Documente Academic
Documente Profesional
Documente Cultură
Table of Contents
11.2 Processes
1
Reading Material
11.25 Summary
11.26 Reference
Learning Objectives
Explain The processes under Project Risk Management and of course the
ITTO’s under each process.
The key objectives are to increase the probability and/or impact of positive risks and to
decrease the probability and/or impact of negative risks in order to optimise the chances
of project success.
Many people assume that risk is always negative. However, that is incorrect. It can be
positive also. If it is negative it is called a threat and if it is positive, it is an opportunity.
As a project manager you need to increase the probability of increasing positive risks
and if they are negative you should reduce the probability of occurrence of those risks.
2
Reading Material
There is no right or wrong answer for the Risk Management and decisions are taken
depending on the situation.
11.2 Processes
There are seven Project Risk Management processes namely Plan Risk Management,
Identify Risks, Perform Qualitative Risk Analysis, Perform Quantitative Risk Analysis,
Plan Risk Responses, Implement Risk Responses and Monitor Risks.
Plan Risk Management, Identify Risks, Perform Qualitative Risk Analysis, Perform
Quantitative Risk Analysis and Plan Risk Responses are part of the Planning process
group, Implement Risk Responses is part of the Executing process group and the last
process Monitor Risks is part of the Monitoring And Controlling process group.
3
Reading Material
Plan Risk Management is the process of defining how to conduct risk management
activities for a project.
The key benefit of adopting this process is that it ensures that the degree, type, and
visibility of risk management are proportionate to both risks and the importance of the
project to the organisation and other stakeholders.
The key inputs for the Plan Risk Management process are:
Project Charter
Project Documents
Stakeholder Register
Data analysis (stakeholder analysis), expert judgment, and meetings are the tools and
techniques that are generally used for this process.
The main output from this process is the Risk Management Plan
4
Reading Material
The Risk Management Plan describes how risk management activities will be structured
and performed. It is a component of the Project Management Plan and includes the
following information:
Methodology – Defines the approaches, tools, and data sources that will be
used to perform risk management on the project
Roles and responsibilities – Defines the lead, support, and risk management
team members for each type of activity in the risk management plan, and
clarifies their responsibilities
Funding – Estimates funding needs for inclusion in the cost baseline and
establishes protocols for application of contingency and management
reserves
Timing – Defines when and how often risk management process will be
performed throughout the project life cycle.
Risk categories – Provide a means for grouping potential causes of risk. Risk
break down structure is a common method that helps a project team look at
various sources from which project risk may arise in a risk identification
exercise.
Definitions of risk probability and impact – The quality and credibility of the
risk analysis requires that different levels of risk probability and impact, that
are specific to the project context, be defined.
Probability and impact matrix – This is a grid for mapping the probability of
each risk occurrence and its impact on project objectives if that risk occurs.
Risks are prioritised according to their potential implications for having an
effect on the project’s objectives.
5
Reading Material
required.
Tracking – Documents how risk activities will be recorded for the benefit of
the current project and how risk management processes will be audited.
Identify Risks is the process of identifying individual project risks as well as sources of
overall project risk and documenting their characteristics.
The key benefit of this process is the documentation of existing individual project risks
and the sources of overall project risk.
Scope Baseline
Schedule Baseline
Cost Baseline
Agreements
EEF
OPA
Project Documents
Assumption Log
6
Reading Material
Cost Estimates
Duration Estimates
Issue Log
Requirements Documentation
Resource Requirements
Stakeholder Register
Procurement Documentation
The various tools and techniques that may be used for identifying risks are:
Expert Judgement
Data Gathering
Brainstorming
Checklists
Interviews
Facilitation
Prompt Lists
Data Analysis
SWOT Analysis
Document Analysis
Meetings
Risk Register
7
Reading Material
Risk Report
Assumption Log
Issue Log
Prompt Lists is a predetermined list of risk categories and act as sources of identifying
individual or overall project risk. Some of the strategic frameworks that are used in an
organisation to find the sources from where the risk originates include:
The primary output from Identify Risks is the initial entry into the Risk Register. Apart
from a list of all initial risks identified, the Risk Register documents the results of risk
analysis and risk response planning are recorded. The list of identified risks are
described with a unique identifier. Potential risk owners are identified and confirmed
during qualitative risk analysis. Potential responses to a risk may sometimes be
identified during the Identify Risks Process. These should also be confirmed during the
Plan Risk responses process.
Sources of risk
Perform Qualitative Risk Analysis is the process of prioritizing risks for further analysis
8
Reading Material
The key benefit of this process is that it focuses efforts on high priority risks.
