Project Risk Management
Includes the processes of conducting risk management planning, identification, analysis, response planning, and monitoring and control on a project
Objectives of Project Risk Management
Increase the probability and impact of positive events, and decrease the probability and impact of negative events in the project
Characteristics of Risk
• Project risk is always in the future
• A risk may have one or more causes and, if it occurs, it may have one or more impacts. A cause may be a requirement, assumption, constraint, or condition that creates the possibility of negative or positive outcomes.
• Project risk has its origins in the uncertainty present in all projects
• Organizations perceive risk as the effect of uncertainty on their project and organizational objectives
• Individuals and groups adopt attitudes toward risk that influence the way they respond. These risk attitudes are driven by perception, tolerances, and other biases, which should be made explicit wherever possible
• A consistent approach to risk should be developed for each project, and communication about risk and its handling should be open and honest
• A conscious choice must be made at all levels of the organization to actively identify and pursue effective risk management during the life of the project.
• Risk exists the moment a project is conceived.
Moving forward on a project without a proactive focus on risk management increases the impact that a realized risk can have on the project and can potentially lead to project failure
an uncertain event or condition that, if it occurs, has an effect on at least one project objective. Objectives can include scope, schedule, cost, and quality
Risk Conditions can include
aspects of the project’s or organization’s environment that may contribute to project risk, such as
• immature project management practices,
• lack of integrated management systems,
• concurrent multiple projects, or
• dependency on external participants who cannot be controlled
those that have been identified and analyzed, making it possible to plan responses for those risks
Specific Unknown Risks
cannot be managed proactively, which suggests that the project team should create a contingency plan
A project risk that has occurred
Organizations and stakeholders are willing to accept varying degrees of risk. Risks that are threats to the project may be accepted if the risks are within tolerances and are in balance with the rewards that may be gained by taking the risks
reflect an organization’s perceived balance between risk taking and risk avoidance
Project Risk Management Processes
11.1 Plan Risk Management
11.2 Identify Risks
11.3 Perform Qualitative Risk Analysis
11.4 Perform Quantitative Risk Analysis
11.5 Plan Risk Responses
11.6 Monitor and Control Risks
Plan Risk Management Process Group
Planning Process Group
Identify Risks Process Group
Planning Process Group
Perform Qualitative Risk Analysis Process Group
Planning Process Group
Perform Quantitative Risk Analysis Process Group
Planning Process Group
Plan Risk Responses Process Group
Planning Process Group
Monitor and Control Risks Process Group
Monitor and Controlling Process Group
Plan Risk Management
The process of defining how to conduct risk management activities for a project
Characteristics of Plan Risk Management
• Careful and explicit planning enhances the probability of success for the five other risk management processes.
• Is important to ensure that the degree, type, and visibility of risk management are commensurate with both the risks and the importance of the project to the organization.
• Planning is also important to provide sufficient resources and time for risk management activities, and to establish an agreed-upon basis for evaluating risks.
• Should begin as a project is conceived and should be completed early during project planning
Inputs to Plan Risk Management
1. Project Scope Statement
2. Project Cost Management Plan
3. Schedule Management Plan
4. Communications Management Plan
5. Enterprise Environmental Factors
6. Organizational Process Assets
Tools and Techniques for Plan Risk Management
1. Planning Meetings and Analysis
Outputs of Plan Risk Management
1. Risk Management Plan
Project Scope Statement Use in Plan Risk Management
Provides a clear sense of the range of possibilities associated with the project and its deliverables and establishes the framework for how significant the risk management effort may ultimately become
Project Cost Management Plan Use in Plan Risk Management
Defines how risk budgets, contingencies, and management reserves will be reported and accessed
Schedule Management Plan Use in Plan Risk Management
Defines how schedule contingencies will be reported and assessed
Communications Management Plan Use in Plan Risk Management
Defines the interactions that will occur on the project, and determines who will be available to share information on various risks and responses at different times (and locations)
Plan Risk Management: Enterprise Environmental Factors
• Risk attitudes and tolerances that describe the degree of risk that an organization will withstand
Plan Risk Management: Organizational Process Assets
• Risk categories,
• Common definitions of concepts and terms,
• Risk statement formats,
• Standard templates,
• Roles and responsibilities,
• Authority levels for decision-making,
• Lessons learned, and
• Stakeholder registers, which are also critical assets to be reviewed as components of establishing effective risk management plans
Planning Meetings and Analysis
• Project teams hold planning meetings to develop the risk management plan.
• Attendees at these meetings may include the project manager, selected project team members and stakeholders, anyone in the organization with responsibility to manage the risk planning and execution activities, and others, as needed
• High-level plans for conducting the risk management activities are defined in these meetings.
• Risk management cost elements and schedule activities will be developed for inclusion in the project budget and schedule, respectively.
• Risk contingency reserve application approaches may be established or reviewed.
• Risk management responsibilities will be assigned.
• General organizational templates for risk categories and definitions of terms such as levels of risk, probability by type of risk, impact by type of objectives, and the probability and impact matrix will be tailored to the specific project.
• If templates for other steps in the process do not exist they may be generated in these meetings.
• The outputs of these activities will be summarized in the risk management plan
Risk Management Plan
Describes how risk management will be structured and performed on the project. It becomes a subset of the project management plan
Components of the Risk Management Plan
• Roles and responsibilities
• Risk categories
• Definitions of risk probabilities and impact
• Probability and impact matrix
• Revised stakeholders’ tolerances
• Reporting formats
Risk Management Plan: Methodology
Defines the approaches, tools, and data sources that may be used to perform risk management on the project
Risk Management Plan: Roles and Responsibilities
Defines the lead, support, and risk management team members for each type of activity in the risk management plan, and clarifies their responsibilities
Risk Management Plan: Budgeting
Assigns resources, estimates funds needed for risk management for inclusion in the cost performance baseline, and establishes protocols for application of contingency reserve
Risk Management Plan: Timing
Defines when and how often the risk management process will be performed throughout the project life cycle, establishes protocols for application of schedule contingency reserves, and establishes risk management activities to be included in the project schedule
Risk Management Plan: Risk Categories
Provides a structure that ensures a comprehensive process of systematically identifying risks to a consistent level of detail and contributes to the effectiveness and quality of the Identify Risks process
Characteristics of Risk Categories
• An organization can use a previously prepared categorization framework which might take the form of a simple list of categories or might be structured into a Risk Breakdown Structure (RBS).
