Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Project Risk ManagementMarco Sampietro1. Professor at SDA Bocconi School of Management.marco.sampietro@sdabocconi.itMauriz...
the course to follow; risk management tries to eliminate the turbulence that mighttake us off-route.       I do not unders...
4. Planning a response to risks, by defining which measures shall be taken in order      to reduce the project overall ris...
As to the first point, if the company has already devised some guidelines pertaining torisk management in more general ter...
I do not understand, do you want to drive me crazy?! In the project that we managed 6 months ago, we rated risk probabilit...
Such macro-areas are linked to the identification methodologies. In fact, there aremethodologies that only cover part of t...
“path” that has been chosen in order to deal with the project and, as such, it can beuseful as starting point for risk ide...
up, this checklist is the same as the one we had for our latest project...). Lastly, the factof resorting to a check list ...
o costs,       o quality,       o other important performance dimensions.Usually, such information cannot exclusively be p...
responsibility will prove to be all successful, they will think that I am the best, because Ihave successfully managed als...
recurring and, consequently, understanding if a risk will only take place once orwhether it will erupt on a regular base, ...
Usually people resort to a matrix-based description formula, in order to have animmediate and easy reading of data.An easy...
At this point, either we opt for a pre-defined number of risks, or we can decide tofocus on all the ones exceeding a given...
5.2 Risk Quantitative AnalysisThe qualitative analysis focused on the assignment of probability and impactvalues/scores to...
Lastly, risk, is an individual perception of a situation, by which a set of variabilities,uncertainty and decision consequ...
The steps needed in order to “quantify” uncertainty and variability in a project aregoing to be briefly touched upon in th...
When we have to introduce variability and uncertainty in the duration of a projectactivity, we will feel more comfortable ...
Normale(20;2)                                                                 Normale(35;3)                      Normale(2...
BetaPERT(1;35;40)              BetaPERT(5;10;35)                                         BetaPERT(0;20;45) 0      5       ...
Uniform DistributionThis distribution, which is also called Rectangular Distribution due to the shape of thedensity functi...
In figure 13 specific information is proposed as an example for structuring a riskquantitative analysis for project schedu...
model itself: project timing and costs. The technique that, thanks to the developmentof hardware and software tools and to...
Indici statistici                    Percentile     Valore                       Iterazioni             10000             ...
25,0%                          20,0%                          15,0%            Probabilità                          10,0% ...
6 The Phase Dedicated to Planning a Risk ResponseFrom quantitative and qualitative analyses some useful pieces of informat...
can offer his/her idea, the team can review and improve it. This being said, whenacting on risks is needed, allocating res...
BibliographyGreenfield M.A., Risk as a Resource, Langley Research Center, 1998Greenfield M.A., Risk Management Tools, Lang...
Upcoming SlideShare
Loading in …5
×

Project risk management

2,161 views

Published on

Introductory paper related to project risk management and written by Professor Marco Sampietro and Professor Maurizio Poli . The paper explains the main project risk management phases (process planning, identification, analysis, response, monitoring&control) and presents both the qualitative and the quantitative approach.

Published in: Business, Economy & Finance
  • Be the first to comment

Project risk management

  1. 1. Project Risk ManagementMarco Sampietro1. Professor at SDA Bocconi School of Management.marco.sampietro@sdabocconi.itMaurizio Poli. Professor at SDA Bocconi School of Management.maurizio.poli@sdabocconi.it1 Why Managing Project RiskProjects are implemented by organizations in order to seize new opportunities that,according to their Management, may be appreciated by the market or can contributeto a better internal efficiency in the organization. Projects are characterized byinnovation. Innovation can be implemented in multiple ways: it could mean following adifferent pathway that has never been considered before, or it could mean followingthe direction taken by other companies, by also treasure and use at best theexperience and the mistakes made by others, or it could also mean applyingimprovements to well-known products or services, and so on and so forth. In any case,innovation implies a certain degree of uncertainty – namely, the fact that there is not athorough knowledge of events that might happen in the future. In general terms, thehigher the degree of innovation is, the higher the uncertainty level will be. Anuncertain situation can produce positive as well as negative effects. In the first case,we are dealing with opportunities which, if properly identified and managed, can bringsome benefits to the project; in the second case, we are faced with risks which, if notproperly identified and managed, can impact the project in negative terms, by makingit more expensive, or with a project that goes beyond the expected and plannedduration or with one that is poorer in qualitative terms with respect to expectations.Consequently, the fact of non-managing the risk (and opportunities) meansoverlooking the innovative feature of projects – more specifically, it means missing acrucial point that characterizes a project vis-à-vis ordinary operations or recurringactivities within an organization. More specifically, even if we do not want to take intoconsideration risk management as a discipline, project management can be viewed asa tool to decrease the level of uncertainty and, consequently, a tool to decrease risk inprojects. By identifying and clarifying objectives, allocating resources with well definedcompetences, clarifying responsibilities, fixing some assessment phases in the projectand so on and so forth, we tend to decrease the uncertainty level in the project.Where is the difference? By planning, we opt for a pathway (one of the multipleoptions available) that will take us to the achievement of pre-set targets. This beingsaid, such path will not be free of obstacles: via the implementation of riskmanagement we will try to understand and manage problems and opportunitiesderived from the implementation of a specific path / plan. The planning activity tells us1 Paragraphs from 1 to 5.1 and 6, 7, 8 are by Marco Sampietro. Paragraph 5.2 is by Maurizio Poli. 1
