RISK MANAGEMENT

A project manager's work should not focus on dealing with problems; it should focus on preventing them! A

great project manager would have worked with his or her team to identify possible actions to take if a
hurricane was forecast for implementation weekend. When one actually was forecast, the team would then
have reacted according to the plan, probably moving the implementation to another weekend. This is the
science of risk management.
When you eliminate uncertainties, the estimates for work can decrease. Therefore, risk management saves time
and money on a project.
Plan Risk Management
Identify Risks
Perform Qualitative Risk Analysis
Monitor and Control Risk Responses
Plan Risk Responses
Perform Quantitative Risk Analysis

Planning process group

Planning process group
Planning process group
Planning process group
Planning process group
Monitoring and controlling

Uncertainty is a lack of knowledge about an event that reduces confidence in conclusions drawn from the data.
The work that needs to be done, the cost, the time. the quality needs, the communications needs, etc.,can be
uncertain. The investigation of uncertainties may help identify risks.
Risk Factors When looking at risk, one should determine:
.. The probability that it will occur (what)
~ The range of possible outcomes (impact or amount at stake)
.. Expected timing (when) in the project life cycle
~ The anticipated frequency of risk events from that source (how often)
Risk Averse Someone who does not want to take risks is said to be risk averse.
Risk Tolerances and Thresholds' Tolerances are the areas of risk that are acceptable or
unacceptable. For example. "a risk that affects our reputation will not be tolerated" Tolerance areas can
include any project constraints (such as scope, time, cost, quality, etc.),as well as reputation and other
intangibles that may affect the customer. A threshold is the point at which a risk becomes unacceptable.

Project background
information
Organizational risk tolerances

Information like correspondence from before the project was approved,

articles written about similar projects. and other such information will
help identify risks.
Knowing the areas of risk the organization is willing to accept helps
identify the impact of risks, the highest ranked risks, and which risk
response strategies you will use. (Part of eff )

The six sequential risk management processes are:

1. Plan Risk Management
2. Identify Risks
3.Perform Qualitative Risk Analysis
4. Perform Quantitative Risk Analysis
5. Plan Risk Responses
6. Monitor and Control Risk Responses

Outputs of Plan Risk Management PAGE 279 When you have completed risk management
planning, you should have the following:
~ Risk Management Plan The risk management plan may include:
~ Methodology This section defines how you will perform risk management for the particular
project
~ Roles and responsibilities Who will do what? Did you realize that non-team members may
have roles and responsibilities regarding risk management?
~ Budgeting This section includes the cost for the risk management process. Yes, you must
realize the cost of doing risk management, but know that risk management saves the project time and money
overall by avoiding or reducing threats and taking advantage of opportunities.
~ Timing This section talks about when to do risk management for the project.
~ Risk categories See the following section for more detail.
) Definitions of probability and impact Would everyone who rates the probability a "seven"
in qualitative risk analysis mean the same thing?
~ Stakeholder tolerances What if the stakeholders have a low risk tolerance for cost overruns?
That information would be taken into account to rank cost impacts higher than they would
if the low tolerance was in another area. Tolerances should not be implied, but uncovered in
project initiating and clarified or refined continually.
~ Reporting formats This describes any reports related to risk management that will be used
and what they will include.
>Tracking Take this to mean how the risk process will be audited, and the documentation of
what happens with risk management activities.
Expect the phrases "sources of risk" and "risk categories" to be used interchangeably on the exam.
Risk categories or sources of risks can be organized in an organizational chart or WBS-like format
called a risk breakdown structure, also referred to as an RBS.
Smart project managers begin looking for risks as soon as a project is first discussed. In fact, the
PMBOK" Guide lists high-level risks as an output of the creation of the project charter in integration
management. However, the major risk identification effort occurs during planning, as the scope baseline
(the project scope statement, WBS, and WBS dictionary) is an important input to risk identification.
Because risk identification primarily occurs during the initiating and planning process groups
The following are some risk identification tools and techniques.

Documentation Reviews What is and what is not part of the documentation, including the charter,
contracts, and planning documentation, can help identify risks. Those involved in risk identification might look
at this documentation, as well as lessons learned, articles, and other documents, to help uncover risks. This
used to be a trick for risk management and now has become standard practice.
Information Gathering Techniques Another way to identify risks is to use one of the following techniques.
Many of these techniques are also used to collect requirements for the project.
Brainstorming is usually done in a meeting where one idea helps generate another.
Delphi technique' This technique is used to build consensus of experts who participate anonymously. A
request for information is sent to the experts, their responses are compiled, and the results are sent back to

them for further review until consensus is reached. This technique can also be used for estimating time and
cost.
Interviewing Also called expert interviewing on the exam, this consists of the team or project manager
interviewing project participants, stakeholders, or experts to identify risks on the project or a specific element
of work.
Root cause analysis4 Reorganizing the identified risks by their root causes will help you identify more risks.

