IT PM Chapter 11: Project Risk Management
State the 2 tools for qualitative risk analysis
1. Probability/impact matrix 2. Top Ten Risk Item Tracking Technique
Identifying Risks is one of the 7 main processes of project risk management. State the 3 Outputs of Identifying Risks
1. Risk Register 2. Risk Report 3. Updates to Project Documents
Planning Risk Management is one of the 7 main processes of project risk management. State the 1 Output of Planning Risk Management
1. Risk management plan
Planning Risk Responses is one of the 7 main processes of project risk management. State the main strategies tool/techniques used in Planning Risk Responses
1. Strategies for threats 2. Strategies for opportunities 3. Contingent response strategies 4. Strategies for overall project risk
Define Decision Tree Analysis Define Estimated Monetary Value (EMV) + ITTO for risk management
A diagramming analysis technique used to help select the best course of action in situations in which future outcomes are uncertain. Estimated monetary value (EMV) is a common application of decision tree analysis. - EMV is the product of a risk event probability and the risk event's monetary value. - You can draw a decision tree to help find the EMV (shown in image) It is a tool/technique used in the performing quantitative risk analysis process.
Define Risk Register + what are risk events? + ITTO for risk management
A document that contains a list of identified potential risk events and related information. - contains the results of various risk management processes and that is often displayed in a table or spreadsheet format Risk events refer to specific, uncertain events that may occur to the detriment or enhancement of the project. - e.g. negative risk event = performance failure of a product - e.g. positive risk event = completing work sooner or cheaper than planned. It is a direct output of the identifying risks process.
Define Brainstorming + ITTO for risk management
A group attempts to generate ideas or find a solution for a specific problem by amassing ideas spontaneously and without judgment. - This approach can help the group create a comprehensive list of risks to address later during qualitative and quantitative risk analysis. - an experienced facilitator should run the brainstorming session. After the ideas are collected, the facilitator can group and categorize the ideas to make them more manageable. It is a tool/technique used in the identifying risks process.
Define risk breakdown structure
A hierarchical chart of potential risk categories for a project. - the risk breakdown structure provides a simple, one-page chart to help ensure that a project team considers important risk categories related to all IT projects In image: a risk breakdown structure - notice that a major category is project management. Risks are associated within each knowledge area.
Define watch list
A list of risks that have low priority but are still identified as potential risks.
Define Risk Management Review
A meeting that keeps management and the customer (if included) aware of major influences that could prevent or enhance the project's success. - it also allows the project team to consider alternative strategies for addressing risks. - the review also promotes confidence in the project team by showcasing awareness of significant risks and assurance that strategies are in place. - a Top Ten Risk Item Tracking chart could be used at a risk management review meeting for a project.
Describe Top Ten Risk Item Tracking + what is a watch list? + ITTO for risk management
A qualitative risk analysis tool that helps to identify risks and maintain an awareness of risks throughout the life of a project by helping to monitor risks - involves establishing a periodic review of the top ten project risk items - includes the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item A watch list is a list of risks that are low priority, but are still identified as potential risks - Qualitative analysis can also identify risks that should be evaluated quantitatively It is a tool/technique used in the performing qualitative risk analysis process.
How is project risk management different in agile/adaptive environments vs. traditional environments.
High-variability environments, by definition, incur more uncertainty and risk. - to address this, projects managed using adaptive approaches make use of frequent reviews of incremental work products and cross-functional project teams to accelerate knowledge sharing and ensure that risk is understood and managed Risk is considered during each iteration for agile/adaptive projects, which does elevate its importance - it is considered when selecting the content of each iteration - they are identified, analyzed, and managed during each iteration Changing priorities can be addressed more easily by changing the product backlog for each iteration
Define Integrated Risk Management
In addition to addressing tactical and negative risks when performing project risk management, strategic risks and upside opportunities are also considered.
Define Risk Triggers
Indicators or symptoms of actual risk events. - e.g. cost overruns on early activities may be symptoms of poor cost estimates. - e.g. defective products may be symptoms of a low-quality supplier.
Out of the 4 listed industry groups, which group had the lowest maturity rating for risk management? - engineering and construction - telecommunications - information systems/software development - high-tech manufacturing.
