1.
Project Risk Management
Compiled by
Muhammad Aleem Habib
June 25, 2013
Information derived from PMBOK & Rita Mulcahy

2.
What is Project Risk Management?
• Project risk management is actively
managing the risks on your project
• The goal of risk management is to be
more proactive and less reactive

3.
Why Risk Management
• A project manager’s work should not focus
on dealing with problems; it should focus
on preventing them.
• How would it feel to say, “No problem; we
anticipated this, and we have a plan in
place that will resolve it”.
• Performing risk management helps
prevent many problems and helps make
other problems less likely

4.
What is a Risk?
• A risk is an uncertain event that could have a positive or
negative effect on your project
• * This means there is a probability between 1-99% that
the event could occur
• If there is a 0% chance of an event occurring, there is no
risk
• (example; there is a 0% chance your project will be
adequately funded, this is not a risk, it is a reality).

5.
What is a Risk?
• If there is a 100% chance of an event occurring, this
would be an issue, not a risk
• Risks with negative consequences are called threats
• Risks with positive consequences are called
opportunities (Yes, risk can be good! Stop thinking of risk
as bad, and start thinking of it in terms of probabilities!)

6.
Risk Event Graph

7.
Types of Risk
Risks can be broken out into two primary types
1. Pure Risk (hazard)– risk with potential loss only
– ex. Fire, theft, personal injury
2. Business Risk (speculative risk) – risk with
potential loss or gain
– ex. A highly skilled employee becomes available to
work on your project, reducing your schedule time,
the tax rate changes, a new server costs less (or
more) than you budgeted for!

8.
Risk Management Process
Threats
Opportunities

9.
Project Risk Management
Knowledge
Area
Process
Initiating Planning Executing Monitoring & Contol Closing
Risk
Plan Risk Management
Identify Risk
Perform Qualitative Risk Analysis
Perform Quantitative Risk Analysis
Plan Risk Response
Monitor and Control Risks
Enter phase/
Start project
Exit phase/
End project
Initiating
Processes
Closing
Processes
Planning
Processes
Executing
Processes
Monitoring &
Controlling Processes

10.
5 Overall Project Management
Processes with Risk Management

11.
• Risk Planning – this is how you plan on conducting risk
management. You wouldn’t start managing your project
without a plan, so why would you approach risk
management that way?
• Identify Risks – this is the phase where you attempt to
identify most of your risks
• Qualitative analysis – this is a subjective analysis of
your risks that produces a risk ranking, usually in the
order of high, medium, low, or on an ordinal scale.
Rankings are by agreement of your project team,
sponsors and key stakeholders
Risk Management Processes

12.
Risk Management Processes
• Quantitative Analysis – a numerical analysis of the
probability and impact of the risk on your project
• Plan Risk Response– a course of action you will take to
deal with your risks should they go from risk to issue
• Monitor & Control Risks – monitoring your lists (there
are two lists which I will discuss later) of risks to enact a
risk response plan, to move a risk from one list to the
other, or to remove a risk because it is no longer a risk.

13.
• Uncertainty: a lack of knowledge about an event that reduces
confidence
• Risk averse: someone who does not want to take risks.
• Risk Prone – Someone who is willing to take big risk
• Risk tolerances: area of risk that are acceptable /
unacceptable.
• Risk thresholds: the point at which a risk become
unacceptable
• Risk Areas: Project Constraints (scope, time, cost, etc)
Terms & concepts

14.
Risk Factors
1. The probability the risk will occur
2. The range of possible outcomes (impact)
3. When in the project lifecycle the risk is likely to occur
(the timing);
* once the expected timeframe of the risk has passed and it
is no longer a risk, it can be removed from the risk list
4.
How often the risk is expected to occur on the project
(frequency)

15.
11.1 Plan Risk Management
• The process of defining how to
conduct risk management activities
for a project
• Important to provide sufficient
resources and time for risk
management activities, and to
establish an agreed upon basis for
evaluating risk.

16.
Plan Risk Management DFD. Figure 11-3

17.
Plan Risk Management
•How much time should we spend?
•Who will be involved?
•How should we perform risk
management?

18.
Plan Risk Management:
Tools & Techniques
• Planning Meetings and Analysis
– Project teams meet with stakeholders
– High level plans for risk management are
define in these meetings

19.
Plan Risk Management: Outputs
• Methodology Defines the tools, approaches,
and data sources that may be used to perform
risk management on the project.
• Budgeting A budget for project risk
management should be established and
included in the risk management plan.
• Role & Responsibility Defines the lead,
support, and risk management team
membership for each type of action in the risk
management plan.

