Page 1 of 2

Print
Close

Take a Risk (Part 2)

Geoff Choo

May 19, 2004

In the first installment of this two-part series, we looked at risk management planning, risk identification and
qualitative risk analysis. In this installment, we continue with a look at quantitative risk analysis, risk
response planning and risk monitoring and control.

Quantitative Risk Analysis

The main objective of the quantitative risk analysis process is to develop an objective and numerical
assessment of the risks facing a project. This process helps you calculate an actual probability number as
well as quantify the magnitude of the impact of the risk in terms of time or money units. This quantification
process is performed by using a Monte Carlo simulation to calculate the probability of completing the project
by various dates, sensitivity analysis to determine which variables have the greatest impact on project
results, or decision-tree analysis to calculate the time and cost impact of taking a series of decisions.

How does this impact your project? This process adds two important elements to your project planning
process. The first is the results of the probabilistic analysis which provides decision-makers with data on the
probabilities of hitting various cost and schedule targets, taking into account the various options and
decision paths available to the organization. The second is the concept of expected value, which is derived
by multiplying the probability of occurrence of a risk event by the magnitude or value of the impact of the
risk. The expected value of a risk event gives you an idea of your expected financial loss in the event that
the risk occurs. But more importantly, expected value tells you how much you should realistically spend on
your risk responses. You should generally try not to spend more in dealing with the risk than how much you
expect to lose if that risk does occur.

Risk Response Planning

In this process, you develop your strategies for responding to the risks that you have identified in the
previous processes, based on risk priority, expected value, probability of occurrence and magnitude of
impact. In responding to risk events, your key objective should be to maximize the probabilities of achieving
your schedule and cost objectives. You can choose to avoid, mitigate and transfer the risks, but sometimes
it may be too expensive or too difficult to avoid, transfer or mitigate your risks. In this situation, your only
course of action is to plainly accept the risks. You accept that the risks may occur; you hope that they don't
occur, but just in case, you create contingency plans and set aside a contingency reserve in your budget for
when those risks do happen.

How does this impact your project? Here is where the risk rubber meets the road. Once you have identified
your risks and figured which risk merit the most attention, the PMBOK risk response plan will help you define
the most appropriate strategy to adopt for every identified risk. The risk response plan will also help define
accountability for your risk response strategies by associating every risk with a risk owner who will be

http://www.gantthead.com/articles/articlesPrint.cfm?ID=217628 10/21/2008
 Page 2 of 2

responsible for tracking and dealing with the risk. For the risks that you accept, your contingency plans and
reserves will help protect the project from potential cost overruns in the event of those risk events occurring.

Risk Monitoring and Control

In this process, you monitor residual risks left over after your risk response planning, and identify new risks
that may have arisen. Your main objectives in this process include keeping an eye on identified risks and
verifying that you are following your risk response plan; checking that those risk responses are effective--if
not, you'll need to develop a new response, identifying new risks that may have arisen and creating
workaround plans for dealing with those new risk, controlling accepted risks and executing corrective action
from contingency plans if those accepted risks have occurred.

How does this impact your project? Risk management doesn't end with the identification, assessment and
handling of risk. You will be performing risk audits and risks reviews to control risk and verify that your risk
response strategies and the people you have assigned responsibility for those risks are effective. Risks can
and will happen at any point in your project lifecycle, and you need to constantly check your project for the
effectiveness of your risk management plans, and quickly correct your plans if things aren't working out as
you had envisioned.

Risks are also hardly static entities and constantly mutate to changing project conditions. Risk monitoring
and control will help ensure that you are able to keep up these changes by constantly monitoring risks to
discover changes in the impact of identified risks. The results of your risk monitoring and control entered into
a risk database which will provide essential historical information for the management of future projects.

Geoff Choo helps plan, design, implement, and manage enterprise software development projects for Northern Italian companies.
He can be reached at gantt.head@tiscali.it.

Copyright © 2008 gantthead.com All rights reserved.

The URL for this article is:

http://www.gantthead.com/article.cfm?ID=217628

http://www.gantthead.com/articles/articlesPrint.cfm?ID=217628 10/21/2008