1. TM
Frederic L. Casagrande, PMP®

2.  Introduction
 Risk Management Governance
 Risk Management Culture
 Key elements of a Risk Register
 Risk Assessment Approaches

3. The Speaker
What is a Risk?

4.  2009 – Vice-Chair (PMI® PMO Specific Interest Group)
 2011 – Vice-President (PMI® PMO Community of Practice)
 2011 & 2012 – Program Chair (PMI® PMO Symposium)
 2013 – Judge (PMI® PMO of the Year® Award)
 2007 – Director of PMO (Interoute)
 2008 – Head of PMO (Universal Studios)
 2009 – PMO Director (AMER Group)
 2011 – Head of PMO (Emiraje Systems)
 2014 – Program Governance & Controls (ENEC)

5. An uncertain event or condition that, if
it occurs, has a positive or negative
effect on a project’s objectives
Practice Standard for Project Risk Management
PMI (2009)

6. An
Dr. David Hillson “The Risk Doctor” (2007)

7. Governance Key Objectives
Constitutive Elements

8.  Governance defines actions, grants power and verifies
performance. In Risk Management, it has several key Objectives:
◦ Define Project Specific Risk Scorecard
◦ Determine Project Risk Categories (and eventually sub-categories)
◦ Prepare the Risk Register Structure (aligned to the Project WBS)
◦ Ensure a Known Estimate at Completion (EAC) is given for the Project
◦ Define the Risk Appetite and the level of Project Risk Management effort
◦ Break down the Risk Impact into further categories – at minimum –
Financial Impact, Schedule Impact and Performance Impact (but additional
impact categories may be added, should they be required for Enterprise
Risk Management purposes, e.g. Reputation or Health & Safety)

9.  Governance can be established through a series of linked
documents that flow-down the requirements:
◦ A Policy Framework (e.g. a Project Specific Risk Management Policy,
and/or an Enterprise Risk Management Policy)
◦ An Enterprise Risk Management Guideline (that defines company-
wide mechanisms for dealing with risks)
◦ A Project Risk Management Plan (based on a project specific
customization of the Enterprise Guideline, if available)
◦ A Risk Management Process and its relevant Process Assets (forms,
templates, risk register, etc)

10.  Keep it simple
◦ A single Policy is enough
◦ Two pages is enough
 Define a clear purpose
◦ “To enforce Risk Management best practices”
 Define a scope of application
◦ Project Specific; Portfolio Related or All Company Operations
 Define Roles & Responsibilities
 Empower the Risk Manager
 SIGN-OFF BY CEO

11.  A more elaborated document, describing the Risk
Management Process in greater detail
 If the Risk Management Policy is established for a single
project, this might be combined with the Risk Management
Plan
 Otherwise, provides general rules that are not project
specific:
◦ How to operate within the Risk Management Process
◦ How to use the Risk Management Process Assets
◦ How to communicate Risks at various stakeholders level

12. Level Very Low Low Medium High Very High
Probability 1 to 20% 21 to 40% 41 to 60% 61 to 80% 81 to 99%
Financial Impact
Insignificant cost
increase
x < 0.25%
(of contract value)
Minor cost
increase
0.25% <= x < 0.5%
(of contract value)
Moderate cost
increase
0.5% <= x < 1%
(of contract value)
Critical cost
increase
1% <= x < 2%
(of contract value)
Catastrophic cost
increase
x >= 2%
(of contract value)
Schedule Impact
Insignificant time
increase to the
most critical
milestone or very
low time impact
Time increase to
the most critical
milestone(s) or
minor schedule
delays
Time increase to
the most critical
milestone(s) or
moderate
schedule delays
Time increase to
the most critical
milestone(s) or
critical schedule
delays
Time increase to
the most critical
milestone(s) or
catastrophic
schedule delay
Performance
Impact
Very minor scope
decrease, quality
degradation
barely noticeable
Only very
demanding
scenarios or minor
areas of scope
affected
Quality reduction
requires customer
approval, major
areas of scope
affected
Scope/Quality
reduction
unacceptable to
customer
Final project
deliverable is
useless

13.  In a multi-project environment, each project will have a
specific Risk Management Plan, flowing down from the ERM
Guideline if it exists, and from the Policy Framework. It is
the Reference Document
 It provides Project Specific metrics & KPI’s, and project
specific scorecards that have been approved and signed off
by the Project Manager and Senior Management
 It does not have to be a separate document and can be an
integrated section of the Project Management Plan

14.  Their number and forms can vary from one organization to
another, but it is recommended that they include at
minimum the following four Process Assets:
◦ Risk Identification Form
◦ Contingency Release Form
◦ Risk Register Template
◦ Risk Reporting Template