The key inputs for the Perform Qualitative Risk Analysis process are:
Project Management Plan
Project Documents
Assumption Log
Risk Register
Stakeholder Register
EEF
OPA
The tools and techniques that may be applied for performing qualitative risk analysis of
identified risks include:
Expert Judgment
Data Gathering
Interviews
Data Analysis
Facilitation
Risk Categorization
9
Reading Material
Data Representation
Hierarchical Charts
Meetings
Updates to project documents are the outputs from this process. That includes updates
to Assumption log, Issue log, Risk register and Risk Report.
The prioritization of risk is done through two values namely probability and impact.
Risk probability assessment investigates the likelihood that each specific risk will occur.
Risk impact assessment investigates the potential effect on a project objective such as
schedule, cost, quality, or performance – both negative effects and positive effects.
Probability and impact grid mapping or matrix helps in ranking the risks. An example
of such a matrix is given below.
The probability categories are shown in the first column and the impact categories are
shown in the last row. The percentage is also shown in each of these cells. It may be
noted that there are two sections – threats and opportunities.
The probability percent is multiplied with the impact percent to get the score and assign
a rating. For example, a risk with high threat impact will have a percent of 0.4 and a
very high probability has a percent of 0.9. The multiplied figure for both these percent
results in 0.36 weight. This way scores are calculated for all identified risks. The risks
with higher scores are ranked higher and ones with lower scores are ranked lower.
10
Reading Material
The key benefit of this process is that it quantifies overall project risk exposure, and it
can also provide additional quantitative risk information to support Risk Response
Planning.
The information inputs that are useful in performing the quantitative risk analysis are:
• Scope Baseline
• Schedule Baseline
• Cost Baseline
• EEF
• OPA
• Project Documents
• Assumption Log
• Basis Of Estimates
• Cost Estimates
11
Reading Material
• Cost Forecasts
• Duration Estimates
• Milestone List
• Resource Requirements
• Risk Register
• Risk Report
• Schedule Forecasts
The tools and techniques that can be effectively used for quantitative risk analysis
include:
• Expert Judgment
• Data Gathering
• Interviews
• Facilitation
• Representations of uncertainty
• Data Analysis
• Simulation
• Sensitivity Analysis
• Influence Diagram
Updates to project documents are the main outputs from this process. The updates are
made to the Risk Report.
A Decision Tree helps in understanding the degree of risk, based on Expected Monetary
Value (EMV) calculations. Let us see an example where a decision needs to be made on
whether to buy or upgrade. EMV for upgrade is better than for buying, by $10M. So, it
is better to upgrade.
12
Reading Material
Plan Risk Responses is the process of developing options, selecting strategies and
agreeing on actions to address overall project risk exposure, as well as to treat
individual project risks.
The key benefit of this process is that it identifies appropriate ways to address overall
project risk and individual project risks.
• Cost Baseline
• EEF
• OPA
• Project Documents
13
Reading Material
o Project Schedule
o Resource Calendar
o Risk Register
o Risk Report
o Stakeholder Register
The tools and techniques that may be used for Plan Risk Responses are:
• Expert Judgment
• Data Gathering
• Interviews
• Facilitation
• Escalate
• Avoid
• Mitigate
• Transfer
• Accept
• Escalate
• Exploit
• Share
• Enhance
• Accept
14
Reading Material
• Data Analysis
• Alternative Analysis
• Decision Making
Change Requests, updates to Project Management Plan and other project documents are
the key outputs from this process.
Risk Escalate is appropriate when the project team or the project sponsor agrees that a
threat is outside the scope of the project or that the proposed response would exceed
the project manager’s authority.
Risk Avoidance is a risk response strategy whereby the project team acts to eliminate
the threat or protect the project from its impact.
Risk Transfer is a strategy whereby the project team shifts the impact of the threat to a
third party, together with ownership of the response.
In case of Risk Mitigation the project team acts to reduce the probability of occurrence
of impact of a risk.
In case of Risk Acceptance the project team decides to acknowledge the risk and not
take any action unless the risk occurs.
Risk Escalate is appropriate when the project team or the project sponsor agrees that an
opportunity is outside the scope of the project or that the proposed response would
exceed the project manager’s authority.
15
Reading Material
Where an Exploit strategy is selected, the organisation wishes to ensure that the
opportunity is realized.
In case of Enhance strategy, the aim is to increase the probability and/or the positive
impacts of an opportunity. Key drivers are identified and maximized to increase the
probability of occurrence of the opportunity.
Sharing a positive risk involves allocating some or all of the ownership of the
opportunity to a third party who is best able to capture the opportunity for the benefit
of the project.
And last strategy is Accept. Accepting an opportunity is being willing to take advantage
of the opportunity if it arises, but not actively pursuing it.
