8. Project Risk Management
As per PMBOK: "The whole point of undertaking a project is to achieve or
establish something new, to venture, to take chances, to risk." Risk may
have positive or negative effects on the project schedule and/or
cost. Positive risks are opportunities and negative risks are losses
or threats; remember that both kinds are uncertain, with a probability of
occurrence of less than 80%. The purpose of Risk Management is to manage
(plan and implement) these uncertainties.
Following are the processes defined in the Risk Management Knowledge Area,
by process group (Initiation, Planning, Execution, M&C, Closing):
Planning:
8.1. Plan Risk Management
8.2. Identify Risks
8.3. Perform Qualitative Risk Analysis
8.4. Perform Quantitative Risk Analysis
M&C:
8.6. Monitor and Control Risk
- We can decide which risks are acceptable and take actions to
Mitigate or Avoid those risks. If our project risk assessment
determines that some risks are excessive, we may want to consider
restructuring the project to within acceptable levels of risk.
- Deliverables which have uncertainty to be completed successfully
can be considered as risk. For example: after finishing the Project
planning you still feel that the scope might change then it is a
Risk. Or even if scope is not well defined then it is a Risk. Known
technical difficulty or complexity will increase project risk.
Ambitious goals always result in risk. Unfamiliarity with the
process, or inexperienced personnel, constitutes project risks.
Exterior interfaces cause risks because they can change and,
even if they don't change, their descriptions or specifications
may be inaccurate. Exterior organizational dependencies create
project risks. Incomplete planning or optimistic cost or schedule
goals create risk. If the customer is involved in schedule
dependencies for document review and approval or for delivering
process information, this creates project risks.
- Any area over which the project manager does not have control
can be a project risk. Anything that is not well understood,
anything that is not well documented, and anything that can
change: these all create project risks. Things that haven't been
tested are always at risk.
- A three-step approach is very important for all your projects:
1. Identify all project risks through Risk Identification Sessions.
2. Analyze each risk:
   - Probability of occurrence
   - Impact if it occurs
3. Prepare your responses to the identified and analyzed risks.
- Remember that you need not evaluate all identified risks, nor take
action on every risk you have planned a response for. For example, you
identified an airplane hitting your building as a project risk
because your office is next to an airport. The probability of occurrence
is 0.0001. For this kind of risk you need not find a response
strategy or implement a solution.
Very Important Concepts:
1. Difference between Issue and Risk;
- Issue; a point or matter in question or in dispute, or a matter that
is not settled and under discussion or over which there are
opposing views or disagreements.
- Risk; an uncertain event or condition that, if it occurs, has a
positive or negative effect on a project's objectives.
- Simply, we can say that a Risk is something that could happen in
the future, while an Issue is a risk that has become a reality.
2. Difference between Threats and Opportunities;
- Risks are not necessarily Negative and they can be simply Positive.
- Threats; are simply the Negative risks, while Opportunities are the
Positive risks.
3. Difference between Contingency and Workaround;
- Contingency; a provision in the project management plan to
mitigate cost risk and/or schedule risk. It is simply an allowance
to deal with a problem, you decide today what your contingency
will be if a risk occurs, this can be budget or schedule oriented.
- Workaround; it is a response to a negative risk that has occurred
and that response was not planned in advance of the occurrence of
the risk event.
- Generally, when contingency is taken into consideration, this refers
to a proactive PM who is following risk management processes to
enhance project success.
4. Risk Attitudes (Human Factors)
- There are four types of risk attitudes which are;
I. Risk Averse Person; such a person is always
uncomfortable with uncertainty. Such a person prefers
a more certain outcome and demands a premium to accept
projects of high risk.
II. Risk Neutral Person; such a person always embraces
risks for future payoffs; he looks at risks as an
opportunity or a way to gain additional payoffs.
III. Risk Seeker Person; always looks at risks as a
challenge.
IV. Risk Tolerant Person; such a person doesn't worry
too much about risks. If a risk actually occurs, he
acts all surprised.
5. Utility Theory Basics
- An appropriate method for describing risk tolerance based on the
various stakeholders' tolerances for risk. This method is depicted using
three structures where the x-axis denotes the money at stake and the
y-axis denotes utility, or the amount of satisfaction the person obtains
from the payoff.
- For Risk Averse stakeholder; such person usually requires a
premium utility to accept a high risk.
- For Risk Neutral stakeholder; such person is more
concerned about the expected return on his investment, not on
the risk he may be taking on.
[Figure: utility (U) plotted against risk payoffs ($)]
- For Risk Seeker stakeholder; he prefers uncertain outcomes
and is willing to take the risk; the more money is at stake,
the greater the utility he gets out of it.
Example:
- If there is a chance of 50% to gain $100 and another chance of
100% to gain $50, the risk averse person will accept the 2nd choice,
while the risk seeker person will prefer the 1st choice and finally,
the risk neutral person has no preference between them.
Notes:
- A person can be both risk averse and risk seeking at different
times.
- Risk attitudes of individuals in a company shape the risk attitude
of the company.
- On an individual level, it is important to know the risk attitudes
of the stakeholders to be able to deal with them properly
when talking about Risk list.
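The 50% / 100% example above can be worked through with explicit utility curves. This is an added example, not part of the original notes: the three curves (square root, linear, square), the $0 outcome for the losing half of the first choice, and all function names are assumptions chosen for illustration.

```python
import math

# Utility curves are illustrative assumptions: any concave / linear / convex
# function gives the same ordering. Each entry is (u, inverse of u).
UTILITY = {
    "risk averse": (math.sqrt, lambda u: u ** 2),   # concave curve
    "risk neutral": (lambda x: x, lambda u: u),     # straight line
    "risk seeker": (lambda x: x ** 2, math.sqrt),   # convex curve
}

# The two choices from the notes as (probability, payoff in $) pairs.
# The $0 outcome of the first choice is an assumption; the notes only
# name the possible gain.
FIRST_CHOICE = [(0.5, 100.0), (0.5, 0.0)]
SECOND_CHOICE = [(1.0, 50.0)]


def _check(lottery):
    """Reject lotteries whose probabilities do not sum to 1."""
    if not math.isclose(sum(p for p, _ in lottery), 1.0):
        raise ValueError("probabilities must sum to 1")


def expected_value(lottery):
    """Expected monetary value: sum of probability * payoff."""
    _check(lottery)
    return sum(p * x for p, x in lottery)


def expected_utility(lottery, attitude):
    """Expected satisfaction (y-axis) for a stakeholder with this attitude."""
    _check(lottery)
    u, _ = UTILITY[attitude]
    return sum(p * u(x) for p, x in lottery)


def certainty_equivalent(lottery, attitude):
    """Guaranteed amount the stakeholder values the same as the gamble."""
    _, u_inverse = UTILITY[attitude]
    return u_inverse(expected_utility(lottery, attitude))


def risk_premium(lottery, attitude):
    """Expected value minus certainty equivalent.

    Positive: the stakeholder demands a premium to accept the risk.
    Negative: the stakeholder would give up expected value to take it.
    """
    return expected_value(lottery) - certainty_equivalent(lottery, attitude)


def preferred(first, second, attitude):
    """Return 'first', 'second' or 'indifferent' by expected utility."""
    a = expected_utility(first, attitude)
    b = expected_utility(second, attitude)
    if math.isclose(a, b):
        return "indifferent"
    return "first" if a > b else "second"


if __name__ == "__main__":
    for attitude in UTILITY:
        print(
            f"{attitude:12s} prefers: {preferred(FIRST_CHOICE, SECOND_CHOICE, attitude):11s}"
            f" premium on the gamble: ${risk_premium(FIRST_CHOICE, attitude):.2f}"
        )
```

Both choices have the same expected value of $50; only the shape of the utility curve separates the three stakeholders.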
6. Project risk management is an iterative process
- The PM has to monitor the risks constantly, watch out for triggers
and then respond to any risk that has already happened and turned into
an issue.
- During the life of the project, factors that define and affect risks
will change; you may have scope changes, environment
changes, or even changes in the project team, etc.
- Changes open up possible new risks and require a new round of
planning, and that is why the Risk Management Process is an
iterative process.
7. Prioritizing risks is done through two steps
- Qualitative Prioritization
1. Prioritize risks according to their potential effect, i.e.
probability and impact, on the project.
2. Assign each risk a quality like high (H), Medium (M), or low
(L).
3. Focus on risks with high priorities to shorten the risks list
- Quantitative Prioritization
1. Numerically defines probability of each risk, from the
short risk list that comes from qualitative prioritization and
its consequences on the project objective.
2. Calculate risk rating = probability * Impact [ex; 70% * 2000$]
3. Narrow down the risks list to the most important ones.
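The two prioritization steps above, plus the multiplication rule for events in sequence mentioned in the notes that follow, can be run over a small risk register. This is an added example, not part of the original notes: the register entries, the 3x3 scoring matrix with its thresholds, and all names are constructed assumptions; only the 70% * $2000 figures and the 0.0001 airplane probability come from the page.

```python
from math import prod
from typing import NamedTuple

LEVELS = {"L": 1, "M": 2, "H": 3}


class Risk(NamedTuple):
    name: str
    prob_level: str     # qualitative probability: L / M / H
    impact_level: str   # qualitative impact: L / M / H
    probability: float  # quantitative probability, 0..1
    impact: float       # monetary impact in $


# Constructed sample register (hypothetical values).
REGISTER = [
    Risk("Key supplier delivers late", "H", "H", 0.70, 2000.0),
    Risk("Scope changes after planning", "M", "H", 0.40, 5000.0),
    Risk("Inexperienced personnel", "H", "L", 0.80, 300.0),
    Risk("Airplane hits the building", "L", "H", 0.0001, 1_000_000.0),
]


def qualitative_priority(risk):
    """Step 1: combine probability and impact levels into H / M / L.

    Assumed matrix: score = probability level * impact level (1..9),
    with 6 or more rated H and 3 or more rated M.
    """
    score = LEVELS[risk.prob_level] * LEVELS[risk.impact_level]
    if score >= 6:
        return "H"
    if score >= 3:
        return "M"
    return "L"


def shortlist(register):
    """Keep only high-priority risks to shorten the risk list."""
    return [r for r in register if qualitative_priority(r) == "H"]


def risk_rating(risk):
    """Step 2: risk rating = probability * impact."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"probability out of range for {risk.name!r}")
    return risk.probability * risk.impact


def prioritize(register):
    """Rank the shortlisted risks by rating, most important first."""
    return sorted(shortlist(register), key=risk_rating, reverse=True)


def sequence_probability(probabilities):
    """Probability that all events in a sequence occur (product rule)."""
    return prod(probabilities)


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name:30s} rating ${risk_rating(r):,.0f}")
    print("Both shortlisted risks occur:",
          sequence_probability(r.probability for r in shortlist(REGISTER)))
```

The airplane risk has a high impact level but drops out at the qualitative step, which matches the earlier point that not every identified risk needs a response.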
Important notes regarding the Project Risk Management;
- Young dynamic startup companies are usually risk seekers,
while established companies are usually risk averse.
- Risk Management Plan components are very important for the
PMP Exam.
- Identifying Risks is an Iterative Process
- The Check List tool in the Identify Risks process is not a check
list of expected risks, but a check list that helps to identify
risks based on the RBS.
- Risk types are Business Risks & Pure Risks.
- Tools like Sensitivity Analysis (e.g. Tornado Diagram & What-If
scenarios), Expected Monetary Value (EMV) and Decision Tree
are important tools regarding Quantitative Risk Analysis.
- Probabilities of events occurring in sequence must be multiplied
to calculate the cumulative probability of all the events
occurring together.
- Transfer Risk = Deflection of Risk.
- Mitigation Strategy results in Contingent Response Strategy.
- The main goal of Reserve Analysis as a tool in Monitor &
Control Risks is to determine any Potential Risk.
- Project Risk Management is considered to be an item in
every Status Meeting.
- In case of occurrence of a surprising, unexpected risk, a
Workaround is the only suitable response, and it is always taken
directly, even before issuing the change request needed.
Risk Management: The process involved with identifying, analyzing, and
responding to risk. It includes maximizing the results of positive risks and
minimizing the consequences of negative events.
Risk management is a project management tool for handling events that might
adversely impact the project, thereby increasing the likelihood of success.
A sound process like this removes the uncertainty and empowers the project
manager to complete their project within schedule and within budget.
The benefit of good risk management is the ability to take advantage of
opportunities that will aid the project while at the same time reducing the
number of issues that may arise within the project. Projects can benefit
greatly when the project team identifies opportunities and plans strategically to
exploit them. The reduction of threats means a reduction in chaos within the
project, which leads to a reduction of negative impacts with resources, cost,
schedule, and other aspects of the project. A project manager that has the
ability to provide good risk management is a real benefit to the project and will
help create an environment in which both the project and the project team can
be successful.
Why Risk Management?
Maximizing the Likelihood of Meeting Time & Budget Goals
Building confidence and credibility in projects plans and
[Link] pro-activity and early planning
Developing targeted mitigation strategies for all anticipated threats
Better allocation of risks and identification of project delivery methods
Ensuring transparency, integrity, and accountability throughout the life-cycle
of the project
When to Use Risk Management?
Early planning and budgeting
Evaluation of project delivery alternatives
Financial Planning Support
Establishing Risk Allocation between parties
Preparation of project contract documents
Throughout Project Delivery Lifecycle
Risk Management Objectives:
to increase the probability and impact of positive events, and decrease the
probability and impact of negative events in the project.*
Make better decisions
Allocate risks to those who can best control them
Increase agency credibility
Foster good relationships with project stakeholders
Risk Management Outcomes:
Validation of Project Cost and Schedule
Managed Risk Response Plan- Identification of high cost and schedule
risk drivers
Managed District Contingency Box- Reduced Contingency as project
evolves
Understand and Communicate Cash Flow- Requirements and Financial
Plans
Project risk is an uncertain event or condition that, if it occurs, has a
positive or a negative effect on a project objective.
A risk is a potential problem: it might happen and it might not.
Conceptual definition of risk
Risk concerns future happenings
Risk involves change in mind, opinion, actions, places, etc.
Risk involves choice and the uncertainty that choice entails
Two characteristics of risk
Uncertainty: the risk may or may not happen, that is, there are
no 100% risks (those, instead, are called constraints)
Loss: the risk becomes a reality and unwanted consequences or
losses occur
A risk has a cause and, if it occurs, a consequence. Risk identification is an
iterative process (just like the core process). The objective is to decrease the
probability and impact of negative events and vice versa.
Goals of Risk Assessment:
Risks have been thoroughly examined and included in project plans,
resulting in risk reduction. Information about possible risks is available
throughout the project, resulting in a better decision-making process
Project objectives might be affected by certain risks, allowing the
objectives to be improved
Many of the project weaknesses have been identified in advance and are
incorporated into the project plan.
Decrease the number of changes made to the project plan during project
execution, resulting in higher chances of project success
Benefits of Risk Assessment:
Protects project investments
Proactive management early warning
Achieve project objectives
Risk Level of Occurrence:
High Risk: Substantial impact on cost, technical performance, or schedule.
Substantial action required to alleviate issue. High-priority management
attention is required.
Medium Risk: Some impact on cost, technical performance, or schedule.
Special action may be required to alleviate issue. Additional management
attention may be needed.
Low Risk: Minimal impact on cost, technical performance, or schedule. Normal
management oversight is sufficient.
1. Risk Tolerance: The amount of acceptable risk
2. Risk Averse: Someone that does not want to take risks
3. Risk Factors
Probability of occurrence
Range of possible outcomes (impact or amount at stake)
Expected timing of event
Anticipated frequency of risk events from that source
Risk Categorization Approach #1
Project risks
They threaten the project plan
If they become real, it is likely that the project schedule will slip
and that costs will increase
Technical risks
They threaten the quality and timeliness of the software to be
produced
If they become real, implementation may become difficult or
impossible
Business risks
They threaten the viability of the software to be built
If they become real, they jeopardize the project or the product
Sub-categories of Business risks
Market risk: building an excellent product or system that no one
really wants
Strategic risk: building a product that no longer fits into the
overall business strategy for the company
Sales risk: building a product that the sales force doesn't
understand how to sell
Management risk: losing the support of senior management
due to a change in focus or a change in people
Budget risk: losing budgetary or personnel commitment
Risk Categorization Approach #2
Known risks
Those risks that can be uncovered after careful evaluation of the
project plan, the business and technical environment in which the
project is being developed, and other reliable information sources
(e.g., unrealistic delivery date)
Predictable risks
Those risks that are extrapolated from past project experience
(e.g., past turnover)
Unpredictable risks
Those risks that can and do occur, but are extremely difficult to
identify in advance
Reactive vs. Proactive Risk Strategies:
Reactive risk strategies
"Don't worry, I'll think of something"
The majority of software teams and managers rely on this
approach
Nothing is done about risks until something goes wrong
The team then flies into action in an attempt to correct the
problem rapidly (fire fighting)
Crisis management is the choice of management techniques
Proactive risk strategies
Steps for risk management are followed
Primary objective is to avoid risk and to have a contingency plan in
place to handle unavoidable risks in a controlled and effective
manner
Why Do We Manage Risk?
Project problems can be reduced as much as 90% by using risk analysis
Positives:
More info available during planning
Improved probability of success/optimum project
Negatives:
Belief that all risks are accounted for
Project cut due to risk level
Perception of the risk:
The perception of risk as a threat is the system most often used in order
to identify it. In this context, managing the risk signifies installing control
systems that will minimize both the likelihood that adverse events will
occur as well as the severity of such events (the financial loss that would
be involved for the entrepreneur). It is a focus of a defensive nature; its
aim is to allocate resources in order to reduce the likelihood of sustaining
adverse impacts.
From the perception of risk as an opportunity, risk management signifies
using techniques that will maximize the results, limiting the possible
damages or costs. The focus is aggressive in nature.
Risk management from the perspective of risk as uncertainty is aimed at
minimizing the deviation between the results that an entrepreneur
wishes to obtain and those that he or she actually does obtain.
Risk is an uncertainty that matters; it can affect project objectives negatively or
positively.
RISK can be defined as the threat or probability that an action or event,
will adversely or beneficially affect an organization's ability to achieve its
objectives*.
In simple terms risk is Uncertainty of Outcome, either from pursuing a
future positive opportunity, or an existing negative threat in trying to
achieve a current objective.
Thus, a risk is characterized by its probability of occurrence and its uncertain
impact on project objectives.
Throughout the project life cycle, a future event that may occur at any
time in a project's lifecycle is a risk. It has a probability of occurrence and
an uncertain impact if it does occur.
During Planning and Design, uncertainty in the total cost estimate, due
to uncertain quantities and unit prices is a risk. In this case the
probability is 100% (the estimate and its uncertainties exist), and the
uncertainties impact the project cost.
Risk and issue are two words that are often confused when it comes to their
usage. Actually there is some difference between them.
A risk is an uncertain event that has a probability associated with it. An issue
does not have this attribute. Issues are problems right now that the project
team has to do something about.
Think of risk management as a proactive activity, while issue management is
reactive.
Issue: If not fixed today, the task stops. An issue is already impacting the
cost, time or quality.
Risk: If not identified, it may become an issue later. A risk is a POTENTIAL
negative impact to the project.
Risks during the Project/idea Initiation phase:
Unavailable subject matter experts
Poor definition of problem or project
No feasibility study
No or unclear objectives
Risks during the Project Planning phase:
No risk management plan
Spotty planning
Underdeveloped requirements and specifications
Unclear statement of work
No management or stakeholder support
Poor role definition
Inexperienced team
Lack of skills
Risks during the Project Execution phase
Changes in schedule
No control systems in place
Unskilled labour
Material availability or poor quality material
Unreliable suppliers
Unexpected price increase (not budgeted for)
Strikes
Weather
Regulatory requirements
Risks during the Project Close-out / termination phase:
Unacceptable to customer
Poor quality product/project
Budget problems
Penalties to be paid for exceeding the time parameter of the project
Use the five tips below to help deliver projects on time, on budget, and with the
highest quality results.
Tip 1: End the "Walk on by" Culture and Involve the Entire Project
Team
Risk management must be a part of your project embraced by all team
members. Rather than teams looking blindly to the project manager and
assuming he is managing all risk for the project, the entire team must be
involved. In my experience, the organizations that are the most
successful at project risk management have both a top-down and a
bottom-up approach: risk management is mandated and supported from
senior management, and each team member is empowered to speak up
and take action. Employees who identify risks early are recognized and
rewarded.
Tip 2: Identify Risks Early, Even in the Bid Phase
Before the project even begins, your team should be already working to
identify risks. Begin by gathering all project members (and other
employees and partners who have worked on related projects) into
workshops and brainstorm a list of potential risks and opportunities.
Consult the project plan, old project plans, online resources, and outside
experts to make sure your list of probable risks is as complete as
possible.
Tip 3: Communicate, Communicate, Communicate
To ensure risks are continuously identified and communicated
appropriately, add project risks and opportunity discussions as a
standing topic to the team's regular meetings. The benefits of open
communication trickle up, as the project manager will have better
information to report to the project sponsor or principal, ensuring that
the customer doesn't have unexpected surprises. Open communication
also allows for the identification of interrelated risks: risks that appear
small on their own, but may act as a catalyst for larger problems.
Tip 4: Analyze and Prioritize, then Reprioritize
As risks are identified during a project, teams must decide how to
prioritize them. Overall, risks should be measured by the impact they
could have on the project goals, and start with those that could cause
the biggest losses and gains, and those with the highest probability of
occurrence. Once you have a set of risk criteria, use it to assess all risks
as they are identified during a project.
Risks may be rescored and reprioritized as they pass up the project
hierarchy and organization, based on the different priorities at each
level. What may be seen as a less important risk by a single project
might be viewed as more important at the program or organizational
level. Here a wider picture becomes clear across multiple projects and
strategic priorities, rather than operational needs, apply. For example, a
lack of skills seen in multiple projects may be best addressed by a
company-wide training program.
Tip 5: Plan and Implement Risk Responses
Once your risks are identified, analyzed, and prioritized, the risk
response is the activity that adds value to your project. The right
response can prevent a risk from occurring or minimize its negative
effects. Responses include risk avoidance, risk minimization, risk transfer
and risk acceptance.
By implementing risk management into a project early, and ensuring
risks are openly communicated throughout the project, teams can be
more successful in delivering on time and on budget, by avoiding
unexpected risks and sticking to the project timeline. And last of all,
share what worked and what didn't throughout the business, so that
future bids and projects have a library of best practices to call on.
How Do We Manage Risk?
Use the six risk management processes
Plan Risk Management
Identify Risks
Perform Qualitative Risk Analysis
Perform Quantitative Risk Analysis
Plan Risk Responses
Monitor and Control Risks
Risk Management process
Risk Management is a five step process:
Step 1 Establish the context
Step 2 Identify the risks
Step 3 Analyse the risks
Step 4 Evaluate the risks
Step 5 Treat the risks
Throughout each step it is essential that there is consultation and communication with
everyone in your organisation's functions, activities and events (refer to diagram).
1. Risk Management Planning: deciding on how to approach, plan
and execute risk management activities for a project.
2. Risk Identification: determining which risks can affect the project
and documenting their characteristics. What risks might negatively
(threats) or positively (opportunities) affect achieving the project
objectives? (Risk identification)
3. Qualitative Risk Analysis: prioritizing risks for subsequent further
analysis or action by assessing and combining their probability of
occurrence and impact. Which of these are most important?
(Qualitative risk analysis)
4. Quantitative Risk Analysis: numerically analyzing the effect on
overall project objectives of identified risks. How could these affect the
overall outcome of the project in probabilistic terms of cost and
schedule? (Quantitative risk analysis)
5. Risk Response Planning: developing options and actions to
enhance opportunities and reduce threats to project objectives. What can be
done about it? (Risk response)
6. Risk Monitoring and Control: tracking identified risks, monitoring
residual risks, identifying new risks, executing risk response plans and
evaluating their effectiveness through the project life cycle. Having
taken action, how did the responses effect change, and where is the
project now? (Risk monitoring). Who needs to know about this?
(Communication)
Residual Risks: Risks that are expected to remain after planned responses
have been taken, as well as those that have been deliberately accepted.
Secondary Risks: Risks that arise as a direct outcome of implementing a risk
response.
Recommended Corrective Actions: For Risk Monitor and Control, these include
contingency plans and workaround plans.
Workaround: Unplanned response to negative risk events (requires to be
impacted by the risk first). Workaround plans are not initially planned but are
required to deal with emerging risks that were previously unidentified or
accepted.
Contingency Plan: Planned action steps to be taken if an identified residual
risk occurs (e.g. developing alternative activity sequences). It is for the risks
which are accepted.
Contingency Reserve: Calculated based on the quantitative analysis of the
project and organization risk thresholds.
Fall Back Plan: A plan executed when the contingency plan is not effective.
Risk database: A repository that provides for collection, maintenance, and
analysis of data gathered and used in the risk management processes.
Types of Risk
Business: Normal risks that offer gain and loss.
Pure / Insurable: Only loss: property damage, indirect consequential loss,
legal liability, personnel. For risk we can outsource, we have contract. For
pure risks, we obtain insurance.
Statistical Independence: Occurrence of one event is not related to
occurrence of the other.
Data Precision Ranking: Purpose is to test the value of data (input to
Qualitative Analysis).
Path Convergence: Tendency of parallel paths of equal duration to delay the
completion of the milestone where they meet. It is characterized by a
schedule activity with more than one predecessor activity.
Uncertainty: An uncommon state of nature, characterized by the absence of
any information related to a desired outcome.
Expected Monetary Value: = Probability * Monetary Impact (used in Decision
Tree Analysis).
Risk Event: A discrete occurrence that may affect the project for better or
worse. After a risk event, the project manager's role is to reassess the risk
ranking. The risk owner is responsible to take action when an identified risk
occurs.
Risk Trigger: A symptom of risk; indirect manifestation of actual risk event;
output of risk identification; example is poor morale.
Risk Portfolio: Risk data assembled for the management of the project.
Utility Theory: Technique that characterizes an individual's willingness to
take risk.
Sensitivity Analysis: Places a value on the impact to the project plan by
adjusting a single project variable; simplest form of analysis.
Risk Auditor: Role is to investigate the effectiveness of the risk owner
(which can cause potential conflict with risk owner).
Numbers to Know
Cost Estimates:
Order of Magnitude (ballpark estimate): -25% to +75%
Budget: -10% to +25%
Definitive: -5% to +10%
1 sigma 68.3%
2 sigma 95.5%
3 sigma 99.7%
6 sigma 99.99%