RISK MANAGEMENT

REV4

Presented by: Milan Stengl March 20, 2014

Risk Management
Introduction
2

Uncertainty, opportunity and risk

Unknowns about the future may turn out to be either
favorable or unfavorable. Lack of knowledge of future
events constitutes uncertainty
(set of all possible outcomes).
Opportunity = the probability of favorable outcomes.
Threat = the probability of unfavorable outcomes.
Both can be considered a risk (will/wont occur).

An event that is certain is not considered to be a risk. It is

an issue and requires different approach.

It is crucial to perform Risk Management. Many PMs and

organizations dont. Most of those that do, arent taking
opportunities into consideration (only the threats).

Risk Management
Introduction

Example1: When our children are small we instruct them

not to go near the road [RISK IDENTIFICATION
&AVOIDANCE].
If they must cross the road we teach them to do it safely
[RISK ASSESSMENT, PLANNING, MITIGATION] or direct
them to the school crossing guard [RISK SHARING].
When they return home we ask them about their day, did
they cross the street and how ?
[RISK MONITORING & CONTROL, CORRECTIVE ACTIONS].
We also make a mental note of this experience and will use
it in future, when our youngest reach the age of street
crossing [RISK LOG, RISK DATABASE, LESSONS LEARNED]

Can we ever be in control of risk events ?

Risk Management Introduction

4

Project Risk Management could be a misleading term.

Management implies control over risk events (man -- >
hand, manage handle?)

Example 2: You are at risk of being shot at. Your reaction

can be :
Reactive
Move and try to avoid the bullet
Deflect the bullet
Repair the damage done by the bullet (after the event
occurred)
Pro-active
Take steps to avoid being confronted by the person
with the gun

Risk Management Introduction

5

Risk management: analyzing and managing (handling)

uncertain events during the project. It influences many
areas;

budget creation and control: reserves (contingency +

management)
business case accuracy: market/user, cost,
manufacturing etc.. threats & opportunities
project baseline estimating (scope, schedule, cost):
improved accuracy through quantitative risk analysis
contract creation and reviews: major threats to be
shared through different contract types
forming partnerships: major opportunities to be
enhanced that way

Definition of a Project: a temporary group activity

Risk Management Introduction

6

We shouldnt define
project schedule
/budget
without having the
risks
translated into
reserves.
There are two types;
* Contingency
reserves
- for known
unknowns
- calculated
- added to estimates
thetoproject cost baseline to form the Cost Budget. Their use is
form
the cost
approved
by the manager
baseline
(not
the PM!). Remember: reserves are not an additional cost to a

Risk Management Concepts

7

Goal: Define strategies to increase the probability & impact

of opportunities while decreasing the probability & impact
of threats.
Risks are identified/managed starting in Initiating process
group and are continuously kept up-to-date by the PM and
the team.
Risk Averse = not willing to take risks
Risk Tolerance = Risk areas that are
acceptable/unacceptable

1. Plan Risk Management

8

1. Plan Risk Management

9

Types of Risks
Business risk = includes opportunities and threats = risk of gain
or loss.
Pure risk (insurable risks) = Only a risk of loss (fire, injury, theft).
Could be insured.
Risk Categories
There are many ways to sort and categorize risks. It is good to
keep historical records of identified risks to help categorize them in
future projects. Some risks (uncertainties) can impact more than
one project area and will surface out in various risk categories.
External (to the project) = regulatory, government,
environmental..
Internal (to the project) = time, cost or scope changes, staffing,
materials, equipment
Technical = changes in technology
Unforeseeable = those we cant predict. About 10% of all risks

1. Plan Risk Management

10

It is very useful to classify risks by their source tailored to the

organization;
Sensor team, Manufacturing, Legal, Validation.. helps focus
project efforts.
Some PMs classify risks by the project area that is mostly affected
by the risk:
Schedule: parts could arrive earlier allowing us to move on with
WP ABC
Cost: price of gasoline might increase 15% causing increase in WP
transport
Quality: the concrete may cure before the steel work is complete
so we might ship the
beams directly to the site instead of leasing a warehouse.
Scope: the main stakeholder might be on medical leave and we
will not know if the scope is correctly defined until s/he comes back
(may add new work packages)

2. Identify Risks
11

Who should perform this process ? Everyone: the team,

stakeholders and even the
outside sources. Very important (10%)! Pay attention to the Risk

3. Perform Qualitative Risk Analysis

12

This is a subjective analysis. Usually rapid and cost effective. Risk

Categorization could

3. Perform Qualitative Risk Analysis

13

Probability and Impact Matrix (Risk Exposure)

Numeric form
PROBABILIT
RISK
RISK DESCRIPTION

Late prototyping
Regulatory changes
Team "A" staffing
changes
Risk X

IMPACT

PXI

7.00
10.00

2.10
4.00

INDEX
2
1

0.20

5.00

1.00

Px

Ix

Px * Ix

Y
0.30
0.40

The results depend on the bias of those performing this task. The
matrix can help determine which risks warrant immediate
attention and which can go on the Watch List. Risk Index is also
known
as Composite
Risk Index.
Probability
and Impact
Matrix (Risk Exposure)
Descriptive form

3. Perform Qualitative Risk Analysis

14

Probability and Impact Matrix (Risk Exposure)

Numeric form

Basic percentage approach (steps of 10%) is most practical for

bigger teams, bigger (longer) risk registers (sorting resolution)
and is needed for calculating risk financial impact. Scalable to
some extent to project size and importance (weights)

4. Perform Quantitative Risk Analysis

15

What risk events warrant response ? What is our overall project risk ?
Can we quantify probability of meeting project objectives. Cost &
Schedule reserves ? Update estimated targets.

