Risk Management: PMP Study Guide (PMBOK 6th Edition)

Project Risk Management includes all the processes involved in risk identification, regulation, and mitigation on a project. The objective is to increase the likelihood of positive risks (opportunities) and decrease the likelihood of negative risks (threats). This article is part of a PMP® Study Notes, and it has been updated for PMBOK® 6th Edition eBook.

Here are some key concepts for this Knowledge Area:

Uncertainty – Uncertainty is a lack of knowledge about an event that reduces confidence in conclusions drawn from the data
Risk factors – When looking at risks, one should determine
- The probability that it will occur (what)
- The range of possible outcomes (impact and amount at stake)
- Expected time (when) in the project life cycle
- The anticipated frequency of risk events from the source (how often)
Risk adverse – Someone who does not want to take risks
Risk tolerance – How much risk someone can tolerate/withstand
Risk threshold – The risk threshold determines at which point the risk becomes unacceptable to stakeholders
Risk appetite – Degree of uncertainty an entity is willing to take on in anticipation of a reward
Project manager’s role –
- Monitor and control the various aspects of the project
- Look for deviations from the trend and react early
- Keep stakeholders informed of project progress
Known risks – Risks that have been identified; if known risks cannot be managed, they can be mitigated with the contingency reserve
Unknown risks – Risks that have not been identified; if unknown risks occur on the project, they can be handled with the management reserve

There are 6 processes within this Knowledge Area, and they are:

Plan Risk Management

Plan Risk Management is the process of defining how risk management activities will be conducted on the project.

The main output of this process is the Risk Management Plan. The components of this plan include the following:

Methodology
- This section defines how you will perform risk management for the particular project. Remember to adapt to the needs of each project.
- Low priority projects will likely warrant less of a risk management effort than high priority projects
Roles and responsibilities
- Who will do what?
- Did you realize that non-team members may have roles and responsibilities regarding risk management?
Budgeting
- This section includes the cost for the risk management process
- Realize the cost of doing risk management, but also realize risk management saves time and money overall by avoiding and reducing threats
Timing
- This section talks about when to do risk management for the project
- Risk management should start as soon as you have the appropriate inputs and should be repeated throughout the life of the project, since new risks can be identified as the project progresses and the degree of risk may change
Risk categories
Definition of probability and impact
- Would everyone who rates the probability a 7 in qualitative risk analysis mean the same thing?
- A person who is risk averse might think of 7 as very high, while someone who is risk prone might think 7 as a low figure. The definitions and the probability and impact matrix help standardize these interpretations and also help compare risks between projects
Stakeholder tolerances
- What if the stakeholders have a low risk tolerance for cost overruns? That information would be taken into account to rank cost impacts higher than they would if the low tolerance was in another area
- Tolerance should not be implied, but uncovered in project initiating and clarified or refined continually
Reporting formats
- This describes any reports related to risk management that will be used and what they will include
Tracking
- Take this to mean how the risk process will be audited, and the documents of what happens with risk management activities

On your project, you may identify hundreds (and maybe even thousands) of risk. When you have a large project with large number of risks, you need to categorize them to make it easier to manage them. Below are some categorizations and types of risks.

Risk categories:

External – regulatory, environmental, government, market shifts
Internal – time, cost, scope changes; inexperience; poor planning
Technical – changes in technology
Unforeseeable – only a small portion of risks (some say about 10%) are actually unforeseeable
Work package – group risks based on which work package they are in
Root cause – group risks based on the same root cause

Types of risk:

Business risk – risk of gain or loss
Pure (insurable) risk – only a risk of loss

Identify Risks

Identify Risks is the process of determining which risk may affect the project and documenting their characteristics. Everyone on the project team should be encouraged to participate in this process.

The tools and techniques of this process are:

Documentation review
- The project artifacts, including the project charter and procurement contracts, can help identify risks.
Information gathering techniques
- Brainstorming
- Delphi technique
  - A request for information is sent to all experts, their responses are compiled, and the results are sent back to them for further review until consensus is reached
- Interviewing
- Root cause analysis
SWOT analysis
- This analysis identifies the project’s strengths and weaknesses (internal) as well as opportunities and threats (external)
Checklist analysis
- Based on historical information
- The lowest level of RBS(risk breakdown structure) can also be used as a risk checklist
- The checklist is used to help identify specific risks within each category
Assumptions analysis
- Analyzing what assumptions have been made on the project may lead to the identification of risks
Diagramming techniques
- Cause and effect diagrams (Ishikawa )
- System or process flow charts
- Influence diagrams

The output of this process is the risk register. The risk register is the place where most of the risk information is kept. At this point in the risk management process, the risk register includes:

Lists of risks
Root causes or risk
- Root causes of risks are documented
Risk categories
Potential risk responses
- There will be times when a response is identified at the same time as a risk
- These responses should be added to the risk register as they are identified
- The responses are analyzed and finalized during the Plan Risk Responses process

Perform Qualitative Risk Analysis

Perform Qualitative Risk Analysis is the process of prioritizing risks for further analysis. This process assesses the risks’ probability of occurrence and impact (subjective analysis). The key benefit of this process is that it identifies the high priority risks and allows the project team to focus on those.

