Risk management

Lecture 10

Conf. univ. dr. Dana Boldeanu

 Course objectives
• PROJECT RISK MANAGEMENT
– Risk versus uncertainty
– What is project risk management?
– How Do We Manage Risk?
– Plan risk management
– Risk categories
– Identify risks tools
– Risk assessment
– Probability and Impact Matrix
– Level of risk
– Risk strategies

06.12.2020 2
 What is Project Risk?
Project risk – an uncertain event or condition that, if it occurs, has a
positive or negative effect on a project's objectives.
 Deviations in the project as a whole, to a phase or work package
regarding:
➢ Scope
➢ Schedule
➢ Cost
➢ Quality

A risk may have one or more causes and if it occurs, it may have one
or more impacts.
 A cause may be a given or potential requirement, assumption,
constraint, or condition that creates the possibility of negative or
positive outcomes.
06.12.2020 3
 Risk versus Uncertainty

RISK
Risk is defined as unknowns
that have measurable UNCERTAINTY
probabilities.
Uncertain event or condition Uncertainty involves unknowns
with an effect on the normal with no measurable probability
evolution of a project. of outcome.
Risk triggers: an event or Uncertainty is a situation which
condition that causes involves imperfect and/or
a risk to occur. unknown information about an
event that reduce confidence in
conclusions drawn from data.
Uncertainty => Risk
06.12.2020 4
 Risk Management

• Project Risk Management includes the processes of conducting

risk management planning, identification, analysis, response
planning and controlling risk on a project (PMBOK, 2013).
• Proper risk management implies control of possible future
events and is proactive rather than reactive.
• It includes increasing the probability and impact of the positive
events and decrease the consequences (probability and impact)
of negative events.

06.12.2020 5
 Process Groups: Planning and
Monitoring and Controlling
Knowledge Area: Risk
Management

(Source: PMBOK, 2013)

06.12.2020 6
 How Do We Manage Risk?

• We manage risk by using the following processes:

Plan Risk Identify Perform Perform Plan Risk Monitor and

Management Risks Qualitative Quantitative Responses Control Risks
Risk Analysis Risk Analysis

06.12.2020 7
 Plan Risk Management

• The risk management plan is vital to communicate with and obtain

agreement and support from all stakeholders to ensure the risk
management process is supported and performed effectively over the
project life cycle. (PMBOK, 2013)
• The project manager, sponsor, team, customer, other stakeholders and
experts may be involved in the Plan Risk Management process to define
how risk management will be structured and performed for the project.
• Since risk management is so critical to the success of a project => plan
before you act!

06.12.2020 8
 Plan Risk Management

Tools & Techniques

• Project Charter
• Project Management Inputs ❑ Analytical techniques Outputs Risk
Plan
❑ Expert judgement Management
• Stakeholder register
❑ Planned meetings Plan
• Enterprise
Environmental Factors
• Organizational
Process Assets

Plan Risk Identify Risks Perform Perform Plan Risk Monitor and
Management Qualitative Quantitative Responses Control Risks
Risk Analysis Risk Analysis

Adapt after Inputs, Tools & Techniques and Outputs (PMBOK, 2013)
 Exercise 1
• Explain why each of the following inputs to risk management (RM) is
needed before you can adequately perform the risk management
process?

Inputs to the RM Why is this input needed?

Project chart ?
Project plan ?
Stakeholder register ?
Enterprise ?
environmental factors
Organizational process ?
assets

06.12.2020 Project Management 10

 Inputs to the RM Why is this input needed?
Project chart The project charter indicates the initial, high-level risks identified on the project and
helps you see if the overall project objectives and constraints are generally risky or
not. The charter also helps identify risks based on what is and what is not included
in the project.
Project plan The entire project management plan is an input to the Plan Risk Management and
Control Risks processes, as all of the management plans must be taken into account.
Additionally, specific management plans are inputs to other risk management
processes. They are listed separately within this table.
Stakeholder register Stakeholders will view the project from different perspectives and thus will be able
to see risks that the team cannot.
Stakeholders are involved in many aspects of risk management.
Enterprise Knowing the degree of risk the organization is willing to accept and the areas where
environmental factors there is willingness to accept risk (organizational risk appetites, tolerances, and
thresholds) helps to identify the impact of risks, rank risks, and determine which risk
response strategies to use. A company's culture can add or diminish risk and should
be considered when identifying risks.
Organizational process These records may have information about risks from past, similar projects,
assets including risk, categories, formats for stating risks, and risk management templates,
plus lessons learned that are relevant to managing risk on the current project.
06.12.2020 Company processes
Project andManagement
procedures for project management and risk management, 11
or the lack of such standardized procedures, may help identify additional risks.
 What is a Risk Management Plan?

