Project Risk Management

Chapter 9: Project Risk Management

Stevbros Training & Consultancy www.stevbros.edu.vn

Copyright@STEVBROS Project Mamagement Fundamentals 1

PMI, PMP and PMBOK are registered marks of the Project Management Ins9tute, Inc.

Overview

Ini%a%ng process group

Planning process group Execu%ng process group

Monitoring & controlling process group

Closing process group

Project risk management

•  Plan Risk Management

•  IdenJfy Risks •  Perform QualitaJve

Risk Analysis •  Perform QuanJtaJve

Risk Analysis •  Plan Risk Responses

•  Control Risks


What is Risk?

•  Risk is an uncertain event or condiJon that, if it occurs, has a posiJve or negaJve effect on a project’s objecJves

•  Example of posiJve events –  You ordered new soVware which is cheaper than your old soVware because of budget constraints. However, the new soVware turns out to be more efficient.

•  Example of negaJve events –  The government mandates a compulsory holiday due to an outbreak of swine flu. The project gets delayed

Copyright@STEVBROS STEVBROS -‐ Global PMI R.E.P 3

Concepts •  Risk appe9te, which is the degree of uncertainty an enJty is willing to take on, in anJcipaJon of a reward.

•  Risk averse, one who does not take risks. •  Risk tolerance, which is the degree, amount, or volume of risk that an organizaJon or individual will withstand.

•  Risk threshold, which refers to measures along the level of uncertainty or the level of impact at which a stakeholder may have a specific interest. Below that risk threshold, the organizaJon will accept the risk. Above that risk threshold, the organizaJon will not tolerate the risk. Copyright@STEVBROS STEVBROS -‐ Global PMI R.E.P 4

Risk categorizaJon examples

•  Example 1: –  External: regulatory, governmental, subcontractors, suppliers, and

environmental –  Internal: funding, resource, and prioriJzaJon –  Technical: requirements, technology, and quality –  Project Management: esJmaJng, planning, schedule, and communicaJon

•  Example 2: –  Schedule risk:? –  Cost Risk? –  Quality Risk? –  Scope Risk: Looks like you have not understood the work properly and you

might have to redo the whole thing! –  Resource Risk: CEO has asked the technical architect to work on another

project. In such cases, who would make design decisions on the projects?

Copyright@STEVBROS STEVBROS -‐ Global PMI R.E.P 5

Plan risk management

•  The process of defining how to conduct risk management acJviJes for a project. The key benefit of this process is it ensures that the degree, type, and visibility of risk management are commensurate with both the risks and the importance of the project to the organizaJon.


A Guide to the Project Management Body of Knowledge, FiEh Edi9on (PMBOK® Guide) ©2013 Project Management Ins9tute, Inc. All Rights Reserved. Figure 11-‐2 Page 313.

Inputs 1.  Project Management Plan

–  all approved subsidiary management plans and baselines should be taken into consideraJon in order to make the risk management plan consistent with them

2.  Project Charter –  can provide various inputs such as high-‐level risks, high-‐level project

descripJons, and high-‐level requirements. 3.  Stakeholder Register 4.  Enterprise Environmental Factors

–  contain risk aetudes, thresholds, and tolerances that describe the degree of risk that an organizaJon will withstand.

5.  OrganizaJonal Process Assets –  contain risk categories, common definiJons of concepts and terms,

risk statement formats, standard templates, roles and responsibiliJes, authority levels for decision making, and lessons learned.


Tools and techniques

1.  AnalyJcal Techniques –  for example, a stakeholder risk profile analysis may be performed to grade and qualify the project stakeholder risk appeJte and tolerance. Other techniques, such as the use of strategic risk scoring sheets, are used to provide a high-‐level assessment of the risk exposure of the project based on the overall project context.

2.  Expert Judgment 3.  MeeJngs


Outputs 1.  Risk Management Plan

–  Methodology: approaches, tools, and data sources that will be used to perform risk management on the project.

–  Roles and responsibiliJes –  BudgeJng –  Timing –  Risk categories –  DefiniJons of risk probability and impact –  Probability and impact matrix (details at next slide). –  Revised stakeholders’ tolerances. –  ReporJng formats –  Tracking: documents how risk acJviJes will be recorded for the benefit of the current project and how risk management processes will be audited.