Here are some key concepts for this process:

Risk analysis
- Qualitative risk analysis is a subjective analysis of risks
- To perform this analysis, the following is determined:
  - The probability of each risk occurring, using a standard scale such as low, medium, high or 1 to 10
  - The impact (amount at stake or consequences, positive or negative) of each risk occurring, using a standard scale such as low, medium, high or 1 to 10
- Probability & impact assessments examine:
  - Likelihood that a risk will occur
  - Impact on project objectives (e.g. schedule, cost, quality, etc.)
- Probability and impact matrix can be used to prioritize risks for quantitative analysis
  - Uses subjective measurements, such as ‘very high’, ‘high’, ‘medium’, ‘low’, or ‘very low’
- Risks with low ratings should be included on a watch list and tracked to ensure their ratings did not change
- Risk data quality assessment is a technique of evaluating whether the data available for the risks is comprehensive and useful. Risk data quality assessment may include:
  - Understanding of the risk
  - Data available about the risk
  - Quality of the data
  - Reliability and integrity of the data

Perform Quantitative Risk Analysis

The Perform Quantitative Risk Analysis process analyzes the numerical impact of identified risk on project deliverables. It is only used for high priority risks.

The purpose of quantitative risk analysis is to:

Determine which risk events warrant a response
Determine overall project risk (exposure)
Determine the quantified probability of meeting project objectives
Determine cost and schedule reserves
Identify risks requiring the most attention
Create realistic and achievable costs, schedule or scope targets

Quantitative probability and impact can be determined in various ways, including the following:

Interviewing
Cost and time estimation
Delphi technique
Use of historical records from previous projects
Expert judgement
Expected monetary value analysis
Monte Carlo analysis
Decision tree

Quantitative risk analysis and modeling techniques

Decision trees – diagram shows key interaction among decisions and associated chance events. Decisions are shown as boxes and chances are shown as circles.
- Can take future events into account for decision making
EMV
- Sum of probability times the expected outcome
- Calculates the average outcome
Simulation – analyze the behavior of the system. Most common is the schedule simulation which uses the project network as the model based on the Monte Carlo analysis
Monte Carlo Analysis – performs the project many times to provide a statistical distribution of the calculated results to quantify the risk of various schedule alternatives
Monte Carlo analysis is used for:
- Evaluating overall risk in the project
- Determining the probability of completing the project on any specific date or for any specific cost
- Determining the probability of any activity actually being on the critical path
- Translating uncertainties into impacts to the total project
- Calculating in a probability distribution
Impact Analysis – what is the likelihood the event will occur vs. the severity of the impact on the project if it does occur
Sensitivity analysis
- Places value on the impact of changing a single variable
- Helps determine which risks have the most potential impact on the project (Tornado diagram)

Plan Risk Response

Plan Risk Response process develops options and actions to enhance opportunities and reduces threats to project objectives.

The choices of response strategies for threats include:

Avoid
- Eliminate the threat by eliminating the root cause
- g. reduce scope or remove the work package
Mitigate
- Reduce probability or the impact of a threat
- Options for reducing the probability are looked for separately from options for reducing the impact
- Any reduction will make a difference, but the option with the most probability and/or impact reduction is often the option selected
Transfer (deflect – allocate)
- Make another party responsible for the risk by purchasing insurance, performance bonds, warranties, guarantees, or outsourcing work
- One must complete risk assessment before a contract can be signed
- Transfer of risk is included in terms and conditions of the contract

The choices for response strategies for opportunities include:

Exploit
- Add work or change the project to make sure the opportunity occurs
Enhance
- Increase the likelihood (probability) and/or positive impacts of the risk event
Share
- Allocate ownership of the opportunity to a third party (forming a partnership, team, or joint venture) that is best able to achieve the opportunity

A response strategy for both threats and opportunities is:

Accept
- Active acceptance may involve the creation of contingency plans to be implemented if the risk occurs and the allocation of time and cost reserves to the project
- Passive acceptance leaves actions to be determined as needed, if (after) the risk occurs
- A decision to accept a risk must be communicated to stakeholders

Implement Risk Responses

Key concepts for this process:

Contingency plans/Fall back plans are plans to follow when the risk becomes an issue.
Residual risk – the risk that remains after the contingency plan has been implemented.
Low priority tasks are put onto a watch list and revisited periodically.
Risk is the most important item during project team meetings.

Monitor Risk

Monitor Risk is the process of implementing the risk response plans, tracking identified risks, monitoring residual risks, and evaluating the risk processes’ effectiveness.

