Chapter 7: Managing Risk

In practice, most change management systems are designed to accomplish the following:

(1) Identify proposed changes, (2) list expected effects of proposed change(s) on schedule and budget, (3) review, evaluate, and approve or disapprove changes formally, (4) negotiate and resolve conflicts of change, conditions, and cost, (5) communicate changes to parties affected, (6) assign responsibility for implementing change, (7) adjust master schedule and budget, (8) track all changes that are to be implemented

The Project management profession has identified 4 different types of response to an opportunity

(1) exploit, (2) share, (3) enhance, (4) accept

The (8) benefits derived from change control systems are the following:

(1) inconsequential changes are discouraged by the formal process, (2) costs of changes are maintained in a log, (3) integrity of the WBS and performance measures is maintained, (4) allocation and use of budget and management reserve funds are tracked, (5) responsibility for implementation is clarified, (6) effect of changes is visible to all parties involved, (7) implementation of change is monitored, (8) scope changes will be quickly reflected in baseline and performance measures

Most changes easily fall into 3 categories:

(1) scope changes in the form of design or additions represent big changes, (2) implementation of contingency plans, when risk events occur, represent changes in baseline costs and schedules, (3) improvement changes suggested by project team members represent another category; because change is inevitable, a well-defined change review and control process should be set up early in the project planning cycle

Accept

Accepting an opportunity is being willing to take advantage of it if it occurs, but not taking action to pursue it

Insurance

Another, more obvious way to transfer risk; however, in most cases, this is impractical because defining the project risk event and conditions to an insurance broker who is unfamiliar with the project is difficult and usually expensive; low-probability and high-consequence risk events are more easily defined and insured; performance bonds, warranties, and guarantees are other financial instruments used to transfer risk

Contingency Funds

Are established to cover project risks - identified and unknown; Changes in the supply of funds for the project can dramatically affect the likelihood of implementation or successful completion of a project; when, where, and how much money will be spent is not known until the risk event occurs

Testing and Prototyping

Are frequently used to prevent problems from surfacing later in a project; often identifying the root causes of an event is useful

Technical Risks

Are problematic; they can often be the kind that cause the project to be shut down

Budget Reserves

Are set up to cover identified risks; these reserves are those allocated to specific segments or deliverables of the project

Management Reserves

Are set up to cover unidentified risks and are allocated to risks associated with the total project

Risk Response Matrices

Are useful for summarizing how the project team plans to manage risks that have been identified; the first step is to identify whether to reduce, share, transfer, or accept the risk; the next step is to identify contingency plans in case the risk still occurs

One of the Keys to Success in Risk Identification is:

Attitude

Conditions for Activating the Implementation of the Contingency plan should be:

Decided and clearly documented; the plan should include a cost estimate and identify the source of funding; all parties affected should agree to the contingency plan and have authority to make commitments; because implementation of a contingency plan embodies disruption in the sequence of work, all contingency plans should be communicated to team members so that surprise and resistance are minimized

Risk Register

Details all identified risks, including descriptions, categories, and probability of occurring, impact, responses, contingency plans, owners, and current status

The Quality and Credibility of the Risk Analysis Process require that:

Different levels of risk probabilities and impacts be defined; these definitions vary and should be tailored to the specific nature and needs of the project

Keys to a Successful Change Control Process:

Document, document, document!

A second key for controlling the costs of risks is:

Documenting responsibility; this can be problematic in projects involving multiple organizations and contractors; responsibility for risk is frequently passed on to others with the statement; each identified risk should be assigned (or shared) by mutual agreement of the owner, project manager, and the contractor or person having line responsibility for the work package or segment of the project

Failure Mode and Effects Analysis (FMEA)

Extends the risk severity matrix by including ease of detection in the equation: impact x probability x detection = risk value

Example of a Cost Risk

If inflation has been running about 3%, some managers add 3% for all resources used in the project; this lump-sum approach does not address exactly where price protection is needed and fails to provide for tracking and control

On large complex projects:

It may be wise to repeat the risk identification/assessment exercise with fresh information; risk profiles should be reviewed to test to see if the original responses held true

Project Control depends heavily on:

