Risk management in project

management

Dr. Mauricio Corona

[email protected]
@MauricioCorona
 Agenda
• Basics for Risk Management
• Project Risk Management
• Management of Risk (MoR) Framework
Basics for Risk Management
 What is Risk Management?

• Good management practice

• Process steps that enable improvement in
decision making
• A logical and systematic approach
• Identifying opportunities
• Avoiding or minimizing losses
 What is Risk Management?

Risk Management is the name given to a

logical and systematic method of identifying,
analyzing, treating and monitoring the risks
involved in any activity or process.

Risk Management is a methodology that helps

managers make best use of their available
resources
 Critical success factors for
management of risk
• Clearly identified senior management to support, own and lead on
risk management
• Risk management policies and the benefits of effective management
clearly communicated to all staff
• Existence and adoption of a framework for management of risk that
is transparent and repeatable
• Existence of an organizational culture which supports well thought-
through risk taking and innovation
• Management of risk fully embedded in management processes and
consistently applied
• Management of risk closely linked to achievement of objectives
• Risks associated with working with other organizations explicitly
assessed and managed
• Risks actively monitored and regularly reviewed on a constructive
‘no-blame’ basis.
Where risks occur
 How is risk management used
The Risk Management process steps are a
generic guide for
any organisation, regardless of theThere are
7 steps
type of business, activity or function.
in the RM
process
 How is risk management used
The basic process steps are:
1. Establish the context
2. Identify the risks
3. Analyse the risks
4. Evaluate the risks
5. Treat the risks
6. Monitoring and review
7. Communication & consultation
 The risk management process
• Establish the context
The strategic and organizational context in
which risk management will take place.
For example, the nature of your business, the
risks inherent in your business and your
priorities.

Communicate & consult

 The risk management process
• Identify the risks
Defining types of risk, for instance, ‘Strategic’
risks to the goals and objectives of the
organisation.
Identifying the stakeholders, (i.e.,who is
involved or affected).
Past events, future developments.
Monitor and review
Communicate & consult
 The risk management process
• Analyse the risks
How likely is the risk event to happen?
(Probability and frequency?)
What would be the impact, cost or
consequences of that event occurring?
(Economic, political, social?)

Monitor and review

Communicate & consult
 The risk management process
• Evaluate the risks
Rank the risks according to management
priorities, by risk category and rated by
likelihood and possible cost or consequence.
Determine inherent levels of risk.

Monitor and review

Communicate & consult
 The risk management process
• Treat the risks
Develop and implement a plan with specific counter-measures to
address the identified risks.
Consider:
• Priorities (Strategic and operational)
• Resources (human, financial and technical)
• Risk acceptance, (i.e., low risks)
Document your risk management plan and describe the reasons
behind selecting the risk and for the treatment chosen.
Record allocated responsibilities, monitoring or evaluation
processes, and assumptions on residual risk.
Monitor and review
Communicate & consult
 The risk management process
• Monitor and review
In identifying, prioritising and treating risks, organisations
make assumptions and decisions based on situations that
are subject to change, (e.g., the business environment,
trading patterns, or government policies).
Risk Management policies and decisions must be regularly
reviewed.
Risk Managers must monitor activities and processes to
determine the accuracy of planning assumptions and the
effectiveness of the measures taken to treat the risk.
Methods can include data evaluation, audit, compliance
measurement.
Communicate & consult
The risk management process
Establish the context

