Project Management

Fundamentals

Basics of Risk Analysis

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland
Risk Identification

Theorie

The key principles in brief:

Risks are events that are likely to occur but have not
occurred yet. Should they happen, they would have a
negative or positive impact on a project. There are
two kinds of risks:

1. Threats (negative impact)

2. Opportunities (positive impact)

The purpose of risk management is to prevent threats

from occurring and to exploit the opportunities.
Managing risks involves the following steps:

 Risk identification: which kinds of risks may

affect my project?
 Risk analysis: which risks may have the worst
or best effects?
 Risk monitoring: which measures should be
taken and overseen to prevent the main
threats from occurring and minimize their
impact, and to maximize the benefits of
opportunities?

The topic this lesson focuses on is risk identification:

 Together with the other team members, as well as other employees involved in the
identification process, the project manager identifies risks and lists them in a risk
register.
 Furthermore, he or she uses auxiliary tools, such as brainstorming sessions, risk
checklists, structural plan analyses, analyses of the measures taken, to name but a
few.
 Difference between a problem and a risk: a problem is a negative event that has
already happened. A risk is an event that has not occurred yet; a risk with a positive
impact is called an “opportunity”.

Literature:

To find further information about this topic, we recommend the following books:

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 2 of 15
 PMBOK® Guide 4th Edition 11.1 Plan Risk Management
4th Edition: 11.2 Identify Risks

IPMA Competence Baseline Element 1.02 Interested parties

v3.0: Element 1.04 Risk & opportunity
Element 3.09 Health, security, safety &
environment

How to do
How to identify risks:

 Examine the work breakdown structure in regards to

risks.
 Carefully review all the interfaces (among components,
subsystems and organizations), as major risks often arise
from them.
 Check whether a specific type of knowledge or know-how
is in the hands of one member of the team only.
 Determine whether particular members of the project
team are busy on other projects as well, as this could
considerably reduce their availability.
 Subcontractors represent a risk factor as far as the
schedule, quality and costs are concerned. Are there
suppliers on whom the delivery of crucial parts depends?
 Past experience (in the company as a whole) can prove
fundamental in identifying risks. Call upon the advice of
project managers who have recently been involved in a
project similar to yours - they rank among the best
sources of assistance in identifying risks. Above all, they
can help you identify risks that may not have occurred to
you.
 If your company has established a database of the
lessons learnt from projects, you should absolutely
consult this data.
 With their subdivisions placed into risk categories, the
company’s or branch’s checklists will help you find the
risks you need in a systematic and thorough manner.

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 3 of 15
Record the risks identified in a list, known as the risk register.

Example

The "New Flash Memories" project is aimed at setting up a new

production line for SmartMedia memory units - memory units that
are used, for instance, in appliances such as digital cameras.
During the course of a number of meetings with the project team
and various company managers, the following main risks were
identified:

1. Delays in the delivery of the production line

2. Possible problems relating to the production line
3. Delays in the delivery of measuring instruments
4. A competitor launches a similar product on the market earlier
5. The competitor cuts the price of its competing product CompactFlash
In order that these risks may be dealt with, they were recorded in the following risk
register, which may list negative risks (threats) and positive risks (opportunities):

The other columns of the risk register will be completed during the next stages.

Checklist
 Have all sources (key people, methods) for identifying risks been examined /
used?
 Have the risks been entered into a risk register? Using the formulation “Risk
that…” enables a clearer definition of the risks.
 Has a risk checklist (the company’s or the branch’s checklist) also been used for
controlling integrality? For instance with the following risk categories:
Stability of the goals of the project
 Should goal changes be expected? If yes, which ones?
 Which goals are highly dependant on context changes (legislation, economic
trends, etc.)?
 Will the project last long?
Technical issues

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 4 of 15
  Will new components be used?
 Will new methods be used?
 Will new tools be used?
 Will partial subsystems from different suppliers be integrated?
Resources
 Will the promised resources really be available?
 Do the members of the project team have the qualifications required?
 Will training sessions be given in due time?
 Does the team already operate in unison?
 Should conflicts be expected?
Organization / environment
 Should organization changes be expected?
 Will the sponsor retain his function until the end of the project?
Project management
 To which extent are the estimates reliable?
 Have slacks been established for the high risk activities?
 Has enough time been set aside for planning?
Client / end-user
 Are there several interlocutors on the users’ side?
 Have the end-users been informed about / involved in the project?
Method for identifying risks
 Have the more experienced employees in the company been consulted?
 Have all of the activities required by the project been examined in regards to
risks?
 Have all of the deliverables been examined in regards to risks?

Pitfalls
 The experience of other project managers has not been taken into consideration.
 The team has not been consulted when identifying risks.
 The risks were not mentioned in order to avoid harming the project.
 The description of risks is too general instead of being specific.
 Risks are poorly formulated; for example, “new technologies”. When defined in
this way, neither can risks be assessed, nor can measures be taken to control
them.
 Instead of risks (i.e. probable events), facts or problems are described.
 Entire risk categories are left aside.
 Instead of combining the methods used (which contributes to identifying more
risks), only one is applied for risk identification (e.g. checklist).

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 5 of 15
Risk analysis

Theory

The key principles in brief:

This stage of risk management involves examining the

threats entailed by the risks identified during the
previous stage.
Furthermore, it includes estimating

 the probability that the risk occurs (probability

of occurrence) and, in case it occurs.
 the severity of the impact on the project (e.g.,
postponing deadlines, exceeding costs).

The estimated values are then translated into “grades”

on a numerical assessment scale (i.e., high=5,
moderate=3, low=1), which enables comparison of the
different impacts (e.g. schedule delay, cost overrun).
Some companies use the following scale for risks and opportunities:
Risks: Negligible – Moderate – Significant – Catastrophic
Opportunities: Negligible – Moderate – Significant - Exceptional
The risk criticality, which measures the threat posed by a risk, is calculated by
multiplying the probability the risk occurs by the value of the risk's impact.
The purpose of the probability and impact matrix is to define the levels of criticality,
determining whether a risk should be considered high, moderate or low. The matrix
helps clearly identify those areas where risk monitoring techniques should be applied as
a matter of priority.
To complete this stage, probability, impact and criticality need to be recorded in the risk
register.

Literature:

To find further information about this topic, we recommend the following books:

PMBOK® Guide 4th 11.3 Perform Qualitative Risk Analysis

Edition:
11.4 Perform Quantitative Risk Analysis

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 6 of 15
 IPMA Competence Element 1.04 Risk & opportunity
Baseline v3.0:

How to do
How to proceed to assess risks:
First of all, define a scale for the assessment of risks. In order to do that, proceed as
follows:
 check whether your organization has a general scale that you may use. If not,
establish a scale for the possible risk impacts (high, moderate, low) on the various
project objectives, as follows, for instance:

 Establish a scale for the probability of occurrence of risks, as follows, for instance:

 To create the probability and impact matrix, assign values (e.g., H=3, M=2, L=1)
and combine both scales. The following matrix shows the risk criticality (impact *
probability).

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 7 of 15
  In this way, you will be able to determine which level of criticality corresponds to
high risk (red), a moderate one (yellow) and a low one (green), essential for defining
measures to handle risk.
 Finally, assess the different risks recorded in the risk register, as follows:

1. Estimate the probability of occurrence, as shown in the scale you defined, and
record this value in the risk register.
2. Estimate the impact, as shown in the scale, and record this value in the risk
register.
3. To define the criticality of risks, multiply the probability by the value of the
impact. In this way, you will be able to compare risks, identifying the main risks
according to the impact and probability matrix.

Example

The "New Flash Memories" project aims to deploy a new production

line for SmartMedia memory units, which are used, for instance, in
devices such as digital cameras. Over the course of a number of
meetings with the project team and various company managers, the
following main risks were identified.
During the last team meeting, the project manager presented a probability and impact
matrix for risk assessment. He asked team members to analyze risks and give him their
own assessments individually, without consulting each other.

While the team members were doing their assessments, he also did his. After comparing the
results of the various assessments, he identified the main differences between them,

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 8 of 15
specified hypotheses explaining those differences, and asked that a new assessment be
made. By proceeding in a fashion similar to the Delphi method (i.e., repeatedly getting
forecasts from a panel of experts), he was able to complete the risk register as follows:

In this way, two main risks were identified (number 1 and 5).

Checklist
 Are there assessment scales defining probability and impact?
 Has a scale been defined in order to decide whether a risk is high, moderate or low?
(i.e., probability and impact matrix).
 Has a consensus been reached on the assessment of the various risks? (e.g., with the
Delphi method).
 Have the values for risk probability, impact and criticality been recorded in the risk
register?
 Are the main risks known?

Pitfalls
 There is no unified scale or reference for the assessment of risk.
 Risks are assessed arbitrarily, without reference to their probabilities or impacts.
 A risk analysis is performed without sufficient knowledge of the project.

