Chapter 11 - Risk Management
Perform Quantitative Risk Analysis ITTOs
Cost and Schedule management plan - because cost and schedule are easily quantified, these have to be used as input. Although scope may present important risks, it generally fits better into the qualitative risk analysis.
Tools
1) Data Gathering and Representation Techniques:
a) Interviewing - uses a structured interview to ask experts about the likelihood and impact of identified risks. After interviewing several experts, the PM might create pessimistic, optimistic and realistic values associated with each risk.
b) Probability distribution - a mathematical representation that shows the probability of an event occurring, usually expressed as a table or graph (i.e. flipping a coin 6 times to see how many of the six times it falls on heads). It allows the PM to take a good look at the real probability of an event occurring and to make a rational decision about how to approach the risk.
2) (Key) Quantitative Risk Analysis and Modeling Techniques:
a) Sensitivity Analysis - used to analyze your project and determine how sensitive it is to risk. You are analyzing whether the occurrence of a particular risk event would ruin the project or merely be an inconvenience.
b) Expected Monetary Value Analysis (EMV) - statistically calculates the average outcome, and expresses opportunities as positive amounts and risks or threats as negative amounts. Takes uncertain events and assigns them a most likely monetary value (i.e. dollar amount). It is typically calculated by using decision trees. Basically the formula is Probability * Impact (which is % * $ or % * weeks): take the probability that an event will occur, multiply it by the impact, and add the result to your contingency reserve. Usually applies to your budget and time (so determine how many dollars or how many weeks you need to add to the budget or schedule, so you will have a contingency in weeks or dollars). Do not confuse this with earned value; EMV and EV (expected value) are related to risk and usually do not cross over to another knowledge area.
c) Decision tree analysis - (see page 380, don't forget to multiply probability by impact) used to show probability and arrive at a dollar value amount associated with each risk. You are given an initial cost, a risk cost, and a probability percentage. To calculate the total, you multiply the risk cost by the probability percentage and add that value to the initial cost.
Tornado diagrams - (graphical representation of a sensitivity analysis) named for the funnel shape of their bars, they are a way to analyze project sensitivity to cost or other factors. Risks are represented by horizontal bars; the uppermost and longest bar represents the greatest risk, and progressively shorter horizontal bars beneath represent lower ranked risks. Shows where a risk could have the biggest effect; used to diagram the sensitivity to different variables that could change in the project.
d) Modeling and Simulation - i.e. using Monte Carlo analysis for simulation (what if). It is a tool that takes details and assembles a big picture. It is performed by a computer and throws large numbers of scenarios at the schedule to see the impact of certain risk events. It will show you what is not always evident by simply looking at the schedule and will often identify tasks that may not appear inherently high risk but, in the event they are delayed, the whole project may be adversely affected. Output: it shows you where schedule risk exists on the project. Monte Carlo analysis chugs in many variables and spits out a continuum or probability distribution, showing the probability of a certain item occurring by a certain amount. Also tells you if any high risk activity is on your critical path.
Modeling, simulation, probabilities (key words)
1) Several documents should be updated as a result of this process - scope or schedule might change in order to account for risk; however, the most common document update is the risk register. It is updated with the probabilities associated with each risk and the probability of meeting the project's cost and time projections. Priorities of the risks should be updated and any trends that have been observed should be noted.
Note: Risk may be beneficial, such as when you purchase a lottery ticket: you run the risk of winning money, and that risk can be quantified. If you are constructing a building, you would plan for a certain amount of bad weather to impact the construction schedule; however, you run the risk that the weather will be worse than anticipated as well as the risk that the weather will be better than anticipated. The risk is in the uncertainty, not just in the outcome.
When is risk highest in your project
In the beginning since there are lots of uncertainties. Think about the definition of risk
When is cost of risk highest in your project
In the end
What if the event has happened
It is no longer a risk, so it does not do any good to analyze probability and impact: because it has already happened, it is not a risk, it is a fact. So you go to management reserve to get approval to use your contingency reserve. Remember, risk is the uncertainty of whether something will happen and how it will impact the project. If it has already happened, it's an issue. You should immediately update the risk register, find a workaround and document lessons learned
Risk Response Strategy
Planned risk responses - your first response in the risk register
Fallback plans - things you do after your first response
Workaround - for when things happen that were not planned and have already happened (thus not a risk), and you don't have anything in the register; you create a workaround and update the register
NOTE: Even during Close Project or Phase, identified risks should be added to the risk register
Risk Management
The PM must understand how to anticipate and identify areas of risk, how to quantify and qualify them, and how to plan for them. Your goal is to get as much risk as possible. To be a great PM, you should be good at managing risks.
