PMP 220 Risk Mgmt
Risk Register | I/O
The list and details of identified individual project risks. The detail in the register is added to on completion of various risk processes. Created in: 11.2 Identify Risks (P)
Project Resilience, Integrated Risk Management
* Project Resilience — Resilience is the ability to overcome unknown risks when they occur. * Integrated Risk Management — Integrated risk management provides a coordinated approach to enterprise-wide risk management to ensure alignment and coherence and to ensure risks are managed across all levels of the organization.
Data Modeling - Decision Tree Analysis
1. Describes a situation under consideration and the implications of each of the available choices 2. Incorporates cost, probability, result
8 Factors of Qualitative Risk Analysis
1. Impact 2. Probability 3. Tolerance 4. Time frame 5. Risk management plan 6. Risk register 7. Scope statement 8. Lessons learned
10. Trends & Emerging Practices
1. Non-event risk: variability, ambiguity 2. Project resilience tackles emergent risks 3. Right level of budget & schedule contingency 4. Flexible project processes 5. Empowered project team 6. Frequent review of early warning signs 7. Clear input from stakeholders in scope & strategy adjustments as emergent risk response 8. Integrated risk management 9. Coordinated approach to enterprise-wide risk management
Risk Data Quality Assessment | T&T
A data analysis technique used to assess the reliability of the data that has led to the qualitative risk assessment. Used in: 11.3 Perform Qualitative Risk Analysis (P) Part of: Data Analysis
Risk Probability and Impact Assessment | T&T
A data analysis technique used to assess each identified risk for the probability that it will occur and the impact that it will have if it does occur. Used in: 11.3 Perform Qualitative Risk Analysis (P) Part of: Data Analysis
Risk Probability and Impact Assessment | T&T
A data analysis technique used to assess each identified risk for the probability that it will occur and the impact that it will have if it does occur. Used in: 11.4 Perform Qualitative Risk Analysis (P) Part of: Data Analysis
Assumption and Constraint Analysis | T&T
A data analysis technique which involves analyzing assumptions and constraints on the project for the purposes of identifying risks. Used in: 11.2 Identify Risks (P) 13.2 Plan Stakeholder Engagement (P) Part of: Data Analysis
Risk Register
A document in which the results of risk analysis and risk response planning are recorded.
A response strategy for BOTH threats and opportunities:
ACCEPT: Passive acceptance leaves action to be determined as needed, in case of a risk event. Active acceptance may involve contingency plans to be implemented if the risk occurs and allocation of time and cost reserves to the project. A decision to accept risk must be communicated to stakeholders.
11.2 Identify Risks
Determine which risks might affect the project and document their characteristics. > Project Manager > Project Team > Stakeholders > Subject matter experts > People outside the project
Risk Management Plan
Methodology > Roles and Responsibilities > Budgeting > Timing > Risk Categories (RBS) . . . > Revised stakeholder tolerances > Reporting formats > Tracking > Definitions of probability and impact > Matrices . . .
Stakeholder Risk Seekers are
actively pursuing high value rewards, at the expense of high risk exposure. As an example, a pharmaceutical company might be willing to take significant cost risks in the short-term while developing a break-through vaccine.
Risk Parameters 2
* Detectability — The ease with which the results of the risk occurring, or being about to occur, can be detected and recognized. Where the risk occurrence can be detected easily, D is high. * Connectivity — The extent to which the risk is related to other individual project risks. Where a risk is connected to many other risks, C is high. * Strategic impact — The potential for the risk to have a positive or negative effect on the organization's strategic goals. Where the risk has a major effect on strategic goals, SI is high. * Propinquity — The degree to which a risk is perceived to matter by one or more stakeholders. Where a risk is perceived as very significant, propinquity is high.
Brainstorming 1
* Quiet Writing — Individual team members are given time to generate an individual list of ideas before sharing them with the team. This technique has the advantage of limiting peer influence in the initial creation. * Round-Robin Brainstorming — This brainstorming technique requires the team to take turns suggesting one or more ideas to address specific project needs.
Key Risk Terms
* Risk Tolerance * Risk Averse * Risk Factors > Probability & impact > The range of possible outcomes > Expected timing in the project life-cycle
11.1 Plan Risk Management
* The process of defining how to conduct risk management activities for a project. * Ensure that the level, type & visibility of risk management are commensurate with both the risk & importance of the project. * Provide sufficient resources & time for risk management activities. * Establish an agreed-upon basis for evaluating risks.