Here are the key concepts and terms you need to understand for this process:

Risk audits
- An audit that ensures your project team is following the organization’s risk processes, including identifying risks and creating mitigation plans for high priority risks.
- Examine and document the effectiveness of risk responses.
- Develop organizational best practices.
Workarounds
- Whereas contingency responses are developed in advance, workarounds are unplanned responses developed to deal with the occurrence of unanticipated risk events.
- When project deviate from baseline, the team may need to take a corrective action.
Risk assessments
- The project team needs to periodically review the risk management plan and risk register and adjust them as required
- Risk management is an iterative process
Contingency reserve
- The budget set aside to handle specific risks if they do occur
Reserve analysis
- Analyzing how much money you have left in the reserves and how much you may need in the future

Things to Remember

The exam will assume that you are already doing risk management and therefore asks questions at sophisticated level about situations you should have already run into
The exam will also ask about how risk management activities change what you need to do each day as a project manager. This is an incredibly important concept that you need to get your mind around for the exam. You must understand this picture of the life of a project manager. Through risk management, the project changes from being in control of the project manager to the project manager being in control of the project
The exam will test your knowledge of the process of risk management. This process is very logical. Expect to be given a situation on the exam and then asked which risk management process is being described in the situation
Because risk identification primarily occurs during the initiating and planning process groups, the exam has often said that the major part of risk identification happens at the onset of the project. But smaller numbers of risk may also be identified during later parts of the project. Risks should be continually reassessed. The exam will specifically look for you to include risk identification during such activities as integrated change control, when working with resources, and when dealing with project issues. The exam weights the questions towards project executing and project monitoring and controlling, rather than the identification of risks.
The Perform Quantitative Risk Analysis process can include a lot of calculation and analysis. Luckily the details of these efforts are not a focus for the exam. You will need to know that the following are part of quantitative risk analysis but not know how to do them other than what is explained here.
- Further investigating the highest risks on the project
- Determining the type of probability distribution that will be used
  - Triangular
  - Normal
  - Beta
  - Uniform
  - Log normal distribution
- Performing sensitivity analysis to determine which risks have the most impact on the project
- Determining how much quantified risk the project has through expected monetary value analysis or Monte Carlo analysis
Questions on the exam can ask “what is the expected monetary value of the following?” expected monetary value questions can also be asked in conjunction with decision trees
You do not need to know how to perform this calculation for the exam. Simply know the following. Monte Carlo analysis:
- Is usually done with a computer-based Monte Carlo program because of the intricacies of the calculations
- Evaluates the overall risk in the project
- Provides the probability of completing the project on any specific day, or for any specific costs
- Provides the probability of any activity actually being on the critical path
- Takes into account path convergences
  - Places in the network diagram where many paths converge into one activity
- Translates uncertainties into impacts to the total project
- Can be used to assess cost and schedule impacts
- Results in a probability distribution
There have traditionally been only one or two questions about decision trees on the exam. You should know what is decision tree is and be able to calculate a simple one from data provided. The exam could ask you to calculate the expected monetary value (or just value) of a path or the value of your decision
Assume that all the major problems that could have been identified in advance as risks were determined before they occurred and that there was a plan put in place for each of these risks
Here are a couple of other points that can be tricky:
- Can you eliminate all risks on a project?
  - Remember that risks can actually be eliminated, but the time and trouble involved in eliminating all the risk identified on the project would probably not be worthwhile
- Qualitative risk analysis, quantitative risk analysis, and risk response planning do not end once you begin work on a project
- You need to review risks throughout the project and then return to planning to determine what to do about any newly identified risks
- Risk ratings and response strategies for existing risks can also change later in the project as more information about the risks and the selected strategies becomes known
- Ratings and response strategies must be reviewed for appropriateness over the life of the project as well
The exam may describe situations where the wrong thing is being done to see if you realize it is wrong. The following is a list of some of the common risk management errors people make.
- Risk identification is completed without knowing enough about the project
- Project risk is evaluated using only a questionnaire, interview, or Monte Carlo analysis and thus does not provide specific risks
- Risk identification end too soon, resulting in a brief list (~20 risks) rather than an extensive list
- The processes of Identify Risks through Perform Quantitative Risk Analysis are blended, resulting in risks that are evaluated or judged as they come to light. This decreases the number of total risks identified and causes people to stop participating in risk identification.
- The risk identified are general rather than specific
- Some things considered to the risks are not uncertain; they are facts, and are therefore not risks
- Whole categories (technology, cultural, marketplace, etc.) of risk are missed
- Only one method is used to identify risks rather than a combination of methods. A combination helps ensure that more risks are identified
- The first risk response strategy identified selected without looking at other options and finding the best option or combination of options
- Risk management is not given enough attention during project executing
- Project managers do not explain the risk management process to their team during project planning
- Contracts are usually signed long BEFORE risks to the project are discussed