Chapter 11 - Risk Management
by comparing the amount of the contingency reserves remaining to the amount of risk remaining to ensure the reserve is adequate
reserve analyses
Updates should include a list of identified risks, potential risk owners, and list of potential risk responses Each risk may include details such as risk titles, categories, status, causes, objective effects, triggers (events or conditions), WBS reference, and timing information
risk Register
Eliminate the threat by eliminating the cause
Avoid:
Increase the probability of the positive opportunities
Enhance:
Determine to whom to communicate the opportunity and relevant details
Escalate:
Determine to whom to communicate the threat and relevant details
Escalate:
Strategies for Threats
Escalate: Avoid: Transfer: Mitigate: Accept:
1. Project Management Plan (many) 2. Project Documents (many) 3. Agreements 4. Procurement Documentation 5. Enterprise Environmental Factors 6. Organizational Process Assets
Identify Risks -i
Risk management planning Identification of risk Analysis (qualitative and quantitative) Risk Response planning Implement Risk Responses Monitoring risks Goals of Risk Management: Exploit or enhance positive risks (opportunities) Avoid or mitigate negative risks (threats)
Key Concepts
An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives Project objectives can include scope, schedule, cost and quality
Individual Project Risk
Represents a project or situation within the project as a set of entities, outcomes, and influences Example: S-curves and tornado diagrams
Influence Diagrams
A coordinated approach to enterprise-wide risk management ensures alignment and coherence in the way risk is managed across all levels
Integrated risk management:
Effect of uncertainty on the project as a whole, arising from all sources of uncertainty including individual risks, representing the exposure of stakeholders to the implications of variations in project outcome, both positive and negative
Overall Project Risk:
Reduce the probability or consequence of an adverse risk
Mitigate:
The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project. This process can involve choosing alternative strategies, executing contingency plans, taking corrective action and modifying the project management plan Risk response owners report periodically to the project manager on the plan Updating organizational assets, including lessons learned
Monitor Risks
1. Project Management Plan 2. Risk Management Plan 3. Project Documents Issue Log Lessons Learned Register Risk Register Risk Report 4. Work Performance Data 5. Work Performance Reports
Monitor Risks - i
1. Work Performance Information 2. Change Requests 3. Project Management Plan Updates (Many) 4. Project Document Updates Assumption Log Issue Log Lessons Learned Register Risk Register Risk Report 5. Organizational Process Assets Updates
Monitor Risks - o
1. Data Analysis Technical Performance Analysis Reserve Analysis 2. Audits 3. Meetings
Monitor Risks - t
Organizational risk policy Roles and responsibilities Includes risk categories and risk statement formats Templates: Risk management plan Risk Register Risk Report Lessons Learned
Organizational Process Assets
Hierarchical representation of potential sources of risk Helps the project team consider the full range of sources from which individual risks may arise
Risk Breakdown Structure (RBS)*
Risks can be categorized by sources of risk, area of the project affected, or other useful categories specific to the project Used to determine the areas of the project most exposed to the effect of uncertainty
Risk Categorization
Technique to evaluate the degree to which the data about risks is accurate and reliable
Risk Data Quality Assessment
Helps to determine which individual project or other sources of uncertainty risks have the most impact on project outcomes by reviewing how variation in project objectives effect variation in different uncertainties Example: Tornado diagram
Sensitivity analysis
Allocating some or all of the ownership of the opportunity to a third party who is best able to capture the opportunity for the benefit of the project
Share:
Comparison of characteristics and requirements of alternative risk response options
Alternative Analysis:
Being willing to take advantage of it if it comes along, but not actively pursuing it
Accept:
Do nothing
Accept:
High-variability environments incur more uncertainty and risk. To address this, use adaptive approaches including frequent reviews of incremental work products and cross-functional teams to accelerate knowledge Requirements are living documents that are updated regularly and may necessitate the re-prioritizing of work as the project progresses based on an improved understanding of current risk exposure
Agile/adaptive environments
May consider urgency, proximity, dormancy, manageability, controllability, detectability, connectivity, detectability, connectivity, strategic impact, or propinquity (degree to which a risk is perceived)
Assessment of other Risk Parameters
Examine and document the effectiveness of risk responses in dealing with identified risks and their root causes, as well as the effectiveness of the risk management process The project manager is responsible for ensuring that risk audits are done at appropriate intervals
Audits
Responses designed only if certain events occur, often called contingency plans or fallback plans These events should be defined and tracked
Contingent Response Strategies
Quantify impacts and responses in monetary terms and utilize the ratios to determine effective responses
Cost-Benefit Analysis:
Interviews and other information gathering techniques
