Project Risk Management
What is Risk?
Risk and uncertainty are
equivalent
Three Definitions
• Risk
– A possible future event which if it occurs will
lead to an undesirable outcome.
• Project Risk
– The cumulative effect of the chances of an
uncertain occurrence that will adversely affect
project objectives.
• Risk Management
– A systematic and explicit approach for
identifying, quantifying, and controlling project
risk.
DEFINITION
PROJECT RISK MANAGEMENT IS THE ART AND SCIENCE OF
IDENTIFYING, ASSESSING, AND RESPONDING TO PROJECT
RISK THROUGHOUT THE LIFE OF A PROJECT AND IN THE
BEST INTERESTS OF ITS OBJECTIVES
PROJECT RISK IS THE CUMULATIVE EFFECT OF THE CHANCES OF
UNCERTAIN OCCURRENCES ADVERSELY AFFECTING PROJECT
OBJECTIVES
RISK MANAGEMENT PURPOSE
IDENTIFY FACTORS THAT ARE LIKELY TO IMPACT THE PROJECT
OBJECTIVES OF SCOPE, QUALITY, COST AND TIME
QUANTIFY THE LIKELY IMPACT OF EACH FACTOR
GIVE A BASELINE FOR PROJECT NON-CONTROLLABLES
MITIGATE IMPACTS BY EXERCISING INFLUENCE OVER PROJECT
CONTROLLABLES
THE PMBOK ALSO POINTS OUT THAT RISK MANAGEMENT INCLUDES
MAXIMIZING THE RESULTS OF POSITIVE EVENTS AND MINIMIZING THE
CONSEQUENCES OF ADVERSE EVENTS.
ISSUES
A RISK SHOULD ONLY BE TAKEN WHEN THE POTENTIAL BENEFIT AND
CHANCES OF WINNING EXCEED THE REMEDIAL COST OF AN
UNSUCCESSFUL DECISION AND CHANCES OF LOSING BY A
SATISFACTORY MARGIN
WHAT WILL BE GAINED?
WHAT COULD BE LOST?
WHAT ARE THE CHANCES OF SUCCESS (AND FAILURE)?
WHAT CAN BE DONE IF THE DESIRED RESULT IS NOT ACHIEVED?
IS THE POTENTIAL REWARD WORTH THE RISK?
POTENTIAL FREQUENCY OF LOSS
AMOUNT AND RELIABILITY OF INFORMATION AVAILABLE
POTENTIAL SEVERITY OF LOSS
MANAGEABILITY OF THE RISK
VIVIDNESS OF THE CONSEQUENCES
POTENTIAL FOR (ADVERSE) PUBLICITY
WHOSE MONEY IS IT?
NATURE OF RISK MANAGEMENT
WHEN SPEAKING OF RISK, THINK OF ONLY HAZARDOUS ONES
EVERYDAY COMMON DAY ONES ARE IGNORED
RARELY DO WE SYSTEMATICALLY IDENTIFY ALL RISKS INVOLVED
HOWEVER, INCLINED TO CONSIDER RISK DIFFERENTLY RELATIVE TO
FAMILY - VERY PRECIOUS AND LOTS OF POTENTIAL
EXAMPLES:
SMALL CHILDREN - STAY AWAY FROM ROAD
HOW DID DAY GO? - DO MORE TO HELP THEM
- RISK ID & AVOIDANCE
- INFO FEEDBACK
THESE ACTIONS ARE ESTABLISHING THE BASIC ELEMENTS OF
MANAGING PROJECT RISK INTO OUR CHILDREN
PROJECT RISK MGMT IS PRO-ACTIVE
CLASSIC SYSTEMS METHODOLOGY:
INPUT
PROCESS
OUTPUT
FEEDBACK LOOP
THIS PROCESS VITAL TO EFFECTIVE PROJECT CONTROL, HOWEVER
RISK IS DIFFERENT - - HAS TO DO WITH:
UNCERTAINTY, PROBABILITY OR UNPREDICTABILITY, AND
CONTINGENT PLANNING
REACTIVE vs. PRO-ACTIVE
CRISIS MANAGEMENT -- REACTIVE MODE -- SELECT RESPONSE
PRO-ACTIVE -- ANTICIPATE AND PLAN TO AVOID
RISK & DECISION MAKING:
TAKE RISK IF POTENTIAL BENEFIT AND CHANCE OF WINNING
EXCEEDS COST OF UNSUCCESSFUL DECISION AND CHANCES OF
LOSING BY A SATISFACTORY MARGIN (CLASSIC COST / BENEFIT
ANALYSIS)
Project Risk Management
Project Risk
Management
11.0
Risk
Identification
11.1
Risk
Quantification
11.2
Risk Response
Development
11.3
Risk Response
Control
11.4
PMBOK Risk
• Opportunities - Positive outcome
• Threats - Negative outcome
Benefits of Risk Management
• More and better information is available
during planning and decision making
• Project objectives are verified
• Improved communications
• Higher probability of project success
• Proactive approach
• Project might be canceled
Why Organizations don’t do
Risk Management
• Unwillingness to admit risks exist
• Postpone the hard parts of the project until
later
• Risk management costs money
– Up front investment of time
– Can’t prove it’s necessary
• Think health insurance
Why Organizations don’t do
Risk Management
• “Can Do” management style severely
inhibits risk management
• Risk identification can make you look like a
whiner
Ways to Avoid
