Post on 06-May-2015
description
Project Risk Management
Compiled by Muhammad Aleem Habib
June 25, 2013Information derived from PMBOK & Rita Mulcahy
What is Project Risk Management?
• Project risk management is actively managing the risks on your project
• The goal of risk management is to be more proactive and less reactive
Why Risk Management
• A project manager’s work should not focus on dealing with problems; it should focus on preventing them.
• How would it feel to say, “No problem; we anticipated this, and we have a plan in place that will resolve it”.
• Performing risk management helps prevent many problems and helps make other problems less likely
What is a Risk?
• A risk is an uncertain event that could have a positive or negative effect on your project
• * This means there is a probability between 1-99% that the event could occur
• If there is a 0% chance of an event occurring, there is no risk
• (example; there is a 0% chance your project will be adequately funded, this is not a risk, it is a reality).
What is a Risk?
• If there is a 100% chance of an event occurring, this would be an issue, not a risk
• Risks with negative consequences are called threats
• Risks with positive consequences are called opportunities (Yes, risk can be good! Stop thinking of risk as bad, and start thinking of it in terms of probabilities!)
Risk Event Graph
Types of RiskRisks can be broken out into two primary types
1. Pure Risk (hazard)– risk with potential loss only– ex. Fire, theft, personal injury
2. Business Risk (speculative risk) – risk with potential loss or gain
– ex. A highly skilled employee becomes available to work on your project, reducing your schedule time, the tax rate changes, a new server costs less (or more) than you budgeted for!
Risk Management Process
Threats
Opportunities
Project Risk Management
Knowledge Area
Process
Initiating Planning Executing Monitoring & Contol Closing
Risk Plan Risk ManagementIdentify RiskPerform Qualitative Risk AnalysisPerform Quantitative Risk AnalysisPlan Risk Response
Monitor and Control Risks
Enter phase/Start project
Exit phase/End project
InitiatingProcesses
ClosingProcesses
PlanningProcesses
ExecutingProcesses
Monitoring &Controlling Processes
5 Overall Project Management Processes with Risk Management
• Risk Planning – this is how you plan on conducting risk management. You wouldn’t start managing your project without a plan, so why would you approach risk management that way?
• Identify Risks – this is the phase where you attempt to identify most of your risks
• Qualitative analysis – this is a subjective analysis of your risks that produces a risk ranking, usually in the order of high, medium, low, or on an ordinal scale. Rankings are by agreement of your project team, sponsors and key stakeholders
Risk Management Processes
Risk Management Processes
• Quantitative Analysis – a numerical analysis of the probability and impact of the risk on your project
• Plan Risk Response– a course of action you will take to deal with your risks should they go from risk to issue
• Monitor & Control Risks – monitoring your lists (there are two lists which I will discuss later) of risks to enact a risk response plan, to move a risk from one list to the other, or to remove a risk because it is no longer a risk.
• Uncertainty: a lack of knowledge about an event that reduces confidence
• Risk averse: someone who does not want to take risks.• Risk Prone – Someone who is willing to take big risk• Risk tolerances: area of risk that are acceptable /
unacceptable. • Risk thresholds: the point at which a risk become
unacceptable• Risk Areas: Project Constraints (scope, time, cost, etc)
Terms & concepts
Risk Factors
1. The probability the risk will occur
2. The range of possible outcomes (impact)
3. When in the project lifecycle the risk is likely to occur (the timing);
* once the expected timeframe of the risk has passed and it is no longer a risk, it can be removed from the risk list
4.
How often the risk is expected to occur on the project (frequency)
11.1 Plan Risk Management
• The process of defining how to conduct risk management activities for a project
• Important to provide sufficient resources and time for risk management activities, and to establish an agreed upon basis for evaluating risk.
Plan Risk Management DFD. Figure 11-3
Plan Risk Management
• How much time should we spend?• Who will be involved?• How should we perform risk
management?