  2. 2. the course to follow; risk management tries to eliminate the turbulence that mighttake us off-route. I do not understand: we have devised a perfect plan, we have identified costs right down to the last penny just as we have calculated duration also taking minutes into account, and still we have problems. We are exceeding our budget! Maybe, I have to drill-down information to get to an even more detailed picture! We are late/out by 3% on what was originally planned, that’s not bad, especially if we think that our usual supplier has gone bankrupt and did not deliver our goods. Luckily, I sensed that there was something wrong, and I started to look for another supplier that could replace the original one. Chi ha gestito il rischio ?2 The risk management processThe risk management process is a proactive and systematic approach, which aims atkeeping the project under control as well as at decreasing its uncertainty level.Managing risks means minimizing the consequences of adverse events, but alsomaximizing the effects of positive events (risks and opportunities). In this document,we will focus on the area that has to do with managing adverse events.Let’s start by reviewing the typical features of a risk management process. Thedefinition “systematic” means following a well-defined risk-management process. Thedefinition “proactive” means bein able to identify and manage risks before they brakeout. This consideration needs to be reviewed more in detail. Proactivity does not meanbeing able to see into the future; conversely, it means a timely identification, byresorting to the most appropriate tools, of the highest number of risks that mightimpact a project. It also means that, once identified, some remedial measures willneed to be taken. Just identifying risks and not managing them (managing does notonly mean eradicating them, as we will see later on in this paper) is pointless. The onlyvalue that such a behaviour might have is that, once they actually erupt, we canrecognize them, at least if we were aware about their features (poor consolation!).A good risk management process is set out in five macro phases (fig. 1): 1. Planning the risk management process, by defining the actual execution activities linked to the management process, people involved in the process as well as procedures to be implemented; 2. Risk identification, with specific assessment of project–specific risks, by making the different information sources taking part in the assessment; 3. Risk analysis, by quantitatively and/or qualitatively reviewing and assessing the risks identified in the previous phase and also deciding which risks need a specific attention and focus; 2
  3. 3. 4. Planning a response to risks, by defining which measures shall be taken in order to reduce the project overall risk; 5. Risk monitoring and control, by implementing the risk response plan as soon as they occur or bypass a given threshold.In this chapter, focus will mainly be on phases 2 and 3.The risk management process shall not be viewed as an isolated type of activity.Conversely, risk management shall take place on a regular base – more specifically, it isonly by making the project develop that new risks can come to light (or some alreadyexisting ones can be fixed) and new useful information can be used for analysis andnew planning. RM Process Planning Risk Identification Risk Analysis Risk Response Monitoring & ControlFigure 1. The risk management process3 Planning a Risk Management ProcessAs to this phase, the main target is to provide guidelines for risk managementactivities, by setting a structured approach for actually managing the risk.In order to develop this phase, the following points shall be taken into consideration:  any existing policies and procedures pertaining to risks in general terms,  the implemented approach shall be fine-tuned with the type of project – more specifically, with its dimensions, its impacts, with the project team experience as well as with respect to the importance of the project itself vis-à-vis the organization. 3
  4. 4. As to the first point, if the company has already devised some guidelines pertaining torisk management in more general terms, or to management of some specific risks, theproject risk plan shall also use and include them. It is a useful approach, because itprevents any duplications of efforts, and it allows for sending a quite consistentmessage to co-workers, who are already familiar with such procedures.As to the second point, it pertains to customization of the implemented approachbased on true needs and on the environment where it is used. In a mono-functional software development project, the project manager had decided to resort to a pre-defined list of risks devised by a famous University and to personally mark on that list the risks pertaining to the project. He had achieved a good result, as many mistakes had been avoided. That same person, one year later, was appointed as leader of a project focused on the optimization and streamlining of processes involving five organization functions. The project manager, based on his previous experience, decided to use the same check list. Unfortunately, he was not successful this time, as he was able to identify and manage the technology-related risks, but he totally underestimated or overlooked the organizational-related ones. Consequently, the project became highly conflicting and timing and costs went out of control.At this phase, the following issues shall be tackled:  selecting the information sources to be used for risk detection (historical data, check list, knowledge of people, etc.);  defining the risk identification techniques to be used (interviews, brainstorming, forms, etc.);  defining roles and responsibilities of people with respect to risk management (who is responsible for the management of a specific risk area, what are his/her powers);  Setting the time-frame for risk-maintenance purposes;  Defining how to allocate and interpret values linked to risks (probability, timing and impacts) (Which are the scales to be used: numerical, qualitative ones? Down to what detail?);  Setting the attention and action threshold to be used as a reference (within our organization, is it wise to focus on a risk with medium probability and impact scores?)  Defining the communication and reporting methods to be implemented.By focusing on the above listed points, we implement an official mechanism that canbe easily used and communicated; moreover, it makes project risk management moreeffective and stable over the time. The project risk plan can then be used in otherprojects, if properly customized. 4
  5. 5. I do not understand, do you want to drive me crazy?! In the project that we managed 6 months ago, we rated risk probability on a low, medium/low, medium, medium/high, high and extremely high scale. In the project that we had 3 months ago, we used the 0.2, 0.4, 0.5, 0.6, 0.8, 0.9 rating scale. Now we are rating risk probability by using the words unlikely, quite likely, likely, highly likely. Can’t we identify a standard rating scale that fits all the projects? You are incompetent: now we are late because of you! You have not managed risk by rating it as “medium”, and now we need to find alternative solutions! I am sorry, but in the previous project, risks rated as “medium” were not even taken into consideration!4 Risk Identification PhaseApart from drawing up the risk management plan, which sets the framework and theguidelines to be followed, the risk identification phase is of particular relevance, as itsets the foundations for truly managing risks (it is a bit like the WBS used for planningactivities). We can have some excellent methods for managing risks, but if we applythem to the wrong ones or if we are not able to identify the most important ones, theoutcome is a pure expression of style, which will produce poor benefits for theprojects. Consequently, the identification phase shall be a very thorough job.Identifying risks entails also the following:  understanding the causes generating them,  opting for the most appropriate methods supporting a thorough understanding of root-causes.As to the first bullet-point, risk factors are generated by the actual project features andby its interactions with the environment. By reasoning according to macro-areas, theremight be risks linked to the following:  the intrinsic characteristics of the project to be implemented (the main output);  project management – more specifically, the way events in the project are planned and controlled. This point includes technical and method-related issues as well as organizational issues;  the outside environment, by which the following is meant: o managing communication, contacts, interests and the level of involvement of all those who are impacted by the project (stakeholders); o managing constraints coming from entities that are beyond our control, like regulations, directives, etc. 5
