Chapter 11 Risk Management

PMP, CAPM, PgMP, PMI-SP , PMI-RMP, OPM3 and PMBOK are registered marks of Project Management Institute, Inc

Inov8Solutions Inc – Quality Educational Services For Professionalswww.Inov8Solutions.com

11-1

Chapter 11Risk Management



11-2

Project Risk Management Processes

11.1 – Plan Risk Management

11.2 – Identify Risks

11.3 – Perform Qualitative

Risk analysis

11.4 – Perform Quantitative

Risk Analysis

11.5 – Plan Risk

Responses

11.6 – Monitorand Control

Risks



11-3

Project Risk Management

• What is a Risk?• Risk is the possibility of suffering loss, injury, disadvantage,

or destruction. (Webster's Third New International Dictionary 1981)

OR• An undesired event as a result of uncertainty, complexity,

constraint, or lack of resources – something that can go wrong

– Risk Characteristics• A risk may or may not happen. There is some probability of it

occurring• If it is inevitable, it is not a risk• a risk has unwanted consequences• If there is no impact, its not a risk



11-4

Good Risk Management Practices

• Be a good risk manager or you will become a good crisis manager (SITC)

• If you don't actively attack the risks, they will actively attack you. (Tom Gilb)

• Projects that don't manage risk are at risk (ICE Corp)

• Risk management is not free; prepare to commit resources, define a risk management process, and make a risk reserve available.

• Risk in itself is not bad; risk is essential to progress (Roger Van Scoy)



11-5


Threats and Opportunities • A risk event is something that is identified in

advance that may or may not happen. If it does not happen it can have a positive or negative effect on the project

• A positive impact (good risks) risk is called “Opportunities”.

• Up to 90 percent of threats that are identified and investigated in the risk management process can be eliminated.



11-6


Risk Factors• The probability that it will occur (what)• The range of possible outcomes (impact)• When is it expected to happen (when)• The frequency at which it will happen (how

often) Risk Averse • Someone who does not want to take risk (play it

safe)



11-7


Input to and output of Risk Management

• Perform exercise on page 376, 377 on Rita’s book.



11-8

Plan Risk Management

• Deciding how to approach and plan the risk management activities for a project.• Risk management Plan may include:

– Methodology : Defines the approaches, tools and data sources that may be used to perform risk management on the project.

– Roles and Responsibilities : Defines the lead, support and risk management team membership for each type of action in the risk management plan.

– Budgeting : Establishes a budget for risk management for the project.– Timing : Defines how often the risk management process will be performed throughout the project

life cycle.– Risk Categories : Risks could be internal, external, technical, and unforeseeable. – Risk Probability and Impact : What’s the probability of a risk event happening and its related

impact.– Stakeholders Tolerance and thresholds : Stakeholders tolerance and thresholds criteria for risks

that will be acted upon, by whom, and in what manner.– Scoring and Interpretation: Scoring and interpretation method appropriate for the type and timing

of the qualitative and quantitative risk analysis being performed.– Reporting Formats: Describes the content and format of the risk response plan.– Tracking : Documents how all the facets of risk activities will be recorded for the benefit of the

current project, future needs and lessons learned.– Types of Risks : Business risks (Risk of a gain or loss) and Pure (insurable) risks .i.e. only a risk of

loss (i.e. fire, theft, personal injury, etc.)



11-9

Identify Risks • Defined as “determining which risks might affect the project and documenting their

characteristics”• All stakeholders as well as experts from other parts of the company or outside the company may

be involved in indentifying the risks.• The core team will begin the process and then the other members will become involved , making

risks identification an iterative process.• Project Managers should start looking for risks as soon as possible.

Risk Categories

• Technical, quality , or performance risks – such as reliance on unproven or complex technology, unrealistic performance goals, changes to the technology used or to the industry standards during the project.

• Project Management Risks – such as poor allocation of resources, inadequate quality of the project plan, poor use of the project management disciplines.

• Organizational risks – such as cost, time, and scope objectives that are internally inconsistent, lack of prioritization of the projects, inadequacy or interruption of funding, and resource conflicts with other projects in the organization.