Risk
* Uncertain event or condition that, if realized, has a positive or negative impact on at least one project objective (such as time, cost, scope or quality) * Risks can have one or more causes and one or more impacts.
Risk Parameters 1
* Urgency — The period of time within which a response to the risk is to be implemented in order to be effective. A short period of time indicates high urgency. * Proximity — The period of time before the risk might have an impact on one or more project objectives. A short period indicates high proximity. * Dormancy — The period of time that may elapse after a risk has occurred before its impact is discovered. A short period indicates low dormancy. * Manageability — The ease with which the risk owner (or owning organization) can manage the occurrence or impact of a risk. * Controllability — The degree to which the risk owner (or owning organization) is able to control the risk's outcome.
Variability Risk, Ambiguity Risk
* Variability Risk — Uncertainty exists about some key characteristics of a planned event, activity, or decision. Examples include: productivity being above or below a target, or weather conditions impacting construction. * Ambiguity Risk — What might happen in the future. This risk deals with the fact that there are areas of imperfect knowledge. Examples include changes in regulation or law, or inherent systemic complexity.
Types of Risk
* Known Risks - Can be analyzed, possible to plan. Contingency reserve or other plans. * Unknown Risks - Cannot be managed proactively. General contingency or management reserve.
Risk identification is a somewhat natural byproduct of generating the project WBS in 2 Ways:
1. As project teams are compelled to define WBS element descriptions, schedule, and cost estimates, a typical response is, "I can't define it because of all the uncertainty" 2. The challenge for the project manager is to get project team members to document these uncertainties in a systematic way
The choices of response strategies for OPPORTUNITIES include:
1. EXPLOIT: Add work or change the project to make sure the opportunity occurs 2. ENHANCE: Increase the probability and positive impact of risk events 3. SHARE: Allocate ownership of opportunity to a third-party
4. Risk Types Examples
1. Event risk: A key supplier may go out of business during project. 2. Variability risk: Unseasonal weather conditions may occur during construction phase. 3. Ambiguity risk: Inherent systemic complexity in the project. 4. Emergent: (things outside of our current mindset or cognizance).
Whenever the project manager is responding to threats or opportunities (4):
1. Execution of strategies must be time-bound 2. Effort selected must be appropriate to the severity of the risk 3. A single response can be an act of multiple risk events 4. A strategy can be selected not only by the project manager but also by the team, the stakeholders and experts
Classification of risks is based on the level of knowledge about a risk event's occurrence (either known or unknown) and the level of knowledge about its impact (either known or unknown). This leads to four possibilities:
1. Known-Knowns (knowledge), 2. Unknown-Knowns (impact is unknown but existence is known, i.e., untapped knowledge), 3. Known-Unknowns (risks), and 4. Unknown-Unknowns (unfathomable uncertainty).
PMBOK's Project Risk Management knowledge area contains 7 processes:
1. Plan Risk Management 2. Identify Risks 3. Perform Qualitative Risk Analysis 4. Perform Quantitative Risk Analysis 5. Plan Risk Responses 6. Implement Risk Responses 7. Monitor Risks
Risk Register Updates from Perform Qualitative Risk Analysis include
1. Probabilistic analysis of the project ◦ Develop contingency reserves 2. Probability of achieving cost and time objectives 3. Prioritized list of quantified risks
Project Risk Types
1. Event risk: Something that has not yet happened & it may not happen at all, but if it does happen then it has an impact on one or more objectives. 2. Variability risk: Uncertainty exists about some key characteristics of a planned event or activity or decision. 3. Ambiguity risk: Uncertainty exists about what might happen in the future arising from lack of knowledge or understanding. 4. Emergent risk: Risks that emerge from our blind-spots arising from limitations in our conceptual frameworks or world-view. Also known as unknowable-unknowns.
Risk Data Quality Assessment | Definition
A data analysis technique used to assess the reliability of the data that has led to the qualitative risk assessment, that has: 1. Integrity of risk data 2. Unbiased 3. Credibility 4. Usefulness
Probability and Impact Matrix
A grid for mapping the probability of each risk occurrence and its impact on project objectives if that risk occurs. There may be several risks in any project. Depending on the size and complexity of the project in hand, the risks may vary somewhere from double digits to triple digits.