  6. 6. Such macro-areas are linked to the identification methodologies. In fact, there aremethodologies that only cover part of them, and being aware of this is advisable so asto focus also on the overlooked areas.The methodologies and the identification tools covered by our paper are the following: 1. WBS 2. Networks 3. Assumption analysis 4. Check list 5. Interviews 6. Brain storming 7. Historical dataThe identified risks shall be proposed with a short description, in order to be clearwithout any possible misunderstanding. Such description, in order to be asunderstandable as possible, shall be organized into three sections: cause, risk, effect(figure 2).Just out of clarity: by cause, we mean the event triggering the risk; this being said,what we consider as being a cause might be viewed as an effect by others. Our abilityto drill down our analysis on causes depends on the available resources and on thedegree of control that we have on events. Cause Risk Effect As the supplier has The delivery of motors The project time-frame provisioning problems might be delayed might be extendedFigure 2. Example of risk descriptionThe cause “As the supplier has provisioning problems” could actually be determined byother events, like a financial crisis of upstream suppliers, which might be triggered byother causes and so on and so forth. Such other causes could also be unknown by us.Being able to trace back the real causes could only be useful, if people involved in theproject can take measures with respect to them. In the above illustrated example, thefact of knowing that the provisioning problem is caused by hindrances in getting therow material used in the manufacturing of motors does not add much to our analysis,as we do not have powers to find a way out.The various techniques that we are going to illustrate can jointly be used. Some ofthem provide some semi-finished results that can be used as such, others are asupport to further reasoning.WBS. WBS breaks down the objective into activities that can be planned, managed andassigned to a unique person. Consequently, WBS is a static representation of the 6
  7. 7. “path” that has been chosen in order to deal with the project and, as such, it can beuseful as starting point for risk identification. More specifically, risks will have animpact on the activities set in the WBS and, consequently, focus shall be given onthose activities. The major benefit that WBS has is that it allows the analysis to becarried out against the project-specific background; nevertheless, it also has someflaws:  it does not tell risks and causes, it only identifies the activities where risks might develop;  activities often show a granular structure that does not allow for the identification of truly operative guidelines;  activities “supporting” the project are often not included in the WBS – i.e.: project management activities or communication management ones – although they are a risk source too (and they should be included in a good WBS);  in WBS risks and effects connected to time scheduling do not appear, because the information on dependencies and resources allocation is not included.Networks. By reviewing the project network, in general, and the CPM diagram, inparticular, some risks can be detected:  activities with multiple input from different paths risk to become a risk-area, due to the needed synchronization, which is based on a massive coordination work;  the critical path may produce the risk of non-compliance with the timing;  the semi-critical paths can easily become risk sources with respect to timing non-compliance;  the quality of resources dedicated to activities identified in the critical and semi-critical paths shall carefully be evaluated, if we want to avoid a higher risk of timing non-compliance.Assumption analysis. Projects, meant as innovative activities, are not exclusively basedon certainties, they are rather based on hypotheses (assumptions). An assumptionanalysis, in terms of incompleteness and inaccuracy, can be a useful source for riskidentification. Examples are assumptions on price growth, assumptions on turnoveretc.Check list. These are risk precompiled lists that can be used in a quite simple way.Usually, checklists are summaries based on the experience of multiple projects. Manyare those publicly available and some of them focus on some specific areas. Checklistshave the advantage of speeding up identification of the most-recurring risks. Suchfeature makes them also dangerous, because people tend to exclusively focus on therisks included in such document, or to approach them with condescension (let’s speed 7
  8. 8. up, this checklist is the same as the one we had for our latest project...). Lastly, the factof resorting to a check list does not mean that risk identification is to be carried out byone single person.Interviews. Interviews are useful for identifying risks as well as for analysing them.They are used as an alternative to group identification (when such option is notfeasible), or in order to get the opinion of people who are not directly involved in theproject, but who are believed they could provide some useful insights. Interviews toexperts become particularly important – namely, asking the opinion of people who arethought to be able to provide a high added value, thanks to their experience.Brain storming. This technique is based on the distinction and separation of the idea-generation phase from the actual judgement. In a meeting dedicated to riskidentification, this means asking participants to list what are the negative events thatmight break out in the project. It is possible to follow incremental detail levels – morespecifically, starting from identification of project risks per area, the analysis can drilldown to individual activities.Historical information. Resorting to a project-risk database can be a valuable source ofideas, provided that risks are sorted according to some specific project characteristicsotherwise the result is a thicker and thicker checklist that gets more and more generic.5 Risk Analysis PhaseThe identification phase only produces a list of risks, which, unfortunately, is not usefulfor an operative management of the project. As a matter of fact, a long list of risks cancreate greater confusion, rather than producing remarkable benefits, as the attempt tomanage all of them would probably result in an actual duplication of work.Consequently, a further step forward is advisable: analyzing the risks to understandtheir characteristics is now necessary so as to focus the attention on the most relevantones. The type of attention that takes to risk management depends on each individualcompany and sometimes on each individual project.During the analysis phase, the following measures shall be linked to each individualrisk:  event probability to occur;  timing of the event that could potentially occur;  event frequency (i.e. if the risk is repetitive or not);  identification of the impacted activities;  identification of the impact on individual activities and on the project as a whole in terms of: o timing, 8