Information systems/software development
Describe known risks vs. unknown risks
Known risks Risks that the project team has identified and analyzed, and therefore can be individually managed. Unknown risks Risks that have not been identified and analyzed, and therefore cannot be managed.
Lists of common risk conditions in ___ can be helpful in identifying risks.
Lists of common risk conditions in project management knowledge areas can be helpful in identifying risks.
Many organizations develop their own risk questionnaires, which include broad categories of risks. Describe the following categories of risk: Market risk Financial risk Technology risk People risk Structure/process risk
Market risk Concerned with the market uncertainties associated with creating new products/services. Financial risk Concerned with financial uncertainties in undertaking projects. Technology risk Concerned with the technological uncertainties with projects. People risk Concerned with whether the organization has people with appropriate skills Structure/process risk Concerned with the uncertainties related to business procedures and user groups.
___ involves monitoring the implementation of risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating the effectiveness of risk management throughout the entire project.
Monitoring risks involves monitoring the implementation of risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating the effectiveness of risk management throughout the entire project.
Monitoring Risks is one of the 7 main processes of project risk management. Describe Monitoring Risks + what are workarounds?
The process of ensuring the appropriate risk responses are performed, tracking identified risks, identifying and analyzing new risk, and evaluating effectiveness of risk management throughout the entire project. - Carrying out individual risk management plans involves monitoring risks based on defined milestones and making decisions regarding risks and their response strategies - Project teams sometimes use workarounds—unplanned responses to risk events—when they do not have contingency plans in place
Performing Quantitative Risk Analysis is one of the 7 main processes of project risk management. Describe Performing Quantitative Risk Analysis
The process of numerically estimating the effects of risks on project objectives.
State the 5 basic responses to negative risks
1. Avoidance 2. Acceptance 3. Transference 4. Mitigation 5. Escalation
List 5 common techniques used to identify risks
1. Brainstorming 2. Delphi technique 3. Interviewing 4. Root cause analysis 5. SWOT analysis
4 Tools/techniques for identifying risks are:
1. Brainstorming 2. Delphi technique 3. Interviewing 4. SWOT analysis
Implementing Risk Responses is one of the 7 main processes of project risk management. State the 2 Outputs of Implementing Risk Responses
1. Change Requests 2. Updates to Project Documents
Planning Risk Responses is one of the 7 main processes of project risk management. What are the 3 Outputs of Planning Risk Responses
1. Change Requests 2. Updates to Project Management Plan 3. Updates to Project Documents
Monitoring Risks is one of the 7 main processes of project risk management. State the 3 main tools/techniques used in monitoring risks
1. Data analysis 2. Audits 3. Meetings
Performing Quantitative Risk Analysis is one of the 7 main processes of project risk management. State the 3 main tool/techniques used in Performing Quantitative Risk Analysis
1. Decision Tree analysis 2. Simulation 3. Sensitivity analysis
State the 3 tools for quantitative risk analysis
1. Decision trees 2. Monte Carlo simulation 3. Sensitivity analysis
State the 5 basic response strategies for positive risks
1. Exploitation 2. Sharing 3. Enhancement 4. Acceptance 5. Esclation/Elevation
State the 7 Main Processes of Project Risk Management
1. Planning Risk Management - deciding how to approach and plan the risk management activities for the project 2. Identifying Risks - determining which risks are likely to affect a project and documenting the characteristics of each 3. Performing Qualitative Risk Analysis - prioritizing risks based on their probability and impact of occurrence 4. Performing Quantitative Risk Analysis - numerically estimating the effects of risks on project objectives 5. Planning Risk Responses - taking steps to enhance opportunities and reduce threats to meeting project objectives 6. Implementing Risk Responses - implementing the risk response plans 7. Monitoring Risks - monitoring identified and residual risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies throughout the life of the project
State the 7 processes of project risk management
1. Planning risk management 2. Identifying risks 3. Performing qualitative risk analysis 4. Performing quantitative risk analysis 5. Planning risk responses 6. Implementing risk responses 7. Monitoring risks
Performing Qualitative Risk Analysis is one of the 7 main processes of project risk management. State 3 main tool/techniques used in Performing Qualitative Risk Analysis
1. Probability/Impact Matrix - to produce a prioritized list of risks 2. Top Ten Risk Item Tracking - to produce an overall ranking for project risks and to track trends 3. Expert Judgment
Monitoring Risks is one of the 7 main processes of project risk management. State the 5 Outputs of Monitoring Risks
1. Work Performance Information 2. Change Requests 3. Updates to Project Management Plan 4. Updates to Project Documents 5. Updates to OPAs
Define SWOT analysis + ITTO for risk management
A analysis method designed to find: Strengths Weaknesses Opportunities Threats It is a tool/technique used in the identifying risks process. - helps identify the broad negative and positive risks that apply to a project
Define Risk Management Plan + ITTO for project risk management
A component of the project management plan that documents procedures for managing risk throughout a project. - it summarizes how risk management will be performed on a particular project. It is a direct output of the planning risk management process. - The project team should review project documents as well as corporate risk management policies, risk categories, lessons-learned reports from past projects, and templates for creating a risk management plan. - It is also important to review the risk tolerances of various stakeholders - for example, if the project sponsor is risk-averse, the project might require a different approach to risk management than if the project sponsor were a risk seeker.
