Project Risk

Management
 Project risk is a potential source of deviation
from the project plan. Project risks can have
negative or positive impact on the project.

 Project risks that are negative are called

threats.

 Project risks that are positive are called

opportunities.
Attitudes Toward Risk

◦ Clinically depressed people

judge risks more
accurately than ‘normal’
people do.

◦ ‘Safe as houses’ – real

estate will always go up.

◦ ‘Everything will be OK’

◦ Darwin awards

◦ Other examples?
‘Get ‘r done!’ – No matter
what?

From Pamela S. Evers, ‘Business and Contract Law’, Cameron School of Business Executive Certificate Program
 Types of Project Risks
1. Direct Risks to the Success of the Project 2. Other Risks

◦ Health and safety

◦ Environmental
Time The Cost
Iron ◦ Legal
Triangle ◦ Others?

Scope
(Quality)
The Biggest Risk of All
 Risk Management Processes
Process Project Phase Key Deliverables

Plan Risk Management Planning Risk Management Plan

Identify Risks Planning Risk register

Perform Qualitative Risk
Planning Risk register updates
Analysis

Perform Quantitative Risk

Planning Risk register updates
Analysis

Risk related contract

Plan Risk Responses Planning
decisions

Monitor and Control Risks Monitoring and Controlling Risk register updates
Risk Management Process
 Risk
◦ Uncertain or chance events that planning can not
overcome or control.
 Risk Management
◦ A proactive attempt to recognize and manage
internal events and external threats that affect
the likelihood of a project’s success.
 What can go wrong (risk event).
 How to minimize the risk event’s impact
(consequences).
 What can be done before an event occurs
(anticipation).
 What to do when an event occurs (contingency
plans).
Risk Management’s
Benefits
 A proactive rather than reactive approach.
 Reduces surprises and negative
consequences.
 Prepares the project manager to take
advantage
of appropriate risks.
 Provides better control over the future.
 Improves chances of reaching project
performance objectives within budget and on
time.
The Risk Management Plan
The risk management plan does not detail
the planned responses to individual risks
within the project-this is purpose of the risk
response plan. The risk management plan is
responsible for determining:
 How risks will be ID
 How quantitative and qualitative analysis will be
completed
 How risk response planning will happen
 How risks will be monitored
 How ongoing risk management activities will
happen throughout the project lifecycle
Meeting to create the Risk
Management Plan
Attendees should include:

 Project Manager
 Project team leaders
 Key stakeholders
 Personnel specific to risk management
 Others
Categories of Risk to Project
Success
1. Technical, quality or performance risks: People,
equipment or technology used on the project are not
able to do the job properly

2. Organizational risks: Unreasonable expectations,

misaligned processes, requirements, constraints,
inadequate funding or resources, etc.

3. External risks: Legal and labor issues, regulations,

politics, economic shifts, weather

4. Project management risks: Misallocation or poor

management of time and resources, poor
understanding of project scope or objectives

Examples?
Preparing for Murphy’s Law

◦ What might cause scope creep or poor quality?

◦ What might cause work to be delayed?

◦ What might cause costs to increase?

◦ What might cause the project to generate ‘negative

externalities’? (e.g. health/safety, environment, etc.)
Ways to Identify Risks
◦ Brainstorm with team members – using SWOT
analysis, Ishikawa cause-and-effect diagrams, flow
charts, influence diagrams or other tools

◦ Interview customers, partners, other stakeholders

◦ Use the Delphi technique (anonymous inquiry)

◦ Work ‘backwards’ from effects through proximate

causes to root causes – ask ‘why?’ five times.

◦ Identify risks through interviews.

◦ Identify and examine all assumptions!

Analyzing Assumptions

◦ Probability: How reliable is the information

underlying the assumption – how likely is it to be
wrong?

