1 of 22
for Projects & Programmes
Things that we know that we know
Things that we know that we don’t know
Things that we do not know we don’t know
2 of 22
What is Risk?
We know that plans are unlikely to be a precise
prediction of the future
Plans are a model of interconnected tasks believed
certain to be required to achieve an objective
There are also events which are less than certain,
but if they happen, would impact the plan
A Risk is a significant but uncertain event that, if it occurs, has an effect on the plan
A risk can have detrimental or beneficial effects
Threat A risk with a detrimental effect
Opportunity A risk with a beneficial effect
Patsy, Monty Python and the Holy Grail, 1975
3 of 22
What is Risk Management?
How we act to manage significant uncertainty
Uncertain events will always be part of any
plan for the future
Risk Management is a core PM competence
“There are known knowns; there are things that we know that we know.
There are known unknowns; that is to say, there are things that we know that we don’t know.
But there are also unknown unknowns – there are things that we do not know we don’t know.”
Donald Rumsfeld, US Secretary of Defence, 2002
Context & Assumptions
4 of 22
Why do Risk Management?
Good Risk Management will
Lead to more realistic plans
Help to set expectations appropriate to value, risk and complexity
Inform bid/no bid decisions
Help in selecting the most appropriate contract type
Inform PM selection, matching PM competence to value, risk and complexity
Help set project level contingencies, rather than task level or a fixed amount
Enable greater honesty, openness and understanding
Reduce uncertainty by implementing responses to risk
Enable simpler, more transparent reporting
Reduce stress and reliance on a hero culture
Significantly increase the likelihood of meeting time, cost and quality objectives
! Risk Management will not guarantee meeting time, cost and quality objectives
! If undertaken as a tick box exercise, or only at bid time, the full value will not be realised
! The effort invested should be proportional to value, risk and complexity
5 of 22
International Standards Organisation
ISO 31000  Risk Management Principles & Guidelines
ISO IEC 31010  Risk Management Risk Assessment Techniques
ISO Guide 73  Risk Management Vocabulary
BS 6079-3  Guide to the Management of Business Related Project Risk
Association for Project Management
PRAM: Project Risk Analysis and Management Guide, 2nd Edition 
Interfacing Risk and Earned Value Management 
Prioritising Project Risks 
Project Management Institute
Practice Standard for Project Risk Management 
The Institute of Risk Management
Publications that primarily deal with enterprise risk management
The Orange Book: Management of Risk, Principles and Concepts 
Management of Risk, Guidance for Practitioners, 3rd edition [2010, Axelos]
Ministry of Defence Acquisition System Guidance: Risk Management [v4.2.2]
Risk Management Best Practice Guidance
6 of 22
Risk Management Training
Certification Valid Renewal Acquisition Pre-requisite
- - 1 hour multiple choice exam: 60 questions, pass ≥60%
Confirms knowledge sufficient to allow contribution to risk management within a project.
Can be taken as a 2 day course, cost £1,100 (inc. exam fee). Open exam fee £164 (£146 for APM members).
3.25 hour exam: section A, 100 marks;
section B, 100 marks, 2 from 4 questions, 2 relate to case
study, pass ≥60%
Risk Certificate Level 1
knowledge (not certification)
Confirms knowledge, understanding and capability, sufficient to undertake project risk management.
Can be taken as a 2 day course, cost £1,100 (inc. exam fee). Open exam fee £430 (£310 for APM members).
Combined Risk Levels 1 & 2 Open exam fee £558 (£384 for APM members).
UK Cabinet Office
1 hour multiple choice exam: 75 questions of which 70 count,
pass ≥50% (35/70)
Confirms sufficient knowledge and understanding to contribute to the identification, assessment and control of risks across any
3 hour exam: 4 questions, 20 marks each, open book
(specified M_o_R books only), pass ≥50% (40/80)
Confirms sufficient understanding of how to apply and tailor M_o_R in a scenario situation.
M_o_R Foundation and Practitioner can be taken together in a 5 day course, cost £2,300.
over 3 years
3.5 hour multiple choice exam: 170 questions, 150 scoring,
'Modified Angoff Method' to determine pass
Degree, 2 years’ project risk
management experience and 30
hours formal project risk
Recognises competence in assessing and identifying project risks, mitigating threats and capitalizing on opportunities, while still
possessing a core knowledge and practical application in all areas of project management.
