Ch11_Risk Management
TRICKS
As a project manager, you should always do qualitative risk analysis, but quantitative risk analysis is not required for all projects and may be skipped in favor of moving on to risk response planning. You should proceed with quantitative risk analysis only if it is worth the time and money on your project
The Risk Management Process (Con't)
As a result, the project manager has time for efforts such as: • Monitoring and controlling the various aspects of the project, looking for deviations and trends to find them early • Implementing a reward system • Keeping stakeholders informed of project progress • Staying ahead of the project
The Risk Management Process (Con't)
On large, properly managed projects where risk management has been an integral part of planning, the following occurs: • There are no longer huge fires to put out every day—they were eliminated with risk response plans. • Risks are brought up in every meeting to be addressed before they happen. • Normally, if a risk event does occur, there is a plan in place to deal with it. Hectic meetings to develop responses are a rarity, and are only needed when an unknown risk event occurs and requires development of a workaround.
Risk Register Updates
Prioritized list of quantified risks What are the risks that are most likely to cause trouble? To affect the critical path? That need the most contingency reserve?
Trick: Identify Risks - output
Risk register including: • List of risks • List of potential risk responses • Root causes of risks • Updated risk categories
trick
Risks should be continually assessed. For the exam, understand that risk identification is done during such activities as integrated change control, when working with resources, and when dealing with project issues.
Perform Quantitative Risk Analysis Outputs
The Perform Quantitative Risk Analysis process results in updates to the risk register and other project documents.
Perform Qualitative Risk Analysis Outputs - Risk Register Updates
' Risk ranking for the project compared to other projects. . List of prioritized risks and their probability and impact ratings. ' Risks grouped by categories (As previously explained). ' List of risks for additional analysis and response. ' List of risks requiring additional analysis in the near term. ' Watch list (noncritical risks).
the common risk management errors
. Risk identification ends too soon, resulting in a brief list (20 risks) rather than an extensive list (hundreds of risks). . Padding is used instead of a risk management process. • The processes of Identify Risks through Perform Quantitative Risk Analysis are blended, resulting in risks that are evaluated or judged as they come to light. This decreases the number of total risks identified and causes people to stop participating in risk identification.
Tool - Monte Carlo Analysis (Simulation Technique)
A Monte Carlo analysis uses the network diagram and estimates to "perform" the project many times and to simulate the cost or schedule results of the project
Lesson Learn
A contract is a tool to transfer risks. The project management plan could change to include a modified WBS and new work packages related to mitigating risk. The communications management plan could change as a way to address a risk. A change to the charter is a fundamental change to the project and may require a major adjustment to all aspects of the project management plan. It is not a common result of risk management efforts.
Risk Register Updates - Risk owners
A key concept in risk response planning is that the project manager does not have to do it all and neither does the team. Each risk must be assigned to someone who may help develop the risk response and who will be assigned to carry out the risk response or "own" the risk. The risk occurs; the risk owner takes the preapproved action determined in project planning and informs the project manager. No meeting is needed-just action! This can be very powerful.
Lesson Learn
A project manager has just finished the risk response plan for a US $387,000 engineering project. Which of the following should he probably do NEXT? This situation is occurring during project planning. Planning must be completed before moving on. Determining the risk rating of the project is done during Perform Qualitative Risk Analysis, and should have already been done. Project risk reassessment occurs during Control Risks, the next step in the risk management process after Plan Risk Responses. But the question does not ask what is next in the risk management process, just what is next. Adding work packages to the WBS, as part of iterations, comes next in project planning.
Threats and Opportunities
A risk event is something identified in advance that may or may not happen. Up to 90 percent of the threats identified and investigated in the risk management process can be eliminated
Lesson Learn
A risk list, process updates, and sensitivity analysis are not outputs of the Plan Risk Responses process. Residual risks, fallback plans, and contingency reserves are all outputs of the Plan Risk Responses process, making this the correct answer
Risk Appetites, Tolerances, and Thresholds (Cont')
A risk threshold1 is the specific point at which risk becomes unacceptable
trick
A tricky question on the exam might ask, "When in the risk management process are responses documented?" The answer is both during Identify Risks (as potential responses) and during Plan Risk Responses (as selected response plans)!
Lesson Learn
A workaround refers to determining how to handle a risk that has occurred but was not included in the risk register. The project must be in the Control Risks process if risks have occurred
risk identification tools and techniques - Assumptions Analysis
Analyzing what assumptions have been made on the project, and whether they are valid, may lead to the identification of more risks.
Risk Register Updates - Secondary risks
Any new risks created by the implementation of selected risk responses should also be analyzed as part of risk response planning. The discovery of secondary risks may require additional risk response planning.
Outputs of Control Risks
As with the previous risk management processes, updates to the risk register and other project documents are a result of Control Risks, along with the other outputs listed here.
the risk register includes:
At this point in the risk management process, the risk register includes: • List of risks Risks should be stated as clearly and specifically as possible. • List of potential responses Although risk response planning occurs later, one of the things experienced risk managers know is that it is not always logical to separate work on each part of risk management. There will be times when a response is identified at the same time as a risk management. Tnese responses should be added to the risk register as they are identified, and later as part of risk response planning.
Response strategies for THREATS
Avoid Eliminate the threat by eliminating the cause, such as removing the work package or person. Avoiding the threat might even involve expanding the scope of the project
Note
Avoidance and mitigation would generally be used for high-priority, high-impact risks. Transference and acceptance (discussed below) are appropriate for low-priority, low-impact risks.
