Chapter 11

Risk management has more processes than many other aspects of project management. What are the six major processes involved in risk management?

1. Planning risk management 2. Identifying risks 3. Performing qualitative risk analysis 4. Performing quantitative risk analysis 5. Planning risk responses 6. Implementing risk responses 7. Monitoring risk

Suggestions for identifying risks

Brainstorming, Delphi technique, interviewing, root cause analysis

Management reserves

are funds held for unknown risks that are used for management control purposes. They are not part of the cost baseline, as discussed in Chapter 7, but they are part of the project budget and funding requirements. If the management reserves are used for unforeseen work, they are added to the cost baseline after the change is approved.

Contingency reserves

are funds included inthe cost baseline that can be used to mitigate cost or schedule overrunsif known risks occur. For example, if a project appears to be off course because the staff is not experienced with a new technology and the team had identified that as a risk, the contingency reserves could be used to hire an outside consultant to train and advise the project staff in using the new technology.

risk management plan

documents the procedures for managing risk throughout the project. Project teams should hold several planning meetings early in the project's life cycle to help develop the risk management plan.

risk-seeking

have a higher tolerance for risk, and their satisfaction increases when more payoff is at stake. A risk-seeking person or organization prefers outcomes that are more uncertain and is often willing to pay a penalty to take risks.

What is the primary goal of qualitative risk analysis?

involves assessing the likelihood and impact of identified risks to determine their magnitude and priority. This section describes how to use a probability/ impact matrix to produce a prioritized list of risks. It also provides examples of using the Top Ten Risk Item Tracking technique to produce an overall ranking for project risks and to track trends in qualitative risk analysis. Finally, this section discusses the importance of expert judgment in performing risk analysis.

Planning risk management

involves deciding how to approach and plan risk management activities for the project. The main output of this process is a risk management plan.

Identifying risks

involves determining which risks are likely to affect a project and documenting the characteristics of each. The main outputs of this process are a risk register, risk report, and project documents updates.

Monitoring risk

involves monitoring identified and residual risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies throughout the life of the project. The main outputs of this process include work performance information, change requests, and updates to the project management plan, project documents, and organizational process assets.

Performing quantitative risk analysis

involves numerically estimating the effects of risks on project objectives. The main outputs of this process are project documents updates.

Performing qualitative risk analysis

involves prioritizing risks based on their probability of occurrence and impact. After identifying risks, project teams can use various tools and techniques to rank risks and update information in the risk register. The main outputs are project documents updates.

Planning risk responses

involves taking steps to enhance opportunities and reduce threats to meeting project objectives. Using outputs from the preced- ing risk management processes, project teams can develop risk response strategies that often result in change requests, updates to the project man- agement plan and project documents.

What types of information is documented in a risk register?

is a document that contains results of various risk management processes; it is often displayed in a table or spreadsheet format. A risk register is a tool for documenting potential risk events and related information.

Interviewing

is a fact-finding technique for collecting information in face-to-face, phone, e-mail, or virtual discussions. Interviewing people with similar project experience is an important tool for identifying potential risks.

Brainstorming

is a technique by which a group attempts to generate ideas or find a solution for a specific problem by amassing ideas spontaneously and without judgment. This approach can help the group create a comprehensive list of risks to address later during qualitative and quantitative risk analysis.

risk breakdown structure

is a useful tool to help project managers consider potential risks in different categories. hierarchy of potential risk categories for a project. Figure 11-4 shows a sample risk breakdown structure that might apply to many IT projects. The highest-level categories are business, technical, organizational, and project management. Competitors, suppliers, and cash flow are categories that fall under business risks. Under technical risks are the categories of hardware, software, and network.

Identifying risks

is the process of understanding what potential events might hurt or enhance a particular project. It is important to identify potential risks early, but you must also continue to identify risks based on the changing project environment. Another consideration for identifying risks is the likelihood of advanced discovery, which is often viewed at a program level rather than a project level. The Department of Defense (DOD) Risk, Issue, and Opportunity Management Guide addresses this concept and emphasizes the need to establish high-level indicators for an entire program.

Delphi Technique

is to derive a consensus among a panel of experts who make predictions about future developments. is a systematic, interactive forecasting procedure based on independent and anonymous input regarding future events. The Delphi technique uses repeated rounds of questioning and written responses, including feedback to responses in earlier rounds, to take advantage of group input while avoiding the possible biasing effects of oral panel deliberations.

Implementing risk responses

just as it sounds, involves implementing the risk response plans. Outputs include change requests and project documents updates.

Risk acceptance

or accepting the consequences if a risk occurs. For example, a project team planning a big project review meeting could take an active approach to risk by having a contingency or backup plan and contingency reserves if the team cannot get approval for a specific meeting site. On the other hand, the team could take a passive approach and accept whatever facility the organization provides.

Risk avoidance

or eliminating a specific threat, usually by eliminating its causes. Of course, not all risks can be eliminated, but specific risk events can be. For example, a project team may decide to continue using a specific piece of hardware or software on a project because the team knows it works.

Risk escalation

or notifying a higher level authority. If the risk is outside of the scope of the project or the proposed response is outside of the project manager's authority, it would make sense to escalate the risk to a higher-level manager within the organization.

Risk mitigation

or reducing the impact of a risk event by reducing the probability of its occurrence. Suggestions for reducing common sources of risk on IT projects were provided at the beginning of this chapter. Other examples of risk mitigation include using proven technology, having competent project personnel,

Risk transference

or shifting the consequence of a risk and responsibility for its management to a third party. For example, risk transference is often used in dealing with financial risk exposure. A project team may purchase special insurance or warranty protection for specific hardware needed for a project.

risk-neutral

person or organization achieves a balance between risk and payoff. might perform a series of analyses to evaluate possible purchase decisions. This type of organization evaluates decisions using a number of factors—risk is just one of them.

risk-averse

person or organization. In other words, when more payoff or money is at stake, a person or organization that is risk-averse gains less satisfaction from the risk, or has lower tolerance for the risk. might not purchase hardware from a vendor who has not been in business for a specified period of time.

project risk

therefore, is an uncertainty that can have a negative or positive effect on meeting project objectives. Managing negative risks involves a number of possible actions that project managers can take to avoid, lessen, change, or accept the potential effects of risks on their projects. Positive risk management is like investing in opportunities. It is important to note that risk management is an investment—costs are associated with it.

What types of analysis can be performed by Monte Carlo analysis? For which types of projects would you consider using Monte Carlo analysis?

Most simulations are based on some form of Monte Carlo analysis. simulates a model's outcome many times to provide a statistical distribution of the calculated results. For example, Monte Carlo analysis can determine that a project will finish by a certain date only 10 percent of the time, and determine another date for which the project will finish 50 percent of the time. Collect the most likely, optimistic, and pessimistic estimates for the variables in the model. Determine the probability distribution of each variable. What is the likelihood of a variable falling between the optimistic and most likely estimates? For each variable, such as the time estimate for a task, select a random value based on the probability distribution for the occurrence of the variable. MOREEEE

What are the five basic response strategies for negative risks?

Risk avoidance Risk acceptance Risk transference Risk mitigation Risk escalation

How does risk utility relate to risk management?

Risk utility is the amount of satisfaction or pleasure received from a potential payoff.