• The RBS is a hierarchically organized depiction of the identified project risks arranged by risk category and subcategory that identifies the various areas and causes of potential risks
Risk Management Plan: Definitions of Risk Probabilities and Impact
The quality and credibility of the Perform Qualitative Risk Analysis process requires that different levels of the risks’ probabilities and impacts be defined. General definitions of probability levels and impact levels are tailored to the individual project during the Plan Risk Management process for use in the Perform Qualitative Risk Analysis process
Risk Management Plan: Probability and Impact Matrix
Risks are prioritized according to their potential implications for having an effect on the project’s objectives. A typical approach to prioritizing risks is to use a look-up table or a Probability and Impact Matrix
The specific combinations of probability and impact that lead to a risk being rated as “high,” “moderate,” or “low” importance, with the corresponding importance for planning responses to the risk are usually set by the organization
Risk Management Plan: Revised Stakeholders’ Tolerances
Stakeholders’ tolerances, as they apply to the specific project, may be revised in the Plan Risk Management process
Risk Management Plan: Reporting Formats
Defines how the outcomes of the risk management processes will be documented, analyzed, and communicated. It describes the content and format of the risk register as well as any other risk reports required
Risk Management Plan: Tracking
Documents how risk activities will be recorded for the benefit of the current project, as well as for future needs and lessons learned, as well as whether and how risk management processes will be audited
The process of determining which risks may affect the project and documenting their characteristics
Characteristics of Identify Risks
• Participants in risk identification activities can include the following: project manager, project team members, risk management team (if assigned), customers, subject matter experts from outside the project team, end users, other project managers, stakeholders, and risk management experts.
• While these personnel are often key participants for risk identification, all project personnel should be encouraged to identify risks.
• Identify Risks is an iterative process because new risks may evolve or become known as the project progresses through its life cycle.
• The frequency of iteration and who participates in each cycle will vary by situation.
• The format of the risk statements should be consistent to ensure the ability to compare the relative effect of one risk event against others on the project.
• The process should involve the project team so they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions.
• Stakeholders outside the project team may provide additional objective information
Inputs to Identify Risks
1. Risk Management Plan
2. Activity Cost Estimates
3. Activity Duration Estimates
4. Scope Baseline
5. Stakeholder Register
6. Cost Management Plan
7. Schedule Management Plan
8. Quality Management Plan
9. Project Documents
10. Enterprise Environmental Factors
11. Organizational Process Assets
Tools and Techniques for Identify Risks
1. Documentation Reviews
2. Information Gathering Techniques
3. Checklist Analysis
4. Assumptions Analysis
5. Diagramming Techniques
6. SWOT Analysis
7. Expert Judgement
Outputs of Identify Risks
1. Risk Register
Risk Management Plan Use in Identify Risks
Are the assignments of roles and responsibilities, provision for risk management activities in the budget and schedule, and categories of risk, which are sometimes expressed in a risk breakdown structure
Activity Cost Estimates Use in Identify Risks
• Reviews are useful in identifying risk as they provide a quantitative assessment of the likely cost to complete scheduled activities and ideally are expressed as a range, with the width of the range indicating the degree(s) of risk.
• The review may result in projections indicating the estimate is either sufficient or insufficient to complete the activity (and hence pose a risk to the project)
Activity Duration Estimates Use in Identify Risks
• Reviews are useful in identifying risks related to the time allowances for the activities or project as a whole, again with the width of the range of such estimates indicating the relative degree(s) of risk
Scope Baseline Use in Identify Risks
• Project assumptions are found in the project scope statement
• Uncertainty in project assumptions should be evaluated as potential causes of project risk.
• The WBS is a critical input to identifying risks as it facilitates an understanding of the potential risks at both the micro and macro levels.
• Risks can be identified and subsequently tracked at summary, control account, and/or work package levels
Stakeholder Register Use in Identify Risks
Information about the stakeholders will be useful in soliciting inputs for identifying risks as this will ensure that key stakeholders, especially the customer, are interviewed or otherwise participate during the “Identify Risks” process
Cost Management Plan Use in Identify Risks
The risk identification process requires an understanding of the cost management plans found in the project management plan. The project-specific approach to cost management may generate or alleviate risk by its nature or structure
Schedule Management Plan Use in Identify Risks
The risk identification process also requires an understanding of the schedule management plan found in the project management plan. The project-specific approach to schedule management may generate or alleviate risk by its nature or structure
Quality Management Plan Use in Identify Risks
The risk identification process also requires an understanding of the quality management plan found in the project management plan. The project-specific approach to quality management may generate or alleviate risk by its nature or structure.
Project Documents Use in Identify Risks
• Assumptions log,
• Work performance reports,
• Earned value reports,
• Network diagrams,
• Baselines, and
• Other project information proven to be valuable in identifying risks
Identify Risks: Enterprise Environmental Factors
• Published information, including commercial databases,
• Academic studies,
• Published checklists,
• Industry studies, and
• Risk attitudes
Identify Risks: Organizational Process Assets
• Project files, including actual data,
• Organizational and project process controls,
• Risk statement templates, and
• Lessons learned
Documentation Reviews Use in Identify Risks
• A structured review may be performed of project documentation, including plans, assumptions, previous project files, contracts, and other information.
• The quality of the plans, as well as consistency between those plans and the project requirements and assumptions, can be indicators of risk in the project
Information Gathering Techniques
• Delphi Technique
• Root Cause Analysis
Brainstorming Use in Identify Risks
• The goal of brainstorming is to obtain a comprehensive list of project risks.
• The project team usually performs brainstorming, often with a multidisciplinary set of experts who are not part of the team.
• Ideas about project risk are generated under the leadership of a facilitator, either in a traditional free-form brainstorm session with ideas contributed by participants, or structured using mass interviewing techniques such as the nominal group technique.