Probability & impact matrix

•  Risk Probability: High: 50 percent or higher (likely); Medium: Between 10 and 50 percent (unlikely); Low: 10 percent or lower (very unlikely).

•  Risk Impact:


A Guide to the Project Management Body of Knowledge, FiEh Edi9on (PMBOK® Guide) ©2013 Project Management Ins9tute, Inc. All Rights Reserved. Table 11-‐1 Page 318.

IdenJfy risks •  The process of determining which risks may affect the project and

documenJng their characterisJcs. The key benefit of this process is the documentaJon of exisJng risks and the knowledge and ability it provides to the project team to anJcipate events.



Inputs(1/3) 1.  Risk Management Plan

–  are the assignments of roles and responsibiliJes, provision for risk management acJviJes in the budget and schedule, and categories of risk, which are someJmes expressed as a risk breakdown structure

2.  Cost Management Plan –  provides processes and controls that can be used to help idenJfy risks across the project.

3.  Schedule Management Plan –  provides insight to project Jme/schedule objecJves and expectaJons which may be impacted by risks (known and unknown).

4.  Quality Management Plan –  provides a baseline of quality measures and metrics for use in idenJfying risks.


Inputs(2/3) 5.  Human Resource Management Plan

–  provides guidance on how project human resources should be defined, staffed, managed, and eventually released.

6.  Scope Baseline –  uncertainty in project assumpJons should be evaluated as potenJal causes of project risk.

–  the WBS is a criJcal input to idenJfying risks as it facilitates an understanding of the potenJal risks at both the micro and macro levels. Risks can be idenJfied and subsequently tracked at summary, control account, and/or work package levels.

7.  AcJvity Cost EsJmates –  acJvity cost esJmate reviews are useful in idenJfying risks

8.  AcJvity DuraJon EsJmates –  acJvity duraJon esJmate reviews are useful in idenJfying risks


Inputs(3/3) 9.  Stakeholder Register

–  ensure that key stakeholders, especially the stakeholder, sponsor, and customer are interviewed or otherwise parJcipate during the IdenJfy Risks process

10.  Project Documents –  include project charter, project schedule, schedule network diagrams, issue

log, quality checklist, and other informaJon proven to be valuable in idenJfying risks.

11.  Procurement Documents –  the complexity and the level of detail of the procurement documents should be

consistent with the value of, and risks associated with, planned procurement. 12.  Enterprise Environmental Factors

–  include published informaJon, including commercial databases, academic studies, published checklists, benchmarking, industry studies, and risk aetudes.

13.  OrganizaJonal Process Assets –  include project files, including actual data, organizaJonal and project process

controls, risk statement formats or templates, and lessons learned.


Tools and techniques(1/2)

1.  DocumentaJon Reviews –  The quality of the plans, as well as consistency between those plans and

the project requirements and assumpJons, may be indicators of risk in the project.

2.  InformaJon Gathering Techniques –  Include brainstorming, Delphi technique, Interviewing, Root cause analysis.

3.  Checklist Analysis –  are developed based on historical informaJon and knowledge that has

been accumulated from previous similar projects and from other sources of informaJon. The lowest level of the RBS can also be used as a risk checklist.

4.  AssumpJons Analysis –  Every project and its plan is conceived and developed based on a set of

hypotheses, scenarios, or assumpJons. AssumpJons analysis explores the validity of assumpJons as they apply to the project. It idenJfies risks to the project from inaccuracy, instability, inconsistency, or incompleteness of assumpJons.



5.  Diagramming Techniques –  Include Cause and effect diagrams, System or process flow charts, Influence diagrams. (details at next slides)

6.  SWOT Analysis –  examines the project from each of the strengths, weaknesses, opportuniJes, and threats (SWOT) perspecJves to increase the breadth of idenJfied risks by including internally generated risks

7.  Expert Judgment –  Risks may be idenJfied directly by experts with relevant experience with similar projects or business areas.