Risk Management Plan | Process
A subsidiary of the PMP which determines how to conduct risk management activities for a project. It outlines the methodology you will use, the roles and responsibilities, the budget, the timing of the risk management activities, the risk categories you will use, the stakeholder risk tolerances, and how you will track and report risk. Created in: 11.1 Plan Risk Management (P)
Project Escalation
Risks or Issues related to project objectives, resource and inter-group conflicts, ambiguous roles and responsibilities, scope disagreements, third party dependencies are some known situations calling for escalations. Such issues require higher level intervention because many times the authority, decision making, resources or effort required to resolve them are beyond a project manager's horizon.
What are Residual Risks?
The PMBOK Guide defines residual risks as "those risks that are expected to remain after the planned response of risk has been taken, as well as those that have been deliberately accepted." ... These risks are identified during the process of planning. A contingency reserve is set up to manage risks such as these.
Risk Appetite
The degree of uncertainty an entity is willing to take on, in anticipation of a reward. For an Organization it shows how much an org is willing to take a risk to grow itself; it is the amount of risk that an organization is willing to accept to attain its business objective.
What is the difference between Workaround and Contingency Plan?
The difference between the two terms is related to whether the problems being handled were identified ahead of time or not. * Contingency plans are made based on potential risks that are identified that could derail a project. * Workarounds are responses to problems that develop while the project is being worked that were never identified.
Risk Report | Definition
The document that outlines overall project risk, together with summary information on identified individual project risks. The risk report may include: * Sources of overall project risk, indicating which are the most important drivers of overall project risk exposure * Summary information on identified individual project risks, such as number of identified threats and opportunities, distribution of risks across risk categories, metrics and trends, etc. Created in: 11.2 Identify Risks (P)
Risk Categorization | T&T
The grouping of risks by category to better understand the risks and determine any common root causes. Used in: 11.3 Perform Qualitative Risk Analysis (P)
11.7 Monitor Risks
The key benefit of this process is that it enables project decisions to be made on current information about overall project risk exposure and individual project risks.
11.6 Implement Risk Responses
The key benefit of this process is that it ensures that agreed-upon risk responses are executed as planned in order to address overall project risk exposure, minimize individual project threats, and maximize individual project opportunities.
11.4 Perform Quantitative Risk Analysis
The process of numerically analyzing the effect of identified risks on overall project objectives.
S-Curve for Quantitative Risk Analysis
The results of a schedule risk analysis are typically displayed as a histogram (an approximation to a probability density function) providing the frequency of schedule outcomes (dates) and an S-Curve (a cumulative distribution function) providing the cumulative probability of achieving dates associated with given milestones or overall project completion.
Risk Averse Stakeholders
are not willing to accept any risk exposure. As an example, a pharmaceutical company that adopted a Six Sigma approach may be focused on eliminating any level of quality risk exposure.
Individual project risk is an uncertain event or condition that, if it occurs,
has a positive or negative effect on one or more project objectives. [PMBOK6]
Risk Exposure Theory
high prevalence of social and environmental health risk in predominantly minority communities leads to higher prevalences of diseases and death
What is an Influence Diagram?
is an intuitive visual display of a decision problem. It depicts the key elements, including decisions, uncertainties, and objectives as nodes of various shapes and colors. It shows influences among them as arrows. This simple influence diagram depicts a variable describing the situation: 1. a decision - What do we do? 2. a chance variable - What's the outcome? 3. a final valuation - How do we like it?
Neutral Risk Stakeholder
will assess available project options, balancing existing risks with potential rewards. As an example, a software development company might be willing to consider eliminating some scope requirements, or accepting schedule delays, while considering schedule risks in its new development project.
Brainstorming 2
* Free-For-All — Most common brainstorming technique. Team members shout out ideas without any rules or constructs. In many cases team members shout out over each other. * Green Zone / Red Zone — It represents a way of establishing organizational guidelines for positive performance.
11.3 Perform Qualitative Risk Analysis
* Prioritizing the identified risks for further action (including further analysis or response planning). * Uses the probability and impact scoring defined in Plan Risk Management.
Risk Management
1. The processes concerned with conducting risk management planning, identification, analysis, responses & monitoring and control on a project 2. Updated throughout the project. 3. Increase the probability and impact of positive risks & decrease the probability and impact of negative risks.