Plan Risk Response ITTOs
Tools
Risk response strategies (or risk mitigation strategies)
1) (Key) Strategies for negative risks or threats:
a) Avoid - a very appropriate tool for working with undesirable risk in many circumstances (REMOVE THE CAUSE OF THE RISK SO THAT IT CANNOT HAPPEN). It involves eliminating the threat or risk by eliminating the cause (i.e. avoiding the risk associated with using cutting edge technology in favor of using a slower or more reliable technology, or removing the work package or person). It might also mean expanding the scope of the project (i.e. there is a 75% chance of a threat occurring; however, additional testing is likely to prevent this threat, which will expand the scope of the project).
b) Transfer (Deflect, Allocate) - makes another party responsible for the risk by purchasing insurance, performance bonds, warranties, or guarantees, or by outsourcing the work. This is where the connection between risks and contracts begins. In PM Land, you complete risk analysis before a contract is signed, and transference of the risk is included in the T&C of the contract (i.e. if there is a 75% risk of having to cover damages to fix a car defect, getting a warranty is a form of transfer...the car shop has to pay for it).
NOTE: Transferring a risk does not take all the risk away; there might be some residual risks (i.e. purchasing insurance for risk of fire may have some residual risks such as schedule delays due to the impact caused by the fire, or if you outsourced work to a 3rd party, you now have a risk that if the 3rd party is not good or they have troubles, that can cause schedule delays), so you will still need to decide what to do with secondary risks. Also, purchasing insurance exchanges an unknown cost impact of a known risk for a known cost impact. For example, the cost impact of a risk of fire is unknown, but when you buy insurance, the cost impact becomes known, as it is the cost of the insurance.
c) Mitigate - simply means to make it less: reduce the probability and/or impact of a threat, thereby making it a smaller risk and removing it from the list of top risks on the project (THE CAUSE COULD STILL HAPPEN). Options for reducing the probability and the impact are looked for separately, and any reduction will make a difference; however, the option with the most probability and/or impact reduction is often the option selected (i.e. if you were concerned about weather damage to a construction project, then you construct the building outside of rainy season).
d) Accept - acceptance is often a perfectly reasonable strategy for dealing with risk, whether positive or negative. You are simply acknowledging that the best strategy may not be to avoid, transfer, mitigate, share or enhance it; instead the best strategy may be to accept it and continue with the project. If the cost or impact of the other strategies is too great, then acceptance is the best strategy (i.e. getting out of bed every day carries risks, but these are risks that most people readily accept). You basically do none of the other strategies and say if it happens, it happens. Active acceptance may involve the creation of contingency plans to be implemented if the risk occurs and the allocation of time and cost reserves to the project. Passive acceptance leaves actions to be determined as needed (workarounds) if (after) the risk occurs. Note: a workaround is something you do after the risk occurs.
NOTE: Avoid and Mitigate would generally be used for high priority, high impact risks, and Transfer and Accept are appropriate for low priority, low impact risks.
2) Strategies for positive risks or opportunities - the PM wants to take steps to make positive risks more likely (capitalize on it):
a) Exploit - you try to remove any uncertainty (i.e. if a positive risk of finishing the project is identified, then adding additional people to ensure the project is completed early would exploit the risk). Involves adding work or changing the project to make sure the opportunity occurs (opposite of Avoid).
b) Share - seeking to improve the chances of the risk occurring by working with another 3rd party (i.e. if a defense contractor identifies a positive risk of getting a large order, they may determine that sharing that risk by partnering with another defense firm or competitor would be an acceptable strategy). Allocating ownership or partial ownership of the opportunity to a 3rd party (forming a partnership, team or joint venture) that is best able to achieve the opportunity.
c) Enhance - you must first understand the cause of the risk. By working to influence the underlying risk triggers, you can increase the likelihood (probability) of the risk occurring. It is the reverse of Mitigate. For example, an airline might add flights to a popular route during holidays in order to enhance traffic and profitability during a heavy time.
d) Accept - see definition above.
