Courseware from my course on Project Management that I taught in 2010 at St. Joseph\'s College of Business Administration

1. Tathagat Varma
Tathagat Varma
Session 5/12: 10-Jun-2010

2.  Risk
 Negative Risk vs Positive Risk
 Secondary Risk Vs. Residual Risk
 Known Unknowns and Unknown Unknowns
 Risk Category
 Risk Proximity
 Risk Probability
 Risk Impact
 Risk Tolerance / Risk Appetite
 Risk Response Strategy
 Risk Reserve, Management Contingency Reserve
 Risk Management Approaches

3.  Risk is an uncertain event in future that, if/when
occurs, impacts the project objectives like scope,
cost, schedule or quality
 A risk could have multiple causes and multiple
impacts
 A cause could be requirement, assumption, constraint or a
condition that creates possibility of positive or negative
outcomes
 Risk conditions could include aspects of an
organization’s or a project’s environment that
may contribute to project risk, such as immature
project management practices, etc.
 PRINCE2 defines risk as: ‘Uncertainty of
Outcome – whether positive opportunity or
negative threat’.

4.  Project risk represents inherent uncertainty in
any project
 A project risk that has materialized has no
uncertainty anymore!
 Should be treated as an issue and addressed as such

5.  Negative Risks (“Threats”)
 Negative impact
 Positive Risks (“Opportunities”)
 Positive impact

6.  Avoid
 Transfer
 Mitigate
 Accept

7.  Risk avoidance involves changing the project
plan to eliminate the threat entirely.
 The most radical risk avoidance strategy
would be to shut down the project entirely!

8.  Risk transfer requires shifting some or all of the negative
impact of a threat, along with partnership of response, to a
third party.
 Transferring the risk simply gives another party the
responsibility for its management – it does not eliminate
it.
 Transferring liability for risk is most effective in dealing
with financial risk exposure, and tools could include
insurance, guarantees, performance bonds, warranties, etc.
 Contracts may be used to transfer liability for specified
risks to another party:
 For example, when a buyer has capabilities that the seller doesn’t,
it might be prudent to transfer some work and its concurrent risk
contractually back to buyer
 In many cases, use of a cost-plus contract may transfer the cost risk
to the buyer, while a fixed-price contract may transfer risk to the
seller

9.  Risk mitigation implies a reduction in the
probability or impact of an adverse risk event
to be within acceptable threshold limits.
 Taking early action to reduce the probability
or impact of a risk occurring in the project is
often more effective than trying to repair the
damage after the risk has happened.
 When it is not possible to reduce the
probability, a mitigation response might
address the risk impact by targeting linkages
that determine the severity

10.  The strategy indicates that the project team
has decided not to change the project plan to
deal with a risk, or is unable to identify any
other suitable response strategy.
 This strategy is adopted because it is seldome
possible to eliminate all threats from a project
 This strategy could be active or passive
 Passive acceptance requires no action except to
document the strategy, leaving the project team to
deal with risks and when they occur
 Most common active acceptance strategy is to
establish a contingency reserve, including amount of
time, money or resources to handle the risk

11.  Exploit
 Share
 Enhance
 Accept

12.  This strategy might be selected for risks with
positive impacts where the organization
wishes to ensure that the opportunity is
realized. This strategy seeks to eliminate the
uncertainty associated with a particular
upside risk by ensuring the opportunity
definitely happens.
 Example, assigning an organization’s most
talented resources to the project to reduce the
time to completion or to provide lower cost
than originally planned

13.  Sharing a positive risk involves allocating
some or all of the ownership of the
opportunity to a third party who is best able
to capture the opportunity for the benefit of a
project
 Examples include risk-sharing partnerships,
teams, special-purpose companies, etc. which
can be established with the express purpose
of taking advantage of the opportunity so that
all parties gain from their actions.

14.  This strategy is used to increase the
probability and/or positive impacts of an
opportunity.
 Identifying and maximizing key drivers of
these positive-impact risks may increase the
probability of their occurrence
 Examples of enhancing opportunities include
adding more resources to an activity to finish
early

15.  Accepting the opportunity is being willing to
take advantage of it if it comes along, but not
actively pursuing it

16.  Some responses are designed for use only if
certain events occur. For some risks, it is
appropriate for the project team to make a
response plan that will only be executed
under certain predefined conditions, if it is
believed that there will be sufficient warning
to implement the plan.
 Events that trigger the contingency response,
such as missing intermediate milestones or
gaining higher priority wait a supplier should
be defied and tracked

17.  A secondary risk can be defined as a risk
created by the response to another risk.
 In other words, the secondary risk is a consequence
of dealing with the original risk.
 A simple way to look at this is to think of project
management as a chess game in which one has to
think as many moves ahead as possible. One has to
consider the reaction to the reaction, or in other
words, the consequences that could arise from
dealing with a problem or risk.
 Secondary risks are generally not as severe or
significant as primary risks, but can become so if not
anticipated and planned for appropriately.

18.  Exposure to loss remaining after other known
risks have been countered, factored in, or
eliminated.
 Residual risk primarily is applied to any element of
risk that remains once the risk assessment as been
made and responses implemented.

19.  Defense Secretary Donald Rumsfeld, Feb
12, 2002:
 “Reports that say that something hasn't
happened are always interesting to me,
because as we know, there are known
knowns; there are things we know we know.
We also know there are known unknowns;
that is to say we know there are some things
we do not know. But there are also unknown
unknowns -- the ones we don't know we
don't know.”