Diagramming Techniques Some of the tools described in the Quality Management chapter can also be
used to analyze the root causes of issues. These include cause and effect diagrams and flowcharts. When used
as part of risk identification, they help identify additional risks for the project.
Outputs of Identify Risks
Risk Register' The risk register is the place where most of the risk information is kept. Think of
it as one document for the whole risk management process that will be constantly updated with
information as Identify Risks and later risk management processes are completed.
Notice that an updated risk register is the only output of several of the risk management processes.
Read exam questions carefully, as the risk register contains different information depending on
when in the risk management process the question is referencing. For example, if the project has just
started and you are in the Identify Risks process, the risk register will only contain the identified risks,
not response plans, which come later.
At this point in the risk management process, the risk register includes:
~ List of risks
~ List of potential responses Though risk response planning occurs later.
~ Root causes of risks The root causes of risks are documented.
~ Updated risk categories You will notice a lot of places where historical records and company records are
updated throughout the project management process.
"When in the risk management process are responses documented?" The answer is in both the Identify Risks
and Plan Risk Responses processes!

qualitative risk analysis

Therefore, qualitative risk analysis involves creating a short list of the previously identified risks. The
shortlisted risks will then be further analyzed in the Perform Quantitative Risk Analysis process or will move
into the Plan Risk Responses process.
Remember that qualitative risk analysis is a subjective analysis of the risks identified. To perform this
analysis, the following are determined:
~ The probability of each risk occurring. using a standard scale such as Low, Medium, High or 1 to10.
~ The impact (amount at stake, or consequences, positive or negative) of each risk occurring. using a
standard scale such as Low, Medium, High or 1 to10.
The following are tools you can use to perform qualitative risk analysis.
Probability and Impact Matrix
Because qualitative risk analysis is based on subjective evaluation, the rating of anyone risk can vary
depending on the bias of the person doing the rating and how risk averse they are
Therefore organizations frequently have a standard rating system to promote a common understanding of what
each risk rating means. This standard is shown in a probability and impact matrix.

Risk Data Quality Assessment

This assessment asks, "How accurate and well understood is the risk information!" Before the project manager
can use the risk information collected so far, he or she must analyze the precision of the data (asking, "How
good is the data?).
A risk data quality assessment may include determining the following for each risk:
~ Extent of the understanding of the risk
~ Data available about the risk
~ Quality of the data
4

Reliability and integrity of the data

Risk Categorization
Risk categorization asks. "What will we find if we regroup the risks by categories? By work packages!" Think
about how useful it would be to not only have a subjective assessment of the total amount of risk on the
project, but also to group the risks by cause to know which work packages, processes, people
Risk Urgency Assessment
In addition to creating a shortlist of risks, qualitative risk analysis includes noting risks that should move more
quickly through the process than others.
Reasons for this could include the fact that the risk may occur soon or will require a long time to plan a
response. Urgent risks may then move, independently, right into risk response planning while the rest continue
through quantitative risk analysis, or they may simply be the first ones for which you plan a response in risk
response planning.
Outputs of Perform Qualitative Risk Analysis
Risk register updates The risk register is updated to add the results of qualitative risk analysis, including:
Risk ranking for the project compared to other projects
List of prioritized risks and their probability and impact ratings
- Risks grouped by categories (As previously explained)
List of risks requiring additional analysis in the near term
- List of risks for additional analysis and response
Watch list (non-critical or non-top risks) These risks are documented for later review during risk
monitoring and controlling.
- Trends Qualitative risk analysis may be redone in planning (as previously explained)
Qualitative risk analysis can also be used to:
~ Compare the risk of the project to the overall risk of other projects
~ Determine whether the project should be selected, continued, or terminated
~ Determine whether to proceed to the Perform Quantitative Risk Analysis or Plan Risk Responses
processes (depending on the needs of the project and the performing organization)
~

The purpose of quantitative risk analysis is to:

-

Determine which risk events warrant a response

Determine overall project risk (risk exposure
Determine the quantified probability of meeting project objectives
Determine cost and schedule reserves
Identify risks requiring the most attention
Create realistic and achievable cost, schedule, or scope targets.