Key - When we plan risk responses, we identify secondary risks (i.e. by replacing resource A with resource B, you run a secondary risk if resource B is sick). Not to be confused with residual risk, which is the risk that remains even after you have transferred a risk (i.e. in a fire, insurance will not pay for it, so you will have a residual risk of more $ due to this).
NOTE:
- Your possible risk response strategies must be communicated to management, stakeholders and sponsors
- A risk is either positive (opportunity) or negative (threat)
- Avoid spending more money preventing a risk than the impact of the risk would have cost if it occurred
- More than one response can be used to address the same risk
- A response may address a root cause of risk and thereby address more than one risk
- The team, other stakeholders, and experts should be involved in selecting a strategy
3) Contingent Response strategies - generally only activated once a milestone is missed or some key measurement is triggered. The project team may make one decision related to risk but make that decision contingent upon certain conditions (i.e. deciding to mitigate a new technology risk by hiring a firm with expertise in that technology, but that decision might be contingent upon the outside firm meeting intermediate milestones related to that risk).
Risk trigger - something that activates a risk. Someone should always be looking out for triggers.
Output
1) Project document updates - updating the risk register with the specific plan on how to respond to the risks (or mitigate the risks). Documents and agreements that reflect risk related contract decisions may also be updated.
Identify Risks ITTOs
1) Cost management plan, schedule management plan, quality management plan and human resource plan - information in these plans may increase or reduce project risk (i.e. if you need a new sandbox and your cost mgmt plan has stipulations for not spending money on stuff like that, it increases the risk of not being able to get another sandbox).
2) (Key) Scope baseline, activity cost estimates, activity duration estimates - these document scope, schedule and budget, which are typically the areas of greatest project risk, so they should be reviewed carefully to see if they present risks to this particular project (i.e. did we allow enough time in the activity estimates? If not, it could pose a risk).
3) Procurement documents - procurement activities introduce their own unique risks due to the fact that they use external entities to perform work, which may pose more risk (i.e. is the vendor really good at what they say they can do, is our SOW written well enough that we would get good feedback from the vendor).
EEF - stakeholders' tolerance for risk
OPA - you must go back and look at risks in other parts of your project so that you can consider these risks in your project
Tools
1) Documentation review - a review of all project documentation that exists to date. The documents are reviewed for completeness, correctness, and consistency (i.e. if the plan appears sketchy or quickly thrown together, that could identify a significant risk).
2) Information gathering techniques - i.e. using techniques like brainstorming (promotes groupthink), Delphi technique (prevents groupthink), expert interviews (formal, planned, short interviews), and root cause identification (i.e. fishbone diagram) to create the risk register - used to identify every situation that could cause the risk.
3) (Key) Checklist analysis - uses an RBS, either from this project or from a previous project, to check off items and ensure that all significant risks or categories are being evaluated. May not be exhaustive but provides structure to the Identify Risks process. Breaks down all the causes and at the bottom shows the threats. You should do these for the activities on the critical path. The RBS is not a separate document; it is in the Risk MP.
4) Assumption analysis - analyzing and challenging documented assumptions. It is used to challenge and test the underlying assumptions the team has made to identify the risks of those assumptions not bearing out.
5) (Key) Diagramming techniques - diagramming methods used to identify risks:
a) key - Ishikawa (cause and effect diagrams) and fishbone diagrams are one way to show how potential causes can lead to risks.
b) Influence diagrams - show how one set of factors may influence another (i.e. late arrival of material may not be a significant risk by itself but it may influence other factors, such as triggering overtime work).
c) key - Flow charts - graphical representation of a complex process which can show areas with risks.
6) SWOT Analysis (Strengths, Weaknesses, Opportunities and Threats) - a tool used to measure each risk's SWOT; it can help you identify your most significant project risk factors. Each risk is plotted, and the quadrant where the weaknesses (usually internal) and threats (usually external) are highest and the quadrant where strengths (usually internal) and opportunities (usually external) are highest will represent the highest risk on the project.
Output
1) Risk Register - provides a list of identified risks, what the possible responses (or reactions) to the risks are, what the root cause is and what CATEGORY the root cause falls under. It may be updated throughout the life of the project. The RBS can also be updated with the more specific information. You have categories in the risk register but you do not have probability yet; it is in Qual/Quan RA.
