Managing Project Risk

advertisement
Managing Project Risk
Description: Learn how to develop a portfolio approach to
identifying, analyzing, planning and controlling enterprise-wide
risks. The portfolio includes tools and techniques for dealing with
Internal Operations, External Factors, Relationships, and
Marketplace risks. Identify relationships among risks, business
processes, project development and project implementation.
Objectives: The student will:





Use the tools of project risk management
Apply risk identification techniques to your projects
Identity categories\portfolios of risk
Use risk assessment/analysis techniques
Make connections between enterprise-wide risk
management and project plans and implementation
Benefits: Learn how a comprehensive enterprise-wide risk
management portfolio can enable your project team to
proactively manage issues that could negatively affect the
successful control and completion of your project.
1
What is Project Risk Management?
DEFINITION OF A PROBLEM OR UNCERTAINTY: An
uncommon state of nature, characterized by the absence of any
information related to a desired outcome.
DEFINITION OF A RISK OR RISK EVENT: A discrete
occurrence that may affect the project for good or bad.
RISK FACTORS: When looking at risk, one should determine:
 The probability that it will occur (what)
 The range of possible outcomes (impact or amount at stake)
 Expected timing (when) in the project life cycle
 Anticipated frequency of risk events from that source (how
often)
RISK AVERSE: Someone who does not want to take risks.
RISK TOLERANCES: The amount of risk that is acceptable
(tolerance level). For example, a risk that affects our reputation
will not be tolerated, or a risk of a two-week delay is okay.
DEFINITION OF RISK MANAGEMENT: The process involved
with identifying, analyzing, and responding to risk.
2
Overview of Taxonomy Process
* The sample risk taxonomy that follows is the exclusive
property of XL Capital Insurance of Hamilton, Bermuda.
Customers and insurance practitioners alike tend to describe risk
according to that specific risk’s characteristics and source or
origin. In keeping with this traditional naming protocol the
following hierarchical risk taxonomy was developed to categorize
to forms of risk.
Using information drawn from multiple and overlapping sources,
individual types of risk were identified, cataloged, and assessed
for their meaning. Sources for this study included published
industry literature, survey research, and personal interviews. As
required, the risk descriptors were rephrased for clarity and
consistency. When this aggregating process was completed for
individual risk types, a combination of content analysis and
affinity analysis was conducted to create meaningful groups.
Based on the nature of individual risks comprising each group,
descriptive names were assigned each category. As a result of
this first level of analysis, 17 categories were identified.
1. Natural Catastrophes
2. Human Perils
3. Political and Legal
Influences
4. Technology
5. Operations
6. Finance
7. General
8. Strategic
9. Stockholder Relationships
10.
11.
12.
13.
14.
15.
16.
17.
3
Channel Relationships
Employee Relationships
Customer Relationships
Business Partner
Relationships
Image/Reputation
Market Offering
Competition
Market Dynamics
These 17 initial categories were further analyzed and grouped
according to their common linkages and characteristics to
establish overarching domains of business risk. In total, this
process established four fundamental domains of business risk.
These overarching domains and the risk categories comprising
each domain are illustrated below:
 EXTERNAL FACTORS
1. Natural Catastrophes
2. Human Perils
3. Political and Legal Influences
 BUSINESS OPERATIONS
1. Technology
2. Operations
3. Finance
4. General
5. Strategic
 RELATIONSHIPS
1. Stockholder Relationships
2. Channel Relationships
3. Employee Relationships
4. Customer Relationships
5. Business Partner Relationships
 MARKET PLACE
1. Image/Reputation
2. Market Offering
3. Competition
4. Market Dynamics
4
EXTERNALITIES
POLITICAL LEGAL/REG.
Legislative change- interpret of regulations
HUMAN
NATURAL
Theft
Explosion
Punitive damages fines and penalties
Product/idea piracy
Fire
Currency conversion difficulty/non-conversion
Piracy
Economic Downturn
New legislation
Political terrorism
Earthquake
Shipment quarantine
Terrorism (bomb explosions)
Floods or mudslides
Change in import/export regulations/laws
Civil unrest war
Hurricane, tornado, wind
Foreign trade constraints boycotts/ embargoes
Hijacking
Volcanic eruption
Difficulty/ inability to gain export license
Kidnapping & ransom
Loss of utilities
Change in political leadership
Water
Change in reg. enforcement posture
Lightning
Environmental loss or damage
Frost or freezing
Antitrust fair trade issues
Legislative/ regulatory slowdowns of market
offering
Inadequate copyright patent IP protection
Change in Account code
Non-compliance with legal relations
Extension of taxing authority
Change in tax laws
Wage and Price controls (non-domestic)
Expropriations
Unexpected change in leadership
5
TECHNOLOGY
Changing technology
standards
Not having access to/or
properly using information
Unreliable information
systems
Inadequate information on
systems
Unethical sharing of
information-insider trading
Technology vandalism
OPERATIONS
Inventory shrinkage
Missed opportunities to
upgrade technology
Failure to keep pace
(technology advances)
Lack of viable
technology substitute
(over tie)
Year 2000
Resource dependencies
(availability supply)
Business interruption
Volatility in computer
systems and storage
devices
Inventory obsolescence
Mechanical breakdown
Inadequate transportation
Inadequate quality control
Inadequate cycle time
BUSINESS OPERATIONS
FINANCE
GENERAL
Fluctuation in financial
Automotive and truck liability
markets
Credit downgrade/credit
Unfunded liabilities
risks
Currency fluctuations
Special event liability
(foreign)
Exchange control
Miscellaneous liability
regulations
Interest rate flux
Public liability
STRATEGIC
Lack of vision, direction, focus
Inadequate succession planning
Misaligned organizational
structure
Inadequate capacity of meet
market demands
Too much capacity for market
demands
Inadequate facilities
Inadequate asset write
downs
Losses due to merger and
acquisitions
Cost of capital
Property loss or damage
Wage and price control
Owned and non-owned
property
Stock Elasticity
Injury liability to nonemployees
Retroactive liability
Inadequate budgeting
General liability
Inadequate business recovery
capability due to poor planning
Premises liability
Loss of freight or cargo
Excessive risk to return
ratios
Low/lack of liquidity
Inadequate risk financing
Inadequate internal processes and
controls
Inadequate resources allocation
and planning
Inadequate financial information
systems
Poor financial management
Incomplete inaccurate financial
information
Takeover targets/unfriendly
hostile takeover
Inadequate cash flow
Misapplication of financial
products
Mishandling of funds
Unrecognized deferred tax
liability
Improper
reinvestment/rollover
Undercapitalized
Fiduciary duties
Fluctuation in raw material
prices
6
STOCKHOLDERS
CHANNEL MEMBERS
Insider holding liabilities Default on delivery by a
supplier
Unrealistic investor
Losing confidentiality
expectations
within the channel
Wrongful acts and
Declining health/stability
misstatements
of resellers
Gaining/losing access to
distribution
Wrongful acts and
misstatements
Shipment holdup/delays
RELATIONSHIPS
EMPLOYEES
Unrealistic commitments,
entitlements, or promises
Employee defections to
competition
Inequitable employee benefits
Inadequate compensation
packages
Misaligned employee-employer
workforce skills
Embezzlement
Channel conflict
Breaches in confidentiality
External service
dependencies
Inadequate financial
strength of business
partners
Poor/inadequate
agreements within channel
Low commitment from
channel members to
manufacturing
Customer alienation due to
partnerships
Liabilities from alliances
and partnership joint
profiles
Misalignment of business
systems with partners
Not meeting contractual
commitments
Loss of a key supplier
Cultural mismatch and
conflict
Conflict of interests
Loss of control to business
partners
Liability for business
partner actions
Implications of partnering
Sexual harassment
Choosing the wrong
business partner for joint
venture or strategic
alliance
Liabilities from at-will
employment
Poor/non-standard workplace