Plan Risk Management: Tools & Techniques
• Planning Meetings and Analysis– Project teams meet with stakeholders
– High level plans for risk management are define in these meetings
Plan Risk Management: Outputs
• Methodology Defines the tools, approaches, and data sources that may be used to perform risk management on the project.
• Budgeting A budget for project risk management should be established and included in the risk management plan.
• Role & Responsibility Defines the lead, support, and risk management team membership for each type of action in the risk management plan.
Plan Risk Management: Outputs
• Timing Defines how often the risk management activities will be performed throughout the project life cycle.
• Risk categories Documentation such as risk breakdown structures (RBSes) or categories from previous projects will help identify and organize risks.
• Definitions of risk Risks and their probabilities are probability & impact defined for use in Qualitative Risk Analysis using a scale of ―very Unlikely to ―almost certain.
Risk Breakdown Structure
• A risk breakdown structure (RBS) organizes potential sources of risk to the project.
• Functioning much like a work breakdown structure, an RBS arranges categories into a hierarchy.
• This approach allows the project team to define risk at very detailed levels.
Risk Breakdown Structure for a Software Development Project
Software Dev Project
Business
Competitors
Suppliers
Cash Flow
Technical
Hardware
Software
Network
Organizational
Executive Support
User Support
Team Support
Project Management
Estimates
Communication
Resources
RBS Example
Risk Profile
• A risk profile is a list of questions that address traditional areas of uncertainty on a project.
• These questions has been designed and developed from the experience of past projects.
Risk Profile Questions
No Category Description of Risk IMPACT PROBABILITY
RISK LEVEL
1 Resource Testing environment not available 4 B ORANGE
2 Schedule Documentation approval took longer time 4 A RED
Probability Impact Matrix
Risk Management Plan(Contd.)
• Stakeholder tolerances – Stakeholders have a low risk tolerance than impact is high. That information should be taken into account to rank cost impacts higher than if the low tolerance was in another area. Tolerances should not be implied, but uncovered in project initiating and clarified or refined continually.
• Reporting – Describes reports related to RM and how they will be used and what they will include.
• Tracking – Auditing, documentation regarding RM
Q: “ An uncommon state of nature, characterized by the absence of any information related to a desired outcome” , is a common definition for:
A. An act of God
B. An amount at stake
C. Uncertainty
D. Risk aversion
11.2 Identify Risks
• This is the phase where you work with your team to identify as many risks as possible.
Identify Risks: Things to remember
• Identify Risks can’t be completed without the project scope statement and Work Breakdown Structure (WBS)
• Identify Risks happens at the onset of the project and throughout the project
• Risks can be identified at any time and during any phase of the project
• Risk management is an iterative process, you should work to identify risk during any changes to the project, working with resources, and when dealing with issues
Question ?
• Who should be involved in Risk Identification?
Identify Risk: Tools & Tech• Documentation Reviews – including charter,
contracts, and planning documentation, can help identify risks.
• Those involved in risk identification might look at this documentation, as well as lessons learned, articles, and other documents, to help uncover risks.
Identify Risk: tools & tech• Brainstorming: One idea generates another• Delphi technique: Expert participate
anonymously; facilitator use questionnaire; consensus may be reached in a few rounds; Help reduce bias in the data and prevent influence each others.
• Interviewing: interviewing experts, stakeholders, experienced PM
• Root cause analysis: Reorganizing the identified risk by their root cause may help identify more risks
Identify Risk: Tools & Tech
• Checklist analysis: checklist developed based on accumulated historical information from previous similar project
• Assumption analysis: identify risk from inaccuracy, instability, inconsistency, incompleteness.
• SWOT analysis – Strengths, Weaknesses, Opportunities, Threats
Identify Risk: tools & tech• Influence diagrams
– show the casual influences among project variables, the timing or time ordering of events, and the relationships among other project variables and their outcomes.
