Reading Material

PMP – READING MATERIALS

Module 11 - Project Risk Management

Table of Contents

11. Project Risk Management

11.1 Project Risk Management

11.2 Processes

11.3 Key Concepts

11.4 Plan Risk Management

11.5 Plan Risk Management - ITTOs

11.6 Risk Management Plan

11.7 Identify Risks

11.8 Identify Risks - ITTOs

11.9 Perform Qualitative Risk Analysis

11.10 Perform Qualitative Risk Analysis – ITTOs

11.11 Perform Quantitative Risk Analysis

11.12 Perform Quantitative Risk Analysis – ITTOs

11.13 Decision Tree

11.14 Plan Risk Responses

11.15 Plan Risk Responses – ITTOs

11.16 Strategies for Threats

11.17 Strategies for opportunities

11.18 Implement Risk Responses

1
Reading Material

11.19 Implement Risk Responses – ITTOs

11.20 Monitor Risks

11.21 Monitor Risks—ITTOs

11.22 Trends and Emerging Practices

11.23 Tailoring Considerations

11.24 Consideration of Agile / Adaptive Environment

11.25 Summary

11.26 Reference

Learning Objectives

By the end of this session you will be able to:

 Define Project Risk Management

 Discuss Key Concepts, Trend and Emerging concepts and Agile/Adaptive

considerations for Risk management

 Explain The processes under Project Risk Management and of course the
ITTO’s under each process.

 Describe Strategies for Threat and Strategies for Opportunities

 Create a Decision Tree

11.1 Project Risk Management

Project Risk Management includes the processes of conducting risk management

planning, identification, analysis, response planning, response implementation and
monitoring risk on a project.

The key objectives are to increase the probability and/or impact of positive risks and to
decrease the probability and/or impact of negative risks in order to optimise the chances
of project success.

Many people assume that risk is always negative. However, that is incorrect. It can be
positive also. If it is negative it is called a threat and if it is positive, it is an opportunity.
As a project manager you need to increase the probability of increasing positive risks
and if they are negative you should reduce the probability of occurrence of those risks.

2
Reading Material

There is no right or wrong answer for the Risk Management and decisions are taken
depending on the situation.

Risk taking ability depends organisation to organisation. Some organisations do not

take any risks. They are called risk averse. Some organisations may however be open to
taking risks, and are called risk seekers. How much of risk one can take is based on a
parameter called risk appetite. The definition of risk appetite is the degree of
uncertainty an organisation or individual is willing to accept in anticipation of a
reward.

11.2 Processes
There are seven Project Risk Management processes namely Plan Risk Management,
Identify Risks, Perform Qualitative Risk Analysis, Perform Quantitative Risk Analysis,
Plan Risk Responses, Implement Risk Responses and Monitor Risks.

Plan Risk Management, Identify Risks, Perform Qualitative Risk Analysis, Perform
Quantitative Risk Analysis and Plan Risk Responses are part of the Planning process
group, Implement Risk Responses is part of the Executing process group and the last
process Monitor Risks is part of the Monitoring And Controlling process group.

11.3 Key Concepts

Some key project risk management concepts are discussed below.

 Organisations should choose to take project risks in a controlled and

intentional manner in order to create value while balancing risk and reward.

 Effectiveness of project risk management is directly related to project success.

 Risk exists at two levels.

 Individual project risk—which is an uncertain event or condition that if it

occurs, has a positive or negative effect on one or more project objectives. For
example, delay from vendor may impact schedules and delay an activity. But
this may not impact the overall project as this activity may be in a non-critical
path.

 Overall project risk—which is the effect of uncertainty on the project as a

whole arising from all sources of uncertainty including individual risk.
Taking the same example mentioned above, the delay by the vendor can
delay the entire project if the deliverable is in the critical path.

3
Reading Material

Risks need to be managed in a systematic way. An organisation should be committed to

address risk management proactively and consistently throughout the project.
Communication about risk and its handling should be open and honest. There should
be no bias, concealment or tweaking of risk information. Known risks that cannot be
managed proactively, should be assigned a contingency reserve. Unknown risks cannot
be managed proactively and therefore may be assigned a management reserve. Both
individual project risks and overall project risk should be assessed. Based on the
organisation’s attitude towards risk, the overall project risk is managed.

11.4 Plan Risk Management

Plan Risk Management is the process of defining how to conduct risk management
activities for a project.

The key benefit of adopting this process is that it ensures that the degree, type, and
visibility of risk management are proportionate to both risks and the importance of the
project to the organisation and other stakeholders.

This is part of planning process group.

