13. Project Risk Management
Plan Risk Responses
The process of developing options and actions to enhance opportunities and to reduce threats to project objectives.
Implement Risk Responses
The process of implementing agreed-upon risk response plans.
Monitor Risks
The process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project.
Perform Qualitative Risk Analysis
The process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.
Example of minimal information in a risk register
. It will include a list of the identified risks, the potential responses, and owners. Here's an example of minimal information in a risk register: (See screenshot)
Tornado Diagram
It's a graphical representation of risks or sensitivity to project changes from highest to lowest and looks like a tornado. For example, you can see here that each risk listed on the left has a positive or negative impact on the schedule.
Example of RBS
See Screenshot
Probability and Impact Matrix
The information from the risk probability and impact assessment is then fed into the probability and impact matrix. Here's an example of what this looks like:(See screenshot) -You take the information from the probability and impact assessment and enter it into this table. For example, if the first risk was a high probability and high impact, you would choose 10 for high probability and 10 for high impact and multiply them together. On the table, this equates to a probability and matrix score of 100. The numbers allow the team to put them in priority order based on the highest number. The numbers don't equate to anything. They just help you sort the risk from highest to lowest. You could choose a different set of numbers as long as when you're done, you can prioritize the risks.
Project Risk Management
includes the processes of conducting risk management planning, identification, analysis, response planning, response implementation, and monitoring risk on a project.
Plan Risk Management
is the process of defining how to conduct risk management activities for a project.
11.1 Plan Risk Management
is the process of defining how to conduct risk management activities for a project. · The key benefit of this process is that it ensures that the degree, type, and visibility of risk management are proportionate to both risks and the importance of the project to the organization and other stakeholders. · This process is performed once or at predefined points in the project. · Plan risk management is a critical process in any project. As you know, each project inherently has risks. Some are major while others are minor. Regardless of the risk each one needs to be managed. And this plan identifies how the project team will manage those risks. · The risk management process falls under the planning process group, and it outlines how to perform the risk management activities for a project. · The key benefit of this process is that it describes how the project team will identify, evaluate, rank, and manage each risk. · These risks will then be communicated to the stakeholders. · It's the project manager's responsibility to be proactive about managing risk. Inputs: · There are five inputs to this process, let's start with the two main inputs: 1. The first is a project charter. High level risks may have been identified in the project charter. It's also important to review it for any other information that may lead to project risks. 2. The stakeholder register is another main input since it has the name of each stakeholder. Talking to stakeholders helps provide a risk threshold for the project so you know who is risk averse or who is willing to take risks. 3. The next input is the project management plan. Make sure the risk plan is in alignment with the project management plan. 4 & 5. The last inputs are the EEFs and OPAs. Tools & Techniques · One key tool and technique for this process is data analysis. More specifically stakeholder analysis. This provides details you'll need for risk management like their role on the project, attitudes, what their stake is in the project and more. · The last tools and techniques are expert judgment and meetings. Outputs: The one output for this process is the risk management plan, which is part of the project management plan. It details how each of the other processes in this knowledge area are managed. The risk management plan may include the: -funding for the risks -the methodology for how to manage the risks -There's also roles and responsibilities of the risk management team -Plus the risk categories, which can be illustrated through a risk breakdown structure or RBS. It shows all the project risk at level zero. Then level one breaks them down into categories like technical or management. Then level two is the actual risk. · The last output is the risk management plan. · Risks are inevitable, so it's imperative that your project team identifies them early and throughout the project. There's nothing worse than being broadsided by a risk that could have been mitigated or avoided. This plan will make sure that doesn't happen to you.
Identify Risks
is the process of identifying individual project risks as well as sources of overall project risk and documenting their characteristics.
Perform Quantitative Risk Analysis
is the process of numerically analyzing the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives.