4. Perform Quantitative Risk Analysis

16

Expected Monetary Value

Analysis
RISK DESCRIPTION

PROBABILIT
IMPACT ($)
Y

EXPECTED MONETARY
VALUE

Late prototyping

0.30

50,000

15,000.00

Regulatory changes
Team "A" capacity
change
Risk X

0.40

20,000

8,000.00

0.20

25,000

5,000.00

Px

Ix$

Px * Ix$

Pretty simple calculation.

4. Perform Quantitative Risk Analysis

17

Goal: Understand the time dimension of the project

sensitivity
to risks.
Risk
Severity
= introducing time
Risk Severity is a calculated value based on the Risk Exposure
dimension
(slide 14) and time expected for the risk to appear (How soon ?
When ? ).

STEP 1: Estimate the time resolution (10% of the project

schedule) .
STEP 2: Estimate how much time you have until the risk is
expected to occur= Frame Use time resolution, project schedule
and the current date. Each Time Frame variable is assigned an
appropriate weight (numeric value) based on;
expected project completion date
organizational maturity and agility
TIME FRAME
CRITERIA
project team
Thecapabilities
risk could occur at any time from now until (now + 10(%)) of
Immediate
(w=5)
Short Term (w=3)
Medium Term
(w=2)

the project duration

The risk could occur 2 time resolution intervals form now (3.5-4
months on Vaughan)
The risk could occur 3-5 time resolutions from now (5.5 9 months
on Vaughan)

4. Perform Quantitative Risk Analysis

18

TIME FRAME
Immediate (w=5)
Short Term (w=3)
Medium Term
(w=2)
Long Term (w=1)

T1
Project Start

CRITERIA
The risk could occur at any time from now until (now + 10(%)) of
the project duration
The risk could occur 2 time resolution intervals form now (3.5-4
months on Vaughan)
The risk could occur 3-5 time resolutions from now (5.5 9 months
on Vaughan)
The risk could occur 6+ time resolutions from now (10+ months on
Vaughan)

T2

T3

RISK
Project End

Risk severity is increasing as it approaches

projects with many risks (NPD) need to have time perception built in)

4. Perform Quantitative Risk Analysis

19

Risk Severity = add time dimension to risk analysis (see slide 13

first)
2: Calculate Risk Severity by multiplying Risk Exposure with the Time Fra
ht. Create new Risk Index to sort the risks accordingly.

RISK
DESCRIPTION
Late prototyping
Regulatory
changes
Team "A"
staffing
changes

Note
how

PROBABILI
IMPACT
TY

EXPOSUR
E
(P x I)

RISK
INDEX

0.30

7.00

2.10

0.40

10.00

4.00

0.20

5.00

1.00

the first two risks swapped

Risk X
Px
Ix
Px * Ix
X
dimension.
(new
index)

TIME
RISK
PRIMARY
WEIGHT
SEVERITY
INDEX
FACTOR
(Exp * Tx)
5
(immediate
10.5
1
)
2 (med
8.0
2
term)
3 (short
3.0
3
term)
places
due to the time
Tx

Px * Ix * Tx

4. Perform Quantitative Risk Analysis

20

Qualitative versus Quantitative Risk

Analysis

QUALITATIVE risk analysis

Predecessor
Always required (must be
performed)

Subjective
(different people different risk
ratings)
Reviews / analyzes all the
identified risks

QUANTITATIVE risk analysis

Successor
(needs the output of the
qualitative r.a.)
Not required for all project risks
(only if they are worth the time
and money)
More objective but still based on
the human input (and
experiendce). More control
elements (money, time)
Reviews / analyzes only a short
list of risks (qualified during the
Qualitative r.a.)

5. Plan Risk Responses

21

Answers the question: What are we going to do about each

top risk ?
The goal is to:

eliminate the threats before they happen & minimize their

probability and/or impact
ensure opportunities happen & maximize their probability and/or
impact.

For the residual threats;

Create contingency plans

Have a fallback plan in place if the contingency plans show to be
ineffective

5. Plan Risk Responses

22

Strategies must be timely. The effort selected must be appropriate to

the severity of the
risk. Involve the team, other stakeholders and experts in selecting a

6. Monitor & Control Risks

23

Workarounds are unplanned responses developed to deal with

the occurrence of

7. Documentation & Risk Database

24

Good project management calls for ;

documenting all the project risks and their final outcomes

archiving documentation used for Risk Management on a

project
By doing so we are creating important Risk Management
experience and the
structure for future projects (maturity).
By not doing so the Risk Management will become unique
endeavor for each of our
projects and as such most organizations (teams) will skip it or
underperform it.
Risk identification, probability and impact matrices could be
formalized into
corporate templates.
Identified risk categories and risk sources (both threats and