Index

• accept (risk response strategy), 96–98, 155, 235, 267*
• action owner, 55, 57, 88, 91, 93–94, 96, 99–102, 105, 110–115, 119–120, 122–126, 128–129, 131–132, 134, 148, 155, 157–159, 175–177, 182, 184–185, 213, 267
  • role of, 54–55, 57
• action windows, 172–174
• active (risk status), 114, 115, 120, 122–124, 130, 131, 133, 138, 140, 158–159, 174
• Active Threat and Opportunity Manage- ment (ATOM), xi, 27–41; 267
• affective factors, 218
• agenda
  • first risk assessment/two-day risk workshop, 69–71, 167–168, 247
  • initiation meeting, 51, 246
  • major review workshop, 121–122, 247
  • post-project review meeting, 139, 248
  • risk lessons-learned meeting, 183
  • risk review meeting (half-day), 130, 248
• anchoring and adjustment (heuristic), 217
• APM. See Association for Project Management
• assess existing risk management capability, 242–243
  • reassess, 243–244
• Assessment (ATOM process step), 78–91, 267
  • activities, 81–89
  • facilitation, 226
  • flowchart, 80
  • inputs, 80–81
  • large projects, 171–175
  • outputs, 89–91
  • overview, 78–80
  • programs and portfolios, 235
  • small projects, 152–153
• assessment of probability and impacts, 82–85, 215–218
• Association for Project Management
  (APM), 5, 37, 229
• assumptions, 72–74, 151–152, 223, 267
• assumptions analysis. See assumptions and constraints analysis
• assumptions and constraints analysis, 72–74, 151–152, 223, 265, 267
• ATOM. See Active Threat and Opportu- nity Management
• availability (heuristic), 217
• avoid (risk response strategy), 96–98, 155, 235, 267

• behaviors
  • group, 224, 226–227
  • individual, 224, 225–226
• benefits breakdown structure, 234
• benefits of (effective) risk management, 8–11
• bowtie analysis, 175–176
• brainstorming, 66, 72, 166–167, 212, 223
• “business as usual” risks, 7
• business case, 27, 46–47, 52, 68, 69, 72, 135, 151, 190

• capability. See risk management capability causes (of risk), 6, 74, 85, 89, 105, 107, 174–176, 203, 267
• CBS. See cost breakdown structure change log, 136–140
• checklist, 66, 67, 68, 74, 138, 151–152, 167, 255, 267
• choices, risks as, 7
• closed (risk status), 115, 120, 124–125, 133, 138, 140–141, 158, 174
• Collaborative style (risk workshop facilitation), 220–223, 227
• conditional branching, 195
• conscious factors, 218
• consequence. See effect constraints, 72–74, 151–152, 267
• constraints analysis. See assumptions and constraints analysis
• contingency, 7, 56, 96, 179, 187, 190, 204, 206, 267–268
• contingency plan, 98, 173, 228, 268
• correlation, 191, 195–198, 268
• correlation coefficient, 197–198, 202
• correlation group, 196–198, 208
• cost breakdown structure (CBS), 189–190, 192, 196
• criticality, 201–204, 206, 268
• Critical Success Factors (CSF), 268
  • for facilitation, 227–228
  • for risk management, 11–12, 21–26, 27, 268
• cruciality, 202–204, 206, 268
• CSF. See Critical Success Factors (CSF)
• curves (distribution), 198–200

• data-gathering interviews, 176, 200
• decision tree analysis, 268
• decision trees, 25, 186
• deleted (risk status), 114–115, 120, 124–125, 133, 138, 140–141, 158, 174
• Delphi technique, 214–215, 268
• dependency. See correlation
• develop infrastructure (for risk manage- ment), 241–242
• Directive style (risk workshop facilitation), 220–222, 223, 227
• discrete or spike (distribution), 198–199
• distribution type, 191, 193–195, 198
• double Probability-Impact Matrix, 60, 80, 83–84, 90–91, 105, 153–154, 263, 268
• draft (risk status), 114–115, 119–124, 127–131, 158–159

