Risk Management Best Practices

Project Risk Management Best Practices By Mohamad Boukhari

Transcript of Risk Management Best Practices

Best Practices in Project Risk Management

• Routine activities that lead to a high level of maturity.

Risk and Uncertainty

• Risk is uncertainty that affects objectives.

What is a risk?

• A Risk is: “An uncertain event, activity, or situation that can have a positive or a negative effect on any objective” (ARM)

• A Project Risk is: “an uncertain event or condition that, if it occurs, has a positive or negative effect on at least one project objective.” (PMBOK 4th)

Diagram: Cause → Uncertainty (the risk) → Effect

Risk and Issue

– An Issue is a situation or circumstance that has occurred, is occurring, or has a 100% probability of occurring, and that will have a detrimental impact on a program’s schedule, cost, customer satisfaction, technical or quality objectives.

– Issues can arise from findings or from a failure to mitigate risks.

Risk and Risks

• Individual risks
• Overall project risk

Individual Risks

• Individual risks are the focus of day-to-day Project Risk Management in order to enhance the prospects of a successful project outcome.

• Individual risks refer to specific events or conditions that have the ability to affect project objectives positively or negatively.

• An individual risk may affect one or more project objectives, elements, or tasks.

Overall Project Risk

• The overall project risk is more than the sum of individual risks; it represents the effect of uncertainty on the project as a whole.

• It represents the exposure of stakeholders to the implications of variations in project outcome.

Chapter 2: Principles and Concepts of Risk Management

Project Risk Management

• “Project Risk Management includes the processes concerned with conducting risk management planning, identification, analysis, responses, and monitoring & control on a project.”

Organisations are good at identifying risks, but poor at doing something about them.

Risk Identification is not Risk Management.

Project Risk Management Objective

• “The objectives of Project Risk Management are to increase the probability and impact of positive events, and decrease the probability and impact of events adverse to the Project.”

Role of Project Risk Management in Project Management

“Risk management should be embedded in the planning and operational documents of the project, and should not be considered as an optional activity.”

Chapter 1: Introduction to Risk Management Concepts

General Risk Management

“Continuous Risk Management”

• Identify – Risk sources can be external or internal.

• Assess – How important? / So what? – What are the current trends?

• Treat – What can we do? / What will we do? – When do we need to manage the risk?

Diagram: Identify → Assess → Treat, repeated as a continuous cycle.

Risk Process

Chapter 11 of the PMBOK is the basis for the Practice Standard for Project Risk Management.

Risk Process

Plan Risk Management

• The process concerned with producing the risk management plan, focusing on how risks will be approached on the project.

• This process is high-level and takes place early in the project since the results of this (and other risk processes) can significantly influence decisions made about scope, time, cost, quality, and procurement.

Identify Risks

• The process of determining which risks may affect the project and documenting their characteristics.

Perform Qualitative Risk Analysis

• The process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact

• This process helps you rank and prioritize the risks so that you can put the right emphasis on the right risks. It helps to ensure that time and resources are spent in the right risk areas.

QRA can answer the following questions:

• What is the risk?
• Why might it occur?
• How likely is it? (Probability)
• How good/bad might it be? (Impact)
• Does it matter?
• What can we do?
• When should we act?
• Who is responsible?

Critical Success Factors for the Perform Qualitative Risk Analysis Process

Perform Qualitative Risk Analysis

Probability-Impact (P-I) Matrix

(Rows: likelihood, 1 = lowest to 5 = highest. Columns: risk impacts (consequences), threats with negative impact on the left and opportunities with positive impact on the right. Each cell is likelihood × impact.)

Likelihood |     THREATS (NEGATIVE IMPACT)     |  OPPORTUNITIES (POSITIVE IMPACT)
           |   -1    -2    -3    -4    -5      |    5     4     3     2     1
     5     |   -5   -10   -15   -20   -25      |   25    20    15    10     5
     4     |   -4    -8   -12   -16   -20      |   20    16    12     8     4
     3     |   -3    -6    -9   -12   -15      |   15    12     9     6     3
     2     |   -2    -4    -6    -8   -10      |   10     8     6     4     2
     1     |   -1    -2    -3    -4    -5      |    5     4     3     2     1

Perform Qualitative Risk Analysis

Risk Score

Risk Score = Probability × Impact

The higher the risk score, the more serious the risk.

Chapter 6: Perform Qualitative Risk Analysis

Qualitative Analysis – Risk Register Updates

• Relative ranking or priority list of project risks
• Risks grouped by categories
• Causes of risk or project areas requiring particular attention
• List of risks requiring response in the near term
• List of risks for additional analysis and response
• Watch lists of low-priority risks
• Trends in qualitative risk analysis results
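The P-I matrix, the Risk Score = Probability × Impact rule, and the register updates listed above fit together in a few lines of code. The following is an added example, not material from the original slides: it scores a small register on the signed 1–25 scale the matrix uses, renders the matrix with each risk placed in its cell, and produces the ranked list, the category grouping, the near-term list, the further-analysis list and the watch list. The risk IDs, descriptions, owners, and the band cut-offs (|score| ≥ 15 for near-term response, ≤ 4 for the watch list) are constructed assumptions; the slides give no cut-offs.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    probability: int        # likelihood band, 1 (rare) .. 5 (almost certain)
    impact: int             # impact band, 1 (very low) .. 5 (very high)
    is_threat: bool = True  # False marks an opportunity (positive impact)
    category: str = "general"
    owner: str = "unassigned"


def risk_score(risk: Risk) -> int:
    """Probability x Impact, signed as on the P-I matrix:
    threats score -1..-25, opportunities +1..+25."""
    if not (1 <= risk.probability <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.risk_id}: probability and impact bands must be 1..5")
    magnitude = risk.probability * risk.impact
    return -magnitude if risk.is_threat else magnitude


# Band cut-offs are an assumption for this example; the slide does not give them.
NEAR_TERM_MIN = 15   # |score| >= 15: needs a response in the near term
WATCH_LIST_MAX = 4   # |score| <= 4: low priority, keep on the watch list


def priority_band(score: int) -> str:
    magnitude = abs(score)
    if magnitude >= NEAR_TERM_MIN:
        return "near-term"
    if magnitude <= WATCH_LIST_MAX:
        return "watch"
    return "further-analysis"


def update_register(risks):
    """Build the register updates the slide lists: ranked list, grouping by
    category, near-term responses, further analysis, and the watch list."""
    ranked = sorted(risks, key=lambda r: (-abs(risk_score(r)), r.risk_id))
    by_category = defaultdict(list)
    bands = {"near-term": [], "further-analysis": [], "watch": []}
    for r in ranked:
        by_category[r.category].append(r.risk_id)
        bands[priority_band(risk_score(r))].append(r.risk_id)
    return {
        "ranked": [(r.risk_id, risk_score(r)) for r in ranked],
        "by_category": dict(by_category),
        "near_term": bands["near-term"],
        "further_analysis": bands["further-analysis"],
        "watch_list": bands["watch"],
    }


def render_matrix(risks) -> str:
    """Text rendering of the P-I matrix with each risk placed in its cell:
    threats on the left (impact 1..5), opportunities on the right (5..1)."""
    cells = defaultdict(list)
    for r in risks:
        cells[(r.probability, r.impact, r.is_threat)].append(r.risk_id)

    def cell(p, i, threat):
        score = -(p * i) if threat else p * i
        ids = ",".join(cells[(p, i, threat)])
        return f"{score:>4}{('[' + ids + ']') if ids else '':<8}"

    lines = ["P   |" + " THREATS (impact 1..5)".ljust(60) + "| OPPORTUNITIES (impact 5..1)"]
    for p in range(5, 0, -1):
        threats = "".join(cell(p, i, True) for i in range(1, 6))
        opportunities = "".join(cell(p, i, False) for i in range(5, 0, -1))
        lines.append(f"{p:<4}|{threats}|{opportunities}")
    return "\n".join(lines)


# Constructed sample register for this example (not from the slides).
REGISTER = [
    Risk("R1", "Key supplier delivers hardware late", 4, 5, True, "procurement", "A. Lee"),
    Risk("R2", "Internet-facing component shipped unpatched", 3, 4, True, "security", "B. Khan"),
    Risk("R3", "Reuse of an existing hardened build pipeline", 2, 4, False, "engineering", "C. Diaz"),
    Risk("R4", "Office move disrupts the team for a week", 1, 2, True),
    Risk("R5", "Test environment unavailable at integration", 3, 5, True, "engineering", "C. Diaz"),
]

if __name__ == "__main__":
    print(render_matrix(REGISTER))
    for key, value in update_register(REGISTER).items():
        print(f"{key}: {value}")
```

Ranking by the absolute score keeps a large opportunity next to a threat of the same magnitude, which is the point of scoring both on one matrix; the sign only tells the response planner which family of strategies (avoid/transfer/mitigate/accept versus exploit/share/enhance) applies.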

Perform Quantitative Risk Analysis

• It is the process of numerically analyzing the effect of identified risks on overall project objectives.

• It assigns a projected value to (quantify) the risks that have been ranked by performing Qualitative Risk Analysis.

Quantitative Analysis – Risk Register Updates

• Probabilistic analysis of the project
• Probability of achieving cost and time objectives
• Prioritized list of quantified risks
• Trends in quantitative risk analysis results
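The “probability of achieving cost objectives” above, and the contingency reserve that the quantitative chapter later lists as an output, are usually obtained by Monte Carlo simulation of the cost estimate. The following is an added example, not the slides’ own material: each work package is modelled as a triangular cost distribution (optimistic / most likely / pessimistic), each quantified risk as a cost event that occurs with a given probability (an opportunity has a negative impact), and the simulation estimates the probability of finishing within a baseline and the reserve needed to reach a chosen confidence level. The work packages, risk events, baseline of 520 and the 80% confidence level are constructed assumptions.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class WorkPackage:
    name: str
    low: float     # optimistic cost
    likely: float  # most-likely cost
    high: float    # pessimistic cost


@dataclass(frozen=True)
class RiskEvent:
    name: str
    probability: float  # chance the event occurs, 0..1
    cost_impact: float  # cost added when it occurs; negative for an opportunity


def simulate_costs(packages, risks, iterations=10_000, seed=1):
    """Return the sorted list of total project costs over all iterations.
    A fixed seed keeps the run reproducible for review."""
    rng = random.Random(seed)
    totals = []
    for _ in range(iterations):
        # random.triangular(low, high, mode); it returns low when low == high
        cost = sum(rng.triangular(wp.low, wp.high, wp.likely) for wp in packages)
        for event in risks:
            if rng.random() < event.probability:
                cost += event.cost_impact
        totals.append(cost)
    totals.sort()
    return totals


def percentile(sorted_values, p):
    """Nearest-rank percentile of an already sorted list, p in 0..1."""
    index = round(p * (len(sorted_values) - 1))
    return sorted_values[min(max(index, 0), len(sorted_values) - 1)]


def quantitative_summary(packages, risks, baseline, confidence=0.8,
                         iterations=10_000, seed=1):
    """Register updates from quantitative analysis: probability of achieving
    the cost baseline and the reserve needed to reach the confidence level."""
    totals = simulate_costs(packages, risks, iterations, seed)
    achieved = sum(1 for t in totals if t <= baseline)
    target = percentile(totals, confidence)
    return {
        "probability_of_achieving_baseline": achieved / len(totals),
        "mean_cost": statistics.fmean(totals),
        "p50_cost": percentile(totals, 0.5),
        "confidence_cost": target,
        "contingency_reserve": max(0.0, target - baseline),
    }


# Constructed inputs for this example (not from the slides); costs in k$.
WORK_PACKAGES = [
    WorkPackage("Design", 80, 100, 140),
    WorkPackage("Build", 200, 250, 400),
    WorkPackage("Test", 60, 80, 130),
    WorkPackage("Deploy", 30, 40, 70),
]
RISK_EVENTS = [
    RiskEvent("Supplier delivers late", 0.30, 60),
    RiskEvent("Pen test finds an unpatched component", 0.25, 40),
    RiskEvent("Reuse of an existing hardened pipeline", 0.40, -30),
]
BASELINE = 520.0  # the budget the project committed to

if __name__ == "__main__":
    for key, value in quantitative_summary(WORK_PACKAGES, RISK_EVENTS, BASELINE).items():
        print(f"{key}: {value:.3f}")
```

The reserve reported is the gap between the P80 cost and the baseline, which is how “required contingency reserve levels” are normally set from a quantitative analysis; choosing a different confidence level changes the reserve, not the model. Correlation between risks, which the quantitative chapter mentions, is not modelled here: each event is drawn independently, so a register with strongly correlated risks would need joint draws.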

Plan Risk Responses

• The process of developing options and actions to enhance opportunities and to reduce threats to project objectives

• It includes the identification and assignment of one person (the “risk response owner”) to take responsibility for each agreed-to and funded risk response.

Response Plan Strategies for Negative Risks (threats)

Diagram: each strategy acts on a Cause → Risk → Effect chain.

• Avoid – remove the cause so the risk cannot occur (the cause and risk are crossed out in the diagram).
• Transfer – the effect stays the same, but responsibility for it is passed to a third party.
• Mitigate – reduce the probability of the risk and/or the size of its effect.
• Accept – take no action on the chain beyond acknowledging the risk.

Response Plan Strategies for Positive Risks (opportunities)

Diagram: each strategy acts on a Cause → Risk → Effect chain.

• Exploit – act on the cause so the opportunity is certain to occur.
• Share – pass part of the opportunity to a third party better able to capture it.
• Enhance – increase the probability of the opportunity and/or the size of its positive effect.
• Ignore – take no action on the chain.

Monitor and Control Risks

• The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project

• The project work should be continuously monitored for new, changing, and outdated risks.

Risk Identification- The Iterative Process

• Risk Identification should be repeated to find risks which were not evident earlier in the project.

• Input is required from a wide range of project stakeholders, since each will have a different perspective on the risks facing the project.

• Historical records and project documents are reviewed.

• Identified risks are not filtered, screened, or assessed at this stage; all identified risks are recorded.

• A risk owner is designated for each identified risk. It is the responsibility of the risk owner to manage the corresponding risk through all of the subsequent risk management processes.

Chapter 3: Introduction to Project Risk Management Processes

Risk Assessment

• Prioritizes risks
• Evaluates the level of overall project risk
• Determines appropriate responses

• Risk evaluation can be performed using:

– Qualitative techniques to address individual risks
– Quantitative techniques for the overall effect of risk on the project outcome
– An integrated approach for both, which requires different types of data

Chapter 3: Introduction to Project Risk Management Processes

Qualitative Techniques

• Gaining a better understanding of individual risks, and understanding and prioritizing them, is a prerequisite to managing them.
• Qualitative techniques are used on most projects.
• Outputs:

– Probability of occurrence
– Degree of impact on project objectives
– Manageability
– Timing of possible impacts
– Relationships with other risks
– Common causes or effects

• Outputs are documented and communicated to key project stakeholders and form a basis for determining appropriate responses.

Chapter 3: Introduction to Project Risk Management Processes

Quantitative Techniques

• May not be required for all projects.
• Provide the combined effect of identified risks on the project outcome by taking into account probabilistic or project-wide effects, such as:

– Correlation between risks
– Interdependency
– Feedback loops
– Degree of overall risk faced by the project

• Outputs of quantitative analysis:

– Provide focus for development of appropriate responses
– Allow calculation of required contingency reserve levels
– Are documented and communicated to inform subsequent actions

Chapter 3: Introduction to Project Risk Management Processes

Risk Responses

• Appropriate risk responses must be developed using an iterative process which continues until an optimal set of responses has been developed.

• Strategies exist for both threats and opportunities.

• The risk owner should select an achievable, affordable, and appropriate strategy for each individual risk, based on its characteristics and assessed priority

• The use of a single strategy that addresses several related risks should be considered whenever possible.

Chapter 3: Introduction to Project Risk Management Processes

What is ERM? (Enterprise Risk Management)

• The simple definition:

– Integrated risk management working as a co-ordinated activity across the whole organisation
– Bringing together all risk management activities
– Sharing them with all parts of the organisation
– Using an appropriate framework

• ERM is about the entire organisation, not just bits of it, and it is about performing all activities, not just some of them.

• COSO (Committee of Sponsoring Organizations of the Treadway Commission)

– Sees ERM as an appropriate level of controls being exercised in a series of interconnected functional layers

The COSO ERM Framework

What is ISO 31000 Risk Management?

ISO 31000:2009 sets out principles, a framework and a process for the management of risk that are applicable to any type of organization in the public or private sector. It does not mandate a "one size fits all" approach, but rather emphasizes the fact that the management of risk must be tailored to the specific needs and structure of the particular organization.

ISO 31000

• ISO 31000:2009 was received as a replacement for the existing standard on risk management, AS/NZS 4360:2004.
• Risk is the “effect of uncertainty on objectives”.
• Principles:

a) Risk management creates value.
b) Risk management is an integral part of organizational processes.
c) Risk management is part of decision making.
d) Risk management explicitly addresses uncertainty.
e) Risk management is systematic, structured and timely.
f) Risk management is based on the best available information.
g) Risk management is tailored.
h) Risk management takes human and cultural factors into account.
i) Risk management is transparent and inclusive.
j) Risk management is dynamic, iterative and responsive to change.
k) Risk management facilitates continual improvement and enhancement of the organization.

Thank You