Project Risk Management

Mohammad A. Rob

The Importance of Project Risk Management

Project risk management is the art and science of identifying, assigning, and responding to risk throughout the life of a project and in the best interests of meeting project objectives
Risk management is often overlooked on projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimates

What is Risk?

A dictionary definition of risk is “the possibility of loss or injury”
Project risk involves understanding potential problems that might occur on the project and how they might impede project success
Risk management is like a form of insurance; it is an investment

Why Take Risks?

Because of Opportunities!
Try to balance risks and opportunities
[Figure: Risks / Opportunities]

What is Project Risk Management?

The goal of project risk management is to minimize potential risks while maximizing potential opportunities. Major processes include:
– Risk management planning: deciding how to approach and plan the risk management activities
– Risk identification: determining which risks are likely to affect a project
– Risk analysis: measuring the probability and consequences of risks and estimating their effects
– Risk response planning: taking steps to enhance opportunities and reduce threats
– Risk monitoring and control: monitoring known risks, identifying new risks, and responding to risks over the course of the project

Risk Management Planning

The process of deciding how to approach and plan for risk management activities
The major inputs to this process:
– project charter, WBS, roles and responsibility matrix, corporate risk management policies, risk management templates
The major tool: planning meeting to develop the risk management plan
The major output: risk management plan
– it describes how risk identification, qualitative and quantitative analysis, response planning, monitoring, and control will be structured and performed
during the project life cycle

Broad Categories of Risk

Market risk: Will the new product be useful to the organization or marketable to others? Will users accept and use the product or service?
Financial risk: Can the organization afford to undertake the project? Is this project the best way to use the company’s financial resources?
Technology risk: Is the project technically feasible? Could the technology be obsolete before a useful product can be produced?

Common Sources of Risk on Information Technology Projects

Barry Boehm developed a list of top risk items in software development. Some are:
– Personnel shortfalls: To overcome personnel problems, obtain quality people and build a good team
– Control dynamic requirements: Some change in scope is inevitable, but control continuous changes. One way to do so is not to change the plan until it is absolutely clear that the changes are needed
– Control externally provided project components: combining system components from multiple sources creates risk. Reduce risk by coordination and compatibility checking
– Unrealistic estimates: This is due to difficulty in accurate estimation of cost and time. Build a cost risk factor into the budget or design the project within the budget

McFarlan’s Major Sources of Risk

According to F.W. McFarlan, there are three major categories of risk: people, structure, and technology
– People risk: includes inadequate skills (technical and managerial), inexperience in general, and inexperience in a specific area of technology
– Structural risk: includes the degree of change a new project will introduce into user areas and business procedures, the number of distinct groups the project must satisfy, and the number of other systems the new project must interact with
– Technological risk: involves using new or untried technology

Developing a Risk Management Plan

Questions a risk management plan should address:
– Why is it important to take/not take this risk in relation to the project objectives?
– What is the specific risk, and what are the risk mitigation deliverables?
– How is the risk going to be mitigated? What approach?
– Which individuals will be responsible for implementing the risk management plan?
– When will the milestones associated with the mitigation approach occur?
– How much is required in terms of resources to mitigate risk?

McFarlan’s Risk Questionnaire

1. What is the project estimate in calendar (elapsed) time?
   ( ) 12 months or less: Low = 1 point
   ( ) 13 months to 24 months: Medium = 2 points
   ( ) Over 24 months: High = 3 points
2. What is the estimated number of person days for the system?
   ( ) 12 to 375: Low = 1 point
   ( ) 375 to 1875: Medium = 2 points
   ( ) 1875 to 3750: Medium = 3 points
   ( ) Over 3750: High = 4 points
3. Number of departments involved (excluding IT)
   ( ) One: Low = 1 point
   ( ) Two: Medium = 2 points
   ( ) Three or more: High = 3 points
4. Is additional hardware required for the project?
   ( ) None: Low = 0 points
   ( ) Central processor type change: Low = 1 point
   ( ) Peripheral/storage device changes: Low = 1
   ( ) Terminals: Med = 2
   ( ) Change of platform, for example PCs replacing mainframes: High = 3

Risk Management Plan

The risk management plan documents the procedures for managing risk throughout the project
It summarizes the results of the risk identification, quantitative analysis, qualitative analysis, response planning, and monitoring and control processes
It is important to define specific deliverables for the project related to risk, assign people to work on the deliverables, and evaluate milestones associated with the risk management approach

Risk Management Plan

The risk management plan includes:
– Methodology of risk management: the approaches, tools and data sources that will be used
– Roles and responsibilities: defines the lead, support, and risk management team membership for each type of action
– Budgeting: budget for risk management for the project
– Timing: defines how often the risk management process will be performed throughout the
life cycle
– Scoring and interpretation: appropriate (qualitative and/or quantitative) methods used for risk analysis
– Threshold: the criteria for risks that will be acted upon, by whom, and in what manner
– Reporting formats: content and format of the dissemination of the risk response plan to stakeholders
– Tracking: documenting all facets of risk activities, benefiting the current project, identifying future needs, and lessons learned

Information Technology Success Factors

| Success Criterion | Points |
|---|---|
| User Involvement | 19 |
| Executive Management support | 16 |
| Clear Statement of Requirements | 15 |
| Proper Planning | 11 |
| Realistic Expectations | 10 |
| Smaller Project Milestones | 9 |
| Competent Staff | 8 |
| Ownership | 6 |
| Clear Visions and Objectives | 3 |
| Hard-Working, Focused Staff | 3 |
| Total | 100 |

Risk Identification

Risk identification is the process of determining which risks might affect the project and documenting their characteristics
In addition to identifying risk according to the areas discussed before, risks can be identified according to the project management knowledge areas, such as scope, time, and cost
Risk identification tools include: brainstorming among group members, interviewing people, checklists of a set of questions, process diagrams
The main output of risk identification is a list of risk events, triggers or risk symptoms, and inputs to other systems (internal or external)

Potential Risk Conditions Associated With Knowledge Areas

| Knowledge Area | Risk Conditions |
|---|---|
| Integration | Inadequate planning; poor resource allocation; poor integration management; lack of post-project review |
| Scope | Poor definition of scope or work packages; incomplete definition of quality requirements; inadequate scope control |
| Time | Errors in estimating time or resource availability; poor allocation and management of float; early release of competitive products |
| Cost | Estimating errors; inadequate productivity, cost, change, or contingency control; poor maintenance, security, purchasing, etc. |
| Quality | Poor attitude toward quality; substandard design/materials/workmanship; inadequate quality assurance program |
| Human Resources | Poor conflict management; poor project organization and definition of responsibilities; absence of leadership |
| Communications | Carelessness in planning or communicating; lack of consultation with key stakeholders |
| Risk | Ignoring risk; unclear assignment of risk; poor insurance management |
| Procurement | Unenforceable conditions or contract clauses; adversarial relations |

Risk Analysis

Risk analysis is the process of evaluating risks to assess the range of possible project outcomes
Risk probability is the likelihood that a risk will occur
Risk consequence is the effect on project objectives if the risk event occurs
Risks can be assessed qualitatively or quantitatively
Qualitative risk analysis involves identifying the probability of risk and consequences of risk in qualitative terms such as very high, high, moderate, low, or very low.
Quantitative risk analysis involves identifying the probability of risk and consequences of risk in quantitative terms

Qualitative Risk Analysis

Risk probability and risk consequence should be applied to specific risk events, not to the overall project
One technique of identifying qualitative risks is to create a probability/impact matrix, which assigns ratings for probability of risk and consequence of risks (impact) on risk events
Risks with high probability and high impact are likely to require further analysis, including quantification, and aggressive risk management
Many organizations rely on the intuitive feelings and past experience of experts to help identify potential project risks

[Figure: Probability-Consequence Chart]

Quantitative Risk Analysis

The quantitative risk analysis process aims to analyze numerically the probability of each risk and its consequences on project objectives, as well as the extent of overall project risk
It often follows from the qualitative risk analysis
The main techniques for
quantitative risk analysis are: decision tree and Monte Carlo simulation
– Decision tree is a diagramming method used to help select the best course of action in situations in which future outcomes are uncertain. A common application involves calculating expected monetary value (EMV)
– Monte Carlo analysis simulates a model’s outcome many times to provide a statistical distribution of the calculated results. A simulation may determine a project’s scope and cost goals at 10%, 50%, or 90% probability

[Figure: Expected Monetary Value (EMV) Example]

Risk Response Planning

Risk response planning is the process of developing options and determining actions to reduce risk
It includes the identification and assignment of individuals or parties to take responsibility for each agreed risk response
Important tools for risk response are:
– Risk avoidance: eliminating a specific threat or risk, usually by eliminating its causes
– Risk acceptance: accepting the consequences should a risk occur
– Risk transference: shifting the responsibility and consequence of risk to a third party
– Risk mitigation: reducing the impact of a risk event by reducing the probability of its occurrence

General Risk Mitigation Strategies for Technical, Cost, and Schedule Risks

Technical Risks
– Emphasize team support and avoid stand-alone project structure
– Increase project manager authority
– Improve problem handling and communication
– Increase the frequency of project monitoring
– Use WBS and PERT/CPM

Cost Risks
– Increase the frequency of project monitoring
– Use WBS and PERT/CPM
– Improve communication, project goals understanding and team support
– Increase project manager authority

Schedule Risks
– Increase the frequency of project monitoring
– Use WBS and PERT/CPM
– Select the most experienced project manager

Outputs of Risk Response Planning

The major outputs of risk response planning are: risk response plan, contingency plan, and contingency reserve
A risk management plan documents the procedures for managing risk throughout
the project
Contingency plans are predefined actions that the project team will take if an identified risk event occurs
Contingency reserves are provisions held by the project sponsor for possible changes in project scope or quality that can be used to mitigate cost and/or schedule risk

Risk Monitoring and Control

Risk monitoring and control involves executing the risk management processes and the risk management plan to respond to risk events
A previously identified risk may not materialize or a new risk event might arise. Newly identified risks need to go through the same process as those identified previously
Carrying out individual risk management plans involves monitoring risks on the basis of milestones and making decisions regarding risks and mitigation strategies
It may be necessary to alter a mitigation strategy if it is ineffective, implement a planned contingency activity, or eliminate a risk from the list when it no longer exists
Sometimes unplanned responses to risk events are needed when there are no contingency plans

Top 10 Risk Item Tracking

Top 10 risk item tracking is a tool for maintaining an awareness of risk throughout the life of a project
Establish a periodic review of the top 10 project risk items
List the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item

Example of Top 10 Risk Item Tracking

| Risk Item | Ranking This Month | Ranking Last Month | Number of Months | Risk Resolution Progress |
|---|---|---|---|---|
| Inadequate planning | 1 | 2 | 4 | Working on revising the entire project plan |
| Poor definition of scope | 2 | 3 | 3 | Holding meetings with project customer and sponsor to clarify scope |
| Absence of leadership | 3 | 1 | 2 | Just assigned a new project manager to lead the project after old one quit |
| Poor cost estimates | 4 | 4 | 3 | Revising cost estimates |
| Poor time estimates | 5 | 5 | 3 | Revising schedule estimates |

Using Software to Assist in Project Risk Management

Databases can keep track of risks.
Example: Visual SourceSafe for software version control
Spreadsheets can aid in tracking and quantifying risks
More sophisticated risk management software helps develop models and uses simulation to analyze and respond to various project risks

[Figure: Sample Monte Carlo Simulation Results for Project Schedule]

[Figure: Sample Monte Carlo Simulation Results for Project Costs]

Results of Good Project Risk Management

Unlike crisis management, good project risk management often goes unnoticed
Resolving a crisis receives much greater visibility, often accompanied by rewards
Well-run projects appear to be almost effortless, but a lot of work goes into running a project well
Project managers should strive to make their jobs look easy to reflect the results of well-run projects
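
Added example (not part of the original slides): the two quantitative techniques named under Quantitative Risk Analysis, expected monetary value and Monte Carlo simulation, applied to one small cost model that reports total cost at 10%, 50%, and 90% probability. The risk register, probabilities, dollar impacts, and three-point base estimate are constructed for illustration.

```python
import random

# Constructed risk register: (risk event, probability, cost impact in dollars).
# A negative impact is an opportunity (a saving); all figures are illustrative.
RISKS = [
    ("Personnel shortfall", 0.30, 40_000),
    ("Unrealistic estimate", 0.50, 25_000),
    ("Externally provided component incompatible", 0.20, 60_000),
    ("Reuse of an existing module (opportunity)", 0.40, -15_000),
]
# Constructed three-point estimate of the base project cost.
BASE_LOW, BASE_LIKELY, BASE_HIGH = 180_000, 200_000, 260_000


def expected_monetary_value(risks):
    """EMV = sum of probability x impact over all risk events."""
    return sum(p * impact for _, p, impact in risks)


def simulate_costs(risks, trials=20_000, seed=1):
    """Monte Carlo: draw a base cost, then let each risk occur or not."""
    rng = random.Random(seed)  # fixed seed so runs are repeatable
    totals = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode) in that order.
        cost = rng.triangular(BASE_LOW, BASE_HIGH, BASE_LIKELY)
        for _, p, impact in risks:
            if rng.random() < p:
                cost += impact
        totals.append(cost)
    return sorted(totals)


def percentile(sorted_values, pct):
    """Cost that pct percent of the simulated outcomes do not exceed."""
    index = min(len(sorted_values) - 1, int(len(sorted_values) * pct / 100))
    return sorted_values[index]


if __name__ == "__main__":
    totals = simulate_costs(RISKS)
    print(f"EMV of risk events: {expected_monetary_value(RISKS):,.0f}")
    for pct in (10, 50, 90):
        print(f"P{pct} total cost: {percentile(totals, pct):,.0f}")
```

The gap between the P50 and P90 costs is one way to size a contingency reserve; the EMV alone gives only the average exposure and hides that spread.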