• Categories of risk, such as a risk breakdown structure, can be used as a framework.
• Risks are then identified and categorized by type of risk and their definitions are sharpened
Delphi Technique Use in Identify Risks
• The Delphi technique is a way to reach a consensus of experts.
• Project risk experts participate in this technique anonymously.
• A facilitator uses a questionnaire to solicit ideas about the important project risks.
• The responses are summarized and are then recirculated to the experts for further comment.
• Consensus may be reached in a few rounds of this process.
• The Delphi technique helps reduce bias in the data and keeps any one person from having undue influence on the outcome
Interviewing Use in Identify Risks
Interviewing experienced project participants, stakeholders, and subject matter experts can identify risks
Root Cause Analysis Use in Identify Risks
Root cause analysis is a specific technique to identify a problem, discover the underlying causes that lead to it, and develop preventive action
Checklist Analysis Use in Identify Risks
• Risk identification checklists can be developed based on historical information and knowledge that has been accumulated from previous similar projects and from other sources of information
• The lowest level of the RBS can also be used as a risk checklist.
• While a checklist can be quick and simple, it is impossible to build an exhaustive one.
• The team should make sure to explore items that do not appear on the checklist.
• The checklist should be reviewed during project closure to incorporate new lessons learned and improve it for use on future projects
Assumptions Analysis Use in Identify Risks
• Every project and every identified project risk is conceived and developed based on a set of hypotheses, scenarios, or assumptions.
• Assumptions analysis explores the validity of assumptions as they apply to the project.
• It identifies risks to the project from inaccuracy, instability, inconsistency, or incompleteness of assumptions
Diagramming Techniques for Identify Risks
• Cause and Effect Diagrams
• System or Process Flow Diagrams
• Influence Diagrams
Cause and Effect Diagrams Use in Identify Risks
These are also known as Ishikawa or fishbone diagrams, and are useful for identifying causes of risks
System or Process Flow Diagrams Use in Identify Risks
These show how various elements of a system interrelate, and the mechanism of causation
Influence Diagrams Use in Identify Risks
These are graphical representations of situations showing causal influences, time ordering of events, and other relationships among variables and outcomes
Examines the project from each of the SWOT (strengths, weaknesses, opportunities, and threats) perspectives to increase the breadth of identified risks by including internally generated risks
strengths, weaknesses, opportunities, and threats
SWOT Analysis Use in Identify Risks
• The technique starts with identification of strengths and weaknesses of the organization, focusing on either the project organization or the wider business.
• These factors are often identified using brainstorming.
• SWOT analysis then identifies any opportunities for the project that arise from organizational strengths, and any threats arising from organizational weaknesses.
• SWOT analysis also examines the degree to which organizational strengths offset threats and opportunities that may serve to overcome weaknesses
Identify Risks: Expert Judgement Sources
• Risks can be identified directly by experts with relevant experience of similar projects or business areas.
• Such experts should be identified by the project manager and invited to consider all aspects of the project and suggest possible risks based on their previous experience and areas of expertise.
• The experts’ bias should be taken into account in this process
Contains the outcomes of the other risk management processes as they are conducted, resulting in an increase in the level and type of information contained in the risk register over time
Components of the Risk Register
• List of identified risks
• List of potential responses
• Secondary risks
• Residual risks
List of Identified Risks
• The identified risks are described in as much detail as is reasonable.
• A simple structure for risks in the list may be applied, such as EVENT may occur, causing IMPACT, or If CAUSE, EVENT may occur, leading to EFFECT.
• In addition to the list of identified risks, the root causes of those risks may become more evident.
These are the fundamental conditions or events that may give rise to one or more identified risks. They should be recorded and used to support future risk identification for this and other projects.
List of Potential Responses
• Potential responses to a risk may sometimes be identified during the Identify Risks process.
• These responses, if identified in this process, may be useful as inputs to the Plan Risk Responses process
Perform Qualitative Risk Analysis
The process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact
Characteristics of Perform Qualitative Risk Analysis
• Organizations can improve the project’s performance by focusing on high-priority risks.
• Assesses the priority of identified risks using their relative probability or likelihood of occurrence, the corresponding impact on project objectives if the risks occur, as well as other factors such as the time frame for response and the organization’s risk tolerance associated with the project constraints of cost, schedule, scope, and quality.
• Such assessments reflect the attitude of the project team and other stakeholders to risk.
• Effective assessment therefore requires explicit identification and management of the risk attitudes of key participants in process.
• Where these risk attitudes introduce bias into the assessment of identified risks, attention should be paid to evaluating bias and correcting for it.
• Establishing definitions of the levels of probability and impact can reduce the influence of bias.
• The time criticality of risk-related actions may magnify the importance of a risk.
• An evaluation of the quality of the available information on project risks also helps clarify the assessment of the risk’s importance to the project.
• Is usually a rapid and cost-effective means of establishing priorities for Plan Risk Responses and lays the foundation for Perform Quantitative Risk Analysis, if required.
• Should be revisited during the project’s life cycle to stay current with changes in the project risks.
• This process can lead into Perform Quantitative Risk Analysis or directly into Plan Risk Responses
Inputs to Perform Qualitative Risk Analysis
1. Risk Register
2. Risk Management Plan
3. Project Scope Statement
4. Organizational Process Assets
Tools and Techniques for Perform Qualitative Analysis
1. Risk Probability and Impact Assessment
2. Probability and Impact Matrix
3. Risk Data Quality Assessment
4. Risk Categorization
5. Risk Urgency
6. Expert Judgement
Outputs of Perform Qualitative Analysis
1. Risk Register Updates
Risk Management Plan Use in Perform Qualitative Analysis
• Key elements of the risk management plan for Perform Qualitative Risk Analysis include roles and responsibilities for conducting risk management, budgets, schedule activities for risk management, risk categories, definitions of probability and impact, the probability and impact matrix, and revised stakeholders’ risk tolerances.
• These inputs are usually tailored to the project during the Plan Risk Management process
• If they are not available they can be developed during the process
Project Scope Statement Use in Perform Qualitative Risk Analysis
• Projects of a common or recurrent type tend to have more well-understood risks.
