RISK TABLE OF CONTENTS

MAPPING OF THE 42 PROCESSES TO THE 5 PROCESS GROUPS......................................................3

6 RISK PROCESS OVERVIEW........................................................................................................4
HOW THE OUTPUTS ARE LINKED AS INPUTS................................................................................5
PLAN RISK MANAGEMENT............................................................................................................8
IDENTIFY RISKS......................................................................................................................... 9
PERFORM QUALITATIVE RISK ANALYSIS.....................................................................................10
PERFORM QUANTITATIVE RISK ANALYSIS..................................................................................11
PLAN RISK RESPONSE............................................................................................................... 12
MONITOR AND CONTROL RISKS................................................................................................ 13
 MAPPING OF THE 42 PROCESSES TO THE 5 PROCESS GROUPS

MONITOR
INITIATE PLAN EXECUTE & CLOSE
(2) (20) (8) CONTROL (2)
(10)
 Monitor
 Direct & Control
 Develop Project Work
 Close
INTEGRATION  Develop Project & Manage
Project Project or
(6) Management Plan Project  Perform
Charter Phase
Execution Integrated
Change Control
 Collect Requirements
SCOPE  Verify Scope
 Define Scope
(5)  Control Scope
 Create WBS
 Define Activities
 Sequence Activities
TIME
 Est. Act. Resources
 Control
(6) Schedule
 Est Act. Durations
 Develop Schedule
COST  Estimate Costs
 Control Costs
(3)  Determine Budget
QUALITY
(3)
 Plan Quality  Perform QA  Perform QC

 Acquire Project Team

HUMAN RESOURCE  Develop Human
 Develop Project Team
(4) Resource Plan
 Manage Project Team
 Distribute
Information
 Identify  Manage
COMMUNICATIONS  Report
Stakeholder  Plan Communications Stakeholder
(5) Performance
s s
expectations

 Plan Risk Mgmt

 Identify Risks
 Perform Qualitative
RISK Risk Analysis  Monitoring &
(6)  Perform Control Risks
Quantitative Risk
Analysis
 Plan Risk Responses

PROCUREMENT  Plan  Conduct  Administer  Close

(4) Procurement Procurement Procurements Procurements
 6 RISK PROCESS OVERVIEW
PROCESS DESCRIPTION GROUP INPUTS T&T OUTPUTS
Project scope
Plan Risk Determine approach statement
Mgmt Plans: Planning meetings
Management and plan risk mgmt Cost; Schedule; and analysis
Risk management plan
activities Communications
EEF; OPA
Risk mgmt plan
Activity cost Documentation
estimates reviews
Activity duration Info-gathering
Determine and estimates techniques
document Scope baseline Checklist analysis
Identify Risks Stakeholder register Assumptions analysis
Risk register
characteristics of
potential risks Mgmt Plans: Diagramming
Cost; Schedule techniques
Quality SWOT analysis
Project documents Expert judgment
EEF; OPA
Risk P/I assessment
Probability & impact
Conduct qualitative Plan Risk register matrix
Perform Risk mgmt plan Risk data quality
analysis of risks and
Qualitative Project scope assessment UPDATES to:
conditions and statement Risk categorization
Risk Analysis prioritize their effects Risk register
OPA Risk urgency
assessment
Expert judgment
Data gathering &
Measure probability Risk register
representation
Perform and consequences of techniques
Mgmt Plans: UPDATES to:
Quantitative risks and estimate Risk; Cost;
Quantitative risk
Risk register
Risk Analysis implications for analysis & modeling
Schedule
project objectives techniques
OPA
Expert judgment
Strategies for: Risk related contract
Develop options and Negative risks or decisions
Plan threats
actions to enhance
Risk Risk register Positive risks or
opportunities and UPDATES to:
Responses Risk mgmt plan opportunities
reduce threats to the Contingent response Risk register
project's objectives strategies Project mgmt plan
Expert judgment Procurement docs
Risk reassessment
Monitor residual risks, Risk register Risk audits Change requests
identifying new risks, Project Variance & trend UPDATES to:
Risk
executing risk management plan analysis Risk register;
Monitoring Control Work performance Technical performance OPA
response plans and
and Control evaluating their information measurement Project mgmt plan
effectiveness. Performance reports Reserve analysis Project documents
Status meetings

HOW THE OUTPUTS ARE LINKED AS INPUTS

Review this table to understand how the various outputs (O) are then input (I) to the next process.