Risk Management
• “Managing risk is everybody’s business”
• “There is only one risk: The project might
fail. And we’re managing that by working
real hard to assure that doesn’t happen.”
The Uncertainty Spectrum
NO
Information
Partial
Information
(Unknown
unknowns)
(Known
unknowns)
GENERAL
TOTAL
UNCERTAINTY UNCERTAINTY
SPECIFIC
UNCERTAINTY
Complete
Information
(Knowns)
TOTAL
CERTAINTY
SCOPE OF PROJECT RISK MANAGEMENT*
*Note: in this range the information to be sought is known
Project Risk
Integration
Communication
Scope
Time
Project Risk
Quality
Cost
Procurement
Human Resources
INTEGRATING RISK
PROJECT
MANAGEMENT
INTEGRATION
Life Cycle and
Environment Variables
SCOPE
Ideas, Directives,
Data Exchange Accuracy
Expectations
Feasibility
Requirements
Standards
QUALITY
PROJECT
RISK
Time Objectives,
Restraints
TIME
INFORMATION /
COMMUNICATIONS
Availability
Productivity
HUMAN
RESOURCES
Services, Plant, Materials:
Performance
Cost Objectives,
Restraints
COST
CONTRACT /
PROCUREMENT
Project Risk Management
A subset of project management that
includes the processes concerned with
identifying, analyzing, and responding to
project risk.
Risk Management Objectives
• Reduce the number of surprise events
• Minimize consequences of adverse events
• Maximize the results of positive events
Risk Classification
•
•
•
•
•
•
Business risks vs. pure (insurable) risks
Classified by uncertainty (business risks)
Classified by impact on project elements
Classified by their nature
Classified by their source
Classified by their probability to occur and
amount at stake
Consequences of Risk Analysis
Positives
• greater information is made available during the
course of planning and decision making
• project objectives are verified
• better communications
• better probability that project realization will be
optimal
• increased chance of project success
Consequences of Risk Analysis
Negatives
• belief that all risks have been accounted for
• project could be shut down
Some Considerations
• Real information is the key.
• The relationship between uncertainty and
information is inverse.
• For the project manager, conditions of relative
uncertainty (partial information) are the rule.
• There is a natural resistance to formal risk
analysis.
• Risks should only be taken to achieve a project
objective.
PMBOK FIGURE 11-1
PROJECT RISK MANAGEMENT OVERVIEW
Risk Identification
Risk Quantification
Response Development
Response Control
Inputs
Inputs
Inputs
Inputs
Product Description
Stakeholder risk tolerances
Other Planning Outputs
Sources of Risk
Historical Information
Tools & Techniques
Checklists
Flowcharting
Interviewing
Outputs
Potential Risk Events
Cost Estimates
Activity Duration Estimates
Tools & Techniques
Opportunities to ignore,
threats to accept
Tools & Techniques
Risk Symptoms
Expert Judgment
Outputs
Opportunities to pursue,
threats to respond to
Opportunities to ignore,
threats to accept
Tools & Techniques
Additional Risk Response
Development
Insurance
Decision Trees
Additional Risk Identification
Contingency Planning
Alternative Strategies
Potential Risk Events
Actual Risk Events
Workarounds
Statistical Sums
Simulation
Risk Management Plan
Procurement
Expected Monetary Value
Sources of Risk
Inputs to other Processes
Opportunities to pursue,
threats to respond to
Outputs
Risk Management Plan
Inputs to other Processes
Contingency Plans
Reserves
Contractual Agreements
Outputs
Corrective Action
Updates to Risk Management
Plan
Risk Identification
Project Risk
Management
11.0
Risk
Identification
11.1
Risk
Quantification
11.2
Risk Response
Development
11.3
Risk Response
Control
11.4
Risk identification is determining which risks are likely to affect the
project and documenting the characteristics of each.