Root-‐cause analysis


Influence diagram


Outputs

1.  Risk Register – List of idenJfied risks: •  A structure for describing risks using risk statements may be applied, for example, EVENT may occur causing IMPACT, or If CAUSE exists, EVENT may occur leading to EFFECT. •  In addiJon to the list of idenJfied risks, the root causes of those risks may become more evident.

– List of potenJal responses


Perform qualitaJve risk analysis

•  The process of prioriJzing risks for further analysis or acJon by assessing and combining their probability of occurrence and impact. The key benefit of this process is that it enables project managers to reduce the level of uncertainty and to focus on high-‐priority risks.



Inputs 1.  Risk Management Plan

–  Analysis process include roles and responsibiliJes for conducJng risk management, budgets, schedule acJviJes for risk management, risk categories, definiJons of probability and impact, the probability and impact matrix, and revised stakeholders’ risk tolerances

2.  Scope Baseline –  E.g. Projects of a common or recurrent type tend to have more well-‐

understood risks. Projects using state-‐of-‐the-‐art or first-‐of-‐its-‐kind technology, and highly complex projects, tend to have more uncertainty.

3.  Risk Register –  contains the informaJon that will be used to assess and prioriJze risks.

4.  Enterprise Environmental Factors –  include industry studies of similar projects by risk specialists, and risk

databases that may be available from industry or proprietary sources. 5.  OrganizaJonal Process Assets

–  include informaJon on prior, similar completed projects



1.  Risk Probability and Impact Assessment (next slides) 2.  Probability and Impact Matrix (next slides) 3.  Risk Data Quality Assessment

–  assessment is a technique to evaluate the degree to which the data about risks is useful for risk management. It involves examining the degree to which the risk is understood and the accuracy, quality, reliability, and integrity of the data about the risk.

4.  Risk CategorizaJon –  risks to the project can be categorized by sources of risk (e.g., using the RBS), the

area of the project affected (e.g., using the WBS), or other useful categories (e.g., project phase) to determine the areas of the project most exposed to the effects of uncertainty. Risks can also be categorized by common root causes.

5.  Risk Urgency Assessment –  risks requiring near-‐term responses may be considered more urgent to address.

Indicators of priority may include probability of detecJng the risk, Jme to affect a risk response, symptoms and warning signs, and the risk raJng.

6.  Expert Judgment



•  Risk Probability: High: 50 percent or higher (likely); Medium: Between 10 and 50 percent (unlikely); Low: 10 percent or lower (very unlikely).

•  Risk Impact:


A Guide to the Project Management Body of Knowledge, FiEh Edi9on (PMBOK® Guide) ©2013 Project Management Ins9tute, Inc. All Rights Reserved. Table 11-‐1 Page 318.

Outputs 1.  Project Documents Updates –  Risk register updates.

•  As new informaJon becomes available through the qualitaJve risk assessment, the risk register is updated.

•  Updates to the risk register may include assessments of probability and impacts for each risk, risk ranking or scores, risk urgency informaJon or risk categorizaJon, and a watch list for low probability risks or risks requiring further analysis.

– AssumpJons log updates. •  As new informaJon becomes available through the qualitaJve risk assessment, assumpJons could change.

•  The assumpJons log needs to be revisited to accommodate this new informaJon. AssumpJons may be incorporated into the project scope statement or in a separate assumpJons log.


Perform quanJtaJve risk analysis

•  The process of numerically analyzing the effect of idenJfied risks on overall project objecJves. The key benefit of this process is that it produces quanJtaJve risk informaJon to support decision making in order to reduce project uncertainty. This process isn’t applied for projects with low complexity, low dollar value.




–  provides guidelines, methods, and tools to be used in quanJtaJve risk analysis.

2.  Cost Management Plan –  provides guidelines on establishing and managing risk reserves.

3.  Schedule Management Plan –  plan provides guidelines on establishing and managing risk reserves.

4.  Risk Register –  register is used as a reference point for performing quanJtaJve risk

analysis. 5.  Enterprise Environmental Factors

–  include industry studies of similar projects by risk specialists, and risk databases that may be available from industry or proprietary sources.

