Risk Management

Risk management is about anticipating risks and having a plan in place to resolve them when they occur. Risk management saves time, money and effort. It reduces unnecessary stress on the project team. Risk management helps prevent many problems and helps make other problems less likely.

Risk Management activities are integral to a project manager’s daily work. Through risk management, the project changes from being in control of the project manager to the project manager being in control of the project.

Risk management includes risk management planning, risk identification, the qualitative and quantitative analysis of risks, risk response planning, and monitoring and controlling the risk responses. Risk management helps in increasing the possibility of positive events on the project and effectively reduces the possibility of negative events on the project.

Threats are events that, if they occur, can negatively impact the project, whereas opportunities are events that, if they occur, can positively impact the project.

Threats and Opportunities

Up to 90% of the threats identified and investigated in the risk management process can be eliminated.

A lack of knowledge about an event that may occur, which reduces confidence in the conclusions drawn from the data, is termed uncertainty.

Risks can have various factors, such as:
  • How likely is it that the risk event will occur (its probability)?
  • The impact of the risk
  • When will the risk occur during the course of this project?
  • How many times will this risk occur?

An individual who avoids risk, and thus does not want to take risks, is known as Risk Averse.

The degree or level of risk that is acceptable is known as Risk Tolerance. The specific point where risk becomes unacceptable is known as the Risk Threshold.

In processes where risk management is effectively carried out, we see:
  • Risk response planning is very robust. Hence, even if risks occur, they are eliminated.
  • An agenda is set to discuss risk items in every meeting.
  • There is always a plan to deal with any risk events.

This gives the project manager additional time to perform other critical activities related to the project.

We will be studying six risk management processes, namely:
  1. Plan Risk Management
  2. Identify Risks
  3. Perform Qualitative Risk Analysis
  4. Perform Quantitative Risk Analysis
  5. Plan Risk Responses
  6. Monitor and Control Risks

The individuals involved in Planning Risk Management include:
  • Project Manager
  • Sponsor
  • Team
  • Customer
  • Other Stakeholders
  • Experts

The risk management process is structured and performed for the project. Risk management efforts are not limited to creating a standardized checklist based on the experience gained from past projects. Risk management efforts should be based on the size and complexity of the project and the skill levels of the project members.

The Plan Risk Management process involves planning the total time to be spent on risk management based on the needs of the project. It involves identifying the resources and the process for performing risk management. The project manager makes effective use of organizational process assets to plan risk management.

The risk management plan may include:
  • Methodology: The process of performing risk management is defined.
  • Roles and responsibilities: Individuals involved in performing risk management are identified.
  • Budgeting: Cost of risk management process is determined.
  • Timing: The time when risk management process should start is determined.
  • Risk categories
  • Definitions of probability and impact: The probability and impact of any risk is generally rated on a scale of 1 to 10, with 1 being the lowest and 10 being the highest. However, since this is a subjective assessment of risk, even if different individuals rate the risk as 6, they may have different definitions. Thus, the definitions of probability and impact help in standardizing these interpretations and also help compare risks between projects.
  • Stakeholder tolerances: For a successful project, tolerance levels of stakeholders for different risk categories such as cost, quality, etc. should be identified during project initiation and clarified regularly.
  • Reporting formats: Reporting formats of any reports related to risk management are identified and finalized.
  • Tracking: Risk management requires regular tracking by those involved in the project. Hence, a tracking mechanism is to be defined for effective risk management.

Risk categories can be broad, including the sources of risks that the organization has experienced. Some of the categories could be:
  • External: Government related, Regulatory, environmental, market related.
  • Internal: Service related, Customer Satisfaction related, Cost related, Quality related.
  • Technical: any change in technology related.
  • Unforeseeable: Some risks, about 9-10%, can be unforeseeable.

In addition to risk categories, risks can also be classified by type:
  • Business Risk: It could be a gain or loss
  • Pure (Insurable) Risk: It only results in a loss (example: robbery, fire, etc.)

The Identify Risks process involves talking to all stakeholders and non-stakeholders. It also involves reviewing organizational process assets. Project managers generally start risk identification from the onset of the project. High-level risks are identified during the project charter creation phase. Detailed risk identification occurs during the planning process. The project scope statement, WBS and WBS dictionary (scope baseline) are critical inputs for risk identification. Some of the risk identification tools and techniques include:

The standard practice to identify risks is reviewing project related documents such as lessons learned, articles, organizational process assets, etc.

The given techniques are similar to the techniques used to collect requirements. Let’s look at a few of them.

Brainstorming is done with a group of people who focus on identification of risk for the project.

Brainstorming Results

A team of experts is consulted anonymously. A list of required information is sent to experts, responses are compiled, and results are sent back to them for further review until a consensus is reached.

An interview is conducted with project participants, stakeholders, experts, etc. to identify risks.

Root causes are determined for the identified risks. These root causes are further used to identify additional risks.

Strengths and weaknesses are identified for the project and thus, risks are determined.

SWOT Analysis

The checklist of risk categories is used to come up with additional risks for the project.

Identifying the different assumptions of the project and determining their validity further helps in identifying risks for the project.

Diagramming techniques such as Cause and Effect Diagrams, Process Flow Charts, etc. can be used for identification of risks.

This process of Risk Identification results in the creation of the Risk Register.

A Risk Register is a living document that is updated regularly throughout the life cycle of the project. It becomes a part of project documents and is included in the historical records that are used for future projects.

Risk Register

The risk register includes:
  • List of Risks
  • List of Potential Responses
  • Root Causes of Risks
  • Updated Risk Categories

Qualitative risk analysis is a subjective analysis of the identified risks. In the Perform Qualitative Risk Analysis process, a list of risks is identified by analyzing the process for possibilities of risk that may occur during the project phases. The probability of each risk is identified. Some project managers prefer using a Low, Medium and High scale and others rate on a scale of 1 to 10. Likewise, the impact of each risk is also rated using an appropriate scale. Some of the tools that can be used for qualitative risk analysis include:

The matrix helps in identifying those risks which require an immediate response. The matrix may be customized according to the needs of the project. Most companies have a standardized template for this matrix, and project managers can leverage those templates as well. Use of a standardized matrix makes the matrix list more repeatable between projects.

Probability and Impact Matrix

Data is collated for the identified risks. The project manager tries to find the precision of the data that must be analyzed for completing the qualitative analysis of risks.

For each risk, in Risk Data Quality Assessment, the project manager needs to determine:
  • Extent of the understanding of the risk
  • Data available
  • Quality and reliability of the data
  • Integrity of the data

Risk categorization means adding a category name to each risk or creating groups of identified risks. It helps in clearly identifying the category of work packages, processes, people or other potential causes having the most risks.

A project manager should not only identify risks and determine responses to these risks, but also identify which of these risks require urgent attention. Some project managers may look at the urgency of the risk and the probability / impact rating of the project risks.

Risk register is updated with:
  • Risk ranking for the project compared to other projects
  • List of prioritized risks and their probability and impact ratings
  • Risks grouped by categories
  • List of risks for additional analysis and response
  • List of risks requiring additional analysis in the near term
  • Watch-list (non-critical risks)
  • Trends

The next step after qualitative risk analysis is to analyze the probability and impact of risks in Perform Quantitative Risk Analysis. The purpose of Quantitative Risk Analysis is:
  • Identification of risk response that requires urgent attention
  • Identify the exposure of risk on the project
  • Identify the impact of risk on the objective of the project
  • Determine cost and schedule reserves that could be required if risk occurs
  • Identify risks requiring more attention

A few actions are a part of quantitative risk analysis. They include:

DETERMINING QUANTITATIVE PROBABILITY AND IMPACT

Some of the techniques of quantitatively determining probability and impact of a risk include:
  • Interviewing
  • Cost and time estimating
  • Delphi technique
  • Historical Records
  • Expert judgment
  • Expected monetary value analysis
  • Monte Carlo Analysis
  • Decision tree
The Monte Carlo analysis simulates the cost or schedule results of the project. The primary inputs for this analysis are the “network diagram” and “estimates to perform the project”.

A Monte Carlo analysis:
  • Requires a computer based program
  • Evaluates the overall risk in the project
  • Determines the probability of completing the project on any specific day, or for any specific cost
  • Determines the probability of any activity actually being on critical path
  • Path convergence is taken into account
  • Cost and schedule impacts can be assessed
  • Results in a probability distribution
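
The sketch below is an added example, not part of the original material: a small Monte Carlo schedule simulation that takes a network diagram and activity estimates as input and reports the probability of finishing by a given day and how often each activity lands on the critical path. The four-activity network, its three-point estimates and the use of a triangular distribution are assumptions made for illustration.

```python
import random

# Constructed sample network: activity -> (predecessors, (optimistic, most likely, pessimistic) days).
# Listed in dependency order; B and C run in parallel and converge on D (path convergence).
NETWORK = {
    "A": ([], (2, 4, 8)),
    "B": (["A"], (3, 5, 10)),
    "C": (["A"], (4, 5, 7)),
    "D": (["B", "C"], (1, 2, 4)),
}

def simulate_once(network, rng):
    """One trial: sample durations, do a forward pass, return (project duration, critical path)."""
    finish, driver = {}, {}
    for name, (preds, (low, mode, high)) in network.items():
        # The latest-finishing predecessor determines when this activity can start.
        driving = max(preds, key=lambda p: finish[p], default=None)
        start = finish[driving] if driving else 0.0
        finish[name] = start + rng.triangular(low, high, mode)
        driver[name] = driving
    last = max(finish, key=finish.get)
    critical, node = set(), last
    while node is not None:  # walk back along the driving predecessors
        critical.add(node)
        node = driver[node]
    return finish[last], critical

def monte_carlo(network, deadline, trials=20000, seed=1):
    """Return on-time probability, 80th-percentile duration and per-activity criticality."""
    rng = random.Random(seed)
    durations, on_critical = [], dict.fromkeys(network, 0)
    for _ in range(trials):
        total, critical = simulate_once(network, rng)
        durations.append(total)
        for name in critical:
            on_critical[name] += 1
    durations.sort()
    return {
        "p_on_time": sum(d <= deadline for d in durations) / trials,
        "p80_duration": durations[int(0.8 * trials)],
        "criticality": {n: c / trials for n, c in on_critical.items()},
    }

if __name__ == "__main__":
    # 11 days is the sum of the most-likely estimates along either path.
    print(monte_carlo(NETWORK, deadline=11))
```

Both paths add up to 11 days on most-likely estimates, yet the simulated chance of finishing in 11 days is well under 50%, because the estimates are skewed toward the pessimistic side and D cannot start until the slower of B and C is done.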

A decision tree helps analyze many alternatives at a single point in time. Decision trees are models of real situations. A decision tree takes into account future events in making the decision today. It helps calculate Expected Monetary Value in more complex situations. It also involves Mutual Exclusivity.

  • Prioritized list of quantified risks
  • Amount of contingency time and cost reserves needed
  • Possible realistic and achievable completion dates and project costs, with confidence levels, versus the time and cost objectives for the project
  • The quantified probability of meeting the project objectives
  • Trends in quantitative risk analysis

Risk response planning involves determining ways to reduce or eliminate any threats to the project, and ways to increase the impact of opportunities.

Project managers should work to eliminate threats before they occur. Similarly, project managers should work to ensure that opportunities occur. Likewise, the project manager is also responsible for decreasing the probability and impact of threats and increasing the probability and impact of opportunities.

For the threats that cannot be mitigated, the project manager needs to have a robust contingency plan and also a response plan if contingencies do not work.

It is not required to eliminate all the risks of the project, due to resource and time constraints. A project manager should review risk throughout the project. Planning for risks is iterative. Qualitative risk analysis, quantitative risk analysis and risk response planning do not end once you begin work on the project.

The choices of response strategies for THREATS include:
  • AVOID: Focus on eliminating the cause and thus, eliminating the threat.
  • MITIGATE: There are certain risks that cannot be eliminated. However, their impact can be reduced. This is termed as mitigation of risks.
  • TRANSFER: Transfer the risk to some other party. Insurance purchases, warranties, guarantees, etc. are examples of risk transfers.

The choices of response strategies for OPPORTUNITIES include:
  • EXPLOIT: Add work or change the project to make sure the opportunity occurs.
  • ENHANCE: Increase the probability and positive impact of risk events.
  • SHARE: Allocate ownership of the opportunity to a third party.

A response strategy for BOTH threats and opportunities:
  • ACCEPT: Passive acceptance leaves action to be determined as needed, in case of a risk event. Active acceptance may involve contingency plans to be implemented if risk occurs and allocation of time and cost reserves to the project. A decision to accept risk must be communicated to stakeholders.

Whenever the project manager is responding to threats or opportunities:
  • Execution of strategies must be time-bound
  • Effort selected must be appropriate to the severity of the risk
  • A single response can address multiple risk events
  • A strategy can be selected not only by the project manager, but also by the team, the stakeholders and experts
Risk register, project management plans and project documents need to be updated as outputs of Plan Risk Responses.

The Project Management Plan can be updated with new work activities / packages that are added, removed, or assigned to different resources, thus making planning an iterative process.

Other documents that the project manager uses for the projects also need to be changed/updated.

Residual risks: These are risks that remain after completion of risk response planning. Residual risks are those risks that are accepted and for which contingency plans are developed.

Contingency plans: These describe the specific actions that can be taken if specific opportunities or threats occur.

Risk response owners: Risks can be assigned to individuals who can develop risk responses and who will implement those responses if the opportunities or threats occur.

Secondary risks: These are risks which may be created by the implementation of current risk responses.

Risk triggers: The events that trigger the contingency response are risk triggers.

Contracts: The contracts issued to deal with risks should be noted in the risk register.

Fallback plans: Specific actions that are taken if contingency plans (or risk response plans) are not effective.

Reserves (contingency): Reserves are necessary for both time and cost risks.

The actions involved in monitoring and controlling risks are:
  • Determine the occurrences of risk triggers
  • Identify and monitor residual risks
  • Keep risk identification, analysis and monitoring an iterative process in the project
  • Evaluate the effectiveness of risk response plan
  • Risk status should be collected and communicated
  • Monitor the rigor of risk management procedures
  • Identify if additional risk responses need to be determined
  • Recommend corrective actions
  • Look for unexpected effects or consequences
  • Update risk management and risk response plans
  • Perform variance and trend analysis
  • Use contingency reserves and adjust for approved changes

WORKAROUNDS: These are unplanned responses developed to deal with the occurrence of unanticipated events or problems on a project.

RISK REASSESSMENTS: The process of periodically reviewing the risk management plan and risk register and adjusting the documentation as required is termed risk reassessment.

RISK AUDITS: Risk audits help the project manager prove that all the risks are identified, that a plan of mitigation for each major risk is available and that risk response owners are prepared to take action.

RESERVE ANALYSIS: While the work is being done, reserve analysis is simply checking to see how much reserve remains and how much might be needed.

STATUS MEETINGS: Risks should be a major point of discussion in all team (project status) meetings.

CLOSING OF RISKS THAT ARE NO LONGER APPLICABLE: This allows the team to focus on managing the risks that are still open.

The outputs are:
  • Risk register updates
  • Change requests, recommended preventive and corrective actions
  • Project management plan updates
  • Project document updates
  • Organizational process assets updates
