Professional Documents
Culture Documents
Fundamentals m4 en
Fundamentals m4 en
Fundamentals
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland
Risk Identification
Theorie
Risks are events that are likely to occur but have not
occurred yet. Should they happen, they would have a
negative or positive impact on a project. There are
two kinds of risks:
Together with the other team members, as well as other employees involved in the
identification process, the project manager identifies risks and lists them in a risk
register.
Furthermore, he or she uses auxiliary tools, such as brainstorming sessions, risk
checklists, structural plan analyses, analyses of the measures taken, to name but a
few.
Difference between a problem and a risk: a problem is a negative event that has
already happened. A risk is an event that has not occurred yet; a risk with a positive
impact is called an “opportunity”.
Literature:
To find further information about this topic, we recommend the following books:
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 2 of 15
PMBOK® Guide 4th Edition 11.1 Plan Risk Management
4th Edition: 11.2 Identify Risks
How to do
How to identify risks:
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 3 of 15
Record the risks identified in a list, known as the risk register.
Example
The other columns of the risk register will be completed during the next stages.
Checklist
Have all sources (key people, methods) for identifying risks been examined /
used?
Have the risks been entered into a risk register? Using the formulation “Risk
that…” enables a clearer definition of the risks.
Has a risk checklist (the company’s or the branch’s checklist) also been used for
controlling integrality? For instance with the following risk categories:
Stability of the goals of the project
Should goal changes be expected? If yes, which ones?
Which goals are highly dependant on context changes (legislation, economic
trends, etc.)?
Will the project last long?
Technical issues
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 4 of 15
Will new components be used?
Will new methods be used?
Will new tools be used?
Will partial subsystems from different suppliers be integrated?
Resources
Will the promised resources really be available?
Do the members of the project team have the qualifications required?
Will training sessions be given in due time?
Does the team already operate in unison?
Should conflicts be expected?
Organization / environment
Should organization changes be expected?
Will the sponsor retain his function until the end of the project?
Project management
To which extent are the estimates reliable?
Have slacks been established for the high risk activities?
Has enough time been set aside for planning?
Client / end-user
Are there several interlocutors on the users’ side?
Have the end-users been informed about / involved in the project?
Method for identifying risks
Have the more experienced employees in the company been consulted?
Have all of the activities required by the project been examined in regards to
risks?
Have all of the deliverables been examined in regards to risks?
Pitfalls
The experience of other project managers has not been taken into consideration.
The team has not been consulted when identifying risks.
The risks were not mentioned in order to avoid harming the project.
The description of risks is too general instead of being specific.
Risks are poorly formulated; for example, “new technologies”. When defined in
this way, neither can risks be assessed, nor can measures be taken to control
them.
Instead of risks (i.e. probable events), facts or problems are described.
Entire risk categories are left aside.
Instead of combining the methods used (which contributes to identifying more
risks), only one is applied for risk identification (e.g. checklist).
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 5 of 15
Risk analysis
Theory
Literature:
To find further information about this topic, we recommend the following books:
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 6 of 15
IPMA Competence Element 1.04 Risk & opportunity
Baseline v3.0:
How to do
How to proceed to assess risks:
First of all, define a scale for the assessment of risks. In order to do that, proceed as
follows:
check whether your organization has a general scale that you may use. If not,
establish a scale for the possible risk impacts (high, moderate, low) on the various
project objectives, as follows, for instance:
Establish a scale for the probability of occurrence of risks, as follows, for instance:
To create the probability and impact matrix, assign values (e.g., H=3, M=2, L=1)
and combine both scales. The following matrix shows the risk criticality (impact *
probability).
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 7 of 15
In this way, you will be able to determine which level of criticality corresponds to
high risk (red), a moderate one (yellow) and a low one (green), essential for defining
measures to handle risk.
Finally, assess the different risks recorded in the risk register, as follows:
1. Estimate the probability of occurrence, as shown in the scale you defined, and
record this value in the risk register.
2. Estimate the impact, as shown in the scale, and record this value in the risk
register.
