
Opportunities, Threats

Identify Risk: tools & tech

Influence diagrams
show the casual influences among project variables,
the timing or time ordering of events, and the
relationships among other project variables and their
outcomes.

Cause and Effect Diagrams

Flowcharts

Output: Risk Register

Output is initial entries into the risk
register. It includes:
List of risk
List of POTENTIAL responses
Root causes of risks
Updated risk categories

Risk Register Example

 Q: Risk tolerances are determined in order

to help:
A. The team rank the project risks
B. The project manager estimate the project
C. The team schedule the project
D. Management know how other managers
will act to the project

11.2 Perform Qualitative Risk Analysis

This is the phase where you rank the risks
youve identified from Identify Risks to come up
with a list of risks you will create plans for
dealing with

Perform Qualitative Risk Analysis

Things to remember
Perform Qualitative Risk Analysis is subjective
What is the probability of the risk occurring? High,
medium, low? 1-10?
What is the impact if the risk does occur? High,
medium, low? 1-10?

Tools and Techniques of Qualitative

Analysis
Probability & Impact Matrix a matrix that creates a
consistent evaluation of high, medium, or low for your
projects. This helps to make the risk rating process more
repeatable between projects.
Risk Data Quality Assessment What is the quality of
the data used to determine or assess the risk? Think
about the following

Extent of the understanding of the risk

Data available about the risk
Quality of the data
Reliability & Integrity of the data

Tools and Techniques of Qualitative

Analysis
Risk Categorization Which of your categories has
more risk than others? Which of your work packages
could be most affected by risk?
Risk Urgency Assessment Which of your risks could
occur soon, or require a longer planning time? Risk
urgency assessment helps move these risks more
quickly through the rest of the project management
process

Output: Risk Register Updates

Risk ranking for the project compared to other
projects
List of prioritized risks and their probability and
impact ratings
Risks grouped by categories
List of risks for additional analysis and
response
Watchlist (non-critical risks)
Trends

Perform Quantitative Risk Analysis

A numerical analysis of the probability and
impact of the risks with the highest risk rating
score determined from qualitative analysis
Is a numerical evaluation (more objective)
This process may be skipped.

Perform Quantitative Risk Analysis

Purpose of this process
Determine which risk events warrant a response.
Determine overall project risk (risk exposure).
Determine the quantified probability of meeting
project objectives.
Determine cost and schedule reserves.
Identify risks requiring the most attention.
Create realistic and achievable cost, schedule,
or scope targets.

Tools and Techniques of

Quantitative Analysis
EMV Expected Monetary Value What is the
probability of the risk occurring multiplied by the impact if
the risk does occur? If the risk occurs, what could the
financial or time loss be to your project?
In the example below, this project has an EMV of
($58,250), this means that you need to put aside
$58,250 in your risk reserve account for potential risks
Risk

Probability

Impact

EMV

20%

$ (100,000.00)

$(20,000.00)

90%

10,000.00

9,000.00

5%

30,000.00

1,500.00

65%

(75,000.00)
Total

$(48,750.00)
$(58,250.00)

Q: If a project has a 60% chance of a US $

100,000 profit and a 40% chance of a US $
100,000 loss, the expected monetary value
for the project is :
A. $ 100,000 profit
B. $ 60,000 loss
C. $ 20,000 profit
D. $ 40,000 loss

Tools and Techniques of

Quantitative Analysis
Decision Tree used for planning on individual
risks instead of planning for the whole project
Takes into account future events to make a decision
today
Can calculate the EMV in more complex situations
Involves mutual exclusivity

Airline A has a 90% chance to reach at time and Airline B has a

60% chance to reach at time. If you dont reach at time, it will
cost you 100,000. Use EMV to find which airline you should
choose?

