This document discusses project risk management. It begins by explaining that projects inherently carry uncertainty and innovation, which leads to risks if not properly managed. It then outlines the typical risk management process, including planning risk management, risk identification, risk analysis, planning risk responses, and risk monitoring. Several key points are made about each step in the process. Identification techniques discussed include using the work breakdown structure, network diagrams, assumption analysis, checklists, interviews, and brainstorming to thoroughly identify potential risks and their causes.

1. Project Risk Management
Marco Sampietro1. Professor at SDA Bocconi School of Management.
marco.sampietro@sdabocconi.it
Maurizio Poli. Professor at SDA Bocconi School of Management.
maurizio.poli@sdabocconi.it
1 Why Managing Project Risk
Projects are implemented by organizations in order to seize new opportunities that,
according to their Management, may be appreciated by the market or can contribute
to a better internal efficiency in the organization. Projects are characterized by
innovation. Innovation can be implemented in multiple ways: it could mean following a
different pathway that has never been considered before, or it could mean following
the direction taken by other companies, by also treasure and use at best the
experience and the mistakes made by others, or it could also mean applying
improvements to well-known products or services, and so on and so forth. In any case,
innovation implies a certain degree of uncertainty – namely, the fact that there is not a
thorough knowledge of events that might happen in the future. In general terms, the
higher the degree of innovation is, the higher the uncertainty level will be. An
uncertain situation can produce positive as well as negative effects. In the first case,
we are dealing with opportunities which, if properly identified and managed, can bring
some benefits to the project; in the second case, we are faced with risks which, if not
properly identified and managed, can impact the project in negative terms, by making
it more expensive, or with a project that goes beyond the expected and planned
duration or with one that is poorer in qualitative terms with respect to expectations.
Consequently, the fact of non-managing the risk (and opportunities) means
overlooking the innovative feature of projects – more specifically, it means missing a
crucial point that characterizes a project vis-à-vis ordinary operations or recurring
activities within an organization. More specifically, even if we do not want to take into
consideration risk management as a discipline, project management can be viewed as
a tool to decrease the level of uncertainty and, consequently, a tool to decrease risk in
projects. By identifying and clarifying objectives, allocating resources with well defined
competences, clarifying responsibilities, fixing some assessment phases in the project
and so on and so forth, we tend to decrease the uncertainty level in the project.
Where is the difference? By planning, we opt for a pathway (one of the multiple
options available) that will take us to the achievement of pre-set targets. This being
said, such path will not be free of obstacles: via the implementation of risk
management we will try to understand and manage problems and opportunities
derived from the implementation of a specific path / plan. The planning activity tells us
1
Paragraphs from 1 to 5.1 and 6, 7, 8 are by Marco Sampietro. Paragraph 5.2 is by Maurizio Poli.
1

2. the course to follow; risk management tries to eliminate the turbulence that might
take us off-route.
I do not understand: we have devised a perfect plan, we have identified costs right
down to the last penny just as we have calculated duration also taking minutes
into account, and still we have problems. We are exceeding our budget! Maybe, I
have to drill-down information to get to an even more detailed picture!
We are late/out by 3% on what was originally planned, that’s not bad, especially if
we think that our usual supplier has gone bankrupt and did not deliver our goods.
Luckily, I sensed that there was something wrong, and I started to look for another
supplier that could replace the original one.
Chi ha gestito il rischio ?
2 The risk management process
The risk management process is a proactive and systematic approach, which aims at
keeping the project under control as well as at decreasing its uncertainty level.
Managing risks means minimizing the consequences of adverse events, but also
maximizing the effects of positive events (risks and opportunities). In this document,
we will focus on the area that has to do with managing adverse events.
Let’s start by reviewing the typical features of a risk management process. The
definition “systematic” means following a well-defined risk-management process. The
definition “proactive” means bein able to identify and manage risks before they brake
out. This consideration needs to be reviewed more in detail. Proactivity does not mean
being able to see into the future; conversely, it means a timely identification, by
resorting to the most appropriate tools, of the highest number of risks that might
impact a project. It also means that, once identified, some remedial measures will
need to be taken. Just identifying risks and not managing them (managing does not
only mean eradicating them, as we will see later on in this paper) is pointless. The only
value that such a behaviour might have is that, once they actually erupt, we can
recognize them, at least if we were aware about their features (poor consolation!).
A good risk management process is set out in five macro phases (fig. 1):
1. Planning the risk management process, by defining the actual execution
activities linked to the management process, people involved in the process as
well as procedures to be implemented;
2. Risk identification, with specific assessment of project–specific risks, by making
the different information sources taking part in the assessment;
3. Risk analysis, by quantitatively and/or qualitatively reviewing and assessing the
risks identified in the previous phase and also deciding which risks need a
specific attention and focus;
2

3. 4. Planning a response to risks, by defining which measures shall be taken in order
to reduce the project overall risk;
5. Risk monitoring and control, by implementing the risk response plan as soon as
they occur or bypass a given threshold.
In this chapter, focus will mainly be on phases 2 and 3.
The risk management process shall not be viewed as an isolated type of activity.
Conversely, risk management shall take place on a regular base – more specifically, it is
only by making the project develop that new risks can come to light (or some already
existing ones can be fixed) and new useful information can be used for analysis and
new planning.
RM Process Planning
Risk Identification
Risk Analysis
Risk Response
Monitoring & Control
Figure 1. The risk management process
3 Planning a Risk Management Process
As to this phase, the main target is to provide guidelines for risk management
activities, by setting a structured approach for actually managing the risk.
In order to develop this phase, the following points shall be taken into consideration:
 any existing policies and procedures pertaining to risks in general terms,
 the implemented approach shall be fine-tuned with the type of project – more
specifically, with its dimensions, its impacts, with the project team experience
as well as with respect to the importance of the project itself vis-à-vis the
organization.
3

