Table D1.

Plan Risk Management

Technique Strengths Weaknesses
1 Planning Meeting and Analysis Involvement of core team members Depend on experience of participants
 Table D2. Identify Risks
Technique Strengths Weaknesses
• Simple structured approach
1 Assumptions & Constraints Analysis • hidden assumptions or constraints are often missed
• Can be based on assumptions & constraints already listed in project charter

• all participants to speak their mind and contribute to the discussion,Can involve all key stakeholders • Requires attendance of key stakeholders at a workshop
• Creative generation of ideas • produce biased results if dominated by a strong person (often management)
2 Brainstorming • Often not well facilitated
• Generates non-risks and duplicates, requires filtering

Effective selection of critical impacts

3 Cause and Effect (Ishikawa) Diagrams • Visual representation of project promotes structured thinking • Diagram can become over-complex (e.g.by use of sensitivity
analysis)

• Captures previous experience • Check list can grow to become unwieldy

4 Check Lists • Presents detailed list of risks • Risks not on the list will be missed
• only includes threats, misses opportunities

• Captures input from technical experts • Limited to technical risks

5 Delphi Technique • Removes sources of bias • Involves selected • Dependent on actual expertise of experts
experts in the process • take longer time due to iterations of the experts’ inputs

6 Document review • Exposes detailed project-specific risks • Limited to risks contained in project documentation

FMEA/Fault Tree Analysis • well understood by engineers

7 • Focuses on threats, not so useful for opportunities
• Produces an estimate of overall reliability using quantitative tools

• Creates deep understanding of factors affect project objectives • The • Time-consuming and complex technique
8 Force Field Analysis
diagram can suggest where best to apply the responses • does not provide whole-project view

• Captures previous experience

• Limited to what has previously happened
9 Industry knowledge base • Allows benchmarking against external organisations • Some
risks have standard responses

• Exposes key risk drivers

10 Influence diagrams • Can generate counter- intuitive insights • Requires disciplined thinking

• Addresses risks in detail

11 Interviews • Generates engagement of stakeholders • Experienced
• Raises non-risks, concerns, issues, worries etc, so requires filtering
practitioners can provide both new ideas and act as “devil’s advocate” for potential responses

• Allows for different levels of competence in common language

12 Nominal Group Technique • ideal base for affinity diagramming • Useful as • Can lead to frustration in dominant members who feel it is moving slowly
a creativity technique for generating novel responses

Post-project reviews/ Lessons Learned/ • Leverages previous experience • Limited to those risks that have occurred previously
13 Historical Information • Prevents making the same mistakes or missing the same opportunities twice • Details of past risks may not include details of successful resolution; ineffective
• Enhances the Organizational Process Assets strategies are rarely documented.

14 Prompt Lists • Ensures coverage of all types of risk, Stimulates creativity • Topics can be too high level

• Success depends on the quality of the questions

15 Questionnaire • Encourages broad thinking to identify risks • Limited to the topics covered by the questions
• Can be a simple reformatting of a checklist

• Offers a framework for other risk identification techniques such as brainstorming • Ensures
16 Risk Breakdown Structure (RBS) coverage of all types of risk • None
• Tests for blind spots or omissions

• identify risks because of their common root causes.

• Basis for development of pre-emptive and comprehensive responses • Allows the • Can oversimplify and hide existence of other potential causes
Root-Cause Analysis
17 organization to identify and to address the fundamental causes of risks for efficient and effective • There may be no valid strategy available for addressing the root cause once it has
responses. been identified.
• identifying symptoms for use as trigger conditions for contingent responses

• Focuses on internally generated risks arising from organizational strengths and

• Ensures equal focus on both threats and opportunities
18 SWOT Analysis weaknesses, excludes external risks
• Focus on internal (organizational strengths and weaknesses) and external (opportunities and threats)
• Tends to produce high- level generic risks, not project-specific

• Exposes unexpected inter-relations between project elements (feedback and feed-

• Requires specialized software and expertise to build models
19 System Dynamics forward loops)
• Focuses on impacts but difficult to include the concept of probability
• Produces overall impacts of all included events and risks
• Ensures all elements of the project scope are considered • Excludes external risks or those not specifically related to WBS

20 WBS Review • risks related to different levels of detail (from high-level to work packages)
 Table D3. Techniques for Perform Qualitative Risk Analysis
Technique Strengths Weaknesses
• Addresses both key dimensions of a risk, uncertainty (probability) and • Terms for probability and impact are ambiguous and
Estimating techniques (applied to its effect on project objectives (impact) subjective
1
probability and impacts)

•prioritize the project risks for further analysis ( quantitative or risk • Does not handle urgency or manageability that may
Probability and Impact Matrix (P- response) partly determine a risk’s ranking.
2
I) • Reflects the organization’s level of risk tolerance