Influence Diagram
which are visuals used for decision-making. Here's an example of one that's looking at risk condition which could effect project estimates for costs and time: Project estimates could then influence project activities. The risk condition and project activities could then influence deliverables
11.2 Identify Risks
· Identify Risks is the process of identifying individual project risks as well as sources of overall project risk and documenting their characteristics. · The key benefit of this process is the documentation of existing individual project risks and the sources of overall project risk. It also brings together information so the project team can respond appropriately to identified risks. · This process is performed throughout the project · Identifying risks is important task for any project team. By doing this early, the team can decide on how to add reserves to the budget and schedule should they happen. · Identifying risks is an iterative process because they can occur at the beginning and also during project execution. · The identify risk process falls under the planning process group and is the process of determining which risks may effect the project and documenting their characteristics. · Risks are uncertainties in any project because how they effect the project may be known or unknown. Inputs: · As you can see, there are six inputs to this process and six tools and techniques: · The first inputs are plans, resource, risk, requirements, cost, quality, and schedule. Here's a mnemonic that might help you remember the plans. Rabbits are really cute and quite soft. Each of these plans may include information on uncertainty and ambiguity in the project. The risk management plan provides details on risk-related roles, and responsibilities, and the categories of risk. · Next are the three baselines, scope, cost, and schedule. Each might identify areas of risk. Cost and duration estimates are the next inputs and are important to review because they may have the most risk in the project. · The next input is the stakeholder register. Stakeholders may have risks they want to add to the risk register. · Other inputs are agreements and procurement documentation. Procuring work from outside the company has its own set of risks that need to be considered. For instance, a contractor might not complete the work on time or it might be substandard. · Assumptions and issue logs, requirements documentation, and resource requirements should all be reviewed because they might identify risks. · The last inputs are the lessons learned register, EEFs, and OPAs. Tools & Techniques: · The first tool is data gathering techniques. There are several techniques used to gather information. The first is brainstorming. This is used to get an exhaustive list of risks. Another is interviews and it's just as it sounds, stakeholders and experts are interviewed to gather a list of risks. And there are checklists that have a list of items to consider for risks. · The second tool is data analysis, which includes a root cause analysis. This is when the root cause of an issue is identified and a preventive action can then be developed. Next, is documentation analysis, which helps to identify risks in the project based on how well the documents were developed. · Another tool is called a SWOT analysis, which stands for strengths, weaknesses, opportunities, and threats. The team uses this technique to identify positive and negative risks. Last, is assumption and constraint analysis. This reviews the assumptions and constraints identified early in the project to see if there are risks. · The third tool is interpersonal and team skills, which uses facilitation to gather a list of risks. · Next is the use of prompt lists that have predefined risk categories used to solicit ideas. Using a risk breakdown structure is one example of this. · The last tools are expert judgment and meetings. Outputs: There are two main outputs. The first is the risk register. It will include a list of the identified risks, the potential responses, and owners. · The last key output is the risk report. This provides information on overall and individual project risks. The remaining output is the project documents updates. The risk register is a key input to other processes in the risk management knowledge area, so it's important to complete it first. Identifying risks in a project is important because it allows the team to plan responses in case they happen. The time and costs associated with the risk are then added as risk reserves. In some cases, a risk may be big enough to shut down a project, that's why it's critical to project success to identify them as soon as possible
11.7 Monitor Risks
· Monitor Risks is the process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project. · The key benefit of this process is that it enables project decisions to be based on current information about overall project risk exposure and individual project risks. · This process is performed throughout the project. · In the monitor risk process you're checking to see if what you planned to do is what actually happened. The team is watching closely to see if there are any risk triggers and whether there's a need to implement one or more responses. The team also identifies new risks so they can be analyzed and added to the list. The project manager tracks the status of existing risks to see if they're outdated and keeps an eye on any that are coming up. · Monitor risks falls under the monitor and control process group, and it implements response plans, tracks identified risks, identifies new issues, and evaluates risk process effectiveness throughout the project. Inputs: · The first key inputs are the risk management plan, risk register, and risk report. Each of these documents provide details about the risks under consideration. · Next are work performance data and reports. Both provide data on how the project is performing and whether the risks have happened, if they're still open, and the effects of those that occurred. · The last inputs are the lessons learned register and issue log. Both should be reviewed to see if there is a need to update the risk register. Tools & Techniques · The first tool and technique in this process is data analysis, which includes technical performance analysis. This is a comparison of planned vs. actual of project technical performance. An example might be tracking the number of defects found at the end of an assembly line. When you're checking to see if defects are within the defined limits. · Reserve analysis looks to see if there are still enough contingency reserves to cover any outstanding risks. · The second tool is audits, which are used by the project manager to check the effectiveness of risk responses and the risk management process. · The next is meetings. It should be common practice for teams to discuss risk openly in meetings with these an update on a current risk or discussing new ones. Outputs · The one key output is work performance information that provides details on how well the risk response planning and implementation processes are doing. · The remaining outputs are change requests, the project management plan, project documents, and OPA updates. · Project managers need to closely monitor risks because decisions need to be based on current information. This ensures you aren't blindsided by a risk, and it keeps your project on track.