4. As to the first point, if the company has already devised some guidelines pertaining to
risk management in more general terms, or to management of some specific risks, the
project risk plan shall also use and include them. It is a useful approach, because it
prevents any duplications of efforts, and it allows for sending a quite consistent
message to co-workers, who are already familiar with such procedures.
As to the second point, it pertains to customization of the implemented approach
based on true needs and on the environment where it is used.
In a mono-functional software development project, the project manager had decided to
resort to a pre-defined list of risks devised by a famous University and to personally mark
on that list the risks pertaining to the project. He had achieved a good result, as many
mistakes had been avoided. That same person, one year later, was appointed as leader of
a project focused on the optimization and streamlining of processes involving five
organization functions. The project manager, based on his previous experience, decided
to use the same check list. Unfortunately, he was not successful this time, as he was able
to identify and manage the technology-related risks, but he totally underestimated or
overlooked the organizational-related ones. Consequently, the project became highly
conflicting and timing and costs went out of control.
At this phase, the following issues shall be tackled:
 selecting the information sources to be used for risk detection (historical data,
check list, knowledge of people, etc.);
 defining the risk identification techniques to be used (interviews,
brainstorming, forms, etc.);
 defining roles and responsibilities of people with respect to risk management
(who is responsible for the management of a specific risk area, what are his/her
powers);
 Setting the time-frame for risk-maintenance purposes;
 Defining how to allocate and interpret values linked to risks (probability, timing
and impacts) (Which are the scales to be used: numerical, qualitative ones?
Down to what detail?);
 Setting the attention and action threshold to be used as a reference (within our
organization, is it wise to focus on a risk with medium probability and impact
scores?)
 Defining the communication and reporting methods to be implemented.
By focusing on the above listed points, we implement an official mechanism that can
be easily used and communicated; moreover, it makes project risk management more
effective and stable over the time. The project risk plan can then be used in other
projects, if properly customized.
4

5. I do not understand, do you want to drive me crazy?!
In the project that we managed 6 months ago, we rated risk probability on a low,
medium/low, medium, medium/high, high and extremely high scale. In the project that we
had 3 months ago, we used the 0.2, 0.4, 0.5, 0.6, 0.8, 0.9 rating scale. Now we are rating risk
probability by using the words unlikely, quite likely, likely, highly likely. Can’t we identify a
standard rating scale that fits all the projects?
You are incompetent: now we are late because of you! You have not managed risk by rating
it as “medium”, and now we need to find alternative solutions!
I am sorry, but in the previous project, risks rated as “medium” were not even taken into
consideration!
4 Risk Identification Phase
Apart from drawing up the risk management plan, which sets the framework and the
guidelines to be followed, the risk identification phase is of particular relevance, as it
sets the foundations for truly managing risks (it is a bit like the WBS used for planning
activities). We can have some excellent methods for managing risks, but if we apply
them to the wrong ones or if we are not able to identify the most important ones, the
outcome is a pure expression of style, which will produce poor benefits for the
projects. Consequently, the identification phase shall be a very thorough job.
Identifying risks entails also the following:
 understanding the causes generating them,
 opting for the most appropriate methods supporting a thorough understanding
of root-causes.
As to the first bullet-point, risk factors are generated by the actual project features and
by its interactions with the environment. By reasoning according to macro-areas, there
might be risks linked to the following:
 the intrinsic characteristics of the project to be implemented (the main output);
 project management – more specifically, the way events in the project are
planned and controlled. This point includes technical and method-related
issues as well as organizational issues;
 the outside environment, by which the following is meant:
o managing communication, contacts, interests and the level of
involvement of all those who are impacted by the project
(stakeholders);
o managing constraints coming from entities that are beyond our control,
like regulations, directives, etc.
5

6. Such macro-areas are linked to the identification methodologies. In fact, there are
methodologies that only cover part of them, and being aware of this is advisable so as
to focus also on the overlooked areas.
The methodologies and the identification tools covered by our paper are the following:
1. WBS
2. Networks
3. Assumption analysis
4. Check list
5. Interviews
6. Brain storming
7. Historical data
The identified risks shall be proposed with a short description, in order to be clear
without any possible misunderstanding. Such description, in order to be as
understandable as possible, shall be organized into three sections: cause, risk, effect
(figure 2).
Just out of clarity: by cause, we mean the event triggering the risk; this being said,
what we consider as being a cause might be viewed as an effect by others. Our ability
to drill down our analysis on causes depends on the available resources and on the
degree of control that we have on events.
Cause Risk Effect
As the supplier has The delivery of motors The project time-frame
provisioning problems might be delayed might be extended
Figure 2. Example of risk description
The cause “As the supplier has provisioning problems” could actually be determined by
other events, like a financial crisis of upstream suppliers, which might be triggered by
other causes and so on and so forth. Such other causes could also be unknown by us.
Being able to trace back the real causes could only be useful, if people involved in the
project can take measures with respect to them. In the above illustrated example, the
fact of knowing that the provisioning problem is caused by hindrances in getting the
row material used in the manufacturing of motors does not add much to our analysis,
as we do not have powers to find a way out.
The various techniques that we are going to illustrate can jointly be used. Some of
them provide some semi-finished results that can be used as such, others are a
support to further reasoning.
WBS. WBS breaks down the objective into activities that can be planned, managed and
assigned to a unique person. Consequently, WBS is a static representation of the
6

