Chapter 5 Risk Analysis
Tree-based techniques in risk analysis
-Fault-tree analysis (FTA) -Event-tree analysis (ETA) -Cause-consequence analysis (CCA) -Management oversight risk tree (MORT) -Safety management organization review technique (SMORT)
Risk analysis methodologies
-Preliminary risk analysis -Hazard and operability studies (HAZOP) -Failure mode and effects analysis (FMEA/FMECA)
Steps to perform a risk analysis
-The first step is to assess risks and this is performed by assigning a probability rating and an impact rating, based on the documented definitions included within the risk management plan. -In the second step, the probability and impact rating should be combined into an overall score. This is commonly done using a probability and impact matrix. -The third step involves quantifying risks. By using several quantitative risk analysis tools, such as Monte Carlo Technique and Sensitivity Analysis, overall project risks can be derived
Hazard and operability studies
A hazard and operability study (HAZOP) is a qualitative technique for identifying and evaluating problems that may represent risks to personnel or equipment, or prevent efficient operation. This technique is carried out by a multi-disciplinary team (HAZOP team) during a set of meetings
Expert judgment
Because this process determines qualitative values, by its very nature, you must rely on expert judgment to determine the probability, impact, and other information we've derived so far. The more knowledge and similar experience your experts have, the better your assessments will be. Interviews and facilitated workshops are two techniques you can use in conjunction with expert judgment to perform this process.
Cause-consequence analysis
Cause-consequence analysis (CCA) identifies chains of events that can result in undesirable consequences. The probabilities of various consequences can be calculated with the probabilities of various events in the CCA diagram, thus establishing the risk level of the system. This technique is a blend of fault tree and event tree analysis.
Event-tree analysis
Event-tree analysis is a logical method of analyzing how and why a disaster could occur. It is used for illustrating the sequence of outcomes that may arise after the occurrence of a selected initial event.
Failure mode and effects analysis
Failure mode and effects analysis (FMEA/FMECA) is a procedure by which each potential breakdown approach in a system is analyzed to establish its effect on the system and to classify it according to its severity. When the FMEA is extended by a criticality analysis, the technique is then called failure mode and effects criticality analysis (FMECA).
Fault-tree analysis
Fault-tree analysis (FTA) is a logical diagram that shows the relation between system failures. This technique can be used in qualitative or quantitative risk analysis. Qualitative FTA is a deductive (top-down) approach that graphically and logically represents events at a lower level which can lead to a top undesirable event. In quantitative FTA, failure rates or probabilities are input into the tree and the probability of occurrence is computed for the top undesirable event.
Expert Judgment
In quantitative risk analysis, expert judgment can be used for validating the collected risk data and the analysis used for the project at hand. It is an estimating technique and is used in all the other areas of project management, including risk management, procurement management, etc
Management oversight risk tree
Management oversight risk tree (MORT) is a diagram that arranges safety program elements in an orderly and logical manner. Its analysis is carried out by means of fault tree. This technique gives an overview of the causes of the top event from management oversights and omissions or from assumed risks or both.
Risk analysis techniques
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): It is a strategic assessment based on the risk identified. It is also used as a planning technique for security. COBRA (Collective, Objective, and Bi-Functional Risk Analysis): It is a questionnaire system which is based on system's principle and extensive knowledge to evaluate the relative importance of all threats and vulnerabilities. Delphi: It is a group of experts who used to rate independently and rate business risk of an organization. Each expert analyzes the risk independently and then prioritizes the risk, and the results are combined into a consensus. Brainstorming: It is used extensively in formative project planning. It can also be used to identify and postulate risk scenarios for a particular project. Sensitivity analysis: It examines the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values. Probability analysis: It overcomes the limitations of a sensitivity analysis technique by specifying a probability distribution for each variable, and then considering situations where any or all of these variables can be modified at the same time. Utility theory: It is an approach that is appropriate to the decision tree analysis for the calculation of expected values, and also for the assessment of results from sensitivity and probability analyses. Decision theory: It is a technique for assisting in reaching decisions under uncertainty and risk.