Decision tree /EMV example

Airline A EMV: 10,000 + (10% * 100,000) = 20,000

Airline B EMV: 8000 + (40%*100,000) = 48,000

Tools and Techniques of

Quantitative Analysis
Monte Carlo Analysis A technique that uses
simulation to show the probability of completing your
project on time and within budget.
Determines the overall risk of the project, not the task
Determines the probability of completing the project on a specific
day and for a specific cost
Takes into account path convergence (places in the network
diagram where many paths converge into one activity)
Used to evaluate the impact to your schedule and budget
Due to the complicated mathematical computations used, Monte
Carlo analysis is usually done with a computer program
Creates a probability distribution triangular, normal, beta,
uniform or lognormal (learn these)

Sensitivity Analysis
To determine which risks have the most potential impact
to the project
Changing one or more elements/variables and set other
elements to its baseline then see the impact.
One typical display of sensitivity analysis is the tornado
diagram
Tornado diagram is useful in analyzing risk taking
scenarios.
They provide the positive and negative impact of each
risk on the project and let you decide to choose which
risk to take.

Sample Sensitivity Analysis

Outcome of Quantitative RA
Risk Register Updates
Prioritized list of quantified risks
Amount needed for contingency reserves for time and
cost
Confidence levels of completing the project on a certain
date for a certain amount of money
The probability of delivering the project objectives
Trends - risk management is an iterative process; as
you repeat the process you can track your overall project
risk and determine the trend (if you are decreasing or
increasing the level of risk on your project)

Outcome of Quantitative RA: Examples

What are the risks that are most likely to cause
trouble? To affect the critical path? That need the
most contingency reserve?
The project requires another 50,000 and two
months of time to accommodate the risks on the
project?
We are 95 percent confident that we can
complete this project on May 25th for $989,000
budget?
We only have a 75 percent chance of
completing the project within the $800,000
budget.

What are we going to do now

about each top risk?

Risk Response Planning

Eliminate the threats before they happen
Make sure opportunities happen
Decrease the probability and/or impact of
threats
Increase the probability and/or impact of
opportunities
For Residual Threats
Contingency Plans
Fallback Plans

Risk Response Strategies

Risk

Opportunities

Threats

Accept

Exploit

Avoid

Transfer

Enhance

Active

Share

Contingency
Plan

Passive

Fallback Plan

Workaround

Mitigate

STRATEGIES FOR NEGATIVE

RISKS OR THREATS

Avoidance
Risk prevention
Changing the plan to eliminate a risk by avoiding
the cause/source of risk
Protect project from impact of risk
Examples:

Change the supplier / engineer

Do it ourselves (do not subcontract)
Reduce scope to avoid high risk deliverables
Adopt a familiar technology or product

Mitigation
Seeks to reduce the impact or probability of the
risk event to an acceptable threshold
Be proactive: Take early actions to reduce
impact/probability and dont wait until the risk
hits your project
Examples:
Staging - More testing - Prototype
Redundancy planning
Use more qualified resources

Transfer
Shift responsibility of risk consequence to
another party
Does NOT eliminate risk
Most effective in dealing with financial exposure
Examples:
Buy/subcontract: move liabilities
Selecting type of Procurement contracts: Fixed Price
Insurance: liabilities + bonds + Warranties

STRATEGIES FOR POSTIVE

RISKS OR OPPORTUNITIES

Strategies for Opportunities

Exploit: Ensure opportunity is realized
Ex: Assigning organization most talented
resources to the project to reduce cost
lower than originally planned.
Enhance: Increase the probability and/or
the positive impact of the opportunity
Ex: Adding more resources to finish early

Strategies for Opportunities

Share: Allocating some or all of the
ownership to third part best able to capture
the opportunity
Ex: Joint ventures, special-purpose
companies

Acceptance
(Both for Threats & opportunities)
Active Acceptance
Develop a contingency plan to execute if the risk
occur
Contingency plan = be ready with Plan B
Fall back plan = plan C if B fails

Passive Acceptance
Deal with the risks as they occur = Workarounds
Usually for low ranked risks