11.5 Plan Risk Management  ITTOs

The key inputs for the Plan Risk Management process are:

 Project Charter

 Project Management Plan

 All Approved Subsidiary Plans to be Considered

 Project Documents

 Stakeholder Register

 Enterprise Environmental Factors (EEF), and

 Organisational Process Assets (OPA).

Data analysis (stakeholder analysis), expert judgment, and meetings are the tools and
techniques that are generally used for this process.

The main output from this process is the Risk Management Plan

4
Reading Material

11.6 Risk Management Plan

The Risk Management Plan describes how risk management activities will be structured
and performed. It is a component of the Project Management Plan and includes the
following information:

 Risk strategy—General approach to the project risk management

 Methodology – Defines the approaches, tools, and data sources that will be
used to perform risk management on the project

 Roles and responsibilities – Defines the lead, support, and risk management
team members for each type of activity in the risk management plan, and
clarifies their responsibilities

 Funding – Estimates funding needs for inclusion in the cost baseline and
establishes protocols for application of contingency and management
reserves

 Timing – Defines when and how often risk management process will be
performed throughout the project life cycle.

 Risk categories – Provide a means for grouping potential causes of risk. Risk
break down structure is a common method that helps a project team look at
various sources from which project risk may arise in a risk identification
exercise.

 Definitions of risk probability and impact – The quality and credibility of the
risk analysis requires that different levels of risk probability and impact, that
are specific to the project context, be defined.

 Probability and impact matrix – This is a grid for mapping the probability of
each risk occurrence and its impact on project objectives if that risk occurs.
Risks are prioritised according to their potential implications for having an
effect on the project’s objectives.

 Stakeholder risk appetite – Stakeholders’ risk-taking ability is expressed as

risk threshold.

 Reporting formats – Defines how the outcomes of the risk management

process will be documented, analysed and communicated. It describes the
content and format of the Risk Register as well as any other risk report

5
Reading Material

required.

 Tracking – Documents how risk activities will be recorded for the benefit of
the current project and how risk management processes will be audited.

11.7 Identify Risks

Identify Risks is the process of identifying individual project risks as well as sources of
overall project risk and documenting their characteristics.

The key benefit of this process is the documentation of existing individual project risks
and the sources of overall project risk.

This is part of planning process group.

11.8 Identify Risks – ITTOs

The inputs to the ‘Identify Risks’ process include:

 Project Management Plan

 Requirements Management Plan

 Schedule Management Plan

 Cost Management Plan

 Quality Management Plan

 Resource Management Plan

 Risk Management Plan

 Scope Baseline

 Schedule Baseline

 Cost Baseline

 Agreements

 EEF

 OPA

 Project Documents

 Assumption Log

6
Reading Material

 Cost Estimates

 Duration Estimates

 Issue Log

 Lessons Learned Register

 Requirements Documentation

 Resource Requirements

 Stakeholder Register

 Procurement Documentation

The various tools and techniques that may be used for identifying risks are:

 Expert Judgement

 Data Gathering

 Brainstorming

 Checklists

 Interviews

 Interpersonal and team skills

 Facilitation

 Prompt Lists

 Data Analysis

 Root Cause Analysis

 Assumption and Constraint Analysis

 SWOT Analysis

 Document Analysis

 Meetings

The output from this process are

 Risk Register

7
Reading Material

 Risk Report

 Project Documents Updates

 Assumption Log

 Issue Log

 Lessons Learned Register

SWOT analysis is a technique used for identifying Strengths, Weaknesses,

Opportunities, and Threats of a project. Strengths and weaknesses are internal to the
project whereas, opportunities and threats are external to the project. The analysis could
yield a lot of relevant information for identifying risks – both positive and negative.

Prompt Lists is a predetermined list of risk categories and act as sources of identifying
individual or overall project risk. Some of the strategic frameworks that are used in an
organisation to find the sources from where the risk originates include:

 PESTLE—Political, Economic, Social, Technological, Legal, Environmental

 TCOP—Technical, Environmental, Commercial, Operational, Political

 VUCA—Volatility, Uncertainty, Complexity, Ambiguity

The primary output from Identify Risks is the initial entry into the Risk Register. Apart
from a list of all initial risks identified, the Risk Register documents the results of risk
analysis and risk response planning are recorded. The list of identified risks are
described with a unique identifier. Potential risk owners are identified and confirmed
during qualitative risk analysis. Potential responses to a risk may sometimes be
identified during the Identify Risks Process. These should also be confirmed during the
Plan Risk responses process.

Risk Report includes:

 Sources of risk

 Summary information like threats, opportunities, categories, metrics, trends,

etc.

