8. project risk management

By: Mohamed Salah ElDien Mohamed Aly, MSc, PMP®, DIT, MCAD

8. Project Risk Management As per PMBOK - "The whole point of undertaking a project is to achieve or establish something

new, to venture, to take chances, to risk. Risk may have positive effects or negative effects on

the project “Schedule” and/or “Cost”. Positive risks are Opportunities and negative risks are

losses or threats; remember both risks are uncertain “percentage of occurrence less than 80%”.

Risk Management purpose is to manage (Plan and implement) these uncertainties.

Following are processes defined in Risk Management Knowledge Area:

5 Process Groups

Initiation Planning Execution M & C Closing

Processes

8.1. Plan Risk Management. 8.2. Identify Risks. 8.3. Perform Qualitative Risk Analysis 8.4. Perform Quantitative Risk Analysis 8.5. Plan Risk Response

8.6. Monitor and Control Risk

- We can decide which risks are acceptable and take actions to “Mitigate” or “Avoid”

those risks. If our project risk assessment determines that some risks are excessive,

we may want to consider restructuring the project to within acceptable levels of risk.

- Deliverables which have uncertainty to be completed successfully can be considered

as risk. For example: after finishing the Project planning you still feel that the scope

might change then it is a Risk. Or even if scope is not well defined then it is a Risk.

Known technical difficulty or complexity will increase project risk. Ambitious goals

always result in risk. Unfamiliarity with the process, or inexperienced personnel,

constitutes project risks. Exterior interfaces cause risks because they can change

and, even if they don’t change, their descriptions or specifications may be

inaccurate. Exterior organizational dependencies create project risks. Incomplete

planning or optimistic cost or schedule goals create risk. If the customer is involved

in schedule dependencies for document review and approval or for delivering

process information, this creates project risks.


- Any area over which the project manager does not have control can be project risks.

Anything that is not well understood, anything that is not well documented, and

anything that can change, these all create project risks. Things that haven’t been

tested are always at risk.

- Three steps approach is very important for all your Projects;

Identify all Project Risks through “Risk Identification Sessions”

Analyze that Risk

a. qualitatively – Probability of occurrence

b. quantitatively – Impact if it occurs

Prepare your responses to those identified and analyzed Risks.

- Remember you need not evaluate all identified risks or you need not to take actions

on all responded risks either. For example, you identified airplane hitting in to your

building as a project Risk because your office is next to Airport. Probability of

occurrence is .0001. For such kind of risk you need not to find a Response strategy or

need not implement a solution.

8.1 Plan Risk Management - It is the process of defining how to conduct risk management activities on your

project.

Inputs Tools Outputs

- Enterprise Environmental Factors

- Organizational Process Assets

- Project Scope Statement - Project Management Plan

- Planning Meetings and Analysis

- Risk Management Plan

Important Contents of “Risk Management Plan”

Methodology: Describes the approaches, tools, and data sources to be used

when doing risk management.

Roles and responsibilities: Defines the team of people responsible for managing

the identified risks and responses and outlines their roles. People outside of the

project team may be named, to keep the risk analysis unbiased.

Budgeting: Defines the budget for risk management for the project. This is

included in the cost baseline.


Timing: Defines when and how often the risk management process will be

performed. This process should begin early in the project life cycle and be

revisited throughout project execution.

Risk categories: A good way of providing the structure necessary to identify risks

consistently is to outline the categories of risks in a RBS (Risk Breakdown

Structure.

Definitions of risk probability and impact: Outlines the scales that will be used

during qualitative risk analysis to assess the probability and impact of the risks

that have been identified for a particular project. Scales could be qualitative,

from "very low" to "very high," or quantitative, like a scale from 1 to 5.

Probability and impact matrix: The combination of each risk's probability and

impact will lead to an overall risk rating, which allows the risks to be prioritized.

Revised stakeholder tolerances: Stakeholder tolerances will be defined and

revised as necessary as they pertain to the specific project.

Reporting formats: This component defines the risk register and other risk

reports. Outlines how they will be created and distributed.

Tracking: This component defines how risk will be recorded for the benefit of

this project and future projects, as well as if and how the risk processes will be

audited.

8.2 Identify Risks - It is the process of determining each risk that may affect the project and then

analyze and document those risks.


- Activity Cost Estimates - Activity Duration Estimates - Risk Management Plan - Scope Baseline - Stakeholder Register - Enterprise Environmental

Factors - Organizational Process

Assets - Project Management Plan

- Expert Judgment - Documentation Reviews - Information Gathering

Techniques - Checklist Analysis - Assumptions Analysis - Diagramming Techniques - SWOT analysis

- Risk Register


8.3 Perform Qualitative Risk Analysis - This is the process of prioritizing risks by working out their probability as well as

impact. The result here will be qualitative like “this risk is high, medium, or low impact risk.”


- Organizational Process Assets - Project Scope Statement - Risk Management Plan - Risk Register

- Risk Probability and Impact Assessment

- Probability and Impact Matrix

- Risk Data Quality Assessment

- Risk Categorization - Risk Urgency Assessment

- Risk Register (updates)

8.4 Perform Quantitative Risk Analysis - That is the process of numerically analyzing the effect of these identified risks on the

overall project objectives.


- Risk Register - Risk Management Plan - Cost Management Plan - Schedule Management Plan - Organizational Process

Assets

- Expert Judgment - Data Gathering and

Representation Techniques

- Quantitative Risk Analysis and Modeling Techniques

- Risk Register (updates)

8.5 Plan Risk Response - It is the process of developing actions or defines how to respond to enhance positive

risks and/or to reduce negative risks.