Typical Life Cycle Profiles
Risk versus Amount at Stake
I
N
C
R
E
A
S
I
N
G
Total project life cycle
Plan
Accomplish
Phase 1
Phase 2
Phase 3
Phase 4
Conceive
Develop
Execute
Finish
$
(period when highest
risks are incurred)
R
I
S
K
(period of highest
risk impact)
TIME
V
A
L
U
E
Inputs to Risk Identification
• Product description
– Specification
– SOW
– Contract
• Other planning outputs
– WBS
– OBS
– Cost and Schedule estimates
Inputs to Risk Identification
• Historical information
–
–
–
–
Commercial databases
Corporate memory
Corporate database (lessons learned)
Websites
Inputs to Risk Identification
• Assumptions
– Explicit
– Implicit
• Critical success factors
PHASE 1: RISK IDENTIFICATION
IDENTIFY ALL POSSIBLE RISKS WHICH MAY SIGNIFICANTLY IMPACT
THE SUCCESS OF THE PROJECT -- CAN DO THIS BY:
CAUSE-AND-EFFECT ANALYSIS (WHAT COULD HAPPEN  WHAT ENSUES)
EFFECT-AND-CAUSE ANALYSIS (WHAT OUTCOMES TO AVOID  HOW
THEY MIGHT OCCUR)
BRING IN THE EXPERTS ON THE PROGRAM AND QUESTION THEM
BRAINSTORM
WBS - INDIVIDUAL WORK PACKAGES PLUS COMBINATIONS THEREOF
WILLOUGHBY TEMPLATES, SEI TAXONOMY AND CHARELLET CHECKLIST
Risk typically examines possibility of suffering harm or loss; however,
Risk Identification is also concerned with opportunities (positive outcomes)
and threats (negative outcomes).
TYPES OF RISK
• Business vs. Insurable Risk
• Risk Sources
–
–
–
–
–
External Unpredictable
External Predictable
Internal Non-Technical
Technical
Legal
TYPES OF RISK (2)
• Knowns
– An item or situation containing no uncertainty
• Known Unknowns
– Things which we know exist but do not know
how they will affect us. These can be identified
and evaluated.
• Unknown Unknowns
– Those risks that cannot be identified and
evaluated (unexpected needs). These can be
TYPES OF RISK (3)
• Risks can also be classified as:
– External Unpredictable
– External Predictable
– Internal Non-Technical
– Technical
– Legal
EXTERNAL UNPREDICTABLE
•
•
•
•
•
Regulatory
Natural Hazards
Postulated Events
Unexpected Side Effects of the Project
Failure to Complete Project Due to
Uncontrollable External Events
•
•
•
•
•
•
•
EXTERNAL PREDICTABLE
Market Risks
Operational
Environmental Impacts
Social Impacts
Currency Risk
Inflation
Taxes
INTERNAL, NON-TECHNICAL
•
•
•
•
•
Management
Schedule
Cost
Cash Flow
Loss of Potential Benefit or Profit
TECHNICAL
•
•
•
•
•
Changes in Technology
Performance Uncertainty
Risks Associated with Project’s Technology
Design
Sheer Size or Complexity
•
•
•
•
•
•
LEGAL
Licensing
Patent Rights
Contractual Difficulties
Outsider Suits
Insider Suits
Force Majeure (PMI’s Word)
OTHER RISK ID SOURCES
• Overly Aggressive Cost Estimates
• Overly Aggressive Duration Estimates
• Staffing Plan - Personnel With Special
Skills
• Procurement Management Plan
• Historical Project Files & Project Team
Knowledge
• Commercial Databases
KEEP IN MIND
• How can you assess risks?
