Project Risk Management
§ Project Risk Management covers risk identification, management and response strategy; it impacts every area of the project management lifecycle
§ risk = uncertainty
§ risk management = increase the probability of project success by minimizing/eliminating negative risks (threats) and increasing positive events (opportunities)
§ everyone is responsible for identifying risks for the project
§ risk has one or more causes and has one or more impacts
§ risk attitudes (EEF): risk appetite (willingness to take risks for rewards), tolerance for risk (risk tolerant or risk-averse), risk threshold (level beyond which the organization refuses to tolerate risks and may change its response)
§ pure (insurable) risk vs business risk (can be +ve or -ve)
§ known risks that cannot be dealt with proactively (active acceptance) should be assigned a contingency reserve; if the known risks cannot be analyzed, just wait for them to happen and implement the workaround (which is considered passive acceptance)
Plan Risk Management
§ Inputs: Project Charter, Project Management Plan, Project Documents, EEF, OPA
§ Tools & Techniques: Expert Judgement, Data Analysis, Meetings
§ Outputs: Risk Management Plan
§ The Plan Risk Management process is involved in defining and providing resources and time to perform risk management.
§ including methodology, roles and responsibilities, budget, timing (when and how often), risk categories (e.g. risk breakdown structure RBS), definitions, stakeholder tolerances (an EEF), reporting and tracking
§ performed at project initiation and early in the Planning process
§ failure to address risks early on can ultimately be more costly later on in the project
§ Data Analysis techniques include stakeholder risk profile analysis (using the stakeholder register), strategic risk scoring sheets, etc.
§ a risk breakdown structure (RBS) (included in the PM Plan) – risks grouped by categories and occurring areas
§ key risk categories:
§ scope creep
§ inherent schedule flaws
§ employee turnover
§ specification breakdown (conflicts in deliverable specifications)
§ poor productivity
Identify Risks
§ Inputs: Project Management Plan, Project Documents, Agreements, Procurement Documentation, EEF, OPA
§ Tools & Techniques: Expert Judgement, Data Gathering, Data Analysis, Interpersonal and Team Skills, Prompt Lists, Meetings
§ Outputs: Risk Register, Risk Report, Project Document Updates
§ to find out and document all risks affecting the project from all aspects of the project, including:
§ agreements/contracts within/outside of the organization
§ procurements
§ requirements, schedule, cost, resource, quality, scope, etc. from the project management plan
§ Data Gathering Techniques: brainstorming, checklists, interviews, Delphi technique [a panel of independent experts, maintain anonymity, use questionnaire, encourage open critique]
§ Data Analysis Techniques:
§ root cause analysis [performed after an event to gain understanding to prevent similar events from occurring], SWOT analysis, assumption and constraint analysis
§ root cause analysis: safety-based (prevent accidents), production-based, process-based (include business process), failure-based, systems-based (all above)
§ root cause analysis tools: FMEA, Pareto Analysis, Bayesian Inference (conditional probability), Ishikawa Diagrams, Kepner-Tregoe
§ Monte Carlo analysis can identify points of schedule risks
§ Prompt List
§ The prompt list (newly added in PMBOK® Guide 6th Edition) is a predetermined list of risk categories, at the lowest level of the risk breakdown structure, that is used to assist in identifying the risks of the project
§ examples of prompt lists:
§ PESTLE (political, economic, social, technological, legal, environmental)
§ TECOP (technical, environmental, commercial, operations, political)
§ VUCA (volatility, uncertainty, complexity, ambiguity)
§ Risk Register (typically not including the risk reserve)
§ The Risk Register may include a risk statement
§ any risk with a probability of >70% is an issue (to be dealt with proactively and recorded in the issue log)
§ The Risk Report (new in PMBOK® Guide 6th Edition) is a document used to present information (e.g. no. of identified threats and opportunities, distribution of risks across risk categories, metrics and trends) on overall project risk. It also includes summary information on individual project risks.
Perform Qualitative Risk Analysis
§ Inputs: Project Management Plan, Project Documents, Agreements, Procurement Documentation, EEF, OPA
§ Tools & Techniques: Expert Judgement, Data Gathering, Data Analysis, Interpersonal and Team Skills, Risk Categorization, Data Representation, Meetings
§ Outputs: Project Document Updates (e.g. Risk Register)
§ prioritizes risks for further analysis/action and identifies high-priority risks
§ risks requiring near-term responses are more urgent to address
§ need to identify bias and correct it (e.g. risk attitude of the stakeholders)
§ Data Analysis Techniques include:
§ Risk data quality assessment
§ Risk probability and impact assessment
§ Assessment of other risk parameters (e.g. urgency, proximity, dormancy, manageability, controllability, detectability, connectivity, strategic impact, propinquity)
§ Data Representation Tools:
§ qualitative risk assessment matrix (format described in the Risk Management Plan)
§ hierarchical-type charts
§ the risk register is updated during the following processes: Perform Qualitative Risk Analysis, Perform Quantitative Analysis, Plan Risk Responses and Monitor & Control Risks
Perform Quantitative Risk Analysis
§ Inputs: Project Management Plan, Project Documents, Agreements, Procurement Documentation, EEF, OPA
§ Tools & Techniques: Expert Judgement, Data Gathering, Interpersonal and Team Skills, Representation of Uncertainty, Data Analysis
§ Outputs: Project Document Updates
§ the cost, schedule and risk management plans contain guidelines on how to quantitatively analyze risks
§ involves mathematical modelling for forecasts and trend analysis
§ Representation of Uncertainty (probability distribution) reflects the risks as a probability distribution, which can be in the following distribution types:
§ Triangular
§ Normal (bell-shaped curve)
§ Lognormal
§ Beta
§ Uniform
§ Discrete
§ Data Analysis Techniques:
§ sensitivity analysis (using the tornado diagram as presentation) for determining the risks that have the most impact on the project
§ Failure Modes Effects Analysis (FMEA)
§ FMEA is used for manufactured products or where risk may be undetectable; Risk Priority Number (RPN) = severity (1-10) x occurrence (1 [0.07%] to 10 [20%]) x detectability (1 to 10 [undetectable]); also a non-proprietary approach for risk management
§ Expected Value / Expected Monetary Value (EMV), probability x impact (cost/effort lost), opportunities (+ve values), threats (-ve values)
§ Simulations/Monte Carlo Analysis – runs the simulation many times over in order to calculate those same probabilities heuristically, just like actually playing and recording your results in a real casino situation; an ‘S’ curve (cumulative distribution) will result; may use PERT/triangular distribution to model data; may use thousands of data points (a random variable); used for budget/schedule analysis
§ Decision Tree Analysis – another form of EMV, branching: decision squares (decision branch – options), circles (uncertainty branch – possible outcomes)
§ Influence Diagram – graphical representations of situations showing causal influences, time ordering of events, and other relationships among variables and outcomes
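An added example (not part of the original notes) of the EMV and Monte Carlo techniques listed above: risk events are scored as probability x impact, and work-package costs are sampled from triangular distributions to build the cumulative ‘S’ curve. All estimates, risk events and function names are constructed for illustration.

```python
import random

# Constructed sample data: cost per work package as
# (optimistic, most likely, pessimistic), in thousands.
ESTIMATES = [(40, 50, 80), (20, 30, 45), (10, 12, 25)]
# Constructed risk events as (probability, impact):
# threats carry negative impact, opportunities positive.
RISK_EVENTS = [(0.30, -20), (0.10, -50), (0.25, 16)]


def emv(events):
    """Expected monetary value: sum of probability x impact."""
    return sum(p * impact for p, impact in events)


def simulate_total_cost(estimates, events, runs=20000, seed=1):
    """Monte Carlo run: returns one total cost per iteration, sorted
    ascending, which is the data behind the cumulative 'S' curve."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    totals = []
    for _ in range(runs):
        # random.triangular takes (low, high, mode)
        cost = sum(rng.triangular(lo, hi, mode) for lo, mode, hi in estimates)
        for p, impact in events:
            if rng.random() < p:
                # a threat (negative impact) raises cost,
                # an opportunity (positive impact) lowers it
                cost -= impact
        totals.append(cost)
    return sorted(totals)


def percentile(sorted_totals, q):
    """Cost not exceeded in a fraction q of the runs (a point on the S curve)."""
    idx = min(len(sorted_totals) - 1, int(q * len(sorted_totals)))
    return sorted_totals[idx]


if __name__ == "__main__":
    totals = simulate_total_cost(ESTIMATES, RISK_EVENTS)
    print("EMV of risk events:", emv(RISK_EVENTS))
    for q in (0.50, 0.80, 0.95):
        print(f"P{int(q * 100)} total cost: {percentile(totals, q):.1f}")
```

The gap between the most-likely total and a high percentile of the curve shows how much uncertainty the single-point estimate hides.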
Plan Risk Responses
§ Inputs: Project Management Plan, Project Documents, Agreements, Procurement Documentation, EEF, OPA
§ Tools & Techniques: Expert Judgement, Data Gathering, Interpersonal and Team Skills, Strategies for Threats, Strategies for Opportunities, Contingent Response Strategies, Strategies for Overall Project Risks, Data Analysis, Decision Making
§ Outputs: Change Requests, Project Management Plan Updates, Project Document Updates
§ plan response to enhance opportunities and reduce threats
§ each risk is owned by a responsible person
§ the watch list is the list of low-priority risk items in the risk register
§ Negative Risk Strategies:
§ eliminate/avoid (not to use, extend the schedule)
§ transfer (outsource, warranty, insurance)
§ mitigate (reduce the risk by more testing/precautionary actions/redundancy)
§ accept (passive – do nothing or active – contingency)
§ escalate (escalate a risk to the appropriate party; it can then be deleted from the risk register or retained in the risk register with a remark)
§ Positive Risk Strategies:
§ exploit (ensure opportunity by using internal resources e.g. reduce cost/use of top talents/new tech)
§ share (contractor with specialized skills, joint venture)
§ enhance (increase likelihood / impact e.g. fast-tracking, add resources etc.)
§ accept
§ passive risk acceptance to be dealt with when the risk occurs
§ Strategies for Overall Project Risk
§ the PM needs to address the overall project risks with one of the following strategies:
§ Avoid
§ Exploit
§ Mitigate/Enhance
§ Accept
§ Contingency Plans (contingent response strategies) (plan A) are developed for a specific risk (when you have accepted the risk) with certain triggers vs Fallback Plan (plan B)
§ Residual Risks – risks that remain after the risk response strategy was implemented; may be identified in the planning process (may be subject to contingency/fallback planning). They don’t need any further analysis because you have already planned the complete response strategy you know for dealing with the risk that came before them.
§ Secondary Risks – risks that arise when the risk response strategy was implemented
§ Reserve Types
§ The Risk Register is now completed with: risks and descriptions, triggers, response strategy, persons responsible, results from qualitative and quantitative analysis, residual and secondary risks, contingency and fallback, risk budget/time
Implement Risk Responses (new in PMBOK® Guide 6th Edition)
§ Inputs: Project Management Plan, Project Documents, OPA
§ Tools & Techniques: Expert Judgement, Interpersonal and Team Skills, Project Management Information System
§ Outputs: Change Requests, Project Document Updates
§ in the Executing process group
§ implementing risk responses is the responsibility of the risk owners
§ to ensure that agreed-upon risk responses (from the Plan Risk Responses process) are executed as planned to:
§ address overall project risk exposure
§ minimize individual project threats
§ maximize individual project opportunities
§ the Project Management Information System provides the information to allow agreed-upon risk response plans and associated activities to be executed alongside other project activities
Control Risks
§ Inputs: Project Management Plan, Project Documents, Agreements, Work Performance Data, Work Performance Reports
§ Tools & Techniques: Data Analysis, Audits, Meetings
§ Outputs: Work Performance Information, Change Requests, Project Management Plan Updates, Project Document Updates, OPA Updates
§ when all the above risk planning processes have been performed with due diligence, the project is said to have a low-risk profile
§ responsibilities include:
§ to check if assumptions are still valid, procedures are being followed and whether there is any deviance
§ to identify new risks and evaluate effectiveness of risk response plan
§ any need to adjust contingency and management reserves
§ to re-assess the individual risk response strategies to see if they are effective
§ risk audits deal with the effectiveness of risk response and the risk management process
§ risk audits are usually performed by experts outside the project team for the whole risk management process
§ Data Analysis Techniques:
§ reserve analysis – reserves apply only to the specific risks of the project for which they were set aside
§ technical performance analysis
§ workaround: when no contingency plan exists, executed on-the-fly to address unplanned events – still need to pass through normal change control if change requests are needed
§ determining the workaround is performed in Control Risks