safety practices
Labor strikes and work
slowdowns
Employee dissatisfaction
Employee dishonesty
Inadequate employee
compensation
Employee injury on job
Discrimination in
employment practices
Improper/wrongful termination
Contractual liabilities
Lack of experienced employees
Inadequate staffing
Inadequate recruiting
and hiring practices
Wrongful acts and misstatements
7
CUSTOMERS
BUSINESS PARTNERS
Customer not paying bills Lack of performance by outsource
vendor
Wrongful acts and
Vicarious liability from vendors
misstatements
and contractors
Unmet customer
Lack of control over outsource
expectations
vendor
Customer going bankrupt Misalignment with business
partners
Contractual
Wrongful acts and misstatements
commitments/liabilities
Tenant/neighbor liability Contractual liability
MARKET PLACE
MARKET DYNAMICS
Single market dependence
MARKET OFFERING
Product liability
Demands of multiple markets
COMPETITIVE
IMAGE
Violations of Intellectual Property rights Product recall
by others
Copyright & patent infringement by
Unkempt business promises
others
Competitor litigation
Unethical business practices
Capturing market share
Competitor collision
Lack of business integrity
Inadequate/poor product support
Inadequate/misaligned research and
development
Excess industry dominance "Goliath"
Competitor products = higher quality
False advertising
Poor pricing practices
Competitor price competition
Poor eroding public image
Unrealistic product business mixes
Poor perceived corporate citizenship
Decreasing brand equity
Being ahead of the market
Poor timing in distribution/transportation Competitor actions
Advertising problems
Competitive espionage
Product misaligned with product
needs/expectations
Unplanned product/customer support
Unexpected shifts in market
Product development/market place
complacency
Buyer changes product order mix
Easy entry into restricted markets
Product life cycle
Access to global markets
Single product dependence
Shifts in market demand factors
Co-dependency of products
Misaligned marketing strategies
Sub-par product quality
Market customer crisis
Cannibalization of products in line
Product deception on false advertising
Errors & omissions
Our firm: violation of copyright and
patent
Excessive product development time
(time to market)
Unrealistic promises
Express & implied warranties
9
Definitions of Risk Categories
EXTERNAL FACTORS: The business problems and exposures in this category
are the result of phenomena that lie outside the immediate realm of the company’s
direct influence or control. Although the analysis and management of these
problems is the responsibility of the company, by definition they originate from
sources that are removed from the specific activities and operations of the
company. Nevertheless, exposure to these external factors effects how
management makes decisions regarding internal operations. Additionally, the
subcategories may establish constraints within which the company must operate.
These external factors have been classified within three subcategories:
1. Political and Legal Regulations
2. Human Perils
3. Natural Catastrophes
INTERNAL OPERATIONS: This category encompasses the uncertainties
associated with a company’s functional business processes and systems. It
manifests the risks and exposures related to the various functional activities
comprising the business’s operations. These uncertainties reflect today’s intensely
competitive market that expects innovative products, exceptional quality, and short
cycle-times at the same time that it demands low costs. The functional business
processes and systems are the vehicles through which the organization collects and
uses information, conceptualizes customer needs and expectations, and generates
relevant value-added solutions that it offers in the marketplace. These functional
risks and uncertainties have been classified into five subcategories:
1.
2.
3.
4.
5.
Technology
Operations
Finance
General
Strategic
RELATIONSHIPS: Relationship risks pertain to the various stakeholders that
organizations serve and/or maintain relationships with in the course of conducting
business. While including the more traditional risks inherent in dealing with
second and third parties, this category also embodies the uncertainties associated
with the expanded business paradigms of supply chain management and strategic
partnering. This extended perspective of organizational stakeholders reflects the
diverse risks and uncertainties associated with the complex of multiple
interrelationships between an enlarged set of network members. These
uncertainties must be effectively addressed if the network is to perform and
maximize the mutual benefits for all parties. Five subcategories of relationships
with the inherent risks have been identified:
1.
2.
3.
4.
5.
Stockholders
Channel Members
Employees
Customers
Business Partners
MARKET PLACE: The Marketplace category comprises the set of potential
business problems and exposures related to the firm competing in its chosen
market(s). Key issues in this category pertain specifically to the process of
managing the market offering(s) of the firm in the marketplace (including planning
and positioning), competitive forces and marketplace activities, and the dynamics
of continual change in customer expectations. This category of risks carries a high
level of importance due to increasingly dynamic trends in markets, evolving
business strategies, and intensifying competition. These risks directly affect the
firm’s competitive position and performance outcomes (e.g., sales, market share,
profitability, brand equity, and customer satisfaction). Marketplace risks have been
further organized into the following four subcategories:
1.
2.
3.
4.
Image/Reputation
Market Offering
Competition
Market Dynamics
Definitions Of Risk Sub-Categories
1. Natural Catastrophes. This subcategory addresses a variety of phenomena that
produce a simultaneous occurrence of a peril affecting a large number of
people. They can be violent disturbances or destruction by any means directly
related to physical influences of the environment.
2. Human Perils. Human Perils are those exposures and problems that result from
individual carelessness or intentional wrongdoing by people external to the
organization (non-employees). The situation is dangerous when individuals
11
deliberately seek to endanger the well being of the organization or individuals
within the organization.
3. Political and Legal Regulations. The risks in this subcategory pertain to laws
or regulations that govern the conduct, behavior or actions of the company’s
operations. Procedures or activities of the company may be modified based on
the conditions set forth by these influences.
4. Technology. Several risks are associated with the use of technological
equipment, support mechanisms, or information systems. Costs or risks may be
associated with the failure to update or reconstruct obsolete equipment and/or
systems. Technological systems can include developments in gene technology,
artificial intelligence, telecommunications, medicine, manufacturing and
production, global energy resources, environmental issues, military and defense
systems, etc. Therefore, technological risks are those risks that comprise the
man-made means used to fulfill human needs and desires in order to solve
specific problems in a given setting.
5. Operations. Exposures to risk in the Operations subcategory are associated
with the fundamental functional activities required for the production of goods
and services. The Operations subcategory also includes the operational aspects
of the organization.
6. Finance. This subcategory comprises the problems and losses associated with
the acquisition, management, and utilization of organizational funds. One
source of financial risk for companies pertains to volatility and fluctuations in
financial markets and phenomena related to how financial markets operate.
Another source of financial risks is associated with the process of managing the
firm’s funds, capitalization, and cash flow.
7. General. Some exposures tend to be generic across different businesses and
pervasive across the different functions within an organization. These
uncertainties are related to how the company carries out its day to day
operations, maintaining its existence, and running the organization. Examples
of these General risks include fleet operations, general business liability and
property loss or damage.