20.  The term was in use within the US military establishment long
before Rumsfeld's quote. An early use of the term comes from a
paper entitled Clausewitz and Modern War Gaming: losing can
be better than winning by Raymond B. Furlong, Lt Gen, USAF
(Ret.) in the Air University Review, July-August 1984:
 “ To those things Clausewitz wrote about uncertainty and chance, I would add
a few comments on unknown unknowns--those things that a commander
doesn't even know he doesn't know. Participants in a war game would describe
an unknown unknown as unfair, beyond the ground rules of the game. But real
war does not follow ground rules, and I would urge that games be "unfair" by
introducing unknown unknowns.[7] ” “
 NASA space exploration should largely address a problem class in reliability
and risk management stemming primarily from human error, system risk and
multi-objective trade-off analysis, by conducting research into system
complexity, risk characterization and modeling, and system reasoning. In
general, in every mission we can distinguish risk in three possible ways: a)
known-known, b) known-unknown, and c)unknown-unknown. It is probable,
almost certain, that space exploration will partially experience similar known or
unknown risks embedded in the Apollo missions, Shuttle or Station unless
something alters how NASA will perceive and manage safety and reliability. [8]

21.  From the same time, conservative lawyer Richard Epstein wrote
a well known article in the University of Chicago Law Review
about the American labour law doctrine of employment at will
(the idea that workers can be fired without warning or reason,
unless their contract states terms that are better). In giving some
of his reasons in defense of the contract at will, he wrote this.
 “ The contract at will is also a sensible private adaptation to the
problem of imperfect information over time. In sharp contrast to the
purchase of standard goods, an inspection of the job before acceptance
is far less likely to guarantee its quality thereafter. The future is not
clearly known. More important, employees, like employers, know
what they do not know. They are not faced with a bolt from the blue,
with an "unknown unknown." Rather they face a known unknown for
which they can plan. The at-will contract is an essential part of that
planning because it allows both sides to take a wait-and-see attitude to
their relationship so that new and more accurate choices can be made
on the strength of improved information.[9]

22.  Known Unknown
 refers to circumstances or outcomes that are known
to be possible, but it is unknown whether or not they
will be realized.
 The term is used in project planning and decision
analysis to explain that any model of the future can
only be informed by information that is currently
available to the observer and, as such, faces
substantial limitations and unknown risk.
 Known risks are those that have been identified and
analysed, making it possible to plan responses for
those risks

23.  Unknown Unknowns
 refers to circumstances or outcomes that were not
conceived of by an observer at a given point in time.
 Specific unknown risks can’t be managed
proactively, which suggests that project team should
create a contingency plan

25.  Risks can be categorized under headings:
 Strategic/Commercial;
 Economic/Financial/Market;
 Legal & Regulatory;
 Organisational/Management/Human factors;
 Political; Environmental;
 Technical/Operational/Infrastructure

26.  Operational Risk: Risks of loss due to improper process implementation, failed system or some external events risks.
Examples can be Failure to address priority conflicts, Insufficient resources or No proper subject training etc.
 Schedule Risk: Project schedule get slip when project tasks and schedule release risks are not addressed properly.
Schedule risks mainly affect on project and finally on company economy and may lead to project failure
 Budget Risk: Wrong budget estimation or Project scope expansion leads to Budget / Cost Risk. This risk may lead to
either a delay in the delivery of the project or sometimes even an incomplete closure of the project.
 Business Risk: Non-availability of contracts or purchase order at the start of the project or delay in receiving proper
inputs from the customer or business analyst may lead to business risks.
 Technical Environment Risk: These are the risks related to the environment under which both the client and the
customer work. For example, constantly changing development or production or testing environment can lead to this
risk.
 Information Security Risk: The risks related to the security of information like confidentiality or integrity of customer’s
personal / business data. The Access rights / privileges failure will lead to leakage of confidential data.
 Programmatic Risks: The external risks beyond the operational limits. These are outside the control of the program.
These external events can be Running out of fund or Changing customer product strategy and priority or Government
rule changes etc.
 Infrastructure Risk: Improper planning of infrastructure / resources may lead to risks related to slow network
connectivity or complete failure of connectivity at both the client and the customer sites. So, it is important to do proper
planning of infrastructure for the efficient development of a project.
 Quality and Process Risk: This risk occures due to
 incorrect application of process tailoring and deviation guidelines .
 New employees allocated to the project not trained in the quality processes and procedures adopted by the organization
 Resource Risk: This risk depends on factors like Schedule, Staff, Budget and Facilities. Improper management of any of
these factors leads to resource risk.
 Supplier Risk: This type of risk may occurs when some third party supplier is involved in the development of the
project. This risk occurs due to the uncertain or inadequate capability of supplier.
 Technology Risk: It is related to the complete change in technology or introduction of a new technology.
 Technical and Architectural Risk: These types of risks generally generally leads to failure of functionality and
performance. It addresses the hardware and software tools & supporting equipments used in the project. The risk for this
category may be due to — Capacity, Suitability, usability, Familiarity, Reliability, System Support and deliverability.

27.  Risks are contained within the project by carrying out a
Risk Analysis
 Identification;
 Evaluation;
 Response and
 Action selection
 and addressed through Risk Management
 Planning & Resourcing;
 Monitoring & Reporting
 A Risk Analysis may identify one of the following five
suitable responses:
 Prevention,
 Reduction,
 Transference,
 Contingency and
 Acceptance.
 Denial is NOT a valid risk response.

28.  ‘When’ the risk is likely to occur is known as
the risk’s ‘Proximity’.