Plan Risk Management ITTOs
1) PM Plan - brings in as much info as is known about the project in order to create the risk mgmt plan
2) Charter - may contain information about risk tolerance or constraints and assumptions that need to be factored into the Risk Mgmt plan
3) Stakeholder register - lists the stakeholders who may be able to give input about risk approaches and who may be affected by risk management decisions
Tools
4) Analytical Techniques - careful analysis to determine the appropriate level of risk for the various areas and the approach warranted on the project
Output
5) Risk Management Plan - defines how risks will be categorized (i.e. internal risks > technology risks, external risks), what level of risk will be considered tolerable for the project, how risk will be managed, who will be allotted to risk activities, and how risk findings will be communicated. One tool for creating consistent risk categories is the risk breakdown structure (RBS), which breaks down the categories of risks and not the work. It does not break down the actual risks (since they won't be known until we perform Identify Risks). Instead we are breaking down the categories of risks that we will evaluate. It may also contain standard vocabulary about probability and impact that applies to the project.
Risk Management Process
1) Plan Risk Management - Planning - Risk Management Plan
2) Identify Risks - Planning - Risk Register
3) Perform Qualitative Risk Analysis - Planning - Project Document Updates
4) Perform Quantitative Risk Analysis - Planning - Project Document Updates
5) Plan Risk Responses - Planning - Project Document Updates
6) Control Risks - M&C - Work Performance Information and Change Requests
Perform Qualitative Risk Analysis ITTOs
1) Scope baseline - items in the scope that are well known and understood will have less uncertainty, while items that are not understood will have higher uncertainty
Tools
2) (Key) Risk Probability and Impact Assessment / Probability and Impact Matrix - each risk in the risk register is evaluated for its likelihood of occurring and its potential impact on the project. Each of these two values is given a ranking (such as low, medium, high, or 1 through 10) and they are multiplied together to get a risk score. The resulting score is used to set priorities.
3) Risk Data Quality Assessment - the data used should be objectively evaluated to determine whether or not it is accurate and of acceptable quality (i.e. if you are evaluating weather risk, you would need to evaluate the quality of the weather data you are using).
4) Risk Categorization - categorizing the detailed risks to help you build a better picture of the risks, which may help you understand which parts of the project have the highest degree of uncertainty. The RBS is a common way to help organize risks into categories.
5) Risk Urgency Assessment - urgent risks are those that cannot wait, so it is important to determine which risks are most urgent and require immediate attention (i.e. bad scope might be urgent since it could delay progress on the project, but a risk about the weather may be less urgent even if equally important).
Output
1) Project document updates - project documents, especially the risk register, are updated as part of the analysis. This involves adding more details that are now known to the register, including the priority of the risks, the urgency of the risks, the categorization of the risks and any trends that were noticed while performing this process.
Control Risk ITTOs
Input
1) You should analyze the risk register to ensure that the risks were identified properly, and that the weights and responses that were anticipated actually match what is really occurring on the project
2) Work performance data - provides information on the results, i.e. looking at the status of a deliverable. Focuses on what has been done
3) Work performance report - focuses on how the work was done. It focuses on cost, time and quality performance, which are compared to the baselines
Tools
1) (Key) Risk Reassessment - as you perform the project, the nature of your risks changes, so you should reassess this information as often as necessary to make sure that the risk needs of the project are current and accurate. It is not required; some may perform it a lot and some may perform it infrequently.
2) (Key) Risk Audit - focused on overall risk management. Risk audits are more about the top down processes than they are about individual risks. Periodic risk audits evaluate how the risk management plan and the risk response plan are working as the project progresses, and also whether or not the risks that were identified and prioritized are actually occurring.
3) (Key) Variance and Trend analysis - variance analysis focuses on the difference between what was planned and what was executed, and trend analysis shows how performance is trending. Trend analysis is important because a one time snapshot may not cause concern but a trend showing worsening conditions may indicate that a problem is imminent.
4) Technical Performance Measurement - focuses on functionality, looking at how the project has met its goals for delivering the scope over time.
5) (Key) Reserve analysis - the project reserve (contingency) should be evaluated to ensure that it is sufficient to address the amount of risk the project expects to encounter.
6) Meetings - does not suggest that you have specially called status meetings related to risks, but that you create a project culture where bringing up items related to risk is always acceptable and risk is discussed regularly.