6.  OrganizaJonal Process Assets –  include informaJon from prior, similar completed projects.



1.  Data Gathering and RepresentaJon Techniques –  Such as interviewing, probability distribuJons (PERT)

2.  QuanJtaJve Risk Analysis and Modeling Techniques –  Such as sensiJvity analysis, expected monetary value analysis, modeling and simulaJon (next slides)

3.  Expert Judgment –  Expert judgment also comes into play in the interpretaJon of the data. Experts should be able to idenJfy the weaknesses of the tools as well as their strengths. Experts may determine when a specific tool may or may not be more appropriate given the organizaJon’s capabiliJes and culture.


Decision Tree and EMV

•  EVM used with Decision Tree to choose between many alternative which take into account the future events

•  Example:

[ ]∑ ×= (Impact) ty)(ProbabiliEVM

Example Source: Copyright@STEVBROS Project Mamagement Fundamentals 29

SensiJvity Analysis

•  To determine which risks have the most potential impact to the project •  Changing one or more elements/variables and set other elements to its

baseline then see the impact. •  One typical display of sensitivity analysis is the tornado diagram


Modeling and simulaJon

A Guide to the Project Management B o d y o f Knowledge, FiEh Edi9on ( P M B O K ® G u i d e ) © 2 0 1 3 P r o j e c t Management Ins9tute, Inc. A l l R i g h t s Reserved. Figure 11-‐17 Page 340.


Outputs 1.  Project Documents Updates –  ProbabilisJc analysis of the project: EsJmates are made of potenJal project schedule and cost outcomes lisJng the possible compleJon dates and costs with their associated confidence levels.

–  Probability of achieving cost and Jme objecJves: For instance, in Figure 11-‐17, the likelihood of achieving the cost esJmate of US$41 million is about 12%

–  PrioriJzed list of quanJfied risks –  Trends in quanJtaJve risk analysis results: As the analysis is repeated, a trend may become apparent that leads to conclusions affecJng risk responses


Plan risk response •  The process of developing opJons and acJons to enhance

opportuniJes and to reduce threats to project objecJves. The key benefit of this process is that it addresses the risks by their priority, inserJng resources and acJviJes into the budget, schedule and project management plan as needed.




–  include roles and responsibiliJes, risk analysis definiJons, Jming for reviews (and for eliminaJng risks from review), and risk thresholds for low, moderate, and high risks. Risk thresholds help idenJfy those risks for which specific responses are needed.

2.  Risk Register –  refers to idenJfied risks, root causes of risks, lists of potenJal responses, risk owners, symptoms and warning signs, the relaJve raJng or priority list of project risks, risks requiring responses in the near term, risks for addiJonal analysis and response, trends in qualitaJve analysis results, and a watch list, which is a list of low-‐ priority risks within the risk register.


Tools and techniques (1/3)

1. Strategies for NegaJve Risk or Threats: –  Avoid: Eliminate the threat enJrely, isolate project objecJves from the risk’s impact.

–  Transfer (Deflect, Allocate): shiV some or all the negaJve impact of a threat to a third party

– MiJgate: implies a reducJon in the probability and/or impact of an adverse risk event to be within acceptable threshold limits

–  Accept: deal with the risks, project management plan is not changed


Tools and techniques (2/3)

2. Strategies for PosiJve Risks or OpportuniJes: – Exploit: seek to ensure the opportuniJes definitely happen

– Share: allocate some or all of the ownership of the opportunity to a third party who is best able to capture the opportunity for the project benefit.

– Enhance: increase the probability and/or the posiJve impacts of an opportunity.

– Accept: not acJvely pursuing an opportunity



3.  ConJngent Response Strategies –  contain events that trigger the conJngency response, such as missing intermediate milestones or gaining higher priority with a supplier, should be defined and tracked. Risk responses idenJfied using this technique are oVen called conJngency plans or fallback plans and include idenJfied triggering events that set the plans in effect.

4.  Expert Judgment –  is input from knowledgeable parJes pertaining to the acJons to be taken on a specific and defined risk. ExperJse may be provided by any group or person with specialized educaJon, knowledge, skill, experience, or training in establishing risk responses.


Outputs(1/2)

•  Project Management Plan Updates Include schedule management plan, cost management plan, quality management plan, procurement management plan, human resource management plan, scope baseline, schedule baseline, cost baseline.


