Risk Management is about anticipating risks and having a plan in place that will resolve it when it occurs. Risk management saves time, money and efforts. It reduces unnecessary stress on project team. Risk management helps prevent many problems and helps make other problems less likely.
Risk Management activities are integral to a project manager’s daily work. Through risk management, the project changes from being in control of the project manager to the project manager being in control of the project.
Risk management includes risk management planning, risk identification, the qualitative and quantitative analysis of risks, risk response planning, and monitoring and controlling the risk responses. Risk management helps in increasing the possibility of positive events on the project and effectively reduces the possibility of negative events on the project.
THREATS AND OPPORTUNITIES
Threats are events when occurred can negatively impact the project, whereas opportunities are events when occurred can positively impact the project.
Threats and Opportunities
Up to 90% of threats identified and investigated in risk management process can be eliminated.
Lack of knowledge about an event that may occur and reduce confidence in the conclusions drawn from the data is termed as uncertainty.
Risks can have various factors such as:
How likely is the probability that the risk event will occur?
The impact of the risk
When will the risk occur during the course of this project?
How many times will this risk occur?
An individual who avoids risk and thus, does not want to take risks is known as Risk Averse.
RISK TOLERANCES AND THRESHOLDS
The degree or level of risk that is acceptable is known as Risk Tolerance. The specific point where risk becomes unacceptable is known as Risk Thresholds.
THE RISK MANAGEMENT PROCESS
In processes where risk management is effectively carried out, we see:
Risk response planning is very robust. Hence, even if risks occur, they are eliminated.
An agenda is set to discuss risk items in every meeting.
There is always a plan to deal with any risk events.
This results in getting additional time for the project manager to perform other critical activities related to his project.
We will be studying six management processes, namely:
Plan Risk Management
Perform Qualitative Risk
Perform Quantitative Risk
Plan Risk Responses
Monitor and Control Risks
PLAN RISK MANAGEMENT
The individuals involved in Planning Risk Management include:
Risk management process is structured and performed for the process. Risk management efforts are not limited to creating a standardized checklist basis the experience gained from past projects. Risk management efforts should be based on the size, complexity and the skill levels of the project and project members.
Plan Risk Management process involves planning the total time to be spent on risk management based on the needs of the project. It involves identifying the resources and the process of performing risk management. Organizational process assets are used effectively by the project manager to plan risk management.
OUTPUTS OF RISK MANAGEMENT PLAN
The risk management plan may include:
Methodology: The process of performing risk management is defined.
Roles and responsibilities: Individuals involved in performing risk managements are identified.
Budgeting: Cost of risk management process is determined.
Timing: The time when risk management process should start is determined.
Definitions of probability and impact: The probability and impact of any risk is generally rated on a scale of 1 to 10. 1 being the lowest and 10 being the highest. However, since this is a subjective assessment of risk, even if different individuals rate the risk as 6, they may have different definitions. Thus, the definitions of probability and impact help in standardizing these interpretations and also help compare risks between projects.
Stakeholder tolerances: For a successful project, tolerance levels of stakeholders for different risk categories such as cost, quality, etc should be identified during project initiation and clarified regularly.
Reporting formats: Reporting formats of any reports related to risk management are identified and finalized.
Tracking: Risk management requires regular traction by those involved in the project. Hence, a tracking mechanism is to be defined for effective risk management.
Risk categories can be broad including the sources of risks that the organization has experienced. Some of the categories could be:
External: Government related, Regulatory, environmental, market related.
Internal: Service related, Customer Satisfaction related, Cost related, Quality related.
Technical: any change in technology related.
Unforeseeable: Some risks about 9-10% can be unforeseeable risks.
TYPES OF RISK
In addition to risk categories, there are more classification of risk types:
Business Risk: It could be a gain or loss
Pure (Insurable) Risk: It only results in a loss (example: robbery, fire, etc)
This process involves talking to all stakeholders and non-stakeholders. It also involves reviewing organizational process assets. Project managers generally start risk identification from the onset of the project. High-level risks are identified during the project charter creation phase. Detailed risk identification occurs during planning process. The project scope statement, WBS and WBS dictionary (scope baseline) are critical inputs for risk identification. Some of the risk identification tools and techniques include:
The standard practice to identify risks is reviewing project related documents such as lessons learned, articles, organizational process assets, etc.
INFORMATION GATHERING TECHNIQUES
The given techniques are similar to the techniques used to collect requirements. Let’s look at a few of them.
Brainstorming is done with a group of people who focus on identification of risk for the project.
