PMP 11. RISK MANAGEMENT
What are the two main types of non-event risks?
Variability risk and Ambiguity risk.
VUCA
Volatility, Uncertainty, Complexity, Ambiguity
Examples of Technical Performance
Weight, transaction times, number of delivered defects, storage capacity, etc.
When are Hierarchical Charts used?
When risks have been categorized using MORE THAN TWO PARAMETERS, the Probability & Impact Matrix can't be used and other graphical representations are required. BUBBLE CHART.
Risk Management Plan
A component of the project management plan that describes how risk management activities will be structured and performed.
Probability and Impact Matrix
A grid for mapping the probability of each risk occurrence and its impact on project objectives if that risk occurs.
Prompt Lists
A predetermined list of risk categories that might give rise to individual project risks and that could also act as sources of overall project risks.
Pure risk
A risk for which insurance can be purchased, thereby transferring the risk for financial benefit to the party accepting the risk.
Residual Risk
A risk that remains after risk responses have been implemented.
Project resilience
A term that describes an unknowable-unknowns risk; risk that can only be recognized after they have occurred.
Individual project risk
An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. (Risk IN project)
When are preliminary risk responses identified and recorded?
During the Identify Risks process (reviewed and confirmed as part of the Plan Risk Responses process).
What are the two levels of risk in projects?
Individual project risk and Overall project risk
Typical risk categories on an RBS include what?
Internal, external, technological, and organizational.
Risk Categorization
Organization by sources of risk (e.g., using the RBS), the area of the project affected (e.g., using the WBS), or other useful category (e.g., project phase) to determine the areas of the project most exposed to the effects of uncertainty.
When are the Risk Breakdown Structure and the Probabilities & Impact Matrix typically used?
RBS: used during Identify Risks process; P&IM: used during Perform Qualitative Risk Analysis process.
Risk Probability and Impact Assessment
Risk probability assessment considers the likelihood that a specific risk will occur. Risk impact assessment considers the potential effect on one or more project objectives such as schedule, cost, quality, or performance.
Plan Risk Management
The process of defining how to conduct risk management activities for a project.
Plan Risk Responses
The process of developing options, selecting strategies, and agreeing on actions to address overall project risk exposure, as well as to treat individual project risks.
Identify Risks
The process of identifying individual project risks as well as sources of overall project risk, and documenting their characteristics.
Implement Risk Responses
The process of implementing agreed-upon risk response plans.
Monitor Risks
The process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project.
Perform Quantitative Risk Analysis
The process of numerically analyzing the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives.
Perform Qualitative Risk Analysis
The process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics.
Avoid (Strategies for Overall Project Risk)
This involves taking focused action to reduce the negative effect of uncertainty on the project as a whole and bring the project back within the thresholds. (Remove high-risk elements of the scope) Worst case: Cancel the project.
T or F: Perform Qualitative Risk Analysis establishes the relative priorities of individual project risks for Plan Risk Responses?
True
What's another name for "Definitions for Probability and Impacts" table and where does it go?
"Threat Matrix" and it goes in the Risk Management Plan
How many impact levels are there typically for a more detailed risk approach?
5
How many impact levels are there typically for a simpler process/project?
3
In planning Project Risk Management, what should be taken into consideration?
All approved subsidiary management plans within the Project Management Plan should be taken into consideration in order to make the risk management plan consistent with them.
When is the Risk Management Plan developed?
As part of the project kick-off meeting or a specific planning meeting may be held.
A structured risk statement may be used to distinguish risks from their cause(s) and their effect(s).
Because [blank] leading to [blank] may occur [blank]. (Risk statement)
Integrated Risk Management
Builds risk efficiency into the structure of programs and portfolios, providing the greatest overall value for a given level of risk exposure.
Risk Register
Captures details of identified individual project risks.
Perform Qualitative Risk Analysis is not required for all projects; what does undertaking a robust analysis depend on?