Note
Be careful! Risks are identified and managed starting in initiating and are continually kept up-to-date or added to while the project is underway. The project manager and the team look at what has happen on the project, the current status of the project, and what is yet to come and reassess the potential threats and opportunities.
trick
Because risk identification primarily occurs during project initiating and planning, the exam has often said that the major part of risk identification happens at the onset of the project
Closing of Risks That Are No Longer Applicable
Closing of risks allows the team to focus on managing the risks that are still open. The dosing of a risk will likely result in the associated risk reserve being returned to the company.
Risk Register Updates - Contingency plans
Contingency plans are plans describing the actions that will be taken if the opportunity or threat occurs.
11.6 Control Risks (Monitoring & Controlling)
Control Risks is the process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project. The key benefit of this process is that it improves efficiency of the risk approach throughout the project life cycle to continuously optimize risk responses
Input - Project background information
Correspondence from before the project was approved, articles written about similar projects, and other such information will help identify risks. (Project background information is part of organizational process assets.)
Input - Risk register
Created as an output of Identify Risks, the risk register is an input to all of the remaining risk processes. The risk register is the repository of information on identified risks for the project, and as such is an important input for prioritizing and analyzing risks, planning risk responses, and controlling risks.
Input - Risk management plan
Created as an output of Plan Risk Management, the risk management plan will define how risk management is conducted throughout the project, and is therefore an input to all of the remaining risk processes.
Trick: Plan Risk Responses
Decrease project threats and increase opportunities. Determine secondary and residual risks. Calculate final reserves. Determine risk owners (if not already done). Create contingency and fallback plans. Identify risk triggers. Accept risks, where appropriate.
Trick: Perform Qualitative Risk Analysis
Determine if you will go to quantitative risk analysis or go directly to risk response planning. Document the watch list (noncriticial risks). Determine the overall risk ranking for the project.
trick
Expect the phrases "sources of risk" and "risk categories" to be used interchangeably on the exam
TRICKS
Here are a couple of other points that can be tricky on the exam: • Can you eliminate all threats on a project? Remember that threats can be eliminated and opportunities exploited, but the time and trouble involved in eliminating ALL the risks and exploiting ALL the opportunities identified on a project would probably not be worthwhile.
Input - Procurement document
How many contracts will there likely he on the project? What is the level of expertise of those handling the contracts? Was the project manager involved before any contracts were signed? If not, the project will have more risk and is likely to cost more. Contracts are a way to mitigate or transfer risks in risk response planning. Procurement documents are an input to Identify Risks.
Trick: Plan Risk Management
How will you perform risk management on the project? What risk management policies or procedures exist for use on the project and what new ones are needed? When will the processes and procedures or risk management be performed? How will risks be identified, and what tools will be used? What are stakeholders' roles and responsibilities for risk management? How will you budget for risk management?
work that is part of the Control Risks process - Workarounds
If the project has deviated from the baselines, the team may take corrective action to bring it back in line. Recommendations for such corrective actions may include workarounds. Whereas contingency responses are developed in advance, workarounds are unplanned responses developed to deal with the occurrence of unanticipated events or problems on a project (or to deal with risks that had been accepted because of unlikelihood of occurrence and/or minimal impact). Project managers who do not perform risk management spend a lot of their time creating workarounds
Tool - Decision Tree WITH ILLUSTRATION
If you have to choose between many alternatives, you should analyze how each choice benefits or hurts the project before making the decision. Decision trees can help you in this type of analysis. They are models of real situations and are used to make informed decisions about things like, «Which option should I choose?" or "How will I solve this problem?" by taking into account the associated risks, probabilities, and impacts.
Tools - Risk Urgency Assessment
In addition to creating a short list of risks, qualitative risk analysis includes noting risks that should move more quickly through the process than others. Reasons for this could include the fact that the risk may occur soon or will require a long time to plan a response. Urgent risks may then be moved, independently, right into risk response planning while the rest continue through quantitative risk analysis, or they may simply be the first ones for which you plan a response in risk response planning. A project manager may consider both the urgency of the risk and the risk's probability and impact rating (from the probability and impact matrix) to determine the overall severity of the risk.
-Types of Risk
In addition to risk categories, risks can be classified under two main types: • Business risk Risk of a gain or loss • Pure (insurable) risk Only a risk of loss (e.g., fire, theft, personal injury, etc.)
Input - Project documents
In addition to the project charter and network diagram (previously discussed), project documents include the project schedule, quality checklist, issue log, agreements, and statements of work. Project documents are an input to Identify Risks
TRICKS
Is usually done with a computer-based program because of the intricacies of the calculations • Evaluates the overall risk in the project • Determines the probability of completing the project on any specific day, or for any specific cost • Determines the probability of any activity actually being on the critical path • Takes into account path convergence (places in the network diagram where many paths converge into one activity) • Translates uncertainties into impacts to the total project • Can be used to assess cost and schedule impacts • Results in a probability distribution
Risk Reassessments (cont')
It is important to determine whether any changes or adjustments need to be made to what was planned based on information that becomes apparent once work begins. Reassessing risk is a good topic for a team meeting or even a separate meeting. Many of the actions in the previous exercise relate to this. Remember, the results of such reassessments may include newly identified risks, additional qualitative or quantitative risk analysis of new and/or previously identified risks, and further risk response planning
The Risk Management Process
It is very important to understand the risk management process for the exam. You must MEMORIZE what happens when and know how risk management. done well, can change the way projects are managed and how it can change what happens in a typical day on a project.