11.3 Perform Qualitative Risk Analysis
· Perform Qualitative Risk Analysis is the process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics. · The key benefit of this process is that it focuses efforts on high-priority risks. · This process is performed throughout the project. · When I started as a project manager, I didn't identify project risks. If I did, I wasn't sure what to do with them. I soon discovered that identifying risks was just the beginning. There's a lot more to it. You need to analyze and then prioritize them. This is done by choosing the likelihood of the risk occurring and determining the impact if it does. The reason this is done is so the project team can focus on the higher level risks. That's what this process is all about. · Perform qualitative risk analysis falls under the planning process group. It takes the risk list and further analyzes it by assessing the probability of the risk occurring and then the impact if it does. Inputs: · The first input to this process is one that makes sense. It's the risk management plan. It will explain how to qualify the identified risks. · The other main input is the risk register, which lists the identified risks that'll be analyzed and prioritized. · Another input is a stakeholder register, which lists stakeholders who might become risk owners. · The last inputs are the assumption log, EEFs, and OPAs. Tools & Techniques · There are seven tools and techniques in this process. Let's start with data gathering using interviews. Having discussions with team members will help to get the probability and impact ratings for each risk. · The next one is data analysis, which includes risk data quality assessment. This evaluates whether the information about each risk is accurate and reliable. A questionnaire can be given to the stakeholders asking about different characteristics like completeness and relevancy. An overall score can then be calculated. Risk probability and impact assessment is next. This is typically done very quickly and easily. You may do this by asking your team two questions for each risk. First, what is the probability of this risk occurring? Second, what is the impact if it does? The choices for each question can be high, medium, or low. The information from the risk probability and impact assessment is then fed into the probability and impact matrix. · Next, is the assessment of other risk parameters. The team may look at other factors when prioritizing risks like urgency or controllability. The next tool is interpersonal and team skills, which includes facilitation. It's a good idea to have a skill facilitator run the probability and impact sessions. · Another tool is risk categorization. This helps separate the risks into different categories. The use of the risk breakdown structure can be helpful with this. · The last main tool is data representation, which I mentioned earlier as the probability and impact matrix. Another example is hierarchical charts. It's used for risks that have been categorized with more than two parameters. · The last tools are meetings and expert judgment. Outputs: · The only output to this process is the project documents updates. · Remember, identifying risk is just the beginning. You need to continue the evaluation of your risk to make sure they're prioritized and prepare them for quantitative risk analysis.
11.4 Perform Quantitative Risk Analysis
· Perform Quantitative Risk Analysis is the process of numerically analyzing the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives. · The key benefit of this process is that it quantifies overall project risk exposure, and it can also provide additional quantitative risk information to support risk response planning. · This process is not required for every project, but where it is used, it is performed throughout the project · I once had a boss who had a spreadsheet that calculated the probability and impact of all risks. In the background, a formula was running that told us the cost implications of that risk to the project. The automation was great and so was having instant visibility to the risk impact. You do the same thing in the perform quantitative risk analysis process. · This process falls under the planning process group and takes the information from the qualitative risk analysis process and continues analyzing it in order to assign a numerical value of cost or time. · Often times, this process is done alongside the performed qualitative risk analysis process since they are so closely tied together. Some people get perform quantitative risk analysis confused with perform qualitative risk analysis. The way I remember the difference, is by putting them in alphabetical order. First, qualitative with an L, comes before quantitative with an N. Inputs: · The first inputs come from the project management plan and are the three baselines, cost, scope, and schedule. Baselines are the starting point from which risk effects are evaluated. The risk management plan provides guidance on whether quantitative risk analysis is needed. If yes, then it states who is performing the analysis. · The next input is the risk register, which contains the list of risks that will be analyzed in this process. · Other inputs include the cost and duration estimates, and resource requirements, which are starting points from which variability is measured. · Cost and schedule forecasts are another input that gauge to confidence level in meeting the forecasted targets. · Then there's the risk register and risk report, which provide information on individual as well as overall project risks. · The remaining inputs are the assumption log, basis of estimates, the milestone list, EEFs, and OPAs. Tools & Techniques · The first is data gathering techniques, which uses interviewing to get information to quantify the probability and impact of risks on the project. · Next is interpersonal and team skills that uses facilitation to quantify the risks. · Representations of uncertainty is next, and is used to show probability distributions. For example, uniform, discreet, triangular, and beta distribution. · The next main tool is the data analysis techniques. There are four techniques. Let's discuss each one, starting with sensitivity analysis, which looks at how your project is affected by certain risks in the project. (One example of this technique is a tornado diagram -It's a graphical representation of risks or sensitivity to project changes from highest to lowest and looks like a tornado. For example, you can see here that each risk listed on the left has a positive or negative impact on the schedule.) · Next is a decision tree analysis, which is used to decide on the best course of action when you have multiple choices. A decision tree is used to show probability in a project and calculate a dollar value associated with each risk. Check out the handout for more details on this. · The third data analysis technique is simulation. A Monte Carlo simulation is an example and it uploads the project schedule into a computer and calculates thousands of probably outcomes by looking at the costs and schedule. It's able to identify risks that might not otherwise be seen. The forth is an influence diagram, which are visuals used for decision-making. · The last tool is expert judgment, which is always a good idea because they may have experience with risk analysis that'll help with this process. Ouputs: · The only output to this process is project documents updates. Once the quantitative analysis is complete, a value is associated with each risk and then they're re-prioritized. The project manager then focuses on the ones at the top. This process is critical so the project manager isn't focusing their efforts on minor risks when there could be a major one that could shut down your project.