 Updates across all processes.

11.9 Perform Qualitative Risk Analysis

Perform Qualitative Risk Analysis is the process of prioritizing risks for further analysis

8
Reading Material

or action by assessing their probability of occurrence and impact as well as other

characteristics.

The key benefit of this process is that it focuses efforts on high priority risks.

This process is part of the Planning process group.

11.10 Perform Qualitative Risk Analysis – ITTOs

The key inputs for the Perform Qualitative Risk Analysis process are:
 Project Management Plan

 Risk Management Plan

 Project Documents

 Assumption Log

 Risk Register

 Stakeholder Register

 EEF

 OPA

The tools and techniques that may be applied for performing qualitative risk analysis of
identified risks include:

 Expert Judgment

 Data Gathering

 Interviews

 Data Analysis

 Risk Data Quality Assessment

 Risk Probability and Impact Assessment

 Assessment of Other Risk Parameters

 Interpersonal and Team Skills

 Facilitation

 Risk Categorization

9
Reading Material

 Data Representation

 Probability and Impact Matrix

 Hierarchical Charts

 Meetings

Updates to project documents are the outputs from this process. That includes updates
to Assumption log, Issue log, Risk register and Risk Report.

The prioritization of risk is done through two values namely probability and impact.

Risk probability assessment investigates the likelihood that each specific risk will occur.

Risk impact assessment investigates the potential effect on a project objective such as
schedule, cost, quality, or performance – both negative effects and positive effects.

Probability and impact grid mapping or matrix helps in ranking the risks. An example
of such a matrix is given below.

Fig 1: Probability and Impact Matrix

The probability categories are shown in the first column and the impact categories are
shown in the last row. The percentage is also shown in each of these cells. It may be
noted that there are two sections – threats and opportunities.

The probability percent is multiplied with the impact percent to get the score and assign
a rating. For example, a risk with high threat impact will have a percent of 0.4 and a
very high probability has a percent of 0.9. The multiplied figure for both these percent
results in 0.36 weight. This way scores are calculated for all identified risks. The risks
with higher scores are ranked higher and ones with lower scores are ranked lower.

10
Reading Material

11.11 Perform Quantitative Risk Analysis

Perform Quantitative Risk Analysis is the process of numerically analysing the

combined effect of identified individual project risks and other sources of uncertainty
on overall project objectives.

The key benefit of this process is that it quantifies overall project risk exposure, and it
can also provide additional quantitative risk information to support Risk Response
Planning.

This process is part of the Planning process group.

Some of the guidelines for this process are:

 Not required for all projects

 Mostly appropriate for large or complex projects, strategically important

projects

 Uses information from qualitative risk analysis process

 Outputs of this process are used for risk response planning.

11.12 Perform Quantitative Risk Analysis – ITTOs

The information inputs that are useful in performing the quantitative risk analysis are:

• Project Management Plan

• Risk Management Plan

• Scope Baseline

• Schedule Baseline

• Cost Baseline

• EEF

• OPA

• Project Documents

• Assumption Log

• Basis Of Estimates

• Cost Estimates

11
Reading Material

• Cost Forecasts

• Duration Estimates

• Milestone List

• Resource Requirements

• Risk Register

• Risk Report

• Schedule Forecasts

The tools and techniques that can be effectively used for quantitative risk analysis
include:

• Expert Judgment

• Data Gathering

• Interviews

• Interpersonal and team skills

• Facilitation

• Representations of uncertainty

• Data Analysis

• Simulation

• Sensitivity Analysis

• Decision Tree Analysis

• Influence Diagram

Updates to project documents are the main outputs from this process. The updates are
made to the Risk Report.

11.13 Decision Tree

A Decision Tree helps in understanding the degree of risk, based on Expected Monetary
Value (EMV) calculations. Let us see an example where a decision needs to be made on
whether to buy or upgrade. EMV for upgrade is better than for buying, by $10M. So, it
is better to upgrade.

12
Reading Material

Fig 2: Decision Tree

11.14 Plan Risk Responses

Plan Risk Responses is the process of developing options, selecting strategies and
agreeing on actions to address overall project risk exposure, as well as to treat
individual project risks.

The key benefit of this process is that it identifies appropriate ways to address overall
project risk and individual project risks.

This process belongs to the Planning process group.

