9-Risk Management
Project Management Training,
Qais Ur Rehman Rasooli, PMP

What is Risk?
• Any uncertain event which can impact
achieving project objectives
(scope,schedule,cost , quality),
• Impact can be positive or negative
• In PMI context Opportunities and threats fall
under the category of risk,
• A risk may have one or more causes,
• A risk may have one or more impacts,
• An occurred negative risk is an issue
• Risk has roots in Uncertainty,
• Uncertainty – lack of knowledge about an
event , investigation leads to risk identification
Uncertainty
Known risk not proactivity
managed – Use
Contingency reserves
Unknown Risk –Use
Management Reserves

Risk Management
Project risk management includes processes of,
• Risk management planning, identification
analysis, response planning, controlling risks
• Main purpose is to increase likelihood and
impact of opportunities and reduce it for
threats
• Six sequential risk management processes:
Plan RM, Identify risks, Perform Qualitative Risk
Analysis, Perform Quantitative Risk Analysis,
Plan risk responses & Control Risks
OPPORTUNITIES
THREATHS
LIKELIHOOD
IMPACT

Factors influencing Risk Attitudes
• Risk Appetite
degree of uncertainty an entity is willing to take on in
anticipation of reward
• Risk Tolerance
degree, amount, or volume of risk that an organization or
individual will withstand
• Risk Threshold
below the threshold the org will accept the risk

1. Plan Risk Management,
2. Identify Risks
3. Perform Qualitative Risk
Analysis
4. Perform Quantitative Risk
Analysis
5. Plan Risk Reponses,
6. Control Risks

Plan Risk Management
• Define how to conduct risk management activities,
• Ensure correct degree , type and visibility of RM based on
- project risks
- importance of project in the org,
• Starts with project consideration and should be completed in
planning phase
• Inputs include: PMP,Project charter, Stakeholder register,
EEF,OPA,
• Tool & techniques Include: analytical techniques, Expert
judgment, meetings

Output: Risk Management Plan
• Part of PMP and describes how risk management activities will
be structured and performed and Includes:
• Methodology (defines approaches, tools and data sources)
• Roles and Responsibilities(lead,support, RM team members)
• Budgeting (estimates funds needed, based on resources)
• Timing (when and how often the RM process will be performed,
schedule contingency reserves,RM activities in schedules)
• Risk Categories (External, internal, technical, unforeseen, PM)
• Definition of risk probability and impact,
• PI Matrix,
• Reporting formats and Tracking

Output: Risk Management Plan

1. Plan Risk Management,
2. Identify Risks
3. Perform Qualitative Risk
Analysis
4. Perform Quantitative Risk
Analysis
5. Plan Risk Reponses,
6. Control Risks `

Risk Identification
• Identify potential risks to the project,
• Document the characteristics of the risk.
• Include as many internal and external stakeholders as possible
in risk identification,
• Iterative process, Start during initiation and continues to the
end
• Inputs include: RMP, Cost MP, Schedule MP, Quality MP,
Human resource MP, Scope baseline, Activity cost and
duration estimates, stakeholder register, Project documents,
procurement docs, EEF,OPA

Risk Identification: Tools &
Techniques
• Documentation Review: What is and is not included in the
documentation,
-Quality of the plans and consistency among plan, project
req,and assumptions to identify risk
• Information Gathering Techniques:
-Brainstorming,
-Delphi technique
-Interviewing
-Root cause analysis

Risk Identification: Tools &
Techniques
• Checklist Analysis: developed based on historical information,
should not prevent teams creativity of risk identification,
• Assumptions Analysis: explores the validity of assumptions
(inaccuracy, instablility,inconsistency or incompleteness)
• Diagramming Techniques:
Cause and effect diagrams, System or process flow charts,
Influence Diagrams
• SWOT Analysis: examines the project from Strength weakness
opportunities and threats angles
• Expert Judgment: Expert input in identification of risks

SWOT Analysis
Strength
Weakness
ThreatsOpportunities

Risk Identification: Output
• Risk Register is the output to risk identification and develop
with other risk processes conducted
• Includes: list of identified risks (clear and specifically mentioned)
List of potential responses
Root causes of risks
updated risk categories
• Use Risk statements for listing risks in risk register, example
below
CAUSE EVENT EFFECT

1. Plan Risk Management,
2. Identify Risks
3. Perform Qualitative Risk
Analysis
4. Perform Quantitative Risk
Analysis
5. Plan Risk Reponses,
6. Control Risks `

Perform Qualitative Risk Analysis
• Process of prioritizing risks for further analysis
• Assesses the probability and impact of risks,
• Helps PM to focus on high priority risk,
• Subjective analysis of risks identified in the risk register,
• For each risk identify probability and impact on a scale of 1 -10
or Low , medium , high
• Establish definitions to reduce the influence of bias
• Time criticality of risk-related action magnify risk importance
• Rapid & Cost effective mean of establishing priorities

Perform Qualitative Risk Analysis -
Inputs
• Risk management plan
Roles and responsibilities, budgets, schedule activities for risk
management, risk categories, probability and impact definition,PI
Matrix
• Scope baseline
• Risk register
• EEF:industry studies of similar project risks,
Risk database from industry or proprietary sources
• OPA