Tool - Decision Tree
Know the following about decision trees for the exam: • A decision tree takes into account future events in a decision today. • It calculates the expected monetary value (probability times impact) in more complex situations than the expected monetary value example previously presented. With a decision tree, you could evaluate the costs and benefits of several risk responses at once to determine which would be the best option. • It involves mutual exclusivity (previously explained in the Quality Management chapter) .
Input - Enterprise environmental factors
Knowing the degree of risk the organization is willing to accept and the areas where there is willingness to accept risk (organizational risk appetites, tolerances, and thresholds) helps to identify the impact of risks, rank risks, and determine which risk response strategies to use. A company's culture can add or diminish risk and should be considered when identifying risks. Enterprise environmental factors are inputs into most of the planning processes of risk management.
Input - Time and cost estimates
Knowing the estimates helps you determine the risk of the project not meeting the time and cost objectives. Initial estimates are an input to risk management, and detailed estimates are an output of risk management.
Transfer (Deflect, Allocate)
Make another party responsible for the risk by purchasing insurance, performance bonds, warranties, or guarantees or by outsourcing the work. Here is where the strong connection between risk and procurement (contracts) begins. In the world of properly practiced project management, you complete risk analysis before a contract is signed, and transference of risk is included in the terms and conditions of the contract.
Risk Register Updates - Reserves
Make sure you realize that reserves are not an additional cost to a project. The risk management process should result in a decrease to the project's estimated time and cost. As risks are eliminated or their probability or impact reduced, there should be a reduction to the project's schedule and budget. Contingency reserves are allocated for the contingency plans and fallback plans to deal with the associated, accepted opportunities and threats that remain after the risk management planning processes have been completed. No matter what you do, risks will remain in the project, and there should be a time or cost allotment for them, just as cost or time is allotted to work activities on the project.
risk identification tools and techniques - Information-Gathering Techniques
Many of these techniques are also used to collect requirements for the project (seethe Scope Management chapter). • Brainstorming Brainstorming is usually done in a meeting where one idea helps generate another. . Delphi technique This technique is used to achieve consensus among experts who participate anonymously. A request for information is sent to the experts their responses are compiled, and the results are sent back to them for further review until consensus is reached. This technique can also be used for analyzing risks as welJ as for collecting requirements and estimating time and cost. • Interviewing Also called expert interviewing on the exam, this technique consists of the team or project manager interviewing project participants, stakeholders, or experts to identify risks on the project or a specific element of work. • Root cause analysis3 In root cause analysis, the identified risks are reorganized by their root causes to help identify more risks.
TRICKS
Many people get confused between qualitative and quantitative risk analysis. Remember that qualitative risk analysis is a subjective evaluation, even though numbers are used for the rating. In contrast, quantitative risk analysis is a more objective or numerical evaluation; the rating of each risk is based on an attempt to measure the actual probability and amount at stake (impact).
trick
Notice that an updated risk register is the main output of several of the risk management processes (for most of these processes, the PMBOK Guide lists the updated risk register as the chief item under "project documents updates"). Read exam questions carefully, as the risk register contains different information depending on when in the risk management process the question is referencing. For example, if the project has just started and you are in the Identify Risks process, the risk register will contain the Identified risks and potential responses, not the response plans actually selected for the project, which come later.
Trick: Perform Quantitative Risk Analysis
Numerically evaluate the top risks. Quantitatively determine which risks warrant a response. Determine initial reserves. Create realistic time and cost objectives. Determine the probability of meeting project objectives.
Trick (cont)
Once project work has begun and the work of Control Risks is being performed, new risks may be identified, or risks may be reassessed based on project knowledge or evaluation of risk processes. When this occurs, the risk planning processes must again be performed appropriately, and the new risks must be evaluated and ranked, which may result in more risk response planning. This will generate change requests to integrated change control for analysis and review. The trick here is to remember that the approved project management plan and baselines are not static while work is performed, but changes to them must go through integrated change control.
Input - Organizational process assets
Organizational process assets are inputs into most of the planning processes of risk management.
Input - Scope baseline
Part of the project management plan, the scope baseline can help you assess how complex the project will be and what level of risk management effort is appropriate. This also contains information about boundaries, constraints, and assumptions, which can indicate risks for the project. The scope baseline is an input to Identify Risks and Perform Qualitative Risk Analysis.
Lesson Learn
Project status reports can be an input to risk management. However, when completing risk management for the first time, you would not have project status reports. Therefore, project status reports are not always an input to risk management.
Risk Register Updates - Reserves
Projects can have both kinds of reserves. As shown in the following diagram (also in the Cost Management chapter), contingency reserves are calculated and become part of the cost baseline. Management reserves are estimated (e.g., 5 percent of the project cost), and then these reserves are added to the cost baseline to get the project budget. The project manager has control of the cost baseline and can approve use of the contingency reserves, but management approval is needed to use management reserves.
TRICKS
Proving the Value of Project Management Project management saves time and money on projects. Getting your organization's executives to understand that fact can be difficult at times. How beneficial would it be if you could prove the value of project management?
TRICKS
Qualitative risk analysis can also be used to: • Compare the risk of the project to the overall risk of other projects. Determine whether the project should be continued or terminated. • Determine whether to proceed to the Perform Quantitative Risk Analysis or Plan Risk Responses processes (depending on the needs of the project and the performing organization).
