12. Project Risk Management
Risk Management
• The process involved with identifying,
analyzing, and responding to risk. It
includes maximizing the results of
positive risks and minimizing the
consequences of negative events
Why Do We Manage Risk?
• Project problems can be reduced as much
as 90% by using risk analysis
• Positives:
– More info available during planning
– Improved probability of success
Key Terms
• Risk Tolerance – The amount of
acceptable risk
• Risk Adverse – Someone that does not
want to take risks
• Risk Factors
– Probability of occurrence
– Range of possible outcomes
– Expected timing of event
– Anticipated frequency of risk events from that
source
How Do We Manage Risk?
• Use the six risk management processes
– Plan Risk Management
– Identify Risks
– Perform Qualitative Risk Analysis
– Perform Quantitative Risk Analysis
– Plan Risk Responses
– Monitor and Control Risks
Plan Risk
Management
Identify
Risks
Perform
Qualitative
Risk
Analysis
Perform
Quantitativ
e Risk
Analysis
Plan Risk
Responses
Monitor
and
Control
Risks
Plan Risk Management
Project Scope
Statement
Cost Management
Plan
Schedule
Management Plan
Enterprise
Environmental Factors
Organizational
Process Assets
Risk
Management
Plan
Planning Meetings and
AnalysisInputs
Outputs
Tools & Techniques
Plan Risk
Management
Identify
Risks
Perform
Qualitative
Risk Analysis
Perform
Quantitative
Risk Analysis
Plan Risk
Responses
Monitor and
Control Risks
What is a Risk Management Plan?
• Methodology – Approach, tools, & data
• Roles & Responsibilities
• Budgeting – Resources to be put into risk
management
• Timing – When and how often
• Risk Categories – Risk Breakdown
Structure (RBS)
• Definitions – Risk probabilities and impact
What is a Risk Mgmt Plan (Cont’d)?
• Probability and Impact Matrix
• Stakeholder tolerances
• Reporting formats
• Tracking
Risk Breakdown Structure
• Lists categories and subcategories where
risks may arise
Identify Risks
Risk Management Plan
Activity Cost Estimates
Activity Duration
Estimates
Scope Baseline
Stakeholder Register
Cost Management Plan
Schedule Management
Plan
Quality Management Plan
Project Documents
Enterprise Environmental
Factors
Organizational Process
Assets
Risk Register
Documentation Reviews
Information Gathering
Techniques
Checklist Analysis
Assumption Analysis
Diagramming Techniques
SWOT Analysis
Expert Judgment
Inputs
Outputs
Tools & Techniques
Plan Risk
Management
Identify
Risks
Perform
Qualitative
Risk Analysis
Perform
Quantitative
Risk Analysis
Plan Risk
Responses
Monitor and
Control Risks
Information Gathering Techniques
• Brainstorming
• Delphi technique
– Successive anonymous questionnaires on
project risks with responses summarized for
further analysis
• Interviewing
• Root cause identification
• Strengths, weaknesses, opportunities, and
threats (SWOT) analysis
Diagramming Techniques
• Cause and Effect Diagrams
– Also known as Ishikawa or fishbone
Product
Delivered
Late
Bad SpecsInsufficient
Resources
Inadequate
Time
Project
Prioritization
Testing
Materials
Potential Causes Effect
Personnel
Risk Register
• List of
– Identified risks
– Potential responses
– Root causes
• Updated risk categories (if required)
Perform Qualitative Risk Analysis
Risk Register
Risk Management
Plan
Project Scope
Statement
Organizational
Process Assets
Risk Register
Updates
Risk probability and impact
statement
Probability and impact matrix
Risk data quality
assessment
Risk categorization
Risk urgency assessment
Expert Judgement
Inputs
Outputs
Tools & Techniques
Plan Risk
Management
Identify
Risks
Perform
Qualitative
Risk Analysis
Perform
Quantitative
Risk Analysis
Plan Risk
Responses
Monitor and
Control Risks
Methodologies
• Probability and Impact Matrix
–Based on Failure Modes and Effects
Analysis (FMEA)
–From 1950’s analysis of military
systems
Probability and Impact Matrix
• Define Probability Scale & Impact Scale
Likelihood Class
Likelihood of Occurrence
(events/year)
Not Likely (NL)
<0.01% chance of
occurrence
Low (L)
0.01 - 0.1% chance of
occurrence
Moderate (M)
0.1 - 1% chance of
occurrence
High (H)
1 - 10% chance of
occurrence
Expected (E) >10% chance of occurrence
Probability Scale