Outputs (2/2) •  Project Documents Updates

–  Update to risk register •  Risk owners and assigned responsibiliJes; •  Agreed-‐upon response strategies; •  Specific acJons to implement the chosen response strategy; •  Trigger condiJons, symptoms, and warning signs of a risk occurrence; •  Budget and schedule acJviJes required to implement the chosen responses; •  ConJngency plans and triggers that call for their execuJon; •  Fallback plans for use as a reacJon to a risk that has occurred and the primary

response proves to be inadequate; •  Residual risks that are expected to remain aVer planned responses have been

taken, as well as those that have been deliberately accepted; •  Secondary risks that arise as a direct outcome of implemenJng a risk response; and •  ConJngency reserves that are calculated based on the quanJtaJve risk analysis of

the project and the organizaJon’s risk thresholds. –  Other updates: assumpJons log updates, technical documentaJon

updates, change requests


Control risks •  The process of implemenJng risk response plans, tracking idenJfied risks,

monitoring residual risks, idenJfying new risks, and evaluaJng risk process effecJveness throughout the project. The key benefit of this process is that it improves efficiency of the risk approach throughout the project life cycle to conJnuously opJmize risk responses.



Inputs 1.  Project Management Plan

–  includes the risk management plan, provides guidance for risk monitoring and controlling.

2.  Risk Register –  has key inputs that include idenJfied risks and risk owners, agreed-‐upon

risk responses, control acJons for assessing the effecJveness of response plans, risk responses, specific implementaJon acJons, symptoms and warning signs of risk, residual and secondary risks, a watch list of low-‐priority risks, and the Jme and cost conJngency reserves

3.  Work Performance Data –  deliverable status, schedule progress, and costs incurred

4.  Work Performance Reports –  take informaJon from performance measurements and analyze it to

provide project work performance informaJon including variance analysis, earned value data, and forecasJng data. These data points could be impacsul in controlling performance related risks.



1.  Risk Reassessment –  oVen results in idenJficaJon of new risks, reassessment of current risks, and the

closing of risks that are outdated. Risk reassessments should be regularly scheduled 2.  Risk Audits

–  examine and document the effecJveness of risk responses in dealing with idenJfied risks and their root causes, as well as the effecJveness of the risk management process.

3.  Variance and Trend Analysis 4.  Technical Performance Measurement

–  compares technical accomplishments during project execuJon to the schedule of technical achievement. Such technical performance measures may include weight, transacJon Jmes, number of delivered defects, storage capacity, etc. DeviaJon, such as demonstraJng more or less funcJonality than planned at a milestone, can help to forecast the degree of success in achieving the project’s scope.

5.  Reserve Analysis –  compares the amount of the conJngency reserves remaining to the amount of risk

remaining at any Jme in the project in order to determine if the remaining reserve is adequate.

6.  MeeJngs Copyright@STEVBROS Project Mamagement Fundamentals 42

Outputs 1.  Work Performance InformaJon 2.  Change Requests

–  ImplemenJng conJngency plans or workarounds someJmes results in a change request. It includes recommended correcJve acJons, recommended prevenJve acJons

3.  Project Management Plan Updates 4.  Project Documents Updates

–  outcomes of risk reassessments, risk audits, and periodic risk reviews. 5.  Actual outcomes of the project’s risks and of the risk responses 6.  OrganizaJonal Process Assets Updates

–  include templates for the risk management plan, including the probability and impact matrix and risk register; risk breakdown structure; and lessons learned from the project risk management acJviJes.


Summary

IdenJfy Risk

• Input: uncertainJes • Output: risk register

QualitaJve/QuanJtaJve Analysis

• Input: risk register • Output: updated risk register, watch-‐list

Plan Risk Response

• Input: risk register • Output: conJngency plan, fallback plan, residual risk, secondary risk

Control Risk

• Input: risk register • Output: workaround, correcJve acJons, prevenJve acJons


Summary

•  Watch list, residual risk, secondary risk, fallback plan, conJngency plan, conJngency reserve, workarounds.

•  4 response strategies for threads. •  4 response strategies for opportunity.


QuesJons for review


•  You did the good job at this chapter. Please complete quesJons for review before moving to next chapter.

Project Risk Management

Education

Transcript of Project Risk Management