Project risk management


description

Introductory paper on project risk management written by Professor Marco Sampietro and Professor Maurizio Poli. The paper explains the main project risk management phases (process planning, identification, analysis, response, monitoring & control) and presents both the qualitative and the quantitative approach.


Project Risk Management

Marco Sampietro¹, Professor at SDA Bocconi School of Management.

Maurizio Poli, Professor at SDA Bocconi School of Management.

1 Why Managing Project Risk

Projects are implemented by organizations in order to seize new opportunities that, according to their management, may be appreciated by the market or can contribute to better internal efficiency in the organization. Projects are characterized by innovation. Innovation can be implemented in multiple ways: it could mean following a different pathway that has never been considered before, or it could mean following the direction taken by other companies while treasuring and making the best use of the experience and the mistakes of others, or it could also mean applying improvements to well-known products or services, and so on. In any case, innovation implies a certain degree of uncertainty – namely, the fact that there is no thorough knowledge of events that might happen in the future. In general terms, the higher the degree of innovation, the higher the uncertainty level will be. An uncertain situation can produce positive as well as negative effects. In the first case, we are dealing with opportunities which, if properly identified and managed, can bring some benefits to the project; in the second case, we are faced with risks which, if not properly identified and managed, can impact the project negatively, by making it more expensive, by extending it beyond the expected and planned duration, or by making it poorer in quality than expected. Consequently, not managing risks (and opportunities) means overlooking the innovative feature of projects – more specifically, it means missing a crucial point that distinguishes a project from ordinary operations or recurring activities within an organization.

More specifically, even if we do not want to take risk management into consideration as a discipline, project management can be viewed as a tool to decrease the level of uncertainty and, consequently, a tool to decrease risk in projects. By identifying and clarifying objectives, allocating resources with well-defined competences, clarifying responsibilities, fixing some assessment phases in the project and so on, we tend to decrease the uncertainty level in the project.

Where is the difference? By planning, we opt for a pathway (one of the multiple options available) that will take us to the achievement of pre-set targets. That said, such a path will not be free of obstacles: by implementing risk management we try to understand and manage the problems and opportunities derived from the implementation of a specific path / plan. The planning activity tells us the course to follow; risk management tries to eliminate the turbulence that might take us off-route.

¹ Paragraphs from 1 to 5.1 and 6, 7, 8 are by Marco Sampietro. Paragraph 5.2 is by Maurizio Poli.

2 The risk management process

The risk management process is a proactive and systematic approach, which aims at keeping the project under control as well as at decreasing its uncertainty level. Managing risks means minimizing the consequences of adverse events, but also maximizing the effects of positive events (risks and opportunities). In this document, we will focus on the area that has to do with managing adverse events.

Let’s start by reviewing the typical features of a risk management process. The term “systematic” means following a well-defined risk management process. The term “proactive” means being able to identify and manage risks before they break out. This point needs to be reviewed in more detail. Proactivity does not mean being able to see into the future; rather, it means the timely identification, by resorting to the most appropriate tools, of the highest number of risks that might impact a project. It also means that, once risks are identified, some remedial measures will need to be taken. Just identifying risks and not managing them (managing does not only mean eradicating them, as we will see later on in this paper) is pointless. The only value that such behaviour might have is that, once the risks actually erupt, we can recognize them, at least if we were aware of their features (poor consolation!).

A good risk management process is set out in five macro phases (fig. 1):

1. Planning the risk management process, by defining the actual execution activities linked to the management process, the people involved in the process as well as the procedures to be implemented;

2. Risk identification, with specific assessment of project-specific risks, by involving the different information sources in the assessment;

3. Risk analysis, by quantitatively and/or qualitatively reviewing and assessing the risks identified in the previous phase and also deciding which risks need specific attention and focus;

4. Planning a response to risks, by defining which measures shall be taken in order to reduce the overall project risk;

5. Risk monitoring and control, by implementing the risk response plan as soon as risks occur or exceed a given threshold.

“I do not understand: we have devised a perfect plan, we have identified costs right down to the last penny just as we have calculated duration also taking minutes into account, and still we have problems. We are exceeding our budget! Maybe, I have to drill-down information to get to an even more detailed picture!”

“We are late/out by 3% on what was originally planned, that’s not bad, especially if we think that our usual supplier has gone bankrupt and did not deliver our goods. Luckily, I sensed that there was something wrong, and I started to look for another supplier that could replace the original one.”

Who managed the risk?

In this chapter, focus will mainly be on phases 2 and 3.

The risk management process shall not be viewed as an isolated activity. Rather, risk management shall take place on a regular basis – more specifically, it is only as the project develops that new risks can come to light (or some already existing ones can be fixed) and new useful information can be used for analysis and new planning.

[Diagram phases: RM Process Planning, Risk Identification, Risk Analysis, Risk Response, Monitoring & Control]

Figure 1. The risk management process

3 Planning a Risk Management Process

In this phase, the main target is to provide guidelines for risk management activities, by setting a structured approach for actually managing the risk.

In order to develop this phase, the following points shall be taken into consideration:

- any existing policies and procedures pertaining to risks in general terms;
- the implemented approach shall be fine-tuned to the type of project – more specifically, to its dimensions, its impacts, the project team experience as well as the importance of the project itself vis-à-vis the organization.

As to the first point, if the company has already devised some guidelines pertaining to risk management in more general terms, or to the management of some specific risks, the project risk plan shall also use and include them. This is a useful approach, because it prevents any duplication of effort, and it sends a consistent message to co-workers, who are already familiar with such procedures.

The second point pertains to the customization of the implemented approach based on true needs and on the environment where it is used.

At this phase, the following issues shall be tackled:

- selecting the information sources to be used for risk detection (historical data, check list, knowledge of people, etc.);
- defining the risk identification techniques to be used (interviews, brainstorming, forms, etc.);
- defining roles and responsibilities of people with respect to risk management (who is responsible for the management of a specific risk area, what are his/her powers);
- setting the time-frame for risk-maintenance purposes;
- defining how to allocate and interpret values linked to risks (probability, timing and impacts) (Which are the scales to be used: numerical, qualitative ones? Down to what detail?);
- setting the attention and action threshold to be used as a reference (within our organization, is it wise to focus on a risk with medium probability and impact scores?);
- defining the communication and reporting methods to be implemented.

By focusing on the above listed points, we implement an official mechanism that can be easily used and communicated; moreover, it makes project risk management more effective and stable over time. The project risk plan can then be used in other projects, if properly customized.

In a mono-functional software development project, the project manager had decided to resort to a pre-defined list of risks devised by a famous University and to personally mark on that list the risks pertaining to the project. He had achieved a good result, as many mistakes had been avoided. That same person, one year later, was appointed as leader of a project focused on the optimization and streamlining of processes involving five organization functions. The project manager, based on his previous experience, decided to use the same check list. Unfortunately, he was not successful this time, as he was able to identify and manage the technology-related risks, but he totally underestimated or overlooked the organizational-related ones. Consequently, the project became highly conflicting and timing and costs went out of control.


4 Risk Identification Phase

Apart from drawing up the risk management plan, which sets the framework and the guidelines to be followed, the risk identification phase is of particular relevance, as it sets the foundations for truly managing risks (it is a bit like the WBS used for planning activities). We can have some excellent methods for managing risks, but if we apply them to the wrong risks or if we are not able to identify the most important ones, the outcome is a pure exercise in style, which will produce poor benefits for the project. Consequently, the identification phase shall be a very thorough job.

Identifying risks entails also the following:

- understanding the causes generating them,
- opting for the most appropriate methods supporting a thorough understanding of root-causes.

As to the first bullet-point, risk factors are generated by the actual project features and by its interactions with the environment. By reasoning according to macro-areas, there might be risks linked to the following:

- the intrinsic characteristics of the project to be implemented (the main output);
- project management – more specifically, the way events in the project are planned and controlled. This point includes technical and method-related issues as well as organizational issues;
- the outside environment, by which the following is meant:
  o managing communication, contacts, interests and the level of involvement of all those who are impacted by the project (stakeholders);
  o managing constraints coming from entities that are beyond our control, like regulations, directives, etc.

“I do not understand, do you want to drive me crazy?! In the project that we managed 6 months ago, we rated risk probability on a low, medium/low, medium, medium/high, high and extremely high scale. In the project that we had 3 months ago, we used the 0.2, 0.4, 0.5, 0.6, 0.8, 0.9 rating scale. Now we are rating risk probability by using the words unlikely, quite likely, likely, highly likely. Can’t we identify a standard rating scale that fits all the projects?”

“You are incompetent: now we are late because of you! You have not managed risk by rating it as “medium”, and now we need to find alternative solutions!”

“I am sorry, but in the previous project, risks rated as “medium” were not even taken into consideration!”


Such macro-areas are linked to the identification methodologies. In fact, there are methodologies that only cover part of them, and being aware of this is advisable so as to focus also on the overlooked areas.

The methodologies and the identification tools covered by our paper are the following:

1. WBS

2. Networks

3. Assumption analysis

4. Check list

5. Interviews

6. Brain storming

7. Historical data

The identified risks shall be presented with a short description, so that they are clear and leave no room for misunderstanding. To be as understandable as possible, such a description shall be organized into three sections: cause, risk, effect (figure 2).

For the sake of clarity: by cause, we mean the event triggering the risk; that said, what we consider a cause might be viewed as an effect by others. Our ability to drill down our analysis on causes depends on the available resources and on the degree of control that we have over events.

| Cause | Risk | Effect |
|---|---|---|
| As the supplier has provisioning problems | The delivery of motors might be delayed | The project time-frame might be extended |

Figure 2. Example of risk description

The cause “As the supplier has provisioning problems” could actually be determined by other events, like a financial crisis of upstream suppliers, which might be triggered by other causes and so on. Such other causes could also be unknown to us. Being able to trace back the real causes is only useful if the people involved in the project can take measures with respect to them. In the example illustrated above, knowing that the provisioning problem is caused by hindrances in getting the raw material used in the manufacturing of motors does not add much to our analysis, as we do not have the power to find a way out.

The various techniques that we are going to illustrate can be used jointly. Some of them provide semi-finished results that can be used as such, others are a support to further reasoning.

WBS. WBS breaks down the objective into activities that can be planned, managed and assigned to a unique person. Consequently, WBS is a static representation of the “path” that has been chosen in order to deal with the project and, as such, it can be useful as a starting point for risk identification. More specifically, risks will have an impact on the activities set in the WBS and, consequently, focus shall be given to those activities. The major benefit of WBS is that it allows the analysis to be carried out against the project-specific background; nevertheless, it also has some flaws:

- it does not tell risks and causes, it only identifies the activities where risks might develop;
- activities often show a granular structure that does not allow for the identification of truly operative guidelines;
- activities “supporting” the project are often not included in the WBS – i.e.: project management activities or communication management ones – although they are a risk source too (and they should be included in a good WBS);
- in WBS, risks and effects connected to time scheduling do not appear, because the information on dependencies and resource allocation is not included.

Networks. By reviewing the project network, in general, and the CPM diagram, in particular, some risks can be detected:

- activities with multiple inputs from different paths are likely to become a risk area, due to the needed synchronization, which is based on massive coordination work;
- the critical path may produce the risk of non-compliance with the timing;
- the semi-critical paths can easily become risk sources with respect to timing non-compliance;
- the quality of resources dedicated to activities identified in the critical and semi-critical paths shall be carefully evaluated, if we want to avoid a higher risk of timing non-compliance.

Assumption analysis. Projects, meant as innovative activities, are not exclusively based on certainties; rather, they are based on hypotheses (assumptions). An analysis of assumptions, in terms of their incompleteness and inaccuracy, can be a useful source for risk identification. Examples are assumptions on price growth, assumptions on turnover, etc.

Check list. These are precompiled lists of risks that can be used in a quite simple way. Usually, checklists are summaries based on the experience of multiple projects. Many are publicly available and some of them focus on specific areas. Checklists have the advantage of speeding up identification of the most-recurring risks. This feature also makes them dangerous, because people tend to focus exclusively on the risks included in such a document, or to approach them with complacency (let’s speed up, this checklist is the same as the one we had for our latest project...). Lastly, resorting to a check list does not mean that risk identification is to be carried out by one single person.

Interviews. Interviews are useful for identifying risks as well as for analysing them. They are used as an alternative to group identification (when such an option is not feasible), or in order to get the opinion of people who are not directly involved in the project, but who are believed to be able to provide some useful insights. Interviews with experts become particularly important – namely, asking the opinion of people who are thought to be able to provide a high added value, thanks to their experience.

Brain storming. This technique is based on the distinction and separation of the idea-generation phase from the actual judgement. In a meeting dedicated to risk identification, this means asking participants to list the negative events that might break out in the project. It is possible to follow incremental detail levels – more specifically, starting from identification of project risks per area, the analysis can drill down to individual activities.

Historical information. Resorting to a project-risk database can be a valuable source of ideas, provided that risks are sorted according to some specific project characteristics; otherwise the result is a thicker and thicker checklist that gets more and more generic.

5 Risk Analysis Phase

The identification phase only produces a list of risks, which, unfortunately, is not useful for an operative management of the project. As a matter of fact, a long list of risks can create greater confusion, rather than producing remarkable benefits, as the attempt to manage all of them would probably result in an actual duplication of work. Consequently, a further step forward is advisable: analyzing the risks to understand their characteristics is now necessary so as to focus the attention on the most relevant ones. The level of attention devoted to risk management depends on each individual company and sometimes on each individual project.

During the analysis phase, the following measures shall be linked to each individual risk:

- probability of the event occurring;
- timing of the event that could potentially occur;
- event frequency (i.e. if the risk is repetitive or not);
- identification of the impacted activities;
- identification of the impact on individual activities and on the project as a whole in terms of:
  o timing,
  o costs,
  o quality,
  o other important performance dimensions.

Usually, such information cannot be provided by the project manager alone: as in the identification phase, it is necessary to involve all the people who have a thorough knowledge of the risks and of what they entail. In the previous example, pertaining to provisioning problems experienced by suppliers, the purchase department could provide some useful indications.

Risk analysis can be developed in quantitative as well as qualitative terms. A qualitative analysis is useful to understand the general characteristics of individual risks; it is likewise useful to plan adequate responses and to gain a better understanding of the overall risk level in the project. Conversely, a quantitative analysis can be useful to get a more in-depth review of each individual risk (usually, the most important ones) as well as to review how the project as a whole will develop under different scenarios. A quantitative analysis provides more comprehensive information about the project dynamics; that said, it is more expensive and requires the project manager to have a higher degree of knowledge and preparation. Project characteristics dictate the best approach to be implemented. As an example, an order with heavy penalties in case of late delivery could push people involved in the project to opt for a quantitative approach; conversely, a non-critical internal project can cover risks by using a qualitative approach. In any case, one approach does not exclude the other, and they can usefully be used in parallel.

5.1 Qualitative Risk Analysis

A qualitative risk analysis is based on the assignment of general values/measures to variables pertaining to risks; sometimes it can be based on subjective assumptions, especially when collecting other types of information is impossible or when collecting that same information is too expensive with respect to the importance of the risk itself.

Before carrying out an in-depth analysis of risks, in case we are faced with a high number of them, understanding the accuracy of the collected information can be useful. As a matter of fact, project people could be facing a case in which many of the risks originally identified are, in reality, just speculations, or the information the risks are based on is totally unreliable. Knowing the quantity and the quality of the information that led to the identification of a certain risk is crucial, if we want to understand these issues. This is quite a delicate task as, in such cases, the following reasoning/behaviour might develop: “In order to show how good I am, I will identify a set of risks and I will do my best to make people think that they are all important so that, once the project is completed, when activities under my responsibility will prove to be all successful, they will think that I am the best, because I have successfully managed also the most adverse situations”.

Leaving aside these types of behaviours, and thinking in more cooperative terms, we can obtain a first sorting of risks by resorting to the tool described below.

| Risk cause | Quantity of available data (from 1 to 10) | Quality of data (from 1 to 10) |
|---|---|---|
| The supplier is about to go bankrupt and, as a consequence, our supply of raw material could be stopped | 5 | 2 |

Figure 3. Risk quality analysis

The measurement scale is arbitrary. What really matters is being able to identify some scores for data quantity and data quality, so that the risk can be eliminated or the search for additional information can start. For instance, if the information that a supplier is close to bankruptcy comes from its direct competitor, maybe the quality of that specific piece of data is not to be viewed as excellent. Conversely, if ten suppliers say the same thing, trying to gain some more insights on that specific information is advisable. In case the General Manager also recognizes the fact that his/her company is in financial trouble, data quantity as well as quality are at their maximum level/scores.

Now we have a list of actual risks, with which the above listed scores shall be matched.

As to the likelihood of a risk breaking out, scales from 1 to 10, from 1 to 7 or a low – medium – high probability scale can be used. Obviously, using a scale that allows for a little bit of argumentation is extremely useful; as a matter of fact, only resorting to high, medium or low is not very productive. There is an important point worth highlighting: the maximum value/score in a scale does not correspond to certainty, as a certainty is not a risk anymore, it is a fact. Consequently, activities relating to such facts shall be included in the project plan. For instance, if a project envisages diggers to be used in Greenland, stating that there is the risk that temperatures could be very low and that fuel could freeze in tanks is not appropriate, as the weather will be extremely cold for sure and adding antifreeze additives is a must.

1 2 3 4 5 6 7 8 9 10

1 2 3 4 5

Very low Low Medium High Very high

10% 20% 30% 40% 50% 60% 70% 80% 90% 95%

Figure 4. Examples of scales used for a qualitative risk analysis

The fact that a risk has been identified does not mean that it will immediately come to the surface; consequently, identifying when its negative effects will break out is advisable. Also in this case, various types of scales can be used (days, weeks, months; short-, medium- or long-term scales, and so on). Moreover, risks can be recurring and, consequently, understanding whether a risk will only take place once or whether it will erupt on a regular basis becomes an important piece of information – namely, knowing how many times and with what time pattern it will break out is advisable.

The analysis is completed by assessing the impact of each individual risk factor. Assessing the impact means identifying where a risk will strike (which activities will be impacted by a risk), what and for how long – namely, will it mainly impact time, costs or quality? And what will the size of such impact be?

In fact, assessing the impact of a risk factor is difficult when it is not put against the project background. For instance, a possible late delivery of motorbike rims is not a problem, if bikes are held by a gantry in the final assembly stages and wheels are only mounted at the very end of the assembly process. Conversely, if in that given company motorbike rims are usually assembled when the bikes are already sitting on their kickstand, the impact can be remarkable.

Sharing the project structure with the people involved in risk analysis is the only way to get a consistent assessment; otherwise, a risk that has a strong impact on the activities carried out by one single person could be judged by that same person as strongly impacting the project as a whole.

It is now possible to provide an assessment of risk impact on a given project. Also in this case a measurement scale can be used but, unlike the scale for the probability of a given risk breaking out, which is easily readable, some parameters need to be associated with each value/score. This idea is illustrated in figure 5.

| Impact | Interpretation |
|---|---|
| 7 | The project cannot be viewed as successful |
| 6 | Up to 30% increase in costs, or in timing, or quality to be viewed as “borderline” in terms of acceptability |
| 5 | A 20% to 29% increase in costs, or in timing or quite poor quality |
| 4 | A 10% to 19% increase in costs, or in timing or remarkable decrease in quality |
| 3 | An increase from 3% to 10% in costs, or in timing, or visible decrease in quality |
| 2 | Up to 2% increase in costs, or in timing, or a slightly measurable decrease in quality |
| 1 | Impact almost unobserved |

Figure 5. Example of an impact scale and its related interpretation

Among the three reference parameters (timing, costs and quality), quality is the most difficult to judge. As to this parameter, the organization shall try to identify some measurement methods that are shared by all the projects, or by some categories. For instance, in case of software development, an ex-ante quality measurement value could be the number of functionalities provided versus what has been planned. All the elements needed to get a general overview of risks in a project are now available. Usually people resort to a matrix-based representation, in order to have an immediate and easy reading of data.

An easy, although a bit simplistic, way to get an indicator of the overall project riskiness/risk level is to sum the products of probability and impact for each risk and divide the sum by the number of risks.

In the following example, where letters correspond to risks, we know that the maximum risk value is 49 (in case all the risks show a probability of 7, with an impact of 7 as well) and the minimum is 1 (all the risks having probability and impact of 1). In this case, we get a value of 15.7. Such an outcome could be seen as high but also as low; it depends on the attention thresholds that we have pre-defined.

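[Matrix: Impact on the vertical axis (1 to 7), Probability on the horizontal axis (1 to 7). Risks by impact row, listed left to right:]
Impact 7: C, B
Impact 6: L, A
Impact 5: N, H, D
Impact 4: I, E
Impact 3: M
Impact 2: O, Q
Impact 1: P, G, F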

Figure 6. Matrix showing project risks.

The risks included in the matrix do not usually need the same degree of focus. In fact, when they are numerous, managing them all with the same level of attention becomes more difficult. Consequently, some method for grouping risks is needed. Some approaches propose a ranking based on multiplying probability by impact. An example is proposed in figure 7.

Ranking | Risk | P X I
1 | B | 42
2 | D | 35
3 | A | 30
4 | H | 25
….. | ….. | …..

Figure 7. Risk ranking example


At this point, either we opt for a pre-defined number of risks, or we decide to focus on all the risks exceeding a given threshold. This way of proceeding rests on a precise assumption, namely risk neutrality. In other words, two risks are viewed as being the same even when one is the result of high probability times low impact and the other is the result of low probability times high impact. In practice, however, we are often faced with risk disinclination (risk aversion), which means that, even when the P X I product is the same, risks with a higher impact will be handled with greater attention even when their probability of occurring is low.

It has been said that risks cannot all be managed in the same way; consequently, they should be sorted into homogeneous risk groups so that they can be handled accordingly. Multiple alternatives are available: figure 8 proposes sorting risks into three groups, starting from the assumption of disinclination to risk.

[Matrix: vertical axis labelled Probability (1 to 7), horizontal axis labelled Impact (1 to 7). Risks by row, listed left to right:]
7: C, B
6: L, A
5: N, H, D
4: I, E
3: M
2: O, Q
1: P, G, F

Legend (the three groups):
- Risk to be analysed in quantitative terms and that shall be included in the risk response plan
- Risk to be analysed in qualitative terms and that shall be included in the risk response plan
- Risk to be monitored and for which reports shall be produced

Figure 8. Risk Grouping
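The contrast between risk-neutral ranking and risk disinclination described above, as an added example that is not part of the original paper. Risks A, B, D and H take their impact from their row in Figure 6 and their probability from the P X I values in Figure 7; risks R and S, the function names and the grouping thresholds are assumptions made for illustration.

```python
# Risks as (probability, impact) on the 1-7 scales used in the text.
# A, B, D, H: impact is the risk's row in Figure 6, probability follows from
# the P X I value in Figure 7. R and S are constructed to produce a P X I tie.
RISKS = {
    "A": (5, 6), "B": (6, 7), "D": (7, 5), "H": (5, 5),
    "R": (7, 2),   # constructed: high probability, low impact
    "S": (2, 7),   # constructed: low probability, high impact
}


def score(risk):
    """P X I product of one (probability, impact) pair."""
    p, i = risk
    return p * i


def overall_index(risks):
    """Mean of P X I over all risks; between 1 and 49 on 1-7 scales."""
    return sum(score(r) for r in risks.values()) / len(risks)


def rank_neutral(risks):
    """Risk-neutral ranking: P X I only (ties fall back to the risk name)."""
    return sorted(risks, key=lambda n: (-score(risks[n]), n))


def rank_averse(risks):
    """Risk-averse ranking: equal P X I products are ordered by impact first."""
    return sorted(risks, key=lambda n: (-score(risks[n]), -risks[n][1], n))


def select_neutral(risks, threshold):
    """Risks whose P X I product reaches the attention threshold."""
    return {n for n, r in risks.items() if score(r) >= threshold}


def group_averse(risk, high_impact=6, high_score=25, mid_impact=4, mid_score=10):
    """Three groups in the spirit of Figure 8; all four thresholds are assumed."""
    p, i = risk
    if i >= high_impact or p * i >= high_score:
        return 1   # analyse quantitatively, include in the response plan
    if i >= mid_impact or p * i >= mid_score:
        return 2   # analyse qualitatively, include in the response plan
    return 3       # monitor and report


if __name__ == "__main__":
    print("overall index:", round(overall_index(RISKS), 1))
    print("risk-neutral ranking:", rank_neutral(RISKS))
    print("risk-averse ranking: ", rank_averse(RISKS))
    print("selected at P X I >= 25:", sorted(select_neutral(RISKS, 25)))
    print("groups:", {n: group_averse(r) for n, r in RISKS.items()})
```

With a P X I threshold of 25, the risk-neutral selection leaves out S even though its impact is 7, while the impact-aware grouping places it in the first group.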

At this point, we can summarize the data illustrated above in a streamlined form that includes all the pieces of information that are useful for the phases that follow.

Risk | Effect | Cause | Probability | Impact | Trigger Event | Impacted Activities | Expiration Date | Analysis


5.2 Risk Quantitative Analysis

The qualitative analysis focused on assigning probability and impact scores to individual risks, and on obtaining a piece of information summarizing the risk level of the project as a whole. A quantitative analysis can be used to investigate the qualitative one further but it is, above all, a useful tool for understanding how the project timing and cost references can change in different scenarios.

As the issue is quite broad, this paragraph does not aim to review comprehensively all the methods that can be used to develop a quantitative analysis for risk management in a project; rather, it offers useful hints for a better understanding of the logic and the issues raised by this further in-depth analysis.

As already specified, quantitative methodologies are mainly applied to the timing and cost analysis of projects, as these aspects lend themselves well to a “quantitative” measurement and approach. This paragraph is dedicated to this specific focus, and its starting point is the project operational plan illustrated in the previous chapters.

5.2.1 Uncertainty, variability and risk

First, we shall try to define how quantitative analysis can be useful by identifying the right terminology. In standard practice, terms like variability, uncertainty and risk are used as synonyms because, in everyday language, they all convey the idea of a lack of “peace of mind” in the decision-maker or in the phenomenon under review. Quantitative methodologies, by contrast, give these words different meanings.

Variability is a feature of the system: it is intrinsic to the system itself and, in order to change variability, we have to act on the system. When we toss two coins, we know that there are four possible outcomes (H = heads, T = tails): HH, HT, TH, TT, and that they all have the same probability of occurring (25%). If we want to change these results, we need to act on the coins by modifying their structure.

Uncertainty is a state of knowledge of those who have to make decisions (or, generally speaking, of those who have to tackle a problem). If we want to influence uncertainty, we can try to improve our knowledge. In the previous example, uncertainty could be linked to our poor knowledge of the two coins (we do not know, for instance, whether they are regular coins or whether they are “loaded”, whether they truly have two distinct faces, or whether their weight is evenly distributed). Uncertainty adds to variability in raising the decision-maker's anxiety level, but it is possible to reduce its impact without intervening on the physical state of the system, for instance by examining the coins, so that the decision-maker is left with variability only.


Lastly, risk is an individual perception of a situation, meaning the combination of variability, uncertainty and the consequences of a decision. In the example illustrated above, accepting or refusing to bet € 100.00 on the “two heads” result (HH) can be perceived in completely different ways by two different players (and, as a consequence, their decisions will differ), even though they are dealing with the same system (coins and sum to bet) and have the same knowledge (the coins are regular). The difference in perception is determined by human nature. We can identify a sort of scale in the attitude of those who are faced with a variable and uncertain situation (that is to say, in everyday language, a “risky” situation); it ranges from strong disinclination to risk up to high propensity to risk, passing through an attitude of indifference. Nevertheless, the magnitude of the consequences and the incidental situation also matter: the same player could make two opposite decisions when faced with the question “is it better to bet € 100.00?” or “is it better to bet € 10.00?” (the magnitude of consequences). By the same token, he/she could decide differently again if he/she had just found € 200.00 in the street (incidental/fortuitous situation).

In operative practice, the quantitative analysis supporting project planning and control mainly focuses on managing the first two elements illustrated, namely variability and uncertainty, which together are defined as “overall uncertainty” 2. In the literature, by contrast, quantitative approaches to such issues are much wider in range 3. That said, this paper will only focus on risk analysis methods in which risk is meant only as variability and uncertainty. There are some risk management issues, namely the ones linked to uncertainty, on which measures can be taken, and separating them from the other issues is advisable. Any attempt to foresee and plan, in whatever domain, is affected by variability and uncertainty; by isolating the latter, we can gain a better understanding of how to reduce it and, consequently, increase the overall degree of confidence in the system.

The project manager thought that the test phase would last from 2 to 4 weeks, based on the relevant data collected on previous projects. Nevertheless, he also knew that this was the first time they had to work in parallel with the client, and this could slow down their work; consequently, he thought that an estimate twice as long, namely from 2 to 8 weeks, could be more reasonable. This “risk” of time extension worried him; then he recalled that he had been in contact with another project manager who had already worked with that same client, and decided to call him....

2 See Vose D., Risk Analysis - A Quantitative Guide, John Wiley & Sons, 2000.

3 As to the individual risk perception, there are many quantitative theories and mathematical approaches (utility functions, risk disinclination curves, determination of the equivalent certainty, etc.), which have not been included in the focus of this short paper.


The steps needed in order to “quantify” uncertainty and variability in a project are briefly touched upon in the following sections. They can be summarised as follows:

- input definition, in order to introduce variability and uncertainty: probability distributions;
- use of quantitative techniques to measure risk: decision-making trees, PERT (Program Evaluation & Review Technique), Monte Carlo method/simulation;
- output interpretation, namely reading the results (probability and scenarios) based on project risk analysis.

5.2.2 Input: Probability Distributions

Referring to probability is quite natural when we talk about variability and uncertainty. Probability, meant as the measure of the likelihood that a given scenario will occur, describes the first part of the problem in a methodologically correct way; the description is then completed by matching the result of each individual scenario with the identified probability.

An organized set of these two pieces of information (probability and results) is called a probability distribution.

In the previous example, the probability distribution for the “I bet € 100.00 on two heads (HH)” variable is the following:

Result 100 -100

Probability 25% 75%

If we add uncertainty (for instance, there is a 10% probability that one of the two coins is “loaded” and, as a consequence, has two TAILS faces) to variability, which is properly illustrated by the distribution and, as already mentioned, is built into the system, the distribution changes and our probability of success is reduced. The new distribution, which now outlines what we have defined as overall uncertainty, is as follows:

Result 100 -100

Probability 22.5% 77.5%

In reality, we will very rarely be faced with phenomena that can be defined in a “discrete” way, as in the case illustrated above, that is, with a limited number of possible results to which probabilities are matched. Usually, we are faced with situations that can more easily be described as value ranges.


When we have to introduce variability and uncertainty in the duration of a project activity, we will feel more comfortable indicating a variation range (this activity can have a duration between 10 and 20 days) than indicating fixed durations to which specific probabilities are matched (this activity may have a 10-day duration with a 20% probability, or a 13-day duration with a 30% probability, or a 16-day duration with a 35% probability, or a 20-day duration with a 15% probability). The same holds true when estimating a cost 4.

This approach, which we call “continuous”, generates probability distributions that differ from the previous ones (which we called “discrete”): it allows us to take into consideration all the possible values within the range, which produces a more realistic description.

Obviously, resorting to the range alone (minimum – maximum) could be of little significance, and it would make us miss some pieces of information that could be extremely useful: What happens within the range? Are there any values, or small ranges, that are more likely to occur? Are such values, or ranges, closer to the minimum or to the maximum limit? And so on.

To address this, we can use continuous probability distributions with different features, depending on the available input. Obviously, each distribution is characterized by a different set and type of initial information (parameters).

Among the very many probability distributions found in the literature, we illustrate here, as examples, the ones that are most commonly used in project risk analysis 5.

Normal Distribution (or Gaussian)

It is the most famous type of distribution. It is “bell shaped”, and it is used in the measurement of many phenomena, as it is characterized by a central value (the mean, which in the Normal Distribution is also the median and the most probable value, or mode) and by a “random disturbance” (which can be quantified via its standard deviation). Sometimes its symmetrical shape makes it unfit when varied, non-recurring types of situations need to be represented, while a possible technical problem (the density function that describes it is defined between -∞ and +∞) is bypassed in practice by truncating the distribution at an acceptable probability value, which can even be higher than 99% (see figure 9).

4 Obviously, in many cases durations and costs can be linked. Nevertheless, in practice, the two types of analyses remain separated due to a need for less complexity as well as for a balanced allocation of competences.

5 For a more in-depth discussion, we suggest referring to one of the many publications on Statistics or Theory of Probabilities such as, for instance, Mood A.M., Graybill F.A., Boes D.C., Introduction to the Theory of Statistics, McGraw-Hill, 1987.


[Figure: density curves for Normal(20;5), Normal(20;2) and Normal(35;3); horizontal axis from 0 to 45]

Figure 9. Normal Distribution

Beta modified Distribution (or Beta PERT)

The Beta modified distribution owes its reputation to the crucial role it plays within the PERT methodology (Program Evaluation & Review Technique), one of the stochastic network techniques used for time scheduling, which were developed starting from the CPM methodology. The main characteristics of this type of distribution are its versatility (the Beta distribution can take very different shapes) and the intuitive way in which the three parameters defining it are expressed: minimum, most probable value (mode) and maximum. This second peculiarity makes it extremely useful, as it allows a scenario-based qualitative approach (pessimistic, base, optimistic) to be turned into a quantitative approach defined by a probability distribution that covers all the values included in the pessimism-to-optimism range. In this distribution, probabilities increase the closer the values get to the base value (the most likely scenario) and decrease the farther they get from it and the closer they get to one of the two extremes, in a way that is fully consistent with the qualitative hypothesis adopted.


[Figure: density curves for BetaPERT(5;10;35), BetaPERT(1;35;40) and BetaPERT(0;20;45); horizontal axis from 0 to 45]

Figure 10. BetaPERT Distribution

Triangular Distribution

The triangular distribution could be considered the most popular and most widely used type of distribution in risk analysis models, as it is intuitively simple. This distribution is also defined by three parameters (minimum, mode, maximum), which can easily be matched to the way scenarios are defined. Compared to the BetaPERT distribution, it is much more affected by extreme values, especially if they are very distant from the mode (base scenario), and this produces a higher degree of variability. Maybe this is also the reason why it is the most used in cases where scenario setting is poorly supported by historical data or is completely based on subjective views.

[Figure: density curves for Triangular(5;10;35), Triangular(0;20;45) and Triangular(1;35;40); horizontal axis from 0 to 45]

Figure 11. Triangular Probability Distribution


Uniform Distribution

This distribution, which is also called the Rectangular Distribution because of the shape of the density function describing it, is the easiest and, consequently, the roughest way to use a continuous probability distribution for analysing risks. Under this assumption, the same probability level is assigned to all the values within a minimum-to-maximum range. The uniform distribution can be seen as “the last chance” whenever we want to approach variability and uncertainty in an assessment (for instance, the duration or cost of a given activity) in a quantitative way, but only the extremes can be assessed (as said, minimum and maximum values), without the possibility or the willingness to add further information (the most probable value, the mean, etc.).

[Figure: density curves for Uniform(5;20), Uniform(1;8) and Uniform(15;40); horizontal axis from 0 to 45]

Figure 12. Uniform Distribution

Generic Continuous Distribution

It is the most flexible way to assign a probability distribution, and it also allows for the definition of many “shades” that could not be captured by using the classic distributions. It is normally used when historical and research-based data are available 6.

The Project Manager tried to collect some data about trends in the duration of the “Assembly” activity in similar projects. He realized that the minimum time reference was 6 days and the maximum time reference was 18 days, but he also noticed that most of the reviewed projects reported an 11-day duration. He decided that variability had to be included and opted for a probability distribution that would also take that information into consideration.

6 Another possibility in this case is fitting, that is to say matching a theoretical distribution (similar to the ones illustrated in this paragraph) to the observed empirical distribution, reviewing similarities via statistical tests.


Figure 13 proposes, as an example, the specific information needed to structure a quantitative risk analysis for project scheduling.

Activity | Probability Distribution | Duration (weeks)
Activity A | Triangular | min, optimistic = 3; mode, most probable = 5; max, pessimistic = 8
Activity B | BetaPERT | min, optimistic = 8; mode, most probable = 11; max, pessimistic = 20
Activity C | Normal | mean, most probable = 12; standard deviation = 2 (min, max ± 6 from mean value)
Activity D | Triangular | min, optimistic = 7; mode, most probable = 9; max, pessimistic = 15
… | … |

Figure 13. Example of input data (time scheduling)

5.2.3 Use of Quantitative Techniques for Measuring Risk

Once we have completed the input framework, with an appropriate probability distribution assigned to each uncertain variable, we need to tackle the problem of how to “transfer” such information to the output, that is to say to the analysis targets.

The most common methodologies, the ones based on simulations, envisage the use of a model that, as far as risk management in a project is concerned, is nothing more than the model included in the project operative plan: a “solid” network (which includes the allocation of resources and costs) or, as an alternative, a network exclusively dedicated to time scheduling (which is obtained by means of Project Management application tools) and a budget model for reviewing costs (which is developed in a spreadsheet).

The procedures used to build the model are like the ones illustrated in the previous chapters, when we were talking about the project operative plan. The only difference is that some deterministic inputs (activity durations and costs) have been changed into random variables (that is, probability distributions have been assigned to them). This produces a more realistic model.

At this point, we can observe the effects of the overall uncertainty (variability and uncertainty) included in the model on the variables that are the target of the model itself: project timing and costs. The technique most used in this type of analysis, thanks to the development of hardware and software tools and to its conceptual straightforwardness, is a stochastic simulation technique called the “Monte Carlo simulation technique/method”.

The Monte Carlo simulation method uses random sampling to create a set of possible scenarios and then reviews, ex-post, the distribution of the results. Through random sampling, a possible value is selected from each input probability distribution; the values obtained in this way are used to calculate, via the deterministic model underlying the simulation (for instance, CPM for scheduling project timing), the values of the variables under analysis, which are then stored.

By repeating this procedure a significant number of times (sample size) 7, an empirical distribution of the results is obtained; it properly represents the consequences, on the output, of the variability and uncertainty assigned to the input 8.

5.2.4 Output: Measuring the Overall Uncertainty for Target Variables

Now that we have completed the calculation part, we can tackle the third and final part of our analysis: the interpretation of results. Like any statistical sample, the one obtained via the Monte Carlo simulation for the target variables can be described by summarizing indicators (statistical indexes) and by an overall reading of the data distribution.

The example proposed in Figure 14 shows the summary data obtained for the Project Duration target variable (the time unit is weeks) after carrying out 10000 iterations (that is to say, after building a sample made up of 10000 scenarios). Obviously, the type of review that we are about to propose can also be carried out for each target variable under analysis (namely, overall costs, duration of each individual activity, milestones, etc.) 9.

7 The large number of software packages available for this type of analysis (@Risk, Crystal Ball, Risk+, among many others) makes the repetition of the algorithm quite easy to execute, and allows a very high number of cases to be included in the sample so as to ensure the reliability (from a statistical viewpoint) of the resulting distributions (Law of Large Numbers or Empirical Law on Chance).

8 For further insights on the Monte Carlo simulation method from an applied perspective, see, among other authors, J. Mun, Applied Risk Analysis, Wiley Finance, 2004 and D. Vose, op. cit.; for insights on its origins, see the “historic” Metropolis N., Ulam S., The Monte Carlo method, in Journal of the American Statistical Association, 1949.

9 In this case too, we suggest referring to a more specific bibliography for more in-depth knowledge (for instance, Vose D. op. cit., Mun J. op. cit.), as in this paper we prefer to provide an example of the logic used for interpreting results.


Statistical indexes | | Percentile | Value
Iterations | 10000 | 0% | 43.47
Mean | 54.58 | 10% | 50.51
Median | 54.49 | 20% | 51.83
Mode | --- | 30% | 52.83
Standard Deviation | 3.23 | 40% | 53.66
Variance | 10.45 | 50% | 54.49
Coeff. of Variation | 0.06 | 60% | 55.31
Min | 43.47 | 70% | 56.21
Max | 68.70 | 80% | 57.28
Range | 25.23 | 90% | 58.73
 | | 100% | 68.70

Figure 14. Project Duration: example of summarising output

The main information that we can deduce from the table is the following:

- on average, the project is going to last a bit less than 55 weeks (54.58);
- there are two possible extreme scenarios, one pessimistic and one optimistic (max and min), accounting for 68.7 and 43.47 weeks respectively;
- within such range, variability is not extremely high (Standard Deviation amounting to 3.23 weeks);
- we actually have only a 10% probability (10% percentile) of going below a 50.51 week duration and a 90% probability (90% percentile) of not exceeding 58.73 weeks.

We have quantified the overall uncertainty, which is a consequence of the input data (in this case, duration estimates for each individual project activity), and we have obtained a first set of numerical indications supporting our risk analysis.

Even though we do not aim, in this specific paper, to drill down into this matter in quantitative terms, we can see that, apart from the summary information that has just been reviewed, the simulation offers us the opportunity to analyse in detail all the results derived from the N iterations (10000, in the example), that is to say the complete sample.

In Figure 15, we see the complete distribution of the scenarios resulting for the target variable, represented as a probability distribution and as a cumulative distribution 10.

10 The cumulative probability (frequency) distribution is, without resorting to extremely rigorous definitions, an alternative representation that highlights the probability (frequency) with which a random variable turns out to be lower than or equal to a given value. It is obtained by adding up (cumulating) the probabilities (frequencies) until the value of interest is reached.


[Figure: two charts. First chart: probability distribution of project duration; horizontal axis “Duration (weeks)” from 42 to 68, vertical axis “Probability” from 0.0% to 25.0%. Second chart: cumulative distribution; horizontal axis “Duration (weeks)” from 40 to 70, vertical axis “Cumulative probability” from 0% to 100%, with the points (50; 7.24%) and (60; 95.06%) marked.]

Figure 15. Project duration: probability distribution and cumulative distribution

At this level of detail, we can obtain further information such as the probability of remaining within a certain target duration: in the example we only have a 7.24% probability that the project will last 50 weeks or less, while we are quite confident that it will last no more than 60 weeks, since the probability of exceeding that reference is less than 5% (4.94% = 100% - 95.06%).

As already mentioned, this analysis of project duration is an example or, better, one aspect of the quantitative risk analysis that can be carried out. In fact, by applying the proposed methodology, it is possible to structure an analysis covering multiple project management aspects (timing, costs, but also use of resources, sequence of activities, milestone compliance, etc.). This further drilling down enriches the information needed not only for a comprehensive definition of the project plan, but also for effective execution and control.
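The three steps of section 5.2 (input distributions, Monte Carlo simulation, reading the output), as an added example that is not part of the original paper, run on the Figure 13 inputs; it also compares the spread of a Triangular and a BetaPERT built on the same three points, as discussed for the triangular distribution. The activity network (A, then B and C in parallel, then D), the BetaPERT shape weight of 4, the seeds and all function names are assumptions, so the results do not reproduce Figure 14.

```python
import random
import statistics

# Inputs from Figure 13 (durations in weeks).
ACTIVITIES = {
    "A": ("triangular", 3, 5, 8),    # min, mode, max
    "B": ("betapert", 8, 11, 20),    # min, mode, max
    "C": ("normal", 12, 2, 6),       # mean, standard deviation, cut-off from mean
    "D": ("triangular", 7, 9, 15),   # min, mode, max
}


def sample_betapert(rng, lo, mode, hi, lam=4.0):
    """Draw from a BetaPERT: a Beta(a, b) variable rescaled to [lo, hi].
    lam=4 is the classic PERT weight on the mode (an assumption here)."""
    a = 1.0 + lam * (mode - lo) / (hi - lo)
    b = 1.0 + lam * (hi - mode) / (hi - lo)
    return lo + (hi - lo) * rng.betavariate(a, b)


def sample_truncated_normal(rng, mean, sd, cut):
    """Draw from a Normal, redrawing until the value lies within mean +/- cut."""
    while True:
        x = rng.gauss(mean, sd)
        if abs(x - mean) <= cut:
            return x


def sample_duration(rng, spec):
    """Draw one duration for an activity described as (kind, parameters...)."""
    kind, *params = spec
    if kind == "triangular":
        lo, mode, hi = params
        return rng.triangular(lo, hi, mode)  # stdlib order is (low, high, mode)
    if kind == "betapert":
        return sample_betapert(rng, *params)
    if kind == "normal":
        return sample_truncated_normal(rng, *params)
    raise ValueError(f"unknown distribution: {kind}")


def project_duration(d):
    """Deterministic model. Assumed network: A, then B and C in parallel, then D."""
    return d["A"] + max(d["B"], d["C"]) + d["D"]


def simulate(iterations=10000, seed=1):
    """Run the Monte Carlo loop; return the sorted sample of project durations."""
    rng = random.Random(seed)
    sample = []
    for _ in range(iterations):
        draw = {name: sample_duration(rng, spec) for name, spec in ACTIVITIES.items()}
        sample.append(project_duration(draw))
    return sorted(sample)


def percentile(sorted_sample, q):
    """Empirical percentile (q from 0 to 100), nearest rank on the sorted sample."""
    idx = round(q / 100 * (len(sorted_sample) - 1))
    return sorted_sample[idx]


def prob_within(sorted_sample, target):
    """Cumulative frequency: share of scenarios with duration <= target."""
    return sum(1 for x in sorted_sample if x <= target) / len(sorted_sample)


def summary(sorted_sample):
    """Summary indexes of the kind shown in Figure 14."""
    return {
        "mean": statistics.fmean(sorted_sample),
        "median": statistics.median(sorted_sample),
        "stdev": statistics.stdev(sorted_sample),
        "min": sorted_sample[0],
        "max": sorted_sample[-1],
    }


def spread_comparison(lo, mode, hi, n=20000, seed=2):
    """Standard deviation of Triangular vs BetaPERT built on the same three points."""
    rng = random.Random(seed)
    tri = [rng.triangular(lo, hi, mode) for _ in range(n)]
    pert = [sample_betapert(rng, lo, mode, hi) for _ in range(n)]
    return statistics.stdev(tri), statistics.stdev(pert)


if __name__ == "__main__":
    s = simulate()
    print({k: round(v, 2) for k, v in summary(s).items()})
    for q in (10, 50, 90):
        print(f"{q}% percentile: {percentile(s, q):.2f} weeks")
    print(f"P(duration <= 30 weeks) = {prob_within(s, 30):.2%}")
    print("stdev Triangular vs BetaPERT (5;10;35):", spread_comparison(5, 10, 35))
```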

The Project Manager looked at the result of the simulation he had launched and a chill ran down his spine: according to those calculations, the project had a more than 30% probability of exceeding the cost target and, even worse, by quite remarkable sums. He was not used to running this type of risk, and he was quite worried by such information. He drew up a detailed report on the information produced by that simulation, getting down to the individual Work Package details in the WBS, and he immediately asked for a meeting with the project team. They had to prepare some countermeasures (in the planning, execution and control phases) in order to reduce the variability and uncertainty impacting the project up to that moment.


6 The Phase Dedicated to Planning a Risk Response

The quantitative and qualitative analyses provide some useful pieces of information for understanding which risks will influence the project and how the project could be impacted by such potential events.

In this phase, we want to identify the measures to be taken in order to reduce the overall project risk and, as a consequence, the likelihood that each potential risk will occur (and, by the same token, to increase the probability and the positive influence of opportunities).

Many options are available to reach this goal. In any case, three response levels shall be devised. They are the following:

- actions to be taken in order to manage risks or impacts before they occur;
- actions to be taken when risks have occurred (contingency plan);
- actions to be taken when the contingency plan has not produced the desired effects (fallback plan).

The fallback plan is only envisaged in rare cases, when the impact of the risks is so great that every possible alternative needs to be considered.

Usually, when reviewing the possible types of response to risk, people immediately think about reducing its probability or impact. In reality, this is only one of many possible responses. In fact, the following options are available:

- avoiding risk by not implementing the activity it could have an impact on;
- rationally accepting risk, having understood that any response could be worse than actually experiencing the damage;
- transferring risk, that is to say assigning risk to external third parties (insurance companies or outsourcing);
- mitigating risk, more specifically reducing its probability or its impact, which might mean acting on risks or, even better, acting on causes.

The above listed actions can produce an impact on the project structure; consequently, the project plan might need to be modified.

So far, we have talked about risk management making little reference to the people involved in the procedure. The risk identification phase shall be the focus of a group of people, namely a team that includes the project manager, project team members and, where possible, stakeholders. In the analysis phase, group activities are still relevant and needed, but assigning probability and impact values requires in-depth knowledge of each individual risk. In this case, the analysis shall be started by one single person: the work of the group can only provide some additional contributions. Planning responses to risks is a phase similar to risk analysis: the expert for each risk can offer his/her idea, and the team can review and improve it. That said, when acting on risks is needed, allocating responsibilities to individuals is advisable in order to have a better and more effective type of management. A Risk Owner is the person accountable for implementing the actions decided for an individual risk. A Risk Owner must have the power needed for carrying out such a task. By identifying a Risk Owner, the management of a project is streamlined as, once risks and actions have been defined by the team, the individual can act in order to implement such decisions. When such a role is not assigned, frequent meetings are needed to fix contingent problems.

7 The Risk Monitoring and Control Phase

The monitoring phase aims at assessing whether actions on risks have produced the desired results, while the control phase focuses on implementing the changes needed for an appropriate project management.

During this phase, unexpected positive events (i.e. risks that get fixed without any action being taken) as well as unexpected negative events (i.e. the surfacing of previously unidentified risks) can occur. In this case, some immediate corrective measures shall be taken. The control phase closes one risk management process and starts a new one; in fact, by assessing how good the actions taken up to that moment have been, elements and information for deciding the new actions to be taken can be identified.

8 Conclusions

Risk Management is a crucial activity for managing projects “professionally”. Projects, by nature, are exposed to risky events, and not taking such events into consideration means underestimating the true essence of projects themselves. Risk management can vary from basic activities that do not require any specific knowledge or skills to much more complex types of approach. The type of approach depends on the values at stake.


Bibliography

Greenfield M.A., Risk as a Resource, Langley Research Center, 1998
Greenfield M.A., Risk Management Tools, Langley Research Center, 2000
Grey S., Practical Risk Assessment for Project Management, John Wiley & Sons, 1995
Metropolis N., Ulam S., The Monte Carlo method, in Journal of the American Statistical Association, 1949
Mood A.M., Graybill F.A., Boes D.C., Introduction to the Theory of Statistics, McGraw-Hill, 1987
Mulcahy R., Risk Management, RMC Publications, 2003
Mun J., Applied Risk Analysis, Wiley Finance, 2004
Rosenberg L., Hammer T., Gallo A., Continuous Risk Management at NASA, 1999
Vose D., Risk Analysis - A Quantitative Guide, John Wiley & Sons, 2000
PMI, A guide to project management body of knowledge. Project Management Institute PMBOK Guide, 2000