–
Break things down into individual elements and
determine their relationships
• What risks should you assess?
–
All of them
– Concentrate on those with greatest impact and
most likely probability of occurrence
RISK FACTORS
ALL PROJECT RISKS ARE CHARACTERIZED BY THE FOLLOWING
THREE RISK FACTORS
RISK EVENT: PRECISELY WHAT MIGHT HAPPEN TO THE
DETRIMENT OF THE PROJECT
Write it as an “If - Then” Statement
RISK PROBABILITY: HOW LIKELY THE EVENT IS TO OCCUR
AMOUNT AT STAKE: THE SEVERITY OF THE CONSEQUENCES
WITH THIS DATA, THE RISK EVENT STATUS ("CRITERION VALUE" OR
RANKING) OF A GIVEN RISK EVENT CAN BE DETERMINED BY:
RISK EVENT STATUS = RISK PROBABILITY X AMOUNT AT STAKE
RISK EVENT vs. RISK SYMPTOM
RISK EVENT ARE DISCRETE OCCURRENCES
RISK SYMPTOM  TRIGGERS
THESE ARE INDIRECT MANIFESTATIONS OF ACTUAL RISK EVENTS
EXAMPLES OF RISK SYMPTOMS:
POOR MORALE = EARLY WARNING SIGN OF SCHEDULE DELAY
EARLY PROJECT COST OVERRUN = POTENTIAL POOR PROJECT
OVERALL ESTIMATING
Risk Identification
Tools and Techniques
• Checklists
– Project Healthcheck
• Flowcharting
– Cause & Effect (fishbone or Ishikawa charts
• What could happen
What ensues
– Effect & Cause
• Outcomes to avoid
How they occur
– System or Process flowcharts
Risk Identification
Tools and Techniques
• Interviewing
• Brainstorming
Outputs
• Sources of risk (i.e., categories)
–
–
–
–
Stakeholder actions
Estimates
Staffing plans
Common sources of risk:
•
•
•
•
Changes in requirements
Design errors, omissions, and misunderstandings
Poorly defined R & R
Insufficiently skilled staff
Outputs
• Potential Risk events
– Specific discrete events that might effect the
project
– Generally include:
•
•
•
•
Probability
Alternative outcomes
Timing
Frequency (more than once?)
Outputs
• Risk Symptoms
– Triggers, or trip wires, or indicators
– Indirect manifestations of risk events
• Poor morale
• Lack of reported progress
• Inputs to other processes
– Improved estimating
– More training
Risk Quantification
Project Risk
Management
11.0
Risk
Identification
11.1
Risk
Quantification
11.2
Risk Response
Development
11.3
Risk Response
Control
11.4
Risk quantification consists of evaluating the risks and risk
interactions to assess the range of possible project outcomes.
PHASE 2: RISK QUANTIFICATION
GOALS OF QUANTIFICATION (OR ASSESSMENT)
INCREASE THE UNDERSTANDING OF THE PROJECT
IDENTIFY THE ALTERNATIVES AVAILABLE
ENSURE THAT UNCERTAINTIES AND RISKS ARE ADEQUATELY
CONSIDERED IN A STRUCTURED AND SYSTEMATIC WAY AND
INCORPORATED INTO THE PLANNING AND DEVELOPMENT PROCESS
ESTABLISH THE IMPLICATIONS OF THESE UNCERTAINTIES ON ALL
OTHER ASPECTS OF THE PROJECT
Risk Quantification - Inputs
•
•
•
•
•
Stakeholder risk tolerances
Sources of risk
Potential risk events
Cost estimates
Activity duration estimates
Risk Quantification
Tools and Techniques
•
•
•
•
•
Expected monetary value
Statistical sums
Simulation
Decision trees
Expert judgment
RISK ANALYSIS TECHNIQUES
BRAINSTORMING - SPONTANEOUS CONTRIBUTION OF IDEAS FROM TEAM
DELPHI METHOD - METHOD TO DERIVE CONSENSUS USING EXPERT OPINION
MONTE CARLO - ITERATIVE SIMULATION USING RANDOM NUMBERS TO