Define Interviewing + ITTO for risk management
A fact-finding technique for collecting information in face-to-face, phone, e-mail, or virtual discussions - interviewing people with similar project experience is an important tool for identifying potential risks It is a tool/technique used in the identifying risks process.
A risk register is a tool for documenting potential ___ and related information.
A risk register is a tool for documenting potential risk events and related information.
Describe the Titanic Factor
An analysis of the interdependence of risks. - for example, the probability of one risk event occurring might change if another one materializes, and the response to one risk event might affect another
Define Root cause analysis + ITTO for risk management
An analysis to determine the root cause(s) of a problem. - Before suggesting courses of action, it is important to identify the root cause of a problem or opportunity. it is a tool/technique used in the identifying risks process.
Define Risk
An uncertainty that can have a negative or positive effect on meeting project objectives.
Describe the following additional plans that may be included in a risk management plan: Contingency plans Fallback plans Contingency reserves/allowances Management reserves
Contingency plans Predefined actions that the project team will take if an identified risk event occurs. Fallback plans Plans for risks that have a high impact on meeting project objectives, and are put into effect if attempts to reduce the risk are not effective. - the plan used if the contingency plans fail Contingency reserves/allowances Funds included in the cost baseline that can be used to mitigate cost or schedule overruns if known risks occur. Management reserves Funds held for unknown risks that are used for management control purposes. - they are not part of the cost baseline, but they are part of the project budget and funding requirements
___ uses decision trees to evaluate potential projects based on their expected value.
Expected monetary value (EMV) uses decision trees to evaluate potential projects based on their expected value.
True or False: All industries, especially the software development industry, tend to overestimate the importance of project risk management.
False All industries, especially the software development industry, tend to underestimate the importance of project risk management.
True or False: Psychology literature shows that brainstorming in small, face-to-face groups produces a greater number of ideas than individual people working alone.
False Psychology literature shows that individual people working alone produces a greater number of ideas than brainstorming in small, face-to-face groups. - Group effects, such as fear of social disapproval, the effects of authority hierarchy, and domination of the session by one or two vocal people, often inhibit idea generation for many participants.
True or False: Quantitative Risk Analysis should always follow Qualitative Risk Analysis
False Quantitative risk analysis often follows qualitative risk analysis, yet both processes can be done together or separately. - some project may only require qualitative risk analysis, skipping quantitative risk analysis altogether.
___ involves putting the appropriate risk response plans into action
Implementing risk responses involves putting the appropriate risk response plans into action
What Microsoft product is a common tool for performing quantitative risk analysis?
Microsoft Excel
What is PMI's certification for risk management?
PMI Risk Management Professional (PMI-RMP)
___ is the process of deciding how to approach risk management activities and plan for them in a project
Planning risk management is the process of deciding how to approach risk management activities and plan for them in a project
___ is a process in which the project team continually assesses what risks may negatively or positively affect the project, determines the probability of such events occurring, and determines the impact if such events occur
Project risk management is a process in which the project team continually assesses what risks may negatively or positively affect the project, determines the probability of such events occurring, and determines the impact if such events occur
When planning risk responses, it is also important to identify residual and secondary risks. Describe the two.