Perform Quantitative Risk Analysis
Perform quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives. This process generally follows the perform qualitative risk analysis process. It is performed on risks that have been prioritized by the perform qualitative risk analysis process as potentially and substantially impacting the project's competing demands. The perform quantitative risk analysis process evaluates the impacts of risk prioritized during the perform qualitative risk analysis process. It is typically performed for those risks that were identified in perform qualitative risk analysis that could have a significant impact on the project. Perform quantitative risk analysis quantifies the aggregate risk exposure for the project by assigning numeric probabilities to risks and their impacts on project objectives. This quantitative approach is accomplished using techniques such as Monte Carlo simulation and decision tree analysis. According to the PMBOK guide, the purpose of this process is to perform the following: -Quantify the project's possible outcomes and probabilities. -Determine the probability of achieving the project objectives. -Identify risks that need the most attention by quantifying their contribution to overall project risk. Identify realistic and achievable schedule, cost, or scope targets. -Determine the best project management decisions possible when outcomes are uncertain.
Preliminary risk analysis
Preliminary risk analysis (PRA) or hazard analysis is a qualitative risk analysis technique that involves a disciplined analysis of the event sequences that could transform a potential hazard into an accident. This technique first identifies the possible undesirable events and then analyzes the events separately. Also, possible improvements or preventive measures are formulated for each undesirable events or hazards
Project Documents Updates
Project documents are updated with information resulting from quantitative risk analysis. For instance, risk register updates could include: -Probabilistic analysis of the project: This contains the estimates of the project schedule and cost with a confidence level attached to each estimate. It is the forecasted results of the project schedule and costs as determined by the outcomes of risk analysis. These results include projected completion dates and costs, along with a confidence level associated with each. -Probability of achieving cost and time objectives: This helps in assigning a probability of achieving the cost and time objectives of the project. -Prioritized list of quantified risks: This list helps in prioritizing the response plan efforts to eliminate (or minimize) the impact of the threats and capitalize on the opportunities. This list is similar to the list produced during the perform qualitative risk analysis process. The list of risks includes those that present the greatest risk or threat to the project and their impacts. It also lists those risks that present the greatest opportunities to the project. This list should also indicate which risks are most likely to impact the critical path and those that have the largest cost contingency. -Trends in quantitative risk analysis results: A trend for specific risks can be recognized by repeating the analysis several times and by examining the results.
Qualitative vs. Quantitative risk analysis
Qualitative and quantitative risk analysis both offer valuable information. It is recommended that risks be evaluated on a qualitative level first, and then quantitative as needed. Qualitative risk analysis is considered to be a quick and cost effective form of risk analysis, whereas quantitative risk analysis requires additional expertise and tools. Another key difference between qualitative and quantitative risk analysis is that qualitative risk analysis focuses more on individual risks, and quantitative risk analysis focuses more on project risk.
Types of risk analysis
Risk analysis is used in risk management to clarify the threats that are relevant to the operational processes and to identify the risks. The types of risk analysis are as follows: Qualitative risk analysis Quantitative risk analysis
Risk Categorization
Risk categorization tool and technique is used to determine the effects risk has on the project. You can examine not only the categories of risk determined during the plan risk management process but also the project phase and the WBS to determine the elements of the project that are affected by risk. Risks to the projects can be categorized by sources of risk, the area of project affected, and other valuable types to decide the areas of the project most exposed to the effects of uncertainty.
Risk data quality assessment
Risk data quality assessment involves determining the usefulness of the data gathered to evaluate risk. Most importantly, the data must be unbiased and accurate. The following elements can be examined when using this tool and technique: The quality of the data used The availability of data regarding the risks How well the risk is understood The reliability and integrity of the data The accuracy of the data This tool evaluates the data for the accuracy, reliability, integrity, and quality.
Risk Probability and Impact Assessment
Risk probability refers to the likelihood that a risk will occur, and impact refers to the effect the risk will have on a project objective if it occurs. The probability for each risk and the impact of each risk on project objectives, such as cost, quality, scope, and time, must be assessed. Note that probability and impacts are assessed for each identified risk. Methods used in making the probability and impact assessment include holding meetings, interviewing, considering expert judgment, and using an information base from previous projects. A risk with a high probability might have a very low impact, and a risk with a low probability might have a very high impact. To prioritize the risks, you need to look at both probability and impact.