8. Strategic. Several risks are associated with problems that impact the
performance of a firm and stem from the long-range and complex decisions
about products, markets, processes, and facilities. Specifically, the risks in this
12
subcategory fall under inadequate strategic planning and structural and cultural
mismatches and misalignment.
9. Stockholder Relationships. Risks in this subcategory relate to difficulties in
dealing with stockholders and the risks that can impact the organization’s
bottom line and ability to raise funds. Examples include improper trading and
investment practices and mismanaging investor communications.
10.Channel Member Relationships. This subcategory comprises inefficiencies
and potential losses arising out of the organization’s role within a channel of
distribution. Problems relate to the firm’s relationships with suppliers and
down-line channel intermediaries (e.g., wholesalers, brokers, distributors,
retailers) used to access end users of the firm’s products.
11.Employee Relationships. Risks associated with employee relationships include
the direct and indirect exposures resulting from employing others. Direct risks
include the traditional forms of employment practice exposures. Other
uncertainties are more indirect and deal with issues such as selecting and hiring
the right individuals in line with the company’s needs, influences on employee
satisfaction, and even individual productivity issues.
12.Customer Relationships. This subcategory includes the risks and uncertainties
associated with creating and nurturing effective business relationships with
customers who buy the firm’s goods and services. These uncertainties center on
selecting the right customers, understanding and responding to their
expectations, and collecting funds related to the exchange of goods and
services.
13.Business Partner Relationships. Effective partnering relationships with
constituents (other than stockholders, direct channel members, employees, and
customers) are important for maximal business performance. These
relationships commonly take the form of partnerships, alliances, and outsource
vendor relationships that expose the company to a different group of risks and
uncertainties.
14.Image/Reputation. The Image/Reputation risk subcategory pertains to
perceptions held about a firm or industry by various relevant constituent groups,
especially customers and potential customers, shareholders, and employees.
These risks effect how the firm interacts with its customers and society.
13
15.Market Offering. A number of problems, expenses, and potential losses
constitute risks associated with the conception, design, support, life cycle,
advertising, warranties, and recalls of goods and services by an organization to
its customers. These risks are impacted by how the firm packages price,
product/service, and non-product/service benefits to meet the customer's price,
product/service, and non-product/service needs.
16.Competition. This subcategory addresses risks that stem from the competitive
acts of other organizations vying for the same market and customers. The risks
in this subcategory are the outcomes of competitor conduct and behavior to
seek value-added relationships that drive value in such a way that a competitive
market advantage is attained. The Competition subcategory contains eight
specific risk types:
17.Market Dynamics. This subcategory addresses uncertainties associated with
operating in a marketplace characterized by ever changing customer
expectations and needs. Key issues in this subcategory that can create
uncertainties include industry structure and size, fluctuations in demand and its
determinants, and economic and policy issues that affect how markets function.
BUSINESS PROCESS DEFINITIONS
This section introduces a generic list and description of business processes. The
classification system is intended to be comprehensive and general, reflecting the
wide variety of business processes that are inherent in any organization. The
business process classification presented below is rooted in a hierarchy that breaks
down an organization in terms of its various functional areas and activities. This
hierarchy is as follows:
 Functional Business Unit
 Business Processes
 Supporting Activities
 Supporting Tasks
 Supporting Steps.
14
Each level in the hierarchy is a subset of the level above it. Each level is defined
below. Then definitions of the 27 business processes are provided.
KEY HIERARCHICAL DEFINITIONS:
A Function Business Unit represents a major group of business processes, which
together completely support a stand-alone unit. A Functional Business Unit is
static in nature, and has no definite beginning or ending points. Examples of
Functional Business Units include Procurement, Asset Management, Human
Resources and Finance Management.
A Business Process is a description of a series of Supporting Activities or subprocesses that together produce a tangible result, usually in support of a function. It
manipulates (transforms, controls or manages) information and/or physical things
in the business. It is typically described in terms of its inputs, outputs, and/or
controls and can be composed of additional processes. An example of a Business
Process would be Procure Raw Materials, which supports the overall Business
Function of Procurement. Another example would be Recruit & Hire Employees,
which supports the overall Business Function of Human Resources.
A Supporting Activity or sub-process is a breakdown of a Business Process and
represents a specific activity within the process. An example of a Supporting
Activity within Procure Raw Materials would be the creation of a Purchase Order.
On the Recruit & Hire Employees side an example of a Supporting Activity
would be to make a job offer and negotiate details.
A Supporting Task is a step involved in performing a specific Supporting
Activity and is a subset of an overall Business Process. An example of a
Supporting Task would be the creation of a Purchase Order for a consumable
versus stock item. Using a Payroll example for a Supporting Task would be
paying employees by direct deposit versus generating a check. Steps in a
Supporting Activity are defined to the transaction level, (which become business
steps).
A Supporting Step walks one through a Supporting Activity and identifies the
decision points one will have to make to complete the task. This really defines the
flow of how one will do a job.
15
BUSINESS PROCESS DEFINITIONS
1. Establish & Manage Information Systems – The selection of standards or
protocols used for communicating knowledge from one person to another,
such as by simple verbal communication, punched-card systems, optical
coincidence systems based on coordinate indexing, and completely
computerized methods of storing, searching, and retrieving information.
2. Gather & Evaluate Market Information - The gathering and evaluation of
data concerned with the past, present, or future attributes of potential or
existing consumers of a product or service.
3. Develop Market Communications - The organization's ability to share
information internally as well as with its suppliers and customers.
4. Develop Business Strategy - The organizations commitment to routinely
leveraging resources by: partnering, entering new markets, accessing global
resources, developing, achieving, and protecting core competencies,
streamlining supplier relations, reducing risks of innovation, and leveraging
investment dollars.
5. Market & Sell Product &/or Services - To sell the organization's products
or services, to enhance customer satisfaction by building long-term
relationships, and to provide sales and market information to other internal
departments within the organization.
6. Develop Product Requirements & Design – A document that specifies the
requirements for a system or component. Typically included are functional
requirements, performance requirements, interface requirements, design
requirements, and development standards.
7. Develop Customer Relations - The communication mechanisms by which
an organization interacts with its customers. Customers may be internal or
external to the parent organization and may or may not be the end user of the
product or service. A financial transaction is not necessarily implied. The
individual or organization that specifies and accepts the project deliverables.
8. Price Products &/or Services - Pricing is the critical element in achieving a
profit and is a factor that all firms can control. Before setting your prices,
16
you must understand your product's market, distribution costs, and
competition. Every service has different costs. By analyzing the cost of each
service, prices can be set to maximize profits and eliminate unprofitable
services. Material, labor and overhead make up the total cost of any product
or service.
9. Forecast Sales, Revenues, & Income – The procedures for extrapolation of
future characteristics of organizational product or service sales in terms of
expected or potential income.
10.Build Prototype Products – The processing, fabrication, assembly, and
production of a model suitable for use to evaluate a products form, design,
and performance.
11.Develop Supplier Relationships - An integrative approach for planning and
controlling the flow of goods and information through a distribution channel
from suppliers to end-users. Generally, several independent firms are
involved in the activities from manufacturing a product to placing it in the
hands of the end users. The network through which these firms pass goods
and simultaneous information can be referred to as a supply chain or
network. Supply chain members can include customers, suppliers, carriers,
vendors, distribution centers, and other third parties.