MONITOR &
CONTROL
PLANNING

Documents, Tools and Techniques

Perform Quantitative
Perform Qualitative

Risk Monitoring &

Risk Management
Legend: I – Inputs

Risk Response
Identify Risks

Risk Analysis

Risk Analysis
T – Tools & Techniques

Planning

Control
O - Outputs

Plan
Project scope statement I I
Cost management plan I I
Schedule management plan I I
Communications management plan I
Enterprise environmental factors I I
Organizational process assets I I I I
Planning meetings and analysis T
Risk management plan O I I I I
Activity cost estimates I
Activity duration estimates I
Scope baseline I
Stakeholder register I
Quality management plan I
Project documents I
Documentation reviews T
Info-gathering techniques T
Checklist analysis T
Assumptions analysis T
Diagramming techniques T
SWOT analysis T
Expert judgment T T T T
Risk register O I I I I
Risk P/I assessment T
Probability & impact matrix T
Risk data quality assessment T
Risk categorization T
Risk urgency assessment T
UPDATES: Risk register O O O O
Data gathering & representation techniques T
Quantitative risk analysis & modeling techniques T
Strategies for Negative risks or threats T
Strategies for Positive risks or opportunities T
Strategies for Contingent response strategies T
Risk related contract decisions O
Project management plan I
Work performance information I
Performance reports I
Risk reassessment T
 MONITOR &
CONTROL
PLANNING

Documents, Tools and Techniques

Perform Quantitative
Perform Qualitative

Risk Monitoring &

Risk Management
Legend: I – Inputs

Risk Response
Identify Risks

Risk Analysis

Risk Analysis
T – Tools & Techniques

Planning

Control
O - Outputs

Plan
Risk audits T
Variance & trend analysis T
Technical performance measurement T
Reserve analysis T
Status meetings T
Change requests O
UPDATES: OPA O
UPDATES: Project mgmt plan O O
UPDATES: Project documents O O

GENERAL CONCEPTS OF RISK

Types of Risk: Business: carry both opportunities for both gains and losses
Pure/Insurable: only opportunity for losses:
operty damage
onsequential lost (clean up costs after)
ility
l

Risk Factors: Risk event: precisely what might happen to the detriment or benefit of the project
Probability: how likely the event will occur
Amount at
Stake: the extent of the loss or gain that could result (or impact)

Risk Responsibility: The CUSTOMER is responsible for identifying risks. They know their
environment.

Highest Risk Impact: During implementation and closeout process.

PLAN RISK MANAGEMENT

Deciding how to approach, plan and execute the risk management activities.
A balance must be struck between no planning, and planning to the point of
project paralysis. The key is to balance the cost of the planning process, along with
likely costs of counter measures, against the benefits to be delivered by the project.
This can only be done in conjunction with the various stockholders.
Goal is to maximize the opportunities and minimize the threats.

Project scope Assumptions specified in the scope statement should be assessed for
statement risk.
Cost Management Plan Defines how risk budgets, contingencies and management reserves will
be reported and assessed.
Schedule Mgmt Plan Defines how schedule contingencies will be reported and assessed.
Communications Mgmt Defines who is responsible for risk management, reporting frequency
Plan etc.
Enterprise Different organizations and different individuals have different
environmental factors tolerances for risk. Understand them and plan accordingly.
Risk averter: not likely to take a risk that is considered to be a high
risk. The more money at stake, the less likely the risk averter is to take
the risk since the satisfaction or tolerance diminishes.
Risk seeker: prefers an uncertain outcome and may be willing to pay a
penalty to take a high risk with a large amount of money at stake. In
other words, the higher the risk and the greater potential for benefit,
the more likely the risk seeker is to take the risk.
Risk neutral: person’s tolerance for risk is proportional to the amount of
money at stake.
Org process assets The risk management approach or policy already defined within the
organization – risk categories, templates, R& R etc.
Planning meetings Attendees include: Project manager and team, anyone in the
and analysis organization responsible for risk planning, other key
stakeholders, others as needed.
Avoid having one person do the plan.
Risk management plan Describes the project team’s approach to:
identifying, analyzing, responding to, monitoring and controlling risks.
Includes:
 Methodology (How)
 R & R (Who)
 Budget
 Timing (When)
 Risk categories
 Scoring & interpretation (risk assessment scales – P/I)
 Reporting format (How)
 Revised stakeholders tolerances
 Thresholds
 Tracking
IDENTIFY RISKS
Determine what internal and external risks will likely occur
and document the characteristics of each.
Performed throughout the project life cycle repeatedly.

Risk mgmt plan Output from Plan Risk Management

The guide to the team on how risk will be managed throughout the PLC.
Activity cost estimates
Risk will be expressed in range of estimate. Review may determine the
Activity duration estimate is insufficient posing a risk to the project.
estimates
Project scope Assumptions are documented in the scope statement.
statement WBS is crucial to determine the overall risk to the project.
Stakeholder Register Identifies key stakeholders to assist in risk identification.
Cost mgmt plan Specific approach to cost management determines the degree of risk.
Schedule mgmt plan Specific approach to schedule management determines the degree of
risk.
Quality mgmt plan Specific approach to quality management determines the degree of risk.
Project documents Assumptions log, EV, work performance reports, network diagrams….
Enterprise Published information, risk attitudes, commercial databases,
environmental factors benchmarking, academic studies are sources of risks identification.
Org process assets Lessons learned from previous projects
Documentation reviews Quality of plans, lack of or inconsistency of various project documents
could indicate potential risk for the project.
Info-gathering Brainstorming, Delphi, Interviewing - risk oriented meetings with
techniques various stakeholders may reveal more risks not evident during planning.
Checklist analysis Organized by source of risk: project context, other planning process
outputs; technology or product issues; internal sources such as team
members
Assumptions analysis Explores the assumptions validity. Identifies risks due to inaccuracy,
inconsistency or incomplete assumptions.
Diagramming Cause and effects; system process flow charts; influence diagrams
techniques
SWOT analysis Examines the project from the strengths, weaknesses, opportunities and
threats.
Expert judgment Consider the “experts bias” during this process.
Risks register Initial entries into the risk register – lists of risks and potential
responses if available.
Risks: An uncertain event or condition that, if it occurs has a positive or
negative effect.
Includes: List of identified risks, potential responses, root causes of risk,
risk categories.
PERFORM QUALITATIVE RISK ANALYSIS
Assessing the probability and consequences of risks and estimating their implications on project objectives
to determine their priority for further quantitative analysis and/or risk response planning.

 Prioritizes risks according to their impact on project objectives

 Determines the importance of addressing and planning responses for specific risks and their time-
criticality
 Evaluates the quality of the risk information available
 Requires that the probability and consequences of the risks be evaluated using established qualitative-
analysis methods and tools
 Trends in repeated qualitative analysis can indicate the need for more or less risk management action
 Should be revisited during the project life cycle to stay current with changes in the project’s risks
 Can lead to further analysis in quantitative risk analysis or directly to risk response planning

Qualitative (foundational) Quantitative (optional)

 What is the risk?
 Why might it happen?
 How likely is it?
 How bad/good might it be (impact)?
 Does it matter?
 What can we do?
 When should we act?
 Who is responsible?
 Modeling uncertainty
 Simulate combined effect of risks
 Predicting outcomes
 Range, min/max, expected
 Testing scenarios
 Setting confidence limits
 Identifying criticalities
 Determining options

Risk register Provides a list of the identified risks.

Risk mgmt plan How the team will manage project risk.
Scope statement The scope statement will identify if the project is similar to previous
projects or first of its’ kind which usually will have more uncertainty.
Org process assets Lessons learned on previous project risks
Risk P/I assessment Likelihood that a risk will occur
Consequences on project if the risk does occur
Probability & impact Risk probability – the likelihood that a risk will occur
matrix Risk consequences – the impact of the risk on project objectives
The above may be described in “qualitative” terms, such as “very high”,
“high”, “medium”, “low” or “very low”.
Risk data quality Description of the extent to which a risk is known and understood.
assessment Measurements
The extent of data available
The reliability of the data
Evaluation of the source of the data used to identify each risk.
Risk categorization Use the RBS or WBS to categorize the risks.
Risk urgency Immediate or near term risks can affect the risk rating making it more
assessment urgent to assess the risk response.
Expert judgment Consider experts bias.
Risk register (updates) Output from the Identify Risk process
Updates such as: ranking, categories of risk, causes, watch list low
priority risks, trends…..
PERFORM QUANTITATIVE RISK ANALYSIS
Evaluating risks and risk interactions to analyze numerically the
probability of each risk and its consequence on project objectives.
Determining which risks we need to worry about. Not all risks are quantifiable.
Uses a set of structured tools to help decide which
risk events warrant a response strategy of some kind.

Risk register List of identified risks, ranking, and categories

Risk mgmt plan Risk management guide, R& R, budgets and schedules for risk
Cost mgmt plan Establishes the controls for budget which will help determine the structure
and/or application approach for quantitative analysis.
Schedule mgmt plan Establishes the controls for the schedule which will help determine the
structure and/or application approach for quantitative analysis.
Org process assets Studies of previous projects by risk specialists and risk databases from
other industries.
Data gathering and A method of taking subjective probability and representing that data
representation objectively.
techniques Dependent on types of probability used
Triangular and Beta
use 3-point estimates (P, ML and O)
Normal, log and uniform, use means and standard deviations
Quantitative risk Decision Trees: Diagram shows key interactions among decisions and
analysis and modeling associated chance events. Decisions are shown as boxes and chances as
techniques circles.

