Project Risk Management

Includes identifying, analyzing, and responding to risk areas; maximizing results of positive events and minimizing consequences of adverse events
  • Risk Identification – which are likely to affect the project
  • Risk Quantification – evaluation of risk to assess the range of possible outcomes
    • Sometimes treated as single process; risk analysis/assessment
  • Risk Response Development – defining enhancement steps for opportunities and response
    • Sometimes called response planning/mitigation
  • Risk Response Control – responding to changes in risk over course of project 
    • May be combined as risk management
Risk Identification
  • Determining which risks are likely to affect the project and documenting them
  • Performed on a regular basis; address internal and external risks
    • Internal –project team has control/influence over
    • External – beyond project team’s control
  • Identify cause and effect and effects and causes; what could happen vs. what outcomes should be avoided
Inputs to Risk Identification
  • Product Description – more risk associated with unproven technologies (innovation/invention).  Often described in terms of cost and schedule impact
  • Other Planning Reports
    •  WBS (any non-traditional approaches)
    • Cost/Duration Estimates – aggressive schedules; limited amount of information
    • Staffing Plan – hard to replace/source skill sets
    • Procurement Management Plan – market conditions
  • Historical Information – previous projects
    • Project Files
    • Commercial Databases
    • Project Team Knowledge – member experiences
Tools & Techniques for Risk Identification
  • Checklists – organized by source of risk, included project context, process outputs, product and technology issues, internal sources
  • Flowcharting – understand cause and effect relationships
  • Interviewing – conversations with stakeholders
Outputs from Risk Identification
  • Sources of Risk – categories of possible risk events, all-inclusive
    • Changes in requirements
    • Design errors, omissions, misunderstanding
    • Poorly defined roles and responsibilities
    • Insufficiently skilled staff
      • Include estimate of probability, range of possible outcomes, expected timing, anticipated frequency
  • Potential Risk Events – discrete occurrences that may affect project
    • Identified when probability/magnitude of loss is high (e.g. turnover)
      • New technologies obsolete need of product
      • Socio, Political and Economic events
      • Include estimate of probability, range of possible outcomes, expected timing, anticipated frequency
  • Risk Symptoms – triggers that are indirect manifestations of actual risk events (e.g. poor morale)
  • Inputs to other processes – identify need in another area; constraints and assumptions
Risk Quantification
  • Evaluation of possible project outcomes and determining which events warrant response
    • Opportunities and threats can provide unanticipated results (e.g. schedule delay considers a new strategy)
    • Multiple effects from a single event
    • Singular Stakeholder opportunities may force suffering in other areas
    • Reliance on statistics and forecasting (mathematical errors)
Inputs to Risk Quantification
  • Stakeholder risk tolerance
    • More capital to expend; perceptions of severity
  • Sources of Risk
  • Potential Risk Events
  • Cost Estimates
  • Activity Duration Estimates
Tools & Techniques for Risk Quantification
  • Expected Monetary Value – product of 2 numbers
    • Risk Event Probability – estimate that event will occur
    • Risk Event Value – estimate of gain or loss
  • Statistical Sums – calculate range of total costs from cost estimates for individual work items
  • Simulation – representation or model; provide statistical distribution of calculated results.
    • Monte Carlo, Critical Path, PERT techniques
  • Decision Trees – depicts key interactions among decisions and possible outcomes
  • Expert Judgment 
Outputs from Risk Quantification
  • Opportunities to pursue; threats to respond
  • Opportunities to ignore; threats to accept
Risk Response Development
  • Defining enhancement steps for opportunities and responses to threats
    • Avoidance – eliminating threat by eliminating the cause
    • Mitigation – reducing expected monetary value of event by reducing the probability of occurrence
    • Acceptance – accept the consequences (active -  contingency plan - or passive response)
Inputs to Risk Response Development
  • Opportunities to pursue, threats to respond
  • Opportunities to ignore, threats to accept

Tools & Techniques for Risk Response Development
  • Procurement – acquire resources (exchange 1 risk for another)
  • Contingency Planning – defining action steps should a risk event occur
  • Alternative Strategies – change planned approach
  • Insurance 
Outputs from Risk Response Development
  • Risk Management Plan – document procedures to manage risk events.  Addresses risk identification and quantification processes, personnel responsible for managing areas of risk, maintenance of identification and quantification process, implementation of contingency plans and allocation of reserve
  • Inputs to other processes – alternative strategies, contingency plans, anticipated procurements
  • Contingency Plans 
  • Reserves – provision in project plan to mitigate costs and schedule risks.  Used with a  modifier (management, schedule, budget) to provide further detail when type of reserve can be used
  • Contractual Agreements – insurance, services and other functions to avoid and mitigate threats.