7. “path” that has been chosen in order to deal with the project and, as such, it can be
useful as starting point for risk identification. More specifically, risks will have an
impact on the activities set in the WBS and, consequently, focus shall be given on
those activities. The major benefit that WBS has is that it allows the analysis to be
carried out against the project-specific background; nevertheless, it also has some
flaws:
 it does not tell risks and causes, it only identifies the activities where risks might
develop;
 activities often show a granular structure that does not allow for the
identification of truly operative guidelines;
 activities “supporting” the project are often not included in the WBS – i.e.:
project management activities or communication management ones – although
they are a risk source too (and they should be included in a good WBS);
 in WBS risks and effects connected to time scheduling do not appear, because
the information on dependencies and resources allocation is not included.
Networks. By reviewing the project network, in general, and the CPM diagram, in
particular, some risks can be detected:
 activities with multiple input from different paths risk to become a risk-area,
due to the needed synchronization, which is based on a massive coordination
work;
 the critical path may produce the risk of non-compliance with the timing;
 the semi-critical paths can easily become risk sources with respect to timing
non-compliance;
 the quality of resources dedicated to activities identified in the critical and
semi-critical paths shall carefully be evaluated, if we want to avoid a higher risk
of timing non-compliance.
Assumption analysis. Projects, meant as innovative activities, are not exclusively based
on certainties, they are rather based on hypotheses (assumptions). An assumption
analysis, in terms of incompleteness and inaccuracy, can be a useful source for risk
identification. Examples are assumptions on price growth, assumptions on turnover
etc.
Check list. These are risk precompiled lists that can be used in a quite simple way.
Usually, checklists are summaries based on the experience of multiple projects. Many
are those publicly available and some of them focus on some specific areas. Checklists
have the advantage of speeding up identification of the most-recurring risks. Such
feature makes them also dangerous, because people tend to exclusively focus on the
risks included in such document, or to approach them with condescension (let’s speed
7

8. up, this checklist is the same as the one we had for our latest project...). Lastly, the fact
of resorting to a check list does not mean that risk identification is to be carried out by
one single person.
Interviews. Interviews are useful for identifying risks as well as for analysing them.
They are used as an alternative to group identification (when such option is not
feasible), or in order to get the opinion of people who are not directly involved in the
project, but who are believed they could provide some useful insights. Interviews to
experts become particularly important – namely, asking the opinion of people who are
thought to be able to provide a high added value, thanks to their experience.
Brain storming. This technique is based on the distinction and separation of the idea-
generation phase from the actual judgement. In a meeting dedicated to risk
identification, this means asking participants to list what are the negative events that
might break out in the project. It is possible to follow incremental detail levels – more
specifically, starting from identification of project risks per area, the analysis can drill
down to individual activities.
Historical information. Resorting to a project-risk database can be a valuable source of
ideas, provided that risks are sorted according to some specific project characteristics
otherwise the result is a thicker and thicker checklist that gets more and more generic.
5 Risk Analysis Phase
The identification phase only produces a list of risks, which, unfortunately, is not useful
for an operative management of the project. As a matter of fact, a long list of risks can
create greater confusion, rather than producing remarkable benefits, as the attempt to
manage all of them would probably result in an actual duplication of work.
Consequently, a further step forward is advisable: analyzing the risks to understand
their characteristics is now necessary so as to focus the attention on the most relevant
ones. The type of attention that takes to risk management depends on each individual
company and sometimes on each individual project.
During the analysis phase, the following measures shall be linked to each individual
risk:
 event probability to occur;
 timing of the event that could potentially occur;
 event frequency (i.e. if the risk is repetitive or not);
 identification of the impacted activities;
 identification of the impact on individual activities and on the project as a
whole in terms of:
o timing,
8

9. o costs,
o quality,
o other important performance dimensions.
Usually, such information cannot exclusively be provided by the project manager:
involving all the people who have a thorough knowledge of risks and of what they
entail, similarly to the identification phase, is necessary. In the previous example,
pertaining to provisioning problems experienced by suppliers, the purchase
department could provide some useful indications.
Risk analysis can be developed in quantitative as well as qualitative terms. A qualitative
analysis is useful to understand the general characteristics of individual risks, it is
likewise useful to plan adequate responses and to gain a better understanding of the
overall risk-level in the project. Conversely, a quantitative analysis can be useful to get
a more in-depth reviewing of each individual risk (usually, the most important ones) as
well as to review how the project as a whole will develop different scenarios. A
quantitative analysis provides more comprehensive information about the project
dynamics; this being said, it is more expensive and requires the project manager to
have a higher degree of knowledge and preparation. Project characteristics dictate
what is the best approach to be implemented. As an example, an order with heavy
penalties in case of late delivery could push people involved in the project to opt for a
quantitative approach; conversely, a non-critical internal project can cover risks by
using a qualitative approach. In any case, one approach does not exclude the other,
and they can usefully be used in parallel.
5.1 Qualitative Risk Analysis
A qualitative risk analysis is based on the assignment of general values/measures on
variables pertaining to risks; sometimes it can be based on subjective assumptions,
especially when collecting other types of information is impossible or when collecting
that same information is too expensive with respect to the importance of the risk
itself.
Before carrying out an in-depth analysis of risks, in case we are faced with a high
number of them, understanding accuracy of the collected information can be useful.
As a matter of fact, project people could be facing a case in which many are the risks
originally identified and, in reality, they are just speculations or the information risks
are based on are totally unreliable. Knowing the quantity and the quality of
information that got to the identification of a certain type of risk is crucial, if we want
to understand these issues. This is quite a delicate type of task as, in such cases, the
following reasoning/behaviour might be developed: ”In order to show how good I am, I
will identify a set of risks and I will do my best to make people think that they are all
important so that, once the project is completed, when activities under my
9