• Projects using state-of-the-art or first-of-its-kind technology, and highly complex projects, tend to have more uncertainty. This can be evaluated by examining the project scope statement
Perform Qualitative Risk Analysis: Organizational Process Assets
• Information on prior, similar completed projects,
• Studies of similar projects by risk specialists, and
• Risk databases that may be available from industry or proprietary sources
Risk Probability Assessment
investigates the likelihood that each specific risk will occur
Risk Impact Assessment
investigates the potential effect on a project objective such as schedule, cost, quality, or performance, including both negative effects for threats and positive effects for opportunities
Risk Probability and Impact Assessment
• Probability and impact are assessed for each identified risk
• Risks can be assessed in interviews or meetings with participants selected for their familiarity with the risk categories on the agenda.
• Project team members and, perhaps, knowledgeable persons from outside the project, are included.
• The level of probability for each risk and its impact on each objective is evaluated during the interview or meeting.
• Explanatory detail, including assumptions justifying the levels assigned, is also recorded.
• Risk probabilities and impacts are rated according to the definitions given in the risk management plan
• Risks with low ratings of probability and impact will be included on a watchlist for future monitoring
Probability and Impact Matrix
• specifies combinations of probability and impact that lead to rating the risks as low, moderate, or high priority.
• The dark gray area (with the largest numbers) represents high risk, the medium gray area (with the smallest numbers) represents low risk, and the light gray area (within-between numbers) represents moderate risk.
• In addition, it can develop ways to determine one overall rating for each risk.
• An overall project rating scheme can be developed to reflect the organization’s preference for one objective over another and using those preferences to develop a weighting of the risks that are assessed by objective.
• Finally, opportunities and threats can be handled in the same matrix using definitions of the different levels of impact that are appropriate for each
• Risks can be prioritized for further quantitative analysis and response based on their risk rating.
• Usually, these risk-rating rules are specified by the organization in advance of the project and included in organizational process assets.
• Risk-rating rules can be tailored to the specific project in the Plan Risk Management process
• Evaluation of each risk’s importance and, hence, priority for attention, is typically conducted using a look-up table or a probability and impact matrix
• Risks that have a negative impact on objectives if they occur(threats), and that are in the high-risk(dark gray) zone of the matrix, may require priority action and aggressive response strategies.
• Threats in the low-risk (medium gray) zone may not require proactive management action beyond being placed on a watchlist or adding a contingency reserve.
• Opportunities in the high-risk (dark gray) zone that can be obtained most easily and offer the greatest benefit should be targeted first.
• Opportunities in the low-risk (medium gray) zone should be monitored
Risk Data Quality Assessment
• A qualitative risk analysis requires accurate and unbiased data if it is to be credible.
• Analysis of the quality of risk data is a technique to evaluate the degree to which the data about risks are useful for risk management.
• It involves examining the degree to which the risk is understood and the accuracy, quality, reliability, and integrity of the data regarding the risk. If data quality is unacceptable, it may be necessary to gather higher-quality data
• Risks to the project can be categorized by sources of risk (e.g., using the RBS), the area of the project affected (e.g., using the WBS), or other useful category (e.g., project phase) to determine areas of the project most exposed to the effects of uncertainty.
• Grouping risks by common root causes can lead to developing effective risk responses
• Risks requiring near-term responses may be considered more urgent to address.
• Indicators of priority can include time to affect a risk response, symptoms and warning signs, and the risk rating.
• In some qualitative analyses the assessment of risk urgency can be combined with the risk ranking determined from the probability and impact matrix to give a final risk severity rating
Perform Qualitative Risk Analysis: Expert Judgement Sources
• Experts generally are those having experience with similar projects that occurred in the not-too-distant past. In addition, those who are planning and managing the specific project are experts, particularly about the specifics of that project.
Perform Qualitative Risk Analysis: Expert Judgement
• Is required to assess the probability and impact of each risk to determine its location in the matrix
• Securing expert judgment is often accomplished with the use of risk facilitation workshops or interviews.
• The experts’ bias should be taken into account in this process
Risk Register Updates
• The risk register is started during the Identify Risks process.
• The risk register is updated with information from Perform Qualitative Risk Analysis and the updated risk register is included in the project documents
Risk Register Updates from Perform Qualitative Risk Analysis include
• Relative ranking or priority list of project risks
• Risks grouped by categories
• Causes of risk or project areas requiring particular attention
• List of risks requiring response in the near-term
• List of risks for additional analysis and response
• Watchlists of low-priority risks
• Trends in qualitative risk analysis results
Relative ranking or priority list of project risks
• The probability and impact matrix can be used to classify risks according to their individual significance
• Using combinations of each risk’s probability of occurring and the impact on objectives if it were to occur, risks will be prioritized relative to each other by sorting them into groups of “high risk,” “moderate risk,” and “low risk.”
• Risks may be listed by priority separately for schedule, cost, and performance since organizations may value one objective over another.
• The project manager can then use the prioritized list of risks to focus attention on those items of high significance (high risk) to the most important objectives, where responses can lead to better project outcomes.
• A description of the basis for the assessed probability and impact should be included for risks assessed as important to the project
Risks grouped by categories
Risk categorization can reveal common root causes of risk or project areas requiring particular attention. Discovering concentrations of risk may improve the effectiveness of risk responses
Causes of risk or project areas requiring particular attention
Discovering concentrations of risk may improve the effectiveness of risk responses
List of risks requiring response in the near-term
Those risks that require an urgent response and those that can be handled at a later date may be put into different groups
List of risks for additional analysis and respon
Some risks might warrant more analysis, including Quantitative Risk Analysis, as well as response action
Watchlists of low-priority risks
Risks that are not assessed as important in the Perform Qualitative Risk Analysis process can be placed on a watchlist for continued monitoring
Trends in qualitative risk analysis results
As the analysis is repeated, a trend for particular risks may become apparent, and can make risk response or further analysis more or less urgent/important
Perform Quantitative Risk Analysis
The process of numerically analyzing the effect of identified risks on overall project objectives
Characteristics of Perform Quantitative Risk Analysis
• Is performed on risks that have been prioritized by the Perform Qualitative Risk Analysis process as potentially and substantially impacting the project’s competing demands.
