Risk Management for Project Managers

Concepts and Practices

By Marcus Goncalves and Raj Heda

The Technical Manager’s Survival Guides

© 2014, ASME, 2 Park Avenue, New York, NY 10016, USA (www.asme.org)

All rights reserved. Printed in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

INfoRMATIoN CoNTAINEd IN THIS woRk HAS BEEN oBTAINEd BY THE AMERICAN SoCIETY of MECHANICAl ENGINEERS fRoM SoURCES BElIEvEd To BE RElIABlE. HowEvER, NEITHER ASME NoR ITS AUTHoRS oR EdIToRS GUARANTEE THE ACCURACY oR CoMPlETENESS of ANY INfoRMATIoN PUBlISHEd IN THIS woRk. NEITHER ASME NoR ITS AUTHoRS ANd EdIToRS SHAll BE RESPoNSIBlE foR ANY ERRoRS, oMISSIoNS, oR dAMAGES ARISING oUT of THE USE of THIS INfoRMATIoN. THE woRk IS PUBlISHEd wITH THE UNdERSTANdING THAT ASME ANd ITS AUTHoRS ANd EdIToRS ARE SUPPlYING INfoRMATIoN BUT ARE NoT ATTEMPTING To RENdER ENGINEERING oR oTHER PRofESSIoNAl SERvICES. If SUCH ENGINEERING oR PRofESSIoNAl SERvICES ARE REqUIREd, THE ASSISTANCE of AN APPRoPRIATE PRofESSIoNAl SHoUld BE SoUGHT.

ASME shall not be responsible for statements or opinions advanced in papers or . . . printed in its publications (B7.1.3). Statement from the Bylaws.

for authorization to photocopy material for internal or personal use under those circumstances not falling within the fair use provisions of the Copyright Act, contact the Copyright Clearance Center (CCC), 222 Rosewood drive, danvers, MA 01923, tel: 978-750-8400, www.copyright.com.

Requests for special permission or bulk reproduction should be addressed to the ASME ­Publishing­­Department,­or­submitted­online­at:­http://www.asme.org/kb/books/book-proposal-guidelines/permissions

ASME Press books are available at special quantity discounts to use as premiums or for use in corporate training programs. for more information, contact Special Sales at customercare@asme.org

Library of Congress Cataloging-in-Publication Data

Goncalves, Marcus. Risk­management­for­project­managers­:­concepts­and­practices­/­by­Marcus­Goncalves­and­Raj­Heda. pages­cm­--­(The­technical­manager's­survival­guides)Includes bibliographical references.ISBN 978-0-7918-6023-6 1.­Risk­management.­2.­Project­management.­I.­Heda,­Raj.­II.­Title.

Hd61.G646 2013658.15'5--dc232013041478

AcknowledgementI would like to thank, yet again, Mary Grace Stefanchik, the edi-

tor at the American Society of Mechanical Engineers (ASME), not only for publishing yet another one of my work for ASME’s collection, but espe-cially for her continuous patience during the production phase of this book. Many­thanks,­again,­to­my­co-author­and­friend­Raj­Heda,­for­finding­time­in his schedule to land his expertise on risk management, and write this book with me.

Raj Heda: I wish to record my debt to some of the people who have made an indelible mark in my life.

A special note of thanks to my dear professor and now friend and colleague, Marcus Goncalves, for his generous helpfulness, trust, support and­above­all,­for­offering­me­again­the­opportunity­to­co-author­this­book.

To my mother for being ever loving and encouraging. To my brother Ravi for all the love and the fun days we spent. To my aunt, Meenu for always lending me a patient ear and giving me genuine advice in all my endeavors. To my friend and colleague in business, dorothy, for her sincere lookout for my well-being and for her beautiful heart. To my dear friends Anand, Shrikant, Prajay, Prashant and Amit for always being there for­me­ in­ good­ times­ and­ bad.­ To­my­ good­ friend,­Matt,­ for­ help­with­graphics in the book.

Many thanks to Marcus and the team at ASME for involving me in this project. I am indebted to my beautiful daughters, Radhika and vrinda, for showering all their love on me and for always bringing a smile to my face;­ they­make­everything­worth­ the­ effort.­ I­ am­grateful­ to­my­ loving­wife­for­always­having­the­confidence­in­me­-­even­beyond­what­I­have­in­myself.­Finally,­I­can­never­forget­the­contributions­of­my­mother­in­getting­me to where I am in my life today. love you Mom!

dedicationTo my wife Carla, sons Samir and Josh (in memory), and my prin-

cess Andrea (also in memory), the true joy of my life. To God be the glory!