The risk management plan describes how risk management activities will
be structured and performed.
• Methodology – Approach, tools & data
• Roles & Responsibilities
• Budgeting – Resources to be put into risk management
• Timing – When and how often
• Risk Categories –> Risk Breakdown Structure (RBS)
• Definitions –> Risk probabilities and impact
• Probability and Impact Matrix
• Stakeholder tolerances
• Reporting formats
• Tracking
 Identify Risks (I)

• The process of determining which risks may affect the project and documenting their
characteristics.
• The key benefit of this process is the documentation of existing risks and the knowledge
and ability it provides to the project team to anticipate events.

Source: PMBOK® Guide, 2013

06.12.2020 Project Management 13

 Identify Risks (II)

• Tools and techniques:

– Lessons learned from the project risk management activities
– Input from the team members
– Input from sponsors and beneficiaries

• Methods highlighting identified risks:

 RISK BREAKDOWN STRUCTURE (RBS)  RISK REGISTER
 RBS = A hierarchical representation of risks according to their risk
categories
 Risk Register = A document in which the results of risk analysis and risk
response planning are recorded.
 Risk categories (I)

Risk categories can be broad including the sources of risks that the
organization has experienced. Some of the categories could be:
➢ External: government related, regulatory, environmental, market
related, legal, natural environmental hazards, political events,
unexpected side effects, etc.
➢ Internal: Service related, customer satisfaction related, cost
related, quality related.
➢ Technical: any change in technology related.
➢ Unforeseeable: some risks about 9-10% can be unforeseeable
risks.
 Risk categories (II)

• Financial risks: risks arising from financial operations

of the company with other organizations, credit
institutions, insurance or risks from various financial
obligations (taxes, budgets, reimbursement, planning,
funding, etc.)
• Regulatory risks: legislative framework within which
your organization operates (law, regulation, policies
and procedures, standards and ethics of management
activity, etc.)
 Risk categories (III)

• Strategic risks: risks related to the mission and

strategic objectives of an organization regarding trade
issues, medium and long development of the company,
the reputation, etc.
• Operational risks: risks arise from the services you
deliver or activities you carry out. These are risks
related to human resources in the company,
information systems and technologies used, security
risks, management risk, etc.
 Identify Risks – Tools and techniques (I)

✓ Documentation Review
• plans, assumptions, previous project files, agreements, and other information
✓ Information gathering technique - Risk Breakdown Structure (RBS)
• Create a risk rating in order to obtain easily manageable risks;
• Principal types of risk: internal and external;
• Sub-categories: strategic risk, technical risk, organizational risk, regulatory risk, etc.
 Mitigation options

• There are four main ways to manage risk:

– RISK AVOIDANCE (ELIMINATION OF RISK) - Completely avoiding an activity that
poses a potential risk. While attractive, this is not always practical.
– RISK TRANSFER (INSURING AGAINST RISK) - Most commonly, this is to buy
an insurance policy. The risk is transferred to a third-party entity (in most
cases an insurance company).
– RISK SHARING - is also a type of risk transfer
– RISK REDUCTION (MITIGATING RISK) - This is the idea of reducing the
extent or possibility of a loss. This can be done by increasing precautions or
limiting the amount of risky activity.

06.12.2020 Project Management 19

 Identify Risks - Tools and Techniques (II)

– Assumption analysis
• Explores the validity of assumptions, scenarios and hypothesis as they apply to
the project.
• Table of the analysis of assumptions - tool for identifying and documenting the
assumptions of risk appearance.
 Identify Risks - Tools and Techniques (III)

– Cause and effect diagrams (Ishikawa or Fishbone diagrams)

 Describes the way of interaction and inter-relationship of the elements of a
project in terms of risk causes and possible effects.

Equipments/ Methods/Rules/
Machines Procedures People

Problem

Materials Environment Other

 The fishbone diagram
• An essential visual tool for problem solving.
• Common uses of this type of diagram are for product development and quality
improvement.
• The American Society for Quality (ASQ) recommends that you focus on these types of
causes:
– People: Anyone involved in the process
– Methods/Procedures: How is the process performed? What are the specific
requirements for doing it, such as policies and procedures?
– Machines: What tools or equipment are used to accomplish the job or complete the
process?
– Materials: What raw materials or parts are used to produce the final product?
– Measurement: What data does the process generate that will help us to evaluate its
quality?
– Environment: What are the conditions in which the process operates, such as
location, temperature and workplace culture?

06.12.2020 22
Cause and effect diagram (Fishbone diagrams)

06.12.2020 23
Identify risks – RISK REGISTER
 Risk Assessment: Techniques

➢ Perform Quantitative Risk Analysis: bring a high degree of

precision in the risk assessment. Not always can be
implemented.