Inputs and Outputs of the Perform Quantitative Risk Analysis
Risk register: It includes list of identified risks, priority list of risks if qualitative risk analysis was performed, and risks with categories. -Risk management plan: It provides guidelines, methods, and tools to be used in quantitative risk analysis. -Cost management plan: It provides guidelines on establishing and managing risk reserves. -Schedule management plan: It describes how the project schedule will be developed and controlled and how changes will be incorporated into the project schedule. -Enterprise environmental factors: They include industry studies of similar projects by risk specialists, and risk databases that may be available from industry or proprietary sources. -Organizational process assets: The elements of the organizational process assets input include historical information from previous projects of a similar nature. The output of this process is project documents updates
Risk Urgency Assessment
Risk urgency assessment is a risk prioritization technique based on time urgency. For example, a risk that is going to occur now is more urgent to address than a risk that might occur a month from now
Probability and impact matrix
Risks need to be prioritized for quantitative analysis, response planning, or both. The prioritization can be performed by using the probability and impact matrix: a lookup table that can be used to rate a risk based on where it falls both on the probability scale and on the impact scale. The outcome of a probability and impact matrix is an overall risk rating for each of the project's identified risks. The combination of probability and impact results in a classification usually expressed as high, medium, or low. Typically, high risks are considered a red condition, medium risks are considered a yellow condition, and low risks are considered a green condition. This type of ranking is known as an ordinal scale because the values are ordered by rank from high to low.
Safety management organization review technique
Safety management organization review technique (SMORT) includes data collection based on the checklists and their related questions, in addition to evaluation of results. This technique is a simplified modification of MORT and is structured by means of analysis levels with associated checklists.
Data Gathering and Representation Techniques
The following are the data gathering and representation techniques: -Interviewing: It is used to collect data for assessing the probability of achieving specific project objectives. Project team members, stakeholders, and subject-matter experts are prime candidates for risk interviews. -Probability distribution: Continuous probability distributions (particularly beta and triangular distributions) are commonly used in perform quantitative risk analysis. According to the PMBOK guide, continuous probability distributions include normal, lognormal, triangular, beta, and uniform distributions. Distributions are graphically displayed and represent both the probability and time or cost elements. Triangular distributions use estimates based on the three-point estimate (the pessimistic, most likely, and optimistic values). Normal and lognormal distributions use mean and standard deviations to quantify risk, which also require gathering the optimistic, most likely, and pessimistic estimates. Discrete distributions represent possible scenarios in a decision tree, outcomes of a test, results of a prototype, and other uncertain events. After a user has collected the data on meeting the project objectives, he/she can present it in a probability distribution for each objective under study.
Inputs and Outputs of the Perform Qualitative Risk Analysis Process
The following are the inputs to this process: -Risk register: It contains the list of identified risks that will be the key input to qualitative risk analysis. -Risk management plan: It contains the elements, such as roles and responsibilities for performing risk management, budgeting, risk categories, risk timing and scheduling, etc. for generating the output of qualitative risk analysis. -Scope baseline: It describes the deliverables of the project. -Enterprise environmental factors: They may provide insight and context to the risk assessment, such as industry studies of similar projects by risk specialists, and risk databases that may be available from industry or proprietary sources. -Organizational process assets: Organizational process assets will make use of the risk-related components of the knowledge base from previous projects, such as data about risks and lessons learned. The output of this process is project documents updates
Quantitative Risk Analysis and Modeling Techniques
The following are the quantitative risk analysis and modeling techniques: -Sensitivity analysis: It is used to determine which risk has the greatest impact on the project. It is a quantitative method of analyzing the potential impact of risk events on the project and determining which risk event (or events) has the greatest potential for impact by examining all the uncertain elements at their baseline values. One of the ways sensitivity analysis data is displayed is a tornado diagram. -Expected monetary value (EMV) analysis: It is a statistical technique that calculates the average, anticipated future impact of the decision. EMV is calculated by multiplying the probability of the risk by its impact for two or more potential outcomes (for example, a good outcome and a poor outcome) and then adding the results of the potential outcomes together. EMV is used in conjunction with the decision tree analysis