◦ Impact: How badly would the project be affected if

the assumption is wrong?
 Understanding Risks through
Assumptions
High

Medium Priority
High Priority Risks
Risks

Probability

Medium Priority
Low Priority Risks
Risks

Low

Low High
Impact
Influence Diagrams
 Three Ways to Manage Risks

High

Medium Priority
High Priority Risks
Risks

Probability

Medium Priority
Low Priority Risks
Risks

Low

Low High
Impact
Creating a Risk Register
 Risks

 Potential responses

 The root cause of risk

 Updates risk categories

Qualitative risk
analysis
Qualifying the risks that have
been identified; subjectively
Steps in Qualitative Risk
Analysis
1. Identify risks

2. Prioritize risks by
probability and impact

3. Identify risks that require

more analysis

4. Highlight risks to be
addressed first
Creating a Risk Register
Probability Impact Score
Risk

Merged systems fail to Low High Moderate

communicate
Internet connectivity is lost High Low Moderate

Customer data is lost High Moderate High

Client does not accept Moderate High High

recommendations
Client accepts Moderate Moderate Moderate
recommendations, but does
not implement
Project staff are kidnapped Low High Moderate

Funding ceases before Moderate Low Moderate

completion of project
Numerical Risk Register
Probabilit Impact Score
Risk
y
Merged systems fail to 0.5 4 2
communicate
Internet connectivity is lost 0.75 2 1.5

Customer data is lost 0.75 3 2.25

Client does not accept 0.5 5 2.5

recommendations
Client accepts recommendations, 0.50 3 1.5
but does not implement
Project staff are kidnapped 0.25 5 1.25

Funding ceases before completion 0.5 2 1

of project
The ‘RAG’ Risk Register
Probabilit Impact Score
Risk
y
Merged systems fail to Low High Amber
communicate
Internet connectivity is lost High Low Amber

Customer data is lost High Moderate Red

Client does not accept Moderate High Red

recommendations
Client accepts Moderate Moderate Amber
recommendations, but does not
implement
Project staff are kidnapped Low High Amber

Funding ceases before Moderate Low Amber

completion of project
Assessing Risks – Key
Considerations
◦ Data precision: How much do we really know
about probability and impact? (assumptions!)

◦ Reporting bias: Does the person who

generated the information have a reason to
under/over estimate probability or impact?

◦ Timing: Is the risk imminent, medium-term or

distant? Imminent risks require greater
attention.

Update the risk register regularly!

Quantitative Risk
Analysis
Numerically assessing the
probability and impact of
identified risks
Goals of Quantitative Risk
Analysis
 Ascertain the likelihood of reaching project
success
 Ascertain the likelihood of reaching a

particular project objective

 Determine the risk exposure for the project
 Determine the likely amount of contingency

reserve needed
 Determine the risks with the largest impact
 Determine realistic, time, cost, scope

targets
Inputs for Quantitative
Analysis
 Risk register

 Risk management plan

 Cost management plan

 Schedule management plan

 Organizational process assets

Notes on Quantitative Risk
Analysis
◦ Risk distribution: Describes relationship between impact
and probability: uniform, normal, triangular, beta or
logonormal.

◦ Sensitivity analysis: Assesses impact on the project

(cost, time, scope/quality) of various risk outcomes

◦ Expected monetary value: Quantifies financial impact of

a given risk based on the probability that it will occur.
(Value-at-Risk)

◦ Decision trees: Quantifies probabilities in order to

determine the best outcome (highest expected value)

◦ Monte-Carlo and other simulations: Use computer

algorithms to simulate decision-making in a complex
environment.
 Expected Scenario
Monetary 1
Value (EMV)
Best case provides a
20% probability of BC = 20% X $180,000= $36,000
making $180,000

Worst case provides a

15% probability of WC = 15% X(-$20,000) =(-$3,000)
loosing [-$20,000]

