Project Risk Management

Lecture objectives

At the end of the lecture students should be able to:


Define a risk

Define a project risk

Explain characteristics and categories of risks

Explain the Risk mgt process
 What is A Risk
• Risk is defined as the effect of uncertainty on
objectives of a project. The effect may be
positive or negative. (ISO 31000)
• Uncertain event or condition that if it occurs
has a positive or negative effect on a project
objectives
 What is a project risk
A Project risk is an uncertain event or condition
that if it occurs, has a positive or negative
effect on at least one project objective, such
as time, cost, scope and/or quality (eg
deliverance within the agreed schedule or
budget. (PMBOK)
 Risk Categories
• Technical/quality or performance risks – These include risks associated with
un proven technology, complex technology, or changes to technology anticipated
during the course of the project. They may also include un realistic performance
goals.
• Project Management risks: This includes improper schedule and resource
planning, poor project planning and improper or poor project management
disciplines or methodologies
• Organizational risks: These include resource conflicts due to multiple projects
occurring at the same time in the organization; scope, time and cost objectives
that are unrealistic given the organization’s resources or structure and lack of
funding for the project or diverting funds from this project to other projects.
• External risks: These include things external to the project such as new laws or
regulations, labour issues, weather, changes in ownership,foreign policies.
Catastrophic risks known as force majeure-beyond the scope of risk
management planning and instead require disaster recovery techniques.
 Risk Classification

Risks are classified according to:

• The project objectives
• Sources
• Project life cycle
• Degree of control (Controllable and uncontrollable)
• Pure (Insurable) and speculative (threats and opportunities)
• Availability of information (Known and unknown)
• Internal and external risks
• Level of risks (probabilities and consequences)
 Risk Attributes/Characteristics

• Risk has a future focus

• Risk has alternative possibilities
• Risk deals with probabilities
• Risk requires information (ranging from total uncertainty
to total certainty)
• Risk must affect the project objectives
 Risk Components
• Causes
• Event
• Effects
 Risk Management
Difficult to define because of many perspectives arising from professional biases.

• The management of pure or non speculative risks to which the assets, personnel and income
of a business are expected (Insurer Broker)

• The art and science of identifying, assessing and responding to project risk throughout the
life of a project and in the best interests of its objectives (Wideman)

• Risk management is the process of identifying, assessing and prioritizing of risks followed by
coordinated and economical application of resources to minimize, monitor and control the
probability and or impact of unfortunate events or to maximize the realization of
opportunities. (ISO 31000)

• Project Risk Management includes the processes of conducting risk management planning,
identification, analysis, response planning and controlling risk on a project. The major
objectives of project risk management are to increase the likelihood and impact of positive
events, and decrease the likelihood and impact of negative events in the project.(PMBOK)
 Risk Mgt Process

• Plan Risk Management – process of defining how to conduct risk management

activities for a project.
• Identify Risk – determining which risks may affect the project and documenting
their characteristics
• Perform Qualitative Risk Analysis – prioritizing risks for further analysis or
action by assessing and combining their probability of occurrence and impact.
• Perform Quantitative Risk Analysis – numerically analyzing the effect of
identified risks on overall project objectives
• Plan Risk responses - Developing options and actions to enhance opportunities
and to reduce threats to project objectives
• Control Risk – process of implementing risk response plans, tracking identified risks,
monitoring residual risks, identifying new risks, and evaluating risk process effectiveness
throughout the project.
 Plan Risk Mgt

This is the process of defining how to conduct risk management activities for a project.
Risk management plan is vital to communicate with and obtain agreement and
support frol all stakeholders to ensure risk management process is supported and
performed effectively over the project life cycle.
Inputs:

Project management plan

Project charter

Stakeholders' register

Enterprise environmental factors

Organizational process assets
 Plan Risk Mgt
Tools and Techniques:

Analytical technique

Expert judgment

Meetings

Output:
Risk management plan
 Risk Management Plan
This describes how risk management activities will be structured and performed. Risk Mgt Plan includes the
following:
• Methodology: Defines approaches, tools, and data sources that will be used to perform risk
management on the project.
• Roles and responsibilities: defines the lead, support and risk management team members for
each type of activity in the management plan, and clarifies their responsibilities.
• Budgeting: Estimates funds needed, based on assigned resources, for inclusion in the cost baseline
and establishes protocols for application of contingency and management reserves
Timing : defines when and how often the risk mgt process will be performed throughout the PLC. It also
establishes protocols for application of schedule contingency reserves, and establishes risk mgt
activities for inclusion in the project schedule.
Risk categories: Categorize or groups potential risks and their causes . A risk breakdown structure
(RBS) in respect to risk categories(technical, external, organisational, prj mgt) is made
Risk probability and impact matrix: Estimate the probabilities of the risks happening and their
impacts on the project.(Prob & Impact Matrix)
 Risk mgt Planning (cont’d)

• Risk contingency planning: Always have a contingency plan (budget) which is normally
based on the qualitative and quantitative analysis of the risk on the project.
• Reporting Format: This details how risk mgt information will be maintained, updated,
analyzed and reported to project participants and stakeholders.
• Tracking – documentation on how activities will be recorded for the benefit of the current
project and how risk mgt processes will be audited.
 Identify Risks
This is where one determines which risk might affect the project and documents their
characteristics.
INPUTS:
Risk, Cost, Schedule, Quality, Human Resource, Scope, management plans