15. Critical Success Factors
Shoot the Messenger

16. Risk
Management
Success
Integrate with
Project
Management
Recognize the
Value of Risk
Management
Individual
Commitment &
Responsibility
Open & Honest
Communication
Organizational
Commitment
Scale Risk Effort
to Project
Risk
Management
Success
Integrate with
Project
Management
Recognize the
Value of Risk
Management
Individual
Commitment &
Responsibility
Open & Honest
Communication
Organizational
Commitment
Scale Risk Effort
to Project

17. “If I don’t speak out and this risk realizes, I will be in trouble, but…
If I speak out, they will shoot the messenger!”
 Raising a Project Risk is always a dilemma for a team
member!
 Employees need to feel that they can raise their hands to
identify new risks without fear of adverse consequences on
their jobs!
 For Risk Management to succeed, you need to enable a
culture where the Messenger is no longer Shot…

18.  This needs a massive mentality change at all levels of the
organization
 Switching to a Risk Culture is no different to any
transformation initiative. You will need to:
◦ Understand your Stakeholders and their Risk Appetite
◦ Commit the Highest Level of the organization to the Risk Culture
◦ Start small and address the low hanging fruits
 Raising a Risk is not a sign of weakness!
 Acknowledging a Proposed Risk is not a sign of failing!

19.  First proposed during the Project Risk Forum (Prague, CZ,
2008), the concept is to work with various stakeholders
risk profiles
 At the crossroads of Risk Management and Stakeholders
Management
 Enables you to map on a matrix the risk appetite of your
stakeholders groups to build specific “behaviors”
(Communications, Trainings or Awareness Sessions, Hand-
holding, etc.)
 This is essential in multicultural environments!

20. Objectives of the Risk Register
Structure of the Risk Register

21.  The Risk Register is a tool that serves several purposes:
◦ Collecting all identified risks, regardless of their source or status
◦ Providing the organization with a clear and complete snapshot of
the overall risk exposure of a project/portfolio/company
 Depending on the platform used (MS-Excel, Integrated Risk
Management Software, ERP), the features will change (e.g.
variance tracking, history graphs, etc.), but those two key
elements have to be present
 You can start with a very simple MS-Excel spreadsheet

22.  Risk Information
◦ Risk ID Unique Risk Identifier (can include “R” or
“O” to identify opportunities)
◦ Risk Description “There is a Risk that…” (describes impact as well)
◦ Raised Date When has the Risk been identified (form)
◦ Risk Status Proposed, Open/Rejected, Closed/Realized
◦ Risk Owner Accountable for the specific risk
◦ Risk Category Derived from the Risk Management Plan
◦ WBS Highest element impacted by the Risk
◦ Severity Low/Medium/High (Calculated, based on
Scorecard)

23.  Impact Information
◦ Un-weighted Exposure Estimated by SME
◦ Probability Estimated by SME
◦ Weighted Exposure Calculated
◦ Financial Impact Low/Medium/High (Calculated)
◦ Schedule Impact Low/Medium/High (Estimated by SME)
◦ Performance Impact Low/Medium/High (Estimated by SME)

24.  Response Information
◦ Strategy Accept/Reduce/Transfer/Avoid
◦ Response Owner Can be different from Risk Owner
◦ Response Description Explains what needs to be done
◦ Response Cost To be compared with the Weighted Risk

25.  When choosing a platform, bare in mind that the
information contained in the Risk Register must be easy to
filter and compile:
◦ To provide an accurate subset based on specific criteria (Top Risks,
Risks pertaining to a domain of work, a department, a specific
product, or a WBS element)
◦ To provide a unique, demonstrable and undisputed value of the
overall risk exposure for the organization (or the project). This will
give you your requirement for Contingency, and ultimately your
“Risk Index” (the ratio between the exposure level and the available
contingency)

26. The Best Approach
Top-Down
Bottom-Up

27.  There is constant argument as to which is the best
approach to risk assessment: Top-Down or Bottom-Up?
 The key there is to identify as many real risks as possible
 How to best enable this? By capturing as many risks as
possible (real ones, duplicates, wrong ones, fake ones, etc.).
Consider the Risk Management process as a funnel. You
need an enormous amount of risks at the entrance to end
with an accurate depiction of your risk portfolio
 For this, you will perform both a Top-Down and a Bottom-
Up Risk Assessment! And you will do so continuously!

28.  The Top-Down Approach is inherited from the audit
industry. This is where the most senior members of the
team identify the key risks that have an overall impact on
the project or the program
 In most of the cases, those “meta-risks” are already
identified at the bid phase, although they might evolve
over time

29.  The Bottom-Up Approach assigns risk impact based on the
Work Breakdown Structure of the project
 It typically involves a larger portion of the project team
(ideally … everyone)
 The goal of this exercise is to identify ALL possible risks,
even if it implies to identify the same risk at several levels
 The Risk Manager will “de-duplicate” risks with the
individuals who raised risks deemed identical