20.
Plan Risk Management: Outputs
• Timing Defines how often the risk management
activities will be performed throughout the
project life cycle.
• Risk categories Documentation such as risk
breakdown structures (RBSes) or categories
from previous projects will help identify and
organize risks.
• Definitions of risk Risks and their probabilities
are probability & impact defined for use in
Qualitative Risk Analysis using a scale of ―very
Unlikely to ―almost certain.

21.
Risk Breakdown Structure
• A risk breakdown structure (RBS)
organizes potential sources of risk to the
project.
• Functioning much like a work breakdown
structure, an RBS arranges categories into
a hierarchy.
• This approach allows the project team to
define risk at very detailed levels.

22.
Risk Breakdown Structure for a
Software Development Project
Software Dev
Project
Business
Competitors
Suppliers
Cash Flow
Technical
Hardware
Software
Network
Organizational
Executive Support
User Support
Team Support
Project
Management
Estimates
Communication
Resources

23.
RBS Example

24.
Risk Profile
• A risk profile is a list of questions that
address traditional areas of uncertainty on
a project.
• These questions has been designed and
developed from the experience of past
projects.

25.
Risk Profile Questions

26.
No Category Description of Risk IMPACT
PROBA
BILITY
RISK
LEVEL
1 Resource Testing environment not available 4 B ORANGE
2 Schedule
Documentation approval took longer
time
4 A RED
Probability Impact Matrix

27.
Risk Management Plan(Contd.)
• Stakeholder tolerances – Stakeholders have a low risk
tolerance than impact is high. That information should be
taken into account to rank cost impacts higher than if the
low tolerance was in another area. Tolerances should not
be implied, but uncovered in project initiating and clarified
or refined continually.
• Reporting – Describes reports related to RM and how
they will be used and what they will include.
• Tracking – Auditing, documentation regarding RM

28.
Q: “ An uncommon state of nature,
characterized by the absence of any
information related to a desired outcome” , is
a common definition for:
A. An act of God
B. An amount at stake
C. Uncertainty
D. Risk aversion

29.
11.2 Identify Risks
• This is the phase where you work with
your team to identify as many risks as
possible.

30.
Identify Risks: Things to remember
• Identify Risks can’t be completed without the project
scope statement and Work Breakdown Structure
(WBS)
• Identify Risks happens at the onset of the project
and throughout the project
• Risks can be identified at any time and during any
phase of the project
• Risk management is an iterative process, you
should work to identify risk during any changes to
the project, working with resources, and when
dealing with issues

31.
Question ?
• Who should be involved in Risk
Identification?

32.
Identify Risk: Tools & Tech
• Documentation Reviews – including charter,
contracts, and planning documentation, can help
identify risks.
• Those involved in risk identification might look at
this documentation, as well as lessons learned,
articles, and other documents, to help uncover
risks.

33.
Identify Risk: tools & tech
• Brainstorming: One idea generates another
• Delphi technique: Expert participate
anonymously; facilitator use questionnaire;
consensus may be reached in a few rounds; Help
reduce bias in the data and prevent influence
each others.
• Interviewing: interviewing experts, stakeholders,
experienced PM
• Root cause analysis: Reorganizing the identified
risk by their root cause may help identify more
risks

34.
Identify Risk: Tools & Tech
• Checklist analysis: checklist developed based
on accumulated historical information from
previous similar project
• Assumption analysis: identify risk from
inaccuracy, instability, inconsistency,
incompleteness.
• SWOT analysis – Strengths, Weaknesses,
Opportunities, Threats

35.
Identify Risk: tools & tech
• Influence diagrams
– show the casual influences among project variables,
the timing or time ordering of events, and the
relationships among other project variables and their
outcomes.
• Cause and Effect Diagrams
• Flowcharts

36.
Output: Risk Register
• Output is initial entries into the risk
register. It includes:
– List of risk
– List of POTENTIAL responses
– Root causes of risks
– Updated risk categories

37.
Risk Register Example

38.
• Q: Risk tolerances are determined in order
to help:
A. The team rank the project risks
B. The project manager estimate the project
C. The team schedule the project
D. Management know how other managers
will act to the project

39.
11.2 Perform Qualitative Risk Analysis
• This is the phase where you rank the risks
you’ve identified from Identify Risks to come up
with a list of risks you will create plans for
dealing with

40.
Perform Qualitative Risk Analysis
• Things to remember
– Perform Qualitative Risk Analysis is subjective
– What is the probability of the risk occurring? High,
medium, low? 1-10?
– What is the impact if the risk does occur? High,
medium, low? 1-10?