INCORPORATE PROBABILISTIC DATA AND DERIVE A
PROBABILITY DISTRIBUTION OF THE FINAL RESULT
SENSITIVITY ANALYSIS - EVALUATE EFFECT OF A CHANGE IN A SINGLE
VARIABLE ON THE ENTIRE PROJECT
DECISION TREE ANALYSIS - GRAPHICAL "EITHER / OR" CHOICES
UTILITY THEORY - TAKES ATTITUDE OF DECISION MAKER INTO ACCOUNT
DECISION THEORY - TECHNIQUE TO REACH DECISION UNDER UNCERTAINTY
AND RISK. POINTS TO BEST POSSIBLE COURSE NO MATTER
THE FORECAST ACCURACY
PROBABILITY ANALYSIS - NEXT PAGE
SIMPLE PROBABILITY
SIMPLE PROBABILITY EQUATION:
Pr (Event #1) x Pr (Event #2) = Pr (Both Events)
P(t) = P(A) * P(B)
OR
0.70 X 0.80 = 0.56
OR 56%
NOTE: THIS APPLIES TO INDEPENDENT EVENTS ONLY
PROBABILITY EXAMPLE
DATA:
Probability of Scope = 0.70
Probability of No Scope = 0.30
Probability of Approval = 0.80
Probability of No Approval = 0.20
EXAMPLE:
Pr(Scope) x Pr(Approval) =
Pr(Scope) x Pr(No Approval) =
Pr(No Scope) x Pr(Approval) =
Pr(No Scope) x Pr(No Approval) =
0.70 x 0.80 =
0.70 x 0.20 =
0.30 x 0.80 =
0.30 x 0.20 =
Total=
0.56
0.14
0.24
0.06
1.00
PRACTICAL APPLICATION -- DECISION TREE ANALYSIS
Expected Monetary Value (EMV)
• Product of two values
– Risk event probability
– Risk event value
• Valuation of the risk event is key
– Must include tangible as well as intangible
value
– 1 week slippage with minor client impact
– 6 week slippage with major client impact
Expected Monitary Value Example
Given the following:
Cost
Probability
Optimistic $100,000 0.20
Most likely $130,000 0.60
Pessimistic $180,000 0.20
Expected Value Calculation:
Optimistic $100,000 x 0.20
= 20,000
Most likely $130,000 x 0.60
= 78,000
Pessimistic $180,000 x 0.20
= 36,000
Expected Monitary Value
$134,000
(*EMV = Opt imistic + 4(most likely) + Pessimistic)
6
* formula if probability is not known
EMV Example
• If no probabilities are given, use
EMV=(Opt + 4*ML + Pes)/6
• EMV= ($100 +4*$130+$180)*1000/6
= $133,333
Descriptive Statistics
•
•
•
•
•
•
Mean
Mode
Median
Variance
Standard Deviation
Range
Descriptive Statistics Example
Test scores are 10, 20, 25, 40, 45, 45, 50, 55, 55, 60, 60, 60, 65, 65, 65, 70, 70, 70,
70, 70, 75, 80, 80, 85, 90, 90, 90, 95, 100
Mean: number obtained by dividing the sum of a set of quantities by the number of
quantities in the set. (answer is 1855 / 29=64)
Mode: value or item occurring most frequently in a series of observations. (answer is
70 -it occurs 5 times)
Median: middle value in a distribution, above and below which lie an equal number of
values (answer is 65)
Variance: average of the squares of the variations from the mean of a frequency
distribution. (answer is 486.4)
Standard deviation: square root of the variance. (answer is 22)
Range: measure of the dispersion equal to the difference or interval between the
smallest and the largest of the set of quantities. (answer is 90 or 100-10)
Approximations
• Mean = (Opt + 4*ML + Pes)/6
• SD = (Max - Min)/6
Exercise
Opt
ML
Pess
EMV
Proj. A 100,000 125,000 180,000 130,000
SDev
Vari
13,000
169,000,000
Proj.B 80,000
100,000 125,000 100,833
7,500
5,625,000
Proj.C 75,000
130,000 180,000 129,167
17,500
306,250,000
So What?