Consequence Health and Safety
Extreme
Fatality or multiple fatalities
expected
High
Severe injury or disability likely; or
some potential for fatality
Moderate
Lost time or injury likely; or some
potential for serious injuries; or
small risk of fatality
Low
First aid required; or small risk of
serious injury
Negligible No concern
Impact Scale
Example
Defined conditions for impact scales of a risk on major project
objectives (Examples for negative impacts only)
Example
Detection difficulty is a measure of how easy it would be to detect
that the event was going to occur in time to take mitigating
action( how much warning would we have?) the detection scale
would range from 5= no warning to 1= lots of time to react
Risk severity matrix
User
backlash
Interface
problems
System
freezing
Hardware
malfuncti
oning
Red zone
Yellow zone
Green zone
Impact
Likelihood
Failure mode and effects analysis (FMEA)
Impact × Probability × Detection = Risk Value
1 2 3 4 5
1
2
3
4
5
The risk severity matrix provides a basis for prioritizing which
risks to address. Red zone risks receive first priority followed
by yellow zone risks. Green zone risks are typically
considered inconsequential and ignored unless their status
changes.
A risk with an impact in the “1” zone with a very low probability
and an easy detection score might score a 1 (1X1X1=1).
Conversely, a high-impact risk with a high probability and
impossible to detect would score 125 (5X5X5=125). This
broad range of numerical scores allows for easy stratification
of risk according to overall significance
Risk Register Update
• Add
– Probability and Impact Matrix results
– Perform quality check on results
– Categorize the risks to make them easier
to handle
– Perform urgency assessment to determine
which risk need immediate attention
Perform Quantitative Risk Analysis
Risk Register
Risk Management
Plan
Cost Management
Plan
Schedule
Management Plan
Organizational
Process Assets
Risk Register
Updates
Data gathering and
representation techniques
Quantitative risk analysis
and modeling
Expert Judgment
Inputs
Outputs
Tools & Techniques
Plan Risk
Management
Identify
Risks
Perform
Qualitative
Risk Analysis
Perform
Quantitative
Risk Analysis
Plan Risk
Responses
Monitor and
Control Risks
Quantitative Risk Analysis
• Analyze numerically the probability and
consequence of each risk
• Decision Tree analysis
– Diagram that describes a decision and
probabilities associated with the choices
• Expected Monetary Value Analysis (EMV)
Expected Monetary Value (EMV)
Building
Cost Probability
Optimistic Outcome $150K 0.2 $30K
Likely Outcome $225K 0.5 $113K
Pessimistic
Outcome
$300K 0.3 $100K
Expected Value $243K
Decision Tree Analysis
Build or
Upgrade
Plant
New
Plant
-$120
Upgrade
Plant
-$50
Strong
Demand
Weak
Demand
Strong
Demand
Weak
Demand
65%
$200
35%
$90
65%
$120
35%
$60
$80
-$30
$70
$10
Decision
Definition
Decision
Node
Chance
Node
Net Path
Value
EMV of New Bldg
Node = $41.5!
EMV of Upgrade
Node = $49!
Plan Risk Responses
Risk Management
Plan
Risk Register Risk Register
Updates
Strategies for negative risks
or threats
Strategies for positive risks
or opportunities
Contingent response
strategy
Expert Judgment
Inputs
Outputs
Tools & Techniques
Project Management
Plan Updates
Risk-related
Contract
Decisions
Plan Risk
Management
Identify
Risks
Perform
Qualitative
Risk Analysis
Perform
Quantitative
Risk Analysis
Plan Risk
Responses
Monitor and
Control Risks
Strategies
• Negative Risks (or Threats)
– Avoid
– Transfer
– Mitigate
– Acceptance
• Positive Risks (or Opportunities)
– Exploit
– Share
– Enhance
– Acceptance
Monitor and Control Risks
Risk Register
Project Management
Plan
Work Performance
Information
Performance Reports
Risk Register
Updates
Risk reassessment
Risk audits
Variance and trend analysis
Technical performance
measurement
Reserve analysis
Status meetings
Inputs
OutputsTools & Techniques
Organizational
Process Assets
Change Requests
Project Management
Plan Updates
Project Document
Updates
Plan Risk
Management
Identify
Risks
Perform
Qualitative
Risk Analysis
Perform
Quantitative
Risk Analysis
Plan Risk
Responses
Monitor and
Control Risks

12. Project Risk Management

  • 1.