Trick: Perform Qualitative Risk Analysis
Qualitatively determine which risk events warrant a response. Assess the quality of the risk data. Complete a risk urgency assessment. Subjectively determine the probability and impact of all risks.
additional examples of sources of risk:
Quality "The concrete may dry to our quality standards before winter weather sets in, allowing us to start successor work packages earlier than planned. • Scope "We might not have correctly defined the scope for the computer installation. If that proves true, we will have to add work packages at a cost of $20,000.
Risk Reassessments
Questions always seem to come up on the exam that require you to know that the team needs to periodically review the risk management plan and risk register and adjust the documentation as required.
Trick
Read situational questions describing suggested changes resulting from risk processes to determine whether the actual work of the project has begun. If the project work has not begun, these suggested changes are likely part of the Plan Risk Responses update outputs. Otherwise, these suggested changes will be the Control Risks output of change requests.
Mitigate
Reduce the probability and/ or impact of a threat, thereby making it a smaller risk and possibly removing it from the list of top risks on the project. Options for reducing the probability are looked for separately from options for reducing the impact. Any reduction will make a difference
Project Management Plan Updates
Remember also that planning is iterative. To help you answer questions correctly on the exam and understand the flow of the planning processes, Rita's Process Chart represents this analysis, evaluation, and integration of the management plan changes during project planning as part of "Go back-iterations:'
Reserve Analysis
Reserve analysis while the work is being done is simply a matter of checking to see how much reserve remains and how much might be needed. It is like checking the balance in your bank account. Reserves must be guarded throughout the project life cycle. If you are inexperienced with risk management, make sure you understand how reserves are used and protected
Risk Appetites, Tolerances, and Thresholds (Cont')
Risk appetites, tolerances, and thresholds vary depending on the individual or organization and the risk area.
Risk Audits
Risk audits are performed to assess the overall process of risk management on the project, as well as the effectiveness of specific risk responses that have been implemented. The auditing process is documented in the risk management plan.
Tools - Risk Categorization
Risk categorization examines the questions of "What will we find if we regroup the risks by categories? By work packages?" Think about how useful it would be to not only have a subjective assessment of the total amount of risk on the project, but also to group the risks by cause to know which work packages, processes, people, or other potential causes have the most risk associated with them. Such data will be helpful in risk response planning, allowing you to eliminate many risks at once by eliminating one cause. Risk categories or sources of risks can be organized in a risk breakdown structure
Trick: Plan Risk Management - output
Risk management plan
Trick: Perform Quantitative Risk Analysis output
Risk register including: • Prioritized list of quantified risks • Initial reserves • Project completion dates and costs • Probability of achieving project objectives • Trends
Trick: Perform Qualitative Risk Analysis Output
Risk register including: • Risk ran king of the project as compared to other projects • List of prioritized risks • Risks by category ' Risks needing additional analysis and response • Watch list • Trends
Meetings
Risk should be a major point of discussion at such meetings to keep the focus on risks, to continue to identify new risks, and to make sure response plans remain appropriate.
11.6 Control Risks (Cont')
Risk- related questions on the exam are asked assuming the project manager has done proper project management, including assigning risk owners, putting contingency plans in place, and taking other such actions. The exam also assumes the project is substantially less risky than it would have been if the project manager had not planned the project
Risk Management Plan - Roles and responsibilities
Roles and responsibilities This section answers the question of "Who will do what?" Did you realize that stakeholders outside the project team may have roles and responsibilities regarding risk management?
the risk register includes:
Root causes of risks The root causes of risks are documented. This information is valuable in later efforts to reassess risk on the project and for historical records to be used for future projects. • Updated risk categories You will notice a lot of places where historical records and company records are updated throughout the project management process. Make sure you are aware that lessons learned and communicating information to other projects do not just happen at the end of the project. As part of the risk identification effort, the project provides feedback to the rest of the company regarding new categories of risk to add to the checklist.
additional examples of sources of risk:
Schedule "The hardware may arrive earlier than planned, allowing work package XYZ to start three days earlier. Cost "Because the hardware may arrive later than planned, we may need to extend our lease on the staging area at a cost of $20,000."
Tool - Sensitivity Analysis
Sensitivity analysis is a technique to analyze and compare the potential impacts of identified risks. A tornado diagram9 may be used to graphically depict the results of that analysis. Risks are represented by horizontal bars: the longest and uppermost bar represents the greatest risk, and progressively shorter horizontal bars beneath represent lower-ranked risks.
trick
Smart project managers begin looking for risks as soon as a project is first discussed. In fact, the PMBOK® Guide lists high-level risks as an output of the creation of the project charter in integration management. However, the major risk identification effort occurs during planning
TRICKS
Some examples of decision trees have the costs occurring only at the end of the project, while others have costs occurring early or in the middle of the project. Because a decision tree models all the possible choices to resolve an issue, costs can appear anywhere in the diagram, not just at the end. On the exam, don't get confused when you look at examples of decision trees. Pay attention to the data provided in the question in order to correctly interpret the answer.
risk identification tools and techniques - Diagramming Techniques
Some of the tools described in the Quality Management chapter can also be used to analyze the root causes of issues. These include cause and effect diagrams and flowcharts. When used as part of risk identification, they help identify additional risks for the project.
Risk Averse
Someone who does not want to take risks is said to he risk averse.