2008 launch, 2,033 credential holders worldwide by 30 April 2013. Certification fee $670 ($520 for PMI members).
Project Risk Management is also covered in general PM certifications
APM: PFQ, PQ, RPP Axelos (OGC): PRINCE2 PMI: PMP
7 of 22
Context is the environment in which an organisation seeks to achieve its objectives.
As the context changes, it may be necessary to adjust the approach to Risk Management.
Risk Management principles are the same at all levels – strategic, change & operational.
At the strategic level Risk Management is a significant part of corporate governance. How risk is to be
managed across an organisation taking into account external factors such as legislation, government
policy, market, domain and internal factors such as the organisation’s size, complexity and culture as
well as the strategic vision, balance of risk across the organization, conflict resolution, risk appetite and
lessons learned, may be described in a Risk Management Strategy. The RMS may be a single document
or a number of documents, e.g. Policy, Process and Guidance.
Operational Risk Management covers day-to-day business functions such as health & safety, people,
information security and business continuity.
Change is what projects and programmes deliver.
Apply Risk Management through all project delivery phases
– in a manner proportional to the value, risk and complexity at each phase.
The nature and degree of freedom for responding to risk will change at different project phases, e.g. in
the concept phase there will be a greater chance to adjust the scope and set budgets to manage risk.
Risk Management Context
8 of 22
Risk Management Process
Iterate to keep the Risk Exposure
(the impact of risk on objective attainment),
within the Risk Appetite
(an agreed, acceptable level of risk),
in a cost-effective manner.
Identify Risks: Experience, Checklist, SWOT, Interviews
Probability & Impact
Define Risk Response: Exploit/Avoid, Share/Transfer,
9 of 22
Identify, Assess, Plan, Implement
Identify: What could happen
Identify & List Risks: Experience, Checklist, SWOT, PESTLE, Interviews, Questionnaires
Categorise: By project phase, system element, or other suitable risk event source breakdown
Assess: Understand consequences
Qualitative assessment: Probability of the risk occurring and the size of the Impact on objectives
Prioritise: Rank the risks – focus on those with highest probability and impact
Timing: Understand when the risk may occur
Quantitative analysis: modelling, confidence levels, sensitivity
Plan: Define appropriate responses
Exploit/Avoid, Share/Transfer, Enhance/Mitigate
Residual Risk: Risk that remains after taking enhancement/mitigation measures
Secondary Risk: Risk that arises as a result of taking enhancement/mitigation measures
Implement: Monitor and control the risks
Review: Risk triggers, responses, add new risks, close dead risks & release risk pot
Communicate: Key risks
10 of 22
Plan: Define appropriate responses
Allocate ownership to manage risk optimally
Insure (internally by pooling or externally)
Reduce the uncertainty – if cost effective to do so
Fall-back, should the risk occur/not occur despite mitigation/enhancement
Risk or Residual Risk after enhancement/mitigation
May also choose to treat as Risks and define a response etc.
Log / Monitor
Specification Partners PBS, WBS Supplierse.g. Requirements
11 of 22
Rank Risks by assessing risk probabilities and impacts having first adjusted to suit the project
Probability Impact Diagram
Mapping risks helps to decide where
best to focus risk management effort.
A Risk Register can calculate the total
Contingency based on the entered data.
This figure is at best a guide
and must be subject to discussion.
Probability VH VH
VL L M H VH VH H M L VL
Negative Impact Positive Impact
Focus effort on
Very Low Low Medium High Very High
Schedule Impact < 2 weeks 2 weeks to < 1 month 1 to < 2 months 2 to < 4 months > 4 months
Cost Impact < 1% 1% to < 2% 2% to < 4% 4% to < 8% > 8%
in a secondary aspect
in a secondary aspect
in one key aspect
in one key aspect
in multiple key aspects
Probability < 10% 10% to < 25% 25% to < 50% 50% to < 75% > 75%
12 of 22
Bias, Concurrency & Estimation Uncertainty
Optimism Bias can make assumptions too positive, perhaps as a result of making a plan fit fixed targets.
Cognitive Bias is where personal past experience unscientifically skews estimates.
Plan dates and costs are often optimistic if
estimation uncertainty is not considered.
Plans generally feature concurrent tasks with
minimal float. Task effort estimates frequently
use expert judgement, often given as single
point, or deterministic, estimates.