11.5 Plan Risk Responses
· Plan Risk Responses is the process of developing options, selecting strategies, and agreeing on actions to address overall project risk exposure, as well as to treat individual project risks. · The key benefit of this process is that it identifies appropriate ways to address overall project risk and individual project risks. · This process also allocates resources and inserts activities into project documents and the project management plan as needed. · This process is performed throughout the project. · Recently, I was teaching a class on risk and I asked my students whether they go through the process of identifying risks. Only three said they did. Of the three, none of them did anything beyond identifying risks. While it's great they started the process, it's important to follow up with a strategy for how to handle each risk. That's where this process comes in. · The Plan Risk Responses process falls under the Planning Process group and is the process for developing options and actions to reduce or enhance the project's risks. · The key outcome is that there's a plan for how to handle each risk. · Also, resources and funding will be assigned to each risk and any actions will be added to the project's schedule. Inputs · The first key inputs are the risk management plan, the risk register, and risk report. Each of these documents provide details about the risks under consideration. · Second are the risk management plan, project team assignments, stakeholder register, and resource calendars that provide information on resources assigned to risks and their availability. · Another key input is the cost baseline which has information on the contingency reserve allocated to risks such as additional funds or time in the schedule. · The remaining inputs are the lessons learned register, EEFs, and OPAs. Tools & Techniques: · The tools and techniques for this process are favorites for the exam, so be prepared for a question or two. · Let's start with the strategies for threats: -The first is to avoid the risk. This is when the project team works to eliminate the risk by 100%. For instance, buying a piece of equipment in case it's not available for rent. -The next one is to transfer the responsibility of the risk to a third party. The risk doesn't go away, it's just handled by somebody else. An example of this is buying insurance or contracting with somebody. -The third one is to mitigate the risk by reducing the likelihood of it happening or reducing its potential impact. For example, if there's a risk of guests getting wet at a wedding, then you'd rent a tent. · Now, let's discuss the strategies for opportunities: -The first is to exploit the risk. This means doing what you can to make the risk happen by 100%. An example might be using the latest technology to get the job done faster so you can win the bid of another project. -The second is to enhance the risk by influencing the factors that'll make the risk happen. For instance, if there's a positive effect by completing the project early, then you may add resources to make it happen. -Another strategy would be to share the risk with a third party. An example might be if you're launching a new product line, you may share the production with a third party to ensure the product gets to customers on time. · Let's also discuss the strategies for both opportunities and threats: -The first is acceptance, which is when the project team accepts that the risk may happen and if it does, employs an ad hoc solution at that time. -The team may also add contingency reserves to cover the risk if it happens. -The last is to escalate the risk to the program or portfolio level when it's outside the scope of the project or beyond the project manager's authority. These strategies can also be used for overall project risk. · Up until now, we've been discussing individual risks, but it's important to collectively look at the overall risk of the project and come up with a response. · The next tool is contingent response strategies. These are the responses that may be used in the event that a specific trigger occurs, like a rainstorm would be the trigger to a response to put up a tent so guests don't get wet. · Data analysis is another tool used to identify alternatives to responses and the cost and benefits of each. · The next tools and techniques, expert judgment, facilitation, interviews, and decision making are used to gather information from stakeholders to help make decisions on how to manage risks. Outputs: · The outputs are change requests, the project management plan, and project documents updates. · There are a few other key terms you should know since you may see questions on the exam about them. The first is residual risk. This is a risk that remains after risk responses have been implemented. Let's use the example from earlier about renting a tent for the wedding. There is a residual risk that guests may trip over the tent pegs. A secondary risk is one that arises as a direct result of implementing a risk response. In the example of sharing the risk with a third party for production, there is a secondary risk that the third party won't meet expectations. And a fallback plan is an alternative set of actions in case the primary response was abandoned or not effective. · In your projects, be sure to not only identify risks, but develop a strategy for dealing with each one. Not planning for risks is a surefire way to sideline a project.
Project Risk Management Overview
· Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response planning, response implementation, and monitoring risk on a project. The objectives of project risk management are to increase the probability and/or impact of positive risks and to decrease the probability and/or impact of negative risks, in order to optimize the chances of project success The Project Risk Management processes are: 11.1 Plan Risk Management—The process of defining how to conduct risk management activities for a project. 11.2 Identify Risks—The process of identifying individual project risks as well as sources of overall project risk, and documenting their characteristics. 11.3 Perform Qualitative Risk Analysis—The process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics. 11.4 Perform Quantitative Risk Analysis—The process of numerically analyzing the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives. 11.5 Plan Risk Responses—The process of developing options, selecting strategies, and agreeing on actions to address overall project risk exposure, as well as to treat individual project risks. 11.6 Implement Risk Responses—The process of implementing agreed-upon risk response plans. 11.7 Monitor Risks—The process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project. · Risks are considered uncertainties in a project. You may or may not know what will happen if a risk occurs, but it's important to identify risks as early as possible so the team can decide how to handle them and request risk reserves in case they happen. · Risks can affect a project negatively or positively. · The intent of risk management is to increase the chance of positive risks and reduce the impact of negative risks. It's important to identify the impact of individual risks as well as the overall project risk, which might come from a collection of individual risks. · Organizations now need to expand their focus from not only capturing event-based risks like the substandard quality of a vendor to tracking non-event risks. These fall into four categories: 1. The first is variability risk, which looks at uncertainty in a planned event like there being more errors than expected or production is below target. 2. The second is ambiguity risk - This is about what might be uncertain in the future. An example could be the complexity in the project. 3. The third is project resilience, which deals with how well a project can bounce back from unknown risks. The project team might include extra contingency reserves for unknown risks and be flexible if they do happen. 4. The last is integrated risk management - This goes beyond the project into the program or portfolio. These types of risks need to be looked at collectively so the organization can plan for them. · Here you can see this knowledge area has a lot of ITTOs, 21 to be exact. Instead of trying to memorize all of them, I recommend understanding how the processes flow into each other and which ones make sense for each process. As you can see, there is a lot involved in risk management. It's one of the biggest knowledge areas we'll cover. You'll want to pay special attention to this chapter so you don't end up with a risk that shuts down your project.
Example of Definitions for Probability and Impact
· There's definitions of risk probability and impacts, which can be seen here: -You set these parameters for your team and define them so they know how to categorize risks. -These definitions can then be used in the Proability & impact matrix with scoring scheme It shows how probable a risk is to happen, and what the impact to the project would be if it does
11.6 Implement Risk Responses
· is the process of implementing agreed-upon risk response plans. · The key benefit of this process is that it ensures that agreed-upon risk responses are executed as planned in order to address overall project risk exposure, minimize individual project threats, and maximize individual project opportunities. · This process is performed throughout the project. · Once you have a response plan in place for all identified risks, you might be wondering, what comes next? Well, you'd think that's an easy answer. What generally happens is that project teams spend a lot of time developing a plan, but then they don't execute it. And this, surprisingly, adds more risk to the project. · The implement risk responses process falls under the executing process group and it does exactly what it says. You execute the strategies in place for each risk. Inputs: · The first key inputs are the risk management plan, the risk register, and risk report. Each of these documents provide details about the risks under consideration. · The remaining inputs are the lessons learned register, and OPAs. Tools & Techniques: · One main tool and technique is influencing. The project manager should use their influence to get stakeholders to take action on a risk if it happens. · Another is talking with experts to validate or modify risk responses based on their feedback. · The last tool and technique is the PMIS. Outputs: · The outputs are change requests and project documents updates. · As you can see, this process is a fairly easy one to follow. By executing the plan developed by the team, this ensures the project team will be better prepared for risks if they happen.