• effects, 4–6, 268
• EMV (expected monetary value). See expected value
• enhance (risk response strategy), 96–98, 155, 235, 268
• enterprise risk management (ERM), 268
• ERM. See enterprise risk management escalated (risk status), 75, 88–89, 114–115, 119, 123, 125, 128, 131–132, 142, 230–231, 235–236, 269
• EV. See expected value excuses, 14–17
• solutions to, 15, 17–20
• expected monetary value. See expected value (EV)
• expected value (EV), 179, 187, 269
• expired (risk status), 114–115, 120, 124, 138, 140–141, 158, 174
• exploit (risk response strategy), 97, 98, 155, 235, 269
• eyeball plot, 203–205, 207, 269

• facilitation (ATOM risk process), 219–227
• Critical Success Factors (CSFs), 227–228
  • overview, 219–220
  • people (management) skills, 224–227
  • styles, 220, 221–224
• Facilitation Spectrum, 220–221
• First Risk Assessment, 30–31, 36, 54, 65, 68, 72, 78, 92, 103, 110, 269
  • agenda, 69, 70, 167, 168, 247
  • large projects, 166, 168, 170–171, 173–175, 178–180, 182
  • major review, 117
  • minor review, 127
  • small projects, 146, 150, 152–153, 155, 157–158, 162
• football plot, 203–204. See also eyeball plot
• frequency of occurrence, 90, 249, 269
• full risk report, 54, 105–107, 119–121, 125, 138, 178–180, 206

• group behavior(s), 221, 224, 226–227

• heuristics, 217–218, 269

• Identification (ATOM process step), 65–77
  • activities, 68–77
  • checklist, 152
  • Delphi technique, 214–215
  • flowchart, 67
  • inputs, 68
  • interviews, 169–170
  • large projects, 166–170
  • outputs, 77
  • overview, 65–67
  • portfolios and programs, 235
  • small projects, 150–152
  • SWOT analysis, 167–169
• impact (of risk), 4–5, 36, 58–60, 82–84, 99, 114–115, 123, 131, 171, 195–198, 216–217, 231, 235, 269. See also Probability-Impact Matrix (P-I Matrix); probability-impact (P-I) scales; probability-impact (P-I) scoring
• impact and action windows, 173–174
• Implementation (ATOM process step), 110–116, 269
  • activities, 112–115
  • flowchart, 112
  • inputs, 111–112
  • large projects, 181
  • outputs, 115–116
  • overview, 110–111
  • portfolios and programs, 235
  • small projects, 157–158
• implementation and rollout ATOM process, 243
• individual behaviors, 224–226
• influence diagram, 186, 223, 269
• inherent risk, 166, 269
• Initiation (ATOM process step), 45–64, 269
  • activities, 46–61
  • flowchart, 47
  • inputs, 47
  • large projects, 162–166
  • meeting, 51–61
  • outputs, 61–64
  • overview, 45–46
  • portfolios and programs, 234
  • small projects, 146, 148–150
• internal rate of return (IRR), 37, 189
• interviews
  • data-gathering, 200
  • risk, 35–36, 96–102
  • risk identification, 169–171
• IRR. See internal rate of return
• ISO 31000:2018 (Risk Management Guidelines), 37, 38
• issue log, 116, 136–140, 139
• issues, 6, 9, 16, 18–19, 111–114, 116, 138, 140, 270
• likelihood, 8, 10, 78, 203, 207, 208, 270