10. responsibility will prove to be all successful, they will think that I am the best, because I
have successfully managed also the most adverse situations”.
Leaving aside these types of behaviours, and thinking in more cooperative terms, we
can obtain a first sorting of risks by resorting to a tool as hereinafter described.
Quantity of available data Quality of data
Risk cause
(from 1 to 10) (from 1 to 10)
The supplier is about to go bankrupt and,
as a consequence, our supply of row 5 2
material could be stopped
Figure 3. Risk quality analysis
The measurement scale is arbitrary. What really matters is being able to identify some
quantitative and qualitative data scores, so that risk is eliminated or searching for
some additional pieces of information can start. For instance, if the information of a
supplier being close to bankruptcy comes from its direct competitor, maybe the quality
of that specific figure is not to be viewed as excellent. Conversely, if ten suppliers say
the same thing, trying to gain some more insights on that specific information is
advisable. In case the General Manager also recognizes the fact that his/her company
is in financial troubles, data quantity as well as quality are at their maximum
level/scores.
Now we have a list of actual risks, with which the above listed scores shall be matched.
As to risk likelihood to break out, scales from 1 to 10, from 1 to 7 or a low – medium –
high probability scale can be used. Obviously, using a scale that allows for a little bit of
argumentation is extremely useful; as a matter of fact, only resorting to high, medium
or low is not so much productive or fruitful. There is an important point worth of being
highlighted: the maximum value/score in a scale does not correspond to certainty, as
certainty is not a risk anymore, it is a fact. Consequently, activities relating to such
facts shall be illustrated in the project plan. For instance, if a project envisages diggers
to be used in Greenland, stating that there is the risk that temperatures could be very
low and that fuel could freeze in tanks is not fair, as the weather will be extremely cold
for sure and adding antifreeze additives is a must.
1 2 3 4 5 6 7 8 9 10
1 2 3 4 5
Very low Low Medium High Very high
10% 20% 30% 40% 50% 60% 70% 80% 90% 95%
Figure 4. Examples of scales used for a qualitative risk analysis
The fact that a risk has been identified does not mean that it will immediately come to
the surface; consequently, identifying when its negative effects will break out is
advisable. Also in this case, various types of scales can be used (days, weeks, months;
short-, medium- or long –term scales, and so on and so forth). Moreover, risks can be
10

11. recurring and, consequently, understanding if a risk will only take place once or
whether it will erupt on a regular base, becomes an important piece of information –
namely, knowing how many times and with what time pattern it will break out is
advisable.
The analysis is completed by assessing the impact of each individual risk factor.
Assessing the impact means identifying where a risk will strike (which activities will be
impacted by a risk), what and for how long – namely, will it mainly impact time, costs
or quality? And what will the size of such impact be?
In fact, assessing the impact of a risk factor is difficult, when it is not put against the
project background. For instance, a possible late delivery of motorbike rims is not a
problem, if bikes are held by a gantry in the final assembly stages and wheels are only
mounted at the very end of the assembling process. Conversely, if in that given
company motorbikes rims are usually assembled when they are already sitting on their
kickstand, the impact can be remarkable.
Sharing the project structure with people involved in risk analysis is the only way to get
some consistent assessment; otherwise, a risk that has a strong impact on the
activities carried out by one single person could be judged by that same person as
strongly impacting the project as a whole.
It is now possible to provide an assessment of risk impact on a given project. Also in
this case a measurement scale can be used but, conversely from the one telling us
probability of a given risk to break out, which is easily readable, associating some
parameters to each value/score is requested. This idea is illustrated in figure 5.
Impact Interpretation
7 The project cannot be viewed as successful
6 Up to 30% increase in costs, or in timing, or quality to be viewed as “borderline” in terms of
acceptability
5 A 20% to 29% increase in costs, or in timing or quite poor quality
4 A 10% to 19% increase in costs, or in timing or remarkable decrease in quality
3 An increase from 3% to 10% in costs, or in timing, or visible decrease in quality
2 Up to 2% increase in costs, or in timing, or a slightly measurable decrease in quality
1 Impact almost unobserved
Figure 5. Example of an impact scale and its related interpretation
Among the three reference parameters (timing, costs and quality), quality is the most
difficult to be judged. As to this parameter, the organization shall try to identify some
measurement methods that are shared for all the projects, or for some categories. For
instance, in case of software development, an ex-ante quality measurement value
could be the number of functionalities provided versus what has been planed. All the
elements needed to get a general overview of risks in a project are now available.
11

12. Usually people resort to a matrix-based description formula, in order to have an
immediate and easy reading of data.
An easy although a bit simplistic way to get an indicator about the project overall
riskiness/risk level is to sum the probability products with the impact for each risk
divided by the number of risks.
In the following example, where letters correspond to risks, we know that the
maximum risk value is 49 (in case all the risks show a probability accounting for 7, with
an impact amounting to 7 as well), the minimum is 1 (all the risk having probability and
impact accounting for 1). In this case, we get a value of 15.7. Such outcome could be
seen as being high but also low, it depends on the attention thresholds that we’ve pre-
defined.
7 C B
6 L A
5 N H D
Impact
4 I E
3 M
2 O Q
1 P G F
1 2 3 4 5 6 7
Probability
Figure 6. Matrix showing project risks.
Risks included in the matrix do not usually need the same type of focus. As a matter of
fact, when they are high in number, managing them by using the same level of
attention becomes more difficult. Consequently, resorting to some methods for
grouping risks is needed. Sometimes we find approaches proposing a ranking based on
multiplying probability by the impact. Such example is proposed in figure 7.
Ranking Risk PXI
1 B 42
2 D 35
3 A 30
4 H 25
….. ….. …..
Figure 7. Risk ranking example
12

13. At this point, either we opt for a pre-defined number of risks, or we can decide to
focus on all the ones exceeding a given threshold. This way of proceeding is based on a
precise assumption - namely, risk neutrality. In other words, it means that two risks are
viewed as being the same, even when one is the result of high probability times low
impact and, conversely, the other is the result of low probability times high impact.
This being said, we are often faced with risk disinclination, which means that, even
when the P X I product is the same, risks with a higher impact will be handled with
greater attention even when their probability to break out is low.
It has been said that risks cannot be managed in the same way; Consequently, they
shall be sorted in homogeneous risk groups so as to be able to handle them
accordingly. Multiple alternatives are available: figure 8 proposes sorting of risk into
three groups, by starting from the disinclination/hostility to risks assumption.
7 C B
6 L A
5 N H D
Probability
4 I E
3 M
2 O Q
1 P G F
1 2 3 4 5 6 7
Impact
Risk to be analysed in quantitative terms and that shall be included in the risk response plan
Risk to be analysed in qualitative terms and that shall be included in the risk response plan
Risk to be monitored and for which reports shall be produced
Figure 8. Risk Grouping
At this point, we can summarize the above illustrated data in a streamlined form that
includes all the pieces of information that are useful for the phases to follow.
Risk Effect Cause Probability Impact Trigger Impacted Expiration Analysis
Event Activities Date
13