Marcus Goncalves, Summer 2013

To my wife, Anu, for being such a caring and loving life partner, for her synergistic help in all my activities and for her invaluable editing of this book. To my beautiful princesses Radhika and vrinda, who are my true loves and who make it all worth the while!

In loving and thankful memory of my dearest father, Shiv Heda, the angel always beside me.

Raj Heda, Summer 2013

vii

Table of ContentsAcknowledgement .............................................................................................iiidedication ............................................................................................................vChapter 1 .............................................................................................................. 1Understanding Risk: Opportunities or Threat? ........................................... 1

overview .......................................................................................................... 1what is Risk?.................................................................................................... 3

Chapter 2 .............................................................................................................. 7Risk Management Theory and Practice ......................................................... 7

overview .......................................................................................................... 7what is Risk Management? ........................................................................... 8

Appetite for Risk ......................................................................................... 9Categories of Risk ..................................................................................... 11

outcome of Risk Assessment .............................................................. 11Chapter 3 ............................................................................................................ 13Developing a Risk Assessment and Mitigation Strategy ........................ 13

overview ........................................................................................................ 13Chapter 4 ............................................................................................................ 19The Risk Management Process ..................................................................... 19

overview ........................................................................................................ 19Risk­Identification ......................................................................................... 21

qualitative and quantitative Risk Analysis .......................................... 22Risk Response Planning ........................................................................... 23Risk Monitoring and Control .................................................................. 23

Chapter 5 ............................................................................................................ 25Risk Analysis Tools and Methodologies ..................................................... 25

overview ........................................................................................................ 25qualitative Risk Analysis: Tools and Techniques ..................................... 25

Risk Probability and Impact Assessment .............................................. 26Probability and Impact Matrix ................................................................ 26

Risk data quality Assessment .................................................................... 27Risk Categorization ................................................................................... 28Risk Urgency Assessment ........................................................................ 28

quantitative Risk Analysis: Tools and Techniques .................................. 28data Gathering and Representation Techniques .................................. 29Probability distributions .......................................................................... 30

viii

Monte Carlo Simulation ........................................................................... 31Sensitivity Analysis ................................................................................... 32decision Tree Analysis ............................................................................. 33

Chapter 6 ............................................................................................................ 35Identifying Risk ............................................................................................... 35

overview ........................................................................................................ 35Identifying Risks ........................................................................................... 38Risk­Identification­Process ........................................................................... 41Best­Practices­for­Risk­Identification .......................................................... 45

Chapter 7 ............................................................................................................ 49Assessing and Mitigating Risk ..................................................................... 49

overview ........................................................................................................ 49four Steps to Risk Assessment .................................................................... 51

Prioritizing Risk......................................................................................... 53Measuring Risk Impact ............................................................................ 54Measuring likelihood .............................................................................. 58

Risk Mitigation Strategies ............................................................................ 59Risk Assessment Best Practices ................................................................... 60

Chapter 8 ............................................................................................................ 63Developing Risk Response Strategies ......................................................... 63

overview ........................................................................................................ 63developing a Risk Response Strategy ........................................................ 64

Responding to Risk Events ...................................................................... 67Identifying Risk Response Alternatives ............................................. 68Selecting Response Alternatives ......................................................... 69Assigning Risk ownership .................................................................. 70Preparing Risk Response Plans ........................................................... 70

Chapter 9 ............................................................................................................ 73Implementing Risk Response Controls ....................................................... 73

overview ........................................................................................................ 73Response Controls and the Risk Registrar ................................................ 74

Inputs to Risk Monitoring and Controls................................................ 76Techniques to Risk Monitoring and Response Control ................... 76

outputs to Risk Monitoring and Response Controls........................... 77Handling Change Requests ..................................................................... 78

Chapter 10 .......................................................................................................... 83Incident Management and BC/DR Planning .............................................. 83

overview ........................................................................................................ 83

ix

distinguishing Business Continuity from disaster Recovery Planning .......................................................................................................... 86

what is in the Plans .................................................................................. 88developing a Business Impact Analysis .................................................... 91Incident Management Process .................................................................... 92

Glossary of Terms ............................................................................................ 95About the Authors ........................................................................................... 99

1

Chapter 1Understanding Risk: Opportunities or Threat?