• Cause and Effect Diagrams
• Flowcharts
Output: Risk Register
• Output is initial entries into the risk register. It includes:– List of risk– List of POTENTIAL responses– Root causes of risks– Updated risk categories
Risk Register Example
• Q: Risk tolerances are determined in order to help:
A. The team rank the project risks
B. The project manager estimate the project
C. The team schedule the project
D. Management know how other managers will act to the project
11.2 Perform Qualitative Risk Analysis
• This is the phase where you rank the risks you’ve identified from Identify Risks to come up with a list of risks you will create plans for dealing with
Perform Qualitative Risk Analysis
• Things to remember– Perform Qualitative Risk Analysis is subjective
– What is the probability of the risk occurring? High, medium, low? 1-10?
– What is the impact if the risk does occur? High, medium, low? 1-10?
Tools and Techniques of Qualitative Analysis
• Probability & Impact Matrix – a matrix that creates a consistent evaluation of high, medium, or low for your projects. This helps to make the risk rating process more repeatable between projects.
• Risk Data Quality Assessment – What is the quality of the data used to determine or assess the risk? Think about the following– Extent of the understanding of the risk– Data available about the risk– Quality of the data– Reliability & Integrity of the data
Tools and Techniques of Qualitative Analysis
• Risk Categorization – Which of your categories has more risk than others? Which of your work packages could be most affected by risk?
• Risk Urgency Assessment – Which of your risks could occur soon, or require a longer planning time? Risk urgency assessment helps move these risks more quickly through the rest of the project management process
Output: Risk Register Updates
• Risk ranking for the project compared to other projects
• List of prioritized risks and their probability and impact ratings
• Risks grouped by categories• List of risks for additional analysis and
response• Watchlist (non-critical risks) • Trends
Perform Quantitative Risk Analysis
• A numerical analysis of the probability and impact of the risks with the highest risk rating score determined from qualitative analysis
• Is a numerical evaluation (more objective)
• This process may be skipped.
Perform Quantitative Risk Analysis
Purpose of this process• Determine which risk events warrant a response.• Determine overall project risk (risk exposure).• Determine the quantified probability of meeting
project objectives.• Determine cost and schedule reserves.• Identify risks requiring the most attention.• Create realistic and achievable cost, schedule,
or scope targets.
Tools and Techniques of Quantitative Analysis
• EMV – Expected Monetary Value – What is the probability of the risk occurring multiplied by the impact if the risk does occur? If the risk occurs, what could the financial or time loss be to your project?
• In the example below, this project has an EMV of ($58,250), this means that you need to put aside $58,250 in your risk reserve account for potential risks
Risk Probability Impact EMV
A 20% $ (100,000.00) $(20,000.00)
B 90% $ 10,000.00 $ 9,000.00
C 5% $ 30,000.00 $ 1,500.00
D 65% $ (75,000.00) $(48,750.00)
Total $(58,250.00)
Q: If a project has a 60% chance of a US $ 100,000 profit and a 40% chance of a US $ 100,000 loss, the expected monetary value for the project is :
A. $ 100,000 profit
B. $ 60,000 loss
C. $ 20,000 profit
D. $ 40,000 loss
Tools and Techniques of Quantitative Analysis
• Decision Tree – used for planning on individual risks instead of planning for the whole project– Takes into account future events to make a decision
today– Can calculate the EMV in more complex situations– Involves mutual exclusivity
Airline A has a 90% chance to reach at time and Airline B has a 60% chance to reach at time. If you don’t reach at time, it will cost you 100,000. Use EMV to find which airline you should choose?
Decision tree /EMV example
Airline A EMV: 10,000 + (10% * 100,000) = 20,000
Airline B EMV: 8000 + (40%*100,000) = 48,000
Tools and Techniques of Quantitative Analysis
• Monte Carlo Analysis – A technique that uses simulation to show the probability of completing your project on time and within budget. – Determines the overall risk of the project, not the task– Determines the probability of completing the project on a specific
day and for a specific cost– Takes into account path convergence (places in the network
diagram where many paths converge into one activity)– Used to evaluate the impact to your schedule and budget– Due to the complicated mathematical computations used, Monte
Carlo analysis is usually done with a computer program– Creates a probability distribution – triangular, normal, beta,
uniform or lognormal (learn these)
Sensitivity Analysis• To determine which risks have the most potential impact
to the project• Changing one or more elements/variables and set other
elements to its baseline then see the impact.• One typical display of sensitivity analysis is the tornado
diagram• Tornado diagram is useful in analyzing risk taking
scenarios. • They provide the positive and negative impact of each
risk on the project and let you decide to choose which risk to take.