  9. 9. o costs, o quality, o other important performance dimensions.Usually, such information cannot exclusively be provided by the project manager:involving all the people who have a thorough knowledge of risks and of what theyentail, similarly to the identification phase, is necessary. In the previous example,pertaining to provisioning problems experienced by suppliers, the purchasedepartment could provide some useful indications.Risk analysis can be developed in quantitative as well as qualitative terms. A qualitativeanalysis is useful to understand the general characteristics of individual risks, it islikewise useful to plan adequate responses and to gain a better understanding of theoverall risk-level in the project. Conversely, a quantitative analysis can be useful to geta more in-depth reviewing of each individual risk (usually, the most important ones) aswell as to review how the project as a whole will develop different scenarios. Aquantitative analysis provides more comprehensive information about the projectdynamics; this being said, it is more expensive and requires the project manager tohave a higher degree of knowledge and preparation. Project characteristics dictatewhat is the best approach to be implemented. As an example, an order with heavypenalties in case of late delivery could push people involved in the project to opt for aquantitative approach; conversely, a non-critical internal project can cover risks byusing a qualitative approach. In any case, one approach does not exclude the other,and they can usefully be used in parallel.5.1 Qualitative Risk AnalysisA qualitative risk analysis is based on the assignment of general values/measures onvariables pertaining to risks; sometimes it can be based on subjective assumptions,especially when collecting other types of information is impossible or when collectingthat same information is too expensive with respect to the importance of the riskitself.Before carrying out an in-depth analysis of risks, in case we are faced with a highnumber of them, understanding accuracy of the collected information can be useful.As a matter of fact, project people could be facing a case in which many are the risksoriginally identified and, in reality, they are just speculations or the information risksare based on are totally unreliable. Knowing the quantity and the quality ofinformation that got to the identification of a certain type of risk is crucial, if we wantto understand these issues. This is quite a delicate type of task as, in such cases, thefollowing reasoning/behaviour might be developed: ”In order to show how good I am, Iwill identify a set of risks and I will do my best to make people think that they are allimportant so that, once the project is completed, when activities under my 9
  10. 10. responsibility will prove to be all successful, they will think that I am the best, because Ihave successfully managed also the most adverse situations”.Leaving aside these types of behaviours, and thinking in more cooperative terms, wecan obtain a first sorting of risks by resorting to a tool as hereinafter described. Quantity of available data Quality of data Risk cause (from 1 to 10) (from 1 to 10) The supplier is about to go bankrupt and, as a consequence, our supply of row 5 2 material could be stoppedFigure 3. Risk quality analysisThe measurement scale is arbitrary. What really matters is being able to identify somequantitative and qualitative data scores, so that risk is eliminated or searching forsome additional pieces of information can start. For instance, if the information of asupplier being close to bankruptcy comes from its direct competitor, maybe the qualityof that specific figure is not to be viewed as excellent. Conversely, if ten suppliers saythe same thing, trying to gain some more insights on that specific information isadvisable. In case the General Manager also recognizes the fact that his/her companyis in financial troubles, data quantity as well as quality are at their maximumlevel/scores.Now we have a list of actual risks, with which the above listed scores shall be matched.As to risk likelihood to break out, scales from 1 to 10, from 1 to 7 or a low – medium –high probability scale can be used. Obviously, using a scale that allows for a little bit ofargumentation is extremely useful; as a matter of fact, only resorting to high, mediumor low is not so much productive or fruitful. There is an important point worth of beinghighlighted: the maximum value/score in a scale does not correspond to certainty, ascertainty is not a risk anymore, it is a fact. Consequently, activities relating to suchfacts shall be illustrated in the project plan. For instance, if a project envisages diggersto be used in Greenland, stating that there is the risk that temperatures could be verylow and that fuel could freeze in tanks is not fair, as the weather will be extremely coldfor sure and adding antifreeze additives is a must. 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 Very low Low Medium High Very high 10% 20% 30% 40% 50% 60% 70% 80% 90% 95%Figure 4. Examples of scales used for a qualitative risk analysisThe fact that a risk has been identified does not mean that it will immediately come tothe surface; consequently, identifying when its negative effects will break out isadvisable. Also in this case, various types of scales can be used (days, weeks, months;short-, medium- or long –term scales, and so on and so forth). Moreover, risks can be 10
  11. 11. recurring and, consequently, understanding if a risk will only take place once orwhether it will erupt on a regular base, becomes an important piece of information –namely, knowing how many times and with what time pattern it will break out isadvisable.The analysis is completed by assessing the impact of each individual risk factor.Assessing the impact means identifying where a risk will strike (which activities will beimpacted by a risk), what and for how long – namely, will it mainly impact time, costsor quality? And what will the size of such impact be?In fact, assessing the impact of a risk factor is difficult, when it is not put against theproject background. For instance, a possible late delivery of motorbike rims is not aproblem, if bikes are held by a gantry in the final assembly stages and wheels are onlymounted at the very end of the assembling process. Conversely, if in that givencompany motorbikes rims are usually assembled when they are already sitting on theirkickstand, the impact can be remarkable.Sharing the project structure with people involved in risk analysis is the only way to getsome consistent assessment; otherwise, a risk that has a strong impact on theactivities carried out by one single person could be judged by that same person asstrongly impacting the project as a whole.It is now possible to provide an assessment of risk impact on a given project. Also inthis case a measurement scale can be used but, conversely from the one telling usprobability of a given risk to break out, which is easily readable, associating someparameters to each value/score is requested. This idea is illustrated in figure 5. Impact Interpretation 7 The project cannot be viewed as successful 6 Up to 30% increase in costs, or in timing, or quality to be viewed as “borderline” in terms of acceptability 5 A 20% to 29% increase in costs, or in timing or quite poor quality 4 A 10% to 19% increase in costs, or in timing or remarkable decrease in quality 3 An increase from 3% to 10% in costs, or in timing, or visible decrease in quality 2 Up to 2% increase in costs, or in timing, or a slightly measurable decrease in quality 1 Impact almost unobservedFigure 5. Example of an impact scale and its related interpretationAmong the three reference parameters (timing, costs and quality), quality is the mostdifficult to be judged. As to this parameter, the organization shall try to identify somemeasurement methods that are shared for all the projects, or for some categories. Forinstance, in case of software development, an ex-ante quality measurement valuecould be the number of functionalities provided versus what has been planed. All theelements needed to get a general overview of risks in a project are now available. 11