Overview

The goal of risk assessment and mitigation management is to mea-sure and assess risk events, with the ultimate goal of managing those risks. In practical terms, risk management is the process of minimizing, or miti-gating, risk events, starting with the identification and evaluation of such events and extending on to the optimization of the resources used to moni-tor and minimize it.

It is important that project managers have a total understanding of risk management, by familiarizing themselves with the principles of the risk management process. Under the Project Management Institute’s (PMI) Project Management Body of Knowledge (PMBOK), risk management falls into the arena of Project Planning. But over time, specific standards and methods have

2

been developed with respect to risk management best practices. Such methods of analysis have assisted those of us practicing risk management in establish-ing standard ways of identifying, assessing, and responding and managing risk events. These methods have also helped us practitioners to manage risks by avoiding, transferring, or reducing the impact of such risks, or by various other alternative solutions that will be discussed throughout this book.

In 2002, the U.S. National Institute of Standards and Technology (NIST) published a set of risk management best practices. According to the guide, risk management consists of risk assessments, risk mitigation, and ongoing risk evaluations and assessments. For instance, the risk assess-ment stage is where project managers identify and evaluate each risk, the impact these risks have on the organization, and any risk-reducing recom-mendations. The risk mitigation stage involves prioritizing, implementing, and maintaining appropriate risk-reduction measures that are recom-mended in the risk assessment process, while the ongoing risk evaluation and assessment stage asks that the organization continuously evaluate their risk management activities in reducing risks.

Generally speaking, any risk event is a result of uncertainty in a proj-ect, or process, including but not limited to uncertainties in the market place such as variations on demand, supply and the stock market, project failures, accidents, and natural disasters, to name a few. As we will discuss later in this

IMPACT ACTIONSSIGNIFICANT Considerable Management

RequiredMust Manage and Monitor

Risks

Extensive Manage-ment essential

MODERATE Risk are bearable tocertain extent

Management effort worth-

while

Management effort required

MINOR Accept Risks Accept but monitor

Risks

Manage and Monitor

RisksLOW MEDIUM HIGH

LIKELIHOOD

Table 1.1 - A sample template of a risk event analysis matrix

3

book, when dealing with risk analysis, a risk prioritization process should be followed whereas risks that pose the threat of great loss and have great probability of occurrence are dealt with first. Table 1.1 provides an example to this process, which can be useful in strategizing various risk scenarios.

As observed in Table 1.1, the two main variables to be analyzed in any risk assessment and mitigation process, which should govern the response actions required, are the probability of occurrence and the impact of the risk. For instance, let’s assume a risk event condition where the impact on the project is minor and the probability of it actually occurring is low. In such scenario the best course of action, risk mitigation, may be to accept the risk without any interventions. Conversely, however, a condition where the likelihood of a risk event occurring is high and the impact is significantly high as well, there might be a need for extensive risk management. The study of risk assess-ment and mitigation methods helps us understand how a certain priority can be established in dealing with the risk. Therefore, it is key to this process that we first understand what risks are, and what they are not.

What is Risk?

Risk, or better yet risk events, can be found in almost anything that we set out to do or accomplish in life, be it in business or our own personal lives. Think of a risk event as situation that can potentially have a negative impact on something, or a process, that is important, or of value to you. Risk events can be caused by an endless variety of factors. Since we cannot anticipate all risk events and mitigate every single one of them, it is impor-tant for us to devise methods to understand and analyze the severity of a risk, so we can decide how to effectively respond to it, from deciding to do nothing about it, or something, to not taking the risk at all. Hence, a risk event should always be analyzed for its probability of occurring, the higher the chance that a risk event will happen the higher the risk. Probability is then assessed in combination with loss.

As suggested earlier in this chapter, when it comes to project manage-ment, all types of risk can occur, such as knowledge risk, relationship risk or process-engagement risk. Unfortunately, as we already know, each of these risk events can have a huge impact on the productivity of your teams and

4

ultimately on the success of the project at hand. That said, it is also impor-tant to understand that not all risks can be avoided, nor should it, otherwise nothing would ever be accomplished in your lives, or projects, as risk events exists in every single task we are involved with, some higher, some lower, but they are always there, waiting to comply with Murphy’s Law, where anything that can go wrong, will! Our job is to identify and analyze these risk events, their potential outcomes, and decide when to allow the risk. Such analytical process of assessment, analysis, and mitigation causes us to follow a risk management cycle, as depicted in Figure 1.1.

As illustrated in Figure 1.1, there are four steps in the process of risk management, which will be discussed in details in later chapters of this book. In general terms, the first step is the assessment of risk events, followed by evaluation and management of the same. The last step is mea-suring the impact of such risk events.