11.15 Plan Risk Responses – ITTOs

The key inputs for Plan Risk Responses are:

• Project Management Plan

• Resource Management Plan

• Risk Management Plan

• Cost Baseline

• EEF

• OPA

• Project Documents

13
Reading Material

o Lessons Learned Register

o Project Schedule

o Project Team Assignments

o Resource Calendar

o Risk Register

o Risk Report

o Stakeholder Register

The tools and techniques that may be used for Plan Risk Responses are:

• Expert Judgment

• Data Gathering

• Interviews

• Interpersonal and Team Skills

• Facilitation

• Strategies for threat

• Escalate

• Avoid

• Mitigate

• Transfer

• Accept

• Strategies for opportunities

• Escalate

• Exploit

• Share

• Enhance

• Accept

14
Reading Material

• Contingent response strategies

• Strategies for overall project risk

• Data Analysis

• Alternative Analysis

• Cost Benefit Analysis

• Decision Making

• Multicriteria Decision Analysis

Change Requests, updates to Project Management Plan and other project documents are
the key outputs from this process.

11.16 Strategies for Threats

Different strategies may be applied for responding to identified risks.

Risk Escalate is appropriate when the project team or the project sponsor agrees that a
threat is outside the scope of the project or that the proposed response would exceed
the project manager’s authority.

Risk Avoidance is a risk response strategy whereby the project team acts to eliminate
the threat or protect the project from its impact.

Risk Transfer is a strategy whereby the project team shifts the impact of the threat to a
third party, together with ownership of the response.

In case of Risk Mitigation the project team acts to reduce the probability of occurrence
of impact of a risk.

One common strategy for threats and opportunities is Accept.

In case of Risk Acceptance the project team decides to acknowledge the risk and not
take any action unless the risk occurs.

11.17 Strategies for Opportunities

Similarly, in the case of opportunities also, a number of strategies may be applied.

Risk Escalate is appropriate when the project team or the project sponsor agrees that an
opportunity is outside the scope of the project or that the proposed response would
exceed the project manager’s authority.

15
Reading Material

Where an Exploit strategy is selected, the organisation wishes to ensure that the
opportunity is realized.

In case of Enhance strategy, the aim is to increase the probability and/or the positive
impacts of an opportunity. Key drivers are identified and maximized to increase the
probability of occurrence of the opportunity.

Sharing a positive risk involves allocating some or all of the ownership of the
opportunity to a third party who is best able to capture the opportunity for the benefit
of the project.

And last strategy is Accept. Accepting an opportunity is being willing to take advantage
of the opportunity if it arises, but not actively pursuing it.

11.18 Implement Risk Responses

Implement Risk Responses is the process of implementing agreed upon risk response
plans.

The key benefit from this process is that it ensures that agreed-upon risk responses are
executed as planned in order to address overall project risk exposure, minimise
individual project threats and maximise individual project opportunities.

This process is part of the Executing process group.

11.19 Implement Risk Responses – ITTOs

Inputs to the Implement Risk Responses process are:

• Project management plan

• Risk Management Plan

• Project Documents

• Lessons Learned Register

• Risk Register

• Risk Report

• EEF

• OPA

The tools and techniques that may be applied to control risks include:

16
Reading Material

• Expert Judgment

• PMIS

• Interpersonal and Team Skills

• Influencing

The main outputs from this process are:

• Change Requests

• Project Documents Updates

• Issue Log

• Lessons Learned Register

• Project Team Assignments

• Risk Register

• Risk Report

11.20 Monitor Risks

Monitor Risks is the process of monitoring the implementation of agreed upon risk
response plans, tracking identified risks, identifying and analysing new risks, and
evaluating risk process effectiveness throughout the project.

The key benefit from this process is that it enables project decisions to be based on
current information about overall project risk exposure and individual project risks.

This process is part of the Monitoring and Controlling Process Group.

11.21 Monitor Risks  ITTOs

The inputs to Monitor Risks process are:

• Project Management Plan

• Risk Management Plan

• Project Documents

• Issue Log

• Lessons Learned Register

17
Reading Material

• Risk Register

• Risk Report

• Work Performance Data

• Work Performance Reports

The tools and techniques that may be applied to Monitor Risks include:

• Data Analysis

• Technical Performance Analysis

• Reserve Analysis

• Audits

• Meetings

The main outputs from this process are:

• Work Performance Information

• Change Requests

• Project Management Plan Updates

• Any Component Of Project Management Plan

• Project Documents Updates

• Assumption Log

• Issue Log

• Lessons Learned Register

• Risk Register

• Risk Report

• OPA Updates

Risk audits examine and document the effectiveness of the risk responses in dealing
with identified risks and their root causes.

Risk audits also check the effectiveness of the risk management process.

18
Reading Material

The project manager is responsible for ensuring that risk audits are performed at an
appropriate frequency as defined in the project’s risk management plan and may be
included during routine project review or separate risk meetings.