Residual risks Risks that remain after all of the response strategies have been implemented. Secondary risks Risks that emerge as a direct result of implementing a risk response.
Risk ___ means accepting the consequences of a risk if it occurs.
Risk acceptance means accepting the consequences of a risk if it occurs.
State and Describe the 5 basic response strategies for negative risks:
Risk avoidance Eliminating a specific threat, usually be eliminating its causes. - not all risks can be eliminated, but specific risk events can be. Risk acceptance Accepting the consequences if a risk occurs. Risk transference Shifting the consequence of a risk and responsibility for its management to a third party. Risk mitigation Reducing the impact of a risk event by reducing the probability of its occurrence. Risk escalation Notifying a higher level authority.
Risk ___ involves eliminating a specific threat or risk
Risk avoidance involves eliminating a specific threat or risk
Risk ___ is elevating the risk event to a higher-level authority.
Risk escalation is elevating the risk event to a higher-level authority
___ refer to specific, uncertain events that may occur to the detriment or enhancement of the project.
Risk events refer to specific, uncertain events that may occur to the detriment or enhancement of the project.
State and Describe the 5 basic response strategies for positive risks:
Risk exploitation Doing whatever you can to make sure the positive risk happens Risk sharing Allocating ownership of the risk to another party Risk enhancement Changing the size of the opportunity by identifying and maximizing key drivers of the positive risk Risk acceptance Abstaining from taking actions toward a risk, and accepting the outcomes. Risk escalation Notifying a higher level authority
___ is an uncertainty that can have a negative or positive effect on meeting project objectives.
Risk is an uncertainty that can have a negative or positive effect on meeting project objectives.
Studies show that companies have the lowest maturity rating for which knowledge area?
Risk management
Describe the difference between risk management and crisis management
Risk management focuses on risks to the project, no matter how big or small. Crisis management focuses on an obvious danger to the success of the project. - therefore, the crisis receives the intense interest of the entire project team.
Risk management is an ___, rather than a cost.
Risk management is an investment, rather than a cost. - costs are associated with identifying risks, analyzing those risks, and establishing plans to address them
Risk ___ is reducing the impact of a risk event by reducing the probability of its occurrence.
Risk mitigation is reducing the impact of a risk event by reducing the probability of its occurrence.
Define Risk Owner
The person who will take responsibility for the risk.
Planning Risk Responses is one of the 7 main processes of project risk management. Describe Planning Risk Responses
The process of taking steps to enhance opportunities and reduce threats to meeting project objectives. - After identifying and quantifying risks, the organization must decide how to respond to them.
Identifying Risks is one of the 7 main processes of project risk management. Describe Identifying Risks
The process of understanding what potential events might hurt or enhance a particular project. - it is important to identify risks early, but you must also continuously identify risks as the project changes.
Define Project Risk Management
The processes associated with identifying, analyzing, and responding to risk throughout the life of a project and in the best interests of meeting project objectives. - Risk management is often overlooked in projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimates
Define Simulation + ITTO for risk management
The use of a representation or model of a system to analyze its expected behavior or performance. - most simulations are based on some form of Monte Carlo analysis It is a tool/technique used in the performing quantitative risk analysis process.
After identifying risks, what is the next step?
Understand which risks are most important by performing qualitative risk analysis.
What are the main outputs of quantitative risk analysis?
Updates to project documents, such as the risk report and risk register.
What is the main output of qualitative risk analysis?
Updating the risk register.
Define Delphi Technique + ITTO for risk management
Used to derive a consensus among a panel of experts who make predictions about future developments - a systematic, interactive forecasting procedure based on independent and anonymous input regarding future events. - an approach to gathering information that helps prevent some of the negative group effects found - Uses repeated rounds of questioning and written responses and avoids the biasing effects possible in oral methods. It is an iterative technique that continues until the group responses converge to a specific solution. It is a tool/technique used in the identifying risks process.
___ is a quantitative risk analysis tool that uses a model of a system to analyze its expected behavior or performance. a. Simulation b. Sensitivity analysis c. Monte Carlo analysis d. EMV
a. Simulation
Your project involves using a new release of a common software application, but if that release is not available, your team has ___ plans to use the current release. a. contingency b. fallback c. reserve d. mitigation
a. contingency
A ___ risk is a document that contains results of various risk management processes, and is often displayed in a table or spreadsheet format. a. management plan b. register c. breakdown structure d. probability/impact matrix
b. register
A person who is risk-___ receives greater satisfaction when more payoff is at stake and is willing to pay a penalty to take risks. a. averse b. seeking c. neutral d. aware
b. seeking
Suppose there is a 30 percent chance that you will lose $10,000 and a 70 percent chance that you will earn $100,000 on a particular project. What is the project's estimated monetary value? a. −$30,000 b. $70,000 c. $67,000 d. −$67,000
c. $67,000 30% * -10,000 = -3000 70% * +100,000 = +70,000 +70,000 - 3000 = 67,000
Which risk management process involves prioritizing risks based on their probability and impact of occurrence? a. Planning risk management b. Identifying risks c. Performing qualitative risk analysis d. Performing quantitative risk analysis
c. Performing qualitative risk analysis
Which risk identification tool involves deriving a consensus among a panel of experts by using anonymous input regarding future events? a. Risk breakdown structure b. Brainstorming c. Interviewing d. Delphi technique
d. Delphi technique
___ is an uncertainty that can have a negative or positive effect on meeting project objectives. a. Risk utility b. Risk tolerance c. Risk management d. Risk
d. Risk
___ are indicators or symptoms of actual risk events, such as a cost overrun on early activities being a symptom of poor cost estimates. a. Probabilities b. Impacts c. Watch list items d. Trigger
d. Trigger
IT projects often involve several risks, including: lack of user ___ lack of ___ support ___ requirements poor ___
lack of user involvement lack of executive management support unclear requirements poor planning
Describe Monte Carlo Analysis + ITTO for risk management
A simulation technique that simulates a model's outcome many times to provide a statistical distribution of the calculated results. It can help reduce schedule risk on projects. - for example, Monte Carlo analysis can determine that a project will finish by a certain date only 10 percent of the time, and determine another date for which the project will finish 50 percent of the time. Steps of a Monte Carlo Analysis: 1. Collect the most likely, optimistic, and pessimistic estimates for the variables in the model 2. Determine the probability distribution of each variable 3. Select a random value based on the probability distribution for each variable 4. Run a deterministic analysis or one pass through the model 5. Repeat steps three and four many times to obtain the probability distribution of the model's results It is a tool/technique used in the performing quantitative risk analysis process
Define Sensitivity Analysis + ITTO for risk management
An analysis used to show the effects of changing one or more variables of an outcome. - for example, many people use it to determine what the monthly payments for a loan will be given different interest rates or periods of the loan - e.g. What will your monthly mortgage payment be if you borrow $100,000 for 30 years at a 6 percent rate? - e.g. What will the payment be if the interest rate is 7 percent? - spreadsheet software, such as Microsoft Excel, is a common tool for performing sensitivity analysis It is a tool/technique used in the performing quantitative risk analysis process.
Complete the following elements of a risk register: An ___ for each risk event. A ___ for each risk event. The ___ of the risk event. A ___ of the risk event. The ___ under which the risk event falls. The ___ cause of the risk. ___ for each risk. Potential ___ to each risk. The ___, or person who will take responsibility for the risk. The ___ of the risk occurring. The ___ to the project if the risk occurs. The ___ of the risk.
An identification number for each risk event. A rank for each risk event. The name of the risk event. A description of the risk event. The category under which the risk event falls. The root cause of the risk. Triggers for each risk. Potential responses to each risk. The risk owner, or person who will take responsibility for the risk. The probability of the risk occurring. The impact to the project if the risk occurs. The status of the risk.
Define Probability/Impact Matrices + what are risk factors? + ITTO for risk management
A qualitative risk analysis tool that lists relative probability of a risk occurring on one side of a matrix or axis on a chart and the relative impact of the risk occurring on the other side. - charts the probability and impact of risks To make a probability/impact matrix: - list the risks that might occur during a project - label each risk as high, medium, or low in terms of its probability of occurrence and its impact if it did occur - summarize the results in a matrix or chart. A more sophisticated approach to using probability/impact information is to calculate risk factors - Numbers that represent the overall risk of specific events based on their probability of occurring and the consequences to the project if they do occur It is a tool/technique of the performing qualitative risk analysis process.
