Project Risk Management includes all the processes involved in risk identification, regulation, and mitigation on a project. The objective is to increase the likelihood of positive risks (opportunities) and decrease the likelihood of negative risks (threats). This article is part of a PMP Study Notes series and has been updated for the PMBOK 6th Edition eBook.
Plan Risk Management is the process of defining how risk management activities will be conducted on the project.
The main output of this process is the Risk Management Plan. The components of this plan include the following:
This section defines how you will perform risk management for the particular project. Remember to adapt to the needs of each project.
Low priority projects will likely warrant less of a risk management effort than high priority projects
Roles and responsibilities
Who will do what?
Did you realize that non-team members may have roles and responsibilities regarding risk management?
This section includes the cost for the risk management process
Realize the cost of doing risk management, but also realize risk management saves time and money overall by avoiding and reducing threats
This section talks about when to do risk management for the project
Risk management should start as soon as you have the appropriate inputs and should be repeated throughout the life of the project, since new risks can be identified as the project progresses and the degree of risk may change
Definition of probability and impact
Would everyone who rates the probability a 7 in qualitative risk analysis mean the same thing?
A person who is risk averse might think of 7 as very high, while someone who is risk prone might think of 7 as a low figure. The definitions and the probability and impact matrix help standardize these interpretations and also help compare risks between projects
What if the stakeholders have a low risk tolerance for cost overruns? That information would be taken into account to rank cost impacts higher than they would if the low tolerance was in another area
Tolerance should not be implied, but uncovered in project initiating and clarified or refined continually
This describes any reports related to risk management that will be used and what they will include
Take this to mean how the risk process will be audited, and the documents of what happens with risk management activities
On your project, you may identify hundreds (and maybe even thousands) of risks. When you have a large project with a large number of risks, you need to categorize them to make them easier to manage. Below are some categorizations and types of risks.
Internal – time, cost, scope changes; inexperience; poor planning
Technical – changes in technology
Unforeseeable – only a small portion of risks (some say about 10%) are actually unforeseeable
Work package – group risks based on which work package they are in
Root cause – group risks based on the same root cause
Types of risk:
Business risk – risk of gain or loss
Pure (insurable) risk – only a risk of loss
Identify Risks is the process of determining which risks may affect the project and documenting their characteristics. Everyone on the project team should be encouraged to participate in this process.
The tools and techniques of this process are:
The project artifacts, including the project charter and procurement contracts, can help identify risks.
Information gathering techniques
A request for information is sent to all experts, their responses are compiled, and the results are sent back to them for further review until consensus is reached
Root cause analysis
This analysis identifies the project’s strengths and weaknesses (internal) as well as opportunities and threats (external)
Based on historical information
The lowest level of the RBS (risk breakdown structure) can also be used as a risk checklist
The checklist is used to help identify specific risks within each category
Analyzing what assumptions have been made on the project may lead to the identification of risks
Cause and effect diagrams (Ishikawa)
System or process flow charts
The output of this process is the risk register. The risk register is the place where most of the risk information is kept. At this point in the risk management process, the risk register includes:
Lists of risks
Root causes of risk
Root causes of risks are documented
Potential risk responses
There will be times when a response is identified at the same time as a risk
These responses should be added to the risk register as they are identified
The responses are analyzed and finalized during the Plan Risk Responses process
Perform Qualitative Risk Analysis
Perform Qualitative Risk Analysis is the process of prioritizing risks for further analysis. This process assesses the risks’ probability of occurrence and impact (subjective analysis). The key benefit of this process is that it identifies the high priority risks and allows the project team to focus on those.
Here are some key concepts for this process:
Qualitative risk analysis is a subjective analysis of risks
To perform this analysis, the following is determined:
The probability of each risk occurring, using a standard scale such as low, medium, high or 1 to 10
The impact (amount at stake or consequences, positive or negative) of each risk occurring, using a standard scale such as low, medium, high or 1 to 10
Probability & impact assessments examine:
Likelihood that a risk will occur
Impact on project objectives (e.g. schedule, cost, quality, etc.)
A probability and impact matrix can be used to prioritize risks for quantitative analysis
Uses subjective measurements, such as ‘very high’, ‘high’, ‘medium’, ‘low’, or ‘very low’
Risks with low ratings should be included on a watch list and tracked to ensure their ratings did not change
Risk data quality assessment is a technique of evaluating whether the data available for the risks is comprehensive and useful. Risk data quality assessment may include:
Understanding of the risk
Data available about the risk
Quality of the data
Reliability and integrity of the data
Perform Quantitative Risk Analysis
The Perform Quantitative Risk Analysis process analyzes the numerical impact of identified risks on project deliverables. It is only used for high priority risks.
The purpose of quantitative risk analysis is to:
Determine which risk events warrant a response
Determine overall project risk (exposure)
Determine the quantified probability of meeting project objectives
Determine cost and schedule reserves
Identify risks requiring the most attention
Create realistic and achievable costs, schedule or scope targets
Quantitative probability and impact can be determined in various ways, including the following:
Cost and time estimation
Use of historical records from previous projects
Expected monetary value analysis
Monte Carlo analysis
Quantitative risk analysis and modeling techniques
Decision trees – diagram shows key interaction among decisions and associated chance events. Decisions are shown as boxes and chances are shown as circles.
Can take future events into account for decision making
Sum of probability times the expected outcome
Calculates the average outcome
Simulation – analyze the behavior of the system. Most common is the schedule simulation which uses the project network as the model based on the Monte Carlo analysis
Monte Carlo Analysis – performs the project many times to provide a statistical distribution of the calculated results to quantify the risk of various schedule alternatives
Monte Carlo analysis is used for:
Evaluating overall risk in the project
Determining the probability of completing the project on any specific date or for any specific cost
Determining the probability of any activity actually being on the critical path
Translating uncertainties into impacts to the total project
Calculating in a probability distribution
Impact Analysis – what is the likelihood the event will occur vs. the severity of the impact on the project if it does occur
Places value on the impact of changing a single variable
Helps determine which risks have the most potential impact on the project (Tornado diagram)
Plan Risk Response
The Plan Risk Response process develops options and actions to enhance opportunities and reduce threats to project objectives.
The choices of response strategies for threats include:
Eliminate the threat by eliminating the root cause
e.g. reduce scope or remove the work package
Reduce probability or the impact of a threat
Options for reducing the probability are looked for separately from options for reducing the impact
Any reduction will make a difference, but the option with the most probability and/or impact reduction is often the option selected
Transfer (deflect – allocate)
Make another party responsible for the risk by purchasing insurance, performance bonds, warranties, guarantees, or outsourcing work
One must complete risk assessment before a contract can be signed
Transfer of risk is included in terms and conditions of the contract
The choices for response strategies for opportunities include:
Add work or change the project to make sure the opportunity occurs
Increase the likelihood (probability) and/or positive impacts of the risk event
Allocate ownership of the opportunity to a third party (forming a partnership, team, or joint venture) that is best able to achieve the opportunity
A response strategy for both threats and opportunities is:
Active acceptance may involve the creation of contingency plans to be implemented if the risk occurs and the allocation of time and cost reserves to the project
Passive acceptance leaves actions to be determined as needed, if (after) the risk occurs
A decision to accept a risk must be communicated to stakeholders
Implement Risk Responses
Key concepts for this process:
Contingency plans/Fall back plans are plans to follow when the risk becomes an issue.
Residual risk – the risk that remains after the contingency plan has been implemented.
Low priority tasks are put onto a watch list and revisited periodically.
Risk is the most important item during project team meetings.
Monitor Risk is the process of implementing the risk response plans, tracking identified risks, monitoring residual risks, and evaluating the risk processes’ effectiveness.
Here are the key concepts and terms you need to understand for this process:
An audit that ensures your project team is following the organization’s risk processes, including identifying risks and creating mitigation plans for high priority risks.
Examine and document the effectiveness of risk responses.
Develop organizational best practices.
Whereas contingency responses are developed in advance, workarounds are unplanned responses developed to deal with the occurrence of unanticipated risk events.
When the project deviates from the baseline, the team may need to take corrective action.
The project team needs to periodically review the risk management plan and risk register and adjust them as required
Risk management is an iterative process
The budget set aside to handle specific risks if they do occur
Analyzing how much money you have left in the reserves and how much you may need in the future
Things to Remember
The exam will assume that you are already doing risk management and therefore asks questions at a sophisticated level about situations you should have already run into
The exam will also ask about how risk management activities change what you need to do each day as a project manager. This is an incredibly important concept that you need to get your mind around for the exam. You must understand this picture of the life of a project manager. Through risk management, the project changes from being in control of the project manager to the project manager being in control of the project
The exam will test your knowledge of the process of risk management. This process is very logical. Expect to be given a situation on the exam and then asked which risk management process is being described in the situation
Because risk identification primarily occurs during the initiating and planning process groups, the exam has often said that the major part of risk identification happens at the onset of the project. But smaller numbers of risks may also be identified during later parts of the project. Risks should be continually reassessed. The exam will specifically look for you to include risk identification during such activities as integrated change control, when working with resources, and when dealing with project issues. The exam weights the questions towards project executing and project monitoring and controlling, rather than the identification of risks.
The Perform Quantitative Risk Analysis process can include a lot of calculation and analysis. Luckily the details of these efforts are not a focus for the exam. You will need to know that the following are part of quantitative risk analysis but not know how to do them other than what is explained here.
Further investigating the highest risks on the project
Determining the type of probability distribution that will be used
Log normal distribution
Performing sensitivity analysis to determine which risks have the most impact on the project
Determining how much quantified risk the project has through expected monetary value analysis or Monte Carlo analysis
Questions on the exam can ask “what is the expected monetary value of the following?” Expected monetary value questions can also be asked in conjunction with decision trees
You do not need to know how to perform this calculation for the exam. Simply know the following. Monte Carlo analysis:
Is usually done with a computer-based Monte Carlo program because of the intricacies of the calculations
Evaluates the overall risk in the project
Provides the probability of completing the project on any specific day, or for any specific costs
Provides the probability of any activity actually being on the critical path
Takes into account path convergences
Places in the network diagram where many paths converge into one activity
Translates uncertainties into impacts to the total project
Can be used to assess cost and schedule impacts
Results in a probability distribution
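The Monte Carlo properties listed above (probability of finishing by a given day, probability of an activity being on the critical path, the effect of path convergence) can be seen in a small schedule simulation. This is an added example, not part of the original notes; the four-activity network, its three-point durations and the triangular distribution are constructed assumptions.

```python
import random
import statistics

# Constructed sample network: (optimistic, most likely, pessimistic) days.
ACTIVITIES = {"A": (4, 6, 10), "B": (3, 5, 9), "C": (8, 11, 16), "D": (2, 3, 5)}
# Paths A-B and C run in parallel and converge into D (a path convergence).
PATHS = [("A", "B", "D"), ("C", "D")]

def most_likely_duration():
    """Single-point estimate: longest path using only most-likely durations."""
    return max(sum(ACTIVITIES[n][1] for n in path) for path in PATHS)

def simulate(runs=20000, seed=1):
    """'Perform' the project many times; return finish times and criticality."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = []
    hits = {name: 0 for name in ACTIVITIES}
    for _ in range(runs):
        # Draw one duration per activity from a triangular distribution.
        d = {n: rng.triangular(lo, hi, mode)
             for n, (lo, mode, hi) in ACTIVITIES.items()}
        lengths = [sum(d[n] for n in path) for path in PATHS]
        finish = max(lengths)
        totals.append(finish)
        # Count every activity on the longest path of this run as critical.
        for n in PATHS[lengths.index(finish)]:
            hits[n] += 1
    criticality = {n: c / runs for n, c in hits.items()}
    return totals, criticality

def prob_finish_by(totals, deadline):
    """Fraction of simulated runs that finished on or before the deadline."""
    return sum(t <= deadline for t in totals) / len(totals)

if __name__ == "__main__":
    totals, criticality = simulate()
    print("most-likely estimate:", most_likely_duration())
    print("simulated mean:", round(statistics.mean(totals), 2))
    for day in (14, 16, 18, 20):
        print(f"P(finish by day {day}) =", round(prob_finish_by(totals, day), 3))
    print("criticality index:", criticality)
```

Both paths have the same most-likely length, yet the simulated mean is later than that single-point estimate: the convergence into D means the project waits for whichever path is slower in each run.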
There have traditionally been only one or two questions about decision trees on the exam. You should know what a decision tree is and be able to calculate a simple one from data provided. The exam could ask you to calculate the expected monetary value (or just value) of a path or the value of your decision
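A simple decision tree can be calculated by rolling it back from the outcomes: each chance node is the sum of probability times outcome, and each decision node takes the option with the best value. The following is an added example, not part of the original notes; the build-or-buy tree, its costs and its probabilities are constructed, and costs are written as negative values.

```python
def emv(node):
    """Roll back a decision tree; return (expected monetary value, choices)."""
    kind = node["type"]
    if kind == "outcome":
        return node["value"], []
    if kind == "chance":
        total_p = sum(p for p, _ in node["branches"])
        if abs(total_p - 1.0) > 1e-9:
            raise ValueError(f"branch probabilities sum to {total_p}, not 1")
        # Sum of probability times outcome; choices below a chance node
        # are not reported in this small version.
        return sum(p * emv(child)[0] for p, child in node["branches"]), []
    if kind == "decision":
        best = None
        for name, (cost, child) in node["options"].items():
            value, path = emv(child)
            candidate = (cost + value, [name] + path)
            if best is None or candidate[0] > best[0]:
                best = candidate
        return best
    raise ValueError(f"unknown node type: {kind}")

def outcome(value):
    return {"type": "outcome", "value": value}

# Constructed data: building in-house is cheaper up front but riskier.
BUILD_RISK = {"type": "chance",
              "branches": [(0.3, outcome(-200_000)), (0.7, outcome(0))]}
BUY_RISK = {"type": "chance",
            "branches": [(0.1, outcome(-80_000)), (0.9, outcome(0))]}
TREE = {"type": "decision",
        "options": {"build": (-100_000, BUILD_RISK),
                    "buy": (-140_000, BUY_RISK)}}

if __name__ == "__main__":
    value, choices = emv(TREE)
    print("EMV of build path:", -100_000 + emv(BUILD_RISK)[0])
    print("EMV of buy path:", -140_000 + emv(BUY_RISK)[0])
    print("decision:", choices, "value:", value)
```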
Assume that all the major problems that could have been identified in advance as risks were determined before they occurred and that there was a plan put in place for each of these risks
Here are a couple of other points that can be tricky:
Can you eliminate all risks on a project?
Remember that risks can actually be eliminated, but the time and trouble involved in eliminating all the risk identified on the project would probably not be worthwhile
Qualitative risk analysis, quantitative risk analysis, and risk response planning do not end once you begin work on a project
You need to review risks throughout the project and then return to planning to determine what to do about any newly identified risks
Risk ratings and response strategies for existing risks can also change later in the project as more information about the risks and the selected strategies becomes known
Ratings and response strategies must be reviewed for appropriateness over the life of the project as well
The exam may describe situations where the wrong thing is being done to see if you realize it is wrong. The following is a list of some of the common risk management errors people make.
Risk identification is completed without knowing enough about the project
Project risk is evaluated using only a questionnaire, interview, or Monte Carlo analysis and thus does not provide specific risks
Risk identification ends too soon, resulting in a brief list (~20 risks) rather than an extensive list
The processes of Identify Risks through Perform Quantitative Risk Analysis are blended, resulting in risks that are evaluated or judged as they come to light. This decreases the number of total risks identified and causes people to stop participating in risk identification.
The risks identified are general rather than specific
Some things considered to be risks are not uncertain; they are facts, and are therefore not risks
Whole categories (technology, cultural, marketplace, etc.) of risk are missed
Only one method is used to identify risks rather than a combination of methods. A combination helps ensure that more risks are identified
The first risk response strategy identified is selected without looking at other options and finding the best option or combination of options
Risk management is not given enough attention during project executing
Project managers do not explain the risk management process to their team during project planning
Contracts are usually signed long BEFORE risks to the project are discussed