EMRM5103 Project Risk Managemnt Faculty of Science and Technology Open University Malaysia

Marking Scheme Assoc. Prof. Samiappan Marappan sam2universe@gmail.com

Instruction to candidates 1. Part A : Answer Both Questions 2. Part B : Answer Any Three Questions 3. Time Allowed : 3 hours

EMRM5103-Project Risk Management

Final Examination

September, 2009

Part A
Question 1 (a) You have $1,000,000 worth of equipment at the job site and wish to minimize your risk of direct property damage by taking out an insurance policy. The insurance company provides you with their statistical data as shown below: Damage Type Probability(%) Loss Amount in $ Total 0.02 1,000,000 Medium 0.08 400,000 Low 0.10 200,000 No Damage 99.8 0 Assuming that the insurance company adds on $300 for handling and prot and uses expected value to calculate premiums, calculate the premium for: i. full cover against any loss ii. cover against losses in excess of $200,000. (b) Your company has asked you to determine the nancial risks of manufacturing 6,000 units of a product rather than purchasing them from a vendor at $66.50 per unit. The production line will handle exactly 6,000 units and requires a one-time setup cost of $50,000. The production cost is $60/unit. Your manufacturing personnel inform you that some of the units may be defective, as shown below: % defective 0 1 2 3 4 Probability of occurrenec (%) 40 30 20 6 4 Defective items must be removed and replaced at a cost of $145/defective unit. However, 100 percent of units purchased from vendors are defect-free. Construct a payo table, and using the expected-value model, determine the nancial risk and whether the make or buy option is best. Solution: (a) The expected value of losses is: Damage Type Total Medium Low No Damage Hence, i. the premium for full cover against any loss = $(720 + 300) = $1,020, ii. for losses in excess of $200,000, the coditional expected loss is $520, leading to a premium of $820. (b) The cost of replacing the expected number of defectives( assuming that this process does not produce further defects ) is: % defective Probability of occurrenec (%) Expected Cost (%) 0 40 0 1 30 0.30 2 20 0.40 3 6 0.18 4 4 0.16 Probability(%) 0.02 0.08 0.10 99.8 Probability 0.0002 0.0008 0.0010 0.9980 Loss Amount in $ 1,000,000 400,000 200,000 0 Total Expected Value 200 320 200 0 720

giving 1.04 per 100 units per $1 of replacement cost. Hence, the total cost is 1.04 60 145 = 904.80. The payo table is: Option Setup cost Buy Nil Make 50,000

Production cost 399,000 360,000

Defects cost Nil 904.80

Total cost 399,000.00 410,904.80

Sam

EMRM5103-Project Risk Management

Final Examination

September, 2009

It is clear that the buy option is superior.

Question 2 (a) Discuss the use of Project Risk Registers (PRR) in project risk management. (b) As part of the Project Denition exercise, a project manager has obtained the following Project Risk Register for costs. WBS Item Aleatoric Risk Mean 3.2 5.1 4.0 Std.Dev 1.0 1.7 1.2 Risk 1 Prob = 0.25 Mean Std.Dev 2.0 0.3 0.5 0.1 Mean Std Deviation Figure 1: Cost risk based on PRR Epistemic Risk Risk 2 Prob = 0.1 Mean Std.Dev 1.0 0.2 Risk 3 Prob = 0.2 Mean Std.Dev 1.0 0.3 Expected Value 3.30 5.80 4.05 13.15 4.15

101 102 103

In the contexts of the above PRR, i. explain the following terms: WBS Item Aleatoric Risk Epistemic Risk ii. describe the insight provided by the PRR iii. explain how the manager arrived at the stated values of 13.15 and 4.15, respectively for the mean and standard deviation of the total cost distribution for the project. iv. if contingency funds of 5.0 are set aside in addition to the mean costs, estimate, stating clearly all your assumptions, the likelihood of completing the project within this budgeted cost. Solution: (a) The Risk Register documents the identied risks, the assessment of their root causes, areas of the project aected (WBS elements), the analysis of their likelihood of occurring and impact if they occur and the criteria used to make those assessments and the overall risk rating of each identied risk by objective (e.g. cost, time, scope and quality). Importantly, it includes the risk triggers, response strategies for high priority risks, and the assigned risk owner who will monitor the risk. However, for it to play a more eective role, it must record the dstributional aspects of all major aleatoric risks. In addition, the PRR must contain all the important epistemic risks, since it reects the lack of knowledge at the start of a project and the gradual resolution of those uncertainties. The major aleatoric uncertainties should also be held in the PRR. (b) i. The development of a project plan is predicated on having a clear and detailed understanding of both the tasks involved, the estimated length of time each task will take, the dependencies between those tasks, and the sequence in which those tasks have to be performed. Additionally, resource availability must be determined in order to assign each task or group of tasks to the appropiate worker. One method used to develop the list of tasks is to create what is known as a work breakdown structure.