12.Procure Raw Materials - to obtain or secure a crude, or unprocessed or
partially processed material used as feedstock for a processing operation; for
example, crude petroleum is the raw material from which Naphtha is
obtained; naphtha is the raw material from which benzene-toluene-xylene
aromatics are obtained.
13.Procure and Support Capital Equipment – Obtain, secure, and provide
for the maintenance of equipment spent for long-term additions or
improvements and charged to a capital asset account.
14.Plan Production Systems and Controls – The procedure for planning,
routing, scheduling, dispatching, and expanding the flow of materials, parts,
subassemblies, and assemblies within a plant, from the raw state to the
finished product, in an orderly and efficient manner.
15.Manage Incoming Materials - A material inventory system is designed to
provide management with information for making managerial decisions
17
regarding production, sales, and demand trends. By maintaining a current,
up-to-date plant material inventory, problems arising from overselling or
unsold products can be minimized.
16.Assemble Products - A unit containing the component parts of a
mechanism, machine, or similar device. A mass-production arrangement
whereby the work in process is progressively transferred from one operation
to the next until the product is assembled. The technique used to assemble a
manufactured product, such as hand assembly, progressive line assembly,
and automatic assembly.
17.Fabricate Materials – The manufacture of parts, usually structural or
electromechanical in nature. The assembly of parts into a structure.
18.Manage Inventories - The systematic management of the balance on hand
of inventory items, involving the supply, storage, distribution, and recording
of items.
19.Ship Products - The activities involved in transferring products to other
members of the distribution channel or to the end user. These include the
acquisition of an outsource shipping vendor or scheduling a company owned
fleet, handling logistics associated with moving products from
inventory/holding to the loading area, loading, and actual transportation.
20.Resolve Customer Complaints - The organization's ability to listen to its
customers, to analyze their complaints, and take corrective action.
21.Perform Field Service - Activities related to routine and non-routine
maintenance, upgrades and repair of products in a field setting. These
activities involve technical and support personnel and include the actual
service work as well as scheduling, record keeping, and follow-up.
22.Repair Field Returns - Routine and non-routine service, maintenance, and
repairs performed in-house for products returned form customers. Activities
include the actual repair work.
23. Manage Cash Flow - The organization's ability to effectively regulate cash
flow. The four key measures are forecasting and planning, money
mobilization, investment of surplus cash, and the use of banks and other
short-term sources of cash.
18
24.Evaluate and Report Performance - Entails acquiring regular customer
feedback by tracking actual performance along the measurement dimensions
described in your organizational goals. Feeding back performance data to
relevant subsystems, taking corrective action if performance is off target,
and resetting goals so that the organization is continually changing to
internal and external reality.
25.Recruit & Hire Employees - Activities in the Human Resource/Personnel
business function focusing on the acquisition of new hires. These activities
include writing job descriptions, assessing appropriate communications
media, screening applicants, conducting interviews, and making job offers.
26.Develop Employees - An ongoing procedure related to the education and
training of employees.
27.Manage and Support Facilities - Activities analogous to upkeep,
maintenance and remodeling of physical facilities and property. Includes
planning and staffing.
Inputs To Risk Management
What is needed in order to begin the risk management process?
Project
background
information
Historical
information
Past lessons
learned
Project charter
Scope statement
Team
Stakeholders
WBS
Network diagram
Detailed enough information about the project, what other companies are
doing, articles and other such information will help you identify more risks
Depicts or illustrates risks from past projects
Will tell you what past teams would do if they could do their projects again
Will help you identify, mitigate and manage risks on your project
Helps you see if the overall project objectives are generally risky or not
Helps identify risks based in what is and what is not included
Tells you the complexity of the project and helps you compare your team’s
knowledge and experience to what is required
The project manager cannot identify all the risks alone. A group approach
and the ability to split up risk management activities make the risk
management process more accurate and timely.
They will be able to see risks that the team cannot. Their involvement
helps continue proper stakeholder management
Risks are identified by task as well as by project
Shows path convergence (where paths converge) and thus helps to better
analyze the risks of each task
19
Cost and time
estimates
Staffing plan
Organizational
policies and
templates
High-level time and cost requirements help identify time and cost risk.
They are an input to risk management planning and an output of risk
management planning at the detail or operational level.
Helps you understand what resources are available
Provides a foundation or standardization for your risk activities
There is a strong connection between contracts (or procurement) and risk.
One of the ways to mitigate risk may be to have certain terms and
Procurement plan conditions added to a contract or to have the entire risky work outsourced.
You would give it to someone for whom it is less risky, and thus less costly
Knowing where and how much risk tolerance stakeholders have helps
Stakeholder risk
identify the impact of risks and which risk mitigation techniques you
tolerances
would use
The Risk Management Process
This is an important topic. The risk management process includes six steps:
1. Risk Management Planning
2. Risk Identification
3. Qualitative Risk Analysis
4. Quantitative Risk Analysis
5. Risk Response Planning
6. Risk Monitoring and Control
STEP 1: RISK MANAGEMENT PLANNING
Defined as “deciding how to approach and plan the risk management activities for
a project.” The project manager, team, customer, stakeholders, experts and others
will review any templates and procedures that exist for risk management,
determine how risk management will be handled on the current project and
develop the risk management plan. Therefore, risk management should be
adjusted to the size, complexity, experience, skill level, etc., of the project and
not done with just a standardized checklist.
20
A RISK MANAGEMENT PLAN: Defines how the risk process will be structured
and performed during the project life cycle.
A risk management plan includes the following:
 Methodology
 Roles and responsibilities- non-team members may be included
 Budgeting for the risk management process
 Timing- how often the risk process will be performed throughout the
project
 Scoring and interpretation
 Thresholds – a method to determine which risks will and will not be
acted upon
 Reporting formats
 Tracking
Because a risk management plan contains budget and schedules, it is an
input to schedule development and cost budgeting
STEP 2: RISK IDENTIFICATION
Defined as determining which risks might affect the project and documenting their
characteristics. All stakeholders as well as experts from other parts of the company
or outside the company may be involved in identifying risks. Sometimes, the core
team will begin the process and then the other members will become involved,
making risk identification a highly repetitive or iterative process.
Smart project managers begin looking for risks as soon as a project is first
discussed. However, the major risk identification effort occurs during planning.
Risk identification cannot be completed until a WBS has been created and the
project team knows “what is the project.” Risks may be identified at the beginning
of the project, during each project phase and before approval of a major scope
21
change. Risks may also be identified during all phases of the project including
initiating, planning, executing, controlling and closing. In other words, although
the major risk identification effort occurs at the onset of the project, risks should
continue to be identified throughout the project.
RISK CATEGORIES: Risk categories are lists of common categories of risk
(sources of risk) experienced by the company or on similar projects. Such a list
may be an input to risk identification, but using such a list of categories is not the
entire risk identification process. The categories help analyze and identify risks on
each project.
A prior version of the PMBOK included another way to classify risks.
 External - regulatory, environmental, government, market shifts
 Internal - time, cost, unforeseen conditions, scope changes,
inexperience, poor planning, people, staffing, materials, equipment
 Technical - changes in technology
 Unforeseeable - only a small portion of risks (some say about 10%)
are actually unforeseeable
If you look at categories of risks as “where do risks come from,” sources of risks
might be different then the list above. Below are some examples of risk.