technique. It is used to calculate the expected value of an outcome when different possible scenarios exist for different values of the outcome with some probabilities assigned to them. -Decision tree analysis: It is used when there are multiple possible outcomes with different threats or opportunities with certain probabilities assigned to them. Decision tree is a diagram that shows the sequence of interrelated decisions and the expected results of choosing one alternative over the other. -Modeling and simulation: A model is a set of rule that helps in describing how something works; it takes input and makes predictions as output. A simulation is any analytical method used for imitating a real-life system. Monte Carlo analysis is an example of a simulation technique. Monte Carlo analysis is replicated many times, typically using cost or schedule variables. Every time the analysis is performed, the values for the variable are changed using a probability distribution for each variable. Monte Carlo analysis can also be used during the develop schedule process. Expected Monetary Value (EMV or risk score) Calculation
Tools and Techniques of the Perform Qualitative Risk Analysis Process
The following are the tools and techniques of the perform qualitative analysis process: -Risk probability and impact assessment: Risk probability assessment investigates the chances of a particular risk to occur. Risk impact assessment investigates the possible effects on the project objectives such as cost, quality, schedule, or performance, including positive opportunities and negative threats. -Probability and impact matrix: Estimation of risk's consequence and priority for awareness is conducted by using a look-up table or the probability and impact matrix. This matrix specifies the mixture of probability and impact that directs to rating the risks as low, moderate, or high priority. -Risk data quality assessment: Investigation of quality of risk data is a technique to calculate the degree to which the data about risks are useful for risk management. -Risk categorization: Risks to the projects can be categorized by sources of risk, the area of project affected and other valuable types to decide the areas of the project most exposed to the effects of uncertainty. -Risk urgency assessment: Risks that require near-term responses are considered more urgent to address. -Expert judgment: It is required to categorize the probability and impact of each risk to determine its location in the matrix.
Tools and Techniques of the Perform Quantitative Risk Analysis Process
The following are the tools and techniques of the perform quantitative risk analysis process: -Data gathering and representation techniques -Quantitative risk analysis and modeling techniques -Expert judgment
Ranking Risks in the Risk Register
The goal of "perform qualitative risk analysis" process is to rank risks and determine which need further analysis and, eventually, risk response plans. The output of this process is project documents updates, which involves updating the risk register. According to the PMBOK guide, the risk register is updated with the following information: -Risk ranking (or priority) for the identified risksRisk scoresUpdated probability and impact analysis -Risk urgency informationCauses of riskList of risks requiring near-term responses -List of risks that need additional analysis and response -Watch list of low-priority risks -Trends in qualitative risk analysis results
Risk impact/probability chart
The risk impact/probability chart provides a useful framework that helps in deciding which risks need attention. It is based on the principle that a risk has two main dimensions: -Probability: A risk is defined as an event that may occur. The probability of its occurrence can range anywhere from just above 0 percent to just below 100 percent. -Impact: A risk, by its very nature, always shows a negative impact. However, the size of the impact varies in terms of cost and impact on health, human life, or some other critical factor. The chart permits a user to rate potential risks on these two dimensions. The probability that a risk will occur is represented on one axis of the chart while the impact of the risk, if it occurs, on the other axis.
Risk analysis
a method or a technique that can be used to identify and assess factors that may hinder the successful completion of a project or the achievement of a goal. Risk analysis can also be used to determine business needs to start a project. It is a procedure to identify threats and vulnerabilities, analyze them for ascertaining the exposures and highlighting how the impact can be eliminated or reduced.
When to use a risk analysis
he following are situations when risk analysis is useful, for instance: -Planning projects to anticipate and neutralize possible problems -Deciding whether or not to move forward with a project -Improving safety and managing potential risks in the workplace -Preparing for events, such as equipment or technology failure, theft, staff sickness, or natural disasters -Planning for changes in the environment, such as new competitors coming into the market, or changes to government policy
Perform qualitative risk analysis
the process of prioritizing risks for further analysis and action. It combines risks and their probability of occurrences and ranks them accordingly. It enables organizations to improve the project's performance by focusing on high-priority risks. Perform qualitative risk analysis is usually a rapid and cost-effective means of establishing priorities for plan risk responses. It also lays the foundation to perform quantitative risk analysis.