Sam

Page 2 of 8

EMRM5103-Project Risk Management

Final Examination

September, 2009

A work breakdown structure (WBS) is a hierarchic decomposition or breakdown of a project or major activity into successive levels, in whcih each level is a ner breakdown of the preceding one. In nal form a WBS is very similar in structure and layout to a document outline. Each item at a specic level of a WBS is numbered consecutively (e.g., 10, 10, 30, 40, 50 ). Each item at the next level is numbered within the number of its parent item (e.g., 10.1, 10.2, 10.3, 10.4). ii. Aleatoric risk is one about which sucient information is available to represent the possible variations in its outcome by some probability distribution. Tools of probability theory then might be used in quantifying the risks impact on project deliverables. iii. Epistemic risk is one about which we donot have credible information and often belong to the realm of the unknown unknowns. Its impact on the project deliverables become known only after project initiation and the passage of time (c) The following insights are provided by the PRR: Cost estimates are not to be treated deterministically. Like the other project parameters, it too has to be treated probabilistically. Each item has a cost, and a spread of costs has been assessed for each one. There are three major risks with their particular probability of occurrence and each will aect the cost of some of the WBS items to a degree-which itself has some uncertainty. the uncertainties in the WBS items are now not independent; major risks often cut across activities and work packages, and this is modelled,albeit very simplistically. (d) For each WBS item, the expected value is obatained by summing the following items: the mean of the aleatoric risk that aects it; the product of the probability of occurrence and the mean of each of the epistemic risk that has an impact on the WBS item; thus, for the WBS Item 101, the expected value = 3.2 + 0.1 1.0 = 3.30 The individual Expected Values are then summed to obtain the aggregate mean of 13.15. However, the standard deviation cannot be determined by straight summation as what has been done for the mean. Here, the possible correlation amongst the loss distributions vitiates independence, leading often to mathematical intractability. The only way forward is to use Monte Carlo simulation. (e) Assuming that the total cost random variable, C N (13.15, 4.15), we are required to = calculate 18.15 13.15 C 13.15 Pr(C 18.15) = Pr 4.15 4.15 5.00 = Pr Z 4.15

Sam

Page 3 of 8

EMRM5103-Project Risk Management

Final Examination

September, 2009

Part B
Question 3 (a) Describe the Risk Handling process. (b) Identify the risk handling options available to a risk manager. (c) State the guiding principles in the choice of appropriate risk handling options. Solution: (a) Risk handling includes specic methods and techniques to deal with known risks, identies who is responsible for the risk issue, and provides an estimate of the cost and schedule associated with reducing the risk, if any. It involves planning and execution with the objective of reducing risks to an acceptable level. The evaluators who assess risk should begin the process by identifying risks and developing handling options and approaches to propose to the program manager, who selects the appropriate one(s) for implementation. Here are several factors that can inuence our response to a risk, including but not limited to: Amount and quality of information on the actual hazards that caused the risk (descriptive uncertainty) Amount and quality of information on the magnitude of the damage (measurement uncertainty) Amount and quality of information on probability of occurrence Personal benet to project manager for accepting the risk (voluntary risk) Risk forced upon project manager (involuntary risk) Confusion and avoidability of the risk The existence of cost-eective alternatives (equitable risks) The existence of high-cost alternatives or possibly lack of options (inequitable risks) Length of exposure to the risk (b) Risk handling options and the implemented approaches have broad cost implications. The magnitude of these costs are circumstance-dependent. The approval and funding of handling options and specic approaches should be done by the project manager or Risk Management Board (or equivalent) and be part of the process that establishes the program cost, and performance and schedule goals. The selected handling option and approach for each selected risk issue should be included in the programs acquisition strategy. Once the acquisition strategy includes the risk handling strategy for each selected risk issue, the cost and schedule impacts can be identied and included in the program plan and schedule, respectively. Risk handling must be compatible with the RMP and any additional guidance the program manager provides. A critical part of risk handling involves rening and selecting the most appropriate handling option(s) and specic approach(es) for selected risk issues (often those with medium or higher risk levels). Personnel who evaluate candidate risk handling options may use the following criteria as starting points for evaluation: Can the option be feasibly implemented and still meet the users needs? What is the expected eectiveness of the handling option in reducing program risk to an acceptable level? Is the option aordable in terms of dollars and other resources (e.g., use of critical materials, and test facilities)? Is time available to develop and implement the option, and what eect does that have on the overall program schedule?