Keeping the change control process current

Good Risk Profiles

Like RBSs. are tailored to the type of project in question; they are organization specific; risk profiles recognize the unique strengths and weaknesses of the firm; risk profiles address both technical and management risks; are usually generated and maintained by personnel from the project office; they are updated and refined during the postproject audit; these profiles, when kept up to date, can be a powerful resource in the risk management process; the collective experience of the firm's past projects resides in their questions

Step 2: Risk Assessment

Managers have to develop methods for sifting through the list of risks, eliminating inconsequential or redundant ones and straying worthy ones in terms of importance and need for attention

Project Managers need to:

Monitor risks just like they track project progress; risk assessment and updating needs to be part of every status meeting and progress report system; the project team needs to be on constant alert for new, unforeseen risks; management needs to be sensitive that others may not be forthright in acknowledging new risks and problems; admitting that there might be a bug in the design code or that different components are not compatible reflects poorly on individual performance; they need to establish an environment in which participant feel comfortable raising concerns and admitting mistakes; the norm should be that mistakes are acceptable, hiding mistakes is intolerable

Examples of reducing the probability of risks occurring are:

Scheduling outdoor work during the summer months, investing in up-front safety training, and choosing high-quality materials and equipment; an alternative mitigation strategy is to reduce the impact of the risk if it occurs

Risk Identification Process

Should not be limited to just the core team; input from customers, sponsors, subcontractors, vendors, and other stakeholders should be solicited; relevant stakeholders can be formally interviewed or included on the risk management team; not only do these players have a valuable perspective, but by involving them in the risk management process they also become more committed to project success

PERT (program evaluation and review technique)

Simulation assumes a statistical distribution (range between optimistic and pessimistic) for each activity duration; it then simulates the network using a random number generator; the outcome is the relative probability, called a criticality index, of an activity becoming critical under the many different, possible activity durations for each activity; PERT simulation also provides a list of potential critical paths and their respective probabilities of occurring; having this information available can greatly facilitate identifying and assessing schedule risk

4 Steps in the Risk Management Process

Step 1: Risk Identification, Step 2: Risk Assessment. Step 3: Risk Response Development, Step 4: Response Control

A Key Distinction between a Risk Response and a Contingency Plan is:

That a response is part of the actual implementation plan and action is taken before the risk can materialize, while a contingency plan is not part of the initial implementation plan and only goes into effect after the risk is recognized

Risk Management Process

The chances of a risk event occurring (e.g. an error in time estimates, cost estimates, or design technology) are greatest during the early stage of a project; this is when uncertainty is highest and many questions remain unanswered; as the project progresses toward completion, risk declines as the answers to critical issues are resolved; the cost impact of a risk event, however, increases over the life of the project

Scenario Analysis

The easiest and most commonly used technique for analyzing risks; team members assess the significance of each risk event in terms of: probability of the event and impact of the event; risks need to be evaluated in terms of the likelihood the event is going to occur and the impact or consequences of its occurrence

RBS

The focus at the beginning should be on risks that can affect the whole project as opposed to a specific section of the project or network; after the macro risks have been identified, specific areas can be checked; an effective tool for identifying specific risks is the work breakdown structure; use of the RBS reduces the chance a risk event will be missed; on large projects, multiple risk teams are organized around specific deliverables and submit their risk management reports to the project manager

The Yellow Zone

The moderate risk; extends down the middle of the matrix; priority follows red zone risks

Enhance

The opposite of mitigation, in that action is taken to increase the probability and/or the positive impact of an opportunity

Build-Own-Operate-Transfer (BOOT)

The prime project organization is expected not only to build the facility, but also to take over ownership until its operation capacity has been proven and all the debugging has occurred before final transfer of ownership to the client

Step 1: Risk Identification

The risk management process begins by trying to generate a list of all the possible risks that could affect the project; typically the project manager pulls together, during the planning phase, a risk management team considering of core team members and other relevant stakeholders; the team uses brainstorming and other problem identifying techniques to identify potential problems; participants are encouraged to keep an open mind and generate as many probable risks as possible; during the assessment phase, participants will have a chance to analyze and filter out unreasonable risks