• Major Reviews (ATOM process step), 117–126, 270
  • activities, 121–125
  • flowchart, 121
  • inputs, 120
  • large projects, 165, 181–182
  • outputs, 125–126
  • overview, 117–120
  • small projects, 158
  • workshop, 121–125
• manageability, 98, 172–173
• Management of Risk . See M_o_R management reserve, 56, 270
• mapping risks, 195
• meetings
  • initiation, 51–61
  • post-project review meeting, 37, 136, 138–139, 141, 159, 183
  • risk reviews, 128–132
• metalanguage. See risk metalanguage metrics, 125–126, 133
• Minor Reviews (ATOM process step), 127–134, 270
  • activities, 129–132
  • flowchart, 129
  • inputs, 128–129
  • large projects, 181–182
  • outputs, 132–134
  • overview, 127–128
  • small projects, 158–159
• mitigate. See reduce (risk response strategy)
• model. See risk model
• modified triangular distribution, 198–199
• modify ATOM process, 241
• Monte Carlo analysis/simulation, 163, 165, 171, 175–177, 179, 182, 186–188, 192, 195–197, 199, 200–201, 270
• M_o_R, 37, 38, 270

• net present value (NPV), 37, 189
• non-project impact (scale), 171, 172

• objectives. See project objectives
• OBS. See organizational breakdown structure
• occurred (risk status), 114–116, 120, 123–126, 131, 138, 140–141, 158, 174–175, 217
• Office of Government Commerce, UK, 37
• OGC. See Office of Government Com- merce, UK
• onion ring diagram, 177, 204, 206–207, 270
• opportunity, 4–5, 9, 18, 59–60, 74, 167, 197, 270
• optimism bias, 21
• organizational breakdown structure (OBS), 196
• organizational risk sponsor, 238–241, 243–244
• overall project risk, 28, 186–187, 204–205, 270

• P3M, 229
• people skills, 224–227
  • group behaviors, 224, 226–227
  • individual behaviors, 224, 225–226
• P-I matrix. See Probability-Impact Matrix
• P-I scales. See probability-impact scales
• P-I scoring. See probability-impact scoring pilot application ATOM process, 240–241
• PMBOK^® Guide, 5, 37, 39, 270
• portfolio risk management, 229–237
• Post-Project Review (ATOM process step), 135–142
  • activities, 138–141
  • flowchart, 137
  • inputs, 137–138
  • large projects, 183–185
  • outputs, 141–142
  • overview, 135–137
  • small projects, 159
• post-project review meeting, 37, 136, 138–139, 141, 159, 183
• PRAM Guide, 5, 9–10, 37, 40, 270
• probabilistic branching, 194, 196–197
• probability, 7, 36, 52, 58, 60, 78–79, 175, 215–217, 235, 270
• probability-impact grid. See Probability- Impact Matrix
• Probability-Impact Matrix (P-I Matrix), 63, 80, 83, 87, 94, 105, 153, 270–271
• double, 60, 80, 83–84, 89, 91, 101, 154, 171, 263, 268
• probability-impact (P-I) scales, 58–60, 80–82, 98–99, 124, 148–149, 165–166, 263
• probability-impact (P-I) scoring, 83–85, 87, 89–91, 94, 171, 174, 179, 271
• problems, 6
• program risk management, 229–237
• project charter, 27, 46–47, 52, 68–69, 72, 135, 151
• Project Management Institute (PMI^®)
  • PMBOK^® Guide, 5, 37, 39, 270
  • Portfolio Management: A Practical Guide, 229
  • Standard for Portfolio Management, 229
  • Standard for Program Management, 229
  • The Standard for Risk Management in Portfolios, Programs and Projects, 37, 3
• project management plan, 127–128
• project manager, role of, 56
• project objectives, 7, 16, 19, 27, 35–36, 45–47, 52–53, 58, 64, 68, 71, 73, 75, 80–81, 189
• project sizing, 31–35, 49, 51
• project sizing tool, 32, 34–35, 46, 49, 51, 145, 161–162, 240, 252
• project sponsor, role of, 56
• project status summary of report, 106, 179, 206
• project team members, role of, 57
• prompt list, 242, 271

