Chapter 11 - Project Risk Management
Strategies for Threats
1. Escalate 2. Avoid 3. Transfer 4. Mitigate 5. Accept
Strategies for Opportunities
1. Escalate 2. Exploit 3. Share 4. Enhance 5. Accept
Tools and Techniques of Plan Risk Management
1. Expert Judgement 2. Data Analysis (stakeholder analysis) 3. Meetings
Tools and Techniques of Perform Qualitative Risk Analysis
1. Expert Judgement 2. Data Gathering (interviews) 3. Data Analysis (risk data quality assessment, risk probability and impact assessment, assessment of other risk parameters 4. Interpersonal and Team Skills (facilitation) 5. Risk Categorization 6. Data Representation (probability and impact matrix, hierarchical charts (eg. bubble charts)) 7. Meetings
Tools and Techniques of Implement Risk Responses
1. Expert Judgement 2. Interpersonal and Team Skills (influencing) 3. PMIS
Tools and Techniques of Identify Risks
1. Expert Judgement 2. Data Gathering (brainstorming, checklists, interviews) 3. Data Analysis (root cause analysis, assumption and constraint analysis, SWOT analysis, document analysis) 4. Interpersonal and Team Skills (facilitation) 5. Prompt Lists 6. Meetings
Tools and Techniques of Perform Quantitative Risk Analysis
1. Expert Judgement 2. Data Gathering (interviews) 3. Interpersonal and Team Skills (facilitation) 4. Representations of Uncertainty 5. Data Analysis (simulation, sensitivity analysis, decision tree analysis, influence diagrams)
Tools and Techniques of Plan Risk Responses
1. Expert Judgement 2. Data Gathering (interviews) 3. Interpersonal and Team Skills (facilitation) 4. Strategies for Threats 5. Strategies for Opportunities 6. Contingent Response Strategies 7. Strategies for Overall Project Risk 8. Data Analysis (alternatives analysis, cost-benefit analysis) 9. Decision Making (multicriteria decision analysis)
Perform Qualitative Risk Analysis assesses
The priority of identified individual project risks using their probability of occurrence, the corresponding impact on project objectives if the risks occur, and other factors.
Perform Qualitative Risk Analysis
The process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics.
Project Risk Management
The processes of conducting risk management planning, identification, analysis, response planning, response implementation, and monitoring risk on a project. It aims to exploit or enhance positive risks (opportunities) while avoiding or mitigating negative risks (threats).
Measurable Risk Thresholds
- what level of risk exposure is acceptable in pursuit of project objectives - measurable risk thresholds reflect the risk appetite of the organization and project stakeholders - risk thresholds express the degree of acceptable variation around a project objective
Risk exists at two levels.
- Individual Project Risk - is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives - Overall Project Risk - is the effect of uncertainty on the project as a whole, arising from all sources of uncertainty including individual risks, representing the exposure of stakeholders to the implications of variations in project outcome, both positive and negative.
The use of Perform Quantitative Risk Analysis is most likely appropriate for:
- large or complex projects - strategically important projects - projects for which it is a contractual agreement - projects in which a key stakeholder requires it
On completion of the Identify Risks process, the content of the risk register may include but is not limited to:
- list of identified risks - potential risk owners - list of potential risk responses
Considerations for tailoring include but are not limited to:
- project size - project complexity - project importance - development approach
Emergent risks can be tackled through developing project resilience. This requires each project to have:
- right level of budget and schedule contingency for emergent risks, in addition to a specific risk budget for known risks; - flexible project processes that can cope with emergent risk while maintaining overall direction toward project goals, including strong change management; - empowered project team that has clear objectives and that is trusted to get the job done within agreed-upon limits; - frequent review of early warning signs to identify emergent risks as early as possible; and - clear input from stakeholders to clarify areas where the project scope or strategy can be adjusted in response to emergent risks
Strategies for Overall Project Risk
1. Avoid 2. Exploit 3. Transfer/Share 4. Mitigate/Enhance 5. Accept
Outputs to Implement Risk Responses
1. Change Requests 2. Project Documents Updates (issue log, lessons learned register, project team assignments, risk register, risk report)
Outputs for Plan Risk Responses
1. Change Requests 2. Project Management Plan Updates (schedule management plan, cost management plan, quality management plan, resource management plan, procurement management plan, scope baseline, schedule baseline, cost baseline) 3. Project Documents Updates (assumption log, cost forecasts, lessons learned register, project schedule, project team assignments, risk register, risk report)
Tools and Techniques for Monitor Risks
1. Data Analysis (technical performance analysis and reserve analysis) 2. Audits 3. Meetings (risk reviews)
Trends and Emerging Practices for Project Risk Management include but are not limited to:
1. Non-Event Risks 2. Project Resilience 3. integrated Risk Management
Inputs to Plan Risk Management
1. Project Charter 2. Project Management Plan (all components) 3. Project Documents (stakeholder register) 4. Enterprise Environmental Factors (overall risk thresholds set by the organization or key stakeholders) 5. Organizational Process Assets (organizational risk policy; risk categories, possibly organized into a risk breakdown structure; common definitions of risk concepts and terms; risk statement formats; templates for the risk management plan, risk register, and risk report; roles and responsibilities; authority levels for decision-making; and lessons learned repository from previous similar projects)
