PMIZ PGDPM SEMESTER 2- PROJECT RISK MANAGEMENT by P.Mlambo(PMP) Page 1

Project management institute of Zimbabwe (pmiz)

POST GRADUATE DIPLOMA IN PROJECT MANAGEMENT

PROJECT RISK MANAGEMENT

Project risk management includes the process of conducting risk management planning,identification, analysis, response planning, and monitoring and control of risks or threats on aproject. The objectives of project risk management are to increase the probability and impactof positive events while decreasing the probability and impact of negative events within aproject.

Project risk management processes are as follows:

1.1 Plan risk management- the process of defining how to conduct risk managementactivities for a project.

1.2 Identify risk-The process of determining which risks may affect the project anddocumenting their characteristics

1.3 Perform qualitative risk analysis- the process of prioritizing risks for further analysis oraction by assessing and combining their probability of occurrence and impact.

1.4 Perform quantitative risk analysis- the process of numerically analyzing the effect ofidentified risks on overall project objectives

1.5 Plan risk responses- the process of developing options and actions to enhanceopportunities and to reduce threats to project objectives

1.6 Monitor and control risks- The process of implementing risk response plans, trackingidentified risks, monitor residual risks, identifying new risks, and evaluating risk processeffectiveness throughout the project.

Project risk is always in the future. Risk is an uncertain event or condition that, if itoccurs, has an effect on at least one project objectives. Object can include scope,schedule, cost and quality. Project risk has its origins in the uncertainty present in allprojects, known risks are those that has been identified and analyzed, making it possibleto plan responses for those risks. Specific unknown risks cannot be managed proactively,which suggests that the project team should create a contingency plan.Unknown unknown risks should have management reserves assigned.Organizations and stakeholders are willing to accept varying degrees or risks. This iscalled risk tolerance. Risks that are threats to the project maybe accepted if the risks arewithin tolerances and are in balance with the rewards that may be gained by taking therisks, for example adopting a fast track schedule is a risk taken to achieve the rewardscreated by an earlier completion date.Risk responses reflects an organizations perceived balance between risk taking and riskavoidance

PMIZ PGDPM SEMESTER 2- PROJECT RISK MANAGEMENT by P.Mlambo(PMP) Page 2

To be successful, organizations should be committed to address risk managementproactively and consistently throughout the projectThe fallacy of risk management being equated to the instrument landing system whichidentify future aircraft obstacles and directs it, till it lands safely.Moving forward on a project without a proactive focus on risk management increases theimpact that a realized risk can have on a project and can potentially lead to project failure.

A. PLAN RISK MANAGEMENT

Plan risk management is the process of defining how to conduct risk managementactivities for a project. Careful and explicit planning enhances the probability of successfor the five other risk management process. Planning is also important to providesufficient resources and time for risk management activities, and to establish an agreed –upon basis for evaluating risks. The plan risk management process should begin as aproject is conceived and should be completed early during project planning.

PLAN RISK MANAGEMENT: INPUTS

1. Project scope statement

The project scope statement provides a clear sense of the range of possibilities associatedwith the project and its deliverables and establish the framework for how significant therisk management effort may ultimately become.

2. Cost management plan

The project cost management plan defines how risk budgets, contingencies, andmanagement reserves will be reported and accessed

3. Schedule management plan

Defines how schedule contingencies will be reported and assessed

4. Communication management plan

Defines the interaction that will occur on the project, and determines who will beavailable to share information on various risks and responses at different times (and location)

5. Enterprise environmental factors

Includes risk attitudes and tolerances that describe the degree of risk that an organizationwill withstand

6. Organizational Process assets

The OPAs that influence the plan risk management process includes, but is not limited to:

.Risk categories,

PMIZ PGDPM SEMESTER 2- PROJECT RISK MANAGEMENT by P.Mlambo(PMP) Page 3

.common definitions of concepts and terms,

Risk statements formats,

Standard templates,

Roles and responsibilities

Authority levels for decision making

Lessons learned

Stakeholder register, which are also critical assets to be reviewed as components ofestablishing effective risk management plans

PLAN RISK MANAGEMENT: TOOLS AND TECHNIQUES

Planning Meetings and Analysis: Project team hold planning meetings to develop therisk management plan. Attendees at these meetings may include the project manager,selected team members and stakeholders, anyone in the organization with responsility tomanage the risk planning and execution activities, and other, as needed.