• The Perform Quantitative Risk Analysis process analyzes the effect of those risk events.
• It may be used to assign a numerical rating to those risks individually or to evaluate the aggregate effect of all risks affecting the project.
• It also presents a quantitative approach to making decisions in the presence of uncertainty.
• Generally follows the Perform Qualitative Risk Analysis process. In some cases, Perform Quantitative Risk Analysis may not be required to develop effective risk responses.
• Availability of time and budget, and the need for qualitative or quantitative statements about risk and impacts, will determine which method(s) to use on any particular project.
• Should be repeated after Plan Risk Responses, as well as part of Monitor and Control Risks, to determine if the overall project risk has been satisfactorily decreased.
• Trends can indicate the need for more or less risk management action
Inputs to Perform Quantitative Risk Analysis
1. Risk Register
2. Cost Management Plan
3. Schedule Management Plan
4. Organizational Process Assets
Tools and Techniques for Perform Quantitative Risk Analysis
1. Data Gathering and Representation Techniques
2. Quantitative Risk Analysis and Modelling Techniques
3. Expert Judgement
Outputs of Perform Quantitative Risk Analysis
1. Risk Register Updates
Cost Management Plan Use in Perform Quantitative Risk Analysis
• Sets the format and establishes criteria for planning, structuring, estimating, budgeting, and controlling project costs
• Those controls may help determine the structure and/or application approach for quantitative analysis of the budget or cost plan
Schedule Management Plan Use in Perform Quantitative Risk Analysis
• Sets the format and establishes criteria for developing and controlling the project schedule
• Those controls and the nature of the schedule itself may help determine the structure and/or application approach for quantitative analysis of the schedule
Perform Quantitative Risk Analysis: Organizational Process Assets
• Information on prior, similar completed projects,
• Studies of similar projects by risk specialists, and
• Risk databases that may be available from industry or proprietary sources
Data Gathering and Representation Techniques for Perform Quantitative Analysis
• Probability Distributions
Interviewing Use in Perform Quantitative Analysis
• Interviewing techniques draw on experience and historical data to quantify the probability and impact of risks on project objectives.
• The information needed depends upon the type of probability distributions that will be used. For instance, information would be gathered on the optimistic (low), pessimistic (high), and most likely scenarios for some commonly used distributions.
• Documenting the rationale of the risk ranges and the assumptions behind them are important components of the risk interview because they can provide insight on the reliability and credibility of the analysis
Probability Distributions Types
• Continuous probability distributions
• Discrete probability distributions
• Uniform probability distributions
Discrete Distributions can be used
to represent uncertain events such as the outcome of a test or a possible scenario in a decision tree
Uniform Distributions can be used
only if there is no obvious value that is more likely than any other between specified high and low bounds, such as in the early concept stage of design
Continuous distributions are used
extensively in modeling and simulation represent the uncertainty in values such as durations of schedule activities and costs of project components
Quantiative Risk Analysis and Modelling Techniques
Include both event-oriented and project-oriented analysis approaches including:
• Sensitivity analysis
• Expected monetary value analysis
• Modeling and simulation
Helps to determine which risks have the most potential impact on the project. It examines the extent to which the uncertainty of each project element affects the objective being examined when all other uncertain elements are held at their baseline values
typical type of sensitivity analysis, which is useful for comparing relative importance and impact of variables that have a high degree of uncertainty to those that are more stable
Expected monetary value analysis
A statistical concept that calculates the average outcome when the future includes scenarios that may or may not happen (i.e., analysis under uncertainty)
Expected monetary value
Characteristics of EMV Analysis
• The EMV of opportunities will generally be expressed as positive values, while those of threats will be negative.
• EMV requires a risk neutral assumption, neither risk averse, nor risk seeking.
• A common use of this type of analysis is in decision tree analysis
EMV for a project is calculated by
multiplying the value of each possible outcome by its probability of occurrence and adding the products together
Decision Tree Analysis
common type of EMV analysis
Modeling and Simulation
A project simulation uses a model that translates the specified detailed uncertainties of the project into their potential impact on project objectives
Characteristics of Modeling and Simulation
Iterative simulations are typically performed using the Monte Carlo technique. A simulation that produces distributions of possible outcome values
Monte Carlo technique
• In a simulation, the project model is computed many times (iterated), with the input values (e.g., cost estimates or activity durations) chosen at random for each iteration from the probability distributions of these variables.
• A probability distribution (e.g., total cost or completion date) is calculated from the iterations.
• For a cost risk analysis, a simulation uses cost estimates.
• For a schedule risk analysis, the schedule network diagram and duration estimates are used
Perform Quantitative Analysis: Expert Judgement
• Required to identify potential cost and schedule impacts, to evaluate probability, and to define inputs (such as probability distributions) into the tools.
• Comes into play in the interpretation of the data. Experts should be able to identify the weaknesses of the tools as well as their relative strengths.
• Experts may determine when a specific tool may or may not be more appropriate given the organization’s capabilities and culture
Perform Quantitative Analysis: Risk Register Updates
Updated to include a quantitative risk report detailing quantitative approaches, outputs, and recommendations. Updates include the following main components:
• Probabilistic analysis of the project
• Probability of acheiving time and cost objectives
• Prioritized list of quantified risks
• Trends in quantitative risk analysis results
Probabilistic analysis of the project
• Estimates are made of potential project schedule and cost outcomes listing the possible completion dates and costs with their associated confidence levels
• This output, often expressed as a cumulative distribution, can be used with stakeholder risk tolerances to permit quantification of the cost and time contingency reserves.
• Such contingency reserves are needed to bring the risk of overrunning stated project objectives to a level acceptable to the organization
Probability of acheiving time and cost objectives
With the risks facing the project, the probability of achieving project objectives under the current plan can be estimated using quantitative risk analysis results
Prioritized list of quantified risks
• This list of risks includes those that pose the greatest threat or present the greatest opportunity to the project
• These include the risks that may have the greatest effect on cost contingency and those that are most likely to influence the critical path.