14. 5.2 Risk Quantitative Analysis
The qualitative analysis focused on the assignment of probability and impact
values/scores to individual risks, and on the acquisition of a piece of information
summarizing the risk level of a project as a whole. A quantitative analysis can be used
to further investigate the qualitative one, but it is, above all, a useful tool to
understand how the project timing and cost references can change in different
scenarios.
As the issue is quite broad, this paragraph does not aim at reviewing in a
comprehensive way all the methods that can be used to develop a quantitative
analysis for risk management in a project, it rather offers useful hints in order to have
a better understanding of logics and issues proposed by this further in-depth analysis.
As already specified, quantitative methodologies are mainly applied to timing and cost
analysis of projects, as these are aspects that perfectly fit a “quantitative”
measurement and approach. This paragraph is dedicated to this specific focus, and its
starting point is the project operational plan illustrated in the previous chapters.
5.2.1 Uncertainty, variability and risk
In the first place, we shall try to define how quantitative analysis can be useful by
identifying the right terminology. In the standard practice, terms like variability,
uncertainty and risk are used as synonyms as, in the everyday language, they give the
idea of “non-peace of mind” of the decision-maker or of the phenomenon under
review. Conversely, the quantitative methodologies provide different meanings to
such words.
Variability is a system feature, it is intrinsic in the system itself and, in order to take
variability measures, we have to act on the system. When we toss two coins, we do
know that the possible outcome is fourfold: (H= heads, T= tails): HH, HT, TH, TT, and
they all have the same probability to break out (25%). If we want to change such
results, we need to act on the coins by modifying their structure.
Uncertainty is a state of knowledge regarding those who have to make decisions (or,
generally speaking, those who have to tackle a problem). If we want to influence
uncertainty, we can try to improve our knowledge. In the previous example,
uncertainty could be linked to our poor knowledge of the two coins (we do not know,
for instance, if they are regular coins or if they are “loaded”, if they truly have two
facets, or if their weight is evenly distributed). Uncertainty adds up to variability of the
decision-maker anxiety level, but it is possible to decrease its impact without
intervening on the physical state of the system – for instance, by examining the coins,
and deciding to have the decision-maker state as the only variability.
14

15. Lastly, risk, is an individual perception of a situation, by which a set of variabilities,
uncertainty and decision consequences is meant. In the above illustrated example,
accepting, or not , to bet
€ 100.00 on the “two heads” result (HH) can produce the perception of a completely
different outcome in two different players (and, as a consequence, the decision will be
different), even though they are dealing with the same system (coins and sum to bet)
and have the same knowledge (coins are regular). The difference in perception is
determined by human nature. We can identify a sort of scale in the attitude of those
who are faced with a variable and uncertain situation (that is to say, in everyday
language, a “risky” situation); it ranges from strong disinclination to something up to
high propensity to risk, passing through a condition or attitude of indifference.
Nevertheless, also the magnitude of consequences and the incidental/situation are
important – more specifically, the same player could make two opposed decisions, if
faced with the following problem: “is it better to bet € 100.00?” or “is it better to bet €
10.00?” (the magnitude of consequences). By the same token, he/she could decide for
a different third option, if he/she had just found € 200.00 in the street
(incidental/fortuitous situation). In operative practices, the quantitative analysis
supporting planning and project control mainly focuses on managing the first two
illustrated elements – namely, variability and uncertainty, which are defined as
“overall uncertainty” 2. Conversely, in literature, quantitative approaches to such issues
are much wider in range3. This being said, this paper will only focus on risk analysis
methods, where risk shall only be meant as variability and uncertainty. There are
some risk management issues – namely, the ones linked to uncertainty – on which
measures can be taken, and separating them from other issues is advisable. Any
attempt to foresee and plan, in whatever domain, is impacted by variability and
uncertainty, by isolating the latter, we could be able to gain a better understanding on
how to reduce it and, consequently, we could increase the overall degree of
confidence in the system.
The project manager thought that the test phase would last from 2 to 4 weeks, based
on the relevant data collected on previous project. Nevertheless, he also knew that
this was the first time they had to work in parallel with the client, and this could
produce a slow down in their work; consequently, he thought that an estimation that
was twice as much could have been more reasonable – namely, from 2 to 8 weeks.
This “risk” of time extension worried him, then he recalled he got into contact with
another project manager who had already worked with that same client and decided
to call him....
2
See Vose D., Risk Analysis - A Quantitative Guide, John Wiley & Sons, 2000.
3
As to the individual risk perception, there are many quantitative theories and mathematical approaches
(utility functions, risk disinclination curves, determination of the equivalent certainty, etc.), which have
not been included in the focus of this short paper.
15

16. The steps needed in order to “quantify” uncertainty and variability in a project are
going to be briefly touched upon in the following section. They can be summarised as
follows:
 input definition, in order to introduce variability and uncertainty:
probability distributions;
 resorting to quantitative techniques to measure risk: decision-making trees,
PERT (Program Evaluation & Review Technique), Monte Carlo
method/simulation.
 output interpretation - namely, reading results (probability and scenarios)
based on project risk analysis.
5.2.2 Input: Probability Distributions
Making reference to probability is quite normal, when we talk about variability and
uncertainty. Probability, meant as the measurement of the likelihood of a given
scenario to occur, describes, in a methodologically correct way, the first part of the
problem, which is then completed by matching the result of each individual scenario
with the identified probability.
An organized set of these two pieces of information (probability and results) is called
probability distribution.
In the previous example, the probability distribution for the “I bet € 100.00 on two
heads (HH)” variable is the following:
Result 100 -100
Probability 25% 75%
If we add uncertainty (for instance, there is a 10% probability that one of the two coins
is “loaded” and, as a consequence, has two TAILS facets) to variability – which has
properly been illustrated by distribution and, as already mentioned, is in-built in the
system - this fact will change distribution by reducing our probabilities to be successful.
The new distribution, which now aims at giving an outline of what we have defined as
overall uncertainty, is as follows:
Result 100 -100
Probability 22,5% 77,5%
In reality, we will very rarely be faced with phenomena that can be defined in a
“moderate” way , as the above illustrated case – namely, a limited number of possible
results, to which probabilities are matched. Usually, we are faced with situations that
can more easily be described as value ranges .
16