The Sources of Project Risks are Unlimited

There are external sources, such as inflation, market acceptance, exchange rates, and government regulations; in practice, these risk events are often referred to as "threats" to differentiate them from those that are not within the project manager's or team's responsibility area; such external risks are usually considered before the decision to go ahead with the project; however, external risks are extremely important and must be addressed

Step 4: Risk Response Control

Typically, the results of the first 3 steps of the risk management process are summarized in a formal document often called the risk register; the register is the backbone for the last step in the risk management process: risk control

Change Request Forms and Logs

Used to track proposed changes; change request forms include a description of the change, the impact of not approving the change, the impact of the change on project scope/schedule/cost, and defined signature paths for review as well as tracking log number

The Contingency Plan answers the question of:

What, where, when, and how much action will take place

The Absence of a Contingency Plan

When a risk event occurs, can cause a manger to delay or postpone the decision to implement a remedy

Step 3: Risk Response Development

When a risk is identified and assessed, a decision must be made concerning which response is appropriate for the specific event; responses to risk can be classified as mitigating, avoiding, transferring, or retaining

The Matrix

Often organizations find it useful to categorize the severity of different risks into some form of risk assessment matrix; the matrix is typically structured around the impact and likelihood of the risk event; the matrix is divided into red, yellow, and green zones representing major, moderate, and minor risks, respectively

Schedule Risks

Often organizations will defer the threat of a project coming in late until it surfaces; here, contingency funds are set aside to expedite or "crash" the project to get it back on track

Risk Breakdown Structures (RBSs)

Organizations use these in conjunction with work breakdown structures (WBSs) to help management teams identify and eventually analyze risks

Transferring Risk

Passing risk to another party is common; this transfer does not change risk; passing risk to another party always results in paying a premium for this exemption; Fixed price contracts are the classic example of transferring risk from an owner to a contractor; clearly identifying and documenting responsibility for absorbing risk is imperative

On Cost Sensitive Projects

Price risks should be evaluated item by item; some purchases and contracts will not change over the life of the project; those that may change should be identified and estimates made of the magnitude of change; this approach ensures control of the contingency funds as the project is implemented

Cost Risks

Projects of long duration needs some contingency for price changes - which are usually upward; the important point to remember when reviewing price, is to avoid the trap of using one lump sum to cover rice risks

Risk Severity Matrix

Provides a basis for prioritizing which risks to address

Crashing

Reducing project duration; is accomplished by shortening (compressing) one or more activities on the critical path; this comes with additional costs and risk; some contingency plans can avoid costly procedures

Mitigating Risk

Reducing risk is usually the first alternative considered; there are two strategies for mitigating risk: (1) reduce the likelihood that the event will occur and/or (2) reduce the impact that the adverse event would have on the project; most risk teams focus first on reducing the likelihood of risk events since, if successful, this may eliminate the need to consider the potentially costly second strategy

The Contingency Plan

Represents actions that will reduce or mitigate the negative impact of the risk event

Change Management Systems

Involve reporting, controlling, and recording changes to the project baseline; some organizations consider change control systems part of configuration management

Risk Control

Involves executing the risk response strategy, monitoring triggering events, initiating contingency plans, and watching for new risks; establishing a change management system to deal with events that require formal changes in the scope, budget, and/or schedule of the deal with events that require formal changes in the scope, budget, and/or schedule of the project is an essential element of risk control

Risk Management

Is a proactive approach rather than reactive; it is a preventive process designed to ensure that surprises are reduced and that negative consequences associated with undesirable events are minimized; it also prepares the project manager to take action when a time, cost, and/or technical advantage is possible; successful management of project risk gives the project manager better control over the future and can significantly improve chances of reaching project objectives on time, within budget, and meeting required technical (functional) performance

One Common Mistake that is made early in the Risk Identification Process

Is to focus on objectives and not on the events that could produce consequences; only by focusing on actual events can potential solutions be found

Risk Profile

A list of questions that address traditional areas of uncertainty on a project; these questions have been developed and refined from previous, similar projects

Change Control Management

A major element of the risk control process is change management; every detail of a project will not materialize as expected; coping with and controlling project changes present a formidable challenge for most project managers; changes come from many sources such as the project customer, owner, project manager, team members, and occurrence of risk events