Output
1) Change Request - when risk events occur, change requests to the project are a normal outcome. Even when the event does not occur, the project may be changed as a result of new risk related information gathered during the process.
2) Project Document updates - new risk information, whether it is changes to your risk estimates or actual numbers (such as costs related to weather damage), should be regularly updated in the risk register.
Definition of risks
Risk has two characteristics: 1) Risk is related to an uncertain event 2) A risk may affect the project for good or for bad. Although risk usually has negative connotations, it may well have an upside. Think of positive risks as opportunities (for example, if in doing a project you have a way of creating a testing method, you might be able to exploit it and make it an opportunity, or new business for your company)
Perform Quantitative Risk Analysis
Seeks to assign a projected value to QUANTIFY the risks that have been ranked by Perform Qualitative Risk Analysis. This likely value is most often specified in terms of cost or time. It updates the risk register, and the information will be used in the subsequent 2 processes (Plan Risk Responses and Control Risks). Without completing this step, the information about the identified risks is less complete and less useful. It relies on the prioritized list from the previous process, so it is usually performed after Perform Qualitative Risk Analysis; however, in some cases they may be done at the same time
Plan Risk Responses
A detailed plan for managing the risk (a plan for how each risk will be handled, whether it is positive or negative). The difference between this and the Risk Mgmt plan is that the Risk Mgmt plan focuses on the approach to risk. All the previous steps focused on identifying and analyzing the risks, but this process focuses on creating a specific plan that is actionable and assigns specific tasks and responsibilities to specific team members. It is performed after all of the other risk planning processes are complete, and the updated risk register flows in as an input and emerges as its primary output
Plan Risk Management
Focuses on creating the risk management plan. It does not focus on specific project risks but instead focuses on how risk will be approached on the project and creates a roadmap for the five remaining processes. It is generally high level in nature and therefore takes place early in the project, usually before any of the other planning processes are performed, because the results of this and other risk processes can significantly influence decisions made about scope, time, cost, quality, and procurement
uncertain event, unexpected event, opportunity/threat show up
go to the plan/register, because you have already planned, use your contingency reserve to pay for this. Used for known unknowns, use it to pay for risks that you've planned for
Perform Qualitative Risk Analysis
Usually done rapidly in order to see which risks are the highest priority on the project (it is a subjective analysis). It takes each risk on the risk register and analyzes its probability of occurring and its impact on the project if it did occur. It uses a probability and impact matrix (PIM) so that a prioritization and ranking can be created, which is updated on the risk register. The PIM shows high to low probabilities and high to low impacts in a grid (could be shaded/colored). This process helps you rank and prioritize the risks so that you can put the right emphasis on the right risks, and it helps to ensure that time and resources are spent in the right risk areas. It is usually performed more than once on a project, the reasons being: a) it can usually be performed fairly quickly relative to other planning processes b) it is normal for risks and their underlying characteristics to change often over the life of the project, making this process important to revisit often. Rank them high, medium, low; your definitions of HML have been identified in your Risk MP. Coming out of it, you should have a prioritized list of risks. Output - project document updates, which means an update to the risk register, which is not part of the PM Plan but part of the project documents
Control Risk
Look back to evaluate how all of the risk planning is lining up with the execution that has taken place. It is performed almost continually throughout the project. 1) As a risk occurs, compare it to the RMP, issue a change request due to the risk and implement the response in executing 2) Also compare the results of the risks that have happened and the responses that have been executed 3) New risks (at every status meeting you ask the team about new risks)
Identify Risks
evaluates the project to identify which risks could impact the project and to understand the nature of these risks. For example, what could cause us to have a schedule delay. The only output is the risk register which lists all risks, their causes and any possible responses to those risks that can be identified at this point in the project. The risk register is needed for the remaining processes and the Identify risks process is typically performed early on in the project but can be performed multiple times
expected event
not a risk, (i.e. does not fix a schedule that is unrealistic). You need to deal with that, it is a fact, and you need to deal with it in another way
previously unidentified, (unknown/unknown), new risks that were not previously identified
Not in the risk register, so call the team to plan and go through all risk processes to address it; this is called a workaround. This is the only time you use a workaround: a risk occurred that was not identified or, put another way, problems that you didn't plan for came up anyway, so you use your unknown unknown. You can get permission from mgmt to use the management reserve for this. This means you have failed to meet your cost objective. Remember that your cost baseline does not include mgmt reserve.