- Risk identification, management and response strategy impacts every area of the project management life cycle
- Everyone is responsible for identifying risks
- Risk has one or more causes and has one or more impacts
- Risk = uncertainty; risk management: increase the probability of project success by minimizing/eliminating negative risks (threats) and increasing positive events (opportunities)
- Risk attitudes (EEF): risk appetite (willingness to take risks for rewards), tolerance for risk (risk tolerant or risk averse), risk threshold (level beyond which the org refuses to tolerate risks and may change its response)
- Pure (insurable) risk vs business risk (can be +ve or -ve)
- Known risks that cannot be dealt with proactively (active acceptance) should be assigned a contingency reserve or if the known risks cannot be analyzed, just wait for its happening and implement workaround (passive acceptance)
| Knowledge Area | Process | Input | Tools | Output |
| Risk Management | Plan Risk Management | Project Management Plan | Analytical Techniques | Risk Management Plan |
| Project Charter | ||||
| Stakeholder Register | Expert Judgment | |||
| Enterprise Environment Factors | ||||
| Organization Process Assets | Meetings | |||
| Identify Risks | Risk Management Plan | Documentation Reviews | Risk Register | |
| Cost Management Plan | ||||
| Schedule Management Plan | Information Gathering Techniques | |||
| Quality Management Plan | ||||
| HR Management Plan | Checklist Analysis | |||
| Scope Baseline | ||||
| Activity Cost Estimates | Assumptions Analysis | |||
| Activity Duration Estimates | ||||
| Stakeholder Register | Diagramming Techniques | |||
| Project Documents | SWOT Analysis | |||
| Procurement Documents | ||||
| Enterprise Environment Factors | Expert Judgment | |||
| Organization Process Assets | ||||
| Perform Qualitative Risk Analysis | Risk Management Plan | Risk Probability and Impact Assessment | Project Documents Updates | |
| Scope Statement | Probability and Impact Matrix | |||
| Risk Register | Risk Data Quality Assessment | |||
| Enterprise Environment Factors | Risk Categorization | |||
| Organization Process Assets | Risk Urgency Assessment | |||
| Expert Judgement | ||||
| Perform Quantitative Risk Analysis | Risk Management Plan | Data Gathering and Representation Techniques | Project Documents Updates | |
| Cost Management Plan | ||||
| Schedule Management Plan | Quantitative Risk | |||
| Risk Register | ||||
| Enterprise Environment Factors | Analysis and Modeling Techniques | |||
| Organization Process Assets | Expert Judgment | |||
| Plan Risk Responses | Risk Management Plan | Strategies for Negative Risk (Threats) | PM Plan Updates | |
| Strategies for Positive Risk (Opportunities) | ||||
| Risk Register | Contingent Response Strategies | Project Documents Updates | ||
| Expert Judgment | ||||
| Control Risks | PM Plan | RiskReassessment | Work Performance Info | |
| Risk Audits | Change Requests | |||
| Risk Register | Variance and Trend Analysis | PM Plan Update | ||
| Work Performance Data | Technical Performance Measurement | Project Document Updates | ||
| Work PerformanceReports | Reserve Analysis Meetings | OPA Updates |
Plan Risk Management
- define and provide resources and time to perform risk management, including: methodology, roles and responsibilities, budget, timing (when and how often), risk categories (e.g. RBS), definitions, stakeholder tolerances (a EEF), reporting and tracking
- performed at project initiation and early in the Planning process
- failure to address risks early on can ultimately be more costly
- analytical techniques include stakeholder risk profile analysis, strategic risk scoring sheets
- a risk breakdown structure (RBS) (included in the PM Plan) – risks grouped by categories and occurring areas
- key risk categories: scope creep, inherent schedule flaws, employee turnover, specification breakdown (conflicts in deliverable specifications), poor productivity
Identify Risks
- determine all risks affecting the project
- information-gathering techniques: brainstorming, delphi technique [a panel of independent experts, maintain anonymity, use questionnaire, encourage open critique],root cause analysis [performed after an event to gain understanding to prevent similar events from occurring], expert interviewing, SWOT analysis
- root cause analysis: safety-based (prevent accidents), production-based, process-based (include business process), failure-based, systems-based (all above)
- root cause analysis tools: FMEA, Pareto Analysis, Bayesian Inference (conditional probability), Ishikawa Diagrams, Kepner-Tregoe
- Monte Carlo analysis can identify points of schedule risks
- Influence Diagram – graphical representations of situations showing causal influences, time ordering of events, and other relationships among variables and outcomes.