Risk Exposure [Risk Score for Each Specific Risk]
= Impact Value x Probability of Occurrence
Fault Tree Analysis
A Fault Tree Analysis is the analysis of a structured diagram which identifies elements that can cause system failure. The effective application of this technique requires a detailed description of the area being discussed. The undesired outcome is first identified and then all possible conditions/failures which lead to that event are identified. This reveals potentially dangerous elements at each phase of the project.
Sensitivity Analysis | T&T
A data analysis technique in which key quantitative assumptions and computations are changed systematically to assess their effect on the final outcome. Employed commonly in evaluation of the overall risk or in identification of critical factors, it attempts to predict alternative outcomes of the same course of action. See also what-if analysis. Used in: 11.4 Perform Quantitative Risk Analysis (P) Part of: Data Analysis
Root Cause Analysis | T&T
A data analysis technique to determine the basic underlying reason that causes a variance, defect, or risk. Used in: 11.2 Identify Risks (P) 13.2 Plan Stakeholder Engagement (P) 8.2 Manage Quality (E) 4.5 Monitor and Control Project Work (M&C) 8.3 Control Quality (M&C) 13.4 Monitor Stakeholder Engagement (M&C) Part of: Data Analysis
A common approach is to describe Stakeholders' Risk Appetite
Either averse, minimal, cautious, neutral or seeker.
Risk Tolerance
Is the specified range of acceptable results. Risk tolerance tells you how sensitive the organization or people are to risks. High tolerance means that people are willing to take a high risk, and low tolerance means that people are not willing to take many risks.
11.6 Implement Risk Response
It is the process of implementing the consensus risk response plans identified in plan risk management and identify risks processes during the project timeline.
Risk Threshold
Measure of the level of uncertainty or the level of impact at which a stakeholder may have a specific interest. Below that risk threshold, the organization will accept the risk. Above that risk threshold, the organization will not tolerate the risk.
Risk Categorization
Organization by sources of risk (e.g., using the RBS), the area of the project affected (e.g., using the WBS), or other useful category (e.g., project phase) to determine the areas of the project most exposed to the effects of uncertainty.
Prompt Lists | T&T
Predetermined lists of risk categories that might give rise to individual project risks and that could also act as sources of overall project risk.
Prompt Lists
Predetermined lists of risk categories. * They provide the team with a head start on the process of brainstorming. > PESTLE — Political, economic, social, technological, legal, environmental. > TECOP — Technical, environmental, commercial, operational, political. > VUCA — Volatility, uncertainty, complexity, ambiguity.
Definition of Risk
Risk is effect of uncertainty on objectives, and an effect is a positive or negative deviation from what is expected. [ISO31000]
Contingent Response Strategies | T&T
Risk responses that will only occur if certain events occur (triggers). Used in: 11.5 Plan Risk Responses (P)
11.5 Plan Risk Responses
The process of developing options and actions to enhance opportunities and to reduce threats to project objectives.
Overall project risk is the effect of
Uncertainty on the project as a whole, arising from all sources of uncertainty, including individual project risks, representing the exposure of stakeholders to the implications of variations in project outcome, both positive & negative. [PMBOK6]
Assessment of Other Risk Parameters | T&T
Using other characteristics of risk (in addition to probability and impact) when prioritizing individual project risks for further analysis and action. Used in: 11.3 Perform Qualitative Risk Analysis (P)
Delphi Technique
a decision-making method in which members of a panel of experts respond to questions and to each other until reaching agreement on an issue
Minimal Risk Stakeholders
believe that the less risk the better. They would require a lot of benefits to compensate for any small level of risk exposure. As an example, a health care organization might be extremely reluctant to accept risks that can negatively impact critical patients' waiting time.
Representations of Uncertainty
is one of the Tools & Techniques used in Quantitative Risk Analysis. It is basically the probability model you select to represent the unknowns (whether it be schedule, cost or resource requirements) for the quantitative risk analysis. For example, if this is a new project without previous lessons learned and not much reliable data available, I would choose a triangle distribution as my Representations of Uncertainty.
Risk Cautious Stakeholders favor
safer options, even if it sacrifices benefits. As an example, a consulting company working in an economically challenged country can be reluctant to accept cost risks.