Depends on the availability of high-quality data about individual project risks and other sources of uncertainty, as well as a sound underlying project baseline for scope, schedule, and cost.
What does Criticality Analysis determine (Data Analysis: Simulation)?
Determines which elements of the risk model have the greatest effect on the project CRITICAL PATH.
What does Sensitivity Analysis determine (Data Analysis)?
Determines which individual project risks or other sources of uncertainty have the most potential impact on project outcomes. (Tornado Diagram)
When are risk owners for individual project risks nominated?
During the Identify Risks process (confirmed during the Perform Qualitative Risk Analysis process).
What are the 5 alternative strategies that may be considered for dealing with threats?
Escalate; Avoid; Transfer; Mitigate; Accept.
What are the 5 alternative strategies that may be considered for dealing with opportunities?
Escalate; Exploit; Share; Enhance; Accept
Escalate (Strategies for Threats)
Escalation is appropriate when the project team or the project sponsor agrees that a threat is outside the scope of the project or that the proposed response would exceed the project manager's authority.
Risk data quality assessment (data analysis)
Evaluates the degree to which the data about individual project risks is accurate and reliable as a basis for qualitative risk analysis.
Risk trigger
Events or conditions that indicate that a risk is about to occur.
When is Perform Quantitative Risk Analysis appropriate?
For large or complex projects, strategically important projects, projects for which it is a contractual requirement, or projects in which a key stakeholder requires it.
Contingent Response Strategies
For some risks, it is appropriate for the project team to make a response plan that will only be executed under certain predefined conditions, if it is believed that there will be sufficient warning to implement the plan. (Events that trigger: missing intermediate milestones or gaining higher priority with a seller.)
In a "Probability and Impact Matrix", which is more dangerous - high probability or high impact?
High impact is more dangerous.
When should the contingency plan by implemented?
If the selected strategy turns out not to be fully effective or if an accepted risk occurs.
Mitigate (Strategies for Threats)
In risk mitigation, action is taken to reduce the probability of occurrence and/or impact of a threat. (Adopt less complex processes, conduct more tests, choose a mores table seller.) Prototype development.
Where should the risk appetites of key stakeholders on the project be recorded?
In the Risk Management Plan.
Where are the results of Perform Qualitative Risk Analysis, Plan Risk Responses, Implement Risk Responses, and Monitor Risks recorded?
In the Risk Register and the Risk Report
What is the key benefit of the Plan Risk Management process?
It ensures that the degree, type, and visibility of risk management are proportionate to both the risks and the importance of the project to the organization and other stakeholders.
QuaLItative
Likelihood & Impact
What does the Risk Register include?
List of identified risks; Potential risk owners; List of potential risk responses. (May also include: short risk title, risk category, current risk status, one or more causes, one or more effects on objectives, risk triggers, WBS reference of affected activities, and timing information.)
How can Ambiguity Risks be addressed?
Managed by defining those areas where there is a deficit of knowledge or understanding, then filling the gap by obtaining expert external input or benchmarking against best practices. Also addressed through incremental development, prototyping, or simulation.
What is the Risk Owner responsible for?
Planning an appropriate risk response and reporting progress on managing the risk.
PESTLE
Political, Economic, Social, Technological, Legal, Environmental
Risk Report
Presents information on sources of overall project risk, together with summary information on identified individual risks.
What does the Tornado Diagram present?
Presents the calculated correlation coefficient for each element of the quantitative risk analysis model that can influence the project outcome. (Sideways histogram)
Project Risk Management
Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response implementation, and monitoring risk on a project.
What are the tailoring considerations for Project Risk Management?
Project size, complexity, importance, and development approach (waterfall or agile).
What are the two types of risk?
Pure risk and Business risk
Measurable risk thresholds
Reflect the risk appetite of the organization and project stakeholders. Risk thresholds express the degree of acceptable variation around a project objective. They are explicitly stated and communicated to the project team and reflected in the definitions of risk impact levels for the project.