The more concurrent tasks, the greater the
impact on the project when, as is likely, some
tasks finish later than estimated. Deterministic
outcomes often have a very low probability.
Range estimates are more realistic, with
3 points (minimum, most likely, maximum)
advised. Key project dates and costs then also
become ranges along with a probability.
Typical plan analysis: Yellow line is the probability of achieving the Deterministic Cost
13 of 22
Funding Estimation Uncertainty & Selective 4 Point Estimating
‘Most Likely’ means equally probable of being under or over, but estimates often
have a negative bias such that most likely (ML) is not 50% probable.
To avoid this negative bias, 4 points are recommended*, 3 point plus probability
of the ‘most likely’ – just for the tasks that most impact the project, found by
sensitivity analysis, as doing this for all tasks is typically not worthwhile.
Min ML P=50% Max
The business Risk Appetite can inform what probability to use across the business, e.g.:
10% Team Target (likely risks do not occur)
50% Best Estimate (as many risks occur as not)
90% ‘Safe’ Estimate (several unlikely major risks occur)
One strategy is to use the cost difference between the project cost for the probability chosen according
to the business Risk Appetite and the deterministic project cost as the main element of a ‘project risk
pot’ to handle estimation uncertainty. Rewarding using as little of this risk pot as possible, whilst
recognising that a proportion is likely to be required, encourages behaviour that enhances results whilst
recognising uncertainty and setting realistic expectations.
4 Point Estimates
* See separate presentation, “Estimation for Projects & Programmes”
Don’t confuse uncertainty with a lack of knowledge.
Large ranges generally indicate guessing – experience is required to estimate rather than guess.
14 of 22
Risk Management for Projects & Programmes
Inform / Offset
Risk Register Tool, RRT
Risk Management Strategy, RMS
Risk Management Plan, RMP
Held at Board level: Project, Programme or Business
Held at Project & Programme level
If cost effective
15 of 22
Risk Management Strategy
How risk is to be managed across an organisation, the corporate strategy & policy.
Generally an in-feed for a programme or project but may also be defined at this level, possibly as a flow-
down from an organisation RMS.
Risk Management Plan
How risk will be managed in a programme or project, tailored to that programme or project,
i.e. how the Risk Management Strategy will be delivered.
Risk Management Documents & Tools
Risk Register Tool
Central repository for Risk Events, i.e. risk data
• Opportunity & Threat Log and Analysis
• Risk Owner
• Risk Response & Cost Estimation
• Probability Impact Diagram, PID
• Risk Triggers & Timing
• Classification marking
• Internal Only option
• Baselines & Risk History graphing
• Contingency Estimation
• Risk Exposure calculation
Quantitative Analysis Tools
Quantitative Analysis (uncertainty and probabilistic modelling – Monte Carlo analysis) is best done using
purpose built tools, e.g. @Risk, or integrated scheduling and risk management tools, e.g. Oracle
Primavera Risk Analysis or Safran Risk.
16 of 22
Keep People Safe
HSE: Health, Safety and Environment
Do a Risk Assessment to expose potential hazards
EN ISO 14121-1 is a useful guide in defining potential hazards
Consider the whole lifecycle: hazards may differ from one phase to the next
Plan actions to deal with the hazards identified and reduce to an acceptable level the probability of
harm to the team and other stakeholders
There may be tasks and costs arising from the risk assessment: include these in planning
17 of 22
Risk Assessment provides scientific advice on potential threats, often the basis for making decisions to
address these threats via Risk Management.
Europe separates the roles of Risk Assessor and Risk Manager in law to make clear the distinction
between science and politics.
Risk Assessment is concerned with preventing harm to people
The Health and Safety Executive in the UK defines Risk as the chance, high or low, of somebody being
harmed by a hazard, and how serious the harm could be.
Risk Management is minimising the impact of threats and maximising the benefit of opportunities
Risk Assessment actions are aimed at reducing the potential harm to zero, or at least to acceptable
levels by taking reasonably practicable measures – balancing the level of risk against the measures
needed to control the real risk in terms of money, time or trouble.
Action need not be taken if it would be grossly disproportionate to the level of risk.
Risk Assessment is an excellent, essential and in most countries mandatory method for understanding
and reducing potential harm to people.
However, Risk Assessment is not a substitute for Risk Management, e.g. there is no concept of up-side
risk in Risk Assessment since there is no 'harm' in up-side risk.
