2. In the context of projects, risk is an uncertain event or condition that, if it
occurs, has a positive or negative effect on project objectives.
For example, a cause may be a flu virus or change in scope requirements.
The event is that team members get stricken with the flu or the product
has to be redesigned. If either of these uncertain events occurs, it will
impact the cost, schedule, and quality of the project.
Risk management attempts to recognize and manage potential and
unforeseen trouble spots that may occur when the project is implemented.
Risk management identifies as many risk events as possible.
3. Risk Management Process
Figure 7.1 presents a graphic model of the risk management challenge. The chances
of a risk event occurring (e.g., an error in time estimates, cost estimates, or design
technology) are greatest during the early stages of a project.
FIGURE 7.1
Risk Event Graph
4. Risk management is a proactive approach rather than reactive. It is a
preventive process designed to ensure that surprises are reduced and that
negative consequences associated with undesirable events are minimized.
It also prepares the project manager to take action when a time, cost, and/or
technical advantage is possible.
Successful management of project risk gives the project manager better
control over the future and can significantly improve chances of reaching
project objectives on time, within budget, and meeting required technical
(functional) performance.
The sources of project risks are unlimited.
There are external sources, such as inflation, market acceptance, exchange rates,
and government regulations. In practice, these risk events are often referred to
as “threats” to differentiate them from those that are not within the project
manager’s or team’s responsibility area.
6. Step 1: Risk Identification
The risk management process begins by trying to generate a list of all the possible risks
that could affect the project.
1. Organizations use risk breakdown structures (RBSs) in conjunction with
work breakdown structures (WBSs) to help management teams identify and
eventually analyze risks.
7. Step 1: Risk Identification
2. A risk profile is another useful tool. A risk profile is a list of questions that
address traditional areas of uncertainty on a project. These questions have been
developed and refined from previous, similar projects.
8. Step 2: Risk Assessment
Step 1 produces a list of potential risks. Not all of these risks deserve attention. Managers
have to develop methods for sifting through the list of risks, eliminating inconsequential or
redundant ones and stratifying worthy ones in terms of importance and need for
attention.
Scenario analysis is the easiest and most commonly used technique for analyzing risks.
Team members assess the significance of each risk event in terms of:
Probability of the event.
Impact of the event.
priorities, different kinds of impact scales are used. Some scales may simply use rank-
order descriptors, such as “low,” “moderate,” “high,” and “very high,” whereas others use
numeric weights (e.g., 1–10).
9. Probability Analysis:
There are many statistical techniques available to the project manager that can
assist in assessing project risk.
Decision trees have been used to assess alternative courses of action using
expected values.
Statistical variations of net present value (NPV) have been used to assess cash flow
risks in projects.
Correlations between past projects’ cash flow and S-curves (cumulative project
cost curve—baseline—over the life of the project) have been used to assess cash
flow risks.
PERT (program evaluation and review technique) and PERT simulation can be used
to review activity and project risk.
10. Figure 7.5 provides an example of how impact scales could be defined given the
project objectives of cost, time, scope, and quality.
11. The risk matrix presented in Figure 7.7 consists of a 5 × 5 array of elements with
each element representing a different set of impact and likelihood values.
The risk severity matrix provides a basis for prioritizing which risks to address.
Red zone risks receive first priority followed by yellow zone risks. Green zone risks
are typically considered inconsequential and ignored unless their status changes.
12. Step 3: Risk Response Development
(Develop a strategy to reduce possible damage)
When a risk event is identified and assessed, a decision must be made concerning which
response is appropriate for the specific event. Responses to risk can be classified as
mitigating, avoiding, transferring, or retaining.
Mitigating Risk:
Reducing risk is usually the first alternative considered. There are basically two
strategies for mitigating risk:
Reduce the likelihood that the event will occur.
Examples of reducing the probability of risks occurring are scheduling outdoor work
during the summer months, investing in up-front safety training, and choosing
high-quality materials and equipment.
13. Avoiding Risk
Risk avoidance is changing the project plan to eliminate the risk or condition.
Although it is impossible to eliminate all risk events, some specific risks may be
avoided before you launch the project. For example, adopting proven
technology instead of experimental technology can eliminate technical failure.
Transferring Risk
Passing risk to another party almost always results in paying a premium for this
exemption. Fixed price contracts are the classic example of transferring risk
from an owner to a contractor.
Another more obvious way to transfer risk is insurance.
Accept Risk
In some cases a conscious decision is made to accept the risk of an event occurring.
Some risks are so large it is not feasible to consider transferring or reducing the event
(e.g., an earthquake or flood).
14. (Develop contingency plans)
A contingency plan is an alternative plan that will be used if a possible foreseen risk event
becomes a reality.
The contingency plan represents actions that will reduce or mitigate the negative impact
of the risk event.
Like all plans, the contingency plan answers the questions of what, where, when, and
how much action will take place.
The absence of a contingency plan, when a risk event occurs, can cause a manager to
delay or postpone the decision to implement a remedy.
The availability of a contingency plan can significantly increase the chances for project
success.
Conditions for activating the implementation of the contingency plan should be decided
and clearly documented.
The plan should include a cost estimate and identify the source of funding.
All parties affected should agree to the contingency plan and have authority to make
commitments. Because implementation of a contingency plan embodies disruption in the
sequence of work.
Contingency Planning:
15. Some of the most common methods for handling risk are discussed here:
Technical Risks:
Technical risks are problematic; they can often be the kind that cause the project to be
shut down. What if the system or process does not work? Contingency or backup plans
are made for those possibilities that are foreseen.
Technology offers many methods for early testing and validation, ranging from 3-D
printing and holographic imagery for model building to focus groups and early design
usability testing for market testing.
Schedule Risks
Often organizations will defer the threat of a project coming in late until it
surfaces. Here contingency funds are set aside to expedite or “crash” the
project to get it back on track. Crashing, or reducing project duration, is
accomplished by shortening (compressing) one or more activities on the critical
path. This comes with additional costs and risk.
For example, schedules can be altered by working activities in parallel.
16. Cost Risks:
Projects of long duration need some contingency for price changes.
Funding Risks
Seasoned project managers recognize that a complete risk assessment must include
an evaluation of funding supply.
17. An opportunity is an event that can have a positive impact on project objectives.
The project management profession has identified four different types of response to an
opportunity:
Exploit.
This tactic seeks to eliminate the uncertainty associated with an opportunity to ensure
that it definitely happens. Example: a component to be purchased rather than developed
internally.
Share.
This strategy involves allocating some or all of the ownership of an opportunity to
another party who is best able to capture the opportunity for the benefit of the
project.
Examples include establishing continuous improvement incentives for external
contractors or joint ventures.
Opportunity Management / Positive Risk
18. Enhance.
This tactic seeks to eliminate the uncertainty associated with an opportunity to ensure
that it definitely happens.
Accept.
Accepting an opportunity is being willing to take advantage of it if it occurs, but not
taking action to pursue it.
19. Contingency funds are established to cover project risks—identified and unknown.
When, where, and how much money will be spent is not known until the risk
event occurs.
In practice, the contingency reserve fund is typically divided into budget and
management reserve funds for control purposes.
Budget reserves are set up to cover identified risks; these reserves are those allocated
to specific segments or deliverables of the project.
Management reserves are set up to cover unidentified risks and are allocated to
risks associated with the total project.
The risks are separated because their use requires approval from different
levels of project authority.
Budget Reserve
These reserves are identified for specific work packages or segments of a project found in
the baseline budget or work breakdown structure. Thus, budget reserves decrease as the
project progresses.
Contingency Funding and Time Buffers
20. Management Reserves
These reserve funds are needed to cover major unforeseen risks and, hence, are applied
to the total project. These reserves are independent of budget reserves and are
controlled by the project manager and the “owner” of the project.
Time Buffers
Just as contingency funds are established to absorb unplanned costs, managers use time
buffers to cushion against potential delays in the project.
21. Step 4: Risk Response Control
Typically the results of the first three steps of the risk management process are
summarized in a formal document often called the risk register.
A risk register details all identified risks, including descriptions, category,
probability of occurring, impact, responses, contingency plans, owners, and
current status.
Risk control involves executing the risk response strategy, monitoring triggering
events, initiating contingency plans, and watching for new risks.
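An added example (not part of the original slides): a minimal risk register whose rows carry the fields listed above and are ranked with a 5 × 5 severity matrix like the one described for Figure 7.7. The likelihood × impact score, the zone cut-offs and the sample rows are assumptions, since the figure itself is not reproduced here.

```python
from dataclasses import dataclass

# Assumed cut-offs on likelihood x impact (each 1-5). Figure 7.7 is not
# reproduced on the page, so these zone boundaries are illustrative only.
RED_MIN, YELLOW_MIN = 15, 6
ZONE_RANK = {"red": 0, "yellow": 1, "green": 2}

@dataclass
class Risk:
    """One risk register row, with the fields the page lists for a register."""
    description: str
    category: str
    likelihood: int      # 1 = very unlikely .. 5 = very likely
    impact: int          # 1 = negligible .. 5 = severe
    response: str        # mitigate, avoid, transfer or retain
    contingency: str
    owner: str
    status: str = "open"

    def __post_init__(self):
        # Reject scores that fall outside the 5 x 5 matrix.
        for field in ("likelihood", "impact"):
            if not 1 <= getattr(self, field) <= 5:
                raise ValueError(f"{field} must be on the 1-5 scale")

    @property
    def severity(self) -> int:
        # Assumed scoring rule: product of the two scale values.
        return self.likelihood * self.impact

    @property
    def zone(self) -> str:
        if self.severity >= RED_MIN:
            return "red"
        return "yellow" if self.severity >= YELLOW_MIN else "green"

def prioritize(register):
    """Return (action list, watch list): red first, then yellow; green is only watched."""
    active = [r for r in register if r.status != "closed"]
    ranked = sorted(active, key=lambda r: (ZONE_RANK[r.zone], -r.severity))
    return ([r for r in ranked if r.zone != "green"],
            [r for r in ranked if r.zone == "green"])

# Constructed sample register; scores and owners are invented for illustration.
SAMPLE_REGISTER = [
    Risk("Team members stricken with flu", "resource", 3, 2, "retain", "cross-train backups", "PM"),
    Risk("Scope change forces product redesign", "scope", 4, 4, "mitigate", "phased design freeze", "Lead engineer"),
    Risk("Price changes on long-duration work", "cost", 2, 2, "transfer", "fixed price contract", "Procurement"),
    Risk("Experimental technology fails", "technical", 3, 5, "avoid", "adopt proven technology", "Architect"),
]
```

Re-running `prioritize` after a status or score change moves a risk between the action list and the watch list, which is the monitoring loop that risk control calls for.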
22. A major element of the risk control process is change management. Every detail of a
project plan will not materialize as expected.
Change management systems involve reporting, controlling, and recording changes to the
project baseline. (Note: Some organizations consider change control systems part of
configuration management.)
In practice most change management systems are designed to accomplish the following:
1. Identify proposed changes.
2. List expected effects of proposed change(s) on schedule and budget.
3. Review, evaluate, and approve or disapprove changes formally.
4. Negotiate and resolve conflicts of change, conditions, and cost.
5. Communicate changes to parties affected.
6. Assign responsibility for implementing change.
7. Adjust master schedule and budget.
8. Track all changes that are to be implemented.
Change Control Management