Activity duration estimates

Activity cost estimates

Stakeholders' register

Project documents

Procurement documents

Enterprise environmental factors

Organizational process assets
 Identify Risks (T & T )
Tools and Techniques:
• Documentation reviews – eg previous project files, and agreements
• Information gathering techniques – Brain storming, Delphi technique (consensus of experts), Interviewing,
Root cause analysis
• Scenario based: Create scenarios and identify risks that can come out of them.
• Taxonomy: a questionnaire about risks is compiled and the answers to the questions reveal risks. Also
Brainstorming, Delphi technique, Interviewing, Root Cause identification, SWOT analysis. (see CMU/SEI-93-
TR-6)
• Checklist analysis: based on historical information and previous project team experience
• Assumption analysis : This explores the validity of assumptions, hypotheses, or scenarios as they apply to
the project. It identifies risks to the project from inaccuracy, inconsistency, or incompleteness of
assumptions.
• Diagramming Technique: Cause-and-effect diagrams (Ishikawa or fishbone diagrams), System or process
flow charts, and Influence diagrams especially in sequential activities
• SWOT Analysis
• Expert judgment

OUTPUTS – RISK REGISTER (List of identified risks, List of potential responses.

 Perform Qualitative risk analysis
This is the process of prioritizing risks for further analysis or action by assessing and combining their
probability of occurrence and impact. This is done by use of Probability and Impact Matrix.
INPUTS:

Risk management plan

Scope baseline

Risk register

Enterprise environmental factors

Organizational process assets
Tools and Techniques

Risk probability and impact assessment

Probability and impact matrix

Risk data quality assessment (how useful data about risk is)

Risk categorization

Risk urgency assessment (how urgent the risk needs attention)

Expert judgment
OUTPUTS: Project document updates - Risk register updates Assumption log updates
 Perform Quantitative risk analysis

This is the process of numerically analyzing the effect of identified risks on

overall project objectives. It produces quantitative risk information to
support decision making in order to reduce project uncertainty.
INPUTS:

Risk management plan

Cost management plan

Schedule management plan

Risk register

Enterprise environmental factors

Organizational process assets
 Perform Quantitative risk analysis

Tools and Techniques


Data gathering and presentation techniques

Quantitative risk analysis and modeling techniques (Sensitivity analysis, expected
monetary value analysis, modeling and simulation)

Probability and impact matrix

Expert judgment

OUTPUTS:

Project documents updates (Prioritized list of quantified risks, Trends in quantitative risk
analysis results, Probability of achieving cost and time objectives)
 Plan Risk responses

Developing options and actions to enhance opportunities and to reduce threats to

project objectives.
INPUTS:

Risk management plan

Risk register
Tools and Techniques:

Strategies for negative risks or threats

Strategies for positive risks or opportunities

Contingency response strategies

Expert judgment
OUTPUTS: Project management plan updates and Project document updates
 Plan Risk responses -strategies for negative risks or threats
Avoid the risk: Eliminate the condition that is causing the risk eg risks associated with a particular
service provider can be avoided if another one is secured.

Move the risk/transfer : This is where you give the responsibility of managing the risk to
another entity or third party eg subcontracting, insurance.

Mitigating the risk: Put in place a set of steps to ensure that the risk does not occur and if it
does then the negative impact of the risk is minimized eg use of UPS.

Accept the risk and learn from it: The project manager might look at the risk and decide to
do nothing about it , this happens because the potential impact of the risk on the project is not
substantial enough to require a response.

Monitor the risk: Monitor the risk to see whether it is more or less likely to occur as time
goes on. If it is more likely to occur the project risk team may formulate a difference response at
a later time.
Plan Risk responses- strategies for positive risks or opportunities

There are three major responses when dealing with potentially positive
impacts on project objectives . They are to exploit, share and enhance.
• Exploit: eg a risk that would get a project completed earlier than
schedule or one that would increase the quality of the product.
• Share: allocating ownership to a third party who is best able to capture
the opportunity for the benefit of the project.
• Enhance: Increasing the probability of the risk or facilitating or
strengthening the cause of the opportunity and pro-actively targeting and
reinforcing its trigger conditions might increase probability.
• Accept: accepting an opportunity is being willing to take advantage of the
opportunigy if it arises, but not actively pursuing it.
 Risk monitoring and controlling
• This is the process of implementing risk response plans, tracking identified risks,
monitoring residual risks, identifying new risks, and evaluating risk process
effectiveness throughout the project.
• Continuously monitor and control the risk throughout the PLC.
• Remember to document any information in relation to any risk and communicate
it to the relevant personnel.
• Effective risk management requires a reporting and review structure to ensure
that risks are effectively identified and assessed and that appropriate controls and
responses are in place.
 Risk monitoring and controlling
Inputs: Tools and techniques:

Project management plan 
Risk assessment

Risk register

Work performance data

Risk audits

Work performance reports 
Variance and trend analysis

Reserve analysis

Meetings

Outputs:

Work performance information

Change requests

Project management plan updates

Project document updates

Organizational process assets updates
 10 Golden Rules of Project Risk Management(Bart Jutte )

• Rule 1: Make Risk Management Part of Your Project

• Rule 2: Identify Risks Early in Your Project
• Rule 3: Communicate About Risks
• Rule 4: Consider Both Threats and Opportunities
• Rule 5: Clarify Ownership Issues (who is responsible for which risk)
• Rule 6: Prioritise Risks
• Rule 7: Analyse Risks
• Rule 8: Plan and Implement Risk Responses
• Rule 9: Register Project Risks
• Rule 10: Track Risks and Associated Tasks

The 10 golden risk rules above give you guidelines on how to implement risk management
successfully in your project. However, keep in mind that you can always improve. Therefore
rule number 11 would be to use the Japanese Kaizen approach: measure the effects of your
risk management efforts and continuously implement improvements to make it even better.