We always do qualitative risk analysis, but quantitative risk analysis is not required for all projects and
may be skipped in favor of moving on to risk response planning. You should proceed with quantitative
risk analysis only I fit is worth the time and money on your project
"risk assessment" (not to be confused with "risk urgency assessment"), What risk assessment
refers to is risk identification through quantitative risk analysis.
The Perform Quantitative Risk Analysis process can include a lot of calculation and analysis. Luckily the
details of these efforts are not a focus of the exam. You will need to know that the following are part of
quantitative risk analysis but not how to do them other than what is explained in this chapter.
~ Further investigating the highest risks on the project
~ Determining the type of probability distribution that will be used, i.e., triangular, normal, beta, uniform, or
log normal distributions
~ Performing sensitivity analysis to determine which risks have the most impact on the project

Determining how much quantified risk the project has through expected monetary value analysis or Monte
Carlo analysis (described later in this section)
~

The risk register is updated to add the results of risk response planning, including:
Residual risks' These are the risks that remain after risk response planning. Residual risks are also risks that
have been accepted and for which contingency plans and fallback plans can be created. Residual risks should
be properly documented and reviewed throughout the project to see if their ranking has changed.
Contingency plans are plans describing the specific actions that will be taken if the opportunity or threat
occurs.
Risk response owners A key concept in risk response planning is that the project manager does not have to do
it all and neither does the team. Each risk must be assigned to someone who may help develop the risk
response and who will be assigned to carry out the risk response or "own" the risk. The risk response owner
can be a stakeholder other than a team member.
Secondary risks An analysis o f the new risks created by the implementation of selected risk response
strategies should be part of risk response planning. Frequently, what is done to respond to one risk will cause
other risks to occur.
Risk triggers These are events that trigger the contingency response. A project manager should identify the
early warning signs (indirect manifestations of actual risk events) for each risk on a project so that he or she
will know when to take action.
Contracts A project manager must be involved before a contract is signed. Before the contract is finalized, the
project manager will have completed a risk analysis and included contract terms and conditions required to
mitigate or allocate threats and to enhance opportunities.

Fallback plans These are specific actions that will be taken if the contingency plan is not effective. Think how
prepared you will feel if you have plans for what to do it a risk occurs and what to do if that original plan does
not work.
Reserves (contingency) Having reserves for schedule and cost is a required part of project management. You
cannot come up with a schedule or budget for the project without them.
There can be two kinds of reserves for time and cost: contingency reserves and management reserves.
Contingency reserves account for "known unknowns" (or simply "knowns" ), these are items you identified in
risk management. They cover the residual risks in the project. Management reserves account for "unknown
unknowns" (or simply "unknowns"), these are items you did not or could not identify in risk management.
Make sure you realize that reserves are not an additional cost to a project Through the risk management
process, the time and cost for the project should have been shortened.
Risks should have been eliminated or the probability or impact reduced, resulting in a reduction to the time and
cost on the project. Contingency reserves are for the prespecified opportunities and threats that remain after
the risk management process is completed.
Therefore, they must have a time and cost budget. No matter what you do, risks will remain in the project, and
there should be a budget for them, just as there is a budget for work activities on the project.
The exam often asks questions such as:
Question What do you do with non-critical risks?
Answer Document them in a watch list, and revisit them periodically.
Question Would you choose only one risk response strategy?
Answer No, you can select a combination of choices.
Question What risk management activities are done during the execution of the project?
Answer Watching out for watch listed (non-critical) risks that increase in importance.
Question What is the most important item to address in project team meetings?
Answer Risk.
Question How would risks be addressed in project meetings?
Answer By asking, "What is the status of risks? Are there any new risks? Is there any change to the
order of importance

Common Risk Management Errors

The following is a list of some of the common risk management errors people make.

Risk identification is completed without knowing enough about the project.

Project risk is evaluated using only a questionnaire, interview, or Monte Carlo analysis and thus does not
provide specific risks.
~ Risk identification ends too soon, resulting in a brief list (20 risks) rather than an extensive list (hundreds of
risks).
~ The processes of Identify Risks through Perform Quantitative Risk Analysis are blended,
resulting in risks that are evaluated or judged as they come to light. This decreases the number of total risks
identified and causes people to stop participating in risk identification.
~ The risks identified are general rather than specific (e.g. "communications" rather than "poor
communication of customer's needs regarding installation of system XXX could cause two weeks of rework").
~ Some things considered to be risks are not uncertain; they are facts, and are therefore not risks.
~ Whole categories of risks (such as technology, cultural, marketplace, etc.) are missed.
~ Only one method is used to identify risks (e.g., only using a checklist) rather than a combination of methods.
~ The first risk response strategy identified is selected without looking at other options and finding the best
option or combination of options.
~ Risk management is not given enough attention during project executing.
~ Project managers do not explain the risk management process to their team during project planning.
~ Contracts are usually signed long BEFORE risks to the project are discussed.
~
~

---------------------