17. When we have to introduce variability and uncertainty in the duration of a project
activity, we will feel more comfortable by indicating a variation range (this activity can
have a duration between 10 and 20 days), rather than indicating fixed durations, to
which specific probabilities are matched (this activity may have a 10-day duration with
a 20% probability, or a 13-day duration with a 30% duration, or a 16-day duration with
a 35% probability, or a 20-day duration with a 15% probability rate). The same holds
true when estimating a cost4.
This approach, which we call “continuous”, will generate probability distributions
different from the previous ones (which we called “discrete”) by allowing us to take
into consideration all the possible values within the range, something that will produce
a more realistic description.
Obviously, just resorting to the range could be of poor significance (minimum –
maximum), and this would make us miss some pieces of information, even though they
could be extremely useful: What does happen within a range? Are there any values, or
small ranges, to which the related probability to happen could be higher? Are such
values, or ranges, closer to the minimum or maximum limit? and so on and so forth.
In order to fix such situation, we can use continuous probability distributions with
different features based on the available input. Obviously, each distribution shall be
characterized by a different set and type of initial information (parameters).
Among the very many probability distributions in literature, we hereby illustrate, as an
example, the ones that are most commonly used in project risk analysis5.
Normal Distribution (o Gaussian)
It is the most famous type of distribution, it is “bell shaped”, and it is used in the
measurement of many phenomena as it is characterized by a central value (the mean
value), which in the Normal Distribution is also median and most probable value, or
mode and by a “random disturbance” (which can be quantified via a standard
deviation, ). Sometimes, its symmetrical shape causes it to be unfit, when non-
recurring representation of varied types of situations are needed, while a possible
technical problem (the density function that describes it is defined between -∞ and
+∞) is bypassed in practice by interrupting distribution at an acceptable probability
value, which can even be higher than 99% (see figure 9).
4
Obviously, in many cases durations and costs can be linked. Nevertheless, in practice, the two types of
analyses remain separated due to a need for less complexity as well as for a balanced allocation of
competences.
5
For a more in-depth dissertation, we suggest to use as refernce one of the many publications on
Statistics or Theory of Probabilities lik, for instance, Mood A.M., Graybill F.A., Boes D.C., Introduction
to the Theory of Statistics, McGraw-Hill, 1987.
17

18. Normale(20;2)
Normale(35;3)
Normale(20;5)
0 5 10 15 20 25 30 35 40 45
Probability
Figure 9. Normal Distibution
Beta modified Distribution (or Beta PERT)
The Beta modified distribution owes its reputation to the crucial relevance it has within
the PERT methodology (Program Evaluation & Review Technique), one of the
stochastic network techniques used for time scheduling, which have been developed
starting from the CPM methodology. The main characteristics for this type of
distribution are its versatility (Beta distribution can have very different
representations) and the intuitive way with which the three parameters defining it are
expressed: minimum, most probable value (mode) and maximum. Such second
peculiarity makes it extremely useful, as it allows for changing a scenario-based
qualitative approach (pessimistic, base, optimistic) into a quantitative approach
defined by a probability distribution that can be expressed by means of all the values
included in the pessimism-to-optimism range, and where break-out probabilities
increase, the closest they get to a base value (the most likely scenario) and, conversely,
they decrease, the farthest they get from a base value, and the closest they get to one
of the two extremes in a totally consistent way with respect to the qualitative
hypothesis adopted.
18

19. BetaPERT(1;35;40)
BetaPERT(5;10;35)
BetaPERT(0;20;45)
0 5 10 15 20 25 30 35 40 45
Figure 10. BetaPERT Distribution
Triangular Distribution
The triangular distribution could be considered as the most popular and used type of
distribution in the risk analysis models, as it is intuitively simple. Also this distribution is
defined by three parameters (minimum, mode, maximum), which can easily find their
parallel in the ways used to define scenarios. Compared to the BetaPERT distribution,
it shows it is much more impacted by extreme values, especially if they are very distant
from the mode value (base scenario), and this produces a higher degree of variability.
Maybe this is also the reason why it is the mostly used in cases where scenario setting
is poorly supported by historic data or it is completely based on subjective views.
Triangolare(5;10;35)
Triangolare(1;35;40)
Triangolare(0;20;45)
0 5 10 15 20 25 30 35 40 45
Figure 11. Triangular Probability Distribution
19

20. Uniform Distribution
This distribution, which is also called Rectangular Distribution due to the shape of the
density function describing it, is the easiest and, consequently, the roughest way to
use a continuous probability distribution for analysing risks. By means of this
assumption, the same probability level is assigned to all the results/values within a
minimum to maximum range. Uniform distribution could be seen as “the last chance”,
each time there is the willingness to approach in a quantitative way variability and
uncertainty in an assessment (for instance, duration or cost for a given activity), when
only the extremes can be assessed (as said, minimum and maximum values) and
without having the possibility or the willingness to add some further information (the
most probable value, mean, etc.).
Uniforme(1;8)
Uniforme(5;20)
Uniforme(15;40)
0 5 10 15 20 25 30 35 40 45
Figure 12. Uniform Distribution
Generic Continuous Distribution
It is the most flexible way to assign a probability distribution, also allowing for the
definition of many “shades” that could not be identified by using classic distribution
methods. It is normally used when historic and research-based data are availble6.
The Project Manager tried to collect some data about trends in the duration of the
“Assembly” activity in similar projects, he realized that the minimum time reference
was 6 days, the maximum time reference was 18 days, but he also noticed that most of
the reviewed projects reported an 11-day duration. He decided that variability had to
be included and opted for adding a probability distribution that had also to take into
consideration that information.
6
Another possibilty in this case is fitting, that is to say the possibility of matching to the observed
empirical distribution a theoretical distribution (similar to the ones illustrated in this paragraph) reviewing
similarities via statistical tests analizzando la somiglianza attraverso analisi statistiche (test).
20