Sample Sensitivity Analysis
Outcome of Quantitative RA
Risk Register Updates• Prioritized list of quantified risks• Amount needed for contingency reserves for time and
cost• Confidence levels of completing the project on a certain
date for a certain amount of money• The probability of delivering the project objectives• Trends - risk management is an iterative process; as
you repeat the process you can track your overall project risk and determine the trend (if you are decreasing or increasing the level of risk on your project)
Outcome of Quantitative RA: Examples
• What are the risks that are most likely to cause trouble? To affect the critical path? That need the most contingency reserve?
• “The project requires another 50,000 and two months of time to accommodate the risks on the project?”
• “We are 95 percent confident that we can complete this project on May 25th for $989,000 budget?”
• “We only have a 75 percent chance of completing the project within the $800,000 budget.”
“What are we going to do now about each top risk?”
Risk Response Planning
• Eliminate the threats before they happen• Make sure opportunities happen • Decrease the probability and/or impact of
threats• Increase the probability and/or impact of
opportunities• For Residual Threats
– Contingency Plans– Fallback Plans
Risk Response StrategiesRisk
Opportunities
Exploit
Enhance
Share
Accept
Active
Contingency Plan Fallback Plan
Passive
Workaround
Threats
Avoid
Transfer
Mitigate
STRATEGIES FOR NEGATIVE RISKS OR THREATS
Avoidance
• Risk prevention• Changing the plan to eliminate a risk by avoiding
the cause/source of risk• Protect project from impact of risk• Examples:
– Change the supplier / engineer– Do it ourselves (do not subcontract)– Reduce scope to avoid high risk deliverables– Adopt a familiar technology or product
Mitigation
• Seeks to reduce the impact or probability of the risk event to an acceptable threshold
• Be proactive: Take early actions to reduce impact/probability and don’t wait until the risk hits your project
• Examples:– Staging - More testing - Prototype– Redundancy planning– Use more qualified resources
Transfer
• Shift responsibility of risk consequence to another party
• Does NOT eliminate risk• Most effective in dealing with financial exposure• Examples:
– Buy/subcontract: move liabilities– Selecting type of Procurement contracts: Fixed Price– Insurance: liabilities + bonds + Warranties
STRATEGIES FOR POSTIVE RISKS OR OPPORTUNITIES
Strategies for Opportunities
Exploit: Ensure opportunity is realized• Ex: Assigning organization most talented
resources to the project to reduce cost lower than originally planned.
Enhance: Increase the probability and/or the positive impact of the opportunity• Ex: Adding more resources to finish early
Strategies for Opportunities
Share: Allocating some or all of the ownership to third part best able to capture the opportunity• Ex: Joint ventures, special-purpose
companies
Acceptance (Both for Threats & opportunities)
• Active Acceptance– Develop a contingency plan to execute if the risk
occur– Contingency plan = be ready with Plan B– Fall back plan = plan C if B fails
• Passive Acceptance– Deal with the risks as they occur = Workarounds– Usually for low ranked risks
Risk Response MatrixRisk Event Response Contingency
PlanTrigger Who is
responsible
Interface Problems
Mitigate: Test Prototype
Workaround until help comes
Not solved within 24 hours
Asif
System freezing
Mitigate: Test Prototype
Reinstall OS Still frozen after 1 hour
Khalid
User backlash Mitigate: Prototype demonstration
Increase staff support
Cell from top management
Javed
Equipment malfunction
Mitigate: Select reliable vendorTransfer: Warranty
Order replacement
Equipment fails Aleem
Outputs of Risk Response Planning
Updates to Risk Register• Residual Risks – risks that are left over after Plan Risk
Response• Contingency Plans – plans of action in case the risk
does occur• Risk Response Owners – the person on the team
responsible for monitoring the risk, risk triggers, developing a response strategy, and implementing the strategy should the risk occur
• Secondary Risks – new risks that result from the implementation of the contingency plans for the primary risks
Outputs of Risk Response Planning
Updates to Risk Register• Risk Triggers – early warning signs that there is a high
probability the risk will occur• Fallback Plans – a secondary contingency plan, in case
the contingency plan does not work or is not effective• Reserves
– Contingency reserves - covers the cost for ‘known unknowns’ discovered during risk management; covers the residual risks. The contingency reserve is calculated and made part of the baseline.