• developing a relative weighting for project objectives . • Organizational decisions are often made by committees,
• creation of an overall project priority list of risks with respect to and individuals may not agree on relative priority among
individual objectives objectives
Analytic Hierarchy Process • Difficult to gather the information about pair-wise
3
comparison of the objectives from high-level management
 Examples of techniques for Perform Quantitative Risk Analysis are found shown in Table D4
Technique
Decision Tree Analysis
Expected Monetary Value (EMV)
Monte Carlo Simulation
Strengths
• helps select the decision that provides the highest Expected Monetary Value or
expected utility to the organization • Allows
calculation of the expected monetary values of various response options as well as
the value of the outcomes in the worst case and the best case
• allows to calculate the weighted average (expected) value of an event
• It is well-suited to Decision Tree Analysis
• EMV incorporates both the probability and impact of the uncertain events
• EMV is a simple calculation that does not require specialized software • Provides
an estimate of the potential benefit of a risk response
• Used for project schedule and cost risk analysis in strategic decisions
• Allows all specified risks to vary simultaneously
• Calculates quantitative estimates of overall project risk; reflects the reality that
several risks may occur together on the project
• Provides answers to questions such as:- (1)
How likely is the base plan to be successful? (2) How acquired and learned, causing a barrier to its use
much contingency in time and cost ?
(3) Which activities are important in determining the overall project risk?
Weaknesses
• The organization may not make decisions based on a linear Expected
Monetary Value basis but rather on a non-linear utility function
• Decision tree analysis of
complicated situations requires specialized software
• EMV is sometimes used in situations where Monte Carlo simulation
would be more appropriate and provide additional information about
risk
• The quality of the input data depends heavily on the expert judgment
and the effort and expertise of the risk analyst
• Simulation is sometimes resisted by management as being unnecessary
or too sophisticated compared to traditional project management tools
• Monte Carlo simulation requires specialized software which must be
 Techniques for Plan Risk Responses are given in Table D5

Technique Strengths Weaknesses

• Allows rapid and focussed response • Can give a false feeling of confidence if the risk had been avoided
1 Contingency planning • Improves image of professionalism of the way in which the project is managed

• Provides a rationale for reserves • Makes the reserve visible

2 Contingency reserve estimation • Basis for constructive discussion with sponsor

• insists on resolving resource availability issues when developing the schedule • Feeding buffers deal with predictable common cause variation, but
• Addresses schedule risk by the addition of “feeding buffers” to absorb statistical variations on inadequate to for special causes
3 Critical Chain Project Management (CCPM) the durations of non-critical path activities • Assumption that base estimates represent 50% confidence levels
• Partly mitigates financial risk by controlling the amount of “work in process”

Post-project reviews/Lessons • Leverages previous experience

4
Learned/Historical Information

• Provides a means of evaluating the potential effect of the response plans on overall project risk • Can be too involved or complex for the benefit envisaged
5 Quantitative Risk Analysis

• Provide a means of selecting the responses that best supports the full set of project objectives • Can give counterintuitive results
6 Multi-criterion selection techniques

• Provides view of the potential effect of the relevant risk and the corresponding response • Adds to the list of assumptions
strategy • can be time consuming
7 Scenario Analysis • Forces the participants to analyze the effect of any strategy
• Helps to identify secondary risks
 TABLE D6. Monitor and Control Risks Example
Technique Strengths Weaknesses
• Provides a means of tracking spend and releasing contingency amounts. • Could lead to unwarranted focus on cost dimension
1 Reserve Analysis • Gives early warning of need to communicate with sponsor.

2 Risk Audits • Provide a formal assessment as specified in risk management plan • Can be disruptive to the project

3 Risk Reassessment • Forces a review of the project risks so that risk register remains up-to-date • Takes time and effort

4 Status Meetings • Provide a means of verifying information about the status of risks • Can seem unnecessary to some participants

• Provides an indication of the effectiveness of earlier responses • Requires understanding of significant vs.non-significant variation
5 Trend Analysis • Can provide trigger conditions for responses

• Allows comparison between forecast and actual risk impacts • Does not show relationship with earlier data
6 Variance Analysis • Can provide trigger conditions for responses
• Provides data for Earned Value Analysis
 Continuous Distributions
Beta – PERT Triangular
Used to describe uncertainty about Uses estimates based on three-
the probability point estimate .

Based on two shaped parameters Uses three variables only

Used to quantify risks for each

WBS element
Continuous Distributions
Normal Uniform
Use mean and standard the simplest form of distribution probability
deviations to quantify risks

Gather three point estimates All values of the same length are equally probable

Used to display standard Shows scenarios where no obvious value is more

deviation likely than others between specified high and
low bounds, such as in the early concept stage
of design.
 Discrete Distributions
Used to show uncertain event
calculated Based on a whole number

Used to represent Possible scenarios in a

decision tree.
 Domain 1: Risk Strategy and Planning
1 Develop risk assessment processes and tools that quantify stakeholder risk tolerances assess and determine risk thresholds for the project and set criteria for risk levels

2 Update risk policies and procedures using lessons learned and outputs of risk audits improve risk management effectiveness