Outputs of Perform Quantitative Risk Analysis
1. Project Documents Updates a) risk report - assessment of overall project risk exposure - detailed probabilistic analysis of the project - prioritized list of individual project risks - trends in quantitative risk analysis results - recommended risk responses
Outputs of Perform Qualitative Risk Analysis
1. Project Documents Updates (assumption log, issue log, risk register, risk report)
Inputs for the Identify Risks process:
1. Project Management Plan (requirements management plan, cost management plan, schedule management plan, quality management plan, resource management plan, risk management plan, scope baseline, schedule baseline, and cost baseline) 2. Project documents (assumption log, cost estimates, duration estimates, issue log, lessons learned register, requirements documentation, resource requirements, stakeholder register) 3. Agreements 4. Procurement documentation 5. EEF (published material, including commercial risk databases or checklists; academic studies; benchmarking results; and industry studies of similar projects) 6. OPA (project files, including actual data; organizational and project process controls; risk statement formats; and checklists from previous similar projects)
Inputs to Plan Risk Responses
1. Project Management Plan (resource management plan, risk management plan, cost baseline) 2. Project Documents (lessons learned register, project schedule, project team assignments, resource calendars, risk register, risk report, stakeholder register) 3. EEF (risk appetite and thresholds of key stakeholders) 4. OPA (templates for the risk management plan, risk register, and risk report; historical databases; and lessons learned repositories from similar projects)
Inputs to Perform Qualitative Risk Analysis
1. Project Management Plan (risk management plan) 2. Project Documents (assumption log, risk register, stakeholder register) 3. EEF (industry studies of similar projects, and published material, including commercial risk databases or checklists) 4. OPA (information from similar completed projects)
Inputs to Monitor Risks
1. Project Management Plan (risk management plan) 2. Project Documents (issue log, lessons learned register. risk register, risk report) 3. Work Performance Data 4. Work Performance Reports
Inputs to Implement Risk Responses
1. Project Management Plan (risk management plan) 2. Project Documents (lessons learned register, risk register, risk report) 3. OPA (lessons learned repository from similar completed projects that indicate the effectiveness of particular risk responses)
Inputs to Perform Quantitative Risk Analysis
1. Project Management Plan (risk management plan, scope baseline, schedule baseline, cost baseline) 2. Project Documents (assumption log, basis of estimates, cost estimates, cost forecasts, duration estimates, milestone list, resource requirements, risk register, risk report, schedule forecasts) 3. EEF (industry studies of similar projects, and published material, including commercial risk databases or checklists) 4. OPA (information from similar completed projects)
Outputs of Identify Risks
1. Risk Register - captures details of identified individual project risks. 2. Risk Report 3. Project Documents Updates (assumption log, issue log, and lessons learned register)
The Risk Management plan may include some or all of the following elements:
1. Risk Strategy 2. Methodology 3. Roles and Responsibilities 4. Funding 5. Timing 6. Risk Categories 7. Stakeholder risk appetite 8. Definitions of risk probability and impacts 9. Probability and impact matrix 10. Reporting formats 11. Tracking
Outputs of Plan Risk Management
1. Risk management plan - describes his risk management activities will be structured and performed
Assessment of Other Risk Parameters: The project team may consider other characteristics of risk when prioritizing individual project risks for further analysis and action. These characteristics may include but are not limited to:
1. Urgency - The period of time within which a response to the risk is to be implemented in order to be effective. A short period indicates high urgency. 2. Proximity - The period of time before the risk might have an impact on one or more project objectives. A short period indicates high proximity. 3. Dormancy - The period of time that may elapse after a risk has occurred before its impact is discovered. A short period indicates low dormancy. 4. Manageability - the ease with which the risk owner (or owning organization) can manage the occurrence or impact of a risk. When management is easy, manageability is high. 5. Controllability - The degree to which the risk owner (or owning organization) is able to control the risk's outcome. Where the outcome can be easily controlled, controllability is high. 6. Detectability - the ease with which the results of the risk occurring, or being about to occur, can be detected and recognized. Where the risk occurrence can be detected easily, detectability is high. 7. Connectivity - The extent to which the risk is related to other individual project risks. Where a risk is connected to many other risks, connectivity is high. 8. Strategic Impact - the potential for the risk to have a positive or negative effect on the organization's strategic goals. Where the risk has a major effect on strategic goals, strategic impact is high. 9. Propinquity - the degree to which a risk is perceived to matter by one or more stakeholders. Where a risk is perceived as very significant, propinquity is high.