Lesson Learn
Stakeholders should be included in the Identify Risks process. Some triggers may be identified in the Identify Risks process, but they are generally identified and added to the risk register in the Plan Risk Responses process. Workarounds are created as unidentified risk events occur. The project manager's error was not including others in the Plan Risk Responses process. Plan Risk Responses must include the involvement of all risk owners and possibly other stakeholders.
Input - Stakeholder register
Stakeholders will view the project from different perspectives and thus will be able to see risks that the team cannot. Stakeholders are involved in many aspects of risk management. The stakeholder register is an input to Plan Risk Management and Identify Risks.
risk identification tools and techniques - SWOT
Strengths, Weaknesses, Opportunities, and Threats (SWOT) Analysis This analysis looks at the project to identify its strengths and weaknesses and thereby identify risks (opportunities and threats).
Risk Register Updates
The Control Risks process will add the following to the risk register: • Outcomes of the risk reassessments and risk audits • Results of implemented risk responses • Updates to previous parts of risk management, including the identification of new risks • Closing of risks that are no longer applicable . Details of what happened when risks occurred • Lessons learned
Change Requests, Recommended Preventive and Corrective Actions
The Control Risks process will uncover changes needed to the project. As noted actions may include workarounds.
Lesson Learn
The Delphi technique is commonly used to obtain expert opinions on technical issues, the necessary project or product scope, or the risks
Lesson Learn
The Delphi technique uses experts and builds consensus; therefore, expert opinion is the chief characteristic.
Input - Communications management plan
The PMBOK® Guide doesn't specifically list the communications management plan as an input to risk management, but it is part of the project management plan, which is an input to Plan Risk Management and Control Risks. The communications management plan can be used to structure communications around risk. It can also help identify risk. The communications management plan helps answer questions such as: Are there a lot of people to communicate with? Where in the project are communications so important that communication errors can actually add risk to the project? Is your communications management plan effective? Since the number one problem many people have on projects is poor communication, there is a strong connection between planning communications and decreasing risk.
11.3 Perform Qualitative Risk Analysis (Planning)
The Perform Qualitative Risk Analysis process involves doing this analysis and creating a short list of the previously identified risks. The short-listed risks may then be further analyzed in the Perform Quantitative Risk Analysis process, or they may move into the Plan Risk Responses process
11.4 The Perform Quantitative Risk Analysis (planning)
The Perform Quantitative Risk Analysis process involves numerically analyzing the probability and impact (the amount at stake or the consequences) of risks moved forward from qualitative risk analysis. Quantitative risk analysis also looks at how risks could affect the objectives of the project
11.5 The Plan Risk Responses
The Plan Risk Responses process involves figuring out "What are we going to do about each top risk?" In risk response planning, you find ways to reduce or eliminate threats, and you find ways to make opportunities more likely or increase their impact.
Input - Schedule management plan
The aggressiveness of the schedule objectives provides an indication of the risk of meeting those objectives. The schedule management plan is an input to Identify Risks and Perform Quantitative Risk Analysis.
Project Management Plan Updates
The efforts spent in risk management can result in updates to the project management plan. Spend a moment now thinking about how risk response planning might lead to updates to the schedule, cost, quality, procurement, communications, and human resource management plans, as well as the scope, time, and cost baselines for the project. This concept is critical for understanding the impact risk management has on projects
Input - Project management plan
The entire project management plan is an input to the Plan Risk Management and Control Risks processes, as all of the management plans must be taken into account. Additionally, specific management plans are inputs to other risk management processes. They are listed separately within this table.
Input - Human resource management plan
The human resource management plan describes what resources are needed (roles and responsibilities), identifies the resources available to the project, and explains how the resources will be managed, including how they will be moved on and off the project. Knowing this information will help you identify risks related to resources. The human resource management plan is an input to Identify Risks.
Input - Quality management plan
The metrics documented in this plan, an input to Identify Risks, will help you identify quality risks. The documented processes in this plan can also help minimize threats or enhance opportunities, and can help you manage risks. The process improvement plan is another output of quality management that can be useful in risk management: although the PMBOK® Guide doesn't specifically list this plan as an input to Identify Risks, it can be used to proactively identify risks while the project is underway
Input - Network diagram
The network diagram is the only place where paths that converge into one activity can be easily seen. Such path convergence makes the activity riskier than if there were no path convergence. The network diagram also helps determine the critical path and any near-critical paths. The "tighter" the schedule, the more risk the project has. The network diagram (part of project documents) is an input to Identify Risks.
Project Documents Updates
The other documents a project manager has created to help manage the project may also change. Can you imagine how risk response planning might affect the roles and responsibilities on a project, your stakeholder management strategy, or your quality metrics?
Plan Risk Responses Outputs
The outputs of the Plan Risk Responses process are the updates to the project management plan, risk register, and other project documents
Tools -Probability and Impact MatriX
The probability and impact matrix may be used to sort or rate risks to determine which ones warrant an immediate response (and will therefore be moved on through the risk process) and which ones should be put on the watch list (described later)
11 .1 PLAN RISK MANAGEMENT (Planning)
The process of defining how to conduct risk management activities for a project. The Plan Risk Management process answers the question of how much time should be spent on risk management based on the needs of the project. It also answers questions such as who will be involved and how the team will go about performing risk management
Input - project charter
The project charter indicates the initial, high-level risks identified on the project and helps you see if the overall project objectives and constraints are generally risky or not. The charter also helps identify risks based on what is and what is not included in the project.