Sam

Page 4 of 8

EMRM5103-Project Risk Management

Final Examination

September, 2009

What eect does the option have on the systems technical performance? (c) Risk handling options include: risk assumption, risk avoidance, risk control, and risk transfer. Although the control option (often called mitigation) is commonly used in many high technology programs, it should not automatically be chosen. All four options should be evaluated, and the best one chosen for each risk issue. The options for handling risk fall into the following categories: Risk assumption (i.e., retention) Risk assumption is an acknowledgment of the existence of a particular risk situation and a conscious decision to accept the associated level of risk, without engaging in any special eorts to control it. However, a general cost and schedule reserve may be set aside to deal with any problems that may occur as a result of various risk assumption decisions. This risk handling option recognizes that not all identied program risks warrant special handling; as such, it is most suited for those situations that have been classied as low risk. The key to successful risk assumption is twofold: Identify the resources (e.g., money, people, and time) that will be needed to overcome a risk if it materializes. This includes identifying the specic management actions (such as retesting, and additional time for further design activities) that may occur. Ensure that necessary administrative actions are taken to identify a management reserve to accomplish those management actions. Risk avoidance: This involves a change in the concept, requirements, specications, and/or practices to reduce risk to an acceptable level. Simply stated, it eliminates the sources of high or possibly medium risk and replaces them with a lower risk solution. This method may be used in parallel with the up-front requirements analysis, supported by cost/requirement trade-o studies. It may also be used later in the development phase when test results indicate that some requirements cannot be met, and the potential cost and/or schedule impact would be severe. Risk control (i.e., prevention or mitigation): Risk control does not attempt to eliminate the source of the risk but seeks to reduce or mitigate the risk. It manages the risk in a manner that reduces the likelihood and/or consequence of its occurrence on the program. This option may add to the cost of a program, and the selected approach should provide an optimal mix among the candidate approaches of risk reduction, cost eectiveness, and schedule impact. Risk transfer Risk transfer may reallocate risk from one part of the system to another, thereby reducing the overall system and/or lower-level risk. It may also redistribute risks between the buyer (e.g., government) and the seller (e.g., prime contractor), or within the buyer or seller teams. It should be considered as part of the requirements analysis process. Risk transfer is a form of risk sharing and not risk abrogation on the part of the buyer or seller, and it may inuence cost objectives. An example is the transfer of a function from hardware implementation to software implementation or vice versa. (Risk transfer is also not deecting a risk issue because insucient information exists about it.) The eectiveness of risk transfer depends on the use of successful system design techniques. Other examples of risk transfer include the use of insurance, warranties, bonding (e.g., bid, performance, or payment bonds), and similar agreements.

Sam

Page 5 of 8

EMRM5103-Project Risk Management

Final Examination

September, 2009

Question 4 You are the project manager for a project and you have done proper project management and have assigned risk response owners, have in place various contingency plans, and scheduled other such activities as appropriate at the project initiation stage. List the activities that you would undertake in managing risk while the project work is ongoing. Solution: The work involves managing the project according to the risk response plan and is likely to involve the following actions: Look for the occurrence of risk triggers Montor residual risks Identify, analyze and plan for new risks that come to light as the project work proceeds Ensure the execution of risk management plans Evaluate the eectiveness of risk mangement plans Develop new risk responses Collect and communicate risk status Communicate with stakeholders about risks Determine if assumptions are still valid Ensure proper risk management procedures are being followed Revisit the watchlist to see if additional risk responses need to be determined Implement corrective actions to adjust to the severity of actual risk events Look for any unexpected eects or consequences of risk events Reevaluate risk identication, qualitative and quantitative risk analysis when the project deviates from the baseline Update risk management and response plans Look at the need to recommend corrective actions and change requests to see if they lead to identifying more risks Make changes to the project management plan when new risk responses are developed Create a database of risk data that may be used throughout the organization on other projects Perform variance and trend analysis on project performance data Use contingency reserves and adjust for changes