Two main types of non-event risks:
1. Variability Risk - Uncertainty exists about some key characteristics of a planned event or activity or decision. Examples of variability risks include: productivity may be above or below target, the number of errors found during testing may be higher or lower than expected, or unseasonal weather conditions may occur during the construction phase. 2. Ambiguity Risk - uncertainty exists about what might happen in the future. Areas of the project where imperfect knowledge might affect the project's ability to achieve its objectives include: elements of the requirement or technical solution, future developments in regulatory frameworks, or inherent systemic complexity in the project.
Outputs of Monitor Risks
1. Work Performance Information 2. Change Requests 3. Project Management Plan Updates 4. Project Document Updates (assumption log, issue log, lessons learned register, risk register, risk report) 5. OPA Updates (templates for the risk management plan, risk register, and risk report; and risk breakdown structure)
Integrated Risk Management
A coordinated approach to enterprise-wide risk management ensures alignment and coherence in the way risk is managed across all levels. This builds risk efficiency into the structure of programs and portfolios, providing the greatest overall value for a given level of risk exposure. Some risks are managed by the project team while others may be escalated to higher levels if they are best managed outside the project.
Probability and Impact Matrix
A grid for mapping the probability of each risk occurrence and its impact on project objectives if that risk occurs. This matrix specifies combinations of probability and impact that allow individual project risks to be divided into priority groups. - Individual project risks are assigned to a priority level based on the combination of their assessed probability and impact, using a probability and impact matrix.
Risk Breakdown Structure (RBS)
A hierarchical representation of potential sources of risks. It helps the project team consider the full range of sources from which individual project risks may arise. This can be useful when identifying risks or when categorizing identified risks.
Project Resilience
A term that describes an unknowable-unknowns risk; risk that can only be recognized after they have occurred
Prompt Lists
A predetermined list of risk categories that might give rise to individual project risks and that could also act as sources of overall project risk. The prompt list can be used as a framework to aid the project team in idea generation when using risk identification techniques. The risk categories in the lowest level of the risk breakdown structure can be used as a prompt list for individual project risks
Sensitivity Analysis
A quantitative risk analysis and modeling technique used to help determine which risks or other sources of uncertainty have the most potential impact on the project. It correlates variations in project outcomes with variations in elements of the quantitative risk analysis model. The typical display of results is in the form of a tornado diagram.
Technical Performance Analysis
Compares technical accomplishments during project execution to the schedule of technical achievement, i.e. transaction times, # of delivered defects, storage capacity, weight, etc. Deviation can indicate the potential impact of threats or opportunities.
The Key Benefit of the Identify Risks process is the
Documentation of existing individual project risks and the sources of overall project risk. It also brings together information so the project team can respond appropriately to identified risks.
The Key Benefit of the Implement Risk Responses process is that it
Ensures that agreed-upon risk responses are executed as planned in order to address overall project risk exposure, minimize individual project threats, and maximize individual project opportunities.
The objectives of project risk management are to
Increase the probability and/or impact of positive risks and to decrease the probability and/or impact of negative risks, in order to optimize the chances of project success
Most projects focus only on risks that are uncertain future events that may or may not occur.
Examples: a key seller may go out of business during the project; the customer may change the requirement after design is complete; or a subcontractor may propose enhancements to the standard operating processes.
The Key Benefit of the Perform Qualitative Risk Analysis process is that it
Focuses efforts in high-priority risks
The Key Benefit of the Plan Risk Responses process is that it
Identifies appropriate ways to address overall project risk and individual project risks. It also allocates resources and inserts activities into project documents and the project management plan as needed.
The Key Benefit of the Plan Risk Management process is that
It ensures that the degree, type, and visibility of risk management are proportionate to both risks and the importance of the project to the organization and other stakeholders
Management of overall project risk aims to
Keep project risk exposure within an acceptable range by reducing drivers of negative variation, promoting drivers of positive variation, and maximizing the probability of achieving overall project objectives.