41.
Tools and Techniques of
Qualitative Analysis
• Probability & Impact Matrix – a matrix that creates a
consistent evaluation of high, medium, or low for your
projects. This helps to make the risk rating process more
repeatable between projects.
• Risk Data Quality Assessment – What is the quality of
the data used to determine or assess the risk? Think
about the following
– Extent of the understanding of the risk
– Data available about the risk
– Quality of the data
– Reliability & Integrity of the data

42.
Tools and Techniques of
Qualitative Analysis
• Risk Categorization – Which of your categories has
more risk than others? Which of your work packages
could be most affected by risk?
• Risk Urgency Assessment – Which of your risks could
occur soon, or require a longer planning time? Risk
urgency assessment helps move these risks more
quickly through the rest of the project management
process

43.
Output: Risk Register Updates
• Risk ranking for the project compared to other
projects
• List of prioritized risks and their probability and
impact ratings
• Risks grouped by categories
• List of risks for additional analysis and
response
• Watchlist (non-critical risks)
• Trends

44.
Perform Quantitative Risk Analysis
• A numerical analysis of the probability and
impact of the risks with the highest risk rating
score determined from qualitative analysis
• Is a numerical evaluation (more objective)
• This process may be skipped.

45.
Perform Quantitative Risk Analysis
Purpose of this process
• Determine which risk events warrant a response.
• Determine overall project risk (risk exposure).
• Determine the quantified probability of meeting
project objectives.
• Determine cost and schedule reserves.
• Identify risks requiring the most attention.
• Create realistic and achievable cost, schedule,
or scope targets.

46.
Tools and Techniques of
Quantitative Analysis
• EMV – Expected Monetary Value – What is the
probability of the risk occurring multiplied by the impact if
the risk does occur? If the risk occurs, what could the
financial or time loss be to your project?
• In the example below, this project has an EMV of
($58,250), this means that you need to put aside
$58,250 in your risk reserve account for potential risks
Risk Probability Impact EMV
A 20% $ (100,000.00) $(20,000.00)
B 90% $ 10,000.00 $ 9,000.00
C 5% $ 30,000.00 $ 1,500.00
D 65% $ (75,000.00) $(48,750.00)
Total $(58,250.00)

47.
Q: If a project has a 60% chance of a US $
100,000 profit and a 40% chance of a US $
100,000 loss, the expected monetary value
for the project is :
A. $ 100,000 profit
B. $ 60,000 loss
C. $ 20,000 profit
D. $ 40,000 loss

48.
Tools and Techniques of
Quantitative Analysis
• Decision Tree – used for planning on individual
risks instead of planning for the whole project
– Takes into account future events to make a decision
today
– Can calculate the EMV in more complex situations
– Involves mutual exclusivity

49.
Airline A has a 90% chance to reach at time and Airline B has
a 60% chance to reach at time. If you don’t reach at time, it will
cost you 100,000. Use EMV to find which airline you should
choose?

50.
Decision tree /EMV example
Airline A EMV: 10,000 + (10% * 100,000) = 20,000
Airline B EMV: 8000 + (40%*100,000) = 48,000

51.
Tools and Techniques of
Quantitative Analysis
• Monte Carlo Analysis – A technique that uses
simulation to show the probability of completing your
project on time and within budget.
– Determines the overall risk of the project, not the task
– Determines the probability of completing the project on a specific
day and for a specific cost
– Takes into account path convergence (places in the network
diagram where many paths converge into one activity)
– Used to evaluate the impact to your schedule and budget
– Due to the complicated mathematical computations used, Monte
Carlo analysis is usually done with a computer program
– Creates a probability distribution – triangular, normal, beta,
uniform or lognormal (learn these)

52.
Sensitivity Analysis
• To determine which risks have the most potential impact
to the project
• Changing one or more elements/variables and set other
elements to its baseline then see the impact.
• One typical display of sensitivity analysis is the tornado
diagram
• Tornado diagram is useful in analyzing risk taking
scenarios.
• They provide the positive and negative impact of each
risk on the project and let you decide to choose which
risk to take.