Risk event identification, the first step, typically starts at the base or the surface level of a project. The key questions here is, what can go wrong? What can deviate from what has been planned? As we ask such questions we are also trying to identify the source of such risk events. By risk source we mean any cause, which could be either internal or external to the project at hand. External sources are often beyond our control while internal sources are potentially controllable, to a certain extent at least. For

Figure 1.1 - Risk Management Cycle

5

example, we cannot control an unexpected rain (external), but we can con-trol how we deal with it by carrying an umbrella (internal), etc.

After major risk events have been identified then it is time to assess the potential of criticality they present. Such analysis will require you to prioritize your risk events. In general terms, likelihood of occurrence × impact is equal to risk. After you have a good understanding of the risk events at identified, you will be required to develop a risk management plan and implementation of the same, which will comprise of the effective security controls and control mechanisms for mitigation of risk. It gores without saying that a challenging risk to any organizational effectiveness is a risk event that is present but cannot be identified.

Risk management process can minimize the chances and effects of bad outcomes in a project, and can accelerate an organization’s recov-ery from disasters. But this process does not suggest you need to avoid all risks, as there are always opportunities in risks, and insurance companies know this well and capitalize on it. It is, therefore, important that as part of your risk assessment and mitigation process you also understand and analyze the threat versus opportunity a risk event imposes on your project. The question here as depicted in Figure 1.2 is: Is this risk event imposing a threat to my project or an opportunity?

As illustrated in Figure 1.2, risk events have several dimensions. A risk event in itself is neither good nor bad. A risk with low probability

Figure 1.2 - Understanding risk threats and opportunities

6

of occurring and very low impact on a project in the event of it occurring may be insignificant enough to be ignored. Conversely, a risk with high probability of occurring with a high impact to the project may be worth not taken, or at least it may deserve to be hedged.

One of the main goals of risk assessment and mitigation process is, therefore, devise strategies that enables us to change the model, to change the threat versus opportunity correlation in a risk event, as depicted in Figure 1.3.

The following chapter will help you understand the process in ana-lyzing and mitigating this process in details.

Figure 1.3 - Changing the risk assessment model from threat into opportunity

7

Chapter 2Risk Management Theory and Practice

Overview

Risk is no longer a measure solely restricted to the financial world, where analysts monitor the risk of a financial investment. As stated in the previous chapter, anything that we endeavor in life has a risk factor asso-ciated with it. As technology has become an increasingly core aspect of world economies, risk management has come to the fore in recent years. Given the extreme importance of risk, it is inevitable that we must have a formalized theory and approach to the risk management process.

An organization that weaves risk management into its project man-agement process can be said to have a proactive approach to managing risk. Undoubtedly, such an organization will be better prepared to manage and mitigate risks in an increasingly volatile business environment and will have a more favorable outcome than an organization that crosses the bridge when the time comes. The irony here is that most executives these days acknowledge that there are known and unknown risks impacting

8

their businesses and projects but very few have a risk plan that they rigor-ously follow and follow-up on.

What is Risk Management?

Now that we recognize the inevitability of risk, we need to do some-thing to manage this uncertainty. The process of managing risk in a manner to maximize the probability of highest positive outcome is called risk man-agement. Risk management needs to be an integral part of project planning. It is not an isolated event that occurs that the start of the project during the initial planning phase. Business environments are always changing and tech-nology is changing at a much faster pace than the overall business. There-fore, risk management needs to be an ongoing process. More likely than not, risk management in another section of a business feeds into the project idea. Active risk management continues throughout the project life cycle. And risk management must continue even after the project has been successfully implemented. Also, risk management is not a task relegated to an isolated risk team. Risk management is just one aspect or one of the tasks under over-all project management that provides inputs during all the project steps.

The core concept of risk is that it is the probability of occurrence of an unfavorable outcome and the consequence of that outcome.

In other words, R = p x c

where,

R = Riskp = probability of unfavorable outcomec = consequence of unfavorable outcome

For instance, if a company expects that it could either has an out-standing year and achieves $100mn in revenue, or might not fare that well and just be able to garner $50mn in revenue. Both outcomes have equal probabilities of occurring. Here, there is a 50% probability of the firm los-ing $50mn in revenue. However, is that all that is at risk? Sadly, no. The

9

consequences of a negative outcome go far beyond the immediate mone-tary loss. The company might have had some projects in the pipeline that it can no longer fund. Therefore, the company is risking losing new revenue opportunities. The company might need to lay off employees to cut wages and salaries. This will impact the firm in that the firm might lose critical manpower and will have to make do with a smaller workforce. This will also impact the morale of the employees laid off and also of those that remain. The investors are not going to be happy about the much lower revenue and this will restrict access to capital for future projects. There-fore, when managing risk, it is imperative that both the immediate and future consequences of an unfavorable outcome are taken into consider-ation. Therefore, it can be said that the main purpose of risk management is not just preventing losses but also protecting a company such that it can go about its business as usual.

