© Sean Whitaker 2016
Sean Whitaker, Pass the PMP® Exam, DOI 10.1007/978-1-4842-2074-0_9

9. Risk Management

Sean Whitaker, Christchurch, Canterbury, New Zealand
This chapter focuses on the topic of Project Risk Management; like the other knowledge areas, it begins with a process of planning, which produces a risk management plan. It then has four further planning processes—Identify Risks, Perform Qualitative Risk Analysis, Perform Quantitative Risk Analysis, and Plan Risk Responses—that iteratively develop and refine the risk register. It has a single monitoring and controlling process, Control Risks, which measures the actual risks versus the forecast risks and, if required, generates change requests.
The PMBOK® Guide Processes
Project Risk Management Knowledge Area
The six processes in the Project Risk Management knowledge area are as follows:
  • Plan Risk Management (planning process)
  • Identify Risks (planning process)
  • Perform Qualitative Risk Analysis (planning process)
  • Perform Quantitative Risk Analysis (planning process)
  • Plan Risk Responses (planning process)
  • Control Risks (monitoring and controlling process)

What Is Project Risk Management?

Project Risk Management is focused on the processes of developing a risk management plan and a risk register that outlines and identifies how you will deal with project risks or uncertainties. In order to do this effectively, you need to be able to define all potential risks, their causes, and their potential impact, and formulate strategies for dealing with them. After they are identified, you then monitor what you had forecast would occur in relation to risk and what is actually occurring, while looking out for new or changed risks.
Figure 9-1 shows the general linear and highly iterative process of planning for risk and developing the risk register.
Figure 9-1. A sequential and iterative process for risk management
All projects experience some degree of risk throughout the project life cycle. How you choose to identify and respond to risk reflects the level of risk tolerance that your project team or the wider organization has. If you have a low tolerance for risk, then you will either devote more time and energy to dealing with risks or choose not to undertake projects with high levels of risk. Conversely, if you have a high tolerance for risks, you will either devote less time to proactively planning for risks or choose to take on projects with high degrees of risk, perhaps seeking a high return. It is very important that the project manager spend time assessing the level of risk tolerance that key stakeholders such as your organization and the customer have, because this will affect how much time and effort goes into your risk management planning.
Exam Tip
If you are familiar with ISO 31000 Standard for Risk Management, much of this section will be familiar to you.
Risk is simply a measure of uncertainty that can affect the project either positively or negatively. For example, all the estimates you have done have some degree of uncertainty—either positive or negative—and this uncertainty represents risk that you need to account for and seek to manage.
Exam Tip
If you are having trouble understanding exactly what risk management is all about, simply substitute the word uncertainty for the word risk. Risk management focuses on acknowledging that there is uncertainty throughout the entire project and on planning how to deal with that uncertainty.
If you come across a question on the exam that hints at any amount of uncertainty, you should assume that you must perform some level of risk identification and analysis.
Risk, or uncertainty, can be positive or negative. If a factor is a potential positive risk, then it is viewed as an opportunity to be maximized through proper selection of risk-response strategies. If it is a negative risk, then it is a threat to the project, and your risk-response strategies should seek ways to minimize it. Most people tend to think of risks as purely negative events, and although the majority of risks may indeed be potentially negative, there are many positive risks. For example, there can be a risk that you will deliver the project under budget by careful procurement of goods and services, in which case you should seek to ensure that you maximize the chances of this risk occurring.
REAL WORLD
As a very general rule of thumb, I try to have about two-thirds of my project risk register focused on negative risks, or threats, and about one-third focused on positive risks, or opportunities. This is a very loose rule, and you may find that your projects differ depending on their industry, size, and complexity. The key point is to make sure you consider both negative and positive risks on your project.

Plan Risk Management

More Info
Plan Risk Management
You can read more about the Plan Risk Management process in the PMBOK Guide, 5th edition, in Chapter 11, section 11.1. Table 9-1 identifies the process inputs, tools and techniques, and outputs.
Table 9-1. Plan Risk Management Process
Inputs
  • Project management plan
  • Project charter
  • Stakeholder register
  • Enterprise environmental factors
  • Organizational process assets
Tools and Techniques
  • Analytical techniques
  • Expert judgment
  • Meetings
Outputs
  • Risk management plan
The Plan Risk Management process is a planning process with the risk management plan as its sole output. In order to develop a successful risk management plan, you first need to understand the general level of risk your project faces, as well as the project team’s or organization’s tolerance for risk. Because risk or uncertainty can occur in any part of the project, you need all the other management plans contained in the project management plan to ensure that you assess and consider all potential sources of risk.
The Plan Risk Management process covers the following planning domain task:
  • Task 10: Develop the risk management plan by identifying, analyzing, and prioritizing project risks, and defining risk response strategies, in order to manage uncertainty and opportunity throughout the project life cycle.

Inputs

The Plan Risk Management process uses some or all of the following inputs as part of the development of the risk management plan for the project.

Project Management Plan

The project management plan is useful as an input into the Plan Risk Management process because risk can occur at any point from any other aspect of the project. Thus, the already-developed subsidiary plans and baselines contained in the project management plan highlight areas of uncertainty that can be used to develop the risk management plan. The project management plan is an output from the Develop Project Management Plan process.

Project Charter

The project charter, depending on the form it takes, may contain initial descriptions and assessments of known or anticipated risks for the project that provide valuable information for the development of the risk management plan. The project charter is an output from the Develop Project Charter process.

Stakeholder Register

The stakeholder register identifies stakeholders in the project, records their roles and contact details, and documents their expectations, all of which are important in including stakeholders in the process of managing risk. The stakeholder register is an output from the Identify Stakeholders process.

Enterprise Environmental Factors

The specific enterprise environmental factor that is useful as an input into this process is the broader organizational tolerance for risk. Organizations with a low tolerance for risk put much more effort and energy into managing risk on a project, whereas organizations with a higher tolerance for risk and uncertainty expend less effort in managing risk and may take on higher-risk projects. International standards such as ISO 31000 may also affect how this process is carried out and, as such, constitute enterprise environmental factors.

Organizational Process Assets

The specific organizational process assets that may serve as important inputs in the development of your risk management plan include any templates, processes, or guidelines that the organization has for the development of a risk management plan and managing risk. Other important organizational process assets are, of course, lessons learned and historical information about successful or unsuccessful risk identification and management from past projects.

Tools and Techniques

The following tools and techniques are available to be used to develop the inputs in this process in order to produce the risk management plan.

Analytical Techniques

The main purpose of analytical techniques is to determine the approach to risk management on your project. This involves checking with stakeholders about their particular appetite and attitude toward risk on the project, and also completing a high-level assessment of risk exposure for the project. A typical analytical technique is a stakeholder risk profile analysis, which can be completed by interviewing individual stakeholders about their attitudes toward, and expectations of, the level of risk that is suitable for the project. Strategic risk scoring sheets are also used to provide a high-level view of the types and level of risk the project will encounter.

Expert Judgment

Expert judgment is an excellent tool to use when planning your approach to risk management. Using the knowledge and experience of subject matter experts is invaluable not only in your overall risk management plan but also in identifying and completing an analysis of risks. Suitable experts who may provide judgment include senior management, stakeholders with relevant experience, and external subject matter experts such as risk professionals, industry groups, and professional associations.
REAL WORLD
If your project is likely to be subject to a high number of complex risks, you may want to consider employing the services of a risk management professional. Just as the profession of project management requires a particular skill set, the profession of risk management also employs a particular skill set. I highly recommend using risk management professionals for dealing with complex risk issues.

Meetings

Meetings are a great way to bring together project team members, stakeholders, and other experts in order to consider how risk will be managed on the project. There are a number of ways you can run these meetings in order to efficiently get the information you require. They can be run formally with defined agendas and examination of reports, or they can be run as creative brainstorming sessions. The style of meeting you choose will reflect the participants and your intended outcomes.
REAL WORLD
I have often found that meetings are a great way to not only solicit technical input from people with relevant experience but also generate buy-in and commitment. This is especially important in the area of risk management, because giving team members and relevant stakeholders the opportunity to contribute to the management of project risk helps keep them involved and also allows them to understand the importance of being proactive rather than reactive when managing risk.

Outputs

After applying the appropriate tools and techniques to the selected inputs, the Plan Risk Management process has the following output.

Risk Management Plan

The Plan Risk Management process has the risk management plan as its sole output. Similar to other management plans, the risk management plan provides a guide for completing the project’s risk management activities. The risk management plan will probably contain information about the following:
  • The risk methodology and approach to be taken on the project.
  • The individual roles and responsibilities within the team and the wider group of stakeholders.
  • Any approved budgets for managing risk, which should then be included in the cost performance baseline.
  • An initial analysis of the individual risk categories using a risk breakdown structure (RBS). Figure 9-2 shows an example of a risk breakdown structure.
    Figure 9-2. The development of risk categories using a risk breakdown structure
Exam Tip
The RBS is one of four breakdown structures. The other three are the organizational breakdown structure, work breakdown structure, and resource breakdown structure. Each of the breakdown structures takes a high-level concept and breaks it down into its component parts.
  • A standardized definition of risk probability and impact, which is particularly useful for qualitative analysis because the analysis can be subjective. Figure 9-3 shows an example of a standardized definition of risk probability and impact.
    Figure 9-3. Standardized definitions of risk probability and impact
  • A probability and impact matrix, which is again useful for qualitative risk analysis because it allows you to focus risk activities on the positive or negative risks that present the greatest opportunity or threat. Figure 9-4 shows an example of a probability and impact matrix in which the highest risks are any with a combined probability and impact greater than 45%; these are colored dark grey.
    Figure 9-4. Probability and impact matrix
  • Any predefined formats, processes, guidelines, or templates for risk registers or tracking or reporting risks.
The risk management plan is a subsidiary of the project management plan and is used as an input into the other five risk management processes.
Quick Check
1. What is the main focus of the Plan Risk Management process?
2. Why is it important to also consider positive risk?
3. What other areas of the project management plan can risk affect?
Quick Check Answers
1. The main focus of the Plan Risk Management Process is to formulate your particular approach to how you will manage risks on your project. This is documented in the risk management plan.
2. Many people naturally consider risk a negative event; however, there are many positive risks, which can lead to a project being under budget, ahead of time, delivering greater quality, and delivering higher-than-expected stakeholder expectations.
3. Risk management can affect every other aspect of the project, because there is generally always uncertainty in all elements of your project.

Identify Risks

More Info
Identify Risks
You can read more about the Identify Risks process in the PMBOK Guide, 5th edition, in Chapter 11, section 11.2. Table 9-2 identifies the process inputs, tools and techniques, and outputs.
Table 9-2. Identify Risks Process
Inputs
  • Risk management plan
  • Cost management plan
  • Schedule management plan
  • Quality management plan
  • Human resource management plan
  • Scope baseline
  • Activity cost estimates
  • Activity duration estimates
  • Stakeholder register
  • Project documents
  • Procurement documents
  • Enterprise environmental factors
  • Organizational process assets
Tools and Techniques
  • Documentation reviews
  • Information-gathering techniques
  • Checklist analysis
  • Assumption analysis
  • Diagramming techniques
  • SWOT analysis
  • Expert judgment
Outputs
  • Risk register
The Identify Risks process is a planning process that uses a wide variety of inputs and tools and techniques to identify all the risks to the project. It is performed through the life of the project, and the risk register is always updated with newly identified risks or current risks that are reassessed by using the other risk planning processes.
The Identify Risks process covers the following planning domain task:
  • Task 10: Develop the risk management plan by identifying, analyzing, and prioritizing project risks, and defining risk response strategies, in order to manage uncertainty and opportunity throughout the project life cycle.
In addition to being performed throughout the life of the project, risk identification should be completed by all project team members and stakeholders with experience in the area. This enables you to draw on their skills and experience, and it also creates buy-in to the process of risk management. It is important to realize that the process of identifying risks is not a stand-alone process but one that involves many stakeholders in a constant state of communication to obtain their expertise and experience.
REAL WORLD
Despite your best efforts, you will probably miss certain risks. On a project I was working on, we spent a lot of time and money identifying risks for a particularly complex piece of work that was to occur over a five-day period. We used historical information, consulted experts, reviewed documents and plans, involved the project team members, and conducted tests to prepare what we thought was a completely comprehensive risk register. Within the first two hours of the five-day piece of work, a problem arose that we had not identified. We were able to respond to the situation well in this instance, and we used this information for a new risk register for a similar piece of work to be completed 12 months later. The main lesson we learned is that you need to be ready for the unexpected and not assume that your risk register captures every risk.
You should recognize from the range of inputs into the Identify Risks process that risk can occur in any other part of the project.

Inputs

The Identify Risks process uses some or all of the following inputs.

Risk Management Plan

The risk management plan is an essential input into the Identify Risks process because it contains information about your particular approach or methodology to identifying risks generally, and more specifically it contains information derived from the risk breakdown structure regarding already-identified risk categories. It also contains a description of the particular risk tolerance for the project, which will assist you in determining the effort you put into identifying particular risks. The risk management plan is an output from the Plan Risk Management process.

Cost Management Plan

The cost management plan contains cost estimates for all elements of the project, and these estimates should reflect the amount of uncertainty in the estimating process. Each of these areas of uncertainty, either negative or positive, represents a risk on the project. The cost management plan is an output from the Plan Cost Management process.
Exam Tip
All estimates are by their very nature uncertain. They are educated guesses of what the future will be, based on information in hand today. As such, any baselines, such as cost and time, that are built up using estimates will have a range of uncertainty, both negative and positive. On the exam, if you find the word uncertainty or estimate, you should assume that risk is present.

Schedule Management Plan

The schedule management plan refers to areas of uncertainty or risk in the development of the project schedule. This information can be used to identify risks associated with the project time frame. The schedule management plan is an output from the Plan Schedule Management process.

Quality Management Plan

The quality management plan identifies areas of uncertainty in the delivery of quality on the project. The quality management plan is an output from the Plan Quality Management process.

Human Resource Management Plan

The human resource management plan identifies areas of uncertainty with the definition, recruitment, retention, and development of project team members, all of which represent risks for the project and should be taken into account during the Identify Risks process. The human resource management plan is an output from the Plan Human Resource Management process.

Scope Baseline

The scope baseline, made up of the scope statement, the work breakdown structure (WBS), and the WBS dictionary, defines the work to be done on the project and also outlines any areas of uncertainty in the project scope that require further definition. These areas of uncertainty represent risk for the project and should be used to identify individual risks related to the project scope. The scope baseline is an output from the Create WBS process.

Activity Cost Estimates

Individual activity cost estimates include cost estimates for individual project activities. In addition to the actual dollar amount of the estimate, they record the information used and the assumptions made in preparing the estimates, which provides insight into the range of uncertainty in the estimate. This uncertainty represents risk for the project and should be included in the development of the risk register. Activity cost estimates are an output from the Estimate Costs process.

Activity Duration Estimates

Activity duration estimates contain information about the individual time estimates prepared for project activities. This estimating information should contain an indication of the range of uncertainty surrounding the estimate, which represents risk to the project. Activity duration estimates are an output from the Estimate Activity Durations process.

Stakeholder Register

The stakeholder register is extremely useful in identifying individual risks for two reasons. First, the stakeholder register allows you to interview individual stakeholders about their particular attitude toward risk. Second, each stakeholder can assist with identifying project risks from their own unique point of view. The stakeholder register is an output from the Identify Stakeholders process.

Project Documents

The specific types of project documents that are useful in the Identify Risks process are things such as work performance reports, network diagrams, and assumption logs, because they provide information about how the project is performing, the sequence of planned activities, and the assumptions made about different estimates, respectively.

Procurement Documents

Procurement documents are a key input into the Identify Risks process because they outline any contractual obligations that may contribute to uncertainty, and the value of this uncertainty. Procurement documents are an output from the Plan Procurement Management process.

Enterprise Environmental Factors

The specific types of enterprise environmental factors that are useful in managing project risk are any broader organizational attitude and tolerance for risk, and any external risk standards the organization is using.

Organizational Process Assets

The specific types of organizational process assets that will assist in managing project risk are any blank templates, historical information and lessons learned, and any project-specific policies and guidelines relating to risk management.

Tools and Techniques

The following tools and techniques are used on the inputs to deliver the Identify Risks process outputs.

Documentation Reviews

Documentation reviews refer to a structured analysis and review of all relevant project documents and the information they contain to detect any areas of uncertainty or risk on the project. The types of documents reviewed are any part of the project management plan or baselines, documents providing descriptions of any part of the project, and documents outlining the assumptions made in preparing estimates. Documentation reviews are generally carried out by the project manager and project team members.

Information-Gathering Techniques

There are many different ways to gather information in relation to project risk. Each has its own benefits and delivers a varying degree of accuracy and thoroughness. Examples of useful information-gathering techniques for the Identify Risks process include the following:
  • Brainstorming: This is an excellent way to encourage creative thinking about particular risk issues. The intended outcome is a comprehensive list of all potential risks.
  • Interviewing: Interviewing experts and people with experience in similar projects and the associated risks is an excellent way to quickly obtain relevant information.
  • Delphi technique: This is an extremely useful tool to use to solicit information from experts anonymously, to avoid peer pressure and groupthink. This is particularly useful when you are seeking to encourage a wide range of opinions and assessments of potential project risks.
REAL WORLD
One of the few times I’ve been involved as a participant in a Delphi technique was in the identification of risks on a large, complex IT project. To me as a participant, it was a complex process requiring significant thought, input, and review of other anonymous participants’ opinions. After the results were gathered and disseminated to participants, though, I could see that there had been an extremely comprehensive identification and assessment of all the potential risks that could affect this particular project.

Checklist Analysis

Checklist analysis uses historical information gathered from previous projects and presents a list of activities and items that must be checked off to ensure that they have been done as part of a thorough risk identification process.

Assumption Analysis

Any and all assumptions made about any aspect of the project represent uncertainty and therefore risk for the project. Therefore, gathering the assumptions log and testing its accuracy, stability, consistency, and completeness are essential parts of identifying project risks.

Diagramming Techniques

The use of diagramming techniques is an excellent way to graphically represent the process of identifying individual risks. Several diagramming techniques are particularly useful in the identification of risks. They include the cause-and-effect, Ishikawa, or fishbone diagram, which is extremely useful for getting to the root cause of project risks. You saw the use of this diagramming technique in Chapter 6, to determine the root cause of quality issues. Figure 9-5 shows a cause-and-effect diagram being used to identify risks associated with cost overruns on a project.
Figure 9-5. A cause-and-effect diagram for risk identification
Another useful diagramming technique is a flowchart, which can show how events are related to each other in a system. By analyzing how different activities or events are interrelated, you can recognize how risk can flow from one part of the project to another.
A third type of diagramming technique that is useful for the identification of risks is an influence diagram, which is a simple graphical representation of cause-and-effect relationships between sequential activities.

SWOT Analysis

A key element of any risk identification process is the use of SWOT analysis. SWOT stands for strengths, weaknesses, opportunities, and threats. The idea is to identify and document each of these four areas and then focus on your strengths while making provision for your weaknesses, prepare to take advantage of the opportunities that present themselves, and plan how to respond to identified threats. All of these are key elements in identifying risks.
REAL WORLD
I have successfully used SWOT analysis on many occasions to put a framework around a brainstorming session. Getting people to focus on current strengths, weaknesses, opportunities, and threats is an extremely easy way to start them thinking about uncertainty in the project.

Expert Judgment

The use of experts and their experience and skills in identifying risks is a key tool to be used during this process, because the identification of risks can be quite a complex process. By using the experience of project team members who may have done this sort of project before or external consultants with expertise in this particular area, you have a greater chance of identifying all the risks on the project.

Outputs

The Identify Risks process has the following single output.

Risk Register

The risk register is the single output from the Identify Risks process. The development of the risk register is highly iterative, and the risk register itself should be treated as a live document and reviewed regularly. It should be reviewed at all levels from testing the assumptions made right through to the qualitative and quantitative analysis applied to the identified risks. The actual risk register can take many forms depending on your organizational risk tolerance and any existing templates and guidelines. Figure 9-6 shows a generic form of risk register indicating risk identification, qualitative analysis, quantitative analysis, and risk responses.
Figure 9-6. A generic risk register
REAL WORLD
In addition to providing extremely valuable technical information about your assessment of risk on the project, the preparation and constant revisiting of the risk register keeps risk at the forefront of your project team’s minds. I have found time and effort invested in risk management to be useful not only from a technical point of view in managing risk, but also for obtaining buy-in and helping people to recognize the importance of proactive risk management.
Exam Tip
The risk register is perhaps the most iterative document in the project, because it is constantly undergoing review and being updated. On the exam, you should always assume that the risk register is being referred to frequently.
Quick Check
1. Why is the risk register considered a highly iterative document?
2. Who should be involved in the identification of risks?
3. What are three types of information-gathering techniques that can be used to identify risks?
Quick Check Answers
1. The risk register is a highly iterative document because you will always be updating it as information becomes available, assumptions made are tested and refined, and new risks are identified and old ones closed.
2. The project manager will take ultimate responsibility for the Identify Risks process. But the entire project team and relevant external experts should also be involved in the process.
3. Many types of information-gathering techniques are useful for many aspects of project management. Techniques specifically mentioned as useful for the Identify Risks process include brainstorming, the Delphi technique, interviewing, and root-cause analysis.

Perform Qualitative Risk Analysis

More Info
Perform Qualitative Risk Analysis
You can read more about the Perform Qualitative Risk Analysis process in the PMBOK Guide, 5th edition, in Chapter 11, section 11.3. Table 9-3 identifies the process inputs, tools and techniques, and outputs.
Table 9-3. Perform Qualitative Risk Analysis Process
Inputs
  • Risk management plan
  • Scope baseline
  • Risk register
  • Enterprise environmental factors
  • Organizational process assets
Tools and Techniques
  • Risk probability and impact assessment
  • Probability and impact matrix
  • Risk data quality assessment
  • Risk categorization
  • Risk urgency assessment
  • Expert judgment
Outputs
  • Project document updates
The Perform Qualitative Risk Analysis process is a planning process focused on assigning a qualitative, or subjective, analysis of probability and impact to all identified risks.
The Perform Qualitative Risk Analysis process covers the following planning domain task:
  • Task 10: Develop the risk management plan by identifying, analyzing, and prioritizing project risks, and defining risk response strategies, in order to manage uncertainty and opportunity throughout the project life cycle.
Exam Tip
The key difference between qualitative and quantitative assessment is that qualitative assessment is subjective—that is, it uses opinion and experience—and is done quickly. On the other hand, quantitative assessment involves actual data and figures to support a more objective assessment. For example, you may do a qualitative assessment that the chance of it snowing in winter during your construction project is 7 out of 10 (1 being that it definitely will not snow, and 10 being that it definitely will snow) and that the impact if it does snow is 6 out of 10 (1 being no impact at all, and 10 being a catastrophic impact). This gives a total qualitative assessment of 42 out of a possible 100. You may then decide to spend some time and money doing quantitative risk analysis on this risk and contact the local weather bureau, which tells you that there is a 0.831 chance of it snowing on those dates; in addition, your team members tell you that if it does snow, you will suffer a $10,000 loss. This gives you a total quantitative assessment of $8,310. You can see that quantitative assessment takes more time and money to get the information, but it is more accurate.
The process of qualitative risk analysis is generally done on all identified risks because it is quick and easy. It is simply a matter of assigning a subjective assessment of the probability of the risk occurring and also assigning a subjective assessment of the impact of the risk, using defined scales. The scales used can be numerical, such as 1–10, or text based, such as low, very low, high, and so on.
When these two factors are multiplied together, the result is an individual qualitative risk score for each identified risk, which you can use to prioritize the risks and choose to focus on those that rank the highest. Additionally, you will go on to perform quantitative risk analysis only on those risks that score the highest.

Inputs

The following inputs are used in the Perform Qualitative Risk Analysis process.

Risk Management Plan

Obviously one of the key inputs into any of the other risk management planning processes is the risk management plan because it contains information about how each risk management process, including the Perform Qualitative Risk Analysis process, will be performed. The risk management plan is an output from the Plan Risk Management process.

Scope Baseline

The scope baseline is an important input into the Perform Qualitative Risk Analysis process because it describes all the work to be done and the work not to be done on the project. With this description of the work, you get a full picture of the elements of the scope that are clear and defined, along with those elements of the scope that are still uncertain and ill-defined and that represent risk on the project that needs to be analyzed. The scope baseline is an output from the Create WBS process.

Risk Register

The risk register is a key input into the Perform Qualitative Risk Analysis process because, in its first iteration, it is a list of all the risks that have been identified. The continual development of the risk register includes qualitative risk analysis performed not only once, but on an ongoing basis as new information, new risks, and assumptions are refined. The risk register is an output from the Identify Risks process.

Enterprise Environmental Factors

The specific types of enterprise environmental factors that are useful as inputs into the Perform Qualitative Risk Analysis process are any external industry standards, such as ISO 31000, and any external information held by risk professionals, such as risk databases and information about the analysis of individual risks.

Organizational Process Assets

The specific organizational process assets that are of use in the Perform Qualitative Risk Analysis process are any historical information the organization has about similar risks and their probability and impact, and any pre-prepared templates and processes to assist in the qualitative analysis of individually identified risks.

Tools and Techniques

The following tools and techniques of this process can be used on the separate inputs to deliver the Perform Qualitative Risk Analysis process outputs.

Risk Probability and Impact Assessment

The primary tool used in the Perform Qualitative Risk Analysis process is risk probability and impact assessment. The key here is to assess each identified risk and assign to it a probability of the risk occurring and an assessment of the impact if the risk does occur, by using a standardized scale that should be included in the risk management plan. Because it is a qualitative analysis, several kinds of numerical scales or text descriptions can be used to standardize the responses assessing probability and impact.
Because the assessments of probability and impact being made are qualitative and therefore somewhat subjective, it is important during this process to document assumptions that are made based on the information available at the time the assessment is done. Throughout the course of the project, you will revisit these assumptions, and you will gain further information, which may change either the assessment of risk probability or its impact.
REAL WORLD
There are many different ways to assess qualitative probability and impact on projects. In my career, I have used simple numerical scales from 1 to 5, and text-based descriptions such as likely, unlikely, and highly likely.

Probability and Impact Matrix

A probability and impact matrix standardizes and identifies risks after they have had a probability and impact assessment performed on them so that individual risks can be ranked very quickly. Figure 9-4, shown earlier in this chapter in the “Plan Risk Management” section, presented an example of a probability and impact matrix as a key component of the risk management plan.

Risk Data Quality Assessment

A key element when performing any sort of risk assessment is the quality of the information being used. Obviously, if poor-quality information is being used, your subsequent assessment will be poor. Therefore, it is important to use a risk data quality assessment technique to evaluate the quality of the data being used to make the assessment.
REAL WORLD
In my experience, the quality of information that you use to identify and analyze risks definitely gets better over time, especially if you are doing particular types of work for the first time and you are constantly learning and refining the information you have on hand.

Risk Categorization

A useful way of representing and presenting the qualitative risk analysis is with risk categorization techniques, which you can use to sort risks into categories for easy monitoring and reporting. An excellent example of risk categorization is the risk breakdown structure (RBS) shown earlier, in Figure 9-2. You may also choose to categorize risks by project phase or by relevance to particular stakeholders. However you choose to categorize risks, you should be able to present them in a document or graphically.

Risk Urgency Assessment

A risk urgency assessment is a tool that takes into account not only an assessment of the probability and impact of the risk, but the urgency of the risk. Urgency has to do with whether the risk is likely to occur in the near future, in which case you have a high degree of urgency compared to risks that may not manifest until a later point in time. Risks that may occur in the near future need the greatest attention paid to them. Risks that may occur further off in the project timeframe can have less attention paid to them.

Expert Judgment

Again, the use of expert judgment is an exceptionally good way to bring a robust level of analysis to your Perform Qualitative Risk Analysis process. Your choice of experts, and the way in which you choose to solicit information from them, will be an important factor in the quality of the advice given.
REAL WORLD
It is always important to give a high degree of consideration when selecting people to consult with as experts. The types of things you may want to consider are their level of experience, willingness to share this experience, availability, and ability to share information concisely, and any costs associated with the use of those experts.

Outputs

The sole output from the Perform Qualitative Risk Analysis process is the following.

Project Document Updates

The specific project documents that will be updated are the risk register and the assumptions log. Any time you complete any new qualitative risk assessments or revise existing qualitative risk assessments based on refined or new information, you need to update the risk register. In addition to updating the risk register with new or revised information, you must update the assumptions log to reflect the new assumptions that have been made.
Quick Check
1. What is the main difference between qualitative risk assessment and quantitative risk assessment?
2. What sort of probability and impact assessment is best used for the Perform Qualitative Risk Analysis process?
3. How does risk urgency assessment differ from risk probability and impact assessment?
Quick Check Answers
1. The main difference between qualitative risk assessment and quantitative risk assessment is that qualitative risk assessment uses subjective assessments of probability and impact, whereas quantitative risk assessment uses objective assessments of probability and impact, usually quantifying them in terms of money or time.
2. There is no one best type of probability and impact assessment to use in the Perform Qualitative Risk Analysis process. The decision whether to use numerical scales or text-based descriptions of qualitative risk analysis is entirely up to you and depends on what is appropriate for your project.
3. Risk urgency assessment takes into account the timeframe in which the risk may manifest, with risks that may manifest in the near future having a higher urgency than risks that may occur in the longer term. Risk probability and impact assessment is applied to all risk and simply assesses the probability of the risk occurring and the impact if it does occur.

Perform Quantitative Risk Analysis

More Info
Perform Quantitative Risk Analysis
You can read more about the Perform Quantitative Risk Analysis process in the PMBOK Guide, 5th edition, in Chapter 11, section 11.4. Table 9-4 identifies the process inputs, tools and techniques, and outputs.
Table 9-4. Perform Quantitative Risk Analysis Process
Inputs:
• Risk management plan
• Cost management plan
• Schedule management plan
• Risk register
• Enterprise environmental factors
• Organizational process assets
Tools and Techniques:
• Data gathering and representation techniques
• Quantitative risk analysis and modeling techniques
• Expert judgment
Outputs:
• Project document updates
The Perform Quantitative Risk Analysis process is a planning process focused on the development of a quantitative, or objective, assessment of individual risk probability and impact, often by using a metric based on money or time.
The Perform Quantitative Risk Analysis process covers the following planning domain task:
  • Task 10: Develop the risk management plan by identifying, analyzing, and prioritizing project risks, and defining risk response strategies, in order to manage uncertainty and opportunity throughout the project life cycle.
Performing quantitative risk analysis generally takes more effort than performing qualitative risk analysis and assessment, and therefore it is generally performed on risks that are identified as having a higher probability and impact on the project. The intended outcome of the quantitative risk assessment process is to assign a dollar or time amount to specific risks if they occur. You can then aggregate all these individual quantitative estimates to build contingency reserves for time or cost. Because of the complexity of the tools and techniques and information required for successful quantitative risk analysis, it is often done by risk professionals who have experience and access to relevant historical information that can be used in the analysis.

Inputs

The following inputs are used in the Perform Quantitative Risk Analysis process.

Risk Management Plan

The risk management plan outlines the particular way in which you will approach the process of quantitative risk analysis and, as such, it is an extremely important input to assist in the completion of this process. The risk management plan is an output from the Plan Risk Management process.

Cost Management Plan

The cost management plan is a useful input into the Perform Quantitative Risk Analysis process because it outlines how financial reserves will be developed and managed. One of the key metrics used in quantitative risk analysis is the use of dollar amounts; cumulatively, the individual dollar amounts can be added up to become a cost reserve for the project. The cost management plan is an output from the Plan Cost Management process.

Schedule Management Plan

Like the cost management plan, the schedule management plan provides guidelines for the development and management of a schedule reserve, which is calculated with quantitative risk analysis by using time as a metric. The schedule management plan is an output from the Plan Schedule Management process.

Risk Register

The risk register, from the moment it first appears and throughout its subsequent iterations, is an essential input into the Perform Quantitative Risk Analysis process because the outputs from this process update the risk register with specific information about individual risk assessment. The risk register is an output from the Identify Risks process.

Enterprise Environmental Factors

The specific enterprise environmental factors that are useful in the Perform Quantitative Risk Analysis process are any external industry standards such as ISO 31000 and any risk databases held by risk professionals.

Organizational Process Assets

The specific organizational process assets that are of use in the Perform Quantitative Risk Analysis process are any historical information the organization has regarding previous experience with performing quantitative risk analysis and, of course, any blank templates or guidelines the organization has for completing the Perform Quantitative Risk Analysis process.

Tools and Techniques

The following tools and techniques of this process can be used on the separate inputs to deliver the Perform Quantitative Risk Analysis process outputs.

Data Gathering and Representation Techniques

A key technique to assist with the execution of the Perform Quantitative Risk Analysis process is the use of data gathering and representation techniques. The purpose of using these techniques is to obtain relevant and accurate data that can then be assessed to develop the quantitative metrics of risk probability and impact. These data gathering and representation techniques include the following:
  • Interviewing techniques that draw on the experience and skills of experts. The type of information that you seek from experts is their own quantitative assessment of probability and impact of particular risks. You may end up with a range of responses and thus may want to consider the use of three-point estimating, which was covered in the cost and time estimating processes in Chapter 4 and Chapter 5.
  • Established statistical probability distributions. There are many types of probability distributions, but the most commonly used are normal distributions, beta distributions, triangular distributions, and uniform distributions, each with its own statistical distribution of data that can be used to quantify a particular risk probability or impact and the associated range of data. The type of distribution you use should be based on professional experience and historical information, in order to make sure it is valid.

Quantitative Risk Analysis and Modeling Techniques

In quantitative risk analysis and modeling techniques, sophisticated statistical and mathematical approaches are applied to the calculation and range of risk probability and impact. A variety of techniques can be used, but because of their sophistication, they are usually carried out using software. Of the available types of quantitative risk analysis and modeling techniques, the following are the most popular and useful for quantitative risk analysis:
  • Sensitivity analysis: A technique that looks at different aspects of the project and how they have an impact on project risk, to determine which parts of the project are most sensitive to risk. It may, for example, determine that issues around cost are more sensitive to risk and, more specifically, that cost issues related to inflationary pressures on materials over time are most at risk. Sensitivity analysis is a highly complex set of calculations using software and, as such, generally requires specialized knowledge and expertise to carry out.
  • Tornado diagrams: Often used to present the results of sensitivity analysis. A tornado diagram is a histogram or bar chart where the data categories are listed vertically instead of horizontally, with the largest category at the top and the other categories in order of descending size, giving the diagram the appearance of a tornado. Figure 9-7 shows an example of a tornado diagram presenting the results of sensitivity analysis to show which parts of the project are most sensitive to risk, judged by the quantitative impact they will have on the net present value (NPV) of the project.
    Figure 9-7. An example of a tornado diagram showing how different risks may impact the project’s net present value
  • Expected monetary value analysis (EMV): A way to allocate quantitative numerical probability and impact to particular options and from this to arrive at the expected monetary value of each option. Depending on the calculated outcome, you can then quantify your decision. The usual way of graphically representing the EMV analysis is with the use of decision trees. In Figure 9-8, a decision tree shows the calculation of EMV regarding whether to upgrade existing customer ordering software or to develop a completely new piece of software.
    Figure 9-8. A decision tree analysis for assessing the expected monetary value of building new software or upgrading existing software
Figure 9-8 shows that for either decision, there is an 80% chance of high customer use and a 20% chance of low customer use. If you decide to build new software, it will cost $50 million, and if there is high customer use, you will make $100 million, so there is an 80% chance of making a net figure of $50 million. By the same token, if you decide to build new software at a cost of $50 million, and there is low customer use, you will only make $60 million, so there is a 20% chance of making a net figure of $10 million. You then add these two calculations together
$$ \left(0.8\times \$50m\right)+\left(0.2\times \$10m\right) $$
to get an EMV of $42 million.
The other option is to upgrade the existing software, which will cost $30 million and has an 80% chance of making a net figure of $30 million and a 20% chance of making a net figure of $5 million. Therefore, the EMV for this decision is
$$ \left(0.8\times \$30m\right)+\left(0.2\times \$5m\right)=\$25m $$
By using this form of quantitative risk analysis, you can recognize that the best decision is to take the option with the greater EMV, which is to build new software. What is also apparent in this example is that the quality of the calculated outcome is only as good as the quality of the information going into the model. This is another example of why it is important to document the assumptions you make, so that if any of this changes in the future, you can quickly recalculate.
Exam Tip
You may have to calculate a decision tree on the exam, so remember to multiply the probability of each outcome by its net value—cost minus income.
  • Modeling and simulation: Includes Monte Carlo analysis, which is the most common type. In the Monte Carlo technique, all potential outcomes are modeled and computed many times, with different input values, to assess the most likely outcomes—that is, those with the highest probability—and to come up with a probability distribution (normal, uniform, or beta) associated with each of these outcomes. By using Monte Carlo analysis, you can find the likely probability of many different risks, and this allows you and your team to determine which risks will have the greatest or least chance of occurring. It is a highly sophisticated form of mathematical modeling and requires the use of software.
Exam Tip
If a question on the exam refers to mathematical modeling of risks, it is referring to one of these techniques.
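The Figure 9-8 EMV calculation, extended with a one-at-a-time sensitivity ranking of the kind a tornado diagram presents, as an added Python example that is not part of the book. The upgrade option's gross incomes ($60m and $35m) are derived here from its stated net figures plus the $30m cost, and the ±10% variation and all class and function names are assumptions made for the illustration.

```python
"""EMV for each branch of the Figure 9-8 decision tree, plus a simple
one-at-a-time sensitivity ranking. Added illustration; figures in $ millions."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Outcome:
    label: str
    probability: float
    income: float  # gross income if this outcome happens


@dataclass(frozen=True)
class Option:
    name: str
    cost: float
    outcomes: tuple  # tuple of Outcome; probabilities must sum to 1


def emv(option):
    """Expected monetary value: sum of probability x (income - cost)."""
    total = sum(o.probability for o in option.outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"{option.name}: probabilities sum to {total}, not 1")
    return sum(o.probability * (o.income - option.cost) for o in option.outcomes)


def best_option(options):
    """The decision with the greatest EMV."""
    return max(options, key=emv)


def tornado(option, swing=0.10):
    """Vary each input by +/- swing, one at a time, holding the rest fixed.

    Returns (input name, lowest EMV, highest EMV) tuples sorted with the
    widest EMV range first, which is the top-to-bottom order of a tornado
    diagram. The 10% default swing is an assumed value, not from the book.
    """
    variants = {"cost": lambda f: replace(option, cost=option.cost * f)}
    for i, o in enumerate(option.outcomes):
        def vary(f, i=i, o=o):
            changed = replace(o, income=o.income * f)
            outs = option.outcomes[:i] + (changed,) + option.outcomes[i + 1:]
            return replace(option, outcomes=outs)
        variants[f"income ({o.label})"] = vary

    bars = []
    for name, make in variants.items():
        a, b = emv(make(1 - swing)), emv(make(1 + swing))
        bars.append((name, min(a, b), max(a, b)))
    return sorted(bars, key=lambda bar: bar[2] - bar[1], reverse=True)


# Figures from the Figure 9-8 walkthrough.
BUILD_NEW = Option(
    "Build new software", 50.0,
    (Outcome("high customer use", 0.8, 100.0),
     Outcome("low customer use", 0.2, 60.0)),
)
# Gross incomes derived: net $30m and $5m plus the $30m cost.
UPGRADE = Option(
    "Upgrade existing software", 30.0,
    (Outcome("high customer use", 0.8, 60.0),
     Outcome("low customer use", 0.2, 35.0)),
)

if __name__ == "__main__":
    for opt in (BUILD_NEW, UPGRADE):
        print(f"{opt.name}: EMV = ${emv(opt):.1f}m")
    print("Choose:", best_option([BUILD_NEW, UPGRADE]).name)
    for name, low, high in tornado(BUILD_NEW):
        print(f"  {name:28s} EMV ${low:.1f}m to ${high:.1f}m")
```

Because the inputs are held in one place, changing a documented assumption (a cost, an income, a probability) and rerunning gives the recalculated EMV and shows which input the decision is most sensitive to.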

Expert Judgment

Given the complexity of performing accurate quantitative risk analysis, the use of subject matter experts with relevant experience in this area is very important. Expert judgment is important not only for the quantitative calculations but also for the interpretation of the data produced.

Outputs

The single output from the Perform Quantitative Risk Analysis process is the following.

Project Document Updates

The specific project document that will be updated is the risk register. The types of information that will feature in the risk register updates include all the calculations generated by the quantitative risk analysis, which includes quantitative probabilities of individual risks, quantitative impacts of individual risks in terms of both cost and time, and subsequently a prioritized list of quantified risks.
Quick Check
1. What is the main purpose of quantitative risk analysis?
2. Why is it important to consider the use of experts during the Perform Quantitative Risk Analysis process?
3. What is the main value of using quantitative risk analysis and modeling techniques such as sensitivity analysis and expected monetary value analysis?
Quick Check Answers
1. The main purpose of quantitative risk analysis is to quantify in either cost or time values the particular probability and impact of individual risks, and the development of reserves for both cost and time.
2. The Perform Quantitative Risk Analysis process can be a highly sophisticated process using complex statistical and mathematical modeling. As such, to extract maximum benefit from quantitative risk analysis, it may be necessary to use people with experience in both the preparation and interpretation of quantitative risk data.
3. The main value in using quantitative risk analysis and modeling techniques is that it gives you a standardized and defined means of analyzing and presenting data in a way that can be understood easily.

Plan Risk Responses

More Info
Plan Risk Responses
You can read more about the Plan Risk Responses process in the PMBOK Guide, 5th edition, in Chapter 11, section 11.5. Table 9-5 identifies the process inputs, tools and techniques, and outputs.
Table 9-5. Plan Risk Responses Process
Inputs:
• Risk management plan
• Risk register
Tools and Techniques:
• Strategies for negative risks or threats
• Strategies for positive risks or opportunities
• Contingent response strategies
• Expert judgment
Outputs:
• Project management plan updates
• Project document updates
The Plan Risk Responses process is a planning process that is focused on the development of proactive responses to risks.
The Plan Risk Responses process covers the following planning domain task:
  • Task 10: Develop the risk management plan by identifying, analyzing, and prioritizing project risks, and defining risk response strategies, in order to manage uncertainty and opportunity throughout the project life cycle.
The development of proactive responses is a very effective way of both minimizing the potential effects of negative risk and maximizing the potential benefits of positive risk on a project. Each of the risk responses seeks to influence the risk prior to its possible occurrence and also to influence the risk if it does occur. In addition to planning responses to identified risk, the Plan Risk Responses process proactively considers responses to unplanned or unforeseen risks.

Inputs

The following inputs are used in the Plan Risk Responses process.

Risk Management Plan

The risk management plan contains information about the processes you have decided are most appropriate for the development of risk responses; as such, it is an essential input into the Plan Risk Responses process. The risk management plan is an output from the Plan Risk Management process.

Risk Register

Obviously, in order to develop risk responses, you need a list of all the identified risks, their potential consequences, and either the qualitative or quantitative risk analysis for each. All this information is contained in the risk register, which makes it an essential input into the Plan Risk Responses process. The risk register is an output from the Identify Risks process.

Tools and Techniques

The following tools and techniques of this process can be used on the separate inputs to deliver the Plan Risk Responses process output.

Strategies for Dealing with Negative Risks or Threats

There are four key strategies for dealing with negative risks or threats in relation to the development of appropriate risk responses:
  • Avoid: Make plans to avoid the risk occurring. For example, if you have identified that there is a risk of earthquake damage in a building you plan to construct, an avoid strategy is to relocate the building to an area that is more geologically stable.
  • Transfer: Assign someone else the responsibility and ultimately the consequences of the risk. The most common form of transfer is insurance. For example, after identifying that your building may be subject to damage from an earthquake, you may decide to take out insurance for this event.
  • Mitigate: Accept that the risk may occur, but attempt to put in place a risk response that minimizes the negative effects of the risk. For example, you may decide to build your multistory building in a known earthquake zone but choose to mitigate the effects of an earthquake on the building by using base isolators and materials that are impact resistant.
  • Accept: Simply accept the consequence of the risk occurring. For example, you may choose not to take out insurance, shift a planned building, or use earthquake-resistant building technology, and simply accept that if an earthquake hits, you will take responsibility for repairs.
You can have multiple strategies for each risk; often this is the wisest approach because different strategies can be enacted at different points on the timeline of a risk potentially occurring. You will also choose the most appropriate risk strategy, or strategies, for your particular risk and your particular risk tolerance.

Strategies for Dealing with Positive Risks or Opportunities

Four key strategies for dealing with positive risks or opportunities seek to maximize the chance of a positive risk occurring and if it does occur, to maximize the positive impact on the project:
  • Exploit: Seek to ensure that the positive risk has the maximum chance of occurring. For example, you may decide to allocate your top designers to a particular client’s project to ensure that the positive risk of a happy client is enhanced.
  • Share: Take on board a third party with particular skills and experience to help maximize the occurrence and the impact of a positive risk. For example, you may choose to go into a joint venture with a company with complementary skills in order to increase the chances of securing a particular contract.
  • Enhance: Be prepared to increase the chances of the positive risk occurring and, if it does occur, its positive impact. For example, you may choose to buy more lottery tickets in order to enhance the chances of your winning.
  • Accept: Make no changes to the project management plan, and simply accept the chances of the positive risk occurring and the impact it will have.

Contingent Response Strategies

Each of the strategies for dealing with negative risk or positive risk discussed previously is developed for clearly identified risks. However, despite your best efforts, you are highly unlikely to identify all the risks that may occur on a project; thus it is prudent to have in place contingent response strategies, which are planned responses to unplanned risk. The contingent response strategies outline the actions your project team will take if a set of predefined conditions occurs. This set of predefined conditions can refer to particular metrics relating to the project budget or project schedule. Your contingent response strategies are included in your contingency plan.
A further means of dealing with unplanned risks occurring is a workaround. The difference between a workaround and contingent response strategies is that a workaround is an unplanned and reactive response to an unplanned risk occurring, whereas a contingent response strategy is a planned and prepared response to an unplanned risk occurring. A workaround is a plan to get around a problem or risk that has arisen and not necessarily fix it. A great way to implement a workaround is to gather experienced people in a single location and get them to brainstorm a solution as fast as possible. The workaround may be a temporary solution to allow you to continue working on the project; therefore, you should be prepared to revisit the situation with a more permanent solution. Always include your experience with workarounds in your lessons learned so that future projects may anticipate the risk and include it in their risk register.

Expert Judgment

Given the complexity of executing a well-defined series of planned risk responses, it is prudent to use expert judgment as a tool in developing your risk responses. The experts you choose to use will be people with experience and skills in anticipating and dealing with the identified risks.

Outputs

The outputs from the Plan Risk Responses process are the following.

Project Management Plan Updates

The specific parts of the project management plan that will be updated as a result of your consideration of potential risk responses will include all aspects of the project management plan, such as the schedule, cost, quality, and procurement management plans, as well as the human resource management plan and scope, schedule, and cost baselines. The consideration of different and appropriate risk responses often requires you to revisit these foundational documents as a result of the risks identified and the planned responses.

Project Document Updates

The specific project documents that will be updated will of course be the risk register and the assumptions log. It is essential that both of these documents are kept up to date and reflect the latest information about particular risks, the analysis of individual risks, and the planned risk responses.
Quick Check
1. What is the main purpose of the Plan Risk Responses process?
2. What are the four risk response strategies for positive risks?
3. What are the four risk response strategies for negative risks?
4. What is the purpose of having contingent response strategies in place?
Quick Check Answers
1. The main purpose of the Plan Risk Responses process is to give proactive consideration to the actions you will put in place prior to a risk occurring, and actions you will take as a risk occurs, in order to minimize the impact from negative risks and maximize the impact from positive risks.
2. The four risk response strategies for positive risks are enhance, share, exploit, and accept.
3. The four risk response strategies for negative risks are transfer, mitigate, avoid, and accept.
4. The purpose of contingent response strategies is to ensure that you have a proactive response planned to unplanned risk occurring.

Control Risks

More Info
Control Risks
You can read more about the Control Risks process in the PMBOK Guide, 5th edition, in Chapter 11, section 11.6. Table 9-6 identifies the process inputs, tools and techniques, and outputs.
Table 9-6. Control Risks Process
Inputs:
• Project management plan
• Risk register
• Work performance data
• Work performance reports
Tools and Techniques:
• Risk reassessment
• Risk audits
• Variance and trend analysis
• Technical performance measurement
• Reserve analysis
• Status meetings
Outputs:
• Work performance information
• Change requests
• Project management plan updates
• Project document updates
• Organizational process asset updates
The Control Risks process is focused on monitoring and controlling the project risk management activities being undertaken to ensure that they are in accordance with the risk management plan and the information contained in the risk register.
The Control Risks process covers the following monitoring and controlling domain task:
  • Task 4: Monitor and assess risk by determining whether exposure has changed and evaluating the effectiveness of response strategies, in order to manage the impact of risks and opportunities on the project.
Like all the other monitoring and controlling processes, the Control Risks process checks the implementation of the plan. In this case, you are checking what is occurring against what you planned to occur in relation to risk management. You will be looking out for any variance between the risks you planned for and the risks that are occurring, any new risks, and any new information affecting already-identified risks, and evaluating the overall risk process.

Inputs

The following inputs are used in the Control Risks process.

Project Management Plan

The project management plan contains information about how each part of the project will be executed, monitored, and closed, in relation to risk. The specific part of the project management plan that is most useful for the Control Risks process is the risk management plan. The project management plan is an output from the Develop Project Management Plan process, and the risk management plan is an output from the Plan Risk Management process.

Risk Register

The risk register is the key document in this process, because you are checking the information contained in the risk register against what is actually occurring. You are checking that you identified all the risks; that you correctly estimated their consequences, probability, and impact; and that your documented responses were appropriate. You are also using the risk register to check for any risks you may have missed. The risk register is an output from the Identify Risks process.

Work Performance Data

In order to assess how you are doing against what you had planned to do, you require work performance data. Work performance data will in turn become work performance reports in the Monitor and Control Project Work process. Work performance data is an output from the Direct and Manage Project Work process.
Exam Tip
Remember the sequence that work performance data becomes work performance information, which becomes work performance reports.

Work Performance Reports

Work performance reports are the result of analyzing the work performance information and presenting it in a coherent and easy-to-understand manner in order to give you a comprehensive picture of how well, or how poorly, the project is doing. Work performance reports are an output from the Monitor and Control Project Work process.

Tools and Techniques

The following tools and techniques of this process can be used on the separate inputs to deliver the Control Risks process outputs.

Risk Reassessment

Risk reassessment is an ongoing process of checking whether there are new risks, whether already-identified risks are still current, whether the analysis of their probability and impact is still accurate, and whether the planned risk responses are still appropriate. The contents of the risk register are highly fluid and subject to a high degree of change as the project progresses and more information is known about existing risks. Thus you should treat the risk register as a live document in constant need of checking and reassessment.
Exam Tip
Risk reassessment should be viewed as a continual activity led by the project manager and involving the project team.

Risk Audits

Generally, audits are a great way to check that processes are working as planned and whether there is any room for improvement. In the Control Risks process, risk audits are used to check whether the planned risk responses are appropriate, how well the risk management processes are being implemented, and whether they are appropriate. It is the project manager’s responsibility to ensure that risk audits are carried out at appropriate times and with defined objectives. The results of the risk audit contribute to the ongoing continuous improvement of your project processes.

Variance and Trend Analysis

Variance and trend analysis is used in other areas as a technique to identify and document what is occurring against what was planned and then extrapolate from that any identifiable trends that may indicate future performance. When it is used in the Control Risks process, you are looking for any divergence from the risk management plan and risk register and examining this to determine whether it indicates any trends that you can proactively plan for. For example, you may spot that you have consistently underestimated the magnitude of risks around costs of a certain material and use variance and trend analysis to reforecast the future impact and probability of these risks.

Technical Performance Measurement

Technical performance measurement means putting in place acceptable parameters around potentially negative risk events (generally those affecting scope, time, and cost) and then checking that the work being performed is within these technical performance measurements. Work being performed outside the defined technical performance measurements represents risk on the project and may require change requests to be prepared and considered, to change parameters if the planned risk response cannot bring performance back into line. For example, you may have set a range of acceptable costs for development of a new product, but when measuring the actual costs, you find them to be greater than planned; therefore, the risk of a cost overrun on the project is greater.

Reserve Analysis

During the Perform Quantitative Risk Analysis process, you used objective measurements to develop contingency reserves for either cost or time. During the Control Risks process, you check whether these calculations are still accurate and the reserves you have planned for are still appropriate. It may be that new information has come to light that means the reserve for either cost or time needs to be changed. As a project progresses and estimates become more accurate, it is typical for the range of contingency calculated by using qualitative risk analysis to decrease. For example, you may find that extra information gained about an estimate for the range of time taken to perform a certain activity means the estimate can be refined and reduced, because you have performed the activity several times. You can then reduce the time reserve allocated to this activity.

Status Meetings

You should either make risk management a normal part of regular project meetings or schedule meetings with a special focus on risk management to ensure that you and the team remain focused on risk management activities throughout the life of the project. The purpose of these status meetings is to examine all aspects of risk management on the project and ensure that they are still appropriate and effective. Additionally, having regular meetings where risk management is a topic of discussion creates greater awareness and buy-in from team members, which in turn results in better risk management.

Outputs

The outputs from the Control Risks process include the following.

Work Performance Information

As a result of carrying out the Control Risks process, you will end up with valuable work performance information about risk management activities. This information will take the form of revised information about risk responses and their effectiveness, the use of planned time and cost contingency reserves, and any defined technical performance measurements. Work performance information is used as an input into the Monitor and Control Project Work process.

Change Requests

As a result of completing the Control Risks process and conducting risk audits, variance and trend analysis, technical performance measurements, or reserve analysis, you may discover information that requires a formal change to be made to a part of the project; this is done via a change request. Change requests then go on to be processed according to your approved change-control process in the Perform Integrated Change Control process.

Project Management Plan Updates

Because risk management affects all other areas of the project, you may update many different parts of the project management plan and its baselines. You will most definitely update the risk management plan.

Project Document Updates

The specific project documents that will be updated include the risk register and the assumptions log.

Organizational Process Asset Updates

The specific organizational process assets that will be updated include any historical information about risk management and any templates, processes, or guidelines the organization has in relation to project management.
Quick Check
1. What is the main purpose of the Control Risks process?
2. Why is risk reassessment an important tool or technique in the Control Risks process?
3. How does the Control Risks process contribute to the development of contingency reserves for time and cost?
Quick Check Answers
1. The main purpose of the Control Risks process is to determine whether the risk management activities as planned in the risk management plan are being completed as per the plan, whether the risks identified in the risk register are manifesting as forecast, and whether the qualitative and quantitative assessments and planned risk responses are still appropriate.
2. In addition to checking whether risk management activities are being completed as per the plan, a key element of the Control Risks process is a complete reassessment of the assumptions made, the risks identified, and whether any new risks have been identified.
3. The Control Risks process allows you to examine the time and cost contingency reserves you have developed; as part of the reassessment of risks, you may choose to redefine the reserves allowed for time and cost. Usually this process results in a reduction in the reserves for both time and cost. As more information is known, the better the estimate is, and less risk or uncertainty is associated with time and cost.

Chapter Summary

  • The Risk Management knowledge area is focused on the successful use of project risk to report project performance, gain political support, and provide stakeholders with their risk requirements.
  • The Plan Risk Management process produces the risk management plan, which guides the subsequent risk management processes.
  • The Identify Risks process, which is a planning process, uses the risk management plan to begin the iterative process of developing the risk register by using a variety of tools and techniques to identify all potential negative and positive risks.
  • The Perform Qualitative Risk Analysis process is a planning process that seeks to assign a subjective probability and impact assessment to each of the identified risks so that they can be prioritized.
  • The Perform Quantitative Risk Analysis process is a planning process that assigns a quantitative and objective analysis, usually based on statistics and factual data, to the individual probability and impact of identified risks, which can lead to the creation of contingency reserves for time and cost.
  • The Plan Risk Responses process is a planning process that outlines a proactive response to all identified risks on the project.
  • The Control Risks process, which is a monitoring and controlling process, is like other monitoring and controlling processes in that it assesses actual performance against that forecast in the risk management plan, checks whether the risks identified and assessed in the risk register are still accurate, and checks whether there are any new risks.

Exercises

The answers for these exercises are located in the “Answers” section at the end of this chapter.
1. Match up the risk response strategy on the left with the correct description on the right.
Risk Response Strategy | Definition
1. Avoid | A. You are working on an IT project and decide that you will bear the consequences if something goes wrong on the project.
2. Enhance | B. You decide to partner with another organization that has skills and experience you don’t, in order to present a better response to a contract on offer.
3. Transfer | C. You have considered several options for the location of a new manufacturing plant and decide to locate it in a region with plenty of experienced workers, to get around the risk of not having enough people to do the work.
4. Mitigate | D. You are working on a complex IT project and decide to put in place backup data storage so that you can quickly restart should anything occur to the data you are working on during the project.
5. Accept | E. You take out insurance against wet weather delaying your construction project.
6. Exploit | F. You pull your top project manager off other projects and assign that person to a new bridge construction project to ensure that it has the greatest chance of success.
7. Share | G. You put all your project staff through a workshop to improve their communications management strategy to minimize the risk of not managing stakeholder expectations effectively.
2. Consider the following five examples of risk analysis, and decide whether they are qualitative or quantitative methods.
  A. You ask your team members to provide their opinion about whether the chance of a storm affecting your construction project next April is very low, low, neither low nor high, high, or very high.
  B. You pay the local meteorological bureau to provide you with the exact probability of there being a storm in April of a magnitude that would affect your construction project.
  C. You gather a team of seven subject matter experts and ask them to provide their opinion of probability and impact of the risk of the selected technology on your IT project. You ask them to select from a standardized scale of probabilities ranging from 0.1, meaning very low probability or impact, up to 0.9, meaning very high probability and impact. You then multiply these two numbers together to obtain a risk score.
  D. The quantity surveyor working for your cost-estimating team has calculated that over the next two years of your project, there is a risk of a 10.3% increase in hardware costs, and that this increase could cost you a total of $173,000. The surveyor recommends purchasing this hardware now and finding a place to store it to avoid this risk.
  E. You have calculated that there is a very high chance that a senior staff member will leave your project within the next three months, and that replacing them will cost $25,000. You decide to offer the staff member a salary increase of $15,000 to get them to stay with the project.
3. Consider the decision tree shown in Figure 9-9, outlining a choice about whether to build a new factory or upgrade an existing factory to take advantage of increased demand for your product. Using expected monetary value analysis, what is the best decision to make?
Figure 9-9. A decision tree showing the expected monetary value of building a new factory or upgrading an existing factory

Review Questions

Test your knowledge of the information in Chapter 9 by answering these questions. The answers to these questions and the explanation of why each answer choice is correct or incorrect are located in the “Answers” section at the end of this chapter.
1. Which of the following processes produces the risk management plan?
  A. Develop Project Management Plan
  B. Plan Risk Management
  C. Manage Risk
  D. Develop Risk Management Plan
2. The particular attitude that an organization has to the amount of risk it is prepared to accept for the project is known as what?
  A. Risk analysis
  B. Risk tolerance
  C. Risk aversion
  D. Risk avoidance
3. Uncertainty that presents opportunities to deliver a project ahead of time is known as what?
  A. Risk threshold
  B. Positive risk
  C. Negative risk
  D. Risk analysis
4. Which of the following documents will contain a description of risk categories?
  A. Risk register
  B. Risk analysis
  C. Risk management plan
  D. Risk progress report
5. You have prepared a grid that shows a standardized representation of probability and impact in order to prioritize individual risks. What is this known as?
  A. Risk breakdown structure
  B. Ishikawa diagram
  C. Probability and impact matrix
  D. Risk register
6. You are in the process of identifying individual risks to your project and are using a technique to discover the underlying causes that lead to a particular risk. What technique are you using?
  A. Brainstorming
  B. Delphi technique
  C. Interviewing
  D. Root cause analysis
7. You have called your team together for a meeting in which you ask them to analyze the strengths, weaknesses, opportunities, and threats your project faces. What tool or technique are you using?
  A. Delphi technique
  B. Brainstorming
  C. SWOT analysis
  D. Root cause analysis
8. After carrying out a particular risk process, you end up with a prioritized list of risks, ranking them from highest to lowest priority. Which of the following risk processes produces this list?
  A. Plan Risk Management
  B. Identify Risks
  C. Perform Qualitative Risk Analysis
  D. Perform Quantitative Risk Analysis
9. In carrying out the risk management processes, you will often update particular project documents. What is the most common project document to be updated as a result of completing risk management processes?
  A. Risk register
  B. Risk management plan
  C. Assumptions log
  D. Project management plan
10. You have developed a range of statistical data that demonstrates the characteristics of a beta distribution and are using this information to analyze the probability of a risk occurring. Which risk management process are you carrying out?
  A. Identify Risks
  B. Perform Qualitative Risk Analysis
  C. Perform Quantitative Risk Analysis
  D. Plan Risk Responses
11. If you are using a piece of software to carry out the simulation of the probability of a particular risk occurring over many iterations, what tool are you using?
  A. Expected monetary value analysis
  B. Interviewing
  C. Sensitivity analysis
  D. Monte Carlo analysis
12. The decision to delay the beginning of construction until the end of winter to ensure that team members do not have to contend with the risk of dangerous working conditions is what sort of risk response strategy?
  A. Mitigation
  B. Transference
  C. Avoidance
  D. Acceptance
13. You have identified a potential risk to your project but have decided that you will not conduct an assessment of the probability or impact, or have a proactive response in place. What sort of risk response strategy is this?
  A. Mitigation
  B. Enhancement
  C. Transference
  D. Acceptance
14. You are carrying out a reassessment of the cost reserves built up by using quantitative risk assessment for the procurement of materials for your project, due to new information that reduces the uncertainty in the initial estimates. Which risk management process are you carrying out?
  A. Identify Risks
  B. Perform Quantitative Risk Analysis
  C. Plan Risk Responses
  D. Control Risks

Answers

This section contains the answers for the Exercises and Review Questions in this chapter.

Exercises

1. Match up the risk response strategy on the left with the description on the right.
Risk Response Strategy | Definition
1. Avoid | C. You have considered several options for the location of a new manufacturing plant and decide to locate it in a region with plenty of experienced workers, to get around the risk of not having enough people to do the work.
2. Enhance | G. You put all your project staff through a workshop to improve their communications management strategy to minimize the risk of not managing stakeholder expectations effectively.
3. Transfer | E. You take out insurance against wet weather delaying your construction project.
4. Mitigate | D. You are working on a complex IT project and decide to put in place backup data storage so that you can quickly restart should anything occur to the data you are working on during the project.
5. Accept | A. You are working on an IT project and decide that you will bear the consequences if something goes wrong on the project.
6. Exploit | F. You pull your top project manager off other projects and assign that person to a new bridge construction project to ensure that it has the greatest chance of success.
7. Share | B. You decide to partner with another organization that has skills and experience you don’t, in order to present a better response to a contract on offer.
2. Consider the following five examples of risk analysis, and decide whether they are qualitative or quantitative risk analysis methods.
  A. You ask your team members to provide their opinion about whether the chance of a storm affecting your construction project next April is very low, low, neither low nor high, high, or very high.
  Answer: This is an example of qualitative risk analysis because it is using subjective assessment and opinion on a fixed scale.
  B. You pay the local meteorological bureau to provide you with the exact probability of there being a storm in April of a magnitude that would affect your construction project.
  Answer: This is an example of quantitative risk analysis because you are using actual statistical data instead of subjective opinion to calculate probability.
  C. You gather a team of seven subject matter experts and ask them to provide their opinion of probability and impact of the risk of the selected technology on your IT project. You ask them to select from a standardized scale of probabilities ranging from 0.1, meaning very low probability or impact, up to 0.9, meaning very high probability and impact. You then multiply these two numbers together to obtain a risk score.
  Answer: This is an example of qualitative risk analysis, because, despite the use of experts using numbers with decimal points in them, it is still an opinion-based assessment on a fixed, predetermined scale.
  D. The quantity surveyor working for your cost estimating team has calculated that over the next two years of your project there is a risk of a 10.3% increase in hardware costs, and that this increase could cost you a total of $173,000. The surveyor recommends purchasing this hardware now and finding a place to store it to avoid this risk.
  Answer: This is an example of quantitative risk analysis because it uses clear, calculated numbers based on facts to determine probability and impact.
  E. You have calculated that there is a very high chance that a senior staff member will leave your project within the next three months, and that replacing them will cost $25,000. You decide to offer a salary increase of $15,000 to get them to stay with the project.
  Answer: This is an example of qualitative risk analysis because you have made a subjective assessment of the probability.
3. Consider the decision tree outlining a choice about whether to build a new factory or upgrade an existing factory to take advantage of increased demand for your product. Using expected monetary value analysis, what is the best decision to make? (See the updated decision tree in Figure 9-10.)
Figure 9-10. A decision tree showing the expected monetary value of building a new factory or upgrading an existing factory
Expected monetary value of building a new factory:
$$ \left(0.65 \times \$120\text{M}\right) + \left(0.35 \times \$10\text{M}\right) = \$81.5\text{M} $$
Expected monetary value of upgrading the existing factory:
$$ \left(0.65 \times \$120\text{M}\right) + \left(0.35 \times -\$20\text{M}\right) = \$71\text{M} $$
Therefore, you would choose to build a new factory because it has the higher expected monetary value.

Chapter Review

1. Correct Answer: B
  A. Incorrect: The Develop Project Management Plan process produces the project management plan.
  B. Correct: The Plan Risk Management process has the risk management plan as its primary output.
  C. Incorrect: Manage Risk is a made-up process name.
  D. Incorrect: Develop Risk Management Plan is a made-up process name.
2. Correct Answer: B
  A. Incorrect: Risk analysis is the process of analyzing either quantitatively or qualitatively the probability and impact of particular risks.
  B. Correct: Risk tolerance describes the amount of risk an organization is prepared to accept on a project.
  C. Incorrect: Risk aversion is a state of mind whereby an organization would prefer not to undertake high-risk activities.
  D. Incorrect: Risk avoidance is similar to risk aversion and indicates an outcome of assessing risk tolerance.
3. Correct Answer: B
  A. Incorrect: The risk threshold is the level of risk tolerance that an organization is comfortable with.
  B. Correct: Any uncertainty that presents opportunities constitutes positive risk.
  C. Incorrect: Negative risk is any uncertainty that represents a threat to the project.
  D. Incorrect: Risk analysis is the process of analyzing either quantitatively or qualitatively the probability and impact of particular risks.
4. Correct Answer: C
  A. Incorrect: The risk register contains a list of identified risks, probability and impact assessment, and any planned risk responses. It may use risk categories to group individual risks together, but it does not generally contain a description of the risk categories.
  B. Incorrect: Risk analysis is the process of analyzing either quantitatively or qualitatively the probability and impact of particular risks.
  C. Correct: The risk management plan contains a lot of information about the particular approach you will take to manage risk on your project; included in this information is a description of the risk categories.
  D. Incorrect: Any risk progress reports prepared will focus on risk activities completed against risk activities planned, not on a description of risk categories.
5. Correct Answer: C
  A. Incorrect: The risk breakdown structure shows the risk categories in graphical form.
  B. Incorrect: An Ishikawa diagram shows the probable causes of particular risk effects.
  C. Correct: The probability and impact matrix is a grid that shows a standardized list of both probability on one axis and impact on another axis; after the two values are multiplied together, it presents a graphical analysis of risk priorities.
  D. Incorrect: The risk register presents a list of identified risks, probability and impact assessment, and proactive risk responses.
6. Correct Answer: D
  A. Incorrect: Brainstorming is a technique to gather as much information as possible from project team members or subject matter experts.
  B. Incorrect: The Delphi technique is a method of anonymously interviewing and gathering data from experts.
  C. Incorrect: Interviewing is a technique used to formally gather data from subject matter experts in a structured format.
  D. Correct: Root cause analysis seeks to discover the underlying cause or causes of a particular risk.
7. Correct Answer: C
  A. Incorrect: The Delphi technique is a method of anonymously interviewing and gathering data from experts.
  B. Incorrect: Brainstorming is a technique to gather as much information as possible from project team members or subject matter experts.
  C. Correct: SWOT stands for strengths, weaknesses, opportunities, and threats.
  D. Incorrect: Root cause analysis seeks to discover the underlying cause or causes of a particular risk.
8. Correct Answer: C
  A. Incorrect: The Plan Risk Management process produces the risk management plan.
  B. Incorrect: The Identify Risks process produces an iteration of the risk register.
  C. Correct: The Perform Qualitative Risk Analysis process uses subjective assessment of probability and impact to give each identified risk a score so it can be ranked and prioritized.
  D. Incorrect: The Perform Quantitative Risk Analysis process uses actual statistical data to calculate probability and impact and produces contingency reserves for either time or cost.
9. Correct Answer: A
  A. Correct: The risk register is a highly iterative document that is constantly updated by most of the risk management planning processes.
  B. Incorrect: The risk management plan may be updated as a result of completing risk management activities, particularly the Control Risks process, but the frequency of updates will be less than the updates to the risk register.
  C. Incorrect: The assumptions log will be checked and reassessed often, but not as often as the risk register.
  D. Incorrect: The project management plan, its subsidiary plans, and its baselines may be updated, but certainly not as often as the risk register.
10. Correct Answer: C
  A. Incorrect: The Identify Risks process does not use any form of either qualitative or quantitative risk analysis.
  B. Incorrect: The Perform Qualitative Risk Analysis process uses subjective data rather than statistical data to complete its assessment of probability and impact.
  C. Correct: The Perform Quantitative Risk Analysis process uses statistical data and probability distributions such as the beta distribution to calculate quantitative risk.
  D. Incorrect: The Plan Risk Responses process is focused on the development of appropriate responses to identified risks.
11. Correct Answer: D
  A. Incorrect: The expected monetary value analysis analyzes particular options, and the probability and net impact of those options, to determine which has the higher expected monetary value.
  B. Incorrect: Interviewing is a technique for gathering information from team members and subject matter experts in a formal setting.
  C. Incorrect: Sensitivity analysis is a way of determining which parts of the project are most sensitive to risk.
  D. Correct: Monte Carlo analysis is a sophisticated type of mathematical and statistical analysis. It carries out simulations of events occurring, to determine the likely probability and impact.
12. Correct Answer: C
  A. Incorrect: Mitigation is a response that seeks to minimize the impact of risk if it occurs.
  B. Incorrect: Transference makes the impact of the risk someone else’s responsibility.
  C. Correct: The example represents a strategy of avoiding an identified risk.
  D. Incorrect: Acceptance would mean doing nothing and accepting the consequences.
13. Correct Answer: D
  A. Incorrect: Mitigation is a response that seeks to minimize the impact of risk if it occurs.
  B. Incorrect: Enhancement is a risk response strategy for positive risks that seeks to enhance the probability and impact of the risk.
  C. Incorrect: Transference makes the impact of the risk someone else’s responsibility.
  D. Correct: Acceptance is a strategy whereby you make no provision at all should the risk occur and simply accept the consequences.
14. Correct Answer: D
  A. Incorrect: The Identify Risks process seeks to identify individual risks for inclusion on the risk register.
  B. Incorrect: The Perform Quantitative Risk Analysis process conducts a quantitative assessment of probability and impact of individual risks.
  C. Incorrect: The Plan Risk Responses process prepares a proactive response to identified risks.
  D. Correct: The Control Risks process includes the reassessment of reserves to determine if the uncertainty within them has changed.