Project Risk Management

Lecture objectives
At the end of the lecture students
should be able to:
Define a risk and a project risk
Identify risk characteristics,
categories and classifications
Identify and explain project risk
processes

What is A Risk
Risk is defined as the effect of
uncertainty on objectives of a
project. The effect may be positive or
negative. (ISO 31000)
Uncertain event or condition that if it
occurs has a positive or negative
effect on a project objectives

What is a project risk

A Project risk is an uncertain event or
condition that if it occurs, has a
positive or negative effect on at least
one project objective, such as time,
cost, scope and/or quality (eg
deliverance within the agreed
schedule or budget. (PMBOK)

Risk Categories
Technical/quality or performance risks These include risks
associated with un proven technology, complex technology, or
changes to technology anticipated during the course of the
project. They may also include un realistic performance goals.
Project Management risks: This includes improper schedule
and resource planning, poor project planning and improper or
poor project management disciplines or methodologies
Organizational risks: These include resource conflicts due to
multiple projects occurring at the same time in the organization;
scope, time and cost objectives that are unrealistic given the
organizations resources or structure and lack of funding for the
project or diverting funds from this project to other projects.
External risks: These include things external to the project such
as new laws or regulations, labour issues, weather, changes in
ownership,foreign policies. Catastrophic risks known as force
majeure-beyond the scope of risk management planning and
instead require disaster recovery techniques

Risk Classification
Risks are classified according to:
The project objectives
Sources
Project lifecycle
Degree of control (Controllable and uncontrollable)
Pure (Insurable) and speculative (threats and
opportunities)
Availability of information (Known and unknown)
Internal and external risks
Level of risks (probabilities and consequences)

Risk Attributes

Risk has a future focus

Risk has alternative possibilities
Risk deals with probabilities
Risk requires information (ranging
from total uncertainty to total
certainty)
Risk must affect the project
objectives

Risk Components
Causes
Event
Effects

Risk Management
The art and science of identifying, assessing and responding
to project risk throughout the life of a project and in the best
interests of its objectives (Wideman)
Risk management is the process of identifying, assessing
and prioritizing of risks followed by coordinated and
economical application of resources to minimize, monitor
and control the probability and or impact of unfortunate
events or to maximize the realization of opportunities. (ISO
31000)
Project Risk management includes the processes concerned
with conducting risk management planning, identification,
analysis, responses and monitoring & control on a project
throughout its life cycle. The objectives of project risk
management are to increase the probability and impact of
positive events, and decrease the probability and impact of
events adverse to the project. (PMBOK)

Risk Mgt Process

Risk Mgt Planning

Risk Identification
Qualitative analysis
Quantitative analysis
Risk response planning
Rist monitoring and controlling

Risk Mgt Planning

This is where you decide on how to approach and plan
the risk management activities in the project eg
stakeholders analysis, problem analysis, and objective
setting, swot analysis. Risk Mgt Planning includes the
following:
Methodology: This is a description of how you will
perform risk mgt including elements like methods,
tools, and where you might find risk data that you can
use in the later processes.
Roles and responsibilities: describes the team of
people who are responsible for managing the identified
risks and their responses and for each type of activity
identified in the RMP. The teams may not be
necessarily the same team as the project team
Budgeting: Assign resources and estimate the costs
of risk management and its methods.

Risk mgt Planning (contd)

Timing : defines when and how often the risk mgt process will
be performed throughout the PLC.
Risk categories: Categorize the identified risks (Technical,
Mgt, Organizational, External)
Risk probability and impact: Estimate the probabilities of
the risks happening and their impacts on the project.(Prob &
Impact Matrix)
Risk contingency planning: Always have a contingency plan
(budget) which is normally based on the qualitative and
quantitative analysis of the risk on the project.
Reporting Format: This details how risk mgt information will
be maintained, updated, analyzed and reported to project
participants and stakeholders.
Documentation: Documents how all facets of risk activities
will be recorded for the benefit of the current project, future
needs and lessons learned.