    12. Project RiskManagement
  • 2.
    Risk Management • Theprocess involved with identifying, analyzing, and responding to risk. It includes maximizing the results of positive risks and minimizing the consequences of negative events
  • 3.
    Why Do WeManage Risk? • Project problems can be reduced as much as 90% by using risk analysis • Positives: – More info available during planning – Improved probability of success
  • 4.
    Key Terms • RiskTolerance – The amount of acceptable risk • Risk Adverse – Someone that does not want to take risks • Risk Factors – Probability of occurrence – Range of possible outcomes – Expected timing of event – Anticipated frequency of risk events from that source
  • 5.
    How Do WeManage Risk? • Use the six risk management processes – Plan Risk Management – Identify Risks – Perform Qualitative Risk Analysis – Perform Quantitative Risk Analysis – Plan Risk Responses – Monitor and Control Risks Plan Risk Management Identify Risks Perform Qualitative Risk Analysis Perform Quantitativ e Risk Analysis Plan Risk Responses Monitor and Control Risks
  • 6.
    Plan Risk Management ProjectScope Statement Cost Management Plan Schedule Management Plan Enterprise Environmental Factors Organizational Process Assets Risk Management Plan Planning Meetings and AnalysisInputs Outputs Tools & Techniques Plan Risk Management Identify Risks Perform Qualitative Risk Analysis Perform Quantitative Risk Analysis Plan Risk Responses Monitor and Control Risks
  • 7.
    What is aRisk Management Plan? • Methodology – Approach, tools, & data • Roles & Responsibilities • Budgeting – Resources to be put into risk management • Timing – When and how often • Risk Categories – Risk Breakdown Structure (RBS) • Definitions – Risk probabilities and impact
  • 8.
    What is aRisk Mgmt Plan (Cont’d)? • Probability and Impact Matrix • Stakeholder tolerances • Reporting formats • Tracking
  • 9.
    Risk Breakdown Structure •Lists categories and subcategories where risks may arise
  • 10.
    Identify Risks Risk ManagementPlan Activity Cost Estimates Activity Duration Estimates Scope Baseline Stakeholder Register Cost Management Plan Schedule Management Plan Quality Management Plan Project Documents Enterprise Environmental Factors Organizational Process Assets Risk Register Documentation Reviews Information Gathering Techniques Checklist Analysis Assumption Analysis Diagramming Techniques SWOT Analysis Expert Judgment Inputs Outputs Tools & Techniques Plan Risk Management Identify Risks Perform Qualitative Risk Analysis Perform Quantitative Risk Analysis Plan Risk Responses Monitor and Control Risks
  • 11.
    Information Gathering Techniques •Brainstorming • Delphi technique – Successive anonymous questionnaires on project risks with responses summarized for further analysis • Interviewing • Root cause identification • Strengths, weaknesses, opportunities, and threats (SWOT) analysis
  • 12.
    Diagramming Techniques • Causeand Effect Diagrams – Also known as Ishikawa or fishbone Product Delivered Late Bad SpecsInsufficient Resources Inadequate Time Project Prioritization Testing Materials Potential Causes Effect Personnel
  • 13.
    Risk Register • Listof – Identified risks – Potential responses – Root causes • Updated risk categories (if required)
  • 14.
    Perform Qualitative RiskAnalysis Risk Register Risk Management Plan Project Scope Statement Organizational Process Assets Risk Register Updates Risk probability and impact statement Probability and impact matrix Risk data quality assessment Risk categorization Risk urgency assessment Expert Judgement Inputs Outputs Tools & Techniques Plan Risk Management Identify Risks Perform Qualitative Risk Analysis Perform Quantitative Risk Analysis Plan Risk Responses Monitor and Control Risks
  • 15.
    Methodologies • Probability andImpact Matrix –Based on Failure Modes and Effects Analysis (FMEA) –From 1950’s analysis of military systems
  • 16.