• External Risks – such as shifting legal or regulatory environment, labor issues, changing owner priorities, weather related risks (earthquake, flooding etc)



11-10

Risk Identification Tools and Techniques

• Information Gathering Techniques:– Brainstorming- Usually done in a meeting where one idea helps generate

another.– Delphi technique - Way to reach a consensus of experts on a subject.– Interviewing – Consists of a team or project manager interviewing an expert to

identify risks on the project or a specific element of work.– Strengths, weaknesses, opportunities and threats (SWOT) Analysis – An

analysis that looks at the project to identify its strengths etc and thereby identify risks.

– Checklist Analysis – Checklist is used to help identify specific risks within each category.

– Assumptions Analysis – Analyzing what assumptions have been made on the project which may help identity more risks.

– Diagramming Techniques – Similar diagramming techniques can be used to identify risks as used in Quality Management.

• Triggers:– Sometimes called risk symptoms or warning signs, are indications that a risk has

occurred or is about to occur. Example: Missing a deadline on an activity on critical path means there is a chance that you will miss the project deadline.



11-11

Qualitative Risk Analysis

• Process of accessing the impact and likelihood of identified risks.• Determine which risk events warrant a response.• Document non-critical, or non-stop risks.• Prioritizes risks according to their potential effect on project objectives.

• Probability and Impact:

– One of the ways to help rank risks is to analyze the probability of a risk occurring and the effect of the risk on the project.

– Determine the probability of each risk occurring - usually in the form of taking and educated guess. (e.g. low, medium, high)

– Determine the consequences of each risk occurring – also in the form of an educated guess. (low, medium, high)

• Assumption Testing:

– “What assumptions have been made?”– Before the project manager can use the risk information collected, assumptions made must

be identified.



11-12

Quantitative Risk Analysis

• Quantitative risk analysis process is to analyze numerically the probability of each risk and its consequences on project objectives.

• Determine which risks warrant a response.• Determine the quantified probability of meeting project objectives

e.g. “We only have an 80% chance of completing the project within 6 months.”

• Identify risks requiring most attention.• Create realistic and achievable cost, schedule or scope targets.• PMI suggests that quantitative method is preferable to

qualification because it is less subjective and is a better approximations of actual probabilities and consequences.



11-13

Qualitative Risk Analysis

• Data Precision Ranking– “How well understood is the risk?”– Before the project manager can use the risk information collected, they must also analyze

the precision of the data – how good is the data?• Risk Rating Matrix:

– In order to sort or rate risks so a determination can be made as to which risks will move on through the risk process, a risk rating matrix may be used.

• Outputs from Qualitative Risk Analysis:– Risk rating of the project.– List of prioritized risks.– List of risks created for additional analysis in risk quantification or risk response planning.– Non-critical or non-stop risks documented for later revisit during risk monitoring and control.– The project can be compared to the overall risks of other projects.– The project could be selected, continued, or terminated.– Resources could be moved between the projects.



11-14


• Decision Tree:– A decision tree takes into account future

events in trying to make a decision today.– It calculates expected value (probability time

consequences) in more complex situations than the expected value.

– Perform exercise Rita’s Pg 389/390



11-15


• Monte Carlo Simulation:– Evaluates the project and not the task.– Provides the probability of completing the project on any specific day, or any specific

account of cost.– Provides the probability of any task actually being on the critical path.– Provides a percent probability that each task will be on the critical path.– Translates uncertainties into impacts to the total project.– Can be sue to assess cost and schedule impacts.– Is usually done with a computer-based Monte Carol program.– Results in a probability distribution.

• Outputs from Quantitative Risk Analysis:– Prioritized list of quantified risks– Forecasts of potential project costs or schedule.– Listing of the possible project completion dates and costs with their confidence levels.– Probability of achieving the required project cost or schedules objectives. – Documented list of not-critical, not-top risks.



11-16

Risk Response Planning

• Involves finding out ”What are we going to do about it”• It involves finding ways to make the negative risk smaller or

eliminate it, as well as finding ways to make positive risks more likely or greater in impact.