Risk Response Matrix

Risk Event

Response

Contingency
Plan

Trigger

Who is
responsible

Interface
Problems

Mitigate: Test
Prototype

Workaround
until help
comes

Not solved within

24 hours

Asif

System
freezing

Mitigate: Test
Prototype

Reinstall OS

Still frozen after 1 Khalid

hour

User backlash

Mitigate:
Prototype
demonstration

Increase staff
support

Cell from top

management

Javed

Equipment
malfunction

Mitigate: Select Order

reliable vendor replacement
Transfer:
Warranty

Equipment fails

Aleem

Outputs of Risk Response Planning

Updates to Risk Register
Residual Risks risks that are left over after Plan Risk
Response
Contingency Plans plans of action in case the risk
does occur
Risk Response Owners the person on the team
responsible for monitoring the risk, risk triggers,
developing a response strategy, and implementing the
strategy should the risk occur
Secondary Risks new risks that result from the
implementation of the contingency plans for the primary
risks

Outputs of Risk Response Planning

Updates to Risk Register
Risk Triggers early warning signs that there is a high
probability the risk will occur
Fallback Plans a secondary contingency plan, in case
the contingency plan does not work or is not effective
Reserves
Contingency reserves - covers the cost for known unknowns
discovered during risk management; covers the residual risks.
The contingency reserve is calculated and made part of the
baseline.
Management reserves these are estimated and made part of
the project budget, not the baseline. Management approval is
needed to use the management reserve.

Outputs of Risk Response Planning

Project Management Plan Updates
Changes made due to risk management
will be changes made to the project and
should be updated in the project
management plan

Q: Replacing a doubtful supplier with an

expensive but reliable one is an example of:
A. Mitigation
B. Transference
C. Acceptance
D. Avoidance

Q: A Reserve is generally intended to be

used for:
A. Rework activities.
B. Compensate for inaccurate project cost
estimates.
C. Reducing the risk of missing the cost or
schedule objectives.
D. Compensate for inaccurate project
schedule estimates.

Some important points:

What do you do with non-critical risks?
Would you choose only one risk response
strategy?
What risk management activities are done
during execution of the project?
What is the most important item to be discussed
in project team meetings?
How would risk be addressed in project
meetings?

Some important points:

What do you do with non-critical risks?
Put them in a watch-list and revisit them periodically.

Would you choose only one risk response

strategy?
You may select a combination of strategies.
Response of one risk might address another risk as
well!

What risk management activities are done during

execution of the project?
Watch-out risks on watch-list and looking for new risks.

Some important points:

What is the most important item to be discussed
in project team meetings?
Off course, Risk!

How would risk be addressed in project

meetings?
Asking, what is the status of risks? Is their any new
risk? Is the rank of any risk goes up and down?

Monitor and Control Risk

The process of
implementing risk response plans
tracking identified risks
monitoring residual risks
identifying new risks and
evaluating risk process effectiveness
throughout the project risk audit.

Inputs to Monitor & Control Risk

Risk Management Plan

Risk Register
Approved Change Requests
Work performance information
Deliverable status
Schedule progress
Costs incurred

Performance reports

Monitor & Control Risk:

Tools
Workaround a response to a risk that has
occurred when no contingency plan exists.
Risk audit a team of experienced project team
members reviews the risk management process
and response strategies to see if youve
effectively identified the major risks on the
project and developed effective strategies for
dealing with them.

Monitor & Control Risk:

Tools
Risk Reassessment Risk management is
iterative, you should review the risks on your
project throughout the project to update their
qualitative and quantitative values.
Status meetings status meetings should be
used to identify new risks or changes to existing
risks. This is a great opportunity to discuss with
your team and stakeholders existing risks and
new risks.

Monitor & Control Risk:

Tools
Reserve analysis has the reserve kept up
with changes to the risk list? Does the reserve
still cover the costs of these risks should they
occur?
Closing of risks Risks are expected to
happen during a particular phase of the project.
When that phase has passed and the risk is no
longer probable, the risk should be removed
from the risk list and any reserve associated
should be freed up.

Outputs of Monitor & Control Risks

Updates to Risk Register
Outcomes of the risk reassessments and risk
audits
Closing of risks that are no longer applicable
Details of what happened when risks occurred
Lessons learned

Outputs of Monitor & Control Risks

Requested Changes
Recommended Corrective & Preventive
Actions
Updates to the Project Management Plan
Organizational Process Assets Updates

Practice Exam

Answers

Practice Exam

Answers

Practice Exam

Answers

Practice Exam

Answers

Practice Exam

Answers

Practice Exam

Answers