 Schedule risk – “The hardware will arrive later than planned
causing a delay in task XYZ of three days.”
 Cost risk – “Because the hardware will arrive later than planned,
we may need to extend our lease on the staging area at a cost of
$20,000.”
 Quality risk – “The concrete may not dry before winter weather
sets in causing us to not meet our quality standard for concrete
strength.”
 Performance or scope of work risk – “We might not have correctly
defined the scope of work for the computer installation. If that
proves true we will have to add tasks at a cost of $20,000.”
22
 Resource risk – “Dan is such an excellent designer that he may be
called away to work on another higher priority project. This will
cause our schedule will slip between 100 to 275 hours.”
 Customer satisfaction (stakeholder satisfaction) risk – “There is a
chance that our customer will not be happy with the XYZ
deliverable and not tell us, causing at least a 20% increase in
communication problems.
INFORMATION-GATHERING TECHNIQUES
Below are several methods to identify risk:
 Brainstorming: Usually done in a meeting where one idea helps
generate another
 Delphi technique: A multi-session data gathering technique
 Interviewing: Also called expert interviewing. Consists of the team or
project manager interviewing an expert to identify risks on the project
or a specific element of work
 Strengths, weaknesses, opportunities and threats analysis: An analysis
that looks at the project to identify its strengths, etc. and thereby
identify risks.
TYPES OF RISK: Risks can be classified under two main types:
 Business – Risk of a gain or loss
 Pure (insurable) Risk – Only a risk of loss (e.g. fire, theft, personal
injury)
OUTPUTS FROM RISK IDENTIFICATION
 List of individual risks your organization is susceptible to.
 Risk Triggers – warnings signs or alerts. A project manager should
determine what are the early warning signs (indirect manifestations of
23
actual risk events) for each risk on a project so that they will
understand when to take action.
STEP 3: QUALITATIVE RISK ANALYSIS
Is a subjective analysis of risks to:
 Determine which risk events warrant a response
 Determine the probability and impact of all risks identified in step 2,
in a subjective manner
 Determine which risks to analyze more fully in risk quantification or
to skip risk quantification in favor of going directly to risk response
planning. (This decision depends on many factors, including the
importance of the project and the potential effect of the project on the
performing organization.)
 Document non-critical, or non-top risks
 Determine the overall ranking of the project
PROBABILITY AND IMPACT: One of the ways to help rank risks is to analyze
the probability of a risk occurring and the effect (or impact or consequences) of the
risk on the project.
 Determine the probability of each risk occurring – usually in the form
of taking an educated guess (e.g. Low, Medium, High or 1 to 10)
 Determine the consequences (amount at stake, or impact) of each risk
occurring –in the form of taking an educated guess (e.g., Low,
Medium, High, or 1 to 10)
ASSUMPTION TESTING: What assumptions have been made? Before the
project manager can use the risk information collected, assumptions made must be
identified and tested. Too many unknown guesses make the data unreliable.
DATA PRECISIONS RANKING: How well is the risk understood? What is our
extent or level of understanding regarding the risk?
 Data available about the risk
 Quality of the data
 Reliability and integrity of the data
24
RISK RATING MATRIX: In order to sort or rate risks so determination can be
made as to which risks will move on through the risk process, a risk rating matrix
may be used. Such a matrix results in a consistent evaluation of low, medium, or
high (or some other scale) for the project and for all projects, an improvement in
the quality of the data and the risk process being more repeatable between projects.
OUTPUTS FROM QUALITATIVE RISK ANALYSIS: The results of qualitative
analysis of the risk of a project may include:
 Risk rating for the project
 List of prioritized risks
 List of risks created for additional analysis in risk quantification or risk
response planning
 Non-critical or non-top risks are documented now for the purpose of
being revisited later during risk monitoring and control
Risk Qualification also assists with the following:
 The project can be compared to the overall risks of other projects
 The project could be selected, continued or terminated
 Resources could be moved between projects
 A full benefit/cost analysis of the project may be able to be completed
 Trends in project risk identified if risk qualification is repeated
STEP 4: QUANTITATIVE RISK ANALYSIS
Is a numerical analysis of the probability and consequences (amount at stake or
impacts) of the highest risks on the project to:
 Determine which risk events warrant a response
 Determine overall project risk (risk exposure)
25
 Determine the quantified probability of meeting project objectives – e.g.
“We only have an 80% change of completing the project within the six
months required by the customer: to “We only have 75% chance of
completing the project within the $80,000 budget.”
 Determine cost and schedule reserves
 Identify risks requiring the most attention
 Create realistic and achievable cost, schedule or scope targets
Risk quantification involves the following activities:
 Further investigation into the highest risks on the project
 Determine the type of probability distribution that will be used – e.g.
triangular, normal, beta, uniform, or log normal distributions
 Interviewing experts
 Sensitivity analysis – determining which risks have the most impact on
the project
 Monte Carlo simulation (simulation) – described later
 Decision tree analysis – described later
EXPECTED MONETARY VALUE (OR ECPECTED VALUE): Is the product
of two numbers, probability and consequences (impact or the amount at stake).
Questions can ask, “What is expected value of a task or of a series of tasks?”
Expected value questions can also be asked in conjunction with decision trees.
EXERCISE: Test yourself! Complete the following chart.
Task
A
Probability
20%
Consequences
US $200,000
B
30%
US $90,000
C
68%
US $100,000
Expected Value
US $40,000
US $27,000
US $68,000
26
DECISION TREE: Know the following:
 A decision tree takes into account future events in trying to make a
decision today.
 It calculated the expected value (probability times consequences) in more
complex situations than the expected value previously presented
 It involves mutual exclusively
EXERCISE:
A company is trying to determine if prototyping is worthwhile on the project. They
have come up with the following consequences of whether the equipment works or
fails when it is used. Based on the information provided below, what is the
expected value of your decision?
Prototype:
Setup cost $200,000
Failure: 35% probability and
$120,000 impact
Pass: no impact
Failure: 70% probability and
$450,000 impact
Do Not Prototype:
Setup cost $0
Pass: no impact
Answer: if one just looks at the setup cost of prototyping is would seem like an
unwise decision to spend money on prototyping. However, the analysis proves
differently. Taking into account only one failure, the decision is that it would be
cheaper to do the prototyping. The answer is US $242,000, or to prototype.
27
Prototype
Do not
prototype
35% x US $120,00 = US $42,000 plus $200,000 =
$242,000
70% x US $450,000 = US $315,000
MONTE CARLO SIMULATION: this simulation “performs” the project many
times, uses the network diagram, and estimates to simulate the cost or schedule
results of the project.