Mitigate/Enhance (Strategies for Overall Project Risk)
Replan the project, change the scope and boundaries, modify project priority, change resource allocations, adjust delivery times, etc.
Reserve Analysis
Reserve analysis compares the amount of the contingency reserves remaining to the amount of risk remaining at any time in the project in order to determine if the remaining reserve is adequate.
What are the 5 components of Project Resilience that tackle emergent risks?
Right level of budget and schedule contingency; Flexible project processes; Empowered project team; Frequent review of early warning signs; Clear input from stakeholders.
Accept (Strategies for Threats)
Risk acceptance acknowledges the existence of a threat, but no proactive action is taken. (Active: contingency reserve; Passive: No proactive action apart from periodic review).
Avoid (Strategies for Threats)
Risk avoidance is when the project team acts to eliminate the threat or protect the project from its impact. (Remove the cause; extend the schedule; change the project strategy; reduce the scope.)
What elements does the Risk Management Plan include?
Risk strategy; Methodology; Roles and responsibilities; Funding; Timing; Risk categories.
What are secondary risks?
Risks that arise as a direct result of implementing a risk response.
What does the Risk Register contain?
Risks, Triggers, Probability & Impact, Planned Responses, and Risk Owners.
Share (Strategies for Opportunities)
Sharing involves transferring ownership of an opportunity to a third party so that it shares some of the benefit if the opportunity occurs. (Risk-sharing partnerships, teams, special-purpose companies, or joint ventures.)
If a company out-sources a piece of work, is it true that the provider assumes the risk and the purchaser has no risk exposure?
THIS IS NOT THE CASE. When outsourcing, a buyer can minimize risk exposure (some risk remains) and there is a new risk exposure (e.g. seller fails to provide the services as promised.)
What's the difference between the Risk Register and the Risk Report?
The Risk Register focuses on individual risks and the Risk Report summarizes the Risk Register AND overall project risk.
What document identifies the nominated risk owner for each risk?
The Risk Register.
Overall project risk
The effect of uncertainty on the project as a whole, arising from all sources of uncertainty including individual risks, representing the exposure of stakeholders to the implications of variations in project outcome, both positive and negative. (Risk OF project)
Enhance (Strategies for Opportunities)
The enhance strategy is used to increase the probability and/or impact of an opportunity. (Adding more resources to an activity to finish early.)
Exploit (Strategies for Opportunities)
The exploit strategy may be selected for high-priority opportunities where the organization wants to ensure that the opportunity is realized (increase probability to 100%). Examples: assigning the most talented resources to the project, or using new technologies.
What are the objectives of Project Risk Management?
To increase the probability and/or impact of positive risks and to decrease the probability and/or impact of negative risks, in order to optimize the chances of project success.
Transfer (Strategies for Threats)
Transfer involves shifting ownership of a threat to a third party to manage the risk and to bear the impact if the threat occurs. (Insurance, performance bonds, warranties, guarantees, etc.)
What are the most commonly used probability distributions for representations of uncertainty?
Triangular, normal, lognormal, beta, uniform, or discrete distributions
Business risk
Typically uninsurable. It is an event that can occur during the process of doing business. An example is the forecast of sales over the next six months.
Assessment of other risk parameters (in addition to probability and impact):
Urgency, Proximity, Dormancy, Manageability, Controllability, Detectability, Connectivity, Strategic impact, Propinquity
What is Decision Tree Analysis used for (Data Analysis)?
Used to support selection of the best of several alternative courses of action.
How can Variability Risks be addressed?
Using Monte Carlo analysis, with the range of variation reflected in probability distributions, followed by actions to reduce the spread of possible outcomes.
What are the trends and emerging practices in Project Risk Management?
a) Non-event risks: Variability Risk & Ambiguity Risk; b) Project Resilience; c) Integrated Risk Management