3. To define the criticality of risks, multiply the probability by the value of the
impact. In this way, you will be able to compare risks, identifying the main risks
according to the impact and probability matrix.
Example
While the team members were doing their assessments, he also did his. After comparing the
results of the various assessments, he identified the main differences between them,
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 8 of 15
specified hypotheses explaining those differences, and asked that a new assessment be
made. By proceeding in a fashion similar to the Delphi method (i.e., repeatedly getting
forecasts from a panel of experts), he was able to complete the risk register as follows:
In this way, two main risks were identified (number 1 and 5).
Checklist
Are there assessment scales defining probability and impact?
Has a scale been defined in order to decide whether a risk is high, moderate or low?
(i.e., probability and impact matrix).
Has a consensus been reached on the assessment of the various risks? (e.g., with the
Delphi method).
Have the values for risk probability, impact and criticality been recorded in the risk
register?
Are the main risks known?
Pitfalls
There is no unified scale or reference for the assessment of risk.
Risks are assessed arbitrarily, without reference to their probabilities or impacts.
A risk analysis is performed without sufficient knowledge of the project.
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 9 of 15
Risk Monitoring and Control
Theory
For opportunities, the response strategy defines how to maximize the benefits.
A risk manager is designated. His or her task is to implement measures and watch
risks.
The risk manager tracks the evolution of the risks that concern him or her, watching
indicators that reveal, through trigger criteria, whether a risk is about to happen or
not, so that he or she may act accordingly.
All of this information is recorded in the risk register.
Literature:
To find further information about this topic, we recommend the following books:
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 10 of 15
IPMA Competence Baseline Element 1.04 Risk & opportunity
v3.0:
How to do
How to minimize project risks:
Determine the response strategies to be adopted for each major risk listed in the risk
register:
Avoiding the risk:
1. For each risk, determine indicators (warning signs, symptoms) and trigger criteria
that will continually show you whether or not a risk is about to happen throughout
the duration of the project.
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 11 of 15
3. Include in the project budget those expenses relating to emergency plans and to
measures aimed at preventing risks from happening.
Example
Based on the risk register, which was established after assessing the risks, the project
manager determined response strategies with the help of his team. These strategies follow:
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 12 of 15
A security reserve needs to be set aside to cover the costs of the planned contingency
measures.
Risk managers are in charge of the risks that have been assigned to them. Their role is to
monitor indicators and trigger conditions. When the risk trigger threshold is reached, they
take the appropriate measures.
During project execution, risk managers constantly monitor risks by checking relevant
indicators. They also constantly correct or add elements in the risk register, so that trends
may be identified. When a trigger threshold is reached, they take the measure foreseen in
the response strategy.
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 13 of 15
In this way, risk managers and project managers are able to control risks appropriately.
Checklist
For each risk whose criticality is high:
Can the risk be eliminated (e.g., by selecting another technical solution or another
supplier)?
Can the risk be transferred (e.g., to the subcontractor, by using a contractual
penalty)?
Can the probability of a risk be softened?
Can the impact be reduced?
Has a scenario been developed (i.e., the determination of fallback measures in case
the risk occurs)?
Have indicators and triggers been defined, in order that risks may be monitored?
Has a risk manager been designated for each risk that needs to be monitored?
Have the intervals at which indicators are to be checked been defined?
In the case of larger projects: has a risk manager been designated (i.e., a person in
charge of watching risks, as well as in charge of centralizing and consolidating risk-
related information gathered by the team)?
Have (monthly, weekly, daily) deadlines been set at which risks need to be
reexamined or reassessed?
Pitfalls
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 14 of 15
Spending too much time managing risks whose probability of occurrence and impact
are low.
When the risk is high, failing to eliminate it as a matter of priority (e.g., by selecting
another technical solution).
Failure to monitor risks regularly.
Failure to take minor signs into account.
Being too optimistic. It is only fair that a project manager should be optimistic.
However, when analyzing risks, he or she should rather prefer the counsel of an
employee known for being pessimistic.
Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 15 of 15