The Plan Risk Management process is performed
Once or at predefined points in the project
Quantitative risk analysis is the only reliable method to assess
Overall project risk through evaluating the aggregated effect on project outcomes of all individual project risks and other sources of uncertainty.
The Key Benefit of the Perform Quantitative Risk Analysis process is that it
Quantifies overall project risk exposure, and it can also provide additional quantitative risk information to support risk response planning
Simulation
Quantitative risk analysis uses a model that simulates the combined effects of individual project risks and other sources of uncertainty to evaluate their potential impact on achieving project objectives. Simulations are typically performed using a Monte Carlo analysis.
Risk Data Quality Assessment
Technique to evaluate the degree to which the data about individual project risks is accurate and reliable as a basis for qualitative risk analysis
Plan Risk Management
The process of defining how to conduct risk management activities for a project.
Plan Risk Responses
The process of developing options, selecting strategies, and agreeing on actions to address overall project risk exposure, as well as to treat individual project risks.
Identify Risks
The process of identifying individual project risks as well as sources of overall risk, and documenting their characteristics.
Implement Risk Responses
The process of implementing agreed-upon risk response plans.
Monitor Risks
The process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project.
Perform Quantitative Risk Analysis
The process of numerically analyzing the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives.
Risk Report
The risk report presents information on sources of overall project risk and provides summary information on identified individual project risks. - sources of overall project risk, indicating which are the most important drivers of overall project risk exposure; and - summary information on identified individual project risks, such as number of identified threats and opportunities, distribution of risks across risk categories, metrics and trends, etc.
Influence Diagrams
These are graphical aids to decision making under uncertainty. They represent a project or situation within the project as a set of entities, outcomes, and influences, together with the relationships and effects between them.
Reserve Analysis
Throughout execution of the project, some individual project risks may occur with positive or negative impacts on budget or schedule contingency reserves. Reserve analysis compares the amount of the contingency reserves remaining to the amount of risk remaining at any time in the project in order to determine if the remaining reserve is adequate.
The Identify Risks process is performed
Throughout the project
The Implement Risk Responses process is performed
Throughout the project
The Perform Qualitative Risk Analysis process is performed
Throughout the project
The Plan Risk Responses process is performed
Throughout the project
The Perform Quantitative Risk Analysis process is performed
Throughout the project but this process is not required for every project when it is used.
Decision Tree Analysis
Used to support selection of the best of several alternative courses of action.
Representations of Uncertainty
Where the duration, cost, or resource requirement for a planned activity is uncertain, the range of possible values can be represented in the model as a probability distribution. This may take several forms. The most commonly used are triangular, normal, lognormal, beta, uniform, or discrete distributions.
The Key Benefit of the Monitor Risks process is that it
enables project decisions to be based on current information about overall project risk exposure and individual project risks
Risk data quality may be assessed via a
questionnaire measuring the project's stakeholder perceptions of various characteristics, which may include completeness, objectivity, relevancy, and timeliness. A weighted average of selected data quality characteristics can then be generated to give an overall quality score.
Perform Qualitative Risk Analysis establishes the
relative priorities of individual project risks for plan risk responses. It identifies a risk owner for each risk who will take responsibility for planning an appropriate risk response and ensuring that it is implemented.
Risk Categorization
risks can be categorized into sources of risks, area of the project, common root causes or other useful categories. - Grouping risks into categories can lead to the development of more effective risk responses by focusing attention and effort on the areas of highest risk exposure, or by developing generic risk responses to address groups of related risks.
The Monitor Risks process is performed
throughout the project.
Risk Probability and Impact Assessment
• Risk probability assessment considers the likelihood that a specific risk will occur. Risk impact assessment considers the potential effect on one or more project objectives such as schedule, cost, quality, or performance. Impacts will be negative for threats and positive for opportunities. • Probability and impact are assessed for each identified risk • Risks can be assessed in interviews or meetings with participants selected for their familiarity with the risk categories recorded in the risk register. • Project team members and knowledgeable persons from outside the project, are included. • The level of probability for each risk and its impact on each objective is evaluated during the interview or meeting. • Risk probabilities and impacts are assessed according to the definitions given in the risk management plan • Risks with low probability and impact will be included on a watchlist for future monitoring
Contingent Response Strategies
• Some responses are designed for use only if certain events occur. • For some risks, it is appropriate for the project team to make a response plan that will only be executed under certain predefined conditions, if it is believed that there will be sufficient warning to implement the plan. • Events that trigger the contingency response, such as missing intermediate milestones or gaining higher priority with a supplier, should be defined and tracked