
Project Risk Management

What is risk?
A possibility of change in the expected outcome of a task or event implies a
risk. Every activity has an inherent risk in it. Even walking on the road has its own
risks, like getting hit by a truck.
Even the simplest task on a project has risks. For instance, as the project release gets
closer, the project's software architect may fall sick, thereby increasing the risk to
delivery. Any of the scope, cost, schedule and quality of the project may be affected by
the materialization of a risk.

On the day you wanted to buy that project management software, you come across
a discount code that saves you 50% on the cost! This is also a risk although a
positive one. Positive risk is called an opportunity.
If risk occurs on a project it may lead to a positive or negative impact on one or more
of project objectives.

There are known unknowns and unknown unknowns on a project. What does this mean?
Known unknowns are identified risks on the project. If you have only one
architect working on the project you know that if he has an emergency there is no
one to fill in for him during his absence. Such risks cost you money when they
materialize. This expenditure is covered from contingency reserves.
Unknown unknowns are those risks that you cannot proactively identify. During
project execution, your lead developer may find out that a piece of scope has never
been covered in requirements documentation. You cannot plan for these types of
risks. When unknown unknowns occur, their expenditure is covered from
management reserves.
Every organization has some amount of risk tolerance. The degree of tolerance depends
on factors such as the nature and complexity of the project and the extent of rewards on offer.
If you are building a nuclear reactor the amount of risk tolerance would be much
lower, whereas you may exhibit more risk tolerance for a software product that is
looking to time the market.

Risk attitude of an organization


The three concepts related to risks that an organization can exhibit:

Risk tolerance: the amount of risk that an organization can withstand before it
reacts to take an evasive measure.
Risk appetite: the amount of risk the organization can afford to take in
anticipation of reward.
Risk threshold: the point of risk level at which the organization decides
whether to accept risk. Below the threshold the organization will accept risk; above
the threshold the organization will not tolerate risk.

The Project Risk Management Knowledge Area has 6 processes, 5 of them in the planning
process group alone! Why? Because you prepare for a risk before you give it a
chance to materialize. Most risk-related processes are executed in the planning stage,
before the actual project work starts. A risk involved with an activity has a chance of
materializing the moment work is started!

What project management activities do you do to attend to project risk?
Planning The Management Of Risk is a project management activity to
create a plan that identifies methods of managing risks, assigns responsibilities
for people who handle risks, outlines risk budget, defines risk categories, and
identifies probability and impact matrix.
Identifying Project Risks Proactively is the project management activity to
come up with a register for all risks, known as the Risk Register. This risk register
contains the list of identified risks, their sources, and potential responses.
Analyzing Risks Qualitatively is the project management activity where
risks in the risk register are ranked and prioritized based on urgency, probability
of them coming true, and potential impact. These are based on subjective
analysis, and so are quicker to do than the next project management activity.
Analyzing Risks With Numerical Analysis is the project management
activity where risks in the risk register are analyzed using statistical tools and
their priorities are updated.
Planning Appropriate Responses for Risks is the project management
activity for developing actions to enhance opportunities and reduce threats to
project objectives posed by risks.
Monitoring and Controlling Risks is the project management activity to
actually implement risk response plans, track and monitor residual risks, and
identify new risks.

How to deal with negative risks (or threats)?


Let us look at this with an example. Meeting with an accident is a real (negative) risk
involved with driving a car. How can one deal with it?

Avoid: just don't drive the car at all.
Transfer: take out insurance. In case of an accident, at least financial losses
will be covered.
Mitigate: regularly service the car, learn all the traffic rules and driving
etiquette, and mitigate the risk of an accident happening.
Accept: just don't do anything about it. Drive without a worry in the world. If
it happens, it happens.

How to make the best of positive risks (or opportunities)?
A friend tells you about a piece of real estate available for purchase near an
upcoming airport project. You feel that total amount to be invested is out of your
reach. If you get to invest in it though, the price is expected to be doubled every year
for next 3-4 years and it makes for a great investment opportunity right now. What
would you do?

Exploit: invest all your savings, take up a loan. Go for it.
Share: team up with the friend who can invest partially and together buy the
piece of land.
Enhance: go for an aggressive bargain, offer an all-cash deal to get it if possible.
Enhance the benefit of this opportunity.
Accept: show interest but don't do anything actively. If the seller comes
around to your price you will make the deal.

If you need a mnemonic to remember these, consider this silly one:
Negative ATMA, PositivE SEA
Negative risks you can Avoid, Transfer, Mitigate or Accept; positive risks you
can Exploit, Share, Enhance or Accept.

Planning For Managing Risks On a Project


What is Risk Management Plan?
Risk Management Plan is a document that identifies methods of managing risks,
assigns responsibilities for people who handle risks, outlines risk budget, defines risk
categories, and identifies probability and impact matrix.

As a planning activity this process is carried out after most of the other planning
exercises are completed such as scope, cost, schedule and communication. Why?
Simply because all of these need to be studied in order to assess risks inherent in
them.

What do we need?
Project plan, of course: risks need to be analyzed in all activities of the project,
which means that you need to study baselines and subsidiary management plans
such as for cost, schedule, scope and quality.
Project charter: all the high-level information you need, such as requirements,
milestones, assumptions and constraints, can be referred to in this document.
Stakeholder register: this document contains information such as the role, interests
and level of influence of stakeholders.
Here are a few things that give you a head start: you can look at risk management
plans from previous projects and available templates. Some of the readily available
artifacts may be predefined risk categories and risk terms. You get all these
from organizational process assets.

How easily can this be done?
Involving experts: this technique, employed at the planning stage, can save a lot
of time, energy and resources at a later point in the project. Stakeholders, team
members who have worked on similar projects earlier, subject matter experts,
consultants, industry experts and even senior management people in the
organization can contribute to risk management planning.
What is a risk management plan?
Risk management plan describes how risk management is going to be structured
and performed on the project.
Risk management plan is a subset of project management plan. It is a subsidiary
plan just like other plans considered as inputs to this process. Which also means that
any change to risk management plan is to be driven via change control process.

This plan gives you the methods to identify, assess and manage risks, and contains
the following components:

Roles and responsibilities of team members for conducting each activity
defined in the plan.
Risk management budget: when and how it should be used on the project on
realization of risks.
Probability and impact matrix: gives you a feel of the impact on project
objectives when a risk materializes. Based on the probability and the impact on
project objectives, the scale of a risk is decided. Scale is defined relatively (low,
medium, high) or numerically (a value from 0 to 1).
Stakeholders' tolerance: decides how much of a risk can be absorbed
without impacting project objectives. For instance, how long you can afford to
wait before it impacts schedule when one of the critical developers falls sick
defines risk tolerance on schedule.
Risk categorization framework, such as a risk breakdown structure (RBS),
like the one below that Kathy used on her landscaping project.
Reporting format: drives how the outcome of the risk management process is
documented and communicated.
Risk tolerances of stakeholders.
Format for risk management outcome reports to be used for
communicating to stakeholders.
Definition of risk probability and impact, and the actual matrix for qualitative
risk analysis. A sample risk probability and impact matrix is given below.
The Risk Management plan is an important subsidiary plan of the Project plan, and can be
prepared much more easily by banking on existing templates or sample plans in the
organizational process assets. This exercise itself gives insights into some of the
inherent risks in the project, and feeds into the next process, Identifying
Project Risks.

How to Identify Risks In Your Project
Identifying risks is one of the easiest processes, really. Our minds are wired to look
for things that can go wrong, and that is what is required for this process. The only
caution to be exercised is to keep things in the realm of practicality.

Who identifies risks?


It could be the same team that worked on risk planning. Or it can be the team and
a few more people who know about the project and/or have experience working with
similar projects. Some organizations have risk management experts to help project
teams identify risks.
Involving the team increases their sense of ownership. Also, when the team actively
thinks about risks they develop a mental frame that helps them deal with the risks in
case they materialize.

How do we go about identifying risks?


First of all what we need is the Risk management plan.
Now, how do you identify a risk involved with any work that you want to do?

By analyzing that work carefully.

For instance, risks involved with Mount Everest climbing expedition are identified by
analyzing climbing techniques, equipment and mountaineering gears used, health of
climbers, support systems and weather condition.

On a project, things can go wrong in project costing, its scope, schedule or quality.
Hence these must be studied closely, and analyzed carefully to identify risks.
Therefore, we need the scope baseline and the cost, schedule and quality management
plans as inputs. There may be risks associated with people hired for the project,
either with their availability or skillsets, hence the Human resource management
plan becomes an input.
Activity cost estimates and duration estimates are to be looked at to see whether
they seem sufficient to complete the tasks. If team feels that some of them are not
sufficient then they are considered to be risks.
If the team identifies cost or duration estimates of any activity on the critical path to
be risky, it heightens overall project risk. This is because if an activity on the critical
path slips, entire project slips.
Some of the stakeholders have good knowledge about the project and/or domain,
and involving them in risk identification exercise will be beneficial. You would
need stakeholders register to identify such stakeholders.
Some of the useful project documents are assumptions log and work performance
reports.
Procurement documents describe the work sourced out to another organization.
These will help you understand risk involved with that work, based on its complexity
and dependability with the work your team is doing. For instance, if deliverable from
seller is delayed by a week (if there is no buffer in place) what risk will it pose for
project dates?
We already understand from earlier processes why organizational process
assets and enterprise environmental factors are important. The former can help
you with lessons learned, risk documentation formats and templates; the latter can
give you published checklists, commercial risk databases and risk attitude.

How do we do this?
Documentation reviews are about closely reviewing all project documents, such as
plans, contracts, written assumptions and so on, that we considered as
inputs. Look for inconsistencies amongst them and, if found, identify the risks.
Brainstorming is a group technique which is done under a facilitator. Multiple
groups can brainstorm independently and identify risks. With this exercise risk
categories, scale and definitions can also be updated. Nominal group technique,
explained as part of the Collect Requirements process, can also be used to identify
risks.
Delphi technique is a method based on the principle of collective intelligence, which
means that decisions from a structured group of experts are more accurate than
decisions from individuals. It is explained as part of the Collect Requirements
process.
This is driven by a facilitator and need not be done by putting all experts in
one room. Often means of communication such as mail are employed by the
facilitator. She first sends the questions to the group of experts and seeks their
feedback. She then collates the responses, removes everyone's names from their
feedback and circulates it back to the group. Once a consensus nears (or
based on the number of rounds) the narrowed-down decision is taken as final.
Anonymity is important here to avoid the bandwagon effect or halo effect, which may
influence each other's feedback.
Interviewing is quite useful as you tap into people's understanding of the
project and issues, and unearth risks.
Root cause analysis is about studying a problem, investigating the root
causes and identifying preventive actions.
Checklist analysis is about analyzing check lists available in the system. Lowest
level of Risk Breakdown Structure can also be considered as a checklist to assess
risks. Checklists can never be exhaustive so this approach is a bit limited in this
respect.
Assumptions analysis is just that: looking closely at all assumptions made in
subsidiary plans, cost and duration estimates and project documents, and then
checking if they hide any potential risks.
Diagramming techniques represent certain data in the form of diagram helping us
unearth hidden risks. These are briefly described here and detailed in the post on
Perform Quality Control process.
Cause and effect diagrams are also called Ishikawa diagrams or Fishbone
diagrams. These are used to identify potential factors causing an effect.
Example: Kathy from Landscaping project analyzed a defect found in the jogging
track:

Figure 2: Fishbone diagram


System or process flow charts are used to identify risks in the systems or
processes defined.

Figure 3: Simple flow chart


Influence diagrams are decision diagrams used to model a decision situation
showing the factors that influence decision. This makes it easy to understand all
influencing factors and take informed decision.
SWOT analysis is a structured planning method making use of Strengths,
Weaknesses, Opportunities and Threats involved in an environment, in order to
make most of it. While first two are internal factors, last two are external (in the
environment) factors. SWOT analysis is done for the entire project from a holistic
perspective.

What do we get?
The risk register is the sole output of the Identify Risks process. This is also the starting
point of this document, in the sense that the document is created during this process, and
during the other risk management processes the risk information in it gets elaborated. The risk
register contains a list of all identified risks, their root causes and potential responses.
These are identified using the tools and techniques mentioned earlier, such as
interviews, brainstorming sessions, SWOT analysis, checklist analysis and expert
judgment.
You don't really need to identify potential responses to risks during this process. It is
actually part of the Plan Risk Responses process. However, sometimes responses
become apparent while analyzing root causes, in which case you just log them.
Figure 3: Sample risk register, that Kathy may come up with for her Landscaping
project

How often are risks identified?


One of the possible risks while driving a car is possibility of an accident. To avoid it
we keep checking certain things, consciously or unconsciously, such as speed of the
car in relation to traffic, presence of potholes, obstacles or slippery liquids on the
road, level of gas in the car, and engine temperature. And we do it throughout the
drive.

Similarly, we need to keep revisiting risk register regularly during project execution to
assess current risks or identify new ones. As project moves through phases different
type of risks may be discovered.

It is best to tag these planning meetings to milestones, such as delivery of a module or
phase, so that identification of risks becomes a regular exercise amongst project
activities.

Analyzing Risks Qualitatively


by SHIVSHANKER SHENOY

In the Identify Risks process you identified all possible risks on the project.
The next logical step is to prioritize them, so that high-priority ones are addressed first.
Prioritization is done based on probability of occurrence and impact on project
objectives if and when they materialize.
This is done in the process called Perform Qualitative Risk Analysis.
Since this is qualitative, and to some extent subjective, it can be done with relative
ease. Once prioritized, this list then forms the basis for performing quantitative risk
analysis.

Quite evidently, the Risk management plan is what we need to consider, as it outlines
the processes for qualitative analysis of risks.
Risk register lists all risks to analyze.
Scope baseline contains project scope document and Work Breakdown Structure
that help understand about activities. If project involves specialized needs or if it is
one-of-a-kind project then expert judgment may become critical in analyzing risks.
Enterprise environmental factors are helpful artifacts such as risk databases or
industry studies of similar projects.
While analyzing risks you would need all the help you can get. An ounce of
prevention may indeed turn out to be better than a pound of cure
later. Organizational process assets may have risk related studies done earlier or
lessons learned from similar earlier projects that you can use.

How do we analyze?
Probability and impact matrix is quite simply a tabular representation that assigns
a numerical value to every combination of probability value and impact value. This
numerical value is arrived at by multiplying probability value and impact value, as
shown below. This matrix is expected to be available in organizational process
assets.
Risks that have low probability and impact are included in a watch list. This is
monitored at regular intervals to see if their probability or impact ratings have
changed.
Each risk is prioritized based on the value derived from this matrix, looking at their
probability and impact numbers.

Risks that have values from the dark zone in the matrix below will have higher
priority, requiring aggressive response strategies.

Figure 1: Sample Probability and Impact Matrix

A separate Probability and Impact Matrix is used for threats and opportunities.
A separate matrix can be prepared for each of the project objectives such as
cost, schedule, quality and scope.
The number of steps in the matrix is determined based on the organization's
preferences.

Let us look at a simple example.
You are preparing tea for the guests. What are a couple of risks you can think of?
Sugar added may be more than required, making the tea too sweet.
Tea may have over-boiled, making it bitter.
Let us assign probability and impact percentages:

Here, Scale is determined by looking up the probability and impact values in the
chart and where the intersecting cell falls into low, medium or high.
Adding excessive sugar is assigned a scale of medium risk and over-boiling tea, high
risk.
This could also be due to the fact that, in this simple case, we understand the risk
responses: there is a way to correct the mistake in the former case (sweetness
lessened by adding milk), but for the second risk the possibility of correction is very
low. In this example we even derived the output of another process: Plan Risk
Responses.
Risk data quality measurement is about ensuring that the risk data used to assess
priorities is accurate. Since this is qualitative assessment the strength of assessment
depends on the quality of data used. This assessment is done either by experts, or
by project management team by looking at such data from previous projects.
Risk categorization is about grouping risks on some basis. Risks can be
categorized based on source, level of impact, root cause, or anything that helps in
strategizing effective responses. Categorization helps in coming up with common
risk responses that can be applied to multiple risks.
Risk urgency assessment is about figuring out which risks need to be addressed in
short term. This can be decided based on the prioritization done using probability
and impact matrix.

What's the impact?


Risk register updates: using each of the tools and techniques above you would
have valuable updates to the risk register.
The risk register can be updated with the following information:

Risk prioritization based on probability and impact
Risk categorization
Additional information about a risk such as trigger conditions and likelihood of
occurrence
List of risks that need responses in the near future
List of risks that are low on probability and impact, that can be put on a watch
list
Some risk responses may be discovered while analyzing risks
List of risks that could not be analyzed for lack of data and are to be
considered during the Perform Quantitative Risk Analysis process

Assumption logs: the more you understand about risks, the more assumptions will be
validated, which can be updated in the assumption logs.

Analyzing Risks Quantitatively


by SHIVSHANKER SHENOY

This process is carried out as a supporting activity to the Risk Analysis project
management activity, to back your qualitative analysis of risks with some solid
numbers. It may also be possible that certain risks could not be analyzed
qualitatively and hence you use quantitative risk analysis to prioritize them.
In some cases this process is treated as optional, especially when there is a lack of
data, and after analyzing the risks qualitatively the team moves to the exercise of
planning risk responses.

What is the difference between qualitative and quantitative risk analysis?

Qualitative risk analysis is more subjective in nature, based on facts and figures from
previous experience. However, quantitative risk analysis produces statistical
numbers for each of the risks, thus making it easier to prioritize them. This process
analyzes the effect of risks on project objectives.

What do we need?
Risk management plan, cost management plan, schedule management plan:
these are plans that help you assess risk impact on project objectives.
Risk register: contains all risks that need to be analyzed.

How do we do it?
Interviewing is almost like a combination of expert judgment and three-point
estimates we saw in Estimate Activity Durations or Estimate Costs processes.
You talk to different people about a set of risks that they are knowledgeable
about, and gather information about worst case, most likely and best case
scenarios. Along with these record reasons for them. This information will help
you define a budget range that helps dealing with the impact if the risk is
materialized.
Probability distributions are used to plot range of cost and schedule
associated with a risk. This data can also be built from the three-point technique
you use while interviewing people, and try to get a range of cost and schedule
that is possible if a risk is materialized.
Once this data is collected you can draw one of the shape distribution graphs.
Commonly used ones are beta distribution that uses two value parameters (alpha
and beta), and triangular distribution which uses three parameters (most-likely, best-
case, worst-case). Cost and time values are represented on x-axis and probability
values on y-axis.

Exam pointer> You are not expected to know the formulae or plot the graphs on the
exam. Exam expects you to know just the names of these tools.
Figure 1: Beta Distribution and Triangular Distribution

Risk analysis and risk modeling


These are used to analyze and model the risks based on the data gathered.

Sensitivity analysis is very useful when you want to look at impact of the risk
on just one of the project objectives, while assuming that there is no impact on
the rest of them. This is a good way to see all risks with just one impact area and
decide how risks need to be prioritized. For instance, just looking at cost impact
of all risks will help you see how the budget is going to be distributed across
categories of risks.
One such tool is a Tornado diagram, which is basically a type of bar chart, that
gives a visual indication of risks.
Expected monetary value (EMV) analysis is about coming up with possible
scenarios to deal with a risk and assessing how much each of those paths will
cost the project. Look at this post for a detailed look at Expected Monetary Value
analysis.
Modeling and simulation translate detailed uncertainties of the project
into their potential impact on project objectives. Monte Carlo simulation is
used to arrive at a likelihood of achieving specific cost or schedule targets. This
technique iteratively computes the model several times from randomly selected
input values.
As an example, consider simulating a coin toss:
Drawing a large number of pseudo-random uniform variables from the interval [0,1],
and assigning values less than or equal to 0.50 as heads and greater than 0.50 as
tails, is a Monte Carlo simulation of the behavior of repeatedly tossing a coin.
(reference: Wikipedia)
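
The same idea applied to project cost, as an added example that is not part of the original article: each activity's cost is drawn from a triangular distribution built from its three-point estimate, and the repeated draws give the likelihood of meeting a cost target. The activity names, cost figures, iteration count and seed are constructed for illustration.

```python
import random
from statistics import mean

# Constructed three-point cost estimates per activity:
# (best case, most likely, worst case). Names and figures are illustrative.
ESTIMATES = {
    "design": (8_000, 10_000, 16_000),
    "development": (30_000, 40_000, 65_000),
    "testing": (10_000, 12_000, 20_000),
}


def simulate_total_cost(estimates, iterations=20_000, seed=1):
    """Return one simulated total project cost per iteration."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = []
    for _ in range(iterations):
        # random.triangular takes (low, high, mode), in that order.
        totals.append(sum(
            rng.triangular(best, worst, likely)
            for best, likely, worst in estimates.values()
        ))
    return totals


def probability_within(totals, target):
    """Fraction of simulated runs whose total cost met the target."""
    return sum(t <= target for t in totals) / len(totals)


def cost_at_confidence(totals, confidence):
    """Smallest simulated total that covers the given fraction of runs."""
    ordered = sorted(totals)
    index = min(len(ordered) - 1, int(confidence * len(ordered)))
    return ordered[index]


if __name__ == "__main__":
    totals = simulate_total_cost(ESTIMATES)
    print(f"mean simulated cost: {mean(totals):,.0f}")
    for budget in (65_000, 70_000, 80_000):
        print(f"P(cost <= {budget:,}) = {probability_within(totals, budget):.2f}")
    print(f"budget for 80% confidence: {cost_at_confidence(totals, 0.80):,.0f}")
```
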

What do we get?
As in qualitative risk analysis, the main output of this project management activity
is updates to the risk register. Risks are easily prioritized using this numerical
outcome. Any other supporting points for the reasoning behind the outcome are also recorded in
the risk register.
Considering the previous process and this one, we have seen how, using abstract thinking
and statistical tools, the risks are assessed for probability of occurrence and impact
on project objectives. The next step is to plan risk responses. Before that let us first
look at Expected Monetary Value (EMV) analysis in detail, one of the tools from this
process.

How to Calculate Expected Monetary Value (EMV) for a Project?
by SHIVSHANKER SHENOY

Expected Monetary Value (EMV) analysis is part of the risk analysis process.
This statistical analysis tool is about coming up with possible scenarios to deal with a
risk and assessing how much each of those paths will cost the project against the
benefits, letting you choose the best possible path, which has lesser risk and
higher benefit.

EMV lets you map all possible decisions and associated uncertainties to their
respective payoffs and costs, and show what would be the outcome of each of
those decisions.
Expected Monetary Value of a project = Summation of (every possible outcome x
probability of the outcome happening)
If this looks cryptic, do not worry. This is done easily with a visual aid called a Decision
Tree.

What is a decision tree?


A decision tree is a decision support tool to decide on a strategy that is most likely to
reach the costs-versus-benefits goal.

Refer to the figure below. Decision tree is a tree like graph of decisions and
their possible consequences. At each decision point you multiply probability of that
decision occurring, with cost associated with that decision, and get a value. When
you are done plotting this graph you will have several paths (or branches) through
the decision tree reaching conclusions. Now you sum up the numbers (payoffs
minus costs) along each of these paths and the number you get for each path is
the net path value.
From this then you will be able to calculate EMV value at each decision node. The
best decision path to go with usually is the one with highest number for net path
value amongst all the decision branches.

A simpler analogy to understand Decision tree could be: let us say you want to find
the best route from home to your new office. Well, the shortest route may not
necessarily be the one with least cost or best route.

As you drive from home, at each junction you will have multiple roads that can be
taken. Going by each road will have its own cost (gas, time, traffic, road condition,
driving stress, wear & tear of tires) and a certain probability of reaching office. This
way you will plot several possible routes to reach office and each route will have an
associated total cost. You would then decide on the best route that costs you least,
benefits most and makes for a comfortable ride.
Decision tree has three types of nodes:

Decision node: represents a decision. Shown with a rectangle. The decision is
written inside this rectangle.
Chance node: represents uncertainty associated with this decision. Could
lead to a payoff or cost. Shown with a circle.
End node: end of path. Shown with a triangle.
Note that a decision tree has only burst nodes (nodes from which paths split), and
no sink nodes (on which paths converge).

How do you calculate Expected Monetary Value for a project?


Step 1: Plot the decision tree. You will have more than one possible decision
node (else you don't need this tool!).
Step 2: For each decision node plot a chance node, with multiple solution
possibilities. For each possibility put a probability % value and a monetary value
representing the benefit. Note that a chance scenario is applicable to all decision
nodes.
Step 3: Repeat the steps till you cover all of the possible decisions and their
chances, so that all of them reach a conclusion, an end node.
Step 4: For each path, deduct costs from payoffs and write the result at the end node. You
may end up with a negative value if costs are higher than payoffs.
Step 5: Now calculate the EMV at each decision node, working backwards from each
end node. Multiply the probability of a chance by the net path value of that
chance, and sum these up for all chances of this decision node. Write this value under the
decision node.
Step 6: Now the decision EMV is the largest number amongst these chance node
EMVs calculated at step 5.
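
Steps 4 to 6 carried through in code, as an added example that is not part of the original article: the tree is rolled back from its end nodes to give the EMV of each option and the option to choose. The class names, option labels, probabilities and money figures are constructed for illustration; the functions also accept nested decisions, which goes slightly beyond the single-level tree the steps describe.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class End:
    """End node: payoff received at the end of a path, before costs."""
    payoff: float


@dataclass
class Chance:
    """Chance node: (probability, child node) branches."""
    branches: List[Tuple[float, "Node"]]


@dataclass
class Decision:
    """Decision node: (label, cost of this choice, child node) options."""
    options: List[Tuple[str, float, "Node"]]


Node = Union[End, Chance, Decision]


def emv(node, spent=0.0):
    """Roll the tree back from its end nodes and return the EMV of `node`.

    `spent` is the sum of costs already committed on the path to `node`.
    """
    if isinstance(node, End):
        return node.payoff - spent  # step 4: net path value
    if isinstance(node, Chance):
        if abs(sum(p for p, _ in node.branches) - 1.0) > 1e-9:
            raise ValueError("probabilities at a chance node must sum to 1")
        # step 5: probability-weighted sum over the chances
        return sum(p * emv(child, spent) for p, child in node.branches)
    # step 6: a decision is worth its best option
    return best_option(node, spent)[1]


def best_option(decision, spent=0.0):
    """Return (label, EMV) of the option with the largest EMV."""
    scored = [
        (label, emv(child, spent + cost))
        for label, cost, child in decision.options
    ]
    return max(scored, key=lambda item: item[1])


# Constructed example: figures and option names are illustrative only.
TREE = Decision([
    ("build in-house", 100_000, Chance([
        (0.6, End(300_000)),   # strong demand
        (0.4, End(120_000)),   # weak demand
    ])),
    ("buy off the shelf", 50_000, Chance([
        (0.6, End(200_000)),
        (0.4, End(90_000)),
    ])),
])

if __name__ == "__main__":
    for label, cost, child in TREE.options:
        print(f"{label}: EMV = {emv(child, cost):,.0f}")
    print("choose:", best_option(TREE))
```
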

Planning Risk Responses In Your Project


by SHIVSHANKER SHENOY

Once the risks are identified and prioritized by doing qualitative and quantitative
analysis, the next step is to plan possible responses for each of them.
Kathy, from the earlier Landscaping project example, should think about questions like:

What if there is a torrential downpour on the day the jogging tracks are laid?
What if a large number of exotic plant saplings die within the first 2 weeks due to
unfavorable soil or weather conditions?
What if the lone designer on the team quits halfway through the project?

In this process you think of ways to reduce threats and enhance opportunities to
project objectives.

Where do we start?
The risk register, obviously. That is where all risks are listed. We also look at
the risk management plan, which talks about methods of managing risks,
responsibilities for people who handle risks, outlines risk budget, defines risk
categories, and identifies probability and impact matrix.

How do we go about planning?


What are Secondary risks and Residual risks?
In a few cases, applying these strategies can introduce other risks;
these are called secondary risks.
Secondary risks should also be considered and added to the risk register. Usually
project management would include a risk contingency reserve. While listing risk
responses you would need to see if any of them may possibly invoke this
contingency reserve.

Sometimes a few risks remain even after figuring out risk responses. These are called
residual risks.

Strategies for negative risks or Threats


We saw this briefly in the lesson on introduction to Risk management knowledge
area. There are four ways to deal with threats. Let us look at them with an example.
Meeting with an accident is a real risk involved with driving a car. How can one deal
with it?

Avoid: change the project plan, adjusting one or more project objectives, such as
reducing scope or changing schedule, to avoid a risk.
For our example, this would mean not driving a car at all.

Transfer: transfer some or all of the risk, and ownership of the response, to a
third party.
This comes at a premium, however. If it is work that a third-party vendor has
expertise in, it is wise to sign a contract and transfer the responsibility and risk of the
work.

For our example, this would amount to taking out insurance. In case of an accident,
at least financial losses will be covered.

Mitigate: this is about reducing the probability of risk by taking certain actions in
advance. It could be measures like adding more tests around the high-risk areas,
making simpler designs, reducing complexity of components, having
development checklists, or assigning the best resources for developing risky
modules/parts.
For our example, regularly servicing the car, learning the traffic rules and driving
etiquette, not consuming alcohol while driving and driving within prescribed speed
limits would help mitigate the likelihood of an accident to some extent.

Accept: at times there is nothing one can do to avoid a risk, and the project
management team decides to deal with it if and when it occurs. Passive
acceptance would be doing nothing about it at all. Active acceptance would be
allocating a specific contingency cost, schedule and resource budget for such risks.
For our example, this would be just not doing anything about it. Drive without a worry
in the world. If it happens, the driver's driving instincts may save the day. Wear
seat-belts.

Strategies for positive risks or Opportunities


Taking most benefit from a positive risk, or opportunity, is as important as dealing
with negative risks on a project. From overall project perspective such benefits may
negate some of the damage caused by risks that do materialize.

A friend tells you about a piece of real estate available for purchase near an
upcoming airport project. The total amount to be invested is out of your reach. If you
get to invest in it, the price is expected to be doubled every year for next 3-4 years
and it makes for a great investment opportunity right now. What would you do?

Exploit: plan in such a way that you remove all uncertainties and make sure
that this risk happens for sure. An example of exploiting a risk on a project could be
creating a vacancy to get that star performer who is just coming out of another
project.
For our example, take all your savings, even take out a loan if necessary. Go for the
investment.

Share: share with a third party and get some of the benefits of this
opportunity.
For our example, team up with the friend who can invest partially, and the two of you
together buy that piece of land.

Enhance: do all that is possible to increase the likelihood of this risk
materializing.
For our example, go for an aggressive bargain; if possible, offer an all-cash deal to get it.

Accept: just like one of the responses for negative risk, this is just not doing
anything actively to pursue the opportunity, but being prepared to take the benefit
if it materializes.
For our example, show interest but don't do anything actively. If the seller comes
around to your price, you will quickly complete the deal before the seller changes their mind.

If you need a mnemonic to remember strategies for positive and negative risks,
consider this:
Negative ATMA, PositivE SEA
Strategies for negative risks are Avoid, Transfer, Mitigate and Accept; for positive
risks they are Exploit, Share, Enhance, Accept.

What'll we plan out?


Project plan is updated: since risks impact project objectives, risk mitigation
strategies may have an impact on these objectives. Hence the cost, schedule, quality,
procurement and human resource management subsidiary plans might be updated to
accommodate risk responses. Cost, Scope and Schedule baselines also might be
updated. In some cases updates to the work breakdown structure are possible.
Any changes to plans need to go through the change control process. Hence after risk
planning you may need to call a meeting with the change control board, presenting all
these changes.

Several documents can possibly be updated including

Risk register: all potential responses identified for each risk are added to
the risk register. Secondary risks (ones introduced due to application of a risk
response) are also added. Residual risks (ones remaining even after applying
risk responses) are added too. Risk response owners, their responsibilities,
categories and priorities are other data added to the risk register.
Assumption logs: risk responses will bring clarity on some of the earlier
assumptions.
Change requests: as mentioned earlier, changes to the project plan or baselines
need change requests to be raised and run through the change control process.
A sample risk register might look like the one below at this stage

How To Control Risks In Project


by SHIVSHANKER SHENOY
Controlling risks is a project management activity that is essentially about managing
expected and unexpected changes in the project. While planning for risks, in the
Risk Management planning activity, you refer to various subsidiary plans, realizing
that risks may materialize in any of the areas such as Cost,
Schedule, Communication or Scope. You identify risk categories such as Resources,
Technical, External and Project, because risks can appear in any of these areas as
well.
Then you go ahead and identify very specific risks: actual risks, residual risks
and secondary risks. And then you meticulously plan for dealing with each of them
in the Risk responses planning activity.
Residual risks are the smaller risks remaining even after identifying
responses for bigger risks.
Secondary risks are the new risks that come up due to responses planned to
manage risks.
All this effort is like preparing for the battle. The usefulness of it is determined in the
way we monitor and control risks through the length of the project.

It is almost impossible to think about all the risks up front during planning stage itself.
Environments change, stakeholders change, and even requirements change as
project progresses. This leads to changes in the risks, their nature and planned
responses.

Controlling risks involves looking out for identified, residual and secondary
risks, identifying any new risks, taking quick corrective action when a risk
materializes, planning further preventive actions when you identify a trend of a
new risk, and measuring effectiveness of risk responses.

What do you need to control risks?

Project management plan


The subsidiary plan to put to use in this process is Risk management plan. This is a
guide for project manager to understand how to deal with managing risks on the
project. It defines approaches, tools and methodology to manage risks; roles and
responsibilities of people who need to deal with risks, budget allocated for them,
project specific risk categories, definition of risk probabilities and their impact on
project objectives, and such.
Risk register
Risk register is the single most important input. This comes from the project
management activity to Identify Project Risks, and lists identified risks, their
symptoms and frequencies, possible responses, and time and cost budget allocated
for dealing with risks.
You would need status of each of the planned deliverables, schedule progress and
costs incurred on the project.

Work performance reports


These indicate performance measurement metrics such as earned value, planned value,
schedule variance, cost variance (EV, PV, SV, CV) as well as forecasting numbers
such as estimate at completion (EAC), estimate to complete (ETC) and to-complete
performance index (TCPI).

How do you do it?

Reassessing project risks


As the project progresses you find out that some of the risks are no longer relevant,
the probability or priority of a few risks has changed, and new risks are identified. All this
can be found by regularly reassessing the risks in the risk register.

This reassessment is usually done as a team exercise and at regular
intervals. The risk register is updated with the changes identified during reassessment
exercises. Stakeholders are kept in the loop on the risk status.

Auditing for risks


As the word audit suggests this exercise is a methodical examination of how
effectively risks have been managed, including the way root causes are analyzed,
timely corrective or preventive actions taken, how often risk reassessments are done
and their effectiveness and such. These audits typically are conducted by a team
outside of the project team.

Analyzing risk trends


In simpler terms this is about looking at project performance over a period of time,
studying the trends of cost, schedule and scope variances from baselines, and then
trying to forecast whether there is a risk of any of them going rough in near future. If
the trend indicates possibilities of any of the risks materializing, then preventive
actions are planned and put in place.

Performance variation measurement


This is about comparing project performance against planned performance. For
instance, if you were to complete the high-level architecture definition by a
certain period and the project did not realize this milestone, then there may be risks
that have been overlooked. These need to be analyzed and addressed immediately, else
they may create havoc for other milestones along the way.
Reserve budget analysis
Using the Reserve Analysis tool you kept aside a certain amount of contingency reserves
from the project budget for realized risks during the project management activity
to Determine Project Budget. This reserve is utilized only when certain risks
materialize and you need to deal with them. As the project progresses you need to keep
an eye on remaining reserves. If there are fewer reserves remaining and more risks to
handle, then you may need to plan preventive actions to ensure they are not realized,
and in addition might consider going back to sponsors for more budget.
Just like in any planning exercise, team meetings to go over risks and
the strategies to manage them are effective. They serve two purposes:
(a) the team is aware of what risks may come up, so they will be equipped to look
out for symptoms,
(b) they will be able to contribute to risk mitigation strategies and come up with good
risk responses.
The project manager must ensure that these meetings are held at regular intervals, such
as every other week or at the beginning of a sprint (if you are using Agile
methodology).

What's the outcome?

Change requests
By now you know that a monitoring process is expected to discover changes, and
trigger change requests. The risk management plan itself might need to be
changed. Preventive and corrective actions planned as a risk response on the
project will need to be raised as a change request and run through the change control
board via the Perform Integrated Change Control process.

Updating project plan and project documents


As we considered various subsidiary plans in the input of this process, the same
stand to get updated as output. We looked at cost, schedule, quality, and scope
management plans.

When any risk materializing has an impact on any of these project objectives the
corresponding subsidiary plan has to be updated.

Assumption logs
Each time you assess risks you may get to know more about them.
This knowledge may change certain assumptions you made about the risks,
and hence you will update assumption logs.
Risk register updates
If your risk register has not changed as a result of executing the Monitor and Control
process, then either your interval to execute this process is very small, or the
process has not been executed effectively.

Some of the contents of risk register that get updated are

Actual outcome of materialized risks and risk responses
Outcomes from risk audits conducted by an external team, risk reassessment
and status meetings to go over risks
Technical documents
You put corrective actions in place when risks materialize, and when symptoms of
certain risks start appearing you put preventive actions in place. Both these may very
well alter technical approach to produce deliverables. These result in technical
document updates.
Some of the documents such as risk breakdown structure, templates and procedures
recommended for conducting risk assessment, and lessons learned are updated as
applicable.

Summary
Controlling project risks is a very essential project management activity for the
project manager. Come to think of it, even if a project manager does not know
anything about risk management processes, she would intuitively be managing risks.
May not be comprehensively, but definitely to some basic extent. Because we are
built to look for risks for survival, and this instinct helps us keep dangers at bay.
Having said this, following these systematic, scientific and proven approaches to
handle risks ensures the best possibility of project success.