Sam

Page 6 of 8

EMRM5103-Project Risk Management

Final Examination

September, 2009

Question 5 Contemporary project management practice is characterised by: late delivery, exceeded budgets, reduced functionality and questioned quality. Provide a critique of the above statement within the contexts of project risk management. Solution: The validity of the statement has its roots in project complexity. The overall project complexity can be characterised by two dimensions, each of which have two sub-dimensions, shown in Figure 2. The two sub-dimensions of structural complexity lead to a complex system in which the whole is more than the sum of the parts. In these systems, it is very dicult to intuitively infer the behaviour of the system from the behaviour of the sub-elements. In fact, Forrester, inventor of System Dynamics, said that such systems are likely to exhibit counter-intuitive behaviour. We have developed abilities in comprehending and managing such systems when they are reasonably known and deterministic. However, when uncertainties arise, either in the goals or the methods, they cause perturbations and dynamics to be set up within the structurally complex systems, causing complex dynamic behaviour. Uncertainty in goals (say), on its own might not cause complexitybut add uncertainty in goals to, say, a product development project which is already structurally complex, and changes and perturbations cause cross-impacts, feedback, dynamics eects and behaviour much too complex for simple intuitive understandingin fact, we need models to comprehend what is happening (or what might happen, or what has happened, depending on at which stage the modeller is working)!

Size : Number of elements

Interaction in complex ways: Total is more than sum of parts

Structural Complexity Complexity in Projects Uncertainty

Size : Interdependence of elements

Uncertainty in goals Structural complexity compounded by uncertainty Uncertainty in methods

Figure 2: Dimensions of Project Complexity

Sam

Page 7 of 8

EMRM5103-Project Risk Management Question 6

Final Examination

September, 2009

(a) Describe the use of the CPM/PERT techniques in project management. (b) Provide a brief discussion of their shortcomings. Solution: (a) A PERT chart is a project management tool used to schedule, organize, and coordinate tasks within a project. PERT stands for Program Evaluation Review Technique, a methodology developed by the U.S. Navy in the 1950s to manage the Polaris submarine missile program. PERT charts depict task, duration, and dependency information. Each chart starts with an initiation node from which the rst task, or tasks, originates. If multiple tasks begin at the same time, they are all started from the node or branch, or fork out from the starting point. Each task is represented by a line which states its name or other identier, its duration, the number of people assigned to it, and in some cases the initials of the personnel assigned. The other end of the task line is terminated by another node which identies the start of another task, or the beginning of any slack time, that is, waiting time between tasks. Each task is connected to its successor tasks in this manner forming a network of nodes and connecting lines. The chart is complete when all nal tasks come together at the completion node. When slack time exists between the end of one task and the start of another, the usual method is to draw a broken or dotted line between the end of the rst task and the start of the next dependent task. A PERT chart may have multiple parallel or interconnecting networks of tasks. If the scheduled project has milestones, checkpoints, or review points (all of which are highly recommended in any project schedule), the PERT chart will note that all tasks up to that point terminate at the review node. In brief, PERT enables a simple deterministic network analysis and looks at two questions: How long is the project going to take? Which are the most important (i.e. critical) activities? (b) What is needed is to provide answers to the above same two questions, but for networks where there are uncertainties. PERT fails to address the followng issues: Most projects have activities with uncertain durations Second come uncertainties that operate across a range of activities and/or resources, such as third-party eects, or common-cause eects: the major risks within a project usually involve more than one activity. Domain-specic uncertainties can have very particular uncertainty proles, such as the random failure of test rigs, or weather windows in deep-sea oil work etc. Then, modelling these eects might imply dierent or unusual distributions to describe the duration of activities. One obvious instance that frequently occurs in practice is the need to combine discrete and continuous uncertainties, where several risks combine in an activity, particularly where some of those risks are epistemic and others are aleatoric. We might need to model resource availabilities or requirements that are themselves uncertain (and possibly with uncertainties that vary over time): these can sometimes be the critical uncertainties, for example, the precise timing of the availability window for a vital resource can be the deciding factor in whether a project meets its deadline. We might need to model uncertainties in the project network structure itself: all classical network methods assume that the network itself is xed; however, in practice there can be branching, either probabilistic (where one path or another in the network is taken depending on a probabilistic event, such as the weather) or conditional (where management will choose one path or another, depending upon a project parameter.

Sam

Page 8 of 8