  12. 12. Usually people resort to a matrix-based description formula, in order to have animmediate and easy reading of data.An easy although a bit simplistic way to get an indicator about the project overallriskiness/risk level is to sum the probability products with the impact for each riskdivided by the number of risks.In the following example, where letters correspond to risks, we know that themaximum risk value is 49 (in case all the risks show a probability accounting for 7, withan impact amounting to 7 as well), the minimum is 1 (all the risk having probability andimpact accounting for 1). In this case, we get a value of 15.7. Such outcome could beseen as being high but also low, it depends on the attention thresholds that we’ve pre-defined. 7 C B 6 L A 5 N H D Impact 4 I E 3 M 2 O Q 1 P G F 1 2 3 4 5 6 7 ProbabilityFigure 6. Matrix showing project risks.Risks included in the matrix do not usually need the same type of focus. As a matter offact, when they are high in number, managing them by using the same level ofattention becomes more difficult. Consequently, resorting to some methods forgrouping risks is needed. Sometimes we find approaches proposing a ranking based onmultiplying probability by the impact. Such example is proposed in figure 7. Ranking Risk PXI 1 B 42 2 D 35 3 A 30 4 H 25 ….. ….. …..Figure 7. Risk ranking example 12
  13. 13. At this point, either we opt for a pre-defined number of risks, or we can decide tofocus on all the ones exceeding a given threshold. This way of proceeding is based on aprecise assumption - namely, risk neutrality. In other words, it means that two risks areviewed as being the same, even when one is the result of high probability times lowimpact and, conversely, the other is the result of low probability times high impact.This being said, we are often faced with risk disinclination, which means that, evenwhen the P X I product is the same, risks with a higher impact will be handled withgreater attention even when their probability to break out is low.It has been said that risks cannot be managed in the same way; Consequently, theyshall be sorted in homogeneous risk groups so as to be able to handle themaccordingly. Multiple alternatives are available: figure 8 proposes sorting of risk intothree groups, by starting from the disinclination/hostility to risks assumption. 7 C B 6 L A 5 N H D Probability 4 I E 3 M 2 O Q 1 P G F 1 2 3 4 5 6 7 Impact Risk to be analysed in quantitative terms and that shall be included in the risk response plan Risk to be analysed in qualitative terms and that shall be included in the risk response plan Risk to be monitored and for which reports shall be producedFigure 8. Risk GroupingAt this point, we can summarize the above illustrated data in a streamlined form thatincludes all the pieces of information that are useful for the phases to follow. Risk Effect Cause Probability Impact Trigger Impacted Expiration Analysis Event Activities Date 13
  14. 14. 5.2 Risk Quantitative AnalysisThe qualitative analysis focused on the assignment of probability and impactvalues/scores to individual risks, and on the acquisition of a piece of informationsummarizing the risk level of a project as a whole. A quantitative analysis can be usedto further investigate the qualitative one, but it is, above all, a useful tool tounderstand how the project timing and cost references can change in differentscenarios.As the issue is quite broad, this paragraph does not aim at reviewing in acomprehensive way all the methods that can be used to develop a quantitativeanalysis for risk management in a project, it rather offers useful hints in order to havea better understanding of logics and issues proposed by this further in-depth analysis.As already specified, quantitative methodologies are mainly applied to timing and costanalysis of projects, as these are aspects that perfectly fit a “quantitative”measurement and approach. This paragraph is dedicated to this specific focus, and itsstarting point is the project operational plan illustrated in the previous chapters.5.2.1 Uncertainty, variability and riskIn the first place, we shall try to define how quantitative analysis can be useful byidentifying the right terminology. In the standard practice, terms like variability,uncertainty and risk are used as synonyms as, in the everyday language, they give theidea of “non-peace of mind” of the decision-maker or of the phenomenon underreview. Conversely, the quantitative methodologies provide different meanings tosuch words.Variability is a system feature, it is intrinsic in the system itself and, in order to takevariability measures, we have to act on the system. When we toss two coins, we doknow that the possible outcome is fourfold: (H= heads, T= tails): HH, HT, TH, TT, andthey all have the same probability to break out (25%). If we want to change suchresults, we need to act on the coins by modifying their structure.Uncertainty is a state of knowledge regarding those who have to make decisions (or,generally speaking, those who have to tackle a problem). If we want to influenceuncertainty, we can try to improve our knowledge. In the previous example,uncertainty could be linked to our poor knowledge of the two coins (we do not know,for instance, if they are regular coins or if they are “loaded”, if they truly have twofacets, or if their weight is evenly distributed). Uncertainty adds up to variability of thedecision-maker anxiety level, but it is possible to decrease its impact withoutintervening on the physical state of the system – for instance, by examining the coins,and deciding to have the decision-maker state as the only variability. 14
  15. 15. Lastly, risk, is an individual perception of a situation, by which a set of variabilities,uncertainty and decision consequences is meant. In the above illustrated example,accepting, or not , to bet€ 100.00 on the “two heads” result (HH) can produce the perception of a completelydifferent outcome in two different players (and, as a consequence, the decision will bedifferent), even though they are dealing with the same system (coins and sum to bet)and have the same knowledge (coins are regular). The difference in perception isdetermined by human nature. We can identify a sort of scale in the attitude of thosewho are faced with a variable and uncertain situation (that is to say, in everydaylanguage, a “risky” situation); it ranges from strong disinclination to something up tohigh propensity to risk, passing through a condition or attitude of indifference.Nevertheless, also the magnitude of consequences and the incidental/situation areimportant – more specifically, the same player could make two opposed decisions, iffaced with the following problem: “is it better to bet € 100.00?” or “is it better to bet €10.00?” (the magnitude of consequences). By the same token, he/she could decide fora different third option, if he/she had just found € 200.00 in the street(incidental/fortuitous situation). In operative practices, the quantitative analysissupporting planning and project control mainly focuses on managing the first twoillustrated elements – namely, variability and uncertainty, which are defined as“overall uncertainty” 2. Conversely, in literature, quantitative approaches to such issuesare much wider in range3. This being said, this paper will only focus on risk analysismethods, where risk shall only be meant as variability and uncertainty. There aresome risk management issues – namely, the ones linked to uncertainty – on whichmeasures can be taken, and separating them from other issues is advisable. Anyattempt to foresee and plan, in whatever domain, is impacted by variability anduncertainty, by isolating the latter, we could be able to gain a better understanding onhow to reduce it and, consequently, we could increase the overall degree ofconfidence in the system.The project manager thought that the test phase would last from 2 to 4 weeks, basedon the relevant data collected on previous project. Nevertheless, he also knew thatthis was the first time they had to work in parallel with the client, and this couldproduce a slow down in their work; consequently, he thought that an estimation thatwas twice as much could have been more reasonable – namely, from 2 to 8 weeks.This “risk” of time extension worried him, then he recalled he got into contact withanother project manager who had already worked with that same client and decidedto call him....2 See Vose D., Risk Analysis - A Quantitative Guide, John Wiley & Sons, 2000.3 As to the individual risk perception, there are many quantitative theories and mathematical approaches(utility functions, risk disinclination curves, determination of the equivalent certainty, etc.), which havenot been included in the focus of this short paper. 15