• These risks may be identified, in some cases, through a tornado diagram generated as a result of the simulation analyses
Trends in quantitative risk analysis results
• As the analysis is repeated, a trend may become apparent that leads to conclusions affecting risk responses
• Organizational historical information on project schedule, cost, quality, and performance should reflect new insights gained through the Perform Quantitative Risk Analysis process.
• Such history may take the form of a quantitative risk analysis report.
• This report may be separate from, or linked to, the risk register
Plan Risk Responses
The process of developing options and actions to enhance opportunities and to reduce threats to project objectives
Characteristics of Plan Risk Responses
• It follows the Perform Qualitative Risk Analysis process and the Perform Quantitative Risk Analysis process (if used).
• It includes the identification and assignment of one person (the “risk response owner”) to take responsibility for each agreed-to and funded risk response.
• Addresses the risks by their priority, inserting resources and activities into the budget, schedule and project management plan as needed.
• Selecting the best risk response from several options is often required.
• The Plan Risk Responses section presents commonly used approaches to planning responses to the risks.
Planned risk responses must be
• appropriate to the significance of the risk,
• cost effective in meeting the challenge,
• realistic within the project context,
• agreed upon by all parties involved,
• owned by a responsible person.
threats and opportunities that can affect project success, and responses are discussed for each
Inputs to Plan Risk Responses
1. Risk Register
2. Risk Management Plan
Tools and Techniques for Plan Risk Responses
1. Strategies for Negative Risks or Threats
2. Strategies for Postive Risks or Opportunities
3. Contingent Response Strategies
4. Expert Judgement
Outputs of Plan Risk Responses
1. Risk Register Updates
2. Risk-related Contract Decisions
3. Project Management Plan Updates
4. Project Document Updates
Risk Register Use in Plan Risk Responses
Refers to identified risks, root causes of risks, lists of potential responses, risk owners, symptoms and warning signs, the relative rating or priority list of project risks, a list of risks requiring response in the near term, a list of risks for additional analysis and response, trends in qualitative analysis results, and a watchlist of low-priority risks
Risk Management Plan Use in Plan Risk Responses
• Important components of the risk management plan include roles and responsibilities, risk analysis definitions, timing for reviews (and for eliminating risks from review) and risk thresholds for low, moderate, and high risks.
• Risk thresholds help identify those risks for which specific responses are needed
Risk Response Strategies and Tools
• The strategy or mix of strategies most likely to be effective should be selected for each risk.
• Risk analysis tools, such as decision tree analysis can be used to choose the most appropriate responses.
• Specific actions are developed to implement that strategy, including primary and backup strategies, as necessary.
• A fallback plan can be developed for implementation if the selected strategy turns out not to be fully effective or if an accepted risk occurs.
• Secondary risks (risks driven by the strategies) should also be reviewed.
• A contingency reserve is often allocated for time or cost.
• If developed, it may include identification of the conditions that trigger its use
Strategies for Negative Risks or Threats
Avoid (Risk Avoidance)
Risk avoidance involves changing the project management plan to eliminate the threat entirely. The project manager may also isolate the project objectives from the risk’s impact or change the objective that is in jeopardy.
Examples of Risk Avoidance
• extending the schedule,
• changing the strategy, or
• reducing scope
The most radical avoidance strategy is to shut down the project entirely
Some risks that arise early in the project can be avoided by
• clarifying requirements,
• obtaining information,
• improving communication, or
• acquiring expertise
Transfer (Risk Transfer)
Risk transfer requires shifting some or all of the negative impact of a threat, along with ownership of the response, to a third party. Transferring the risk simply gives another party responsibility for its management—it does not eliminate it
Characteristics of Risk Transfer
• Transferring liability for risk is most effective in dealing with financial risk exposure.
• Risk transference nearly always involves payment of a risk premium to the party taking on the risk.
• Transference tools can be quite diverse and include, but are not limited to, the use of insurance, performance bonds, warranties, guarantees, etc.
• Contracts may be used to transfer liability for specified risks to another party.
• In many cases, use of a cost-plus contract may transfer the cost risk to the buyer, while a fixed-price contract may transfer risk to the seller
Mitigate (Risk Mitigation)
Risk mitigation implies a reduction in the probability and/or impact of an adverse risk event to be within acceptable threshold limits
Characteristics of Risk Mitigation
• Taking early action to reduce the probability and/or impact of a risk occurring on the project is often more effective than trying to repair the damage after the risk has occurred.
• Adopting less complex processes, conducting more tests, or choosing a more stable supplier are examples of mitigation actions.
• Mitigation may require prototype development to reduce the risk of scaling up from a bench-scale model of a process or product.
• Where it is not possible to reduce probability, a mitigation response might address the risk impact by targeting linkages that determine the severity
Accept (Risk Acceptance)
This strategy is adopted because it is seldom possible to eliminate all threats from a project.
Characteristics of Risk Acceptance (Threats)
• This strategy indicates that the project team has decided not to change the project management plan to deal with a risk, or is unable to identify any other suitable response strategy
• This strategy can be either passive or active
requires no action except to document the strategy, leaving the project team to deal with the risks as they occur
the most common strategy is to establish a contingency reserve, including amounts of time, money, or resources to handle the risks
Strategies for Positive Risks and Opportunities
This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. This strategy seeks to eliminate the uncertainty associated with a particular upside risk by ensuring the opportunity definitely happens
Examples of Exploiting Actions
• assigning an organization’s most talented resources to the project to reduce the time to completion or
• to provide lower cost than originally planned
Sharing a positive risk involves allocating some or all of the ownership of the opportunity to a third party who is best able to capture the opportunity for the benefit of the project
Examples of Sharing Actions
forming risk-sharing partnerships, teams, special-purpose companies, or joint ventures, which can be established with the express purpose of taking advantage of the opportunity so that all parties gain from their actions
This strategy is used to increase the probability and/or the positive impacts of an opportunity. Identifying and maximizing key drivers of these positive-impact risks may increase the probability of their occurrence
Examples of Enhancing Actions
adding more resources to an activity to finish early
Accepting an Opportunity
Accepting an opportunity is being willing to take advantage of it if it comes along, but not actively pursuing it
Contingent Response Strategies
• Some responses are designed for use only if certain events occur.