3 Develop and recommend project risk strategy based on project objectives establish the outline for the risk management plan

4 Produce risk management plan for the project define, fund, and staff effective risk management processes

5 Establish evaluation criteria for risk management processes measure effectiveness of the project risk process

Domain 2: Stakeholder Engagement

1 Promote a common understanding of the value of risk management foster an appropriate level of shared accountability, responsibility, and risk ownership

2 Train, coach, and educate stakeholders in risk principles create shared understanding of principles and processes, and foster engagement in risk management

3 Coach project team members in implementing risk processes ensure the consistent application of risk processes

4 Assess stakeholder risk tolerance using interviewing stakeholders identify project risk thresholds

5 Identify stakeholder risk attitudes and cognitive biases using stakeholder analysis techniques manage stakeholder expectations and responses

6 Engage stakeholders on risk prioritization process optimize consensus regarding priorities

7 Provide risk-related recommendations to stakeholders support effective risk-based decision making

8 Promote risk ownership by proactively communicating improve risk response execution

9 Liaise with stakeholders of other projects by using effective communication techniques inform them of implications for their projects

Domain 3: Risk Process Facilitation

1 Apply risk assessment processes quantify stakeholder risk tolerances and determine risk levels

2 Facilitate risk identification enable project team and stakeholders to understand and determine the risk exposure

3 Facilitate the project team’s evaluation of the identified risks’ attributes prioritize the risks for response planning

4 Facilitate the development of an aligned risk response strategy and related risk actions by risk owners ensure timely and defined action when required

5 Facilitate the formulation of project contingency reserve have the capability and resources to respond to realized risks

6 Provide risk data to cost and schedule analysts/estimators properly reflected in cost and schedule estimates for the project

7 Use scenarios to validate potential risk responses enhance the likelihood of project success

Domain 4: Risk Monitoring and Reporting

1 Document and periodically update project risk information maintain a single, current repository

2 Coordinate with project manager using communication techniques integrate risk management

3 Create periodic standard and custom reports using risk-related metrics communicate risk management activities and status

4 Monitor risk response metrics by analyzing risk response performance information ensure resolution of risk and develop additional risk response strategies to address residual and secondary risks

5 Analyze risk process performance against established metrics drive risk process improvements

6 Update the project risk management plan keep the plan current

7 Capture risk lessons learned incorporate into future risk planning

Domain 5: Perform Specialized Risk Analyses

1 Evaluate the attributes of identified risks using advanced quantitative tools and specialized qualitative techniques estimate overall risk exposure of the project

2 Analyze risk data produced during the project using statistical analyses and expert judgment strengths and weaknesses of risk strategy

3 Perform specialized risk analysis using advanced support stakeholder decision making
 Project Manager RISK OWNER RISK ACTION OWNER(Response Owner)

has overall responsibility for delivering a successful project to meets defined

1 A single risk owner should be assigned to every identified risk. Each agreed-upon risk response should have a single risk action owner.
objectives.

Reports periodically to the project manager on the effectiveness of the plan,

is accountable for the day-to-day management of the project, including risk Manage the corresponding risk through all of the subsequent Project Risk
2 any unanticipated effects, and any correction needed to handle the risk
management. Management processes.
appropriately.

Select a suitable strategy for each individual risk based on its characteristics Ensuring that the agreed-upon risk responses are carried out as planned, in a
3 Encouraging senior management support for Project Risk Management activities.
and assessed priority. timely manner.

Ensuring that the strategy is achievable, affordable, cost effective, and

4 Promoting the Project Risk Management process for the project. Take agreed-upon actions as required.
appropriate.

Defining actions to implement the chosen strategy. These actions may be Provide the risk owners with relevant information on status or changes to the
5 Developing and approving the risk management plan.
delegated to action owners as appropriate. risk characteristics.

Monitor actions to determine their effectiveness, and also to identify any

Determining the acceptable levels of risk for the project in consultation with Monitor the trigger conditions and ensure that the corresponding actions are
6 secondary risks which may arise because of the implementation of risk
stakeholders. carried out as defined, in a timely manner.
responses.

Facilitating open and honest communication about risk within the project team, Ensuring that the risk response is effective and for planning additional risk
7
management, stakeholders. responses if required.

Assess the effectiveness of any actions, decide whether additional actions are
8 Participating in all aspects of the Project Risk Management process.
required, and keep the project manager informed of the situation.

9 Approving risk responses and associated actions prior to implementation. Risk owner may choose to assemble a team to develop a response.

Applying project contingency funds to deal with identified risks that occur during
10
the project.

11 Overseeing risk management by subcontractors and suppliers.

Regularly reporting risk status to key stakeholders, with recommendations for

12
appropriate strategic decisions.

Escalating identified risks to senior management where appropriate: such risks

13 which are outside the authority or control of the project manager, and any for the
release of management reserve.

Monitoring the efficiency and effectiveness of the Project Risk Management

14
process.

15 Auditing risk responses for their effectiveness and documenting lessons learned.