
11.0 Project Risk Management

Project Risk Management includes all the processes involved in risk identification, regulation, and mitigation on a project. The objective is to increase the likelihood of positive risks (opportunities) and decrease the likelihood of negative risks (threats). 
Here are some key concepts for this Knowledge Area:
§  Uncertainty – Uncertainty is a lack of knowledge about an event that reduces confidence in conclusions drawn from the data
§  Risk factors – When looking at risks, one should determine
o    The probability that it will occur (what)
o    The range of possible outcomes (impact and amount at stake)
o    Expected time (when) in the project life cycle
o    The anticipated frequency of risk events from the source (how often)
§  Risk averse – Someone who does not want to take risks
§  Risk tolerance – How much risk someone can tolerate/withstand
§  Risk threshold – The risk threshold determines at which point the risk becomes unacceptable to stakeholders
§  Risk appetite – Degree of uncertainty an entity is willing to take on in anticipation of a reward
§  Project manager’s role –
o    Monitor and control the various aspects of the project
o    Look for deviations from the trend and react early
o    Keep stakeholders informed of project progress
§  Known risks (identified) – Risks that have been identified; if known risks cannot be managed, they can be mitigated with the contingency reserve
§  Unknown risks (unidentified) – Risks that have not been identified; if unknown risks occur on the project, they can be handled with the management reserve
§  Non-event-based risks
  • Ambiguity risk – handled by benchmarking, prototyping, simulation
  • Variability risk – represented by Monte Carlo analysis
There are 6 processes within this Knowledge Area, and they are:
11.1 Plan Risk Management
11.2 Identify Risks
11.3 Perform Qualitative Risk Analysis
11.4 Perform Quantitative Risk Analysis
11.5 Plan Risk Responses
11.6 Implement Risk Responses
11.7 Monitor Risks

11.1 Plan Risk Management
Plan Risk Management is the process of defining how risk management activities will be conducted on the project.
The main output of this process is the Risk Management Plan. The components of this plan include the following:
·         Methodology
o    This section defines how you will perform risk management for the particular project. Remember to adapt to the needs of each project.
o    Low priority projects will likely warrant less of a risk management effort than high priority projects
·         Roles and responsibilities
o    Who will do what?
o    Did you realize that non-team members may have roles and responsibilities regarding risk management?
·         Budgeting
o    This section includes the cost for the risk management process
o    Realize the cost of doing risk management, but also realize risk management saves time and money overall by avoiding and reducing threats
·         Timing
o    This section talks about when to do risk management for the project
o    Risk management should start as soon as you have the appropriate inputs and should be repeated throughout the life of the project, since new risks can be identified as the project progresses and the degree of risk may change
·         Risk categories
·         Definition of probability and impact
o    Would everyone who rates the probability a 7 in qualitative risk analysis mean the same thing?
o    A person who is risk averse might think of 7 as very high, while someone who is risk prone might think 7 as a low figure. The definitions and the probability and impact matrix help standardize these interpretations and also help compare risks between projects
·         Stakeholder tolerances
o    What if the stakeholders have a low risk tolerance for cost overruns? That information would be taken into account to rank cost impacts higher than they would if the low tolerance was in another area
o    Tolerance should not be implied, but uncovered in project initiating and clarified or refined continually
·         Reporting formats
o    This describes any reports related to risk management that will be used and what they will include
·         Tracking
o    Take this to mean how the risk process will be audited, and the documents of what happens with risk management activities
On your project, you may identify hundreds (and maybe even thousands) of risks. When you have a large project with a large number of risks, you need to categorize them to make them easier to manage. Below are some categorizations and types of risks.
Risk categories:
·         External – regulatory, environmental, government, market shifts
·         Internal – time, cost, scope changes; inexperience; poor planning
·         Technical – changes in technology
·         Unforeseeable – only a small portion of risks (some say about 10%) are actually unforeseeable
·         Work package – group risks based on which work package they are in
·         Root cause – group risks based on the same root cause
Types of risk:
Business risk – risk of gain or loss
Pure (insurable) risk – only a risk of loss
11.2 Identify Risks
Identify Risks is the process of determining which risks may affect the project and documenting their characteristics. Everyone on the project team should be encouraged to participate in this process.
The tools and techniques of this process are:
Expert Judgement
Meetings
Interpersonal & Team Skills - Facilitation
Data Analysis
  • Document Analysis
    • The project artifacts, including the project charter and procurement contracts, can help identify risks.
  • Root Cause Analysis
  • SWOT analysis
    • This analysis identifies the project’s strengths and weaknesses (internal) as well as opportunities and threats (external)
  • Assumptions & Constraint analysis
    • Analyzing what assumptions have been made on the project may lead to the identification of risks
Data gathering techniques
  • Brainstorming
  • Delphi technique (Removed from PMBoK)
    • A request for information is sent to all experts, their responses are compiled, and the results are sent back to them for further review until consensus is reached
  • Interviewing
  • Checklist
    • Based on historical information
    • The lowest level of the RBS (risk breakdown structure) can also be used as a risk checklist
    • The checklist is used to help identify specific risks within each category
The outputs of this process are the Risk Register and the Risk Report. The risk register is the place where most of the risk information is kept. At this point in the risk management process, the risk register includes:
Lists of risks
Root causes of risk
  • Root causes of risks are documented
Risk categories
Potential risk responses
  • There will be times when a response is identified at the same time as a risk
  • These responses should be added to the risk register as they are identified
  • The responses are analyzed and finalized during the Plan Risk Responses process

11.3 Perform Qualitative Risk Analysis
Perform Qualitative Risk Analysis is the process of prioritizing risks for further analysis. This process assesses the risks’ probability of occurrence and impact (subjective analysis). The key benefit of this process is that it identifies the high priority risks and allows the project team to focus on those.
Here are some key concepts for this process:
·         Risk analysis
o    Qualitative risk analysis is a subjective analysis of risks
o    To perform this analysis, the following is determined:
§  The probability of each risk occurring, using a standard scale such as low, medium, high or 1 to 10
§  The impact (amount at stake or consequences, positive or negative) of each risk occurring, using a standard scale such as low, medium, high or 1 to 10
o    Probability & impact assessments examine:
§  Likelihood that a risk will occur
§  Impact on project objectives (e.g. schedule, cost, quality, etc.)
o    Probability and impact matrix can be used to prioritize risks for quantitative analysis
§  Uses subjective measurements, such as ‘very high’, ‘high’, ‘medium’, ‘low’, or ‘very low’
o    Risks with low ratings should be included on a watch list and tracked to ensure their ratings did not change
o    Risk data quality assessment is a technique of evaluating whether the data available for the risks is comprehensive and useful. Risk data quality assessment may include:
§  Understanding of the risk
§  Data available about the risk
§  Quality of the data
§  Reliability and integrity of the data
11.4 Perform Quantitative Risk Analysis
The Perform Quantitative Risk Analysis process analyzes the numerical impact of identified risks on project deliverables. It is only used for high priority risks.
The purpose of quantitative risk analysis is to:
·         Determine which risk events warrant a response
·         Determine overall project risk (exposure)
·         Determine the quantified probability of meeting project objectives
·         Determine cost and schedule reserves
·         Identify risks requiring the most attention
·         Create realistic and achievable costs, schedule or scope targets
Quantitative probability and impact can be determined in various ways, including the following:
·         Interviewing
·         Cost and time estimation
·         Delphi technique
·         Use of historical records from previous projects
·         Expert judgement
·         Expected monetary value analysis
·         Monte Carlo analysis
·         Decision tree
Quantitative risk analysis and modeling techniques
·         Decision trees – diagram shows key interaction among decisions and associated chance events. Decisions are shown as boxes and chances are shown as circles.
o    Can take future events into account for decision making
·         EMV
o    Sum of probability times the expected outcome
o    Calculates the average outcome
·         Simulation – analyze the behavior of the system. Most common is the schedule simulation which uses the project network as the model based on the Monte Carlo analysis
·         Monte Carlo Analysis – performs the project many times to provide a statistical distribution of the calculated results to quantify the risk of various schedule alternatives
·         Monte Carlo analysis is used for:
o    Evaluating overall risk in the project
o    Determining the probability of completing the project on any specific date or for any specific cost
o    Determining the probability of any activity actually being on the critical path
o    Translating uncertainties into impacts to the total project
o    Calculating in a probability distribution
·         Impact Analysis – what is the likelihood the event will occur vs. the severity of the impact on the project if it does occur
·         Sensitivity analysis
o    Places value on the impact of changing a single variable
o    Helps determine which risks have the most potential impact on the project (Tornado diagram)
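The Monte Carlo uses listed above (probability of finishing by a given date, probability of an activity being on the critical path) can be seen in a small schedule simulation. This is an added example, not part of the original notes; the four-activity network, its three-point estimates and the function names are constructed for illustration.

```python
import random

# Constructed sample network (an assumption, not from the notes above):
# activity -> (predecessors, (optimistic, most likely, pessimistic) days).
# Entries are listed in dependency order, which the forward pass relies on.
NETWORK = {
    "A": ([], (2, 4, 8)),
    "B": (["A"], (3, 5, 12)),
    "C": (["A"], (4, 6, 8)),
    "D": (["B", "C"], (1, 2, 4)),
}

def simulate_once(network, rng):
    """Sample every duration once; return (project finish, critical activities)."""
    finish, driver = {}, {}
    for name, (preds, (low, mode, high)) in network.items():
        duration = rng.triangular(low, high, mode)
        # The predecessor that finishes last determines when this activity starts.
        latest = max(preds, key=lambda p: finish[p], default=None)
        driver[name] = latest
        finish[name] = (finish[latest] if latest else 0.0) + duration
    # Walk back from the last activity to recover this run's critical path.
    node, critical = max(finish, key=finish.get), set()
    end = node
    while node is not None:
        critical.add(node)
        node = driver[node]
    return finish[end], critical

def monte_carlo(network, runs=5000, seed=1):
    """Run the project many times; return sorted durations and criticality index."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    durations, hits = [], {name: 0 for name in network}
    for _ in range(runs):
        total, critical = simulate_once(network, rng)
        durations.append(total)
        for name in critical:
            hits[name] += 1
    return sorted(durations), {n: c / runs for n, c in hits.items()}

def prob_finish_by(durations, deadline):
    """Fraction of simulated runs that finish on or before the deadline."""
    return sum(d <= deadline for d in durations) / len(durations)

if __name__ == "__main__":
    runs, criticality = monte_carlo(NETWORK)
    print("P(finish <= 16 days):", prob_finish_by(runs, 16))
    print("Criticality index:", criticality)
```

The criticality index for B and C shows how often each parallel branch drives the finish date, which a single deterministic critical-path calculation cannot show.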
11.5 Plan Risk Responses
The Plan Risk Responses process develops options and actions to enhance opportunities and reduce threats to project objectives.
The choices of response strategies for threats include:
·         Avoid
o    Eliminate the threat by eliminating the root cause
o    E.g. reduce scope or remove the work package
·         Mitigate
o    Reduce probability or the impact of a threat
o    Options for reducing the probability are looked for separately from options for reducing the impact
o    Any reduction will make a difference, but the option with the most probability and/or impact reduction is often the option selected
·         Transfer (deflect – allocate)
o    Make another party responsible for the risk by purchasing insurance, performance bonds, warranties, guarantees, or outsourcing work
o    One must complete risk assessment before a contract can be signed
o    Transfer of risk is included in terms and conditions of the contract
The choices for response strategies for opportunities include:
·         Exploit
o    Add work or change the project to make sure the opportunity occurs
·         Enhance
o    Increase the likelihood (probability) and/or positive impacts of the risk event
·         Share
o    Allocate ownership of the opportunity to a third party (forming a partnership, team, or joint venture) that is best able to achieve the opportunity
A response strategy for both threats and opportunities is:
·         Accept
o    Active acceptance may involve the creation of contingency plans to be implemented if the risk occurs and the allocation of time and cost reserves to the project
o    Passive acceptance leaves actions to be determined as needed, if (after) the risk occurs
o    A decision to accept a risk must be communicated to stakeholders
11.6 Implement Risk Responses
Key concepts for this process:
·         Contingency plans/Fall back plans are plans to follow when the risk becomes an issue.
·         Residual risk – the risk that remains after the contingency plan has been implemented.
·         Low priority tasks are put onto a watch list and revisited periodically.
·         Risk is the most important item during project team meetings.
11.7 Monitor Risks
Monitor Risks is the process of implementing the risk response plans, tracking identified risks, monitoring residual risks, and evaluating the risk processes’ effectiveness.
Here are the key concepts and terms you need to understand for this process:
·         Risk audits
o    An audit that ensures your project team is following the organization’s risk processes, including identifying risks and creating mitigation plans for high priority risks.
o    Examine and document the effectiveness of risk responses.
o    Develop organizational best practices.
·         Workarounds
o    Whereas contingency responses are developed in advance, workarounds are unplanned responses developed to deal with the occurrence of unanticipated risk events.
o    When the project deviates from the baseline, the team may need to take corrective action.
·         Risk assessments
o    The project team needs to periodically review the risk management plan and risk register and adjust them as required
o    Risk management is an iterative process
·         Contingency reserve
o    The budget set aside to handle specific risks if they do occur
·         Reserve analysis
o    Analyzing how much money you have left in the reserves and how much you may need in the future