Risk Identification
This is where one determines which risk might affect the
project and documents their characteristics. Methods
of risk identification:
Objective based : any event that may endanger
achieving an objective partly or completely is identified
as a risk.
Scenario based: Create scenarios and identify risks
that can come out of them.
Taxonomy: a questionnaire about risks is compiled
and the answers to the questions reveal risks. Also
Brainstorming, Delphi technique, Interviewing, Root
Cause identification, SWOT analysis. (see CMU/SEI-93TR-6)
Common risk checking: based on historical
information and previous project team experience (see
http://cve.mitre.org)

Qualitative risk analysis

This is the qualitative assessment of the
probability of the risks and their
consequences to the project objectives in
which case the level of risks can be
categorized as high, medium and low
depending on the impact of the event
occurring. The risks are then prioritized. Use
of Probability and Impact Assessment,
Probability and Impact Matrix, Risk Data
Quality Assessment, Risk Categorization and
Risk Urgency Assessment.

Quantitative risk analysis

Measuring the probability and
consequences of the prioritized risks
and estimating the quantitative
implications for the project. It
analyzes the effects of the risk
events and assigns a numerical
rating to those risks > use of
probability impact matrix

Risk response planning for negative risks or

threats
Developing procedures and techniques to enhance opportunities and reduce the
threats to the project objectives. The major risk management and response
strategies are:
Avoid the risk: Eliminate the condition that is causing the risk eg risks
associated with a particular service provider can be avoided if another one is
secured.
Move the risk/transfer : This is where you give the responsibility of managing
the risk to another entity or third party eg subcontracting, insurance.
Mitigating the risk: Put in place a set of steps to ensure that the risk does not
occur and if it does then the negative impact of the risk is minimized eg use of
UPS.
Accept the risk and learn from it: The project manager might look at the risk
and decide to do nothing about it , this happens because the potential impact of
the risk on the project is not substantial enough to require a response.
Monitor the risk: Monitor the risk to see whether it is more or less likely to
occur as time goes on. If it is more likely to occur the project risk team may
formulate a difference response at a later time.
Have a contingency budget: It should be based on the qualitative and
quantitative risk analysis. Reflect on the would be cost of the risk and then set a
risk contingency.

Risk response planning for positive

risks or opportunities
There are three major responses when dealing with
potentially positive impacts on project objectives .
They are : exploit, share and enhance.
Exploit: eg a risk that would get a project completed
earlier than schedule or one that would increase the
quality of the product.
Share: allocating ownership to a third party who is
best able to capture the opportunity for the benefit
of the project.
Enhance: Increasing the probability of the risk or
facilitating or strengthening the cause of the
opportunity and proactively targeting and reinforcing
its trigger conditions might increase probability.

Risk monitoring and

controlling
Continuously monitor and control the risk
throughout the PLC.
Remember to document any information in
relation to any risk and communicate it to
the relevant personnel.
Effective risk management requires a
reporting and review structure to ensure
that risks are effectively identified and
assessed and that appropriate controls and
responses are in place.

10 Golden Rules of Project Risk

Management
(Bart
Jutte
)
Rule 1: Make Risk Management Part of Your Project
Rule 2: Identify Risks Early in Your Project
Rule 3: Communicate About Risks
Rule 4: Consider Both Threats and Opportunities
Rule 5: Clarify Ownership Issues (who is responsible for
which risk)
Rule 6: Prioritise Risks
Rule 7: Analyse Risks
Rule 8: Plan and Implement Risk Responses
Rule 9: Register Project Risks
Rule 10: Track Risks and Associated Tasks
The 10 golden risk rules above give you guidelines on how to
implement risk management successfully in your project.
However, keep in mind that you can always improve. Therefore
rule number 11 would be to use the Japanese Kaizen approach:
measure the effects of your risk management efforts and
continuously implement improvements to make it even better.