Define Risk Report + ITTO for risk management
A report that provides information on overall project risk. - the effect of uncertainty on the project as a whole. - It contains: - sources of overall project risk - important drivers of overall project risk exposure - summary information on risk events. - The risk report is developed progressively during the entire risk planning processes It is an output of the identifying risks process.
A ___ is a useful tool that can help project managers consider potential risks in different categories.
A risk breakdown structure is a useful tool that can help project managers consider potential risks in different categories.
A ___ is a document that contains results of various risk management processes; it is often displayed in a table or spreadsheet format.
A risk register is a document that contains results of various risk management processes; it is often displayed in a table or spreadsheet format.
___ are predefined actions that a project team will take if an identified risk event occurs. ___ are developed for risks that have a high impact on meeting project objectives and are implemented if attempts to reduce the risk are not effective. ___ are provisions held by the project sponsor or organization to reduce the risk of cost or schedule overruns to an acceptable level.
Contingency plans are predefined actions that a project team will take if an identified risk event occurs. Fallback plans are developed for risks that have a high impact on meeting project objectives and are implemented if attempts to reduce the risk are not effective. - the plans used if contingency plans fail Contingency reserves or contingency allowances are provisions held by the project sponsor or organization to reduce the risk of cost or schedule overruns to an acceptable level.
___ is a good method for understanding common sources of risk on IT projects.
Risk questionnaires is a good method for understanding common sources of risk on IT projects.
Risk ___ is shifting the consequence of a risk and responsibility for its management to a third party.
Risk transference is shifting the consequence of a risk and responsibility for its management to a third party.
___ or ___ is the amount of satisfaction or pleasure received from a potential payoff. ___ enjoy high risks. ___ people do not like to take risks. ___ people seek to balance risks and potential payoff.
Risk utility or risk tolerance is the amount of satisfaction or pleasure received from a potential payoff. Risk seekers enjoy high risks. Risk-averse people do not like to take risks. Risk-neutral people seek to balance risks and potential payoff.
Describe the following preferences towards risk: Risk-averse Risk-seeking Risk-neutral
Risk-averse People who avoid risk at high costs. - Risk Utility rises at a decreasing rate for people who are risk-averse. - In other words, when more payoff or money is at stake, a person or organization that is risk-averse gains less satisfaction from the risk, or has lower tolerance for the risk. Risk-seeking People who have a higher tolerance for risk and their satisfaction increases when more payoff is at stake. - A risk-seeking person or organization prefers outcomes that are more uncertain and is often willing to pay a penalty to take risks Risk-neutral Achieves a balance between risk and payoff. Examples: - A risk-averse organization might not purchase hardware from a vendor who has not been in business for a specified period of time. - A risk-seeking organization might deliberately choose start-up vendors for hardware purchases to gain new products with unusual features that provide an advantage. - A risk-neutral organization might perform a series of analyses to evaluate possible purchase decisions.
___ is used to show the effects of changing one or more variables on an outcome.
Sensitivity analysis is used to show the effects of changing one or more variables on an outcome.
___ are a more sophisticated method for creating estimates to help you determine the likelihood of meeting specific project schedule or cost goals.
Simulations are a more sophisticated method for creating estimates to help you determine the likelihood of meeting specific project schedule or cost goals.
Define Risk Utility
The amount of satisfaction or pleasure received from a potential payoff.
Implementing Risk Responses is one of the 7 main processes of project risk management. Describe Implementing Risk Responses
The executing process of putting the appropriate risk response plans into action.
Performing Qualitative Risk Analysis is one of the 7 main processes of project risk management. Describe Performing Qualitative Risk Analysis
The process of assessing the likelihood and impact of identified risks to determine their magnitude and priority.
Planning Risk Management is one of the 7 main processes of project risk management. Describe Planning Risk Management
The process of deciding how to approach and plan risk management activities for the project. - main output of this process is a risk management plan