• Normal Distribution
– Mean is expected value
– Mean = Mode = Median
– Standard deviation is a measure of dispersion
about the mean
• 68.27% of cases occur between Mean + SD and
Mean - SD
• 95.45% of cases occur between Mean+2SD and
Mean-2SD
• 99.73% of cases occur between Mean+3sd and
Mean-3SD
Mean
Blue = 68%
Blue + Green = 95%
Blue + Green
+ Red = 99.7%
34.1%
1.1%
- 3SD
- 2SD
34.1%
13.6%
- SD
13.6%
+ SD
Normal Distribution
+ 2SD
1.1%
+ 3SD
Mode
Median
Mean
Skewed Normal Distribution
BETA vs. TRIANGULAR DISTRIBUTIONS
BETA
DISTRIBUTION
TRIANGULAR
DISTRIBUTION
EXPECTED VALUE
P
R
O
B
A
B
I
L
I
T
Y
EXPECTED VALUE
P
R
O
B
A
B
I
L
I
T
Y
COST ESTIMATE
Mean = (a + 4m + b) / 6
2
Variance = [(b - a) / 6]
COST ESTIMATE
Mean = (a + m + b) / 3
Variance = [(b - a) 2 + (m - a) (m - b)] / 18
Simulation
Simulation uses a representation or model of a
system to analyze the behavior or
performance of the system.
• Monte Carlo analysis is best known
• results used to quantify risk of various schedule
choices
Monte Carlo
• Requires Optimistic, Most Likely, and
Pessimistic estimates.
• Uses random number generator to select
which value to use
• Calculates the database multiple times to
develop a probability distribution of the data
Decision Trees
Aggressive schedule EMV = $110,000
Conservative schedule EMV = $7,000
Given the following decision tree:
Outcome
60%
aggressive
Choice
event
conservative
Choice
event
Choice
event
40%
20%
250 k
EMV
150 k
100 k
40 k
45 k
9k
20 k
16 k
80%
UTILITY THEORY
• Definition
– Endeavors to formalize management’s attitude
toward risk of the decision maker.
• Types
– Risk Seeking
– Risk Neutral
– Risk Averse
Expert Judgment
Expert judgment can often be applied in lieu of or in
addition to the mathematical techniques described
above.
Derived from:
•
•
•
•
team members
others in or outside of organization
published findings
industry averages / statistics
QUALITY RISK
GOALS OF RISK MANAGEMENT
- INCREASE UNDERSTANDING OF PROJECT
- IMPROVE PLANS, DELIVERY, AND ID GREATEST RISKS
- WHERE TO FOCUS ATTENTION
REMAINING MAJOR PROJECT RISK AREA ...
WHAT IF PROJECT FAILS TO PERFORM AS EXPECTED DURING
OPERATIONAL LIFE / PRODUCT LIFE CYCLE?
CONFORMANCE TO QUALITY REQUIREMENT REMEMBERED LONG
AFTER COST AND SCHEDULE PERFORMANCE.
\ QUALITY MANAGEMENT HAS MOST IMPACT ON LONG-TERM
PERCEIVED & ACTUAL SUCCESS OF PROJECT
SCHEDULE RISK
CAN MANAGE “CRITICAL PATH” BUT NOT MANAGE DURATION
REASON --> SCHEDULE RISK
HIGHEST RISK PATH = PATH WITH MOST PROJECT COMPLETION RISK
RISK IN ALL ACTIVITY DURATION BECAUSE FUTURE IS UNCERTAIN
LONGEST DURATION ACTIVITY  RISKIEST
THEREFORE, NEED TO ID & MANAGE WHAT COULD CONTRIBUTE TO
PROJECT DELAY -- COULD OVERRIDE MANAGEMENT OF CRITICAL
PATH
SCHEDULE RISK (CONT'D)
C
B
FINISH
E
START
A
ACTIVITY
MOST
D
MEAN
LOW
LIKELY
HIGH
EXPECTED
A-B
8
9
10
9
B-C
4
5
6
5
C-E
0
0
0
0
B-E
1
6
7
4.7
A-D
4
9
14
9
D-E
1
2
7
3.3
SCHEDULEBRISK (CONT'D)
FINISH
E
START
A
D
SUM OF
SUM OF
MOST LIKELY
MEANS
HIGHS
A-B-C-E
14
14
16
A-B-E
15
13.7
17
A-D-E
11
12.3
21
A-B-E
A-B-C-E
A-D-E
PATH
MOST RISKY
SUM OF
Risk Quantification- Outputs
Opportunities to pursue, threats to respond to
Opportunities to ignore, threats to accept
Risk Response Development
Project Risk
Management
11.0
Risk
Identification
11.1
Risk
Quantification
11.2
Risk Response
Development
11.3
Risk Response
Control
11.4
Risk response development defines the enhancement steps for
opportunities and responses to threats.