• For some risks, it is appropriate for the project team to make a response plan that will only be executed under certain predefined conditions, if it is believed that there will be sufficient warning to implement the plan.
• Events that trigger the contingency response, such as missing intermediate milestones or gaining higher priority with a supplier, should be defined and tracked
Plan Risk Responses: Expert Judgement
• Input from knowledgeable parties pertaining to the actions to be taken on a specific and defined risk.
• Expertise may be provided by any group or person with specialized education, knowledge, skill, experience, or training in establishing risk responses
Plan Risk Responses: Risk Register Updates
Appropriate responses are chosen, agreed upon, and included in the risk register
Plan Risk Responses: Risk Register Detail
• The risk register should be written to a level of detail that corresponds with the priority ranking and the planned response.
• Often, the high and moderate risks are addressed in detail.
• Risks judged to be of low priority are included in a “watchlist” for periodic monitoring
Plan Risk Responses: Components of Risk Register
• Identified risks, their descriptions, area(s) of the project (e.g., WBS element) affected, their causes (e.g., RBS element), and how they may affect project objectives;
• Risk owners and assigned responsibilities;
• Outputs from the Perform Qualitative Analysis process including prioritized lists of project risks;
• Agreed-upon response strategies;
• Specific actions to implement the chosen response strategy;
• Triggers, symptoms, and warning signs of risks’ occurrence;
• Budget and schedule activities required to implement the chosen responses;
• Contingency plans and triggers that call for their execution;
• Fallback plans for use as a reaction to a risk that has occurred and the primary response proves to be inadequate;
• Residual risks that are expected to remain after planned responses have been taken, as well as those that have been deliberately accepted;
• Secondary risks that arise as a direct outcome of implementing a risk response; and
• Contingency reserves that are calculated based on the quantitative risk analysis of the project and the organization’s risk thresholds
Plan Risk Responses: Risk-Related Contract Decisions
• Decisions to transfer risk, such as agreements for insurance, services, and other items as appropriate are selected in this process.
• This may happen as a result of mitigating or transferring part or all of the threat or enhancing or sharing part or all of the opportunity.
• The contract type selected also provides a mechanism for sharing the risks.
• These decisions are inputs to the Plan Procurements process
Plan Risk Responses: Project Management Plan Updates
• Schedule management plan
• Cost management plan
• Quality management plan
• Procurement management plan
• Human resource management plan
• Work breakdown structure
• Schedule baseline
• Cost performance baseline
Plan Risk Responses: Schedule Management Plan Updates
is updated to reflect changes in process and practice driven by the risk responses. This may include changes in tolerance or behavior related to resource loading and leveling, as well as updates to the schedule itself
Plan Risk Responses: Cost Management Plan Updates
is updated to reflect changes in process and practice driven by the risk responses. This may include changes in tolerance or behavior related to cost accounting, tracking, and reports, as well as updates to the budget and the consumption of contingency reserves
Plan Risk Responses: Quality Management Plan Updates
is updated to reflect changes in process and practice driven by the risk responses. This may include changes in tolerance or behavior related to requirements, quality assurance, or quality control, as well as updates to the requirements documentation
Plan Risk Responses: Procurement Management Plan Updates
May be updated to reflect changes in strategy, such as alterations in the make-or-buy decision or contract type(s) driven by the risk responses
Plan Risk Responses: Human Resource Management Plan Updates
part of the human resource plan, is updated to reflect changes in project organizational structure and resource applications driven by the risk responses. This may include changes in tolerance or behavior related to staff allocation, as well as updates to the resource loading
Plan Risk Responses: Work Breakdown Structure
Because of new work (or omitted work) generated by the risk responses, the WBS may be updated to reflect those changes
Plan Risk Responses: Schedule Baseline
Because of new work (or omitted work) generated by the risk responses, the schedule baseline may be updated to reflect those changes.
Plan Risk Responses: Cost Performance Baseline
Because of new work (or omitted work) generated by the risk responses, the cost performance baseline may be updated to reflect those changes
Plan Risk Responses: Project Document Updates
• Assumptions log updates
• Technical documentation updates
Plan Risk Responses: Assumptions Log Updates
• As new information becomes available through the application of risk responses, assumptions will inherently change.
• The assumptions log must be revisited to accommodate this new information.
• Assumptions may be incorporated in the scope statement or in a separate assumptions log
Plan Risk Responses: Technical Documentation Updates
As new information becomes available through the application of risk responses, technical approaches and physical deliverables may change.
• Any supporting documentation must be revisited to accommodate this new information
Monitor and Control Risks
The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project
Characteristics of Monitor and Control Risks
• Planned risk responses that are included in the project management plan are executed during the life cycle of the project, but the project work should be continuously monitored for new, changing, and outdated risks.
• Applies techniques, such as variance and trend analysis, which require the use of performance information generated during project execution.
• Can involve choosing alternative strategies, executing a contingency or fallback plan, taking corrective action, and modifying the project management plan.
• The risk response owner reports periodically to the project manager on the effectiveness of the plan, any unanticipated effects, and any correction needed to handle the risk appropriately.
• Also includes updating the organizational process assets, including project lessons learned databases and risk management templates, for the benefit of future projects.
Other purposes of the Monitor and Control Risks process
• Project assumptions are still valid,
• Analysis shows an assessed risk has changed or can be retired,
• Risk management policies and procedures are being followed,
• Contingency reserves of cost or schedule should be modified in alignment with the current risk assessment.
Inputs to Monitor and Control Risks
1. Risk Register
2. Project Management Plan
3. Work Performance Information
4. Performance Reports
Tools and Techniques for Monitor and Control Risks
1. Risk Assessment
2. Risk Audits
3. Variance and Trend Analysis
4. Technical Performance Measurement
5. Reserve Analysis
6. Status Meeting
Outputs of Monitor and Control Risks
1. Risk Register Updates
2. Organizational Process Assets Updates
3. Change Requests
4. Project Management Plan Updates
5. Project Document Updates
Risk Register Use in Monitor and Control Risks
Has key inputs that include identified risks and risk owners, agreed-upon risk responses, specific implementation actions, symptoms and warning signs of risk, residual and secondary risks, a watchlist of low-priority risks, and the time and cost contingency reserves
Project Management Plan Use in Monitor and Control Risks
Contains the risk management plan, which includes risk tolerances, protocols and the assignment of people (including the risk owners), time, and other resources to project risk management
Work Performance Information Use in Monitor and Control Risks
• Deliverable status,
• Schedule progress, and
• Costs incurred
Performance Reports Use in Monitor and Control Risks
Take information from performance measurements and analyze it to provide project work performance information including variance analysis, earned value data, and forecasting data.