Risk Response Control
  • Involves executing the risk management plan in order to respond to risk events during the project
    • Control and iteration are required; not all risks can be identified
Inputs to Risk Response Control
  • Risk Management Plan
  • Actual Risk Events – recognize occurrence
  • Additional Risk Identification – surfacing of potential or actual risk sources
Tools & Techniques for Risk Response Control
  • Workarounds – unplanned responses to negative risk events (response was not defined in advance)
  • Additional Risk Response Development – planned response may not be adequate
Outputs from Risk Response Control
  • Corrective Action – performing the planned risk response
  • Updates to Risk Management Plan
Tips from Review Guide
  • Definition of risk: a discrete occurrence that may affect the project for good or bad
  • Definition of uncertainty: an uncommon state of nature, characterized by the absence of any information related to a desired outcome
  • Definition of risk management: The processed involved with identifying, analyzing, and responding to risk. Maximize results of positive events; minimizing consequences of negative events
Tips from Review Guide
  • Inputs to Risk Management:
    • All project background information
    • Historical records
    • Past Lessons Learned
    • Project Charter
    • Scope Statement
    • Scope of work
    • WBS
    • Network Diagram
    • Cost and Time estimates
    • Staffing Plan
Tips from Review Guide
  • Risk Management Process
    • Risk Identification – majority during Planning; onset of project to close of project
      • 2 Types
        • Business: Risk of a gain or loss
        • Pure (insurable): only a risk of loss
      • Sources:
        • External: Regulatory, environmental, government
        • Internal: Schedule, cost, scope change, inexperience, planning, people, staffing, materials, equipment
        • Technical: Changes in  technology
        • Unforeseeable: small (only about 10%)
    • Risk Factors – determine:
      • Probability that it will occur (what)
      • Range of possible outcomes (impact, amount at stake)
      • Expected Timing (when)
      • Anticipated frequency (how often)
    • Symptoms – early warning signs determined by PM
    • Risk Tolerances – amount of risk that is acceptable
    • Common Stumbling Blocks
      • Risk identification is completed without knowing enough about the project
      • Project Risk evaluated only by questionnaire, interview or Monte Carlo; does not provided a per task analysis  of risk
      • Risk identification ends too soon
      • Project Risk identification and Evaluation are combined – results in risks that are evaluated when they appear; decreased total number of risks and stops identification process
      • Risks are identified too generally
      • Categories of risks are forgotten (technology, culture)
      • Only 1 identification method is used
      • First risk response strategy is used without other consideration
      • Risks are not devoted enough attention during the Execution phase
    • Risk Quantification – assess risks to determine range of possible outcomes; which risk events warrant a response
      • Probability
      • Amount at stake (impact)
      • Develop a ranking (priority) of risks
        • Qualitative – take an educated guess
        • Quantitative – estimation by calculation
    • Risk Assessment = Risk Identification + Risk Quantification
    • Monte Carlo simulation – simulates cost and schedule results of project
      • Indicates risk of a project and each task by providing a percent probability that each task will be on the critical path
      • Accounts for path convergence (where tasks in a Network diagram converge into 1 task – more risk)
    • Expected Monetary Value – multiply probability by impact
      • Helps define and prove what the project reserve should be
    • Decision Trees
      • Takes into account future events when making a decision today
      • Makes use of expected value calculations and mutual exclusivity
      • Be able to draw one; boxes are decisions, circles are what can happen as a result of the decision 
    • Outputs from Risk Quantification
      • Determination of top risks
      • Opportunities to pursue
      • Opportunities to ignore
      • Threats to respond to 
      • Threats to ignore
    • Risk Response Development (what will be done, how to make risk smaller or eliminate)
      • Not all risks can be eliminated
      • Alternative Strategies (risk mitigation)
        • Avoidance – eliminate the cause
        • Mitigation – effect the probability or impact of risk
        • Acceptance – do nothing
        • Deflection (transfer, allocate) – make another party responsible, insurance, outsourcing
    • Outputs from Risk Response Development
      • Insurance – exchange an unknown risk for a known risk (response to pure risks)
      • Contracting – hire experience to perform work
      • Contingency Planning – specific actions to take if risk event occurs
      • Reserves (contingency) – recommended total of 10% to account for known and unknown risks
    • Risk Management Plan – documents risks identified and how they are addressed; non-critical risks should be recorded to revisit during the execution phase
    • Risk Mitigation – does not involve ID of risks (they are already known)
    • Self Insurance – can lead to failure to ensure funds for low probability events and confuse business risks with pure risks
    • Risk mitigation – can purchase insurance
    • Schedule Risk – critical path adjusted by High Risk activity float
    • Sensitivity Analysis – estimate the effect of change of one project variable on overall project
    • Standard Deviation of project completion – relationship of uncertainty of critical path activities; indicator of project end target confidence
          Subscribe to: Posts (Atom)