Lecture # 17

PRM 702

Project Risk Management

Ghazala Amin

Risk Definition

Project Risk:

“An uncertain event or condition that, if it occurs, has a positive or a negative effect on a project objective.

It includes both threats to the project objectives and opportunities to improve on those objectives.”

PMBOK Guide, 2000

Project Risk Management•Risk management should be a systematic process to identify, analyze, treat and monitor all possible risks. •There are many different descriptions ofthis systematic process, but they all have these fundamental steps:

1. Identify2. Analyze/Assess 3. Plan 4. Track & control

Project Risk Management

1. Identify – making a list of all possible risks that could happen.

2. Analyze/Assess – give each risk identified a probability and impact it could have.

3. Plan – create risk management plan.

4. Track & control – continuously monitor the risk and respond when it actually happens.

Risk Management Processes

•Risk Management Planning•Risk Identification•Qualitative Risk Analysis•Quantitative Risk Analysis•Risk Response Planning•Risk Monitoring and Control

Guide to the Project Management Body of Knowledge, 2000

Risk Management Plan

A Risk Management Plan summarizes the proposed risk management approach for the project and is usually included as a section

in the business plan.

The Risk Management Plan is dependant upon the identification of the projects risks, their criticality, status, strategy and status.

Risk Management Plan

The risk Management Plan describes: • the process which will be used to identify, analyze and manage risks both initially and throughout the life of the project; • how often risks will be reviewed, the process for review and who will be involved; • who will be responsible for which aspects of risk management; • how Risk Status will be reported and to whom; and • the initial snapshot of the major risks, current grading, planned strategies for reducing occurrence and Severity of each risk (mitigation strategies) and who will be responsible for implementing them

8

Table. Topics Addressed in a Risk Management Plan

Methodology

Roles and responsibilities

Budget and schedule

Risk categories

Risk probability and impact

Risk documentation

Risk Management Plan Contents

1.0 Introduction 1.1 Scope and purpose of document1.2 Overview of major risks1.3 Responsibilities

2.0 Project Risk Table 2.1 Risk Identification2.2 Description of all risks above cutoff2.3 Factors influencing probability and impact

3.0 Risk mitigation, monitoring and management 3.1 Risk item #n

1. Mitigation2. Monitoring3. Management

4.0 RM Plan Iteration Schedule 5.0 Summary

Risk Identification

Typical Risk Categories

• deliverable, project management, organizational, external• schedule, cost, quality, scope• management, external, technology• high, medium, low• technical, market

Risk Identification-Category

Category is the risk category based on:· Product size (PS)· Business impact (BU)· Customer characteristics (CU)· Process definition (PR)· Development environment (DE)· Technology (TE)· Staff size and experience (ST)

Risk Identification-I & L or P

Impact (I) indicates the likely effect on the project and the resulting product:· catastrophic (show-stopper) 1· critical (delay, extra cost) 2· marginal (extra effort) 3· negligible (internal effort) 4

Probability is the current estimate of the likelihood of occurrence

Risk Identification-Risk Register

The Risk Register illustrates all identified risks, including description, category, cause, probability of occurring, impact(s) on objectives, proposed responses, owners, and current status.

Risk Identification-Risk RegisterWhile the risk register will become the comprehensive output, Risk Identification process results in four entries in the Risk Register:

1. Lists of identified risks – Identified Risks with their root causes and risk assumptions are listed.2. List of potential responses – Potential responses identified here will serve as inputs to the Risk Response Planning process.3. Root causes of risk - Root causes of risk are fundamental conditions which cause the identified risk.4. Updated risk categories - The process of identifying risks can lead to new risk categories being added.

15

Table. Sample Risk Register

No. Rank Risk Description Category RootCause

Triggers PotentialResponses

RiskOwner

Probability Impact Severity Status

R44 1

R21 2

R7 3

Project severity = expectation (1-10) * impact (1-10) When should risk analysis be formed? Is not a time activity Periodic update and reviewed

16

Calculating severity

Problem Expectation Impact SeverityStaff 6 5 30Late delivery of hardware 5 8 40Communication and Networks problem

5 5 25

Project severity = expectation (1-10) * impact (1-10)

Risk Breakdown Structure (RBS)

“A source-oriented grouping of project risks that organizes and defines the

total risk exposure of the project. Each descending level represents an

increasingly detailed definition of sources of risk to the project.”

Dr. David Hillson, “The Risk Breakdown Structure as an Aid to Effective Risk Management,” PMI Europe, 2002

Risk Breakdown Structure (RBS)

•provides organization and structure•helps identify blind spots•facilitates understanding of types of risks and risk sources•indicates correlation of risks•allows for generic risk management plans to address multiple risks•allows cross-project (portfolio) risk management•allows project ranking on basis of risk

Risk Identification Guidelines

•Assemble SME s (Subject Matter

Experts)

• Identify “endemic” risks

• Create an environment that encourages honest discussion

Risk Assessment Guidelines

•Use descriptors for Probability and Impact•Qualitative Risk Assessment is useful when you do not have accurate numbers for Impact and Probability•Analysis is often unconscious rationalization of decisions•already made•Risk Scatter Diagram communicates the general risk profile for a project or phase•Decision Trees can assess multiple probabilities

Risk Management Tools

•Risk Identification– RBS– Risk Map

•Risk Assessment– Qualification model– Decision Tree Analysis– Monte Carlo Analysis

•Risk Communication– Monte Carlo histograms– RBS, Risk Map, Risk Scatter Diagram– Critical Path Analysis, Sensitivity Analysis