Input - project charter
The project charter is an input to the Plan Risk Management process and the Identify Risks process (included as part of project documents in Identify Risks).
Lesson Learn
The project manager is in the Perform Qualitative Risk Analysis process. This process includes risk data quality assessment and probability and impact matrix development. It appears the project manager has not yet completed the matrix, which is used to sort risks based on their probability and impact ratings. Trend analysis, the identification of triggers, and development of fallback plans will occur later in risk management.
11.5 The Plan Risk Responses
The project's risk responses may include doing one or a combination of the following for each top risk: • Do something to eliminate the threats before they happen. • Do something to make sure the opportunities happen. • Decrease the probability and/ or impact of threats. • Increase the probability and/ or impact of opportunities. For the remaining (residual) threats that cannot be eliminated: • Do something if the risk happens (contingency plans). Contingency plans should be measurable so you can evaluate their effectiveness. • Do something if contingency plans are not effective or are only partially effective (fallback plans).
Lesson Learn
The risk is the loss of data due to a power outage. Purchasing insurance is not related to preventing the problem. It transfers the risk. Creating a reserve fund is acceptance of the risk, and would help address the cost factors after the power failure, but would not reduce the probability or impact of it. Avoiding the hurricane by scheduling the installation at a different time reduces the power outage risk, but could have a large negative impact on the project schedule and so is not the best choice. The better choice of the options is to monitor the weather and know when to implement the contingency plan.
Organizational Process Assets Updates
The risk process will lead to the creation of risk templates (such as a risk register including project risks and risk responses), checklists, and other data to be used as historical records for future projects
Risk Registers
The risk register is where most of the risk information is kept. Think of it as one document for the whole risk management process that will be constantly updated with information as Identify Risks and the later risk management processes are completed. The risk register becomes part of the project documents and is included in historical records that will be used for future projects
memorize!
The six sequential risk management processes are: 1. Plan Risk Management 2. Identify Risks 3. Perform Qualitative Risk Analysis 4. Perform Quantitative Risk Analysis 5. Plan Risk Responses 6. Control Risks
Risk Management Plan - Tracking
The tracking section of the plan describes how the risk process will be audited, and how information will be documented regarding what happens with risk management activities.
Risk Register Updates - Reserves
There can be two kinds of reserves for time and cost: contingency reserves and management reserves. Contingency reserves account for "knowns"; these are items you identified in risk management. Management reserves account for "unknown"; these are items you did not or could not identify in risk management.
Input - Work performance data and reports
These are both inputs to the Control Risks process. Project work will generate raw data and measurements (work performance data), which are analyzed in Control Risks to evaluate the impact of variance and its relationship to identified risks. The work performance reports are the outputs of other control processes, such as Control Schedule, Control Scope, etc. These reports provide the analyzed data from these processes in a format that can be used to do risk reassessment, reserve analysis, analysis of trends and variance, etc.
Risk Register Updates - Risk triggers
These are events that trigger the contingency response. The early warning signs for each risk on a project should be identified so risk owners know when to take action.
Risk Register Updates - Residual
These are the risks that remain after risk response planning. Those residual risks that are passively accepted should be properly documented and reviewed throughout the project to see if their ranking has changed
Risk Management Plan - Risk categories
These categories are broad, common areas or sources of risk that the company or similar projects have experienced. They can include things like technology changes, lack of resources, regulatory, or cultural issues. When leading risk identification efforts, you should make sure each category is considered. A risk breakdown structure (RBS) is an organizational chart that can help you identify and document risk categories.
Risk Register Updates - Fallback plans
These plans are specific actions that will be taken if the contingency plans are not effective. Think how prepared you will feel if you have plans for what to do if a risk occurs and what to do if the original plan does not work
Risk Appetites, Tolerances, and Thresholds
These three terms each refer to the level of risk an individual or group is willing to accept. Risk appetite is a general, high-level description of the acceptable level of risk
Tools -Risk Data Quality Assessment
This assessment answers the question of "How accurate and well understood is the risk information?" A risk data quality assessment may include determining the following for each risk: • Extent of the understanding of the risk • Data available about the risk • Quality of the data • Reliability and integrity of the data
11.2 IDENTIFY RISKS ( Planning)
This effort should involve all stakeholders and might even include literature reviews, research, and talking to non-stakeholders. Sometimes the core team will begin the process and then other team members will become involved, making Identify Risks an iterative process
Work Performance Information
This is the analysis of the work performance data gathered during project work. Examples include results of risk audits, assessment of how well risk processes are working for the project, performance measurements on schedule progress to determine which risks can be closed or are likely to close in the near future, and risk reassessments, which would include variance analysis of the planned risk responses to actual time and cost. This information may be entered as updates into the risk register, other project documents, and the project management plan, or it could be the basis of change requests.
Input - Cost management plan
This plan details cost processes that may help identify risks to achieving the project budget. The cost management plan is an input to Identify Risks and Perform Quantitative Risk Analysis.
Project Management Plan Updates
This process can result in updates (from approved changes or additional information gathered) to the schedule, cost, quality, and procurement management plans, as well as the human resource management plan and the scope baseline for the project.
Lesson Learn
This question essentially asks, "What is an output of Perform Qualitative Risk Analysis?" . A prioritized list of risks is an output of Perform Qualitative Risk Analysis. The probability for achieving time and cost objectives is determined during the Perform Quantitative Risk Analysis process. Risk triggers and contingency reserves are parts of the Plan Risk Responses process.