Monte Carlo Simulation:
 Evaluates the project, not the tasks
 Provides the probability of completing the project on any specific day,
for any specific amount of cost
 Provides the probability of any task actually being on the critical path
 Provides a percent probability that each task will be on the critical
path
 Takes into account path convergence (places in the network diagram
where many paths converge into one task)
 Translates uncertainties into impacts to the total project
 Can be used to assess cost and schedule impacts
 Is usually done with a computer-based Monte Carlo program because
of the intricacies the calculations
 Results in a probability distribution
OUTPUTS FROM QUANTITATIVE RISK ANALYSIS: When completed,
quantitative risk analysis results in:
 Prioritized list of quantified risks
 Forecasts of potential project costs or schedule
28
 Listing of the possible project completion dates and costs with their
confidence levels
 Probability of achieving the required project cost or schedule objectives
 Trends in risk as risk qualification is repeated through the project
 Documented list of non-critical, non-top risks
STEP 5: RISK RESPONSE PLANNING
This step involves figuring out - What are we going to do about it? It involves
finding ways to make the negative risk smaller or eliminate it entirely, as well as
finding ways to make positive risks more likely or greater in impact. All risk on a
project cannot be eliminated. During this step:
 Strategies are agreed upon in advance by all parties
 Primary and backup strategies are selected
 Risks are assigned to individuals or groups to take responsibility
 Strategies are reviewed over the life of the project for appropriateness as
more information about the project becomes known
RISK OWNER: Each risk must be assigned to someone who will help develop the
risk response and who will be assigned to carry it out or “own” the risk. The risk
owner is then free to take predetermined action when risks occur, resulting in faster
action and less cost, time and other impacts on the project.
RISK RESPONSE STRATEGIES: developing options and determining actions to
enhance opportunities and reduce threats. This may involve changing the planned
approach to completing the project – e.g. changing to the WBS, quality plan,
schedule and budget. These strategies cannot eliminate all risk. In each case,
communication of risks and strategies is necessary as apart of the strategy.
29
The choices include:
 AVOIDANCE – eliminate the threat by eliminating the cause
 MITIGATION - reduce the probability or the consequences of an adverse
risk and increase the probability or consequences of an opportunity
 ACCEPTANCE – Do nothing and say “if it happens, it happens” Active
acceptance may involve the creation of contingency plans and passive
acceptance may leave actions to be determined as needed. A decision to
accept a risk must be communicated to stakeholders.
 TRANSFERENCE (DEFLECTION, ALLOCATION): Make another
party responsible for the risk though purchasing of insurance,
performance bonds, warranties, and guarantees or outsourcing the work.
Here is where the strong connection between risk and procedure (or
contracts) begins. One must complete risk assessment before a contract
can be signed! Transference of risk is included in the terms and
conditions of the contract.
When selecting risk strategies, it is important to remember:
 Strategies must be timely
 The effort selected must be appropriate to the severity of the risk – avoid
spending more money preventing the risk than the impact of the risk
would cost if it occurred
 One response can be used to address more than one risk
 Involve the team, stakeholders and experts in selecting a strategy
Description of strategy
Remove a task from the project
Assign a team member to visit the seller’s
manufacturing facilities frequently to learn about
a problem with delivery as early as possible
Notify management that there would be a major
30
Name of risk response
strategy
Avoidance
Mitigation of the impact
Acceptance
increase if a risk occurs because no action is
being taken to prevent the risk
Remove a troublesome resource from the project
Provide a team member who is less experienced
with additional training
Train the team on conflict resolution strategies
Outsource difficult work to a more experienced
company
Ask the client to handle some of the work
Decide to prototype a risky piece of equipment
Avoidance
Mitigation of the
probability
Mitigation of the impact
Transference
Transference
Mitigation of the
probability
OUTPUTS FROM RISK RESPONSE PLANNING
INSURANCE: a response to certain risks such as fire, property, or personal
injury (e.g. pure risks) is to purchase insurance. Insurance exchanges an
unknown risk for a known risk because the consequences of the risk are
known.
CONTRACTING: hiring someone outside your company to complete the
work when it would decrease project risk. NOTE: you cannot remove all the
risk from a project by contracting. For example, if there is a risk of damage
in transport for a project component, hiring someone else to do the
transportation will not make the move risk-free.
RESIDUAL RISK: Some risks will remain after risk mitigation or risk
response planning. Through these risks may have been accepted, they should
be properly documented and revised through the project. What was thought
of as an acceptable risk during planning may not have the same ranking
during executing.
SECONDARY RISKS: Included in risk response planning should be an
analysis of the new risks created by the risk response strategies selected.
Frequently, what is done to mitigate one risk will cause other risks to occur.
For example, a risk of fire can be allocated to an insurance company but also
cause risk of cash flow problems. Cash flow should then be analyzed.
CONTINGENCY PLANNING: Planning the specific actions that will be
taken if a risk event occurs or planned response. These plans can be put in
31
place later, if needed, without meetings or increased impact to the project
caused by a delayed action.
FALLBACK PLANNING: Specific actions that will be taken if the
contingency plan is not effective.
RISK RESPONSE PLAN: Is a written document that captures the risks you
identified and what you plan to do about them. The project manager should
also record non-critical risks so that they can easily be revisited during the
Execution phase.
REVISED PROJECT PLAN: The efforts spent in risk management will
result in changes to the project plan. Tasks could be added, removed, or
assigned to different resources. This, planning is an iterative process.
RESERVES: Formulating the amount of time or cost that need to be added to
the project to account for risk. These are sometimes called management
reserves (to account for “unknown unknowns” items you did not or could
not identify in risk management) and contingency reserves (to account for
“known unknowns” items you did identify in risk management). Reserves
should be managed and guarded throughout the project life cycle.
Exercise: You are planning the manufacture of an existing products modification.
Your analysis has come up with the following. What is the cost reserve that you
would use?
 30% probability of a delay in the receipt of parts with a cost to the project
of US $9,000
 20% probability that the parts will be US $10,000 cheaper than expected
 25% probability that two parts will not fit together when installed,
costing an extra US $3,500
 30% probability that the manufacture may be simpler than expected,
saving US $2,500
 5% probability of a design defect causing US $5,000 of rework
32
30% x US $9,000
20% x US $10,000
25% x US $3,500
30% x US $2,500
5% x US $5,000
TOTAL
Add US $2,700
Subtract US $2,000
Add US $875
Subtract US $750
Add US $250
US $1,075
Important Concepts or Questions to ask:
 What do you do with non-critical risks? Answer: Document and revisit
periodically.
 Would you select only one risk response strategy? Answer: no, you can
choose a combination of choices.
 What risk management activities are done during the execution phase of the
project? Answer: watching out for non-critical risks that become more
important.
 What is the most important item to address in project team meetings:
Answer: Risk.
 How would risks be addressed in project meetings? Answer: By asking,
“what is the status of risks? Any new risks? Any change to the order of
importance?
STEP 6: RISK MONITORING AND CONTROL
This step involves managing the project according to the risk response plan and
may include the following activities:
 Keeping track of who is responsible for identifying risks
 Implementing a risk response plan
 Looking for the occurrence of risk triggers
 Monitoring residual risks
 Identifying new risks
 Ensuring the execution of risk plans
 Evaluating the effectiveness of risk plans
 Developing new risk responses
 Communicating risk status and collecting risk status
33
 Communicating with stakeholders about risks
 Determining if assumptions are still valid
 Revisiting low ranking or non-critical risks to see if risk responses need to
be determined
 Taking corrective action to adjust to the severity of actual risk events
 Looking for any unexpected effects or consequences of risk events
 Re-evaluating risk identification, qualification and quantification when the
project deviated from the baseline
 Updating risk plans
 Making changes to the project plan when new risk Reponses are developed
 Creating a database of risk data that may be used throughout the
organization on other projects
CONTINGENCY PLANS: Planned responses to risks, or putting in place the
contingency plans set up during risk response planning.