- Risk Management Plan - Risk Register

- Expert Judgment - Strategies for Negative

Risks - Strategies for Positive

Risks - Contingent Response

Strategy

- Risk Related Contract Decisions

- Risk Register (updates) - Project Management Plan

(updates) - Project Document updates


8.6 Risk Monitoring and Control - It is the process of implementing all those risks plans, tracking the identified risks,

insuring risk management effectiveness through the project life, and monitoring and

identifying new / residual risks.

Very Important Concepts: 1. Difference between “Issue” and “Risk”;

- Issue; a point or matter in question or in dispute, or a matter that is not settled and

under discussion or over which there are opposing views or disagreements.

- Risk; an uncertain event or condition that if it occurs, has a positive or negative

effect on a project’s objectives.

- Simply, we can say that a “Risk is something that could happen in the future”, while

an “Issue is that risk has became a reality”.

2. Difference between “Threats” and “Opportunities”;

- Risks are not necessarily “Negative” and they can be simply “Positive”.

- Threats; are simply the “Negative” risks, while Opportunities are the “Positive” risks.

3. Difference between “Contingency” and “Workaround”;

- Contingency; a provision in the project management plan to mitigate cost risk

and/or schedule risk. It is simply “an allowance to deal with a problem”, you decide

today “what your contingency will be if a risk occurs”, this can be budget or schedule

oriented.

- Workaround; it is a response to a negative risk that has occurred and that response

was not planned in advance of the occurrence of the risk event.

- Generally, when contingency is taken into consideration, this refers to a proactive

PM who is following risk management processes to enhance project success.


- Project Management Plan (Risk Management Plan)

- Risk Register - Work Performance

Information - Performance Reports

- Risk Reassessment - Risk Audits - Variance and Trend

Analysis - Technical Performance

Information - Reserve Analysis - Status Meetings

- Risk Register (updates) - Change Requests - Organizational Process

Assets (updates) - Project Management Plan

(updates) - Project Document (Updates)


4. Risk Attitudes (Human Factors)

- There are four types of risk attitudes which are;

I. Risk Averse Person; such person always uncomfortable with

uncertainty. Such person prefers a more certain outcome and

demands a premium to accept projects of high risk.

II. Risk Neutral Person; such person always embraces risks for future

payoffs; he looks to risks as opportunity or way to gain additional

payoffs.

III. Risk Seeker Person; always looks at risks as challenge.

IV. Risk Tolerant Person; such person doesn’t worry too much about

risks. If a risk actually occurs, he acts all surprised.

5. Utility Theory Basics

- An appropriate method for describing risk tolerance based on the various

stakeholders' tolerances for risk. This method is depicted using three structures

where the x-axis denotes the money at stake and the y-axis denotes utility, or

the amount of satisfaction the person obtains from the payoff.

- For “Risk Averse” stakeholder; such person usually requires a premium utility to

accept a high risk.

U

Risk payoffs $

- For “Risk Neutral” stakeholder; such person is more concerned about the

expected return on his investment, not on thr risk he maybe taking on.

U

$


- For “Risk Seeker” stakeholder; he prefers uncertain outcomes and is willing to

take the risk; the more the money is that stake, the greater the utility he gets out

of it.

U

$

Example:

- If there is a chance of 50% to gain 100$ and another chance of 100% to gain 50$, risk

averse person will accept the 2nd choice, while the risk seeker person will prefer the

1st choice and finally, the risk neutral person has no preferences between them

Notes:

- A person can be both risk averse and risk seeking at different times.

- Risk attitudes of individuals in a company shape the risk attitude of the company.

- On an individual level, it is important to know the risk attitudes of the

stakeholders to be able to deal with them properly when talking about “Risk

list”.

6. Project risk management is an iterative process

- PM has to monitor the risks constantly, watches out for triggers and then,

responds to any risk that already happens and turns to an issue.

- During the life of the project, factors that define and affect risks will change; you

may have scope changes, environment changes, or even changes in the project

team...etc.

- Changes open up possible new risks and required new round of planning and

that is why “Risk Management Process is an Iterative process”.


7. Prioritizing risks is done through two steps

- “Qualitative Prioritization”

1. Prioritize risks according to their potential effect, i.e. probability and impact, on the project.

2. Assign each risk a quality like high (H), Medium (M), or low (L).

3. Focus on risks with high priorities to shorten the risks list

- “Quantitative Prioritization”

1. Numerically defines probability of each risk, from the short risk list that comes from qualitative prioritization and its consequences on the project objective.

2. Calculate risk rating = probability * Impact [ex; 70% * 2000$]

3. Narrow down the risks list to the most important ones.

Important notes regarding the “Project Risk Management”;

- Young dynamic startup companies are usually risk seekers, while established companies are usually risk averse.

- “Risk Management Plan” components are very important for the PMP Exam.

- “Identifying Risks” is an “Iterative Process”

- The “Check List” tool in “Identify Risk” process is not a chick list with expected risks, but a check list that helps to identify risks based on the RBS.

- Risks types are “Business Risks” & “Pure Risks”

- Tools like Sensitivity Analysis – ex. Tornado Diagram & What-If scenarios -, Expected Monetary Value (EMV) and Decision Tree are important tools regarding “Quantitative Risk Analysis”.

- Probability of events occurring in sequence must be multiplied to calculate the accumulative probability of occurring of all the events together.

- Transfer Risk = Deflection of Risk.

- Mitigation Strategy results in Contingent Response Strategy.

- The main goal of “Reserve Analysis” as a tool in “Monitor & Control Risks” is to determine any “Potential Risk”

- “Project Risk management” is considered to be an item in every “Status Meeting”.

- In case of occurrence of surprising unexpected risk, “Workaround” is only suitable response which always taken directly even before issuing the change request needed.