High level plans for conducting the risk management activities are defined in thesemeetings. Risk management cost elements and schedule activities will be developed forinclusion in the project budget and schedule, respectively. Risk contingency reserveapplications approaches maybe established or reviewed. Risk managementresponsibilities will be assigned

PLAN RISK MANAGEMENT: OUTPUTS

1. Risk Management Plan

It describes how risk management will be structured and performed on the project andbecomes a subset of the project management plan. The risk management plan includes thefollowing:

a) Methodology- defines the approaches, tools and data sources that may be used toperform risk management on the project

b) Roles and responsibilitiesc) Budgeting-Assigns resources, estimates funds needed for risk management for

inclusion in the cost performance baseline, and establishes protocols for application ofcontingency reserves

d) Timing- defines when and how often the risk management process will be performedthroughout the project lifecycle and establishes protocols for application of schedulecontingency reserve

e) Risk categories- provides a structure that ensure a comprehensive process ofsystematically identifying risks to a consistent level of detail and contributes to theeffectiveness and quality of the identified risk process. Organizations may use a Risk

PMIZ PGDPM SEMESTER 2- PROJECT RISK MANAGEMENT by P.Mlambo(PMP) Page 4

breakdown structure (RBS). An RBS is a hierarchically organized depiction of theidentified risk arranged by risk category and subcategory that identifies the various areasand causes of potential risks.

f) Definitions of risk probability and impactg) Probability and impact matrixh) Revised stakeholders tolerancesi) Reporting formatsj) Tracking

B. IDENTIFY RISKS

Identify Risks is the process of determining which risks may affect the project anddocumenting their characteristics. Participants in risk identification activities can include thefollowing: project manager, project team members, risk management team (if assigned),customers, subject matter experts from outside the project team, end users, other projectmanagers, stakeholders and risk management experts, while these personnel are often keyparticipants for risk identification, all project personnel should be encouraged to identifyrisks.

Identify risk is an iterative process because new risks may evolve or become known as theproject progresses through its life cycle.

IDENTIFY RISK: INPUTS

1. Risk Management Plan:

Key inputs from the risk management plan to the identify risk process are the assignmentsof roles and responsibilities, provision for risk management activities in the budget andstructure

2. Activity cost estimates

Activity cost estimate reviews are useful in identifying risks as they provide a quantitativeassessment of the likely cost to complete scheduled activities and ideally are expressed asa range, with the width of the range indicating the degree of risk. The review may resultin projections indicating the estimate is either sufficient or insufficient to complete theactivity (and hence pose a risk to the project).

3. Activity Duration Estimates

Activity duration estimates reviews are useful in identifying risks related to timeallowances for the activities or project as a whole, again with the width of the range of suchestimates indicating the relative degree of risk

4. Scope Baseline

PMIZ PGDPM SEMESTER 2- PROJECT RISK MANAGEMENT by P.Mlambo(PMP) Page 5

Project assumptions are found in the project scope statement. Uncertainty in projectassumptions should be evaluated as potential causes of project risk.

The WBS is a critical input to identify risk as it facilitates an understanding of the potentialrisks at both the micro and macro levels. Risks can be indentified and tracked at summary,control account, and/or work package levels.

5. Stakeholder Register

Information about the stakeholders will be useful in soliciting inputs for identifying risks asthis will ensure that key stakeholders, especially the customers, are interviewed or otherwiseparticipate during the identify risk process

6. Cost Management Plan-the project specific approach to cost management maygenerate or alleviate risk by its nature or structure

7. Schedule Management Plan-the project-specific approach to schedule managementmay generate or alleviate risk by its nature or structure

8. Quality management plan- the project-specific approach to quality managementmay generate or alleviate risk by its nature or structure

9. Project documents

These includes but are not limited to: assumption log, work performance reports, earnedvalue reports, network diagrams, baselines and other project information proven to bevaluable in identifying risks.

10 .Enterprise Environmental factors (EEF)

The EEF that can influence the identify risk includes but are not limited to:

Published information including commercial databases, academic studies, publishedchecklists, benchmarking, industry studies and risk attitude.

11. Organisatonal process assets: these includes but not limited to: project filesincluding actual data, organizational and project process controls, risk statementtemplates, and lessons learned.

IDENTIFY RISK: TOOLS AND TECHNIQUES

1. Documentation reviewsA structured review may be performed of project documentation, including plans,assumptions, previous project files, contracts and other information. The quality of theplans as well as consistency between those plans and project requirements andassumptions, can be indicators of risk in the project

2. Information Gathering techniques.

Examples of information gathering techniques used in identifying risk can be;

Brainstorming

PMIZ PGDPM SEMESTER 2- PROJECT RISK MANAGEMENT by P.Mlambo(PMP) Page 6

Delphi technique: a technique to reach a consensus of experts. Project risk expertsparticipate in this technique anonymously.