• QRA. See Quantitative Risk Analysis qualitative risk assessment, 178–179
• Quantitative Risk Analysis (ATOM process step), 186–209, 271
  • correlation groups, 196–197
  • initial model, 192–195
  • interpreting outputs, 203–205
  • introduction, 188–190
  • mapping risks to model, 195–196
  • outputs, 200–203
  • overview, 186–87
  • small and medium projects, 207–208
  • validating risk model, 198–200

• RACI chart, 54–55, 148, 254, 271
• RAG. See red, amber, green scoring
• RAM. See responsibility assignment matrix
• RBS. See risk breakdown structure recording risks, 66, 68, 166, 170–171, 235
• red, amber, green scoring, 105
• reduce (risk response strategy), 96–98, 155, 235, 271
• rejected (risk status), 114–115, 123, 131, 158–159
• Reporting (ATOM process step), 103–109
  • activities, 105–106
  • flowchart, 104
  • inputs, 105–106
  • large projects, 178–180
  • outputs, 106–108
  • overview, 103–105
  • portfolios and programs, 235
  • small projects, 155–157
• representativeness (heuristic), 217
• residual risk, 125, 271
• Response Planning (ATOM process step), 92–102, 271
  • activities, 96–101
  • flowchart, 94
  • inputs, 94–95
  • large project, 175–176
  • outputs, 102
  • overview, 92–94
  • programs and portfolios, 235
  • small projects, 153–155
• response strategies. See risk response strategies
• responsibility assignment matrix (RAM), 54, 63, 271
• return on investment (ROI), 53, 141
• reviews, 30–31. See also risk reviews
• risk, 271
  • definition debate, 3–6
  • terms confused with, 6–7
• risk acceptance threshold, 271. See also
• risk threshold
• risk action, 57, 101, 111, 119–120, 128, 182, 271
• risk action owner. See action owner risk aggregation, 230–231, 235, 272
• risk analyst, 192, 197, 242, 272
• risk appetite, 24, 232, 236, 272
• risk assessment, 18, 25, 30, 272. See also Assessment; First Risk Assessment risk attitude, 23–24, 272
• risk breakdown structure (RBS), 61–62, 64, 66–68, 72–75, 78–80, 85–90, 105, 119–121, 124, 139–141, 169–174, 179, 183, 231, 235, 255, 264, 272
• risk categorization, 79, 85–88, 231
• risk champion, 13, 35, 49, 51, 54, 61, 69–73, 75, 88–89, 95–96, 104–106, 112–114, 120, 122, 121–125, 129–134, 139–142, 193, 195–197, 200, 272
  • risk interviews and, 96–101
  • role, 49, 57
  • workshops and,210, 213–215
• risk checklist. See checklist
• risk culture, 23
• risk description, 75–76, 79, 81–82, 88–89, 99, 122, 131, 152, 213, 215, 272
• risk driver, 179, 187, 189, 202–204, 206–
  207, 272
• risk efficiency, 232–237, 272
• risk evaluation. See Assessment (ATOM process step)
• risk event, 175–176, 193, 214–215, 272
• risk exposure, 17–18, 23, 28, 36, 45, 54, 65, 79, 90, 92–93, 97, 101, 105–108, 110, 117, 125–126, 131, 133, 138, 145, 158, 165, 171, 179–181, 190, 200, 205–206, 232–235, 272
• risk identification, 272. See also
• Identification
• risk identification checklist, 151–152, 166
• risk lessons learned report, 37, 136, 141
• risk lessons-learned meeting, 183
• risk lessons-learned workshop, 236
• risk management, 272
  • benefits of, 8–11
  • challenges, 20–21
  • excuses and solutions, 14–20
• risk management capability, 14, 242–243
• Risk Management Plan (RMP), 30, 35–36, 46, 52–54, 61, 63–64, 66, 68, 71, 79–80, 82–83, 93–94, 104, 106, 111–112, 117, 119–120, 124–126, 131, 146, 148–150, 152–153, 155, 163, 165–166, 179, 181, 189, 190, 272
• risk manager. See risk champion
• Risk Maturity Model (RMM), 242–243
• Risk meeting, xii, 35, 132, 139, 159, 210, 273
• risk metalanguage, 75–77, 81–82, 97–99, 113, 124, 131, 152, 168, 171, 212, 214, 273
• risk model, 171, 175–176, 179–180, 188–196, 198, 200, 202–204, 207, 273
• risk owner, 36, 54, 79–81, 83, 87–89, 93–100, 105–106, 111–115, 119–126, 128–133, 154–155, 157–159, 175–177, 192, 197–198, 212–215, 273
  • role of, 57
• risk policy, 52, 273
• Risk Register, 7, 36–37, 54, 89–90, 95, 97, 98, 99–101, 103–108, 111–112, 114–116, 118–126, 127–134, 136–141, 155–157, 159, 161, 173, 177, 180–182, 193, 195, 207–208, 235, 249, 250, 273
• risk report, 36, 54, 103–107, 111, 116, 119–120, 125, 132–133, 136–139, 155, 157, 159, 178, 180–183, 206–207, 235–236, 251, 273
• risk response strategies, 93–101, 110–115, 119–124, 131–132, 170, 175, 177, 273
• risk reviews, 36, 54, 63, 273. See also major reviews; minor reviews
  • meetings, 128–132
• risk score, 83, 273
• risk strategy statement. See Risk Manage- ment Plan
• risk threshold, 60, 79–80, 89, 232, 234–236
• risk tools and techniques, 53–54, 61, 68, 93, 163, 166
• risk workshop (ATOM), 36, 66–74, 78–81, 87, 95, 98, 119–120, 122–123, 125, 167–169, 171, 173, 182, 210–218, 273
  • subconscious biases, 217–218
  • variants on, 210–211
  • virtual workshop, 212–215
• RMM. See Risk Maturity Model
• RMP. See Risk Management Plan
• ROI. See return on investment
• roles and responsibilities (ATOM process), 54–57