- Risk Register (typically not including the risk reserve)
- The Risk Register may include a risk statement
- any risk with a probability of >70% is an issue (to be dealt with proactively and recorded in the issue log)
Perform Qualitative Risk Analysis
- prioritizing risks for further analysis/action and identify high priority risks
- need to identify bias and correct it (e.g. risk attitude of the stakeholders)
- qualitative risk assessment matrix (format described in the Risk Management Plan)
- update to risk register and other related documents
- risk register update are output of Perform Qualitative Risk Analysis, Perform Quantitative Analysis, Plan Risk Responses and Monitor & Control Risks
- the scope baseline is used to understand whether the project is a recurrent type or a state-of-the-art type (more risks)
- risks requiring near-term responses are more urgent to address
Perform Quantitative Risk Analysis
- the cost, schedule and risk management plan contains guidelines on establishing and managing risks
- involves mathematical modeling for forecasts and trend analysis
- data gathering and representation techniques: interviewing, probability distributions [normal distribution (bell shaped curve)],
- sensitivity analysis (using the tornado diagram as presentation) for determining the risks that have the most impact on the project
- Failure Modes Effects Analysis (FMEA)
- FMEA for manufactured product or where risk may be undetectable, Risk Priority Number (RPN) = severity (1-10) x occurrence ([0.07%] 1-10 [20%]) X detectability (1-10 [undetectable]), also a non-proprietary approach for risk management
- Expected Value / Expected Monetary Value (EMV), probability x impact (cost/effort lost), opportunities (+ve values), threats (-ve values)
- Monte Carlo Analysis – by running simulations many times over in order to calculate those same probabilities heuristically just like actually playing and recording your results in a real casino situation, ‘S’ curve (cumulative distribution) will result, may use PERT/triangular distribution to model data, may use thousands of data points (a random variable), for budget/schedule analysis
- Decision Tree Analysis – another form of EMV, branching: decision squares (decision branch – options), circles (uncertainty branch – possible outcomes)
Plan Risk Responses
- plan response to enhance opportunities and reduce threats
- each risk is owned by a responsible person
- the watch list is the list of low priority risks items in the risk register
- a fallback plan will be used if 1) risk response not effective, 2) accepted risk occurs
- risk strategies: 1) prevent risk, 2) response to risk, 3) reduce risk, 4) promote opportunities, 5) fallback if risk response fails
- negative risk strategies: eliminate/avoid (not to use, extend the schedule), transfer (outsource, warranty, insurance), mitigate (reduce the risk by more testing/precautionary actions/redundancy), accept (passive – do nothing or active – contingency)
- positive risk strategies: exploit (ensure opportunity by using internal resources e.g. reduce cost/use of top talents/new tech), share (contractor with specialized skills, joint venture), enhance (increase likelihood / impact e.g. fast-tracking, add resources etc.), accept
- passive risk acceptance to be dealt with when the risk occurs
- Contingency Plan (contingent response strategies) (plan A) are developed for specific risk (when you have accepted a risk) with certain triggers vs Fallback Plan (plan B)
- Residual Risks – risks remains after the risk response strategy was implemented, may be identified in the planning process (may subject to contingency/fallback planning) They don’t need any further analysis because you have already planned the most complete response strategy you know in dealing with the risk that came before them.
- Secondary Risks – risk arises when the risk response strategy was implemented
- Contingency Reserve: known unknowns (determined risk), part of cost baseline
- Management Reserve: unknown unknowns (discovery risk), part of project budget
- The Risk Register is now completed with: risks and descriptions, triggers, response strategy, persons responsible, results from qualitative and quantitative analysis, residual and secondary risks, contingency and fallback, risk budget/time
Control Risks
- when the above risk planning processes have been performed with due diligence, the project is said to have a low risk profile
- to check if assumptions are still valid, procedures are being followed and any deviance
- to identify new risks and evaluate effectiveness of risk response plan
- any need to adjust contingency and management reserves
- to re-assess the individual risk response strategies to see if they are effective
- risk audits deal with effectiveness of risk response and the risk management process
- risk audits are usually performed by experts outside project team for the whole risk management process
- reserve analysis and fund for contingencies apply only to the specific risks on the project for which they were set aside
- workaround: when no contingency plan exists, executed on-the-fly to addressunplanned events – still need to pass through normal change control if change requests are needed
Determine the workaround is performed in control risks
