PROJECT RISK MANAGEMENT

UNDERSTANDING RISK
  Define risk and risk management
 Establish a risk management context

COURSE 


Describe the 7 R’s and 4 T’s that form the
framework of risk management activities
Design and complete a basic risk assessment

OVERVIEW
 Determine the appropriate response to risks and
create a plan for those responses
 Describe the key components of reporting,
monitoring, and evaluation of a risk
management program
 UNDERSTANDING RISK
What is Risk?
 The effect of uncertainty on objectives.
Risk implies future uncertainty about deviation from expected earnings or expected outcome.
Risks are of different types and originate from different situations.We have liquidity risk, sovereign risk, insurance risk, business
risk, default risk, etc.
Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application
of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of
opportunities.
 Typically related to one of four areas:
1. Strategy
2. Change management
3. Operations
4. Finance
 Risks can be positive, negative, or neutral.
 UNDERSTANDING RISK

 Examples of positive risks

Here are some positive risks in project managementexamples:
• A potential upcoming change in policy that could benefit your project.
• Technology currently being developed that will save you time if released.
• A grant that you’ve applied for and are waiting to discover if you’ve been approved.
• A request for additional resources, materials, tools, or training that will make your project more efficient if provided

• Examples of positive risks

• Negative risks are those events that stop us or hinder the achievement of our objectives. We mainly consider these types of events as risks.
For example:
• - Unexpected traffic on our way to the office stops us from reaching the office in time
• - Client rejecting our shipment of goods to them
• - Extreme weather delaying the execution of the project
• - Change in currency exchange rate making our purchases costlier
 Negative risks are all those possible events that could harm an
UNDERSTANDING organization, where we seek to mitigate, prevent, or reduce the extent
RISK of that harm.

 Examples of positive risks Positive risks, in contrast, are all those events beyond the company’s
Here are some positive risks in project
control that can help the company, and are generally exploited to reap
management examples: the benefit to the project.
• A potential upcoming change in
policy that could benefit your
project.
• Technology currently being
developed that will save you time if
released.
• A grant that you’ve applied for and
are waiting to discover if you’ve
been approved.
• A request for additional resources,
materials, tools, or training that will
make your project more efficient if
provided
UNDERSTANDING RISK

What is Risk Neutral?

Risk neutral is used both in the study of game theory and in finance. It refers to a mentality in which a person is
indifferent to risk when deciding to invest. This mentality is derived not from calculation or rational deduction but an
emotional preference.
An individual with a risk-neutral approach doesn't concentrate on the risk, regardless of whether or not it's a foolish
thing to do. This way of thinking is always situational and can rely on price or other external factors.
Some examples of risks:
Business interruptions
Changes in business relationships
Changing labor market conditions
System issues
Access to information
Security conditions
  Risk neutral vs. risk averse
 Imagine you have two people in front of you – an
investor who is averse to risk and one who is neutral.
RISK NEUTRAL VS You offer them two possible investment opportunities:
RISK AVERSE • Invest $500 with 100% certainty that it will increase to
$550 in one year.
• Invest $100 with a 50% certainty that it will increase to
$150 in one year, and a 50% chance that it might
decline to $50.
UNDERSTANDING RISK

 Risk neutral vs. risk averse

 Imagine you have two people in front of you – an investor who is averse to risk
and one who is neutral. You offer them two possible investment opportunities:
• Invest $500 with 100% certainty that it will increase to $550 in one year.
• Invest $100 with a 50% certainty that it will increase to $150 in one year, and a
50% chance that it might decline to $50.
 The risk averse investor will choose the first option, because of the certainty.
 The investor who is neutral to risk will not mind which one, because they both
offer a return of $50. If you ignore the risk (losing $50), and only focus on the
return – $50 in each case – both investments are equally appealing.
 Individuals who are neutral to risk will take a long time to carefully weigh up
investment options rather than making a rapid decision to either avoid risk or
embrace it. Most of us focus almost entirely on the risk aspect.
 Risk neutral investors are significantly less common than their risk averse and risk
seeking counterparts. Most of us are risk averse, and find the notion of risk
neutrality rather strange.
UNDERSTANDING RISK
Methods
The following are some popular quantitative risk analysis techniques:
#1 – Monte Carlo Analysis QUANTITATIVE RISK
This method utilizes most likely, pessimistic, and optimistic projections to compute the overall
project cost and determine the completion dates. It establishes a range of possible outcomes and is
most effective for the risks associated with a project’s yield or duration.
#2 – Scenario Analysis
The scenario analysis technique computes multiple project outcomes’ likelihood and possible A Quantitative assessment is a risk
range.This method is extremely useful to determine if a company can achieve its desired result analysis performed with a focus on
without exceeding its risk tolerance level. In addition, it can help businesses figure out how many numerical values of the risks present.
resources they might require and when. The quantitative risk analysis allows
#3 – Decision Tree Analysis you to determine the potential risk of
The decision tree analysis technique helps organizations evaluate the risk associated with one or a project. This can help you decide if a
multiple choices. Every tree represents a choice and its associated costs. First, individuals must assign project is worth pursuing.
costs and probabilities at every point.Then, they must follow a chain and add up every cost. Once
done, they can determine which choice has the lowest risk.
#4 – Sensitivity Risk Analysis
Businesses can use the sensitivity risk analysis method to identify the risks that most likely impact a
project. It examines how a project element’s vagueness impacts the objective when every other
indefinite element is held to minimum standards.
#5 – Expected Monetary Value or EMV Analysis
In this case, individuals require the probability or likelihood of a risk occurring and the estimated
cost of that risk. Then, they can determine the total estimated risk amount by calculating the sum of
the results obtained after multiplying each risk’s cost and the probability.
 QUALITATIVE RISK
Qualitative Risk Analysis Steps
Step 1: Identify Risks
The goal of this step is to create a masterlist of risks by noting down any risk that Qualitative risk analysis involves
comes to mind and asking other members of the team for their input. Additionally, identifying threats (or opportunities),
project managers can make the risk identification process faster by holding how likely they are to happen, and
brainstorming sessions with their teams and even some workers to get a clearer idea of the potential impacts if they do. The
what’s happening in the field. results are typically shown using a
Probability/Impact ranking matrix.
Step 2: Classify Risks This type of analysis will also
There are several techniques for classifying risks. One popular technique is the risk categorize risks, either by source or
matrix, which combines the consequences and likelihood of a risk occurring. effect.
Risk Assessment Matrix / Risk Matrix

Step 3: Control Risks

While this may look different depending on the technique chosen in the previous step,
risk control is generally divided into two categories. The first category of risk control is
focused on targeting the root causes of risks such as hazards or inefficient management
processes. The second category of risk control is geared towards lessening the negative
impact of the risk through corrective actions such as providing workers with PPE.
Step 4: Monitor Business Risks
As project managers go through the qualitative risk analysis process, they should
remember to keep all of their notes regarding risks, risk ratings, and control measures
to mitigate consequences. These notes will be useful in completing the final step: risk
QUALITATIVE RISK
monitoring. This step mainly involves observing risks and asking the following questions:

Is risk control effective?

Were risks correctly classified? Qualitative risk analysis involves
Have all risks been identified? identifying threats (or opportunities),
how likely they are to happen, and
the potential impacts if they do. The
results are typically shown using a
Probability/Impact ranking matrix.
This type of analysis will also
categorize risks, either by source or
effect.
Difference Between Qualitative and Quantitative Risk Analysis DIFFERENCE BETWEEN
The key difference between qualitative and quantitative risk analysis is the QUALITATIVE AND
basis for evaluating risks. As mentioned earlier, qualitative risk analysis is QUANTITATIVE RISK
based on a person’s perception or judgment while quantitative risk analysis ANALYSIS
is based on verified and specific data.

Another difference is the values associated with risks. In qualitative risk

analysis, this value is the risk rating or scoring. A risk may be rated “Low”
or given a score of 1 to indicate that the risk does not require immediate
attention. In quantitative risk analysis, the value associated with the risk is
often in percentages and indicates the probability of the risk occurring or
of it causing a specific negative effect on project objectives.

A quantitative risk assessment focuses on measurable and often pre-

defined data, whereas a qualitative risk assessment is based more so on
subjectivity and the knowledge of the assessor.
UNDERSTANDING RISK

What is Risk Management?

 Principles and processes that help minimize the
negative
 Impacts of risks and maximize the positive impacts.
 Process should be PACED:
Proportionate
Aligned
Complete
Embedded
Dynamic
ASSESSING – RISK MATRIX
 First step in risk management is to
recognize and identify risks.
 Your risk assessment process should
be proportionate to your
 Organization

 You should have a template to track

and record all information.
 How do you identif risks?

 Information gathering should always

be a group activity. Gather hard
 Data whenever possible.
ASSESSING – RISK MATRIX

What is a 5x5 Risk Matrix?

A type of risk matrix that is
visually represented as a table or
a grid, a 5x5 risk matrix has 5
categories each for probability
(along the X axis) and impact
(along the Y axis), all following a
scale of low to high. As a
comprehensive tool used by
organizations during the risk
assessment stage of project
planning
ASSESSING – RISK MATRIX

• Color-coding is crucial for a 5×5 risk assessment

matrix to represent the combination level of
probability and impact of the identified risks. That
said, high risks must be in red, moderate risks in
yellow (amber), and low risks in green.

• A 5×5 risk matrix also aims to answer the

question “What are the 5 risk rating levels in the
risk assessment matrix?” A 5×5 risk matrix has
two axes, or components to put it simply, that
make up the whole table or grid: the Probability
and the Impact
ASSESSING – RISK MATRIX

• Calculating Risks Using the 5×5 Risk Matrix

• Probability x Impact = Risk Level

• The first step is to assign a numeric value from 1

to 5, 1 being the lowest, for each of the categories
under Probability and Impact.

•1-4: Acceptable – no further action may be needed

and maintaining control measures is encouraged
•5-9: Adequate – may be considered for further
analysis
•10-16: Tolerable – must be reviewed in a timely
manner to carry out improvement strategies
•17-25: Unacceptable – must implement cease in
activities and endorse for immediate action
 RESPONDING TO RISKS
 Risk Response Strategies for Negative Risks (Threats)
 The four strategies for risks are listed below:
1. Avoid: This risk response strategy is about removing the threat
by any means. That can mean changing your project
management plan to avoid the risk because it’s detrimental to
the project.
2. Mitigate: Some project risks you just can’t avoid. Those you
need to mitigate, which is reducing the impact of the negative
risk on the project.
3. Transfer: As the name implies, here you’ll transfer or pass the
work on resolving the project risk to a third party, such as
buying insurance or getting a warranty and guarantee.
4. Accept: This risk response strategy consists in identifying a risk
and documenting all the risk management information about it,
but not taking any action unless the risk occurs.
 RESPONDING TO RISKS

 Risk Response Strategies for Positive Risks

(Opportunities)
 On the other side of the coin, there are those positive risks
that you want to exploit.There are three strategies for these,
too:
1. Exploit: When there’s a positive risk or opportunity you want
to exploit you need to add more tasks or change the
management plan to take advantage of it.There is risk inherent
in this approach, but often the reward is worth it.
2. Enhance: Here you increase the chance of a positive risk
occurring in your project.
3. Share: Here you’ll share the risk response with other partners
across various teams or projects. It might mean sharing a skilled
team member across various projects.
RESPONDING TO RISKS

Key Considerations
 Ensure normal business practices are not interrupted.
 Managing the media should be part of your plan.
 Direct communication with stakeholders is critical.
 If there is any chance that people may be injured or
worse, you should
 Include medical support in your planning.
 You may be required by law to obtain insurance.
 REPORTING AND PLANNING
Items that will need to be reported on include:
Changes to risks
Near misses and incidents
Changes that will affect the risk management program

Items that should be monitored include:

Effectiveness of risk controls
Cost of controls vs. benefit s achieved
Laws and legislation
Industry climate
Alignment of risk management plan with corporate goals
 REVIEWING AND EVALUATING THE FRAMEWORK

✓ Analysis of risk response measures, whether they achieved the desired result, and did so efficiently
✓ Review of reporting and monitoring procedures
✓ Knowledge gap analysis for risk assessments
✓ Compliance check with appropriate regulations and organizations
✓ Opinions of key external and internal stakeholders
✓ Self-certification
✓ Risk disclosure exercise, to identify future risks
✓ Repeat of risk assessment
✓ Lessons learned
✓ Recommendations and implementation plan
 The Boat Game

Number of participants: size from 3–15

Duration: 1–2 hours
Prepare: sticky notes, whiteboard, markers, risk
matrix on the wall

Purpose of the game: To explain the necessity and

process of risk management, evaluation and dealing
with risks.
 The Boat Game

Risk management is one of the most important area of any development yet often underestimated. Look at any
project, start up, idea, there is always quite huge risk that you'll fail. You may fail because of not enough resources,
the product does not fit into the market, you ran out of money, you name it, there are dozens of threats. And yet I
still see that most of the projects underestimating the role of risk management because everybody thinks that they
know about them and that's enough. But knowing about the risk is just first step of the whole beauty of risk
management.
 The Boat Game

Imagine you are on a boat. The boat is going across Atlantic, it is one of the fancy boat where people are having fun and can enjoy various of
entertainment activities (cinema, pool, theater, dining, etc.). You go on the trip with your partner or your friends.
1. Write on the sticky notes as many as possible situations by asking the participants “What can go wrong?”. Don't limit yourself with thinking just about
the catastrophe scenarios but try to encourage to think about common threats. (5 min proved to be enough — everybody should have around 5
situation). Everybody to come to the wall and evaluate the probability (Probable, Possible, Improbable) and impact (Low, Medium, High, Extreme)
and place the sticky note on the wall according the evaluation. (If two people have same risk but different evaluation of probability and impact, they
must argue and agree on it together)
2. After all risks are on the wall, ask the people to pick 1-3 they would like to continue with. (Ideally one from the area with Extreme, Medium and Low
impact and different range of probability)
3. Write the first risk on the whiteboard and split the area of the paper in to two columns. First column is “The prevention” and second is “The worst-
case scenario”. Ask people what they would do to prevent the risk and write the options into the column “ The Prevention”. Ask people what they
would do if the situation (risk) will happen and again write it on the whiteboard into column “The worst-case scenario”.
4. Now ask people to estimate in currency how much it will cost when the risk become true (for example if the risk that food will be poisoned, and
someone got sick from it). Now ask them to estimate all prevention strategies whether they will cost more or less than impact of the risk.
5. Ask team to pick only the strategies which worth to do as a prevention.

6. Do the same with Worst case scenario strategies.

RISK MATRIX
RISK/ ISSUE LOG