A team of experts is consulted anonymously. A list of required information is sent to experts, responses are compiled, and results are sent back to them for further review until a consensus is reached.
An interview is conducted with project participants, stakeholders, experts, etc to identify risks.
ROOT CAUSE ANALYSIS
Root causes are determined for the identified risks. These root causes are further used to identify additional risks.
SWOT ANALYSIS (STRENGTH, WEAKNESS, OPPORTUNITIES AND THREATS)
Strengths and weaknesses are identified for the project and thus, risks are determined.
The checklist of risk categories is used to come up with additional risks for the project.
Identification of different assumptions of the project and determining their validity, further helps in identifying risks for the project.
Diagramming techniques such as Cause and Effect Diagram, Process Flow Charts, etc can be used for identification of risks.
OUTPUTS TO IDENTIFY RISKS
This process of Risk Identification results in creation of Risk Register.
A Risk Register is a living document that is updated regularly throughout the life cycle of the project. It becomes a part of project documents and is included in the historical records that are used for future projects.
The risk register includes:
List of Risks
List of Potential Responses
Root Causes of Risks
Updated Risk Categories
PERFORM QUALITATIVE RISK ANALYSIS
Qualitative risk analysis is a subjective analysis of the identified risks. In this process of Perform Qualitative Risk Analysis, a list of risks is identified by analyzing the process for possibilities of risk that may occur during the project phases.
The probability of each risk is identified. Some project managers prefer using a Low, Medium and High scale and the others rate on a scale of 1 to 10. Likewise, the impact of each risk is also rated using an appropriate scale. Some of the tools that can be used for qualitative risk analysis include:
PROBABILITY AND IMPACT MATRIX
The matrix helps in identifying those risks which require an immediate response. The matrix may be customized according to the needs of the project. Most companies do have a standardized template for this matrix and project managers could leverage those templates as well. Use of standardized matrix makes the matrix list more repeatable between projects.
Probability and Impact Matrix
RISK DATA QUALITY ASSESSMENT
Data is collated for the identified risks. The project manager tries to find the precision of the data that must be analyzed for completing the qualitative analysis of risks.
For each risk, in Risk Data Quality Assessment, the project manager needs to determine:
Extent of the understanding of the risk
Quality and reliability of the data
Integrity of the data
Risk categorization means adding a category name to each risk or creating groups of identified risks. It helps in clear identification of the category of work packages, processes, people or other potential causes having most risks.
RISK URGENCY ASSESSMENT
A project manager’s should not only identify risks and determine responses to these risks, but also identify which of these risks require urgent attention. Some project managers may look at the urgency of the risk and the probability / impact rating of the project risks.
RISK REGISTER UPDATES
Risk register is updated with:
Risk ranking for the project compared to other projects
List of prioritized risks and their probability and impact ratings
Risks grouped by categories
List of risks for additional analysis and response
List of risks requiring additional analysis in the near term
Watch-list (non-critical risks)
PERFORM QUANTITATIVE RISK ANALYSIS
The next step of Qualitative risk analysis is to analyze the probability and impact of risks in Perform Quantitative Risk. The purpose of Quantitative Risk Analysis is:
Identification of risk response that requires urgent attention
Identify the exposure of risk on the project
Identify the impact of risk on the objective of the project
Determine cost and schedule reserves that could be required if risk occurs
Identify risks requiring more attention
A few actions are a part of Quantitative risk analysis. They include:
DETERMINING QUANTITATIVE PROBABILITY AND IMPACT
Some of the techniques of quantitatively determining probability and impact of a risk include:
Cost and time estimating
Expected monetary value analysis
Monte Carlo Analysis
MONTE CARLO ANALYSIS (SIMULATION TECHNIQUE)
The Monte Carlo analysis simulates the cost or schedule results of the project. The primary inputs for this analysis are the “network diagram” and “estimates to perform the project”.
A Monte Carlo analysis:
Requires a computer based program
Evaluates the overall risk in the project
Determines the probability of completing the project on any specific day, or for any specific cost
Determines the probability of any activity actually being on critical path
Path convergence is taken into account
Cost and schedule impacts can be assessed
Results in a probability distribution
Decision tree helps analyze many alternatives at one single point of time. They are models of real situation. A decision tree takes into account future events in making the decision today. It helps calculate Expected Monetary Value in more complex situations. It also involves Mutual Exclusivity.