Perform Qualitative Risk Analysis –
Tools & techniques
• Risk Probability and Impact Assessment on project objectives,
Probability looks at likelihood of occurrence of risk
Impact investigates the potential effect on project objectives
• Probability and Impact Matrix
• Risk data quality Assessment
• Risk categorization
• Risk Urgency Assessment
Risk that need to move quickly
through the process
• Expert Judgment

Perform Qualitative Risk Analysis –
output
• Risk Register Updates:
-Risk ranking for the project compared to other project
-List of prioritized risks and PI Ratings
-Risk grouped by categories,
-List of risks for additional analysis and response
-list of risks requiring additional analysis in near term,
-Watch list (risks to be review during controlling risks)
• Compare the risk of the project to overall risk of other projects
• Determine if project is to be continued or cancelled

1. Plan Risk Management,
2. Identify Risks
3. Perform Qualitative Risk
Analysis
4. Perform Quantitative
Risk Analysis
5. Plan Risk Reponses,
6. Control Risks `

Perform Quantitative Risk Analysis
The process includes:
• Numerically analyzing the probability and impact of risks,
• Determine which risk warrants a response,
• Overall project risk
• Determine the quantified probability of meeting project objectives
• Determine cost and schedule reserves
• Identify the most critical risks,
• Create achievable and realistic , cost, schedule and scope
targets

Quantitative Probability and Impact
• Interviewing,
• Cost and time estimating,
• Delphi Technique,
• Historical records from previous projects,
• Expert Judgment
• Sensitivity analysis,
• Expected Monetary Value analysis
• Monte Carlo Analysis,
• Decision Tree (chose between
alternatives, includes Mutual exclusivity)

Output Quantitative Risk Analysis
Risk register updates including;
• Prioritized list of quantified risks by highest contingency reserve
required,
• Initial amount of contingency time and cost reserves
• Possible realistic completion dates and cost with confidence
levels
• Quantified probability of meeting project objectives
• Trends in quantitative risk analysis(track changes to the overall
risk of project and see trends as a result of Quantitative risk
analysis)

1. Plan Risk Management,
2. Identify Risks
3. Perform Qualitative Risk
Analysis
4. Perform Quantitative Risk
Analysis
5. Plan Risk Reponses,
6. Control Risks `

Plan Risk Responses
Methods and techniques to deal with identified risk and
opportunities,
• Identifies who is responsible for each risk or opportunity
• Estimates resources required to handle the risk or opportunity
• Eliminate threats, increase likelihood of opportunities, decrease
probability and/or impact of threats
• For residual risk have contingency plans
• If Contingency plans are not effective use fallback plans

Risk Response Strategies
Threats
Avoid
Mitigate
Transfer
Opportunities
Exploit
Enhance
Share
A
c
c
e
p
t

Plan Risk Responses - Output
• Project Management Plan updates,
Risk management will effect most part of management plans,
Scope , cost & Schedule Baseline also modified as a result of risk
management
• Risk register Updates
 Residual risk,
 Contingency plans (EMV = P x I, Threats in +$ values, opportunities in -$
values)
 Fallback plans
 Risk owners and Risk triggers
 Secondary risks,
 Contracts
 Reserves

1. Plan Risk Management,
2. Identify Risks
3. Perform Qualitative Risk
Analysis
4. Perform Quantitative Risk
Analysis
5. Plan Risk Reponses,
6. Control Risks

Control Risk
This process includes
• Look for occurrence of risk triggers
• Implement risk response
• Tracking identified risks,
• Identify new risks, monitor residual risks,
• Monitor risk process effectiveness
• Collect and communicate risk status, discuss with stakeholders
• Determine if assumptions are still valid,
• Revisit watch list to identify additional risk responses required
• Reevaluate risk identification
• Create a database of risk for future use,
• Use and adjust contingency reserves for approved changes

Control Risk – Tools and techniques
• Workarounds (unplanned responses for unanticipated events),
• Risk reassessments
• Risk Audits (assess the overall process of RM and risk
response)
• Meetings
• Closing risk that are no longer applicable
• Reserve analysis(checking remaining reserves Vs how much is
needed)
Contingency reserves may only be used to handle the
impact of specific risk it was set aside for.

Change is part of
risk response
Yes
No
Previously Accounted for in Budget
Reserve for the risk is to be used
Take preventive actions
Fast track, crash,
Adjust the project to accommodate
for the problem and its resulting
changes

Control Risk – output
• Work performance information
- Analysis of work performance data , can be a basis for change
requests,
- Results from risk audits, risk reassessment
- this information is entered in the risk register
• Risk register updates:
outcome of risk reassessment and risk audits,
updates to previous part of risk management, i.e. identifying
risks
closing risk no longer required,
details of what happen when risks happened, lessons learned

Control Risk – output
• Change request , recommended preventive and corrective
actions
If change request are before work has started it is part of risk
response planning,
if change requests after work has started it is part of control risks
• Project Management Plan updates – needs to through integrated
change control
• OPA: risk register can be an asset for future projects

Common risk management Errors
• Some thing are not uncertain, thus a fact not risk
• Risk management is not given enough attention
• Risk are identified briefly, less time is invested
• Contract are signed long before RM is done
• Only one method to use to identify risk
• Padding is used instead of risk management process,
• Risk process are blended and thus resulting in less risk to be
identified

Actions related in Risk management
processes and outputs

The Active PMP Learner
Research Risk management in insurance field

PM Quote of the day