➢ Perform Qualitative Risk Analysis when:

• risks cannot be assessed through quantitative process
• We don’t have credible information available to lead to the
quantification
• the process of getting data and perform analysis is not effective
in terms of costs involved.
 Risk analysis (I)

• Risks are measured in terms of impact and probability of

occurrence.
– Scale of impact or consequence of a risk may vary depending
on the type of project on which the quantification is
performed.
– Timeframe that will be used to represent the probability of
occurrence/likehood of the identified risk should be
restricted to the timeframe needed to carry out the specific
project phase.
 Risk matrix

• Matrices are typically an array of cells presented as squares or

rectangles in rows and columns representing risk categories or
levels. Most matrices employ likelihood and consequence as their
x and y axes and therefore it is generally accepted that:
Risk = Likelihood (Probability of occurrence) * Consequence (Impact)
R=p*c
(Donoghue 2001; Standards Australia 2004; Cox 2009)
• Risk matrices are tools that allow the categorization of risk using,
for example, “high”, “medium” or “low”. (Pickering & Cowley, 2010)

06.12.2020 Project Management 27

 Probability and Impact Matrix

06.12.2020 Project Management 28

 Scale of values to identify the level of risk impact

Impact Consequence Description

1 – minimal Trivial The damage that could be produced by the relevant risk is
not significant.
2 - low Minor The risk will not substantially affect the objectives of the
business process, causing minimal effects in the event.

3 - medium Moderate The risk will cause some delays or failure to meet the
objectives, which can lead to potential damage.

4 - high Major The risk will cause the failure to achieve the projects
objectives, the damage can be high.
5 – very high Extreme The consequences of the occurrence of such an event could
result in generating particularly disastrous implications at
the level of the project.
Scale values to quantify the probability of risk occurrence

Probability Likelihood Description

1 – very low Rare The event than can produce the analyzed risk can occur
only in exceptional circumstances within the timeframe
of the project.

2 – low Unlikely The probability of occurrence in the timeframe is

considered rather small, but it is.

3 – medium Moderate It is possible that the risk can occur during the defined
timeframe for executing the project phases.

4 – high Likely Chances are high that risk triggering event to occur
within the timeframe analyzed.

5 – very high Very likely Expects risk almost certainly to occur within the
considered timeframe.
 Encoding risks

• Risks encoding can contain a sequential numbering of each risk identified

for each category used at the level of the company.
• The risks may be displayed in the corresponding cell of the risk matrix
according to the level of impact and probability of occurrence.
• S – strategic
• R – regulatory
• O – operational
• F - financial S1, R1 O1

S2
 Quantitative Risk Analysis

• Analyze numerically the probability and consequence of

each risk
• Monte Carlo analysis
• Decision Tree analysis on test
– Diagram that describes a decision and probabilities
associated with the choices
• Expected Monetary Value Analysis (EMV)
 Expected Monetary Value Analysis (EMV)
• Expected monetary value (EMV) is a statistical technique in risk
management that is used to quantify the risks, which in turn,
assists the project manager to calculate the contingency reserve.
• According to the PMBOK Guide 5th edition: “Expected monetary
value analysis is a statistical concept that calculates the average
outcomes when the future includes the scenarios that may or may
not happen.”

– It helps in calculating the amount required to manage all

identified risks.
– It helps in selecting the choice which involves less money to
manage the risks.
06.12.2020 33
Expected Monetary Value Analysis (EMV)

Expected Monetary Value (EMV) = Probability * Impact

• You can calculate the EMV of several risks separately and

add them all if you have multiple risks.
• As a remark you can calculate the EMV of all risks,
regardless of whether they are positive risks or negative
risks.
• The EMV will be negative if they are negative risks, and
the EMV will be positive if they are positive risks.

06.12.2020 34
Expected Monetary Value Analysis (EMV)
• The EMV concepts work well to calculate the contingency reserve
when you expect a lot of risks, because the more risks you identify,
the spread of the contingency reserve will be better among all
risks.
• If you have identified fewer risks, you will not get enough spread
and your reserve may dry up too soon or may not be large
enough to cover a single considerable risk.
• Positive risks also play a crucial role in calculating the contingency
reserve. You should identify and include the positive risks in
expected value calculations.
• EMV also helps you with selecting the best decision.

06.12.2020 35
 EMV examples - 1

1. You have identified risk with a 30% chance of

occurring. If this risk occurs, it may cost you 500
USD. Calculate the expected monetary value
(EMV) for this risk event.
Expected monetary value (EMV) = probability * impact

EMV = 0.3 * – 500 (cost) = – 150

EMV of the risk event is -150 USD

06.12.2020 36
 EMV Examples - 2
• You have identified an opportunity with a 40%
chance of happening. However, it may help you
gain 2,000 USD if this positive risk occurs.
Calculate the expected monetary value (EMV) for
this risk event.
EMV = 0.4 * 2,000 (gain) = 800

Hence, the expected monetary value (EMV) of the

risk event is 800 USD
06.12.2020 37
 EMV examples - 3
• During risk management planning, your team has identified
three risks with probabilities of 10%, 50%, and 35%.
– If the first two risks occur, they will cost you 5,000 USD and
8,000 USD; however, it will give you a benefit of 10,000 USD
if the third risk occurs.
– Determine the expected monetary value of these risk
events.
• EMV of the first event = 0.10 * (-5,000) = -500
• EMV of the second event = 0.50 * (-8,000) = -4,000
• EMV of the third event = 0.35 * 10,000 = 3,500
EMV of all three events = EMV of the first event + EMV of the second event +
EMV of the third event
EMV of all three events = – 500 – 4,000 + 3,500 = -1,000

06.12.2020 38
 Risk control

• Steps for monitoring and controlling the risk include:

– activities to decrease the likelihood of risk to an
acceptable level for the project or
– to decrease the impact level.

 Risk control procedures, including risk categories, risk statement

templates, probability and impact definitions and probability and
impact matrix

06.12.2020 Project Management 39

 Level of risk

• Risk appetite is a general, high-level description of the acceptable level of risk.

➢ For example, the sponsor is willing to accept little risk to the schedule on this project.
• Risk tolerance is more specific, as it refers to a measurable amount of acceptable risk.
➢ For example, our sponsor might be said to be willing to accept schedule risk of up to 10 days
on this project.
• Risk threshold is the specific point at which risk becomes unacceptable (the amount
of risk that is acceptable to an organization). Most organizations can accept minimal
overruns in schedule or cost, or minor changes to the scope.
➢ For example, the sponsor will not accept a risk of the schedule being delayed 14 days or longer.

Risk appetites, tolerances and thresholds vary depending on the individual or

organization and the risk area. Risk areas can include any project constrains!

06.12.2020 Project Management 40

 Risk strategies

• Negative Risks (or Threats)

– Avoid
– Transfer
– Mitigate
– Acceptance

• Positive Risks (or Opportunities)

– Exploit
– Share
– Enhance
– Acceptance
 Strategies for Negative Risks or Threats (I)

❖ Avoid - risk response strategy whereby the project team acts to

eliminate the threat or protect the project from its impact. It usually
involves changing the project management plan to eliminate the
threat entirely. Examples of this include extending the schedule,
changing the strategy, or reducing scope

❖ Transfer - risk response strategy whereby the project team shifts

the impact of a threat to a third party, together with ownership of the
response. Transferring the risk simply gives another party
responsibility for its management—it does not eliminate it.(ex.
assurance, sub-contracting)

06.12.2020 Project Management 42

 Strategies for Negative Risks or Threats (II)

❖ Mitigate - is a risk response strategy whereby the project team acts to reduce
the probability of occurrence or impact of a risk. It implies a reduction in the
probability and/or impact of an adverse risk to be within acceptable threshold
limits (probability/impact - reducing the expected monetary value of a risk
event by reducing the probability of occurrence).

❖ Accepting of the risk - This is often accomplished by developing a contingency

plan.
– Risk acceptance is a risk response strategy whereby the project team decides to
acknowledge the risk and not take any action unless the risk occurs. This strategy is
adopted where it is not possible or cost-effective to address a specific risk in any
other way. This strategy can be either passive or active.

06.12.2020 Project Management 43

 References

• Boldeanu D., Geambasu C., Tudor C. (2016) Modelarea proceselor şi managementul proiectelor în
administraţia publică, Editura ASE
• PMBOK (2013): A Guide to the Project Management Body of Knowledge: PMBOK Guide, Project Management
Institute, Incorporated, Jan 1, 2013, 5th edition
• Pickering , A., Cowley, S., 2010, “Risk Matrices: implied accuracy and false assumptions”, volume 2 issue 1
October 2010, Journal of Health & Safety Research & Practice, online at
https://sia.org.au/download/?key=0e567f849a126f4f02ab0ae4039bc7c5e1200a899747922531bd976dde971
8e823b72d12d937b9c161b433e233bc91950b
• *** http://www.humanasset.com/freebee/Freebee_Risk_Mangement_Overview_2014-05.pdf
• *** https://www.slideshare.net/Samuel90/risk-management-slides-4397491
• *** http://www.greycampus.com/opencampus/project-management-professional/risk-categories
• *** http://www.diycommitteeguide.org/resource/categories-of-risk
• *** http://www.justgetpmp.com/2012/02/probability-and-impact-matrix.html
• *** https://mindmappingsoftwareblog.com/fishbone-diagram/
• *** https://pmstudycircle.com/2015/01/a-short-guide-to-expected-monetary-value-emv/

06.12.2020 Project Management 44