RISK RESPONSE AUDITS: Examining and documenting the effectiveness of the
risk response and the person managing (owning) the risk. This is an important step
in order to see if the plans put in place are effective and if changes are needed.
RISK REVIEWS: Risk should be a major topic at team meetings to keep focus on
risks and make sure plans remain appropriate. Remember that a result of such
reviews may be additional risk analysis or qualification and quantification.
OUTPUTS FROM RISK MONITORING AND CONTROL
 WORKAROUNDS: Unplanned responses to risks, or dealing with risks
that you could not or did not anticipate. Which do you think are more
frequent, contingency plans or workarounds? Most project managers will
say workarounds because that has been the projects manager’s
experience. In fact, with proper risk management, workarounds become
less frequent than contingency plans.
34
 Corrective action
 Changes to the project – it is important to realize that the risk
management process will change the project plan during planning and
during executing.
 Updates to the risk response plan – it is wise to always re-evaluate
whether the plans need any correcting or adjusting after each unidentified
or identified risk occurs
 Other updates to risk database, checklists, etc.
Prioritizing Risks
 First calculate an expected loss value for each risk. Indicates overall risk
severity.
 Rank all risks in descending order.
 Seek expert judgment to determine probability/frequency and total dollar
loss potential
Sorting Risks by Expected Loss
Quantify both the total loss and likelihood of the risk occurring.
Steps for Prioritizing Risks
1. Sort Risks by Expected Loss
2. Develop Risk Maps
3. Develop Prioritized Lists
4. Communicate Prioritized List to Project Team and Management
35
Risk Data Table
Priority
1
2
3
4
5
6
7
8
9
10
Risk ID
R18
R3
R34
R9
R12
R72
R8
R123
R159
R98
Probability or
Frequency
(Pe)
.9
.7
.9
.5
.7
.7
.3
.3
.1
.3
Probability
of Impact
(Pi)
Likelihood
1
.9
.9
.9
.7
.9
.9
.7
.5
.5
43
= P e X Pi
Total
Loss in
Lt
.9
.63
.81
.45
.49
.63
.27
.21
.05
.15
22
25
17
22
15
5
10
13
25
4
Expected
Loss
Workdays
= Pe X Pi X Lt
19.8
15.8
13.8
9.9
7.4
3.2
2.7
2.7
1.3
0.6
Developing a Risk Map
A risk map displays individual risks plotted against total loss on the X-axis and
likelihood of occurrence on the Y-axis.
$100,000,000
R128
R72
$50,000,000
R134
$25,000,000
$10,000,000
R13
$5,000,000
R19
R62
$1,000,000
0
1
5
10
20
50
100
150
200
250
300
250
300
This Risk map illustrates that risks R128, R134, and R72 are under active
management and that risks R13, R19, and R62 are being monitored.
$100,000,000
R128
R72
$50,000,000
R134
$25,000,000
R13
$10,000,000
$5,000,000
R19
R62
$1,000,000
0
1
5
10
20
44
50
100
150
200
Risks R128, R134, and R72 are considered to be catastrophic risks where some level
of insurance is most likely purchased to protect the organization.
Risks R13, R19, and R62 in most cases may be risks that the organization selfinsurers.
Remember the risk map is a visualization tool for senior management and project
team members. It quickly illustrates potential problems and uncertainties and their
impact on the organization if they actually occur.
How to Plan for Resolution of Targeted Risks
The purpose of this section is to develop risk action plans to reduce the probability of
a risk occurring and the potential loss if it does occur.
We need to be able to eliminate or reduce as many of the risk drivers (opportunities
where the risk may occur) as possible.
The following figure illustrates the risk resolution process.
Risk Resolution Process
Defer action until
more data is
received
Avoid the risk
Develop action
plans
Transfer risk to a
third party
Prevention of the
risk event
Provide
redundancy (other
alternatives)
Contingency plan
if the risk event
should occur
45
Take no action (realize
that the risk may occur)
Mitigate the risk
Financial and/or
time reserves
The Standard Model for a Risk Action Plan
Probability
Risk
Event
Risk Event
Drivers
Prevention and
avoidance of risk
event drivers
Probability
of
Impact
Risk
Impact
Impact
Drivers
Contingencies
and reserves
address impact
drivers
Total
Loss
46
As a Project Manager What Actions Can You Take?
Risk Avoidance – Anytime you make a decision you implicitly or explicitly introduce
risks into a project. Many times you can avoid a risk by simply reversing a previous
decision. If we are going to introduce risk into a project there better be an obvious
positive advantage. Know your organizations level of risk tolerance.
Risk Transfer – Transferring the risk to a third party such as a subcontractor. Move
the risk to someone else that has the expertise to deal with it. A legal department
representative typically initiates a legal documents or contract. Remember you can
only transfer the risk event not the impact.
Redundancy – Any time you employ parallel paths to improve the chances of
achieving a projects goals and deliverables.
Mitigation – means to reduce the impact or severity of the risk if it does occur.
Mitigation of risks targets the source or origin of the risk in your organization.
Typical mitigation actions include:
 Define specific actions
 Define trigger points that initiate corrective actions
 Plan for additional resource and time needs
 How will the project benefit if the plan is successful – did the expected
loss values decrease sufficiently?
 Assign ownership to the plan
 Determine how to monitor the plan
Monitoring Project Risks
This is the last step in the risk management process.
Develop a spreadsheet to track risks.
47
Below is an example of the types of information that could be included in a risk
tracking spreadsheet.
First Worksheet:
Top 10 List of Risks
Include Risk Map
Second Worksheet:
Risk Dashboard
Third Worksheet:
Active Risks with
Their Respective
Action Plans
Fourth Worksheet:
Inactive Risks
48
Sample Spreadsheet to Track an Individual Risk
Risk
ID
Priority
Risk Owner
Date
Opened
Date
Closed
Risk
Status
1
Ron Meier
8/1/03
10/31/03
Closed
Risk Event
Impact
Monitor
Dates
A city building
inspector will not grant
compliance with the
new footings causing
the footings to be
redone
Framing will be
delayed 10 days
R3
Actual
Loss
0
Pe
Pi
Workdays
Lt
Le
August 2
.5
.9
30
13.5
August 15
.3
.9
30
8.1
September 1
.3
.9
30
8.1
September 15
.1
.5
30
1.5
Risk Event Drivers
Prevention Plan
Impact Drivers
1.Previous attempts
25% successful
1.Contact inspector
to discuss past
problems and
corrective actions.
Inspector will need to
verify the research and
field test results for the
new footings.
We need to engage
the inspector and discuss
our desire to change
to the new footings.
If we have to revert back
to the old style footings the
project will delayed at least
four weeks.
Have an alternate plan
to have the materials
available in case we
cannot receive
approval to proceed
with the new footings
2.Footing design is
2. Allow extra
significantly different review time to
meet with the
city inspector.
3. Architect has limited 3. Provide
experience
additional
training for the
architect.
49
Contingency Plans
Developing a Risk Management Tool Kit
Typical Project Management Tools to Help Support Your Risk Management Process
 Sticky Density – used to pinpoint potential problem areas in a process or
project.