• Strategies are agreed upon by all parties.• Primary and backup strategies are selected.• Risks are assigned to individuals or group to take responsibilities.

• Risk Owner:

– Each risk must be assigned to someone who will help develop the risk response and who will be assigned to carry it out or “own” the risk.

– The risk owner is then free to take predetermined action when risks occur resulting in faster action, and less cost, time and other impacts on the project.



11-17


• Risk Response Strategies:– Developing options and determining actions to enhance opportunities and reduce threats.

• Avoidance : Changing the project plan to eliminate the risk or condition or to protect objective from its impact.

• Mitigation : Reduce the probability or the consequences of an adverse risk and increase the probability or consequences of an opportunity.

• Acceptance : Do nothing and say. “If it happens it happens”. Active acceptance may include developing a contingency plan to execute, should a risk occur. Passive acceptance requires no action, leaving the project team to deal with the risks as they occur.

• Transference : Risk transference is seeking to shift the consequence of a risk to a third party together with ownership of the response. Transferring the risk simply gives another party responsibility for its management, it does not eliminate it. For e.g. purchasing of insurance, warranties, guarantees, or outsourcing the work.

• Perform exercise Rita’s pg 394

• When Selecting risk strategies, it is important to remember:– Strategies must be timely.– The effort selected must be appropriate to the severity of the risk – avoid spending more

money preventing the risk than the impact of the risk would cost if it occurred.– One response can be used to address more than one risk.– Involve the team, stakeholders, and experts in selecting a strategy.



11-18


Outputs from Risk Response • Planning: Developing options and determining actions to enhance

opportunities and reduce threats.– Residual Risks : Are those that remain after avoidance, transfer or mitigation

responses have been taken.– Secondary Risks : Arise as a direct result of implementing a risk response.– Contingency Planning : Planning the specific actions that will be taken if a risk

event occurs or planned response.– Fallback Planning : Specific actions that will be taken if the contingency plan is

not effective.– Risk Response Plan : A written document that captures the risks you identified

and what you plan to do about them. The project manager should also record non-critical risks so that they can easily be revisited during the executed phase.

– Revised Project Plan : The efforts spent in risk management will result in changes to the project plan. Tasks could be added, removed, or assigned to different resources.

– Reserves : Formulating the amount of time or cost that needs to be added to the project to account for risk.



11-19

Risk Monitoring & Control

• Keeping track of the identified risks• Implementing risk responses• Looking for the occurrence of risk triggers• Monitoring residual risks• Identifying new risks• Ensuring the execution of risk plans.• Evaluating the effectiveness of risk plans.• Developing new risk responses.• Communicating risk status and collecting risk status.• Communicating with stakeholders about risks.• Determining if assumptions are still valid.• Revisiting low ranking or non-critical risks to see if risk responses need to be determined.• Taking corrective action to adjust to the severity of actual risk events.• Looking for any unexpected effects or consequences of risk events.• Reevaluating risk identification, qualification, and quantification when the project deviates from

the baseline.• Updating risk plans• Making changes to the project plan when new risk responses are developed.• Creating a database of risk data that may be used throughout the organization on other projects.



11-20

Risk Monitoring And Control

• Risk Response Audits:– Examining and documenting the effectiveness of the risk response and the person

managing the risk. This is an important step in order to see if the plans put in place are effective and if changes are needed.

• Risk Reviews:– Team needs to periodically review risk plans and adjust as required. Risk should be a major

topic at team meetings to keep focus on risks and to make sure plans remain appropriate.• Outputs from Risk Monitoring and Control:

– Workarounds: Unplanned responses to risks or dealing with risks that you could not or did not anticipate.

– Corrective action: consists of performing the contingency plans or workaround.– Changes to the Project: Implementing contingency plans or workarounds frequently results

in a requirement to change the project plan to respond to risks.– Updates to risk response plan: It is wise to always re-evaluate whether the plans need

any correcting or adjusting after each unidentified ir identified risk occurs.– Risk Database: A repository that provides for collection, maintenance and analysis of data

gathered and used in the risk management process.

Questions

Chapter 11 Risk Management

Documents

Transcript of Chapter 11 Risk Management