Risk Management

A risk has a cause and, if it occurs, a consequence; some potential risk events can be identified before the project starts - such as equipment malfunction or change in technical requirements; risks can be anticipated consequences, like schedule slippages or cost overruns; risk management attempts to recognize and manage potential and unforeseen trouble spots that may occur when the project is implemented; risk management identifies as many risk events as possible (what can go wrong), minimizes their impact (what can be done about the event before the project begins), manages responses to those events that do materialize (contingency plans), and provides contingency funds to cover risk events that actually materialize

Time Buffers

Amounts of time used to compensate for unplanned delays in the project schedule; buffers are added to: (1) activities with severe risks, (2) merge activities that are prone to delays due to one or more preceding activities being late, (3) noncritical activities to reduce the likelihood that they will create another critical path, (4) activities that require scarce resources to ensure that the resources are available when needed

Contingency Plan

An alternative plan that will be used if a possible foreseen risk event becomes a reality

Opportunity

An event that can have a positive impact on project objectives; opportunities are identified, assessed in terms of likelihood and impact, responses are determined, and even contingency plans and funds can be established to take advantage of the opportunity if it occurs

Risk

An uncertain event or condition that, if it occurs, has a positive or negative effect on project objectives

Impact Scales

Can be a bit more problematic since adverse risks affect project objectives differently; because impact ultimately needs to be assessed in terms of project priorities, different kinds of impact scales are used; some scales may simply use rank-order descriptors, such as low, moderate, high, and very high, whereas others use numeric weights (e.g. 1-10); some may focus on the project in general while others focus on specific project objectives; the risk management team needs to establish up front what distinguished a 1 from a 3 or moderate impact from severe impact; impact scales could be defined given the project objectives of cost, time, scope, and quality

Postponement

Can lead to to panic, and acceptance of the first remedy suggested; such after-the-event decision making under pressure can be potentially dangerous and costly; contingency planning evaluates alternative remedies for possible foreseen events before the risk event occurs and selects the best plan among alternatives; this early contingency planning facilitates a smooth transition to the remedy or work-around plan; the availability of a contingency plan can significantly increase the chances for project success

The Green Zone

Centered on the bottom left corner; low impact/low likelihood; risks are typically considered inconsequential and ignored unless their status changes

The Red Zone

Centered on the top right corner of the matrix; high impact/high likelihood; means major risks; extends farther down the high impact column; receive first priority

Documentation of Scenario Analyses can be seen in Various Risk Assessment forms used by companies

In addition to evaluating the severity and probability of risk events the team also assesses when the event might occur and its detection difficulty; detection difficulty is a measure of how easy it would be to detect that the event was going to occur in time to take mitigating action, that is, how much warning would we have?

Accepting Risk

In some cases a conscious decision is made to accept the risk of an event occurring; some risks are so large it is not feasible to consider transferring or reducing the event (e.g., an earthquake or flood); the project owner assumes the risk because the chance of such an event occurring is slim; in other cases, risk identified in the budget reserve can simply be absorbed if they materialize; the risk is retained by developing a contingency plan to implement if the risk materializes; the more effort given to risk response before the project begins, the better the chances are for minimizing project surprises; knowing that the response to a risk event will be retained, transferred, or mitigated greatly reduces stress and uncertainty

The Major Exception between managing negative risks and opportunity is:

In the responses

Avoiding Risk

Risk avoidance is changing the project plan to eliminate the risk or condition; although it is impossible to eliminate all risk events, some specific risks may be avoided before you launch the project

Probability Analysis

There are many statistical techniques available to the project manager that can assist in assessing project risk, PERT (program evaluation can review technique) and PERT simulation can be used to review activity and project risk; PERT and related techniques take a more macro perspective by looking at overall cost and schedule risks; here the focus is not on individual events but on the likelihood the project will be completed on time and within budget; these methods are useful in assessing the overall risk of the project and the need for such things as contingency funds, resources, and time; the use of PERT simulation is increasing because it uses the same data required for PERT, and software to perform the simulation is readily available

Share

This strategy involves allocating some or all of the ownership of an opportunity to another party who is best able to capture the opportunity for the benefit of the project

Exploit

This tactic seeks to eliminate the uncertainty associated with an opportunity to ensure that it definitely happens