#11 Project Risk Management
Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality. A risk may have one or more causes and, if it occurs, it may have one or more impacts.

Project risk has its origins in the uncertainty present in all projects. Known risks are those that have been identified and analyzed, making it possible to plan responses for those risks. Known risks that cannot be managed proactively should be assigned a contingency reserve. Unknown risks cannot be managed proactively and therefore may be assigned a management reserve. A negative project risk that has occurred is considered an issue.

Organizations perceive risk as the effect of uncertainty on projects and organizational objectives. Organizations and stakeholders are willing to accept varying degrees of risk depending on their risk attitude. The risk attitudes of both the organization and the stakeholders may be influenced by a number of factors, which are broadly classified into three themes:
- Risk appetite, which is the degree of uncertainty an entity is willing to take on in anticipation of a reward.
- Risk tolerance, which is the degree, amount, or volume of risk that an organization or individual will withstand.
- Risk threshold, which refers to measures along the level of uncertainty or the level of impact at which a stakeholder may have a specific interest. Below that risk threshold, the organization will accept the risk. Above that risk threshold, the organization will not tolerate the risk.

Project Risk Management
The knowledge area of Project Risk Management consists of the following processes:

| Process | Project Phase | Key Deliverables |
|---|---|---|
| Plan Risk Management | Planning | Risk Management Plan |
| Identify Risks | Planning | Risk register |
| Perform Qualitative Risk Analysis | Planning | Risk register updates |
| Perform Quantitative Risk Analysis | Planning | Risk register updates |
| Plan Risk Responses | Planning | Risk related contract decisions |
| Monitor and Control Risks | Monitoring and Controlling | Risk register updates |

Plan Risk Management
Plan Risk Management is the process of defining how to conduct risk management activities for a project. The key benefit of this process is that it ensures that the degree, type, and visibility of risk management are commensurate with both the risks and the importance of the project to the organization. The inputs, tools and techniques, and outputs of this process are:

| Input | Tools and Techniques | Output |
|---|---|---|
| Project management plan | Analytical techniques | Risk Management Plan |
| Project charter | Expert judgment | |
| Stakeholder register | Meetings | |
| Enterprise environmental factors | | |
| Organizational process assets | | |

Analytical techniques are used to understand and define the overall risk management context of the project. Risk management context is a combination of stakeholder risk attitudes and the strategic risk exposure of a given project based on the overall project context.

The risk management plan is a component of the project management plan and describes how risk management activities will be structured and performed. The risk management plan includes the following:
- Methodology. Defines the approaches, tools, and data sources that will be used to perform risk management on the project.
- Roles and responsibilities. Defines the lead, support, and risk management team members for each type of activity in the risk management plan, and clarifies their responsibilities.
- Budgeting. Estimates funds needed, based on assigned resources, for inclusion in the cost baseline and establishes protocols for application of contingency and management reserves.
- Timing. Defines when and how often the risk management processes will be performed throughout the project life cycle, establishes protocols for application of schedule contingency reserves, and establishes risk management activities for inclusion in the project schedule.
- Risk categories. Provide a means for grouping potential causes of risk. Several approaches can be used, for example, a structure based on project objectives by category. A risk breakdown structure (RBS) helps the project team to look at many sources from which project risk may arise in a risk identification exercise.
- Definitions of risk probability and impact. The quality and credibility of the risk analysis requires that different levels of risk probability and impact be defined that are specific to the project context.
- Probability and impact matrix. A probability and impact matrix is a grid for mapping the probability of each risk occurrence and its impact on project objectives if that risk occurs. Risks are prioritized according to their potential implications for having an effect on the project’s objectives.
- Revised stakeholders’ tolerances.
- Reporting formats. Reporting formats define how the outcomes of the risk management process will be documented, analyzed, and communicated.
- Tracking. Tracking documents how risk activities will be recorded for the benefit of the current project and how risk management processes will be audited.

Identify Risks
Identify Risks is the process of determining which risks may affect the project and documenting their characteristics. The key benefit of this process is the documentation of existing risks and the knowledge and ability it provides to the project team to anticipate events. The inputs, tools and techniques, and outputs of this process are:

| Input | Tools and Techniques | Output |
|---|---|---|
| Risk management plan | Documentation reviews | Risk register |
| Cost management plan | Information gathering techniques | |
| Schedule management plan | Checklist analysis | |
| Quality management plan | Assumptions analysis | |
| Human resource management plan | Diagramming techniques | |
| Scope baseline | SWOT analysis | |
| Activity cost estimates | Expert judgment | |
| Activity duration estimates | | |
| Stakeholder register | | |
| Project documents | | |
| Procurement documents | | |
| Enterprise environmental factors | | |
| Organizational process assets | | |

Participants in risk identification activities may include the following: project manager, project team members, risk management team (if assigned), customers, subject matter experts from outside the project team, end users, other project managers, stakeholders, and risk management experts. While these personnel are often key participants for risk identification, all project personnel should be encouraged to identify potential risks.

Information Gathering Techniques
Examples of information gathering techniques used in identifying risks can include:
- Brainstorming. The goal of brainstorming is to obtain a comprehensive list of project risks.
- Delphi technique. The Delphi technique is a way to reach a consensus of experts. Project risk experts participate in this technique anonymously. A facilitator uses a questionnaire to solicit ideas about the important project risks. The responses are summarized and are then recirculated to the experts for further comment. Consensus may be reached in a few rounds of this process. The Delphi technique helps reduce bias in the data and keeps any one person from having undue influence on the outcome.
- Interviewing. Interviewing experienced project participants, stakeholders, and subject matter experts helps to identify risks.
- Root cause analysis. Root-cause analysis is a specific technique used to identify a problem, discover the underlying causes that lead to it, and develop preventive action.

Checklist Analysis. Risk identification checklists are developed based on historical information and knowledge that has been accumulated from previous similar projects and from other sources of information.

Diagramming Techniques. Risk diagramming techniques may include:
- Cause and effect diagrams. These are also known as Ishikawa or fishbone diagrams and are useful for identifying causes of risks.
- System or process flow charts.
- Influence diagrams. These are graphical representations of situations showing causal influences, time ordering of events, and other relationships among variables and outcomes.

SWOT Analysis. This technique examines the project from each of the strengths, weaknesses, opportunities, and threats (SWOT) perspectives to increase the breadth of identified risks by including internally generated risks.

Risk Register. The risk register is a document in which the results of risk analysis and risk response planning are recorded. The preparation of the risk register begins in the Identify Risks process with the following information, and then becomes available to other project management and risk management processes:
- List of identified risks. The identified risks are described in as much detail as is reasonable.
- List of potential responses. Potential responses to a risk may sometimes be identified during the Identify Risks process. These responses, if identified in this process, should be used as inputs to the Plan Risk Responses process.

Perform Qualitative Risk Analysis
Perform Qualitative Risk Analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact. The key benefit of this process is that it enables project managers to reduce the level of uncertainty and to focus on high-priority risks. The inputs, tools and techniques, and outputs of this process are:

| Input | Tools and Techniques | Output |
|---|---|---|
| Risk management plan | Risk Probability and impact assessment | Project document updates |
| Scope baseline | Probability and impact matrix | |
| Risk register | Risk data quality assessment | |
| Enterprise environmental factors | Risk categorization | |
| Organizational process assets | Risk urgency assessment | |
| | Expert judgment | |

Risk probability assessment investigates the likelihood that each specific risk will occur.

Probability and Impact Matrix. Risks can be prioritized for further quantitative analysis and planning risk responses based on their risk rating. Ratings are assigned to risks based on their assessed probability and impact. Evaluation of each risk’s importance and priority for attention is typically conducted using a look-up table or a probability and impact matrix.

Risk data quality assessment is a technique to evaluate the degree to which the data about risks is useful for risk management.

Risk Categorization. Risks to the project can be categorized by sources of risk (e.g., using the RBS), the area of the project affected (e.g., using the WBS), or other useful categories (e.g., project phase) to determine the areas of the project most exposed to the effects of uncertainty. Risks can also be categorized by common root causes.

Risk Urgency Assessment. Risks requiring near-term responses may be considered more urgent to address. Indicators of priority may include probability of detecting the risk, time to affect a risk response, symptoms and warning signs, and the risk rating.

Perform Quantitative Risk Analysis
Perform Quantitative Risk Analysis is the process of numerically analyzing the effect of identified risks on overall project objectives. The key benefit of this process is that it produces quantitative risk information to support decision making in order to reduce project uncertainty. The inputs, tools and techniques, and outputs of this process are:

| Input | Tools and Techniques | Output |
|---|---|---|
| Risk management plan | Data gathering and representation techniques | Project document updates |
| Cost management plan | Quantitative risk analysis and modeling techniques | |
| Schedule management plan | Expert judgment | |
| Risk register | | |
| Enterprise environmental factors | | |
| Organizational process assets | | |

Data Gathering and Representation Techniques.
- Interviewing. Interviewing techniques draw on experience and historical data to quantify the probability and impact of risks on project objectives.
- Probability distributions. Continuous probability distributions, which are used extensively in modeling and simulation, represent the uncertainty in values such as durations of schedule activities and costs of project components.

Quantitative Risk Analysis and Modeling Techniques
Commonly used techniques use both event-oriented and project-oriented analysis approaches, including:
- Sensitivity analysis. Sensitivity analysis helps to determine which risks have the most potential impact on the project. One typical display of sensitivity analysis is the tornado diagram, which is useful for comparing relative importance and impact of variables that have a high degree of uncertainty to those that are more stable.
  [Figure: Example of Tornado Diagram]
- Expected monetary value analysis. Expected monetary value (EMV) analysis is a statistical concept that calculates the average outcome when the future includes scenarios that may or may not happen (i.e., analysis under uncertainty). The EMV of opportunities is generally expressed as positive values, while that of threats is expressed as negative values. EMV requires a risk-neutral assumption, neither risk averse nor risk seeking. EMV for a project is calculated by multiplying the value of each possible outcome by its probability of occurrence and adding the products together. A common use of this type of analysis is a decision tree analysis.
- Modeling and simulation. A project simulation uses a model that translates the specified detailed uncertainties of the project into their potential impact on project objectives. Simulations are typically performed using the Monte Carlo technique. In a simulation, the project model is computed many times (iterated), with the input values (e.g., cost estimates or activity durations) chosen at random for each iteration from the probability distributions of these variables. A histogram (e.g., total cost or completion date) is calculated from the iterations. For a cost risk analysis, a simulation uses cost estimates. For a schedule risk analysis, the schedule network diagram and duration estimates are used. The output from a cost risk simulation using the three-element model and risk ranges is shown in Figure. It illustrates the respective probability of achieving specific cost targets. Similar curves can be developed for other project objectives.
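
The EMV calculation and the Monte Carlo cost simulation described in the list above, combined in one added example that is not part of the original page. The cost elements, three-point estimates and risk events are constructed sample values, and the triangular distribution is an assumed choice for the three-point model.

```python
import random
import statistics

# Constructed sample data (not from the page): three-point cost estimates
# (low, most likely, high) per cost element, in thousands.
COST_ELEMENTS = {
    "design": (40, 50, 70),
    "build": (120, 150, 220),
    "test": (30, 40, 65),
}
# Constructed discrete risk events: (probability, cost impact). A threat adds
# cost; an opportunity has a negative cost impact (a saving).
RISK_EVENTS = {
    "vendor delay": (0.30, 40),
    "rework after audit": (0.10, 80),
    "reuse of existing module": (0.20, -25),
}

def emv(events):
    """EMV = sum of probability x value; threats count as negative values."""
    return sum(p * -impact for p, impact in events.values())

def simulate_total_cost(iterations=20000, seed=1):
    """Monte Carlo: recompute the cost model with random inputs each time."""
    rng = random.Random(seed)
    totals = []
    for _ in range(iterations):
        # Draw each cost element from its assumed triangular distribution.
        total = sum(rng.triangular(lo, hi, ml)
                    for lo, ml, hi in COST_ELEMENTS.values())
        # Each risk event fires independently with its own probability.
        total += sum(impact for p, impact in RISK_EVENTS.values()
                     if rng.random() < p)
        totals.append(total)
    return sorted(totals)

def prob_within(totals, target):
    """Share of iterations whose total cost is at or below a cost target."""
    return sum(t <= target for t in totals) / len(totals)

def cost_at_confidence(totals, confidence):
    """Cost not exceeded in `confidence` of the iterations (0.8 gives P80)."""
    return totals[min(len(totals) - 1, int(confidence * len(totals)))]

if __name__ == "__main__":
    totals = simulate_total_cost()
    most_likely = sum(ml for _, ml, _ in COST_ELEMENTS.values())
    print(f"EMV of risk events: {emv(RISK_EVENTS):+.1f}")
    print(f"Mean simulated cost: {statistics.mean(totals):.1f}")
    print(f"P(cost <= most-likely sum {most_likely}): "
          f"{prob_within(totals, most_likely):.0%}")
    for c in (0.5, 0.8, 0.95):
        print(f"P{int(c * 100)} cost: {cost_at_confidence(totals, c):.1f}")
```

The gap between the sum of most-likely estimates and the P80 cost is one way to size a contingency reserve for the known risks.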

Project Documents Updates. Project documents are updated with information resulting from quantitative risk analysis. For example, risk register updates could include:
- Probabilistic analysis of the project. Estimates are made of potential project schedule and cost outcomes listing the possible completion dates and costs with their associated confidence levels.
- Probability of achieving cost and time objectives. With the risks facing the project, the probability of achieving project objectives under the current plan can be estimated using quantitative risk analysis results.
- Prioritized list of quantified risks. This list includes those risks that pose the greatest threat or present the greatest opportunity to the project.
- Trends in quantitative risk analysis results. As the analysis is repeated, a trend may become apparent that leads to conclusions affecting risk responses.

Plan Risk Responses
Plan Risk Responses is the process of developing options and actions to enhance opportunities and to reduce threats to project objectives. The key benefit of this process is that it addresses the risks by their priority, inserting resources and activities into the budget, schedule and project management plan as needed. The inputs, tools and techniques, and outputs of this process are:

| Input | Tools and Techniques | Output |
|---|---|---|
| Risk management plan | Strategies for negative risk or threats | Project management plan updates |
| Risk register | Strategies for positive risks or opportunities | Project document updates |
| | Contingent response strategies | |
| | Expert judgment | |

Strategies for Negative Risks or Threats. Three strategies, which typically deal with threats or risks that may have negative impacts on project objectives if they occur, are: avoid, transfer, and mitigate. The fourth strategy, accept, can be used for negative risks or threats as well as positive risks or opportunities. Avoidance and mitigation strategies are usually good strategies for critical risks with high impact, while transference and acceptance are usually good strategies for threats that are less critical and with low overall impact. The four strategies for dealing with negative risks or threats are further described as follows:
- Avoid. Risk avoidance is a risk response strategy whereby the project team acts to eliminate the threat or protect the project from its impact. It usually involves changing the project management plan to eliminate the threat entirely. The project manager may also isolate the project objectives from the risk’s impact or change the objective that is in jeopardy.
- Transfer. Risk transference is a risk response strategy whereby the project team shifts the impact of a threat to a third party, together with ownership of the response. Transferring the risk simply gives another party responsibility for its management; it does not eliminate it.
- Mitigate. Risk mitigation is a risk response strategy whereby the project team acts to reduce the probability of occurrence or impact of a risk. It implies a reduction in the probability and/or impact of an adverse risk to be within acceptable threshold limits. Taking early action to reduce the probability and/or impact of a risk occurring on the project is often more effective than trying to repair the damage after the risk has occurred.
- Accept. Risk acceptance is a risk response strategy whereby the project team decides to acknowledge the risk and not take any action unless the risk occurs. This strategy is adopted where it is not possible or cost-effective to address a specific risk in any other way.

Strategies for Positive Risks or Opportunities. Three of the four responses are suggested to deal with risks with potentially positive impacts on project objectives. The fourth strategy, accept, can be used for negative risks or threats as well as positive risks or opportunities. These strategies, described below, are to exploit, share, enhance, and accept.
- Exploit. The exploit strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized.
- Enhance. The enhance strategy is used to increase the probability and/or the positive impacts of an opportunity.
- Share. Sharing a positive risk involves allocating some or all of the ownership of the opportunity to a third party who is best able to capture the opportunity for the benefit of the project.
- Accept. Accepting an opportunity is being willing to take advantage of the opportunity if it arises, but not actively pursuing it.

Control Risks
Control Risks is the process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project. The key benefit of this process is that it improves efficiency of the risk approach throughout the project life cycle to continuously optimize risk responses. The inputs, tools and techniques, and outputs of this process are:

| Input | Tools and Techniques | Output |
|---|---|---|
| Project management plan | Risk reassessment | Work performance information |
| Risk register | Risk audits | Change requests |
| Work performance data | Variance and trend analysis | Project management plan updates |
| Work performance reports | Technical performance measurement | Project documents updates |
| | Reserve analysis | Organizational process assets updates |
| | Meetings | |