– Management reserves – these are estimated and made part of the project budget, not the baseline. Management approval is needed to use the management reserve.
Outputs of Risk Response Planning
Project Management Plan Updates• Changes made due to risk management
will be changes made to the project and should be updated in the project management plan
Q: Replacing a doubtful supplier with an expensive but reliable one is an example of:
A. Mitigation
B. Transference
C. Acceptance
D. Avoidance
Q: A Reserve is generally intended to be used for:
A. Rework activities.
B. Compensate for inaccurate project cost estimates.
C. Reducing the risk of missing the cost or schedule objectives.
D. Compensate for inaccurate project schedule estimates.
Some important points:
• What do you do with non-critical risks?• Would you choose only one risk response
strategy?• What risk management activities are done
during execution of the project?• What is the most important item to be discussed
in project team meetings?• How would risk be addressed in project
meetings?
Some important points:
• What do you do with non-critical risks?– Put them in a watch-list and revisit them periodically.
• Would you choose only one risk response strategy?– You may select a combination of strategies.– Response of one risk might address another risk as
well!
• What risk management activities are done during execution of the project?– Watch-out risks on watch-list and looking for new risks.
Some important points:
• What is the most important item to be discussed in project team meetings?– Off course, Risk!
• How would risk be addressed in project meetings?– Asking, what is the status of risks? Is their any new
risk? Is the rank of any risk goes up and down?
Monitor and Control Risk
• The process of – implementing risk response plans– tracking identified risks– monitoring residual risks– identifying new risks and – evaluating risk process effectiveness
throughout the project – risk audit.
Inputs to Monitor & Control Risk
• Risk Management Plan• Risk Register• Approved Change Requests• Work performance information
– Deliverable status– Schedule progress– Costs incurred
• Performance reports
Monitor & Control Risk: Tools
• Workaround – a response to a risk that has occurred when no contingency plan exists.
• Risk audit – a team of experienced project team members reviews the risk management process and response strategies to see if you’ve effectively identified the major risks on the project and developed effective strategies for dealing with them.
Monitor & Control Risk: Tools
• Risk Reassessment – Risk management is iterative, you should review the risks on your project throughout the project to update their qualitative and quantitative values.
• Status meetings – status meetings should be used to identify new risks or changes to existing risks. This is a great opportunity to discuss with your team and stakeholders existing risks and new risks.
Monitor & Control Risk: Tools
• Reserve analysis – has the reserve kept up with changes to the risk list? Does the reserve still cover the costs of these risks should they occur?
• Closing of risks – Risks are expected to happen during a particular phase of the project. When that phase has passed and the risk is no longer probable, the risk should be removed from the risk list and any reserve associated should be freed up.
Outputs of Monitor & Control Risks
• Updates to Risk Register– Outcomes of the risk reassessments and risk
audits– Closing of risks that are no longer applicable– Details of what happened when risks occurred – Lessons learned
Outputs of Monitor & Control Risks
• Requested Changes • Recommended Corrective & Preventive
Actions• Updates to the Project Management Plan• Organizational Process Assets Updates
Practice Exam
Answers
Practice Exam
Answers
Practice Exam
Answers
Practice Exam
Answers
Practice Exam
Answers
Practice Exam
Answers