Project Risk Management
Best Practices
By
Mohamad Boukhari
bdm@pmilebanonchapter.org
mohamad.boukhari@cmcs-mena.com
Best Practices in Project Risk
Management
• Routine activities that lead to a high level of
maturity.
Risk and Uncertainty
Risk Uncertainty
Risk Uncertainty that affects objectives
What is a risk?
• A Risk is:
“An uncertain event, activity, or situation that
can have a positive or a negative effect on
any objective” -ARM
• A Project Risk is:
“an uncertain event or condition that, if it occurs, has a
positive or negative effect on at least one project
objective.” (PMBOK 4th)
Cause Effect
Uncertainty
Risk and Issue
– An Issue is a situation or circumstance that
has occurred, is occurring, or has a 100%
probability of occurring; and will have a
detrimental impact on a program’s schedule,
cost, customer satisfaction, technical or
quality objectives
– Issues can be initiated as a result of findings
or failure to mitigate risks.
Risk and Risks
• Individual risks
• Overall project risk
Individual Risks
Individual risks are the focus of day-to-day Project Risk
Management in order to enhance the prospects of a
successful project outcome.
Individual risks refer to specific events or conditions that
have the ability to affect project objectives positively or
negatively.
An individual risk may affect one or more project
objectives, elements, or tasks.
Overall Project Risk
The overall project risk is more than the sum
of individual risks, and it represents the effect
of uncertainty on the project as a whole.
It represents the exposure of stakeholders to
the implications of variations in project
outcome.
Chapter 2: Principles and Concepts of Risk Management
Project Risk Management
• “Project Risk Management includes the
processes concerned with conducting risk
management planning, identification, analysis,
responses, and monitoring & control on a
project.”
Organisations are good at identifying risks, but poor at doing something about
them.
Risk Identification is not Risk Management.
Project Risk Management Objective
• “The objectives of Project Risk Management
are to increase the probability and impact of
positive events, and decrease the probability
and impact of events adverse to the Project.”
Role of Project Risk Management in
Project Management
“Risk management should be embedded in the
planning and operational documents of the project,
and should not be considered as an optional
activity.”
Chapter 1: Introduction to Risk Management Concepts
General Risk Management
“Continuous Risk Management”
• Identification
– Risk sources can be external or internal.
• Assessment
– How important? / So what?
– What are the current trends?
• Treatment
– What can we do / What will we do?
– When do we need to manage the risk?
Risk Process
Chapter 11 of the PMBOK is the basis for
Practice Standard for Project Risk Management
Risk Process
Plan Risk Management
• The process concerned with producing the
risk management plan focusing on how risks
will be approached on the project.
• This process is high-level and takes place early
in the project since the results of this (and
other risk processes) can significantly
influence decisions made about scope, time,
cost, quality, and procurement.
Identify Risks
• The process of determining which risks may
affect the project and documenting their
characteristics
Perform Qualitative Risk Analysis
• The process of prioritizing risks for further
analysis or action by assessing and combining
their probability of occurrence and impact
• This process helps you rank and prioritize the
risks so that you can put the right emphasis on
the right risks. It helps to ensure that time and
resources are spent in the right risk areas.
QRA can answer the following
questions:
• What is the risk?
• Why might it occur?
• How likely is it? (Probability)
• How good/bad might it be? (Impact)
• Does it matter?
• What can we do?
• When should we act?
• Who is responsible?
Critical Success Factors for the
Perform Qualitative Risk Analysis Process
Perform Qualitative Risk Analysis
Probability-Impact (P-I) Matrix

LIKELIHOOD  |  THREATS (NEGATIVE IMPACT)  |  OPPORTUNITIES (POSITIVE IMPACT)  |  LIKELIHOOD
     5      |   -5  -10  -15  -20  -25    |    25   20   15   10    5         |      5
     4      |   -4   -8  -12  -16  -20    |    20   16   12    8    4         |      4
     3      |   -3   -6   -9  -12  -15    |    15   12    9    6    3         |      3
     2      |   -2   -4   -6   -8  -10    |    10    8    6    4    2         |      2
     1      |   -1   -2   -3   -4   -5    |     5    4    3    2    1         |      1
   IMPACT   |   -1   -2   -3   -4   -5    |     5    4    3    2    1         |

Bottom row: RISK IMPACTS (CONSEQUENCES)
Risk Score
Risk Score = Probability X Impact
The higher the Risk score the more serious the risk
Chapter 6: Perform Qualitative Risk Analysis
Qualitative Analysis - Risk Register Updates
• Relative ranking or priority list of project risks
• Risks grouped by categories
• Causes of risk or project areas requiring particular attention
• List of risks requiring response in the near-term
• List of risks for additional analysis and response
• Watch lists of low-priority risks
• Trends in qualitative risk analysis results
Perform Quantitative Risk Analysis
• It is the process of numerically analyzing the
effect of identified risks on overall project
objectives.