21. In figure 13 specific information is proposed as an example for structuring a risk
quantitative analysis for project scheduling.
Activity Probability Distribution Duration (weeks)
min, optimistic = 3
Activity A Triangular mode, most probable = 5
max, pessimistic = 8
min, optimistic = 8
Activity B BetaPERT mode, most probable = 11
max, pessimistic = 20
mean, most probable = 12
Activity C Normal standard deviation = 2
(min, max ± 6 from mean value)
min, optimistic = 7
Activity D Triangular mode, most probable = 9
max, pessimistic = 15
… …
Figure 13. Example of input data (time scheduling)
5.2.3 Use of Quantitative Techniques for Measuring Risk
Once we have completed the input framework, as the uncertain variables have been
assigned an appropriate probability distribution, we need to tackle the problem of how
to “transfer” such information to the output, that is to say on the analysis targets.
The most common methodologies, the ones based on simulations, envisage the use of
a model that, as to risk management in a project, is nothing more than the model
included in the project operative plan: a “solid” network (which includes allocation of
resources and costs) or, as an alternative, a network exclusively dedicated to time
scheduling (which is obtained by means of Project Management application tools) and
a budget model for reviewing costs (which is developed in an electronic sheet).
Procedures used to build up a model are like the ones illustrated in the previous
chapters, when we were talking about the project operative plan. The only difference
is that some deterministic input (activity duration and costs) have been changed into
random variables (namely, having assigned to them probability distributions). Such
measures produced a more realistic model.
At this point, we can observe the effects of overall uncertainty (variability and
uncertainty) included in the model against the variables that are the target of the
21

22. model itself: project timing and costs. The technique that, thanks to the development
of hardware and software tools and to its conceptual straightforwardness, is mostly
used in this type of analysis is a stochastic simulation technique called “Monte Carlo
simulation technique/method”.
The Monte Carlo simulation method resorts to random sampling to create a set of
possible scenarios and then it reviews, ex-post, the distribution of results. Via the
random sampling, a possible value is selected from each probability distribution input;
the data obtained by means of this procedure are used to make a calculation – via the
deterministic model at the base of the simulation (for instance, CPM for scheduling a
project timing) – of the values obtained for the variables under analysis, which are
then saved/stored.
By repeating this procedure for a significant number of times (sample size),7 an
empirical distribution of results is obtained; it properly represents consequences on
variability and uncertainty output given to input8.
5.2.4 Output: Measuring the Overall Uncertainty for Target Variables
Now that we have completed the calculation part, we can tackle the third final part in
our analysis: interpretation of results. As for each statistical sample, also the one
obtained via the Monte Carlo simulation for the target variables can be described by
summarizing indicators (statistic indexes) and by an overall reading of data
distribution.
The example proposed in Figure 14 shows summary-data identified for the Project
Duration target variable (the time unit is expressed in weeks) after having carried out
10000 iterations (that is to say, after having built up a sample made up of 10000
scenarios). Obviously, the type of reviewing that we are about to propose can also be
carried out for each target variable under analysis (namely, overall costs, duration of
each individual activity, milestones, etc.)9.
7
The high number of software available for this type of analysis ( @Risk, Crystal Ball, Risk+, among
many others), makes this part based on repetition of the algorithm quite easy in its execution, and allows
to have a very high number of cases included in the sample so as to ensure reliability (from a statistic
view point) of the resulting distributions (Law of Large Numbers or Empirical Law on Chance).
8
For further insights on the Monte Carlo simulation method, reviewed under an applicative profile,
reference shall be made, among other authors, to J.Mun, Applied Risk Analysis, Wiley Finance, 2004 and
D.Vose op. cit., while for insights on its origins, reference shall be made to the “historian” Metropolis N.,
Ulam S., The Monte Carlo method, in Journal of the American Statistical Association, 1949.
9
Even in this case, we suggest to refer to a more specific bibliography for gaining more in-depth
knowledge (for instance, Vose D. op.cit., Mun J. op.cit.), as in this paper we prefer to provide an
example of the logics used for interpreting results.
22

23. Indici statistici Percentile Valore
Iterazioni 10000 0% 43,47
Media 54,58 10% 50,51
Mediana 54,49 20% 51,83
Moda --- 30% 52,83
Standard Deviation 3,23 40% 53,66
Varianza 10,45 50% 54,49
Coeff. of Variazione 0,06 60% 55,31
Min 43,47 70% 56,21
Max 68,70 80% 57,28
Range 25,23 90% 58,73
100% 68,70
Figure 14. Project Duration: example of summarising output
The main information that we can deduct from the table is the following:
 On average, the project is going to last a bit less than 55 weeks (54,58);
 There are two possible extreme scenarios: one is pessimistic, the other is
optimistic (max and min) accounting for 68.7 and 43.47 weeks respectively;
 within such range, variability is not extremely high (Standard Deviation
amounting to 3,23 weeks);
 we actually have only a 10% probability (10% percentile) to go down below a
50.51 week duration and a 90% probability (90% percentile) of not exceeding
58.73 weeks.
We have quantified the overall uncertainty, which is a consequence of the input data
(in this case, duration estimates for each individual project activity), and we have
obtained a first set of numerical indications supporting our risk analysis.
Even though we do not aim, in this specific paper, at drilling down this matter in
quantitative terms, we can see that, apart from summarizing information that has just
been reviewed, the simulation offers us the opportunity of analysing in detail all the
results derived from the N iterations (10000, in the example), that is to say the
complete sample.
In Figure 15, we see the complete distribution of the scenarios resulting for the target
variable, which are represented via probability distribution and cumulative
distribution10.
10
The cumulative probability (frequency) distribution is, avoiding to resort to extremely rigorous
definitions, an alternative representation, through which we want to highlight probability (frequency) with
which a random variable results to be lower or equal to a given value. It is obtained by adding up each
time (by cumulating) probabilities (frequencies) up to reaching the value of interest.
23

24. 25,0%
20,0%
15,0%
Probabilità
10,0%
5,0%
0,0%
42 44 46 48 50 52 54 56 58 60 62 64 66 68
Durata (settimane)
100%
90%
(60; 95,06%)
80%
70%
Probabilità cumulata
60%
50%
40%
30%
20%
10%
(50; 7,24%)
0%
40 45 50 55 60 65 70
Durata (settimane)
Figure15. Project duration: probability distribution and cumulative distribution
At this detail level, we can obtain further information like, for instance, the probability
to remain within a certain target duration: in the example we only have a 7.24%
probability for the project to last less than/or as much as 50 weeks, while we are quite
confident that it will last 60 weeks, for which we have a less than 5% probability to
exceed such reference (4.94%= 100% - 95.06%).
As already mentioned, this analysis pertaining to project duration is an example, or –
better – an aspect, of the quantitative risk analysis that can be carried out. As a matter
of fact, by applying the proposed methodology, it is possible to structure a type of
analysis impacting multiple project management aspects (timing, costs, but also use of
resources, sequence of activities, milestone compliance, etc.). This further drilling
down enriches the information needed not only for a comprehensive definition of the
project plan, but also for an effective execution and control activity.
The Project Manager looked at the result of the simulation he had launched and a chill
ran down his spine: according to those calculations, the project showed more than
30% probability to exceed the cost target and, even worse, for quite remarkable sums.
He was not used to run this type of risk, and he was quite worried about such
information. He drew up a detailed report on the information produced by that
simulation getting down to individual Work Package details in the WBS, and he
immediately asked to have a meeting with the project team. They had to prepare
some countermeasures (in the planning, execution and control phases) in order to
reduce variability and uncertainty impacting the project up to that moment.
24

25. 6 The Phase Dedicated to Planning a Risk Response
From quantitative and qualitative analyses some useful pieces of information can be
identified, in order to understand what risks will influence the project as well as how
the project could be impacted by such potential events.
In this phase, we want to identify measures to be taken in order to reduce the overall
project risk so as to reduce, as a consequence, the likelihood for each potential risk to
break out (and, by the same token, increasing probabilities and the positive influence
of opportunities).
Many are the options available to reach this goal. In any case, three response levels
shall be devised. They are the following:
 actions to be taken in order to manage risks or impacts before they occur;
 actions to be taken when risks have occurred (contingency plan);
 actions to be taken when the contingency plan did not produced the desired
effects (fallback plan).
The fallback plan is only envisaged in rare cases, when risks are so much impacting that
thinking about any possible alternative is required.
Usually, when reviewing the type of possible responses to risk, people immediately
think about reducing their probability or impact. In reality, this is one of the many
possible response. In fact, the following options are available:
 avoiding risk by not implementing the activity it could have an impact on;
 rationally accepting risk by understanding (using rationality) that any response
can be more negative than actually experience damage;
 transferring risk - that is to say, assigning risk to external third parties
(insurance companies or outsourcing);
 mitigating risk – more specifically, reducing its probability or its impact, which
might mean acting on risks or, even better, acting on causes.
The above listed actions can produce an impact on a project structure; consequently,
the project plan might need to be modified.
So far, we have talked about risk management making little reference to people
involved in such procedure. The risk identification phase shall be the focus of a group
of people – namely, a team that includes a project manager, project team members
and, where possible, stakeholders. In the analysis phase, group activities are still
relevant and needed, but assigning probability dimensions and impact is based on
rooted knowledge of each individual risk entity. In this case, analysis shall be started by
one single person: the work of a group can only provide some additional contributions.
Planning responses to risks is a phase similar to risk analysis: the expert for each risk
25

26. can offer his/her idea, the team can review and improve it. This being said, when
acting on risks is needed, allocating responsibilities to individuals is advisable in order
to have a better and more effective type of management. A Risk Owner is the person
accountable for implementing actions decided for an individual risk. A Risk Owner
must have the power needed for carrying out such task. By identifying a Risk Owner,
the management of a project is streamlined as, once risks and actions have been
defined by the team, the individual can act in order to implement such decisions.
When such role is not assigned, frequent meeting are needed to fix contingent
problems.
7 The Risk Monitoring and Control Phase
The monitoring phase aims at assessing whether actions on risks have produced the
desired results, while the control phase focuses on implementing the changes needed
for an appropriate project management.
During such phase, positive – i.e.: risks that get fixed without taking actions - as well as
unexpected negative events – i.e.: the surfacing of previously non-identified risks - can
occur. In this case, some immediate corrective measures shall be taken. The control
phase closes and starts a new risk management process; in fact, by assessing how good
the actions taken up to that moment are, elements and information for deciding new
actions to be taken can be identified.
8 Conclusions
Risk Management is a crucial activity to “professionally” manage projects. Projects, by
nature, are exposed to risky events, and not taking such events into consideration
means underestimating the true essence of projects themselves. Risk management can
vary from basic activities that do not require some specific knowledge or skills to much
more complex types of approach. The type of approach depends on values at stake.
26

27. Bibliography
Greenfield M.A., Risk as a Resource, Langley Research Center, 1998
Greenfield M.A., Risk Management Tools, Langley Research Center, 2000
Grey S., Pratical Risk Assesment for Project Management, John Wiley & Sons, 1995
Metropolis N., Ulam S., The Monte Carlo method, in Journal of the American Statistical
Association, 1949
Mood A.M., Graybill F.A., Boes D.C., Introduction to the Theory of Statistics, McGraw-Hill, 1987
Mulcahy R., Risk Management, RMC Publications, 2003
Mun J., Applied Risk Analysis, Wiley Finance, 2004
Rosenberg L., Hammer T., Gallo A., Continuos Tisk Management at NASA, 1999
Vose D., Risk Analysis - A Quantitative Guide, John Wiley & Sons, 2000
PMI, A guide to project management body of knowledge. Project Management Institute
PMBOK Guide, 2000
27