    Probability and ImpactMatrix • Define Probability Scale & Impact Scale Likelihood Class Likelihood of Occurrence (events/year) Not Likely (NL) <0.01% chance of occurrence Low (L) 0.01 - 0.1% chance of occurrence Moderate (M) 0.1 - 1% chance of occurrence High (H) 1 - 10% chance of occurrence Expected (E) >10% chance of occurrence Probability Scale Consequence Health and Safety Extreme Fatality or multiple fatalities expected High Severe injury or disability likely; or some potential for fatality Moderate Lost time or injury likely; or some potential for serious injuries; or small risk of fatality Low First aid required; or small risk of serious injury Negligible No concern Impact Scale
  • 17.
    Example Defined conditions forimpact scales of a risk on major project objectives (Examples for negative impacts only)
  • 18.
    Example Detection difficulty isa measure of how easy it would be to detect that the event was going to occur in time to take mitigating action( how much warning would we have?) the detection scale would range from 5= no warning to 1= lots of time to react
  • 19.
    Risk severity matrix User backlash Interface problems System freezing Hardware malfuncti oning Redzone Yellow zone Green zone Impact Likelihood Failure mode and effects analysis (FMEA) Impact × Probability × Detection = Risk Value 1 2 3 4 5 1 2 3 4 5 The risk severity matrix provides a basis for prioritizing which risks to address. Red zone risks receive first priority followed by yellow zone risks. Green zone risks are typically considered inconsequential and ignored unless their status changes. A risk with an impact in the “1” zone with a very low probability and an easy detection score might score a 1 (1X1X1=1). Conversely, a high-impact risk with a high probability and impossible to detect would score 125 (5X5X5=125). This broad range of numerical scores allows for easy stratification of risk according to overall significance
  • 20.
    Risk Register Update •Add – Probability and Impact Matrix results – Perform quality check on results – Categorize the risks to make them easier to handle – Perform urgency assessment to determine which risk need immediate attention
  • 21.
    Perform Quantitative RiskAnalysis Risk Register Risk Management Plan Cost Management Plan Schedule Management Plan Organizational Process Assets Risk Register Updates Data gathering and representation techniques Quantitative risk analysis and modeling Expert Judgment Inputs Outputs Tools & Techniques Plan Risk Management Identify Risks Perform Qualitative Risk Analysis Perform Quantitative Risk Analysis Plan Risk Responses Monitor and Control Risks
  • 22.
    Quantitative Risk Analysis •Analyze numerically the probability and consequence of each risk • Decision Tree analysis – Diagram that describes a decision and probabilities associated with the choices • Expected Monetary Value Analysis (EMV)
  • 23.
    Expected Monetary Value(EMV) Building Cost Probability Optimistic Outcome $150K 0.2 $30K Likely Outcome $225K 0.5 $113K Pessimistic Outcome $300K 0.3 $100K Expected Value $243K
  • 24.
    Decision Tree Analysis Buildor Upgrade Plant New Plant -$120 Upgrade Plant -$50 Strong Demand Weak Demand Strong Demand Weak Demand 65% $200 35% $90 65% $120 35% $60 $80 -$30 $70 $10 Decision Definition Decision Node Chance Node Net Path Value EMV of New Bldg Node = $41.5! EMV of Upgrade Node = $49!
  • 25.
    Plan Risk Responses RiskManagement Plan Risk Register Risk Register Updates Strategies for negative risks or threats Strategies for positive risks or opportunities Contingent response strategy Expert Judgment Inputs Outputs Tools & Techniques Project Management Plan Updates Risk-related Contract Decisions Plan Risk Management Identify Risks Perform Qualitative Risk Analysis Perform Quantitative Risk Analysis Plan Risk Responses Monitor and Control Risks
  • 26.
    Strategies • Negative Risks(or Threats) – Avoid – Transfer – Mitigate – Acceptance • Positive Risks (or Opportunities) – Exploit – Share – Enhance – Acceptance
  • 27.
    Monitor and ControlRisks Risk Register Project Management Plan Work Performance Information Performance Reports Risk Register Updates Risk reassessment Risk audits Variance and trend analysis Technical performance measurement Reserve analysis Status meetings Inputs OutputsTools & Techniques Organizational Process Assets Change Requests Project Management Plan Updates Project Document Updates Plan Risk Management Identify Risks Perform Qualitative Risk Analysis Perform Quantitative Risk Analysis Plan Risk Responses Monitor and Control Risks