Most likely case

provides a 65%
MLC = 65% X $75,000 = $48,750
probability of making $
75,000

Total Expected Monetary Value 100% $81,750

 Expected Monetary Value (EMV)
Scenario 2

Best case provides a

15% probability of BC=15% X $200,000 =$30,000
making $200,000
Worst case provides a
25% probability of WC= 25% X $ 15,000 = $ 3,750
making $15,000
Most likely case
provides a 60%
MLC=60% X $45,000 = $27,000
probability of making
$45,000
Total Expected Monetary Value 100% $60,750

which scenario do you choose? Number one, because it has the highest EMV, or
$81,750
Decision Trees
Failure Mode and Effect
Analysis (FMEA)
 List ways project might fail
 Evaluate severity (S) of each failure
 Estimate likelihood (L) of each failure

occurring
 Estimate ability to detect each failure (D)
 Calculate Risk Priority Number (RPN)
 Sort potential failures by their RPNs
Preparing for Risk
Response
Tools and Techniques for Risk
Response Planning
 Strategies for negative risks or threats

 Strategies for positive risks and

opportunities

 Strategies for both threats and

opportunities

 Contingent response strategy

Strategies for Negative Risk

◦ Avoid: Change some element of the project to

remove the risk entirely.

◦ Transfer: Move ‘ownership’ of all or part of the risk

to a third party.

◦ Mitigate: Take steps in advance to reduce either

the impact or the probability of the risk, or both.

Examples?
Strategies for Positive Risk or
Opportunities
 Exploit: looking for opportunities for positive
impacts, you want to make sure it will occur on
the project.

 Share: similar to transferring, assigning risk to a

third party who may be best able to exploit the
opportunity.

 Enhance: entails watching for and emphasizing

risk triggers to assure the organization realizes
the benefits.
Strategies for Both Threats and
opportunities
 Acceptance strategy:
◦ Passive acceptance: you make no plans to try and
avoid or mitigate the risk, your willing to accept
the consequences

◦ Active acceptance: developing contingency

reserves to deal with risks should they occur
Contingency Reserve Planning
1. Estimate the percentage probability of each risk occurring

2. Calculate the dollar value of its impact (negative)

3. Multiply the two to get the expected value

4. Add up expected value of all down-side risks

5. Offset with the expected value of any up-side opportunities

6. Sum is the recommended contingency reserve.

Contingency Reserve Planning

Probabilit Expected
Risk Impact
y Value
Travel costs
33% - $3000 - $1000
increase

Initial analysis
25% - $12,500 -$3125
takes more time

Client requests
10% -$5,000 -$500
further study

Initial analysis
25% +$12,500 +$3125 (?)
takes less time

What drives the monetary impact of each risk?

Four Possible Responses to
Every Risk
Risk  Use a proven rather than a new technology
Avoidance  Add more time to the project period
 Clarify scope and expected deliverables
Risk  Take out an insurance policy
Transferenc  Buy/require a performance bond
e
 Use a fixed-price contract with vendors

Risk  Bring in additional experts at critical points

Mitigation  Hold frequent up-date meetings with clients
 Use simulations, prototypes and pilot-tests
Risk  Include contingency funds in the project
budget
Acceptance  Understand impact of project failure
 Make contingency or ‘rescue’ plans in advance
Exercise: Identify the type of risk response strategy (avoid the
probability, mitigate the impact, transfer, exploit, enhance the
probability, enhance the impact, share, or accept) being described
Description of Strategy Name of Risk Response
Strategy
1 Remove a work package of activity from the project.
2 Assign a team member to visit the seller's
manufacturing facilities frequently to learn about a
problem with delivery as early as possible.
3 Move a work package to a date when a more
experienced resource is available to be assigned to the
project.
4 Begin negotiation for the equipment earlier than
planned so as to secure a lower price.
5 Outsource a work package so as to gain an opportunity.
6 Notify management that there could be a cost increase
if a risk occurs because no action is being taken to
prevent the risk.
Exercise: Identify the type of risk response strategy (avoid the
probability, mitigate the impact, transfer, exploit, enhance the
probability, enhance the impact, share, or accept) being described
Description of Strategy Name of Risk Response
Strategy
7 Remove a troublesome resource from the project.

8 Provide a team member who has limited experience

with additional training.

9 Train the team on conflict resolution strategies.

10 Outsource difficult work to a more experienced

company.

11 Ask the client to handle some of the work.

12 Prototype a risky piece of equipment.