53.
Sample Sensitivity Analysis

54.
Outcome of Quantitative RA
Risk Register Updates
• Prioritized list of quantified risks
• Amount needed for contingency reserves for time and
cost
• Confidence levels of completing the project on a certain
date for a certain amount of money
• The probability of delivering the project objectives
• Trends - risk management is an iterative process; as
you repeat the process you can track your overall project
risk and determine the trend (if you are decreasing or
increasing the level of risk on your project)

55.
Outcome of Quantitative RA: Examples
• What are the risks that are most likely to cause
trouble? To affect the critical path? That need the
most contingency reserve?
• “The project requires another 50,000 and two
months of time to accommodate the risks on the
project?”
• “We are 95 percent confident that we can
complete this project on May 25th for $989,000
budget?”
• “We only have a 75 percent chance of
completing the project within the $800,000
budget.”

56.
“What are we going to do now
about each top risk?”

57.
Risk Response Planning
• Eliminate the threats before they happen
• Make sure opportunities happen
• Decrease the probability and/or impact of
threats
• Increase the probability and/or impact of
opportunities
• For Residual Threats
– Contingency Plans
– Fallback Plans

58.
Risk Response Strategies
Risk
Opportunities
Exploit
Enhance
Share
Accept
Active
Contingency
Plan
Fallback Plan
Passive
Workaround
Threats
Avoid
Transfer
Mitigate

59.
STRATEGIES FOR NEGATIVE
RISKS OR THREATS

60.
Avoidance
• Risk prevention
• Changing the plan to eliminate a risk by avoiding
the cause/source of risk
• Protect project from impact of risk
• Examples:
– Change the supplier / engineer
– Do it ourselves (do not subcontract)
– Reduce scope to avoid high risk deliverables
– Adopt a familiar technology or product

61.
Mitigation
• Seeks to reduce the impact or probability of the
risk event to an acceptable threshold
• Be proactive: Take early actions to reduce
impact/probability and don’t wait until the risk
hits your project
• Examples:
– Staging - More testing - Prototype
– Redundancy planning
– Use more qualified resources

62.
Transfer
• Shift responsibility of risk consequence to
another party
• Does NOT eliminate risk
• Most effective in dealing with financial exposure
• Examples:
– Buy/subcontract: move liabilities
– Selecting type of Procurement contracts: Fixed Price
– Insurance: liabilities + bonds + Warranties

63.
STRATEGIES FOR POSTIVE
RISKS OR OPPORTUNITIES

64.
Strategies for Opportunities
Exploit: Ensure opportunity is realized
• Ex: Assigning organization most talented
resources to the project to reduce cost
lower than originally planned.
Enhance: Increase the probability and/or
the positive impact of the opportunity
• Ex: Adding more resources to finish early

65.
Strategies for Opportunities
Share: Allocating some or all of the
ownership to third part best able to capture
the opportunity
• Ex: Joint ventures, special-purpose
companies

66.
Acceptance
(Both for Threats & opportunities)
• Active Acceptance
– Develop a contingency plan to execute if the risk
occur
– Contingency plan = be ready with Plan B
– Fall back plan = plan C if B fails
• Passive Acceptance
– Deal with the risks as they occur = Workarounds
– Usually for low ranked risks

67.
Risk Response Matrix
Risk Event Response Contingency
Plan
Trigger Who is
responsible
Interface
Problems
Mitigate: Test
Prototype
Workaround
until help
comes
Not solved within
24 hours
Asif
System
freezing
Mitigate: Test
Prototype
Reinstall OS Still frozen after 1
hour
Khalid
User backlash Mitigate:
Prototype
demonstration
Increase staff
support
Cell from top
management
Javed
Equipment
malfunction
Mitigate: Select
reliable vendor
Transfer:
Warranty
Order
replacement
Equipment fails Aleem