• It assigns a projected value to (quantify) the risks
that have been ranked by performing Qualitative
Risk Analysis.
Quantitative Analysis - Risk Register Updates:
• Probabilistic analysis of the project
• Probability of achieving cost and time objectives
• Prioritized list of quantified risks
• Trends in quantitative risk analysis results
Plan Risk Responses
• The process of developing options and actions
to enhance opportunities and to reduce
threats to project objectives
• It includes the identification and assignment
of one person (the “risk response owner”) to
take responsibility for each agreed-to and
funded risk response.
Response Plan
Strategies for Negative Risk
[Figure: cause - risk - effect diagram for each strategy]
• Avoid
• Transfer
• Mitigate
• Accept
Response Plan
Strategies for Positive Risks
[Figure: cause - risk - effect diagram for each strategy]
• Exploit
• Share
• Enhance
• Ignore
Monitor and Control Risks
• The process of implementing risk response
plans, tracking identified risks, monitoring
residual risks, identifying new risks, and
evaluating risk process effectiveness
throughout the project
• The project work should be continuously
monitored for new, changing, and outdated
risks.
Risk Identification - The Iterative Process
• Risk Identification should be repeated to find risks which were not
evident earlier in the project.
• Input is required from a wide range of project stakeholders, since
each will have a different perspective on the risks facing the project.
• Historical records and project documents are reviewed.
• Identified risks are not filtered, screened, or assessed at this stage;
all identified risks are recorded.
• A risk owner is designated for each identified risk. It is the
responsibility of the risk owner to manage the corresponding risk
through all of the subsequent risk management processes.
Chapter 3: Introduction to Project Risk Management Processes
Risk Assessment
• Prioritizes
• Evaluates the level of overall project risk
• Determines appropriate responses
• Risk evaluation can be performed using:
– Qualitative techniques to address individual risks
– Quantitative techniques for overall effect of risk on the
project outcome.
– Integrated approach for both - requires different types of
data
Qualitative Techniques
• Gaining a better understanding of individual risks; understanding and
prioritizing risks is a prerequisite to managing them.
• Qualitative techniques are used on most projects.
• Outputs:
– Probability of occurrence
– Degree of impact on project objectives
– Manageability
– Timing of possible impacts
– Relationships with other risks
– Common causes or effects
• Outputs are documented and communicated to key project
stakeholders and form a basis for determining appropriate
responses.
Quantitative Techniques
• May not be required for all projects
• Provide the combined effect of identified risks on the project
outcome by taking into account probabilistic or project-wide
effects, such as:
– Correlation between risks
– Interdependency
– Feedback loops
– Degree of overall risk faced by the project.
• Outputs of quantitative analysis provide:
– Focus for development of appropriate responses
– The calculation of required contingency reserve levels
– Documented and communicated to inform subsequent actions
Risk Responses
• Appropriate risk responses must be developed using an
iterative process which continues until an optimal set of
responses has been developed.
• Strategies exist for both threats and opportunities.
• The risk owner should select an achievable, affordable, and
appropriate strategy for each individual risk, based on its
characteristics and assessed priority.
• The use of a single strategy that addresses several related
risks should be considered whenever possible.
What is ERM? (Enterprise Risk Management)
• The simple definition
– Integrated risk management working as a co-ordinated activity
across the whole organisation.
– Bringing together all risk management activities
– Sharing them with all parts of the organisation
– Using an appropriate framework
• ERM is about the entire organisation, not just bits of it, and
it is about performing all activities, not just some of them.
• COSO (Committee of Sponsoring Organisations)
– Sees ERM as an appropriate level of controls being exercised in a
series of interconnected functional layers
The COSO ERM Framework
What is ISO 31000 Risk Management?
ISO 31000:2009 sets out principles, a framework and a process for the management of
risk that are applicable to any type of organization in public or private sector. It does not
mandate a "one size fits all" approach, but rather emphasizes the fact that the
management of risk must be tailored to the specific needs and structure of the particular
organization.
ISO 31000
• ISO 31000:2009 has been received as a replacement for the existing
standard on risk management, AS/NZS 4360:2004
• Risk is the “effect of uncertainty on objectives”
• Principles:
a) Risk management creates value.
b) Risk management is an integral part of organizational processes.
c) Risk management is part of decision making.
d) Risk management explicitly addresses uncertainty.
e) Risk management is systematic, structured and timely.
f) Risk management is based on the best available information.
g) Risk management is tailored.
h) Risk management takes human and cultural factors into account.
i) Risk management is transparent and inclusive.
j) Risk management is dynamic, iterative and responsive to change.
k) Risk management facilitates continual improvement and enhancement of the
organization.
Thank You
