What is risk?
A possibility of change in the expected outcome of a task or event implies a
risk. Every activity has an inherent risk in it. Even walking on the road has its own
risks, like getting hit by a truck.
Even the simplest of tasks on a project has risks. For instance, as the project release gets
closer, the project's software architect may fall sick, thereby increasing the risk to
delivery. Any of the scope, cost, schedule and quality of the project may be affected by
the materialization of a risk.
On the day you wanted to buy that project management software, you come across
a discount code that saves you 50% on the cost! This is also a risk, although a
positive one. A positive risk is called an opportunity.
If a risk occurs on a project, it may lead to a positive or negative impact on one or more
of the project objectives.
As a planning activity, this process is carried out after most of the other planning
exercises, such as scope, cost, schedule and communication, are completed. Why?
Simply because all of these need to be studied in order to assess the risks inherent in
them.
What do we need?
Project plan: of course, risks need to be analyzed in all activities of the project,
which means that you need to study the baselines and subsidiary management plans,
such as those for cost, schedule, scope and quality.
Project charter: all the high-level information you need, such as requirements,
milestones, assumptions and constraints, can be found in this document.
Stakeholder register: this document contains information such as the role, interests
and level of influence of stakeholders.
Here are a few things that give you a head start: you can look at risk management
plans from previous projects and at available templates. Some of the readily available
artifacts may be predefined risk categories and risk terms. You get all of these
from organizational process assets.
How easily can this be done?
Involving experts: this is one technique which, employed at the planning stage, can help
save a lot of time, energy and resources at a later point in the project. Stakeholders, team
members who have worked on similar projects earlier, subject matter experts,
consultants, industry experts and even senior management people in the
organization can contribute to risk management planning.
What is a risk management plan?
The risk management plan describes how risk management is going to be structured
and performed on the project.
The risk management plan is a subset of the project management plan. It is a subsidiary
plan, just like the other plans considered as inputs to this process, which also means that
any change to the risk management plan is to be driven via the change control process.
This plan gives you the methods to identify, assess and manage risks, and contains the
following components
For instance, the risks involved in a Mount Everest climbing expedition are identified by
analyzing climbing techniques, the equipment and mountaineering gear used, the health of
the climbers, support systems and weather conditions.
On a project, things can go wrong in project costing, its scope, schedule or quality.
Hence these must be studied closely and analyzed carefully to identify risks.
Therefore, we need the scope baseline and the cost, schedule and quality management
plans as inputs. There may be risks associated with the people hired for the project,
either with their availability or their skill sets, hence the human resource management
plan becomes an input.
Activity cost estimates and duration estimates are to be looked at to see whether
they seem sufficient to complete the tasks. If the team feels that some of them are not
sufficient, then they are considered to be risks.
If the team identifies the cost or duration estimate of any activity on the critical path as
risky, it heightens overall project risk. This is because if an activity on the critical
path slips, the entire project slips.
Some of the stakeholders have good knowledge of the project and/or domain,
and involving them in the risk identification exercise will be beneficial. You would
need the stakeholder register to identify such stakeholders.
Some of the useful project documents are assumptions log and work performance
reports.
Procurement documents describe the work sourced out to another organization.
These will help you understand the risk involved with that work, based on its complexity
and its interdependence with the work your team is doing. For instance, if a deliverable from
the seller is delayed by a week (and there is no buffer in place), what risk will it pose to
the project dates?
We already understand from earlier processes why organizational process
assets and enterprise environmental factors are important. The former can help
you with lessons learned, risk documentation formats and templates; the latter can
give you published checklists, commercial risk databases and risk attitude.
How do we do this?
Documentation reviews are about closely reviewing all the project documents, such as
plans, contracts, written assumptions and so on, that we considered as
inputs. Look for inconsistencies amongst them and, if any are found, identify the risks.
Brainstorming is a group technique which is done under a facilitator. Multiple
groups can brainstorm independently and identify risks. With this exercise, risk
categories, scales and definitions can also be updated. The nominal group technique,
explained as part of the Collect Requirements process, can also be used to identify
risks.
The Delphi technique is a method based on the collective intelligence principle, which
means that decisions from a structured group of experts are more accurate than
decisions from individuals. It is explained as part of the Collect Requirements
process.
This is driven by a facilitator and need not be done by putting all the experts in
one room. Often means of communication such as mail are employed by the
facilitator. She first sends the questions to the group of experts and seeks their
feedback. She then collates the responses, removes everyone's names from their
feedback and circulates it back to the group. Once a consensus nears (or
based on the number of rounds), the narrowed-down decision is taken as final.
Anonymity is important here to avoid the bandwagon effect or halo effect, which may
influence each other's feedback.
Interviewing is quite useful as you tap into people's understanding of the
project and its issues, and unearth risks.
Root cause analysis is about studying a problem, investigating the root
causes and identifying preventive actions.
Checklist analysis is about analyzing the checklists available in the system. The lowest
level of the Risk Breakdown Structure can also be considered as a checklist to assess
risks. Checklists can never be exhaustive, so this approach is a bit limited in this
respect.
Assumptions analysis is just that: looking closely at all the assumptions made in
subsidiary plans, cost and duration estimates and project documents, and then
checking whether they hide any potential risks.
Diagramming techniques represent certain data in the form of a diagram, helping us
unearth hidden risks. These are briefly described here and detailed in the post on
the Perform Quality Control process.
Cause and effect diagrams are also called Ishikawa diagrams or Fishbone
diagrams. These are used to identify potential factors causing an effect.
Example: Kathy from Landscaping project analyzed a defect found in the jogging
track:
What do we get?
The risk register is the sole output of the Identify Risks process. This is also the starting
point of this document, in the sense that the document is created during this process, and
during the other risk management processes the risk information in it gets elaborated. The risk
register contains a list of all identified risks, their root causes and potential responses.
These are identified using the tools and techniques mentioned earlier, such as
interviews, brainstorming sessions, SWOT analysis, checklist analysis and expert
judgment.
You don't really need to identify potential responses to risks during this process. That is
actually part of the Plan Risk Responses process. However, sometimes responses
become apparent while analyzing root causes, in which case you just log them.
Figure 3: Sample risk register, that Kathy may come up with for her Landscaping
project
Similarly, we need to keep revisiting the risk register regularly during project execution to
assess current risks or identify new ones. As the project moves through its phases, different
types of risks may be discovered.
In the Identify Risks process you identified all possible risks on the project.
The next logical step is to prioritize them, so that high-priority ones are addressed first.
Prioritization is done based on the probability of occurrence and the impact on project
objectives if and when they materialize.
This is done in the process called Perform Qualitative Risk Analysis.
Since this is qualitative, and to some extent subjective, it can be done with relative
ease. Once prioritized, this list then forms the basis for performing quantitative risk
analysis.
How do we analyze?
Probability and impact matrix is quite simply a tabular representation that assigns
a numerical value to every combination of probability value and impact value. This
numerical value is arrived at by multiplying probability value and impact value, as
shown below. This matrix is expected to be available in organizational process
assets.
Risks that have low probability and impact are included in a watch list. This is
monitored at regular intervals to see if their probability or impact ratings have
changed.
Each risk is prioritized based on the value derived from this matrix, looking at their
probability and impact numbers.
Risks that have values from the dark zone in the matrix below will have higher
priority, requiring aggressive response strategies.
A separate probability and impact matrix is used for threats and for opportunities.
A separate matrix can be prepared for each of the project objectives, such as
cost, schedule, quality and scope.
The number of steps in the matrix is determined by the organization's
preferences.
Let us look at a simple example.
You are preparing tea for guests. What are a couple of risks you can think of?
The sugar added may be more than required, making the tea too sweet.
The tea may have over-boiled, making it bitter.
Let us assign probability and impact percentages:
Here, the scale is determined by looking up the probability and impact values in the
chart and seeing whether the intersecting cell falls into low, medium or high.
Adding excessive sugar is assigned a scale of medium risk, and over-boiling the tea, high
risk.
This could also be due to the fact that, in this simple case, we understand the risk
responses: there is a way to correct the mistake in the former case (sweetness
lessened by adding milk), but for the second risk the possibility of correction is very
low. In this example we even derived the output of another process: Plan Risk
Responses.
Risk data quality measurement is about ensuring that the risk data used to assess
priorities is accurate. Since this is qualitative assessment the strength of assessment
depends on the quality of data used. This assessment is done either by experts, or
by project management team by looking at such data from previous projects.
Risk categorization is about grouping risks on some basis. Risks can be
categorized based on source, level of impact, root cause, or anything that helps in
strategizing effective responses. Categorization helps in coming up with common
risk responses that can be applied to multiple risks.
Risk urgency assessment is about figuring out which risks need to be addressed in
short term. This can be decided based on the prioritization done using probability
and impact matrix.
Qualitative risk analysis is more subjective in nature, based on facts and figures from
previous experience. Quantitative risk analysis, however, produces statistical
numbers for each of the risks, thus making it easier to prioritize them. This process
analyzes the effect of risks on project objectives.
What do we need?
Risk management plan, cost management plan, schedule management plan:
these are the plans that help you assess risk impact on project objectives.
Risk register: contains all the risks that need to be analyzed.
How do we do it?
Interviewing is almost like a combination of expert judgment and the three-point
estimates we saw in the Estimate Activity Durations or Estimate Costs processes.
You talk to different people about a set of risks that they are knowledgeable
about, and gather information about worst case, most likely and best case
scenarios. Along with these, record the reasons for them. This information will help
you define a budget range that helps in dealing with the impact if the risk
materializes.
Probability distributions are used to plot the range of cost and schedule
associated with a risk. This data can also be built from the three-point technique
you use while interviewing people, where you try to get the range of cost and schedule
that is possible if a risk materializes.
Once this data is collected you can draw one of the distribution graphs.
Commonly used ones are the beta distribution, which uses two value parameters (alpha
and beta), and the triangular distribution, which uses three parameters (most-likely,
best-case, worst-case). Cost and time values are represented on the x-axis and probability
values on the y-axis.
Exam pointer: You are not expected to know the formulae or plot the graphs on the
exam. The exam expects you to know just the names of these tools.
Figure 1: Beta Distribution and Triangular Distribution
Sensitivity analysis is very useful when you want to look at impact of the risk
on just one of the project objectives, while assuming that there is no impact on
the rest of them. This is a good way to see all risks with just one impact area and
decide how risks need to be prioritized. For instance, just looking at cost impact
of all risks will help you see how the budget is going to be distributed across
categories of risks.
One such tool is a Tornado diagram, which is basically a type of bar chart, that
gives a visual indication of risks.
Expected monetary value (EMV) analysis is about coming up with possible
scenarios to deal with a risk and assessing how much each of those paths will
cost the project. Look at this post for a detailed look at Expected Monetary Value
analysis.
Modeling and simulation translate detailed uncertainties of the project
into their potential impact on project objectives. Monte Carlo simulation is
used to arrive at a likelihood of achieving specific cost or schedule targets. This
technique iteratively computes the model several times from randomly selected
input values.
As an example, consider simulating a coin toss:
Drawing a large number of pseudo-random uniform variables from the interval [0,1],
and assigning values less than or equal to 0.50 as heads and greater than 0.50 as
tails, is a Monte Carlo simulation of the behavior of repeatedly tossing a coin.
(reference: Wikipedia)
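The modeling and simulation technique above, combined with the triangular distribution built from three-point estimates, as an added example (not from the original article): a Monte Carlo run that estimates the likelihood of meeting a cost target. The base cost, risk probabilities and cost ranges are constructed sample values, and the function names are this example's own.

```python
import math
import random

# Constructed sample data (not from the article): a base cost plus three risks,
# each with a probability of occurring and a three-point cost impact.
BASE_COST = 100_000
RISKS = [
    # (name, probability, best case, most likely, worst case)
    ("Lone designer quits halfway", 0.20, 5_000, 12_000, 30_000),
    ("Saplings die in first two weeks", 0.30, 2_000, 6_000, 15_000),
    ("Downpour on track-laying day", 0.50, 1_000, 3_000, 8_000),
]


def simulate_total_costs(base_cost, risks, trials=20_000, seed=1):
    """Return a sorted list of simulated total project costs."""
    rng = random.Random(seed)  # fixed seed so runs are repeatable
    totals = []
    for _ in range(trials):
        total = base_cost
        for _name, prob, best, likely, worst in risks:
            if rng.random() < prob:  # does the risk materialize in this trial?
                # Draw the cost impact from a triangular distribution.
                total += rng.triangular(best, worst, likely)
        totals.append(total)
    totals.sort()
    return totals


def chance_of_meeting(totals, target):
    """Fraction of simulated outcomes at or below the cost target."""
    return sum(1 for t in totals if t <= target) / len(totals)


def cost_at_confidence(totals, confidence):
    """Smallest simulated cost that covers `confidence` of the outcomes."""
    index = max(0, math.ceil(confidence * len(totals)) - 1)
    return totals[index]


def expected_cost(base_cost, risks):
    """Analytical mean; a triangular mean is (best + likely + worst) / 3."""
    return base_cost + sum(p * (a + m + b) / 3 for _n, p, a, m, b in risks)


if __name__ == "__main__":
    totals = simulate_total_costs(BASE_COST, RISKS)
    for target in (100_000, 105_000, 110_000, 120_000):
        print(f"P(cost <= {target}) = {chance_of_meeting(totals, target):.2f}")
    print(f"80% confidence budget: {cost_at_confidence(totals, 0.80):,.0f}")
    print(f"Analytical expected cost: {expected_cost(BASE_COST, RISKS):,.0f}")
```

The gap between the 80% confidence figure and the base cost is one way to size a contingency reserve for these risks.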
What do we get?
As in qualitative risk analysis, the main output of this project management activity
is updates to the risk register. Risks are easily prioritized using this numerical
outcome. Any other supporting points for reasoning about the outcome are also recorded in
the risk register.
Considering the previous process and this one, we have seen how, using abstract thinking
and statistical tools, risks are assessed for probability of occurrence and impact
on project objectives. The next step is to plan risk responses. Before that, let us first
look in detail at Expected Monetary Value (EMV) analysis, one of the tools from this
process.
EMV lets you map all possible decisions and associated uncertainties to their
respective payoffs and costs, and show what would be the outcome of each of
those decisions.
Expected Monetary Value of a project = Summation of (every possible outcome x
probability of the outcome happening)
If this looks cryptic, do not worry. This is done easily with a visual aid called a decision
tree.
Refer to the figure below. A decision tree is a tree-like graph of decisions and
their possible consequences. At each decision point you multiply the probability of that
decision occurring by the cost associated with that decision, and get a value. When
you are done plotting this graph you will have several paths (or branches) through
the decision tree reaching conclusions. Now you sum up the numbers (payoffs
minus costs) along each of these paths, and the number you get for each path is
the net path value.
From this then you will be able to calculate EMV value at each decision node. The
best decision path to go with usually is the one with highest number for net path
value amongst all the decision branches.
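The decision-tree calculation described above, as an added example (not from the original article): net path values are computed at the ends of the tree, weighted by probability at uncertain events, and the best option is picked at each decision. The End/Chance/Decision class names and the soil-test scenario with its figures (in thousands) are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class End:        # end of a path: the payoff received there
    payoff: float


@dataclass
class Chance:     # uncertain event: list of (probability, next node)
    branches: list


@dataclass
class Decision:   # choice we control: {option name: (cost, next node)}
    options: dict


def emv(node, spent=0.0):
    """Expected monetary value of `node`, given costs already spent on the path."""
    if isinstance(node, End):
        return node.payoff - spent  # net path value: payoff minus costs
    if isinstance(node, Chance):
        total_p = sum(p for p, _child in node.branches)
        if abs(total_p - 1.0) > 1e-9:
            raise ValueError(f"chance probabilities sum to {total_p}, not 1")
        return sum(p * emv(child, spent) for p, child in node.branches)
    if isinstance(node, Decision):
        return best_option(node, spent)[1]
    raise TypeError(f"unknown node type: {type(node).__name__}")


def best_option(decision, spent=0.0):
    """Return (option name, EMV) for the option with the highest EMV."""
    scores = {name: emv(child, spent + cost)
              for name, (cost, child) in decision.options.items()}
    name = max(scores, key=scores.get)
    return name, scores[name]


# Constructed scenario: exotic saplings pay 100 if they survive and 0 if they
# die; hardy saplings always pay 60. A soil test costs 5 and sharpens the odds.
def exotic(p_survive):
    return Chance([(p_survive, End(100)), (1 - p_survive, End(0))])


def planting_choice(p_survive):
    return Decision({"plant exotic": (40, exotic(p_survive)),
                     "plant hardy": (25, End(60))})


TREE = Decision({
    "test soil first": (5, Chance([(0.6, planting_choice(0.9)),    # soil is good
                                   (0.4, planting_choice(0.3))])),  # soil is bad
    "plant exotic": (40, exotic(0.66)),
    "plant hardy": (25, End(60)),
})

if __name__ == "__main__":
    for name, (cost, child) in TREE.options.items():
        print(f"{name}: EMV = {emv(child, cost):.1f}")
    print("best:", best_option(TREE))
```

Here the soil test wins even though it adds cost, because it lets the later planting decision avoid the losing branch.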
A simpler analogy to understand Decision tree could be: let us say you want to find
the best route from home to your new office. Well, the shortest route may not
necessarily be the one with least cost or best route.
As you drive from home, at each junction you will have multiple roads that can be
taken. Going by each road will have its own cost (gas, time, traffic, road condition,
driving stress, wear & tear of tires) and a certain probability of reaching office. This
way you will plot several possible routes to reach office and each route will have an
associated total cost. You would then decide on the best route that costs you least,
benefits most and makes for a comfortable ride.
Decision tree has three types of nodes:
Once the risks are identified and prioritized by doing qualitative and quantitative
analysis, the next step is to plan possible responses for each of them.
Kathy, from the earlier Landscaping project example, should think about things like:
What if there is a torrential downpour on the day the jogging tracks are laid?
What if a large number of exotic plant saplings die within the first 2 weeks due to
unfavorable soil or weather conditions?
What if the lone designer on the team quits halfway through the project?
In this process you think of ways to reduce threats and enhance opportunities to
project objectives.
Where do we start?
The risk register, obviously. That is where all risks are listed. We also look at
the risk management plan, which talks about methods of managing risks,
responsibilities for people who handle risks, outlines risk budget, defines risk
categories, and identifies probability and impact matrix.
Sometimes a few risks remain even after figuring out risk responses. These are called
residual risks.
Avoid: change the project plan, or adjust one or more project objectives, such as
reducing scope or changing schedule, to avoid a risk.
For our example, this would mean not driving a car at all.
Transfer: transfer some or all of the risk, and ownership of the response, to a
third party.
This comes at a premium, however. If it is work that a third-party vendor has
expertise in, it is wise to sign a contract and transfer the responsibility and risk of the
work.
For our example, this would amount to taking out insurance. In case of an accident,
at least the financial losses will be covered.
Accept: at times there is nothing one can do to avoid a risk, and the project
management team decides to deal with it if and when it occurs. Passive
acceptance would be doing nothing about it at all. Active acceptance would be
allocating specific contingency cost, schedule and resource budget for such risks.
For our example, this would be just not doing anything about it. Drive without a worry
in the world. If it happens, the driver's driving instincts may save the day. Wear
seat-belts.
A friend tells you about a piece of real estate available for purchase near an
upcoming airport project. The total amount to be invested is out of your reach. If you
get to invest in it, the price is expected to be doubled every year for next 3-4 years
and it makes for a great investment opportunity right now. What would you do?
Exploit: plan in such a way that you remove all uncertainties and make sure
that this risk happens for sure. An example of exploiting a risk on a project could be
creating a vacancy to get that star performer who is just coming out of another
project.
For our example, take all your savings, and even take out a loan if necessary. Go for the
investment.
Share: share with a third party and get some of the benefits of this
opportunity.
For our example, team up with a friend who can invest partially, and the two of you
together buy that piece of land.
Accept: just like one of the responses for negative risk, this is just not doing
anything actively to pursue the opportunity, but being prepared to take the benefit
if it materializes.
For our example, show interest but don't do anything actively. If the seller comes
around to your price, you will quickly complete the deal before the seller changes their mind.
If you need a mnemonic to remember strategies for positive and negative risks,
consider this
Negative ATMA, PositivE SEA
Strategies for negative risks are Avoid, Transfer, Mitigate and Accept; for positive
risks they are Exploit, Share, Enhance, Accept.
Risk register: all potential responses identified for each risk are added to
the risk register. Secondary risks, the ones introduced due to the application of a risk
response, are also added. Residual risks, the ones remaining even after applying
risk responses, are added too. Risk response owners, their responsibilities,
categories and priorities are other data added to the risk register.
Assumption logs: risk responses will bring clarity on some of the earlier
assumptions.
Change requests: as mentioned earlier, changes to the project plan or baselines
need change requests to be raised and run through the change control process.
A sample risk register might look like the one below at this stage
It is almost impossible to think about all the risks up front during planning stage itself.
Environments change, stakeholders change, and even requirements change as
project progresses. This leads to changes in the risks, their nature and planned
responses.
Controlling risks involves looking out for identified, residual and secondary
risks, identifying any new risks, taking quick corrective action when a risk
materializes, planning further preventive actions when you identify a trend of a
new risk, and measuring effectiveness of risk responses.
Change requests
By now you know that a monitoring process is expected to discover changes and
trigger change requests. The risk management plan itself might need
to be changed. Preventive and corrective actions planned as a risk response on the
project will need to be raised as a change request and run through the change control
board via the Perform Integrated Change Control process.
When any risk materializing has an impact on any of these project objectives, the
corresponding subsidiary plan has to be updated.
Assumption logs
Each time you assess risks you may get to know more about them.
This knowledge may change certain assumptions you made about the risks,
and hence you will update the assumption logs.
Risk register updates
If your risk register has not changed as a result of executing the Monitor and Control
process, then either your interval to execute this process is very small, or the
process has not been executed effectively.
Summary
Controlling project risks is an essential project management activity for the
project manager. Come to think of it, even if a project manager does not know
anything about risk management processes, she would intuitively be managing risks,
maybe not comprehensively, but definitely to some basic extent. That is because we are
built to look for risks in order to survive, and this instinct helps us keep dangers at bay.
Having said this, following these systematic, scientific and proven approaches to
handling risks ensures the best possibility of project success.