Interviewing Root cause analysis

3. Checklist analysis: Risk identification checklist can be developed based on historicalinformation and knowledge that has been accumulated from previous similar projectsand from other sources of information

4. Assumption analysis: Assumption analysis indentify risk to the project frominaccuracy, instability, inconsistency or incomplete of assumptions.

5. Diagramming techniques

Risk diagramming techniques may include but not limited to:

Cause and effect. These are also known as Ishikawa or fishbone diagrams and areused to identify cause of the risk

System or process flow charts: these show how processes interrelate, and themechanisms of causation

Influence diagrams

6. SWOT Analysis…strength, weakness, opportunities and threats

7. Expert judgment

IDENTIFY RISK: OUTPUTS

Risk register…list of identified risks and list of potential responses

C. PERFORM QUALITATIVE RISK ANALYSIS

Perform qualitative risk analysis is the process of prioritizing risks for further analysis oraction by assessing and combining their probability of occurrence and impact. Organizationscan improve the project performance by focusing on high-priority risks. The performqualitative risk analysis assesses the priority of identified risk using their relative probabilityof likelihood of occurrence, the corresponding impact on project objectives if the risk occur ,as well as other factors such as the time frame for response, and the organizations risktolerance associated with the project constraints of cost, schedule, scope and quality.

PMIZ PGDPM SEMESTER 2- PROJECT RISK MANAGEMENT by P.Mlambo(PMP) Page 7

PERFORM QUALITATIVE RISK ANALYSIS: INPUTS

1. Risk register2. Risk management plan ;key elements of risk management plan for perform

qualitative risk analysis include roles and responsibilities for conducting riskmanagement, budgets, schedule activities for risk management, risk categories,definition of probability and impact, the probability and impact matrix, and revisedstakeholders risk tolerance

3. Project scope statement: project of a common or recurrent type tend to have morewell-understood risks. Projects using state- of- the art or technology first of its kindand highly complex projects, tend to have more uncertainty. This can be evaluated byexamining the project scope statement

4. Organizational Process assets e.g. information on prior, similar completed projects

PERFORM QUALITATIVE RISK ANALYSIS: TOOLS AND TECHNIQUES

1. Risk probability and impact assessment: risk probability assessment investigate thelikelihood that each specific risk will occur. Risk impact assessment investigates thepotential effect on a project objective.

2. Probability and impact matrix3. Risk data quality assessment4. Risk categorization5. Risk urgency assessment6. Expert judgment

PERFORM QUALITATIVE RISK ANALYSIS: OUTPUT

1. Risk register update: the risk register is updated with the information from performqualitative risk analysis and the updated register is included in the project documents.The risk register updates may include:

a) Relative ranking or priority list of project riskb) Risks grouped by categoriesc) Causes of risk or project areas requiring particular attentiond) List of risks requiring attention in the near –terme) List of risks for additional analysis and responsef) Watch list of low-priority risksg) Trends in qualitative risk analysis results

D. PERFORM QUANTITATIVE RISK ANALYSIS

This is the process of numerically analyzing the effect of identified risks on overallproject objectives. It is done on risks that have been prioritized by the perform qualitativerisk analysis as potentially and substantially impacting the projects competing demands. Italso presents a quantitative approach to making decisions in the presence of uncertainty.

PMIZ PGDPM SEMESTER 2- PROJECT RISK MANAGEMENT by P.Mlambo(PMP) Page 8

INPUTS

1. Risk register2. Risk management plan3. Cost management plan4. Schedule management plan5. Organizational process assets

TOOLS AND TECHNIQUES

1. Data gathering and presentation techniques

a) Interviewingb) Probability distribution

2. Quantitative risk analysis and modeling techniques

a) Sensitivity analysis…helps to determine which risks have the most potential impact onthe project

b) Expected monetary value e.g. decision tree diagram

c) Modeling and simulations

3. Expert judgment

OUTPUTS

1. Risk register updates2. Probabilistic analysis of the project3. Probability of achieving cost and time objectives4. Prioritized list of quantified risks5. Trends in quantitative risk results

E. PLAN RISK RESPONSE

Plan risk responses are the process of developing options and actions to enhanceopportunities and to reduce threats to project objectives. It includes the identification andassignment of one person (the risk owner) to take responsibility for each agreed-to andfunded risk response. Plan risk response addresses the risk by their priority, insertingresources and activities into the budget, schedule and project management plan as needed.

Planned risk responses must be appropriate to the significance of the risk, cost effective inmeeting the challenge, realistic within the project context, agreed upon by all partiesinvolved, and owned by a responsible person. They must be timely. Selecting the best riskresponse from several options is often required.

PMIZ PGDPM SEMESTER 2- PROJECT RISK MANAGEMENT by P.Mlambo(PMP) Page 9

PLAN RISK RESPONSE: INPUTS

1.Risk register- which refers to indentified risks, root causes of the risks, lists of potentialresponses, risk owners, symptoms and warning signs, the relative rating or priority list ofproject risks requiring response in the near term, a list of risks for additional analysis andresponse, trends in qualitative analysis results, and a watch list of low-priority risks.

2. Risk management plan-Important components of the risk management plan include rolesand responsibilities, risk analysis definitions, timing for reviews(and for eliminating risksfrom reviews) and risk threshold for low, moderate, and high risks. Risks thresholds helpidentify those risks for which specific responses are needed.

Plan risk response: Tools and Techniques

1. Strategies for negative risks or Threats Avoid-risk avoidance involves changing the management plans to eliminate the threat

entirely e.g. changing the objective that is in jeopardy for example, reducing thescope, or extending the schedule.

Transfer-involves shifting some or all of the negative impact of a threat, along withownership of the response, to a third party. E.g. insurance

Mitigate- this implies a reduction in the probability and /or impact of an adverse riskevent to be within threshold limits. Adopting less complex processes, conductingmore tests and choosing a more stable supplier are such examples of mitigating a risk.

Accept-this strategy is adopted because it is seldom possible to eliminate all threatsfrom a project. It indicates that the project team has decided not to change the projectmanagement plan to deal with the risk, or is unable to identify any other suitableresponse strategy. This can be either passive or active. Passive acceptance requires notaction except to document the strategy leaving the project team to deal with the risk asthey occur.

2. Strategies for positive risks or opportunities Exploit-examples of directly exploiting responses include assigning organizations

most talented resources to the project to reduce the time to completion or to providelower cost than originally planned.

Share-examples of sharing actions include forming risk sharing-sharing partnerships,teams, special-purpose companies, joint ventures, which can be established with theexpress purpose of taking advantage of the opportunity so that all parties gain fromtheir actions.

Enhance-identifying and maximizing key drivers of these positive-impact risks mayincrease the probability of occurrence

Accept-accepting an opportunity is being willing to take advantage of it if it comesalong, but not necessarily pursuing it.

3. Contingent response strategies: some responses are designed for use only if certainevents occur. For some risks, it is appropriate for the project team to make a response

PMIZ PGDPM SEMESTER 2- PROJECT RISK MANAGEMENT by P.Mlambo(PMP) Page 10

plan that will only be executed under certain predefined conditions, if it is believedthat there will be sufficient warming to implement the plan.

4. Expert judgment-input from knowledgeable parties pertaining to the actions to betaken on a specific and defined risk.

Plan risk response: Outputs

1. Risk register updates2. Risk-related contract decisions- decisions to transfer risk, such as agreements for

insurance, services and other items as appropriate are selected in this process.3. Project management Plan updates4. Project documents updates- e.g. assumptions log updates, technical documentation

updates

F. MONITOR AND CONTROL RISKS

Is the process of implementing risk response plans, tracking identified risks,monitoring residual risks, identifying new risks, and evaluating risk processeffectiveness throughout the project?

INPUTS1. Risk register2. Project management plan- this contains the risk management plan, which includes

risk tolerances, protocols and the assignment of people (including risk owners),time, and other resources to project risk management.

3. Work performance information- for example deliverable status, schedule progressand cost incurred

4. Performance reports

Monitor and control risks: Tools and techniques

1. Risk reassessment: monitor and control risks often results in identification of newrisks, reassessment of current risks and the closing of risks that are outdated

2. Risk audits: risk audits examine and document the effectiveness of risk responsesin dealing with identified risks and their root causes, as well as the effectivenessof the risk management plan.

3. Variance and trends analysis:4. Technical performance measurement5. Reserve analysis: this compares the amount of the contingency reserve remaining

to the amount of risk remaining at any time in the project in order to determine ifthe remaining reserve is adequate.

6. Status meetings

PMIZ PGDPM SEMESTER 2- PROJECT RISK MANAGEMENT by P.Mlambo(PMP) Page 11

OUTPUTS

Risk register updates Organizational process assets updates Change requests Project management Plan updates Project document updates

Produced by: Pfungwa Mlambo (PMP)

PMIZ PGDPM SEMESTER 2- PROJECT RISK MANAGEMENT by P.Mlambo(PMP) Page 12