Identify the risks

Analyse the risks

Evaluate the risks

Treat the risks

Project Risk Management
 Project Risk Management
• Project Risk Management
– Includes identifying, analyzing, and responding to risk areas;
maximizing results of positive events and minimizing
consequences of adverse events
• Risk Identification – which are likely to affect the project
• Risk Quantification – evaluation of risk to assess the range of
possible outcomes
– Sometimes treated as single process; risk analysis/assessment
• Risk Response Development – defining enhancement steps for
opportunities and response
– Sometimes called response planning/mitigation
• Risk Response Control – responding to changes in risk over
course of project
– May be combined as risk management
 Project Risk Management
• Risk Identification
– Determining which risks are likely to affect the
project and documenting them
– Performed on a regular basis; address internal and
external risks
• Internal –project team has control/influence over
• External – beyond project team’s control
– Identify cause and effect and effects and causes;
what could happen vs. what outcomes should be
avoided
 Project Risk Management
• Inputs to Risk Identification
– Product Description – more risk associated with unproven
technologies (innovation/invention). Often described in terms of
cost and schedule impact
– Other Planning Reports
• WBS (any non-traditional approaches)
• Cost/Duration Estimates – aggressive schedules; limited amount of
information
• Staffing Plan – hard to replace/source skill sets
• Procurement Management Plan – market conditions
– Historical Information – previous projects
• Project Files
• Commercial Databases
• Project Team Knowledge – member experiences
 Project Risk Management
• Tools & Techniques for Risk Identification
– Checklists – organized by source of risk, included
project context, process outputs, product and
technology issues, internal sources
– Flowcharting – understand cause and effect
relationships
– Interviewing – conversations with stakeholders
 Project Risk Management
• Outputs from Risk Identification
– Sources of Risk – categories of possible risk events, all-inclusive
• Changes in requirements
• Design errors, omissions, misunderstanding
• Poorly defined roles and responsibilities
• Insufficiently skilled staff
– Include estimate of probability, range of possible outcomes, expected timing, anticipated
frequency
– Potential Risk Events – discrete occurrences that may affect project
• Identified when probability/magnitude of loss is high (e.g. turnover)
– New technologies obsolete need of product
– Socio, Political and Economic events
– Include estimate of probability, range of possible outcomes, expected timing, anticipated
frequency
– Risk Symptoms – triggers that are indirect manifestations of actual risk events (e.g.
poor morale)
– Inputs to other processes – identify need in another area; constraints and
assumptions
 Project Risk Management
• Risk Quantification
– Evaluation of possible project outcomes and
determining which events warrant response
• Opportunities and threats can provide unanticipated results
(e.g. schedule delay considers a new strategy)
• Multiple effects from a single event
• Singular Stakeholder opportunities may force suffering in other
areas
• Reliance on statistics and forecasting (mathematical errors)
 Project Risk Management

• Inputs to Risk Quantification

– Stakeholder risk tolerance
• More capital to expend; perceptions of severity
– Sources of Risk
– Potential Risk Events
– Cost Estimates
– Activity Duration Estimates
 Project Risk Management
• Tools & Techniques for Risk Quantification
– Expected Monetary Value – product of 2 numbers
• Risk Event Probability – estimate that event will occur
• Risk Event Value – estimate of gain or loss
– Statistical Sums – calculate range of total costs from
cost estimates for individual work items
– Simulation – representation or model; provide statistical
distribution of calculated results.
• Monte Carlo, Critical Path, PERT techniques
– Decision Trees – depicts key interactions among
decisions and possible outcomes
– Expert Judgment
 Project Risk Management