Implement Risk Responses is the process of implementing agreed upon risk response
plans.
The key benefit from this process is that it ensures that agreed-upon risk responses are
executed as planned in order to address overall project risk exposure, minimise
individual project threats and maximise individual project opportunities.
• Project Documents
• Risk Register
• Risk Report
• EEF
• OPA
The tools and techniques that may be applied to control risks include:
16
Reading Material
• Expert Judgment
• PMIS
• Influencing
• Change Requests
• Issue Log
• Risk Register
• Risk Report
Monitor Risks is the process of monitoring the implementation of agreed upon risk
response plans, tracking identified risks, identifying and analysing new risks, and
evaluating risk process effectiveness throughout the project.
The key benefit from this process is that it enables project decisions to be based on
current information about overall project risk exposure and individual project risks.
• Project Documents
• Issue Log
17
Reading Material
• Risk Register
• Risk Report
The tools and techniques that may be applied to Monitor Risks include:
• Data Analysis
• Reserve Analysis
• Audits
• Meetings
• Change Requests
• Assumption Log
• Issue Log
• Risk Register
• Risk Report
• OPA Updates
Risk audits examine and document the effectiveness of the risk responses in dealing
with identified risks and their root causes.
Risk audits also check the effectiveness of the risk management process.
18
Reading Material
The project manager is responsible for ensuring that risk audits are performed at an
appropriate frequency as defined in the project’s risk management plan and may be
included during routine project review or separate risk meetings.
Trends and emerging practices in Project Risk Management include non-event risk,
project resilience and integrated risk management.
Some of the risks can be easily identified during the Project Charter level or during the
Planning process group. A few examples of such risks are scenarios in which a
customer changes requirements, a resource leaves in the middle of a project, etc. These
can be identified during Planning and are called Event-based risks.
But now the trend is identifying Non-event risks. Which are further classified as
Variability Risk and Ambiguity Risk.
Variability risk is seen in scenarios where uncertainty exists about some key
characteristics of planned event or activity. Examples of such scenarios are defects may
be lower or higher, productivity may increase or decrease, variations in climatic
conditions and other such instances.
Ambiguity risk is seen in instances where uncertainty exists about what might happen
in the future. For example, instances of regulatory changes, technical complexity and
other such issues.
If you recall an earlier discussion under types of Reserves, one of them we covered was
unknown unknown risks. Such risks can be recognized only after they occur and can
prove very dangerous to the project. This can be tackled through project resilience. This
requires budget and schedule contingency in addition to budget for known risk, flexible
project processes including change management, empowering project teams who you
can trust to get the job done with agreed upon limits, frequent review of early warning
signs to identify emergent risk and clear input from stakeholders so that adjustment of
scope and strategy in response to emergent risk can be done.
An example of such a measure is to have additional 10 % budget, for the unknown risk
in addition to the planned budget.
The other trend is Integrated Risk Management. Let us assume that a project is part of
program or portfolio. A risk, identified at a high level may be delegated to a project
team. Similarly, the risk which is identified at project level and beyond control of
19
Reading Material
For example, despite a project under the Telecom program getting all the requirements
clarified at the project level, it may still have an impact at the program level.
Such situations are beyond the control of the project manager: he or she should notify
the program manager so that appropriate action is taken.
Tailoring for risk management approach is required based on project size. The size is in
terms of budget, duration, scope, team, etc. For example, for a short duration like 6
months or below Perform Quantitative Risk Management process may not be required.
Qualitative Risk Analysis itself may be enough.
Project risk approach also differs based on project importance to the organisation. For
example, for the projects which you are carrying out has value creation features because
of which you may get more business opportunities than revenue generation then there
may be blocks to organisational performances. Here the risk management approach
should be again different.
Different development approach calls for different risk management approaches. For
example, for agile development life cycle approach the risk is addressed at the start of
each iteration as well as during the execution unlike the other development approaches
where risk is addressed mostly in only planning.
These tailoring decisions are considered as part of the Plan Risk Management process
and the decisions are captured in the Risk Management Plan.
20
Reading Material
11.25 Summary:
How much of risk one can take is based on a parameter called risk appetite. The
definition of risk appetite is the degree of uncertainty an organisation or
individual is willing to accept in anticipation of a reward.
There are seven project Risk management processes namely Plan Risk
Management, Identify Risks, Perform Qualitative Risk Analysis, Perform
Quantitative Risk Analysis, Plan Risk Responses, Implement Risk Responses and
Monitor Risks.
Different strategies such as Risk Escalate, Risk Avoidance, Risk Transfer, Risk
Mitigation, Risk Acceptance are used to deal with project risks.
Risk audits also check the effectiveness of the risk management process.
11.26 Reference
21