EMV: probability times the expected outcome.

Simulation: Analyze the behavior of the system. Most common is the

schedule simulation which uses the project network as the model based
on the Monte Carlo analysis.

Monte Carlo Analysis: Superior approach to analyzing the schedule

compared to PERT or CPM as these two tend to underestimate and fail to
account for path convergence. This performs the project many times to
provide a statistical distribution of the calculated results to quantify the
risk of various schedule alternatives, different project strategies, different
paths through the network, or individual activities.

Impact Analysis: What is the likelihood the event will occur vs the
severity of the impact on the project if it does occur. I.e. You have a
high probability it will snow, but you live in Maine so the risk is low.
You have a low probability it will snow, but you live in Miami so the risk is
high and would be disastrous.

Sensitivity Analysis: Places value on impact to the project by changing a

single variable. Completed only on variables with the greatest impact on
cost, schedule or economic return on the project.
Utility Theory: Considers the attitude of the decision maker; their pain
vs pleasure.

Range Estimating: Determines the maximum tolerable variation in an

estimates total cost.
Mathematical probability that a cost overrun will occur
Risks and opportunities ranked in order of bottom-line importance
The contingency required for a given level of confidence.
Expert judgment Can validate the reliability of the techniques used.
Risk register (updates) Output of Risk Identification.
 Updates include: probabilistic analysis of the project, probability of
achieving cost and time objectives, prioritized list of quantified risks and
trends in quantitative risk analysis results.

PLAN RISK RESPONSE

Defining enhancement steps for opportunities and
mitigation steps to respond to threats.

Risk register Output of Identify Risk

Risk mgmt plan The guide to how risk response planning will be conducted.
Strategies for Avoid: Change the plan to eliminate risk events
negative risks or Transfer: to a third party with ownership of the response.
threats Does not eliminate the risk.
Mitigate: Taking early action/change the plan to reduce the
monetary risk by reducing the probability of
occurrence with proven technology; use a sub
contractor; use reserve.
Acceptance: Active: Develop a contingency plan to execute if
risk occurs.
Passive: Acceptance of lower profit if activities
overrun.
Positive risks or Responses to specifically address potentially positive impacts to the
opportunities project objectives by exploiting, sharing or enhancing.
Both threats and Acceptance: Active: Develop a contingency plan to execute if
opportunities risk occurs.
Passive: Acceptance of lower profit if activities
overrun
Contingent response Contingency reserves: A provision to mitigate cost and/or schedule
strategy risk. Types: mgmt, contingency, schedule
Expert judgment Will assist with the actions.
Risk register (updates) Updates at this step of the process could be: contingency reserves of time
and cost, symptoms and warning signs, agreed upon response strategies
etc.
Risk related contractual Agreements for insurance, services are prepared.
agreements
Project Mgmt Plan Agreed upon risk response strategies are processed through the
(updates) appropriate knowledge areas and updated in the project management
plan.
Project document Assumptions log, technical documentation
(updates)
MONITOR AND CONTROL RISKS

Executing the Risk Mgmt Plan to respond to risk events during the project.
When changes occur the basic cycle of identify, quantify and respond is repeated.

Risk register Output of Identify Risk

Project mgmt plan Contains the risk mgmt plan with risk tolerances, guide, R & R …….
Work performance Project deliverables status, corrective actions and performance reports.
information
Performance reports Analysis of work performance may influence the risk management
process.
Risk reassessment New risks may be identified and changes to existing risks.
Risk audits Examine the effectiveness of the risk management process.
Variance and trend Earned value analysis may reflect potential risk to meeting overall project
analysis objectives.
Technical performance Deviations between the technical accomplishments to the plan help to
measurement determine or forecast the degree of success in achieving project scope.
Reserve analysis Regular review of the contingency reserves left to ensure adequate
remaining reserve is available.
Status meetings Should be held periodically
Risk register (updates) Outcomes of risk reassessments, audits, and risk reviews.
Org process assets Lessons learned and final templates, risk registers, checklist and RBS’s are
(updates) added to the assets.
Change requests Prepared and submitted through the Integrated Change Control process
and once approved are inputs to the Direct and Manage Project Execution.
Can be for preventive actions to include contingency plans and
workarounds
Can be for corrective actions taken to bring expected performance in line
with the plan.
Project mgmt plan Approved changes must be updated in the plan.
(updates)
Project document Assumptions log, technical documentation
updates