  16. 16. The steps needed in order to “quantify” uncertainty and variability in a project aregoing to be briefly touched upon in the following section. They can be summarised asfollows:  input definition, in order to introduce variability and uncertainty: probability distributions;  resorting to quantitative techniques to measure risk: decision-making trees, PERT (Program Evaluation & Review Technique), Monte Carlo method/simulation.  output interpretation - namely, reading results (probability and scenarios) based on project risk analysis.5.2.2 Input: Probability DistributionsMaking reference to probability is quite normal, when we talk about variability anduncertainty. Probability, meant as the measurement of the likelihood of a givenscenario to occur, describes, in a methodologically correct way, the first part of theproblem, which is then completed by matching the result of each individual scenariowith the identified probability.An organized set of these two pieces of information (probability and results) is calledprobability distribution.In the previous example, the probability distribution for the “I bet € 100.00 on twoheads (HH)” variable is the following: Result 100 -100 Probability 25% 75%If we add uncertainty (for instance, there is a 10% probability that one of the two coinsis “loaded” and, as a consequence, has two TAILS facets) to variability – which hasproperly been illustrated by distribution and, as already mentioned, is in-built in thesystem - this fact will change distribution by reducing our probabilities to be successful.The new distribution, which now aims at giving an outline of what we have defined asoverall uncertainty, is as follows: Result 100 -100 Probability 22,5% 77,5%In reality, we will very rarely be faced with phenomena that can be defined in a“moderate” way , as the above illustrated case – namely, a limited number of possibleresults, to which probabilities are matched. Usually, we are faced with situations thatcan more easily be described as value ranges . 16
  17. 17. When we have to introduce variability and uncertainty in the duration of a projectactivity, we will feel more comfortable by indicating a variation range (this activity canhave a duration between 10 and 20 days), rather than indicating fixed durations, towhich specific probabilities are matched (this activity may have a 10-day duration witha 20% probability, or a 13-day duration with a 30% duration, or a 16-day duration witha 35% probability, or a 20-day duration with a 15% probability rate). The same holdstrue when estimating a cost4.This approach, which we call “continuous”, will generate probability distributionsdifferent from the previous ones (which we called “discrete”) by allowing us to takeinto consideration all the possible values within the range, something that will producea more realistic description.Obviously, just resorting to the range could be of poor significance (minimum –maximum), and this would make us miss some pieces of information, even though theycould be extremely useful: What does happen within a range? Are there any values, orsmall ranges, to which the related probability to happen could be higher? Are suchvalues, or ranges, closer to the minimum or maximum limit? and so on and so forth.In order to fix such situation, we can use continuous probability distributions withdifferent features based on the available input. Obviously, each distribution shall becharacterized by a different set and type of initial information (parameters).Among the very many probability distributions in literature, we hereby illustrate, as anexample, the ones that are most commonly used in project risk analysis5.Normal Distribution (o Gaussian)It is the most famous type of distribution, it is “bell shaped”, and it is used in themeasurement of many phenomena as it is characterized by a central value (the meanvalue), which in the Normal Distribution is also median and most probable value, ormode and by a “random disturbance” (which can be quantified via a standarddeviation, ). Sometimes, its symmetrical shape causes it to be unfit, when non-recurring representation of varied types of situations are needed, while a possibletechnical problem (the density function that describes it is defined between -∞ and+∞) is bypassed in practice by interrupting distribution at an acceptable probabilityvalue, which can even be higher than 99% (see figure 9).4 Obviously, in many cases durations and costs can be linked. Nevertheless, in practice, the two types ofanalyses remain separated due to a need for less complexity as well as for a balanced allocation ofcompetences.5 For a more in-depth dissertation, we suggest to use as refernce one of the many publications onStatistics or Theory of Probabilities lik, for instance, Mood A.M., Graybill F.A., Boes D.C., Introductionto the Theory of Statistics, McGraw-Hill, 1987. 17
  18. 18. Normale(20;2) Normale(35;3) Normale(20;5) 0 5 10 15 20 25 30 35 40 45Probability Figure 9. Normal Distibution Beta modified Distribution (or Beta PERT) The Beta modified distribution owes its reputation to the crucial relevance it has within the PERT methodology (Program Evaluation & Review Technique), one of the stochastic network techniques used for time scheduling, which have been developed starting from the CPM methodology. The main characteristics for this type of distribution are its versatility (Beta distribution can have very different representations) and the intuitive way with which the three parameters defining it are expressed: minimum, most probable value (mode) and maximum. Such second peculiarity makes it extremely useful, as it allows for changing a scenario-based qualitative approach (pessimistic, base, optimistic) into a quantitative approach defined by a probability distribution that can be expressed by means of all the values included in the pessimism-to-optimism range, and where break-out probabilities increase, the closest they get to a base value (the most likely scenario) and, conversely, they decrease, the farthest they get from a base value, and the closest they get to one of the two extremes in a totally consistent way with respect to the qualitative hypothesis adopted. 18
  19. 19. BetaPERT(1;35;40) BetaPERT(5;10;35) BetaPERT(0;20;45) 0 5 10 15 20 25 30 35 40 45Figure 10. BetaPERT DistributionTriangular DistributionThe triangular distribution could be considered as the most popular and used type ofdistribution in the risk analysis models, as it is intuitively simple. Also this distribution isdefined by three parameters (minimum, mode, maximum), which can easily find theirparallel in the ways used to define scenarios. Compared to the BetaPERT distribution,it shows it is much more impacted by extreme values, especially if they are very distantfrom the mode value (base scenario), and this produces a higher degree of variability.Maybe this is also the reason why it is the mostly used in cases where scenario settingis poorly supported by historic data or it is completely based on subjective views. Triangolare(5;10;35) Triangolare(1;35;40) Triangolare(0;20;45) 0 5 10 15 20 25 30 35 40 45Figure 11. Triangular Probability Distribution 19