Data Gathering
Support selection of the best of several alternative courses of action
Decision Tree Analysis
Used to make decisions regarding individual risk where there is uncertainty Used to gather alternatives in risk response planning Help make informed decisions by accounting for risk, probability, and impact Takes into account future events in trying to make a decision today Can be used to calculate the expected monetary value Involves mutual exclusivity
Decision Tree Analysis
Uncertainty or ambiguity in project documents, as well as inconsistencies within a document or between different documents, may be indicators of risk on the project
Document analysis:
Eliminates the uncertainty of a positive risk not occurring
Exploit:
Used when risk have more than two parameters
Hierarchical Charts
The process of identifying individual project risks as well as sources of overall project risk, and documenting their characteristics. To ensure a complete and accurate risk register to increase the probability/impact of positive events and decrease the probability/impact of negative events leading to overall project success. is an iterative process as risks may evolve or become known as the project progresses All project personnel should be encouraged to identify risks, with key identifiers being project manager, project team, and other stakeholders
Identify Risks
1. Risk Register 2. Risk Report 3. Project document updates Assumption Log Issue Log Lessons learned Register
Identify Risks - o
1. Expert Judgment 2. Data Gathering Brainstorming Checklists Interviews 3. Data Analysis Root cause analysis Assumption and constraint analysis SWOT analysis Document analysis 4. Interpersonal and Team Skills Facilitation 5. Prompt Lists 6. Meetings
Identify Risks - tool
Implementing the agreed-upon risk response plans to the identified threats and opportunities to the project. Addresses risk exposures by mitigating threats and maximizing opportunities, After identifying and analyzing various risks, potentially applicable risk responses are developed, action is taken
Implement Risk Responses
1. Project Management Plan Risk Management Plan 2. Project Documents Lessons Learned Register Risk Register Risk Report 3. Organizational Process Assets
Implement Risk Responses - i
1. Change Requests 2. Project Document Updates Issue Log Lessons Learned Register Project Team Assignments Risk Register Risk Report
Implement Risk Responses - o
1. Expert Judgment Interpersonal and Team Skills Influencing 2. Project Management Information System
Implement Risk Responses - t
Includes but is not limited to facilitation as a skilled facilitator can help participants remain focused on the risk identification task, ensure clear risk descriptions, identify and overcome sources of bias, and resolve any disagreements that may arise
Interpersonal and Team Skills
The process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics. The process should be revisited during the project's life style In an agile development environment it is conducted before the start of each iteration This process is a lead in for performing quantitative analysis or planning risk responses Identifies a risk owner for each risk who will assume the risk responsibility
Perform Qualitative Risk Analysis
1. Project Management Plan Risk Management Plan 2. Project Documents Assumption Log Risk Register Stakeholder Register 3. Enterprise environmental factors 4. Organizational Process Assets
Perform Qualitative Risk Analysis - i
1. Project Documents Updates Assumption Log Issue Log Risk Register Risk Report
Perform Qualitative Risk Analysis - o
1. Expert Judgment 2. Data Gathering Interviews 3. Data Analysis Risk Data Quality Assessment Risk Probability and Impact Assessment Assessment of other risk parameters 4. Interpersonal and team skills Facilitation 5. Risk Categorization 6. Data Representation Probability and Impact Matrix Hierarchical charts 7. Meetings
Perform Qualitative Risk Analysis - t
The process of numerically analyzing the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives Used to analyze the effects of risk events Quantifies overall project risk exposure and can provide additional quantitative risk information to support risk response planning Usually used for large and complex projects as it usually requires specialized risk software such as risk models Performed on risk(s) that have been prioritized by qualitative risk analysis
Perform Quantitative Risk Analysis
1. Project Management Plan Risk Management Plan Scope Baseline Schedule Baseline Cost Baseline 2. Project Documents (many) 3. Enterprise Environmental Factors 4. Organizational Process Assets
Perform Quantitative Risk Analysis -i
1. Project Documents Updates Risk Report
Perform Quantitative Risk Analysis -o
1. Expert Judgment 2. Data Gathering Interviews 3. Interpersonal and team skills Facilitation 4. Representations of uncertainty 5. Data Analysis Simulations Sensitivity Analysis Decision Tree Analysis Influence Diagrams
Perform Quantitative Risk Analysis -t
The process of defining how to conduct risk management activities for a project. Planning is important to ensure sufficient resources and time are allocated to addressing risks throughout the project. This process should begin as the project is conceived and should be completed early during project planning May be necessary to revisit this process later in the project life cycle, for example: At a major phase change If the project scope changes significantly Subsequent review of risk management effectiveness determines that the Project Risk Management process requires modification
Plan Risk Management
What is the risk management process?