From the above equation, it can also be inferred that in general, if either the probability of occurrence or the impact or consequence of the occurrence increase, the risk increases. However, there is not a 1-to-1 rela-tionship between the increase in probability and/or consequence and risk. In other words, for every unit increase in probability and or/consequence, risk does not increase by the same amount. The impact on risk depends on the life cycle of the project. For instance, if a project fails very early on in its life, the risk is lower since not much has been invested into the project. However, as time passes and more resources are utilized the stakes increase.

A few important concepts to keep in mind when managing risk for a project are:

Appetite for risk• Categories of risk• Outcome of risk assessment•

Appetite for Risk

Just like not one model investment portfolio is suitable for all finan-cial investors, similarly, no one-risk management approach is suitable for all kinds of projects. Every project is unique in itself and must be viewed as such when devising risk management strategies for it. For instance, a proj-

10

ect that is not expected to result in a significant enhancement in revenues or productivity for a company might not be high on the priority list of the project management office. As such, the risk tolerance for such a project would be low. Similarly, a project that is expected to take the company to the next level would be a top-priority project for which the company would be willing to take risks.

Another important aspect to consider is the appetite for risk of the project manager. Some project managers are risk takers by nature and derive satisfaction from taking on highly risky projects and turning them around. Other project managers are risk averse and would not like to take on more risks than necessary. Yet another set of project managers make a more detached decision regarding projects. They have a more mathemati-cal approach and go by just what the numbers say.

The risk appetite of the firm has a final bearing on the risk appetite for the project. For instance, the firm might be in the process of issuing an IPO and all seems to be going as planned. At this point, the firm might not want to take on highly risky projects. This is because investors pun-ish companies more severely for failures than reward them for successes. Another example is that of a pharmaceutical company. Such companies derive maximum revenues from licensed drugs. Therefore, they spend a lot of money on drug research and are willing to embark on risky experi-ments to discover the break-through drug. On the other hands, firms that are very stable and have profit margins in the low single digits do not have much of an incentive to take on risky projects. The margin of error is low for them and they are unwilling to rock the boat when not required.

Figure 2.1 - Risk Categories

11

Categories of Risk

Risk to a project can arise from one of the following four categories listed in Figure 2.1.

Technical risks are the most obvious risks and exist for any technol-ogy project. This is because not all requirements can be penned to perfec-tion. Similarly, technological and interface complexities are hard to predict. Finally, quality is a subjective matter and there always exists the risk that quality standards of all stakeholders are not met.

External risks are toughest to manage for a project manager since these are factors that are not in the manager’s control. However, proactive planning and hedging can help the manager reduce the impact of external risks.

No project can be successful without the buy-in of the senior manage-ment. A project is dependent on the organization for funding, resources and prioritization. Finally, projects in general do not operate as silos. There could be some pet projects that work as independent entities within organizations. However, most of the projects are linked to other activities or projects within the organization, and this contributes to the risk associated with the project.

Finally, there are risks associated with the project management activities for the project. Gaps in planning, estimating, controlling and communication among project stakeholders will impact the project out-come and hence act as risks to the project.

Outcome of Risk Assessment

Based on the risk appetite of the organization and the project man-ager, the project manager has identified risks in the various categories that he needs to manage. Now what? The outcome of this risk assessment exer-cise is the risk management plan that the project manager owns. The risk management plan is integrated into the project plan. It elaborates on the two W’s and two H’s of risk management.

What• risk will be managedWho• will manage the risk

12

How• will the risk be managedHow• much will be spent on managing the risk

There are several risks impacting every project. Not all of them need to be managed. Some risks can be tolerated and some will need to be mitigated. Therefore, one of the main outcomes of risk assessment is iden-tifying which risks need to be mitigated or otherwise managed.

The risk management plan also identifies individuals or teams that will be assigned the responsibility of managing the risks and identifies tools that they will use to manage the risks. Finally, it will also outline the budget outlay for the various risk activities. Some risks might not be worth mitigating and the risk management plan will identify those risks.