  20. 20. Uniform DistributionThis distribution, which is also called Rectangular Distribution due to the shape of thedensity function describing it, is the easiest and, consequently, the roughest way touse a continuous probability distribution for analysing risks. By means of thisassumption, the same probability level is assigned to all the results/values within aminimum to maximum range. Uniform distribution could be seen as “the last chance”,each time there is the willingness to approach in a quantitative way variability anduncertainty in an assessment (for instance, duration or cost for a given activity), whenonly the extremes can be assessed (as said, minimum and maximum values) andwithout having the possibility or the willingness to add some further information (themost probable value, mean, etc.). Uniforme(1;8) Uniforme(5;20) Uniforme(15;40) 0 5 10 15 20 25 30 35 40 45Figure 12. Uniform DistributionGeneric Continuous DistributionIt is the most flexible way to assign a probability distribution, also allowing for thedefinition of many “shades” that could not be identified by using classic distributionmethods. It is normally used when historic and research-based data are availble6.The Project Manager tried to collect some data about trends in the duration of the“Assembly” activity in similar projects, he realized that the minimum time referencewas 6 days, the maximum time reference was 18 days, but he also noticed that most ofthe reviewed projects reported an 11-day duration. He decided that variability had tobe included and opted for adding a probability distribution that had also to take intoconsideration that information.6 Another possibilty in this case is fitting, that is to say the possibility of matching to the observedempirical distribution a theoretical distribution (similar to the ones illustrated in this paragraph) reviewingsimilarities via statistical tests analizzando la somiglianza attraverso analisi statistiche (test). 20
  21. 21. In figure 13 specific information is proposed as an example for structuring a riskquantitative analysis for project scheduling. Activity Probability Distribution Duration (weeks) min, optimistic = 3 Activity A Triangular mode, most probable = 5 max, pessimistic = 8 min, optimistic = 8 Activity B BetaPERT mode, most probable = 11 max, pessimistic = 20 mean, most probable = 12 Activity C Normal standard deviation = 2 (min, max ± 6 from mean value) min, optimistic = 7 Activity D Triangular mode, most probable = 9 max, pessimistic = 15 … …Figure 13. Example of input data (time scheduling)5.2.3 Use of Quantitative Techniques for Measuring RiskOnce we have completed the input framework, as the uncertain variables have beenassigned an appropriate probability distribution, we need to tackle the problem of howto “transfer” such information to the output, that is to say on the analysis targets.The most common methodologies, the ones based on simulations, envisage the use ofa model that, as to risk management in a project, is nothing more than the modelincluded in the project operative plan: a “solid” network (which includes allocation ofresources and costs) or, as an alternative, a network exclusively dedicated to timescheduling (which is obtained by means of Project Management application tools) anda budget model for reviewing costs (which is developed in an electronic sheet).Procedures used to build up a model are like the ones illustrated in the previouschapters, when we were talking about the project operative plan. The only differenceis that some deterministic input (activity duration and costs) have been changed intorandom variables (namely, having assigned to them probability distributions). Suchmeasures produced a more realistic model.At this point, we can observe the effects of overall uncertainty (variability anduncertainty) included in the model against the variables that are the target of the 21
  22. 22. model itself: project timing and costs. The technique that, thanks to the developmentof hardware and software tools and to its conceptual straightforwardness, is mostlyused in this type of analysis is a stochastic simulation technique called “Monte Carlosimulation technique/method”.The Monte Carlo simulation method resorts to random sampling to create a set ofpossible scenarios and then it reviews, ex-post, the distribution of results. Via therandom sampling, a possible value is selected from each probability distribution input;the data obtained by means of this procedure are used to make a calculation – via thedeterministic model at the base of the simulation (for instance, CPM for scheduling aproject timing) – of the values obtained for the variables under analysis, which arethen saved/stored.By repeating this procedure for a significant number of times (sample size),7 anempirical distribution of results is obtained; it properly represents consequences onvariability and uncertainty output given to input8.5.2.4 Output: Measuring the Overall Uncertainty for Target VariablesNow that we have completed the calculation part, we can tackle the third final part inour analysis: interpretation of results. As for each statistical sample, also the oneobtained via the Monte Carlo simulation for the target variables can be described bysummarizing indicators (statistic indexes) and by an overall reading of datadistribution.The example proposed in Figure 14 shows summary-data identified for the ProjectDuration target variable (the time unit is expressed in weeks) after having carried out10000 iterations (that is to say, after having built up a sample made up of 10000scenarios). Obviously, the type of reviewing that we are about to propose can also becarried out for each target variable under analysis (namely, overall costs, duration ofeach individual activity, milestones, etc.)9.7 The high number of software available for this type of analysis ( @Risk, Crystal Ball, Risk+, amongmany others), makes this part based on repetition of the algorithm quite easy in its execution, and allowsto have a very high number of cases included in the sample so as to ensure reliability (from a statisticview point) of the resulting distributions (Law of Large Numbers or Empirical Law on Chance).8 For further insights on the Monte Carlo simulation method, reviewed under an applicative profile,reference shall be made, among other authors, to J.Mun, Applied Risk Analysis, Wiley Finance, 2004 andD.Vose op. cit., while for insights on its origins, reference shall be made to the “historian” Metropolis N.,Ulam S., The Monte Carlo method, in Journal of the American Statistical Association, 1949.9 Even in this case, we suggest to refer to a more specific bibliography for gaining more in-depthknowledge (for instance, Vose D. op.cit., Mun J. op.cit.), as in this paper we prefer to provide anexample of the logics used for interpreting results. 22
  23. 23. Indici statistici Percentile Valore Iterazioni 10000 0% 43,47 Media 54,58 10% 50,51 Mediana 54,49 20% 51,83 Moda --- 30% 52,83 Standard Deviation 3,23 40% 53,66 Varianza 10,45 50% 54,49 Coeff. of Variazione 0,06 60% 55,31 Min 43,47 70% 56,21 Max 68,70 80% 57,28 Range 25,23 90% 58,73 100% 68,70Figure 14. Project Duration: example of summarising outputThe main information that we can deduct from the table is the following:  On average, the project is going to last a bit less than 55 weeks (54,58);  There are two possible extreme scenarios: one is pessimistic, the other is optimistic (max and min) accounting for 68.7 and 43.47 weeks respectively;  within such range, variability is not extremely high (Standard Deviation amounting to 3,23 weeks);  we actually have only a 10% probability (10% percentile) to go down below a 50.51 week duration and a 90% probability (90% percentile) of not exceeding 58.73 weeks.We have quantified the overall uncertainty, which is a consequence of the input data(in this case, duration estimates for each individual project activity), and we haveobtained a first set of numerical indications supporting our risk analysis.Even though we do not aim, in this specific paper, at drilling down this matter inquantitative terms, we can see that, apart from summarizing information that has justbeen reviewed, the simulation offers us the opportunity of analysing in detail all theresults derived from the N iterations (10000, in the example), that is to say thecomplete sample.In Figure 15, we see the complete distribution of the scenarios resulting for the targetvariable, which are represented via probability distribution and cumulativedistribution10.10 The cumulative probability (frequency) distribution is, avoiding to resort to extremely rigorousdefinitions, an alternative representation, through which we want to highlight probability (frequency) withwhich a random variable results to be lower or equal to a given value. It is obtained by adding up eachtime (by cumulating) probabilities (frequencies) up to reaching the value of interest. 23