Plan Risk Management Identify Risks Perform Qualitative Risk Analysis Perform Quantitative Risk Analysis Plan Risk Responses Implement Risk Response Monitor Risk
1. Project Charter 2.Project Management Plan (All) 3. Project Documents 4.Stakeholder Register 5. Enterprise Environmental Factors 6. Organizational Process Assets
Plan Risk Management - INPUTS
Risk Management Plan
Plan Risk Management - output
1. Expert Judgment 2. Data analysis Stakeholder Analysis 3. Meetings
Plan Risk Management - tools
The process of developing options, selecting strategies, and agreeing on actions to address overall project risk exposure, as well as to treat individual project risks. Improves projects performance by minimizing threats, maximizing individual opportunities, and reducing overall project risk exposure. Addresses the risks by their priority, inserting resources and activities into the budget, schedule and project management plan as needed Risk responses must be appropriate to the significance of the risk Risk responses must be timely May utilize the contingency reserve established for the project
Plan Risk Responses
1. Project Management Plan Resource Management Plan Risk Management Plan Cost Baseline 2, Project Documents Lessons Learned Register Project Schedule Project Team Assignments Resource Calendars Risk Register Risk Report Stakeholder Register 3. Enterprise Environmental Factors 4. Organizational Process Assets
Plan Risk Responses - i
1. Change Requests 2. Project Management Plan Updates (Many) 3. Project Documents Updates (Many)
Plan Risk Responses - o
1. Expert Judgment 2. Data Gathering Interviews 3. Interpersonal and Team Skills Facilitation 4. Strategies for Threats 5. Strategies for Opportunities 6. Contingent Response Strategies 7. Strategies for Overall Project Risk 8. Data Analysis Alternatives Analysis Cost-benefit Analysis 9. Decision Making Multicriteria Decision Analysis
Plan Risk Responses - t
A grid for mapping the probability of each risk occurrence and its impact on project objectives if that risk occurs Used to sort risks that require a response Consistent evaluation of low, medium, and high risks Use of a standard matrix makes the risk rating process repeatable between projects
Probability and Impact Matrix*
Specifies combinations of probability and impact that allow individual project risks to be divided into priority groups
Probability and impact matrix :
Processes of conducting risk management planning, identification, analysis, response planning, response implementation, and monitoring risk on a project
Project Risk Management
Emergent risks, unknowable-unknowns, can be tackled through resilience Budget Flexible project processes Empowered project teams Frequent review of early warning signs Clear input from stakeholders to clarify areas where project scope or strategy can be adjusted
Project resilience:
Predetermined list of risk categories that might give rise to individual project risks and that could also act as sources of overall project risk
Prompt Lists
Uncertainty can be scaled through models such as triangular, normal, lognormal, beta, uniform, or discrete distributions Individual project risks may be included in models as probabilistic branches where optional activities are added to the model to represent the time and/or cost impact
Representations of Uncertainty
A subsidiary plan that is part of the Project Management Plan Describes how risk management will be structured and performed on the project This document is key to risk management and includes: Risk strategy Methodology Roles and responsibilities Funding Timing Risk categories: Risk breakdown structure Probability and impact matrix Revised stakeholders' tolerances Reporting formats and tracking
Risk Management Plan
Considers likelihood that a specific risk (threat or opportunity) will occur and its potential effect on the project objectives such as schedule, cost, quality, or performance
Risk Probability and Impact Assessment
Identified risks (threats and opportunities) Root causes of risks Lists of potential responses Risk owners Symptoms and warning signs The relative rating or priority list of project risks Risks requiring responses in the near term Risks for additional analysis and response Trends in qualitative analysis results A watch list, which is a list of low priority risks
Risk Register Details
Overall project risk inclusive of individual project risks
Risk Report:
used to discover underlying causes that lead to a problem Assumption and constraint analysis: explores the validity of assumptions and constraints to determine which pose a risk to the project
Root cause analysis:
Examines strengths, weaknesses, opportunities, and threats perspectives to increase the breadth of identified risk by including internally generated risks Examines the degree to which organizational strengths offset threats, as well as identifying opportunities that may serve to overcome weaknesses
SWOT analysis
Models translate the specified detailed uncertainties of the project into their potential impact on its objectives by computing the model using random values multiple times Example: Monte Carlo analysis
Simulation
Project size Project complexity Project importance Development—Sequential or iterative?
Tailoring considerations
compares technical accomplishments during project execution to the project managements plan's schedule of technical achievement Compare the planned results to the actual results of variance analysis
Technical performance analysis
Make another party responsible for the risk (e.g., Insurance, warranties, outsourcing)
Transfer:
Non-event risks: Most projects focus only on specific events but non-event risks may include: Variability Risk: Uncertainty exists about some key characteristics of a planned event, activity or decision. Ex. productivity at or below targeted levels, or unseasonal weather may occur during construction Can be addressed by using Monte Carlo analysis Ambiguity risk: Uncertainty about what may happen in the future Managed by defining areas where there is a deficit of knowledge or understanding and obtaining expert external input or benchmarking against best practices May also be addressed through incremental development, prototyping, or simulation
Trends/Emerging Practices
Assessment of overall project risk exposure Detailed probabilistic analysis of the project Prioritized list of quantified risks Trends in quantified risk analysis results Recommended risk responses
Updates are made to the risk report to reflect the results of the quantitative risk analysis process and can include:
Prioritized risks with Probability and Impact Ratings Risks grouped by categories List of risks requiring additional analysis/response Nominated risk owners Risk urgency information or categorization Watch-list, non-critical or non-top risks
Updates to the risk register should include: