Florida University Southeast, School of Professional Studies

Foundations of Project Management Course (FUSE-SPS-PM101)

Module 7: Project Risk Management

 Project Risk Management
Project Risk Processes
• Plan Risk Management
• Identify Risks
• Perform Qualitative Risk Analysis
• Quantitative Risk Analysis
• Plan Risk Responses
• Implement Risk Response
• Monitor Risk
Project Risk Management
 Project Risk Management
• Includes the processes of conducting risk management planning,
identification, analysis, response planning and controlling risk on a project.
• Its objective to the organization is to increase the likelihood and impact of
positive events and decrease the likelihood and impact of negative events.
• A proactive attempt to recognize and manage internal events and external
threats that affect the likelihood of a project’s success.
• What can go wrong (risk event).
• How to minimize the risk event’s impact (consequences).
• What can be done before an event occurs (anticipation).
• What to do when an event occurs (contingency plans).
 Project Risk Management
• Known risks are those that have been identified and analyzed, making it possible to plan
responses for those risks
Project risk is an
• Known risks that cannot be managed proactively, should be assigned a contingency uncertain event
reserve or condition
• Unknown risks cannot be managed proactively and therefore may be assigned a that, if it occurs,
management reserve has a positive or
• A negative project risk that has occurred is considered an issue negative effect
on one or more
project
Classification of risk attitudes objectives such
as scope,
Risk appetite - the degree of uncertainty an entity is willing to take on in anticipation
schedule, cost,
of a reward and quality.
Risk tolerance - the degree, amount, or volume of risk that an organization or individual
will withstand
Risk threshold - refers to measures along the level of uncertainty or the level of impact at
which a stakeholder may have a specific interest. Below that risk threshold, the organization
will accept the risk. Above that risk threshold, the organization will not tolerate the risk
 Key Concepts for Project Risk Management
• All projects are risky since they are unique undertakings with varying degrees
of complexity that aim to deliver benefits.

• Aims to identify and manage risks that are not addressed by other
project management processes.
• Addresses both levels of risk in projects including

• Individual project risk- an uncertain event or condition that, if it concurs,

has a positive or negative effect on one or more project objectives

• Overall project risk – is the effect of uncertainty on the project as a whole,

arising from all sources of uncertainty including individual risks, representing
the exposure of stakeholders to the implications of variations in project
outcome, both positive and negative.
 Trends and Emerging Practices
• Trends and emerging practice for project risk management include
• Non-event risks

• Variability risk – uncertainty exists about some key characteristics of a planned event or
activity or decision.
• Ambiguity risk – uncertainty exists about what might happen in the future
• Project resilience
• Integrated risk management
• Tailoring Considerations
• Project size | Project complexity |Project importance | Development approach
• Consideration for Agile/Adaptive Environments
• High-variability environments, by definition, incur more uncertainty and risk.
• To address this, projects managed using adaptive approach make user of frequent review of
incremental work products and cross-functional project teams to accelerate knowledge
sharing and ensure that risk is understood and managed.
 Plan Risk Management
• The process of defining how to conduct risk management activities for a project.

Inputs:
• Project management
plan
Tools & Techniques:
• Project charter Outputs:
• Project documents • Data analysis
• Expert judgment • Risk management plan
• Enterprise
environmental • Meetings
factors
• Organizational
process assets

• The key benefit of this process is it ensures that the degree, type, and visibility of
risk management are commensurate with both the risks and the importance of the
project to the organization.
 Plan Risk Management - Inputs

Project Management
Enterprise Environmental Factors
Plan
Project Documents
Organizational Process Assets
Project Charter
• Risk categories
• Common definitions of concepts and
terms
• Risk statement formats
• Standard templates
• Roles and responsibilities
• Authority levels for decision-making
• Lessons learned
Plan Risk Management – Tools and Techniques

Data Analysis Meetings

Used to understand and
define the overall risk
management context of Expert Judgment
the project • Senior management
• Project stakeholders
• Project managers who have worked on
projects in the same area
• Subject matter experts (SMEs) in
business or project area
• Industry groups and consultants
• Professional and technical associations
 Plan Risk Management – Outputs (RMP)

Methodology: Defines the

approaches, tools, and data sources that
Revised stakeholders’ tolerances
will be used
Roles and responsibilities: Defines the
lead, support, and risk management Reporting formats
team members
Budgeting: Estimates funds needed, based
on assigned resources, for inclusion in
the cost baseline Tracking: Documents how risk activities
Timing: Defines when and how often the will be recorded for the benefit of the
risk management processes will current project and how risk management
be performed processes will be audited
Risk categories: Provide a means
for grouping potential causes of risk
Definitions of risk probability and Probability and impact matrix: A
grid for mapping the probability of each risk
impact: General definitions of probability occurrence and its impact on project
levels and impact levels are tailored to objectives if that risk occurs
the individual project
Risk Breakdown Structure (RBS)

The RBS is
hierarchical
representation of
risks according to
their risk categories.
Definition for Risk Probability and Impact
Probability and Impact Matrix
 Identify Risk
• The process of determining which risks may affect the project and documenting their
characteristics. This is an iterative process as new risks may evolve or become known as
the project progresses

Inputs:
Tools & Techniques: Outputs:
• Risk management plan
• Project documents • Expert judgment • Risk register
• Agreements • Data gathering • Risk report
• Procurement documentation • Data analysis • Project document
• Enterprise environmental factor • Interpersonal and team updates
• Organizational process assets skills
• Prompt lists
• Meetings

• The key benefit of this process is the documentation of existing individual project risks and
the sources of overall project risk
 Identify Risk – Inputs

Project Documents Scope baseline

Risk Management Plan Activity cost estimates

Activity duration
Cost Management Plan
estimates
Human Resource Enterprise Environmental Organizational Process
Management Plan Factors Assets
Schedule Management • Published information, • Project files, including
Plan including commercial actual data
Quality Management databases
Plan • Organizational and project
Activity Duration • Academic studies process controls
Estimates • Published checklists • Risk statement formats or
templates
Procurement Documents • Benchmarking
• Industry studies • Lessons learned
• Risk attitudes
 Identify Risk – Tools and Techniques

Meetings

Prompt Lists
Expert Judgment
Interpersonal and Team Skills

Data Analysis
• Root cause analysis Data Gathering
• Assumption and constraint • Brainstorming
analysis • Checklists
• SWOT analysis • Interviews
• Document analysis
 Identify Risk – Outputs
• Risk Register
• The risk register is a document in which the results of risk analysis and
risk response planning are recorded. It contains the outcomes of the
other risk
management processes.
• List of identified risks - The identified risks are described in as much
detail as is reasonable.
• Potential risk owners | List of potential responses - Potential responses
to a risk may sometimes be identified during the Identify Risks process.
• Risk Report
• Present information on sources of overall project risk, together with
summary information on identified individual project risks.
• Developed progressively throughput the project risk management process
• Includes
• Sources of overall project risk | Summary information
• Project Document Updates
 Identify Risk – Outputs

Risk Register
Impact

ID Risk Statement Probability Scope Quality Schedule Cost Response Responsible Party

Project owner on the

1 Low X Orient new project owner. Project Manager
client side is replaced.

Senior programmer is Find replacement

2 Medium X X Project Manager
taken from the project. programmer.

External system A is not

Discuss with stakeholders and
3 ready in time to High X X X Project Manager
make adjustments as agreed.
implement feature B.
 Perform Qualitative Risk Analysis
• The process of prioritizing risks for further analysis or action by assessing and
combining their probability of occurrence and impact.

Tools & Techniques:

Inputs: • Expert judgment
• Project management plan • Data gathering Outputs:
• Project documents • Data analysis • Project document
• Enterprise environmental factors • Interpersonal and team skills updates
• Organizational process assets • Risk categorization
• Data representation
• Meetings

• The key benefit of this process is that it enables project managers to reduce the level
of uncertainty and to focus on high-priority risks.
 Perform Qualitative Risk Analysis - Inputs

• Risk Management Plan

• Project documents
• Assumption log |Risk register |Stakeholder register
• Enterprise Environmental Factors
• Industry studies of similar projects by risk specialists, and
• Risk databases that may be available from industry or
proprietary sources.
• Organizational Process Assets
Perform Qualitative Risk Analysis – Tools and Techniques
• Expert Judgment
•Previous similar projects | Qualitative risk analysis
• Data Gathering
- Risk data quality assessment
- Risk probability and impact assessment
- Assessment of other risk parameters
• Urgency | Proximity | Dormancy | Manageability |
Controllability
• Detestability | Connectivity | Strategic impact |Propinquity
• Interpersonal and Team Skills
• Risk categorization
• Source of risk ( using risk breakdown structure) | The area of the
project affected | Other useful categories
Refer to page 424 of
the PMBOK
for further reading
Perform Qualitative Risk Analysis – Tools and Techniques (cont’d)
• Data Representation
•Probability and impact matrix – a grid for mapping the probability of each risk
occurrence and its impact on project objectives if that risk occurs
•Specifies combinations of probability and impact that allow individual
project risks to be divided into priority groups
•The probability of occurrence for each individual project risk is assessed as
well as its impact on one of more project objective if it does occur, using
definitions of probability and impact for the project as specified in the risk
management plan.
•Hierarchical Charts – When risks have been categorized using more than two
parameters, the probability and impact matrix cannot be used and other
graphical representations are required
•Bubble Chart : helps to display three dimension of data where each risk is
plotted as a disk (bubble) and the three parameters are represented by the
x-axis value, the y-axis value, and the bubble size
• Meetings
Perform Qualitative Risk Analysis – Tools and Techniques (cont’d)

• Risk Categorization
• Risks can be categorized by
• Sources of risk (example - using the RBS)
• The area of the project affected (example - using the WBS)
• Other useful categories (example - project phase)
• Common root causes
• Risk Urgency Assessment
• Risks requiring near-term responses may be considered more urgent to
address
• Indicators of priority may include
• Probability of detecting the risk
• Time to affect a risk response
• Symptoms and warning signs
• Risk rating
• Expert Judgment
Bubble Chart
Perform Qualititative Risk Analysis - Outputs

• Project Document Updates

• Assumption logs
• Issue log
• Risk resister
• Risk Report
 Perform Qualitative Risk Analysis
Perform Quantitative Risk Analysis is the process of numerically analyzing the
combined effect of identified individual project risks and other sources of
uncertainty on overall project objectives..

Inputs: Tools & Techniques: Outputs: The key benefit of

• Project management • Expert judgment • Project document this process is
plan • Data gathering updates that it produces
• Project documents • Interpersonal and quantitative risk
• Enterprise environmental team skills information to
factors • Representations of support decision
• Organizational process uncertainty making in order
assets • Data analysis to reduce project
uncertainty.
Perform Qualitative Risk Analysis - Inputs

Project
Management Plan

Project
Documents

Enterprise
Environmental
Factors

Organizational
Process Assets
Perform Qualitative Risk Analysis – Tools and Techniques

Representation of
Data Gathering Uncertainty Expert Judgment

Interpersonal and Team Skills Data Analysis

 Data Analysis
• Simulation : Quantitative risk analysis uses a model that combined effects of
individual project risks and other sources of uncertainty to evaluate their potential
impact on achieving project objectives
• Monte Carlo is one of the simulation models used to analyze cost risk
 Sensitivity Analysis
• Sensitivity analysis helps to determine which risks have the most potential impact
on the project
• It helps to understand how the variations in project’s objectives correlate with
variations in different uncertainties
• One typical display of sensitivity analysis is the tornado diagram shown below
 Decision Tree Analysis
• A decision is being made whether to invest $120M US to build a new plant
or to instead invest only $50M US to upgrade the existing plant.
 Influence Diagram
• Influence Diagrams – Graphical aids to decision making under uncertainty. It
represents a project or situation within the project as a set of entities, outcomes and
influences, together with the relationships and effects between them.
 Perform Qualitative Risk Analysis - Outputs
Probabilistic analysis of the project - Estimates are made of potential project
schedule and cost outcomes listing the possible completion dates and costs with
their associated confidence levels

Probability of achieving cost and time objectives - With the risks facing the project,
the probability of achieving project objectives under the current plan can be
estimated using quantitative risk analysis results

Prioritized list of individual project risks - This list includes those risks that pose the
greatest threat or present the greatest opportunity to the project

Trends in quantitative risk analysis results - A trend may become apparent as the
analysis is repeated, that leads to conclusions affecting risk responses

Assessment of overall project risk exposure

Recommended risk response
 Plan Risk Response
• The process of developing options and actions to enhance opportunities and to
reduce threats to project objectives.
The key benefit of
Inputs: Tools & Techniques: Outputs: this process is that it
• Project • Expert judgment • Change requests addresses the risks
management plan • Data gathering • Project by their priority,
• Project documents • Interpersonal and management plan inserting resources
• Enterprise team skills updates and activities into
environmental • Strategies for • Project documents the budget, schedule
factors threats updates and project
• Organizational • Strategies for management plan as
process assets opportunities needed.
• Contingent
response strategies
• Strategies for
overall project risk
• Data analysis
• Decision making
 Plan Risk Responses - Inputs

Project Management Plan Project Documents

• Lessons learned register
• Risk management plan • Project schedule
• Resource management • Project ream assignments
plan • Resource calendars
• Cost baseline • Risk register
Enterprise Environmental
• Risk report
Factors • Stakeholder register
Organizational Process Assets
 Plan Risk Responses – Tools and Techniques

• Expert Judgment
•Threat response strategy

•Opportunity response strategy

•Contingent response strategies

•Overall project risk response strategies

• Data Gathering
• Interpersonal and Team Skills
Plan Risk Responses – Tools and Techniques (cont’d)
Strategies for Threats
•Escalate – is appropriate when the project team or the project sponsor
agrees that a threat is outside the scope of the project.
•Avoid - involves changing the project management plan to eliminate the
threat entirely
•Transfer - shifts the impact of a threat to a third party in exchange for a
payment
•Examples - insurance, performance bonds, warranties, guarantees
•Mitigate - Taking early action to reduce the probability and/or impact of a risk
occurring on the project
•Example - designing redundancy into a system may reduce the impact from
a failure of the original component
•Accept – acknowledge the risk and not take any action unless the risk
•Active Acceptance involves setting aside a contingency reserve occurs
Plan Risk Responses – Tools and Techniques (cont’d)
Strategies for Positive Risks or Opportunities

•Escalate – This risk response strategy is appropriate when the project

team or the project sponsor agrees that an opportunity is outside the
scope of the project or that the proposed response would exceed the
project manager’s authority.
•Exploit - seeks to eliminate the uncertainty associated with a
particular upside risk by ensuring the opportunity definitely happens
•Enhance - used to increase the probability and/or the positive impacts of
an opportunity
•Share - involves allocating some or all of the ownership of the
opportunity to a third party who is best able to capture the
opportunity
•Accept - willing to take advantage of the opportunity if it arises, but not
actively pursuing it
Plan Risk Responses – Tools and Techniques (cont’d)

Strategies for Overall Project Risk

•Avoid
• Exploit
•Transfer/share
• Mitigate/enhance
•Accept
 Plan Risk Responses - Outputs

Project Management Plan Updates Project Documents Updates

• Schedule management plan • Assumptions log updates

• Cost management plan • Cost forecasts
• Quality management plan • Lessons learned register
• Procurement management plan • Project schedule
• Human resource management plan • Project team assignments
• Scope baseline • Risk register
• Schedule baseline • Risk repot
• Cost baseline
 Implement Risk Responses
Implement Risk Responses is the process of implementing agreed-upon risk response
plans.

Inputs: Tools & Techniques: Outputs:

• Project • Expert judgment • Change requests
management plan • Interpersonal and • Project documents
• Project documents team skills updates
• Organizational • Project
process assets management
information system
Implement Risk Response - Inputs

Project Management Plan

Project Documents

Organizational Process Assets

Implement Risk Response – Tools and Techniques

Expert Judgment

Interpersonal and Team

Skills

Project Management
Information System
Implement Risk Response - Outputs

Change Requests

Project Document
Updates
 Monitor Risks
• The process of monitoring the implementation of agreed-upon risk response plans,
tracking identified risks, identifying and analyzing new risks, and evaluating risk
process effectiveness

Inputs: Tools & Techniques: Outputs:

• Project • Data analysis • Work
management plan • Audits performance
• Project • Meetings information
documents • Change requests
• Work • Project
performance data management
• Work plan updates
performance • Organizational
report process assets
updates
 Monitor Risks - Inputs

Project Management Plan • Deliverable status

• Schedule progress
Project Documents Work • Costs incurred

Performance Data

Work Performance Reports

Monitor Risks – Tools and Techniques

Data Analysis

Meetings
 Monitor Risks - Outputs

Work Performance Information

Recommended corrective actions
Recommended preventive actions
Change Requests
Project Management Plan Updates
Project Documents Updates Outcomes of risk reassessments, risk audits, and periodic risk reviews

Actual outcomes of the project’s risks and of the risk responses

Organizational Process Templates for the risk management plan, including the probability and
Assets Updates impact matrix and risk register,
Risk breakdown structure, and

Lessons learned from the project risk management activities.

 Residual Risk & Secondary Risk

Residual Risk: Residual risk is the amount of risk that remains after
a risk response, from the risk response plan, has been implemented.
Example: In a medical situation, residual risk remains after
attempting to cure someone.

Secondary Risk: Secondary risk is the jeopardy that results from

implementing a risk response. Example: In a medical situation, it is
the side effects from a treatment.