MDP273a
Project Risk Management v1.0 Participant Guide
© 2009 TechSkills LLC, d/b/a Corporate Education Group. All Rights Reserved.
Written and published by:
Corporate Education Group
1 Executive Drive, Suite 301
Chelmsford, MA 01824-2558
978-649-8200
No parts of this guide may be reproduced or transmitted in any form, or by any means, electronic or
mechanical, including photocopying, recording, or any information storage and retrieval system,
without prior written permission of the publisher.
This publication is a derivative work of A Guide to the Project Management Body of Knowledge
(PMBOK® Guide) – Fourth Edition, which is copyrighted material of and owned by, Project Management
Institute, Inc. (PMI), copyright (2008). This publication has been developed and reproduced with the
permission of PMI. Unauthorized reproduction of this material is strictly prohibited. The derivative
work is the copyrighted material of and owned by TechSkills LLC d/b/a Corporate Education Group,
copyright (2009).
"PMI", the PMI logo, "PMP", the PMP logo, "PMBOK", "PgMP", "Project Management Journal", "PM
Network", and the PMI Today logo are registered marks of the Project Management Institute, Inc. All
other marks are the property of their respective owners.
Any references to company names or individuals in this guide are for demonstration purposes only and
are not intended to refer to any actual organization or person(s).
Disclaimer:
While Corporate Education Group takes care to ensure accuracy of the materials in this guide,
Corporate Education Group cannot guarantee the accuracy and does not provide any warranty
whatsoever.
Printed in the United States of America.
MDP273a: Project Risk Management v1.0
Table of Contents
Course Introduction
Course Objectives
Course Information
A Tour of the Participant Guide
Sources and Additional Readings
Module 1: Introduction to Project Risk Management
  Module Introduction
  Module Objectives
  Topic 1: Project Risk Management in the Context of Project Management
  Topic 2: What is Project Risk Management?
  Topic 3: Project Risk Management in a Project Life Cycle
  Topic 4: Fundamental Principles of Project Risk Management
  Topic 5: Overview of Project Risk Management
  Module Summary
Module 2: Plan Risk Management
  Module Introduction
  Module Objectives
  Topic 1: Overview of the Plan Risk Management Process
  Topic 2: Inputs to the Plan Risk Management Process
  Topic 3: Tools and Techniques for the Plan Risk Management Process
  Topic 4: Outputs from the Plan Risk Management Process
  Module Summary
Module 3: Identify Risks
  Module Introduction
  Module Objectives
  Topic 1: Overview of the Identify Risks Process
  Topic 2: Inputs to the Identify Risks Process
  Topic 3: Tools and Techniques for the Identify Risks Process
  Topic 4: Outputs from the Identify Risks Process
  Module Summary
Module 4: Perform Qualitative Risk Analysis
  Module Introduction
  Module Objectives
  Topic 1: Overview of the Perform Qualitative Risk Analysis Process
  Topic 2: Inputs to the Perform Qualitative Risk Analysis Process
  Topic 3: Tools and Techniques for the Perform Qualitative Risk Analysis Process
  Topic 4: Outputs from the Perform Qualitative Risk Analysis Process
  Module Summary
Module 5: Perform Quantitative Risk Analysis
  Module Introduction
  Module Objectives
  Topic 1: Overview of the Perform Quantitative Risk Analysis Process
  Topic 2: Inputs to the Perform Quantitative Risk Analysis Process
  Topic 3: Tools and Techniques for the Perform Quantitative Risk Analysis Process
  Topic 4: Outputs from the Perform Quantitative Risk Analysis Process
  Module Summary
Module 6: Plan Risk Responses
  Module Introduction
  Module Objectives
  Topic 1: Overview of the Plan Risk Responses Process
  Topic 2: Inputs to the Plan Risk Responses Process
  Topic 3: Tools and Techniques for the Plan Risk Responses Process
  Topic 4: Outputs from the Plan Risk Responses Process
  Module Summary
Module 7: Monitor and Control Risks
  Module Introduction
  Module Objectives
  Topic 1: Overview of the Monitor and Control Risks Process
  Topic 2: Inputs to the Monitor and Control Risks Process
  Topic 3: Tools and Techniques for the Monitor and Control Risks Process
  Topic 4: Outputs from the Monitor and Control Risks Process
  Module Summary
Appendix A: Exercises
Appendix B: Solutions
Appendix C: Job Aids
Table of Figures
Figure 1-1. Competing Project Constraints
Figure 1-2. Triple Constraint Model
Figure 1-3. Risk over the Project Life Cycle
Figure 1-4. Risk and the Project Life Cycle
Figure 1-5. Spiral Life Cycle Example
Figure 1-6. Balance Response to Risk with Proportionate Expenditure
Figure 1-7. Project Risk Management Process Group Map
Figure 1-8. Project Risk Management Overview
Figure 1-9. Planning Process Group
Figure 2-1. Project Risk Management Process Group Map: Plan Risk Management
Figure 2-2. Plan Risk Management: Data Flow Diagram
Figure 2-3. Plan Risk Management: Inputs, Tools & Techniques, and Outputs
Figure 2-4. Definition of Impact Scales for Four Project Objectives
Figure 2-5. Example of a Risk Breakdown Structure (RBS)
Figure 3-1. Project Risk Management Process Group Map: Identify Risks
Figure 3-2. Using a Process Approach to Identify Risks
Figure 3-3. Identify Risks: Data Flow Diagram
Figure 3-4. Identify Risks: Inputs, Tools & Techniques, and Outputs
Figure 3-5. Sample Cause-and-Effect Diagram
Figure 3-6. Sample System/Process Flowchart
Figure 3-7. Sample Influence Diagram
Figure 3-8. SWOT Diagram Example
Figure 3-9. Sample Risk Register
Figure 3-10. Sample Risk Register Worksheet
Figure 4-1. Project Risk Management Process Group Map: Perform Qualitative Risk Analysis Process
Figure 4-2. Perform Qualitative Risk Analysis: Data Flow Diagram
Figure 4-3. Subjective and Objective Risk Analysis Techniques
Figure 4-4. Perform Qualitative Risk Analysis: Inputs, Tools & Techniques, and Outputs
Figure 4-5. Probability and Impact Matrix
Figure 4-6. Risk Score Change Over Time
Figure 5-1. Project Risk Management Process Group Map: Perform Quantitative Risk Analysis
Figure 5-2. Perform Quantitative Risk Analysis: Data Flow Diagram
Figure 5-3. Normal Distribution and Standard Deviation Ranges
Figure 5-4. Perform Quantitative Risk Analysis: Inputs, Tools & Techniques, and Outputs
Figure 5-5. Range of Project Cost Estimates from Stakeholder Interview
Figure 5-6. Two Commonly Used Probability Distributions
Figure 5-7. Sensitivity Analysis: Labor Rates and Total Project Budget
Figure 5-8. Tornado Diagram Example: Panama Canal Third-Lane Locks
Figure 5-9. Sensitivity Analysis Scenario: Summary
Figure 5-10. Simplified Decision Tree
Figure 5-11. Decision Tree Diagram Example
Figure 5-12. Cost Risk Simulation Results
Figure 5-13. Monte Carlo Simulation Results Example
Figure 6-1. Project Risk Management Process Group Map: Plan Risk Responses
Figure 6-2. Plan Risk Responses Data Flow Diagram
Figure 6-3. Plan Risk Responses: Inputs, Tools & Techniques, and Outputs
Figure 7-1. Project Risk Management Process Group Map: Monitor and Control Risks
Figure 7-2. Monitor and Control Risks Data Flow Diagram
Figure 7-3. Monitor and Control Risks: Inputs, Tools & Techniques, and Outputs
Figure 7-4. Sample Risk Trend Analysis Format
Figure 7-5. Sample Technical Performance Chart
Course Introduction
Managing risks is a key element of effective project management. In
this course you will gain knowledge of the processes of Project Risk
Management. You will also:
• Apply skills from these processes to class projects
• Explore the benefits of managing risks and the consequences of
failing to do so
• Gain experience identifying, analyzing, and responding to risks—both
positive and negative—in projects through lectures, discussions,
group activities, a case study, and work examples
The Project Risk Management course aims to develop a foundation of
project management skills using generally accepted project
management knowledge and practices. This course complies with
standards of the Project Management Institute (PMI®) and the PMI®
publication A Guide to the Project Management Body of Knowledge
(PMBOK® Guide), Fourth Edition.
Project Risk Management seeks to increase the probability and impact
of positive events in a project, and decrease the probability and impact
of events adverse to the project. The processes in Project Risk
Management are initiated early in the project and are implemented
continuously throughout the project. The project manager is responsible
for ensuring that the risk management plan is properly executed and for
evaluating the effectiveness of the entire risk management process.
The course will help you develop risk management skills and prepare in
part for Project Management Professional (PMP®) certification from the
Project Management Institute.
Note: Completing the Project Management Professional (PMP®)
certification process and obtaining Microsoft Project proficiency are
not objectives for this course. PMP® certification is available only
through the Project Management Institute (PMI®), which has specific
educational and experiential requirements that determine whether an
individual is eligible to apply for certification.
Course Objectives
Upon completion of the course, the participant will be able to:
• Incorporate the processes of the Project Risk Management
Knowledge Area into day-to-day project management activities
• Describe the Project Risk Management process interactions and data
flow
• Identify the benefits of managing risk and the impacts on project
objectives when risk is not managed effectively
• Explain the iterative nature of the risk management processes and
the need for the processes to be performed throughout the life of
the project
• Describe the components of the risk management plan
• Determine stakeholder risk tolerance
• Use inputs and tools and techniques of the Project Risk Management
processes to identify and categorize risks
• Conduct a probability and impact assessment for identified project
risks
• Apply Perform Quantitative Risk Analysis process techniques to
evaluate project risks
• Develop appropriate risk response strategies to address positive and
negative risks
• Choose appropriate techniques to track identified risks, monitor
residual risks, and identify new risks
Course Information
Course Agenda
Day 1
• Module 1: Introduction to Project Risk Management
• Module 2: Plan Risk Management
• Module 3: Identify Risks
• Module 4: Perform Qualitative Risk Analysis
Day 2
• Module 5: Perform Quantitative Risk Analysis
• Module 6: Plan Risk Responses
• Module 7: Monitor and Control Risks
Housekeeping
Your instructor will provide information on:
• Coffee breaks
• Lunch
• Location of restrooms
• Location of exits
• "Parking lot": a place to record questions that will be answered
later in the course
Expectations for Participants
Participants are expected to:
• Arrive on time for every class
• Actively participate in class work
• Attend 90% (minimum) of scheduled class time
CLASS DISCUSSION: INTRODUCTIONS
• Name
• Current role
• Experience in project management
• Personal objectives for the course
• Fun fact (a hobby or interest apart from work or project management,
not including children or pets)
A Tour of the Participant Guide
The Project Risk Management Participant Guide presents the body of
content covered in the course. The material in the guide is organized in
the same sequence as the slides. This guide:
• Enables you to follow the presentation in class and take notes if
desired.
• Provides a reference that you can use after the class is over.
Course Structure
Modules consist of one or more numbered topics. Topics are divided into
subtopics.
In general, each subtopic in the Participant Guide is covered by one
slide. The guide does not include images of the slides.
The Participant Guide appendices include exercises, exercise solutions,
and job aids.
Participant Guide Components
The Participant Guide consists of the following components, many of
which are associated with icons and callout boxes:
Objectives
The overall course objectives are presented at the beginning of the
course, with more detailed objectives at the beginning of each module.
Business Challenges and the Case Study
The SummerFest Case Study is threaded through this course. Examples of
familiar business challenges based on the case study are used to introduce
the participant to the subject matter. The same case study forms the
background for many of the exercises conducted in class.
Definitions
Key terms are defined in the module where they are first introduced.
Definitions are highlighted in the Participant Guide and are often displayed
in the slide presentation.
Class Discussions and Group Breakouts
The course includes specific time periods set aside for discussion, with
specific questions suggested. The discussion questions are inserted at
designated points in both the slides and the Participant Guide.
Discussions may be facilitated by the instructor or conducted in small
groups.
Examples
Brief examples unrelated to the case study may appear from time to time
in this callout box.
For more lengthy examples, such as samples of typical project management
work products, you will be referred to Appendix C.
Exercises and Activities
Exercises are a chance for you to apply what you are learning in the course.
Exercises are provided in Appendix A of the Participant Guide.
Activities are short exercises which may appear from time to time in this
callout box.
Job Aids
A variety of templates and sample work products are included with this
course as job aids. The purpose of the job aids is to reinforce what you
learned in class after you return to the workplace.
Job aids are in Appendix C of the Participant Guide.
Tip
Tip statements provide suggestions in the context of a process step or
application of a technique.
Caution
Caution statements highlight potential challenges when working on a
particular technique or process step.
Participant Guide Appendices
Appendices are located in separate tabs of the Participant Guide.
Appendix A: Exercises
Exercises in Appendix A include procedures and any inputs or templates
you may need to complete the assignments. Your instructor will provide
additional guidance.
Appendix B: Solutions
Upon completing an exercise, you will usually be asked to compare your
results with a suggested solution in Appendix B.
Appendix C: Job Aids
Appendix C includes templates that you can use in your workplace and
samples of project management deliverables. You may use these
samples as a reference when doing the exercises.
Module 1
Introduction to Project Risk Management
Module 1: Introduction to Project Risk Management
Module Introduction
Project Risk Management is one of the nine Knowledge Areas in the
Project Management Body of Knowledge (PMBOK®). The goals of Project
Risk Management are to increase the probability and impact of positive
events to a project, and to decrease the probability and impact of
adverse events.
This module, Introduction to Project Risk Management, describes how
risk management is integrated with project management as a whole. It
identifies how the Project Risk Management Knowledge Area intersects
with the five Project Management Process Groups: Initiating, Planning,
Executing, Monitoring & Controlling, and Closing.
The module also introduces the Project Risk Management processes:
• Plan Risk Management
• Identify Risks
• Perform Qualitative Risk Analysis
• Perform Quantitative Risk Analysis
• Plan Risk Responses
• Monitor and Control Risks
In addition, this module:
• Provides background information about risk and risk management
• Introduces the language and practice of Project Risk Management in
the context of the project management life cycle
Module Objectives
Upon completion of this module, the participant will be able to:
• Define Project Management
• Define Project Risk Management and explain its goals
• Explain how risks evolve during the project life cycle
• Identify fundamental concepts of risk management
• Identify the benefits of managing risk and the impacts on project
objectives when risk is not managed effectively
• Explain the iterative nature of the risk management processes and
the need for the processes to be performed throughout the life of
the project
Topic 1: Project Risk Management in the Context of Project Management
This section provides an overview of Project Risk Management in the
context of the Project Management Body of Knowledge. This section
also explains some of the key terms used in Project Risk Management.
All projects have two features:
• Projects are temporary. A project has a definite beginning and
well-defined completion criteria (a planned ending). The temporary
nature of a project may also apply to the products it is designed to
produce, since the window of opportunity for a product is often
short-lived.
• Projects are unique. Projects are not repetitive in nature and do
not describe an ongoing operation or a production run. Projects are
designed to produce unique deliverables—a product, a capability, or
a result.
Because a project is unique by definition, it will encounter new,
unexplored territory in some way. This is why Project Risk Management
is such a key part of Project Management.
Key Project Attributes
Projects differ in size and type but have specific characteristics or
attributes. These attributes help identify a project:
• Developed using progressive elaboration
• Requires resources, often from various departments or organizations
• Must have a primary sponsor or customer
• Involves uncertainty
• Has specific objectives
Uncertainty
Each project’s unique qualities may make it challenging to define the
project’s objectives clearly, for example, to estimate how long a
project will take to complete, or to determine how much it will cost.
Sometimes, external factors interfere, for instance, a supplier—or a
competitor—going out of business, or a key team member needing
unscheduled time off. This uncertainty is one of the primary reasons
project management is so challenging, especially with projects that
involve cutting-edge technologies or take place in highly volatile
markets.
Defining Project Management
The use of project management methodology has increased dramatically
since the latter half of the twentieth century. This trend is due to the
successes, failures, and lessons learned when organizations undertake
large, difficult-to-define, complex, and lengthy challenges. Projects
today might be even more difficult to manage with traditional
organizational structures and management methodologies.
DEFINITION: PROJECT MANAGEMENT
"The application of knowledge, skills, tools, and techniques to project
activities to meet the project requirements."
PMBOK® Guide, Fourth Edition
Project management is a universal discipline that delivers consistent,
predictable, and repeatable projects, and can be applied to any
project, regardless of size, budget, or timeline.
Applications of Project Management
Project management is a proven discipline that can be applied to many
scenarios. The level of project management diligence depends on:
• The importance of the project
• The difficulty of the project
• Experience with the type of project
• The size of the project
• The risk factors for the project
The concept of diligence also applies to Project Risk Management. Risk
analysis, management, and response can be time-consuming and
expensive. For significant risks on important projects, however, it
makes sense to invest that time to either enhance a project opportunity
or reduce a project threat.
The idea of applying these techniques commensurately with the depth
and breadth of the project is an important theme throughout this
course, and throughout all of Project Management practice.
Defining Stakeholders
Many individuals within a project manager’s organization, the
customer’s organization, and from regulatory or industry-specific groups
are interested in or affected by a project. Collectively, these individuals
are called project stakeholders.
DEFINITION: STAKEHOLDER
"Person or organization (e.g., customer, sponsor, performing organization,
or the public) that is actively involved in the project, or whose interests
may be positively or negatively affected by execution or completion of the
project. A stakeholder may also exert influence over the project and its
deliverables."
PMBOK® Guide, Fourth Edition
Stakeholders are people involved in or affected by the project activities
and include the project sponsor, project manager, project team,
support staff, customers, users, suppliers, and even opponents of the
project. Stakeholders often have different needs and expectations.
Typical Project Stakeholders
Typical project stakeholders include:
• Project sponsor—Person or group that provides the financial
resources for the project
• Project manager—Person responsible for the successful
accomplishment of the project
• Customers and/or users—People who determine the project
deliverables (requirements) and often are, or represent, the user of
the final product or service
• Performing organization—The enterprise whose personnel are most
directly involved in doing the work of the project
• Project team members—Individuals who perform the required
project tasks
• Suppliers—Employees of organizations that provide services and/or
products to the performing organization
A successful project meets the stakeholders’ requirements and
expectations. A primary responsibility of a project manager is to
understand and manage the stakeholders’ expectations. Learning the
many stakeholders’ interests in the project and then trying to satisfy all
of them, within the bounds of the contract or project management
plan, is a challenging task.
Before a project management plan can be prepared, it is important to
understand and document stakeholder needs and expectations.
Key Elements for Managing a Project
A project manager must simultaneously manage three basic principles of
project management to deliver a successful project:
• Identify requirements
• Address stakeholders’ needs, concerns, and expectations as the
project is planned and executed
• Balance competing project constraints, including but not limited to:
  ◦ Scope
  ◦ Quality
  ◦ Schedule
  ◦ Budget
  ◦ Resources
  ◦ Risk
Figure 1-1 shows the competing project constraints.
Figure 1-1. Competing Project Constraints
A project manager establishes and maintains project stability by
carefully balancing the relationships between constraints. If one of the
factors shown in Figure 1-1 changes, it affects at least one of the other
factors.
Figure 1-2 shows the Triple Constraint Model, named for the concept
that only (1) Time, (2) Cost, and (3) Scope and Quality are factors that
affect one another.
Figure 1-2. Triple Constraint Model
As project management evolves as a discipline, professionals regularly
update and redefine what particular industries call good practices or
best practices. These widely recognized practices are based on
consensus for applying skills, tools, and techniques that enhance the
chance of success over a wide range of projects.
Today’s project managers agree that it is important to also recognize
how the relationship of resources and risk, along with the three factors
of Time, Cost, and Scope & Quality, affects the project manager’s ability
to balance these competing constraints. PMI also renamed the term
"Time" to Schedule and "Cost" to Budget to be more specific when
discussing project constraints.
The PMBOK® Guide and its Knowledge Areas
The Project Management Institute (PMI) publishes "A Guide to the
Project Management Body of Knowledge," known as the PMBOK® Guide.
The PMBOK® Guide contains a framework of 42 project management
processes that are applicable to nine project management Knowledge
Areas.
Six of the 42 processes are Project Risk Management processes. These
are introduced in Topic 4 of this module. All Project Risk Management
processes are numbered starting with an "11" because Project Risk
Management is Chapter 11 of the PMBOK® Guide.
The nine project management Knowledge Areas are:
• Project Integration Management
• Project Scope Management
• Project Time Management
• Project Cost Management
• Project Quality Management
• Project Human Resource Management
• Project Communications Management
• Project Risk Management
• Project Procurement Management
Although Project Risk Management is a distinct knowledge area, this
course shows that the effects of risk interplay with all other Knowledge
Areas.
Topic 2: What is Project Risk Management?
THE BUSINESS CHALLENGE
Inspired by attending a Memorial Day parade while visiting her in-laws in a
neighboring state, Hannah Foster proposes that SummerFest, the four-day
June town fair, add a Saturday morning parade to boost attendance and
generate additional revenues.
As a board member of Citizens Collaborative, the nonprofit group that
manages SummerFest, Hannah is all too aware of a three-year trend that
shows declining Saturday attendance. The board has discussed various ways
to address that decline. Fellow board member Jack North immediately
dismisses the parade idea as too risky. "It's like using a fire hose to blow out
a candle," he says. "Who knows what you destroy in the process. We have no
idea what risks it will generate, and for totally speculative benefits."
Risk, Hannah reminds the board, can also mean opportunity. "Besides," she
says, "any action involves risk. What does it hurt to look into it? This might
be a huge revenue opportunity." Hannah does some research, and learns
that the parade is a huge tourism booster for her in-laws' town.
In a close vote, the board opts to pursue the SummerFest parade. Hannah
Foster drafts a scope statement for the project, and Ana Cruz is brought in
to manage it.
• How can Ana best identify and prepare for risks that might be involved
in the parade project?
The risk management process is a methodical progression, from
discovery (or identification) to analysis and responding to project risk. A
project manager must understand a particular risk in terms of its
relative significance to the project and in relationship to other risks.
Risk is an inherent part of all human endeavors. Most decisions,
including the most simple, involve risk.
Defining Risk
Some consider risk as a source of danger or possibility of incurring loss
or misfortune, while others define risk as a venture undertaken without
regard to possible loss or injury. This type of risk is called a threat.
DEFINITION: THREAT
"A condition or situation unfavorable to the project, a negative set of
circumstances, a risk that will have a negative impact on a project
objective if it occurs, or a possibility for negative changes."
PMBOK® Guide, Fourth Edition
Risk can also be defined as an uncertain event with a positive probable
consequence. This type of risk is called an opportunity.
DEFINITION: OPPORTUNITY
"A condition or situation favorable to the project, a positive set of
circumstances, a positive set of events, a risk that will have a positive
impact on project objectives, or a possibility for positive changes. Contrast
with threat."
PMBOK® Guide, Fourth Edition
Thus the PMBOK® Guide, Fourth Edition, defines risk as either positive
or negative.
DEFINITION: RISK
"An uncertain event or condition that, if it occurs, has a positive or
negative effect on a project’s objectives."
PMBOK® Guide, Fourth Edition
Risk Events and Conditions
A risk event differs from a risk condition.
• Risk event: an occurrence or outcome that has a positive or
negative effect on a project’s objectives
• Risk condition: a circumstance of the project’s context that
contributes to positive or negative risks
What is Project Risk?
A project risk is any uncertain event or condition that, if it occurs, has a
positive or negative effect on at least one project objective, such as
time, cost, scope or quality. For example, if a key expert resource is
injured in a traffic accident, the risk event may affect schedule (if work
is delayed until the resource can return), cost (if a substitute resource
must be hired), and quality (if a substitute resource lacks the expertise
of the injured person).
CLASS DISCUSSION: WHAT RISK MANAGEMENT CHALLENGES DO YOU CURRENTLY FACE?
• What risk-related initiatives or programs are implemented at your companies today?
• Working with your group, select the five biggest risk management challenges that you or your company currently face.
Goals of Risk Management
Risk is inherent in all projects and may impact one or more elements of
the project baseline. Risks have one or more causes, and may have
more than one impact if they occur. The goal of risk management is to:
• Maximize the probability and impact of opportunities
• Minimize the probability and impact of threats
Risk management requires that the project manager anticipate
problems long before they occur and take action to keep the project
running smoothly.
Similarly, the project manager must actively seek opportunities to
enhance project performance. Other risk management goals include:
• Identify as many plausible risk events as possible
• Establish contingency plans and funds to cover risk events that do
materialize
• Manage responses to risk events
Why Risk Management is Important
Managing risk is important because it:
• Leads to early recognition of risks
• Ensures design and application of effective risk responses
• Matches the investment and effort to control risks with their
potential to impair or enhance the project
• Reduces burnout of team members
• Helps to ensure project success by mitigating risk
Because of the nature of risk and its potential to adversely affect
project success, the project team must assess risk and document their
risk management approach as early as possible in the project, during
the initiating processes if possible. A key aspect of the Define Scope
process, with development of the project scope statement, is to
identify and document project risks.
This early risk assessment in conjunction with the project’s dollar value,
visibility, and complexity will help determine the right approach to
manage project risk.
When is the Risk the Greatest Threat to the Project?
The chance that risk will have a negative effect on a project is greatest
at its beginning because less is known about the project’s environment.
Early in a project the cost impact of risk is also smaller than later in the
project. The project manager must identify risks, decide on responses, and
minimize the potential for risk during the early stages of the project.
The cost of a risk event occurring after a project passes the halfway
mark increases rapidly.
Figure 1-3. Risk over the project life cycle
Figure 1-3 shows an example of risk over a project life cycle. As a
project matures, the likelihood of known and unknown risk events drops
sharply.
It can be tempting to re-allocate unused risk contingency funds for non-
risk-related purposes. However, because the cost to fix risk events after
a project’s midpoint increases sharply, unused contingency funds may
well be needed to respond to subsequent risk events.
Risk management is a proactive process that helps project management
teams identify, prepare for, and address potential and realized risks
during a project.
Although risk management is a proactive approach that may reveal
many potential risks, the possibility of unknown risks cannot be
managed proactively. A prudent approach by the project management
team to deal with unknown risks might be to allocate general
contingency funds against such risks, as well as to known risks for which
response plans may not be cost-effective or possible to develop.
Benefits of Managing Risk
Project managers must use a systematic approach to managing risk to
ensure that all risks are identified and addressed.
Managing risk benefits the organization by:
• Increasing project visibility (profit and success)
• Focusing attention on mitigation by:
  ◦ Using a proactive rather than reactive approach to risk
    management
  ◦ Improving morale by providing rewards and incentives
• Preparing for risk realizations
• Providing a competitive advantage
• Generating personal success
Consequences of Failing to Manage Risk
Failing to recognize risk and risk potential can lead to project failure.
This is particularly likely with respect to achieving a project’s technical
performance objectives, such as transaction times, number of delivered
defects, or storage capacity.
Where risk can be avoided, the project management team must study
alternative approaches to the associated activity, choose one, and
incorporate it into the project management plan.
Where risk cannot be avoided, the team must develop and incorporate
mitigating strategies into the project management plan.
Failing to use Project Risk Management can cause two kinds of negative
consequences:
• Failure to meet project objectives
• Missed opportunities to exceed project objectives
Failing to Meet Project Objectives
Consequences of failure to meet project objectives include:
• Significant cost overruns
• Schedule delays
• Failure to deliver the committed project scope
• Project cancellation
• Fines and penalties
• Injuries and damages
• Personal and/or organizational liabilities
• Loss of credibility
• Loss of market share
Missed Opportunities to Exceed Project Objectives
Failure to use risk management commonly results in failure to take
advantage of opportunities in the four major categories of project
objectives.
OBJECTIVE / MISSED OPPORTUNITY
Scope
• To identify and include additional functionality by reusing existing
components for modest additional investment
• To build the infrastructure of the solution to support enhancements
more efficiently
Schedule
• To fast-track activities (or networks of activities) by limiting the
interaction between the components of the product (uncoupling)
• To substitute highly productive capital resources for labor by taking
advantage of windows of opportunity when these resources are available
Cost
• To obtain the best rates for resources through competitive bidding, or
by leveraging buying power across several projects
• To obtain funding at the lowest cost to the organization
• To leverage reusable components
Quality
• To leverage higher quality resources when they unexpectedly become
available
• To leverage the best available components and materials
Risk Management and the Organizational Culture
Risk management can be affected by these aspects of an organization’s
culture:
• Organizational standards and policies
• Expectations and behaviors
• Resistance
• Optimism
Organizational Standards and Policies
Organizational standards and policies often provide guidance to ensure
a degree of consistency across projects. Likewise, planning for risk
management on a project involves choosing the best application of
organizational policies commensurate with the overall project risk. The
risk management plan is the project manager’s commitment to the
sponsor and organization regarding standards for risk management.
Expectations and Behaviors
Risk management may be affected by the culture in an organization. To
ensure that the process of managing risk is rooted in the organization’s
culture and policy, the process must begin before the project begins.
Without well-established expectations and without models of effective
behavior by senior management, a project manager’s attempts to
manage risk are likely to be misunderstood, resisted, and ultimately
prove fruitless.
An organization must also subscribe to the principle that a well-
designed process, when properly followed, is the best guarantee against
the potential of risks arising due to errors or omissions.
Resistance
If an organization’s culture involves resisting the application of process
discipline, even the basic project management processes cannot be
effectively and diligently executed. This situation leads to a continuous
and growing stream of errors and omissions, creating risks that cannot
be managed by simply applying more processes.
Optimism
Organizations that are eternally optimistic may be unwilling to explore
the possibilities of negative outcomes. They demonstrate a form of
organizational denial. Because they attempt to minimize the likelihood
and impact of negative events, it is difficult to persuade them to invest
the necessary resources, including time and money, in risk management
activities.
They are also reluctant to commit contingency reserves.
DEFINITION: CONTINGENCY RESERVE
"The amount of funds, budget, or time needed above the estimate to
reduce the risk of overruns of project objectives to a level acceptable to
the organization."
PMBOK® Guide, Fourth Edition
Project failures in these organizations are frequently downplayed or
even covered up. On the other hand, organizations that take time to
consider possible negative outcomes and conscientiously prepare to face
or eliminate them will adopt risk management readily.
Topic 3: Project Risk Management in a Project Life Cycle
Project Risk Management describes the entire discipline, from beginning
to the end of a project. A project may consist of multiple phases. Each
phase may have its own risk characteristics, such as concept exploration
or final production. At the beginning and at key points of each phase, a
specific risk assessment may be performed to identify risks and to assess
their severity. Risk management happens within each phase of the
project life cycle.
What is a Project Phase?
DEFINITION: PROJECT PHASE
"A collection of logically related project activities, usually culminating in
the completion of a major deliverable. Project phases are mainly
completed sequentially, but can overlap in some project situations. A
project phase is a component of a project life cycle. A project phase is not
a Project Management Process Group."
PMBOK® Guide, Fourth Edition
Information technology projects offer a clear illustration of the concept
of project phases. Several phases are used to manage unique processes
and deliverables. For example, the requirements phase defines the
basic performance requirements of the system, while the subsequent
design phase determines how to best fulfill those requirements. The
requirements phase will generally produce requirements documents,
whereas the design specifications are the result of the design phase.
What is a Project Life Cycle?
Projects are divided into several project phases to provide better
management control and appropriate links to ongoing operations of the
performing organization. Collectively, these phases are known as a
Project Life Cycle.
DEFINITION: PROJECT LIFE CYCLE
"A collection of generally sequential project phases whose name and
number are determined by the control needs of the organization or
organizations involved in the project. A life cycle can be documented with a
methodology."
PMBOK® Guide, Fourth Edition
Project Phases and Life Cycles
Projects and their life cycles are usually divided into project phases.
Each phase of the project life cycle is marked by the completion of one
or more deliverables and allows for Go or No-Go decisions. Phases
define:
• Work to be done
• Who should be involved
The conclusion of a project phase in the life cycle is marked by a review
of both key deliverables and project performances. These checkpoints
are often called phase exits, stage gates, Q-gates, or kill points.
Reviews are conducted in order to determine if the project should
continue, and to detect and correct any variances in a timely manner.
Many project life cycle models are available for use in project
management. The project manager is responsible for selecting the life
cycle that best supports the type of project being managed.
Perform risk processes throughout a project life cycle to identify and
manage significant risks. A project risk analysis can be performed at any
time during the project life cycle. In fact, one of the earliest actions
when planning for risk is to determine at what point during the project
life cycle risk analysis must be performed.
Subsequent reviews and revisions must be performed periodically.
Project managers conduct risk analyses for the following reasons:
• A major risk that was previously identified has been realized
• The potential of a high-risk item changed
• The potential for new risks has been identified
Project Life Cycles and Risk
The project risk management process is iterative. Managing the project
and managing existing risks leads to the discovery of new risks. The
progress of the project will unearth new unknowns and assumptions.
Very late in a project a project manager may discover issues that
cannot be anticipated, for example, regulatory changes, changes in
personnel, or issues with manufacturing.
Figure 1-4 shows an example of risk and the project life cycle. Over
time, the analysis of risk should show that probability and impacts of
risks are decreasing in response to effective management as shown
below. However, residual risks may remain. The probability of risk may
be decreased significantly, but risk will never be absent.
Figure 1-4. Risk and the Project Life Cycle
Project managers must establish a threshold of risk acceptance for each
type of risk.
Think of risk management as an integrated discipline that is practiced
continually through the life of a project. This means that an action or
failure to take an action in one area usually affects other areas. Risk
management often requires tradeoffs among project objectives.
Performance in one area may be enhanced only by sacrificing
performance in another.
Managing Risk by Project Phase
Different phases involve different types and sizes of risk. Two main
principles cause this variation in project risk:
• The kind of work performed in each phase differs.
• Each kind of work introduces its own risks.
For example, in the design phase, the faulty application of a design
technique or tool can result in significant difficulties. This problem
cannot occur during testing or implementation because the tool or
technique is not used in those phases.
The earlier in the project life cycle that the risk is realized, the greater
the impact is on the rest of the project.
Because most problems propagate through the remaining project
management activities and deliverables, more of the value of the
project is affected by a problem in an early phase than by a problem in
a later phase.
For example, an omission in the specification, which occurs in the
design phase and then remains undetected until testing or even
implementation, will usually require reworking the design, as well as
every downstream deliverable that is affected.
Example of Managing Risk throughout Phases of a Project
Project risk management processes are performed throughout the life
cycle of a project. Because each phase of a project introduces its own
risks, a fresh risk analysis must be performed when transitioning to a
new phase.
A problem with traditional software process models is that they do not
deal sufficiently with the uncertainty that is inherent to software
projects. Important software projects have failed because project risks
were neglected and no one was prepared when something unforeseen
happened. Barry Boehm recognized this and tried to incorporate project
risk into a project life cycle model. Figure 1-5 shows a spiral model of a
software development project, with risk analysis accompanying the
creation of each prototype.
Figure 1-5. Spiral Life Cycle Example
The radial dimension of the model represents cumulative costs. Each
path around the spiral reflects increased costs. The angular dimension
represents the progress made in completing each cycle. Each loop of
the spiral from the X-axis clockwise through 360 degrees represents one
phase. Each phase is split roughly into four sectors of major activities:
• Planning: Determining objectives, alternatives, and constraints
• Risk Analysis: Analyzing alternatives and attempting to identify and
resolve risks
• Development: Developing and testing the product
• Assessment: The customer evaluating the product
Topic 4: Fundamental Principles of Project Risk Management
There are seven basic principles of Risk Management:
1. Determine proportionate expenditure
2. Use a pragmatic approach
3. Apply a graded approach
4. Use open communication
5. Apply continuous processes
6. Use integrated risk management
7. Use a team approach
1. Determine Proportionate Expenditure
The time and money spent in analyzing risk and determining risk management
and mitigation strategies must be considered from a cost to benefit
perspective. It should not cost more to manage or mitigate the risk than to
realize the risk. The goal of the risk management or mitigation strategy is to
significantly reduce the risk potential and to cost significantly less than the
realized risk.
Realized risk describes the impact to the project if the risk actually occurs in
an unmitigated manner. An example of this may be the development of a work-
around strategy that adds five days to the project schedule in order to avoid a
prospective risk, but implementing the strategy causes an additional schedule
delay of three days. This is not considered wise risk management.
Figure 1-6. Balance Response to Risk with Proportionate Expenditure
Determine Expenditure Proportionate to the Realized Risk
Realized risk is the impact to the project if the risk actually occurs. This
can be shown in terms of financial loss, delay in schedule, or inability to
achieve stated objectives and/or requirements. Ultimately, each of
these can be reduced to the time and cost that will be required to
repair or recover from the risk event. An example: one might wish to
estimate the value of realized risk from a public disaster such as a
hurricane. Losses are not simply declared as a loss of a million dollars.
Instead, the costs are defined in terms of the cost to return to normal,
such as rebuilding roads, houses, and public infrastructure. Likewise
when a project suffers a loss, some course of corrective action is taken
to recover. The cost of that action (in terms of time, resources, and
budget) is the true realized risk.
In some project domains, the idea of realized risk is replaced by the
value of the risk factored by the probability that it will occur.
Statistically, a risk with an impact of $50,000 but only 10% likelihood of
occurring is worth, or has an expected monetary value of, $5,000. Using
this example, $5,000 is the maximum appropriate expenditure to
eliminate such a risk.
In a given project you will have dozens of risks, and only a portion of
them will actually occur. You cannot reasonably spend up to the full
value of each risk in order to defend your project. Additional discussion
of the statistical basis of risk is in the material on Monte Carlo analysis
presented later in the course.
2. Use a Pragmatic Approach
This principle involves two important rules:
• Differentiate between high and medium risks
• Identify those risks that can be managed or mitigated
It may be more cost effective to concentrate management attention on
the mitigation of some medium risks, which can be controlled, rather
than on some high risks with results largely determined by outside
influences.
It may not be possible to manage or mitigate every risk; therefore,
some risks must simply be accepted. Some risks are uncontrollable. For
example, if a key resource pool belongs to a union, which is
sympathetic to a strike that may take place at an unrelated facility,
management may choose to simply ignore the risk because there are no
alternative strategies and the strike is beyond their control.
DEFINITION: RISK ACCEPTANCE
"A risk response planning technique that indicates that the project team
has decided not to change the project management plan to deal with a risk,
or is unable to identify any other suitable response strategy."
PMBOK® Guide, Fourth Edition
Also, a risk with an extremely high consequence but an extremely low
potential of occurring may not need to be considered as a risk with any
real potential for the project.
3. Apply a Graded Approach
The use of a flexible process lets the project manager choose a more or
less rigorous application of project risk management approaches,
controls, and tools to actually manage project risk. This includes using
a:
• Means to identify activities with significant risk
• Process to determine risks and commensurate controls/responses
• Documented record of the decisions and chosen controls/responses
A formal, documented process must be used in determining the
application of the graded approach, and included in the risk
management plan. This process normally begins with an analysis of the
risk to the project’s successful completion as conceived and planned. In
one sense, project management is the art and skill of bringing a project
to successful completion through the management and mitigation of
risk. Project managers are risk managers.
Basis for Grading
The basis for grading is formulated by using a qualitative and
quantitative process, or by considering and applying the proportionate
resources and pragmatic response with:
• The dollar value associated with the project
• The complexity of the project
• The visibility of the project
• The importance (stake) of the project
The project dollar value, complexity, visibility, and stake—for example,
what is at stake if this project fails—are the basis for determining the
application of a graded approach.
When determining and applying the graded approach, project stake
must be the only basis. This process may lead to a clearer definition of
the application of the risk-based graded approach.
4. Use Open Communication
In order to maximize the probability that information about risks will
reach the project team, every effort must be made to encourage
submissions of possible risks, including validating the contributions from
all sources, no matter what their background or function.
The project management team must also encourage the free flow of
information among all participants in the project. This will ensure that
available sources of information about risks will be surfaced and
tapped, and that potentially sensitive information will reach the
necessary parties.
Because individuals tend to prefer specific communication vehicles and
avoid others, and because the project team cannot predetermine who
will possess important risk information, the team must encourage the
use of a wide variety of communication vehicles. This will increase the
probability that information about a risk will be divulged and
communicated effectively to the necessary parties on the project team.
5. Apply Continuous Processes
Project management team members and stakeholders must remain
attentive to the emergence of new risks throughout all phases of the
project. Team members must also maintain adequate monitoring
sources that provide alerts regarding emerging risks.
6. Use Integrated Risk Management
Project managers and risk managers must include risk management
activities as an integral part of the other project management
activities. This means considering risk whenever a project status
meeting is held, or a new resource is introduced to the project, or an
unexpected event occurs.
In order to make Project Risk Management a more intrinsic part of the
project management activities, the project management team must
ensure that all aspects of the project's infrastructure (such as its
communication vehicles, repository, and work management processes)
include a risk management aspect.
In addition, the project management team must encourage risk
awareness within the project team’s culture. For example, the team
members must be tolerant of negative reactions to new circumstances,
and explore them openly for any possible validity. They must also
routinely challenge optimistic assertions and forecasts, ask each other
challenging questions about how adverse events might affect the
project, and suggest ideas on how to prepare for such events in
advance.
7. Use a Team Approach
The final fundamental principle of risk management involves using a
team approach. The project manager is ultimately responsible for risk
management, but needs participation from all team members. Best
results are achieved when all the stakeholders who might have
information about project risks and impact, or how best to mitigate
them, are involved. Gaining that commitment to participate is a project
manager’s responsibility.
Reasons for using the Team Approach
The project manager will achieve superior results in risk management
by engaging members of the project team in risk management
activities. This is primarily for three reasons:
• Project team members have the greatest familiarity with the kinds
of technical risks that are likely to occur.
• Project stakeholders are in the best position to identify and assess
external factors that may cause risks for the project.
• When the team is working well together, their creative and
analytical thinking are enhanced through their collaboration, and
both problems and solutions will be raised which might not surface
when the same individuals work alone.
Create a Shared Vision
To increase each team member’s enthusiasm for and effectiveness at
identifying and managing new risks successfully, the team must share a
common understanding of what the final product or service of the
project will look like and do.
Team members must also, to the extent possible, be encouraged to
contribute to defining the product and its functions. These two
practices will make the team more alert to new threats to the project
and more tenacious about facing and advising them.
Who makes up the Risk Management Team?
The project management team typically consists of the following
members:
• Project manager
• Team leaders
• Team members
• Subject matter experts
• Engineers and other employees
• Sponsor or customers
• Others, based on knowledge and expertise
The Project Manager’s Responsibilities
The project manager must establish an open climate that encourages
the active contribution of all project team members and stakeholders.
Whether participating in the initial, formal risk assessments, or
contributing to the follow-up analysis and control of risks, each
participant must be fully involved. This may require the project
manager to exercise the soft skills to draw out the quiet team members
and to gracefully control the more outspoken members.
When doing a formal assessment, thought must be given to establishing
a meeting that encourages input from all perspectives on the project.
This may include the customer and other stakeholders not normally
considered as having direct or valid input. The feedback from other
individuals in an organization who have timely and vital lessons learned
from similar experiences is extremely valuable and must be included.
In addition to the above, project managers usually:
• Plan risk management strategies
• Identify opportunities for regulatory agencies or stakeholders to
participate in risk planning
• Actively seek opportunities to introduce positive events, thereby
enhancing project performance
• Organize risk management activities for the project team, including
assigning and supervising risk management activities
• Assign and supervise the conduct of risk management activities by
team members
• Seek opportunities to turn potential risk events into positive events,
thereby enhancing project performance
• Detect and correct deviations from planned activities
• Anticipate problems before they occur and take corrective actions
to keep the project running smoothly
• Address quality problems in risk management deliverables
• Engage project stakeholders to solicit and exchange information
about risk management
• Document risk plans, risks encountered, and responses to risks
• Determine the correct level of risk management application, and
which controls and responses are appropriate based on the project
baseline and available resources
• Gain approval from the necessary project stakeholders for risk
management plans and investments
Team Member Responsibilities
During Planning, the team must address:
• Risk identification
• Risk analysis
• Risk mitigation strategy development
During Execution, all team members must be involved in:
• Monitoring risk triggers
• Responding to risks
• Identifying new risks
• Reevaluating known risks in the light of new information or changed
circumstances
Topic 5: Overview of Project Risk Management
Project Risk Management is a disciplined approach to managing risk. It is
a preventative process designed to reduce surprises and minimize
negative consequences. This process also incorporates a methodology
for managers to seize opportunistic advantages to the project
associated with time, cost and technical capabilities.
DEFINITION: PROJECT RISK MANAGEMENT
“Project Risk Management includes the processes concerned with
conducting risk management planning, identification, analysis, responses,
and monitoring and control on a project.”
PMBOK® Guide, Fourth Edition
Sources of risk are endless! Risk can be internal and/or external to the
project. Successful risk management gives the project manager better
control of the project and increases the chances of achieving project
objectives of being on time, within budget and meeting product or
service requirements and criteria.
Processes of the Project Risk Management Knowledge Area
Adapted from the PMBOK® Guide, Fourth Edition
Figure 1-7. Project Risk Management Process Group Map
Figure 1-7 shows the six processes that make up the Project Risk
Management Knowledge Area. Each process is examined in detail in the
remainder of the course.
• Plan Risk Management: deciding how to approach, plan, and
execute the risk management activities for a project
• Identify Risks: determining which risks might affect the project and
documenting their characteristics
• Perform Qualitative Risk Analysis: prioritizing risks for subsequent
further analysis or action by assessing and combining their
probability of occurrence and impact
• Perform Quantitative Risk Analysis: numerically analyzing the
effect on overall project objectives of identified risks
• Plan Risk Responses: developing options and actions to enhance
opportunities, and to reduce threats to project objectives
• Monitor and Control Risks: tracking identified risks, monitoring
residual risks, identifying new risks, executing risk response plans,
and evaluating their effectiveness throughout the project life cycle
Each process is composed of inputs, tools and techniques, and outputs.
Figure 1-8 shows the inputs, tools and techniques, and outputs for each
process.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 1-8. Project Risk Management Overview
Why Is Project Risk Management Important?
As discussed earlier in this module, managing risk is important because
it:
• Leads to early recognition of risks
• Ensures design and application of effective risk responses
• Matches the investment and effort to control risks with their
potential to impair or enhance the project
• Reduces burnout of team members
• Helps to ensure project success by mitigating threats and
maximizing opportunities
Early risk assessment, in conjunction with the project’s dollar value,
visibility and complexity, helps determine the appropriate approach to
manage project risk.
Project Risk Management Process Interactions
As mentioned earlier, risk management is iterative. Risk management
processes interact with each other and with processes in other
Knowledge Areas. Each process may involve one or more individuals or
departments based on the needs of the project. Each process occurs at
least once in each project and if the project is divided into phases, each
process will occur in one or more of the project phases.
Figure 1-9 shows the flow between the risk processes and how the major
inputs and outputs are exchanged. Inputs and outputs for each process
are identified by arrows. Although the processes are presented in this
course as discrete elements with well-defined interfaces, in practice
they may overlap and interact in ways not detailed in the course.
PMBOK® Guide, Fourth Edition
Figure 1-9. Planning Process Group
Module Summary
All projects have a beginning and an end. No two projects are alike, as
each service or product created differs in some way from other services
or products.
Risk is inherent in all projects. Failing to deal effectively with risk can
result in loss of credibility as well as significant cost overruns or
cancellation of the project.
Risk management is a proactive process that helps identify and prepare
for risks that may occur during the life of the project. The risk
management process must be performed throughout the entire project
life cycle to identify and manage significant risks.
There are seven fundamental principles of risk management. The
project manager is responsible for implementing risk management
processes, but the best results are achieved when all of the
stakeholders who might have information about project risks are
involved.
The Project Risk Management Knowledge Area includes the processes
concerned with conducting risk management planning, identification,
analysis, responses, and monitoring and control on a project.
Module 2
Plan Risk Management
Module 2: Plan Risk Management
Module Introduction
The Plan Risk Management process defines how risk management
activities for a project will be conducted. Careful planning helps to
ensure that sufficient resources and time for risk management activities
will be allotted in the project. Planning also ensures that the structure
and nature of risk management are appropriate to the risks and to the
importance of the project to the organization.
The document that results from this process, the risk management plan,
is essential to establishing and attaining the project’s goals of
minimizing negative risks (threats) and their impact, as well as
maximizing positive risks (opportunities).
This module:
• Describes the Plan Risk Management process
• Identifies the inputs, tools and techniques, and outputs of the Plan
Risk Management process
• Discusses the components of a risk management plan and provides
opportunities to develop and use this document during this course
Module Objectives
Upon completion of this module, the participant will be able to:
• State the purpose and importance of the Plan Risk Management
process
• Create a project risk management plan
• Create a Risk Breakdown Structure
Topic 1: Overview of the Plan Risk Management Process
THE BUSINESS CHALLENGE
Hannah, now formally the project sponsor, is already tapping a wide array
of parade participants, from the usual marching bands and local Shriner's
chapter to Duane Evans' drum and bugle corps and a lawn-mower drill team.
Since a parade is a completely new type of project to Ana, the first thing
she does is gather a strong project team around her.
In addition to Hannah and SummerFest consultant Marc Stuver, she enlists
the help of SummerFest founder Walter Stone and of Brita Porter, the long-
time project manager for the Memorial Day parade Hannah attended.
Ana knows her first task is to decide how to approach, plan, and execute
risk management activities for the parade. She'll need a solid plan to ensure
that threats do not cause the project to miss objectives, and opportunities
are fully taken advantage of. To do this, she'll need to assess stakeholders'
tolerance for risk. She calls a planning meeting with her team, plus some
key stakeholders, such as Jack North and Brenda Welsh, chair of the town's
board of selectmen.
How can Ana best define ways to approach and conduct risk
management? What should her plan look like?
The Plan Risk Management process focuses on a general methodology for
managing risks throughout the project. It differs from the Plan Risk
Responses process, whose purpose is to develop specific responses to
identified risks.
The Plan Risk Management process may be rooted in an organization’s
culture and policies. This context may offer guidance to the project
manager to ensure consistent application of risk policies across
projects.
Figure 2-1 shows that the Plan Risk Management process occurs in the
Planning Process Group.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 2-1. Project Risk Management Process Group Map: Plan Risk
Management
DEFINITION: PLAN RISK MANAGEMENT
“The process of defining how to conduct risk management activities for a
project.”
PMBOK® Guide, Fourth Edition
Purpose of the Plan Risk Management Process
The primary purpose of the Plan Risk Management process is to define
how to approach, conduct, and document risk management activities
for the project. The output from this process, the risk management
plan, is the project manager’s commitment to the sponsor and to the
organization regarding the project’s standards for risk management.
The value of the Plan Risk Management process lies in its ability to
ensure that:
• Threats (negative risks) do not cause the project to miss objectives
• Opportunities (positive risks) are effectively converted into
advantages for the project
• Minimum investment of time and money is required to mitigate the
impact of negative risks, should they occur
In order for this value to be realized, the project management team
must implement the Plan Risk Management process and other Project
Risk Management Knowledge Area processes thoroughly and diligently.
Tailoring the Plan Risk Management Process
The Project Risk Management Knowledge Area processes, like all other
project management processes, must be tailored in order to match the
level of effort in risk management to the overall value of the project to
the organization.
EXAMPLE: TAILORING THE PLAN RISK MANAGEMENT PROCESS
A business-critical project requires greater levels of sophistication and
effort in its Project Risk Management processes than a project to perform a
routine upgrade to an infrastructure service requires.
This tailoring might take the form of:
• A larger budget for risk management activities
• More time allowed to perform risk management activities
• Higher levels of involvement by senior stakeholders
• Larger contingency reserves for cost and time to absorb risk impacts
Stakeholders’ Tolerance for Risk
The stakeholders’ tolerance for risk is an important factor affecting the
Plan Risk Management process. Their risk tolerance will affect how
much they are willing to invest in Project Risk Management activities
and contingency plans, and set aside for contingency reserves of time
and cost in order to absorb risk impacts that could not be efficiently
eliminated.
The Plan Risk Management process will cause the addition of items to
the project work breakdown structure. This means that these items will
need to be incorporated into the project schedule and budget baselines
in order to track them and measure their performance.
For this reason, the Plan Risk Management process takes place as soon
as the preliminary schedule and budget have been sufficiently
developed to identify their own inherent risks. This may result in
revised baselines for the schedule and budget prior to the initiation of
significant project work.
Interactions with Other Processes
Figure 2-2, the Plan Risk Management process data flow diagram, shows
how inputs are transformed through tools and techniques into outputs.
PMBOK® Guide, Fourth Edition
Figure 2-2. Plan Risk Management: Data Flow Diagram
The Plan Risk Management process draws upon initial project planning
for scope, time, cost, and communications management. Enterprise and
organizational inputs include risk attitudes of the organization and
process assets such as risk categories, templates, role and authority
definitions, lessons learned, and stakeholder registers. The output of
the process, the risk management plan, is part of the project
management plan.
Overview of Plan Risk Management Inputs, Tools and Techniques, and Outputs
Figure 2-3 shows the inputs, tools and techniques, and outputs of the
Plan Risk Management process. These inputs, tools and techniques, and
outputs are discussed in detail in this module.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 2-3. Plan Risk Management: Inputs, Tools & Techniques, and
Outputs
Topic 2: Inputs to the Plan Risk Management Process
The preparation of the risk management plan includes reviewing key
project documents such as the project charter, project scope
statement, project schedule, and project budget, as well as prior
project management administrative work products. The team must also
review all of the planning assumptions, which lend themselves to early
identification of risks. Historical information, such as documentation of
lessons learned from similar projects, will also yield risk-related
information. Finally, the risk management plans of prior projects may
serve as examples for the current project to emulate.
The inputs to the Plan Risk Management process are:
• Project scope statement
• Cost management plan
• Schedule management plan
• Communications management plan
• Enterprise environmental factors
• Organizational process assets
Project Scope Statement
The project scope statement defines the project’s scope and lists the
project’s deliverables and assumptions. It is the framework for how
significant the risk management effort might become. Each part of the
project scope presents its own areas of risk.
EXAMPLE: PROJECT SCOPE AND RISK MANAGEMENT
Assume that the scope of a project to develop a new consumer product
includes marketing the new product in a country where the company has
never before done business. Many new risks are presented, including:
• Distribution channels may be inefficient or subject to high rates of loss
• Advertising program may fail to motivate purchasing
• Product may infringe on laws or customs peculiar to the country
Cost Management Plan
The cost management plan establishes the criteria for planning,
structuring, estimating, budgeting, and controlling project costs. This
plan is an important element of the Plan Risk Management process
because it identifies how risk-related budgets, contingencies, and
management reserves will be reported and accessed.
Schedule Management Plan
The schedule management plan documents the project’s approach to
schedule management. The nature or structure of the plan for managing
the project schedule can increase or decrease the potential risk level of
the project.
Communications Management Plan
The communications management plan defines the requirements and
methods for communications within the project. It includes items such
as stakeholder communication requirements, flow charts of the
information flow on the project, and communications constraints. The
communications management plan determines who will be available to
share information on various risks and responses throughout the project.
Enterprise Environmental Factors
At a project level, enterprise environmental factors are any factors
related to the external or internal environment of the organization that
may impact the success of the project as a whole, including:
• Industry quality standards or guidelines
• Industry or government regulations
• Organizational or company culture and structure
• Infrastructure (for example, existing facilities and capital
equipment)
• Market conditions
• Existing human resources
Additional detail on this input is provided later in this module.
Organizational Process Assets
Organizational process assets are comprised of the information that an
enterprise has available to it at the start of the project. These assets
may offer valuable, tangible tools, standards, and lessons about how
projects and systems progress in the enterprise.
Typically the organizational process assets related to risk management
may include these documents:
• Risk categories
• Common definitions of concepts and terms
• Risk statement formats
• Lessons learned documents
• Stakeholder registers
Additional detail on this input is provided later in this module.
Enterprise Environmental Factors
As discussed earlier, enterprise environmental factors are any factors
related to the external or internal environment of the organization
that can impact the success of the project as a whole. In the context of
risk management, one of the major factors to consider in the Plan Risk
Management process is risk tolerance.
DEFINITION: RISK TOLERANCE
“The degree, amount, or volume of risk that an organization or individual
will withstand.”
PMBOK® Guide, Fourth Edition
Project managers must understand the customer’s and the
organization’s attitude and tolerance toward risk. In general,
stakeholders and organizations fall into one of these categories:
• Risk-prone, seeker, taker
• Risk-neutral
• Risk-avoiding
Stakeholder Risk Tolerance
Stakeholders’ risk tolerances must be determined in order to perform
Plan Risk Management efficiently. Their risk tolerances will drive how
much investment the stakeholder will approve in risk management
activities.
Extremely risk-averse stakeholders, such as those in government
agencies or enterprises with significant safety concerns, will be more
inclined to invest in risk management efforts and risk response plans
than stakeholders in business areas that naturally involve relatively high
failure rates and many short projects, such as advertising agencies
developing branding programs.
Determining Tolerance through Documentation
Examining documentation and historical data, as well as working with
stakeholders, the project manager must determine the stakeholders’
risk tolerance level regarding project scope, quality, budget, and
schedule, and regarding other risks specific to their project. These questions
must be considered, and the results documented in the risk
management plan:
• How much risk are stakeholders willing to accept?
• Of scope, cost, and time objectives: which is most important?
• For cost and time: how much contingency reserve will be
authorized?
Determining Tolerance through Past Performance
It may not always be possible to understand a stakeholder’s level of
tolerance through normal interaction. Rather than conducting
interviews, which may elicit opinions that are not actually supported by
behavior, it is more effective to examine the stakeholder’s past actions.
Examples of evidence of a stakeholder’s tolerance for risk include:
• The rigor and detail with which they establish, promote, and
enforce policies and procedures
• Whether they tend to punish or forgive failures
• Whether they encourage gleaning lessons from problems
• How closely they scrutinize opportunities
• What kinds of opportunities they select
• How tenaciously they support projects
• How frequently they shift priorities
EXAMPLE: RISK TOLERANCE MATRIX
Capitol Flyer, a Washington DC-to-Philadelphia express bus service, has
skyrocketed to success in just three years of operation offering low-cost,
high amenity ground travel as an alternative to shuttle flights. The company
has become a favorite for reliable transport and excellent customer service.
As fare competition intensifies from airlines and no-frills bus companies,
Capitol Flyer looks to further differentiate its services with a Corporate
Customer Satisfaction Project. Early in planning, the project manager
decides to gauge the risk tolerance of key stakeholders to see how
aggressive the project can be.
To view the risk tolerance matrix she developed, see Appendix C.
Organization Risk Tolerance
Opportunity and risk go hand in hand. Organizations are in business
because they are willing to take risks. The key is to find a balance
between the pursuit of opportunity and risk tolerance.
Several risk experts have suggested that organizations and individuals
strive to strike a balance between risks and opportunities in all aspects
of projects and their personal lives. The idea of striving to balance risks
and opportunities suggests that different organizations and people have
different tolerances for risk.
The organization’s risk tolerance can be affected by:
• The current economic environment
• The willingness or reluctance of senior management to take risks
• The project’s status as high-value and complex or low-value and
relatively simple
A project manager and project team must understand the risk tolerance
level of a company early in the risk-planning phase. A template from
previous project efforts can be used to help define and explain the
organization’s methodology regarding risk tolerance.
CLASS DISCUSSION: RATE YOUR RISK TOLERANCE
In general, are you a risk seeker, risk-neutral, or a risk avoider?
Rate yourself for risk tolerance in terms of specific situations, such as:
• Driving
• Playing the lottery
• Investments and other financial endeavors
Most people have no problem buying one lottery ticket, but as the stakes
increase (number of tickets purchased) does the level of discomfort also
begin to increase?
What have you observed regarding risk?
Organizational Process Assets
As mentioned previously, organizational process assets are comprised of
the information that an enterprise has available to it at the outset of
the project. This includes items such as organizational risk management
policies, templates, definitions of roles and responsibilities, and
historical information.
Organizational Risk Management Policies
Specific risk management policies and other definitions of functional
(matrix) roles and responsibilities must be known beforehand in order to
plan effectively for risk management. The organizational risk
management policies dictate:
• How risk management is to be performed
• Who is to participate
• What deliverables are required
Organizational Risk Management Rules
Formally written, established rules assign accountability for risk
management and ensure analysis of new initiatives for risk. The rules
should also define:
• A standard risk process
• Risk management tools
• The frequency and level of reporting
Organizations may have legal regulations or organizational policies for
specific types of risks, such as hazardous materials handling and
disposal.
Templates
An organization may have a well-defined approach and template for the
Plan Risk Management process, especially in organizations with
standards for quality systems such as the ISO 9000 series. Applying the
template ensures consistency, allowing individuals from different
projects to easily comprehend the risk plans on a specific project.
The risk management plan template will usually include or refer to:
• Specialized tools, such as a standard base set of risk categories
• Risk screening checklists
• Standard probability and impact matrix, or separate probability and
impact scales
Defined Roles and Responsibilities
The defined roles and responsibilities describe who must participate,
who is responsible for reviewing and approving risk management
deliverables, and who must be involved in risk mitigation strategies,
including monitoring risk triggers and responding to risk events.
Depending upon the organizational structure, certain types of risks may
fall within the responsibility area of specific parties in an organization.
Topic 3: Tools and Techniques for the Plan Risk Management Process
The primary technique for the Plan Risk Management process is a
combination of planning meetings and analysis to develop the risk
management plan. These are conducted in the same manner as other
planning meetings, and include:
• Using a meeting agenda
• Having objectives to create specific deliverables
• Using data gathering techniques to ensure that all meaningful input
is obtained
• Using objective evaluation and decision-making techniques
Planning Meeting Participants
Plan Risk Management meetings involve key members of the project
team, including:
• The project manager
• Project team leaders
• Key internal stakeholders
• Others responsible for directing, conducting, or overseeing risk
activities within the organization, such as risk officers, consultants,
and auditors
• External stakeholders as required and allowed
What is Defined by the Planning Meeting
Preliminary risk assessment examines known risks. The team considers
these questions:
• What concerns have sponsors or key stakeholders expressed?
• What risks have occurred on recent, similar projects?
• What areas of risk require the team’s attention?
In particular, the planning meetings must establish an understanding of
the types and extent of controls that will be in place for project
monitoring and control. This leads to an understanding of the generic
risk controls for low and medium risks, which are typically covered
sufficiently by the prudent use of available standard project
management controls.
Results of Planning Meetings
Planning meetings also define:
• Who will lead, support, and identify team members for each type of
risk action
• What approaches, tools, and data sources will be used for risk
management
• What scoring and interpretation methods will be used to categorize
and analyze risks
• Which team members will be assigned for each identified risk
• What the threshold criteria will be for levels of risk impact
• How much additional cost for risk mitigation will be acceptable to
the project stakeholders
• How often the risk management process will be performed
• How reports will be generated and what standard content will be
included, analyzed, and communicated
• How all the risk activities will be recorded and/or tracked
Initial Planning Meeting
The first planning meeting defines:
• How the planning meetings will be conducted throughout the
project
• How organizational process assets will be tailored to meet the needs
of the project
• How the remaining activities in the Plan Risk Management process
will be conducted
• Agendas and deliverables for the remaining Plan Risk Management
meetings
Planning Meeting Activities
The planning meeting involves reviewing:
• Key project documents such as:
  ◦ Project charter
  ◦ Project scope statement
  ◦ Project schedule and project budget
  ◦ Previous project management administrative work products
• The planning assumptions
• Historical information, such as documentation of lessons learned
from similar projects and risk management plans of previous
projects
• Known risks, identified by questions such as:
  ◦ What concerns have sponsors or key stakeholders expressed?
  ◦ What risks have occurred on recent, similar projects?
  ◦ What areas of risk require the team’s attention?
Reviewing these materials will facilitate early identification of risks and
risk-related information. The materials may also serve as models for the
current project.
Topic 4: Outputs from the Plan Risk Management Process
The output from the Plan Risk Management process is the risk
management plan, which is a key component of the project
management plan.
DEFINITION: RISK MANAGEMENT PLAN
“The document describing how project risk management will be structured
and performed on the project. It is contained in or is a subsidiary plan of
the project management plan. Information in the risk management plan
varies by application area and project size. The risk management plan is
different from the risk register that contains the list of project risks, the
results of risk analysis, and the risk responses.”
PMBOK® Guide, Fourth Edition
Specifically, the risk management plan defines:
• How risk management activities will be performed
• Who will perform risk management activities
• When risk management activities will be performed
• How much risk management activities will cost
• How to implement and perform the various risk processes including:
  - Risk Identification
  - Qualitative and Quantitative Risk Analysis
  - Risk Response Planning
  - Risk Monitoring and Control
The risk management plan does not describe the planned responses to
specific risks—this is the purpose of the risk response plans in the risk
register. The plan does, however, describe the broader methodology for
planning for and managing risk during the project’s life cycle.
The risk management plan becomes part of the project management
plan. The cost and budget portions of the project management plan are
not complete until all risk management activities and the selected risk
responses are defined.
The risk management plan typically includes these ten components:
• Methodology
• Roles and responsibilities
• Budgeting
• Timing
• Risk categories
• Definitions of risk probability and impact
• Probability and impact matrix
• Revised stakeholders’ tolerances
• Reporting formats
• Tracking
Each of these components is described below.
Methodology
Methodology describes the tools, methods, and sources of information
which will be used to perform risk management, including how risks will
be identified, analyzed, and categorized; how risk response plans will
be prepared, implemented, and monitored; and how risk triggers will be
monitored.
Roles and responsibilities
The roles and responsibilities section defines who performs what tasks
during all risk management activities. In particular, it specifies who will
direct and manage the implementation of risk management activities,
for example, the project manager or a designated risk manager for the
project.
Budgeting
The budget establishes the anticipated cost for the risk management
activities and the associated risk response plans, including contingency
reserves.
Timing
The timing describes how often risk management activities will be
performed and when they will take place within the project schedule.
Risk Categories
The project team must agree upon and use risk categories, which will:
• Provide a comprehensive process of systematically identifying risk to
  a consistent level of detail
• Contribute to the effectiveness and quality of risk identification
• Provide a focus for leveraging risk response effort
• Help team members become comfortable discussing risks openly
TIP
Developing a complete and practical risk category list is one of the first
steps in identifying the risks themselves. The careful consideration of each
risk category will help the team generate ideas on risk events specific to
those categories.
Risk categories will be discussed in greater detail later in this module.
Definitions of Risk Probability and Impact
Project managers and the risk team will define different levels of risk
probability and impact as a foundation for quality and credible data for
the Qualitative Analysis Process. Typically, these levels are tailored to
an individual project during the risk management planning meetings and
analyses. An impact scale represents the significance of the impact,
which can be either negative for threats, or positive for opportunities,
on each project objective.
To define a risk scale, you can use relative values from Very Low to Very
High, or numerical values such as 0.1, 0.2, and so on. Numeric values
can be non-linear. Methods for scoring risks and interpreting risk impact
are set in advance of identifying particular risks. This practice will
prevent undue influence of personal or organizational biases in the
attention given to particular risks. The development of common
definitions of risk probability and impact is necessary so that risks will
be analyzed and responded to objectively.
Figure 2-4 shows negative impact definitions that may be used to
evaluate risk impact on four project objectives.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 2-4. Definition of Impact Scales for Four Project Objectives
Probability and Impact Matrix
Organizations find it useful to categorize the severity of several risks
into some form of matrix. The matrix is formed around the impact and
likelihood of a risk event.
Matrices are often divided into several zones representing major,
moderate, and minor risks. To signify this, the associated matrix entries
can be colored to identify which level they belong to. For example, the
low risks may be colored green, the medium risks yellow, and the high
risks red.
Using this technique simplifies applying policies (and therefore effort
and resources) according to defined risk score levels. For example, risks
rated as red may require review at every weekly status meeting, while
green risks may be reviewed only monthly, or on a less frequent,
rotating basis.
Revised Stakeholders’ Tolerances
Risk thresholds define the criteria that a risk must satisfy in order to be
acted upon, by whom, and in what manner. For example, one threshold
may require that if a risk delays the project’s schedule objective by
more than 30%, and the project team would require another 20% of
project budget to mitigate the schedule impact below that level, then a
reevaluation of the project's cost-benefit is automatically triggered.
Selecting which level of risk factors is “high” risk is a matter of
stakeholder tolerance. In some cases, stakeholders may temporarily
adjust their attitudes toward risk for a specific project, particularly if
one or more project objectives represent significant strategic value to
the organization.
Sometimes an organization faces significant external threats, such as
the pressure of competitive innovation or significant restructuring in the
industry. Stakeholders may also be willing to revise their risk tolerance
level if a windfall opportunity presents itself. By temporarily suspending
normal risk thresholds, the organization will have the agility to respond.
Such variances from the normal thresholds must be clearly decided and
communicated.
Reporting Formats
Reporting formats present:
• How the outcomes of risk management activities will be
  documented, analyzed, and communicated to project stakeholders
• The contents and format of the risk register (described later)
Tracking
Tracking defines how risk management activities will be documented
and audited for these uses:
• Evaluation of the current project's performance
• Historical information for the benefit of later projects
• Determining if and how risk management processes will be audited
EXAMPLE: RISK MANAGEMENT PLAN
Capitol Flyer's ambitious Corporate Customer Satisfaction Project involves
several initiatives: a second point of origin in both DC and Philadelphia;
special pricing for corporate customers and "frequent flyer" individuals; and
an upgraded online booking/payment system. With so many aspects to
handle, the PM needs one centralized source to help her mitigate project
risks and pounce on opportunities.
To view the risk management plan she developed, see Appendix C.
Risk categories
As mentioned previously, agreeing on and using risk categories:
• Provides a comprehensive process of systematically identifying risk
  to a consistent level of detail
• Contributes to the effectiveness and quality of risk identification
• Provides a focus for leveraging risk response effort
• Helps team members become comfortable discussing risks openly
Purpose for Using Risk Categories
The purpose of the Identify Risks process is to ensure that as many of
these eventualities as possible are evaluated. To do this, project teams
must have a list of categories to address. This ensures that the process
is as comprehensive as possible. The risk categories generated during
the Plan Risk Management process are used as an input to the Identify
Risks process. There is no single, standard list, but there are good
starting points from which the team can build. Most risks fall into one of
several broad categories; however, any project may run unique risks.
Risk categories are tools that:
• Enable the project team to more efficiently analyze and respond to
  risks with common characteristics
• Ensure that no potential sources of risk will be overlooked during
  the subsequent Identify Risks process
Various risk category lists are available in the public domain.
Typical Risk Categories
Risk categories can be structured to provide different levels of groups
for different risk management purposes, or to provide greater scope or
more focus as needed during risk analysis and response planning.
TIP
One specialized list available in the public domain is a “Force Majeure” list,
which covers risks beyond the control of anyone involved in the project,
such as earthquakes, floods, or civil unrest. These events generally require
disaster recovery actions by the entire performing organization, rather than
risk management by the project manager.
The table below shows a general list of risk categories. Industries often
have their own typical risk categories and terminology.
RISK CATEGORY | DESCRIPTION
Technology | Technology or technical approach chosen to achieve the project objectives
Time | Schedule, project completion objectives, other project time-related issues
Contractor capabilities | Ability of contractors or other vendors to achieve project objectives
Interfaces | Work in a multi-project environment, or interfaces with existing operational activities
Safety | Occupational safety, industrial safety, and potential for contamination
Environmental | Environmental laws, licenses, and permits
Regulatory involvement | Involvement of any regulatory agency such as EPA or DHEC, or by local, state, and national governments
Political visibility | Significance or visibility to local, state, or national governments
Intellectual property | Availability and cost of using key technologies and techniques for critical project activities
Involvement of key stakeholders | Involvement by someone other than a primary owner for decision-making and management
Product and project complexity | Issues with design criteria, functional requirements, complex design features, or the condition of existing documentation
Labor skills availability and productivity | Adequate resources, specialty resources, rapid labor force build-up, exposure to environmental extremes
Number of locations/site access/site ownership | Site ownership and access issues
Funding/cost sharing | Project duration and involvement/funding by other parties
Magnitude and type of contamination | Presence of hazardous or mixed waste
Quality requirements | Requirement for precision work or other QA requirements
Public involvement | Citizen interest or involvement
Four-Way Risk Categorization
The PMBOK® Guide shows risks grouped into four categories: technical,
external, organizational, and project management.
• Technical risks include those risks introduced because of the
  difficulty of the work itself, new or changed technology, unrealistic
  performance goals, or changes to standards.
• External risks come from a changing regulatory environment, labor
  issues, changing priorities of the organization's owner, country risks,
  resource and product price fluctuations due to changing economic
  circumstances, and weather. They also come from issues arising
  from dealing with the public.
• Organizational risks are risks associated with cost, time, and scope
  objectives. They materialize when project objectives are
  incompatible, when projects are not prioritized effectively within
  the organization, when funding is not reliably provided, or when
  there is competition for project resources from other projects.
• Project management risks include those arising from poor use of
  resources, poor quality of the project plan, and poor project
  management discipline.
Risk Breakdown Structure (RBS)
A Risk Breakdown Structure (RBS) is a hierarchical, multi-tiered
organization of the risk categories. When risks are being analyzed, a
grouping process may make it possible to gather and review those risks
with a common characteristic, such as their cause, or the phase or
activity in which they occur.
DEFINITION: RISK BREAKDOWN STRUCTURE (RBS)
“A hierarchically organized depiction of the identified project risks
arranged by category and subcategory that identifies the various areas and
causes of potential risks. The risk breakdown structure is often tailored to
specific project types.”
PMBOK® Guide, Fourth Edition
This approach of reviewing risks that appear together within the RBS
may increase the efficiency of any investigations into their causes. It
may also improve leverage when risk response plans in the risk register
are developed. For example, risks with a similar or shared cause in a
particular process step may be mitigated together by a single process
change.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 2-5. Example of a Risk Breakdown Structure (RBS)
Risk Management Plan Checklist
A checklist may be used to complete the risk management plan. It
addresses the basic considerations in producing a risk management plan,
but might be expanded upon for the specifics of a particular project.
The risk management plan checklist may be referred to at each planning
meeting or review of the risk management plan to ensure that these
considerations are being addressed. The risk management plan checklist
should be completed as each Project Risk Management process is
defined in the project management plan.
A. Methodology
Does the risk management plan describe how the risk management plan itself will be/was developed and how it will be maintained?
Does the risk management plan describe how the risk identification process will be carried out?
Does the risk management plan describe how the qualitative risk analysis process will be carried out?
Does the risk management plan describe how the quantitative risk analysis process will be carried out?
Does the risk management plan describe how the risk response planning process will be carried out?
Does the risk management plan describe how the risk monitoring and control process will be carried out?
B. Roles and Responsibilities
Who will direct all risk management activities?
Who has been designated to participate in risk management group work sessions, including risk assessment and risk response planning?
What are the duties of the participants in the risk management group work sessions, including preparation, outside research, and documentation?
What governing body will oversee the execution of risk management activities?
Who are the representatives of internal stakeholders who will participate in risk management activities?
Who are the representatives of external stakeholders who will participate in risk management activities?
C. Budgeting
Have all risk management activities been budgeted?
Have contingency reserves for cost been set aside to accommodate residual and secondary risks?
D. Timing
Have intervals been determined for all regularly occurring risk management activities, such as risk review sessions?
Have all risk management activities been incorporated into the project schedule?
E. Risk Categories
If a set of standard risk categories is available in the organization, was it adopted for use on the current project?
Has a set of risk categories been tailored to suit the characteristics of the current project?
If an RBS will be used, has it been developed yet?
F. Definitions of Risk Probability and Impact
Has a scale of terms been defined for different levels of risk probability?
Has a scale of terms been defined for different levels of risk impact?
G. Probability and Impact Matrix
Has a matrix been constructed that reflects all possible combinations of risk impact and probability levels?
Have the entries in the probability and impact matrix been stratified into a small number of overall risk levels?
H. Revised Stakeholder Tolerances
Have the normal risk tolerances of all stakeholders been reviewed and determined?
Have any of the stakeholders’ risk tolerances been temporarily relaxed or tightened for this particular project?
I. Reporting Formats
Has a standard entry form for the various sections of the risk register been developed, including the probabilistic project analysis and the revised project objectives, as well as the risk response plans?
Have report layouts been defined for the periodic reporting of risks to the stakeholders?
Has a form been designed for stakeholders to report the results of implementing their risk response plans?
Has a form been designed for identifying new risks?
J. Tracking
Has a repository been set up to collect risk management work products?
Are the minutes of risk review meetings being collected and stored in the repository?
Are the start and stop dates of risk management activities being reported?
Are all of the significant information items concerning risk management (reports, notifications, and memos) that are reported to stakeholders being recorded in the repository?
How are the audits of the risk management activities going to be carried out?
EXERCISE: CASE STUDY INTRODUCTION
Become familiar with the case study used for the course project. Identify
significant project stakeholders and discuss their risk tolerances. Identify
the components needed as inputs to the Plan Risk Management process.
Refer to case study in Appendix A.
EXERCISE: RISK MANAGEMENT PLAN
Using the risk management plan template provided, consider the
components of the risk management plan for the course case study. Refer
to the Risk Management Plan topic in Appendix A.
Module Summary
ADDRESSING THE BUSINESS CHALLENGE
Ana begins the planning meeting by stressing to the group that their
mandate is not to avoid risk, but to manage it. The key is to find a balance
between the opportunities you want to pursue and the risks you are willing
to take.
The group gets to work to define the risks already known, the concerns that
the sponsors and stakeholders have, and the risks that have occurred on
similar projects. While Jack North remains skeptical about hosting a parade,
he tells Ana after the meeting he appreciates her careful approach. The
information gleaned at the meeting will form the foundation for Ana's risk
management plan.
The Plan Risk Management process focuses on a general methodology for
managing risks throughout the project. The primary purpose of the Plan
Risk Management process is to define how risk management will be
carried out for the project, both for the team and as a commitment to
the project sponsor.
The major output of the Plan Risk Management process is the risk
management plan. The risk management plan is a key component of the
project management plan. The risk management plan describes how risk
management activities will be performed, who will perform them, and
when they will be performed, as well as how much they will cost.
Module 3
Identify Risks
Module Introduction
The Identify Risks process determines the risks that might impact the
project, and documents the nature and characteristics of the risks. The
primary participants in the Identify Risks process include the project
manager and project team members, customers, end users,
stakeholders, and risk management experts.
The output of the Identify Risks process is the risk register, which
documents the risks, potential risks, risk triggers, root causes of risks to
the project, and possible updates to the risk categories.
This module:
• Describes the Identify Risks process and its role in project risk
  management
• Identifies the inputs, tools and techniques, and outputs of the
  process
Module Objectives
Upon completion of this module, the participant will be able to:
• Define the Identify Risks process
• Place the Identify Risks process within the framework of project
  management
• Describe the inputs, tools and techniques, and outputs of the
  Identify Risks process
• Identify risks for the case study
Topic 1: Overview of the Identify Risks Process
THE BUSINESS CHALLENGE
With a risk management plan in place, Ana gathers the team for a risk
assessment working session. This session will help her determine which risks
might affect the project, and document the characteristics of those risks to
understand them better. Jack North sits by the window, arms folded,
complaining about having to make time for "endless meetings." Ana tells
him that while she understands his frustration with meetings, taking a
proactive approach to identify risks will help them minimize negative risks
and act on positive ones.
As preparation for the session, Ana has asked the team to review project
documentation for an overview of all aspects of the parade. She begins the
meeting by telling the team they'll separate positive risks from negative
risks, and devote a chunk of time to each so opportunities don't get
overlooked, as can often happen.
? What's the best way for Ana and the team to identify the risks
associated with the project? What tools and techniques can they use to
identify those risks?
The risks associated with undertaking a project must be identified at
the very beginning of every project. The goal of the Identify Risks
process is to gain an understanding of the potential risks associated with
a project or project phase. The risk management plan guides the
process.
The Identify Risks process occurs throughout the project. This process
must be undertaken periodically, as called for in the risk management
plan. It must also occur whenever a significant circumstance changes.
This change might be as obvious as the retirement of the project
sponsor, or as subtle as news of an impending merger of the performing
organization with another.
Figure 3-1 shows that the Identify Risks process occurs in the Planning
Process Group.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 3-1. Project Risk Management Process Group Map: Identify Risks
The PMBOK® Guide, Fourth Edition defines Identify Risks as:
DEFINITION: IDENTIFY RISKS
“The process of determining which risks may affect the project and
documenting their characteristics.”
PMBOK® Guide, Fourth Edition
Purpose of the Identify Risks Process
Risk is inherent in all projects. Risks must be identified in order to be
appropriately managed and to ensure the greatest likelihood of project
success. Furthermore, in the course of planning the project, positive
risks or opportunities must be identified so that the project is
implemented as efficiently as possible, which helps reduce costs and
shorten the schedule while providing the highest possible performance
and quality.
The benefits of identifying risks and opportunities are:
• Outputs from the Identify Risks process lead to the early recognition
  of risks and risk potential
• The Identify Risks process helps ensure that effective risk responses
  will be designed and applied
• Planned risk responses are more effective than unplanned
  responses, or workarounds
The recognized best practice is to conduct a formal identification of
risks, normally by holding a meeting or working session known as a risk
assessment. This is not the last time the project manager should
undertake the identification of risks; indeed, it is a continuous practice
throughout the project life cycle.
Advantages of Using a Proactive Approach
Using a proactive approach to identify risks is far better than waiting for
the problems to arise on their own. Being proactive has the following
benefits:
• Anticipating risks allows the participants to become more
  comfortable discussing and analyzing circumstances and events that
  might usually cause anxiety. By handling the topics in a methodical
  way, participants are reassured that the risks will be successfully
  managed.
• Analyzing the potential for risk helps ensure that all areas of
  potential risk will be fully explored and that identified risks will
  receive balanced treatment, regardless of personal biases and
  influences.
One aspect of the methodical approach involves separating the
identification of positive risks from the identification of negative risks.
It is usually best to provide separate agenda time or even to set up
separate risk assessment sessions for these two kinds of risks. If the two
types of risk are considered in the same period, the positive risks will
tend to get overlooked or only reviewed in a cursory manner.
Some risks will be seen to have both positive and negative impacts,
depending on the actions taken. For example, a risk that a task will
take longer than expected may also present an opportunity to finish
sooner than expected.
Using a Process Approach to Identify Risks
To ensure the effectiveness of the Identify Risks process, the risk
assessment must meet the requirements of the organization’s risk
management plans and policy. The requirements provide useful
guidelines and parameters for conducting the session. Standard forms or
templates that ensure compliance with the organization’s ISO or quality
system framework may be included.
Figure 3-2 shows a process for identifying risk. When a project team is
developing a risk list, they start with what they know, in the form of
the current project baseline.
Next, the team reviews the project assumptions to determine which
ones are most likely to be inaccurate. They also try to imagine other
potential risk events suggested by the baseline. Furthermore, the team
must consider the unknowns, those uncontrolled sources of risk in the
business or political environment. Considering these three sources
contributes to the formation of the risk list.
In the remaining Project Risk Management processes, the risk list will be
analyzed and prioritized. Significant or high risks should be removed by
revising the project baseline. Most risks will be managed using a number
of responses (covered in the “Plan Risk Responses” module of this
course).
Figure 3-2 shows a process approach to risk identification.
Figure 3-2. Using a Process Approach to Identify Risks
Identifying Assumptions and Iterating the Identify Risks Process
The necessary information already exists in the form of the current
project baseline information. This factual data changes as the project
plan matures and then as the project commences. The project
management team must identify the assumptions and the basis for
estimation that produced the current project information.
Any assumption that could be false should be treated as a potential
source of risk, positive or negative. Historical information such as closed
project files and lessons-learned reports should be reviewed to identify
further sources of risks.
This process is iterative, because the Risk Response Planning process
will require changes to the project baselines, and subsequent risks will
continue to require further baseline changes.
In addition to identifying risks based on the project itself, the Identify
Risks Process may occur during the Project Management processes in the
Project Cost Management, Project Time Management, Project Human
Resource Management, or Project Quality Management Knowledge
Areas.
Interactions with Other Processes
Figure 3-3, the Identify Risks process data flow diagram, shows how
inputs are transformed through tools and techniques into outputs.
PMBOK® Guide, Fourth Edition
Figure 3-3. Identify Risks: Data Flow Diagram
Since managing risk requires a comprehensive view of the project, the
Identify Risks process takes inputs from all project areas. For example,
this process uses activity cost and duration estimates. It draws on the
scope baseline, including the scope statement, which documents
project assumptions, and the work breakdown structure, which offers
visibility into the project at several organizational levels. Plans for
managing cost, schedule, and quality are also sources. The stakeholder
register may be used to identify participants in the Identify Risks
process. Other useful project documents can include reports on work
performed or earned value, network diagrams, baselines, and any other
project information relevant to identifying risks.
Other inputs to the Identify Risks process are enterprise environmental
factors, such as published checklists and industry studies, and
organizational process assets, which may include process controls and
lessons learned from past projects.
The Risk Management Plan guides the use of all these inputs to identify
risks and record them in the risk register. The Identify Risks process
leads to risk analysis, planning risk responses, and monitoring and
controlling risks. In addition, the Identify Risks process may have
implications for management of other project areas, such as cost,
quality, and procurements.
Overview of Identify Risks Inputs, Tools and Techniques, and Outputs
Figure 3-4 shows the inputs, tools and techniques, and outputs of the
Identify Risks process. These inputs, tools and techniques, and outputs
are discussed in detail in this module.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 3-4. Identify Risks: Inputs, Tools & Techniques, and Outputs
Topic 2: Inputs to the Identify Risks Process
The inputs to the Identify Risks process are:
• Risk management plan
• Activity cost estimates
• Activity duration estimates
• Scope baseline
• Stakeholder register
• Cost management plan
• Schedule management plan
• Quality management plan
• Project documents
• Enterprise environmental factors
• Organizational process assets
Risk Management Plan
The risk management plan defines how and when the Identify Risks
process is performed. The plan:
• Assigns roles and responsibilities to participants in the Identify Risks
  process
• Allocates budget and time for the Project Risk Management
  activities
• Determines risk categories that the team will use to explore and
  organize the identified risks
Activity Cost Estimates
Activity cost estimates, an output of the Estimate Costs process in the
Project Cost Management Knowledge Area, provide a quantitative
analysis of the expected cost to complete individual project activities.
These cost estimates are useful inputs to the Identify Risks process,
since a review of the estimates may uncover activities that have been
underbudgeted. If an estimated cost is insufficient to complete the
activity, it poses a risk to project completion.
Activity Duration Estimates
Activity duration estimates provide a quantitative analysis of the time
allowed in the project to complete individual activities or the project as
a whole. A review of the estimated time allowances may identify
time-related project risks.
Scope Baseline
A scope baseline is an approved detailed version of the:
• Detailed scope statement
• Work breakdown structure (WBS)
• WBS dictionary
During the Identify Risks process, the project assumptions within the
project scope statement must be carefully reviewed and evaluated for
potential risks. The WBS also contains critical information; using the
WBS, the impact of potential risks can be identified at a detailed level
as well as a summary level.
Stakeholder Register
The stakeholder register lists the individuals and organizations, internal
and external, that are impacted by the project. It documents relevant
information about each stakeholder’s interest, involvement, and
influence on the success of the project.
The information contained in the stakeholder register is valuable for
gathering data and input from key stakeholders regarding potential
project risks.
Cost Management Plan
The cost management plan, a component of the project management
plan, provides information on the cost management approach for the
project. The nature or structure of the plan for managing project costs
may increase or decrease the potential risk level of the project.
Schedule Management Plan
Like the cost management plan, the schedule management plan is a
component of the project management plan. It provides information on
the schedule management approach for the project. The nature or
structure of the plan for managing the project schedule may increase or
decrease the potential risk level of the project.
Quality Management Plan
The quality management plan sets the intended quality standard and
direction for the organization/project team. It also describes how the
team will implement the quality policy, and it addresses quality
assurance, quality control, and quality improvement.
The degree to which organization-wide quality policies and processes
are documented and understood directly impacts the level of success in
implementing the quality plan and, ultimately, will directly impact the
risk level of the project.
Project Documents
Project documents relevant to identifying risks include:
• Assumptions log
• Work performance reports
• Earned value reports
• Network diagrams
• Baselines
• Other risk-related project information
Enterprise Environmental Factors
Examples of published information that may yield sources of risk for the
project team to consider include:
• Journal articles about the use of planned project activities and
related technology
• Academic studies about the project activities or types of resources
being considered
• News reports and business data about intended partners or
outsourcing vendors
Organizational Process Assets
Historical data from prior projects will often yield information about
risks for the current project, particularly if similar activities were
performed or resources utilized. They may also indicate how effectively
the risks were managed and highlight any risks that were not
anticipated by the prior project’s team.
In addition, many organizations use a standard set of risk categories as a
starting point for the Identify Risks process. In some cases, subject
matter experts (SMEs) may be consulted to help manage risks in
general, or in specific application areas.
Topic 3: Tools and Techniques for the Identify Risks Process
The tools and techniques for identifying risks include:
• Documentation reviews
• Information gathering techniques
• Checklist analysis
• Assumptions analysis
• Diagramming techniques
• SWOT analysis
• Expert judgment
Documentation Reviews
An important step in identifying risks is to conduct a documentation
review. The project team typically reviews project documentation to
get a "bird's-eye view" of all aspects of the project, its goals, and how
the project goals will be achieved.
A review of historical information may provide insight into what was
effective and what could be improved on prior projects.
Information Gathering Techniques
A project team uses information gathering techniques to elicit ideas on
risks from team members. There are several methods that can be used
to gather information. The most commonly used techniques are:
• Brainstorming
• Delphi technique
• Interviewing
• Root cause analysis
These techniques are described in detail below.
Brainstorming
Brainstorming helps a team to generate as many ideas as possible in a
short time period. Project team members, management, and
stakeholders might all participate in brainstorming about potential
quality issues, concerns, needs, and expectations. The inclusion of
individuals with different project roles will result in a greater variety of
ideas generated by the group.
In a brainstorming session, participants, led by a facilitator, generate a
list of possible risks. The ideas are generated without discussion and
evaluation, in order to facilitate the flow of thought and to capture all
ideas or suggestions.
This process produces a long list of risks that are then categorized and
grouped by type. Further brainstorming to explore each category may
follow. Finally, similar ideas may be merged, and definitions may be
clarified for each risk.
Variations of the brainstorming technique include:
• The round-robin approach, in which participants take turns sharing
their ideas. This helps to ensure that everyone has an opportunity to
contribute and prevents one person from dominating during the
process.
• Collecting or posting, which involves using small cards that are
collected by the facilitator or posted on a wall for review by the
team.
Advantages and Disadvantages of Brainstorming
The advantages of the brainstorming technique are:
• All participants are treated as equals
• All sessions are cooperative, not competitive
• Sessions are more objective than a discussion; participants cannot
steer the group toward a particular area of the project
• It is less likely that a significant risk will be overlooked
• Team members are motivated to actively participate in the
remaining risk management activities; this is a team-building
exercise where the team, rather than individuals, owns the results
The major disadvantage of brainstorming is that the process generates a
lot of material, and duplication is inevitable. Including evaluation as
part of the process helps mitigate this disadvantage.
EXAMPLE: BRAINSTORMING THAT INCLUDES EVALUATION OF IDEAS
During a group review exercise, display ideas on a wall. Participants silently
circulate in a line past the wall, and as they do they can rearrange the
ideas into groupings, until no more rearranging takes place.
This brings similar ideas together so that they can be merged. This is a
noncompetitive, team-oriented activity, so it has the same organizational
benefits as the initial idea-generation activity.
Delphi Technique
The Delphi technique is an approach used to gain consensus among a
panel of experts. The Delphi technique, named for the famous oracle
who could be considered the subject matter expert (SME) of ancient
Greece, relies on experts.
DEFINITION: DELPHI TECHNIQUE
"An information gathering technique used as a way to reach a consensus of
experts on a subject. Experts on the subject participate in this technique
anonymously. A facilitator uses a questionnaire to solicit ideas about the
important project points related to the subject. The responses are
summarized and are then recirculated to the experts for further comment.
Consensus may be reached in a few rounds of this process. The Delphi
technique helps reduce bias in the data and keeps any one person from
having undue influence on the outcome."
PMBOK® Fourth Edition
The Delphi technique follows these steps:
1. A number of subject matter experts are invited to submit ideas
about important project risks, usually via a survey.
2. The results are circulated anonymously, in several rounds, and new
or revised input is requested. This process is repeated until
consensus is reached.
3. The facilitator circulates the final list to the contributors and asks
for their consensus on the risks. The facilitator ensures that no one
contributor biases the resulting list with one perspective or
preference.
4. The results are tabulated and presented to the group in the form of
a histogram (sometimes along with all individual estimates).
5. Participants who fall in the outer quartiles of the group are asked to
provide a rationale for their recommendations.
A prerequisite to such a process is the competence of the experts
themselves. Because all opinions are weighed equally, it is important
that all the participants have expertise in the area.
Advantages and Disadvantages of the Delphi Technique
The main advantage of the Delphi technique is that expert opinion is
included, regardless of whether the experts are actually assigned to the
project. Most experts are ambitious, however, and this usually means
they are competitive. To eliminate the effects of competitiveness,
which could otherwise serve to alienate some of the experts and
discourage objective input, the process requires anonymity.
One disadvantage of using experts is that some of their ideas may be
unrealistically extreme, because experts frequently work (and think) at
the boundaries of their respective domains of expertise.
To reduce the likelihood of excessive importance being given to a highly
improbable risk, a consensus approach is used, where the experts must
agree as a group on the list of risks. This minimizes the potential that
one individual, no matter how influential, will enable the prioritization
of a risk that the other experts do not acknowledge as important.
Interviewing
Interviewing involves asking questions of SMEs and stakeholders to elicit
information about potential risks. The information gathered must be
anonymous to avoid biasing the evaluation of the input.
Documentation is generally a more reliable form of evidence than
interviewing, but in the following situations interviewing is necessary
and effective.
• The information needed cannot be obtained in any other way, for
example:
  ◦ The topic is so new or has been studied so little that published
  information is unavailable or inadequate.
  ◦ The questions of interest are so sensitive, technical, or
  complicated that a face-to-face communication is required to
  guide people through the process of answering questions.
• Detailed, narrative information is required, as opposed to simple,
factual information or quantitative judgments from many people
that can be collected via telephone or mail survey.
Risks of Interviewing
Interviewing is more subjective than the other techniques and has the
potential for ambiguities or misinterpretation. Although interview
questions may be carefully composed to be consistent for all interview
subjects, any question can introduce some ambiguity or can be
misinterpreted.
Another risk associated with the interviewing technique is that
responses might include more personal opinion than factual data. An
interview subject’s memory is never perfect, and, after accumulating
enough experience, experts rely more on judgment and intuition than
on objective analysis.
Additionally, if an interview question is not framed correctly, it may not
lead the respondent to discuss the intended risk. On the other hand, a
question may lead the respondent to make an obvious statement rather
than provide an unbiased assessment of the risk area.
Finally, interviewers must be given adequate training and practice. In
particular, they must be trained not to bias responses with their non-
verbal communication. Each interview must be conducted methodically
and consistently.
Root Cause Analysis
Root cause analysis explores what, how, and why a risk occurred or
might occur. It breaks down high-level risks such as "risk of schedule
delay" into more specific descriptions of the risks that cause schedule
delay. The technique is best conducted by a facilitator who takes a risk
that a respondent has identified, and interviews further to find out if it
can be broken down into more specific elements of risk.
Benefits of Root-Cause Analysis
Exploring the root causes of a risk can lead to:
• Identifying other risks arising from the same cause—For example,
determining that a critical staff person is absent because of illness
may lead to the discovery that he has contracted a communicable
disease. If he contracted the disease at work, staff with whom he
works might also become ill.
• A basis for a set of more economical risk response plans during
the Plan Risk Responses process—Large problems are often found
to have simple causes that contribute to the more obvious
symptoms. Treating the true cause rather than the symptom can
save significant effort.
Checklist Analysis
Checklist analyses can be helpful if they reflect lessons learned from
previous projects. Checklists can also be limiting, however, if the team
assumes that the checklist is comprehensive and complete (which is
rarely the case).
How Checklists Work
1. Historical information or a checklist from another project is deemed
useful.
2. The project team reviews the checklist and determines how it can
be adapted. If the checklist does not include areas of risk that are
germane to the current project, the team adds these areas. If the
checklist includes areas of risk that are not germane to the current
project, the team omits them.
3. The checklist is divided into types of risk or risk categories, with
associated questions that require a positive or negative response.
(Typically, positive responses to questions indicate a risk potential
that would trigger further evaluation by the team.)
4. At the end of the project, the risk checklist is reviewed against the
project's actual performance in risk management. If necessary, the
checklist is revised before it is submitted as historical information.
Advantages and Disadvantages of Checklist Analysis
The advantage of a checklist analysis is that the technique is simple and
efficient. Checklists can be helpful, especially when they reflect lessons
learned from previous projects.
A disadvantage of using checklists is that a checklist cannot be entirely
sufficient unless it is tailored to the current project. Therefore, a large
project is likely to require a lengthy checklist and a substantial amount
of time to review it.
Example of a Risk Checklist
An organization involved in project management should consider
developing a risk checklist specific to its needs; however, the sample
below may be sufficient for most projects.
The checklist below shows risks by category, such as Technology and
Time. When time is short, this type of checklist lets the team focus on
specific areas for their risk potential, rather than examining the entire
list.
Once an area of concern is flagged, it is necessary to identify risk
statements that describe the specific concern more completely. These
might be, for example, "Development software vendor fails to provide
adequate technical support," or "Major snowstorm prevents team from
reaching offices for two workdays."
A. Technology
• New technology
• Unknown or unclear technology
• New application of existing technology
• Modernize advanced technology in existing application
B. Time
• Project schedule uncertainties or constraints that may impact project completion or milestone dates
• Long lead procurement items that may affect the completion of the critical path or milestones
C. Contractor Capabilities
• Potential for unavailability of qualified vendors or contractors
D. Interfaces
• Significant transportation or infrastructure impacts
• Multiple project interfaces
• Significant interfaces with an operational facility
E. Safety
• Risks to worker safety during construction
• Significant contamination potential
• Accidents due to new design or other non-reviewed safety questions
• Involvement of hazardous material
Assumptions Analysis
Every project, and every identified risk, involves a set of assumptions.
These are typically documented as an assumptions log within the
project scope statement.
DEFINITION: ASSUMPTIONS
"Assumptions are factors that, for planning purposes, are treated as true,
real, or certain without proof or demonstration."
PMBOK® Guide, Fourth Edition
In the previous project planning activities, the project team established
estimates and assumptions covering:
• Scope
• Deliverables
• Objectives
• Time durations
• Resources
• Costs
The assumptions analysis technique determines the validity of project
assumptions. The analysis identifies risks by testing the accuracy,
stability, consistency, and completeness of assumptions.
Good practice suggests making a clear list of such assumptions so that
the appropriate stakeholders and decision-makers can validate them
and agree to them.
EXAMPLE: ASSUMPTIONS ANALYSIS
A project team expects to be able to travel efficiently between project
locations. They may assume that a transportation network exists, has
available space, can be used by them, and works reliably and efficiently.
Some organizations run their own private shuttle or jet services between
office locations to eliminate the risk that this assumption is not true. Others
rely on personal or public transportation.
If frequent travel is necessary, it may present an unacceptable risk to
assume that the team will experience no difficulties without special
arrangements or provisions for backup transportation alternatives.
Diagramming Techniques
Diagramming techniques are primarily used to ensure that the Identify
Risks process is thorough and focused. They show how various elements
relate to one another and visually display project information to locate
specific areas where risk may be encountered.
Various types of diagrams are available, including:
• Cause-and-effect diagrams
• System or process flowcharts
• Influence diagrams
These techniques are helpful in ensuring that the entire risk picture is
considered and that the right effort is expended, in the right place, to
mitigate the risks as economically as possible.
Cause-and-Effect Diagrams
Figure 3-5 shows an example of a cause-and-effect diagram. These
diagrams (also known as Ishikawa or fishbone diagrams) track problems
to the root cause. The major defect, or in this case, a risk, is at the
head. Along the backbone are the major spines indicating the types of
causes that can contribute to the risk.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 3-5. Sample Cause-and-Effect Diagram
A simple way to think about this diagramming method is to start with
the fish head and ask, "What caused this?" The answer usually falls into
one of the identified categories as a fish bone. The follow-up question
continues, "What caused that?" with each answer extending or creating
another, smaller fish bone. Exploring the cause behind each cause can
produce a list of very well-defined, specific causes grouped very clearly.
When all the major risks have been analyzed, the root causes should be
examined to see if the same causes are appearing in different
categories. For example, in the diagram above, if the same root cause,
"Major hurricane," appears under "Personnel," "Material," and
"Energy," addressing the effect of seasonal weather should be a
priority. Perhaps the project should be postponed. Addressing root
causes that affect many areas will have the widest beneficial impact on
the project as a whole.
System/Process Flowcharts
A process flowchart presents the chain of activities in a process, and
may show the transfer of information, the transfer of control, or both.
When a risk is present in one of the activities, the diagram can be used
to identify where in the downstream activities problems will occur. It
can also be used to explore how upstream activities might be
contributing to this risk. This information can be used to understand the
risks, how widespread their effects are, and how they should best be
addressed.
Figure 3-6 shows a process flowchart. System/process flowcharts follow
the same principles as the cause-and-effect diagram. By outlining the
flow within a system, potential causes can be identified for
consideration.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 3-6. Sample System/Process Flowchart
Influence Diagram
An influence diagram shows the relationship between factors in an
environment. These factors can be objects, events, activities, or
transitions.
In the Identify Risks process, the relationships between factors in a
project environment can be explored, such as the relationship between
office space assignments, desk space, noise levels, and productivity.
The relationship between these factors in turn affects whether the
project meets its scheduled milestones.
A risk that affects the office space assignments may adversely affect all
of these. For example, the discovery of asbestos contamination in a
team’s original space might force the team to relocate to a new
workspace that is next to the building's climate control equipment. The
noise levels will go up, the productivity will go down, and the project
will miss scheduled milestones.
Figure 3-7 shows an influence diagram of the factors involved in
restoring a diseased patient to health. The disease presents symptoms,
and it also signals that the patient is a candidate for a test for the
disease (in health care, this situation relating a patient to a medical
action is known as an "indication"). The symptoms lead the doctor to
perform a test on the patient. This leads to a test report, which
compares the indication to the actual test results, and also to diagnosis
and treatment. The treatment leads to recovery. Finally, the patient's
quality of life is affected by the recovery, and also by the treatment
costs (if they are too high) and any side effects that may occur from the
treatment.
Figure 3-7. Sample Influence Diagram
Strengths, Weaknesses, Opportunities, and Threats (SWOT) Analysis
The SWOT analysis is a strategic planning technique that examines the
project’s strengths, weaknesses, opportunities, and threats. The results
of the analysis can increase the project team’s understanding of
identified risks, by helping the team to uncover potential weaknesses
and threats, and to recognize strengths and potential opportunities.
A SWOT analysis is conducted by asking the team to list:
• The strengths of the project, team, and performing organization
• The weaknesses of the same organizations
• The opportunities they face
• The threats they face
Figure 3-8 shows a SWOT matrix diagram.
Strengths
(Internal Advantages)
* What are our core competencies?
Weaknesses
(Internal Disadvantages)
* What has caused us problems in the past?
* What areas are outside our core competencies?
Opportunities
(External Advantages)
* What advantages do we have over our competition?
* What market needs can we fill?
Threats
(External Disadvantages)
* What competition do we face?
* What potential market downturns are possible?
* What challenges could we face from legal or regulatory changes?
Figure 3-8. SWOT Diagram Example
TIP
Strengths and weaknesses are often internal to your organization.
Opportunities and threats often relate to external factors. For this reason
the SWOT Analysis is sometimes called Internal-External Analysis.
Examples of Strengths, Weaknesses, Opportunities and Threats
Strengths: Strengths are usually internal factors that describe the
positive attributes of the team. The team may have highly skilled or
experienced staff members with diverse capabilities. They may enjoy
excellent support from a strong sponsor or stakeholder. They may be
resourceful and superbly responsive to change.
Weaknesses: Weaknesses may be internal to the team or external, such
as inexperience or lack of maturity in team members or a shortage of
resources, a poor organizational climate, and lack of administrative
support or adequate facilities.
Opportunities: Opportunities generally involve the performing
organization or the larger organization; for example, the chance to
introduce a new method or tool into the performing organization for
wider adoption; gaining brand recognition for the organization with the
project's product; or establishing a new service as an internal revenue
generator.
Threats: Threats are usually external to the project team, such as a
possible attempt by a powerful executive to stop the project from
diverting his resources from a favorite initiative; the discovery of
improper accounting practices in subcontracting work; or the danger
that a competitor will release a successful equivalent product before
the project is completed.
TIP
To increase the effectiveness of the SWOT analysis:
• Ask for precise, verifiable statements
• If team members offer perceptions rather than verifiable statements,
capture those answers separately, so that shared perceptions and trends
may be identified
• Edit (cut) long lists of factors, perhaps by verifying their validity or
frequency of occurrence
• Prioritize factors so the most significant ones receive the most attention
• Apply the analysis at the right level; for example, focus questions on a
component rather than an entire product, or on a sub-process rather
than the whole process
Expert Judgment
Expert judgment is the application of specialized knowledge or training
to the Identify Risks process. This expertise may be contributed by a
group or by an individual, including:
• Other departments
• Consultants
• Professional associations
• Subject matter experts
The insight of experts can be especially valuable in suggesting possible
risks based on their own expertise and experiences. Take into account
the experts’ potential bias.
Topic 4: Outputs from the Identify Risks Process
The major output of the Identify Risks process is the risk register. The
risk register will ultimately contain the outcomes of the other risk
management processes, and therefore it will grow over time, as risk
activities are completed and more information is gathered.
DEFINITION: RISK REGISTER
"The document containing the results of the qualitative risk analysis,
quantitative risk analysis, and risk response planning. The risk register
details all identified risks, including description, category, cause, probability
of occurring, impact(s) on objectives, proposed responses, owners, and
current status."
PMBOK® Guide, Fourth Edition
Components of the Risk Register
The initial components of the risk register, resulting from completing
the activities in the Identify Risks process, are:
• A list of identified risks
• A list of potential risk responses
• Additional information
List of Identified Risks
The identified risks should be described in as much detail as possible. It
is helpful to apply a simple structure to the list, such as an Event and
Impact list, or an If/Then/Effect statement, for each risk. Structuring
the list in such a way could cause the root causes of the identified risks
to become more evident. The root causes, which may result in one or
more of the identified risks, must be recorded and made available to
support future risk identification for this and other projects.
List of Potential Risk Responses
As the Identify Risks process is executed, potential risk responses may
be identified as well. Potential responses should be captured and, if
applicable, used as inputs to the Plan Risk Responses process.
Additional Information
The risk register can also contain other valuable information that has
been gathered during the Identify Risks process, such as:
• A list of root causes
• A list of triggers—objective and early warning signs that a risk event
will soon occur
• Updated risk categories
Development of the Risk Register
The following information and examples will be helpful in developing a
project risk register.
Guidelines for Creating the Risk Register
The definitions of the risks must be agreed on and widely
communicated. This prevents mistakes pertaining to an identified risk,
and ensures that interpretations of what is included in a particular risk
definition are not overly broad. Obvious duplicates should be eliminated
from the list.
In order for risks to be effectively managed, information about them
must be controlled. Changes and additions to the list, as well as
removal from the list, must be undertaken according to a formal
process.
The information should be stored in a structured list called a risk
register. Other project management processes can reference the risk
register. Many departmental and enterprise-level project management
systems contain a risk management subsystem. For simple projects, a
simple database, such as a Microsoft® Excel spreadsheet, may be
perfectly adequate. Figure 3-9 shows an example of a risk register.
Figure 3-9. Sample Risk Register
These are examples of data that may populate a risk register:
• ID: R234
• Rank: 1
• Description: During the scheduled time allocated to transport
materials to the project location, a transportation strike could
occur, which would result in schedule delays.
• Probability: Low
• Impact: High
• Risk Score: (.10) (.7) = .07 [P*I=RS]
• Potential Response: Move the schedule date for transportation
ahead if Teamsters contract is not signed in 2 weeks.
• Root Cause: We agreed to use union truck drivers on this project.
• Triggers: Failed contract negotiations.
• Potential impact to Cost and Schedule: Cost will be increased by 15k
to implement an early shipping plan. Schedule will not be adversely
impacted.
• Category: K. Labor Skills, availability
• Contingency: The material to be shipped is on hand and in place.
Establish contracts with non-union shippers to ship the materials two
weeks earlier than previously scheduled. This will support the
aggressive schedule and avoid potential conflict with union members
should a strike occur.
• Owner: Paul Lanni
Risk Register Worksheet
Project management teams can use worksheets to catalogue risk
information, including severity, triggers, and risk category. At this
point, the only factual information known for sure appears in the first
three columns, although other information, such as severity, potential
response, triggers, and root cause, may be known or hypothesized.
Later, Project Risk Management activities will involve assessing
qualitative factors, such as probability and impact, and quantitative
factors, such as costs; selecting appropriate responses to manage the
risk; and documenting the final impact of the risk and the effectiveness
of the associated risk responses. As information about the risk is
obtained it can be transferred from the worksheet to the risk register
database. Figure 3-10 shows an example of a risk register worksheet.
Project: Mountaintop Hotel
Identify Risks & Analysis
Identified Project Risk: P I RS Risk Category
Transportation Strike K. Labor Skills, availability
Description of Identified Risk:
As a result of having to transport materials to the project location, a transportation strike could occur, which would result in schedule delays.
Assumptions/Basis:
Because of project location, most materials will be transported by truck. Although no Teamsters’ strike has affected this region for 20 years, the consequences of a strike could set the project schedule back by more than 30 days.
Risk Response Planning
Strategy Chosen:
Opportunity: Exploit Share Enhance Accept
Threat: Avoid Transfer Mitigate Accept
Trigger measure to be monitored, and Source:
Threshold Condition:
Potential secondary risks (risks arising from implementing this plan):
Residual risk (estimated remaining P, I, and RS after risk response is implemented):
Preparatory Plan: Actions to take before risk materializes
Plan Description | Who Performs | Cost / Schedule Impact | Date Due
Contingency Plan: Actions if the risk is triggered
Plan Description | Who Performs | Cost / Schedule Impact
Risk Owner:
Figure 3-10. Sample Risk Register Worksheet
EXERCISE: IDENTIFY PROJECT RISKS
Identify risks for the case study. Your diligence will determine the
effectiveness of the overall risk management effort. Refer to the Identify
Risks topic in Appendix A.
Use the following tools and techniques of the Identify Risks process to help
identify and document project risks:
• Documentation reviews
• Information-gathering techniques
• Checklists
• Diagramming methods
• Assumptions analysis
See Exercise 3-1, in Appendix A of this Participant Guide.
Module Summary
ADDRESSING THE BUSINESS CHALLENGE
Ana leads the team in a brainstorm to elicit ideas on risks that might be
associated with the parade. She has one flip chart for negative risks, and
one for positive, and gives the team an example of each: hidden costs, for
instance, are possible in an event they've never run before. On the other
hand, favorable publicity may generate a crowd and a bigger audience for
the SummerFest fair. Using data from the meeting, Ana generates a
cause-and-effect diagram to show how various risk elements relate, and
develops a risk register, with opportunities and threats sorted by type
and perceived severity.
The risk management plan guides the Identify Risks process. The
Identify Risks process is used to gain an understanding of the potential
risks associated with a project or project phase. The Identify Risks
process occurs throughout the project; it must be undertaken
periodically according to the risk management plan, and must also be
used whenever a significant circumstance changes.
The Identify Risks process results in a comprehensive list of all
identified risks sorted by type and perceived severity. In addition, the
definitions of the risks must be agreed on and widely communicated so
that no mistake is made about the identified risks, and also so that a
risk that has not been properly identified is not mistaken for being
already included in an existing risk definition.
The outputs from Identify Risks are contained in the risk register.
Module 4
Perform Qualitative Risk Analysis
Module Introduction
Once risk management planning is established and risks have been
identified, the next step is to prioritize each risk. One approach is
called qualitative analysis, which is scoring risks relative to previously
established definitions of probability and impact.
Another risk assessment approach, quantitative analysis, applies more
detailed numeric methods. Only risks ranked high by qualitative analysis
may be subject to quantitative analysis, which is addressed in Module 5.
Risk analysis is the basis for eventual risk response planning.
Module Objectives
Upon completion of this module, the participant will be able to:
• Define the Perform Qualitative Risk Analysis process within the
context of the project management framework
• Identify and describe the inputs, tools and techniques, and outputs
of the Perform Qualitative Risk Analysis process
• Apply qualitative methods to conduct a probability and impact
assessment for identified risks
Topic 1: Overview of the Perform Qualitative Risk Analysis Process
THE BUSINESS CHALLENGE
While a list of identified risks is an important step, it doesn't do much to
determine the importance of addressing specific risks. In the case of the
SummerFest parade, the list only accentuates Jack North's sense of alarm.
He approaches Ana after the assessment session. "There are so
many risks," he says. "How do we deal with them all?"
Ana reassures him that identifying risks is not the end point; it's a
beginning. At their next meeting, she tells him, they'll analyze each
identified risk to understand its likelihood and potential impact on cost,
schedule, scope, and quality. Then they'll have a better sense of which risks
they need to address, and how soon.
• What tools and techniques can Ana use with the team to prioritize risks
for further analysis or action?
The PMBOK® Guide, Fourth Edition, recognizes two approaches to risk
analysis. This module describes the more subjective method, known as
Perform Qualitative Risk Analysis, which can achieve the desired end
quickly and economically, but provides only approximate results. The
second approach is a more detailed numerical analysis. Known as
Perform Quantitative Risk Analysis, it is addressed in the next module.
To manage risks efficiently, it is necessary to understand the risk in
terms of its relative significance to the project and in relationship to
other risks. Given the list of identified risks and some established
conventions for measuring the size of the risk, two primary questions
are answered in the Perform Qualitative Risk Analysis process:
• How likely is this risk to occur?
• And, if it occurs, how significant is the impact to the project?
Perform Qualitative Risk Analysis is a process of the Planning Process
Group. The Perform Qualitative Risk Analysis process follows the
Identify Risks process and results in evaluating the probability of a risk
occurring and the impact of that risk on the project.
Figure 4-1 shows that the Perform Qualitative Risk Analysis process
occurs in the Planning Process Group.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 4-1. Project Risk Management Process Group Map: Perform
Qualitative Risk Analysis Process
The PMBOK® Guide, Fourth Edition, defines Perform Qualitative Risk
Analysis as:
DEFINITION: PERFORM QUALITATIVE RISK ANALYSIS
“The process of prioritizing risks for further analysis or action by assessing
and combining their probability of occurrence and impact.”
PMBOK® Guide, Fourth Edition
The Perform Qualitative Risk Analysis process allows the project
management team to prioritize the risks for the Plan Risk Responses
process, and to evaluate whether a high-priority risk should be carried
further into the Perform Quantitative Risk Analysis process.
Purpose of Perform Qualitative Risk Analysis
The Perform Qualitative Risk Analysis process is a way to determine the
importance of addressing specific risks, and allows the team to guide
risk responses based on factors such as:
• Time criticality of the risk
• Quality and quantity of information about the risk
• The probability of occurrence and impact of the risk
The output of the Identify Risks process provides a comprehensive list of
risks. This list may easily include dozens to hundreds of risks, depending
on the size of the project. Such a long list can overwhelm the project
manager and team, and would also alarm the project sponsor and
organization management unless appropriate steps are taken to simplify
and order the list as much as possible. The goal here is to begin
establishing order out of chaos so that prudent and economical actions
can be taken to protect the project from the risks.
This is accomplished by first performing an analysis of each risk that has
been identified. Using a divide-and-conquer approach, the project
management team investigates each of the risks so that all risks are
understood more fully. Then, the project manager prioritizes and
allocates resources to them to address the overall risk most effectively.
The impact of the risk may affect one or more of the project
objectives, including the scope, schedule, cost, and quality objectives.
Because stakeholder tolerance for risk varies, it is important to have
determined the risk tolerance of the current project’s stakeholders
during the Plan Risk Management process. The tolerance levels will
indicate what risk impacts can be accepted without further
intervention, and what level of investment would be considered
justified by the stakeholders in order to avoid or minimize the impact of
a risk.
Once the probability and impact of each risk are evaluated, a
determination can be made as to which risks deserve the most attention
and how much investment they warrant. Part of this investment may be
the additional research and computational effort involved in subjecting
the risk to the Perform Quantitative Risk Analysis process.
Perform Qualitative Risk Analysis is performed the first time that
the Project Risk Management Knowledge Area processes are carried out,
but it may be repeated as often as needed to reassess the risks when
new information becomes available, or when new risks are identified.
This approach enables prioritization based on facts, not opinions or
bias, but it cannot address all risks. Time criticality of a risk and the
quality of data that defines it are also important in establishing priority.
Interactions with Other Processes
Figure 4-2, the Perform Qualitative Risk Analysis process data flow
diagram, shows how inputs are transformed through tools and
techniques into outputs.
PMBOK® Guide, Fourth Edition
Figure 4-2. Perform Qualitative Risk Analysis: Data Flow Diagram
Perform Qualitative Risk Analysis receives inputs from the enterprise
and the project management plan. The process of risk analysis is kept
distinct from risk identification to counteract bias in risk planning. Risk
analysis is followed by the Plan Risk Responses process and the Monitor
and Control Risks process.
Risk analysis is a focus early in the project. Over the course of the
project, risk analysis is repeated often, since risks and their impact
change with time. The risk register, the signature artifact of risk
planning, is updated with each analysis cycle. Risk management bears
directly on project objectives of scope, cost, schedule, and quality.
Perform Qualitative Risk Analysis Format
Generally, Perform Qualitative Risk Analysis is performed in a meeting
or forum with all identified participants present. The meeting format
permits an open discussion of the project scope, potential risks and
assumptions, and brainstorming of management and mitigation
strategies. If the project is a low-dollar-value project, a formal meeting
may not be required to perform a risk analysis.
Prior to conducting a risk analysis, the project manager should provide
the risk analysis participants with all available project information for
evaluation and review. The project manager leads and participates in
the discussions and the ensuing risk analysis activities.
Each participant has the responsibility to prepare for, actively
participate in, and concur with the group consensus concerning the
results of the risk analysis. This should include looking at specific
project baseline information. For example, the engineering
management group may be responsible for all work breakdown structure
(WBS) elements with design work scope.
Scope of Perform Qualitative Risk Analysis
A Perform Qualitative Risk Analysis should be an integrated analysis of
risk in all elements of the project. Perform Qualitative Risk Analysis is
not separate from, or in addition to, other risk-based analyses
traditionally employed during project development and execution, such
as analyzing purely technical risks or establishing cost and schedule
contingencies. In many companies, a risk analysis is performed using a
very specific technique, often formally applied at the beginning of the
project, or even earlier during initiation or strategic planning.
During the Identify Risks process, the team must be diligent in
identifying as many potential risks as they can, using a brainstorming
technique that specifically excludes any editing or qualifying of the
identified risks.
However, risk analysis must be conducted in a moderated way. The risk
analysis activities are tempered by judgment, since the results of the
analysis will add to the cost and effort of the project management
activities. The risk analyses will be used in later risk management
activities as an aid in tasks such as:
• Deciding between several potentially expensive technical risk
response alternatives
• Establishing levels of reserve resources to be used to absorb the
impact of any risk that materializes, thereby adding to the cost and
time of the project
• Selecting procurement strategies to pay another party to take on
the risk
• Determining project performance measures to monitor for detecting
when risk events are about to occur or have occurred and require a
response
• Selecting project performance reports to present the performance
measures in a timely and efficient manner
Frequency of Performing Qualitative Risk Analysis
As with the Identify Risks process, the Perform Qualitative Risk Analysis
process should be repeated throughout the project life cycle, especially
at major milestones between project phases, to identify significant risks
and formulate management and mitigation strategies. A project risk
analysis can be performed at any time during the project life cycle.
Reasons for Performing Qualitative Risk Analysis
Subsequent reviews/revisions/updates should be performed at least
once during each project phase, preferably at the beginning of the
phase, and at any time deemed appropriate by the project manager.
For instance, a project manager should consider conducting a risk
analysis for the following reasons:
• A major previously identified risk has been realized.
• The potential of a high-risk item has been eliminated.
• The potential for a new risk(s) is identified.
• New information has surfaced, which may indicate that a risk’s
probability of occurrence or impact has increased or decreased.
If possible, all participants in the initial risk analysis should participate
in subsequent reviews. When these reviews are performed, all available
information on project scope, project performance, and any other
relevant data should be provided to the team.
Risk Impact
Perform Qualitative Risk Analysis rates the relative impact of identified
risks on project objectives so the risks may be prioritized. Although we
are doing a qualitative analysis at this stage, it is important to
understand the relative value or impact of the risk in case it becomes a
reality.
Cost Impact
An appreciation for the cost impact of a risk event should consider the
dimensions of cost. There is the cost of rework required to recover from
the risk event, should it happen. This cost includes labor and materials,
as well as any other capital or indirect costs. You should understand
whether the cost impact is isolated to one or two project work
packages, or whether the risk’s impact propagates into other project
deliverables.
This study of cost impact is known as the Price of Nonconformance
(PONC) and incorporates the various rework costs.
Risk impacts tend to inflate over time. If unaddressed, the cost of
correcting a problem that occurs during the project concept phase
tends to escalate by a factor of ten in each subsequent phase, so that a
one dollar problem during the concept phase could cost thousands of
dollars to repair when the product is in service.
There may be other externally imposed costs, such as litigation and
fines, or less obvious costs, such as an economic opportunity cost or
loss of market share. Intangible costs may include damage to brand image,
goodwill, or reputation. Each of these costs should be considered and
evaluated relative to the impacts of other risks.
Schedule Impact
The impact on the project schedule must be evaluated. Consider the
following:
• How many days will the schedule be delayed?
• What key milestones will be affected?
• Will this affect the project completion date or not?
• What is the impact to related tasks?
• How will this affect the availability of resources?
• What is the impact on the project’s estimated benefits resulting
from the delayed implementation?
The scoring of the risk can be based on the degree of schedule impact,
for example, by determining how large a delay to the critical path is
expected, and the value of a day’s delay in implementation.
Scope Impact
The effect of some risks is to force the project team to eliminate some
portion of scope. For example, a technology for which the project team
assumed the performing organization had obtained usage rights may be
found to be proprietary and unavailable, leading to the elimination of a
key component in the product.
Quality Impact
Some risks represent a threat to the quality of deliverables. One
example might be the lack of availability of the assigned expert
resources, so that deliverables are developed by resources without
enough experience to ensure they are completed with only minor
defects, or so that deliverables cannot be effectively reviewed and
evaluated for their quality.
Another way risks can affect quality is by causing upstream delays in a
schedule-sensitive project, so the project team is forced to accelerate
testing activities. Such acceleration inevitably causes the team to omit
tests or to defer removal of identified defects until after
implementation, or both.
Proportionate Expenditure of Risk Analysis Techniques
Perform Qualitative Risk Analysis is basically an intuitive prediction of
risk impact.
For risks that clearly involve low complexity and small dollar values,
using only the Perform Qualitative Risk Analysis process is best, because
it requires less effort and time and generally yields similar results to
quantitative analysis in these cases. In other words, using the
quantitative approach for low-dollar risks is overkill, and does not add
value to the project management result.
In cases where there is high complexity and high dollar value, using
Perform Quantitative Risk Analysis is warranted. The Perform
Qualitative Risk Analysis process is not well suited to complex situations
because it involves essentially simplistic human judgment, and human
judgment becomes less accurate as complexity increases. Also, as the
dollar value of the risk increases, stakeholders will expect more rigor
to be applied in analyzing the risk so as to minimize the possibility of
error. Perform Quantitative Risk Analysis is the more rigorous
technique. Figure 4-3 contrasts subjective and objective risk analysis
techniques.
Figure 4-3. Subjective and Objective Risk Analysis Techniques
The project status suggests whether the impacts of some risks are
higher or lower than expected, and whether it is too early to
successfully analyze a risk fully. For example, if the project is in the
requirements stage, the analysis of risks involving the technical
alternatives of the design may be worth deferring until the design stage.
On the other hand, if the project is behind schedule, a project-funding
problem may become more acute than if it were on track.
Project type can also be useful in focusing analysis more productively.
For example, it may be possible to assess projects that involve familiar
work processes and tools less rigorously than those that involve
technical innovation. Those that involve outsourcing may introduce a
whole new set of risks not posed by projects conducted in-house.
Overview of Perform Qualitative Risk Analysis Inputs, Tools and Techniques, and Outputs
Figure 4-4 shows the inputs, tools and techniques, and outputs of the
Perform Qualitative Risk Analysis process. These inputs, tools and
techniques, and outputs are discussed in detail in this module.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 4-4. Perform Qualitative Risk Analysis: Inputs, Tools &
Techniques, and Outputs
Topic 2: Inputs to the Perform Qualitative Risk Analysis Process
The inputs to the Perform Qualitative Risk Analysis process, described
below, are:
• Risk register
• Risk management plan
• Project scope statement
• Organizational process assets
Risk Register
The identified risks documented on the risk register are the main driver
of the analysis; each risk is considered in turn, along with any
supporting documentation that describes the causes and impacts of the
risk on various project processes and components.
Risk Management Plan
The Perform Qualitative Risk Analysis process uses scales of probability
and impact, risk categories, the probability and impact matrix, and
updated stakeholders’ risk tolerances from the risk management plan.
Other relevant elements in the plan include how qualitative risk analysis
will be used, whether and which of its outputs will eventually be used
by the Perform Quantitative Risk Analysis process, when risk
management activities will be performed, and who will participate. Any
of these aspects of the risk management plan not developed during the
Plan Risk Management process can be developed during the Perform
Qualitative Risk Analysis process.
Project Scope Statement
Assumptions from the project scope statement, which the team
reviewed during the Identify Risks process, have already suggested some
risks. Evaluating these assumptions supports assignment of probability
and impact values for the associated risks.
Organizational Process Assets
Organizational process assets provide data on past projects and risks
encountered or lessons learned. For example, if the impact of a
procurement risk is difficult to establish because the organization has
no experience in this kind of procurement, some additional research or
benchmarking may be worthwhile.
Topic 3: Tools and Techniques for the Perform Qualitative Risk Analysis Process
The tools and techniques for performing a qualitative risk analysis
include the following:
• Risk probability and impact assessment
• Probability and impact matrix
• Risk data quality assessment
• Risk categorization
• Risk urgency assessment
• Expert judgment
Risk Probability and Impact Assessment
Not all risks that were identified pose a serious threat to the interests
of the project. You have to develop a method to sift through the list of
risks, eliminating inconsequential risks and documenting worthy ones in
terms of importance and needs for attention. To conduct a risk
probability and impact assessment, you evaluate the probability that
each risk will occur and the impact that each risk would have if
realized.
PMI considers definitions of risk probability and impact to be outputs of
the Plan Risk Management process. Applying probability and impact
scales, however, occurs in the Perform Qualitative Risk Analysis process.
This module addresses both details of measuring risk and impact and
how to apply those measures.
A measure of the effect of a risk can be estimated by multiplying the
risk probability (P) by the risk impact (I) to produce a risk score (RS) for
each risk.
Risk Score (RS) = Probability (P) * Impact (I)
The entire list of risks can be prioritized, or sorted, based on the risk
score. This analysis lets you describe the probability and consequences
of each risk in qualitative terms. Usually, risk scores are ranked in two
tables: negative risks start with the score with the highest negative
value at the top, while opportunities are ranked with the highest
positive risk score at the top. Management can attack the risks at these
extremes first, by focusing their effort on the areas that will yield the
greatest benefit.
The risk score can also be used to select a group of risks for special
treatment, such as passing the worst risks on to Perform Quantitative
Risk Analysis, escalating them to the sponsor’s review, or subjecting
them to further research.
By using the risk score, rather than the probability or the impact alone,
you will ensure that changes in the risk’s probability, impact, or both,
are detected and reflected in the analysis.
For projects for which there is a relatively high tolerance for risk, the
values for the risk scores can be determined subjectively. Using this
method for qualitative analysis, you apply a predetermined scale of
values. Sometimes, high, moderate, and low are used instead of
numbers.
Using a Scale to Rank the Probability of Occurrence (P)
In the formula Risk Score (RS) = Probability (P) * Impact (I), P is the
probability of occurrence.
Assigning a probability to a risk allows management to determine
whether the risk is worth addressing and how much to invest in
addressing it.
Setting up a probability scale involves selecting a set of terms for
probability so that all participants can rank risks in a consistent way.
This type of scale is known as a Likert scale and is frequently used in
surveys. For example, a set of items for a probability scale might be:
• Very unlikely
• Somewhat unlikely
• 50-50 possibility
• Somewhat likely
• Very likely
The terms for a probability scale must be assigned meaningful
numerical values that indicate their relative positions. Probability is
usually expressed as a percentage. In practice, you should avoid using
0% and 100% because they signify certainty that the risk will not or will
occur, respectively.
Examples of probability terms and values that can be used in a five-
point scale appear in the following table.
TERM | VALUE
Very unlikely | 10%
Somewhat unlikely | 30%
50-50 possibility | 50%
Somewhat likely | 75%
Very likely | 90%
A probability of Very unlikely means that the event is nearly
impossible, while a probability of Very likely means that it is almost
certain to happen. A 50-50 possibility means that it is just as likely to
happen as not; an example of this probability is a coin toss, where the
probability of either heads or tails is 50%.
A five-point (5, 25, 50, 75, and 95) scale usually provides enough spread
to differentiate among risks. In cases that are submitted to qualitative
analysis, the usual quality of available data and the lack of a real
measurement usually do not justify greater accuracy.
Cautions on Applying a Scale for Probability of Occurrence (P)
It is important to note that scale values do not amount to an actual
likelihood; they are simply relative values that permit later numerical
analysis. This numerical analysis enables the project management team
and stakeholders to compare dissimilar risks by ranking them.
The probability of each risk’s occurrence should be set at a single value
that represents the best judgment of the team at this time from the
available data. The team should not consider the impact while
evaluating the probability. For example, the probability of a train
collision has nothing to do with the freight or passengers carried by the
train, or the damage the wreck will do. It is solely a function of the
condition of the locomotives, tracks, switches, signaling and
communications equipment, the weather, the schedule of trains, and
the competence and fitness of traffic controllers and engineers.
Creating a Risk Impact (I) Scale
In the formula Risk Score (RS) = Probability (P) * Impact (I), I is the
impact of risk. The impact of the risk measures the consequence to the
project if this risk happens. A scale similar to that of risk probabilities
must be set up for the risk impacts.
The risk impact can be evaluated on a scale of relative terms:
• Very low
• Somewhat low
• Moderate
• Somewhat high
• Very high
Examples of terms and values that can be used in a five-point scale
appear in the following table.
TERMS | VALUES
Very low | 0.1
Somewhat low | 0.3
Moderate | 0.5
Somewhat high | 0.7
Very high | 0.9
Measuring the Impact (I) of Risk Relative to Four Major Project Objectives
In some cases, it can be easier to reach agreement on a set of terms
that relate specifically to one of the four major project objectives:
cost, time, scope, and quality. For example, for scope the terms might
be:
• Scope impact barely discernible
• Minor areas of scope impaired
• Major areas of scope impaired
• Scope reduction unacceptable
• Final product undeliverable or useless
The probability and impact scales do not need to use equally spaced
values (such a scale is known as linear). A set of values with unequal
intervals can emphasize the undesirability of somewhat high, or even
moderate, negative impacts, or the desirability of a somewhat high
positive impact, even though the risk has a relatively low probability of
occurring. Some organizations use a scale with extreme values at the
ends and a concentration near the 0 midpoint. This helps to distinguish
those risks with very large positive or negative impacts from those in
the middle.
If both negative and positive impacts are to be evaluated at the same
time, then the scale can be set to range from -1 to +1, where -1
represents highly undesirable, and +1 represents highly desirable.
While this spectrum has no absolute meaning, it allows risks to be
compared effectively. One of the best ways to ensure that the scale is
applied consistently is to define a table of impact values and their
meaning in project objective terms.
The evaluation of project risk impact should quantify the impact in
terms of rough quantities of dollars and schedule time units, such as
weeks and months. By translating impact into general cost and schedule
terms, the team is able to compare the impacts of all risks based on
standard project parameters and with high confidence. This translation
into cost and schedule effects also allows the project management
team to communicate meaningfully with stakeholders who will only
understand the effects of risks in terms of measurable project
performance results.
It is valuable to require that the stakeholders approve the risk impact
table, because this establishes the expectations for how various impacts
will be differentiated. It is a way of determining the stakeholders’ risk
tolerance.
Organizations often find it useful to stratify the table’s 25 possible Risk
Score (RS) values into three levels, one representing low risks, one
representing moderate risks, and one representing high risks. The
associated matrix entries can be colored to represent three levels. For
example, the low risks can be colored green, the medium risks yellow,
and the high risks red.
This technique simplifies the application of policies (and hence effort
and resources) according to risk scale level. For example, risks rated as
red may require review at every weekly status meeting, while green
risks may need to be reviewed only monthly, or on a less frequent,
rotating basis.
Risk Impact Scales Example
This sample table shows the impact scales based on project objectives.
(Only negative impacts are shown.) This type of table should be
developed during the Plan Risk Management process.
VALUE OF I | IMPACT TO THE PROJECT | COST THRESHOLDS | SCHEDULE THRESHOLDS | SCOPE THRESHOLDS | QUALITY THRESHOLDS
0.1 | Minimal or no cost and schedule consequences – unimportant | <$25K | No baseline extension | Minor areas of scope affected | Only very demanding applications are affected
0.3 | Small reduction in desired cost and schedule results | $25K–$49.9K | < 5 day baseline delay | Major areas of scope affected | Quality reduction requires sponsor approval
0.5 | Some reduction in desired cost and schedule results | $50K–$99K | 6–29 day baseline delay | Scope reduction unacceptable to sponsor | Quality reduction unacceptable to sponsor
0.7 | Significant degradation in cost and schedule results | $100K–$250K | 30–59 day baseline delay | Scope reduction unacceptable to sponsor | Quality reduction unacceptable to sponsor
0.9 | Desired cost and schedule results cannot be achieved | >$250K | > 60 day baseline delay | Project end item is effectively useless | Project end item is effectively useless
When the impact has been determined for each identified risk, the value is
entered in the risk register.
The values in the sample table are not fixed across industries. They may
be determined by company policy, current budget climate, or team
consensus for a particular program or project. When risk impact scale
values are standardized for all projects in an organization, projects can
be evaluated and compared more effectively.
The values and thresholds must also reflect stakeholders’ risk tolerance.
In some cases, the impact scale may be defined as non-linear. For
example, the highest value might be set at 0.99, and the value below
that at 0.95.
A non-linear scale results in inflating the risk score for risks with failure
and significant degradation impact assessments to the point where
significant investments in avoiding or mitigating these risks would be
justified and approved by the stakeholders.
If the limit of the top range is set very low at the request of a
particularly risk-averse stakeholder, a large number of risks may fall
into the highest value category. This situation may indicate that the
project is not appropriate to pursue with this stakeholder, with this
approach, and at this time.
Probability and Impact Scales for Positive Risks
It is equally important to define a scale for assessing the probability of
achieving a positive risk or opportunity, and the corresponding scale for
impacts.
The probability of a positive risk behaves in the same way as the
probability of a negative risk. The same probability scale can be applied
for both. When designing the impact scale for positive risks, some
thought should be applied to defining meaningful positive impact
thresholds, which may differ from the previously defined negative
impacts. However, using the same intervals and values (though opposite
in sign) as those used on the negative impact scale facilitates comparing
risks and opportunities, for example, "Do we have sufficient
opportunities to balance the risks?"
Using the Risk Score
The resulting risk score can be used to rank the risks in priority order,
with those having the highest negative risk score at the top and those
having the highest positive risk score at the bottom, so that
management can attack the ends first. These will yield the greatest
benefit for the effort expended.
You can also use the risk score to select a group of risks for special
treatment, such as passing the worst risks on to Perform Quantitative
Risk Analysis, escalating them to the sponsor’s review, or subjecting
them to further research.
Probability and Impact Matrix
A probability and impact matrix is used to look up the combined risk
rating, also known as the risk score, for a particular combination of
probability and impact values. The score is used to prioritize risks for
later risk management activities.
A graphical probability and impact matrix effectively communicates the
relative severity of risk scores. In the example in Figure 4-5, any risk
with a risk score of 0.18 or higher is considered to be high risk, while
those with a risk score between 0.06 and 0.14 are considered medium
or moderate risk, with the remainder considered as low risk.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 4-5. Probability and Impact Matrix
A risk with a probability of 0.30 and an impact of 0.80 has a risk score of
0.24 and is in the high risk area. Another risk with probability of 0.70
and an impact of 0.20 has a risk score of 0.14, in the moderate risk area
on this matrix.
Risk Data Quality Assessment
In order to be useful to project management, Perform Qualitative Risk
Analysis requires accurate and unbiased data. Assessing the quality of
risk data helps to determine and evaluate the risk analysis process.
Examining data quality is an opportunity to observe how well the team
and stakeholders understand project risk. To assess data quality,
consider the following:
• Accuracy
• Quality
• Reliability
• Integrity
Classifying Data Quality
In risk data quality assessment, an additional parameter is assigned to
the risk data, indicating the accuracy of information. When we begin
identifying and evaluating risks, the amount of known information is
relatively poor; it improves as more work is done to analyze the risk.
Therefore, it can be useful to classify risk data using the following three
values:
• High precision: Information about the risk’s behavior, including the
probability and impact, is well established and reliable; we are
unlikely to encounter surprises with this risk.
• Medium precision: Information about the risk parameters is good
enough to proceed in most cases; some variance from the expected
behavior may be encountered, but it is unlikely to cause serious
harm to the project plan.
• Low precision: Information available concerning the risk is
essentially founded on guesswork and should not be trusted because
the risk parameters could change significantly; the affected area of
the project and the related risk scores must be monitored closely
until the behavior of the risk is better understood. Investments in
addressing the risk must be moderated until the data are confirmed.
In general, data quality will be highest when the risk has been observed
and managed in the organization before. In other words, it would be
helpful to have at least one person on the team who was involved in the
previous project, or to have published information regarding the risk’s
behavior.
Data may be of medium precision if there is only anecdotal information
about the risk’s behavior within the organization, or if it has never been
observed and managed within the performing organization. Data will be
of low quality when the risk is completely novel, or when the sources of
information regarding the risk are unreliable or unverifiable.
One way to indicate the quality of risk data is to color-code the data
quality indicator:
• Low: Red – Stop and analyze further.
• Medium: Yellow – Proceed with caution.
• High: Green – GO!
Risk Categorization
When the causes or other characteristics of project risks are identified,
it may be possible to group them so they can be addressed at the same
time by a single risk response plan. This is an economical source of
leverage for the investments required to manage risks. The risk
breakdown structure (RBS) described in the Plan Risk Management
process can be designed to facilitate this kind of causal analysis.
Alternatively, risks can be grouped by the type of activity in which they
arise, and if multiple risks are determined to come from a specific type
of activity, an investment in redefining how that activity is performed
may be justified. This kind of grouping may be extended from activities
up to project phases, so that investments in process improvements to
manage risk can be made in a more focused manner. These groupings
may be used in the risk register to support later risk management
activities.
Risk Urgency Assessment
In addition to evaluating a risk’s probability and impact, it is sometimes
useful to consider the timing of the risk as a primary factor in
prioritizing it. Risks are deemed urgent when the deadline for effective
response is near-term so that they are ranked higher than risks that
pose a longer-term threat.
If the effect of the risk is severe enough, it may be necessary to
complete the categorization of the remaining urgent risks, and then halt
further risk analysis in order to prepare risk response plans for these
urgent risks before any of the risk events occur. These urgent risks
would be listed separately in the risk register.
To analyze for urgency, you can expand the risk score equation to
include an urgency factor. Urgency could be defined on a three- to five-
point scale, similar to the scales for probability and impact:
Risk Score (RS) = Probability (P) * Impact (I) * Urgency (U)
Watch List of Low-Priority Risks
In some cases, risks are determined to be so improbable, or to have
such negligible impact, that they are placed on a watch list without
further analysis or action. The risks on this low-priority watch list are
periodically reassessed to ensure that new information does not indicate
that their probability or impact has increased substantially to the point
where they should now receive more complete risk management
treatment. These low-priority risks would be listed separately in the risk
register.
Expert Judgment
Assessing the probability and impact of each risk requires expert
judgment. An expert may be someone with recent experience on a
similar project. People planning the project at hand are also experts on
the project and its details.
Ways to capture expert judgment include facilitated workshops and
interviews. It is important to consider the experts’ bias during this
process.
Topic 4: Outputs from the Perform Qualitative Risk Analysis Process
The Perform Qualitative Risk Analysis process has only one major
output:
• Risk register updates
Risk Register Updates
The risk register, started during the Identify Risks process, is updated
with information from qualitative analysis. These updates include the
following:
• Prioritized list of project risks – The list of risks for the project is
prioritized, often as low, moderate, and high. This prioritization of
risks allows the project manager to focus proportionate attention on
the greatest risks. Risks may also be organized by type of impact
(schedule, cost, scope, and quality) for further management focus.
For example, risks that affect cost can be directed to a financial
committee for review and response, while risks affecting schedule
can be sent to a resource planning function, such as a project
management office (PMO).
• Risks grouped by category – The risks may be grouped by category
to facilitate later risk management. Categories can be root cause or
project area. Identifying patterns can improve understanding of the
risks overall or facilitate planning more economical responses.
• List of risks requiring a quick response – Risks that require an
urgent response can be presented separately and fast-tracked
through the Plan Risk Responses process.
• List of risks for additional analysis and response – These are risks
that merit more analysis, possibly quantitative risk analysis, and
response action.
• Watch list of low-priority risks – These are risks deemed not to
need further analysis or response; they are placed on a watch list
and monitored.
• Trends in qualitative risk analysis results – As analysis is repeated,
trends for particular risks may emerge. The importance of a risk may
change, affecting risk response or warranting further analysis.
Example of Updated Risk Register Worksheet
An example of a risk register worksheet for risk analysis appears below.
You can use the worksheet to catalogue risk information, including
probability, impact, and risk category. Later, risk management
activities will involve selecting an appropriate response to manage the
risk and to document the final impact of the risk and the effectiveness
of the associated risk responses.
Project: Mountaintop Hotel
Identify Risks & Analysis
Identified Project Risk: Transportation Strike
P: .03 | I: .05 | RS: .15 | Risk Category: K. Labor Skills, availability
Description of Identified Risk:
As a result of having to transport materials to the project location, a transportation strike could occur, which would result in schedule delays.
Assumptions/Basis:
Because of project location, most materials will be transported by truck. Although no Teamsters’ strike has affected this region for 20 years, the consequences of a strike could set the project schedule back by more than 30 days.
Risk Response Planning
Strategy Chosen:
Opportunity: Exploit Share Enhance Accept
Threat: Avoid Transfer Mitigate Accept
Trigger measure to be monitored, and Source:
Threshold Condition:
Potential secondary risks (risks arising from implementing this plan):
Residual risk (estimated remaining P, I, and RS after risk response is implemented):
Preparatory Plan: Actions to take before risk materializes
Plan Description | Who Performs | Cost / Schedule Impact | Date Due
Contingency Plan: Actions if the risk is triggered
Plan Description | Who Performs | Cost / Schedule Impact
Risk Owner:
EXAMPLE: RISK REGISTER WORKSHEET, RISK REGISTER WITH RISK RATINGS
Working from the list of identified risks, the Capitol Flyer Corporate
Customer Satisfaction project manager led her team through a qualitative
review to prioritize risks and determine their probability and impact.
To view a sample risk register worksheet, and the resulting risk register
with ratings and preliminary response strategies, see Appendix C.
Trends in Qualitative Risk Analysis Results
The score of a particular risk will change over time, as the probability
of the risk’s occurrence changes, and the size of the impact increases or
shrinks. Project activities may simply increase exposure to the risk for a
time and then eliminate the exposure as those activities are completed
and others begun.
An example is the outsourcing of software development to an offshore
company, where the risk posed by the vendor’s possible insolvency and
closure increases as contractual commitments are made and the
schedule provides a diminishing window to find an alternative partner.
When the code is shipped and tested, the vendor’s condition becomes
irrelevant. Note that it is the impact that is changing in this situation;
the probability of insolvency could have remained at a constant value
during the entire project.
Risk probability can also change over time. For example, learning curves
frequently result in a higher probability that a serious defect will be
introduced during design or construction, involving new staff or a new
technique, but as the activities are performed and experience grows,
the probability of the same kind of defect diminishes.
Using the risk score, rather than the probability or the impact alone,
ensures that changes in either risk probability, impact, or both, are
detected and reflected in the analysis.
As the risk score increases, monitoring for the indicator of the risk, the
risk trigger, may increase in frequency. If the indicator crosses a
predetermined threshold and the potential effect of the risk is severe
enough, a contingency plan may be implemented, even though the risk
has not yet materialized, in order to exploit the remaining available
time to minimize risk impact or reduce risk probability.
As the risk score decreases, the response plan for that risk may be
modified by reducing the level of effort or investment for managing the
risk. For example, if contingency reserves of project funds had been set
aside, they may be reduced, and the remainder released for other uses.
Monitoring such trends can give the project team advance warning of
such developments, allowing them to act before the situation becomes
urgent.
Figure 4-6 shows an example of a risk score changing over the duration
of the project. There is no standard curve or shape for this change.
Figure 4-6. Risk Score Change Over Time
Caution for Trend Analysis
This trend analysis must be done carefully because the underlying data
was derived from team discussions and is subjective. This data is not as
reliable as quantitative observations and will have random fluctuations
greater than those from observations.
To avoid responding prematurely to such noise, the team should
perform further research when, without any significant new data, the
probability or impact of a particular risk is rated higher.
Furthermore, do not consider one minor increase to be a trend; the
team should see at least two increases in a row, or a major increase,
before taking action.
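The scoring, banding, ranking and trend rules described in this module, combined in one added example (not part of the original guide). The band boundaries are the ones quoted for Figure 4-5; the 0.10 "major increase" size, the treatment of scores between 0.14 and 0.18 as moderate, and the sample register are assumptions made for illustration.

```python
from dataclasses import dataclass

# Band boundaries quoted in the Figure 4-5 discussion of this guide.
HIGH_MIN = 0.18
MODERATE_MIN = 0.06
# Assumption (not from the guide): a single jump this large is a "major increase".
MAJOR_INCREASE = 0.10


def band(score):
    """Map a P * I score to low / moderate / high.

    Assumption: the guide leaves scores between 0.14 and 0.18 unassigned;
    they are treated as moderate here.
    """
    if score >= HIGH_MIN:
        return "high"
    if score >= MODERATE_MIN:
        return "moderate"
    return "low"


@dataclass
class Risk:
    name: str
    probability: float      # 0..1
    impact: float           # 0..1, magnitude only
    kind: str = "threat"    # "threat" (negative) or "opportunity" (positive)
    urgency: float = 1.0    # 1.0 leaves the plain P * I score unchanged

    def __post_init__(self):
        for label, value in (("probability", self.probability),
                             ("impact", self.impact),
                             ("urgency", self.urgency)):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: {label} {value} is outside 0..1")
        if self.kind not in ("threat", "opportunity"):
            raise ValueError(f"{self.name}: unknown kind {self.kind!r}")

    @property
    def score(self):
        """RS = P * I, rounded so that 0.3 * 0.8 compares equal to 0.24."""
        return round(self.probability * self.impact, 4)

    @property
    def urgent_score(self):
        """RS = P * I * U, used only to order risks, not to band them."""
        return round(self.score * self.urgency, 4)


def rank(risks):
    """Largest threats first, largest opportunities last ("attack the ends")."""
    threats = sorted((r for r in risks if r.kind == "threat"),
                     key=lambda r: r.score, reverse=True)
    opportunities = sorted((r for r in risks if r.kind == "opportunity"),
                           key=lambda r: r.score)
    return threats + opportunities


def trend_signal(history, major=MAJOR_INCREASE):
    """Apply the caution rule: act on two increases in a row or one major increase."""
    deltas = [round(later - earlier, 4) for earlier, later in zip(history, history[1:])]
    if not deltas:
        return "no trend data"
    if deltas[-1] >= major:
        return "act: major increase"
    if len(deltas) >= 2 and deltas[-1] > 0 and deltas[-2] > 0:
        return "act: two increases in a row"
    if deltas[-1] > 0:
        return "watch: single minor increase"
    return "steady or falling"


# Constructed sample register; the first two rows reuse the P and I values
# from the worked matrix example in the guide, the rest are invented.
SAMPLE_REGISTER = [
    Risk("Permit delay", 0.70, 0.20),
    Risk("Early completion bonus", 0.50, 0.40, kind="opportunity"),
    Risk("Vendor insolvency", 0.30, 0.80),
    Risk("Minor rework", 0.10, 0.10),
    Risk("Volume discount", 0.20, 0.20, kind="opportunity"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.name:24} {r.kind:12} RS={r.score:<6} {band(r.score)}")
    print(trend_signal([0.10, 0.12, 0.14]))
```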
EXERCISE: ASSESS AND RANK RISKS
Assess and rank the risks that were identified in the previous exercise.
Document the probability, impact, risk score, and risk category for each
identified risk using the Perform Qualitative Risk Analysis section of the risk
register worksheet located in the Assess and Rank Risks topic in Appendix A.
Module Summary
ADDRESSING THE BUSINESS CHALLENGE
A long list of potential risks can overwhelm the team and scare sponsors and
stakeholders. Also, in raw form, such a list is only marginally meaningful. So
Ana works with the team to turn the identified risks into a set of assessed
risks. Using their collective judgment and experience – and leaning
particularly on Walter and Marc's SummerFest knowledge and Brita's parade
experience – they work from their lists of positive (opportunity) and
negative (threat) risks to create a probability and impact matrix.
Once the probability and impact of each risk is evaluated, Ana can
determine which risks deserve the most attention and how much
investment they warrant.
The Perform Qualitative Risk Analysis process allows the project
management team to:
• Prioritize the risks for the Plan Risk Responses process
• Evaluate whether a high-priority risk should be carried further into
the Perform Quantitative Risk Analysis process
The key parameters analyzed are probability and impact. It is important
to complete risk identification before prioritizing risks. Remember, risk
parameters change over time; therefore, reassess them periodically.
Module 5
Perform Quantitative Risk Analysis
Module Introduction
Perform Quantitative Risk Analysis is similar to Perform Qualitative Risk
Analysis. Both analyses are performed on identified risks and measure
impact on project objectives.
Once qualitative risk analysis has ranked risks, some high risks may be
subject to further numeric analysis. The decision to apply quantitative
methods depends on the size and complexity of the project.
Module Objectives
Upon completion of this module, the participant will be able to:
• Define the Perform Quantitative Risk Analysis process within the
context of the project management framework
• Identify and describe the inputs, tools and techniques, and outputs
of the Perform Quantitative Risk Analysis process
• Apply a quantitative analysis tool (decision tree analysis) to an
identified risk in the case study
Topic 1: Overview of the Perform Quantitative Risk Analysis Process
THE BUSINESS CHALLENGE
Now that they've identified and assessed risks, Hannah Foster is eager to set
parade plans in motion. After all, they've gathered reams of data,
brainstormed possibilities, and tapped the experience of experts. "Enough
scrutiny," she announces after they complete their qualitative analysis.
"Let's put on a parade."
While she appreciates Hannah's enthusiasm, Ana breaks the news that
they've got one more important step of analysis. For a few of the highest
risks, she tells Hannah, she will perform an in-depth numerical analysis to
measure probable outcomes. On these high risks, Ana says, it's important to
determine risk exposure and contingency cost.
"I don't understand what that means," Hannah tells her.
"It means," Ana says, "that on certain key issues, we need to think through
in advance the implications of choosing one or another alternative." For
instance, Walter Stone has just informed her that the regional antique car
club that's a core act is not insured, and that some of the members are "a
little erratic." At a recent car rally, 86-year-old Greg Heinz veered off into
the crowd. Fortunately, no one was injured.
• What's the best way for Ana to quantify key project risks?
Perform Quantitative Risk Analysis is the process of using numerical
methods to assess the impact of identified risks on overall project
objectives. The Perform Quantitative Risk Analysis process is applied in
proportion to the project size and degree of overall project risk. Like
the Perform Qualitative Risk Analysis process, its purpose is to develop a
more complete understanding of a risk so an appropriate response can
be planned. It:
• Analyzes only those risks that previous analysis shows have the
potential to substantially impact the project
• Analyzes the effect of those risk events and assigns a numerical
rating to them
• Provides a quantitative approach to decision-making in the presence
of uncertainty
Figure 5-1 shows that the Perform Quantitative Risk Analysis process
occurs in the Planning Process Group.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 5-1. Project Risk Management Process Group Map: Perform Quantitative Risk Analysis
Perform Quantitative Risk Analysis follows the Perform Qualitative
Risk Analysis process. In some projects, it may be possible to plan
suitable risk responses without performing quantitative analysis.
Factors in selecting a risk analysis approach include:
• Time and budget available for risk analysis
• The need for qualitative or quantitative assessment of risk and its
impact
When used, the Perform Quantitative Risk Analysis process is applied
multiple times in the project. Quantitative analysis should be repeated
after the Plan Risk Responses process, and as part of the Monitor and
Control Risks process, to determine whether project risk has been
sufficiently decreased. Trends can reveal the need for more or less
attention to risk management.
DEFINITION: PERFORM QUANTITATIVE ANALYSIS
"The process of numerically analyzing the effect of identified risks on
overall project objectives."
PMBOK® Guide, Fourth Edition
Purpose of the Perform Quantitative Analysis Process
Given a list of identified risks, a qualitative analysis will probably be
performed on all of them. Only the highest risks are flagged for more in-
depth quantitative study.
The Perform Quantitative Risk Analysis process helps ensure that:
• Understanding of the potential effect of risk on the project
objectives is as clear as possible
• Expenditures associated with managing the risk do not exceed the
expected impact of the realized risk
• Factors that influence the risk’s probability and impact are
understood so they can be leveraged to minimize the effect of a
negative risk on project objectives, or maximize the effect of a
positive risk
• The probability of success for project objectives is evaluated
• Practical contingency reserves for project schedule and budget are
quantified
Quantitative risk analysis enables prioritization based on facts, not
opinions or bias, but it cannot address all risks. Time criticality and data
quality must also be considered to perform quantitative risk analysis
effectively.
Interactions with Other Processes
Figure 5-2, the Perform Quantitative Risk Analysis process data flow
diagram, shows how inputs are transformed through tools and
techniques into outputs.
PMBOK® Guide, Fourth Edition
Figure 5-2. Perform Quantitative Risk Analysis: Data Flow Diagram
The Perform Quantitative Risk Analysis process provides a more detailed
picture of the effect of the risk on project objectives. This process
requires sophisticated tools and takes more time, making it
substantially more expensive than Perform Qualitative Risk Analysis.
It is important to complete the Perform Qualitative Risk Analysis process
first, and only then to pass on the risks rated as high to the Perform
Quantitative Risk Analysis process for a more precise determination of
their possible effects on project objectives.
Inputs to Perform Quantitative Risk Analysis are similar to inputs to
Perform Qualitative Risk Analysis. Both processes draw on the risk
register and risk management plan, and both result in risk register
updates. However, where qualitative analysis uses the project scope
statement as a resource for assessing risk, quantitative analysis refers to
the cost management and schedule management plans.
Because these documents establish the structure and quantitative
approach for managing cost and schedule, these plans may offer an
important perspective on quantitative analysis of risk and its impact. As
was true for qualitative analysis, organizational process assets are
another input to quantitative analysis. These assets may include
information from past projects, studies of similar projects, and risk
databases from industry or private sources.
Once performed initially, quantitative risk analysis may be repeated to
test the impact of risk mitigation efforts.
Concepts of Probability
Effective planning is based on assumptions. Project managers and teams
make assumptions about the future based on the past. These
assumptions cover a range of factors, but most assumptions are
grounded, directly or indirectly, in human performance. Factors such as
weather, seismic occurrences, or interstellar activity may truly be force
majeure and resulting failures may be excusable; all else is predictable
to some degree of accuracy. Where historical information about
activities is gathered, it may be possible to discern patterns and trends
that can help predict the behavior of future, similar activities.
Statistics, the branch of mathematics concerned with analyzing and
interpreting numerical data on samples and populations, can help the
project management team to manage risk.
To find patterns and predict future behavior, we need a way to model
the behavior of all possible outcomes, which is known as the
population. We describe a population with a probability distribution
and some parameters, including a mean, variance, confidence
interval, and usually a standard deviation.
Probability Distribution
The probability distribution of a set of possible outcomes is a list of
probabilities associated with the list of possible outcomes. For example,
when throwing a single die, each of the sides, with the values from one
to six, has an equal likelihood of being rolled.
Each should appear approximately once for every six rolls if a large
enough sample of rolls is thrown. So, the probability distribution
associated with throwing a single die is shown below:
• 1: 1/6
• 2: 1/6
• 3: 1/6
• 4: 1/6
• 5: 1/6
• 6: 1/6
Mean
The mean is a statistical measure that is equal to the sum of a sample,
divided by the number of samples in the set. Often known as the
average, this is the most common statistic. Although a valuable
indicator of central tendency, the mean can be skewed by a small
number of observations that lie far from the majority of the data
values. Thus the highest and lowest scores of Olympic judges are
dropped, and the average is calculated only from the remaining scores.
The mean of a set of sample observations is approximately the same as
the mean of the whole population. The larger the sample, the closer
the approximation.
Variance
Variance is concerned with the average separation of a set of
observations from the mean of the set. The variance is obtained by
squaring each observation’s distance from the mean and averaging the
squared values. Squaring eliminates the tendency of positive and
negative values to cancel each other out.
Consider a set of three numbers all equal to 4: this is the set
{4, 4, 4}. The mean is clearly 4. The differences between the
numbers in the set and their mean are all also clearly 0. If we take the
square of each difference before we add them together, we still get 0.
This is the variance of this sample.
Now consider the set of three numbers: 2, 4, and 6. The mean of these
three numbers is (2+4+6)/3, or 4. The differences between
each number and this mean are -2, 0, and +2. If we add these numbers,
the result is 0, just as in the first case. If we only looked at the mean
and this sum of the differences, the two sets would appear to
be identical. But they clearly are not.
Now, let us take the square of each difference before summing them:
• (-2)^2 = 4
• 0^2 = 0
• 2^2 = 4
• Sum of squares = 8
The first sample and the second sample differ in how the individual
observations vary from the mean. Squaring the differences before
summing them prevents negative and positive differences from
canceling each other out.
Standard Deviation
When the squared differences of a set of observations are averaged to
give the variance, the typical difference from the mean is obtained by
taking the square root of that value. This is the standard deviation.
The smaller the standard deviation, the closer the observations lie to
their mean value.
Along with the mean, this statistic is essential to understanding what
the observations tell us about the underlying population of data from
which the observations were taken. In a commonly occurring type of
distribution known as the normal distribution, the observations are
distributed equally on both sides of the mean value, and they tend to
cluster around the mean and tail off away from it, producing a shape
that resembles a bell. This shape is known as a bell curve.
When considering all of the values within a range both above and below
the mean by an amount equal to one or more standard deviations, the
following observations are always true:
• A range of one standard deviation on either side of the mean
includes 68.3% of all the observations.
• A range of two standard deviations on either side of the mean
includes 95.5% of all the observations.
• A range of three standard deviations on either side of the mean
includes 99.7% of all the observations.
The consistent relationships between observations, their mean, and
their standard deviation make the normal distribution a powerful
statistical tool. By using these known behaviors, we can establish
thresholds at the range of standard deviation that will offer us the
desired coverage of the population.
When the mean and standard deviation of a sample of observations can
be calculated, it becomes possible to make accurate predictions of
outcomes regarding all possible observations from that population. In
fact, we can state that the prediction will be correct some percentage
of the time, with the stated percentage set as a target. For example,
we may be able to say that this project will finish by May 31 with 95%
confidence. That means that we will be right 95 times in 100 similar
projects, and wrong only 5 times in 100.
Confidence Interval
Most commonly set at 95% (two standard deviations), the confidence
interval measures the likelihood that the actual behavior will fall within
the predicted range with a 95% probability. For example, after doing
the necessary analysis on the project activities and the project
network, we might state that the total project duration is forecasted to
be 196 calendar days, plus or minus 22.6 days, with 95% confidence.
Figure 5-3 shows a normal probability distribution.
Figure 5-3. Normal Distribution and Standard Deviation Ranges
A normal probability distribution can be used to assess the achievability
of current project objectives and to establish necessary contingency
reserves.
Measures of Reliability and Relationship
It is useful to be able to measure the reliability, or statistical
significance, of an analysis. Also, it is helpful to have a method to
describe how a dependent variable in a set of data, such as a person’s
height, varies relative to an independent variable, such as a person’s
age.
Statistical Significance
Statistical significance refers to the reliability of a conclusion drawn
from the statistical data being analyzed. When a statistical conclusion is
significant, it means that the statistical measure involved can be relied
upon. Although individual results may vary widely, over an extensive
number of outcomes, a pattern may be discerned, measured, and
captured in a formula. As the number of outcomes increases, statistics
calculated on the sample approach those of the total population of the
underlying data. The number of data points in a sample needed to
achieve statistical significance may be considered to be 25
or greater. As more and more computer model simulations are run, the
outcomes will begin to demonstrate a pattern that reflects the entire
population. At some point, additional runs do not lend additional value
to the analysis. The number of runs required to demonstrate a
reasonable approximation to the actual behavior of the variable is
therefore set at some minimum number. With computer simulations, a
large number of runs may be necessary if there are many variables and
their interrelationship is complex. It is not uncommon to start with 100
runs, and then to add 10 more to see if the behavior of the solution set
is still changing. With high-powered computers, running the simulation a
thousand times is not unreasonable.
Regression Analysis
Regression analysis is the technique used to understand the
mathematical relationship between two variables. It is used to predict
the next occurrence of the dependent variable, where the dependent
variable’s value is a function of the value of the independent variable.
For example, for a given set of repeated tasks, such as installing a new
type of ATM at 100 bank branches, suppose that we want to know how
many days the total installation effort will take from the start of the
first installation to the completion of the last. Suppose we also know
that the number of days shrinks as the number of installation teams
increases. We may look at prior similar projects, or just take samples
from our first efforts on this project, and plot the results in the form of
Days Taken per Branch versus Number of Teams.
If we can find a relationship between these two variables, we can
predict the entire project’s duration for any number of teams, and find
the best number to use. We might do this by plotting our sample data
points on a graph and looking for some kind of line or curve that links
them, at least approximately. Then, we can stretch out the curve for
different numbers of teams (greater or smaller), and predict the Days
Taken per Branch in cases where we do not actually have an
observation. This is regression analysis: drawing a relationship between
two variables, one of which depends on the other, so that forecasts can
be made for values of the first where no observations exist yet.
Regression analysis relies on the fact that, although individual samples
may vary from the discerned pattern, the preponderance of sample data
conforms to the underlying pattern. An early application of statistics,
regression analysis is the basis for diagnosis techniques in epidemiology,
such as applying children’s growth charts, showing height and weight
versus age and gender, to make predictions about a specific child’s
expected growth pattern.
Probability in Project Management
An estimator who forecasts that a work activity will take 10 days and
cost $50,000 is most probably basing the forecasts on average figures.
The actual performance could easily be lower or, more likely, could
prove higher. When a collection of activities in a network acts this way,
the entire project could take either less time or more time than
forecasted. Similarly, some of its constituent activities could take less
time, and others more time than their individual forecasts. Running a
set of simulations is the only practical way to evaluate what the total
project performance is likely to be, and within what range.
When the project manager states how much time the task is expected
to take as he or she assigns it to a team member, the project manager
often leaves the impression that it is okay to consume all the time
before reporting the task’s completion, whether or not it is actually
needed. This creates a tendency for tasks to take the estimated time or
to overshoot, but rarely to undershoot. To compensate for this
overshoot bias, project managers often resort to adding a schedule
contingency to each activity.
As task durations expand, and team members continue to overshoot
them, an overall trend towards underperformance can be expected.
To counteract this phenomenon, the project manager can set the
expectation that the team members should do their best to beat the
scheduled duration for the task. They should set the scheduled duration
to the mean value for that task, calculated using the three-point
estimating technique. In many situations, incentives for performance
can help to overcome the overshoot phenomenon.
Then the project manager should set up a schedule contingency at the
end of the network, or distributed throughout the project at the end of
each phase, so that the likelihood of meeting the overall project
completion date will be as high as the stakeholders require.
Overview of Perform Quantitative Risk Analysis Inputs, Tools and Techniques, and Outputs
Figure 5-4 shows the inputs, tools and techniques, and outputs of the
Perform Quantitative Risk Analysis process. These inputs, tools and
techniques, and outputs are discussed in detail in this module.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 5-4. Perform Quantitative Risk Analysis: Inputs, Tools &
Techniques, and Outputs
Topic 2: Inputs to the Perform Quantitative Risk Analysis Process
The inputs to the Perform Quantitative Risk Analysis process, described
below, are:
• Risk register
• Risk management plan
• Cost management plan
• Schedule management plan
• Organizational process assets
Risk Register
The risk register, where all data associated with each risk is preserved,
should list the risks identified as needing additional analysis and
management during the Perform Qualitative Risk Analysis process.
These risks drive the Perform Quantitative Risk Analysis process.
Risk Management Plan
The risk management plan is one of the key project plan components. It
describes, among other important items, how the quantitative risk
analysis will be performed for the project.
Cost Management Plan
The cost management plan for the project, which includes the cost
information for the activities, is needed to analyze various scenarios for
risks in which the risk occurs in one activity, but affects the cost and
schedule of downstream activities.
Schedule Management Plan
The schedule management plan for the project includes the work
breakdown structure (WBS) and its activity dependencies and schedule
information. The constraints presented by the schedule and its related
controls may influence the approach selected for the Perform
Quantitative Risk Analysis process.
Organizational Process Assets
Organizational process assets contain historical information from
previous projects such as analysis models, raw data and results, studies
of similar projects, and databases with probability and impact
information, categorized by project characteristics.
Topic 3: Tools and Techniques for the Perform Quantitative Risk Analysis Process
Quantitative techniques may be used to analyze the aggregate risks in
the project schedule network. The output of such an analysis might be
the discovery of activities in the work breakdown structure having risk
that influences project objectives so significantly that these activities
warrant tracking as individual risks. Various simulation and modeling
techniques exist to provide such analysis. The result will be additional
information to be captured in the risk register and more cost-effective
risk response strategies.
The tools and techniques for performing a quantitative risk analysis
include the following:
• Data gathering and representation techniques
  ◦ Interviewing
  ◦ Probability distributions
• Quantitative risk analysis and modeling techniques
  ◦ Sensitivity analysis
  ◦ Expected monetary value analysis
  ◦ Modeling and simulation
• Expert judgment
Data Gathering and Representation Techniques
Interviewing
Interviews can be used to create a profile of each risk, such as how
often it has occurred in the past, whether it is associated with certain
characteristics (such as technically challenging activities, certain
resources, or dependence on external efforts), what the average,
smallest, and largest impacts were, and so forth.
For example, when trying to estimate the probability of an activity
running beyond its schedule, experts can be consulted to estimate the
optimistic, pessimistic, and most likely values for the duration of the
activity. These estimates can be used to derive a probability
distribution for the task’s duration, which can be employed, along with
other techniques, to estimate the impact of the task on the project
schedule.
Figure 5-5 shows an example of project cost estimates that might be
obtained by interviewing with low, most likely, and high cost estimates
for each activity.
PMBOK® Guide, Fourth Edition
Figure 5-5. Range of Project Cost Estimates from Stakeholder Interview
The goal is to gain insight into what factors might make a risk more
likely to occur, or to have a larger impact.
Possible candidates for the interviewing process include:
• Project stakeholders
• Subject matter experts (SMEs) who work on the project or who have
worked on similar projects
• Other project managers
• Retired SMEs
• Contractors
• Other experts in the field
Information requirements depend on the type of probability distribution
to be used (commonly used probability distributions are discussed
shortly). Remember to always document results and associated
rationales.
Probability Distributions
Probability distributions can be used to model potential outcomes of
risk.
Discrete distributions describe observations that are limited to a finite set
of values. For example, the numbers on the faces of a die produce only
six possible results.
Continuous distributions describe observations that can take any value
within a continuous range. For example, if project costs are budgeted
to the nearest penny, their expected total will follow a continuous
probability distribution.
Probability distributions vary in shape according to the underlying
behavior being analyzed. Distributions may take a normal, symmetric
shape or they may be skewed toward one extreme.
Two probability distributions commonly used in project management
are:
• Beta
• Triangular
Figure 5-6 shows the characteristic shapes of these distributions.
PMBOK® Guide, Fourth Edition
Figure 5-6. Two Commonly Used Probability Distributions
In a construction project, it might be necessary to predict the number
of below-freezing days at the construction site. If the same calendar
period is examined for a number of previous years, you can create a
probability distribution by plotting each number of below-freezing days
during that period against the number of years when that number
occurred. The probability distribution for the number of below-freezing
days will cluster around the average for previous years and will have
two equal tails, one toward a lower number and one toward a higher
number. This balanced, symmetric distribution is called a normal
distribution, which was graphed in Figure 5-3.
When estimating the duration of an activity, however, the tail
representing duration of fewer days is always shorter than the tail
representing duration of more days.
This is because, even when everything goes right, the activity cannot
take less time than some minimum number of days; however, it can
extend substantially in the worst case, when it is affected by an
unexpected series of unfortunate events. This tends to produce a
skewed curve, with more values to the right of the distribution’s peak
than to the left, as well as a longer tail to the right. For activity
durations and associated costs, the probability distribution of the
activity durations follows this curve in what is known as a beta
distribution. Due to the complexity of analyzing timing for activities,
and especially for entire projects, a software tool should be used to
derive the probability distribution and the forecasted value needed to
achieve a desired confidence level. Software tools that address activity
durations are preprogrammed to use beta probability distributions.
Another distribution sometimes used in project management is the
triangular distribution, which is a continuous probability distribution
defined by a lower limit, a mode, and an upper limit. The triangular
distribution is typically used as a subjective description of a population
for which there is only limited sample data, although the relationship
between variables is known. For example, a method to estimate task
durations where each estimate is based on a minimum, a maximum, and
a most likely value is an application of triangular distribution.
Quantitative Risk Analysis and Modeling Techniques
Commonly used analysis techniques may focus on an event, such as the
impact of a decision, or on the project as a whole.
Sensitivity Analysis
Sensitivity analysis can be used to predict the impact of a proposed
change to a project baseline upon the project objectives. It is also used
to determine the impact of using substitute resources or alternative
technologies on the project objectives.
DEFINITION: SENSITIVITY ANALYSIS
“A quantitative risk analysis and modeling technique used to help
determine which risks have the most potential impact on the project. It
examines the extent to which the uncertainty of each project element
affects the objective being examined when all other uncertain elements are
held at their baseline values. The typical display of results is in the form of
a tornado diagram.”
PMBOK® Guide, Fourth Edition
In order to achieve the most benefit from the smallest possible
investment in managing a risk, it is important to determine which
factors will affect the outcome the most. These factors are said to be
dominant. When many factors are in play, it is often worthwhile to use
experimental or historical methods to isolate dominant factors. In
historical situations or experiments, one variable is examined for impact
on a situation’s outcome. This technique is repeated for every factor
suspected of being dominant. Variations in the inputs to the dominant
factors produce the widest swings in outcome values.
Sensitivity analysis can be used to predict the impact of a proposed
change to a project baseline on the project objectives. It can predict
the impact on the project objectives of using substitute resources or
alternative technologies.
Sensitivity Analysis: Line Graph
Figure 5-7 shows the relationship between labor rates and the total
project budget for three labor types. The dependent variable (total
project budget) is most sensitive to variations in the Type 1 variable,
since equivalent changes in this factor produce relatively greater
changes in the dependent variable than the other types.
This sensitivity analysis shows that the project manager should focus
more attention on controlling the labor rate of the Type 1 resources
than on controlling the rates of the other labor. Note that the Type 1
labor rate represents the greatest risk, because as it varies, it has the
greatest impact on the total project budget. It also represents the
greatest positive risk (or opportunity) for the same reason.
Figure 5-7. Sensitivity Analysis: Labor Rates and Total Project Budget
Sensitivity Analysis: Tornado Diagram
A tornado diagram is a useful graphical tool for depicting risk sensitivity
or influence on the overall variability of the risk model. Tornado
diagrams show the correlation between variations in model inputs and
the distribution of the outcomes; in other words, they highlight the
greatest contributors to the overall risk. Figure 5-8 is a tornado diagram
for a portion of the Panama Canal Third-Lane Locks expansion project.
The length of each bar on the tornado diagram indicates the relative
influence of the associated item on overall risk. This example depicts
only a portion of the tornado diagram from one analysis of technical
risks on the project.
Figure 5-8. Tornado Diagram Example: Panama Canal Third-Lane Locks
Sensitivity Analysis Scenario
In sensitivity analysis, calculations of schedule, cost, and other project
performance attributes are repeated while varying one risk’s impact
according to its probability distribution.
Imagine that as a project manager you are trying to determine the
effects of three major project attributes (Labor Rate, Materials, and
Interest Rate) on your project from a risk perspective.
Experts from your project have provided the most likely estimates, but
have also provided a pessimistic and optimistic view for the three
attributes:
1. Labor Rate: Most likely = $60, Pessimistic = $85, Optimistic = $45
The project requires 1,000 hours of labor.
2. Materials: Most likely = $185, Pessimistic = $260, Optimistic = $100
The project requires 1,000 units of material.
3. Interest rate: Most likely = 8%, Pessimistic = 14%, Optimistic = 6%
The project is borrowing $100,000.
A sensitivity analysis can use this input to determine which of these
attributes has the most effect on the project as the values of the
attributes vary from pessimistic to optimistic.
For reference, you can set all of the attributes to Pessimistic, Most
Likely, and Optimistic. If you do that, you end up with the total cost for
all three attributes at:
• All Pessimistic: $359,000
• All Most Likely: $253,000
• All Optimistic: $151,000
To determine sensitivity, hold two of the three attributes at Most
Likely and set the third to its Pessimistic extreme, repeating this for
each attribute in turn.
This results in the following:
• Labor Pessimistic (Materials/Interest held at Most Likely):
$278,000
• Materials Pessimistic (Labor/Interest held at Most Likely):
$328,000
• Interest Pessimistic (Labor/Materials held at Most Likely):
$259,000
The conclusion is that your project is most sensitive to Materials
because at a value of $328,000, it results in the highest cost for the
combined attributes, almost as bad as the overall worst case combined
cost of $359,000.
This shows the project manager that Materials present the greatest
opportunity and threat (in other words, it contains the most risk). If
deciding where to try to reduce costs, the project manager might want
to focus first on the materials in this case.
Sensitivity Analysis Scenario: Summary
Figure 5-9. Sensitivity Analysis Scenario: Summary
Example Calculation
Example calculation: $278,000 (Pessimistic Labor) is the result of:
• Pessimistic Labor ($85 x 1000) plus Most Likely Materials ($185 x
1000) plus Most Likely Interest (.08 x 100,000).
• That’s $85,000 + $185,000 + $8,000, or $278,000.
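The scenario above can be worked through in code. The following Python is an added example, not part of the original guide: it recomputes the reference totals and the one-at-a-time results from the figures in the text, and extends the scenario by also setting each attribute to its Optimistic value so that the attributes can be ranked by swing, the bar order of a tornado diagram. The function and variable names are assumptions made for this example.

```python
# Added example: one-at-a-time sensitivity analysis for the scenario above.
# The rates, quantities and loan amount are the figures given in the text.

# name -> ((optimistic, most likely, pessimistic) unit value, quantity)
ATTRIBUTES = {
    "Labor": ((45, 60, 85), 1_000),              # $/hour, hours of labor
    "Materials": ((100, 185, 260), 1_000),       # $/unit, units of material
    "Interest": ((0.06, 0.08, 0.14), 100_000),   # rate, amount borrowed
}
CASE_INDEX = {"optimistic": 0, "most_likely": 1, "pessimistic": 2}


def total_cost(cases):
    """Total cost in dollars; `cases` maps attribute name -> case name."""
    total = 0.0
    for name, (estimates, quantity) in ATTRIBUTES.items():
        total += estimates[CASE_INDEX[cases[name]]] * quantity
    return round(total)


def all_at(case):
    """Reference totals: every attribute set to the same case."""
    return total_cost({name: case for name in ATTRIBUTES})


def one_at_a_time():
    """Vary one attribute while the others stay at Most Likely.

    Returns one row per attribute, sorted by swing (pessimistic total minus
    optimistic total), largest first: the bar order of a tornado diagram.
    """
    rows = []
    for name in ATTRIBUTES:
        totals = {}
        for case in ("optimistic", "pessimistic"):
            cases = {other: "most_likely" for other in ATTRIBUTES}
            cases[name] = case
            totals[case] = total_cost(cases)
        rows.append({
            "attribute": name,
            "low": totals["optimistic"],
            "high": totals["pessimistic"],
            "swing": totals["pessimistic"] - totals["optimistic"],
        })
    return sorted(rows, key=lambda row: row["swing"], reverse=True)


def tornado_text(rows, width=40):
    """Render the rows as a plain-text tornado chart, widest bar on top."""
    widest = rows[0]["swing"]
    lines = []
    for row in rows:
        bar = "#" * max(1, round(width * row["swing"] / widest))
        lines.append(
            f"{row['attribute']:<10} {row['low']:>8,} .. {row['high']:>8,}  {bar}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print("All Most Likely:", f"{all_at('most_likely'):,}")
    print(tornado_text(one_at_a_time()))
```
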
Expected Monetary Value Analysis
DEFINITION: EXPECTED MONETARY VALUE (EMV) ANALYSIS
“A statistical technique that calculates the average outcome when the
future includes scenarios that may or may not happen. A common use of
this technique is within decision tree analysis.”
PMBOK® Guide, Fourth Edition
EMV is a technique for assigning a specific dollar value to a set of
alternative, uncertain outcomes.
• The EMV of a specific uncertain outcome is the value of the
outcome, multiplied by its probability.
• The EMV of all outcomes is the sum of their individual EMVs.
For example, suppose that if a project risk were realized, it would cost
the project $12,000. Suppose the risk has a 50% probability of occurring.
Then its EMV is (.50 * -12,000), or -$6,000. The use of a negative
indicates that it is an outflow, or cost, and is undesirable.
Suppose the project manager has to choose between two alternatives:
the first one leads to the first risk, while the other one leads to a
second risk. Suppose the second risk has an impact of -$15,000, but has
only a 33% chance of occurring. The second risk’s EMV is (.33 * -15,000),
which is only -$5,000. So (barring other possible considerations), the
project manager should choose the alternative leading to the second
risk, not the first.
Decision Tree Analysis
A common use of expected monetary value analysis is in decision tree
analysis. A decision tree is a diagram with one starting point and
branches where junctions represent either decisions or chance events.
The tree incorporates the probability of occurrence for each chance
event and the cost or benefit of each end outcome.
A decision tree can be used in the following instances:
• To describe decisions under consideration and the implications of
choosing one or another of the available alternatives
• To account for significant random events
• To indicate which decision yields the greatest expected monetary
value when uncertain implications, risks, costs, rewards, and
decisions are quantified
• To compare alternatives and outcomes
Figure 5-10 shows a simplified decision tree, with one decision and two
chance events. In this case, a decision is made and both chance events
occur, each yielding outcomes having known probability.
Figure 5-10. Simplified Decision Tree
The sum of the probabilities of all the outcomes from a single chance
event must be 100%, since one of them must occur. The chance event in
the upper branch is the same event as the chance event in the lower
branch, but the decision has an influence on the probabilities of the
chance event’s outcomes.
EXAMPLE: DECISION TREE ANALYSIS
As a company that built its reputation on customer service, Capitol Flyer is
determined to offer its customers the conveniences they will most value.
The project manager has planned a customer survey and focus groups to
gather that information for the Corporate Customer Satisfaction project.
Cost comparison is one important aspect she uses to determine whether to
develop and deliver that in-house, or outsource it to a marketing company.
To view her decision-tree analysis, see Appendix C.
Decision Tree Example
The decision tree in Figure 5-11 shows a decision regarding whether to
build a new plant or upgrade the existing plant to cope with anticipated
strong demand for a product line. Each decision involves construction
costs. Because product demand is uncertain, it is represented in a
simplified way by two outcomes: Strong Demand and Weak Demand.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 5-11. Decision Tree Diagram Example
In this case, the new plant will allow the firm to make more of its
product than the upgraded plant, and the probabilities of strong or weak
demand are unaffected by the plant decision. This tree shows that Build
New Plant has a value of $36M and Upgrade Plant has a value of $46M.
This conclusion involves analyzing the tree branches from left to right.
Steps in decision tree analysis include the following:
• Determine the Decision Definition. Here, it’s Build or Upgrade?
• Define the Decision Node. List the name and cost of each
alternative (shown as negative numbers). Determine the risk or
opportunity of each possible outcome.
  ◦ In this scenario, product demand is considered the primary
  factor.
• Based on analysis not shown, provide information for the Chance
Node. In the example, it is assumed that:
  ◦ For both paths, there is a 60% probability that product
  demand is strong and a 40% probability (or risk) that demand
  is weak.
  ◦ The payoff for a new plant is $200M in response to strong
  demand, but only $90M in response to weak demand.
  ◦ Payoffs for an upgraded plant are $120M and $60M in
  response to those respective demands.
  ◦ The behavior of demand is not affected by the build-or-upgrade
  decision.
• For the Net Path Value column, calculate the payoff for each
branch. For example, on the Build New Plant branch, which costs
$120M:
  ◦ There is a 60% chance of strong product demand, defined to
  result in a payoff of $200M.
  ◦ Continuing with strong product demand, subtract the cost of
  the decision ($120M) from the expected payoff ($200M) for a
  net gain of $80M, shown in the Net Path Value column.
  ◦ Multiply the gain by its probability (60%), yielding $48M
  ($80M * .60 = $48M). You can display this calculation in the
  Net Path Value column.
  ◦ Repeat relevant steps to quantify the weak demand option
  on the Build branch. Subtract the cost of the decision
  ($120M) from the expected outcome ($90M) for a net loss of
  $30M. Factored by the probability of weak demand (40%), the
  value of the weak demand option is -$12M.
• To determine the total expected monetary value of the Build
decision, combine the expected monetary values of the two
outcomes (strong and weak). You can display this calculation in the
Decision Node.
  ◦ In this case, Expected Monetary Value (Build) = $48M - $12M
  = $36M.
  ◦ Applying relevant steps to the Upgrade Plant branch, its
  value is calculated to be $46M.
• Compare the expected monetary values of the decisions. The
winning decision can be indicated in the Decision Definition
column.
  ◦ Because $46M is greater than $36M, the overall expected
  value of the Upgrade strategy is higher and should be the
  correct choice.
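The steps above can be carried out as a recursive roll-up of the tree. The following Python is an added example, not part of the original guide; it generalizes slightly by accepting nested decision and chance nodes. The node helpers and function names are assumptions made for this example, and the Upgrade Plant cost of $50M is not stated in this section: it is the value implied by the stated payoffs, probabilities, and $46M result.

```python
# Added example: EMV roll-up of the Build-or-Upgrade decision tree.
# Amounts are in $M. UPGRADE_COST is an assumption: it is not stated in this
# section; 50 is the value implied by the stated payoffs, probabilities and
# the $46M result.
UPGRADE_COST = 50


def outcome(payoff):
    """End outcome with its payoff."""
    return {"type": "outcome", "payoff": payoff}


def chance(*branches):
    """Chance node; branches are (label, probability, child node) tuples."""
    return {"type": "chance", "branches": branches}


def decision(*options):
    """Decision node; options are (name, cost, child node) tuples."""
    return {"type": "decision", "options": options}


def emv(node, spent=0.0):
    """Expected monetary value of `node`, net of costs `spent` on the path."""
    if node["type"] == "outcome":
        return node["payoff"] - spent  # net path value
    if node["type"] == "chance":
        total_p = sum(p for _, p, _ in node["branches"])
        if abs(total_p - 1.0) > 1e-9:
            raise ValueError(f"chance probabilities sum to {total_p}, not 1")
        return sum(p * emv(child, spent) for _, p, child in node["branches"])
    if node["type"] == "decision":
        # A rational decision maker takes the option with the highest EMV.
        return max(emv(child, spent + cost)
                   for _, cost, child in node["options"])
    raise ValueError(f"unknown node type: {node['type']!r}")


def evaluate(decision_node):
    """EMV of each option at a decision node, and the option to choose."""
    values = {name: emv(child, cost)
              for name, cost, child in decision_node["options"]}
    return values, max(values, key=values.get)


def paths(node, spent=0.0, probability=1.0, trail=()):
    """Yield (trail, net path value, path probability) per end outcome."""
    if node["type"] == "outcome":
        yield trail, node["payoff"] - spent, probability
    elif node["type"] == "chance":
        for label, p, child in node["branches"]:
            yield from paths(child, spent, probability * p, trail + (label,))
    else:
        for name, cost, child in node["options"]:
            yield from paths(child, spent + cost, probability, trail + (name,))


TREE = decision(
    ("Build New Plant", 120, chance(
        ("Strong Demand", 0.60, outcome(200)),
        ("Weak Demand", 0.40, outcome(90)),
    )),
    ("Upgrade Plant", UPGRADE_COST, chance(
        ("Strong Demand", 0.60, outcome(120)),
        ("Weak Demand", 0.40, outcome(60)),
    )),
)

if __name__ == "__main__":
    for trail, net, p in paths(TREE):
        print(" / ".join(trail), f"net {net:+.0f}M x {p:.0%} = {net * p:+.0f}M")
    values, best = evaluate(TREE)
    print(values, "->", best)
```
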
EXERCISE: APPLY A PERFORM QUANTITATIVE RISK ANALYSIS TOOL
Apply a quantitative analysis tool (decision tree analysis) to a risk identified
in the previous exercise associated with the case study. Refer to the
Perform Quantitative Risk Analysis topic in Appendix A.
Modeling and Simulation
DEFINITION: SIMULATION
“A simulation uses a project model that translates the uncertainties
specified at a detailed level into their potential impact on objectives that
are expressed at the level of the total project. Project simulations use
computer models and estimates of risk, usually expressed as a probability
distribution of possible costs or durations at a detailed work level, and are
typically performed using a Monte Carlo analysis.”
PMBOK® Guide, Fourth Edition
In a simulation, the project model is computed many times (iterated),
with values such as cost estimates or activity durations chosen
randomly for each iteration from the probability distributions of these
variables. Then a probability distribution of an outcome, such as total cost or
completion date, is calculated from the iterations.
Figure 5-12 shows an example of a cumulative distribution from a cost
risk simulation. The x axis represents possible costs for the project, and
the y axis indicates the probability of a particular cost. This cumulative
chart reflects the data in Figure 5-5 on interviewing for optimistic, most
likely, and pessimistic cost estimates. This example assumes triangular
distributions, which are illustrated in Figure 5-6.
PMBOK® Guide, Fourth Edition
Figure 5-12. Cost Risk Simulation Results
Simulation for schedule risk analysis, taking as inputs the schedule
network diagram and schedule duration estimates, can result in a
similar chart showing the likelihood of achieving particular schedule
targets.
Initial estimate information is entered into modeling tools and results of
varying complexity are produced, depending on the sophistication of the
tool.
For an analysis of the project’s total duration, the team creates the
project network of activities in a standard scheduling tool and estimates
the minimum, maximum, and most likely durations for each activity.
The simulation tool then produces an analysis of the network, describing
the critical path, the most likely project duration, and the distribution
of project durations with their associated probabilities. If the results
indicate that there is too much uncertainty to achieve the original
project schedule objective, then either the project objective must be
changed, or the project schedule must be modified, which may involve
fixing the planned activities by adding resources or changing
dependencies until the resulting analysis indicates a good likelihood of
success.
The idea here is to replicate the project model in a number of scenarios
in order to better understand probable effects or outcomes.
Monte Carlo Simulation
DEFINITION: MONTE CARLO SIMULATION
“A process which generates hundreds or thousands of probable performance
outcomes based on probability distributions for cost and schedule on
individual tasks. The outcomes are then used to generate a probability
distribution for the project as a whole.”
PMBOK® Guide, Fourth Edition
Running a Monte Carlo analysis on the project involves setting up an
experiment to simulate the project running from start to finish many
times. Each time, the independent variables are set randomly,
according to the probability distributions they have been assigned.
Monte Carlo simulation is based on statistical probabilities. It is
extremely economical in analyzing complex situations, in which
algorithmic calculations are too difficult or labor-intensive to carry out.
The Monte Carlo method involves randomly generating values for each
input variable, using the probability distribution for the variable as the
range within which the values must fall. The values of the variables are
combined in a complex calculation to generate an outcome. This
process is repeated many times, using as many likely combinations of
values as possible, and the outcomes are plotted into a probability
distribution.
Once a Monte Carlo simulation establishes the probability distribution
for a set of outcomes, the project team can use this information to
decide on a course of action. The result of examining the outcomes may
involve either altering the project objective so that its likelihood of
success is sufficiently high, or reserving a contingency (usually a
schedule or cost contingency) to reach the desired level of confidence
in the project’s ability to achieve the objective.
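A small cost simulation shows how the outcome distribution turns into a confidence level and a contingency figure. The following Python is an added example, not part of the original guide: it draws each of the three attributes from the sensitivity analysis scenario from a triangular distribution, builds the cumulative distribution of total cost, and reads off the reserve needed above the all-Most-Likely baseline of $253,000. Treating the attributes as independent, the iteration count, the seed, and the function names are assumptions made for this example.

```python
import bisect
import math
import random

# Added example: Monte Carlo cost simulation with triangular distributions.
# (name, optimistic, most likely, pessimistic, quantity) are the figures from
# the sensitivity analysis scenario in this module.
ITEMS = [
    ("Labor", 45, 60, 85, 1_000),
    ("Materials", 100, 185, 260, 1_000),
    ("Interest", 0.06, 0.08, 0.14, 100_000),
]
BASELINE = 253_000  # total cost with every attribute at Most Likely


def simulate(iterations=10_000, seed=273):
    """Run the cost model `iterations` times; return sorted total costs.

    Each attribute is drawn independently (an assumption of this example)
    from a triangular distribution defined by its three estimates. The fixed
    seed makes the run repeatable.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(iterations):
        total = 0.0
        for _name, low, mode, high, quantity in ITEMS:
            total += rng.triangular(low, high, mode) * quantity
        totals.append(total)
    totals.sort()
    return totals


def cost_at_confidence(sorted_totals, confidence):
    """Smallest simulated cost that `confidence` of the runs do not exceed."""
    if not 0 < confidence <= 1:
        raise ValueError("confidence must be in (0, 1]")
    index = math.ceil(confidence * len(sorted_totals)) - 1
    return sorted_totals[index]


def confidence_of_budget(sorted_totals, budget):
    """Fraction of runs that finish at or under `budget` (cumulative value)."""
    return bisect.bisect_right(sorted_totals, budget) / len(sorted_totals)


def contingency_reserve(sorted_totals, confidence, baseline=BASELINE):
    """Reserve to add to `baseline` to reach the desired confidence level."""
    return max(0.0, cost_at_confidence(sorted_totals, confidence) - baseline)


if __name__ == "__main__":
    runs = simulate()
    print(f"Chance of meeting the ${BASELINE:,} baseline: "
          f"{confidence_of_budget(runs, BASELINE):.0%}")
    for level in (0.50, 0.80, 0.95):
        print(f"{level:.0%} confidence: cost <= "
              f"${cost_at_confidence(runs, level):,.0f}, "
              f"reserve ${contingency_reserve(runs, level):,.0f}")
```

The printed table is the numeric form of a cumulative chart such as Figure 5-12: each row pairs a confidence level with the cost that many runs stayed under.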
For example, to determine the correct contingency reserve to establish
for a project budget item, a Monte Carlo simulation would generate
random values for the contingency reserve and apply them to a
calculation of the total cost, factoring in the probabilities of other risk
events occurring during the project. After running many of these
simulations, the project team can identify the cost contingency input
value that produces an outcome that falls within an acceptable range of
total cost and schedule, resulting in the lowest impact on the project
objectives, or in achieving the stated target objective with the desired
confidence level.
Typically, the analysis centers on the project schedule network or its
critical path. Each task on the critical path involves a schedule risk. To
understand that risk, the project management team must answer the
following questions:
• What is the most likely duration of this task?
• What is the risk, or probability, that it will be longer (or shorter)?
• How confident is the stakeholder that the task was estimated and
  budgeted accurately?
Steps in Monte Carlo Simulation
As in qualitative analysis, the project manager and key stakeholders on
the project participate in creating the data used in the analysis. It is
likely that they will need a trained specialist to assist with the Monte
Carlo modeling in order to get meaningful results. Monte Carlo
simulation capability is built into some project management software
tools; other software can be augmented with an add-in Monte Carlo
simulation module from third parties.
When applying Monte Carlo simulation, follow these steps:
1. Interview experts on the project to gather likely task duration
estimates.
2. Enter collected data into modeling tools. Results vary in complexity
with the sophistication of the tool.
3. Create the project network of activities in a standard scheduling
tool.
4. Analyze the project’s total duration.
5. Estimate the minimum, maximum, and most likely durations for
each activity.
6. Using the simulation tool, analyze the network, describing the
critical path, the most likely project duration, and the distribution
of project durations with their associated probabilities.
7. If the simulation results indicate a poor likelihood of achieving the
project schedule objective, change the project objective or modify
the project schedule. Alter planned activities by adding resources or
changing dependencies until the resulting analysis indicates a likely
success.
Monte Carlo Simulation Example
The chart in Figure 5-13 displays the results from a Monte Carlo
simulation of the schedule duration for a typical project. The output
data at the top left states that there were 200 samples, indicating that
200 runs were executed.
The chart shows a distribution of the runs against the Completion Date
on the x-axis. Each bar represents the number of runs that show the
project delivered on a particular Completion Date; the actual count is
reported on the left y-axis. There is also a cumulative probability curve,
which runs from the bottom left to the top right.
Figure 5-13. Monte Carlo Simulation Results Example
To interpret the sample result, start with the bars. They form an
approximately bell-shaped curve, whose midpoint appears to occur at
March 29, 2000. Individual bars are not of interest in this analysis; only
the overall distribution is useful.
• If the number of runs in each bar is accumulated from left to right
  and the sum at each position is divided by the total number of runs
  in the simulation, the result is the cumulative probability curve.
• Look at the midpoint of the bars (March 29, which has a value of 50%
  probability in the data table to the right of the graph). Note that
  100 runs show the project completing on that date or earlier,
  representing 50% of the 200 total runs.
• The data that produced the cumulative probability curve is reported
  in the table to the right of the graph. The table shows that 75% of
  the runs produce the outcome of project completion on or before
  April 12. Using this table makes it easy to assess the probability that
  a particular target completion date will be met.
• Based on this analysis, there is a 75% probability of finishing by April
  12.
Monte Carlo Simulation Summary
In a Monte Carlo simulation, the project is virtually iterated using
randomly selected possible values for expenses or activity durations,
resulting in a cumulative probability curve for project cost or schedule.
• The Monte Carlo simulation calculates the total duration of the
  project schedule based on varying factors.
• If the durations of activities have been set for the minimum, most
  likely, and maximum durations, the simulation can randomize these
  values.
• The simulation shows a distribution of durations, which can be used
  to determine the most likely duration, but is best used to determine
  the likelihood of a particular target completion date, or to set a
  target date based on the minimum acceptable probability of
  success.
• If the outcomes are not acceptable, sensitivity analysis can be used
  to find the factors that cause the greatest increase in duration.
  These factors can then be addressed by reducing their influence,
  focusing management attention on them, perhaps eliminating them,
  or eliminating the affected work. Of course, if the schedule is the
  only problem, schedule compression techniques can also be explored
  without addressing these factors; another simulation should then be
  run on the revised schedule to ensure that new problems have not
  been introduced.
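The simulation steps, the cumulative probability reading, and the sensitivity check described above, as an added Python example that is not part of the course guide. The task names, the three-point estimates, the triangular distribution, and the use of correlation as the sensitivity measure are assumptions chosen for illustration.

```python
import math
import random
from bisect import bisect_right

# Constructed sample network (hypothetical tasks, durations in working days).
# name: (minimum, most likely, maximum, predecessors); each task is listed
# after its predecessors so one pass over the dict is a valid forward pass.
TASKS = {
    "design":  (8, 10, 15, []),
    "build":   (15, 20, 35, ["design"]),
    "docs":    (5, 8, 12, ["design"]),
    "test":    (6, 10, 20, ["build"]),
    "release": (2, 3, 5, ["test", "docs"]),
}


def simulate_once(tasks, rng):
    """One simulated project: sample each duration, then walk the network."""
    sampled, finish = {}, {}
    for name, (low, likely, high, preds) in tasks.items():
        # Assumption: a triangular distribution over the three-point estimate.
        sampled[name] = rng.triangular(low, high, likely)
        # A task starts when its latest predecessor finishes.
        start = max((finish[p] for p in preds), default=0.0)
        finish[name] = start + sampled[name]
    return max(finish.values()), sampled


def run_simulation(tasks, runs=2000, seed=1):
    """Repeat the experiment; return sorted totals and the raw runs."""
    rng = random.Random(seed)  # fixed seed so the analysis is repeatable
    results = [simulate_once(tasks, rng) for _ in range(runs)]
    return sorted(total for total, _ in results), results


def probability_by(totals, target):
    """Cumulative probability: share of runs finishing on or before target."""
    return bisect_right(totals, target) / len(totals)


def duration_at_confidence(totals, confidence):
    """Shortest simulated duration met by at least `confidence` of the runs."""
    index = max(0, math.ceil(confidence * len(totals)) - 1)
    return totals[index]


def _pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length samples."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    return cov / math.sqrt(var_x * var_y)


def sensitivity(results, tasks):
    """Rank tasks by correlation of their sampled duration with the total."""
    totals = [total for total, _ in results]
    scores = {
        name: _pearson([s[name] for _, s in results], totals) for name in tasks
    }
    return sorted(scores.items(), key=lambda kv: abs(kv[1]), reverse=True)


if __name__ == "__main__":
    totals, results = run_simulation(TASKS)
    target = 50  # hypothetical schedule objective, in days
    print(f"P(finish within {target} days) = {probability_by(totals, target):.0%}")
    for conf in (0.50, 0.75, 0.90):
        print(f"{conf:.0%} confidence: {duration_at_confidence(totals, conf):.1f} days")
    for name, r in sensitivity(results, TASKS):
        print(f"{name:8s} correlation with total duration: {r:+.2f}")
```

The "docs" task never lies on the critical path in this network, so its correlation with total duration stays near zero even though its own duration varies.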
Expert Judgment
DEFINITION: EXPERT JUDGMENT
“Judgment provided based upon expertise in an application area,
knowledge area, discipline, industry, etc. as appropriate for the activity
being performed. Such expertise may be provided by any group or person
with specialized education, knowledge, skill, experience, or training.”
PMBOK® Guide, Fourth Edition
Expert judgment, in the form of experienced staff from other projects
in the organization or consultants, can be used to guide the analysis of
risk and to understand the behavior of risk causes. It can support the
evaluation of potential impacts on cost and schedule and it can provide
expertise in statistical methods.
Expert judgment is also valuable for interpreting data and selecting
quantitative analysis tools. Methods have weaknesses as well as
strengths and may be more or less appropriate for a given organization.
Topic 4: Outputs from the Perform Quantitative Risk Analysis Process
The Perform Quantitative Risk Analysis process has only one major
output:
• Risk register updates
Risk Register Updates
As in the Perform Qualitative Risk Analysis process, the output from the
Perform Quantitative Risk Analysis process is recorded as updates to the
risk register. Updates include documentation of quantitative methods
applied, results, and recommendations. The output may include an
overall project risk assessment, such as the risk of completing the
project by the due date. Other outputs may include a specific project
metric such as a technical performance measure (TPM), a cost or
schedule reserve, or a quality control tolerance.
DEFINITION: TECHNICAL PERFORMANCE MEASUREMENT
“A performance measurement technique that compares technical
accomplishments during project execution to the project management
plan’s schedule of planned technical achievements. It may use key
technical parameters of the product produced by the project as a quality
metric. The achieved metric values are part of the work performance
information.”
PMBOK® Guide, Fourth Edition
As analysis is repeated over the life of the project, another output is
risk trend data. A project that is run well should demonstrate a
downward trend in the overall risk. A sudden upward trend would serve
as a trigger or warning to implement corrective action.
The updates to the risk register from the Perform Quantitative Risk
Analysis process include:
• Probabilistic analysis of the project
• Probability of achieving cost and time objectives
• Prioritized list of quantified risks
• Trends in quantitative risk analysis results
Probabilistic Analysis of the Project
Probabilistic analysis provides probability distributions of the outcomes
of the project schedule and cost, generated by tools such as Monte
Carlo simulation. The results are combined with the information about
stakeholder risk tolerances to determine whether the probability of
meeting the project objectives is sufficient. If not, the appropriate size
and distribution of contingency reserves should be determined to give
stakeholders the necessary level of confidence.
Probability of Achieving Cost and Time Objectives
Quantitative analysis can indicate the probability of achieving the
current project cost and time objectives given the current project
management plan. This probability can show the need for changes,
whether in the project management plan, in the project objectives
themselves, or in the allocation of project contingency reserve.
Prioritized List of Quantified Risks
This list includes risks that pose the greatest threat or present the
greatest opportunity to the project, together with a measure of their
impact. Risk may be prioritized based on:
• Ranking (high, medium, or low risk)
• WBS level
• Immediacy
• What the team considers the greatest threat
• Scope, cost, schedule, and quality
• Greatest opportunity
• Stakeholder priorities
• Impact quantified
Not all risks can be acted upon, so there is a need to prioritize. Even if a
risk seems minor, remember stakeholder priorities. Quantifying impact
helps decision makers respond based on facts.
Trends in Quantitative Risk Analysis Results
Analysis of the most significant risks needs to be repeated at critical
points during the project. Trends in the forecasts for schedule or cost
may appear. Planned risk responses may require change. Conclusions
may be in a report separate from, or linked to, the risk register.
Module Summary
ADDRESSING THE BUSINESS CHALLENGE
Ana studies the highest risks associated with the parade – those determined
to be most likely to occur, and have the highest impact if they did – such as
insuring the antique car club.
For each of those, she creates a probability distribution, calculates
variance, and establishes contingencies based on the results.
Because the stakes are so high for the possibility of crowd injuries, she
completes a decision tree analysis to compare alternatives and outcomes.
This arms her with some accurate information with which to predict the outcome.
The Perform Quantitative Risk Analysis process is applied in proportion
to the project size and degree of overall project risk. Only risks that
qualitative analysis ranked high may be submitted to quantitative risk
analysis.
Tools and techniques for Perform Quantitative Risk Analysis may be
complex (decision tree analysis, simulation) or simple (interview,
sensitivity analysis). Choice of analytical approach depends on time and
budget resources, as well as need.
Module 6: Plan Risk Responses
Module Introduction
The Plan Risk Responses process develops options and actions to address
identified risks. The activities within the process are designed to
maximize the positive impact of opportunities, and to reduce threats to
the project objectives.
This module:
• Describes the Plan Risk Responses process
• Identifies the inputs, tools and techniques, and outputs of the Plan
  Risk Responses process
• Presents methods for developing appropriate risk response strategies
Module Objectives
Upon completion of this module, the participant will be able to:
• Define the Plan Risk Responses process
• Place the Plan Risk Responses process within the context of the
  project management framework
• Identify the purpose of the Plan Risk Responses process
• Understand the proactive nature of the Plan Risk Responses process
• Identify the inputs, tools and techniques, and outputs of the Plan
  Risk Responses process
• Describe types of risk response strategies and the factors affecting
  the choice of strategy
• Develop appropriate risk response strategies to address positive and
  negative risks (opportunities and threats)
Topic 1: Overview of the Plan Risk Responses Process
THE BUSINESS CHALLENGE
With all risks thoroughly evaluated, Ana can develop options and actions to
respond to those risks: to enhance opportunities and reduce threats.
Hannah, for instance, is excited about the involvement of Duane Evans'
drum and bugle corps. They will be an additional expense, but their
reputation makes them a big draw in the region. On the other hand, Jack
can't fathom why PJ Brown's Llama Wranglers are being allowed to
participate. “Any of those llamas could trample a kid,” Jack moans.
“Explain to me how that's worth the risk.” Ana reminds Jack they'd agreed
that the risk of doing the parade without the support of Brown's cousin,
police chief Mick Hopkins, is even higher.
“So what we need,” she tells him, “is a good plan for how to respond to
each potential risk.”
• What constitutes an appropriate risk response? What does a risk
  response plan look like?
In the Plan Risk Responses process, the project team decides how to
respond to identified risks. There is little value in simply being alert to
the existence of a risk unless an appropriate response has been
prepared.
The Plan Risk Responses process is the natural successor to the
processes of identifying and analyzing risks. Having analyzed and
prioritized the risk, an appropriate response must be planned, starting
with the highest priority risks.
Figure 6-1 shows that Plan Risk Responses occurs in the Planning Process
Group.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 6-1. Project Risk Management Process Group Map: Plan Risk
Responses
As a result of the Plan Risk Responses process, the project risk register
will contain the plans for minimizing the probability of a negative risk
and its impact on the project objectives. It will also contain the plans
for maximizing the probability of a positive risk and its impact on the
project objectives whenever possible.
DEFINITION: PLAN RISK RESPONSES
“The process of developing options and actions to enhance opportunities
and to reduce threats to project objectives”
PMBOK® Guide, Fourth Edition
Purpose of Plan Risk Responses
The purpose of the Plan Risk Responses process is to ensure that the risk
responses are:
• Appropriate to the severity of the risk
• Timely enough to be successful
• Cost effective in meeting the challenge
• Realistic within the project context
• Agreed upon by all parties involved
• Owned by a responsible person or party
One common pitfall is for a team to perform a risk analysis but fail to
plan an adequate response. A second pitfall is the failure of project
team members to create effective responses. The team may lack the
creativity or experience to devise actions that are practical, efficient,
and perhaps credible.
Finally, the most common failure of risk response plans is poor
implementation; risk owners are not assigned, do not understand their
responsibilities, fail to monitor the risk triggers, or fail to react
promptly and effectively when the risk trigger is observed.
Proactive Nature of Plan Risk Responses for Threats
For threats or the negative risks naturally encountered in life, such as
accidents or illnesses, it is normally most effective to minimize the
probability of the undesired event’s happening, and then to minimize
the impact.
Minimize the probability of a car accident by developing rules of the
road, requiring drivers to pass a test demonstrating that they
understand and can use them properly, providing rear-view mirrors,
installing stop lights at intersections, and providing traffic police to
deter drivers from ignoring the rules.
Minimize the impact of a car accident by wearing passenger restraints in
cars, buying insurance to minimize the financial damage, and organizing
community medical services to respond swiftly to minimize the health
damage.
What is true for everyday life is also true for project management.
Design risk responses to be cost-effective. The most cost-effective
controls are typically preventive controls. However, the Plan Risk
Responses process also includes the development of contingency or
fallback approaches, which are implemented if and when the risk
materializes. In most cases, the ability to implement these contingency
plans also requires advance preparation. Therefore, we can say that all
risk responses are to some degree proactive.
Proactive Nature of Plan Risk Responses for Opportunities
Someone interested in community service might join a volunteer group
in order to find opportunities to serve in the community. Joining the
group does not directly result in service; it merely presents the
opportunities and qualifies the individual to participate in them. As
another example, many people pursue higher education or professional
certifications before they learn of a job opportunity in which they can
use their new skills. Both strategies constitute Plan Risk Responses for
positive risks.
Similarly in projects, unexpected opportunities for the project
management team to reduce cost or shorten the project schedule
sometimes arise.
For example, acquiring and incorporating a newly released commercial
product to replace a component that the project team originally
planned to develop may greatly reduce the development time and cost.
Interactions with Other Processes
Figure 6-2, the Plan Risk Responses process data flow diagram, shows
how inputs are transformed through tools and techniques into outputs.
PMBOK® Guide, Fourth Edition
Figure 6-2. Plan Risk Responses Data Flow Diagram
Overview of Plan Risk Responses Inputs, Tools and Techniques, and Outputs
Figure 6-3 shows the inputs, tools and techniques, and outputs of the
Plan Risk Responses process. These inputs, tools and techniques, and
outputs are discussed in detail in this module.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 6-3. Plan Risk Responses: Inputs, Tools & Techniques, and
Outputs
Topic 2: Inputs to the Plan Risk Responses Process
The inputs to the Plan Risk Responses process, described below, are:
• Risk register
• Risk management plan
Risk Register
The risk register may include:
• A list of prioritized risks, produced by qualitative risk analysis (Plan
  responses to risks considered urgent first.)
• Common root causes of risks that may have been identified during
  the Perform Qualitative Risk Analysis or Perform Quantitative Risk
  Analysis processes (Aggregating the impacts of risks with common
  causes makes it easier to see which interventions will have the most
  effect for the smallest investment.)
• A list of potential responses from the Identify Risks process (This list
  indicates what strategies might be useful in addressing a particular
  risk.)
• A list of risks for additional analysis and response
• Trends in qualitative analysis results (These can be used to forecast
  when risks are likely to demand action so that an intervention can
  be prepared before it is necessary.)
• A watch list of low-priority risks (Review these risks to determine if
  any have changed enough to warrant analysis, or even immediate
  action.)
Risk Management Plan
Important components of the risk management plan include:
• Roles and responsibilities
• Risk analysis definitions
• Timing for reviews, and for eliminating risks from review
• Risk thresholds for low, moderate, and high risks
Topic 3: Tools and Techniques for the Plan Risk Responses Process
The tools and techniques for the Plan Risk Responses process are:
• Strategies for negative risks or threats
• Strategies for positive risks or opportunities
• Contingent response strategies
• Expert judgment
Strategies for Negative Risk or Threats
Strategies for threats include:
• Avoid the risk
• Transfer the risk
• Mitigate the risk
• Accept the risk
Avoid the Risk
DEFINITION: RISK AVOIDANCE
“A Plan Risk Responses technique for a threat that creates changes to the
project management plan that are meant to either eliminate the risk or to
protect the project objectives from its impact.”
PMBOK® Guide, Fourth Edition
Some actions that may be taken to avoid a negative threat are:
• Change the project plan. This may create new risks, which can
  reduce the benefit of the change or even be more problematic than
  the risk being avoided. Such new risks arising directly from a risk
  response plan are called secondary risks. Modifying the project plan
  can involve:
  - Clarifying requirements to eliminate the possibility of ambiguity
  - Improving communications to reduce misunderstandings and
    resulting rework
  - Acquiring expertise to eliminate the likelihood of poor quality or
    late deliverables
  - Getting buy-in from the sponsor and stakeholders (for example,
    inviting these people to a presentation or lunch discussion)
• Alter the project scope, schedule, budget, or quality objectives so
  that they will be met.
• Change the technical activity or underlying design to avoid the
  activity associated with the risk.
• Use familiar methods and resources. Every new team member
  represents risk, for example: the possibility that he or she will not
  get along with others, will do poor quality work, or will not meet
  commitments. So project leaders and managers tend to choose
  people they know instead of strangers when staffing a team.
Transfer the Risk
DEFINITION: RISK TRANSFERENCE
“A risk response planning technique that shifts the impact of a threat to a
third party, together with ownership of the response.”
PMBOK® Guide, Fourth Edition
Transferring risk shifts the consequences and responsibility of a risk to
another party. Transference does not eliminate the risk. If, however,
the other party is more capable than the performing organization at the
kind of work in question, the work may represent a lower risk to the
other party, and thus the project, than it does to the project team.
Choose the other party for capabilities that reduce the risk to the
overall project. Although the possibility for the risk to materialize will
still exist, it is reduced. Furthermore, if the other party cannot deliver,
the performing organization will receive some compensation.
The compensation should be equivalent to the loss associated with the
unmet project objectives. If the performing organization had attempted
the work itself and failed, there would have been no compensation. In
exchange for these benefits, the performing organization pays the other
party a premium, representing the value of the party’s experience in
reducing the risk.
Contracts can be used to transfer a specific risk, for example,
outsourcing manufacture of a challenging subcomponent, or to transfer
the impact of a liability, as when an insurance policy is purchased.
Contractual agreements ensure that there is a documented agreement,
which is substantially stronger in legal terms than a verbal
understanding, and that the task and its risks are accountable to the
contracting party. On some projects, it may be advisable for the
performing organization to use a contract to eliminate its liability for
specified risks that are deemed subject to “force majeure” (that is,
beyond human will and ability to control), such as losses due to
weather, earthquakes, or civil unrest.
EXAMPLE: TRANSFERRING RISK
If the prototype of a new aircraft requires a titanium bulkhead, and the
company building the prototype has no experience machining titanium, they
may subcontract this work to a vendor who does. The vendor with this
experience may be a specialist, and his experience can reduce the risk to
the overall project that the bulkhead component will be flawed.
Transferring liability is effective for financial risk. This usually involves
paying a fee to the counterparty as compensation for accepting the risk.
Types of fees include:
• Insurance
  Typically insurance protects the performing organization against a
  loss, such as fire or weather damage.
• Performance bonds
  The customer may require a bond for protection against damages
  should the performing organization fail to perform. A supplier might
  be required to buy a bond to protect the project from losses, should
  the supplier fail to perform under the terms of their engagement.
• Warranties
  This approach ensures a period of service or protection, for which a
  fee is usually paid to the supplier. It can relieve you of the cost of
  exhaustive acceptance testing and may reduce your overall support
  costs once the product of the project is in operation.
• Guarantees
  A promise made on some performance aspect of a product or
  service. In law this may be a promise made by a third party to
  perform should the primary party fail to perform.
Mitigate the Risk
DEFINITION: RISK MITIGATION
“A risk response planning technique associated with threats that seeks to
reduce the probability of occurrence or impact of a risk below an
acceptable threshold.”
PMBOK® Guide, Fourth Edition
Mitigation is the most commonly understood strategy. It attempts to
lessen the negative risk by reducing its probability and/or its impact to
acceptable levels.
A strategy using mitigation may also involve a contingency plan, which
is invoked once the risk materializes. The contingency plan’s purpose is
to limit the impact to the project should preventive measures fail. If
reducing a threat is not possible, the negative risk impact can often be
moderated by identifying and targeting factors that determine the
severity of the risk.
EXAMPLE: MITIGATING RISKS
Firefighters, for example, wear helmets to prevent falling ceiling materials
from causing them head injuries. If the material is heavy enough, they may
still suffer an injury, but the impact will have been reduced.
Some actions that may be taken to mitigate a negative threat are:
• Develop a prototype
• Consider an alternative path
• Simplify processes
• Conduct more engineering tests
• Select a more reliable seller
In general, an effective approach to mitigating risk is to identify these
three factors:
• Cause
• Driver
• Power of the driver
To find an effective mitigation strategy, consider these four questions:
• What causes the risk?
• What drives the magnitude of the impact?
• How controllable is the driver?
• How probable is the risk?
What Causes the Risk?
If the cause of the threat can be understood, and the causal
relationship can be altered or exploited, it may be possible to reduce
the likelihood that the risk will occur.
For example, in research studies regarding head-on collisions between
cars, it was determined that there was always a significant risk of a
head injury. During testing conducted on crash test dummies, it was
determined that head injuries were most often caused by striking the
car’s windshield. By implementing a shoulder restraint system that
crosses the passenger’s chest, it was possible to prevent the head from
reaching the windshield and to dramatically reduce this type of injury.
The use of seat belts is a preventive risk response that attacks the
causal factor in head injuries sustained during head-on car collisions.
What Drives the Magnitude of the Impact?
If the factors that influence the magnitude can be affected, then it may
be possible to diminish the impact of the risk.
As an example, buildings in the city of Venice are sinking, and the
effect of storm tides has been determined to be a significant factor in
the rate of sinking.
By installing tidal barriers that move, Venice has been able to reduce
the size of the storm tides, while still permitting tidal basin flows to
maintain the healthy flow of silt into the ocean and salt water into the
lagoon. This strategy reduces the risk that severe storms will cause
significant damage to the city.
How Controllable is the Driver?
In the Venice example, controlling tidal surges was not possible until
the development of tidal barriers by the British and Dutch for use in
controlling storm surges on the Thames and Eastern Scheldt estuaries in
the late 1970s. As a result of these technical achievements, it became
possible to control tidal surges as a driver of flooding damage in
estuaries around the world.
On the other hand, earthquake damage is caused by wavelike motions
resulting from the opening of cracks and by sudden vertical
displacements in the surface of the earth. Only wavelike motions can be
reliably controlled through the use of flexible construction techniques
and large rollers in building foundations, as in the Transamerica
Corporation building in San Francisco. The other driver of earthquake
damage remains largely uncontrollable.
Project Management Risk Mitigation Strategies
Suggested project management risk strategies are:
• Include the duration of risk response plans in the schedule baseline
  and negotiate additional schedule relief
• Use team reviews, at the work package level, to validate activity
  duration estimates
• Clarify the definitions of requirements, deliverables, tasks, and
  milestones
• Clarify and confirm assumptions and constraints
• Use a change control board to implement formal schedule baseline
  change control processes
• Schedule critical resources and technology within acceptable
  windows
• Write definitions for periodic vendor performance reviews into the
  purchase contract
• Ensure that vendors use project management tools
• Include vendor representatives as part of the project team
• Evaluate the use of more expert resources on challenging tasks
• Include the cost of risk response plans in the budget baseline
• Validate the budget by use of team reviews of bottom-up estimates
• Provide productivity enhancing tools whose learning curve is not so
  large that it consumes the immediate benefits to the project
• Monitor and manage costs via earned value management methods
• Conduct periodic performance reviews
Organizational Risk Mitigation Strategies
Suggested strategies to use within the organization to mitigate risk for a
project are:
• Obtain firm commitments for specialized resources, with
  guarantees, if needed
• Cultivate secondary sources for specialized resources and implement
  methods for rapid substitution of a secondary resource if the
  primary critical resource should become unavailable
• Obtain written commitments for funding and other resources
• Ensure that the project has a committed and active sponsor
• Obtain the highest possible priority for the project by conforming
  the cost-benefit value proposition of the project as closely as
  possible to the priority scheme of the organization
• Recommend the inclusion of elements of scope that offer benefits to
  powerful stakeholders in order to ensure their commitment
• Stay apprised of the progress of other projects on which the current
  project depends, and respond promptly if progress is unsatisfactory
External Risk Mitigation Strategies
Suggested strategies for mitigating risk that comes from outside the
organization are:
• Minimize development activities in hostile environments (political,
  business, weather)
• Avoid single sources for critical outsourced capabilities
• Include protections against shortages or price fluctuations in
  procurement contracts
• Include quality monitoring and defect correction provisions in
  procurement contracts
• Confirm market data and analyses
Technical Risk Mitigation Strategies
The list below shows suggested strategies for mitigating risks arising
from technical issues.
• Clarify technical requirements
• Control changes to specifications, deliverables, and acceptance
  criteria
• Design in tolerances and margins for technical products
• Identify the project’s technical limitations early in the design
  process
• Allocate work based on skill, or train and certify personnel in new or
  unfamiliar technologies
• Ensure adequate supervision during early stages of each type of
  work
• Involve suppliers in the design process
• Conduct reliability studies early
• Enforce discipline regarding the application of technical standards,
  procedures, and methods; conduct process training
• Simplify the technical solution where practical
• Conduct concept reviews and internal design reviews
• Implement a phased approach to developing the technical solution
  with in-process reviews by experts
• Use an established project life cycle
• Build prototypes
• Apply performance modeling, simulation, and analysis of designs
• Implement a change control process for technical specifications and
  deliverables
• Tie payment milestones to satisfactory technical reviews
Risk Mitigation Strategy Guidelines
Some examples of effective mitigation strategies are:
• Specific design features
• Redundancies to mitigate the impact of failures
• Prototype testing to validate the design
• Value engineering studies
• Formal design reviews
• Analytical modeling
• Functional testing
• Expert design review
• Financial incentives to vendors and contractors
• Use of management checkpoints at completion of major project
  phases
• Allocation of resource reserves
• Contingency reserves
• Implementation of project management processes to the
  appropriate level for the size and complexity of the project
Guidelines for Risk Response Strategies
There may be many techniques for managing and mitigating risks other
than those listed. The table below identifies sample project activities
that contribute to risks on a project and potential mitigation strategies.
PROJECT ACTIVITY CONTRIBUTING TO RISK | MITIGATION STRATEGIES
Use of new technology or new application of existing technology | Prototype testing
Unique new technology | Analytical modeling and simulation
An unusually complex design | Use of architecture to reduce coupling of subsystems, functional testing of subsystems
A novel design | Formal design review
Significant potential for personnel exposure to hazards | Safety review
Project schedule uncertainties, or constraints that may impact project milestones | Subcontracting work to others, financial incentives to vendors/subcontractors, additional resources, overtime, multiple shifts (All involve absorbing a cost impact and are appropriate in projects for which schedule has higher priority than costs.)
Production shutdown required for project implementation | Synchronizing implementation schedule with low-demand period; contingency schedule in the event of implementation failure
Accept the Risk
Acceptance is a conscious decision to allow the impact of the risk to
occur if the risk is realized. You may choose this strategy for a threat if
the cost of avoiding, transferring, or mitigating the impact is too high in
proportion to the cost of the risk, or if no other suitable response
strategy is available.
DEFINITION: RISK ACCEPTANCE
“A risk response planning technique that indicates that the project team
has decided not to change the project management plan to deal with a risk,
or is unable to identify any other suitable response strategy.”
PMBOK® Guide, Fourth Edition
Acceptance means that the team knows the threat exists, is aware of
the consequences, and is willing to wait and see what happens without
changing the project plan to deal with the negative risk.
Some ways to accept a negative threat are:
• Passive acceptance – Dealing with risk as it occurs. For example,
  commuting to work in a car means accepting the potential for an
  accident and the potential for injury. Everyone who commutes by
  car accepts that risk.
• Active acceptance – Defining, early on, a contingency plan outlining
  actions that respond to the negative risk event, and pre-allocating
  contingency reserves to deal with identified risks that arise during
  the project.
CLASS DISCUSSION: STRATEGIES FOR THREATS
What strategy would you use to respond to the following threats?
• As a result of adding a skateboarding park to the community playground,
  injury to children could occur, which would increase the town’s liability
  for injuries.
• As a result of choosing the site of an old mill to build a bike path, the
  ground might be contaminated with toxic chemicals, which can result in
  the need to add extra time and costs to clean the contaminated area.
• As a result of buying a pre-owned vehicle, the vehicle might break down
  sooner than a new vehicle, which can lead to earlier-than-expected
  repair expenses.
Strategies for Positive Risks or Opportunities
Strategies for positive risks or opportunities include:
• Exploit
• Share
• Enhance
• Accept
Exploit
To exploit an opportunity, take measures to ensure that the opportunity
will occur and will be incorporated into the project.
Some methods for exploiting a positive risk include:
• Using more skilled resources on an activity for which the opportunity
  is expected to materialize.
• Partnering with another organization known to provide the
  opportunity. For example, one company buys another in order to
  acquire existing marketing and distribution channels for a new line
  of products.
Share
You can share an opportunity by choosing a partner who can exploit the
opportunity for the partnership’s joint benefit.
For example, if you create a joint venture with a firm that has the
capability to complete a difficult project activity, and allow them a
share in the product ownership, both the organization that originates
the project and the firm that has the expertise benefit.
Enhance
Enhancing an opportunity is the reverse of mitigating a negative risk. To
enhance an opportunity, you try to increase the probability that it will
materialize or you magnify its beneficial effects when it does.
For example, relocating a firm to a university town can increase its
ability to recruit candidates with technical or management ability, and
can reduce hiring costs by avoiding extensive searches and expensive
relocations.
Accept
As with accepting a threat, acceptance of an opportunity is a conscious
decision. In the case of a positive risk, the decision is to take advantage
of the benefits of the opportunity, if the risk is realized.
Acceptance means that the team knows the opportunity exists, is aware
of the positive impact to the project, but is not actively pursuing it.
For example, you might choose to accept a risk opportunity if the costs
of exploiting, sharing, or enhancing it are too high in proportion to the
benefits it provides.
CLASS DISCUSSION: STRATEGIES FOR OPPORTUNITIES
What strategy would you use to respond to the following opportunities?
• As a result of a large company moving their headquarters to the city of
  Blandville, an economic boom in the housing industry could occur, which
  would lead to higher revenue for your real estate company.
• As a result of a possible donation of land to your town, the town may
  build a nature preserve, which might lead to a source of recreation for
  the town.
• As a result of a new neighbor who works at the same company as you,
  you could carpool to work, which would lead to lower gas costs and less
  air pollution.
Contingent Response Strategies
Contingent response strategies are designed for use only in certain
situations. A contingent response is a risk response plan that identifies
actions to be taken to minimize impact when, and only when, a specified
risk occurs. It assumes there will be sufficient warning to implement
the plan, and it requires constant monitoring of the risk trigger.
Define and track risk triggers such as missing intermediate milestones.
Develop a fallback plan if the risk has a high impact or if the selected
strategy is not fully effective. This might include using a schedule or
cost contingency reserve, developing alternative options, or changing
the project scope.
The most common application of this risk response technique is to
establish a contingency allowance or reserve. This allowance can
include amounts of time, money, or resources to handle known risks.
These allowances should be commensurate with the impacts of the
associated risks. They should also be computed at an acceptable level
of risk exposure for the risks that have been accepted.
Expert Judgment
Expert judgment is the application of specialized knowledge or training
to the Plan Risk Responses process. This expertise may be contributed
by a group or by an individual. For example:
• Other departments
• Consultants
• Professional associations
• Subject matter experts
Using Risk Principles to Manage Risk
The level of effort expended in managing a risk should be in proportion
to the level of risk itself. This was presented earlier as the fundamental
concept of applying proportionate expenditure. The probability and
impact of low- and medium-impact risks are generally reduced through
the application of good project management disciplines. The project
management processes all contribute to managing risk because they
support the objective of controlling the project.
When the project is not performing as planned, the monitoring activities
can identify that the project is in danger of not meeting its objectives
and corrective action can be initiated. This is how projects are
controlled. How much project management process rigor is appropriate?
The project manager must consider the value of the control provided
against the cost of providing it.
Suggested Minimum Requirements for Managing Risk
For the project's low and most medium risks, it is generally sufficient to
use sound project management practices. For each project management
area, there are certain minimum principles that are suggested for
managing project risk. These principles are:
• Technical element and scope definition
• Roles and responsibilities
• Schedule
• Cost estimates
• Performance analysis reporting
• Funds management
• Accounting
• Work authorization
• Change management
Technical Element and Scope Definition
Experience shows that inaccurate requirements are a major contributor
to project failure.
Minimum requirements:
• Defined technical objectives based on functional and/or physical
  requirements
• Defined tasks necessary to accomplish the technical objectives
• Work Breakdown Structure (WBS)
Roles and Responsibilities
If you fail to assign activities to a team member who is accountable,
“lost risks” can result.
Minimum requirements:
• Well-defined roles and responsibilities
• Assigned risks identified by the project manager
Schedule
Schedules spiral out of control because dates and deliverables are not
aggressively monitored and tracked on a daily basis. All too often,
managers leave issues unresolved for days, which results in schedule
overruns. Schedule overruns increase the risk that the project will fail
to meet stakeholder expectations, lose support, miss obligations to
provide work products for dependent projects, or lose resources to
other commitments.
Minimum requirements:
• A master schedule with identified company-controlled milestones
• Milestone completion criteria and dictionary
• Documented assumptions
• Schedule contingency
Cost Estimates
Failing to develop estimates using a methodical process associated with
specific WBS elements increases the risk that unplanned costs will be
incurred without producing useful deliverables.
Minimum requirements:
• Traceable to the work package definition
• Documented estimates’ bases and assumptions
• Justified cost contingencies
Performance Analysis Reporting
Poor and untimely performance analysis increases the risk that
indicators of whether the project will meet its objectives are delayed.
Minimum requirements:
• Periodic project status reviews
• Identified performance analysis parameters, data specification, and
  report frequency
Funds Management
Lack of secure funding increases the risk that the project will become
insolvent.
Minimum requirements:
• A funding commitment plan
Accounting
Inaccurate cost reporting increases the risk of failing to detect and
deter fraudulent activities.
Minimum requirements:
• Cost collection consistent with a time-phased cost budget and cost
  accounting standards
Work Authorization
Without authorizations at the start of every assignment, the
project manager may consume too much of the project budget and
increase the risk of having to do rework due to poor process discipline.
Minimum requirements:
• Formal work authorization process
Change Management
Failing to manage baselines by not defining a process and authority for
changes to them, especially the scope baseline, can greatly increase
the risk that the project will slip out of control. Failing to manage
baselines and to use integrated change control properly increases
the risk that the project will run out of time and money.
Minimum requirements:
• Defined thresholds and authority for baseline changes
• Defined thresholds and authority for small changes
Tailoring Project Management Processes to Match Risks
Tailor project management techniques to manage the project risks as
efficiently as possible. This includes focusing management attention on
the information needed to manage the project risks. Most project
managers find themselves in a “data rich, analysis poor” environment.
For example, project management software typically provides many
types of reports. The project management team must select and tailor
the reports that are best suited to managing the project risks. The
reports should be both timely and focused on highlighting risk triggers.
For example, the frequent reporting of schedule and cost status at the
work package level allows the project management team to detect
problems with project work before they become significant.
As another example, tracking the rates at which defects are reported
and closed during a testing phase allows the project management team
to determine whether they are keeping up adequately, and even to
identify problem areas in the construction and design processes and
deliverables. If the project management team acts promptly, they can
eliminate problems whose impact might otherwise continue to grow.
Tailoring also results in the most cost-effective selection of the project
management software for the project. Proper tool selection focuses on
managing the kinds of risks that could significantly affect the project.
This allows the project manager to apply appropriate project
management control processes in these areas. Correctly tailoring the
use of software to manage the project reduces costs by minimizing the
data collection and reporting effort.
A Basic Process for Developing a Risk Response
The project manager needs a strategy to deal with all the risks on the
project. The process begins by identifying and analyzing each risk in
order to understand it in terms of probability and impact. The best
strategy is to deal with each variable of probability and impact
separately.
TIP
Select the strategy that will be the most effective for the risk. Then
develop specific actions to implement the strategy. It is wise to have a
backup strategy for the risk.
First, project managers should focus on dealing with the probability of a
given risk by striving to reduce that probability as much as is practical
for the expense involved.
This type of mitigation is known as prevention. For example, to prevent
forest fires as much as possible, the U.S. Department of Agriculture
Forest Service created the “Smokey the Bear” education and awareness
program.
This program seeks to teach visitors to forests how to behave to
minimize the possibility of their starting an accidental fire. However,
once a fire starts, this program has no impact on the fire’s damage.
Next, if in spite of preventive measures taken, the team cannot prevent
the risk, and if the impact is substantial, the risk responses plan must
include a contingency plan designed to reduce the impact as much as
practical for the expense involved.
Attempting to minimize the impact of a risk once it has occurred is
containment. In the forest fire example, the U.S. Department of
Agriculture Forest Service created the Fire Management Program to
respond quickly to large fires. The Fire Control Service of the Forest
Service also maintains communication with a community of state fire
responders to share best practices in fire control. These strategies serve
to contain the growth of fires that cannot be prevented.
Given a framework for planning the response, where do the ideas for
risk responses plans come from? Project management teams can utilize
the familiar techniques of brainstorming, experience, and lessons
learned. The collective experience of senior management and staff
members on other projects in the organization is a valuable resource. If
the project manager lacks experience or expertise in a specific area,
hiring a consultant may be helpful. The cost should yield many times its
worth in risk reduction.
Contingency reserves in the form of time, money, or resources are often
set aside to absorb the impact of both known and unknown risks. It is
important to note that money allocated for a specific risk should not be
transferred or reallocated to a different risk once the period for the risk
to occur has passed. Do not use these funds to compensate for poor
planning that causes changes in scope or quality. If a new risk needs to
draw on reserves that are no longer needed because the first risk failed
to materialize, a change request must be submitted instead.
Basic Process for Developing Responses to Negative Risk
The basic process for developing risk responses includes these activities:
• Brainstorm several solutions
  This may be a team exercise or a task delegated to the owner of the
  risk. There is usually a benefit to developing several approaches, and
  it may require different individuals and thinking styles to formulate
  these solutions. The general strategies commonly applied are
  avoidance, transference, mitigation, and acceptance.
• Decide which strategy will be most effective
  The first choice should normally be avoidance, designed to eliminate
  the possibility of a risk event. Avoidance responses are typically less
  expensive and therefore quite cost-effective.
  For risks that cannot be avoided, attempt to either transfer the risk,
  or mitigate it by reducing the probability and/or impact. If neither
  of those options is open, or if you are unable to identify any other
  suitable responses, you may need to accept the risk without
  changing the project management plan.
  Given several strategies, choose the most cost-effective one. This is
  done by estimating the new probability and impact factors,
  assuming the strategy is effective. Divide the reduction in the risk
  factor by the cost of the solution to determine a relative leverage or
  return-on-investment (ROI). In addition to the ROI, make sure the
  strategy really reduces the risk to an acceptable level and takes into
  account the total cost impact of the risk event, including possible
  secondary, downstream impacts.
• Design a specific, written action plan
  Given the selected response, ensure that it includes a written,
  detailed action plan describing the assignment of specific individuals
  and due dates.
  The risk response plan should include monitoring of the “risk
  trigger” on a periodic basis to ensure that the risk has not
  materialized. It should also define the time period of the “threat
  window” so it is clear when the risk may be closed and unused
  resources and contingency budget released. For example, a
  “requirements risk” may no longer be a concern after closeout of
  the design phase.
• Consider fallback plans
  Ensure the action plan includes the contingency plan for actions to
  be employed if avoidance, transfer, and mitigation fail and the risk
  event still occurs. You want to be prepared to minimize this impact
  as quickly as possible. It is very difficult to react effectively and
  efficiently to a crisis without advance preparation.
• Consider when the risk may occur
  Risks change as a function of time. There may be a fixed window of
  opportunity during which either the risk may strike, or preventive
  action has a chance of stopping the risk. This may cause the project
  manager to focus resources on a risk that would otherwise be
  considered a lower priority. If the risk does not occur, those
  resources are then reallocated to other risks.
• Consider secondary and residual risks
  Risk responses will normally have an effect on other risk elements of
  the project. Consider these secondary effects before committing
  resources to a plan.
  Ranking risks merely on P x I may not always be sufficient. A risk
  that will strike tomorrow may be more urgent than one that is not
  going to take effect until a month from now. Some risk responses
  have effects on more than one risk. This allows some economy
  (more “bang for the buck”) in risk responses.
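The leverage calculation described under "Decide which strategy will be most effective," worked through as an added example that is not part of the course material. It assumes the risk factor is P x I with impact expressed as total cost (direct plus secondary); the class and function names are hypothetical and all figures are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Exposure:
    """Probability of the risk event and its total cost impact if it occurs."""
    probability: float       # 0.0 to 1.0
    direct_impact: float     # cost of the event itself
    secondary_impact: float  # downstream cost (rework, dependent projects, ...)

    @property
    def risk_factor(self) -> float:
        # Risk factor = P x I, with I taken as the total cost impact (assumption).
        return self.probability * (self.direct_impact + self.secondary_impact)


@dataclass(frozen=True)
class Response:
    name: str
    strategy: str            # "avoid", "transfer" or "mitigate"
    cost: float              # cost of implementing the response (must be > 0)
    after: Exposure          # estimated exposure, assuming the response is effective


@dataclass(frozen=True)
class Evaluation:
    response: Response
    reduction: float         # risk factor removed by the response
    residual: float          # risk factor that remains afterwards
    leverage: float          # reduction / cost, the relative ROI of the response
    acceptable: bool         # residual is within the acceptable level


def evaluate(before: Exposure, response: Response, acceptable_level: float) -> Evaluation:
    if response.cost <= 0:
        raise ValueError("response cost must be positive")
    residual = response.after.risk_factor
    reduction = before.risk_factor - residual
    return Evaluation(response, reduction, residual,
                      reduction / response.cost, residual <= acceptable_level)


def choose_response(before: Exposure, responses: List[Response],
                    acceptable_level: float) -> Optional[Evaluation]:
    """Pick the highest-leverage response that also brings the risk down to
    an acceptable level. None means no candidate qualifies, so the risk has
    to be accepted or escalated."""
    evaluated = [evaluate(before, r, acceptable_level) for r in responses]
    qualifying = [e for e in evaluated if e.acceptable and e.reduction > 0]
    if not qualifying:
        return None
    return max(qualifying, key=lambda e: e.leverage)


# Constructed sample: a key supplier may miss a delivery.
BEFORE = Exposure(probability=0.4, direct_impact=200_000, secondary_impact=50_000)
ACCEPTABLE_LEVEL = 30_000
CANDIDATES = [
    Response("Dual-source the component", "mitigate", 20_000,
             Exposure(0.1, 200_000, 50_000)),
    Response("Penalty clause in contract", "transfer", 5_000,
             Exposure(0.4, 100_000, 50_000)),
    Response("Hold buffer stock", "mitigate", 30_000,
             Exposure(0.4, 20_000, 10_000)),
]

if __name__ == "__main__":
    for r in CANDIDATES:
        e = evaluate(BEFORE, r, ACCEPTABLE_LEVEL)
        print(f"{r.name:28} leverage={e.leverage:5.2f} "
              f"residual={e.residual:9,.0f} acceptable={e.acceptable}")
    best = choose_response(BEFORE, CANDIDATES, ACCEPTABLE_LEVEL)
    print("Selected:", best.response.name if best else "none (accept or escalate)")
```

In this sample the penalty clause has the highest leverage but leaves the residual risk above the acceptable level, so the selection falls to the next-best response that does meet it.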
Risk Triggers
DEFINITION: TRIGGERS
“Indications that a risk has occurred or is about to occur. Triggers may be
discovered in the risk identification process and watched in the risk
monitoring and control process. Triggers are sometimes called risk
symptoms or warning signs.”
PMBOK® Guide, Fourth Edition
For each risk response, an indicator must be specified that will either
give advance warning that the risk is about to materialize, or in the
worst case, that it has already materialized. A threshold value may
need to be specified. If the risk trigger crosses the threshold, the risk
owner must act.
This threshold value may be “does not exist.” When the trigger event
appears, it is time to activate the risk contingency plan. In other cases,
the threshold value may be a numeric quantity, such as “five defects
per document page.”
Periodically monitor the risk trigger to ensure that the risk event is
detected promptly. In the ideal case, an automated system monitors
the risk trigger constantly and then sends a notification to the risk
owner when the trigger crosses a risk threshold.
In other cases, project management must review the trigger indicator
regularly. For example, if the number of issues opened vs. closed each
week continues to increase, the project manager should note the trend
at each weekly status meeting. When the number increases for four
weeks in a row, the project manager should take action to determine
the causes for this as well as for the team’s failure to close the existing
issues at an equal or better rate. The project manager may determine
that the product design is seriously flawed and that this is now
manifested in design-related issues that are difficult to resolve.
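The two kinds of trigger check described above (a numeric threshold and a trend sustained over four weeks), as an added example that is not part of the course material. It assumes the weekly trend is measured on the open-issue backlog (opened minus closed, accumulated) and that reaching the threshold counts as crossing it; the risk IDs, owners, function names and data are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


def first_threshold_crossing(values: Sequence[float], limit: float) -> Optional[int]:
    """Return the 1-based period in which a value first reaches the limit."""
    for period, value in enumerate(values, start=1):
        if value >= limit:
            return period
    return None


def first_sustained_increase(levels: Sequence[float], run_length: int) -> Optional[int]:
    """levels[0] is the starting level and levels[n] the level at the end of
    period n. Return the period that completes `run_length` consecutive
    period-over-period increases, or None if that never happens."""
    run = 0
    for period in range(1, len(levels)):
        run = run + 1 if levels[period] > levels[period - 1] else 0
        if run >= run_length:
            return period
    return None


def backlog_levels(starting_backlog: int,
                   weekly_opened_closed: Sequence[Tuple[int, int]]) -> List[int]:
    """Accumulate (opened, closed) counts into the open backlog per week."""
    levels = [starting_backlog]
    for opened, closed in weekly_opened_closed:
        levels.append(levels[-1] + opened - closed)
    return levels


@dataclass(frozen=True)
class Trigger:
    risk_id: str
    owner: str                            # risk owner to notify
    description: str
    check: Callable[[], Optional[int]]    # period in which it fired, or None


def evaluate(triggers: Sequence[Trigger]) -> List[Tuple[str, str, int, str]]:
    """Return one (risk_id, owner, period, description) alert per fired trigger."""
    alerts = []
    for trigger in triggers:
        period = trigger.check()
        if period is not None:
            alerts.append((trigger.risk_id, trigger.owner, period, trigger.description))
    return alerts


# Constructed sample data.
WEEKLY_ISSUES = [(10, 12), (11, 9), (12, 10), (9, 11),
                 (13, 10), (14, 11), (15, 12), (16, 12)]   # (opened, closed)
DEFECTS_PER_PAGE = [3.0, 4.0, 5.2]       # one value per document review round
SCHEDULE_SLIP_DAYS = [0, 1, 1, 2]        # weekly slip on an intermediate milestone

TRIGGERS = [
    Trigger("R-07", "design lead", "open issue backlog rose four weeks in a row",
            lambda: first_sustained_increase(backlog_levels(20, WEEKLY_ISSUES), 4)),
    Trigger("R-12", "requirements analyst", "five or more defects per document page",
            lambda: first_threshold_crossing(DEFECTS_PER_PAGE, 5.0)),
    Trigger("R-15", "project manager", "milestone slipped by ten or more days",
            lambda: first_threshold_crossing(SCHEDULE_SLIP_DAYS, 10)),
]

if __name__ == "__main__":
    for risk_id, owner, period, description in evaluate(TRIGGERS):
        print(f"{risk_id}: notify {owner}: {description} (period {period})")
```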
Topic 4: Outputs from the Plan Risk Responses Process
The outputs from the Plan Risk Responses process are:
• Risk register updates
• Risk-related contract decisions
• Project management plan updates
• Project document updates
The project management plan will be used by other planning processes
to revise the project work breakdown structure, activity list, schedule,
budget, and resource assignments in order to accommodate the
activities specified in the risk responses plans.
The risk-related contractual agreements are forwarded to the cost
management processes for inclusion in the budget, and to procurement
management to manage their implementation, monitoring, and closure.
In addition, the use of risk responses to address stakeholder risk
tolerance supports the project communications management objective
of managing stakeholder expectations.
Risk Register Updates
Risk register updates are the primary outputs from the Plan Risk
Responses process. The updates consist of risk responses, and they vary
according to company policies and standards and the types of risks
identified.
Components to consider in the risk responses include:
• Identified risks, their descriptions, and area(s) of the project
  affected
• Risk owners and responsibilities
• Results from the qualitative and quantitative risk analysis processes
• Agreed responses, including avoidance, transference, mitigation, or
  acceptance for each negative risk or threat
• Agreed responses, including exploiting, sharing, enhancing, or
  acceptance for each positive risk or opportunity
• The level of residual risk expected to remain after the strategy is
  implemented
• Specific actions to implement the chosen response strategy
• Budget and times for responses
• Contingency plans and fallback plans
Although there is no established or required format or content for risk
responses in the risk register, include these items:
• Brief summary of the project phase, scope, schedule, and cost
  objectives. These summaries are useful since a project management
  plan may not always be available to use with the risk responses
  documentation.
• All documented assumptions that were used in determining,
  defining, and analyzing risks. This will help when the project is
  reviewed and risk responses plans are evaluated for their adequacy
  in addressing the risk.
• For each selected strategy:
  ◦ The person accountable for managing or mitigating the risk (the
    “risk owner”)
  ◦ The management or mitigation strategy
  ◦ Expected closure dates
  ◦ A risk impact table
  ◦ Risk analysis and identification form
  ◦ Risk screening questions
  ◦ Other information used by the team as appropriate for future
    reference and to assist in subsequent reviews and updates.
Risk Owner
The risk owner is responsible for monitoring the stated risk trigger and
invoking the risk responses plan when the trigger event materializes. A
drill exercise is sometimes used to test whether risk owners will be
effective. If the risk owner fails to detect the simulated trigger event or
fails to activate the risk responses plan effectively, promptly address
the failure, and then carry out a new drill to prove that the problem has
been fixed.
Timing
Revise or update a risk response whenever a subsequent risk analysis
shows a change in the risk or in the risk management and mitigation
strategy. Each revision needs to be dated and summarized by a list of
the sections that were revised, with enough detail to explain the
significance of the change.
CAUTION
Project teams often fail to develop and maintain adequate risk response
documentation even after they have successfully identified and analyzed
risks. Implementing the risk responses is also a weak point; often the
response is published to the assigned risk owners without explaining their
required roles and responsibilities in it.
The only successful risk response is one that is understood by all
participants and will be activated promptly when the risk trigger is
detected.
Residual Risks and Secondary Risks
In many cases, it is not feasible or cost-effective to eliminate a risk
completely. Residual risks are those risks that remain even after a risk
response plan is developed.
Secondary risks are those risks that result from implementing a risk
response. In some cases, an additional risk response plan may be
needed to mitigate or transfer the secondary risk.
After creating the risk responses plan, update the risk register to reflect
the new information. Over time, as response plans are executed or the
window for the risk event to occur passes, the risk impact or its
probability will be minimized.
Many risks are never entirely prevented and residual risks may remain in
place of the original risks. There may be secondary risks that have been
caused by the risk response plans.
Contingency Reserve Amount Needed
Contingency reserve is the schedule or cost margin set aside to absorb
the impact of known risks so that their impact does not cause the
project objectives to be missed.
Probabilistic analysis and identified risk thresholds help the project
manager determine the amount of buffer or contingency needed to
reduce the risk of overruns of project objectives to an acceptable level.
The contingency reserve can be used to mitigate cost or schedule risk if
changes in the scope or quality occur. For example, if the project
begins to fall behind schedule due to a lack of skilled workers, funds
can be allocated to hire a consultant/contractor to provide training to
the staff. Fallback plans are alternative strategies that can be
implemented if a high risk is realized or planned risk reduction efforts
fail.
While the entire project may have an overall risk responses plan, it is
important to understand that the previously developed plan is an overall
methodology. It is reconsidered during the Plan Risk Responses process
to document details for responding to each specific risk.
Methods to Determine Contingency
Contingency may be needed in a cost budget or in a schedule. Often
companies have a standard 10% management reserve that is held aside
to account for unknown risks (that have not yet been identified, but as
history shows, appear sooner or later).
Management Contingency Reserve (Management Reserve)
Contrasted with Contingency Reserve
These two reserve types are often confused with each other, sometimes
lumped under the common reference of “contingency reserve.”
Experience tells a project manager that unforeseen events occur that
could affect the cost or schedule performance of the project. These
may include the “normal risks” retained that were not prioritized as
high-risk events.
To offset this, organizations often use a management contingency
reserve. A management contingency reserve is an additional
commitment of funds used to address what are called the “unknown
unknowns”: the risks that the team simply failed to foresee. The
management contingency reserve is never part of the project budget
and so does not factor into the project cost calculations.
To determine the right size of management reserve, the team must rely
on prior experience and on risk thresholds set in organization policy and
standing practice.
Often, project budgets have a 10% contingency reserve added to them,
which is not allocated to any WBS element, and is simply available for
the project manager to allocate when a problem arises. Sometimes, the
organization will also allocate an additional management contingency
reserve for the project. This reserve is only available to the project
manager by request from senior management.
A similar reserve may be added to the project schedule. As long as the
problems the project experiences do not fully consume either of these
contingency reserves, the project will meet its cost and schedule
budgets, even though the team could not foresee the nature or size of
the problems themselves.
Contingency reserve is for the “known unknowns,” usually in terms of
money or time, to support contingency plans. For example, in the
following table the price of fuel or the availability of a resource may
not be known, but must be planned into the project budget or schedule.
Contingency is often calculated as a percentage of the total project
cost.
MANAGEMENT RESERVE | CONTINGENCY RESERVE
Used to deal with “unknown unknowns” | Used to deal with “known unknowns”
Used to counteract unforeseen changes to project scope and cost | Used to plan for risk events
Not part of the project cost baseline, nor earned value calculations | Not used to compensate for poor planning
Example: unexpected labor strike | Example: Price of fuel, resource availability
Authorized by senior management | Authorized by the project manager
Not part of the project budget | Part of the project budget
EXAMPLE: RISK RESPONSE PLAN
Based on the risk analysis she'd done, the PM for the Capital Flyer Corporate
Customer Satisfaction Project was able to define contingencies and
alternatives regarding the 2nd-point-of-origin initiative.
To view her risk response plan, see Appendix C.
Risk-Related Contract Decisions
Contract decisions, such as agreements for insurance or services that
can transfer the risk, may be used to identify each party’s responsibility
for specified risks. The risk-related contract decisions are provided as
inputs to the Plan Procurements process.
Project Management Plan Updates
The project management plan must be updated to reflect the activities
and costs required to support the risk responses. Most likely, the project
manager will be allocating additional budgeted activities and adding
new schedule events. The project manager may also expand the use of
procured services or contractual agreements to formally acknowledge
risks and either limit them or transfer liability for some of them.
Components to change may include the quality, procurement, and
human resource management plans. The work breakdown structure,
schedule baseline, and cost performance baseline may require revision.
Most responses to risk involve expenditures of additional time, cost, and
resources, and lead to changes in the project plan. Organizations
require assurance that spending is justified for the level of risk
reduction.
Project Document Updates
If a process or product is changed as a result of the Plan Risk Responses
process, then the project documentation also needs to change.
Documents that require change may include:
• Assumptions log updates
  Assumptions might change with the application of risk responses.
• Technical documentation updates
  Applying risk responses might affect technical methods and physical
  deliverables.
EXAMPLE: RISK RESPONSES SECTION OF THE RISK REGISTER
WORKSHEET
The risk register includes a response plan for each risk.
EXERCISE: UPDATES TO THE RISK REGISTER – RISK RESPONSES
Create updates to the risk register to include risk responses.
See Exercise 6-1, in Appendix A of this Participant Guide.
The following table is an example of a risk register worksheet with the
risk response section completed.
Project: Mountaintop Hotel
Risk Identification & Analysis
| Identified Project Risk | P | I | RS | Risk Category |
|---|---|---|---|---|
| Transportation Strike | .3 | .4 | .12 | K. Labor Skills, availability |
Description of Identified Risk:
Because materials need to be transported to the project location, any change in the conditions of site transportation, including a strike of transportation workers, could affect the project. A strike would result in schedule delays.
Assumptions/Basis:
Because of project location, most materials will be transported by truck. Although no Teamsters strike has affected this geographic region for 20 years, the consequences of a strike could set the project schedule back by more than 30 days.
Risk Response Planning
Strategy Chosen:
Opportunity: Exploit Share Enhance Accept
Threat: Avoid Transfer Mitigate Accept
Trigger measure to be monitored and source: Contract negotiations; news media
Threshold Condition: Three days of unsuccessful negotiations between Teamsters and truck companies
Potential secondary risks (risks arising from implementing this plan): Our shippers may not be available on requested schedule for all needed overtime
Residual risk (Estimated remaining P, I, and RS after Risk Response is implemented): (P = .1) x ( I = .3) = (RS = .03)
Preparatory Plan: Actions to take before risk materializes
| Plan Description | Who Performs | Cost / Schedule Impact | Date Due |
|---|---|---|---|

Contingency Plan: Actions if the risk is triggered

| Plan Description | Who Performs | Cost / Schedule Impact |
|---|---|---|
| Pay overtime to our shippers to transport materials. | Team leader | $10,000 |

Risk Owner: Team Leader
Module Summary
ADDRESSING THE BUSINESS CHALLENGE
At their weekly planning meeting, Ana leads the team in developing
appropriate risk responses: timely, cost-effective, realistic, and appropriate
to risk severity. They discuss strategies to respond to project threats – ways
to avoid, transfer, or mitigate the risk. And, as Hannah points out to Jack,
they need equal time to consider ways to exploit, share, and enhance
opportunities. Ana will take the results of the meeting and design a specific
action plan with fallback options.
The Plan Risk Responses process involves developing options and
determining actions to enhance opportunities and reduce threats to the
project’s objectives. A risk response plan must be appropriate to the
severity of the related risk and is dependent upon inputs from the
Identify Risks, Perform Qualitative Risk Analysis, and Perform
Quantitative Risk Analysis processes.
Select the risk response strategy most likely to be effective for each
risk. Write the risk response plan to the level of detail at which the
actions will be taken.
Module 7
Monitor and Control Risks
Module Introduction
The Monitor and Control Risks process implements risk response plans,
tracks identified risks, and identifies new risks. The process also
monitors residual risks and evaluates the effectiveness of the risk
processes throughout the project.
The Monitor and Control Risks process is ongoing through the life of the
project because risks change as the project matures. In the process,
new risks may develop and other risks may disappear.
This module:
• Describes the Monitor and Control Risks process
• Identifies the inputs, tools and techniques, and outputs of the
  Monitor and Control Risks process
Module Objectives
Upon completion of this module, the participant will be able to:
• Define the Monitor and Control Risks process
• Place the Monitor and Control Risks process within the context of
  the project management framework
• Identify and describe the inputs, tools and techniques, and outputs
  of the Monitor and Control Risks process
• Choose appropriate techniques to track identified risks, monitor
  residual risks, and identify new risks
Topic 1: Overview of the Monitor and Control Risks Process
THE BUSINESS CHALLENGE
In any project, it's inevitable that a risk trigger occurs.
Ana knew it would happen, and now it has: BigFish Puppets, a nationally
renowned street theatre company, is missing its star performers. The
group's artistic director calls to tell her they've got a crisis. They've just
returned from a prestigious theater festival in the UK. Problem is, their
puppets haven't. The puppets seem to be somewhere in Asia. The shipping
company is trying to track them down, and the artistic director is beside
himself with worry. He's hopeful they'll eventually turn up, but whether or
not it's in time for the parade is something he can't guarantee.
Posters for the parade feature pictures of BigFish Puppets, and the group is
prominently mentioned in the press release. Now, there's a real possibility
the group may not make it to perform at the SummerFest parade.
• How can Ana monitor and control this risk?
Monitor and Control Risks is the process of tracking identified risks,
monitoring residual risks, and identifying new risks. The project
manager is responsible for ensuring the proper execution of the risk
management plan and for evaluating the effectiveness of the entire risk
management process.
The Monitor and Control Risks process is an iterative process. It
continues throughout the project, because risks change as the project
matures. New risks may develop, while other risks may disappear.
Figure 7-1 shows that the Monitor and Control Risks process occurs in
the Monitoring and Controlling Process Group.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 7-1. Project Risk Management Process Group Map: Monitor and
Control Risks
As a project is executed, project controls are in place to ensure that
results are meeting expectations, and, if they are not, that corrective
action is initiated.
DEFINITION: MONITOR AND CONTROL RISKS
“The process of implementing risk response plans, tracking identified risks,
monitoring residual risks, identifying new risks, and evaluating risk process
throughout the project.”
PMBOK® Guide, Fourth Edition
During execution of the project, the Monitor and Control Risks process is
evident when the project manager and team meet regularly to review
the project and the status of its associated risks. A quality assurance
audit, intended to verify the risk management practices, looks for:
• Evidence of regular meeting minutes
• An up-to-date risk database
• Metrics reports that show that the overall trend of the risk profile
  (of probability and impact) is decreasing throughout the project life
  cycle
Post a current risk list on the project room status board. Risk response
action plans show that assigned tasks were performed and closed out.
Purpose of Monitor and Control Risks Process
The purpose of the Monitor and Control Risks process is to:
• Monitor symptoms and warning signs of identified risks
• Reevaluate watch-list risks
• Identify, analyze, and plan for new risks
• Ensure that risk responses are implemented as planned
• Monitor residual and secondary risks after the planned responses are
  activated
• Evaluate the effectiveness of the planned response in reducing risk
• Document risk metrics that are associated with implementing
  contingency plans
An effective Monitor and Control Risks process provides data to help
make informed decisions in advance of the risk occurrence.
Monitor and Control Risks is an ongoing process that lasts the life of the
project. The process is responsible for tracking and acting upon this
information:
• Changes in risks as the project progresses
• New risks as they develop, and whether or not they were
  successfully identified and managed before they materialized
• The effectiveness of planned risk responses
• Whether or not risks materialized, and why
Monitoring Risks
Risk monitoring helps to ensure that risk practices are being enforced
proactively to keep risk managed, as opposed to reactively (for
example, only preparing to deal with risks once they materialize).
The purpose of monitoring risks is to determine if:
• Project Risk Management processes are being carried out.
• A risk exposure has changed.
• A risk trigger has occurred.
• Risk responses have been implemented as planned for risks that
  have materialized.
• Risk response strategies are effective, or if new responses should be
  developed.
• Project assumptions are still valid.
• Project contingency reserves for cost and schedule remain adequate
  to meet project objectives.
In addition, monitoring risks may determine whether the proper policies
and procedures have been followed, or whether risks have occurred that
were not previously identified.
Controlling Risks
The purpose of controlling risks is to help ensure:
• Management plans allocate the resources to appropriate activities in
  managing risks
• Alternative risk response strategies are selected
• Appropriate contingency plans are implemented
• Corrective actions are taken
• Resources that were previously allocated to other risks are
  redistributed once the associated risk is no longer present
• Changes to scope, budget, or schedule up to the point of requiring
  re-planning of the project are implemented
As part of risk control, planned risk responses are implemented by the
risk response owner. The risk response owner reports to the project
manager on:
• The effectiveness of the risk responses
• Whether any side effects of the risk response have been observed in
  the form of residual or secondary risks
• Whether any additional actions are needed to further mitigate or
  enhance the risk
Suggested Best Practices for Monitor and Control Risks
As part of the weekly team status meetings, the project manager needs
to insist that team members provide reports on the progress against
risks. Some risks may need to be reviewed daily depending on severity.
Monitoring of trends in the appropriate risk triggers serves as an
indicator to signal when to activate planned risk responses.
The project manager can use periodic working sessions to identify and
assess risks to keep the stakeholders apprised of risk-related issues. If
the project manager has to communicate bad news to a stakeholder
when an identified risk is realized, the stakeholders will not be
alarmed. They will understand the necessity for the risk response
because their expectations concerning the risk and its impact will have
been properly set.
The main indication that the Monitor and Control Risks process is being
successfully applied is the prompt implementation of planned risk
responses when risks materialize. Although some of the project tasks
may require more time or budget than planned, there are adequate
contingency reserves to make up the shortfalls, and the total project
schedule and budget are not expected to be overshot.
Responsibilities of the Risk Response Owner
The risk owner’s role involves monitoring the risk trigger for each
assigned risk and initiating the planned risk responses when the trigger
event occurs. The risk owner’s responsibilities include:
• Monitoring the risk trigger often enough to allow timely
  implementation of the planned risk responses
• Correctly identifying the trigger event when it appears
• Acting promptly and effectively to activate the planned risk
  responses once the trigger event is detected
• Implementing the risk responses as planned and correcting any
  deviations from the plan
• Determining whether the risk has been effectively addressed
  (avoided, transferred, mitigated, or accepted) by the risk responses
• Informing the project manager and other affected parties of the
  planned risk responses' effectiveness
• Determining whether secondary or residual risks are now present as
  a consequence of implementing the planned risk responses
• Participating in identifying and implementing corrective actions if
  the planned risk responses fail to address the risk as planned
A drill exercise is sometimes used to test whether risk owners will be
effective at carrying out their responsibilities. If the risk owner fails to
detect the simulated trigger event or fails to activate the risk response
effectively, promptly address the failure, and carry out a new drill to
prove that the failure will not recur.
Comparing Project Risk Management to Project Management
In the Project Risk Management Knowledge Area, each individual risk
response is planned as a miniature or subproject with established scope,
budget, and schedule. The project manager must ensure that these
plans are not overlooked or pushed out of the way. In this process,
project management and Project Risk Management are very similar. A
good project manager is a good risk manager, and vice versa. The same
principles of good common sense, alertness, planning, execution,
monitoring, and control apply to both.
Interactions with Other Processes
Figure 7-2, the Monitor and Control Risks process data flow diagram, shows how
inputs are transformed through tools and techniques into outputs.
PMBOK® Guide, Fourth Edition
Figure 7-2. Monitor and Control Risks Data Flow Diagram
Overview of Monitor and Control Risks Inputs, Tools and Techniques, and Outputs
Figure 7-3 shows the inputs, tools and techniques, and outputs of the
Monitor and Control Risks process. These inputs, tools and
techniques, and outputs are discussed in detail in this module.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 7-3. Monitor and Control Risks: Inputs, Tools & Techniques, and
Outputs
Topic 2: Inputs to the Monitor and Control Risks Process
The inputs to the Monitor and Control Risks process are the:
• Risk register
• Project management plan
• Work performance information
• Performance reports
Risk Register
The risk register contains the key information that is needed for
monitoring and controlling project risks. The register lists the identified
risks and their assigned owners. It also defines the agreed-upon
responses to each risk and the specific steps to be taken if a risk occurs.
This includes the prior decision as to whether a threat will be avoided,
transferred, mitigated, or accepted; likewise, the register states
whether an opportunity will be enhanced, shared, exploited, or
accepted.
The risk register also identifies the risk triggers that need to be
monitored, as well as potential residual and secondary risks. Risks that
have been defined as low-priority are contained in a watch-list in the
register.
Finally, the risk register documents the reserves allotted to each risk
and its associated response, to provide for time and cost contingencies.
Project Management Plan
The project management plan contains the risk management plan. As
discussed earlier, the project risk management plan defines how and
when to perform risk management activities. The risk management plan
also documents risk tolerances and identifies risk-related roles and
responsibilities, including the risk owners, and other risk management
resources for the project manager.
CAUTION
The risk management plan is different from the risk register. The risk
register contains specific risk data, such as the list of identified risks, the
results of risk analyses, and the planned risk responses.
Work Performance Information
Work performance information provides data on the status of project
activities. If project deliverables are not being completed on a timely
basis, at or below the planned cost, and with no more than a tolerable
level of defects, a risk trigger event may have already occurred or be
about to occur.
Some of the performance results that might impact project risks are:
• Deliverable status
• Schedule progress
• Costs incurred
For example, if a significant project deliverable is forecasted to be
more than 10% late, the associated activity may be at risk, and the
cause needs to be identified. If the cause turns out to be one of the risk
trigger events, then the associated planned risk responses must be
implemented.
An example of such a cause is slow performance of a vendor because
they have lost a critical resource. The associated risk is that the
project’s scheduled completion date will be missed.
Performance Reports
Performance reports are an output of the Report Performance process
in the Project Communications Management Knowledge Area. These
reports organize, summarize, and analyze performance measurements.
Then the reports present the results of the analysis as compared to the
performance measurement baseline.
The performance reports provide specific data on project work
performance, including:
• Variance analysis
• Earned value data
• Forecasting data
Performance reports help to ensure that project stakeholders receive
the appropriate risk information. It is vital that this information be
timely. One pitfall for risk owners is to monitor the sources of risk
triggers too infrequently for the sources to be of any use.
For example, if a problem occurs which is only reported to the project
sponsor in a quarterly project status report, it may be almost three
months before the sponsor is advised of the trigger event. It will very
likely be impossible for the project sponsor to act promptly enough to
implement an otherwise well-planned risk response in a timely manner.
Topic 3: Tools and Techniques for the Monitor and Control Risks Process
The tools and techniques for monitoring and controlling risks are:
• Risk reassessment
• Risk audits
• Variance and trend analysis
• Technical performance measurement
• Reserve analysis
• Status meetings
Risk Reassessment
Risk reassessments need to be regularly scheduled throughout the
project to:
• Identify new risks
• Reassess previously identified risks
• Close outdated risks
The amount and detail of work required in these periodic reassessments
may reflect the nature of the project, including the size and complexity
of the project and whether adequate progress is being made.
Additional risk responses may need to be planned if a new risk emerges,
or if an identified risk's potential impact has changed since the previous
analysis. If the originally planned risk responses are found to be
inadequate, emergency action may be warranted.
Risk Audits
Risk audits examine and document:
• Effectiveness of risk processes and the people involved
• Effectiveness of risk responses and whether the responses were
  carried out as planned
• Effectiveness of risk owner performance
Risk audits need to be performed at a frequency that is appropriate to
the size, duration, and complexity of the project. The frequency of risk
audits is specified in the risk management plan. The project manager is
responsible for ensuring that the audits adhere to the plan.
The project manager defines and documents the format and objectives
of the risk audits before the audit begins.
Variance and Trend Analysis
Variance analysis is a technique for comparing the planned results to
the actual results.
DEFINITION: VARIANCE ANALYSIS
“A method for resolving the total variance in the set of scope, cost, and
schedule variables into specific component variances that are associated
with defined factors affecting the scope, cost, and schedule
variables.”
PMBOK® Guide, Fourth Edition
Trends in metrics related to the project’s performance should be
reviewed periodically using performance information. One method of
monitoring variance and trends is earned value analysis, and other
methods may also be appropriate. The results of the analyses are used
to forecast the project’s estimate at completion for cost and schedule.
If the forecasted results differ significantly from the original targets, a
risk may have materialized even though no other trigger may have
appeared.
The project manager can also use trend analysis to monitor project risks
from the time they are originally analyzed through each reassessment.
Figure 7-4 shows a sample risk trend analysis report. It provides a visual
representation of the risk assessment for a specific risk.
Adapted from the PMBOK® Guide, Fourth Edition
Figure 7-4. Sample Risk Trend Analysis Format
In Figure 7-4, there is a threat that unresolved interface requirements
and design problems will appear. The initial analysis graded this risk as
having a “medium” risk factor for the duration of the phases shown. A
later reassessment at the beginning of the Requirements Analysis phase
determined that the risk had reached a “high” level, so the contingency
plan of prototyping the interfaces was undertaken.
Once the prototyping was satisfactorily completed, the team
determined the risk as “medium” (as a result of implementing the
planned risk response). Yet another reassessment determined that the
risk had become “low” after the Design phase was completed. As a
result of this latest reassessment, the cost contingency reserve set aside
for the interface development risk was released. During the Monitor and
Control Risks process, maintain this chart with current results to show if
the planned reductions in the risk are actually realized.
Technical Performance Measurement
Technical performance measurement is a monitoring technique that
compares the delivered functionality to the original technical
specifications defined in the project management plan. The technique
relies on objective, quantifiable measures of technical performance.
Technical performance measures may include:
• Weight
• Transaction times
• Number of delivered defects
• Storage capacity
Any deviations from original targets may expose the degree of technical
risk faced by the project, or they may signal that a risk has
materialized.
Figure 7-5 shows how one aspect of a project's technical performance
rises from a mid-range level in the Concept and Preliminary Design
phases to a higher target level in the Detailed Design and Integration
phases.
Figure 7-5. Sample Technical Performance Chart
In Figure 7-5, two sample measures, represented by the black circles,
have been taken and used to determine confidence intervals for the
project’s actual performance, represented by the I-bars. Note that the
project’s planned technical performance forecasts that the project’s
rating will start at 5 in February and increase to 9 by August.
If the project’s technical performance falls significantly below plan and
then appears to make a remarkable recovery, there may be other
factors in play. Since this is a rare phenomenon, the project manager
needs to confirm that the measures are accurate and that there are no
other factors that might jeopardize the project in later stages, such as
high and constant levels of overtime, or activities being omitted.
Reserve Analysis
Reserve analysis compares the remaining contingency reserves with the
remaining risk impacts, to avoid the possibility that reserves will be
exhausted before the project is completed. If risks have materialized
over the life of the project, contingency reserves of budget and
schedule may have been used to mitigate the risks’ impact. If the
reserve analysis shows that the remaining reserves are not adequate,
then it may be necessary to prepare to ask management to make
management reserves available.
Status Meetings
The Project Risk Management activities that need to be included in the
project team’s regularly scheduled status meetings are:
• The project manager, or the assigned risk manager, needs to report
  to the project team and stakeholders on the progress of each risk.
• New risks need to be identified and analyzed, and response plans
  need to be prepared.
• For risks that have materialized, any discrepancies between the
  planned responses and the actions actually taken need to be
  identified and addressed.
Risks and their impacts change significantly as a project progresses. Risk
reviews within status meetings ensure that the team revisits the risk
processes to consider how the risks and their impacts change over the
project life cycle.
Examples of Risk Review Techniques in Status Meetings
The highest-severity risks need to be monitored the most frequently and
the metrics reported and compared to the trigger criteria. The review
also needs to include some of the medium-level risks to ensure that
they get team attention, but on a less frequent and in-depth basis.
Consider one of these approaches when setting up a risk review process:
• Review 10 of the top risks on a rotating basis, if there are fewer
  than 30.
• Review the top 20% of the list at every meeting, plus a sampling
  from lower risks on a rotating basis.
• Review all risks coded as red, and half of the yellows at each
  session, on an alternating basis.
Remember that the more the risk management activities are integrated
into the project team’s other activities, the easier it will be to discuss,
discover, and manage important risks.
Topic 4: Outputs from the Monitor and Control Risks Process
The outputs from the Monitor and Control Risks process are:
• Risk register updates
• Organizational process assets updates
• Change requests
• Project management plan updates
• Project document updates
Risk Register Updates
Steps to update the risk register may include:
• Incorporating the outcomes of risk reassessments, risk audits, and
  periodic risk reviews, which may include identification of new risk
  events.
• Documenting realized risks in the risk register. The actual steps
  taken and the final cost impact of the risk need to be assessed and
  recorded for future benefit.
• Closing out entries for risks that can no longer occur. If it is deemed
  safe to do so, close risks that have not occurred during the expected
  window of time. This allows the release of assigned resources and
  contingency reserves and shifts the focus to other risks.
• Updating the risk priority rankings to ensure that the most important
  risks are being addressed. A priority ranking may change based on
  change in its probability or impact, which should also be recorded.
• Making any necessary changes to the planned risk responses, either
  in the action steps or the risk owners, in order to manage the risks
  more effectively.
Organizational Process Assets Updates
In addition to producing information that is useful to the project,
Monitor and Control Risks also provides information that can benefit
future projects when it is captured in organizational process assets. The
organizational process asset updates that relate to risk management
reflect lessons learned during the current project. Assets that may be
improved include the:
• Template for the risk management plan
• Probability and impact matrix
• Risk categories and/or the risk breakdown structure and risk
  checklists
• Risk register, including formats of the planned risk responses and
  the probabilistic project analysis techniques and their formats
• Lessons-learned knowledge repository
Updates to the Identify Risks Checklists
Updating the risk identification checklists will help future projects
manage risks more efficiently. This takes place during closeout of the
current project phase or at the project end. For evaluating lessons
learned related to project risk, document:
• What risks were anticipated?
• Which risks occurred?
• Which risks were not anticipated, but occurred?
• What was the actual impact to cost/schedule for each impact?
• How effective were planned risk responses in mitigating the impact
  of risks that materialized?
• How effective were the planned risk responses in reducing the
  probability of risks that did not materialize?
Change Requests
Requests for changes may be necessary to implement contingency plans
or workarounds. Workarounds are unplanned responses to risks that
were previously unidentified or to accepted risks that have potentially
larger impacts than were considered acceptable.
Change requests may also include:
• Recommended corrective actions
  These actions include contingency plans and workarounds intended
  to bring the project performance back into alignment with the
  project management plan.
• Recommended preventive actions
  These actions include steps to be taken to reduce the probability
  that a negative risk will knock project performance out of alignment
  with the project plan. Upon approval, preventive actions must be
  documented.
Requested changes that are required to implement contingency plans or
workarounds must be submitted to the Perform Integrated Change
Control process. Approved changes will be issued to the Direct and
Manage Project Execution process and the Monitor and Control Project
Work process.
Change requests are required to ensure these outcomes:
• Performance measurement baseline integrity is maintained
• Budgeted contingency reserves remain adequate as the impacts of
  risks are absorbed
• Changes are coordinated across the entire project management plan
• Spending of contingency reserves to absorb the impact of risk events
  is controlled
EXAMPLE: CHANGE REQUEST
The Capitol Flyer CEO had an epiphany, and it means a late-course change for
the Corporate Customer Satisfaction Project. With the company
encouraging online ticket purchase, he thought it would be great to offer
customers the ability to map transit options – or even arrange a car service
– from the terminal to their destination address. He wants to add this
feature, so the project manager will have to account for the impact of the
change.
To see her completed change request, see Appendix C.
Project Management Plan Updates
As the results of the Monitor and Control Risks process are reviewed,
change requests may be submitted, approved, and then reflected in the
project management plan.
If approved change requests impact Project Risk Management processes,
the project management plan must be updated. Most likely, the project
manager allocates additional budgeted activities and adds new schedule
events. It is possible that a realized risk event will cause a change to
one or more of the project baselines.
Project Document Updates
If a process or product is changed as a result of the Monitor and Control
Risks process, then the project documentation may also change. The
revised risk documents will be used in the future as the new standard.
EXERCISE: MONITOR AND CONTROL RISKS
Respond to an approved change request that generates new risks.
See Exercise 7-1, in Appendix A of this Participant Guide.
EXERCISE: FINAL SCENARIO
Develop a planned risk response using the final scenario case study.
Refer to Exercise 7-2, the Final Scenario, in Appendix A.
CLASS DISCUSSION: MEETING YOUR CURRENT RISK CHALLENGES
In your group, review the five challenges that you identified on the first
morning of the class.
• As a group, reflect on each challenge.
• Then each person will use self-stick notes to document how he or she will address the challenges, using learnings from the class.
  - Write one solution per self-stick note.
  - There is no limit to the number of self-stick notes per challenge you
    may create!
  - Address as many challenges as you can.
• One person will report your team findings to the class.
Module Summary
ADDRESSING THE BUSINESS CHALLENGE
Ana has made sure every weekly status meeting includes a risk report: an
occasion to track identified risks, monitor residual risks, identify new ones,
execute response plans, and evaluate the effectiveness of those plans.
None of that makes it easy when an unpleasant surprise arrives.
She informs the team about the uncertain status of BigFish Puppets, and
together they analyze contingencies, such as costs and logistics of redoing
posters. Meantime, Ana checks in daily with the group's artistic director on
the status of the missing puppets, hoping they will turn up before the team
will have to implement a mitigation strategy.
The Monitor and Control Risks process keeps track of identified risks,
monitors residual risks, and identifies new risks. The Monitor and
Control Risks process is an ongoing process for the life of the project.
The Monitor and Control Risks process uses:
• Work performance information
• The project management plan to specify how the Monitor and
  Control Risks process needs to be performed
• The risk register (and its associated risk response plans and risk
  trigger information)
• Approved change requests, which may result in changes or additions to
  the identified risks
Appendix A
Exercises
Exercise Table of Contents
Exercise 2-1: Determine Stakeholder Risk Tolerance
Exercise 2-2: Develop a Risk Management Plan
Exercise 3-1: Identify Project Risks
Exercise 4-1: Assess and Rank Risks
Exercise 5-1: Apply a Perform Quantitative Risk Analysis Tool
Exercise 6-1: Select Appropriate Risk Responses
Exercise 7-1: Monitor and Control Risks
Exercise 7-2: Final Scenario
Exercise 2-1: Determine Stakeholder Risk Tolerance
Exercise Description
SummerFest is a case study that is used for practice exercises in this and other project management courses. SummerFest is an annual community fair that includes carnival rides, food concessions, and other attractions that raise money for local charities while providing family fun and boosting community spirit. SummerFest is a fictional event, but it is based in part on research into fairs that are traditional events in many New England communities.
In the case study, SummerFest is treated as a multifaceted project, and it affords many opportunities to apply the principles of project management.
This practice exercise introduces you to the SummerFest case study. Subsequent course practice exercises are based upon the SummerFest case study, so it is important for you to become very familiar with this case study.
The PMBOK® Guide, Fourth Edition, states that the objectives of Project Risk Management are “to increase the probability and impact of positive events, and decrease the probability and impact of negative events in the project.”
Risk management can be affected by various aspects of an organization's culture, such as expectations and behaviors, resistance, and optimism. As you read the case study materials, pay close attention to the project organization and how each group contributes to the project.
The goals of this exercise are to:
• Introduce and familiarize you with the course case study
• Perform a brief “stakeholder analysis” to determine who the significant stakeholders are, and what their attitude toward risk is
• Relate the contents of the case study to the inputs to the risk management planning process
Materials
• Project Charter
• Project Scope Statement
• Work Breakdown Structure
• Risk Tolerance Matrix Template
Participant Procedure
1. Read the case study materials listed above.
As you read the project charter and project scope statement, look for elements that represent sources of risk. You may take notes.
Focus on the project objectives and deliverables, especially items related to technical complexity, using procurement, or for which the organization has a weak or empty track record. Consider resources with unproven or shaky performance history, and the lists of project assumptions, constraints, and issues.
2. As you read, perform a “stakeholder analysis” for the course case study. Consider stakeholders who will contribute to the project and who are affected by the project.
In the risk tolerance matrix template, compile a list of significant stakeholders. Identify people by name or role. In the appropriate column, note each person’s relation to the project.
For each of these stakeholders, consider the person’s apparent attitude toward risk. Is the stakeholder risk tolerant, a risk taker, or risk averse? Enter this information in the appropriate column on the template.
Finally, in the reason column, enter information which explains or exemplifies why you identified each person as risk tolerant, a risk taker, or risk averse.
3. Compare your answer with the suggested solution provided.
Summary
Project Risk Management is a proactive process that lets you identify risks that may occur during the life of the project and prepare to address them.
Failing to use Project Risk Management can cause two kinds of negative consequences:
• Failure to meet project objectives
• Missed opportunities to exceed project objectives
Project Charter
Project Name: SummerFest parade
Project Number: 12-1024
Project Justification
Attendance has been declining during the Saturday of SummerFest town fair. A parade on the Saturday morning of SummerFest can draw more people to the fair; that will boost attendance and generate additional revenues.
Project Description
Parade to run through town streets, with participants to include local and marching bands, civic and community groups, and other performers to be identified.
Objectives and Success Criteria
Draw more people to SummerFest on Saturday
Get local marching bands, performers and civic/community groups to participate
Recruit some well-known performers to attract audience
Project Requirements
Generate additional revenue for SummerFest town fair, and keep costs down to maximize profit.
Anticipated Risks
Weather might cancel parade
No guarantee that parade produces additional revenue for SummerFest
Functional Organizations
| Organization | Participation |
| --- | --- |
| Citizens Collaborative | Manage, coordinate, volunteer |
| Board of Selectmen | Initiate project, authorize use of town streets |
| Police Department | Approve and advise on street/parking restrictions |
| Shriners Club | Parade participants and consultation |
Approval requirements
City officials to review and approve the project plan.
Project manager: Ana Cruz
Authority level
The project manager will convene and run project meetings to define, document and execute all tasks necessary to successfully complete the SummerFest satellite parking project. The project manager will act as the liaison between Citizens Collaborative, the shuttle service provider, and all town offices.
Project sponsor: Hannah Foster
Summary milestones
Kickoff meeting: February
Organize project team: February
Get town approval: March
Set budget: April
Finalize parade line-up: May
Summary budget
| Expenditure type | Cost in dollars |
| --- | --- |
| Grand Marshal | $250 |
| Headline performer | $350 |
| Signs | $200 |
| Traffic management (police) | $500 |
| Publicity | $800 |
Project Scope Statement
Project Name: SummerFest parade
Project number: 12-1024
Project Manager: Ana Cruz
Business case
Add a parade to the Saturday morning of SummerFest town fair as a way to boost attendance and generate additional revenues on a day where the numbers have been declining for the last three years
Objectives
Increase Saturday attendance at SummerFest town fair by 50% over last year's attendance numbers
Recruit a mix of marching bands, performers and civic/community groups to participate
Attract audience from throughout region by recruiting well-known performers
Generate additional revenue for SummerFest through increased attendance
Keep costs under $2.5k to maximize revenue gain
Scope Description
One-hour parade to take place the Saturday morning of SummerFest town fair. Parade route to run through town streets, beginning at Church and Main Streets and ending at fairgrounds. Participants to include local bands and marching bands, civic and community groups, and other performers to be identified. Parade staff will consist of volunteers; parade tasks will be managed by Citizens Collaborative staff and board members. Project team will recruit one "marquee" performance group (paid) to increase audience draw.
Acceptance Criteria
Project plan to be reviewed and approved by Citizens Collaborative BOD prior to submitting to town selectmen and town officials for approval.
Town selectmen, town police, and emergency services will review and approve plan.
Project plan
Risk plan and assessment
Scope statement
Parade route
Line-up/marching order
Permits & participant contracts
Recruitment of volunteers
Recruitment of marching participants
Exclusions
Selection of Grand Marshal and Honorees
Acquisition of liability insurance
Judging of floats, and bands
Managing the audit process; will participate if required
Constraints
Parade must take place the Saturday morning of SummerFest town fair, June XX
Parade route must begin and end at or near town park
Assumptions
Parade performers will volunteer their participation, with no added costs
Enough performers will participate that the event will draw an audience
Project team will be able to engage enough volunteer staff to manage event
Town will agree to necessary street closings
Risks
Bad weather might cause cancellation of parade
Parade might pull people away from town fair, rather than drawing them in
Crowd control if event draws more than expected
Milestones
Finalize parade route - March 4
Receive town approval - March 11
Finalize budget - April 10
Finalize lineup - May 4
Begin publicity campaign - May 8
Budget
$2,500
Work Breakdown Structure
SummerFest parade
1. Recruit/select participating acts
1.1. Bands
1.2. Performers
1.3. Community groups
1.4. School groups
2. Develop parade route
2.1. Parking restrictions
2.2. Street closings
2.3. Route map
2.4. City Reviews
3. Permits & approvals
3.1. Town permits
3.2. Insurance waivers for participants
3.3. Street closings
4. Public safety
4.1. Traffic
4.2. First aid/medical
4.3. Security
4.4. Emergency Procedures
4.5. Volunteer safety orientation
5. Schedule/line-up
5.1. Marching orders
5.2. Staging area
5.3. End-of-parade marshaling area
6. Publicity
6.1. Radio
6.2. Newspaper
6.3. Signage
6.4. Sponsorships
7. Planning
7.1. Theme
7.2. Budget
7.3. Grand Marshal
7.4. Volunteers
8. Project management
8.1. Development of project plan
8.1.1. Project initiation
8.1.2. Project planning
8.1.3. Project execution
8.1.4. Project monitoring & control
8.1.5. Project closing
8.2. Project coordination w/city officials
8.3. Risk management plan
8.4. Lessons learned
Risk Tolerance Matrix Template
| Stakeholder Name or Role | Relationship to Project | Risk Tolerance Level? | Reason for Risk Tolerance Level |
| --- | --- | --- | --- |
| | | | |
Exercise 2-2: Develop a Risk Management Plan
Exercise Description
Grounded in the knowledge of her stakeholders' risk tolerance, Ana is prepared to consider how the team can best manage risks - both to mitigate threats, and pounce on opportunities. At the next leadership meeting, Ana proposes that risk planning be part of their weekly meeting. Some of that amounts to simple maintenance: regular review of the risk register. Most, though, is advance planning: she proposes that the leadership team focus early to develop a qualitative risk analysis process; decide on scaling for impact and probability; plan budget and engagement strategy for contingencies; and designate individual leaders to support Ana by monitoring certain key risks.
The team is on board with Ana's suggestions, eager to stay on top of the risks involved in doing a parade. Hannah adds a suggestion of her own - because of the particular risks involved in the parade, and the number of people involved in managing risk, she requests an auditing procedure to ensure that everyone follows established procedures.
Now Ana must gather all this into a risk management plan. You will support her in this effort.
The PMBOK® Guide, Fourth Edition, defines Plan Risk Management as “The process of deciding how to conduct risk management activities for a project.”
The risk management plan, a key deliverable of the Plan Risk Management process, is developed to create a roadmap for the ways the project team and the project manager will deal with risk processes; roles and responsibilities; timing and budget for risk management; and analyzing and controlling risks.
You will develop four sections of the risk management plan and you will review several sections which have been completed for you.
Materials
• Case Study Materials
• Risk Management Plan Template
Participant Procedure
1. Refer to the Risk Management Plan Template.
Some sections of the template have been completed for you. Some sections will be addressed in other exercises. You will complete the following:
Section 2: Roles and Responsibilities
Section 3: Budgeting
Section 4: Timing
Section 8: Stakeholders’ Risk Tolerances
2. Review Section 1: Methodology.
Methodology describes the tools, methods, and sources of information that will be used to perform risk management, including how risks will be identified, analyzed, and categorized; how risk response plans will be prepared, implemented, and monitored; and how risk triggers will be monitored.
This section of the risk management plan has been completed for you. The processes in this section will be explained in subsequent concepts of this course.
3. Complete Section 2: Roles and Responsibilities.
In one or two sentences, define who does what during risk management activities. Specifically, document who will direct and manage risk management activities; this person may be the project manager or a designated risk manager for the project.
4. Complete Section 3: Budgeting.
Establish a contingency reserve amount to address any risks that occur during the project.
5. Complete Section 4: Timing.
Describe how often risk management activities - for example, risk reviews - will be performed and when they will take place within the project schedule. Consider how this will be affected by project risks actually being triggered.
6. Complete Section 8: Stakeholders’ Risk Tolerances.
Identify the key stakeholders.
Describe the risk tolerances of the SummerFest project stakeholders.
Rate each stakeholder's risk tolerance as:
• Risk avoider
• Risk tolerant
• Risk taker
It is helpful to illustrate stakeholders’ risk tolerances by example, such as “The chamber of commerce president wants to preserve the town’s reputation for leaving businesses alone (risk averse).”
Note: Generally, stakeholders’ tolerances are identified through discussions and interviews with the stakeholders. For the purposes of this exercise, you need to develop a guess about the stakeholders’ tolerances based on their roles in the SummerFest case study.
7. Review the remaining sections of the risk management plan, which have been completed for you:
Section 5: Risk Categories
Section 9: Reporting Formats
Section 10: Tracking
Note that some sections will be addressed later in the course:
Section 6: Definitions of Risk Probability and Impact
Section 7: Probability and Impact Matrix with initial Risk Rating List
8. Compare your answer with the suggested solution provided.
Summary
In this exercise you have become familiar with the components of the risk management plan for the course case study. You will gain more understanding of these components during the course.
There is value in thinking through these elements before actually undertaking risk management activities. The plan becomes the “impersonal boss” that the team can refer to when getting caught up in emotion-based decision making. As the Project Risk Management processes are performed, and new thresholds and methodologies are established, these are fed back into the risk management planning process, and the risk management plan is updated.
Some large projects may use a risk tracking database to automate tracking risks. However, the tool is not nearly as important as the process and the discipline of revisiting risk at regular meetings.
Risk Management Plan Template
Section 1: Methodology
| Process | Task | Participants |
| --- | --- | --- |
| Plan Risk Management: Define how risk will be managed for this project. | Develop and document risk plan | Ana Cruz, Marc Stuver |
| | Maintain and update plan as necessary | Marc Stuver |
| Identify Risks: Risks will be identified using a variety of techniques during the planning phase of the project. Team will identify risks and triggers at the beginning of project and on an ongoing basis, to identify any potential new risks or to eliminate risks that are no longer applicable. | Brainstorming | Project team, sponsors, Brenda Welsh |
| | Interviews | Brita Porter, Walter Stone, key participants, town officials |
| | Review documentation | Project team and sponsors |
| | Review Memorial Day parade historical information | Brita Porter, Ana Cruz |
| | Analysis of triggers | Marc Stuver, Ana Cruz |
| Perform Quantitative Risk Analysis: Conduct sensitivity analysis to determine which risks have the highest impact on project & how risks can be changed or mitigated. Brainstorm with impacted stakeholders and calculate expected value of each risk probability. | Interview key stakeholders | Marc Stuver, risk owner |
| | Brainstorming session with team members | Marc Stuver, project team |
| | Conduct sensitivity analysis | Marc Stuver, risk owner |
| | Determine how to change/mitigate risk | Marc Stuver, risk owner |
| Perform Qualitative Risk Analysis: For each identified risk, the team will determine the probability and impact, and calculate a risk score. A five-point scale for probability and impact will be used. A risk ranking table will also be created to benchmark each risk score and determine the overall project risk profile. | Probability and impact analysis | Project team, Marc Stuver |
| | Determine risk score | Marc Stuver, Ana Cruz, risk owner |
| | Develop a risk ranking table | Marc Stuver, Ana Cruz, risk owner |
| | Risk profile | Marc Stuver, Ana Cruz, risk owner |
| Plan Risk Response: For each identified risk, a risk owner will be assigned, who has primary responsibility of mitigating the risk. The risk owner is also responsible for developing a risk response plan and contingency plan, in the event that the risk response fails or does not mitigate the risk to the acceptable threshold level. | Assign risk owners | Risk owner, Marc Stuver, Ana Cruz |
| | Develop a response strategy | Risk owner, Marc Stuver, Ana Cruz |
| | Develop a contingency strategy | Marc Stuver, risk owner |
| | Review and update strategy as needed | Marc Stuver, risk owner |
| Monitor and Control Risks: All identified risks will be documented and scored, then prioritized based on risk score. All risks rated High or Very High will be reviewed daily; Medium rated risks will be reviewed weekly. Any risk triggers that take effect should be brought to the attention of the project manager ASAP. | Daily review of High and Very High risks | Marc Stuver, Ana Cruz, risk owners |
| | Weekly review of Medium risks | Marc Stuver, Ana Cruz, risk owners |
| | Report risk triggers change to PM | Marc Stuver, Ana Cruz, risk owners |
Section 2: Roles and Responsibilities
| Role | Responsibilities |
| --- | --- |
| Project Manager | |
| Team Member Assigned to Manage a Risk | |
| Internal Stakeholders | |
| External Stakeholders | |
Section 3: Budgeting
Risk Management Activities
| Activity | Budget |
| --- | --- |
| | |
Contingency Reserves
| Description | Budget |
| --- | --- |
| | |
Section 4: Timing
| Activity | Phase/Date |
| --- | --- |
| | |
Section 5: Risk Categories
Once all risks have been identified, we will develop risk categories to logically organize the risks. The categories of risk include, but are not limited to:
Technical
Organizational
External
Project Management
Environmental
Communications
Safety
Scope
Time
Cost
Quality Requirements
Resource Availability
Labor Availability
This list should not preclude the creation of additional categories, if project risks merit new categories.
Section 6: Definitions of Risk Probability and Impact
Probability
| Very Low | Low | Moderate | High | Very High |
| --- | --- | --- | --- | --- |
| | | | | |
Impact
| Project Objective | Very Low | Low | Moderate | High | Very High |
| --- | --- | --- | --- | --- | --- |
| Cost | | | | | |
| Time | | | | | |
| Scope | | | | | |
| Quality | | | | | |
Section 7: Probability and Impact Matrix
Risk Rating List
| Value of P | Value of I | Risk Score | Risk Description | Risk Rating | Risk Response Strategy |
| --- | --- | --- | --- | --- | --- |
| | | | | | |
Probability and Impact Matrix
| Probability | Threats | Opportunities |
| --- | --- | --- |
| | | |
Section 8: Revised Stakeholders’ Risk Tolerances
| Stakeholder | Normal Risk Tolerance | Current Project Risk Tolerance |
| --- | --- | --- |
| | | |
Section 9: Reporting Formats
| Report | Format |
| --- | --- |
| Risk Register/Database | Risk ID, risk category, risk description, risk originator, risk owner, last updated, probability score, impact score, risk score, risk status (new, open, mitigation plan created, mitigation plan approved, completed, re-opened), trigger, mitigation strategy, contingency strategy |
| High Risk Report (daily) | Only High or Very High risks reported - risk ID, risk category, risk description, risk originator, risk owner, last updated, probability score, impact score, risk score, risk status (new, open, mitigation plan created, mitigation plan approved, completed, re-opened), trigger, mitigation strategy, contingency strategy |
| Weekly Risk Report | Only Medium risks reported - risk ID, risk category, risk description, risk originator, risk owner, last updated, probability score, impact score, risk score, risk status (new, open, mitigation plan created, mitigation plan approved, completed, re-opened), trigger, mitigation strategy, contingency strategy |
Section 10: Tracking
| Process | Auditing Procedure |
| --- | --- |
| Plan Risk Management | Independent auditor, contracted by Citizens Collaborative BOD, to review the plan and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action |
| Identify Risks | Independent auditor, contracted by Citizens Collaborative BOD, to review the Identify Risks process and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action |
| Perform Qualitative Risk Analysis | Independent auditor, contracted by Citizens Collaborative BOD, to review the qualitative risk analysis process and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action |
| Perform Quantitative Risk Analysis | Independent auditor, contracted by Citizens Collaborative BOD, to review the Perform Quantitative Risk Analysis process and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action |
| Plan Risk Responses | Independent auditor, contracted by Citizens Collaborative BOD, to review the Risk Response plan and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action |
| Monitor and Control Risks | Independent auditor, contracted by Citizens Collaborative BOD, to review the Monitoring and Control process and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action |
Exercise 3-1: Identify Project Risks
Exercise Description
The PMBOK® Guide, Fourth Edition, defines Identify Risks as “The process of determining which risks may affect the project and documenting their characteristics.”
In this exercise, you will identify SummerFest risks and place them in categories. You will document which project objectives, such as scope, cost, schedule, and quality, may be affected by the risk.
Next you will identify the risks with highest probability of occurrence and highest impact. You will describe the potential impact of top risks on the project.
Finally, you will analyze one risk using a cause-and-effect diagram.
During this process, you may begin to identify possible responses to risks. You may consider how a list of typical risk categories can be tailored to the SummerFest project.
Materials
• Risk Screening Checklist Template
• Initial List of Project Risks Template
• Cause-and-Effect Diagram Template
Participant Procedure
1. Complete the Risk Screening Checklist Template, which identifies potential risk categories. Create a list of as many risks as possible associated with the case study.
Review the case study materials, focusing on anything that might cause a risk. A good place to start is with the assumptions documented in the project scope statement, as assumptions are a likely place for risk to “nest.” Consider project constraints also.
2. Complete the Initial List of Project Risks Template.
Using the risks on your Risk Screening Checklist, identify the top 10 risks for further attention. “Top” risks have a high probability of occurring, a high impact on the project, or both high probability and high impact. Use the following format: As a result of [cause], [risk event] could occur, which would lead to [impact].
Tip: When identifying impact on the project, it is useful to consider the areas of Scope, Cost, Schedule, or Quality.
For each top risk, make an entry in the Category column. Use a category from the Risk Screening Checklist or tailor the category description to the SummerFest project.
3. Finally, analyze a single risk for its causes, using the cause-and-effect (or fishbone, or Ishikawa) diagram. Use the risk “Goal of increasing attendance by 50% not achieved”.
As you identify root causes, you may consider initial responses. The results from this exercise will be used in subsequent risk management activities.
4. Compare your answer with the suggested solution provided.
Summary
The Identify Risks process determines which risks might affect the project and documents their characteristics. Participants in this process include the project manager, the stakeholders, risk management experts, and even customers. Identify Risks is an iterative process, and new risks may surface as the project progresses through its lifecycle.
Risk Screening Checklist Template
Create a list of as many risks as possible associated with the case study.
A. Scope
B. Budget
C. Time
D. Resource
E. Organizational
F. Location
G. Business
H. Financial
I. Safety
J. Training
Initial List of Project Risks Template
After you have created a list of as many risks as possible associated with the case study, reduce your list to the top 10 risks. Use the following format: As a result of [cause], [risk event] could occur, which would lead to [impact].
In the Category column, enter a category such as Technical, External, Organizational, or Project Management.
List of Identified Risks | Category
1. ____________________ | __________
2. ____________________ | __________
3. ____________________ | __________
4. ____________________ | __________
5. ____________________ | __________
6. ____________________ | __________
7. ____________________ | __________
8. ____________________ | __________
9. ____________________ | __________
10. ____________________ | __________
Cause-and-Effect Diagram Template
Exercise 4-1: Assess and Rank Risks
Exercise Description
In this exercise you will assess and rank the risks you identified in a previous exercise as a way to determine which risks are most critical and need further analysis and/or risk response planning. You will use a Risk Register Worksheet to document your assessment of individual risks.
Materials
Risk Probability & Impact Tables
List of identified risks from previous exercise
Risk Rating List Template
Risk Register Worksheet Template
Identify Risks and Analysis Worksheet Template
Participant Procedure
1. Using the list of risks you identified in the previous exercise, create an initial risk rating list using the template provided.
Determine P and I and calculate RS (risk score) for each of the top risks you have identified. Use the Risk Probability & Impact Tables.
Based on the risk score, rate the risk as high, moderate, or low.
Leave Risk Response Strategy blank - this will be covered in a subsequent exercise.
2. For your highest risk item, fill out a risk register worksheet using the template provided. Use your judgment to propose initial preparatory and contingency plans based on the information currently available.
3. Using the Identify Risks and Analysis Worksheet template provided, assign a category to each risk, and provide a brief description as well as a comment about the assumptions and basis behind the risk. [NOTE: This template is merely multiple copies of the top section of the risk register worksheet.]
4. Compare your answer with the suggested solution provided.
Summary
Rating risks is a key task of Project Risk Management. Prioritization should not happen while risks are being identified, but only through analysis. By resolving risk scores into three prioritized ratings, the project manager streamlines risk management practices so that only high risks receive rigorous treatment. Low risks may receive no more than periodic monitoring. The initial list of rated risks is the core of the risk register, which is elaborated and revised over the life of the project.
Risk Probability & Impact Tables
Risk Probability Table
Term of Probability | Value
Very low | 10% (0.1)
Low | 30% (0.3)
Moderate | 50% (0.5)
High | 70% (0.7)
Very high | 90% (0.9)
Risk Impact Table
Value of I | Impact to the Project | Cost Thresholds | Schedule Thresholds
1 | Minimal or no cost, unimportant schedule consequences | <$25k | No baseline extension
3 | Small reduction in desired cost and schedule results | $25k-$49k | < 5 day baseline delay
5 | Some reduction in desired cost and schedule results | $50k-$99k | 6-29 day baseline delay
7 | Significant degradation in cost and schedule results | $100k-250k | 30-59 day baseline delay
9 | Desired cost and schedule results cannot be achieved | >$250k | >60 day baseline delay
Risk Rating List Template
Value of P | Value of I | Risk Score | Risk Description | Risk Rating | Risk Response Strategy
Risk Register Worksheet Template
The Risk Register Worksheet is completed gradually over the life of the project, and is updated as needed. Below this Risk Register Worksheet, the top section of the document is reproduced multiple times under the heading Identify Risks and Analysis Worksheet Template.
In this exercise, use the Identify Risks and Analysis worksheet to capture information that can be transferred to full Risk Register Worksheets.
Risk Register
Project:
Identify Risks & Analysis
Identified Project Risk: P I RS Risk Category
Description of Identified Risk:
Assumptions/Basis:
Plan Risk Responses
Strategy:
Opportunity: Exploit Share Enhance Accept
Threat: Avoid Transfer Mitigate Accept
Trigger measure to be monitored, and source:
Threshold condition:
Potential secondary risks (risks arising from implementing this plan):
Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):
Preparatory Plan: Actions to take before risk materializes
Plan Description: Who Performs
Cost / Sched Impact
Date Due
Contingency Plan: Actions if the risk is triggered
Plan Description: Who Performs
Cost / Schedule Impact
Risk Owner:
Identify Risks and Analysis Worksheet Template
Identified Project Risk: P I RS Risk Category
Description of Identified Risk:
Assumptions/Basis:
Identified Project Risk: P I RS Risk Category
Description of Identified Risk:
Assumptions/Basis:
Identified Project Risk: P I RS Risk Category
Description of Identified Risk:
Assumptions/Basis:
Identified Project Risk: P I RS Risk Category
Description of Identified Risk:
Assumptions/Basis:
Identified Project Risk: P I RS Risk Category
Description of Identified Risk:
Assumptions/Basis:
Exercise 5-1: Apply a Perform Quantitative Risk Analysis Tool
Exercise Description
At every team meeting for the SummerFest parade project, there's an elephant in the room - the possibility that bad weather could force cancellation, and thereby thwart their efforts to draw more people to SummerFest and increase Saturday revenues.
Ana has raised the issue a couple of times, but the leadership team hasn't engaged it. Ana decides it's time. "It's our most serious risk," she tells them. "We have to acknowledge it, and determine a contingency plan." As the team brainstorms ways that parade planning could positively impact SummerFest, one simple contingency emerges: commit a fixed sum to advertising the parade, and link the parade to the SummerFest town fair in all advertising. That way, even if the parade gets washed out, the money spent on promotion will have increased awareness of SummerFest and provided some boost in fair attendance. The team agrees it's worth analyzing whether the cost of a parade would be worth the likely increase in revenues, or whether they should simply increase advertising.
Together, they work out some estimates on which to base an analysis:
Estimate | w/parade | w/out parade (adv. only)
additional cost | $2,400 | $500
est. attendance increase (good weather) | 800 | 300
est. attendance increase (bad weather) | 400 | 100
est. revenue per additional person | $10 | $10
Ana will analyze the data and report back to the team at their next meeting. You will support her in this effort.
In this exercise you will apply a Perform Quantitative Risk Analysis tool to recommend a strategy.
Materials
Decision Tree Analysis Worksheet
Decision Tree Diagram Template
Participant Procedure
1. Complete the decision tree analysis worksheet. For variables of cost and attendance, use data in the exercise description.
2. Using information in the completed worksheet, construct the decision tree.
3. Considering the outcomes of the several attendance scenarios, which is the best decision?
4. Compare your answer with the suggested solution provided.
Summary
Decision tree analysis is a Perform Quantitative Risk Analysis tool that is used when additional decision-making information associated with a potential risk response is needed. The probability factors used often reflect the risk tolerances of the individuals and/or organizations using them. Therefore, users need to consider the impact of subjectivity in the construct and use of the tool.
A very important principle to remember is that expected monetary value is a statistical assessment of project value, NOT a prediction of final value or cost.
Decision Tree Analysis Worksheet
Project: SummerFest parade
PM: Ana Cruz
Part 1: maximum attendance increase (good weather)
With parade:
Element Given Information Result
additional attendance
additional cost
additional revenue
additional profit
Without parade (advertising only)
Element Given Information Result
additional attendance
additional cost
additional revenue
additional profit
Part 2: minimum attendance increase (bad weather)
With parade:
Element Given Information Result
additional attendance
additional cost
additional revenue
additional profit
Without parade (advertising only)
Element Given Information Result
additional attendance
additional cost
additional revenue
additional profit
Conclusion:
Decision Tree Diagram Template
Exercise 6-1: Select Appropriate Risk Responses
Exercise Description
The goal of Plan Risk Responses is prevention of surprises that could negatively impact the project objectives, and the ability to take advantage of opportunities that could positively impact the project objectives.
Plan Risk Responses includes “before risk” and “after risk” plans. The risk preparation plan provides actions to mitigate, avoid, transfer, or accept risk, whereas the risk contingency plan involves actions to deal with risks should they occur.
Changing the project plan may create new risks, which may reduce the benefit of the change or even be more problematic than the risk being avoided. Such new risks arising directly from a risk response plan are called secondary risks. The impact of potential secondary risks must be considered as the risk response plan is developed.
This exercise revisits the risk register started during the Identify Risks process. Select the top three risks and create an appropriate risk response plan for each. That is, for each selected risk, develop a preparatory plan, consisting of small project plans to prepare for the risk before it occurs, and a contingency plan, which identifies steps to be taken if the risk is triggered.
Make sure that you document contractual agreements and owner responsibilities as well. Enter your plans into Risk Register Worksheets, which are part of the risk register.
Materials
List of prioritized risks (from previous exercises) that are listed on Identify Risks and Analysis forms
3 Risk Register Worksheet Templates
Participant Procedure
1. Use the prioritized list of risks from a previous exercise and select the top three risks.
2. Create appropriate risk response plans using the risk register worksheets. Document contractual agreements and owner responsibilities. When quantifying things such as the amount of resources to devote to a mitigation plan, use a deliberate rationale. Document mitigation plans.
3. Compare your answers to the sample solution provided in Appendix B.
Summary
This exercise completes the series of activities that began with the Identify Risks process and extends through the Plan Risk Responses process.
Risk Register Worksheet Templates
Risk Register
Project:
Identify Risks & Analysis
Identified Project Risk: P I RS Risk Category
Description of Identified Risk:
Assumptions/Basis:
Plan Risk Responses
Strategy:
Opportunity: Exploit Share Enhance Accept
Threat: Avoid Transfer Mitigate Accept
Trigger measure to be monitored, and source:
Threshold condition:
Potential secondary risks (risks arising from implementing this plan):
Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):
Preparatory Plan: Actions to take before risk materializes
Plan Description: Who Performs
Cost / Schedule Impact
Date Due
Contingency Plan: Actions if the risk is triggered
Plan Description: Who Performs
Cost / Schedule Impact
Risk Owner:
Exercise 7-1: Monitor and Control Risks
Exercise Description
Ana has informed the leadership team about the uncertain status of the parade's star performers, BigFish Puppets. Fortunately for them, they have diligently reviewed risk reports at every meeting. So while they don't welcome this risk trigger, they are at least prepared to handle it. They've considered contingencies for what happens if a performer - even the star performer - is a no-show.
Now, it's time to revisit those contingencies and set some in motion. You will support Ana in this effort.
When a risk event occurs that necessitates a change to the project baseline, or when there is a need to revise or authorize spending of contingency budgets, change requests are needed.
Materials
Case Study Materials
Change Request Form Template
Participant Procedure
1. Review your risk register materials for information relevant to performances.
2. Complete the project Change Request Form Template to activate contingency plans designed for the absence of a scheduled performer.
3. Compare your answer with the suggested solution provided.
Summary
In this example, the risk owner creates and requests approval for the change request and the project manager approves the change.
For large-scale projects, a separate body of individuals known as the configuration change board or Change Control Board (CCB) is often created to review all change requests through a formal change control system. They are given authority to approve or deny change requests and might consist of stakeholders, business line managers, or others who may or may not have any connection to the project.
Periodic risk reviews are the primary technique of the Monitor and Control Risks process. Additional risk response planning may be necessary if a new risk emerges, or an identified risk’s impact is larger than anticipated. Workaround plans, project change requests, updates to the risk register, and updates to the Identify Risks checklists are outputs from Risk Monitoring and Control.
Change Request Form Template
Project: SummerFest Parade
Change Request Form
Date Raised:
Customer Name: N/A Request #: Request By:
Change Name:
Description of Change:
Date Required:
Reason for Change:
Baselines Affected:
Scope/Requirements
Schedule
Budget
Quality
Change Impact Assessment
Scope:
Schedule:
Budget:
Quality Plan:
Risk Plan:
Other Impacts:
Resources Required:
Estimated Work Effort (hours):
Estimated Cost:
Other Comments:
Contingency Plan:
Plan Description Who Performs
Cost / Schedule / Quality / Scope Impact
Project Manager Acceptance Date
Exercise 7-2: Final Scenario
Exercise Description
In this business scenario, you will briefly conduct a full Project Risk Management cycle for a new market opportunity. You will identify, analyze, and develop responses for risks, creating mitigation strategies and contingency plans.
Scenario
Your company is a software development company. Your project team has theorized that a new palm-computing device would be most marketable. Senior management has reviewed the conceptual design and has given approval to begin the planning for such a product.
This new palm device will perform all the basic functions that the current palm device performs, such as schedule maintenance, database functions, calculations, etc. The “new” area of palm computing envisioned for this device is in human biofeedback. This device will be able to monitor human heart rate, respiration, and blood sugar levels. This new medical technology would eliminate the requirement of people “sticking” themselves to perform blood sugar readings. This device would be non-obtrusive to the end user, yet would be a suitable alternative for blood sugar measurement.
Your company's goal is to be the first to market with this exciting new technology, while limiting or eliminating the company’s liability.
Materials
Scenario
List of Risks Template
5 Risk Register Worksheet Templates
Participant Procedure
1. Read the scenario.
2. Identify the top eight potential risks using the above scenario.
Although you are addressing only some risks, review and consider the information on the risk management plan. Consider all aspects of the risk response plan templates.
3. Complete the Risk Register Worksheet for five of the risks you identified.
Summary
How does your handling of this scenario differ from the approach you may have taken before participating in this course?
List of Risks Template
List of Identified Risks
1. ____________________
2. ____________________
3. ____________________
4. ____________________
5. ____________________
6. ____________________
7. ____________________
8. ____________________
Risk Register Worksheet Templates
Risk Register
Project:
Identify Risks & Analysis
Identified Project Risk: P I RS Risk Category
Description of Identified Risk:
Assumptions/Basis:
Plan Risk Responses
Strategy:
Opportunity: Exploit Share Enhance Accept
Threat: Avoid Transfer Mitigate Accept
Trigger measure to be monitored, and source:
Threshold condition:
Potential secondary risks (risks arising from implementing this plan):
Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):
Preparatory Plan: Actions to take before risk materializes
Plan Description: Who Performs
Cost / Schedule Impact
Date Due
Contingency Plan: Actions if the risk is triggered
Plan Description: Who Performs
Cost / Schedule Impact
Risk Owner:
Appendix B
Solutions
Solutions Table of Contents
Exercise 2-1 Solution: Determine Stakeholder Risk Tolerance
Exercise 2-2 Solution: Develop a Risk Management Plan
Exercise 3-1 Solution: Identify Project Risks
Exercise 4-1 Solution: Assess and Rank Risks
Exercise 5-1 Solution: Apply a Perform Quantitative Risk Analysis Tool
Exercise 6-1 Solution: Select Appropriate Risk Responses
Exercise 7-1 Solution: Monitor and Control Risks
Exercise 2-1 Solution: Determine Stakeholder Risk Tolerance
Risk Tolerance Matrix
Stakeholder Name or Role | Relationship to Project | Risk Tolerance Level? | Reason for Risk Tolerance Level
Ana Cruz, Project Manager | Contributor | Risk averse | As project manager, the success or failure of the project rests on Ana, so she wants to ensure that risks are minimized.
Hannah Foster, Board Member, Citizens Collaborative | Sponsor | Risk taker | Because Hannah is the driver of this idea, she is willing to take certain risks to ensure the event is successful and it generates the extra revenues needed.
Jack North, Board Member, Citizens Collaborative | Contributor | Risk tolerant (neutral) | Jack by nature is risk averse and skeptical of the parade. Must be convinced that this will be a risk-free event.
Brita Porter, Consultant | Contributor | Risk tolerant | While providing support to the project, Brita will not be held responsible for the success or failure of the parade.
Brenda Welsh, Chairperson, Town Board of Selectmen | Approvers | Risk averse | Brenda is an elected official who is reluctant to take risks that might jeopardize her chances for re-election.
Town Selectmen | Approvers | Risk averse | Selectmen are elected officials who are reluctant to take risks that might jeopardize their chances for re-election.
Police Department | Contributors | Risk averse | The police are responsible for protecting the safety of the public and are focused on preventions, not heroics.
Shriners | Participants | Risk averse | The Shriners expect a well-behaved fun-seeking group of parade attendees who pose no issues or risks.
Duane Evans Drum & Bugle Corps | Participants | Risk averse | The drum & bugle corps expects a well-behaved fun-seeking group of parade attendees who pose no issues or risks.
Volunteers | Contributors | Risk tolerant | This group probably falls in the middle range of risk tolerance.
Parade Attendees | Affected | Risk takers | Some parade-goers, particularly teenagers, in looking for a good time, may be inclined to take risk and act irresponsibly.
Exercise 2-2 Solution: Develop a Risk Management Plan
Risk Management Plan
Section 1: Methodology
Process | Task | Participants
Plan Risk Management: Define how risk will be managed for this project. | Develop and document risk plan | Ana Cruz, Marc Stuver
 | Maintain and update plan as necessary | Marc Stuver
Identify Risks: Risks will be identified using a variety of techniques during the planning phase of the project. Team will identify risks and triggers at the beginning of project and on an ongoing basis, to identify any potential new risks or to eliminate risks that are no longer applicable. | Brainstorming | Project team, sponsors, Brenda Welsh
 | Interviews | Brita Porter, Walter Stone, key participants, town officials
 | Review documentation | Project team and sponsors
 | Review Memorial Day parade historical information | Brita Porter, Ana Cruz
 | Analysis of triggers | Marc Stuver, Ana Cruz
Perform Quantitative Risk Analysis: Conduct sensitivity analysis to determine which risks have the highest impact on project & how risks can be changed or mitigated. Brainstorm with impacted stakeholders and calculate expected value of each risk probability. | Interview key stakeholders | Marc Stuver, risk owner
 | Brainstorming session with team members | Marc Stuver, project team
 | Conduct sensitivity analysis | Marc Stuver, risk owner
 | Determine how to change/mitigate risk | Marc Stuver, risk owner
Perform Qualitative Risk Analysis: For each identified risk, team will determine the probability and impact, and calculate a risk score. A five-point scale for probability and impact will be used. A risk ranking table will also be created to benchmark each risk score and determine the overall project risk profile. | Probability and impact analysis | Project team, Marc Stuver
 | Determine risk score | Marc Stuver, Ana Cruz, risk owner
 | Develop a risk ranking table | Marc Stuver, Ana Cruz, risk owner
 | Risk profile | Marc Stuver, Ana Cruz, risk owner
Plan Risk Response: For each identified risk a risk owner will be assigned, who has primary responsibility of mitigating the risk. The risk owner is also responsible for developing a risk response plan and contingency plan, in the event that the risk response fails or does not mitigate the risk to the acceptable threshold level. | Assign risk owners | Identified risk owner, Marc Stuver, Ana Cruz
 | Develop a response strategy | Identified risk owner, Marc Stuver, Ana Cruz
 | Develop a contingency strategy | Marc Stuver, Identified risk owner
 | Review and update strategy as needed | Marc Stuver, Identified risk owner
Monitor and Control Risks: All identified risks will be documented and scored, then prioritized based on risk score. All risks rated High or Very High in the risk ranking table will be reviewed daily; Medium-rated risks will be reviewed weekly. Any risk triggers that take effect should be brought to the attention of the project manager as soon as possible. | Daily review of High and Very High risks | Marc Stuver, risk owners, Ana Cruz
 | Weekly review of Medium risks | Marc Stuver, Risk owners, Ana Cruz
 | Report risk triggers change to PM | Risk owner, Marc Stuver, Ana Cruz
Section 2: Roles and Responsibilities
Role | Responsibilities
Ana Cruz, Project Manager | Responsible for the overall risk management plan and its effective implementation throughout the project.
Marc Stuver, Project Consultant | Risk manager for project, manage the day-to-day activity for the project, consult with Ana and the risk owner.
Team Member Assigned to Manage a Risk | Each risk owner is responsible for assessing the risk and creating a risk mitigation plan for approval by the project manager. The risk owner is also responsible for presenting risk status at team meetings and recommending risk closure.
Internal Stakeholders | Participate as needed on risk activities to provide subject matter expertise. May be called on to become a risk owner.
External Stakeholders | Participate as needed on risk activities to provide subject matter expertise.
Section 3: Budgeting
Risk Management Activities
Activity | Budget
Audit expense for external audit of risk process | $500
Contingency reserve | $2,000
Contingency Reserves
Based on risk assessment and expected value/dollar impact evaluation a contingency reserve will be refined and presented to Citizens Collaborative BOD.
Section 4: Timing
Activity | Phase/Date
Complete risk plan | March 15
Approval of risk plan | March 20
Conduct Identify Risks brainstorm session | March 25
Conduct risk training session | March 30
Conduct audit of risk plan | April 30
Section 5: Risk Categories:
Once all risks have been identified, we will develop risk categories to logically organize the risks. The categories of risk include, but are not limited to:
Technical
Organizational
External
Project Management
Environmental
Communications
Safety
Scope
Time
Cost
Quality Requirements
Resource Availability
Labor Availability
This list should not preclude the creation of additional categories, if project risks merit new categories.
Section 6: Definitions of Risk Probability and Impact
Probability
Very Low | Low | Moderate | High | Very High
0.1 | 0.3 | 0.5 | 0.7 | 0.9
Impact
Project Objective | Very Low (1) | Low (3) | Moderate (5) | High (7) | Very High (9)
Cost | Insignificant increase | < 10% increase | 10-20% increase | 20-40% increase | > 40% increase
Time | Insignificant increase | < 5% increase | 5-10% increase | 10-20% increase | > 20% increase
Scope | Barely noticeable | Minor areas affected | Deliverable affected | Effect on scope unacceptable | Item is effectively useless
Quality | Quality change is barely noticeable | Minor quality impact | Quality is impacted but still within defined limits | Quality is impacted, and going out of range of defined limits | Effect on quality is unacceptable
Section 7: Probability and Impact Matrix
Risk Rating List
Value of P | Value of I | Risk Score | Risk Description | Risk Rating | Risk Response Strategy
Probability and Impact Matrix
Probability | Threats | Opportunities
Section 8: Revised Stakeholders’ Risk Tolerances
Stakeholder | Normal Risk Tolerance | Current Project Risk Tolerance
Hannah Foster, Board Member, Citizens Collaborative | Risk taker | Risk tolerant (neutral)
Jack North, Board Member, Citizens Collaborative | Risk tolerant (neutral) | Risk tolerant (neutral)
Ana Cruz, Project Manager | Risk averse | Risk tolerant (neutral)
Police Department | Risk averse | Risk averse
Shriners | Risk averse | Risk tolerant (neutral)
Section 9: Reporting Formats
Report | Format
Risk Register/Database | Risk ID, risk category, risk description, risk originator, risk owner, last updated, probability score, impact score, risk score, risk status (new, open, mitigation plan created, mitigation plan approved, completed, re-opened), trigger, mitigation strategy, contingency strategy
High Risk Report (daily) | Only High or Very High risks reported - Risk ID, risk category, risk description, risk originator, risk owner, last updated, probability score, impact score, risk score, risk status (new, open, mitigation plan created, mitigation plan approved, completed, re-opened), trigger, mitigation strategy, contingency strategy
Weekly Risk Report | Only Medium risks reported - Risk ID, risk category, risk description, risk originator, risk owner, last updated, probability score, impact score, risk score, risk status (new, open, mitigation plan created, mitigation plan approved, completed, re-opened), trigger, mitigation strategy, contingency strategy
Section 10: Tracking
Process | Auditing Procedure
Plan Risk Management | Independent auditor, contracted by Citizens Collaborative BOD, to review the plan and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action
Identify Risks | Independent auditor, contracted by Citizens Collaborative BOD, to review the Identify Risks process and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action
Perform Qualitative Risk Analysis | Independent auditor, contracted by Citizens Collaborative BOD, to review the qualitative risk analysis process and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action
Perform Quantitative Risk Analysis | Independent auditor, contracted by Citizens Collaborative BOD, to review the Perform Quantitative Risk Analysis process and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action
Plan Risk Response | Independent auditor, contracted by Citizens Collaborative BOD, to review the Risk Response plan and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action
Monitor and Control Risks | Independent auditor, contracted by Citizens Collaborative BOD, to review the Monitoring and Control process and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action
Exercise 3-1 Solution: Identify Project Risks
Risk Screening Checklist
A. Technology
New technology
Unknown or unclear technology
New application of existing technology
Modernize advanced technology in existing application
B. Time
Project schedule uncertainties or constraints that may impact project completion or milestone dates
Long lead procurement items that may affect the completion of the critical path or milestones
C. Contractor Capabilities
Potential for unavailability of qualified vendors or contractors
D. Interfaces
Significant transportation or infrastructure impacts
Multiple project interfaces
Significant interfaces with an operational facility
E. Safety
Risks to worker safety during construction
Significant contamination potential
Accidents due to new design or other non-reviewed safety questions
Involvement of hazardous material
A. Scope
As a result of poor publicity, fewer marching acts than expected have signed up to participate.
Corporate sponsors want floats that advertise their companies to be prominently positioned in the parade.
B. Budget
Unforeseen expense resulting from a first-time event.
Last-minute requirements resulting in unplanned spending.
Police and emergency services expenses grow as a result of expected increase in crowd.
C. Time
Parade exceeds the anticipated 1-hour duration.
Slower-moving marching units delay the parade.
Parade ends before SummerFest opens.
D. Resource
Volunteer recruitment numbers for parade assignment not met.
Police may be called away on emergency.
Shriners threaten to pull out of parade unless a waiver absolves them of responsibility for Greg Heinz and other drivers.
No-shows cause holes in the marching lineup.
E. Organizational/Environmental
Severe weather patterns forecast for the morning of the parade.
Performers not satisfied with their position in the marching order.
Key act pulls out: no show, the morning of the parade.
F. Location
Staging areas for assembly and dismissal of parade participants not large enough.
G. Business
Parade doesn't generate anticipated increase in fairgoers.
Parade is considered too amateurish and attendees begin leaving before the parade ends.
H. Financial
Expenses exceed anticipated revenue increase at SummerFest town fair.
I. Safety
Shriners don’t practice safe driving skills of the miniature vehicles.
Crowds difficult to manage because of size could become safety hazard.
Teenagers become rowdy.
Traffic accident with one of the floats.
J. Training
Training will not be available for all volunteers.
Initial List of Project Risks
List of Identified Risks | Category
1. As a result of poor publicity, fewer marching acts than expected will participate, resulting in a disappointing experience for parade attendees. | Scope
2. As a result of large crowds, it may become difficult to control parade attendees, resulting in safety hazards. | Safety
3. As a result of other emergencies in town, the police may have to leave the parade to respond, causing traffic and crowd control issues during the parade. | Resources
4. As a result of not enough space for proper staging, assembly, and dismissal of parade participants, confusion and crowded conditions can result in delays in the parade. | Location
5. As a result of key acts pulling out of the parade at the last minute or not showing, causing disruption in the parade's schedule of events, resulting in disappointment for parade attendees and an impression of a poorly organized event. | Organizational
6. As a result of not increasing revenues, parade expenses could cause decreased SummerFest profitability, resulting in less funding available for town charities. | Financial
7. As a result of a severe weather forecast, fewer people may come to the parade, resulting in a reduced turnout for the SummerFest town fair. | Environmental
8. As a result of the parade exceeding 1 hour, parade attendees may decide to skip the SummerFest town fair, resulting in lost revenue. | Time
9. As a result of not signing a waiver protecting their drivers from liability, the Shriners may pull out of the parade, resulting in the loss of a top attraction. | Resource
10. As a result of low volunteer turnout, activities may have to be cut back, resulting in parade attendee dissatisfaction and possible safety issues. | Resource
Cause-and-Effect Diagram
[Figure: cause-and-effect (fishbone) diagram]
Effect: Goal of increasing attendance by 50% not achieved
Cause categories: External Causes, Publicity, Policies/Procedures, Safety, People
Causes shown:
Rainy weather kept crowds away
Other town had a competing fund raising event.
Advertising started too late, reached limited audience
Insufficient funding for publicity campaign
Poor change control process
Project scope shifting, parade was much bigger than originally planned
Teenagers were rowdy at the end of the parade
Not enough volunteers
Exercise 4-1 Solution: Assess and Rank Risks
Risk Rating List
Value of P | Value of I | Risk Score | Risk Description | Risk Rating | Risk Response Strategy
0.7 | 7 | 4.9 | As a result of poor publicity, a smaller number of marching acts than expected sign up to participate. | High | Mitigate
0.5 | 9 | 4.5 | Severe weather patterns forecast for parade day. | High | Accept
0.4 | 5 | 2.0 | Large crowds, difficult to manage, could become a safety hazard. | Low | Mitigate
0.4 | 9 | 3.6 | Police, traffic, and crowd control may be called away on emergency. | Medium | Avoid
0.5 | 9 | 4.5 | Key marquee act pulls out: no-show, the morning of the parade. | High | Mitigate
0.3 | 3 | 0.9 | Parade is considered too amateurish and attendees begin leaving before the parade ends. | Low | Avoid
0.7 | 5 | 3.5 | Corporate sponsors want floats that advertise their companies to be prominently positioned in the parade. | Medium | Mitigate
Risk Register Worksheet Project:
Identify Risks & Analysis
Identified Project Risk | P | I | RS | Risk Category
Poor Publicity | .7 | 7 | 4.9 | Scope
Description of Identified Risk:
As a result of poor publicity, a smaller number of marching acts than expected sign up to participate, resulting in limited entertainment for the parade.
Assumptions/Basis:
Funding was sufficient for publicity campaign.
Plan Risk Responses
Strategy:
Opportunity: Exploit Share Enhance Accept
Threat: Avoid Transfer Mitigate X Accept
Trigger measure to be monitored, and source: 25 bands and acts committed by April 1
Threshold condition: < 25 bands or acts committed to participate
Potential secondary risks (risks arising from implementing this plan):
Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):
Preparatory Plan: Actions to take before risk materializes
Plan Description | Who Performs | Cost / Schedule Impact | Date Due
Launch publicity campaign directed at recruiting local organizations and bands: radio, TV, and newsprint | Comm. Director | $800 | March 1
Monitor sign up of participating bands and organizations | Ana Cruz | TBD | April 1
Assess actual to plan | Ana Cruz | TBD | April 8
Contingency Plan: Actions if the risk is triggered
Plan Description | Who Performs | Cost / Schedule Impact
Step up publicity campaign | Comm. Dir. | $1,000
Visit local schools and civic organizations to recruit | Ana Cruz |
Review weekly to see if target has been reached | Ana Cruz | TBD
Risk Owner:
Identify Risks and Analysis Worksheet
Identified Project Risk | P | I | RS | Risk Category
Not enough bands or acts sign up | .7 | 7 | 4.9 | Scope
Description of Identified Risk:
As a result of poor publicity, fewer marching acts than expected will participate, resulting in a poor parade experience for attendees.
Assumptions/Basis:
Sufficient funding for publicity
Identified Project Risk | P | I | RS | Risk Category
Severe weather patterns forecast for parade day | .5 | 9 | 4.5 | Environmental
Description of Identified Risk:
As a result of a forecast for severe weather during the parade, fewer parade goers may come to the parade, resulting in a reduced turnout for the SummerFest.
Assumptions/Basis:
Identified Project Risk | P | I | RS | Risk Category
Key marquee act pulls out: no-show, morning of parade | .5 | 9 | 4.5 | Organizational
Description of Identified Risk:
As a result of a marquee act pulling out of the parade at the last minute, causing disruption in the parade's schedule of events, resulting in disappointment for parade attendees and an impression of a poorly organized event.
Assumptions/Basis:
All acts will honor their commitment when they agree to perform in the parade.
Identified Project Risk | P | I | RS | Risk Category
Police, traffic, and crowd control may be called away based on another emergency. | .4 | 9 | 3.6 | Resources
Description of Identified Risk:
As a result of other emergencies in town, the police may have to leave the parade to respond, causing traffic and crowd control issues during the parade.
Assumptions/Basis:
Police and emergency resources will be available and dedicated.
Identified Project Risk | P | I | RS | Risk Category
Corporate sponsors want additional floats that advertise their companies to be prominently positioned in the parade. | .5 | 7 | 3.5 | Scope
Description of Identified Risk:
As a result of not providing space for corporate sponsor floats, sponsors may pull sponsorship for the parade; this can result in the loss of sponsorship fees and continued support.
Assumptions/Basis:
Exercise 5-1 Solution: Apply a Perform Quantitative Risk Analysis Tool
Decision Tree Analysis Worksheet
Project: SummerFest parade PM: Ana Cruz
Part 1: Maximum Attendance Increase (good weather)
With parade:
Element Given Information Result
Additional Attendance 800 people
Additional Cost $2,400
Additional Revenue $10 X 800 people $8,000
Additional Profit $8,000 - $2,400 $5,600
Without parade (advertising only)
Element Given Information Result
Additional Attendance 300 people
Additional Cost $500
Additional Revenue $10 X 300 people $3,000
Additional Profit $3,000 - $500 $2,500
Part 2: Minimum Attendance Increase (bad weather)
With parade:
Element Given Information Result
Additional Attendance 400 people
Additional Cost $2,400
Additional Revenue $10 X 400 people $4,000
Additional Profit $4,000 - $2,400 $1,600
Without parade (advertising only)
Element Given Information Result
Additional Attendance 100 people
Additional Cost $500
Additional Revenue $10 X 100 people $1,000
Additional Profit $1,000 - $500 $500
Conclusion: Rain will certainly eat into profits with or without a parade, but even if it rains you will increase
attendance and increase profits after upfront costs.
Decision Tree Analysis Diagram
[Figure: decision tree]
Decision: Increase SummerFest Profits: Parade or No parade?
With the Parade (cost $2,400):
70% Fair weather: Profit = ($10 X 800) - $2,400 = $5,600
30% Rain: Profit = ($10 X 400) - $2,400 = $1,600
Without the Parade (advertising only, cost $500):
70% Fair weather: Profit = ($10 X 300) - $500 = $2,500
30% Rain: Profit = ($10 X 100) - $500 = $500
EMV (With Parade) = (70% X $5,600) + (30% X $1,600) = $4,400
EMV (Without Parade) = (70% X $2,500) + (30% X $500) = $2,425
Exercise 6-1 Solution: Select Appropriate Risk Responses
Risk Register Worksheet Templates
Project:
Identify Risks & Analysis
Identified Project Risk | P | I | RS | Risk Category
Marquee performer cancels appearance at parade | .5 | 9 | 4.5 | Organizational
Description of Identified Risk:
As a result of a marquee act pulling out of the parade at the last minute, causing disruption in the parade's scheduled lineup and mass appeal, attendees could be disappointed and have the impression of a poorly organized event.
Assumptions/Basis:
All acts will honor their commitment when they agree to perform in the parade.
Plan Risk Responses
Strategy:
Opportunity: Exploit Share Enhance Accept
Threat: Avoid Transfer Mitigate X Accept
Trigger measure to be monitored, and source: Notification from performing acts
Threshold condition: No confirmation within a week of the parade
Potential secondary risks (risks arising from implementing this plan): Promotional material needs updating.
Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):
Preparatory Plan: Actions to take before risk materializes
Plan Description | Who Performs | Cost / Schedule Impact | Date Due
Get signed letter of commitment | Hannah Foster | N/A | May 1
Identify backup act to replace marquee act | Hannah Foster | TBD | May 15
Confirm appearance | Hannah Foster | TBD | June 7
Contingency Plan: Actions if the risk is triggered
Plan Description | Who Performs | Cost / Schedule Impact
Redesign and reprint posters and advertising | Ana Cruz | $300.00
Contact backup act and schedule them into the parade | Hannah Foster | TBD
Risk Owner: Hannah Foster
Exercise 7-1 Solution: Monitor and Control Risks
Change Request Form
Project: SummerFest parade
Change Request Form
Date Raised: June 7
Customer Name: N/A
Request #: 0099
Request By: Hannah Foster
Change Name: Replacement of Marquee Act for parade
Description of Change: We need to update posters and schedules.
Date Required: ASAP
Reason for Change: The BigFish Puppets have canceled at the last minute and we are in the process of replacing them with Three Dancing Bears, a clown act.
Baselines Affected:
Scope/Requirements
Schedule
X Budget
Quality
Change Impact Assessment
Scope: No impact on project scope. Project deliverables will not change.
Schedule: No impact on project schedule. No change to project schedule.
Budget: $300 increase for updating posters and schedules. This was an identified risk and contingency funds were established.
Quality Plan: Quality plan will not be impacted.
Risk Plan: Update risk register and plan to reflect the change of vendors and implementation of the response strategy.
Other Impacts: Puppets were a big favorite for families. As a well-regarded clown act, Three Dancing Bears should make an excellent replacement. Should be able to maintain same projected attendance levels.
Resources Required: 8 hours of Hannah Foster and Ana Cruz’s time. Printing costs.
Estimated Work Effort (hours): 8 hours
Estimated Cost: $300.
Other Comments:
Contingency Plan:
Plan Description | Who Performs | Cost / Schedule / Quality / Scope Impact
Contact Replacement Act | Hannah Foster | Schedule
Edit Posters and Schedules | Ana Cruz | Schedule
Reprint Posters and Schedules | Hannah Foster | Cost
Distribute Posters | Hannah Foster | Schedule
Project Manager Acceptance Date
Appendix C
Job Aids
Job Aids Table of Contents
Job Aid 2-1: Risk Tolerance Matrix Sample
Job Aid 2-2: Risk Management Plan Sample
Job Aid 3-1: Sample List of Project Risks
Job Aid 3-2: Cause-and-Effect Diagram Sample
Job Aid 4-1: Risk Register Worksheet Sample
Job Aid 4-2: Risk Rating List Sample
Job Aid 5-1: Decision-Tree Analysis Sample
Job Aid 6-1: Risk Response Plan Sample
Job Aid 7-1: Change Request Sample
Job Aid 2-1: Risk Tolerance Matrix Sample
Capitol Flyer Corporate Customer Satisfaction Project
Stakeholder | Relationship to Project | Risk Tolerance Level | Reason for Risk Tolerance Level
Derek Reith, CEO | Sponsor | Risk taker | As the CEO, he sees major opportunity to increase business. His success has come from having courage to seize opportunities.
China Baker, VP Customer Service | Contributor | Risk tolerant | She recognizes this as a chance to build business, but knows it will only work if implemented well.
Tim Nishimoto, Director of Reservations | Contributor | Risk tolerant | He sees the possibilities for improvement, but wants to make sure things run smoothly in the interim.
Martin Zarcar, Director of Operations | Contributor | Risk averse | He's concerned that the project will mess up an excellent existing system.
Roberta Lauderdale, VP Sales and Marketing | Contributor | Risk taker | She sees major opportunity with corporate customers; with her, it's all upside.
Gavin Brody, VP Finance & Accounting | Affected | Risk averse | The company is making good profits; why mess with success?
Job Aid 2-2: Risk Management Plan Sample
Capitol Flyer Corporate Customer Satisfaction Project
Methodology
Process | Task | Participants
Identify Risks | Brainstorming | PM, project team, customer
 | Interviews | PM
 | Review of past projects | PM
 | Analysis of triggers | PM
Perform Quantitative Risk Analysis | Interview key stakeholders | PM, project team
 | Brainstorming sessions with team members | TBD
 | Conduct sensitivity analysis | TBD
 | Determine how to change/mitigate risks | PM, project team
Perform Qualitative Risk Analysis | Probability and impact analysis | TBD
 | Determine risk score | TBD
 | Risk ranking table |
 | Risk profile |
Plan Risk Responses | Assign risk owner to each risk |
 | Develop contingency plans |
Monitor and Control Risks | Daily review of all High/Very High risks | team
 | Weekly review of all Medium risks | team
 | Report risk triggers to PM | all
Roles and Responsibilities
Role | Responsibilities
Sponsor | Help draft project charter
 | Define business objectives
 | Review and approve key documents (scope statement, WBS, requirements, change requests, etc.)
VP Customer Service | Define business objectives
 | Assumptions and constraints
 | Review and provide feedback on key documents (scope statement, WBS, requirements, change requests, etc.)
 | Supply and interpret data from customer surveys and focus groups
VP Operations | Assumptions and constraints
 | Review and provide feedback on key documents (scope statement, WBS, requirements, change requests, etc.)
 | Act as subject matter expert on business processes
Director of Sales and Marketing | Assumptions and constraints
 | Review and provide feedback on key documents (scope statement, WBS, requirements, change requests, etc.)
 | Advocate for new system with staff
 | Plan training
Budgeting
Risk Management Activities
Activity | Budget
Develop and apply sample use cases | $5,000
Contract with marketing company to design survey and conduct anonymous focus groups | $22,000
Conduct research on vehicle and foot traffic patterns for potential point-of-origin locations | $9,000
Contingency Reserves
Organization policy suggests 10% of risk budget for contingencies. Therefore, set contingency reserve at $3,600, which is 10% of the money budgeted for risk management activities, above.
Timing
Activity | Phase/Date
Develop and apply sample use cases | planning
Contract with marketing company to design survey and conduct anonymous focus groups | execution
Conduct research on vehicle and foot traffic patterns for potential point-of-origin locations | planning
Risk Categories
Scope
Technology
Time
Cost
Interfaces
Project Complexity
Labor Availability
Quality Requirements
Definitions of Risk Probability and Impact
Probability
Very Low | Low | Moderate | High | Very High
1 | 3 | 5 | 7 | 9
Impact
Project Objective | Very Low (.5) | Low (1) | Moderate (2) | High (4) | Very High (8)
Cost | Insignificant increase | < 10% increase | 10-20% increase | 20-40% increase | > 40% increase
Time | Insignificant increase | < 5% increase | 5-10% increase | 10-20% increase | > 20% increase
Scope | Barely noticeable | Minor areas affected | Deliverable affected | Effect on scope unacceptable | Item is effectively useless
Probability and Impact Matrix
Value of P | Value of I | Risk Score | Risk Description | Risk Rating | Risk Response Strategy
7 | 4 | 28 | Reservations may not know what enhancements they want | Moderate | Mitigate
9 | 8 | 72 | Insisting on specifying all requirements up front will lead to numerous change requests later | High | Avoid
5 | 4 | 20 | Operations may be too busy to provide and review requirements | Moderate | Mitigate
3 | 4 | 12 | Surveys and focus groups may annoy customers | Low | Transfer
3 | 2 | 6 | 2nd point of origin/destination costs may exceed added revenues | Low | Accept
Revised Stakeholders’ Risk Tolerances
Stakeholder | Normal Risk Tolerance | Current Project Risk Tolerance
Derek Reith | Risk taker | Risk taker
China Baker | Risk taker | Risk tolerant
Tim Nishimoto | Risk tolerant | Risk tolerant
Martin Zarcar | Risk tolerant | Risk averse
Roberta Lauderdale | Risk tolerant | Risk taker
Gavin Brody | Risk averse | Risk averse
Reporting Formats
Report | Format
Risk Register | Multi-column table; electronic
Status Reports | Document; hard copy & email to team members
Change Requests | Electronic form
Tracking
Process | Auditing Procedure
Plan Risk Management |
Identify Risks |
Perform Qualitative Risk Analysis |
Perform Quantitative Risk Analysis |
Plan Risk Responses |
Monitor and Control Risks |
Job Aid 3-1: Sample List of Project Risks
Capitol Flyer Corporate Customer Satisfaction Project
List of Identified Risks | Category
1. As a result of operational responsibilities, reservations agents may not know what system enhancements they want, which would lead to unclear project objectives. | Scope
2. As a result of being asked to participate in surveys and focus groups, existing customers may get annoyed, which can lead to loss of business. | Quality
3. As a result of adding a 2nd point of origin/destination in both Washington, DC and Philadelphia, costs for terminal space will increase; for a time, while the new service is being established, added costs may exceed added revenues. | Cost
4. As a result of the corporate discount and "frequent flyer" individual discount initiative, the development team will need to create accounts for an unspecified number of new and existing customers; that is an area in which they lack experience. | Time, Technology
Job Aid 3-2: Cause-and-Effect Diagram Sample
Capitol Flyer Corporate Customer Satisfaction Project
Job Aid 4-1: Risk Register Worksheet Sample
Risk Register
Project: Capitol Flyer Corporate Customer Satisfaction Initiatives
Identify Risks & Analysis
Identified Project Risk | P | I | RS | Risk Category
Surveys and focus groups | 3 | 4 | 12 | Quality
Description of Identified Risk:
As a company inexperienced with conducting surveys and focus groups, we might inadvertently annoy existing customers asked to participate.
Assumptions/Basis:
Capitol Flyer will conduct the surveys and focus groups.
Participant pool will include existing customers.
Plan Risk Responses
Strategy:
Opportunity: Exploit Share Enhance Accept
Threat: Avoid Transfer X Mitigate Accept
Trigger measure to be monitored, and source:
Threshold condition:
Potential secondary risks (risks arising from implementing this plan):
Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):
Preparatory Plan: Actions to take before risk materializes
Plan Description | Who Performs | Cost / Schedule Impact | Date Due
Contract with a marketing company to design the survey and conduct the focus groups anonymously | RL | $12k |
Contingency Plan: Actions if the risk is triggered
Plan Description | Who Performs | Cost / Schedule Impact
n/a
Risk Owner: Roberta Lauderdale
Job Aid 4-2: Risk Rating List Sample
Capitol Flyer Corporate Customer Satisfaction Project
Value of P | Value of I | Risk Score | Risk Description | Risk Rating | Risk Response Strategy
7 | 4 | 28 | Reservations may not know what enhancements they want. | Moderate | Mitigate
9 | 8 | 72 | Insisting on specifying all requirements up front will lead to numerous change requests later. | High | Avoid
5 | 4 | 20 | Operations may be too busy to provide and review requirements. | Moderate | Mitigate
3 | 4 | 12 | Surveys and focus groups may annoy customers. | Low | Transfer
3 | 2 | 6 | Second point of origin/destination costs may exceed added revenues. | Low | Accept
Job Aid 5-1: Decision-Tree Analysis Sample
Capitol Flyer Corporate Customer Satisfaction Project
Job Aid 6-1: Risk Response Plan Sample
Risk Register
Project: Capitol Flyer Corporate Customer Satisfaction Initiatives
Identify Risks & Analysis
Identified Project Risk | P | I | RS | Risk Category
Surveys and focus groups | 3 | 4 | 12 | Quality
Description of Identified Risk:
As a company inexperienced with conducting surveys and focus groups, we might inadvertently annoy existing customers asked to participate.
Assumptions/Basis:
Capitol Flyer will conduct the surveys and focus groups.
Participant pool will include existing customers.
Plan Risk Responses
Strategy:
Opportunity: Exploit Share Enhance Accept
Threat: Avoid Transfer X Mitigate Accept
Trigger measure to be monitored, and source:
Threshold condition:
Potential secondary risks (risks arising from implementing this plan):
Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):
Preparatory Plan: Actions to take before risk materializes
Plan Description | Who Performs | Cost / Schedule Impact | Date Due
Contract with a marketing company to design the survey and conduct the focus groups anonymously | RL | $12k |
Contingency Plan: Actions if the risk is triggered
Plan Description | Who Performs | Cost / Schedule Impact
n/a
Risk Owner: Roberta Lauderdale
Job Aid 7-1: Change Request Sample
Project: Capitol Flyer Corporate Customer Satisfaction Initiatives
Change Request Form
Date Raised: September 21
Customer Name: N/A Request #: 3 Request By:
Change Name: door-to-door service option
Description of Change:
When they purchase a ticket online, customers can opt to enter their end destination (street address),
and receive map and transit options, including a car service to meet them at Capitol Flyer terminal.
Date Required: Oct 1
Reason for Change:
Enhanced customer service; gain additional competitive advantage
Baselines Affected:
X Scope/Requirements
Schedule
X Budget
X Quality
Change Impact Assessment
Scope: Adds an initiative to the project; this initiative will need to be scheduled, budgeted, and implemented.
Schedule: 2-week delay to full project launch (estimate pending scope review)
Budget: $25-$35k (estimate pending scope review)
Quality Plan: Perform weekly QA review of this service option throughout planning and development
Risk Plan: Weekly monitoring of budget and schedule throughout planning and development
Other Impacts:
Resources Required:
Development Team, QA
Estimated Work Effort (hours): 65 hours
Estimated Cost: $25,000
Other Comments: