Managing Risk

Introduction
• Any project involves a degree of uncertainty which can impact the
outcome of a project.
• Risk is an uncertain event that, if it occurs, can jeopardize
accomplishing the project objective.
• Risk management involves identification, assessment,
monitoring, and response to project risks to minimize the likelihood
of occurrence and/or potential impact of adverse events on the
accomplishment of the project objective.
 Introduction
• Addressing risks proactively will increase the chances of
accomplishing the project objective.
• Waiting for unfavorable events to occur (reactively) and then reacting
to them can result in panic and costly responses.
• Managing risk includes taking action to prevent or minimize the
likelihood of occurrence or the impact of such unfavorable events.
• A project manager cannot be risk averse. He/She must accept
that risk is a part of project management and has to be addressed it
head-on.
 Identify Risks
• A risk is an uncertain event that, if it occurs, can jeopardize
accomplishing the project objective.
• Risk identification includes determining which risks may adversely
affect the project objective and what the impact of each risk might
be it if occurs.
• Sometimes a sponsor identifies major risks in the project charter
when the project is authorized.
• A contractor may identify risks in a proposal to a customer.
 Identify Risks
• A common approach to identifying the sources of risks is
brainstorming.
• Cause-effect (“fishbone”) diagrams, flow charts, influence
diagrams, SWOT analysis, and other operations management
techniques may be used in identifying risk factors.
Cause-and-Effect Diagram (Fishbone Diagram)

12-6
 Identify Risks
• The project manager should involve key project members in
identifying potential sources of risk things that would happen
negatively impact accomplishing the project objective.
• Another approach is to establish risk categories, which are
groupings of potential sources of risk by topic, and then identify risks
that might occur for each category.
 Identify Risks
• Examples of risk categories:
1. Technical
2. Schedule
3. Cost
4. Human resources
5. External
6. Sponsor/customer
 Identify Risks
Technical
• Failure to meet customer performance requirements
• New application for technology
• May not be able to meet quality standards or codes
Schedule
• Vendor delay in delivery of critical equipment
Cost
• Material costs escalate more than anticipated
 Identify Risks
Human resources
• May not have people available when required to staff the project
External
• Inclement weather
• Changes in government regulations
• Change in consumer preferences
• Local protesters file legal action to delay project
Sponsor/customer
• Delays in approvals
• Security of sponsor funding
 Identify Risks
• Another source that can be helpful in identifying possible risks is
historical information from past projects.
• For each risk that is identified, the potential impacts must be
estimated.
• It should be noted that at the beginning of the project, it may not be
possible to identify all risks. This is especially true for longer-term
projects, such as multiyear projects or projects that have several
phases.
PMBOK 5 Edition
th
 Assess Risks

• Risk assessment involves determining the likelihood that a risk

event will occur and the degree of impact the event will have on the
project objective.
• Each of those factors can be assigned a rating of high, medium, or
low, or some other rating scale (1-5, 1-10, percentages, etc.).
• The project manager in consultation with appropriate team
members or other experts who are most knowledgeable about the
potential risk, should determine ratings for each risk.
• Historical data from prior similar projects can also be helpful.
 Assess Risks

• Based on the likelihood of occurrence and degree of impact, the risks

can then be prioritized.
• Another factor to consider in prioritizing risks is whether a risk is
related to activities that are on critical paths. If so, perhaps such risks
should be given higher priority because if the risk occurs, it would
have a greater impact on the schedule than if it was associated with
activities on a path that has a large positive of total slack.
 Assess Risks

• Failure Mode and Effect Analysis (FMEA) is the application

of a scoring model to identify, estimate, prioritize, and
evaluate risk of possible failures at each stage of a process.
 Assess Risks
• Major steps of FMEA:
1) List the possible ways a project might fail.
2) Evaluate the severity (S) of the impact of each type of failure on a 10-point
scale where “1’ is “no effect” and “10” is “almost certain”.
3) For each cause of failure, estimate the likelihood (L) of its occurrence on a
10-point scale where “1” is “remote” and “10” is “almost certain”.
4) Estimate the inability to detect (D) a failure associated with each cause.
Using a 10-point scale, “1” means detectability is almost certain using
normal monitoring/control systems and “10” means it is practically certain
that failure will not be detected in time to avoid or mitigate it.
5) Find the Risk Priority Number (RPN) where RPN = S x L x D.
6) Consider ways to reduce S,L, and D for each cause of failure with a
significantly high RPN.
PMBOK 5th Edition
 Assess Risks
• A decision tree is a schematic model of the sequence of steps in a
problem – including the conditions and consequences of each step.
• Decision trees help analysts understand the problem and assist in
identifying the best solution.
• Decision tree components include the following:
• Decision nodes – represented with squares
• Chance nodes – represented with circles
• Paths – links between nodes

5-21
 Assess Risks
• In the PMBOK 5th Edition, the use of decision tree is associated with the
concept of Expected Monetary Value (EMV) analysis.
• Expected monetary value (EMV) analysis is a statistical concept that
calculates the average outcome when the future includes scenarios that
may or may not happen(i.e., analysis under uncertainty).
• The EMV of opportunities are generally expressed as positive values, while
those of threats are expressed as negative values. EMV requires a risk-
neutral assumption— neither risk averse nor risk seeking.
• EMV for a project is calculated by multiplying the value of each possible
outcome by its probability of occurrence and adding the products together
 Plan Risk Responses

• A risk response plan is a defined set of actions to prevent or

reduce the likelihood of occurrence or the impact of a risk, or to
implement if the risk event occurs.
• Risk response planning involves:
1) Developing an action plan to reduce the likelihood of occurrence or
potential impact of each risk - “what”
2) Establishing a trigger point for when to implement the actions to address
each risk, and
3) Assigning responsibility to specific individuals for implementing each
response plan - “who”
 Plan Risk Responses

• A risk response plan can be to avoid the risk, mitigate the risk, or
accept the risk.
• Avoidance means to eliminate the risk by choosing a different course
of action.
Using conventional technology rather than advanced state-of-the-art
technology in a new product
Holding a weekend festival indoors to avoid the possibility of a rainout
 Plan Risk Responses
• Mitigating a risk involves taking an action to reduce the likelihood
that the risk event will occur or to reduce the potential impact.
Reducing the risk of multiple redesigns of a customer’s website might require
reviewing other sample designs with the client earlier in the project.
• Accepting a risk means dealing with it if and when it occurs.
 Plan Risk Responses
• A risk response plan should include a trigger point or warning flag for
when to implement the action plan for each risk.
A trigger point for when to purchase a rare material may be if the current
price increases more than 5 percent above the amount budgeted for
purchasing the material;
The trigger point for deciding to incorporate advanced technology in a new
product may be the completion of an engineering feasibility study;
The trigger for deciding to use overtime work is when the project falls behind
schedule by more than 5 percent of the remaining project duration.
• A tool for assessing and managing risks is a risk assessment matrix,
also referred to as a risk register, which includes potential risks, their
potential impact, likelihood of occurrence, and response plan.
 Monitor Risks
• Monitoring risk includes implementing risk response plans,
tracking identified risks, identifying and analyzing new risks, and
evaluating the risk response process.
• Implementing risk response plans often requires spending additional
funds for additional resources, working overtime, paying for
expedited shipments, purchasing additional materials, and so forth.
• Project prices and budgets should include a contingency reserve to
pay for additional costs associated with implementing response plans.
 Monitor Risks
• Risk monitoring involves regularly reviewing the risk assessment
matrix throughout the project in order to determine if there are any
changes to the likelihood of occurrence or the potential impact of any
of the risks:
A particular risk has increased in priority for attention
A risk has diminished
New risks have just been identified
• Project meetings are a good forum for regularly reviewing, updating,
and addressing risks and evaluating the risk response process.
• Monitoring risks throughout the project enables project decisions to be
based on current information about the project and its potential risks.