Risk Management and Risk Assessment
18 of 22
Risk Management: Test Strategy
Unit Test on a PC Regression Test via a simulator
automated on commit automated on commit
get code coverage
System Test the whole system Continuous Integration
doing real things where possible
probably involves people
Field Trial Interoperability Test
Site / Final
Low Level Tests
Integration Level Tests
System Level Tests
Optional System Level Tests
(required in some domains)
Design TestProduction Test
19 of 22
Prior to ‘Identify’ describe the project and goals of Risk Management for your project (often described
in the Risk Management Plan). Then the project team can raise specific project risks.
The danger of not doing this is that the risks identified may be generic and that this is carried
throughout Risk Management for the project, significantly devaluing Risk Management.
Risk descriptions need to be understandable outside the project, without further explanation.
Risks should be accurately defined and as specific as possible.
Avoid listing an effect rather than the risk leading to the effect.
It may help to think in terms of cause, then risk arising from this cause, then the effect(s) of the risk.
Probability and impact are often guesses and contain cognitive bias so it can be helpful to consider the
relative risk scores rather than the absolute in deciding which risks to actively manage.
Risk Management is more than just keeping a Risk Register.
The Risk Register is only a tool to note the risks, our responses and to help with decision making.
Completing the actions arising add the real value.
Appropriate review frequency depends on project scale and phase.
At some phases, weekly review may be worthwhile; at other phases, monthly may be sufficient.
Practical Risk Management: Hints & Tips I
20 of 22
Experience is needed to judge the appropriate Risk Management effort, but investing more in managing
risk than the cost if all the risks occur clearly makes no sense.
The Risk Management process can be gone through in a few minutes for many risks, so the effort
required need not be high.
The effort level should not however be limited simply by a lack of competence (i.e. knowledge &
experience) of those undertaking Risk Management.
The number of risks typically identified depends on the project value and complexity; usually more than
10, less than 100. How many of the identified risk are selected for managing is an experienced based
judgement; but very rarely all, except perhaps for a strategic Risk Register.
Risk Assessments commonly involve a reassessment of the impact after the risk responses have been
undertaken, since it is vital that we can see that potential harm to people has indeed been reduced to
an acceptable level by our actions. This is much less common in Risk Management in projects and
programmes where there’s often little value in this sort of reassessment.
It can be difficult for many people to consider threats and opportunities concurrently
– e.g. we don’t talk about the ‘risk’ of a beneficial event occurring in normal life.
So it may help to consider threats and opportunities separately rather than concurrently when
Practical Risk Management: Hints & Tips II
21 of 22
Most projects and programmes have to deal with risk, this presentation summarises best practice for
visible, repeatable and consistent risk management. Whilst best practice guidance offers no single
definition, it is broadly aligned.
Some level of risk is not only inevitable, but desirable for success.
Project Risk Management is a core PM competence and should be practiced on all projects and
programmes, in a manner appropriate to the value, complexity and risk.
Projects which do not undertake Risk Management are more likely to fail.
Estimation uncertainty alone can reduce the probability of on-time delivery to less than 10%.
Risk Management has many benefits, not least being a higher likelihood of delivery to time and budget.
22 of 22
In my board role I led a team of 22 Project Managers and 5 Quality Engineers, and ensured Roke’s £79m
project portfolio delivered better than budget profit. I set-up and ran a virtual PMO and created REP,
the Roke Engineering Process, also managing the engineering tools to support it.
After 4 years as an electronics engineer for Siemens, achieving Chartered Engineer,
I moved into project management for 14 years, at Siemens and Roke Manor Research.
Successfully delivering Roke’s most challenging whole lifecycle product developments
on time and under budget led to a role as Director and board member for 6 years.
In 2013 I returned to hands-on project management as Programme Director at
Cambridge Consultants, founder member of the Cambridge Science Park.
Creator of the APM corporate accredited PM Excellence Programme,
I chaired a quarterly PM forum to share best practice and built a
supportive PM community. I coached seven PMs to RPP, five to PQ,
and all passed APMP.
These investments in PM professionalism led to a turn-around and
annual improvement in project results across a 400 project portfolio
and delivered an above budget performance in five consecutive years
with profits totalling £7.9m above budget.
Passionate advocate of PM professionalism, Fellow of the APM and
the IET and author of articles published in Project and PM Today.
Winning Project Work
Earned Value Management
3 Steps to Professional Project Management: Case Study