 Spreadsheets – used to organize, sort, and present risk data
 Decision Analysis – aides in helping project team members and senior
management to visualize and understand various situations
 Risk Simulations – what are the effects of individual or risk portfolios on
your organization
 Design Structure Matrix – a technique for carefully examining iterative
processes whereby the team may not receive important data and
information until after they need it
Sticky Density
The intent is to develop a visual aid to examine problematic areas of their schedule.
The value of this tool is to highlight potential problem areas and their
interdependencies.
This is a takeoff on the Hoshin brainstorming activity!
 Pick Team members who have contributed in developing the WBS, network
diagram, and draft schedule.
 Pass out a predetermined number of 3 X 5 sticky notes [five for this
example] and have your team answer the following question five times.
 What could go wrong at this point in the schedule? Wait until each
participant has written down a response.
 Place the responses on a whiteboard or table.
50
 Now ask the participants to discuss ways to make sure these risks do not
occur or if they do occur to minimize the impact on the project
 Repeat the question at FOUR other points or milestones in the schedule.
 One last step is to seek the team’s input to see if they can determine the root
causes for each of these problems. If we can ID the root cause we should be
able to design the risk out of the process.
Spreadsheets
The risk tracking spreadsheet discussed earlier is an example of this type of tool.
It captures relevant process or project information that can be used to communicate
risk status to your project team.
You should develop spreadsheets that can be used to:
 depict quick analyses,
 organize personal and project team action items,
 track test results
Decision Analysis
A graphical technique used by the project manager to help your project team organize
their thoughts and to achieve consensus on complex situations dealing with project
risks and uncertainties. Decision analysis is usually shown as a decision tree that is
carefully mapped to the project network diagram and schedule.
In Class Exercise
Scenario. Your project team has just received a product review report from senior
management. The report includes a summary statement from senior management
granting approval for this project. The report includes a crude foam model of the part.
A representative from your organizations marketing and sales department is on your
project team. She is having a fit about the poor quality of the foam model provided by
senior management Your marketing representative says the model is insufficient for
51
determining the attributes of the product [specifically – shape, feel, looks, and
ergonomics]. Your marketing rep says that the project needs to be delayed until a
better model can be built. Your project team determines that there is an 80%
probability that the foam model is adequate. Senior management has already spent
$50,000 building the foam model. However, if the foam model is found to be
inadequate someone will have to manufacture either a plastic or solid metal part to
satisfy the marketing and sales department. The marketing staff believes that a metal
part will have a 30% chance of being approved and the plastic part has a 70% chance
of being accepted. Your team does their research and determines that to manufacture
the part in plastic will cost $300,000 while the metal part will cost $500,000. This will
also cause a 1-month delay in the project that will cost $1,000,000. What is the
expected loss from this risk? Build a tree diagram to illustrate the decision process.
Answer
Designed
Better
Model
From The
Start
.3
Metal Model $500,000 -
.7
Plastic Model $300,000
$360,000
Foam Inadequate
Add $1,000,000
.2
Initial Foam
Model
Total is $1,360,000
$272,000
.8
Foam Model is Adequate Cost
is $50,00 Already Spent
At his point in time with the Foam Model already built the team should accept the risk
and proceed with just the foam model.
52
The cost of avoiding the risk outweighs the expected loss of the risk.
This example illustrates that avoiding a known risk is not always the best choice.
The team should also consider what would have happened if they built the better
model initially.
Risk Simulation
Risk Simulation Tools can increase the confidence level on your project completion
date. Risk simulation tools are used to better estimate project completion dates based
upon running thousands of simulations with what-if scenarios.
Example
ID
Task Name
Start
Finish
Duration
1
2
3
4
5
6
Test
ID Defects
Correct Defects
Build Load
Integration Test
Validate
Oct 1
Oct 1
Oct 6
Oct 13
Oct 14
Oct 21
Nov 3
Oct 5
Oct 12
Oct 13
Oct 20
Nov 3
24 days
3 days
5 days
1 day
5 days
10 days
Probability
o = 3, m = 5, p = 10
o = 3, m = 5, p = 7
o = 5, m = 10, p = 15
Note that ID #’s 3, 5, & 6 have estimates for optimistic, means, and pessimistic
completion durations
Design Structure Matrix
How do we deal with the lack of information and data? This information might come
from a previous activity or task that has yet to be completed.
53
Example
To illustrate how Design Structure Matrix works we will examine a conventional hair
dryer found in residences or hotel rooms. The hair dryer has 7 design variables.
1.
2.
3.
4.
5.
6.
7.
Wattage rating
Footprint on the bathroom counter
Height
Weight
Maximum electrical current drawn
Length of time to fully heat
Air displacement – blower or fan rating
Develop a matrix
Wattage
Wattage
Footprint
Height
Weight
Current
Time to Heat
Air
Displacement
Footprint Height
Weight Current
---------X
X
X
X
--------
----------
X
X
X
X
X
---------
Air
Displacement
X
---------X
X
X
Time to
Heat
X
X
-------------X
X
X
---------------
All X’s above the diagonal represent information that is not yet available.
Developing Risk Management Strategies
Always avoid risk when it does not add value!!!!!!!! For example reuse proven
components and design techniques. Reuse software subroutines.
In manufacturing a common way of eliminating risk is a concept called poka-yoke or
mistake proofing. This involves configuring assembly parts so that they only fit
together one way. If the parts don’t fit then a previous step had to have been done
wrong.
54
An organization cannot afford to be totally risk averse. If they are they will drive away
innovation and profitability.
Important Items to Remember When Developing a Risk Strategy
 Stay flexible on unresolved issues
 Maintain contact with customers
 Always address the risky activities first
 Apportion risk carefully
 Test at a low level
 Use failure to your advantage
Implementing A Risk Management Program for Your Projects
Risk management requires project team members to change their behaviors.
Project team members must become:
 Proactive in identifying and resolving project risks
 Team oriented – really team oriented and not just pretending
 Non firefighters – you will never get anything done
 Willing to invest time and money proactively to reduce or eliminate risks
 Optimistic regarding how to identify and remove project risks
 Averse to the paperwork required to do it right the first time
55
How Can We Fit Risk Management Into Project Management?
Develop
Product
Description
Develop
Business
Case and
Feasibility
Study
Develop
Project
Plans,
Estimates,
and
Schedules
Develop System
Requirements
Conduct Risk
ID Session
Conduct Risk
Analysis Session
Prioritize and
Map Risks
Plan Risk
Resolution
Project
Initiation
Finalize Project Plans, Estimates, and Schedules
Create Risk Plan for On-going Monitoring
56
What Comprises A Risk Management Program?
 Integration of Risk Management into All Five Phases of Project
Management
 Initiation
 Planning
 Execution
 Controlling
 Closing
 Development of Data Management Tools for Your Teams and Senior
Management
 Remembering to Strategize the Upside or Opportunity of Project Related
Risks
 TRAINING Your Teams
 Forcing Senior Management to Consider Risks
 Taking All Potential Problems Seriously
 Sparing the Messenger – Learn to Appreciate Honesty Regarding How the
Organization Is Really Performing
 NOT LETTING ENGINEERS RUN PROJECT RISK MANAGEMENT
 Collecting and Disseminating Risk Measurement Tools
 Not Overselling Project Risk Management
 LEARNING from Each Project
57
Download