11.22 Trends and Emerging Practices

Trends and emerging practices in Project Risk Management include non-event risk,
project resilience and integrated risk management.

Some of the risks can be easily identified during the Project Charter level or during the
Planning process group. A few examples of such risks are scenarios in which a
customer changes requirements, a resource leaves in the middle of a project, etc. These
can be identified during Planning and are called Event-based risks.

But now the trend is identifying Non-event risks. Which are further classified as
Variability Risk and Ambiguity Risk.

Variability risk is seen in scenarios where uncertainty exists about some key
characteristics of planned event or activity. Examples of such scenarios are defects may
be lower or higher, productivity may increase or decrease, variations in climatic
conditions and other such instances.

Ambiguity risk is seen in instances where uncertainty exists about what might happen
in the future. For example, instances of regulatory changes, technical complexity and
other such issues.

If you recall an earlier discussion under types of Reserves, one of them we covered was
unknown unknown risks. Such risks can be recognized only after they occur and can
prove very dangerous to the project. This can be tackled through project resilience. This
requires budget and schedule contingency in addition to budget for known risk, flexible
project processes including change management, empowering project teams who you
can trust to get the job done with agreed upon limits, frequent review of early warning
signs to identify emergent risk and clear input from stakeholders so that adjustment of
scope and strategy in response to emergent risk can be done.

An example of such a measure is to have additional 10 % budget, for the unknown risk
in addition to the planned budget.

The other trend is Integrated Risk Management. Let us assume that a project is part of
program or portfolio. A risk, identified at a high level may be delegated to a project
team. Similarly, the risk which is identified at project level and beyond control of

19
Reading Material

project team is escalated to higher level. This builds greater value.

For example, despite a project under the Telecom program getting all the requirements
clarified at the project level, it may still have an impact at the program level.

Such situations are beyond the control of the project manager: he or she should notify
the program manager so that appropriate action is taken.

11.23 Tailoring Considerations

Tailoring considerations include Project Size, Project Complexity, Project Importance

and Development Approach.

Tailoring for risk management approach is required based on project size. The size is in
terms of budget, duration, scope, team, etc. For example, for a short duration like 6
months or below Perform Quantitative Risk Management process may not be required.
Qualitative Risk Analysis itself may be enough.

Risk approach differs based on project complexity in terms of technology, innovation

requirements, external dependencies, etc. For example, if the technology is new then we
may have to consider additional time or budget contingency instead of normal. If under
normal condition a reserve of 10% is considered then with this approach the bar should
be raised to at least 15%.

Project risk approach also differs based on project importance to the organisation. For
example, for the projects which you are carrying out has value creation features because
of which you may get more business opportunities than revenue generation then there
may be blocks to organisational performances. Here the risk management approach
should be again different.

Different development approach calls for different risk management approaches. For
example, for agile development life cycle approach the risk is addressed at the start of
each iteration as well as during the execution unlike the other development approaches
where risk is addressed mostly in only planning.

These tailoring decisions are considered as part of the Plan Risk Management process
and the decisions are captured in the Risk Management Plan.

11.24 Consideration of Agile / Adaptive Environment

For Risk Management some of the agile considerations are:

20
Reading Material

• Frequent reviews of incremental work products

• Cross functional project teams to accelerate knowledge

• Risk management done during each iteration

• Update, reprioritize requirements document regularly based on current risk

exposure.

11.25 Summary:

Let us summarise the key takeaways from this lesson:

 Project Risk Management includes the processes of conducting risk management

planning, identification, analysis, response planning, response implementation
and monitoring risk on a project.

 How much of risk one can take is based on a parameter called risk appetite. The
definition of risk appetite is the degree of uncertainty an organisation or
individual is willing to accept in anticipation of a reward.

 There are seven project Risk management processes namely Plan Risk
Management, Identify Risks, Perform Qualitative Risk Analysis, Perform
Quantitative Risk Analysis, Plan Risk Responses, Implement Risk Responses and
Monitor Risks.

 Different strategies such as Risk Escalate, Risk Avoidance, Risk Transfer, Risk
Mitigation, Risk Acceptance are used to deal with project risks.

 A number of strategies such as Risk Escalate, Exploit, Enhance, Sharing and

Accept, may be used by the project team to handle opportunities in a way that
benefits projects.

 Risk audits also check the effectiveness of the risk management process.

11.26 Reference

• Project Management Institute, A Guide to the Project Management Body of

Knowledge, (PMBOK® Guide), – Sixth Edition, Project Management Institute
Inc., 2018

21