• Outputs from Risk Quantification

– Opportunities to pursue; threats to respond
– Opportunities to ignore; threats to accept
 Project Risk Management
• Risk Response Development
– Defining enhancement steps for
opportunities and responses to threats
• Avoidance – eliminating threat by eliminating
the cause
• Mitigation – reducing expected monetary value
of event by reducing the probability of
occurrence
• Acceptance – accept the consequences (active -
contingency plan - or passive response)
 Project Risk Management
• Inputs to Risk Response Development
– Opportunities to pursue, threats to respond
– Opportunities to ignore, threats to accept
• Tools & Techniques for Risk Response
Development
– Procurement – acquire resources (exchange 1 risk for
another)
– Contingency Planning – defining action steps should a
risk event occur
– Alternative Strategies – change planned approach
– Insurance
 Project Risk Management
• Outputs from Risk Response Development
– Risk Management Plan – document procedures to manage risk events.
Addresses risk identification and quantification processes, personnel
responsible for managing areas of risk, maintenance of identification and
quantification process, implementation of contingency plans and
allocation of reserve
– Inputs to other processes – alternative strategies, contingency plans,
anticipated procurements
– Contingency Plans
– Reserves – provision in project plan to mitigate costs and schedule risks.
Used with a modifier (management, schedule, budget) to provide further
detail when type of reserve can be used
– Contractual Agreements – insurance, services and other functions to avoid
and mitigate threats.
 Project Risk Management
• Risk Response Control
– Involves executing the risk management plan in order
to respond to risk events during the project
• Control and iteration are required; not all risks can be
identified
• Inputs to Risk Response Control
– Risk Management Plan
– Actual Risk Events – recognize occurrence
– Additional Risk Identification – surfacing of potential
or actual risk sources
 Project Risk Management
• Tools & Techniques for Risk Response Control
– Workarounds – unplanned responses to negative risk
events (response was not defined in advance)
– Additional Risk Response Development – planned
response may not be adequate
• Outputs from Risk Response Control
– Corrective Action – performing the planned risk
response
– Updates to Risk Management Plan
 Project Risk Management
• Tips from Review Guide
– Definition of risk: a discrete occurrence that may affect
the project for good or bad
– Definition of uncertainty: an uncommon state of nature,
characterized by the absence of any information related
to a desired outcome
– Definition of risk management: The processed involved
with identifying, analyzing, and responding to risk.
Maximize results of positive events; minimizing
consequences of negative events
 Project Risk Management
• Tips from Review Guide
– Inputs to Risk Management:
• All project background information
• Historical records
• Past Lessons Learned
• Project Charter
• Scope Statement
• Scope of work
• WBS
• Network Diagram
• Cost and Time estimates
• Staffing Plan
 Project Risk Management
• Tips from Review Guide
– Risk Management Process
• Risk Identification – majority during Planning; onset of project
to close of project
– Sources:
» External: Regulatory, environmental, government
» Internal: Schedule, cost, scope change, inexperience,
planning, people, staffing, materials, equipment
» Technical: Changes in technology
» Unforeseeable: small (only about 10%)
 Project Risk Management
• Tips from Review Guide
– Risk Management Process
• Risk Factors – determine:
– Probability that it will occur (what)
– Range of possible outcomes (impact, amount at stake)
– Expected Timing (when)
– Anticipated frequency (how often)
• Symptoms – early warning signs determined by PM
• Risk Tolerances – amount of risk that is acceptable
 Project Risk Management
• Tips from Review Guide
– Common Stumbling Blocks
• Risk identification is completed without knowing enough about the project
• Project Risk evaluated only by questionnaire, interview or Monte Carlo; does
not provided a per task analysis of risk
• Risk identification ends too soon
• Project Risk identification and Evaluation are combined – results in risks that
are evaluated when they appear; decreased total number of risks and stops
identification process
• Risks are identified too generally
• Categories of risks are forgotten (technology, culture)
• Only 1 identification method is used
• First risk response strategy is used without other consideration
• Risks are not devoted enough attention during the Execution phase
 Project Risk Management
• Tips from Review Guide
– Risk Management Process
• Risk Quantification – assess risks to determine range of
possible outcomes; which risk events warrant a response
– Probability
– Amount at stake (impact)
– Develop a ranking (priority) of risks
» Qualitative – take an educated guess
» Quantitative – estimation by calculation
• Risk Assessment = Risk Identification + Risk Quantification
 Project Risk Management
• Tips from Review Guide
– Risk Management Process
• Risk Quantification – assess risks to determine range of
possible outcomes; which risk events warrant a response
– Probability
– Amount at stake (impact)
– Develop a ranking (priority) of risks
» Qualitative – take an educated guess
» Quantitative – estimation by calculation
• Risk Assessment = Risk Identification + Risk Quantification
 Project Risk Management
• Tips from Review Guide
– Risk Management Process
• Monte Carlo simulation – simulates cost and schedule results of
project
– Indicates risk of a project and each task by providing a percent
probability that each task will be on the critical path
– Accounts for path convergence (where tasks in a Network diagram
converge into 1 task – more risk)
• Expected Monetary Value – multiply probability by impact
– Helps define and prove what the project reserve should be
• Decision Trees
– Takes into account future events when making a decision today
– Makes use of expected value calculations and mutual exclusivity
– Be able to draw one; boxes are decisions, circles are what can happen as
a result of the decision
 Project Risk Management