Risk Response Development
• Defines steps for
– enhancing opportunities
– responding to threats
Types of Responses
• Avoidance - eliminate
• Mitigation
– Reduce EMV by reducing probability
– Reduce Impact - buy insurance
• Acceptance
– Active: develop plan to deal with risk if it
occurs
– Passive: Accept risk (e.g., lower profit)
PLANNING ALTERNATIVES
• Project Managers have Several Response
Options
–
–
–
–
–
–
Avoidance
Absorption
Adjustment
Deflection
Contingent Planning
A Combination of the Above
AVOIDANCE
• Defined
– Characterized by project manager
statements such as: “This alternative is
totally unacceptable to me
– You would take the appropriate steps to
avoid this situation.
ABSORPTION
•
•
•
•
Risk is Recognized-But Not Acted Upon
Accept the Risk AS IS
It’s a Matter of Policy
Retained & Absorbed (by prudential
allowances)
• Unrecognized, Unmanaged, or Ignored (by
default)
ADJUSTMENT
• Modification of the Project
– Scope
– Budget
– Schedule
– Quality Specification
– Combination of the Above
DEFLECTION
• Involves transfer of risk by such means as:
– Contracting Out to Another Party
– Insurance or Bonding
– By Recognizing it in the Contract
CONTINGENT
PLANNING
CONTINGENT PLANNING IS A MEANS TO ADDRESS RISKS TO THE
PROJECT THROUGH A FORMAL PROCESS AND PROVIDE RESOURCES
TO MEET THE RISK EVENTS.
IT IS THE ESTABLISHMENT OF MANAGEMENT PLANS TO BE INVOKED
IN THE EVENT OF SPECIFIED RISK EVENTS
EXAMPLES:
THE PROVISION AND PRUDENT MANAGEMENT OF A
CONTINGENCY ALLOWANCE IN THE BUDGET
THE PREPARATION OF SCHEDULE ALTERNATIVES AND
WORK-AROUNDS
EMERGENCY RESPONSES TO DEAL WITH MAJOR SPECIFIC
AREAS OF RISK
AN ASSESSMENT OF LIABILITIES IN THE EVENT OF A
COMPLETE PROJECT SHUT-DOWN
Types of Responses
• Prevent risk from occurring
– Reduce the probability that the event will occur
– Eliminate means P=0
• Reduce the impact (think “containment”)
– Buy insurance (monetary)
– Alternative strategies (additional supplier to
PDQ)
CONTRACT STRATEGY
• To Select the Right Form of Contract
Requires:
–
Identification of Specific Risks
– Determination of how they should be shared
between the parties, and
– The insertion of clear, legal language in the
contract documents to put it into effect.
CONTRACT TYPE vs. RISK
SCOPE OF WORK
INFORMATION
UNCERTAINTY
DEGREE OF
RISK
VERY LITTLE
HIGH
HIGH
100%
SUGGESTED
RISK
ALLOCATION
PARTIAL
MODERATE
MEDIUM
LOW
LOW
0%
AGENCY (BUYER)
SELLER (CONTRACTOR) 100%
0%
CONTRACT
TYPES
COMPLETE
CPPF
CPIF
CPFF
FPPI
FFP
CONTRACT TYPE vs. RISK (CONT'D)
Project A
Well defined scope and work
content. High probability of
achieving realistic cost
estimate at 100%
P
R
O
B
A
B
I
L
I
T
Y
Project B
Fairly well defined scope
and work content. Fair
probability of achieving
100% cost estimate
Project c
Poorly defined scope
and content. Low
probability of 100%
cost estimate
80%
90%
95%
100%
110%
120%
140%
COST ESTIMATE VALUE
+/- 15%: FFP
+/- 25%: CPFF
+/- 50%: CPIF
> 50%: CPPF
Suggested types of
contract for various
spreads
FAST-TRACKING
• Awarding contracts before all the
information is complete to reduce the
overall time for the project
• Much higher risk category!!