Risk Management Plan - Budget
This section includes the cost of the risk management process. Yes, there is a cost of doing risk management, but risk management saves the project time and money overall by avoiding or reducing threats and taking advantage of opportunities.
Risk Management Plan - Reporting
This section of the plan describes any reports related to risk management that will be created and what they will include.
Risk Management Plan - Timing
This section of the plan talks about when to do risk management for the project. Risk management should start as soon as you have the appropriate inputs and should be repeated throughout the life of the project, since new risks can be identified as the project progresses and the degree of risk can change over the course of a project.
risk identification tools and techniques - Checklist Analysis
This technique looks at the checklist of risk categories that we discussed in the Plan Risk Management section of this chapter. The checklist is used to help identify specific risks within each category.
Concepts -Risk Management
Through risk management, you work to increase the probability and impact of opportunities on the project (positive events), while decreasing the probability and impact of threats to the project (negative events)
Tool - Expected Monetary Value Analysis
To evaluate a risk, you can look at the probability or the impact, but calculating the expected monetary value is a better measure to determine an overall ranking of risks. The formula for expected monetary value (EMV) is simply probability (P) times impact (I). EMV= p X I
Lesson Learn
To mitigate risk, we either reduce the probability of the event happening or reduce its impact. Acceptance of risk means doing nothing (if it happens, it happens, or contingency plans are created). Avoidance of risk means we change the way we will execute the project so the risk is no longer a factor. Transference is passing the risk off to another party. Many people think of using insurance as a way of decreasing impact. However, purchasing insurance transfers the risk to another party.
How?
To perform this analysis, the following are determined: • The probability of each risk occurring, using a standard scale such as Low, Medium, High or 1 to 10 • The impact (amount at stake, or consequences, positive or negative) of each risk occurring, using a standard scale such as Low, Medium, High or 1 to 10
Uncertainty
Uncertainty is a lack of knowledge about an event that reduces confidence in conclusions drawn from the data. The work that needs to be done, the cost, the time, the quality needs, the communications needs, etc., can be uncertain. The investigation of uncertainties may help identify risks.
Trick: Plan Risk Responses Output
Updates to the project management plan and project documents Risk register including: • Residual and secondary risks • Contingency and fallback plans • Risk owners • Triggers . Final reserves • Contracts • Accepted risks
trick
Watch out for questions about communicating information on the exam! Your possible risk response strategies must be communicated to management, stakeholders, and the sponsor. These parties will need to know that you are in control of the project, even if there is a problem, and they may need to approve the resources to make the risk response strategies happen. Communicating about risk is essential in order to gain buy-in to the strategy.
Risk Management Plan - • Stakeholder tolerances
What if the stakeholders have a low risk tolerance for cost overruns? That information would be taken into account to rank cost impacts higher than if the low tolerance was in another area. Tolerances should not be implied, but uncovered in project initiating and clarified or refined continually.
risk identification tools and techniques - Documentation Reviews
What is and is not included in the documentation, including the charter, contracts, and planning documentation, can help identify risks. Those involved in risk identification might look at this documentation, as well as lessons learned, articles, and other documents, to help uncover risks. This technique used to be a trick for risk management and has proven to be so beneficial that it has now become standard practice.
Risk Factors
When looking at risk, it's necessary to determine the following: • The probability that a risk event will occur (how likely) • The range of possible outcomes (impact or amount at stake) • Expected timing for it to occur in the project life cycle (when) • The anticipated frequency of risk events from that source (how often)
Lesson Learn
When new risks are identified, they should go through the risk management process. You need to determine the probability and impact of the risks and then try to diminish them through the Plan Risk Responses process. Only after these efforts should you consider adding reserves for time and/ or cost. Any reserves should be based on a detailed analysis of risk. Calculating the expected monetary value of the risks is an important part of the risk management process, and the best choice presented here
trick
When you get a question about who should be involved in risk identification, the best answer is everyone! Everyone has a different perspective of the project and can provide thoughts on opportunities and threats
Risk Management Plan - Definitions of probability and impact
Would everyone who rates the probability of a risk a 7 in qualitative risk analysis mean the same thing? A person who is risk averse might think of 7 as very high, while someone who is risk prone might think of 7 as a low figure. The definitions and the probability and impact matrix (discussed in Perform Qualitative Risk Analysis) help standardize these interpretations and also help compare risks between projects.
TRICKS
You need to know the following actions are part of quantitative risk analysis • Further investigate the highest rated risks on the project. ' Perform sensitivi analysis to determine which risks have the most impact on the project. . Determine how much quantified risk the project ha through expected monetary value analysis or Monte Carlo analysis (described later in this section).
Tool - Decision Tree
You should know what a decision tree is and be able to calculate a simple one from provided data. The exam could also ask you to calculate the expected monetary value (or just "value") of a path or the value of your decision
Trick: Identify Risks
identify "all» the risks on the project. Use tools such as brainstorming, root cause analysis, and documentation review to facilitate risk identification. Involve the stakeholders.
Input to and Outputs of Risk management
is a very step-by-step, process-oriented part of project management. keep in mind that many of the inputs to each individual risk management process are the outputs of the processes that came before it. Remember, inputs are merely, "What do I need to do this well?" or "What do I need before I can begin...?" Outputs are merely, "What will I have when I am done with...?"
Identify Risks Output
risk register.