• scalability (of ATOM and risk manage- ment), 11, 12, 25–26, 27, 29, 31–32, 35, 145, 161, 183, 187
• scenario analysis, 175, 273
• S-curve, 177, 179, 188, 200–201, 203–204, 206–207, 273–274
• secondary risk, 25, 93, 96, 99–100, 102, 110–113, 123, 125, 131, 154, 181, 274
• sensitivity. See cruciality
• sensitivity analysis, 207–208, 271, 274
• share (risk response strategy), 96–98, 155, 235, 274
• Six As Model, 224, 226–227
• stakeholder, 274
  • analysis, 46–48,61, 69 274
  • roles of, 57
• standards, 37–41
• stochastic branches, 189, 191, 193, 195, 200, 274
• Strengths, Weaknesses, Opportunities, and Threats analysis. See SWOT (analysis)
• styles, facilitation, 220–224
• subconscious biases, 217–218
• supportive organizations, 22–24
• Supportive style (risk workshop facilita- tion), 220–222, 224
• SWOT (analysis), 167–169, 223, 274

• tailoring ATOM process, 238–240
• threat, 4–5, 9, 16–19, 21, 58–60, 167, 196, 274
• tornado chart/diagrams, 203–204, 207, 274
• train staff, 242
• transfer (risk response strategy), 96–98, 155, 235, 274
• trigen. See modified triangular distribution
• Tuckman–s model of team formation, 221–222

• uncertainty, 4–5. See also risk uniform distribution, 198–199

• virtual workshop, 212–215

• WBS. See work breakdown structure
• work breakdown structure (WBS), 66–68, 73, 75, 78–80, 85–86, 88–90, 119–121, 124, 169, 171–174, 179, 193
• workshop. See risk workshop

* Items in bold are glossary entries.