• Tips from Review Guide

– Risk Management Process
• Outputs from Risk Quantification
– Determination of top risks
– Opportunities to pursue
– Opportunities to ignore
– Threats to respond to
– Threats to ignore
 Project Risk Management
• Tips from Review Guide
– Risk Management Process
• Risk Response Development (what will be done,
how to make risk smaller or eliminate)
– Not all risks can be eliminated
– Alternative Strategies (risk mitigation)
» Avoidance – eliminate the cause
» Mitigation – effect the probability or impact of risk
» Acceptance – do nothing
» Deflection (transfer, allocate) – make another party
responsible, insurance, outsourcing
 Project Risk Management
• Tips from Review Guide
– Risk Management Process
• Outputs from Risk Response Development
– Insurance – exchange an unknown risk for a known risk
(response to pure risks)
– Contracting – hire experience to perform work
– Contingency Planning – specific actions to take if risk event
occurs
– Reserves (contingency) – recommended total of 10% to account
for known and unknown risks
• Risk Management Plan – documents risks identified and how
they are addressed; non-critical risks should be recorded to
revisit during the execution phase
 Project Risk Management

• Tips from Review Guide

– Risk Management Process
• Risk Response Control – executing and updating the
Risk Management Plan
– Workarounds – Unplanned responses to risks; addressing
risks that were unanticipated
– Contingency Plans – planned responses to risks; risk
response development actions
 Project Risk Management
• Tips from Review Guide
– Risk Mitigation – does not involve ID of risks (they are
already known)
– Self Insurance – can lead to failure to ensure funds for
low probability events and confuse business risks with
pure risks
– Risk mitigation – can purchase insurance
– Schedule Risk – critical path adjusted by High Risk
activity float
– Sensitivity Analysis – estimate the effect of change of
one project variable on overall project
 Project Risk Management

• Tips from Review Guide

– Standard Deviation of project completion –
relationship of uncertainty of critical path
activities; indicator of project end target
confidence
MoR Framework
Management Of Risk
Management Of Risk Principles Management of Risk
Definition of Risk
• Uncertainty
(M_o_R) of outcome –
approach
Embed & review
either as a positive
• Risk Management
opportunity or as aPolicy
negative threat
• Process Guide
Communicate Managing Risk
• Plans
Identification and control
of exposure to risk which
• Risk registers
may have an impact on
organization to achieve
• Issue Logs
business outcomes or
objectives through a risk
M_o_R Approach
Risk Management
Process Guide

management framework

© Crown copyright 2007 Reproduced under license from OGC Figure 4.23 – SD Book
47
 Concept: Risk Categorization
Most Severe
Fire /
Explosion
Chemical Storm
Severity / Impact

Leak Damage
Loss of
PBX/ACD
Server
Failure Major
Network Theft
Failure

Acceptable
risk
Power
Failure
Least severe

Coffee
Corrupt Spill
Database On PC

Least likely Acceptable Most likely

risk
Likelihood Of Occurrence 48
Strategic Framework MoR
 Risk identification approaches
Strategic/corporate level

At this level you will be making business-focused decisions

based on options analysis and investment appraisal. It may be
appropriate to use the Business Excellence Model to identify
how well your organisation is performing, in addition to
adopting some of the following techniques:

• NPV (net present value)

• IRR (internal rate of return)
• ROI (Return on Investment)
• cashflow analysis
• currency analysis
• SWOT (strengths, weaknesses, opportunities and threats) analysis
• scenarios
• cost-benefit analysis
• decision trees
• CRAMM for business impact security requirements.
 Risk identification approaches
Programme level

At this level your primary focus is the management

of interdependencies between the projects that make
up the programme and the wider business
environment. Techniques include:

• Decision trees
• CPA (Critical Path Analysis)
• Cost-benefit analysis
• Sensitivity analysis
• Stakeholder risk analysis
• Simulations
• Scenarios
• LCC (lifecycle costing analysis).
 Risk identification approaches
Project level
At this level you are seeking to avoid the
consequences of unwanted outcomes. Techniques to
help would include:

• Simulations
• LCC
• Decision trees
• Risk tables
• PERT (Programme Evaluation and Review Technique)
• Performance analysis
• Reliability analysis
• Capability analysis
• Monte Carlo simulation
• Influence diagrams
• CRAMM.
 Risk identification approaches
Operational level
As with the project level, your main objective is to
avoid the consequences of unwanted outcomes.
Techniques include:

• Simulations
• LCC
• Performance analysis
• Reliability analysis
• Queuing analysis
• Algorithm analysis
• Capability analysis
• Top down analysis
• Hazop (HAZard and OPerability analysis, risk registers and databases)
• CRAMM.
Questions