Risk Appetites, Tolerances, and Thresholds (Cont')
the term risk tolerance is more specific, as it refers to a measurable amount of acceptable risk
Enhance
• (the reverse of mitigate) Increase the likelihood (probability) and/or positive impacts of the risk event.
Risk Register Updates - Contracts
• A project manager must be involved before a contract is signed. Before the contract is finalized, the project manager should have completed a risk analysis and included contract terms and conditions required to mitigate or allocate threats and to enhance opportunities. Any contracts issued to deal with risks should be noted in the risk register.
Share
• Allocate ownership or partial ownership of the opportunity to a third party (forming a partnership, team, or joint venture) that is best able to achieve the opportunity.
The purpose of quantitative risk analysis is to:
• Determine which risk events warrant a response. • Determine overall project risk (risk exposure). • Determine the quantified probability of meeting project objectives (e.g., "We only have an 80 percent chance of completing the project within the six months required by the customer;' or "We only have a 75 percent chance of completing the project within the $80,000 budget"). • Determine cost and schedule reserves. • Identify risks requiring the most attention. • Create realistic and achievable cost, schedule, or scope targets.
A response strategy for both THREATS and OPPORTUNITIES is: Accept
• Do nothing and say, "If it happens, it happens:' Active acceptance may involve the creation of contingency plans to be implemented if the risk occurs and the allocation of time and cost reserves to the project. Passive acceptance leaves actions to be determined as needed (workarounds), if (after) the risk occurs. A decision to accept a risk must be communicated to stakeholders
Response strategies for OPPORTUNITIES
• Exploit (the reverse of avoid) Add work or change the project to make sure the opportunity occurs.
Risk categories - ways to classify or categorize risk
• External Regulatory, environmental, government, market shifts • Internal Time, cost, or scope changes; inexperience; poor planning; people; staffing; materials; equipment * Technical Changes in technology * Unforeseeable Only a small portion of risks (some say about 10 percent) are actually unforeseeable
Risk Register Updates - Reserves
• Having reserves for time and cost is a required part of project management. You cannot come up with a schedule or budget for the project without them. Reserves are covered in the Cost Management chapter, but let's look at them again here as well
Risk Register Updates
• Initial amount of contingency time and cost reserves needed For example, "The project requires an additional $50,000 and two months of time to accommodate the risks on the project:' Reserves will be finalized next, in Plan Risk Responses.
Risk Management Plan - Methodology
• Methodology This section of the plan defines how you will perform risk management for the particular project. Remember to adapt the methods to the needs of each project. Low-priority projects will likely warrant less of a risk management effort than high-priority projects.
the common risk management errors
• Only one method is used to identify risks (e.g. only using a checklist) rather than a combination of methods. A combination helps ensure that more risks are identified. • The first risk response strategy identified is selected without looking at other options and finding the best option or combination of options.
Risk Register Updates
• Possible realistic and achievable completion dates and project costs, with confidence levels, versus the time and cost objectives for the project . For example, "We are 95 percent confident that we can complete this project on May 25th for $989,000:'
additional examples of sources of risk:
• Resources "Stephanie is such an excellent designer that she may be called away to work on the new project everyone is so excited about. If that occurs, we will have to use someone else and our schedule will slip between 100 and 275 hours:' • Customer satisfaction (stakeholder satisfaction) "There is a chance the customer will not tell us they are unhappy with the XYZ deliverable, causing at least a 20 percent increase in time to rework the deliverable and test plans:'
the common risk management errors
• Risk identification is completed without knowing enough about the project. . Project risk is evaluated using only a questionnaire, interview, or Monte Carlo analysis and thus does not provide specific risks.
the common risk management errors
• Risk management is not given enough attention. • Project managers do not explain the risk management process to their team during project planning. • Contracts are signed long BEFORE risks to the project are discussed.
the common risk management errors
• Some things considered to be risks are not uncertain; they are facts, and are therefore not risks. . Whole categories of risks (such as technology, cultural, marketplace, etc.) are missed.
Whether responding to threats or opportunities:
• Strategies must be timely. . The effort selected must be appropriate to the severity of the risk—avoid spending more money preventing the risk than the impact of the risk would have cost if it occurred. • One response can be used to address more than one risk. • More than one response can be used to address the same risk. • A response can address a root cause of risk and thereby address more than one risk. • The team, other stakeholders, and experts should be involved in selecting a strategy.
Risk categories - Rita's categories of risk
• The customer • Lack of project management effort (yes, a lack of project management effort can add risk) • Lack of knowledge of project management by the project manager and stakeholders • The customer's customers • Suppliers • Resistance to change Cultural differences
Risk Register Updates
• The quantified probability of meeting project objectives For example, "We only have an 80 percent chance of completing the project within the six months required by the customer:' Or, "We only have a 75 percent chance of completing the project within the $800,000 budget:'
the common risk management errors
• The risks identified are general rather than specific (e.g., "communications" rather than "poor communication of customer's needs regarding installation of system XYZ could cause two weeks of rework").
Risk Register Updates
• Trends in quantitative risk analysis As you repeat quantitative risk analysis during project planning and when changes are proposed, you can track changes to the overall risk of the project and see any trends.
Tool - Determining Quantitative Probability and Impact
• interviewing • Cost and time estimating • Delphi technique • Use of historical records from previous projects • Expert judgment • Sensitivity analysis (described next) • Expected monetary value analysis (described later in this • Monte Carlo analysis (described later in this • Decision trees (described later in this section)