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 9 of 15
Risk Monitoring and Control

Theory

The key principles in brief:

For the main risks identified during the previous stage,

measures are elaborated to reduce the threat these
risks pose. The implementation of those measures
within the project requires constant oversight.
In agreement with the stakeholders, one of the four
response strategies mentioned below is selected for
each risk:

 Avoiding the risk - Taking appropriate measures

to ensure that the risk does not occur.
 Transferring the risk - Shifting the impact of a
risk to a third party.
 Mitigating the risk - Reducing the probability of
occurrence and/or the impact of a risk by taking
appropriate measures.
 Accepting the risk - Running the project while
being aware of the risk. Take precautions and
contain the risk by planning emergency measures
and by maintaining financial reserves as well as a
margin in the schedule.

For opportunities, the response strategy defines how to maximize the benefits.
A risk manager is designated. His or her task is to implement measures and watch
risks.
The risk manager tracks the evolution of the risks that concern him or her, watching
indicators that reveal, through trigger criteria, whether a risk is about to happen or
not, so that he or she may act accordingly.
All of this information is recorded in the risk register.

Literature:

To find further information about this topic, we recommend the following books:

PMBOK® Guide 4th Edition: 11.5 Plan Risk Responses

11.6 Monitor & Control Risks

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 10 of 15
 IPMA Competence Baseline Element 1.04 Risk & opportunity
v3.0:

How to do
How to minimize project risks:

Determine the response strategies to be adopted for each major risk listed in the risk
register:
Avoiding the risk:

 Transferring the risk

 Mitigating the risk
 Accepting the risk

Define measures for each risk so as to:

 lower the probability of occurrence;

 reduce the impact in case the risk occurs.

Modify the project plan according to those measures.

Designate a risk manager for each risk.

1. For each risk, determine indicators (warning signs, symptoms) and trigger criteria
that will continually show you whether or not a risk is about to happen throughout
the duration of the project.

2. Elaborate and detail scenarios (security reserves, emergency plans, complementary

plans) for those risks that are accepted: what should be done in the case a risk
occurs?

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 11 of 15
 3. Include in the project budget those expenses relating to emergency plans and to
measures aimed at preventing risks from happening.

How to monitor and control risks:

1. Regularly monitor the indicators (warning signs, symptoms)

that are in the project register.
2. Take the appropriate measures or apply the defined
emergency plans when indicators show that a risk is about to
occur (trigger conditions have been reached).
3. Regularly assess whether new risks have appeared. If this is
the case, evaluate these risks and record them in the risk
register.

Example

The "New Flash Memories" project aims to deploy a new production

line for SmartMedia memory chips, which are used, for instance, in
devices such as digital cameras. Over the course of a number of
meetings with the project team and various company managers, five
main risks were identified and recorded in the risk register. Then, the
criticality of those risks was determined based on the risk
assessments that were made.

Risk response plan

Based on the risk register, which was established after assessing the risks, the project
manager determined response strategies with the help of his team. These strategies follow:

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 12 of 15
A security reserve needs to be set aside to cover the costs of the planned contingency
measures.

Risk managers are in charge of the risks that have been assigned to them. Their role is to
monitor indicators and trigger conditions. When the risk trigger threshold is reached, they
take the appropriate measures.

Risk Monitoring and Control

During project execution, risk managers constantly monitor risks by checking relevant
indicators. They also constantly correct or add elements in the risk register, so that trends
may be identified. When a trigger threshold is reached, they take the measure foreseen in
the response strategy.

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 13 of 15
In this way, risk managers and project managers are able to control risks appropriately.

Checklist
For each risk whose criticality is high:

 Can the risk be eliminated (e.g., by selecting another technical solution or another
supplier)?
 Can the risk be transferred (e.g., to the subcontractor, by using a contractual
penalty)?
 Can the probability of a risk be softened?
 Can the impact be reduced?
 Has a scenario been developed (i.e., the determination of fallback measures in case
the risk occurs)?
 Have indicators and triggers been defined, in order that risks may be monitored?
 Has a risk manager been designated for each risk that needs to be monitored?
 Have the intervals at which indicators are to be checked been defined?
 In the case of larger projects: has a risk manager been designated (i.e., a person in
charge of watching risks, as well as in charge of centralizing and consolidating risk-
related information gathered by the team)?
 Have (monthly, weekly, daily) deadlines been set at which risks need to be
reexamined or reassessed?

Pitfalls

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 14 of 15
 Spending too much time managing risks whose probability of occurrence and impact
are low.
 When the risk is high, failing to eliminate it as a matter of priority (e.g., by selecting
another technical solution).
 Failure to monitor risks regularly.
 Failure to take minor signs into account.
 Being too optimistic. It is only fair that a project manager should be optimistic.
However, when analyzing risks, he or she should rather prefer the counsel of an
employee known for being pessimistic.

Copyright © 1996-2012 STS Sauter Training & Simulation SA, Lausanne, Switzerland. Page 15 of 15