  24. 24. 25,0% 20,0% 15,0% Probabilità 10,0% 5,0% 0,0% 42 44 46 48 50 52 54 56 58 60 62 64 66 68 Durata (settimane) 100% 90% (60; 95,06%) 80% 70%Probabilità cumulata 60% 50% 40% 30% 20% 10% (50; 7,24%) 0% 40 45 50 55 60 65 70 Durata (settimane)Figure15. Project duration: probability distribution and cumulative distributionAt this detail level, we can obtain further information like, for instance, the probabilityto remain within a certain target duration: in the example we only have a 7.24%probability for the project to last less than/or as much as 50 weeks, while we are quiteconfident that it will last 60 weeks, for which we have a less than 5% probability toexceed such reference (4.94%= 100% - 95.06%).As already mentioned, this analysis pertaining to project duration is an example, or –better – an aspect, of the quantitative risk analysis that can be carried out. As a matterof fact, by applying the proposed methodology, it is possible to structure a type ofanalysis impacting multiple project management aspects (timing, costs, but also use ofresources, sequence of activities, milestone compliance, etc.). This further drillingdown enriches the information needed not only for a comprehensive definition of theproject plan, but also for an effective execution and control activity.The Project Manager looked at the result of the simulation he had launched and a chillran down his spine: according to those calculations, the project showed more than30% probability to exceed the cost target and, even worse, for quite remarkable sums.He was not used to run this type of risk, and he was quite worried about suchinformation. He drew up a detailed report on the information produced by thatsimulation getting down to individual Work Package details in the WBS, and heimmediately asked to have a meeting with the project team. They had to preparesome countermeasures (in the planning, execution and control phases) in order toreduce variability and uncertainty impacting the project up to that moment. 24
  25. 25. 6 The Phase Dedicated to Planning a Risk ResponseFrom quantitative and qualitative analyses some useful pieces of information can beidentified, in order to understand what risks will influence the project as well as howthe project could be impacted by such potential events.In this phase, we want to identify measures to be taken in order to reduce the overallproject risk so as to reduce, as a consequence, the likelihood for each potential risk tobreak out (and, by the same token, increasing probabilities and the positive influenceof opportunities).Many are the options available to reach this goal. In any case, three response levelsshall be devised. They are the following:  actions to be taken in order to manage risks or impacts before they occur;  actions to be taken when risks have occurred (contingency plan);  actions to be taken when the contingency plan did not produced the desired effects (fallback plan).The fallback plan is only envisaged in rare cases, when risks are so much impacting thatthinking about any possible alternative is required.Usually, when reviewing the type of possible responses to risk, people immediatelythink about reducing their probability or impact. In reality, this is one of the manypossible response. In fact, the following options are available:  avoiding risk by not implementing the activity it could have an impact on;  rationally accepting risk by understanding (using rationality) that any response can be more negative than actually experience damage;  transferring risk - that is to say, assigning risk to external third parties (insurance companies or outsourcing);  mitigating risk – more specifically, reducing its probability or its impact, which might mean acting on risks or, even better, acting on causes.The above listed actions can produce an impact on a project structure; consequently,the project plan might need to be modified.So far, we have talked about risk management making little reference to peopleinvolved in such procedure. The risk identification phase shall be the focus of a groupof people – namely, a team that includes a project manager, project team membersand, where possible, stakeholders. In the analysis phase, group activities are stillrelevant and needed, but assigning probability dimensions and impact is based onrooted knowledge of each individual risk entity. In this case, analysis shall be started byone single person: the work of a group can only provide some additional contributions.Planning responses to risks is a phase similar to risk analysis: the expert for each risk 25
  26. 26. can offer his/her idea, the team can review and improve it. This being said, whenacting on risks is needed, allocating responsibilities to individuals is advisable in orderto have a better and more effective type of management. A Risk Owner is the personaccountable for implementing actions decided for an individual risk. A Risk Ownermust have the power needed for carrying out such task. By identifying a Risk Owner,the management of a project is streamlined as, once risks and actions have beendefined by the team, the individual can act in order to implement such decisions.When such role is not assigned, frequent meeting are needed to fix contingentproblems.7 The Risk Monitoring and Control PhaseThe monitoring phase aims at assessing whether actions on risks have produced thedesired results, while the control phase focuses on implementing the changes neededfor an appropriate project management.During such phase, positive – i.e.: risks that get fixed without taking actions - as well asunexpected negative events – i.e.: the surfacing of previously non-identified risks - canoccur. In this case, some immediate corrective measures shall be taken. The controlphase closes and starts a new risk management process; in fact, by assessing how goodthe actions taken up to that moment are, elements and information for deciding newactions to be taken can be identified.8 ConclusionsRisk Management is a crucial activity to “professionally” manage projects. Projects, bynature, are exposed to risky events, and not taking such events into considerationmeans underestimating the true essence of projects themselves. Risk management canvary from basic activities that do not require some specific knowledge or skills to muchmore complex types of approach. The type of approach depends on values at stake. 26
  27. 27. BibliographyGreenfield M.A., Risk as a Resource, Langley Research Center, 1998Greenfield M.A., Risk Management Tools, Langley Research Center, 2000Grey S., Pratical Risk Assesment for Project Management, John Wiley & Sons, 1995Metropolis N., Ulam S., The Monte Carlo method, in Journal of the American StatisticalAssociation, 1949Mood A.M., Graybill F.A., Boes D.C., Introduction to the Theory of Statistics, McGraw-Hill, 1987Mulcahy R., Risk Management, RMC Publications, 2003Mun J., Applied Risk Analysis, Wiley Finance, 2004Rosenberg L., Hammer T., Gallo A., Continuos Tisk Management at NASA, 1999Vose D., Risk Analysis - A Quantitative Guide, John Wiley & Sons, 2000PMI, A guide to project management body of knowledge. Project Management InstitutePMBOK Guide, 2000 27

×