Risk Assessment Use in Monitor and Control Risks
• Often results in identification of new risks, reassessment of current risks, and the closing of risks that are outdated.
• Project risk reassessments should be regularly scheduled.
• The amount and detail of repetition that is appropriate depends on how the project progresses relative to its objectives
Examine and document the effectiveness of risk responses in dealing with identified risks and their root causes, as well as the effectiveness of the risk management process.
Variance and Trend Analysis Use in Monitor and Control Risks
• Many control processes employ variance analysis to compare the planned results to the actual results.
• For the purposes of monitoring and controlling risk events, trends in the project’s execution should be reviewed using performance information.
• Earned value analysis and other methods of project variance and trend analysis may be used for monitoring overall project performance.
• Outcomes from these analyses may forecast potential deviation of the project at completion from cost and schedule targets.
• Deviation from the baseline plan may indicate the potential impact of threats or opportunities
Technical Performance Measurement Use in Monitor and Control Risks
• It requires definition of objective quantifiable measures of technical performance which can be used to compare actual results against targets.
• Such technical performance measures might include weight, transaction times, number of delivered defects, storage capacity, etc.
• Deviation, such as demonstrating more or less functionality than planned at a milestone, can help to forecast the degree of success in achieving the project’s scope, and it may expose the degree of technical risk faced by the project
Reserve Analysis Use in Monitor and Control Risks
• Throughout execution of the project some risks may occur, with positive or negative impacts on budget or schedule contingency reserves.
• Reserve analysis compares the amount of the contingency reserves remaining to the amount of risk remaining at any time in the project in order to determine if the remaining reserve is adequate
Status Meetings Use in Monitor and Control Risks
• Project risk management should be an agenda item at periodic status meetings.
• The amount of time required for that item will vary, depending upon the risks that have been identified, their priority, and difficulty of response.
• Risk management becomes easier the more often it is practiced.
• Frequent discussions about risk makes it more likely that people will identify risks and opportunities
Characteristics of Risk Audits
• The project manager is responsible for ensuring that risk audits are performed at an appropriate frequency, as defined in the project’s risk management plan.
• Risk audits may be included during routine project review meetings, or separate risk audit meetings may be held.
• The format for the audit and its objectives should be clearly defined before the audit is conducted
Technical Performance Measurement
Compares technical accomplishments during project execution to the project management plan’s schedule of technical achievement
Monitor and Control Risks: Risk Register Updates
• Outcomes of risk reassessments, risk audits, and periodic risk reviews
• Actual outcomes of the project’s risks and of the risk responses.
Examples of Outcomes of risk reassessments, risk audits, and periodic risk reviews
• identification of new risk events,
• updates to probability, impact, priority, response plans, ownership, and other elements of the risk register.
• closing risks that are no longer applicable and releasing their associated reserves
Monitor and Control Risks: Organizational Process Assets Updates
The six Project Risk Management processes produce information that can be used for future projects, and should be captured in the organizational process assets.
• Templates for the risk management plan, including the probability and impact matrix, and risk register;
• Risk breakdown structure; and
• Lessons learned from the project risk management activities.
• These documents should be updated as needed and at project closure.
• Final versions of the risk register and the risk management plan templates, checklists, and risk breakdown structure are included
Monitor and Control Risks: Change Requests
• Implementing contingency plans or workarounds sometimes results in a change request.
• Are prepared and submitted to the Perform Integrated Change Control process
• Can include recommended corrective and preventive actions as well
Monitor and Control Risks: Project Management Plan Updates
• If the approved change requests have an effect on the risk management processes, the corresponding component documents of the project management plan are revised and reissued to reflect the approved changes.
• The elements of the project management plan that may be updated are the same as those in the Plan Risk Responses process
Monitor and Control Risks: Project Document Updates
Project documents that may be updated as a result of the Monitor and Control Risks process are the same as those in the Plan Risk Responses process
Monitor and Control Risks: Recommended corrective actions
Include contingency plans and workarounds. The latter are responses that were not initially planned, but are required to deal with emerging risks that were previously unidentified or accepted passively
Monitor and Control Risks: Recommended preventive actions
Are documented directions to perform on activity that can reduce the probability of negative consequences associated with project risks
• Indications that a risk has occurred or is about to occur.
• Triggers may be discovered in the risk identification process and watched in the risk monitoring and control process.
• Triggers are sometimes called risk symptoms or warning signs
Risk Symptoms or Warning Signs
arise as a direct outcome of implementing a risk response
A fixed price contract transfers risk to the seller if
requirements are well defined and seller has the capacity to handle the risk
Participants in risk identification activities can include
• project manager,
• project team members,
• risk management team (if assigned),
• subject matter experts from outside the project team,
• end users,
• other project managers,
• stakeholders, and
• risk management experts.
While these personnel are often key participants for risk identification, all project personnel should be encouraged to identify risks
are expected to remain after planned responses have been taken, as well as those that have been deliberately accepted
are needed to bring the risk of overrunning stated project objectives to a level acceptable to the organization
is a graphic display of cumulative costs, labor hours, percentage of work, or other quantities, plotted against time. The name derives from the S-like shape of the curve
Importance of Planning Risk Mangament Processes
• to ensure that the degree, type, and visibility of risk management are commensurate with both the risks and the importance of the project to the organization.
• to provide sufficient resources and time for risk management activities, and to establish an agreed-upon basis for evaluating risks
A response to a negative risk that has occurred. Distinguished from contingency plan in that a workaround is not planned in advance of the occurrence of the risk event
When EV = 0
you cannot take a decision whether to continue with the project or not