• Appropriate contingency allowances must
be increased accordingly.
Risk Response Development Inputs
Opportunities to pursue, threats to respond to
Opportunities to ignore, threats to accept
Risk Response Development
Tools and Techniques
• Procurement
– Buy outside skills
• Contingency planning
– what to do if the event occurs
– containment
• Alternative strategies
– Prevention
• Insurance
Risk Response Development Outputs
•
•
•
•
•
Risk management plan
Inputs to other processes
Contingency plans
Reserves
Contractual agreements
Risk Response Control
Project Risk
Management
11.0
Risk
Identification
11.1
Risk
Quantification
11.2
Risk Response
Development
11.3
Risk Response
Control
11.4
Risk response control involves responding to changes in risk
over the life of the project.
PHASE 4:
RISK RESPONSE CONTROL
• EXECUTE THE RISK MANAGEMENT PLAN FROM PHASE #3
-ID, QUANTIFY AND RESPOND TO ANY CHANGES
EXECUTE WORKAROUNDS -- UNPLANNED RESPONSES
TO NEGATIVE EVENTS
-ADDITIONAL RISK RESPONSE DEVELOPMENT
•CURRENT PROJECT DATABASE
-DOCUMENTING ON-GOING RISKS
•BUILD HISTORICAL DATABASES
RELIABLE DATA IS HARD TO FIND! SHOULD CONSIST OF:
-RECORDED RISK EVENTS
-EXPERIENCE ON PAST PROJECTS (SIMILAR IS PREFERRED)
•POST-PROJECT ASSESSMENT AND ARCHIVE UPDATE
Risk Response Control
• Respond to the changes in project risk over
the life of the project
Risk Response Control - Inputs
• Risk management plan
• Actual risk events
• Additional risk identification
Risk Response Control
Tools and Techniques
• Workarounds
– Unplanned responses to unforeseen risks that
actually occur
• Additional risk response development
– Revisions to the response, if it proves
inadequate
Risk Response Control - Outputs
• Corrective action
– Implementing the risk management plan when
the risk occurs
• Updates to risk management plan
– Revisions to the risk management plan as
circumstances require
• Risk never materializes
• Probability of occurrence is reduced
Risk Documentation
Historical database
Current project database
Post project assessment and archive update
•
•
•
•
•
Lessons learned
Plan variances
Actuals
Methods, tools and techniques
Case studies
SUMMARY
PROJECTS ARE LAUNCHED TO TAKE ADVANTAGE OF OPPORTUNITIES,
BUT OPPORTUNITIES ARE ASSOCIATED WITH UNCERTAINTIES WHICH
HAVE RISKS ATTACHED
RISK CAN NEVER BE 100% ELIMINATED
FOR THE PROJECT TO BE VIABLE, THE EXPECTED VALUE RESULTING
FROM A FAVORABLE PROBABILITY OF GAIN MUST BE HIGHER THAN
THE CONSEQUENCES AND PROBABILITY OF LOSS
THEREFORE, THE RISKS ASSOCIATED WITH A PROJECT MUST RECEIVE
CAREFUL EXAMINATION IN THE CONTEXT OF THE ORGANIZATION'S
WILLINGNESS OR AVERSION TO TAKING RISKS
THIS IS THE DOMAIN OF PROJECT RISK MANAGEMENT, WHICH FORMS
A VITAL AND INTEGRAL PART OF PROJECT MANAGEMENT
When Should Risk Assessments
be Carried Out?
Risk assessments should be carried out
as early as possible and then continuously.
Don’t take the risk if...
•
•
•
•
•
•
the organization cannot afford to lose.
the exposure to the outcome is too great.
the situation (or project) is not worth it.
the odds are not in the project’s favor.
the benefits are not clearly identified.
there appear to be a large number of acceptable
alternatives.
Don’t take the risk if...
• the risk does not achieve the project objective.
• the expected value from baseline assumptions is
negative.
• the data is unorganized, without structure or
pattern.
• there is not enough data to understand the results.
• a contingency plan for recovery is not in place
should the results prove unsatisfactory.