Risk Management
Reference Material to study:
- A Guide to the Project Management Body of Knowledge, Chapter 11 (1996 edition)
- Project and Program Risk Management, A Guide to Managing Project Risks and Opportunities, PMI, Edited by R. Max Wideman, 1992
- Project Management, A Managerial Approach, Meredith, Jack R. 1995, Chapter 2, 2.4
- Project Planning, Scheduling and Control, Lewis, James P., 1995
- PMP Challenge, ESI International, Risk Mgmt
- PMBOK Q&A, PMI, Risk Mgmt
What to Study?
- The PMBOK phases of Project Risk Management: Risk Identification, Risk Quantification, Risk Response Development, and Risk Response Control (Be familiar with Inputs, Tools and Techniques, and Outputs for each phase)
- The three components of risk: Risk Event, Probability of Risk Event, and Impact of Risk Event (Risk Event Value) and the relationship between the components (R=P*I)
- The relationship of risk and the project life cycle: the amount of uncertainty and risk is highest at the start of the project and lowest at the end of the project
- The types of risk: Business, Pure, Known, Unknown
- Risk assessment using decision trees and expected monetary value
- Monte Carlo Analysis
Key Definitions
Amount at Stake: The extent of adverse consequences which could occur to the project. (Also referred to as risk impact).
Business Risk: The inherent chances for both profit and loss associated with a particular endeavor.
Contingency Planning: The development of a management plan that identifies alternative strategies to be used to ensure project success if specified risk events occur.
Contingency Reserve: A separately planned quantity used to allow for future situations which may be planned for only in part ("known unknowns"). Contingency reserves are intended to reduce the impact of missing cost or schedule objectives. Contingency reserves are normally included in the project's cost and schedule baselines.
Deflection: The act of transferring all or part of a risk to another party, usually by some form of contract.
Expected Monetary Value: The product of an event's probability of occurrence and the gain or loss that will result. For example, if there is a 50% probability it will rain, and rain will result in a $100 loss, the expected monetary value of the rain event is $50 (.5 * $100).
Impact Analysis: The mathematical examination of the nature of individual risks on the project, as well as potential arrangements of interdependent risks. It includes the quantification of their respective impact severity, probability, and sensitivity to changes in related project variables, including the project life cycle.
Insurable Risk: A particular type of risk which can be covered by an insurance policy. Also referred to as a pure risk.
Management Reserve: A separately planned quantity used to allow for future situations which are impossible to predict ("unknown unknowns"). Management reserves are intended to reduce the risk of missing cost or schedule objectives. Use of management reserves requires a change to the project's cost baseline.
Mitigation: Taking steps to lessen risk by lowering the probability of a risk event's occurrence or reducing its effect should it occur.
Monte Carlo Analysis: A schedule risk assessment technique that performs a project simulation many times in order to calculate a distribution of likely results.
Opportunities: As related to risk, positive outcomes of risk.
Project Risk Management: Includes the processes concerned with identifying, analyzing, and responding to project risk.
Risk Event: A discrete occurrence that may affect the project for better or worse.
Risk Identification: Determining which risk events are likely to affect the project.
Risk Management Plan: A subsidiary element of the overall project plan which documents the procedures that will be used to manage risk throughout the project. Also covers who is responsible for managing various risk areas, how contingency plans will be implemented, and how reserves will be allocated.
Risk Quantification: Evaluating the probability of risk event occurrence and effect.
Risk Response Control: Responding to changes in risk over the course of the project.
Risk Response Development: Defining enhancement steps for opportunities and mitigation steps for threats.
Threats: As related to risk, negative outcomes of risk.
Total Certainty: All information is known.
Total Uncertainty: No information is available and nothing is known. By definition, total uncertainty cannot be envisaged.
Uncertainty: The possibility that events may occur which will impact the project either favorably or unfavorably. Uncertainty gives rise to both opportunity and risk.
Workaround: A response to a negative risk event. Distinguished from a contingency plan in that a workaround is not planned in advance of the occurrence of the risk event.
Risk Mgmt Processes
Risk Identification:
- The process of determining which risks are likely to affect the project and documenting the characteristics of each.
- Inputs include:
  - Product description
  - Other process outputs such as WBS, cost estimates, staffing plan, procurement management plan, etc. (whatever should be used to identify risks)
  - Historical information such as project files, commercial databases, and project team knowledge (lessons learned, etc.)
- Methods used during risk identification: checklists, flowcharting, and interviewing (risk oriented interviews with various stakeholders)
- Outputs include:
  - Sources of risk (categories of possible risk events such as changes in requirements, design errors, poor estimates, etc.)
  - Potential risk events including probability of occurrence, alternative possible outcomes, expected timing of the events, and anticipated frequency.
  - Risk symptoms (indirect manifestations of actual risk events)
  - Inputs to other processes: The risk identification process may identify a need for work in other areas. For example, the WBS may be insufficient.
Risk Quantification:
- The process of evaluating risks and risk interactions to assess the range of possible project outcomes.
- Inputs include: stakeholder risk tolerances, sources of risk, potential risk events, cost estimates, and activity duration estimates.
- Methods used during risk quantification include:
  - Expected monetary value: risk event probability * risk event value
  - Statistical sums: used to calculate a range of total project costs from the cost estimates for individual work items.
  - Simulation: Uses a representation or model of a system to analyze the behavior or performance of the system.
  - Decision trees: a diagram that depicts key interactions among decisions and associated chance events as they are understood by the decision maker.
  - Expert judgment: can be applied in lieu of or in addition to the mathematical techniques. (For example, risk events could be described as having a high, medium, or low probability of occurrence and a severe, moderate, or limited impact.)
- Outputs include:
  - Opportunities to pursue, threats that require attention
  - Opportunities to ignore, threats to accept
Risk Response Development:
- The process of defining enhancement steps for opportunities and responses to threats.
- Inputs include:
  - Opportunities to pursue, threats that require attention
  - Opportunities to ignore, threats to accept
- The methods used in risk response development include: procurement, contingency planning, alternative strategies, and insurance.
- Outputs from risk response development:
  - Risk Management Plan: documents the procedures that will be used to manage risk throughout the project. Also documents who is responsible for managing various areas of risk, how contingency plans will be implemented, and how reserves will be allocated.
  - Inputs to other project management processes such as contingency plans, alternative strategies, anticipated procurements, etc.
  - Contingency plans: pre-defined action steps to be taken if an identified risk event should occur.
  - Reserves: provisions in the project plan to mitigate cost and/or schedule risk. The term is often used with a modifier such as management reserve, contingency reserve, or schedule reserve to provide further detail on what types of risk are meant to be mitigated. (The specific meaning of the modifier and the word reserve varies with the application area.)
  - Contractual agreements (to avoid or mitigate threats)
Risk Response Control:
- The process of responding to changes in risk over the course of the project.
- Inputs to risk response control include:
  - Risk Management Plan
  - Actual risk events: identified risk events that have occurred
  - Additional risk identification
- Methods used during risk response control: workarounds and additional risk response development.
- Outputs include: corrective action (implementing contingency plans and/or workarounds) and updates to the risk management plan
Risk Management Concepts
Expected Monetary Value:
- A Risk Quantification Tool
- EMV is the product of the risk event probability and the risk event value
- Risk Event Probability: An estimate of the probability that a given risk event will occur
- Risk Event Value:
  - An estimate of the gain or loss that will be incurred if the risk event does occur
  - Risk event values must reflect both tangibles and intangibles in order to compare risks. (Otherwise, the risks are not equivalent)
- EMV is generally used in further analysis such as decision trees
Decision Trees:
- A diagram that depicts key interactions among decisions and associated chance events as understood by the decision maker.
- Can be used in conjunction with EMV since risk events can occur individually or in groups and in parallel or in sequence.
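An added example (not part of the original study guide) of rolling back a decision tree with EMV: a chance node takes the probability-weighted sum of its branches, and a decision node takes the option with the highest EMV. The tree, its labels, probabilities and dollar values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Outcome:            # leaf: risk event value (gain +, loss -) in dollars
    label: str
    value: float

@dataclass
class Chance:             # chance node: (risk event probability, subtree) pairs
    label: str
    branches: list

@dataclass
class Decision:           # decision node: the decision maker picks one option
    label: str
    options: list

def rollback(node, choices):
    """Return the EMV of `node`; record the best option at each decision reached."""
    if isinstance(node, Outcome):
        return node.value
    if isinstance(node, Chance):
        total = sum(p for p, _ in node.branches)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{node.label}: probabilities sum to {total}, not 1")
        return sum(p * rollback(child, choices) for p, child in node.branches)
    best = max(node.options, key=lambda opt: rollback(opt, {}))
    choices[node.label] = best.label
    return rollback(best, choices)

# Constructed sample tree (labels, probabilities and dollar values are illustrative).
TREE = Decision("technology", [
    Chance("proven technology", [
        (0.9, Outcome("product works", 200_000)),
        (0.1, Outcome("product fails", -50_000))]),
    Chance("new technology", [
        (0.6, Outcome("product works", 400_000)),
        (0.4, Decision("if new technology fails", [
            Outcome("abandon", -120_000),
            Chance("execute contingency plan", [
                (0.5, Outcome("recovered", 100_000)),
                (0.5, Outcome("not recovered", -200_000))]),
        ])),
    ]),
])

if __name__ == "__main__":
    picked = {}
    print(round(rollback(TREE, picked)), picked)
```

With these constructed figures the new technology rolls back to an EMV of $220,000 against $175,000 for the proven technology, and if the new technology fails, executing the contingency plan (EMV -$50,000) is preferred to abandoning (-$120,000).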
Scope of Project Risk Management:
(reference I-2) in Risk Management Book from PMI
- Scope of project risk management lies somewhere between the two extremes of total certainty and total uncertainty
- Spectrum: Total Uncertainty, General Uncertainty, Specific Uncertainty, and Total Certainty
- Spectrum: Unknown Unknowns (no information), Known Unknowns (partial information), and Knowns (complete information)
- Management Reserves handle unknown unknowns while contingency reserves handle known unknowns
Categories of Risk Response:
- Avoidance
  - Eliminate a specific threat, usually by eliminating the cause.
  - Examples: Don't do the project; or do the project in a different way such that the risk is no longer a risk
- Mitigation
  - Reduce the expected monetary value of a risk event by reducing the probability of occurrence or reducing the risk event value (impact of the risk)
  - Example: Using proven technology to lessen the probability that the product will not work
  - Mitigation includes transferring the risk by buying insurance.
- Acceptance
  - Accepting the consequences of the risk.
  - Acceptance can be active: Developing a contingency plan should the risk occur
  - Acceptance can be passive: Accepting a lower profit if some activities overrun
Sample Questions
- Project Risk Management includes all of the following processes except:
A. Risk Quantification
B. Risk Identification
C. Risk Analysis
D. Risk Response Development
E. Risk Response Control
- Using the PMBOK definition of contingency reserve, which of the following statements about contingency reserves is false?
A. A contingency reserve is a separately planned quantity used to allow for future situations which may be planned for only in part.
B. Contingency reserves may be set aside for known unknowns.
C. Contingency reserves may be set aside for unknown unknowns.
D. Contingency reserves are normally included in the project's cost and schedule baselines.
- Which of the following is not a tool or technique used during the Risk Quantification Process?
A. Expected monetary value
B. Contingency planning
C. Decision Trees
D. Statistical sums
E. All of the above are tools and techniques of Risk Quantification
- Which of the following is true about pure risk?
A. The risk can be deflected or transferred to another party through a contract or insurance policy.
B. Pure risks involve the chance of both a profit and a loss.
C. No opportunities are associated with pure risk, only losses.
D. a and c
E. a and b
- A contingency plan is:
A. A planned response that defines the steps to be taken if an identified risk event should occur.
B. A workaround
C. A reserve used to allow for future situations which may be planned for only in part.
D. a and c
E. a and b
- The normal risk of doing business that carries opportunities for both gain and loss is called:
A. favorable risk
B. opportunity risk
C. pure risk
D. business risk
- A risk response which involves eliminating a threat is called:
A. Mitigation
B. Deflection
C. Avoidance
D. Transfer
E. b and d
- Deflection or transfer of a risk to another party is part of which of the following risk response categories?
A. Mitigation
B. Acceptance
C. Avoidance
D. Analysis
- When should risk identification be performed? (select best answer)
A. During Concept Phase
B. During Development Phase
C. During Implementation Phase
D. Risk identification should be performed on a regular basis throughout the project.
- Which of the following statements is false?
A. Uncertainty and risk are greatest at the start of the project and lowest at the end.
B. The amount at stake is lowest at the end of the project and greatest at the start.
C. Expected monetary value can be expressed as the product of the risk event probability and the risk event value.
D. Opportunities are positive outcomes of risk.
- A contingency plan is executed when:
A. A risk is identified.
B. An identified risk occurs.
C. When a workaround is needed.
D. All of the above
E. b and c
- Management reserves are used to handle which type of risk?
A. Unknown unknowns
B. Known unknowns
C. business risks
D. pure risks
- Which of the following techniques accounts for path convergence and generally estimates project durations more accurately?
A. CPM
B. PERT
C. Schedule simulation
D. Path convergence method
- Most schedule simulations are based on some form of which of the following?
A. Delphi
B. PERT
C. CPM
D. Monte Carlo Analysis
- When should a risk be avoided?
A. When the risk event has a low probability of occurrence and low impact.
B. When the risk event is unacceptable -- generally one with a very high probability of occurrence and high impact.
C. When it can be transferred by purchasing insurance.
D. A risk event can never be avoided.
- If a project has an 80% chance of having the scope defined by a certain date and a 70% chance of obtaining approval for the scope by a certain date, what is the probability of both events occurring?
A. 75%
B. 65%
C. 50%
D. 56%
E. 66%
- The independence of two events in which the occurrence of one is not related to the occurrence of the other is called:
A. event phenomenon
B. independent probability
C. statistical independence
D. statistical probability
- The one document that should always be used to help identify risk is the:
A. Risk Management Plan
B. WBS
C. Scope Statement
D. Project Charter
E. Contingency Plan
- Risks are accepted when:
A. You develop a contingency plan to execute should the risk event occur.
B. You accept the consequences of the risk.
C. You transfer the risk to another party.
D. You reduce the probability of the risk event occurring
E. a and b
- An example of risk mitigation is:
A. Using proven technology in the development of a product to lessen the probability that the product will not work
B. Purchasing insurance
C. Eliminating the cause of a risk
D. Accepting a lower profit if costs overrun
E. a and b
Answers
- C
- C
- B
- D
- A. A workaround is an unplanned response to a negative risk event. Option C is the definition of contingency reserve.
- D
- C
- A
- D
- B
- B
- A
- C
- D
- B
- D
- C
- B
- E
- E