Prioritized list of quantified risks
Amount of contingency time and cost reserves needed
Possible realistic and achievable completion dates and project costs, with confidence levels, versus the time and cost objectives for the project
The quantified probability of meeting the project objectives
Trends in quantitative risk analysis
PLAN RISK RESPONSES
The risk response planning involves determining ways to reduce or eliminate any threats to the project, and also the opportunities to increase their impact.
Project managers should work to eliminate the threats before they occur. Similarly, the project managers should work to ensure that opportunities occur. Likewise, the project manager is also responsible to decrease the probability and impact of threats and increase the probability and impact of opportunities.
For the threats that cannot be mitigated, the project manager needs to have a robust contingency plan and also a response plan if contingencies do not work.
It is not required to eliminate all the risks of the project due to resource and time constraints. A project manager should review risk throughout the project. Planning for risks is iterative. Qualitative risk, quantitative risk and risk response planning do not end ones you begin work on the project.
RISK RESPONSE STRATEGIES
The choices of response strategies for THREATS include:
AVOID; Focus on eliminating the cause and thus, eliminating the threat.
MITIGATE; there are certain risks that cannot be eliminated. However, their impact can be reduced. This is termed as mitigation of risks.
TRANSFER; Transfer the risk to some other party. Insurance purchases, warranties, guarantees, etc are examples of risk transfers.
The choices of response strategies for OPPORTUNITIES include:
EXPLOIT; add work or change the project to make sure the opportunity occurs
ENHANCE; increase the probability and positive impact of risk events
SHARE; allocate ownership of opportunity to a third-party
A response strategy for BOTH threats and opportunities:
ACCEPT; passive acceptance leaves action to be determined as needed, in case of a risk event. Active acceptance may involve contingency plans to be implemented if risk occurs and allocation of time and cost reserves to the project. A decision to accept risk must be communicated to stakeholders.
Whenever the project manager is responding to threats or opportunities:
Execution of strategies must be time-bound
Effort selected must be appropriate to the severity of the risk
A single response can be an action of multiple risk events
A strategy can be selected not only by the project manager, but also by the team, the stakeholders and experts
OUTPUTS OF PLAN RISK RESPONSES
Risk register, project management plans and project documents need to be updated as outputs of Plan Risk Responses.
PROJECT MANAGEMENT PLAN UPDATES
Project Management Plan can be updated by new work activities / packages that could be added, removed, or assigned to different resources, thus, making planning an iterative process.
PROJECT DOCUMENTS UPDATES
Other documents that the project manager uses for the projects also need to be changed/updated.
Residual risks; there are risks that remain after completion of risk response planning. Residual risks are those risks that are accepted and contingency plans are developed.
Contingency plans; they describe the specific actions that can be taken if specific opportunity or threats occur.
Risk response owners; Risks can be assigned to individuals who can develop risk responses and also who will implement risk responses if those opportunities or threats occur.
Secondary risks; these are those risks which may be created due to implementation of current risk responses.
Risk triggers; the events that trigger the contingency response are risk triggers.
Contracts; the contracts issued to deal with risks should be noted in risk register.
Fall back plans; specific actions that are taken if contingency plans (or risk response plans) are not effective.
Reserves (contingency); reserves are necessary for both time and cost risks.
MONITOR AND CONTROL RISKS
The list of actions involved in monitoring and controlling risks are:
Determine the occurrences of risk triggers
Identify and monitor residual risks
Keep risk identification, analysis and monitoring an iterative process in the project
Evaluate the effectiveness of risk response plan
Risk status should be collected and communicated
Monitor the rigor of risk management procedures
Identify if additional risk responses need to be determined
Recommend corrective actions
Look for unexpected effects or consequences
Update risk management and risk response plans
Perform variance and trend analysis
Use contingency reserves and adjust for approved changes
WORKAROUNDS; these are unplanned responses developed to deal with the occurrence of unanticipated events or problems on a project. RISK REASSESSMENTS; The process of periodically reviewing the risk management plan and risk register and adjust the documentation as required is termed as risk reassessment. RISK AUDITS; Risk audits helps the project manager prove that all the risks are identified, a plan of mitigation for each major risk is available and risk response owners are prepared to take action. RESERVE ANALYSIS; while the work is being done, reserve analysis is simply checking to see how much reserve remains and how much might be needed. STATUS MEETINGS; Risks should be a major point of discussion in all team (project status) meetings. CLOSING OF RISKS THAT ARE NO LONGER APPLICABLE; it allows the team to focus on managing the risks that are still open.
OUTPUTS OF MONITOR AND CONTROL RISKS
The outputs are:
Risk register updates
Change requests, recommended preventive and corrective actions