68.
Outputs of Risk Response Planning
Updates to Risk Register
• Residual Risks – risks that are left over after Plan Risk
Response
• Contingency Plans – plans of action in case the risk
does occur
• Risk Response Owners – the person on the team
responsible for monitoring the risk, risk triggers,
developing a response strategy, and implementing the
strategy should the risk occur
• Secondary Risks – new risks that result from the
implementation of the contingency plans for the primary
risks

69.
Outputs of Risk Response Planning
Updates to Risk Register
• Risk Triggers – early warning signs that there is a high
probability the risk will occur
• Fallback Plans – a secondary contingency plan, in case
the contingency plan does not work or is not effective
• Reserves
– Contingency reserves - covers the cost for ‘known unknowns’
discovered during risk management; covers the residual risks.
The contingency reserve is calculated and made part of the
baseline.
– Management reserves – these are estimated and made part of
the project budget, not the baseline. Management approval is
needed to use the management reserve.

70.
Outputs of Risk Response Planning
Project Management Plan Updates
• Changes made due to risk management
will be changes made to the project and
should be updated in the project
management plan

71.
Q: Replacing a doubtful supplier with an
expensive but reliable one is an example of:
A. Mitigation
B. Transference
C. Acceptance
D. Avoidance

72.
Q: A Reserve is generally intended to be
used for:
A. Rework activities.
B. Compensate for inaccurate project cost
estimates.
C. Reducing the risk of missing the cost or
schedule objectives.
D. Compensate for inaccurate project
schedule estimates.

73.
Some important points:
• What do you do with non-critical risks?
• Would you choose only one risk response
strategy?
• What risk management activities are done
during execution of the project?
• What is the most important item to be discussed
in project team meetings?
• How would risk be addressed in project
meetings?

74.
Some important points:
• What do you do with non-critical risks?
– Put them in a watch-list and revisit them periodically.
• Would you choose only one risk response
strategy?
– You may select a combination of strategies.
– Response of one risk might address another risk as
well!
• What risk management activities are done during
execution of the project?
– Watch-out risks on watch-list and looking for new risks.

75.
Some important points:
• What is the most important item to be discussed
in project team meetings?
– Off course, Risk!
• How would risk be addressed in project
meetings?
– Asking, what is the status of risks? Is their any new
risk? Is the rank of any risk goes up and down?

76.
Monitor and Control Risk
• The process of
– implementing risk response plans
– tracking identified risks
– monitoring residual risks
– identifying new risks and
– evaluating risk process effectiveness
throughout the project – risk audit.

77.
Inputs to Monitor & Control Risk
• Risk Management Plan
• Risk Register
• Approved Change Requests
• Work performance information
– Deliverable status
– Schedule progress
– Costs incurred
• Performance reports

78.
Monitor & Control Risk:
Tools
• Workaround – a response to a risk that has
occurred when no contingency plan exists.
• Risk audit – a team of experienced project team
members reviews the risk management process
and response strategies to see if you’ve
effectively identified the major risks on the
project and developed effective strategies for
dealing with them.

79.
Monitor & Control Risk:
Tools
• Risk Reassessment – Risk management is
iterative, you should review the risks on your
project throughout the project to update their
qualitative and quantitative values.
• Status meetings – status meetings should be
used to identify new risks or changes to existing
risks. This is a great opportunity to discuss with
your team and stakeholders existing risks and
new risks.

80.
Monitor & Control Risk:
Tools
• Reserve analysis – has the reserve kept up
with changes to the risk list? Does the reserve
still cover the costs of these risks should they
occur?
• Closing of risks – Risks are expected to
happen during a particular phase of the project.
When that phase has passed and the risk is no
longer probable, the risk should be removed
from the risk list and any reserve associated
should be freed up.

81.
Outputs of Monitor & Control Risks
• Updates to Risk Register
– Outcomes of the risk reassessments and risk
audits
– Closing of risks that are no longer applicable
– Details of what happened when risks occurred
– Lessons learned

82.
Outputs of Monitor & Control Risks
• Requested Changes
• Recommended Corrective & Preventive
Actions
• Updates to the Project Management Plan
• Organizational Process Assets Updates

83.
Practice Exam

84.
Answers

85.
Practice Exam

86.
Answers

87.
Practice Exam

88.
Answers

89.
Practice Exam

90.
Answers

91.
Practice Exam

92.
Answers

93.
Practice Exam

94.
Answers