MDP273a Project Risk Management v1.0 Participant Guide

© 2009 TechSkills LLC, d/b/a Corporate Education Group. All Rights Reserved.

Written and published by:

Corporate Education Group
1 Executive Drive, Suite 301
Chelmsford, MA 01824-2558
978-649-8200

No parts of this guide may be reproduced or transmitted in any form, or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without prior written permission of the publisher.

This publication is a derivative work of A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Fourth Edition, which is copyrighted material of and owned by, Project Management Institute, Inc. (PMI), copyright (2008). This publication has been developed and reproduced with the permission of PMI. Unauthorized reproduction of this material is strictly prohibited. The derivative work is the copyrighted material of and owned by TechSkills LLC d/b/a Corporate Education Group, copyright (2009).

“PMI”, the PMI logo, “PMP”, the PMP logo, “PMBOK”, “PgMP”, “Project Management Journal”, “PM Network”, and the PMI Today logo are registered marks of the Project Management Institute, Inc. All other marks are the property of their respective owners.

Any references to company names or individuals in this guide are for demonstration purposes only and are not intended to refer to any actual organization or person(s).

Disclaimer:

While Corporate Education Group takes care to ensure accuracy of the materials in this guide, Corporate Education Group cannot guarantee the accuracy and does not provide any warranty whatsoever.

Printed in the United States of America.

Table of Contents

Course Introduction
Course Objectives
Course Information
A Tour of the Participant Guide
Sources and Additional Readings

Module 1: Introduction to Project Risk Management
    Module Introduction
    Module Objectives
    Topic 1: Project Risk Management in the Context of Project Management
    Topic 2: What is Project Risk Management?
    Topic 3: Project Risk Management in a Project Life Cycle
    Topic 4: Fundamental Principles of Project Risk Management
    Topic 5: Overview of Project Risk Management
    Module Summary

Module 2: Plan Risk Management
    Module Introduction
    Module Objectives
    Topic 1: Overview of the Plan Risk Management Process
    Topic 2: Inputs to the Plan Risk Management Process
    Topic 3: Tools and Techniques for the Plan Risk Management Process
    Topic 4: Outputs from the Plan Risk Management Process
    Module Summary

Module 3: Identify Risks
    Module Introduction
    Module Objectives
    Topic 1: Overview of the Identify Risks Process
    Topic 2: Inputs to the Identify Risks Process
    Topic 3: Tools and Techniques for the Identify Risks Process
    Topic 4: Outputs from the Identify Risks Process
    Module Summary

Module 4: Perform Qualitative Risk Analysis
    Module Introduction
    Module Objectives
    Topic 1: Overview of the Perform Qualitative Risk Analysis Process
    Topic 2: Inputs to the Perform Qualitative Risk Analysis Process
    Topic 3: Tools and Techniques for the Perform Qualitative Risk Analysis Process
    Topic 4: Outputs from the Perform Qualitative Risk Analysis Process
    Module Summary

Module 5: Perform Quantitative Risk Analysis
    Module Introduction
    Module Objectives
    Topic 1: Overview of the Perform Quantitative Risk Analysis Process
    Topic 2: Inputs to the Perform Quantitative Risk Analysis Process
    Topic 3: Tools and Techniques for the Perform Quantitative Risk Analysis Process
    Topic 4: Outputs from the Perform Quantitative Risk Analysis Process
    Module Summary

Module 6: Plan Risk Responses
    Module Introduction
    Module Objectives
    Topic 1: Overview of the Plan Risk Responses Process
    Topic 2: Inputs to the Plan Risk Responses Process
    Topic 3: Tools and Techniques for the Plan Risk Responses Process
    Topic 4: Outputs from the Plan Risk Responses Process
    Module Summary

Module 7: Monitor and Control Risks
    Module Introduction
    Module Objectives
    Topic 1: Overview of the Monitor and Control Risks Process
    Topic 2: Inputs to the Monitor and Control Risks Process
    Topic 3: Tools and Techniques for the Monitor and Control Risks Process
    Topic 4: Outputs from the Monitor and Control Risks Process
    Module Summary

Appendix A: Exercises
Appendix B: Solutions
Appendix C: Job Aids

Table of Figures

Figure 1-1. Competing Project Constraints
Figure 1-2. Triple Constraint Model
Figure 1-3. Risk over the Project Life Cycle
Figure 1-4. Risk and the Project Life Cycle
Figure 1-5. Spiral Life Cycle Example
Figure 1-6. Balance Response to Risk with Proportionate Expenditure
Figure 1-7. Project Risk Management Process Group Map
Figure 1-8. Project Risk Management Overview
Figure 1-9. Planning Process Group
Figure 2-1. Project Risk Management Process Group Map: Plan Risk Management
Figure 2-2. Plan Risk Management: Data Flow Diagram
Figure 2-3. Plan Risk Management: Inputs, Tools & Techniques, and Outputs
Figure 2-4. Definition of Impact Scales for Four Project Objectives
Figure 2-5. Example of a Risk Breakdown Structure (RBS)
Figure 3-1. Project Risk Management Process Group Map: Identify Risks
Figure 3-2. Using a Process Approach to Identify Risks
Figure 3-3. Identify Risks: Data Flow Diagram
Figure 3-4. Identify Risks: Inputs, Tools & Techniques, and Outputs
Figure 3-5. Sample Cause-and-Effect Diagram
Figure 3-6. Sample System/Process Flowchart
Figure 3-7. Sample Influence Diagram
Figure 3-8. SWOT Diagram Example
Figure 3-9. Sample Risk Register
Figure 3-10. Sample Risk Register Worksheet
Figure 4-1. Project Risk Management Process Group Map: Perform Qualitative Risk Analysis Process
Figure 4-2. Perform Qualitative Risk Analysis: Data Flow Diagram
Figure 4-3. Subjective and Objective Risk Analysis Techniques
Figure 4-4. Perform Qualitative Risk Analysis: Inputs, Tools & Techniques, and Outputs
Figure 4-5. Probability and Impact Matrix
Figure 4-6. Risk Score Change Over Time
Figure 5-1. Project Risk Management Process Group Map: Perform Quantitative Risk Analysis
Figure 5-2. Perform Quantitative Risk Analysis: Data Flow Diagram
Figure 5-3. Normal Distribution and Standard Deviation Ranges
Figure 5-4. Perform Quantitative Risk Analysis: Inputs, Tools & Techniques, and Outputs
Figure 5-5. Range of Project Cost Estimates from Stakeholder Interview
Figure 5-6. Two Commonly Used Probability Distributions
Figure 5-7. Sensitivity Analysis: Labor Rates and Total Project Budget
Figure 5-8. Tornado Diagram Example: Panama Canal Third-Lane Locks
Figure 5-9. Sensitivity Analysis Scenario: Summary
Figure 5-10. Simplified Decision Tree
Figure 5-11. Decision Tree Diagram Example
Figure 5-12. Cost Risk Simulation Results
Figure 5-13. Monte Carlo Simulation Results Example
Figure 6-1. Project Risk Management Process Group Map: Plan Risk Responses
Figure 6-2. Plan Risk Responses Data Flow Diagram
Figure 6-3. Plan Risk Responses: Inputs, Tools & Techniques, and Outputs
Figure 7-1. Project Risk Management Process Group Map: Monitor and Control Risks
Figure 7-2. Monitor and Control Risks Data Flow Diagram
Figure 7-3. Monitor and Control Risks: Inputs, Tools & Techniques, and Outputs
Figure 7-4. Sample Risk Trend Analysis Format
Figure 7-5. Sample Technical Performance Chart

Course Introduction

Managing risks is a key element of effective project management. In this course you will gain knowledge of the processes of Project Risk Management. You will also:

• Apply skills from these processes to class projects
• Explore the benefits of managing risks and the consequences of failing to do so
• Gain experience identifying, analyzing, and responding to risks—both positive and negative—in projects through lectures, discussions, group activities, a case study, and work examples

The Project Risk Management course aims to develop a foundation of project management skills using generally accepted project management knowledge and practices. This course complies with standards of the Project Management Institute (PMI®) and the PMI® publication A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Fourth Edition.

Project Risk Management seeks to increase the probability and impact of positive events in a project, and decrease the probability and impact of events adverse to the project. The processes in Project Risk Management are initiated early in the project and are implemented continuously throughout the project. The project manager is responsible for ensuring that the risk management plan is properly executed and for evaluating the effectiveness of the entire risk management process.

The course will help you develop risk management skills and prepare in part for Project Management Professional (PMP®) certification from the Project Management Institute.

Note: Completing the Project Management Professional (PMP®) certification process and obtaining Microsoft Project proficiency are not objectives for this course. PMP® certification is available only through the Project Management Institute (PMI®), which has specific educational and experiential requirements that determine whether an individual is eligible to apply for certification.

Course Objectives

Upon completion of the course, the participant will be able to:

• Incorporate the processes of the Project Risk Management Knowledge Area into day-to-day project management activities
• Describe the Project Risk Management process interactions and data flow
• Identify the benefits of managing risk and the impacts on project objectives when risk is not managed effectively
• Explain the iterative nature of the risk management processes and the need for the processes to be performed throughout the life of the project
• Describe the components of the risk management plan
• Determine stakeholder risk tolerance
• Use inputs and tools and techniques of the Project Risk Management processes to identify and categorize risks
• Conduct a probability and impact assessment for identified project risks
• Apply Perform Quantitative Risk Analysis process techniques to evaluate project risks
• Develop appropriate risk response strategies to address positive and negative risks
• Choose appropriate techniques to track identified risks, monitor residual risks, and identify new risks

Course Information

Course Agenda

Day 1

• Module 1: Introduction to Project Risk Management
• Module 2: Plan Risk Management
• Module 3: Identify Risks
• Module 4: Perform Qualitative Risk Analysis

Day 2

• Module 5: Perform Quantitative Risk Analysis
• Module 6: Plan Risk Responses
• Module 7: Monitor and Control Risks

Housekeeping

Your instructor will provide information on:

• Coffee breaks
• Lunch
• Location of restrooms
• Location of exits
• “Parking lot” – a place to record questions that will be answered later in the course

Expectations for Participants

Participants are expected to:

• Arrive on time for every class
• Actively participate in class work
• Attend 90% (minimum) of scheduled class time

CLASS DISCUSSION: INTRODUCTIONS

• Name
• Current role
• Experience in project management
• Personal objectives for the course
• Fun fact (a hobby or interest apart from work or project management, not including children or pets)

A Tour of the Participant Guide

The Project Risk Management Participant Guide presents the body of content covered in the course. The material in the guide is organized in the same sequence as the slides. This guide:

• Enables you to follow the presentation in class and take notes if desired.
• Provides a reference that you can use after the class is over.

Course Structure

Modules consist of one or more numbered topics. Topics are divided into subtopics.

In general, each subtopic in the Participant Guide is covered by one slide. The guide does not include images of the slides.

The Participant Guide appendices include exercises, exercise solutions, and job aids.

Participant Guide Components

The Participant Guide consists of the following components, many of which are associated with icons and callout boxes:

Objectives

The overall course objectives are presented at the beginning of the course, with more detailed objectives at the beginning of each module.

Business Challenges and the Case Study

The SummerFest Case Study is threaded through this course. Examples of familiar business challenges based on the case study are used to introduce the participant to the subject matter. The same case study forms the background for many of the exercises conducted in class.

Definitions

Key terms are defined in the module where they are first introduced. Definitions are highlighted in the Participant Guide and are often displayed in the slide presentation.

Class Discussions and Group Breakouts

The course includes specific time periods set aside for discussion, with specific questions suggested. The discussion questions are inserted at designated points in both the slides and the Participant Guide.

Discussions may be facilitated by the instructor or conducted in small groups.

Examples

Brief examples unrelated to the case study may appear from time to time in this callout box.

For more lengthy examples, such as samples of typical project management work products, you will be referred to Appendix C.

Exercises and Activities

Exercises are a chance for you to apply what you are learning in the course. Exercises are provided in Appendix A of the Participant Guide.

Activities are short exercises which may appear from time to time in this callout box.

Job Aids

A variety of templates and sample work products are included with this course as job aids. The purpose of the job aids is to reinforce what you learned in class after you return to the workplace.

Job aids are in Appendix C of the Participant Guide.

Tip

Tip statements provide suggestions in the context of a process step or application of a technique.

Caution

Caution statements highlight potential challenges when working on a particular technique or process step.

Participant Guide Appendices

Appendices are located in separate tabs of the Participant Guide.

Appendix A: Exercises

Exercises in Appendix A include procedures and any inputs or templates you may need to complete the assignments. Your instructor will provide additional guidance.

Appendix B: Solutions

Upon completing an exercise, you will usually be asked to compare your results with a suggested solution in Appendix B.

Appendix C: Job Aids

Appendix C includes templates that you can use in your workplace and samples of project management deliverables. You may use these samples as a reference when doing the exercises.

Sources and Additional Readings

• General Project Management

  ◦ Adams, John R., Principles of Project Management (PMI Books).
  ◦ Brassard, Michael and Diane Ritter, The Memory Jogger II: A Pocket Guide of Tools for Continuous Improvement and Effective Planning, 1st Ed. Salem, NH: GOAL/QPC, 1994.
  ◦ Berkun, Scott, The Art of Project Management. Sebastopol, CA: O'Reilly, 2005.
  ◦ DeCarlo, Doug, eXtreme Project Management: Using Leadership, Principles, & Tools to Deliver Value in the Face of Volatility, 1st Ed. San Francisco, CA: Jossey-Bass, 2004.
  ◦ DeMarco, Tom, The Deadline: A Novel about Project Management. Dorset House Publishing Company, 1997.
  ◦ Kemp, Sid, Project Management Demystified. New York, NY: McGraw-Hill, 2004.
  ◦ Kemp, Sid, Ultimate Guide to Project Management. Madison, WI: CWL Publishing Enterprises, Inc., 2005.
  ◦ Kendrick, Tom, PMP, Results Without Authority: Controlling a Project When the Team Doesn't Report to You -- A Project Manager's Guide. New York, NY: AMACOM, 2006.
  ◦ Kerzner, Harold, PhD, Project Management: A Systems Approach to Planning, Scheduling, and Controlling, 10th Ed. Hoboken, NJ: John Wiley & Sons, Inc., 2009.
  ◦ Larson, Eric W. and Clifford F. Gray, Project Management: The Managerial Process. McGraw-Hill Companies, Inc., 2003.
  ◦ Leach, Lawrence P., Lean Project Management: Eight Principles for Success. Boise: Advanced Projects, Inc., 2005.

  ◦ Martin, Paula and Karen Tate, The Project Management Memory Jogger: A Pocket Guide for Project Teams, 1st Ed. Salem, NH: GOAL/QPC, 1997.
  ◦ Phillips, Jack J., Ph.D., Timothy W. Bothell, Ph.D., and Lynne G. Snead, The Project Management Scorecard. Butterworth-Heinemann, 2002.
  ◦ Pinkerton, William, Project Management: Achieving Project Bottom-Line Success. McGraw-Hill Professional, 2003.
  ◦ Schwalbe, Kathy, Information Technology Project Management. Course Technology, 2009.
  ◦ Stackpole, Cynthia, A Project Manager’s Book of Forms: A Companion to the PMBOK Guide, 4th Ed. Hoboken, NJ: John Wiley & Sons, Inc., 2009.
  ◦ Thomsett, Rob, Radical Project Management. Upper Saddle River, NJ: Prentice Hall PTR, 2002.
  ◦ Thomsett, Michael C., Little Black Book of Project Management, 2nd Ed. AMACOM, 2002.
  ◦ Wiefling, Kimberly, Scrappy Project Management: The 12 Predictable and Avoidable Pitfalls Every Project Faces. Silicon Valley: Scrappy About™, 2007.
  ◦ Wysocki, Robert K., PhD, Effective Project Management: Traditional, Agile, Extreme, 5th Ed. Indianapolis, IN: Wiley Publishing, 2009.

• Risk

  ◦ Ariely, Dan, Predictably Irrational: The Hidden Forces That Shape Our Decisions, 1st Ed. New York, NY: Harper, 2008.
  ◦ Kendrick, Tom, PMP, Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project, 2nd Ed. New York, NY: AMACOM, 2009.
  ◦ Mulcahy, Rita, PMP, Risk Management, Tricks of the Trade for Project Managers. RMC Publications, Inc., 2003.
  ◦ Ropeik, David and George Gray, Risk: A Practical Guide for Deciding What's Really Safe and What's Really Dangerous in the World Around You. New York, NY: Houghton Mifflin Company, 2002.
  ◦ Schuyler, John R., Risk and Decision Analysis in Projects, 2nd Ed. Newtown Square, PA: Project Management Institute, 2001.
  ◦ Wideman, R. Max, Project Program Risk Management: A Guide to Managing Project Risk & Opportunities. Project Management Institute, 1992.

Module 1: Introduction to Project Risk Management

Module Introduction

Project Risk Management is one of the nine Knowledge Areas in the Project Management Body of Knowledge (PMBOK®). The goals of Project Risk Management are to increase the probability and impact of positive events to a project, and to decrease the probability and impact of adverse events.

This module, Introduction to Project Risk Management, describes how risk management is integrated with project management as a whole. It identifies how the Project Risk Management Knowledge Area intersects with the five Project Management Process Groups: Initiating, Planning, Executing, Monitoring & Controlling, and Closing.

The module also introduces the Project Risk Management processes:

• Plan Risk Management
• Identify Risks
• Perform Qualitative Risk Analysis
• Perform Quantitative Risk Analysis
• Plan Risk Responses
• Monitor and Control Risks

In addition, this module:

• Provides background information about risk and risk management
• Introduces the language and practice of Project Risk Management in the context of the project management life cycle

Module Objectives

Upon completion of this module, the participant will be able to:

• Define Project Management
• Define Project Risk Management and explain its goals
• Explain how risks evolve during the project life cycle
• Identify fundamental concepts of risk management
• Identify the benefits of managing risk and the impacts on project objectives when risk is not managed effectively
• Explain the iterative nature of the risk management processes and the need for the processes to be performed throughout the life of the project

Topic 1: Project Risk Management in the Context of Project Management

This section provides an overview of Project Risk Management in the context of the Project Management Body of Knowledge. This section also explains some of the key terms used in Project Risk Management.

All projects have two features:

• Projects are temporary. A project has a definite beginning and well-defined completion criteria (a planned ending). The temporary nature of a project may also apply to the products it is designed to produce, since the window of opportunity for a product is often short-lived.
• Projects are unique. Projects are not repetitive in nature and do not describe an ongoing operation or a production run. Projects are designed to produce unique deliverables—a product, a capability, or a result.

Because a project is unique by definition, it will encounter new, unexplored territory in some way. This is why Project Risk Management is such a key part of Project Management.

Key Project Attributes

Projects differ in size and type but have specific characteristics or

attributes. These attributes help identify a project:

? Developed using progressive elaboration

? Requires resources, often from various departments or organizations

? Must have a primary sponsor or customer

? Involves uncertainty

? Has specific objectives

Uncertainty

Each project’s unique qualities may make it challenging to define the

project’s objectives clearly, for example, to estimate how long a

project will take to complete, or to determine how much it will cost.

Sometimes, external factors interfere, for instance, a supplier—or a

competitor—going out of business, or a key team member needing

unscheduled time off. This uncertainty is one of the primary reasons

project management is so challenging, especially with projects that

involve cutting-edge technologies or take place in highly volatile

markets.

Defining Project Management

The use of project management methodology has increased dramatically

since the latter half of the twentieth century. This trend is due to the

successes, failures, and lessons learned when organizations undertake

large, difficult-to-define, complex, and lengthy challenges. Projects

today might be even more difficult to manage with traditional

organizational structures and management methodologies.

DEFINITION: PROJECT MANAGEMENT

“The application of knowledge, skills, tools, and techniques to project activities to meet the project requirements.”

PMBOK® Guide, Fourth Edition


Project management is a universal discipline that delivers consistent,

predictable, and repeatable projects, and can be applied to any

project, regardless of size, budget, or timeline.

Applications of Project Management

Project management is a proven discipline that can be applied to many

scenarios. The level of project management diligence depends on:

• The importance of the project
• The difficulty of the project
• Experience with the type of project
• The size of the project
• The risk factors for the project

The concept of diligence also applies to Project Risk Management. Risk

analysis, management, and response can be time-consuming and

expensive. For significant risks on important projects, however, it

makes sense to invest that time to either enhance a project opportunity

or reduce a project threat.

The idea of applying these techniques commensurately with the depth

and breadth of the project is an important theme throughout this

course, and throughout all of Project Management practice.

Defining Stakeholders

Many individuals within a project manager’s organization, the

customer’s organization, and from regulatory or industry-specific groups

are interested in or affected by a project. Collectively, these individuals

are called project stakeholders.


DEFINITION: STAKEHOLDER

“Person or organization (e.g., customer, sponsor, performing organization, or the public) that is actively involved in the project, or whose interests may be positively or negatively affected by execution or completion of the project. A stakeholder may also exert influence over the project and its deliverables.”

PMBOK® Guide, Fourth Edition

Stakeholders are people involved in or affected by the project activities

and include the project sponsor, project manager, project team,

support staff, customers, users, suppliers, and even opponents of the

project. Stakeholders often have different needs and expectations.

Typical Project Stakeholders

Typical project stakeholders include:

• Project sponsor—Person or group that provides the financial resources for the project
• Project manager—Person responsible for the successful accomplishment of the project
• Customers and/or users—People who determine the project deliverables (requirements) and often are, or represent, the user of the final product or service
• Performing organization—The enterprise whose personnel are most directly involved in doing the work of the project
• Project team members—Individuals who perform the required project tasks
• Suppliers—Employees of organizations that provide services and/or products to the performing organization

A successful project meets the stakeholders’ requirements and

expectations. A primary responsibility of a project manager is to

understand and manage the stakeholders’ expectations. Learning the

many stakeholders’ interests in the project and then trying to satisfy all

of them, within the bounds of the contract or project management

plan, is a challenging task.


Before a project management plan can be prepared, it is important to

understand and document stakeholder needs and expectations.

Key Elements for Managing a Project

A project manager must simultaneously manage three basic principles of

project management to deliver a successful project:

• Identify requirements
• Address stakeholders’ needs, concerns, and expectations as the project is planned and executed
• Balance competing project constraints, including but not limited to:
  - Scope
  - Quality
  - Schedule
  - Budget
  - Resources
  - Risk

Figure 1-1 shows the competing project constraints.

Figure 1-1. Competing Project Constraints


A project manager establishes and maintains project stability by

carefully balancing the relationships between constraints. If one of the

factors shown in Figure 1-1 changes, it affects at least one of the other

factors.

Figure 1-2 shows the Triple Constraint Model, named for the concept that only (1) Time, (2) Cost, and (3) Scope and Quality are factors that affect one another.

Figure 1-2. Triple Constraint Model

As project management evolves as a discipline, professionals regularly

update and redefine what particular industries call good practices or

best practices. These widely recognized practices are based on

consensus for applying skills, tools, and techniques that enhance the

chance of success over a wide range of projects.


Today’s project managers agree that it is important to also recognize how the relationship of resources and risk, along with the three factors of Time, Cost, and Scope & Quality, affects the project managers’ ability to balance these competing constraints. PMI also renamed the term “Time” to Schedule and “Cost” to Budget to be more specific when discussing project constraints.

The PMBOK® Guide and its Knowledge Areas

The Project Management Institute (PMI) publishes “A Guide to the Project Management Body of Knowledge,” known as the PMBOK® Guide.

The PMBOK® Guide contains a framework of 42 project management

processes that are applicable to nine project management Knowledge

Areas.

Six of the 42 processes are Project Risk Management processes. These

are introduced in Topic 4 of this module. All Project Risk Management

processes are numbered starting with an “11” because Project Risk

Management is Chapter 11 of the PMBOK® Guide.

The nine project management Knowledge Areas are:

• Project Integration Management
• Project Scope Management
• Project Time Management
• Project Cost Management
• Project Quality Management
• Project Human Resource Management
• Project Communications Management
• Project Risk Management
• Project Procurement Management

Although Project Risk Management is a distinct knowledge area, this

course shows that the effects of risk interplay with all other Knowledge

Areas.


Topic 2: What is Project Risk Management?

THE BUSINESS CHALLENGE

Inspired by attending a Memorial Day parade while visiting her in-laws in a

neighboring state, Hannah Foster proposes that SummerFest, the four-day

June town fair, add a Saturday morning parade to boost attendance and

generate additional revenues.

As a board member of Citizens Collaborative, the nonprofit group that

manages SummerFest, Hannah is all too aware of a three-year trend that

shows declining Saturday attendance. The board has discussed various ways

to address that decline. Fellow board member Jack North immediately

dismisses the parade idea as too risky. "It's like using a fire hose to blow out

a candle," he says. "Who knows what you destroy in the process. We have no

idea what risks it will generate, and for totally speculative benefits."

Risk, Hannah reminds the board, can also mean opportunity. “Besides,” she says, “any action involves risk. What does it hurt to look into it? This might be a huge revenue opportunity.” Hannah does some research, and learns that the parade is a huge tourism booster for her in-laws' town.

In a close vote, the board opts to pursue the SummerFest parade. Hannah

Foster drafts a scope statement for the project, and Ana Cruz is brought in

to manage it.

• How can Ana best identify and prepare for risks that might be involved in the parade project?

The risk management process is a methodical progression, from

discovery (or identification) to analysis and responding to project risk. A

project manager must understand a particular risk in terms of its

relative significance to the project and in relationship to other risks.

Risk is an inherent part of all human endeavors. Most decisions,

including the most simple, involve risk.


Defining Risk

Some consider risk as a source of danger or possibility of incurring loss

or misfortune, while others define risk as a venture undertaken without

regard to possible loss or injury. This type of risk is called a threat.

DEFINITION: THREAT

“A condition or situation unfavorable to the project, a negative set of circumstances, a risk that will have a negative impact on a project objective if it occurs, or a possibility for negative changes.”

PMBOK® Guide, Fourth Edition

Risk can also be defined as an uncertain event with a positive probable

consequence. This type of risk is called an opportunity.

DEFINITION: OPPORTUNITY

“A condition or situation favorable to the project, a positive set of circumstances, a positive set of events, a risk that will have a positive impact on project objectives, or a possibility for positive changes. Contrast with threat.”

PMBOK® Guide, Fourth Edition

Thus the PMBOK® Guide, Fourth Edition, defines risk as either positive

or negative.

DEFINITION: RISK

“An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.”

PMBOK® Guide, Fourth Edition


Risk Events and Conditions

A risk event differs from a risk condition.

• Risk event: an occurrence or outcome that has a positive or negative effect on a project’s objectives
• Risk condition: a circumstance of the project’s context that contributes to positive or negative risks

What is Project Risk?

A project risk is any uncertain event or condition that, if it occurs, has a

positive or negative effect on at least one project objective, such as

time, cost, scope or quality. For example, if a key expert resource is

injured in a traffic accident, the risk event may affect schedule (if work

is delayed until the resource can return), cost (if a substitute resource

must be hired), and quality (if a substitute resource lacks the expertise

of the injured person).

CLASS DISCUSSION: WHAT RISK MANAGEMENT CHALLENGES DO YOU

CURRENTLY FACE?

• What risk-related initiatives or programs are implemented at your companies today?
• Working with your group, select the five biggest risk management challenges that you or your company currently face.

Goals of Risk Management

Risk is inherent in all projects and may impact one or more elements of

the project baseline. Risks have one or more causes, and may have

more than one impact if they occur. The goal of risk management is to:

• Maximize the probability and impact of opportunity
• Minimize the probability and impact of threats

Risk management requires that the project manager anticipate problems long before they occur and take action to keep the project running smoothly.


Similarly, the project manager must actively seek opportunities to

enhance project performance. Other risk management goals include:

• Identify as many plausible risk events as possible
• Establish contingency plans and funds to cover risk events that do materialize
• Manage responses to risk events

Why Risk Management is Important

Managing risk is important because it:

• Leads to early recognition of risks
• Ensures design and application of effective risk responses
• Matches the investment and effort to control risks with their potential to impair or enhance the project
• Reduces burnout of team members
• Helps to ensure project success by mitigating risk

Because of the nature of risk and its potential to adversely affect

project success, the project team must assess risk and document their

risk management approach as early as possible in the project, during

the initiating processes if possible. A key aspect of the Define Scope

process, with development of the project scope statement, is to

identify and document project risks.

This early risk assessment in conjunction with the project’s dollar value,

visibility, and complexity will help determine the right approach to

manage project risk.

When is the Risk the Greatest Threat to the Project?

The chance that risk will have a negative effect on a project is greatest

at its beginning because less is known about the project’s environment.

Early in a project the cost impact of risk is also smaller than later in the

project. The project manager must identify, decide on a response, and

minimize the potential for risk during the early stages of the project.


The cost of a risk event occurring after a project passes the halfway

mark increases rapidly.

Figure 1-3. Risk over the project life cycle

Figure 1-3 shows an example of risk over a project life cycle. As a

project matures, the likelihood of known and unknown risk events drops

sharply.

It can be tempting to re-allocate unused risk contingency funds for non-

risk-related purposes. However, because the cost to fix risk events after

a project’s midpoint increases sharply, unused contingency funds may

well be needed to respond to subsequent risk events.

Risk management is a proactive process that helps project management

teams identify, prepare for, and address potential and realized risks

during a project.

Although risk management is a proactive approach that may reveal

many potential risks, the possibility of unknown risks cannot be

managed proactively. A prudent approach by the project management

team to deal with unknown risks might be to allocate general

contingency funds against such risks, as well as to known risks for which

response plans may not be cost-effective or possible to develop.


Benefits of Managing Risk

Project managers must use a systematic approach to managing risk to

ensure that all risks are identified and addressed.

Managing risk benefits the organization by:

• Increasing project visibility (profit and success)
• Focusing attention on mitigation by:
  - Using a proactive rather than reactive approach to risk management
  - Improving morale by providing rewards and incentives
• Preparing for risk realizations
• Providing a competitive advantage
• Generating personal success

Consequences of Failing to Manage Risk

Failing to recognize risk and risk potential can lead to project failure.

This is particularly likely with respect to achieving a project’s technical

performance objectives, such as transaction times, number of delivered

defects, or storage capacity.

Where risk can be avoided, the project management team must study

alternative approaches to the associated activity, choose one, and

incorporate it into the project management plan.

Where risk cannot be avoided, the team must develop and incorporate

mitigating strategies into the project management plan.

Failing to use Project Risk Management can cause two kinds of negative

consequences:

• Failure to meet project objectives
• Missed opportunities to exceed project objectives


Failing to Meet Project Objectives

Consequences of failure to meet project objectives include:

• Significant cost overruns
• Schedule delays
• Failure to deliver the committed project scope
• Project cancellation
• Fines and penalties
• Injuries and damages
• Personal and/or organizational liabilities
• Loss of credibility
• Loss of market share

Missed Opportunities to Exceed Project Objectives

Failure to use risk management commonly results in failure to take

advantage of opportunities in the four major categories of project

objectives.


| OBJECTIVE | MISSED OPPORTUNITY |
|---|---|
| Scope | To identify and include additional functionality by reusing existing components for modest additional investment |
| | To build the infrastructure of the solution to support enhancements more efficiently |
| Schedule | To fast-track activities (or networks of activities) by limiting the interaction between the components of the product (uncoupling) |
| | To substitute highly productive capital resources for labor by taking advantage of windows of opportunity when these resources are available |
| Cost | To obtain the best rates for resources through competitive bidding, or by leveraging buying power across several projects |
| | To obtain funding at the lowest cost to the organization |
| | To leverage reusable components |
| Quality | To leverage higher quality resources when they unexpectedly become available |
| | To leverage the best available components and materials |


Risk Management and the Organizational Culture

Risk management can be affected by these aspects of an organization’s

culture:

• Organizational standards and policies
• Expectations and behaviors
• Resistance
• Optimism

Organizational Standards and Policies

Organizational standards and policies often provide guidance to ensure

a degree of consistency across projects. Likewise, planning for risk

management on a project involves choosing the best application of

organizational policies commensurate with the overall project risk. The

risk management plan is the project manager’s commitment to the

sponsor and organization regarding standards for risk management.

Expectations and Behaviors

Risk management may be affected by the culture in an organization. To

ensure that the process of managing risk is rooted in the organization’s

culture and policy, the process must begin before the project begins.

Without well-established expectations and without models of effective

behavior by senior management, a project manager’s attempts to

manage risk are likely to be misunderstood, resisted, and ultimately

prove fruitless.

An organization must also subscribe to the principle that a well-

designed process, when properly followed, is the best guarantee against

the potential of risks arising due to errors or omissions.


Resistance

If an organization’s culture involves resisting the application of process

discipline, even the basic project management processes cannot be

effectively and diligently executed. This situation leads to a continuous

and growing stream of errors and omissions, creating risks that cannot

be managed by simply applying more processes.

Optimism

Organizations that are eternally optimistic may be unwilling to explore

the possibilities of negative outcomes. They demonstrate a form of

organizational denial. Because they attempt to minimize the likelihood

and impact of negative events, it is difficult to persuade them to invest

the necessary resources, including time and money, in risk management

activities.

They are also reluctant to commit contingency reserves.

DEFINITION: CONTINGENCY RESERVE

“The amount of funds, budget, or time needed above the estimate to reduce the risk of overruns of project objectives to a level acceptable to the organization.”

PMBOK® Guide, Fourth Edition

Project failures in these organizations are frequently downplayed or

even covered up. On the other hand, organizations that take time to

consider possible negative outcomes and conscientiously prepare to face

or eliminate them will adopt risk management readily.


Topic 3: Project Risk Management in a Project Life Cycle

Project Risk Management describes the entire discipline, from beginning

to the end of a project. A project may consist of multiple phases. Each

phase may have its own risk characteristics, such as concept exploration

or final production. At the beginning and at key points of each phase, a

specific risk assessment may be performed to identify risks and to assess

their severity. Risk management happens within each phase of the

project life cycle.

What is a Project Phase?

DEFINITION: PROJECT PHASE

“A collection of logically related project activities, usually culminating in the completion of a major deliverable. Project phases are mainly completed sequentially, but can overlap in some project situations. A project phase is a component of a project life cycle. A project phase is not a Project Management Process Group.”

PMBOK® Guide, Fourth Edition

Information technology projects offer a clear illustration of the concept

of project phases. Several phases are used to manage unique processes

and deliverables. For example, the requirements phase defines the

basic performance requirements of the system, while the subsequent

design phase determines how to best fulfill those requirements. The

requirements phase will generally produce requirements documents,

whereas the design specifications are the result of the design phase.

What is a Project Life Cycle?

Projects are divided into several project phases to provide better

management control and appropriate links to ongoing operations of the

performing organization. Collectively, these phases are known as a

Project Life Cycle.


DEFINITION: PROJECT LIFE CYCLE

“A collection of generally sequential project phases whose name and number are determined by the control needs of the organization or organizations involved in the project. A life cycle can be documented with a methodology.”

PMBOK® Guide, Fourth Edition

Project Phases and Life Cycles

Projects and their life cycles are usually divided into project phases.

Each phase of the project life cycle is marked by the completion of one

or more deliverables and allows for Go or No-Go decisions. Phases

define:

• Work to be done
• Who should be involved

The conclusion of a project phase in the life cycle is marked by a review

of both key deliverables and project performances. These checkpoints

are often called phase exits, stage gates, Q-gates, or kill points.

Reviews are conducted in order to determine if the project should

continue, and to detect and correct any variances in a timely manner.

Many project life cycle models are available for use in project

management. The project manager is responsible for selecting the life

cycle that best supports the type of project being managed.

Perform risk processes throughout a project life cycle to identify and

manage significant risks. A project risk analysis can be performed at any

time during the project life cycle. In fact, one of the earliest actions

when planning for risk is to determine at what point during the project

life cycle risk analysis must be performed.

Subsequent reviews and revisions must be performed periodically.

Project managers conduct risk analyses for the following reasons:

• A major risk that was previously identified has been realized
• The potential of a high-risk item changed
• The potential for new risks has been identified


Project Life Cycles and Risk

The project risk management process is iterative. Managing the project

and managing existing risks leads to the discovery of new risks. The

progress of the project will unearth new unknowns and assumptions.

Very late in a project a project manager may discover issues that

cannot be anticipated, for example, regulatory changes, changes in

personnel, or issues with manufacturing.

Figure 1-4 shows an example of risk and the project life cycle. Over

time, the analysis of risk should show that probability and impacts of

risks are decreasing in response to effective management as shown

below. However, residual risks may remain. The probability of risk may

be decreased significantly, but risk will never be absent.

Figure 1-4. Risk and the Project Life Cycle

Project managers must establish a threshold of risk acceptance for each

type of risk.

Think of risk management as an integrated discipline that is practiced

continually through the life of a project. This means that an action or

failure to take an action in one area usually affects other areas. Risk

management often requires tradeoffs among project objectives.


Performance in one area may be enhanced only by sacrificing

performance in another.

Managing Risk by Project Phase

Different phases involve different types and sizes of risk. Two main

principles cause this variation in project risk:

• The kind of work performed in each phase differs.
• Each kind of work introduces its own risks.

For example, in the design phase, the faulty application of a design

technique or tool can result in significant difficulties. This problem

cannot occur during testing or implementation because the tool or

technique is not used in those phases.

The earlier in the project life cycle that the risk is realized, the greater

the impact is on the rest of the project.

Because most problems propagate through the remaining project

management activities and deliverables, more of the value of the

project is affected by a problem in an early phase than by a problem in

a later phase.

For example, an omission in the specification that occurs in the design phase and then remains undetected until testing, or even implementation, will usually require reworking the design, as well as every downstream deliverable that is affected.

Example of Managing Risk throughout Phases of a Project

Project risk management processes are performed throughout the life

cycle of a project. Because each phase of a project introduces its own

risks, a fresh risk analysis must be performed when transitioning to a

new phase.

A problem with traditional software process models is that they do not

deal sufficiently with the uncertainty that is inherent to software

projects. Important software projects have failed because project risks


were neglected and no one was prepared when something unforeseen

happened. Barry Boehm recognized this and tried to incorporate project

risk into a project life cycle model. Figure 1-5 shows a spiral model of a

software development project, with risk analysis accompanying the

creation of each prototype.

Figure 1-5. Spiral Life Cycle Example


The radial dimension of the model represents cumulative costs. Each

path around the spiral reflects increased costs. The angular dimension

represents the progress made in completing each cycle. Each loop of

the spiral from the X-axis clockwise through 360 degrees represents one

phase. Each phase is split roughly into four sectors of major activities:

• Planning: Determining objectives, alternatives, and constraints
• Risk Analysis: Analyzing alternatives and attempting to identify and resolve risks
• Development: Developing and testing the product
• Assessment: The customer evaluating the product


Topic 4: Fundamental Principles of Project Risk Management

There are seven basic principles of Risk Management:

1. Determine proportionate expenditure

2. Use a pragmatic approach

3. Apply a graded approach

4. Use open communication

5. Apply continuous processes

6. Use integrated risk management

7. Use a team approach


1. Determine Proportionate Expenditure

The time and money spent in analyzing risk and determining risk management

and mitigation strategies must be considered from a cost to benefit

perspective. It should not cost more to manage or mitigate the risk than to

realize the risk. The goal of the risk management or mitigation strategy is to

significantly reduce the risk potential and to cost significantly less than the

realized risk.

Realized risk describes the impact to the project if the risk actually occurs in

an unmitigated manner. An example of this may be the development of a work-

around strategy that adds five days to the project schedule in order to avoid a

prospective risk, but implementing the strategy causes an additional schedule

delay of three days. This is not considered wise risk management.

Figure 1-6. Balance Response to Risk with Proportionate Expenditure

Determine Expenditure Proportionate to the Realized Risk

Realized risk is the impact to the project if the risk actually occurs. This

can be shown in terms of financial loss, delay in schedule, or inability to

achieve stated objectives and/or requirements. Ultimately, each of

these can be reduced to the time and cost that will be required to

repair or recover from the risk event. An example: one might wish to

estimate the value of realized risk from a public disaster such as a

hurricane. Losses are not simply declared as a loss of a million dollars.

Instead, the costs are defined in terms of the cost to return to normal,

such as rebuilding roads, houses, and public infrastructure. Likewise

when a project suffers a loss, some course of corrective action is taken

to recover. The cost of that action (in terms of time, resources, and

budget) is the true realized risk.


In some project domains, the idea of realized risk is replaced by the

value of the risk factored by the probability that it will occur.

Statistically, a risk with an impact of $50,000 but only 10% likelihood of

occurring is worth, or has an expected monetary value of, $5,000. Using

this example, $5,000 is the maximum appropriate expenditure to

eliminate such a risk.

In a given project you will have dozens of risks, and only a portion of

them will actually occur. You cannot reasonably spend up to the full

value of each risk in order to defend your project. Additional discussion

of the statistical basis of risk is in the material on Monte Carlo analysis

presented later in the course.

2. Use a Pragmatic Approach

This principle involves two important rules:

• Differentiate between high and medium risks

• Identify those risks that can be managed or mitigated

It may be more cost effective to concentrate management attention on

the mitigation of some medium risks, which can be controlled, rather

than on some high risks with results largely determined by outside

influences.

It may not be possible to manage or mitigate every risk; therefore,

some risks must simply be accepted. Some risks are uncontrollable. For

example, if a key resource pool belongs to a union, which is

sympathetic to a strike that may take place at an unrelated facility,

management may choose to simply ignore the risk because there are no

alternative strategies and the strike is beyond their control.

DEFINITION: RISK ACCEPTANCE

“A risk response planning technique that indicates that the project team has decided not to change the project management plan to deal with a risk, or is unable to identify any other suitable response strategy.”

PMBOK® Guide, Fourth Edition

Also, a risk with an extremely high consequence but an extremely low

potential of occurring may not need to be considered as a risk with any

real potential for the project.

3. Apply a Graded Approach

The use of a flexible process lets the project manager choose a more or

less rigorous application of project risk management approaches,

controls, and tools to actually manage project risk. This includes using

a:

• Means to identify activities with significant risk

• Process to determine risks and commensurate controls/responses

• Documented record of the decisions and chosen controls/responses

A formal, documented process must be used in determining the

application of the graded approach, and included in the risk

management plan. This process normally begins with an analysis of the

risk to the project’s successful completion as conceived and planned. In

one sense, project management is the art and skill of bringing a project

to successful completion through the management and mitigation of

risk. Project managers are risk managers.

Basis for Grading

The basis for grading is formulated by using a qualitative and

quantitative process, or by considering and applying the proportionate

resources and pragmatic response with:

• The dollar value associated with the project

• The complexity of the project

• The visibility of the project

• The importance (stake) of the project

The project dollar value, complexity, visibility, and stake—for example,

what is at stake if this project fails—are the basis for determining the

application of a graded approach.

When determining and applying the graded approach, project stake

must be the only basis. This process may lead to a clearer definition of

the application of the risk-based graded approach.

4. Use Open Communication

In order to maximize the probability that information about risks will

reach the project team, every effort must be made to encourage

submissions of possible risks, including validating the contributions from

all sources, no matter what their background or function.

The project management team must also encourage the free flow of

information among all participants in the project. This will ensure that

available sources of information about risks will be surfaced and

tapped, and that potentially sensitive information will reach the

necessary parties.

Because individuals tend to prefer specific communication vehicles and

avoid others, and because the project team cannot predetermine who

will possess important risk information, the team must encourage the

use of a wide variety of communication vehicles. This will increase the

probability that information about a risk will be divulged and

communicated effectively to the necessary parties on the project team.

5. Apply Continuous Processes

Project management team members and stakeholders must remain

attentive to the emergence of new risks throughout all phases of the

project. Team members must also maintain adequate monitoring

sources that provide alerts regarding emerging risks.

6. Use Integrated Risk Management

Project managers and risk managers must include risk management

activities as an integral part of the other project management

activities. This means considering risk whenever a project status

meeting is held, or a new resource is introduced to the project, or an

unexpected event occurs.

In order to make Project Risk Management a more intrinsic part of the

project management activities, the project management team must

ensure that all aspects of the project's infrastructure (such as its

communication vehicles, repository, and work management processes)

include a risk management aspect.

In addition, the project management team must encourage risk

awareness within the project team’s culture. For example, the team

members must be tolerant of negative reactions to new circumstances,

and explore them openly for any possible validity. They must also

routinely challenge optimistic assertions and forecasts, ask each other

challenging questions about how adverse events might affect the

project, and suggest ideas on how to prepare for such events in

advance.

7. Use a Team Approach

The final fundamental principle of risk management involves using a

team approach. The project manager is ultimately responsible for risk

management, but needs participation from all team members. Best

results are achieved when all the stakeholders who might have

information about project risks and impact, or how best to mitigate

them, are involved. Gaining that commitment to participate is a project

manager’s responsibility.

Reasons for using the Team Approach

The project manager will achieve superior results in risk management

by engaging members of the project team in risk management

activities. This is primarily for three reasons:

• Project team members have the greatest familiarity with the kinds of technical risks that are likely to occur.

• Project stakeholders are in the best position to identify and assess external factors that may cause risks for the project.

• When the team is working well together, their creative and analytical thinking are enhanced through their collaboration, and both problems and solutions will be raised which might not surface when the same individuals work alone.

Create a Shared Vision

To increase each team member’s enthusiasm for and effectiveness at

identifying and managing new risks successfully, the team must share a

common understanding of what the final product or service of the

project will look like and do.

Team members must also, to the extent possible, be encouraged to

contribute to defining the product and its functions. These two

practices will make the team more alert to new threats to the project

and more tenacious about facing and advising them.

Who makes up the Risk Management Team?

The project management team typically consists of the following

members:

• Project manager

• Team leaders

• Team members

• Subject matter experts

• Engineers and other employees

• Sponsor or customers

• Others, based on knowledge and expertise

The Project Manager’s Responsibilities

The project manager must establish an open climate that encourages

the active contribution of all project team members and stakeholders.

Whether participating in the initial, formal risk assessments, or

contributing to the follow-up analysis and control of risks, each

participant must be fully involved. This may require the project

manager to exercise the soft skills to draw out the quiet team members

and to gracefully control the more outspoken members.

When doing a formal assessment, thought must be given to establishing

a meeting that encourages input from all perspectives on the project.

This may include the customer and other stakeholders not normally

considered as having direct or valid input. The feedback from other

individuals in an organization who have timely and vital lessons learned

from similar experiences is extremely valuable and must be included.

In addition to the above, project managers usually:

• Plan risk management strategies

• Identify opportunities for regulatory agencies or stakeholders to participate in risk planning

• Actively seek opportunities to introduce positive events, thereby enhancing project performance

• Organize risk management activities for the project team, including assigning and supervising risk management activities

• Assign and supervise the conduct of risk management activities by team members

• Seek opportunities to turn potential risk events into positive events, thereby enhancing project performance

• Detect and correct deviations from planned activities

• Anticipate problems before they occur and take corrective actions to keep the project running smoothly

• Address quality problems in risk management deliverables

• Engage project stakeholders to solicit and exchange information about risk management

• Document risk plans, risks encountered, and responses to risks

• Determine the correct level of risk management application, and which controls and responses are appropriate based on the project baseline and available resources

• Gain approval from the necessary project stakeholders for risk management plans and investments

Team Member Responsibilities

During Planning, the team must address:

• Risk identification

• Risk analysis

• Risk mitigation strategy development

During Execution, all team members must be involved in:

• Monitoring risk triggers

• Responding to risks

• Identifying new risks

• Reevaluating known risks in the light of new information or changed circumstances

Topic 5: Overview of Project Risk Management

Project Risk Management is a disciplined approach to managing risk. It is

a preventative process designed to reduce surprises and minimize

negative consequences. This process also incorporates a methodology

for managers to seize opportunistic advantages to the project

associated with time, cost and technical capabilities.

DEFINITION: PROJECT RISK MANAGEMENT

“Project Risk Management includes the processes concerned with conducting risk management planning, identification, analysis, responses, and monitoring and control on a project.”

PMBOK® Guide, Fourth Edition

Sources of risk are endless! Risk can be internal and/or external to the

project. Successful risk management gives the project manager better

control of the project and increases the chances of achieving project

objectives of being on time, within budget and meeting product or

service requirements and criteria.

Processes of the Project Risk Management Knowledge Area

Adapted from the PMBOK® Guide, Fourth Edition

Figure 1-7. Project Risk Management Process Group Map

Figure 1-7 shows the six processes that make up the Project Risk

Management Knowledge Area. Each process is examined in detail in the

remainder of the course.

• Plan Risk Management: deciding how to approach, plan, and execute the risk management activities for a project

• Identify Risks: determining which risks might affect the project and documenting their characteristics

• Perform Qualitative Risk Analysis: prioritizing risks for subsequent further analysis or action by assessing and combining their probability of occurrence and impact

• Perform Quantitative Risk Analysis: numerically analyzing the effect on overall project objectives of identified risks

• Plan Risk Responses: developing options and actions to enhance opportunities, and to reduce threats to project objectives

• Monitor and Control Risks: tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans, and evaluating their effectiveness throughout the project life cycle

Each process is composed of inputs, tools and techniques, and outputs.

Figure 1-8 shows the inputs, tools and techniques, and outputs for each

process.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 1-8. Project Risk Management Overview

Why Is Project Risk Management Important?

As discussed earlier in this module, managing risk is important because

it:

• Leads to early recognition of risks

• Ensures design and application of effective risk responses

• Matches the investment and effort to control risks with their potential to impair or enhance the project

• Reduces burnout of team members

• Helps to ensure project success by mitigating threats and maximizing opportunities

Early risk assessment, in conjunction with the project’s dollar value,

visibility and complexity, helps determine the appropriate approach to

manage project risk.

Project Risk Management Process Interactions

As mentioned earlier, risk management is iterative. Risk management

processes interact with each other and with processes in other

Knowledge Areas. Each process may involve one or more individuals or

departments based on the needs of the project. Each process occurs at

least once in each project and if the project is divided into phases, each

process will occur in one or more of the project phases.

Figure 1-9 shows the flow between the risk processes and how the major

inputs and outputs are exchanged. Inputs and outputs for each process

are identified by arrows. Although the processes are presented in this

course as discrete elements with well-defined interfaces, in practice

they may overlap and interact in ways not detailed in the course.

PMBOK® Guide, Fourth Edition

Figure 1-9. Planning Process Group

Module Summary

All projects have a beginning and an end. No two projects are alike, as

each service or product created differs in some way from other services

or products.

Risk is inherent in all projects. Failing to deal effectively with risk can

result in loss of credibility as well as significant cost overruns or

cancellation of the project.

Risk management is a proactive process that helps identify and prepare

for risks that may occur during the life of the project. The risk

management process must be performed throughout the entire project

life cycle to identify and manage significant risks.

There are seven fundamental principles of risk management. The

project manager is responsible for implementing risk management

processes, but the best results are achieved when all of the

stakeholders who might have information about project risks are

involved.

The Project Risk Management Knowledge Area includes the processes

concerned with conducting risk management planning, identification,

analysis, responses, and monitoring and control on a project.

Module 2

Plan Risk Management

Module 2: Plan Risk Management

Module Introduction

The Plan Risk Management process defines how risk management

activities for a project will be conducted. Careful planning helps to

ensure that sufficient resources and time for risk management activities

will be allotted in the project. Planning also ensures that the structure

and nature of risk management are appropriate to the risks and to the

importance of the project to the organization.

The document that results from this process, the risk management plan,

is essential to establishing and attaining the project’s goals of

minimizing negative risks (threats) and their impact, as well as

maximizing positive risks (opportunities).

This module:

• Describes the Plan Risk Management process

• Identifies the inputs, tools and techniques, and outputs of the Plan Risk Management process

• Discusses the components of a risk management plan and provides opportunities to develop and use this document during this course

Module Objectives

Upon completion of this module, the participant will be able to:

• State the purpose and importance of the Plan Risk Management process

• Create a project risk management plan

• Create a Risk Breakdown Structure

Topic 1: Overview of the Plan Risk Management Process

THE BUSINESS CHALLENGE

Hannah, now formally the project sponsor, is already tapping a wide array

of parade participants, from the usual marching bands and local Shriner's

chapter to Duane Evans' drum and bugle corps and a lawn-mower drill team.

Since a parade is a completely new type of project to Ana, the first thing

she does is gather a strong project team around her.

In addition to Hannah and SummerFest consultant Marc Stuver, she enlists

the help of SummerFest founder Walter Stone and of Brita Porter, the long-

time project manager for the Memorial Day parade Hannah attended.

Ana knows her first task is to decide how to approach, plan, and execute

risk management activities for the parade. She'll need a solid plan to ensure

that threats do not cause the project to miss objectives, and opportunities

are fully taken advantage of. To do this, she'll need to assess stakeholders'

tolerance for risk. She calls a planning meeting with her team, plus some

key stakeholders, such as Jack North and Brenda Welsh, chair of the town's

board of selectmen.

• How can Ana best define ways to approach and conduct risk management? What should her plan look like?

The Plan Risk Management process focuses on a general methodology for

managing risks throughout the project. It differs from the Plan Risk

Responses process, whose purpose is to develop specific responses to

identified risks.

The Plan Risk Management process may be rooted in an organization’s

culture and policies. This context may offer guidance to the project

manager to ensure consistent application of risk policies across

projects.

Figure 2-1 shows that the Plan Risk Management process occurs in the

Planning Process Group.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 2-1. Project Risk Management Process Group Map: Plan Risk

Management

DEFINITION: PLAN RISK MANAGEMENT

“The process of defining how to conduct risk management activities for a project.”

PMBOK® Guide, Fourth Edition

Purpose of the Plan Risk Management Process

The primary purpose of the Plan Risk Management process is to define

how to approach, conduct, and document risk management activities

for the project. The output from this process, the risk management

plan, is the project manager’s commitment to the sponsor and to the

organization regarding the project’s standards for risk management.

The value of the Plan Risk Management process lies in its ability to

ensure that:

• Threats (negative risks) do not cause the project to miss objectives

• Opportunities (positive risks) are effectively converted into advantages for the project

• Minimum investment of time and money is required to mitigate the impact of negative risks, should they occur

In order for this value to be realized, the project management team

must implement the Plan Risk Management process and other Project

Risk Management Knowledge Area processes thoroughly and diligently.

Tailoring the Plan Risk Management Process

The Project Risk Management Knowledge Area processes, like all other

project management processes, must be tailored in order to match the

level of effort in risk management to the overall value of the project to

the organization.

EXAMPLE: TAILORING THE PLAN RISK MANAGEMENT PROCESS

A business-critical project requires greater levels of sophistication and

effort in its Project Risk Management processes than a project to perform a

routine upgrade to an infrastructure service requires.

This tailoring might take the form of:

• A larger budget for risk management activities

• More time allowed to perform risk management activities

• Higher levels of involvement by senior stakeholders

• Larger contingency reserves for cost and time to absorb risk impacts

Stakeholders’ Tolerance for Risk

The stakeholders’ tolerance for risk is an important factor affecting the

Plan Risk Management process. Their risk tolerance will affect how

much they are willing to invest in Project Risk Management activities

and contingency plans, and set aside for contingency reserves of time

and cost in order to absorb risk impacts that could not be efficiently

eliminated.

The Plan Risk Management process will cause the addition of items to

the project work breakdown structure. This means that these items will

need to be incorporated into the project schedule and budget baselines

in order to track them and measure their performance.

For this reason, the Plan Risk Management process takes place as soon

as the preliminary schedule and budget have been sufficiently

developed to identify their own inherent risks. This may result in

revised baselines for the schedule and budget prior to the initiation of

significant project work.

Interactions with Other Processes

Figure 2-2, the Plan Risk Management process data flow diagram, shows

how inputs are transformed through tools and techniques into outputs.

PMBOK® Guide, Fourth Edition

Figure 2-2. Plan Risk Management: Data Flow Diagram

The Plan Risk Management process draws upon initial project planning

for scope, time, cost, and communications management. Enterprise and

organizational inputs include risk attitudes of the organization and

process assets such as risk categories, templates, role and authority

definitions, lessons learned, and stakeholder registers. The output of

the process, the risk management plan, is part of the project

management plan.

Overview of Plan Risk Management Inputs, Tools and Techniques, and Outputs

Figure 2-3 shows the inputs, tools and techniques, and outputs of the

Plan Risk Management process. These inputs, tools and techniques, and

outputs are discussed in detail in this module.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 2-3. Plan Risk Management: Inputs, Tools & Techniques, and

Outputs

Topic 2: Inputs to the Plan Risk Management Process

The preparation of the risk management plan includes reviewing key

project documents such as the project charter, project scope

statement, project schedule, and project budget, as well as prior

project management administrative work products. The team must also

review all of the planning assumptions, which lend themselves to early

identification of risks. Historical information, such as documentation of

lessons learned from similar projects, will also yield risk-related

information. Finally, the risk management plans of prior projects may

serve as examples for the current project to emulate.

The inputs to the Plan Risk Management process are:

• Project scope statement

• Cost management plan

• Schedule management plan

• Communications management plan

• Enterprise environmental factors

• Organizational process assets

Project Scope Statement

The project scope statement defines the project’s scope and lists the

project’s deliverables and assumptions. It is the framework for how

significant the risk management effort might become. Each part of the

project scope presents its own areas of risk.

EXAMPLE: PROJECT SCOPE AND RISK MANAGEMENT

Assume that the scope of a project to develop a new consumer product

includes marketing the new product in a country where the company has

never before done business. Many new risks are presented, including:

• Distribution channels may be inefficient or subject to high rates of loss

• Advertising program may fail to motivate purchasing

• Product may infringe on laws or customs peculiar to the country

Cost Management Plan

The cost management plan establishes the criteria for planning,

structuring, estimating, budgeting, and controlling project costs. This

plan is an important element of the Plan Risk Management process

because it identifies how risk-related budgets, contingencies, and

management reserves will be reported and accessed.

Schedule Management Plan

The schedule management plan documents the project’s approach to

schedule management. The nature or structure of the plan for managing

the project schedule can increase or decrease the potential risk level of

the project.

Communications Management Plan

The communications management plan defines the requirements and

methods for communications within the project. It includes items such

as stakeholder communication requirements, flow charts of the

information flow on the project, and communications constraints. The

communications management plan determines who will be available to

share information on various risks and responses throughout the project.

Enterprise Environmental Factors

At a project level, enterprise environmental factors are any factors,

related to the external or internal environment of the organization that

may impact the success of the project as a whole, including:

• Industry quality standards or guidelines

• Industry or government regulations

• Organizational or company culture and structure

• Infrastructure (for example, existing facilities and capital equipment)

• Market conditions

• Existing human resources

Additional detail on this input is provided later in this module.

Organizational Process Assets

Organizational process assets are comprised of the information that an

enterprise has available to it at the start of the project. These assets

may offer valuable, tangible tools, standards, and lessons about how

projects and systems progress in the enterprise.

Typically the organizational process assets related to risk management

may include these documents:

• Risk categories

• Common definitions of concepts and terms

• Risk statement formats

• Lessons learned documents

• Stakeholder registers

Additional detail on this input is provided later in this module.

Enterprise Environmental Factors

As discussed earlier, enterprise environmental factors are any factors,

related to the external or internal environment of the organization,

which can impact the success of the project as a whole. In the context of

risk management, one of the major factors to consider in the Plan Risk

Management process is risk tolerance.

DEFINITION: RISK TOLERANCE

“The degree, amount, or volume of risk that an organization or individual will withstand.”

PMBOK® Guide, Fourth Edition

Project managers must understand the customer’s and the

organization’s attitude and tolerance toward risk. In general,

stakeholders and organizations fall into one of these categories:

• Risk-prone, seeker, taker

• Risk-neutral

• Risk-avoiding

Stakeholder Risk Tolerance

Stakeholders’ risk tolerances must be determined in order to perform

Plan Risk Management efficiently. Their risk tolerances will drive how

much investment the stakeholder will approve in risk management

activities.

Extremely risk-averse stakeholders, such as those in government

agencies or enterprises with significant safety concerns, will be more

inclined to invest in risk management efforts and risk response plans

than stakeholders in business areas that naturally involve relatively high

failure rates and many short projects, such as advertising agencies

developing branding programs.

Determining Tolerance through Documentation

Examining documentation and historical data, as well as working with

stakeholders, the project manager must determine the stakeholders’

risk tolerance level regarding project scope, quality, budget, and

schedule, and to other risks specific to their project. These questions

must be considered, and the results documented in the risk

management plan:

• How much risk are stakeholders willing to accept?

• Of scope, cost, and time objectives: which is most important?

• For cost and time: how much contingency reserve will be authorized?

Determining Tolerance through Past Performance

It may not always be possible to understand a stakeholder’s level of

tolerance through normal interaction. Rather than conducting

interviews, which may elicit opinions that are not actually supported by

behavior, it is more effective to examine the stakeholder’s past actions.

Examples of evidence of a stakeholder’s tolerance for risk include:

• The rigor and detail with which they establish, promote, and enforce policies and procedures
• Whether they tend to punish or forgive failures
• Whether they encourage gleaning lessons from problems
• How closely they scrutinize opportunities
• What kinds of opportunities they select
• How tenaciously they support projects
• How frequently they shift priorities

EXAMPLE: RISK TOLERANCE MATRIX

Capitol Flyer, a Washington DC-to-Philadelphia express bus service, has

skyrocketed to success in just three years of operation offering low-cost,

high amenity ground travel as an alternative to shuttle flights. The company

has become a favorite for reliable transport and excellent customer service.

As fare competition intensifies from airlines and no-frills bus companies,

Capitol Flyer looks to further differentiate its services with a Corporate

Customer Satisfaction Project. Early in planning, the project manager

decides to gauge the risk tolerance of key stakeholders to see how

aggressive the project can be.

To view the risk tolerance matrix she developed, see Appendix C.


Organization Risk Tolerance

Opportunity and risk go hand in hand. Organizations are in business

because they are willing to take risks. The key is to find a balance

between the pursuit of opportunity and risk tolerance.

Several risk experts have suggested that organizations and individuals

strive to strike a balance between risks and opportunities in all aspects

of projects and their personal lives. The idea of striving to balance risks

and opportunities suggests that different organizations and people have

different tolerances for risk.

The organization’s risk tolerance can be affected by:

• The current economic environment
• The willingness or reluctance of senior management to take risks
• The project’s status as high-value and complex or low-value and relatively simple

A project manager and project team must understand the risk tolerance level of a company early in the risk-planning phase. A template from previous project efforts can be used to help define and explain the organization’s methodology regarding risk tolerance.


CLASS DISCUSSION: RATE YOUR RISK TOLERANCE

In general, are you a risk seeker, risk-neutral, or a risk avoider?

Rate yourself for risk tolerance in terms of specific situations, such as:

• Driving
• Playing the lottery
• Investments and other financial endeavors.

Most people have no problem buying one lottery ticket, but as the stakes

increase (number of tickets purchased) does the level of discomfort also

begin to increase?

• What have you observed regarding risk?

Organizational Process Assets

As mentioned previously, organizational process assets are comprised of

the information that an enterprise has available to it at the outset of

the project. This includes items such as organizational risk management

policies, templates, definitions of roles and responsibilities, and

historical information.

Organizational Risk Management Policies

Specific risk management policies and other definitions of functional

(matrix) roles and responsibilities must be known beforehand in order to

plan effectively for risk management. The organizational risk

management policies dictate:

• How risk management is to be performed
• Who is to participate
• What deliverables are required


Organizational Risk Management Rules

Formally written, established rules assign accountability for risk

management and ensure analysis of new initiatives for risk. The rules

should also define:

• A standard risk process
• Risk management tools
• The frequency and level of reporting

Organizations may have legal regulations or organizational policies for

specific types of risks, such as hazardous materials handling and

disposal.

Templates

An organization may have a well-defined approach and template for the

Plan Risk Management process, especially in organizations with

standards for quality systems such as the ISO 9000 series. Applying the

template ensures consistency, allowing individuals from different

projects to easily comprehend the risk plans on a specific project.

The risk management plan template will usually include or refer to:

• Specialized tools, such as a standard base set of risk categories
• Risk screening checklists
• Standard probability and impact matrix, or separate probability and impact scales

Defined Roles and Responsibilities

The defined roles and responsibilities describe who must participate,

who is responsible for reviewing and approving risk management

deliverables, and who must be involved in risk mitigation strategies,

including monitoring risk triggers and responding to risk events.

Depending upon the organizational structure, certain types of risks may

fall within the responsibility area of specific parties in an organization.


Topic 3: Tools and Techniques for the Plan Risk Management Process

The primary technique for the Plan Risk Management process is a

combination of planning meetings and analysis to develop the risk

management plan. These are conducted in the same manner as other

planning meetings, and include:

• Using a meeting agenda
• Having objectives to create specific deliverables
• Using data gathering techniques to ensure that all meaningful input is obtained
• Using objective evaluation and decision-making techniques

Planning Meeting Participants

Plan Risk Management meetings involve key members of the project

team, including:

• The project manager
• Project team leaders
• Key internal stakeholders
• Others responsible for directing, conducting, or overseeing risk activities within the organization, such as risk officers, consultants, and auditors
• External stakeholders as required and allowed

What is Defined by the Planning Meeting

Preliminary risk assessment examines known risks. The team considers

these questions:

• What concerns have sponsors or key stakeholders expressed?
• What risks have occurred on recent, similar projects?
• What areas of risk require the team’s attention?


In particular, the planning meetings must establish an understanding of

the types and extent of controls that will be in place for project

monitoring and control. This leads to an understanding of the generic

risk controls for low and medium risks, which are typically covered

sufficiently by the prudent use of available standard project

management controls.

Results of Planning Meetings

Planning meetings also define:

• Who will lead, support, and identify team members for each type of risk action
• What approaches, tools, and data sources will be used for risk management
• What scoring and interpretation methods will be used to categorize and analyze risks
• Which team members will be assigned for each identified risk
• What the threshold criteria will be for levels of risk impact
• How much additional cost for risk mitigation will be acceptable to the project stakeholders
• How often the risk management process will be performed
• How reports will be generated and what standard content will be included, analyzed, and communicated
• How all the risk activities will be recorded and/or tracked


Initial Planning Meeting

The first planning meeting defines:

• How the planning meetings will be conducted throughout the project
• How organizational process assets will be tailored to meet the needs of the project
• How the remaining activities in the Plan Risk Management process will be conducted
• Agendas and deliverables for the remaining Plan Risk Management meetings

Planning Meeting Activities

The planning meeting involves reviewing:

• Key project documents such as:
  ◦ Project charter
  ◦ Project scope statement
  ◦ Project schedule and project budget
  ◦ Previous project management administrative work products
• The planning assumptions
• Historical information, such as documentation of lessons learned from similar projects and risk management plans of previous projects
• Known risks, identified by questions such as:
  ◦ What concerns have sponsors or key stakeholders expressed?
  ◦ What risks have occurred on recent, similar projects?
  ◦ What areas of risk require the team’s attention?

Reviewing these materials will facilitate early identification of risks and

risk-related information. The materials may also serve as models for the

current project.


Topic 4: Outputs from the Plan Risk Management Process

The output from the Plan Risk Management process is the risk

management plan, which is a key component of the project

management plan.

DEFINITION: RISK MANAGEMENT PLAN

“The document describing how project risk management will be structured and performed on the project. It is contained in or is a subsidiary plan of the project management plan. Information in the risk management plan varies by application area and project size. The risk management plan is different from the risk register that contains the list of project risks, the results of risk analysis, and the risk responses.”

PMBOK® Guide, Fourth Edition

Specifically, the risk management plan defines:

• How risk management activities will be performed
• Who will perform risk management activities
• When risk management activities will be performed
• How much risk management activities will cost
• How to implement and perform the various risk processes including:
  ◦ Risk Identification
  ◦ Qualitative and Quantitative Risk Analysis
  ◦ Risk Response Planning
  ◦ Risk Monitoring and Control

The risk management plan does not describe the planned responses to

specific risks—this is the purpose of the risk response plans in the risk

register. The plan does, however, describe the broader methodology for

planning for and managing risk during the project’s life cycle.


The risk management plan becomes part of the project management

plan. The cost and budget portions of the project management plan are

not complete until all risk management activities and the selected risk

responses are defined.

The risk management plan typically includes these ten components:

• Methodology
• Roles and responsibilities
• Budgeting
• Timing
• Risk categories
• Definitions of risk probability and impact
• Probability and impact matrix
• Revised stakeholders’ tolerances
• Reporting formats
• Tracking

Each of these components is described below.

Methodology

Methodology describes the tools, methods, and sources of information

which will be used to perform risk management, including how risks will

be identified, analyzed, and categorized; how risk response plans will

be prepared, implemented, and monitored; and how risk triggers will be

monitored.

Roles and responsibilities

The roles and responsibilities section defines who performs what tasks

during all risk management activities. In particular, it specifies who will

direct and manage the implementation of risk management activities,

for example, the project manager or a designated risk manager for the

project.


Budgeting

The budget establishes the anticipated cost for the risk management

activities and the associated risk response plans, including contingency

reserves.

Timing

The timing describes how often risk management activities will be

performed and when they will take place within the project schedule.

Risk Categories

The project team must agree upon and use risk categories, which will:

• Provide a comprehensive process of systematically identifying risk to a consistent level of detail
• Contribute to the effectiveness and quality of risk identification
• Provide a focus for leveraging risk response effort
• Help team members become comfortable discussing risks openly

TIP

Developing a complete and practical risk category list is one of the first

steps in identifying the risks themselves. The careful consideration of each

risk category will help the team generate ideas on risk events specific to

those categories.

Risk categories will be discussed in greater detail later in this module.

Definitions of Risk Probability and Impact

Project managers and the risk team will define different levels of risk

probability and impact as a foundation for quality and credible data for

the Qualitative Analysis Process. Typically, these levels are tailored to

an individual project during the risk management planning meetings and

analyses. An impact scale represents the significance of the impact,

which can be either negative for threats, or positive for opportunities,

on each project objective.


To define a risk scale, you can use relative values from Very Low to Very

High, or numerical values such as 0.1, 0.2, and so on. Numeric values

can be non-linear. Methods for scoring risks and interpreting risk impact

are set in advance of identifying particular risks. This practice will

prevent undue influence of personal or organizational biases in the

attention given to particular risks. The development of common

definitions of risk probability and impact is necessary so that risks will

be analyzed and responded to objectively.

Figure 2-4 shows negative impact definitions that may be used to

evaluate risk impact on four project objectives.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 2-4. Definition of Impact Scales for Four Project Objectives

Probability and Impact Matrix

Organizations find it useful to categorize the severity of several risks

into some form of matrix. The matrix is formed around the impact and

likelihood of a risk event.

Matrices are often divided into several zones representing major,

moderate, and minor risks. To signify this, the associated matrix entries

can be colored to identify which level they belong to. For example, the


low risks may be colored green, the medium risks yellow, and the high

risks red.

Using this technique simplifies applying policies (and therefore effort

and resources) according to defined risk score levels. For example, risks

rated as red may require review at every weekly status meeting, while

green risks may be reviewed only monthly, or on a less frequent,

rotating basis.

Revised Stakeholders’ Tolerances

Risk thresholds define the criteria that a risk must satisfy in order to be

acted upon, by whom, and in what manner. For example, one threshold

may require that if a risk delays the project’s schedule objective by

more than 30%, and the project team would require another 20% of

project budget to mitigate the schedule impact below that level, then a

reevaluation of the project's cost-benefit is automatically triggered.

Selecting which level of risk factors is “high” risk is a matter of

stakeholder tolerance. In some cases, stakeholders may temporarily

adjust their attitudes toward risk for a specific project, particularly if

one or more project objectives represent significant strategic value to

the organization.

Sometimes an organization faces significant external threats, such as

the pressure of competitive innovation or significant restructuring in the

industry. Stakeholders may also be willing to revise their risk tolerance

level if a windfall opportunity presents itself. By temporarily suspending

normal risk thresholds, the organization will have the agility to respond.

Such variances from the normal thresholds must be clearly decided and

communicated.

Reporting Formats

Reporting formats present:

• How the outcomes of risk management activities will be documented, analyzed, and communicated to project stakeholders
• The contents and format of the risk register (described later)


Tracking

Tracking defines how risk management activities will be documented

and audited for these uses:

• Evaluation of the current project's performance
• Historical information for the benefit of later projects
• Determining if and how risk management processes will be audited

EXAMPLE: RISK MANAGEMENT PLAN

Capitol Flyer's ambitious Corporate Customer Satisfaction Project involves

several initiatives: a second point of origin in both DC and Philadelphia;

special pricing for corporate customers and "frequent flyer" individuals; and

an upgraded online booking/payment system. With so many aspects to

handle, the PM needs one centralized source to help her mitigate project

risks and pounce on opportunities.

To view the risk management plan she developed, see Appendix C.

Risk categories

As mentioned previously, agreeing on and using risk categories:

• Provides a comprehensive process of systematically identifying risk to a consistent level of detail
• Contributes to the effectiveness and quality of risk identification
• Provides a focus for leveraging risk response effort
• Helps team members become comfortable discussing risks openly


Purpose for Using Risk Categories

The purpose of the Identify Risks process is to ensure that as many of

these eventualities as possible are evaluated. To do this, project teams

must have a list of categories to address. This ensures that the process

is as comprehensive as possible. The risk categories generated during

the Plan Risk Management process are used as an input to the Identify

Risks process. There is no single, standard list, but there are good

starting points from which the team can build. Most risks fall into one of

several broad categories; however, any project may run unique risks.

Risk categories are tools that:

• Enable the project team to more efficiently analyze and respond to risks with common characteristics
• Ensure that no potential sources of risk will be overlooked during the subsequent Identify Risks process

Various risk category lists are available in the public domain.

Typical Risk Categories

Risk categories can be structured to provide different levels of groups

for different risk management purposes, or to provide greater scope or

more focus as needed during risk analysis and response planning.

TIP

One specialized list available in the public domain is a “Force Majeure” list,

which covers risks beyond the control of anyone involved in the project,

such as earthquakes, floods, or civil unrest. These events generally require

disaster recovery actions by the entire performing organization, rather than

risk management by the project manager.


The table below shows a general list of risk categories. Industries often

have their own typical risk categories and terminology.

RISK CATEGORY: DESCRIPTION

Technology: Technology or technical approach chosen to achieve the project objectives
Time: Schedule, project completion objectives, other project time-related issues
Contractor capabilities: Ability of contractors or other vendors to achieve project objectives
Interfaces: Work in a multi-project environment, or interfaces with existing operational activities
Safety: Occupational safety, industrial safety, and potential for contamination
Environmental: Environmental laws, licenses, and permits
Regulatory involvement: Involvement of any regulatory agency such as EPA or DHEC, or by local, state, and national governments
Political visibility: Significance or visibility to local, state, or national governments
Intellectual property: Availability and cost of using key technologies and techniques for critical project activities
Involvement of key stakeholders: Involvement by someone other than a primary owner for decision-making and management
Product and project complexity: Issues with design criteria, functional requirements, complex design features, or the condition of existing documentation
Labor skills availability and productivity: Adequate resources, specialty resources, rapid labor force build-up, exposure to environmental extremes
Number of locations/site access/site ownership: Site ownership and access issues
Funding/cost sharing: Project duration and involvement/funding by other parties
Magnitude and type of contamination: Presence of hazardous or mixed waste
Quality requirements: Requirement for precision work or other QA requirements
Public involvement: Citizen interest or involvement


Four-Way Risk Categorization

The PMBOK® Guide shows risks grouped into four categories: technical,

external, organizational, and project management.

• Technical risks include those risks introduced because of the difficulty of the work itself, new or changed technology, unrealistic performance goals, or changes to standards.
• External risks come from a changing regulatory environment, labor issues, changing priorities of the organization's owner, country risks, resource and product price fluctuations due to changing economic circumstances, and weather. They also come from issues arising from dealing with the public.
• Organizational risks are risks associated with cost, time, and scope objectives. They materialize when project objectives are incompatible, when projects are not prioritized effectively within the organization, when funding is not reliably provided, or when there is competition for project resources from other projects.
• Project management risks include those arising from poor use of resources, poor quality of the project plan, and poor project management discipline.


Risk Breakdown Structure (RBS)

A Risk Breakdown Structure (RBS) is a hierarchical, multi-tiered

organization of the risk categories. When risks are being analyzed, a

grouping process may make it possible to gather and review those risks

with a common characteristic, such as their cause, or the phase or

activity in which they occur.

DEFINITION: RISK BREAKDOWN STRUCTURE (RBS)

“A hierarchically organized depiction of the identified project risks arranged by category and subcategory that identifies the various areas and causes of potential risks. The risk breakdown structure is often tailored to specific project types.”

PMBOK® Guide, Fourth Edition

This approach of reviewing risks that appear together within the RBS

may increase the efficiency of any investigations into their causes. It

may also improve leverage when risk response plans in the risk register

are developed. For example, risks with a similar or shared cause in a

particular process step may be mitigated together by a single process

change.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 2-5. Example of a Risk Breakdown Structure (RBS)


Risk Management Plan Checklist

A checklist may be used to complete the risk management plan. It

addresses the basic considerations in producing a risk management plan,

but might be expanded upon for the specifics of a particular project.

The risk management plan checklist may be referred to at each planning

meeting or review of the risk management plan to ensure that these

considerations are being addressed. The risk management plan checklist

should be completed as each Project Risk Management process is

defined in the project management plan.

A. Methodology

Does the risk management plan describe how the risk management plan itself will be/was developed and how it will be maintained?

Does the risk management plan describe how the risk identification process will be carried out?

Does the risk management plan describe how the qualitative risk analysis process will be carried out?

Does the risk management plan describe how the quantitative risk analysis process will be carried out?

Does the risk management plan describe how the risk response planning process will be carried out?

Does the risk management plan describe how the risk monitoring and control process will be carried out?

B. Roles and Responsibilities

Who will direct all risk management activities?

Who has been designated to participate in risk management group work sessions, including risk assessment and risk response planning?

What are the duties of the participants in the risk management group work sessions, including preparation, outside research, and documentation?


What governing body will oversee the execution of risk management activities?

Who are the representatives of internal stakeholders who will participate in risk management activities?

Who are the representatives of external stakeholders who will participate in risk management activities?

C. Budgeting

Have all risk management activities been budgeted?

Have contingency reserves for cost been set aside to accommodate residual and secondary risks?

D. Timing

Have intervals been determined for all regularly occurring risk management activities, such as risk review sessions?

Have all risk management activities been incorporated into the project schedule?

E. Risk Categories

If a set of standard risk categories is available in the organization, was it adopted for use on the current project?

Has a set of risk categories been tailored to suit the characteristics of the current project?

If an RBS will be used, has it been developed yet?

F. Definitions of Risk Probability and Impact

Has a scale of terms been defined for different levels of risk probability?

Has a scale of terms been defined for different levels of risk impact?


G. Probability and Impact Matrix

Has a matrix been constructed that reflects all possible combinations of risk impact and probability levels?

Have the entries in the probability and impact matrix been stratified into a small number of overall risk levels?

H. Revised Stakeholder Tolerances

Have the normal risk tolerances of all stakeholders been reviewed and determined?

Have any of the stakeholders’ risk tolerances been temporarily relaxed or tightened for this particular project?

I. Reporting Formats

Has a standard entry form for the various sections of the risk register been developed, including the probabilistic project analysis and the revised project objectives, as well as the risk response plans?

Have report layouts been defined for the periodic reporting of risks to the stakeholders?

Has a form been designed for stakeholders to report the results of implementing their risk response plans?

Has a form been designed for identifying new risks?

J. Tracking

Has a repository been set up to collect risk management work products?

Are the minutes of risk review meetings being collected and stored in the repository?

Are the start and stop dates of risk management activities being reported?

Are all of the significant information items concerning risk management (reports, notifications, and memos) that are reported to stakeholders being recorded in the repository?

How are the audits of the risk management activities going to be carried out?


EXERCISE: CASE STUDY INTRODUCTION

Become familiar with the case study used for the course project. Identify

significant project stakeholders and discuss their risk tolerances. Identify

the components needed as inputs to the Plan Risk Management process.

Refer to case study in Appendix A.

EXERCISE: RISK MANAGEMENT PLAN

Using the risk management plan template provided, consider the

components of the risk management plan for the course case study. Refer

to the Risk Management Plan topic in Appendix A.


Module Summary

ADDRESSING THE BUSINESS CHALLENGE

Ana begins the planning meeting by stressing to the group that their

mandate is not to avoid risk, but to manage it. The key is to find a balance

between the opportunities you want to pursue and the risks you are willing

to take.

The group gets to work to define the risks already known, the concerns that

the sponsors and stakeholders have, and the risks that have occurred on

similar projects. While Jack North remains skeptical about hosting a parade,

he tells Ana after the meeting he appreciates her careful approach. The

information gleaned at the meeting will form the foundation for Ana's risk

management plan.

The Plan Risk Management process focuses on a general methodology for

managing risks throughout the project. The primary purpose of the Plan

Risk Management process is to define how risk management will be

carried out for the project, both for the team and as a commitment to

the project sponsor.

The major output of the Plan Risk Management process is the risk

management plan. The risk management plan is a key component of the

project management plan. The risk management plan describes how risk

management activities will be performed, who will perform them, and

when they will be performed, as well as how much they will cost.


Module 3

Identify Risks

Module 3: Identify Risks


Module Introduction

The Identify Risks process determines the risks that might impact the project, and documents the nature and characteristics of the risks. The primary participants in the Identify Risks process include the project manager and project team members, customers, end users, stakeholders, and risk management experts.

The output of the Identify Risks process is the risk register, which documents the risks, potential risks, risk triggers, root causes of risks to the project, and possible updates to the risk categories.

This module:

• Describes the Identify Risks process and its role in project risk management
• Identifies the inputs, tools and techniques, and outputs of the process

Module Objectives

Upon completion of this module, the participant will be able to:

• Define the Identify Risks process
• Place the Identify Risks process within the framework of project management
• Describe the inputs, tools and techniques, and outputs of the Identify Risks process
• Identify risks for the case study

Topic 1: Overview of the Identify Risks Process

THE BUSINESS CHALLENGE

With a risk management plan in place, Ana gathers the team for a risk assessment working session. This session will help her determine which risks might affect the project, and document the characteristics of those risks to understand them better. Jack North sits by the window, arms folded, complaining about having to make time for "endless meetings." Ana tells him that while she understands his frustration with meetings, taking a proactive approach to identify risks will help them minimize negative risks and act on positive ones.

As preparation for the session, Ana has asked the team to review project documentation for an overview of all aspects of the parade. She begins the meeting by telling the team they'll separate positive risks from negative risks, and devote a chunk of time to each so opportunities don't get overlooked, as can often happen.

• What's the best way for Ana and the team to identify the risks associated with the project? What tools and techniques can they use to identify those risks?

The risks associated with undertaking a project must be identified at the very beginning of every project. The goal of the Identify Risks process is to gain an understanding of the potential risks associated with a project or project phase. The risk management plan guides the process.

The Identify Risks process occurs throughout the project. This process must be undertaken periodically, as called for in the risk management plan. It must also occur whenever a significant circumstance changes. This change might be as obvious as the retirement of the project sponsor, or as subtle as news of an impending merger of the performing organization with another.

Figure 3-1 shows that the Identify Risks process occurs in the Planning Process Group.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 3-1. Project Risk Management Process Group Map: Identify Risks

The PMBOK® Guide, Fourth Edition defines Identify Risks as:

DEFINITION: IDENTIFY RISKS

“The process of determining which risks may affect the project and documenting their characteristics.”

PMBOK® Guide, Fourth Edition

Purpose of the Identify Risks Process

Risk is inherent in all projects. Risks must be identified in order to be appropriately managed and to ensure the greatest likelihood of project success. Furthermore, in the course of planning the project, positive risks or opportunities must be identified so that the project is implemented as efficiently as possible, which helps reduce costs and shorten the schedule while providing the highest possible performance and quality.

The benefits of identifying risks and opportunities are:

• Outputs from the Identify Risks process lead to the early recognition of risks and risk potential

• The Identify Risks process helps ensure that effective risk responses will be designed and applied
• Planned risk responses yield more effective risk responses than unplanned responses, or workarounds

The recognized best practice is to conduct a formal identification of risks, normally by holding a meeting or working session known as a risk assessment. This is not the last time the project manager should undertake the identification of risks; indeed, it is a continuous practice throughout the project life cycle.

Advantages of Using a Proactive Approach

Using a proactive approach to identify risks is far better than waiting for the problems to arise on their own. Being proactive has the following benefits:

• Anticipating risks allows the participants to become more comfortable discussing and analyzing circumstances and events that might usually cause anxiety. By handling the topics in a methodical way, participants are reassured that the risks will be successfully managed.
• Analyzing the potential for risk helps ensure that all areas of potential risk will be fully explored and that identified risks will receive balanced treatment, regardless of personal biases and influences.

One aspect of the methodical approach involves separating the identification of positive risks from the identification of negative risks. It is usually best to provide separate agenda time or even to set up separate risk assessment sessions for these two kinds of risks. If the two types of risk are considered in the same period, the positive risks will tend to get overlooked or only reviewed in a cursory manner.

Some risks will be seen to have both positive and negative impacts, depending on the actions taken. For example, a risk that a task will take longer than expected may also present an opportunity to finish sooner than expected.

Using a Process Approach to Identify Risks

To ensure the effectiveness of the Identify Risks process, the risk assessment must meet the requirements of the organization’s risk management plans and policy. The requirements provide useful guidelines and parameters for conducting the session. Standard forms or templates that ensure compliance with the organization’s ISO or quality system framework may be included.

Figure 3-2 shows a process for identifying risk. When a project team is developing a risk list, they start with what they know, in the form of the current project baseline.

Next, the team reviews the project assumptions to determine which ones are most likely to be inaccurate. They also try to imagine other potential risk events suggested by the baseline. Furthermore, the team must consider the unknowns, those uncontrolled sources of risk in the business or political environment. Considering these three sources contributes to the formation of the risk list.

In the remaining Project Risk Management processes, the risk list will be analyzed and prioritized. Significant or high risks should be removed by revising the project baseline. Most risks will be managed using a number of responses (covered in the “Plan Risk Responses” module of this course).

Figure 3-2 shows a process approach to risk identification.

Figure 3-2. Using a Process Approach to Identify Risks

Identifying Assumptions and Iterating the Identify Risks Process

The necessary information already exists in the form of the current project baseline information. This factual data changes as the project plan matures and then as the project commences. The project management team must identify the assumptions and the basis for estimation that produced the current project information.

Any assumption that could be false should be treated as a potential source of risk, positive or negative. Historical information such as closed project files and lessons-learned reports should be reviewed to identify further sources of risks.

This process is iterative, because the Risk Response Planning process will require changes to the project baselines, and subsequent risks will continue to require further baseline changes.

In addition to identifying risks based on the project itself, the Identify Risks process may occur during the Project Management processes in the Project Cost Management, Project Time Management, Project Human Resource Management, or Project Quality Management Knowledge Areas.

Interactions with Other Processes

Figure 3-3, the Identify Risks process data flow diagram, shows how inputs are transformed through tools and techniques into outputs.

PMBOK® Guide, Fourth Edition

Figure 3-3. Identify Risks: Data Flow Diagram

Since managing risk requires a comprehensive view of the project, the Identify Risks process takes inputs from all project areas. For example, this process uses activity cost and duration estimates. It draws on the scope baseline, including the scope statement, which documents project assumptions, and the work breakdown structure, which offers visibility into the project at several organizational levels. Plans for managing cost, schedule, and quality are also sources. The stakeholder register may be used to identify participants in the Identify Risks process. Other useful project documents can include reports on work performed or earned value, network diagrams, baselines, and any other project information relevant to identifying risks.

Other inputs to the Identify Risks process are enterprise environmental factors, such as published checklists and industry studies, and organizational process assets, which may include process controls and lessons learned from past projects.

The risk management plan guides the use of all these inputs to identify risks and record them in the risk register. The Identify Risks process leads to risk analysis, planning risk responses, and monitoring and controlling risks. In addition, the Identify Risks process may have implications for management of other project areas, such as cost, quality, and procurements.

Overview of Identify Risks Inputs, Tools and Techniques, and Outputs

Figure 3-4 shows the inputs, tools and techniques, and outputs of the Identify Risks process. These inputs, tools and techniques, and outputs are discussed in detail in this module.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 3-4. Identify Risks: Inputs, Tools & Techniques, and Outputs

Topic 2: Inputs to the Identify Risks Process

The inputs to the Identify Risks process are:

• Risk management plan
• Activity cost estimates
• Activity duration estimates
• Scope baseline
• Stakeholder register
• Cost management plan
• Schedule management plan
• Quality management plan
• Project documents
• Enterprise environmental factors
• Organizational process assets

Risk Management Plan

The risk management plan defines how and when the Identify Risks process is performed. The plan:

• Assigns roles and responsibilities to participants in the Identify Risks process
• Allocates budget and time for the Project Risk Management activities
• Determines risk categories that the team will use to explore and organize the identified risks

Activity Cost Estimates

Activity cost estimates, an output of the Estimate Costs process in the Project Cost Management Knowledge Area, provide a quantitative analysis of the expected cost to complete individual project activities. These cost estimates are useful inputs to the Identify Risks process, since a review of the estimates may uncover activities that have been underbudgeted. If an estimated cost is insufficient to complete the activity, it poses a risk to project completion.

Activity Duration Estimates

Activity duration estimates provide a quantitative analysis of the time allowed in the project to complete individual activities or the project as a whole. A review of the estimated time allowances may identify time-related project risks.

Scope Baseline

A scope baseline is an approved detailed version of the:

• Detailed scope statement
• Work breakdown structure (WBS)
• WBS dictionary

During the Identify Risks process, the project assumptions within the project scope statement must be carefully reviewed and evaluated for potential risks. The WBS also contains critical information; using the WBS, the impact of potential risks can be identified at a detailed level as well as a summary level.

Stakeholder Register

The stakeholder register lists the individuals and organizations, internal and external, that are impacted by the project. It documents relevant information about each stakeholder’s interest, involvement, and influence on the success of the project.

The information contained in the stakeholder register is valuable for gathering data and input from key stakeholders regarding potential project risks.

Cost Management Plan

The cost management plan, a component of the project management plan, provides information on the cost management approach for the project. The nature or structure of the plan for managing project costs may increase or decrease the potential risk level of the project.

Schedule Management Plan

Like the cost management plan, the schedule management plan is a component of the project management plan. It provides information on the schedule management approach for the project. The nature or structure of the plan for managing the project schedule may increase or decrease the potential risk level of the project.

Quality Management Plan

The quality management plan sets the intended quality standard and direction for the organization/project team. It also describes how the team will implement the quality policy, and it addresses quality assurance, quality control, and quality improvement.

The degree to which organization-wide quality policies and processes are documented and understood directly impacts the level of success in implementing the quality plan and, ultimately, will directly impact the risk level of the project.

Project Documents

Project documents relevant to identifying risks include:

• Assumptions log
• Work performance reports
• Earned value reports
• Network diagrams
• Baselines
• Other risk-related project information

Enterprise Environmental Factors

Examples of published information that may yield sources of risk for the project team to consider include:

• Journal articles about the use of planned project activities and related technology
• Academic studies about the project activities or types of resources being considered
• News reports and business data about intended partners or outsourcing vendors

Organizational Process Assets

Historical data from prior projects will often yield information about risks for the current project, particularly if similar activities were performed or resources utilized. They may also indicate how effectively the risks were managed and highlight any risks that were not anticipated by the prior project’s team.

In addition, many organizations use a standard set of risk categories as a starting point for the Identify Risks process. In some cases, subject matter experts (SMEs) may be consulted to help manage risks in general, or in specific application areas.

Topic 3: Tools and Techniques for the Identify Risks Process

The tools and techniques for identifying risks include:

• Documentation reviews
• Information gathering techniques
• Checklist analysis
• Assumptions analysis
• Diagramming techniques
• SWOT analysis
• Expert judgment

Documentation Reviews

An important step in identifying risks is to conduct a documentation review. The project team typically reviews project documentation to get a “bird's-eye view” of all aspects of the project, its goals, and how the project goals will be achieved.

A review of historical information may provide insight into what was effective and what could be improved on prior projects.

Information Gathering Techniques

A project team uses information gathering techniques to elicit ideas on risks from team members. There are several methods that can be used to gather information. The most commonly used techniques are:

• Brainstorming
• Delphi technique
• Interviewing
• Root cause analysis

These techniques are described in detail below.

Brainstorming

Brainstorming helps a team to generate as many ideas as possible in a short time period. Project team members, management, and stakeholders might all participate in brainstorming about potential quality issues, concerns, needs, and expectations. The inclusion of individuals with different project roles will result in a greater variety of ideas generated by the group.

In a brainstorming session, participants, led by a facilitator, generate a list of possible risks. The ideas are generated without discussion and evaluation, in order to facilitate the flow of thought and to capture all ideas or suggestions.

This process produces a long list of risks that are then categorized and grouped by type. Further brainstorming to explore each category may follow. Finally, similar ideas may be merged, and definitions may be clarified for each risk.

Variations of the brainstorming technique include:

• The round-robin approach, in which participants take turns sharing their ideas. This helps to ensure that everyone has an opportunity to contribute and prevents one person from dominating during the process
• Collecting or posting, which involves using small cards that are collected by the facilitator or posted on a wall for review by the team

Advantages and Disadvantages of Brainstorming

The advantages of the brainstorming technique are:

• All participants are treated as equals
• All sessions are cooperative, not competitive
• Sessions are more objective than a discussion; participants cannot steer the group toward a particular area of the project
• It is less likely that a significant risk will be overlooked
• Team members are motivated to actively participate in the remaining risk management activities; this is a team-building exercise where the team, rather than individuals, owns the results

The major disadvantage of brainstorming is that the process generates a lot of material, and duplication is inevitable. Including evaluation as part of the process helps mitigate this disadvantage.

EXAMPLE: BRAINSTORMING THAT INCLUDES EVALUATION OF IDEAS

During a group review exercise, display ideas on a wall. Participants silently circulate in a line past the wall, and as they do they can rearrange the ideas into groupings, until no more rearranging takes place.

This brings similar ideas together so that they can be merged. This is a noncompetitive, team-oriented activity, so it has the same organizational benefits as the initial idea-generation activity.

Delphi Technique

The Delphi technique is an approach used to gain consensus among a panel of experts. The Delphi technique, named for the famous oracle who could be considered the subject matter expert (SME) of ancient Greece, relies on experts.

DEFINITION: DELPHI TECHNIQUE

“An information gathering technique used as a way to reach a consensus of experts on a subject. Experts on the subject participate in this technique anonymously. A facilitator uses a questionnaire to solicit ideas about the important project points related to the subject. The responses are summarized and are then recirculated to the experts for further comment. Consensus may be reached in a few rounds of this process. The Delphi technique helps reduce bias in the data and keeps any one person from having undue influence on the outcome.”

PMBOK® Fourth Edition

The Delphi technique follows these steps:

1. A number of subject matter experts are invited to submit ideas about important project risks, usually via a survey.
2. The results are circulated anonymously, in several rounds, and new or revised input is requested. This process is repeated until consensus is reached.

3. The facilitator circulates the final list to the contributors and asks for their consensus on the risks. The facilitator ensures that no one contributor biases the resulting list with one perspective or preference.
4. The results are tabulated and presented to the group in the form of a histogram (sometimes along with all individual estimates).
5. Participants who fall in the outer quartiles of the group are asked to provide a rationale for their recommendations.

A prerequisite to such a process is the competence of the experts themselves. Because all opinions are weighed equally, it is important that all the participants have expertise in the area.

Advantages and Disadvantages of the Delphi Technique

The main advantage of the Delphi technique is that expert opinion is included, regardless of whether the experts are actually assigned to the project. Most experts are ambitious, however, and this usually means they are competitive. To eliminate the effects of competitiveness, which could otherwise serve to alienate some of the experts and discourage objective input, the process requires anonymity.

One disadvantage of using experts is that some of their ideas may be unrealistically extreme, because experts frequently work (and think) at the boundaries of their respective domains of expertise.

To reduce the likelihood of excessive importance being given to a highly improbable risk, a consensus approach is used, where the experts must agree as a group on the list of risks. This minimizes the potential that one individual, no matter how influential, will enable the prioritization of a risk that the other experts do not acknowledge as important.

Interviewing

Interviewing involves asking questions of SMEs and stakeholders to elicit information about potential risks. The information gathered must be anonymous to avoid biasing the evaluation of the input.

Documentation is generally a more reliable form of evidence than interviewing, but in the following situations interviewing is necessary and effective.

• The information needed cannot be obtained in any other way, for example:
  ◦ The topic is so new or has been studied so little that published information is unavailable or inadequate.
  ◦ The questions of interest are so sensitive, technical, or complicated that a face-to-face communication is required to guide people through the process of answering questions.
• Detailed, narrative information is required, as opposed to simple, factual information or quantitative judgments from many people that can be collected via telephone or mail survey.

Risks of Interviewing

Interviewing is more subjective than the other techniques and has the potential for ambiguities or misinterpretation. Although interview questions may be carefully composed to be consistent for all interview subjects, any question can introduce some ambiguity or can be misinterpreted.

Another risk associated with the interviewing technique is that responses might include more personal opinion than factual data. An interview subject’s memory is never perfect, and, after accumulating enough experience, experts rely more on judgment and intuition than on objective analysis.

Additionally, if an interview question is not framed correctly, it may not lead the respondent to discuss the intended risk. On the other hand, a question may lead the respondent to make an obvious statement rather than provide an unbiased assessment of the risk area.

Finally, interviewers must be given adequate training and practice. In particular, they must be trained not to bias responses with their non-verbal communication. Each interview must be conducted methodically and consistently.

Root Cause Analysis

Root cause analysis explores what, how, and why a risk occurred or might occur. It breaks down high-level risks such as “risk of schedule delay” into more specific descriptions of the risks that cause schedule delay. The technique is best conducted by a facilitator who takes a risk that a respondent has identified, and interviews further to find out if it can be broken down into more specific elements of risk.

Benefits of Root-Cause Analysis

Exploring the root causes of a risk can lead to:

• Identifying other risks arising from the same cause. For example, determining that a critical staff person is absent because of illness may lead to the discovery that he has contracted a communicable disease. If he contracted the disease at work, staff with whom he works might also become ill.
• A basis for a set of more economical risk response plans during the Plan Risk Responses process. Large problems are often found to have simple causes that contribute to the more obvious symptoms. Treating the true cause rather than the symptom can save significant effort.

Checklist Analysis

Checklist analyses can be helpful if they reflect lessons learned from previous projects. Checklists can also be limiting, however, if the team assumes that the checklist is comprehensive and complete (which is rarely the case).

How Checklists Work

1. Historical information or a checklist from another project is deemed useful.
2. The project team reviews the checklist and determines how it can be adapted. If the checklist does not include areas of risk that are germane to the current project, the team adds these areas. If the checklist includes areas of risk that are not germane to the current project, the team omits them.

3. The checklist is divided into types of risk or risk categories, with associated questions that require a positive or negative response. (Typically, positive responses to questions indicate a risk potential that would trigger further evaluation by the team.)
4. At the end of the project, the risk checklist is reviewed against the project's actual performance in risk management. If necessary, the checklist is revised before it is submitted as historical information.

Advantages and Disadvantages of Checklist Analysis

The advantage of a checklist analysis is that the technique is simple and efficient. Checklists can be helpful, especially when they reflect lessons learned from previous projects.

A disadvantage of using checklists is that a checklist cannot be entirely sufficient unless it is tailored to the current project. Therefore, a large project is likely to require a lengthy checklist and a substantial amount of time to review it.

Example of a Risk Checklist

An organization involved in project management should consider developing a risk checklist specific to its needs; however, the sample below may be sufficient for most projects.

The checklist below shows risks by category, such as Technology and Time. When time is short, this type of checklist lets the team focus on specific areas for their risk potential, rather than examining the entire list.

Once an area of concern is flagged, it is necessary to identify risk statements that describe the specific concern more completely. These might be, for example, “Development software vendor fails to provide adequate technical support,” or “Major snowstorm prevents team from reaching offices for two workdays.”

A. Technology

• New technology
• Unknown or unclear technology
• New application of existing technology
• Modernize advanced technology in existing application

B. Time

• Project schedule uncertainties or constraints that may impact project completion or milestone dates
• Long lead procurement items that may affect the completion of the critical path or milestones

C. Contractor Capabilities

• Potential for unavailability of qualified vendors or contractors

D. Interfaces

• Significant transportation or infrastructure impacts
• Multiple project interfaces
• Significant interfaces with an operational facility

E. Safety

• Risks to worker safety during construction
• Significant contamination potential
• Accidents due to new design or other non-reviewed safety questions
• Involvement of hazardous material

Assumptions Analysis

Every project, and every identified risk, involves a set of assumptions. These are typically documented as an assumptions log within the project scope statement.

DEFINITION: ASSUMPTIONS

“Assumptions are factors that, for planning purposes, are treated as true, real, or certain without proof or demonstration.”

PMBOK® Guide, Fourth Edition

In the previous project planning activities, the project team established estimates and assumptions covering:

• Scope
• Deliverables
• Objectives
• Time durations
• Resources
• Costs

The assumptions analysis technique determines the validity of project assumptions. The analysis identifies risks by testing the accuracy, stability, consistency, and completeness of assumptions.

Good practice suggests making a clear list of such assumptions so that the appropriate stakeholders and decision-makers can validate them and agree to them.


EXAMPLE: ASSUMPTIONS ANALYSIS

A project team expects to be able to travel efficiently between project

locations. They may assume that a transportation network exists, has

available space, can be used by them, and works reliably and efficiently.

Some organizations run their own private shuttle or jet services between

office locations to eliminate the risk that this assumption is not true. Others

rely on personal or public transportation.

If frequent travel is necessary, it may present an unacceptable risk to

assume that the team will experience no difficulties without special

arrangements or provisions for backup transportation alternatives.

Diagramming Techniques

Diagramming techniques are primarily used to ensure that the Identify

Risks process is thorough and focused. They show how various elements

relate to one another and visually display project information to locate

specific areas where risk may be encountered.

Various types of diagrams are available, including:

• Cause-and-effect diagrams
• System or process flowcharts
• Influence diagrams

These techniques are helpful in ensuring that the entire risk picture is

considered and that the right effort is expended, in the right place, to

mitigate the risks as economically as possible.


Cause-and-Effect Diagrams

Figure 3-5 shows an example of a Cause-and-effect diagram. These

diagrams (also known as Ishikawa or fishbone diagrams) track problems

to the root cause. The major defect, or in this case, a risk, is at the

head. Along the backbone are the major spines indicating the types of

causes that can contribute to the risk.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 3-5. Sample Cause-and-Effect Diagram

A simple way to think about this diagramming method is to start with the fish head and ask, "What caused this?" The answer usually falls into one of the identified categories as a fish bone. The follow-up question continues, "What caused that?" with each answer extending or creating another, smaller fish bone. Exploring the cause behind each cause can produce a list of very well-defined, specific causes grouped very clearly.

When all the major risks have been analyzed, the root causes should be examined to see if the same causes are appearing in different categories. For example, in the diagram above, if the same root cause, "Major hurricane," appears under "Personnel," "Material," and "Energy," addressing the effect of seasonal weather should be a priority. Perhaps the project should be postponed. Addressing root causes that affect many areas will have the widest beneficial impact on the project as a whole.


System/Process Flowcharts

A process flowchart presents the chain of activities in a process, and

may show the transfer of information, the transfer of control, or both.

When a risk is present in one of the activities, the diagram can be used

to identify where in the downstream activities problems will occur. It

can also be used to explore how upstream activities might be

contributing to this risk. This information can be used to understand the

risks, how widespread their effects are, and how they should best be

addressed.

Figure 3-6 shows a process flowchart. System/process flowcharts follow

the same principles as the cause-and-effect diagram. By outlining the

flow within a system, potential causes can be identified for

consideration.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 3-6. Sample System/Process Flowchart


Influence Diagram

An influence diagram shows the relationship between factors in an

environment. These factors can be objects, events, activities, or

transitions.

In the Identify Risks process, the relationships between factors in a

project environment can be explored, such as the relationship between

office space assignments, desk space, noise levels, and productivity.

The relationship between these factors in turn affects whether the

project meets its scheduled milestones.

A risk that affects the office space assignments may adversely affect all

of these. For example, the discovery of asbestos contamination in a

team’s original space might force the team to relocate to a new

workspace that is next to the building's climate control equipment. The

noise levels will go up, the productivity will go down, and the project

will miss scheduled milestones.

Figure 3-7 shows an influence diagram of the factors involved in restoring a diseased patient to health. The disease presents symptoms, and it also signals that the patient is a candidate for a test for the disease (in health care, this situation relating a patient to a medical action is known as an "indication"). The symptoms lead the doctor to perform a test on the patient. This leads to a test report, which compares the indication to the actual test results, and also to diagnosis and treatment. The treatment leads to recovery. Finally, the patient's quality of life is affected by the recovery, and also by the treatment costs (if they are too high) and any side effects that may occur from the treatment.


Figure 3-7. Sample Influence Diagram

Strengths, Weaknesses, Opportunities, and Threats (SWOT) Analysis

The SWOT analysis is a strategic planning technique that examines the

project’s strengths, weaknesses, opportunities, and threats. The results

of the analysis can increase the project team’s understanding of

identified risks, by helping the team to uncover potential weaknesses

and threats, and to recognize strengths and potential opportunities.

A SWOT analysis is conducted by asking the team to list:

• The strengths of the project, team, and performing organization
• The weaknesses of the same organizations
• The opportunities they face
• The threats they face


Figure 3-8 shows a SWOT matrix diagram.

Strengths (Internal Advantages)
• What are our core competencies?

Weaknesses (Internal Disadvantages)
• What has caused us problems in the past?
• What areas are outside our core competencies?

Opportunities (External Advantages)
• What advantages do we have over our competition?
• What market needs can we fill?

Threats (External Disadvantages)
• What competition do we face?
• What potential market downturns are possible?
• What challenges could we face from legal or regulatory changes?

Figure 3-8. SWOT Diagram Example

TIP

Strengths and weaknesses are often internal to your organization.

Opportunities and threats often relate to external factors. For this reason

the SWOT Analysis is sometimes called Internal-External Analysis.

Examples of Strengths, Weaknesses, Opportunities and Threats

Strengths: Strengths are usually internal factors that describe the

positive attributes of the team. The team may have highly skilled or

experienced staff members with diverse capabilities. They may enjoy

excellent support from a strong sponsor or stakeholder. They may be

resourceful and superbly responsive to change.


Weaknesses: Weaknesses may be internal to the team or external, such

as inexperience or lack of maturity in team members or a shortage of

resources, a poor organizational climate, and lack of administrative

support or adequate facilities.

Opportunities: Opportunities generally involve the performing

organization or the larger organization; for example, the chance to

introduce a new method or tool into the performing organization for

wider adoption; gaining brand recognition for the organization with the

project's product; or establishing a new service as an internal revenue

generator.

Threats: Threats are usually external to the project team, such as a

possible attempt by a powerful executive to stop the project from

diverting his resources from a favorite initiative; the discovery of

improper accounting practices in subcontracting work; or the danger

that a competitor will release a successful equivalent product before

the project is completed.

TIP

To increase the effectiveness of the SWOT analysis:

• Ask for precise, verifiable statements
• If team members offer perceptions rather than verifiable statements, capture those answers separately, so that shared perceptions and trends may be identified
• Edit (cut) long lists of factors, perhaps by verifying their validity or frequency of occurrence
• Prioritize factors so the most significant ones receive the most attention
• Apply the analysis at the right level; for example, focus questions on a component rather than an entire product, or on a sub-process rather than the whole process


Expert Judgment

Expert judgment is the application of specialized knowledge or training

to the Identify Risks process. This expertise may be contributed by a

group or by an individual, including:

• Other departments
• Consultants
• Professional associations
• Subject matter experts

The insight of experts can be especially valuable in suggesting possible

risks based on their own expertise and experiences. Take into account

the experts’ potential bias.


Topic 4: Outputs from the Identify Risks Process

The major output of the Identify Risks process is the risk register. The

risk register will ultimately contain the outcomes of the other risk

management processes, and therefore it will grow over time, as risk

activities are completed and more information is gathered.

DEFINITION: RISK REGISTER

"The document containing the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning. The risk register details all identified risks, including description, category, cause, probability of occurring, impact(s) on objectives, proposed responses, owners, and current status."

PMBOK® Guide, Fourth Edition


Components of the Risk Register

The initial components of the risk register, resulting from completing the activities in the Identify Risks process, are:

• A list of identified risks
• A list of potential risk responses
• Additional information

List of Identified Risks

The identified risks should be described in as much detail as possible. It

is helpful to apply a simple structure to the list, such as an Event and

Impact list, or an If/Then/Effect statement, for each risk. Structuring

the list in such a way could cause the root causes of the identified risks

to become more evident. The root causes, which may result in one or

more of the identified risks, must be recorded and made available to

support future risk identification for this and other projects.

List of Potential Risk Responses

As the Identify Risks process is executed, potential risk responses may

be identified as well. Potential responses should be captured and, if

applicable, used as inputs to the Plan Risk Responses process.

Additional Information

The risk register can also contain other valuable information that has

been gathered during the Identify Risks process, such as:

• A list of root causes
• A list of triggers: objective and early warning signs that a risk event will soon occur
• Updated risk categories


Development of the Risk Register

The following information and examples will be helpful in developing a

project risk register.

Guidelines for Creating the Risk Register

The definitions of the risks must be agreed on and widely

communicated. This prevents mistakes pertaining to an identified risk,

and ensures that interpretations of what is included in a particular risk

definition are not overly broad. Obvious duplicates should be eliminated

from the list.

In order for risks to be effectively managed, information about them

must be controlled. Changes and additions to the list, as well as

removal from the list must be undertaken according to a formal

process.

The information should be stored in a structured list called a risk

register. Other project management processes can reference the risk

register. Many departmental and enterprise-level project management

systems contain a risk management subsystem. For simple projects, a

simple database, such as a Microsoft® Excel spreadsheet, may be

perfectly adequate. Figure 3-9 shows an example of a risk register.

Figure 3-9. Sample Risk Register


These are examples of data that may populate a risk register:

• ID: R234
• Rank: 1
• Description: During the scheduled time allocated to transport materials to the project location, a transportation strike could occur, which would result in schedule delays.
• Probability: Low
• Impact: High
• Risk Score: (.10) (.7) = .07 [P*I=RS]
• Potential Response: Move the schedule date for transportation ahead if Teamsters contract is not signed in 2 weeks.
• Root Cause: We agreed to use union truck drivers on this project.
• Triggers: Failed contract negotiations.
• Potential impact to Cost and Schedule: Cost will be increased by 15k to implement an early shipping plan. Schedule will not be adversely impacted.
• Category: K. Labor Skills, availability
• Contingency: The material to be shipped is on hand and in place. Establish contracts with non-union shippers to ship the materials two weeks earlier than previously scheduled. This will support the aggressive schedule and avoid potential conflict with union members should a strike occur.
• Owner: Paul Lanni


Risk Register Worksheet

Project management teams can use worksheets to catalogue risk

information, including severity, triggers, and risk category. At this

point, the only factual information known for sure appears in the first

three columns, although other information, such as severity, potential

response, triggers, and root cause, may be known or hypothesized.

Later, Project Risk Management activities will involve assessing

qualitative factors, such as probability and impact, and quantitative

factors, such as costs; selecting appropriate responses to manage the

risk; and documenting the final impact of the risk and the effectiveness

of the associated risk responses. As information about the risk is

obtained it can be transferred from the worksheet to the risk register

database. Figure 3-10 shows an example of a risk register worksheet.


Project: Mountaintop Hotel

Identify Risks & Analysis

Identified Project Risk | P | I | RS | Risk Category
Transportation Strike | | | | K. Labor Skills, availability

Description of Identified Risk: As a result of having to transport materials to the project location, a transportation strike could occur, which would result in schedule delays.

Assumptions/Basis: Because of project location, most materials will be transported by truck. Although no Teamsters’ strike has affected this region for 20 years, the consequences of a strike could set the project schedule back by more than 30 days.

Risk Response Planning

Strategy Chosen:
Opportunity: Exploit / Share / Enhance / Accept
Threat: Avoid / Transfer / Mitigate / Accept

Trigger measure to be monitored, and Source:

Threshold Condition:

Potential secondary risks (risks arising from implementing this plan):

Residual risk (estimated remaining P, I, and RS after risk response is implemented):

Preparatory Plan: Actions to take before risk materializes
Plan Description | Who Performs | Cost / Schedule Impact | Date Due

Contingency Plan: Actions if the risk is triggered
Plan Description | Who Performs | Cost / Schedule Impact

Risk Owner:

Figure 3-10. Sample Risk Register Worksheet


EXERCISE: IDENTIFY PROJECT RISKS

Identify risks for the case study. Your diligence will determine the

effectiveness of the overall risk management effort. Refer to the Identify

Risks topic in Appendix A.

Use the following tools and techniques of the Identify Risks process to help

identify and document project risks:

• Documentation reviews
• Information-gathering techniques
• Checklists
• Diagramming methods
• Assumptions analysis

See Exercise 3-1, in Appendix A of this Participant Guide.


Module Summary

ADDRESSING THE BUSINESS CHALLENGE

Ana leads the team in a brainstorm to elicit ideas on risks that might be associated with the parade. She has one flip chart for negative risks, and one for positive, and gives the team an example of each: hidden costs, for instance, are possible in an event they've never run before. On the other hand, favorable publicity may generate a crowd and a bigger audience for the SummerFest fair. Using data from the meeting, Ana generates a cause-and-effect diagram to show how various risk elements relate; and develops a risk register, with opportunities and threats sorted by type and perceived severity.

The risk management plan guides the Identify Risks process. The

Identify Risks process is used to gain an understanding of the potential

risks associated with a project or project phase. The Identify Risks

process occurs throughout the project; it must be undertaken

periodically according to the risk management plan, and must also be

used whenever a significant circumstance changes.

The Identify Risks process results in a comprehensive list of all

identified risks sorted by type and perceived severity. In addition, the

definitions of the risks must be agreed on and widely communicated so

that no mistake is made about the identified risks, and also so that a

risk that has not been properly identified is not mistaken for being

already included in an existing risk definition.

The outputs from Identify Risks are contained in the risk register.


Module 4

Perform Qualitative Risk Analysis

Module 4: Perform Qualitative Risk Analysis


Module Introduction

Once risk management planning is established and risks have been

identified, the next step is to prioritize each risk. One approach is

called qualitative analysis, which is scoring risks relative to previously

established definitions of probability and impact.

Another risk assessment approach, quantitative analysis, applies more

detailed numeric methods. Only risks ranked high by qualitative analysis

may be subject to quantitative analysis, which is addressed in Module 5.

Risk analysis is the basis for eventual risk response planning.


Module Objectives

Upon completion of this module, the participant will be able to:

• Define the Perform Qualitative Risk Analysis process within the context of the project management framework
• Identify and describe the inputs, tools and techniques, and outputs of the Perform Qualitative Risk Analysis process
• Apply qualitative methods to conduct a probability and impact assessment for identified risks


Topic 1: Overview of the Perform Qualitative Risk Analysis Process

THE BUSINESS CHALLENGE

While a list of identified risks is an important step, it doesn't do much to

determine the importance of addressing specific risks. Which means, in the

case of the SummerFest parade, the list only accentuates Jack North's sense

of alarm. He approaches Ana after the assessment session. "There are so

many risks," he says. "How do we deal with them all?"

Ana reassures him that identifying risks is not the end point, it's a

beginning. At their next meeting, she tells him, they'll analyze each

identified risk to understand its likelihood and potential impact on cost,

schedule, scope, and quality. Then they'll have a better sense of which risks

they need to address, and how soon.

• What tools and techniques can Ana use with the team to prioritize risks for further analysis or action?

The PMBOK® Guide, Fourth Edition, recognizes two approaches to risk

analysis. This module describes the more subjective method, known as

Perform Qualitative Risk Analysis, which can achieve the desired end

quickly and economically, but provides only approximate results. The

second approach is a more detailed numerical analysis. Known as

Perform Quantitative Risk Analysis, it is addressed in the next module.

To manage risks efficiently, it is necessary to understand the risk in

terms of its relative significance to the project and in relationship to

other risks. Given the list of identified risks and some established

conventions for measuring the size of the risk, two primary questions

are answered in the Perform Qualitative Risk Analysis process:

• How likely is this risk to occur?
• And, if it occurs, how significant is the impact to the project?


Perform Qualitative Risk Analysis is a process of the Planning Process

Group. The Perform Qualitative Risk Analysis process follows the

Identify Risks process and results in evaluating the probability of a risk

occurring and the impact of that risk on the project.

Figure 4-1 shows that the Perform Qualitative Risk Analysis process

occurs in the Planning Process Group.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 4-1. Project Risk Management Process Group Map: Perform

Qualitative Risk Analysis Process

The PMBOK® Guide, Fourth Edition, defines Perform Qualitative Analysis

as:

DEFINITION: PERFORM QUALITATIVE ANALYSIS

"The process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact."

PMBOK® Guide, Fourth Edition

The Perform Qualitative Risk Analysis process allows the project

management team to prioritize the risks for the Plan Risk Responses

process, and to evaluate whether a high-priority risk should be carried

further into the Perform Quantitative Risk Analysis process.


Purpose of Perform Qualitative Risk Analysis

The Perform Qualitative Risk Analysis process is a way to determine the

importance of addressing specific risks, and allows the team to guide

risk responses based on factors such as:

• Time criticality of the risk
• Quality and quantity of information about the risk
• The probability of occurrence and impact of the risk

The output of the Identify Risks process provides a comprehensive list of

risks. This list may easily include dozens to hundreds of risks, depending

on the size of the project. Such a long list can overwhelm the project

manager and team, and would also alarm the project sponsor and

organization management unless appropriate steps are taken to simplify

and order the list as much as possible. The goal here is to begin

establishing order out of chaos so that prudent and economical actions

can be taken to protect the project from the risks.

This is accomplished by first performing an analysis of each risk that has

been identified. Using a divide-and-conquer approach, the project

management team investigates each of the risks so that all risks are

understood more fully. Then, the project manager prioritizes and

allocates resources to them to address the overall risk most effectively.

The impact of the risk may affect one or more of the project

objectives, including the scope, schedule, cost, and quality objectives.

Because stakeholder tolerance for risk varies, it is important to have

determined the risk tolerance of the current project’s stakeholders

during the Plan Risk Management process. The tolerance levels will

indicate what risk impacts can be accepted without further

intervention, and what level of investment would be considered

justified by the stakeholders in order to avoid or minimize the impact of

a risk.


Once the probability and impact of each risk is evaluated, a

determination can be made as to which risks deserve the most attention

and how much investment they warrant. Part of this investment may be

the additional research and computational effort involved in subjecting

the risk to the Perform Quantitative Risk Analysis process.

Perform Qualitative Risk Analysis is performed once the first time that

the Project Risk Management Knowledge Area processes are carried out,

but it may be repeated as often as needed to reassess the risks when

new information becomes available, or when new risks are identified.

This approach enables prioritization based on facts, not opinions or

bias, but it cannot address all risks. Time criticality of a risk and the

quality of data that defines it are also important in establishing priority.

Interactions with Other Processes

Figure 4-2, the Perform Qualitative Risk Analysis process data flow

diagram, shows how inputs are transformed through tools and

techniques into outputs.

PMBOK® Guide, Fourth Edition

Figure 4-2. Perform Qualitative Risk Analysis: Data Flow Diagram


Perform Qualitative Risk Analysis receives inputs from the enterprise

and the project management plan. The process of risk analysis is kept

distinct from risk identification to counteract bias in risk planning. Risk

analysis is followed by the Plan Risk Responses process and the Monitor

and Control Risk process.

Risk analysis is a focus early in the project. Over the course of the

project, risk analysis is repeated often, since risks and their impact

change with time. The risk register, the signature artifact of risk

planning, is updated with each analysis cycle. Risk management bears

directly on project objectives of scope, cost, schedule, and quality.

Perform Qualitative Risk Analysis Format

Generally, Perform Qualitative Risk Analysis is performed in a meeting

or forum with all identified participants present. The meeting format

permits an open discussion of the project scope, potential risks and

assumptions, and brainstorming of management and mitigation

strategies. If the project is a low-dollar-value project, a formal meeting

may not be required to perform a risk analysis.

Prior to conducting a risk analysis, the project manager should provide

the risk analysis participants with all available project information for

evaluation and review. The project manager leads and participates in

the discussions and the ensuing risk analysis activities.

Each participant has the responsibility to prepare for, actively

participate in, and concur with the group consensus concerning the

results of the risk analysis. This should include looking at specific

project baseline information. For example, the engineering

management group may be responsible for all work breakdown structure

(WBS) elements with design work scope.


Scope of Perform Qualitative Risk Analysis

A Perform Qualitative Risk Analysis should be an integrated analysis of

risk in all elements of the project. Perform Qualitative Risk Analysis is

not separate from, or in addition to, other risk-based analyses

traditionally employed during project development and execution, such

as analyzing purely technical risks or establishing cost and schedule

contingencies. In many companies, a risk analysis is performed using a

very specific technique, often formally applied at the beginning of the

project, or even earlier during initiation or strategic planning.

During the Identify Risks process, the team must be diligent in

identifying as many potential risks as they can, using a brainstorming

technique that specifically excludes any editing or qualifying of the

identified risks.

However, risk analysis must be conducted in a moderated way. The risk

analysis activities are tempered by judgment, since the results of the

analysis will add to the cost and effort of the project management

activities. The risk analyses will be used in later risk management

activities as an aid in tasks such as:

• Deciding between several potentially expensive technical risk response alternatives
• Establishing levels of reserve resources to be used to absorb the impact of any risk that materializes, thereby adding to the cost and time of the project
• Selecting procurement strategies to pay another party to take on the risk
• Determining project performance measures to monitor for detecting when risk events are about to occur or have occurred and require a response
• Selecting project performance reports to present the performance measures in a timely and efficient manner


Frequency of Performing Qualitative Risk Analysis

As with the Identify Risks process, the Perform Qualitative Risk Analysis

process should be repeated throughout the project life cycle, especially

at major milestones between project phases, to identify significant risks

and formulate management and mitigation strategies. A project risk

analysis can be performed at any time during the project life cycle.

Reasons for Performing Qualitative Risk Analysis

Subsequent reviews/revisions/updates should be performed at least

once during each project phase, preferably at the beginning of the

phase, and at any time deemed appropriate by the project manager.

For instance, a project manager should consider conducting a risk

analysis for the following reasons:

• A major previously identified risk has been realized.

• The potential of a high-risk item has been eliminated.

• The potential for a new risk(s) is identified.

• New information has surfaced, which may indicate that a risk’s probability of occurrence or impact has increased or decreased.

If possible, all participants in the initial risk analysis should participate

in subsequent reviews. When these reviews are performed, all available

information on project scope, project performance, and any other

relevant data should be provided to the team.

Risk Impact

Perform Qualitative Risk Analysis rates the relative impact of identified

risks on project objectives so the risks may be prioritized. Although we

are doing a qualitative analysis at this stage, it is important to

understand the relative value or impact of the risk in case it becomes a

reality.

Cost Impact

An appreciation for the cost impact of a risk event should consider the

dimensions of cost. There is the cost of rework required to recover from

the risk event, should it happen. This cost includes labor and materials,

as well as any other capital or indirect costs. You should understand

whether the cost impact is isolated to one or two project work

packages, or whether the risk’s impact propagates into other project

deliverables.

This study of cost impact is known as the Price of Nonconformance

(PONC) and incorporates the various rework costs.

Risk impacts tend to inflate over time. If unaddressed, the cost of

correcting a problem that occurs during the project concept phase

tends to escalate by a factor of ten in each subsequent phase, so that a

one dollar problem during the concept phase could cost thousands of

dollars to repair when the product is in service.

There may be other externally imposed costs, such as litigation and

fines, or less obvious costs such as an economic opportunity cost or loss of

market share. Intangible costs may include damage to brand image,

goodwill, or reputation. Each of these costs should be considered and

evaluated relative to the impacts of other risks.

Schedule Impact

The impact on the project schedule must be evaluated. Consider the

following:

• How many days will the schedule be delayed?

• What key milestones will be affected?

• Will this affect the project completion date or not?

• What is the impact to related tasks?

• How will this affect the availability of resources?

• What is the impact on the project’s estimated benefits resulting from the delayed implementation?

The scoring of the risk can be based on the degree of schedule impact,

for example, by determining how large a delay to the critical path is

expected, and the value of a day’s delay in implementation.

Scope Impact

The effect of some risks is to force the project team to eliminate some

portion of scope. For example, a technology for which the project team

assumed the performing organization had obtained usage rights may be

found to be proprietary and unavailable, leading to the elimination of a

key component in the product.

Quality Impact

Some risks represent a threat to the quality of deliverables. One

example is the unavailability of the assigned expert resources, so that

deliverables are developed by resources without enough experience

to ensure they are completed with only minor defects, or so that

deliverables cannot be effectively reviewed and

evaluated for their quality.

Another way risks can affect quality is by causing upstream delays in a

schedule-sensitive project, so the project team is forced to accelerate

testing activities. Such acceleration inevitably causes the team to omit

tests or to defer removal of identified defects until after

implementation, or both.

Proportionate Expenditure of Risk Analysis Techniques

Perform Qualitative Risk Analysis is basically an intuitive prediction of

risk impact.

For risks that clearly involve low complexity and small dollar values,

using only the Perform Qualitative Risk Analysis process is best, because

it requires less effort and time and generally yields similar results to

quantitative analysis in these cases. In other words, using the

quantitative approach for low-dollar risks is overkill, and does not add

value to the project management result.

In cases where there is high complexity and high dollar value, using

Perform Quantitative Risk Analysis is warranted. The Perform

Qualitative Risk Analysis process is not well suited to complex situations

because it involves essentially simplistic human judgment, and human

judgment becomes less accurate as complexity increases. Also, as the

dollar value of the risk increases, stakeholders will expect more rigor

to be applied in analyzing the risk so as to minimize the possibility of

error. Perform Quantitative Risk Analysis is the more rigorous

technique. Figure 4.3 contrasts subjective and objective risk analysis

techniques.

Figure 4.3. Subjective and Objective Risk Analysis Techniques

The project status suggests whether the impacts of some risks are

higher or lower than expected, and whether it is too early to

successfully analyze a risk fully. For example, if the project is in the

requirements stage, the analysis of risks involving the technical

alternatives of the design may be worth deferring until the design stage.

On the other hand, if the project is behind schedule, a project-funding

problem may become more acute than if it were on track.

Project type can also be useful in focusing analysis more productively.

For example, it may be possible to assess projects that involve familiar

work processes and tools less rigorously than those that involve

technical innovation. Those that involve outsourcing may introduce a

whole new set of risks not posed by projects conducted in-house.

Overview of Perform Qualitative Risk Analysis Inputs, Tools and Techniques, and Outputs

Figure 4-4 shows the inputs, tools and techniques, and outputs of the

Perform Qualitative Risk Analysis process. These inputs, tools and

techniques, and outputs are discussed in detail in this module.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 4-4. Perform Qualitative Risk Analysis: Inputs, Tools &

Techniques, and Outputs

Topic 2: Inputs to the Perform Qualitative Risk Analysis Process

The inputs to the Perform Qualitative Risk Analysis process, described

below, are:

• Risk register

• Risk management plan

• Project scope statement

• Organizational process assets

Risk Register

The identified risks documented on the risk register are the main driver

of the analysis; each risk is considered in turn, along with any

supporting documentation that describes the causes and impacts of the

risk on various project processes and components.

Risk Management Plan

The Perform Qualitative Risk Analysis process uses scales of probability

and impact, risk categories, the probability and impact matrix, and

updated stakeholders’ risk tolerances from the risk management plan.

Other relevant elements in the plan include how qualitative risk analysis

will be used, whether and which of its outputs will eventually be used

by the Perform Quantitative Risk Analysis process, when risk

management activities will be performed, and who will participate. Any

of these aspects of the risk management plan not developed during the

Plan Risk Management process can be developed during the Perform

Qualitative Risk Analysis process.

Project Scope Statement

Assumptions from the project scope statement, which the team

reviewed during the Identify Risks process, have already suggested some

risks. Evaluating these assumptions supports assignment of probability

and impact values for the associated risks.

Organizational Process Assets

Organizational process assets provide data on past projects and risks

encountered or lessons learned. For example, if the impact of a

procurement risk is difficult to establish because the organization has

no experience in this kind of procurement, some additional research or

benchmarking may be worthwhile.

Topic 3: Tools and Techniques for the Perform Qualitative Risk Analysis Process

The tools and techniques for performing a qualitative risk analysis

include the following:

• Risk probability and impact assessment

• Probability and impact matrix

• Risk data quality assessment

• Risk categorization

• Risk urgency assessment

• Expert judgment

Risk Probability and Impact Assessment

Not all risks that were identified pose a serious threat to the interests

of the project. You have to develop a method to sift through the list of

risks, eliminating inconsequential risks and documenting worthy ones in

terms of importance and needs for attention. To conduct a risk

probability and impact assessment, you evaluate the probability that

each risk will occur and the impact that each risk would have if

realized.

PMI considers definitions of risk probability and impact to be outputs of

the Plan Risk Management process. Applying probability and impact

scales, however, occurs in the Perform Qualitative Risk Analysis process.

This module addresses both details of measuring risk and impact and

how to apply those measures.

A measure of the effect of a risk can be estimated by multiplying the

risk probability (P) by the risk impact (I) to produce a risk score (RS) for

each risk.

Risk Score (RS) = Probability (P) * Impact (I)

The entire list of risks can be prioritized, or sorted, based on the risk

score. This analysis lets you describe the probability and consequences

of each risk in qualitative terms. Usually, risk scores are ranked in two

tables: negative risks start with the score with the highest negative

value at the top, while opportunities are ranked with the highest

positive risk score at the top. Management can attack the risks at these

extremes first, by focusing their effort on the areas that will yield the

greatest benefit.

The risk score can also be used to select a group of risks for special

treatment, such as passing the worst risks on to Perform Quantitative

Risk Analysis, escalating them to the sponsor’s review, or subjecting

them to further research.

By using the risk score, rather than the probability or the impact alone,

you will ensure that changes in the risk’s probability, impact, or both,

are detected and reflected in the analysis.

For projects for which there is a relatively high tolerance for risk, the

values for the risk scores can be determined subjectively. Using this

method for qualitative analysis, you apply a predetermined scale of

values. Sometimes, high, moderate, and low are used instead of

numbers.

Using a Scale to Rank the Probability of Occurrence (P)

In the formula Risk Score (RS) = Probability (P) * Impact (I), P is the

probability of occurrence.

Assigning a probability to a risk allows management to determine

whether the risk is worth addressing and how much to invest in

addressing it.

Setting up a probability scale involves selecting a set of terms for

probability so that all participants can rank risks in a consistent way.

This type of scale is known as a Likert scale and is frequently used in

surveys. For example, a set of items for a probability scale might be:

• Very unlikely

• Somewhat unlikely

• 50-50 possibility

• Somewhat likely

• Very likely

The terms for a probability scale must be assigned meaningful

numerical values that indicate their relative positions. Probability is

usually expressed as a percentage. In practice, you should avoid using

0% and 100% because they signify certainty that the risk will not or will

occur, respectively.

Examples of probability terms and values that can be used in a

five-point scale appear in the following table.

| TERM | VALUE |
| --- | --- |
| Very unlikely | 10% |
| Somewhat unlikely | 30% |
| 50-50 possibility | 50% |
| Somewhat likely | 75% |
| Very likely | 90% |

A probability of Very unlikely means that the event is nearly

impossible, while a probability of Very likely means that it is almost

certain to happen. A 50-50 possibility means that it is just as likely to

happen as not; an example of this probability is a coin toss, where the

probability of either heads or tails is 50%.

A five-point (5, 25, 50, 75, and 95) scale usually provides enough spread

to differentiate among risks. In cases that are submitted to qualitative

analysis, the usual quality of available data and the lack of a real

measurement usually do not justify greater accuracy.

Cautions on Applying a Scale for Probability of Occurrence (P)

It is important to note that scale values do not amount to an actual

likelihood; they are simply relative values that permit later numerical

analysis. This numerical analysis enables the project management team

and stakeholders to compare dissimilar risks by ranking them.

The probability of each risk’s occurrence should be set at a single value

that represents the best judgment of the team at this time from the

available data. The team should not consider the impact while

evaluating the probability. For example, the probability of a train

collision has nothing to do with the freight or passengers carried by the

train, or the damage the wreck will do. It is solely a function of the

condition of the locomotives, tracks, switches, signaling and

communications equipment, the weather, the schedule of trains, and

the competence and fitness of traffic controllers and engineers.

Creating a Risk Impact (I) Scale

In the formula Risk Score (RS) = Probability (P) * Impact (I), I is the

impact of risk. The impact of the risk measures the consequence to the

project if this risk happens. A scale similar to that of risk probabilities

must be set up for the risk impacts.

The risk impact can be evaluated on a scale of relative terms:

• Very low

• Somewhat low

• Moderate

• Somewhat high

• Very high

Examples of terms and values that can be used in a five-point scale

appear in the following table.

| TERMS | VALUES |
| --- | --- |
| Very low | 0.1 |
| Somewhat low | 0.3 |
| Moderate | 0.5 |
| Somewhat high | 0.7 |
| Very high | 0.9 |

Measuring the Impact (I) of Risk Relative to Four Major Project Objectives

In some cases, it can be easier to reach agreement on a set of terms

that relate specifically to one of the four major project objectives:

cost, time, scope, and quality. For example, for scope the terms might

be:

• Scope impact barely discernible

• Minor areas of scope impaired

• Major areas of scope impaired

• Scope reduction unacceptable

• Final product undeliverable or useless

The probability and impact scales do not need to use equally spaced

values (such a scale is known as linear). A set of values with unequal

intervals can emphasize the undesirability of somewhat high, or even

moderate, negative impacts, or the desirability of a somewhat high

positive impact, even though the risk has a relatively low probability of

occurring. Some organizations use a scale with extreme values at the

ends and a concentration near the 0 midpoint. This helps to distinguish

those risks with very large positive or negative impacts from those in

the middle.

If both negative and positive impacts are to be evaluated at the same

time, then the scale can be set to range from -1 to +1, where -1

represents highly undesirable, and +1 represents highly desirable.

While this spectrum has no absolute meaning, it allows risks to be

compared effectively. One of the best ways to ensure that the scale is

applied consistently is to define a table of impact values and their

meaning in project objective terms.

The evaluation of project risk impact should quantify the impact in

terms of rough quantities of dollars and schedule time units, such as

weeks and months. By translating impact into general cost and schedule

terms, the team is able to compare the impacts of all risks based on

standard project parameters and with high confidence. This translation

into cost and schedule effects also allows the project management

team to communicate meaningfully with stakeholders who will only

understand the effects of risks in terms of measurable project

performance results.

It is valuable to require that the stakeholders approve the risk impact

table, because this establishes the expectations for how various impacts

will be differentiated. It is a way of determining the stakeholders’ risk

tolerance.

Organizations often find it useful to stratify the table’s 25 possible Risk

Score (RS) values into three levels, one representing low risks, one

representing moderate risks, and one representing high risks. The

associated matrix entries can be colored to represent three levels. For

example, the low risks can be colored green, the medium risks yellow,

and the high risks red.

This technique simplifies the application of policies (and hence effort

and resources) according to risk scale level. For example, risks rated as

red may require review at every weekly status meeting, while green

risks may need to be reviewed only monthly, or on a less frequent,

rotating basis.

Risk Impact Scales Example

This sample table shows the impact scales based on project objectives.

(Only negative impacts are shown.) This type of table should be

developed during the Plan Risk Management process.

| VALUE OF I | IMPACT TO THE PROJECT | COST THRESHOLDS | SCHEDULE THRESHOLDS | SCOPE THRESHOLDS | QUALITY THRESHOLDS |
| --- | --- | --- | --- | --- | --- |
| 0.1 | Minimal or no cost and schedule consequences – unimportant | <$25K | No baseline extension | Minor areas of scope affected | Only very demanding applications are affected |
| 0.3 | Small reduction in desired cost and schedule results | $25K–$49.9K | < 5 day baseline delay | Major areas of scope affected | Quality reduction requires sponsor approval |
| 0.5 | Some reduction in desired cost and schedule results | $50K–$99K | 6–29 day baseline delay | Scope reduction unacceptable to sponsor | Quality reduction unacceptable to sponsor |
| 0.7 | Significant degradation in cost and schedule results | $100K–$250K | 30–59 day baseline delay | Scope reduction unacceptable to sponsor | Quality reduction unacceptable to sponsor |
| 0.9 | Desired cost and schedule results cannot be achieved | >$250K | > 60 day baseline delay | Project end item is effectively useless | Project end item is effectively useless |

When the impact has been determined for each identified risk, the value is

entered in the risk register.

The values in the sample table are not fixed across industries. They may

be determined by company policy, current budget climate, or team

consensus for a particular program or project. When risk impact scale

values are standardized for all projects in an organization, projects can

be evaluated and compared more effectively.

The values and thresholds must also reflect stakeholders’ risk tolerance.

In some cases, the impact scale may be defined as non-linear. For

example, the highest value might be set at 0.99, and the value below

that at 0.95.

A non-linear scale results in inflating the risk score for risks with failure

and significant degradation impact assessments to the point where

significant investments in avoiding or mitigating these risks would be

justified and approved by the stakeholders.

If the limit of the top range is set very low at the request of a

particularly risk-averse stakeholder, a large number of risks may fall

into the highest value category. This situation may indicate that the

project is not appropriate to pursue with this stakeholder, with this

approach, and at this time.

Probability and Impact Scales for Positive Risks

It is equally important to define a scale for assessing the probability of

achieving a positive risk or opportunity, and the corresponding scale for

impacts.

The probability of a positive risk behaves in the same way as the

probability of a negative risk. The same probability scale can be applied

for both. When designing the impact scale for positive risks, some

thought should be applied to defining meaningful positive impact

thresholds, which may differ from the previously defined negative

impacts. However, using the same intervals and values (though opposite

in sign) as those used on the negative impact scale facilitates comparing

risks and opportunities, for example, "Do we have sufficient

opportunities to balance the risks?"

Using the Risk Score

The resulting risk score can be used to rank the risks in priority order,

with those having the highest negative risk score at the top and those

having the highest positive risk score at the bottom, so that

management can attack the ends first. These will yield the greatest

benefit for the effort expended.

You can also use the risk score to select a group of risks for special

treatment, such as passing the worst risks on to Perform Quantitative

Risk Analysis, escalating them to the sponsor’s review, or subjecting

them to further research.

Probability and Impact Matrix

A probability and impact matrix is used to look up the combined risk

rating, also known as the risk score, for a particular combination of

probability and impact values. The score is used to prioritize risks for

later risk management activities.

A graphical probability and impact matrix effectively communicates the

relative severity of risk scores. In the example in Figure 4-5, any risk

with a risk score of 0.18 or higher is considered to be high risk, while

those with a risk score between 0.06 and 0.14 are considered medium

or moderate risk, with the remainder considered as low risk.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 4-5. Probability and Impact Matrix

A risk with a probability of 0.30 and an impact of 0.80 has a risk score of

0.24 and is in the high risk area. Another risk with probability of 0.70

and an impact of 0.20 has a risk score of 0.14, in the moderate risk area

on this matrix.
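The scoring and banding described above, as an added Python example that is not part of the course guide: it derives an impact value from the sample cost and schedule thresholds, computes RS = P * I with threats negative and opportunities positive, bands the score with the Figure 4-5 cut-offs, and ranks threats and opportunities in two lists. Assumptions: the worse of the cost and schedule impacts is taken as the risk's impact, amounts that fall in the gaps the printed thresholds leave (for example exactly 5 or 60 days) go to the lower band, scores between 0.14 and 0.18 count as moderate, and the register entries are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal as D

# Five-point probability scale from the guide's table (term -> value).
PROBABILITY = {
    "very unlikely": D("0.10"),
    "somewhat unlikely": D("0.30"),
    "50-50 possibility": D("0.50"),
    "somewhat likely": D("0.75"),
    "very likely": D("0.90"),
}


@dataclass
class Risk:
    name: str
    likelihood: str            # a key of PROBABILITY
    dollars: int               # rough cost lost (threat) or saved (opportunity)
    days: int                  # baseline days lost (threat) or gained (opportunity)
    opportunity: bool = False


def cost_impact(dollars):
    """Impact value from the sample table's cost thresholds."""
    # ASSUMPTION: an amount in a gap between printed bands
    # ($49.9K-$50K, $99K-$100K) is placed in the lower band.
    if dollars > 250_000:
        return D("0.9")
    if dollars >= 100_000:
        return D("0.7")
    if dollars >= 50_000:
        return D("0.5")
    if dollars >= 25_000:
        return D("0.3")
    return D("0.1")


def schedule_impact(days):
    """Impact value from the sample table's schedule thresholds."""
    # ASSUMPTION: exactly 5 and exactly 60 days are not covered by the
    # printed bands; they are placed in the lower band.
    if days > 60:
        return D("0.9")
    if days >= 30:
        return D("0.7")
    if days >= 6:
        return D("0.5")
    if days >= 1:
        return D("0.3")
    return D("0.1")


def impact(risk):
    # ASSUMPTION: the worst objective drives the impact; the guide does not
    # prescribe how to combine objectives. Sign follows the -1..+1 scale.
    magnitude = max(cost_impact(risk.dollars), schedule_impact(risk.days))
    return magnitude if risk.opportunity else -magnitude


def risk_score(risk):
    """RS = P * I, negative for threats and positive for opportunities."""
    return PROBABILITY[risk.likelihood] * impact(risk)


def band(score):
    """Figure 4-5 cut-offs; 0.14-0.18 is treated as moderate (assumption)."""
    size = abs(score)
    if size >= D("0.18"):
        return "high"
    if size >= D("0.06"):
        return "moderate"
    return "low"


def rank(register):
    """Return (threats, opportunities), each with the largest score first."""
    scored = [(r.name, risk_score(r), band(risk_score(r))) for r in register]
    threats = sorted((s for s in scored if s[1] < 0), key=lambda s: s[1])
    opportunities = sorted((s for s in scored if s[1] > 0),
                           key=lambda s: s[1], reverse=True)
    return threats, opportunities


# Constructed sample register (not taken from the guide).
REGISTER = [
    Risk("Minor rework", "very unlikely", 5_000, 0),
    Risk("Test lab unavailable", "somewhat unlikely", 30_000, 10),
    Risk("Late vendor delivery", "somewhat likely", 60_000, 35),
    Risk("Bulk purchase discount", "somewhat unlikely", 30_000, 0, opportunity=True),
    Risk("Early permit approval", "50-50 possibility", 0, 20, opportunity=True),
]

if __name__ == "__main__":
    for title, rows in zip(("Threats", "Opportunities"), rank(REGISTER)):
        print(title)
        for name, score, level in rows:
            print(f"  {score:+.3f}  {level:<8}  {name}")
```

The "Test lab unavailable" entry scores 0.15, a value the guide's own scales can produce but that sits between the printed medium and high ranges, so the banding rule for that interval has to be agreed before the matrix is applied.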

Risk Data Quality Assessment

In order to be useful to project management, Perform Qualitative Risk

Analysis requires accurate and unbiased data. Assessing the quality of

risk data helps to determine and evaluate the risk analysis process.

Examining data quality is an opportunity to observe how well the team

and stakeholders understand project risk. To assess data quality,

consider the following:

• Accuracy

• Quality

• Reliability

• Integrity

Classifying Data Quality

In risk data quality assessment, an additional parameter is assigned to

the risk data, indicating the accuracy of information. When we begin

identifying and evaluating risks, the amount of known information is

relatively poor; it improves as more work is done to analyze the risk.

Therefore, it can be useful to classify risk data using the following three

values:

• High precision: Information about the risk’s behavior, including the probability and impact, is well established and reliable; we are unlikely to encounter surprises with this risk.

• Medium precision: Information about the risk parameters is good enough to proceed in most cases; some variance from the expected behavior may be encountered, but it is unlikely to cause serious harm to the project plan.

• Low precision: Information available concerning the risk is essentially founded on guesswork and should not be trusted because the risk parameters could change significantly; the affected area of the project and the related risk scores must be monitored closely until the behavior of the risk is better understood. Investments in addressing the risk must be moderated until the data are confirmed.

In general, data quality will be highest when the risk has been observed

and managed in the organization before. In other words, it would be

helpful to have at least one person on the team who was involved in the

previous project, or to have published information regarding the risk’s

behavior.

Data may be of medium precision if there is only anecdotal information

about the risk’s behavior within the organization, or if it has never been

observed and managed within the performing organization. Data will be

of low quality when the risk is completely novel, or when the sources of

information regarding the risk are unreliable or unverifiable.

One way to indicate the quality of risk data is to color-code the data

quality indicator:

• Low: Red – Stop and analyze further.

• Medium: Yellow – Proceed with caution.

• High: Green – GO!

Risk Categorization

When the causes or other characteristics of project risks are identified,

it may be possible to group them so they can be addressed at the same

time by a single risk response plan. This is an economical source of

leverage for the investments required to manage risks. The risk

breakdown structure (RBS) described in the Plan Risk Management process

can be designed to facilitate this kind of causal analysis.

Alternatively, risks can be grouped by the type of activity in which they

arise, and if multiple risks are determined to come from a specific type

of activity, an investment in redefining how that activity is performed

may be justified. This kind of grouping may be extended from activities

up to project phases, so that investments in process improvements to

manage risk can be made in a more focused manner. These groupings

may be used in the risk register to support later risk management

activities.

Risk Urgency Assessment

In addition to evaluating a risk’s probability and impact, it is sometimes

useful to consider the timing of the risk as a primary factor in

prioritizing it. Risks are deemed urgent when the deadline for effective

response is near-term so that they are ranked higher than risks that

pose a longer-term threat.

If the effect of the risk is severe enough, it may be necessary to

complete the categorization of the remaining urgent risks, and then halt

further risk analysis in order to prepare risk response plans for these

urgent risks before any of the risk events occur. These urgent risks

would be listed separately in the risk register.

To analyze for urgency, you can expand the risk score equation to

include an urgency factor. Urgency could be defined on a three- to

five-point scale, similar to the scales for probability and impact:

Risk Score (RS) = Probability (P) * Impact (I) * Urgency (U)

Watch List of Low-Priority Risks

In some cases, risks are determined to be so improbable, or to have

such negligible impact, that they are placed on a watch list without

further analysis or action. The risks on this low-priority watch list are

periodically reassessed to ensure that new information does not indicate

that their probability or impact has increased substantially to the point

where they should now receive more complete risk management

treatment. These low-priority risks would be listed separately in the risk

register.

Expert Judgment

To assess the probability and impact of each risk requires expert

judgment. An expert may be someone with recent experience on a

similar project. People planning the project at hand are also experts on

the project and its details.

Ways to capture expert judgment include facilitated workshops and

interviews. It is important to consider the experts’ bias during this

process.

Topic 4: Outputs from the Perform Qualitative Risk Analysis Process

The Perform Qualitative Risk Analysis process has only one major

output:

• Risk register updates

Risk Register Updates

The risk register, started during the Identify Risks process, is updated

with information from qualitative analysis. These updates include the

following:

• Prioritized list of project risks – The list of risks for the project is prioritized, often as low, moderate, and high. This prioritization of risks allows the project manager to focus proportionate attention on the greatest risks. Risks may also be organized by type of impact (schedule, cost, scope, and quality) for further management focus. For example, risks that affect cost can be directed to a financial committee for review and response, while risks affecting schedule can be sent to a resource planning function, such as a project management office (PMO).

• Risks grouped by category – The risks may be grouped by category to facilitate later risk management. Categories can be root cause or project area. Identifying patterns can improve understanding of the risks overall or facilitate planning more economical responses.

• List of risks requiring a quick response – Risks that require an urgent response can be presented separately and fast-tracked through the Plan Risk Responses process.

• List of risks for additional analysis and response – These are risks that merit more analysis, possibly quantitative risk analysis, and response action.

• Watch list of low-priority risks – These are risks deemed not to need further analysis or response; they are placed on a watch list and monitored.


• Trends in qualitative risk analysis results – As analysis is repeated, trends for particular risks may emerge. The importance of a risk may change, affecting risk response or warranting further analysis.

Example of Updated Risk Register Worksheet

An example of a risk register worksheet for risk analysis appears below.

You can use the worksheet to catalogue risk information, including

probability, impact, and risk category. Later, risk management

activities will involve selecting an appropriate response to manage the

risk and to document the final impact of the risk and the effectiveness

of the associated risk responses.


Project: Mountaintop Hotel

Identify Risks & Analysis

Identified Project Risk: Transportation Strike

P: .03    I: .05    RS: .15

Risk Category: K. Labor Skills, availability

Description of Identified Risk:

As a result of having to transport materials to the project location, a transportation strike could occur, which would result in schedule delays.

Assumptions/Basis:

Because of project location, most materials will be transported by truck. Although no Teamsters’ strike has affected this region for 20 years, the consequences of a strike could set the project schedule back by more than 30 days.

Risk Response Planning

Strategy Chosen:

Opportunity: Exploit / Share / Enhance / Accept

Threat: Avoid / Transfer / Mitigate / Accept

Trigger measure to be monitored, and Source:

Threshold Condition:

Potential secondary risks (risks arising from implementing this plan):

Residual risk (estimated remaining P, I, and RS after risk response is implemented):

Preparatory Plan: Actions to take before risk materializes

Plan Description: | Who Performs | Cost / Schedule Impact | Date Due

Contingency Plan: Actions if the risk is triggered

Plan Description: | Who Performs | Cost / Schedule Impact

Risk Owner:


EXAMPLE: RISK REGISTER WORKSHEET, RISK REGISTER WITH RISK

RATINGS

Working from the list of identified risks, the Capitol Flyer Corporate

Customer Satisfaction project manager led her team through a qualitative

review to prioritize risks and determine their probability and impact.

To view a sample risk register worksheet, and the resulting risk register

with ratings and preliminary response strategies, see Appendix C.

Trends in Qualitative Risk Analysis Results

The score of a particular risk will change over time, as the probability

of the risk’s occurrence changes, and the size of the impact increases or

shrinks. Project activities may simply increase exposure to the risk for a

time and then eliminate the exposure as those activities are completed

and others begun.

An example is the outsourcing of software development to an offshore

company, where the risk posed by the vendor’s possible insolvency and

closure increases as contractual commitments are made and the

schedule provides a diminishing window to find an alternative partner.

When the code is shipped and tested, the vendor’s condition becomes

irrelevant. Note that it is the impact that is changing in this situation;

the probability of insolvency could have remained at a constant value

during the entire project.

Risk probability can also change over time. For example, learning curves

frequently result in a higher probability that a serious defect will be

introduced during design or construction, involving new staff or a new

technique, but as the activities are performed and experience grows,

the probability of the same kind of defect diminishes.

Using the risk score, rather than the probability or the impact alone,

ensures that changes in either risk probability, impact, or both, are

detected and reflected in the analysis.


As the risk score increases, monitoring for the indicator of the risk, the

risk trigger, may increase in frequency. If the indicator crosses a

predetermined threshold and the potential effect of the risk is severe

enough, a contingency plan may be implemented, even though the risk

has not yet materialized, in order to exploit the remaining available

time to minimize risk impact or reduce risk probability.

As the risk score decreases, the response plan for that risk may be

modified by reducing the level of effort or investment for managing the

risk. For example, if contingency reserves of project funds had been set

aside, they may be reduced, and the remainder released for other uses.

Monitoring such trends can give the project team advance warning of

such developments, allowing them to act before the situation becomes

urgent.

Figure 4-6 shows an example of a risk score changing over the duration

of the project. There is no standard curve or shape for this change.

Figure 4-6. Risk Score Change Over Time


Caution for Trend Analysis

This trend analysis must be done carefully because the underlying data

was derived from team discussions and is subjective. This data is not as

reliable as quantitative observations and will have random fluctuations

greater than those from observations.

To avoid responding prematurely to such noise, the team should

perform further research when, without any significant new data, the

probability or impact of a particular risk is rated higher.

Furthermore, do not consider one minor increase to be a trend; the

team should see at least two increases in a row, or a major increase,

before taking action.
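
The caution above, written as a rule over each risk's reassessment history. This is an added example, not part of the participant guide: the ratings are constructed, the risk score is taken as probability × impact, and the 0.10 threshold for a "major" increase and the `relax` outcome for a falling score are assumptions.

```python
# Added example: ratings below are constructed, not taken from the guide.

MAJOR_INCREASE = 0.10  # assumption: a rise of 0.10 or more in risk score is "major"

# Constructed reassessment history: risk -> (probability, impact) per review, oldest first.
REGISTER = {
    # Impact grows while probability stays constant (the outsourcing pattern).
    "Vendor insolvency": [(0.2, 0.3), (0.2, 0.4), (0.2, 0.5)],
    # Probability falls as experience grows (the learning-curve pattern).
    "Design defect (new staff)": [(0.5, 0.4), (0.4, 0.4), (0.3, 0.4)],
    # One small uptick with no earlier movement.
    "Transportation strike": [(0.1, 0.5), (0.1, 0.5), (0.15, 0.5)],
    # One large jump between two reviews.
    "Permit delay": [(0.2, 0.4), (0.5, 0.4)],
}


def risk_scores(ratings):
    """Risk score per review, taken here as probability x impact."""
    return [round(p * i, 4) for p, i in ratings]


def trend_action(scores, major=MAJOR_INCREASE):
    """Classify the latest movement of one risk's score.

    'act'      - two increases in a row, or one major increase
    'research' - a single minor increase: check for new data before reacting
    'relax'    - the score fell: response effort or reserves may be reduced
    'watch'    - no change, or too little history to judge
    """
    if len(scores) < 2:
        return "watch"
    # Round the differences so 0.25 - 0.15 compares as 0.10, not 0.0999...
    last = round(scores[-1] - scores[-2], 4)
    if last >= major:
        return "act"
    if last > 0:
        earlier = round(scores[-2] - scores[-3], 4) if len(scores) >= 3 else 0.0
        return "act" if earlier > 0 else "research"
    if last < 0:
        return "relax"
    return "watch"


def review_register(register=REGISTER):
    """Apply the rule to every risk in the register."""
    return {name: trend_action(risk_scores(r)) for name, r in register.items()}


if __name__ == "__main__":
    for name, action in review_register().items():
        print(f"{name:28s} {risk_scores(REGISTER[name])} -> {action}")
```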

EXERCISE: ASSESS AND RANK RISKS

Assess and rank the risks that were identified in the previous exercise.

Document the probability, impact, risk score, and risk category for each

identified risk using the Perform Qualitative Risk Analysis section of the risk

register worksheet located in the Assess and Rank Risks topic in Appendix A.


Module Summary

ADDRESSING THE BUSINESS CHALLENGE

A long list of potential risks can overwhelm the team and scare sponsors and

stakeholders. Also, in raw form, such a list is only marginally meaningful. So

Ana works with the team to turn the identified risks into a set of assessed

risks. Using their collective judgment and experience – and leaning

particularly on Walter and Marc's SummerFest knowledge and Brita's parade

experience – they work from their lists of positive (opportunity) and

negative (threat) risks to create a probability and impact matrix.

Once the probability and impact of each risk are evaluated, Ana can

determine which risks deserve the most attention and how much

investment they warrant.

The Perform Qualitative Risk Analysis process allows the project

management team to:

• Prioritize the risks for the Plan Risk Responses process

• Evaluate whether a high-priority risk should be carried further into the Perform Quantitative Risk Analysis process

The key parameters analyzed are probability and impact. It is important

to complete risk identification before prioritizing risks. Remember, risk

parameters change over time; therefore, reassess them periodically.


Module 5

Perform Quantitative Risk Analysis


Module Introduction

Perform Quantitative Risk Analysis is similar to Perform Qualitative Risk

Analysis. Both analyses are performed on identified risks and measure

impact on project objectives.

Once qualitative risk analysis has ranked risks, some high risks may be

subject to further numeric analysis. The decision to apply quantitative

methods depends on the size and complexity of the project.


Module Objectives

Upon completion of this module, the participant will be able to:

• Define the Perform Quantitative Risk Analysis process within the context of the project management framework

• Identify and describe the inputs, tools and techniques, and outputs of the Perform Quantitative Risk Analysis process

• Apply a quantitative analysis tool (decision tree analysis) to an identified risk in the case study


Topic 1: Overview of the Perform Quantitative Risk Analysis Process

THE BUSINESS CHALLENGE

Now that they've identified and assessed risks, Hannah Foster is eager to set

parade plans in motion. After all, they've gathered reams of data,

brainstormed possibilities, and tapped the experience of experts. “Enough

scrutiny,” she announces after they complete their qualitative analysis.

“Let's put on a parade.”

While she appreciates Hannah's enthusiasm, Ana breaks the news that

they've got one more important step of analysis. For a few of the highest

risks, she tells Hannah, she will perform an in-depth numerical analysis to

measure probable outcomes. On these high risks, Ana says, it's important to

determine risk exposure and contingency cost.

“I don't understand what that means,” Hannah tells her.

“It means,” Ana says, “that on certain key issues, we need to think through

in advance the implications of choosing one or another alternative.” For

instance, Walter Stone has just informed her that the regional antique car

club that's a core act is not insured, and that some of the members are “a

little erratic.” At a recent car rally, 86-year-old Greg Heinz veered off into

the crowd. Fortunately, no one was injured.

• What's the best way for Ana to quantify key project risks?

Perform Quantitative Risk Analysis is the process of using numerical

methods to assess the impact of identified risks on overall project

objectives. The Perform Quantitative Risk Analysis process is applied in

proportion to the project size and degree of overall project risk. Like

the Perform Qualitative Risk Analysis process, its purpose is to develop a

more complete understanding of a risk so an appropriate response can

be planned. It:

• Analyzes only those risks that previous analysis shows have the potential to substantially impact the project


• Analyzes the effect of those risk events and assigns a numerical rating to them

• Provides a quantitative approach to decision-making in the presence of uncertainty

Figure 5-1 shows that the Perform Quantitative Risk Analysis process

occurs in the Planning Process Group.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 5-1. Project Risk Management Process Group Map: Perform

Quantitative Risk Analysis

Perform Quantitative Risk Analysis follows the Perform Qualitative

Risk Analysis process. In some projects, it may be possible to plan

suitable risk responses without performing quantitative analysis.

Factors in selecting a risk analysis approach include:

• Time and budget available for risk analysis

• The need for qualitative or quantitative assessment of risk and its impact

When used, the Perform Quantitative Risk Analysis process is applied

multiple times in the project. Quantitative analysis should be repeated

after the Plan Risk Responses process, and as part of the Monitor and

Control Risks process, to determine whether project risk has been

sufficiently decreased. Trends can reveal the need for more or less

attention to risk management.


DEFINITION: PERFORM QUANTITATIVE RISK ANALYSIS

“The process of numerically analyzing the effect of identified risks on

overall project objectives.”

PMBOK® Guide, Fourth Edition

Purpose of the Perform Quantitative Risk Analysis Process

Given a list of identified risks, a qualitative analysis will probably be

performed on all of them. Only the highest risks are flagged for more in-

depth quantitative study.

The Perform Quantitative Risk Analysis process helps ensure that:

• Understanding of the potential effect of risk on the project objectives is as clear as possible

• Expenditures associated with managing the risk do not exceed the expected impact of the realized risk

• Factors that influence the risk’s probability and impact are understood so they can be leveraged to minimize the effect of a negative risk on project objectives, or maximize the effect of a positive risk

• The probability of success for project objectives is evaluated

• Practical contingency reserves for project schedule and budget are quantified

Quantitative risk analysis enables prioritization based on facts, not

opinions or bias, but it cannot address all risks. Time criticality and data

quality must also be considered to perform quantitative risk analysis

effectively.


Interactions with Other Processes

Figure 5-2, the Perform Quantitative Risk Analysis process data flow

diagram, shows how inputs are transformed through tools and

techniques into outputs.

PMBOK® Guide, Fourth Edition

Figure 5-2. Perform Quantitative Risk Analysis: Data Flow Diagram

The Perform Quantitative Risk Analysis process provides a more detailed

picture of the effect of the risk on project objectives. This process

requires sophisticated tools and takes more time, making it

substantially more expensive than Perform Qualitative Risk Analysis.

It is important to complete the Perform Qualitative Risk Analysis process

first, and only then to pass on the risks rated as high to the Perform

Quantitative Risk Analysis process for a more precise determination of

their possible effects on project objectives.

Inputs to Perform Quantitative Risk Analysis are similar to inputs to

Perform Qualitative Risk Analysis. Both processes draw on the risk

register and risk management plan, and both result in risk register

updates. However, where qualitative analysis uses the project scope

statement as a resource for assessing risk, quantitative analysis refers to

the cost management and schedule management plans.


Because these documents establish the structure and quantitative

approach for managing cost and schedule, these plans may offer an

important perspective on quantitative analysis of risk and its impact. As

was true for qualitative analysis, organizational process assets are

another input to quantitative analysis. These assets may include

information from past projects, studies of similar projects, and risk

databases from industry or private sources.

Once performed initially, quantitative risk analysis may be repeated to

test the impact of risk mitigation efforts.

Concepts of Probability

Effective planning is based on assumptions. Project managers and teams

make assumptions about the future based on the past. These

assumptions cover a range of factors, but most assumptions are

grounded, directly or indirectly, in human performance. Factors such as

weather, seismic occurrences, or interstellar activity may truly be force

majeure and resulting failures may be excusable; all else is predictable

to some degree of accuracy. Where historical information about

activities is gathered, it may be possible to discern patterns and trends

that can help predict the behavior of future, similar activities.

Statistics, the branch of mathematics concerned with analyzing and

interpreting numerical data on samples and populations, can help the

project management team to manage risk.

To find patterns and predict future behavior, we need a way to model

the behavior of all possible outcomes, which is known as the

population. We describe a population with a probability distribution

and some parameters, including a mean, variance, confidence

interval, and usually a standard deviation.

Probability Distribution

The probability distribution of a set of possible outcomes is a list of

probabilities associated with the list of possible outcomes. For example,

when throwing a single die, each of the sides, with the values from one

to six, has an equal likelihood of being rolled.


Each should appear approximately once for every six rolls if a large

enough sample of rolls is thrown. So, the probability distribution

associated with throwing a single die is shown below:

• 1: 1/6th

• 2: 1/6th

• 3: 1/6th

• 4: 1/6th

• 5: 1/6th

• 6: 1/6th

Mean

The mean is a statistical measure that is equal to the sum of the

observations in a sample, divided by the number of observations. Often known as the

average, this is the most common statistic. Although a valuable

indicator of central tendency, the mean can be skewed by a small

number of observations that lie far from the majority of the data

values. Thus the highest and lowest scores of Olympic judges are

dropped, and the average is calculated only from the remaining scores.

The mean of a set of sample observations is approximately the same as

the mean of the whole population. The larger the sample, the closer

the approximation.

Variance

Variance is concerned with the average separation of a set of

observations from the mean of the set. The variance is obtained by

squaring the value of each observation’s distance from the mean and

averaging the squared values. Squaring eliminates the tendency of positive

and negative values to cancel each other out.

Consider a set of three numbers all equal to 4: this is the set {4, 4,

4}. The mean is clearly 4. The differences between the

numbers in the set and their mean are all also clearly 0. If we take the

square of each difference before we add them together, we still get 0.

This is the variance of this sample.


Now consider the set of three numbers: 2, 4, and 6. The mean of these

three numbers is (2+4+6)/3, or 4. The signed differences between

each number and this mean are -2, 0, and +2. If we add these numbers,

the result is 0, just as in the first case. If we only looked at the mean

and this sum of the differences, the two sets would appear to

be identical. But they clearly are not.

Now, let us take the square of each difference before summing them:

• (-2)^2 = 4

• 0^2 = 0

• 2^2 = 4

• Sum of squares = 8

The first sample and the second sample differ in how the individual

observations vary from the mean. Squaring the differences before

summing them prevents negative and positive differences from

canceling each other out.

Standard Deviation

When the squared differences of a set of observations are summed and

averaged, a measure of their typical difference from the mean is obtained

by taking the square root of the result. This is the standard deviation.

The smaller the standard deviation, the more closely the observations

cluster around their mean value.

Along with the mean, this statistic is essential to understanding what

the observations tell us about the underlying population of data from

which the observations were taken. In a commonly occurring type of

distribution known as the normal distribution, the observations are

distributed equally on both sides of the mean value, and they tend to

cluster around the mean and tail off away from it, producing a shape

that resembles a bell. This shape is known as a bell curve.


When considering all of the values within a range both above and below

the mean by an amount equal to one or more standard deviations, the

following statements hold for a normal distribution:

• A range of one standard deviation on either side of the mean includes 68.3% of all the observations.

• A range of two standard deviations on either side of the mean includes 95.5% of all the observations.

• A range of three standard deviations on either side of the mean includes 99.7% of all the observations.

The consistent relationships between observations, their mean, and

their standard deviation make the normal distribution a powerful

statistical tool. By using these known behaviors, we can establish

thresholds at the range of standard deviation that will offer us the

desired coverage of the population.

When the mean and standard deviation of a sample of observations can

be calculated, it becomes possible to make accurate predictions of

outcomes regarding all possible observations from that population. In

fact, we can state that the prediction will be correct some percentage

of the time, with the stated percentage set as a target. For example,

we may be able to say that this project will finish by May 31 with 95%

confidence. That means that we will be right 95 times in 100 similar

projects, and wrong only 5 times in 100.

Confidence Interval

Most commonly set at 95% (two standard deviations), the confidence

interval expresses the likelihood that the actual behavior will fall within

the predicted range. For example, after doing

the necessary analysis on the project activities and the project

network, we might state that the total project duration is forecasted to

be 196 calendar days, plus or minus 22.6 days, with 95% confidence.
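
The variance, standard deviation and confidence-interval passages above, carried through on the guide's own numbers ({4, 4, 4}, {2, 4, 6}, and 196 ± 22.6 days). This is an added example, not part of the participant guide; it assumes the variance divides by n (the guide does not say whether n or n - 1 is meant) and, as the guide does, treats 95% as two standard deviations.

```python
import math


def mean(values):
    return sum(values) / len(values)


def signed_differences(values):
    """Each observation minus the mean; these always sum to zero."""
    m = mean(values)
    return [v - m for v in values]


def sum_of_squares(values):
    return sum(d * d for d in signed_differences(values))


def variance(values):
    """Average squared difference from the mean.

    Assumption: divides by n (population variance). For a small sample drawn
    from a larger population, n - 1 is the usual divisor.
    """
    return sum_of_squares(values) / len(values)


def std_dev(values):
    return math.sqrt(variance(values))


def normal_coverage(k):
    """Fraction of a normal population within k standard deviations of the mean."""
    return math.erf(k / math.sqrt(2))


def sd_from_interval(half_width, k=2):
    """Standard deviation implied by a 'plus or minus' range stated at k deviations."""
    return half_width / k


def prob_finish_by(day, mean_days, sd_days):
    """Normal CDF: chance that the duration is `day` or less."""
    return 0.5 * (1 + math.erf((day - mean_days) / (sd_days * math.sqrt(2))))


if __name__ == "__main__":
    for sample in ([4, 4, 4], [2, 4, 6]):
        print(sample, "mean", mean(sample),
              "sum of differences", sum(signed_differences(sample)),
              "sum of squares", sum_of_squares(sample),
              "std dev", round(std_dev(sample), 3))
    for k in (1, 2, 3):
        print(f"within {k} standard deviation(s): {normal_coverage(k):.1%}")
    sd = sd_from_interval(22.6)           # 196 +/- 22.6 days at two deviations
    for day in (196, 196 + 22.6):
        print(f"finish within {day} days: {prob_finish_by(day, 196, sd):.1%}")
```

The last two lines of output show what the ± range hides: the forecast gives only an even chance of finishing by day 196, and the chance of finishing by the upper end of the range is higher than 95% because early finishes also count.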


Figure 5-3 shows a normal probability distribution.

Figure 5-3. Normal Distribution and Standard Deviation Ranges

A normal probability distribution can be used to assess the achievability

of current project objectives and to establish necessary contingency

reserves.

Measures of Reliability and Relationship

It is useful to be able to measure the reliability, or statistical

significance, of an analysis. Also, it is helpful to have a method to

describe how a dependent variable in a set of data, such as a person’s

height, varies relative to an independent variable, such as a person’s

age.


Statistical Significance

Statistical significance refers to the reliability of a conclusion drawn

from the statistical data being analyzed. When a statistical conclusion is

significant, it means that the statistical measure involved can be relied

upon. Although individual results may vary widely, over an extensive

number of outcomes, a pattern may be discerned, measured, and

captured in a formula. As the number of outcomes increases, statistics

calculated on the sample approach those of the total population of the

underlying data. The number of data points in a sample that is needed to

achieve statistical significance may be considered to be 25

or greater. As more and more computer model simulations are run, the

outcomes will begin to demonstrate a pattern that reflects the entire

population. At some point, additional runs do not lend additional value

to the analysis. The number of runs required to demonstrate a

reasonable approximation to the actual behavior of the variable is

therefore set at some minimum number. With computer simulations, a

large number of runs may be necessary if there are many variables and

their interrelationship is complex. It is not uncommon to start with 100

runs, and then to add 10 more to see if the behavior of the solution set

is still changing. With high-powered computers, running the simulation a

thousand times is not unreasonable.

Regression Analysis

Regression analysis is the technique used to understand the

mathematical relationship between two variables. It is used to predict

the next occurrence of the dependent variable, where the dependent

variable’s value is a function of the value of the independent variable.

For example, for a given set of repeated tasks, such as installing a new

type of ATM at 100 bank branches, suppose that we want to know how

many days the total installation effort will take from the start of the

first installation to the completion of the last. Suppose we also know

that the number of days shrinks as the number of installation teams

increases. We may look at prior similar projects, or just take samples

from our first efforts on this project, and plot the results in the form of

Days Taken per Branch versus Number of Teams.


If we can find a relationship between these two variables, we can

predict the entire project’s duration for any number of teams, and find

the best number to use. We might do this by plotting our sample data

points on a graph and looking for some kind of line or curve that links

them, at least approximately. Then, we can stretch out the curve for

different numbers of teams (greater or smaller), and predict the Days

Taken per Branch in cases where we do not actually have an

observation. This is regression analysis: drawing a relationship between

two variables, one of which depends on the other, so that forecasts can

be made for values of the first where no observations exist yet.

Regression analysis relies on the fact that, although individual samples

may vary from the discerned pattern, the preponderance of sample data

conforms to the underlying pattern. An early application of statistics,

regression analysis is the basis for diagnosis techniques in epidemiology,

such as applying children’s growth charts, showing height and weight

versus age and gender, to make predictions about a specific child’s

expected growth pattern.

Probability in Project Management

An estimator who forecasts that a work activity will take 10 days and

cost $50,000 is most probably basing the forecasts on average figures.

The actual performance could easily be lower or, more likely, could

prove higher. When a collection of activities in a network acts this way,

the entire project could take either less time or more time than

forecasted. Similarly, some of its constituent activities could take less

time, and others more time than their individual forecasts. Running a

set of simulations is the only practical way to evaluate what the total

project performance is likely to be, and within what range.

When the project manager states how much time the task is expected

to take as he or she assigns it to a team member, the project manager

often leaves the impression that it is okay to consume all the time

before reporting the task’s completion, whether or not it is actually

needed. This creates a tendency for tasks to take the estimated time or

to overshoot, but rarely to undershoot. To compensate for this

overshoot bias, project managers often resort to adding a schedule

contingency to each activity.


As task durations expand, and team members continue to overshoot

them, an overall trend towards underperformance can be expected.

To counteract this phenomenon, the project manager can set the

expectation that the team members should do their best to beat the

scheduled duration for the task. The project manager should set the scheduled duration

to the mean value for that task, calculated using the three-point

estimating technique. In many situations, incentives for performance

can help to overcome the overshoot phenomenon.

Then the project manager should set up a schedule contingency at the

end of the network, or distributed throughout the project at the end of

each phase, so that the likelihood of meeting the overall project

completion date will be as high as the stakeholders require.
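
The approach described above as a small simulation: schedule each task at its three-point mean, simulate the network, and size the contingency at the end of the network for the confidence the stakeholders require. This is an added example, not part of the participant guide; the four-activity network and its estimates are constructed, and the triangular distribution, its mean (O + M + P) / 3, and the stopping criterion in `runs_until_stable` are assumptions.

```python
import random
import statistics

# Constructed sample network: name -> (optimistic, most likely, pessimistic, predecessors).
# Durations are in days; activities are listed in dependency order.
NETWORK = {
    "design":    (8, 10, 15, []),
    "build_a":   (10, 12, 20, ["design"]),
    "build_b":   (9, 13, 19, ["design"]),
    "integrate": (4, 5, 9, ["build_a", "build_b"]),
}


def project_duration(durations, network=NETWORK):
    """Forward pass: each activity starts when its last predecessor finishes."""
    finish = {}
    for name, (_, _, _, preds) in network.items():
        start = max((finish[p] for p in preds), default=0.0)
        finish[name] = start + durations[name]
    return max(finish.values())


def schedule_at_means(network=NETWORK):
    """Project duration when every task takes exactly its three-point mean.

    Assumption: the mean of a triangular estimate, (O + M + P) / 3.
    """
    means = {n: (o + m + p) / 3 for n, (o, m, p, _) in network.items()}
    return project_duration(means, network)


def simulate(runs, seed=1, network=NETWORK):
    """Sample every activity from its triangular distribution, `runs` times."""
    rng = random.Random(seed)
    results = []
    for _ in range(runs):
        sample = {n: rng.triangular(o, p, m) for n, (o, m, p, _) in network.items()}
        results.append(project_duration(sample, network))
    return results


def percentile(values, level):
    """Duration that a fraction `level` of the simulated runs did not exceed."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(level * len(ordered)))]


def contingency(confidence=0.95, runs=5000, seed=1, network=NETWORK):
    """Days to add at the end of the network to reach the required confidence."""
    return percentile(simulate(runs, seed, network), confidence) - schedule_at_means(network)


def runs_until_stable(start=100, step=10, tol=0.05, patience=5, seed=1, cap=5000):
    """Start with `start` runs and add `step` at a time until the mean settles.

    Assumption: "settled" means the mean moved less than `tol` days on
    `patience` consecutive additions; the guide gives no numeric criterion.
    """
    pool = simulate(cap, seed)           # prefixes of one seeded stream
    calm, n = 0, start
    previous = statistics.fmean(pool[:n])
    while n + step <= cap:
        n += step
        current = statistics.fmean(pool[:n])
        calm = calm + 1 if abs(current - previous) < tol else 0
        if calm >= patience:
            return n
        previous = current
    return cap


if __name__ == "__main__":
    runs = simulate(5000)
    print("schedule at task means:", schedule_at_means())
    print("simulated mean:        ", round(statistics.fmean(runs), 2))
    print("95% of runs finish by: ", round(percentile(runs, 0.95), 2))
    print("contingency for 95%:   ", round(contingency(), 2))
    print("runs until mean settles:", runs_until_stable())
```

The simulated mean comes out above the schedule built from task means because `integrate` must wait for the later of two parallel tasks, which is one reason a schedule built from averages tends to be overrun.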

Overview of Perform Quantitative Risk Analysis Inputs, Tools and Techniques, and Outputs

Figure 5-4 shows the inputs, tools and techniques, and outputs of the

Perform Quantitative Risk Analysis process. These inputs, tools and

techniques, and outputs are discussed in detail in this module.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 5-4. Perform Quantitative Risk Analysis: Inputs, Tools &

Techniques, and Outputs


Topic 2: Inputs to the Perform Quantitative Risk Analysis Process

The inputs to the Perform Quantitative Risk Analysis process, described

below, are:

• Risk register

• Risk management plan

• Cost management plan

• Schedule management plan

• Organizational process assets

Risk Register

The risk register, where all data associated with each risk is preserved,

should list the risks identified as needing additional analysis and

management during the Perform Qualitative Risk Analysis process.

These risks drive the Perform Quantitative Risk Analysis process.

Risk Management Plan

The risk management plan is one of the key project plan components. It

describes, among other important items, how the quantitative risk

analysis will be performed for the project.

Cost Management Plan

The cost management plan for the project, which includes the cost

information for the activities, is needed to analyze various scenarios for

risks in which the risk occurs in one activity, but affects the cost and

schedule of downstream activities.


Schedule Management Plan

The schedule management plan for the project includes the work

breakdown structure (WBS) and its activity dependencies and schedule

information. The constraints presented by the schedule and its related

controls may influence the approach selected for the Perform

Quantitative Risk Analysis process.

Organizational Process Assets

Organizational process assets contain historical information from

previous projects such as analysis models, raw data and results, studies

of similar projects, and databases with probability and impact

information, categorized by project characteristics.

Topic 3: Tools and Techniques for the Perform Quantitative Risk Analysis Process

Quantitative techniques may be used to analyze the aggregate risks in

the project schedule network. The output of such an analysis might be

the discovery of activities in the work breakdown structure having risk

that influences project objectives so significantly that these activities

warrant tracking as individual risks. Various simulation and modeling

techniques exist to provide such analysis. The result will be additional

information to be captured in the risk register and more cost-effective

risk response strategies.

The tools and techniques for performing a quantitative risk analysis

include the following:

• Data gathering and representation techniques

  ◦ Interviewing

  ◦ Probability distributions

• Quantitative risk analysis and modeling techniques

  ◦ Sensitivity analysis

  ◦ Expected monetary value analysis

  ◦ Modeling and simulation

• Expert judgment

Data Gathering and Representation Techniques

Interviewing

Interviews can be used to create a profile of each risk, such as how

often it has occurred in the past, whether it is associated with certain

characteristics (such as technically challenging activities, certain

resources, or dependence on external efforts), what the average,

smallest, and largest impacts were, and so forth.

For example, when trying to estimate the probability of an activity

running beyond its schedule, experts can be consulted to estimate the

optimistic, pessimistic, and most likely values for the duration of the

activity. These estimates can be used to derive a probability

distribution for the task’s duration, which can be employed, along with

other techniques, to estimate the impact of the task on the project

schedule.

Figure 5-5 shows an example of project cost estimates that might be obtained by interviewing, with low, most likely, and high cost estimates for each activity.

PMBOK® Guide, Fourth Edition

Figure 5-5. Range of Project Cost Estimates from Stakeholder Interview

The goal is to gain insight into what factors might make a risk more

likely to occur, or to have a larger impact.

Possible candidates for the interviewing process include:

• Project stakeholders

• Subject matter experts (SMEs) who work on the project or who have worked on similar projects

• Other project managers

• Retired SMEs

• Contractors

• Other experts in the field

Information requirements depend on the type of probability distribution

to be used (commonly used probability distributions are discussed

shortly). Remember to always document results and associated

rationales.

Probability Distributions

Probability distributions can be used to model potential outcomes of

risk.

Discrete distributions are observations that are limited to a finite set

of values. For example, the numbers on the faces of a die produce only

six possible results.

Continuous distributions are observations that can take any value

within a continuous range. For example, if project costs are budgeted

to the nearest penny, their expected total will follow a continuous

probability distribution.

Probability distributions vary in shape according to the underlying behavior being analyzed. A distribution may be normal and symmetric, or it may be skewed toward one extreme.

Two probability distributions commonly used in project management

are:

• Beta

• Triangular

Figure 5-6 shows the characteristic shapes of these distributions.

PMBOK® Guide, Fourth Edition

Figure 5-6. Two Commonly Used Probability Distributions

In a construction project, it might be necessary to predict the number

of below-freezing days at the construction site. If the same calendar

period is examined for a number of previous years, you can create a

probability distribution by plotting each number of below-freezing days

during that period against the number of years when that number

occurred. The probability distribution for the number of below-freezing

days will cluster around the average for previous years and will have

two equal tails, one toward a lower number and one toward a higher

number. This balanced, uniform distribution is called a normal

distribution, which was graphed in Figure 5-3.

When estimating the duration of an activity, however, the tail

representing duration of fewer days is always shorter than the tail

representing duration of more days.

This is because, even when everything goes right, the activity cannot

take less time than some minimum number of days; however, it can

extend substantially in the worst case, when it is affected by an

unexpected series of unfortunate events. This tends to produce a

skewed curve, with more values to the right of the distribution’s peak

than to the left, as well as a longer tail to the right. For activity

durations and associated costs, the probability distribution of the

activity durations follows this curve in what is known as a beta

distribution. Due to the complexity of analyzing timing for activities,

and especially for entire projects, a software tool should be used to

derive the probability distribution and the forecasted value needed to

achieve a desired confidence level. Software tools that address activity

durations are preprogrammed to use beta probability distributions.

Another distribution sometimes used in project management is the

triangular distribution, which is a continuous probability distribution

defined by a lower limit, a mode, and an upper limit. The triangular

distribution is typically used as a subjective description of a population

for which there is only limited sample data, although the relationship

between variables is known. For example, a method to estimate task

durations where each estimate is based on a minimum, a maximum, and

a most likely value is an application of triangular distribution.

Quantitative Risk Analysis and Modeling Techniques

Commonly used analysis techniques may focus on an event, such as the

impact of a decision, or on the project as a whole.

Sensitivity Analysis

Sensitivity analysis can be used to predict the impact of a proposed

change to a project baseline upon the project objectives. It is also used

to determine the impact of using substitute resources or alternative

technologies on the project objectives.

DEFINITION: SENSITIVITY ANALYSIS

“A quantitative risk analysis and modeling technique used to help determine which risks have the most potential impact on the project. It examines the extent to which the uncertainty of each project element affects the objective being examined when all other uncertain elements are held at their baseline values. The typical display of results is in the form of a tornado diagram.”

PMBOK® Guide, Fourth Edition

In order to achieve the most benefit from the smallest possible

investment in managing a risk, it is important to determine which

factors will affect the outcome the most. These factors are said to be

dominant. When many factors are in play, it is often worthwhile to use

experimental or historical methods to isolate dominant factors. In

historical situations or experiments, one variable is examined for impact

on a situation’s outcome. This technique is repeated for every factor

suspected of being dominant. Variations in the inputs to the dominant

factors produce the widest swings in outcome values.

Sensitivity analysis can be used to predict the impact of a proposed

change to a project baseline on the project objectives. It can predict

the impact on the project objectives of using substitute resources or

alternative technologies.

Sensitivity Analysis: Line Graph

Figure 5-7 shows the relationship between labor rates and the total

project budget for three labor types. The dependent variable (total

project budget) is most sensitive to variations in the Type 1 variable,

since equivalent changes in this factor produce relatively greater

changes in the dependent variable than the other types.

This sensitivity analysis shows that the project manager should focus

more attention on controlling the labor rate of the Type 1 resources

than on controlling the rates of the other labor. Note that the Type 1

labor rate represents the greatest risk, because as it varies, it has the

greatest impact on the total project budget. It also represents the

greatest positive risk (or opportunity) for the same reason.

Figure 5-7. Sensitivity Analysis: Labor Rates and Total Project Budget

Sensitivity Analysis: Tornado Diagram

A tornado diagram is a useful graphical tool for depicting risk sensitivity

or influence on the overall variability of the risk model. Tornado

diagrams show the correlation between variations in model inputs and

the distribution of the outcomes; in other words, they highlight the

greatest contributors to the overall risk. Figure 5-8 is a tornado diagram

for a portion of the Panama Canal Third-Lane Locks expansion project.

The length of each bar on the tornado diagram indicates the relative

influence of the associated item on overall risk. This example depicts

only a portion of the tornado diagram from one analysis of technical

risks on the project.

Figure 5-8. Tornado Diagram Example: Panama Canal Third-Lane Locks

Sensitivity Analysis Scenario

In sensitivity analysis, calculations of schedule, cost, and other project

performance attributes are repeated while varying one risk’s impact

according to its probability distribution.

Imagine that as a project manager you are trying to determine the effects of three major project attributes (Labor Rate, Materials, and Interest Rate) on your project from a risk perspective.

Experts from your project have provided the most likely estimates, but

have also provided a pessimistic and optimistic view for the three

attributes:

1. Labor Rate: Most likely = $60, Pessimistic = $85, Optimistic = $45. The project requires 1,000 hours of labor.

2. Materials: Most likely = $185, Pessimistic = $260, Optimistic = $100. The project requires 1,000 units of material.

3. Interest rate: Most likely = 8%, Pessimistic = 14%, Optimistic = 6%. The project is borrowing $100,000.

A sensitivity analysis can use this input to determine which of these

attributes has the most effect on the project as the values of the

attributes vary from pessimistic to optimistic.

For reference, you can set all of the attributes to Pessimistic, Most

Likely, and Optimistic. If you do that, you end up with the total cost for

all three attributes at:

• All Pessimistic: $359,000

• All Most Likely: $253,000

• All Optimistic: $151,000

To determine sensitivity, hold two of the three attributes at Most

Likely and set each individually to its Pessimistic extreme.

This results in the following:

• Labor Pessimistic (Materials/Interest held at Most Likely): $278,000

• Materials Pessimistic (Labor/Interest held at Most Likely): $328,000

• Interest Pessimistic (Labor/Materials held at Most Likely): $259,000

The conclusion is that your project is most sensitive to Materials

because at a value of $328,000, it results in the highest cost for the

combined attributes, almost as bad as the overall worst case combined

cost of $359,000.

This shows the project manager that Materials present the greatest

opportunity and threat (in other words, it contains the most risk). If

deciding where to try to reduce costs, the project manager might want

to focus first on the materials in this case.

Sensitivity Analysis Scenario: Summary

Figure 5-9. Sensitivity Analysis Scenario: Summary

Example Calculation

Example calculation: $278,000 (Pessimistic Labor) is the result of:

• Pessimistic Labor ($85 x 1000) plus Most Likely Materials ($185 x 1000) plus Most Likely Interest (.08 x 100,000).

• That’s $85,000 + $185,000 + $8,000, or $278,000.
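
The scenario above, worked as an added Python example (not part of the guide): it reproduces the stated totals and extends the pessimistic-only comparison to both extremes, which gives the bar lengths a tornado diagram would show. The class and function names are assumptions made for this example.

```python
"""One-at-a-time sensitivity analysis for the Labor/Materials/Interest scenario."""
from dataclasses import dataclass

CASES = ("optimistic", "most_likely", "pessimistic")


@dataclass(frozen=True)
class Attribute:
    name: str
    optimistic: float
    most_likely: float
    pessimistic: float
    quantity: float  # hours, units, or amount borrowed

    def cost(self, case):
        return getattr(self, case) * self.quantity


# Three-point estimates exactly as given in the scenario text.
ATTRIBUTES = (
    Attribute("Labor", 45, 60, 85, 1_000),
    Attribute("Materials", 100, 185, 260, 1_000),
    Attribute("Interest", 0.06, 0.08, 0.14, 100_000),
)


def total_cost(cases_by_name, attrs=ATTRIBUTES):
    """Total cost in whole dollars, with each attribute set to its named case."""
    return round(sum(a.cost(cases_by_name[a.name]) for a in attrs))


def all_at(case, attrs=ATTRIBUTES):
    """Reference totals: every attribute at the same case."""
    return total_cost({a.name: case for a in attrs}, attrs)


def tornado_rows(attrs=ATTRIBUTES):
    """Move one attribute to each extreme while the others stay at most likely.

    Returns one row per attribute, widest swing first (tornado order).
    """
    rows = []
    for varied in attrs:
        totals = {}
        for case in ("optimistic", "pessimistic"):
            cases = {a.name: "most_likely" for a in attrs}
            cases[varied.name] = case
            totals[case] = total_cost(cases, attrs)
        rows.append({
            "name": varied.name,
            "low": totals["optimistic"],
            "high": totals["pessimistic"],
            "swing": totals["pessimistic"] - totals["optimistic"],
        })
    return sorted(rows, key=lambda r: r["swing"], reverse=True)


def render_tornado(rows, baseline, width=40):
    """Text tornado chart: '<' is the opportunity side of the baseline, '>' the threat side."""
    scale = max(max(baseline - r["low"], r["high"] - baseline) for r in rows)
    lines = []
    for r in rows:
        left = round((baseline - r["low"]) / scale * width)
        right = round((r["high"] - baseline) / scale * width)
        lines.append(f"{r['name']:<10}{'<' * left:>{width}}|{'>' * right:<{width}} "
                     f"${r['low']:,} to ${r['high']:,}")
    return "\n".join(lines)


if __name__ == "__main__":
    for case in CASES:
        print(f"All {case}: ${all_at(case):,}")
    print(render_tornado(tornado_rows(), all_at("most_likely")))
```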

Expected Monetary Value Analysis

DEFINITION: EXPECTED MONETARY VALUE (EMV) ANALYSIS

“A statistical technique that calculates the average outcome when the future includes scenarios that may or may not happen. A common use of this technique is within decision tree analysis.”

PMBOK® Guide, Fourth Edition

EMV is a technique for assigning a specific dollar value to a set of

alternative, uncertain outcomes.

• The EMV of a specific uncertain outcome is the value of the outcome, multiplied by its probability.

• The EMV of all outcomes is the sum of their individual EMVs.

For example, suppose that if a project risk were realized, it would cost

the project $12,000. Suppose the risk has a 50% probability of occurring.

Then its EMV is (.50 * -12,000), or -$6,000. The use of a negative

indicates that it is an outflow, or cost, and is undesirable.

Suppose the project manager has to choose between two alternatives:

the first one leads to the first risk, while the other one leads to a

second risk. Suppose the second risk has an impact of -$15,000, but has

only a 33% chance of occurring. The second risk’s EMV is (.33 * -15,000),

which is only -$5,000. So (barring other possible considerations), the

project manager should choose the alternative leading to the second

risk, not the first.

Decision Tree Analysis

A common use of expected monetary value analysis is in decision tree

analysis. A decision tree is a diagram with one starting point and

branches where junctions represent either decisions or chance events.

The tree incorporates the probability of occurrence for each chance

event and the cost or benefit of each end outcome.

A decision tree can be used in the following instances:

• To describe decisions under consideration and the implications of choosing one or another of the available alternatives

• To account for significant random events

• To indicate which decision yields the greatest expected monetary value when uncertain implications, risks, costs, rewards, and decisions are quantified

• To compare alternatives and outcomes

Figure 5-10 shows a simplified decision tree, with one decision and two

chance events. In this case, a decision is made and both chance events

occur, each yielding outcomes having known probability.

Figure 5-10. Simplified Decision Tree

The sum of the probabilities of all the outcomes from a single chance

event must be 100%, since one of them must occur. The chance event in

the upper branch is the same event as the chance event in the lower

branch, but the decision has an influence on the probabilities of the

chance event’s outcomes.

EXAMPLE: DECISION TREE ANALYSIS

As a company that built its reputation on customer service, Capitol Flyer is

determined to offer its customers the conveniences they will most value.

The project manager has planned a customer survey and focus groups to

gather that information for the Corporate Customer Satisfaction project.

Cost comparison is one important aspect she uses to determine whether to

develop and deliver that in-house, or outsource it to a marketing company.

To view her decision-tree analysis, see Appendix C.

Decision Tree Example

The decision tree in Figure 5-11 shows a decision regarding whether to

build a new plant or upgrade the existing plant to cope with anticipated

strong demand for a product line. Each decision involves construction

costs. Because product demand is uncertain, it is represented in a

simplified way by two outcomes: Strong Demand and Weak Demand.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 5-11. Decision Tree Diagram Example

In this case, the new plant will allow the firm to make more of its

product than the upgrade plant, and the probabilities of strong or weak

demand are unaffected by the plant decision. This tree shows that Build

New Plant has a value of $36M and Upgrade Plant has a value of $46M.

This conclusion involves analyzing the tree branches from left to right.

Steps in decision tree analysis include the following:

• Determine the Decision Definition. Here, it’s Build or Upgrade?

• Define the Decision Node. List the name and cost of each alternative (shown as negative numbers). Determine the risk or opportunity of each possible outcome.

  ◦ In this scenario, product demand is considered the primary factor.

• Based on analysis not shown, provide information for the Chance Node. In the example, it is assumed that:

  ◦ For both paths, there is a 60% probability that product demand is strong and a 40% probability (or risk) that demand is weak.

  ◦ The payoff for a new plant is $200M in response to strong demand, but only $90M in response to weak demand.

  ◦ Payoffs for an upgraded plant are $120M and $60M in response to those respective demands.

  ◦ The behavior of demand is not affected by the build-or-upgrade decision.

• For the Net Path Value column, calculate the payoff for each branch. For example, on the Build New Plant branch, which costs $120M:

  ◦ There is a 60% chance of strong product demand, defined to result in a payoff of $200M.

  ◦ Continuing with strong product demand, subtract the cost of the decision ($120M) from the expected payoff ($200M) for a net gain of $80M, shown in the Net Path Value column.

  ◦ Multiply the gain by its probability (60%), yielding $48M ($80M * .60 = $48M). You can display this calculation in the Net Path Value column.

  ◦ Repeat relevant steps to quantify the weak demand option on the Build branch. Subtract the cost of the decision ($120M) from the expected outcome ($90M) for a net loss of $30M. Factored by the probability of weak demand (40%), the value of the weak demand option is -$12M.

• To determine the total expected monetary value of the Build decision, combine the expected monetary values of the two outcomes (strong and weak). You can display this calculation in the Decision Node.

  ◦ In this case, Expected Monetary Value (Build) = $48M - $12M = $36M.

  ◦ Applying relevant steps to the Upgrade Plant branch, its value is calculated to be $46M.

• Compare the expected monetary values of the decisions. The winning decision can be indicated in the Decision Definition column.

  ◦ Because $46M is greater than $36M, the overall expected value of the Upgrade strategy is higher and should be the correct choice.
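
The rollback described in the steps above, as an added Python example that is not part of the guide; it generalizes to any tree of decision and chance nodes. The Upgrade Plant cost of $50M is not stated in the text and is an assumption, implied by the stated payoffs, probabilities, and $46M result; all class and function names are hypothetical.

```python
"""Expected monetary value rollback for a decision tree (Build vs. Upgrade example)."""
import math
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class Outcome:
    payoff: float  # $M received at the end of the path


@dataclass
class Chance:
    name: str
    branches: List[Tuple[str, float, "Node"]]  # (label, probability, child)


@dataclass
class Decision:
    name: str
    options: List[Tuple[str, float, "Node"]]  # (label, cost in $M, child)


Node = Union[Outcome, Chance, Decision]


def emv(node):
    """Roll the tree back from the outcomes to the given node."""
    if isinstance(node, Outcome):
        return node.payoff
    if isinstance(node, Chance):
        total = sum(p for _, p, _ in node.branches)
        if not math.isclose(total, 1.0):
            raise ValueError(f"{node.name}: probabilities sum to {total}, not 100%")
        return sum(p * emv(child) for _, p, child in node.branches)
    return choose(node)[1]


def option_values(decision):
    """EMV of each alternative: expected payoff minus the cost of choosing it."""
    return {label: emv(child) - cost for label, cost, child in decision.options}


def choose(decision):
    """Return (label, EMV) of the alternative with the highest EMV."""
    values = option_values(decision)
    best = max(values, key=values.get)
    return best, values[best]


def net_path_values(cost, chance):
    """The guide's per-path view: (label, payoff - cost, probability-weighted net)."""
    return [(label, emv(child) - cost, p * (emv(child) - cost))
            for label, p, child in chance.branches]


def demand(strong_payoff, weak_payoff):
    # Demand is 60% strong / 40% weak on both branches, as the text states.
    return Chance("Product demand", [("Strong Demand", 0.60, Outcome(strong_payoff)),
                                     ("Weak Demand", 0.40, Outcome(weak_payoff))])


BUILD_COST = 120   # $M, stated in the text
UPGRADE_COST = 50  # $M, ASSUMPTION: not stated; implied by 0.6*120 + 0.4*60 - 46
TREE = Decision("Build or Upgrade?", [
    ("Build New Plant", BUILD_COST, demand(200, 90)),
    ("Upgrade Plant", UPGRADE_COST, demand(120, 60)),
])

if __name__ == "__main__":
    for label, net, weighted in net_path_values(BUILD_COST, TREE.options[0][2]):
        print(f"Build / {label}: net ${net:.0f}M, weighted ${weighted:.0f}M")
    for label, value in option_values(TREE).items():
        print(f"EMV({label}) = ${value:.0f}M")
    print("Choose:", choose(TREE)[0])
```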

EXERCISE: APPLY A PERFORM QUANTITATIVE RISK ANALYSIS TOOL

Apply a quantitative analysis tool (decision tree analysis) to a risk identified

in the previous exercise associated with the case study. Refer to the

Perform Quantitative Risk Analysis topic in Appendix A.

Modeling and Simulation

DEFINITION: SIMULATION

“A simulation uses a project model that translates the uncertainties specified at a detailed level into their potential impact on objectives that are expressed at the level of the total project. Project simulations use computer models and estimates of risk, usually expressed as a probability distribution of possible costs or durations at a detailed work level, and are typically performed using a Monte Carlo analysis.”

PMBOK® Guide, Fourth Edition

In a simulation, the project model is computed many times (iterated),

with values such as cost estimates or activity durations chosen

randomly for each iteration from the probability distributions of these

variables. Then a probability distribution, such as total cost or

completion date, is calculated from the iterations.

Figure 5-12 shows an example of a cumulative distribution from a cost

risk simulation. The x axis represents possible costs for the project, and

the y axis indicates the probability of a particular cost. This cumulative

chart reflects the data in Figure 5-5 on interviewing for optimistic, most

likely, and pessimistic cost estimates. This example assumes triangular

distributions, which are illustrated in Figure 5-6.

PMBOK® Guide, Fourth Edition

Figure 5-12. Cost Risk Simulation Results

Simulation for schedule risk analysis, taking as inputs the schedule

network diagram and schedule duration estimates, can result in a

similar chart showing the likelihood of achieving particular schedule

targets.

Initial estimate information is entered into modeling tools and results of

varying complexity are produced, depending on the sophistication of the

tool.

For an analysis of the project’s total duration, the team creates the

project network of activities in a standard scheduling tool and estimates

the minimum, maximum, and most likely durations for each activity.

The simulation tool then produces an analysis of the network, describing

the critical path, the most likely project duration, and the distribution

of project durations with their associated probabilities. If the results

indicate that there is too much uncertainty to achieve the original

project schedule objective, then either the project objective must be

changed, or the project schedule must be modified, which may involve

fixing the planned activities by adding resources or changing

dependencies until the resulting analysis indicates a good likelihood of

success.

The idea here is to replicate the project model in a number of scenarios

in order to better understand probable effects or outcomes.

Monte Carlo Simulation

DEFINITION: MONTE CARLO SIMULATION

“A process which generates hundreds or thousands of probable performance outcomes based on probability distributions for cost and schedule on individual tasks. The outcomes are then used to generate a probability distribution for the project as a whole.”

PMBOK® Guide, Fourth Edition

Running a Monte Carlo analysis on the project involves setting up an

experiment to simulate the project running from start to finish many

times. Each time, the independent variables are set randomly,

according to the probability distributions they have been assigned.

Monte Carlo simulation is based on statistical probabilities. It is

extremely economical in analyzing complex situations, in which

algorithmic calculations are too difficult or labor-intensive to carry out.

The Monte Carlo method involves randomly generating values for each

input variable, using the probability distribution for the variable as the

range within which the values must fall. The values of the variables are

combined in a complex calculation to generate an outcome. This

process is repeated many times, using as many likely combinations of

values as possible, and the outcomes are plotted into a probability

distribution.

Once a Monte Carlo simulation establishes the probability distribution

for a set of outcomes, the project team can use this information to

decide on a course of action. The result of examining the outcomes may

involve either altering the project objective so that its likelihood of

success is sufficiently high, or reserving a contingency (usually a

schedule or cost contingency) to reach the desired level of confidence

in the project’s ability to achieve the objective.

For example, to determine the correct contingency reserve to establish

for a project budget item, a Monte Carlo simulation would generate

random values for the contingency reserve and apply them to a

calculation of the total cost, factoring in the probabilities of other risk

events occurring during the project. After running many of these

simulations, the project team can identify the cost contingency input

value that produces an outcome that falls within an acceptable range of

total cost and schedule, resulting in the lowest impact on the project

objectives, or in achieving the stated target objective with the desired

confidence level.

Typically, the analysis centers on the project schedule network or its

critical path. Each task on the critical path involves a schedule risk. To

understand that risk, the project management team must answer the

following questions:

• What is the most likely duration of this task?

• What is the risk, or probability, that it will be longer (or shorter)?

• How confident is the stakeholder that the task was estimated and budgeted accurately?

Steps in Monte Carlo Simulation

As in qualitative analysis, the project manager and key stakeholders on

the project participate in creating the data used in the analysis. It is

likely that they will need a trained specialist to assist with the Monte

Carlo modeling in order to get meaningful results. Monte Carlo

simulation capability is built into some project management software

tools; other software can be augmented with an add-in Monte Carlo

simulation module from third parties.

When applying Monte Carlo simulation, follow these steps:

1. Interview experts on the project to gather likely task duration

estimates.

2. Enter collected data into modeling tools. Results vary in complexity

with the sophistication of the tool.

3. Create the project network of activities in a standard scheduling

tool.

4. Analyze the project’s total duration.

5. Estimate the minimum, maximum, and most likely durations for

each activity.

6. Using the simulation tool, analyze the network, describing the

critical path, the most likely project duration, and the distribution

of project durations with their associated probabilities.

7. If the simulation results indicate a poor likelihood of achieving the

project schedule objective, change the project objective or modify

the project schedule. Alter planned activities by adding resources or

changing dependencies until the resulting analysis indicates a likely

success.

Monte Carlo Simulation Example

The chart in Figure 5-13 displays the results from a Monte Carlo

simulation of the schedule duration for a typical project. The output

data at the top left states that there were 200 samples, indicating that

200 runs were executed.

The chart shows a distribution of the runs against the Completion Date

on the x-axis. Each bar represents the number of runs that show the

project delivered on a particular Completion Date; the actual count is

reported on the left y-axis. There is also a cumulative probability curve,

which runs from the bottom left to the top right.

Figure 5-13. Monte Carlo Simulation Results Example

To interpret the sample result, start with the bars. They form an

approximately bell-shaped curve, whose midpoint appears to occur at

March 29, 2000. Individual bars are not of interest in this analysis; only

the overall distribution is useful.

• If the number of runs in each bar is accumulated from left to right and the sum at each position is divided by the total number of runs in the simulation, the result is the cumulative probability curve.

• Look at the midpoint of the bars (March 29, which has a value of 50% probability in the data table to the right of the graph). Note that 100 runs show the project completing on that date or earlier, representing 50% of the 200 total runs.

• The data that produced the cumulative probability curve is reported in the table to the right of the graph. The table shows that 75% of the runs produce the outcome of project completion on or before April 12. Using this table makes it easy to assess the probability that a particular target completion date will be met.

• Based on this analysis, there is a 75% probability of finishing by April 12.

Monte Carlo Simulation Summary

In a Monte Carlo simulation, the project is virtually iterated using

randomly selected possible values for expenses or activity durations,

resulting in a cumulative probability curve for project cost or schedule.

• The Monte Carlo simulation calculates the total duration of the project schedule based on varying factors.
• If the durations of activities have been set for the minimum, most likely, and maximum durations, the simulation can randomize these values.
• The simulation shows a distribution of durations, which can be used to determine the most likely duration, but is best used to determine the likelihood of a particular target completion date, or to set a target date based on the minimum acceptable probability of success.
• If the outcomes are not acceptable, sensitivity analysis can be used to find the factors that cause the greatest increase in duration. These factors can then be addressed by reducing their influence, focusing management attention on them, perhaps eliminating them, or eliminating the affected work. Of course, if the schedule is the only problem, schedule compression techniques can also be explored without addressing these factors; another simulation should then be run on the revised schedule to ensure that new problems have not been introduced.
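The simulation summarized above, as an added Python example that is not part of the course guide: it samples minimum / most likely / maximum durations, reads target-date probabilities off the cumulative results, and ranks activities by their influence on total duration. The five-activity network, its durations, the triangular distribution, and the use of Pearson correlation as the sensitivity measure are all assumptions made for illustration.

```python
import math
import random

# Constructed sample schedule (not from the course guide). Each activity maps to
# (minimum, most likely, maximum duration in days, predecessors); entries are
# listed in dependency order so one pass can compute finish times.
ACTIVITIES = {
    "design":    (4, 6, 10, []),
    "build":     (8, 10, 16, ["design"]),
    "procure":   (5, 9, 20, ["design"]),
    "integrate": (3, 4, 8, ["build", "procure"]),
    "test":      (2, 3, 6, ["integrate"]),
}


def run_once(rng):
    """One simulation run: sample every duration, return (samples, project duration)."""
    sampled, finish = {}, {}
    for name, (low, likely, high, preds) in ACTIVITIES.items():
        # Assumption: a triangular distribution over the three-point estimate.
        sampled[name] = rng.triangular(low, high, likely)
        # An activity starts when its latest predecessor finishes.
        start = max((finish[p] for p in preds), default=0.0)
        finish[name] = start + sampled[name]
    return sampled, max(finish.values())


def simulate(runs=2000, seed=1):
    """Repeat the run with a seeded generator so results are reproducible."""
    rng = random.Random(seed)
    results = [run_once(rng) for _ in range(runs)]
    return [s for s, _ in results], [t for _, t in results]


def probability_of_meeting(totals, target_days):
    """Point on the cumulative curve: share of runs finishing on or before the target."""
    return sum(1 for t in totals if t <= target_days) / len(totals)


def target_for_confidence(totals, confidence):
    """Shortest simulated duration that at least `confidence` of the runs meet."""
    ordered = sorted(totals)
    index = max(0, math.ceil(confidence * len(ordered)) - 1)
    return ordered[index]


def sensitivity(samples, totals):
    """Pearson correlation of each activity's sampled duration with the project total."""
    n = len(totals)
    mean_t = sum(totals) / n
    var_t = sum((t - mean_t) ** 2 for t in totals)
    scores = {}
    for name in ACTIVITIES:
        xs = [s[name] for s in samples]
        mean_x = sum(xs) / n
        cov = sum((x - mean_x) * (t - mean_t) for x, t in zip(xs, totals))
        var_x = sum((x - mean_x) ** 2 for x in xs)
        scores[name] = cov / math.sqrt(var_x * var_t)
    # Highest correlation first: the strongest drivers of schedule length.
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    samples, totals = simulate()
    for target in (26, 30, 34):
        print(f"P(finish within {target} days) = {probability_of_meeting(totals, target):.0%}")
    print(f"Duration met by 75% of runs: {target_for_confidence(totals, 0.75):.1f} days")
    for name, score in sensitivity(samples, totals).items():
        print(f"{name:10s} correlation with total duration: {score:+.2f}")
```

Because "build" and "procure" run in parallel, the project duration is driven by whichever finishes later in each run, which is why the total is simulated rather than summed from the individual estimates.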


Expert Judgment

DEFINITION: EXPERT JUDGMENT

“Judgment provided based upon expertise in an application area, knowledge area, discipline, industry, etc. as appropriate for the activity being performed. Such expertise may be provided by any group or person with specialized education, knowledge, skill, experience, or training.”

PMBOK® Guide, Fourth Edition

Expert judgment, in the form of experienced staff from other projects

in the organization or consultants, can be used to guide the analysis of

risk and to understand the behavior of risk causes. It can support the

evaluation of potential impacts on cost and schedule and it can provide

expertise in statistical methods.

Expert judgment is also valuable for interpreting data and selecting

quantitative analysis tools. Methods have weaknesses as well as

strengths and may be more or less appropriate for a given organization.


Topic 4: Outputs from the Perform Quantitative Risk Analysis Process

The Perform Quantitative Risk Analysis process has only one major

output:

• Risk register updates

Risk Register Updates

As in the Perform Qualitative Risk Analysis process, the output from the Perform Quantitative Risk Analysis process takes the form of updates to the risk register. Updates include documentation of quantitative methods

applied, results, and recommendations. The output may include an

overall project risk assessment, such as the risk of completing the

project by the due date. Other outputs may include a specific project

metric such as a technical performance measure (TPM), a cost or

schedule reserve, or a quality control tolerance.

DEFINITION: TECHNICAL PERFORMANCE MEASUREMENT

“A performance measurement technique that compares technical accomplishments during project execution to the project management plan’s schedule of planned technical achievements. It may use key technical parameters of the product produced by the project as a quality metric. The achieved metric values are part of the work performance information.”

PMBOK® Guide, Fourth Edition

As analysis is repeated over the life of the project, another output is

risk trend data. A project that is run well should demonstrate a

downward trend in the overall risk. A sudden upward trend would serve

as a trigger or warning to implement corrective action.

The updates to the risk register from the Perform Quantitative Risk

Analysis process include:

• Probabilistic analysis of the project
• Probability of achieving cost and time objectives


• Prioritized list of quantified risks
• Trends in quantitative risk analysis results

Probabilistic Analysis of the Project

Probabilistic analysis provides probability distributions of the outcomes

of the project schedule and cost, generated by tools such as Monte

Carlo simulation. The results are combined with the information about

stakeholder risk tolerances to determine whether the probability of

meeting the project objectives is sufficient. If not, the appropriate size

and distribution of contingency reserves should be determined to give

stakeholders the necessary level of confidence.

Probability of Achieving Cost and Time Objectives

Quantitative analysis can indicate the probability of achieving the

current project cost and time objectives given the current project

management plan. This probability can show the need for changes,

whether in the project management plan, in the project objectives

themselves, or in the allocation of project contingency reserve.

Prioritized List of Quantified Risks

This list includes risks that pose the greatest threat or present the

greatest opportunity to the project, together with a measure of their

impact. Risk may be prioritized based on:

• Ranking (high, medium, or low risk)
• WBS level
• Immediacy
• What the team considers the greatest threat
• Scope, cost, schedule, and quality
• Greatest opportunity
• Stakeholder priorities
• Impact quantified


Not all risks can be acted upon, so there is a need to prioritize. Even if a

risk seems minor, remember stakeholder priorities. Quantifying impact

helps decision makers respond based on facts.

Trends in Quantitative Risk Analysis Results

Analysis of the most significant risks needs to be repeated at critical

points during the project. Trends in the forecasts for schedule or cost

may appear. Planned risk responses may require change. Conclusions

may be in a report separate from, or linked to, the risk register.


Module Summary

ADDRESSING THE BUSINESS CHALLENGE

Ana studies the highest risks associated with the parade – those determined

to be most likely to occur, and have the highest impact if they did – such as

insuring the antique car club.

For each of those, she creates a probability distribution, calculates

variance, and establishes contingencies based on the results.

Because the stakes are so high for the possibility of crowd injuries, she

completes a decision tree analysis to compare alternatives and outcomes.

This arms her with some accurate information with which to predict the outcome.

The Perform Quantitative Risk Analysis process is applied in proportion

to the project size and degree of overall project risk. Only risks that

qualitative analysis ranked high may be submitted to quantitative risk

analysis.

Tools and techniques for Perform Quantitative Risk Analysis may be

complex (decision tree analysis, simulation) or simple (interview,

sensitivity analysis). Choice of analytical approach depends on time and

budget resources, as well as need.


Module 6

Plan Risk Responses

Module 6: Plan Risk Responses


Module Introduction

The Plan Risk Responses process develops options and actions to address

identified risks. The activities within the process are designed to

maximize the positive impact of opportunities, and to reduce threats to

the project objectives.

This module:

• Describes the Plan Risk Responses process
• Identifies the inputs, tools and techniques, and outputs of the Plan Risk Responses process
• Presents methods for developing appropriate risk response strategies


Module Objectives

Upon completion of this module, the participant will be able to:

• Define the Plan Risk Responses process
• Place the Plan Risk Responses process within the context of the project management framework
• Identify the purpose of the Plan Risk Responses process
• Understand the proactive nature of the Plan Risk Responses process
• Identify the inputs, tools and techniques, and outputs of the Plan Risk Responses process
• Describe types of risk response strategies and the factors affecting the choice of strategy
• Develop appropriate risk response strategies to address positive and negative risks (opportunities and threats)


Topic 1: Overview of the Plan Risk Responses Process

THE BUSINESS CHALLENGE

With all risks thoroughly evaluated, Ana can develop options and actions to

respond to those risks: to enhance opportunities and reduce threats.

Hannah, for instance, is excited about the involvement of Duane Evans'

drum and bugle corps. They will be an additional expense, but their

reputation makes them a big draw in the region. On the other hand, Jack

can't fathom why PJ Brown's Llama Wranglers are being allowed to

participate. “Any of those llamas could trample a kid,” Jack moans. “Explain to me how that's worth the risk.” Ana reminds Jack they'd agreed that the risk of doing the parade without the support of Brown's cousin, police chief Mick Hopkins, is even higher.

“So what we need,” she tells him, “is a good plan for how to respond to each potential risk.”

• What constitutes an appropriate risk response? What does a risk response plan look like?

In the Plan Risk Responses process, the project team decides how to

respond to identified risks. There is little value in simply being alert to

the existence of a risk unless an appropriate response has been

prepared.

The Plan Risk Responses process is the natural successor to the

processes of identifying and analyzing risks. Once the risks have been analyzed and prioritized, an appropriate response must be planned, starting with the highest priority risks.


Figure 6-1 shows that Plan Risk Responses occurs in the Planning Process Group.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 6-1. Project Risk Management Process Group Map: Plan Risk

Responses

As a result of the Plan Risk Responses process, the project risk register

will contain the plans for minimizing the probability of a negative risk

and its impact on the project objectives. It will also contain the plans

for maximizing the probability of a positive risk and its impact on the

project objectives whenever possible.

DEFINITION: PLAN RISK RESPONSES

“The process of developing options and actions to enhance opportunities and to reduce threats to project objectives”

PMBOK® Guide, Fourth Edition

Purpose of Plan Risk Responses

The purpose of the Plan Risk Responses process is to ensure that the risk

responses are:

• Appropriate to the severity of the risk
• Timely enough to be successful
• Cost effective in meeting the challenge


• Realistic within the project context
• Agreed upon by all parties involved
• Owned by a responsible person or party

One common pitfall is for a team to perform a risk analysis but fail to

plan an adequate response. A second pitfall is the failure of project

team members to create effective responses. The team may lack the

creativity or experience to devise actions that are practical, efficient,

and perhaps credible.

Finally, the most common failure of risk response plans is poor

implementation; risk owners are not assigned, do not understand their

responsibilities, fail to monitor the risk triggers, or fail to react

promptly and effectively when the risk trigger is observed.

Proactive Nature of Plan Risk Responses for Threats

For threats or the negative risks naturally encountered in life, such as

accidents or illnesses, it is normally most effective to minimize the

probability of the undesired event’s happening, and then to minimize

the impact.

Minimize the probability of a car accident by developing rules of the

road, requiring drivers to pass a test demonstrating that they

understand and can use them properly, providing rear-view mirrors,

installing stop lights at intersections, and providing traffic police to

deter drivers from ignoring the rules.

Minimize the impact of a car accident by wearing passenger restraints in

cars, buying insurance to minimize the financial damage, and organizing

community medical services to respond swiftly to minimize the health

damage.


What is true for everyday life is also true for project management.

Design risk responses to be cost-effective. The most cost-effective

controls are typically preventive controls. However, the Plan Risk

Responses process also includes the development of contingency or

fallback approaches, which are implemented if and when the risk

materializes. In most cases, the ability to implement these contingency

plans also requires advance preparation. Therefore, we can say that all

risk responses are to some degree proactive.

Proactive Nature of Plan Risk Responses for Opportunities

Someone interested in community service might join a volunteer group

in order to find opportunities to serve in the community. Joining the

group does not directly result in service; it merely presents the

opportunities and qualifies the individual to participate in them. As

another example, many people pursue higher education or professional

certifications before they learn of a job opportunity in which they can

use their new skills. Both strategies constitute Plan Risk Responses for

positive risks.

Similarly in projects, unexpected opportunities for the project

management team to reduce cost or shorten the project schedule

sometimes arise.

For example, acquiring and incorporating a newly released commercial

product to replace a component that the project team originally

planned to develop may greatly reduce the development time and cost.


Interactions with Other Processes

Figure 6-2, the Plan Risk Responses process data flow diagram, shows

how inputs are transformed through tools and techniques into outputs.

PMBOK® Guide, Fourth Edition

Figure 6-2. Plan Risk Responses Data Flow Diagram

Overview of Plan Risk Responses Inputs, Tools and Techniques, and Outputs

Figure 6-3 shows the inputs, tools and techniques, and outputs of the

Plan Risk Responses process. These inputs, tools and techniques, and

outputs are discussed in detail in this module.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 6-3. Plan Risk Responses: Inputs, Tools & Techniques, and

Outputs


Topic 2: Inputs to the Plan Risk Responses Process

The inputs to the Plan Risk Responses process, described below, are:

• Risk register
• Risk management plan

Risk Register

The risk register may include:

• A list of prioritized risks, produced by qualitative risk analysis (Plan responses to risks considered urgent first.)
• Common root causes of risks that may have been identified during the Perform Qualitative Risk Analysis or Perform Quantitative Risk Analysis processes (Aggregating the impacts of risks with common causes makes it easier to see which interventions will have the most effect for the smallest investment.)
• A list of potential responses from the Identify Risks process (This list indicates what strategies might be useful in addressing a particular risk.)
• A list of risks for additional analysis and response
• Trends in qualitative analysis results (These can be used to forecast when risks are likely to demand action so that an intervention can be prepared before it is necessary.)
• A watch list of low-priority risks (Review these risks to determine if any have changed enough to warrant analysis, or even immediate action.)

Risk Management Plan

Important components of the risk management plan include:

• Roles and responsibilities
• Risk analysis definitions
• Timing for reviews, and for eliminating risks from review
• Risk thresholds for low, moderate, and high risks


Topic 3: Tools and Techniques for the Plan Risk Responses Process

The tools and techniques for the Plan Risk Responses process are:

• Strategies for negative risks or threats
• Strategies for positive risks or opportunities
• Contingent response strategies
• Expert judgment


Strategies for Negative Risk or Threats

Strategies for threats include:

• Avoid the risk
• Transfer the risk
• Mitigate the risk
• Accept the risk

Avoid the Risk

DEFINITION: RISK AVOIDANCE

“A Plan Risk Responses technique for a threat that creates changes to the project management plan that are meant to either eliminate the risk or to protect the project objectives from its impact.”

PMBOK® Guide, Fourth Edition

Some actions that may be taken to avoid a negative threat are:

• Change the project plan. This may create new risks, which can reduce the benefit of the change or even be more problematic than the risk being avoided. Such new risks arising directly from a risk response plan are called secondary risks. Modifying the project plan can involve:
  - Clarifying requirements to eliminate the possibility of ambiguity
  - Improving communications to reduce misunderstandings and resulting rework
  - Acquiring expertise to eliminate the likelihood of poor quality or late deliverables
  - Getting buy-in from the sponsor and stakeholders (for example, inviting these people to a presentation or lunch discussion)


• Alter the project scope, schedule, budget, or quality objectives so that they will be met.
• Change the technical activity or underlying design to avoid the activity associated with the risk.
• Use familiar methods and resources. Every new team member represents risk, for example: the possibility that he or she will not get along with others, will do poor quality work, or will not meet commitments. So project leaders and managers tend to choose people they know instead of strangers when staffing a team.

Transfer the Risk

DEFINITION: RISK TRANSFERENCE

“A risk response planning technique that shifts the impact of a threat to a third party, together with ownership of the response.”

PMBOK® Guide, Fourth Edition

Transferring risk shifts the consequences and responsibility of a risk to

another party. Transference does not eliminate the risk. If, however,

the other party is more capable than the performing organization at the

kind of work in question, the work may represent a lower risk to the

other party, and thus the project, than it does to the project team.

Choose the other party for capabilities that reduce the risk to the

overall project. Although the possibility for the risk to materialize will

still exist, it is reduced. Furthermore, if the other party cannot deliver,

the performing organization will receive some compensation.

The compensation should be equivalent to the loss associated with the

unmet project objectives. If the performing organization had attempted

the work itself and failed, there would have been no compensation. In

exchange for these benefits, the performing organization pays the other

party a premium, representing the value of the party’s experience in

reducing the risk.


Contracts can be used to transfer a specific risk, for example,

outsourcing manufacture of a challenging subcomponent, or to transfer

the impact of a liability, as when an insurance policy is purchased.

Contractual agreements ensure that there is a documented agreement,

which is substantially stronger in legal terms than a verbal

understanding, and that the task and its risks are accountable to the

contracting party. On some projects, it may be advisable for the

performing organization to use a contract to eliminate its liability for

specified risks that are deemed subject to “force majeure” (that is,

beyond human will and ability to control), such as losses due to

weather, earthquakes, or civil unrest.

EXAMPLE: TRANSFERRING RISK

If the prototype of a new aircraft requires a titanium bulkhead, and the

company building the prototype has no experience machining titanium, they

may subcontract this work to a vendor who does. The vendor with this

experience may be a specialist, and his experience can reduce the risk to

the overall project that the bulkhead component will be flawed.

Transferring liability is effective for financial risk. This usually involves

paying a fee to the counterparty as compensation for accepting the risk.

Types of fees include:

• Insurance
  Typically insurance protects the performing organization against a loss, such as fire or weather damage.
• Performance bonds
  The customer may require a bond for protection against damages should the performing organization fail to perform. A supplier might be required to buy a bond to protect the project from losses, should the supplier fail to perform under the terms of their engagement.
• Warranties
  This approach ensures a period of service or protection, for which a fee is usually paid to the supplier. It can relieve you of the cost of exhaustive acceptance testing and may reduce your overall support costs once the product of the project is in operation.


• Guarantees
  A promise made on some performance aspect of a product or service. In law this may be a promise made by a third party to perform should the primary party fail to perform.

Mitigate the Risk

DEFINITION: RISK MITIGATION

“A risk response planning technique associated with threats that seeks to reduce the probability of occurrence or impact of a risk below an acceptable threshold.”

PMBOK® Guide, Fourth Edition

Mitigation is the most commonly understood strategy. It attempts to

lessen the negative risk by reducing its probability and/or its impact to

acceptable levels.

A strategy using mitigation may also involve a contingency plan, which

is invoked once the risk materializes. The contingency plan’s purpose is

to limit the impact to the project should preventive measures fail. If

reducing a threat is not possible, the negative risk impact can often be

moderated by identifying and targeting factors that determine the

severity of the risk.

EXAMPLE: MITIGATING RISKS

Firefighters, for example, wear helmets to prevent falling ceiling materials

from causing them head injuries. If the material is heavy enough, they may

still suffer an injury, but the impact will have been reduced.

Some actions that may be taken to mitigate a negative threat are:

• Develop a prototype
• Consider an alternative path
• Simplify processes
• Conduct more engineering tests


• Select a more reliable seller

In general, an effective approach to mitigating risk is to identify these

three factors:

• Cause
• Driver
• Power of the driver

To find an effective mitigation strategy, consider these four questions:

• What causes the risk?
• What drives the magnitude of the impact?
• How controllable is the driver?
• How probable is the risk?

What Causes the Risk?

If the cause of the threat can be understood, and the causal

relationship can be altered or exploited, it may be possible to reduce

the likelihood that the risk will occur.

For example, in research studies regarding head-on collisions between

cars, it was determined that there was always a significant risk of a

head injury. During testing conducted on crash test dummies, it was

determined that head injuries were most often caused by striking the

car’s windshield. By implementing a shoulder restraint system that

crosses the passenger’s chest, it was possible to prevent the head from

reaching the windshield and to dramatically reduce this type of injury.

The use of seat belts is a preventive risk response that attacks the

causal factor in head injuries sustained during head-on car collisions.

What Drives the Magnitude of the Impact?

If the factors that influence the magnitude can be affected, then it may

be possible to diminish the impact of the risk.

As an example, buildings in the city of Venice are sinking, and the

effect of storm tides has been determined to be a significant factor in

the rate of sinking.


By installing tidal barriers that move, Venice has been able to reduce

the size of the storm tides, while still permitting tidal basin flows to

maintain the healthy flow of silt into the ocean and salt water into the

lagoon. This strategy reduces the risk that severe storms will cause

significant damage to the city.

How Controllable is the Driver?

In the Venice example, controlling tidal surges was not possible until

the development of tidal barriers by the British and Dutch for use in

controlling storm surges on the Thames and Eastern Scheldt estuaries in

the late 1970s. As a result of these technical achievements, it became

possible to control tidal surges as a driver of flooding damage in

estuaries around the world.

On the other hand, earthquake damage is caused by wavelike motions

resulting from the opening of cracks and by sudden vertical

displacements in the surface of the earth. Only wavelike motions can be

reliably controlled through the use of flexible construction techniques

and large rollers in building foundations, as in the Transamerica

Corporation building in San Francisco. The other driver of earthquake

damage remains largely uncontrollable.

Project Management Risk Mitigation Strategies

Suggested project management risk strategies are:

• Include the duration of risk response plans in the schedule baseline and negotiate additional schedule relief
• Use team reviews, at the work package level, to validate activity duration estimates
• Clarify the definitions of requirements, deliverables, tasks, and milestones
• Clarify and confirm assumptions and constraints
• Use a change control board to implement formal schedule baseline change control processes
• Schedule critical resources and technology within acceptable windows


• Write definitions for periodic vendor performance reviews into the purchase contract
• Ensure that vendors use project management tools
• Include vendor representatives as part of the project team
• Evaluate the use of more expert resources on challenging tasks
• Include the cost of risk response plans in the budget baseline
• Validate the budget by use of team reviews of bottom-up estimates
• Provide productivity enhancing tools whose learning curve is not so large that it consumes the immediate benefits to the project
• Monitor and manage costs via earned value management methods
• Conduct periodic performance reviews

Organizational Risk Mitigation Strategies

Suggested strategies to use within the organization to mitigate risk for a

project are:

• Obtain firm commitments for specialized resources, with guarantees, if needed
• Cultivate secondary sources for specialized resources and implement methods for rapid substitution of a secondary resource if the primary critical resource should become unavailable
• Obtain written commitments for funding and other resources
• Ensure that the project has a committed and active sponsor
• Obtain the highest possible priority for the project by conforming the cost-benefit value proposition of the project as closely as possible to the priority scheme of the organization
• Recommend the inclusion of elements of scope that offer benefits to powerful stakeholders in order to ensure their commitment
• Stay apprised of the progress of other projects on which the current project depends, and respond promptly if progress is unsatisfactory


External Risk Mitigation Strategies

Suggested strategies for mitigating risk that comes from outside the

organization are:

• Minimize development activities in hostile environments (political, business, weather)
• Avoid single sources for critical outsourced capabilities
• Include protections against shortages or price fluctuations in procurement contracts
• Include quality monitoring and defect correction provisions in procurement contracts
• Confirm market data and analyses

Technical Risk Mitigation Strategies

The list below shows suggested strategies for mitigating risks arising

from technical issues.

• Clarify technical requirements
• Control changes to specifications, deliverables, and acceptance criteria
• Design in tolerances and margins for technical products
• Identify the project’s technical limitations early in the design process
• Allocate work based on skill, or train and certify personnel in new or unfamiliar technologies
• Ensure adequate supervision during early stages of each type of work
• Involve suppliers in the design process
• Conduct reliability studies early
• Enforce discipline regarding the application of technical standards, procedures, and methods; conduct process training
• Simplify the technical solution where practical
• Conduct concept reviews and internal design reviews


• Implement a phased approach to developing the technical solution with in-process reviews by experts
• Use an established project life cycle
• Build prototypes
• Apply performance modeling, simulation, and analysis of designs
• Implement a change control process for technical specifications and deliverables
• Tie payment milestones to satisfactory technical reviews

Risk Mitigation Strategy Guidelines

Some examples of effective mitigation strategies are:

• Specific design features
• Redundancies to mitigate the impact of failures
• Prototype testing to validate the design
• Value engineering studies
• Formal design reviews
• Analytical modeling
• Functional testing
• Expert design review
• Financial incentives to vendors and contractors
• Use of management checkpoints at completion of major project phases
• Allocation of resource reserves
• Contingency reserves
• Implementation of project management processes to the appropriate level for the size and complexity of the project


Guidelines for Risk Response Strategies

There may be many techniques for managing and mitigating risks other

than those listed. The table below identifies sample project activities

that contribute to risks on a project and potential mitigation strategies.

| PROJECT ACTIVITY CONTRIBUTING TO RISK | MITIGATION STRATEGIES |
|---|---|
| Use of new technology or new application of existing technology | Prototype testing |
| Unique new technology | Analytical modeling and simulation |
| An unusually complex design | Use of architecture to reduce coupling of subsystems, functional testing of subsystems |
| A novel design | Formal design review |
| Significant potential for personnel exposure to hazards | Safety review |
| Project schedule uncertainties, or constraints that may impact project milestones | Subcontracting work to others, financial incentives to vendors/subcontractors, additional resources, overtime, multiple shifts (All involve absorbing a cost impact and are appropriate in projects for which schedule has higher priority than costs.) |
| Production shutdown required for project implementation | Synchronizing implementation schedule with low-demand period; contingency schedule in the event of implementation failure |

Accept the Risk

Acceptance is a conscious decision to allow the impact of the risk to

occur if the risk is realized. You may choose this strategy for a threat if

the cost of avoiding, transferring, or mitigating the impact is too high in

proportion to the cost of the risk, or if no other suitable response

strategy is available.

DEFINITION: RISK ACCEPTANCE

“A risk response planning technique that indicates that the project team

has decided not to change the project management plan to deal with a risk,

or is unable to identify any other suitable response strategy.”

PMBOK® Guide, Fourth Edition

Acceptance means that the team knows the threat exists, is aware of

the consequences, and is willing to wait and see what happens without

changing the project plan to deal with the negative risk.

Some ways to accept a negative threat are:

• Passive acceptance – Dealing with risk as it occurs. For example, commuting to work in a car means accepting the potential for an accident and the potential for injury. Everyone who commutes by car accepts that risk.

• Active acceptance – Defining, early on, a contingency plan outlining actions that respond to the negative risk event, and pre-allocating contingency reserves to deal with identified risks that arise during the project.

CLASS DISCUSSION: STRATEGIES FOR THREATS

What strategy would you use to respond to the following threats?

• As a result of adding a skateboarding park to the community playground, injury to children could occur, which would increase the town’s liability for injuries.

• As a result of choosing the site of an old mill to build a bike path, the ground might be contaminated with toxic chemicals, which can result in the need to add extra time and costs to clean the contaminated area.

• As a result of buying a pre-owned vehicle, the vehicle might break down sooner than a new vehicle, which can lead to earlier-than-expected repair expenses.

Strategies for Positive Risks or Opportunities

Strategies for positive risks or opportunities include:

• Exploit

• Share

• Enhance

• Accept

Exploit

To exploit an opportunity, take measures to ensure that the opportunity

will occur and will be incorporated into the project.

Some methods for exploiting a positive risk include:

• Using more skilled resources on an activity for which the opportunity is expected to materialize.

• Partnering with another organization known to provide the opportunity. For example, one company buys another in order to acquire existing marketing and distribution channels for a new line of products.

Share

You can share an opportunity by choosing a partner who can exploit the

opportunity for the partnership’s joint benefit.

For example, if you create a joint venture with a firm that has the

capability to complete a difficult project activity, and allow them a

share in the product ownership, both the organization that originates

the project and the firm that has the expertise benefit.

Enhance

Enhancing an opportunity is the reverse of mitigating a negative risk. To

enhance an opportunity, you try to increase the probability that it will

materialize or you magnify its beneficial effects when it does.

For example, relocating a firm to a university town can increase its

ability to recruit candidates with technical or management ability, and

can reduce hiring costs by avoiding extensive searches and expensive

relocations.

Accept

As with accepting a threat, acceptance of an opportunity is a conscious

decision. In the case of a positive risk, the decision is to take advantage

of the benefits of the opportunity, if the risk is realized.

Acceptance means that the team knows the opportunity exists, is aware

of the positive impact to the project, but is not actively pursuing it.

For example, you might choose to accept a risk opportunity if the costs

of exploiting, sharing, or enhancing it are too high in proportion to the

benefits it provides.

CLASS DISCUSSION: STRATEGIES FOR OPPORTUNITIES

What strategy would you use to respond to the following opportunities?

• As a result of a large company moving their headquarters to the city of Blandville, an economic boom in the housing industry could occur, which would lead to higher revenue for your real estate company.

• As a result of a possible donation of land to your town, the town may build a nature preserve, which might lead to a source of recreation for the town.

• As a result of a new neighbor who works at the same company as you, you could carpool to work, which would lead to lower gas costs and less air pollution.

Contingent Response Strategies

Contingent response strategies are designed for use only in certain

situations. A contingent response is a risk response plan that identifies

actions to be taken to minimize impact when, and only when, a specified

risk occurs. The approach assumes there will be sufficient warning to

implement the plan, and it requires constant monitoring of the risk trigger.

Define and track risk triggers such as missing intermediate milestones.

Develop a fallback plan if the risk has a high impact or if the selected

strategy is not fully effective. This might include using a schedule or

cost contingency reserve, developing alternative options, or changing

the project scope.

The most common application of this risk response technique is to

establish a contingency allowance or reserve. This allowance can

include amounts of time, money, or resources to handle known risks.

These allowances should be commensurate with the impacts of the

associated risks. They should also be computed at an acceptable level

of risk exposure for the risks that have been accepted.

Expert Judgment

Expert judgment is the application of specialized knowledge or training

to the Plan Risk Responses process. This expertise may be contributed

by a group or by an individual. For example:

• Other departments

• Consultants

• Professional associations

• Subject matter experts

Using Risk Principles to Manage Risk

The level of effort expended in managing a risk should be in proportion

to the level of risk itself. This was presented earlier as the fundamental

concept of applying proportionate expenditure. The probability and

impact of low- and medium-impact risks are generally reduced through

the application of good project management disciplines. The project

management processes all contribute to managing risk because they

support the objective of controlling the project.

When the project is not performing as planned, the monitoring activities

can identify that the project is in danger of not meeting its objectives

and corrective action can be initiated. This is how projects are

controlled. How much project management process rigor is appropriate?

The project manager must consider the value of the control provided

against the cost of providing it.

Suggested Minimum Requirements for Managing Risk

For the project's low and most medium risks, it is generally sufficient to

use sound project management practices. For each project management

area, there are certain minimum principles that are suggested for

managing project risk. These principles are:

• Technical element and scope definition

• Roles and responsibilities

• Schedule

• Cost estimates

• Performance analysis reporting

• Funds management

• Accounting

• Work authorization

• Change management

Technical Element and Scope Definition

Experience shows that inaccurate requirements are a major contributor

to project failure.

Minimum requirements:

• Defined technical objectives based on functional and/or physical requirements

• Defined tasks necessary to accomplish the technical objectives

• Work Breakdown Structure (WBS)

Roles and Responsibilities

If you fail to assign activities to a team member who is accountable,

“lost risks” can result.

Minimum requirements:

• Well-defined roles and responsibilities

• Assigned risks identified by the project manager

Schedule

Schedules spiral out of control because dates and deliverables are not

aggressively monitored and tracked on a daily basis. All too often,

managers leave issues unresolved for days, which results in schedule

overruns. Schedule overruns increase the risk that the project will fail

to meet stakeholder expectations, lose support, miss obligations to

provide work products for dependent projects, or lose resources to

other commitments.

Minimum requirements:

• A master schedule with identified company-controlled milestones

• Milestone completion criteria and dictionary

• Documented assumptions

• Schedule contingency

Cost Estimates

Failing to develop estimates using a methodical process associated with

specific WBS elements increases the risk that unplanned costs will be

incurred without producing useful deliverables.

Minimum requirements:

• Traceable to the work package definition

• Documented estimates’ bases and assumptions

• Justified cost contingencies

Performance Analysis Reporting

Poor and untimely performance analysis increases the risk that

indicators of whether the project will meet its objectives are delayed.

Minimum requirements:

• Periodic project status reviews

• Identified performance analysis parameters, data specification, and report frequency

Funds Management

Lack of secure funding increases the risk that the project will become

insolvent.

Minimum requirements:

• A funding commitment plan

Accounting

Inaccurate cost reporting increases the risk of failing to detect and

deter fraudulent activities.

Minimum requirements:

• Cost collection consistent with a time-phased cost budget and cost accounting standards

Work Authorization

Without authorization at the start of every assignment, the

project manager may consume too much of the project budget and

increase the risk of having to do rework due to poor process discipline.

Minimum requirements:

• Formal work authorization process

Change Management

Failing to manage baselines by not defining a process and authority for

changes to them, especially the scope baseline, can greatly increase

the risk that the project will slip out of control. Failing to manage

baselines and not using integrated change control properly increases

the risk that the project will run out of time and money.

Minimum requirements:

• Defined thresholds and authority for baseline changes

• Defined thresholds and authority for small changes

Tailoring Project Management Processes to Match Risks

Tailor project management techniques to manage the project risks as

efficiently as possible. This includes focusing management attention on

the information needed to manage the project risks. Most project

managers find themselves in a “data rich, analysis poor” environment.

For example, project management software typically provides many

types of reports. The project management team must select and tailor

the reports that are best suited to managing the project risks. The

reports should be both timely and focused on highlighting risk triggers.

For example, the frequent reporting of schedule and cost status at the

work package level allows the project management team to detect

problems with project work before they become significant.

As another example, tracking the rates at which defects are reported

and closed during a testing phase allows the project management team

to determine whether they are keeping up adequately, and even to

identify problem areas in the construction and design processes and

deliverables. If the project management team acts promptly, they can

eliminate problems whose impact might otherwise continue to grow.

Tailoring also results in the most cost-effective selection of the project

management software for the project. Proper tool selection focuses on

managing the kinds of risks that could significantly affect the project.

This allows the project manager to apply appropriate project

management control processes in these areas. Correctly tailoring the

use of software to manage the project reduces costs by minimizing the

data collection and reporting effort.

A Basic Process for Developing a Risk Response

The project manager needs a strategy to deal with all the risks on the

project. The process begins by identifying and analyzing each risk in

order to understand it in terms of probability and impact. The best

strategy is to deal with each variable of probability and impact

separately.

TIP

Select the strategy that will be the most effective for the risk. Then

develop specific actions to implement the strategy. It is wise to have a

backup strategy for the risk.

First, project managers should focus on dealing with the probability of a

given risk by striving to reduce that probability as much as is practical

for the expense involved.

This type of mitigation is known as prevention. For example, to prevent

forest fires as much as possible, the U.S. Department of Agriculture

Forest Service created the “Smokey the Bear” education and awareness

program.

This program seeks to teach visitors to forests how to behave to

minimize the possibility of their starting an accidental fire. However,

once a fire starts, this program has no impact on the fire’s damage.

Next, if in spite of preventive measures taken, the team cannot prevent

the risk, and if the impact is substantial, the risk responses plan must

include a contingency plan designed to reduce the impact as much as

practical for the expense involved.

Attempting to minimize the impact of a risk once it has occurred is

containment. In the forest fire example, the U.S. Department of

Agriculture Forest Service created the Fire Management Program to

respond quickly to large fires. The Fire Control Service of the Forest

Service also maintains communication with a community of state fire

responders to share best practices in fire control. These strategies serve

to contain the growth of fires that cannot be prevented.

Given a framework for planning the response, where do the ideas for

risk responses plans come from? Project management teams can utilize

the familiar techniques of brainstorming, experience, and lessons

learned. The collective experience of senior management and staff

members on other projects in the organization is a valuable resource. If

the project manager lacks experience or expertise in a specific area,

hiring a consultant may be helpful. The cost should yield many times its

worth in risk reduction.

Contingency reserves in the form of time, money, or resources are often

set aside to absorb the impact of both known and unknown risks. It is

important to note that money allocated for a specific risk should not be

transferred or reallocated to a different risk once the period for the risk

to occur has passed. Do not use these funds to compensate for poor

planning that causes changes in scope or quality. In this situation, if a

new risk impact needs to expend some of the reserves no longer needed

when the first risk failed to materialize, a change request needs to be

submitted instead.

Basic Process for Developing Responses to Negative Risk

The basic process for developing risk responses includes these activities:

• Brainstorm several solutions

This may be a team exercise or a task delegated to the owner of the

risk. There is usually a benefit to developing several approaches and

it may require different individuals and thinking styles to formulate

these solutions. The general strategies commonly applied are

avoidance, transference, mitigation, and acceptance.

• Decide which strategy will be most effective

The first choice should normally be avoidance, designed to eliminate

the possibility of a risk event. Typically these are less expensive and

therefore quite cost effective.

For risks that cannot be avoided, attempt to either transfer the risk,

or mitigate it by reducing the probability and/or impact. If neither

of those options is open, or, if you are unable to identify any other

suitable responses, you may need to accept the risk without

changing the project management plan.

Given several strategies, choose the most cost-effective one. This is

done by estimating the new probability and impact factors,

assuming the strategy is effective. Divide the reduction in the risk

factor by the cost of the solution to determine a relative leverage or

return-on-investment (ROI). In addition to the ROI, make sure the

strategy really reduces the risk to an acceptable level and takes into

account the total cost impact of the risk event, including possible

secondary, downstream impacts.

• Design a specific, written action plan

Given the selected response, ensure that it includes a written,

detailed action plan describing the assignment of specific individuals

and due dates.

The risk responses plan should include monitoring of the “risk

trigger” on a periodic basis to ensure that the risk has not

materialized. It should also define the time period of the “threat

window” so it is clear when the risk may be closed and unused

resources and contingency budget released. For example, a

“requirements risk” may no longer be a concern after closeout of

the design phase.

• Consider fallback plans

Ensure the action plan includes the contingency plan for actions to

be employed if avoidance, transfer, and mitigation fail and the risk

event still occurs. You want to be prepared to minimize this impact

as quickly as possible. It is very difficult to react effectively and

efficiently to a crisis without advance preparation.

• Consider when the risk may occur

Risks change as a function of time. There may be a fixed window of

opportunity during which either the risk may strike, or preventive

action has a chance of stopping the risk. This may cause the project

manager to focus resources on a risk that would otherwise be

considered a lower priority. If the risk does not occur, those

resources are then reallocated to other risks.

• Consider secondary and residual risks

Risk responses will normally have an effect on other risk elements of

the project. Consider these secondary effects before committing

resources to a plan.

Ranking risks merely on P x I may not always be sufficient. A risk

that will strike tomorrow may be more urgent than one that is not

going to take effect until a month from now. Some risk responses

have effects on more than one risk. This allows some economy

(more “bang for the buck”) in risk responses.
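
The leverage calculation from the "Decide which strategy will be most effective" step above, as an added Python example that is not part of the original guide. The risk, the three candidate responses, their figures and the acceptable residual level are constructed for illustration; counting secondary-risk exposure toward the residual is an assumption based on the "secondary and residual risks" step.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # chance the risk event occurs, 0..1
    impact: float       # total cost impact if it occurs, downstream effects included

    @property
    def factor(self) -> float:
        """Risk factor as used in the guide: P x I."""
        return self.probability * self.impact


@dataclass(frozen=True)
class Response:
    name: str
    cost: float                      # cost of implementing the response
    new_probability: float           # estimated P, assuming the response is effective
    new_impact: float                # estimated I, assuming the response is effective
    secondary_exposure: float = 0.0  # P x I of secondary risks the response creates


@dataclass(frozen=True)
class Evaluation:
    response: str
    residual: float    # exposure left after the response, secondary risks included
    reduction: float   # drop in the risk factor
    leverage: float    # reduction divided by cost (the guide's relative ROI)
    acceptable: bool   # residual is at or below the agreed threshold


def evaluate(risk: Risk, response: Response, acceptable_residual: float) -> Evaluation:
    residual = response.new_probability * response.new_impact + response.secondary_exposure
    reduction = risk.factor - residual
    if response.cost > 0:
        leverage = reduction / response.cost
    else:
        # A free response has unbounded leverage if it helps at all, none otherwise.
        leverage = math.inf if reduction > 0 else 0.0
    return Evaluation(response.name, residual, reduction, leverage,
                      residual <= acceptable_residual)


def choose_response(risk, responses, acceptable_residual):
    """Highest-leverage response among those that reach an acceptable residual.

    Returns None when no candidate qualifies, which is the point at which the
    team has to combine responses, find new ones, or consciously accept the risk.
    """
    candidates = [evaluate(risk, r, acceptable_residual) for r in responses]
    viable = [c for c in candidates if c.acceptable and c.leverage > 0]
    return max(viable, key=lambda c: c.leverage, default=None)


# Constructed sample data (not from the guide).
RISK = Risk("Key supplier delivers late", probability=0.4, impact=200_000)
RESPONSES = [
    Response("Qualify a second supplier", cost=10_000,
             new_probability=0.1, new_impact=200_000),
    Response("Add an expedited-shipping clause", cost=4_000,
             new_probability=0.4, new_impact=100_000),
    Response("Bring the work in-house", cost=50_000,
             new_probability=0.0, new_impact=0.0, secondary_exposure=15_000),
]
ACCEPTABLE_RESIDUAL = 25_000

if __name__ == "__main__":
    for r in RESPONSES:
        e = evaluate(RISK, r, ACCEPTABLE_RESIDUAL)
        print(f"{e.response:34s} residual={e.residual:>9,.0f} "
              f"leverage={e.leverage:5.2f} acceptable={e.acceptable}")
    print("Selected:", choose_response(RISK, RESPONSES, ACCEPTABLE_RESIDUAL))
```

The shipping clause has the best leverage but leaves too much residual exposure, so it is rejected in favor of the second supplier.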

Risk Triggers

DEFINITION: TRIGGERS

“Indications that a risk has occurred or is about to occur. Triggers may be

discovered in the risk identification process and watched in the risk

monitoring and control process. Triggers are sometimes called risk

symptoms or warning signs.”

PMBOK® Guide, Fourth Edition

For each risk response, an indicator must be specified that will either

give advance warning that the risk is about to materialize, or in the

worst case, that it has already materialized. A threshold value may

need to be specified. If the risk trigger crosses the threshold, the risk

owner must act.

This threshold value may be “does not exist.” When the trigger event

appears, it is time to activate the risk contingency plan. In other cases,

the threshold value may be a numeric quantity, such as “five defects

per document page.”

Periodically monitor the risk trigger to ensure that the risk event is

detected promptly. In the ideal case, an automated system monitors

the risk trigger constantly and then sends a notification to the risk

owner when the trigger crosses a risk threshold.

In other cases, project management must review the trigger indicator

regularly. For example, if the number of issues opened vs. closed each

week continues to increase, the project manager should note the trend

at each weekly status meeting. When the number increases for four

weeks in a row, the project manager should take action to determine

the causes for this as well as for the team’s failure to close the existing

issues at an equal or better rate. The project manager may determine

that the product design is seriously flawed and that this is now

manifested in design-related issues that are difficult to resolve.
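
The two kinds of trigger described above (a numeric threshold and a trend sustained for four weeks), as an added Python example that is not part of the original guide. The weekly figures are constructed, and reading "the number" in the issues example as the open-issue backlog at the end of each week is an assumption.

```python
from itertools import accumulate


def open_backlog(weekly_counts, starting_backlog=0):
    """Open-issue count at the end of each week, from (opened, closed) pairs."""
    deltas = [opened - closed for opened, closed in weekly_counts]
    return list(accumulate(deltas, initial=starting_backlog))[1:]


def first_trend_trigger(values, baseline, weeks_required=4):
    """First week (1-based) that completes `weeks_required` consecutive increases.

    A flat or falling week resets the run, so an old streak cannot combine
    with a later one. Returns None if the trigger never fires.
    """
    run = 0
    previous = baseline
    for week, value in enumerate(values, start=1):
        run = run + 1 if value > previous else 0
        if run >= weeks_required:
            return week
        previous = value
    return None


def first_threshold_trigger(values, threshold):
    """First week (1-based) in which the indicator reaches the threshold."""
    for week, value in enumerate(values, start=1):
        if value >= threshold:
            return week
    return None


def check_triggers(weekly_counts, starting_backlog, defects_per_page,
                   threshold=5.0, weeks_required=4):
    """Evaluate both triggers; a non-None week means the risk owner must act."""
    backlog = open_backlog(weekly_counts, starting_backlog)
    return {
        "backlog": backlog,
        "trend_week": first_trend_trigger(backlog, starting_backlog, weeks_required),
        "threshold_week": first_threshold_trigger(defects_per_page, threshold),
    }


# Constructed sample data (not from the guide).
WEEKLY_ISSUES = [(12, 10), (9, 9), (14, 11), (13, 12), (15, 9), (11, 10), (8, 12)]
STARTING_BACKLOG = 20
DEFECTS_PER_PAGE = [2.1, 3.4, 4.8, 5.2, 4.9]  # one review result per week

if __name__ == "__main__":
    result = check_triggers(WEEKLY_ISSUES, STARTING_BACKLOG, DEFECTS_PER_PAGE)
    print("Backlog by week:      ", result["backlog"])
    print("Trend trigger week:   ", result["trend_week"])
    print("Threshold trigger week:", result["threshold_week"])
```

Week 2 is flat, so the run of increases restarts in week 3 and the trend trigger does not fire until week 6.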

Topic 4: Outputs from the Plan Risk Responses Process

The outputs from the Plan Risk Responses process are:

• Risk register updates

• Risk-related contract decisions

• Project management plan updates

• Project document updates

The project management plan will be used by other planning processes

to revise the project work breakdown structure, activity list, schedule,

budget, and resource assignments in order to accommodate the

activities specified in the risk responses plans.

The risk-related contractual agreements are forwarded to the cost

management processes for inclusion in the budget, and to procurement

management to manage their implementation, monitoring, and closure.

In addition, the use of risk responses to address stakeholder risk

tolerance supports the project communications management objective

of managing stakeholder expectations.

Risk Register Updates

Risk register updates are the primary outputs from the Plan Risk

Responses process. The updates consist of risk responses, and they vary

according to company policies and standards and the types of risks

identified.

Components to consider in the risk responses include:

• Identified risks, their descriptions, and area(s) of the project affected

• Risk owners and responsibilities

• Results from the qualitative and quantitative risk analysis processes

• Agreed responses, including avoidance, transference, mitigation, or acceptance for each negative risk or threat

• Agreed responses including exploiting, sharing, enhancing, or acceptance for each positive risk or opportunity

• The level of residual risk expected to remain after the strategy is implemented

• Specific actions to implement the chosen response strategy

• Budget and times for responses

• Contingency plans and fallback plans

Although there is no established or required format or content for risk

responses in the risk register, include these items:

• Brief summary of the project phase, scope, schedule, and cost objectives. These summaries are useful since a project management plan may not always be available to use with the risk responses documentation.

• All documented assumptions that were used in determining, defining, and analyzing risks. This will help when the project is reviewed and risk responses plans are evaluated for their adequacy in addressing the risk.

• For each selected strategy:

  - The person accountable for managing or mitigating the risk (the “risk owner”)

  - The management or mitigation strategy

  - Expected closure dates

  - A risk impact table

  - Risk analysis and identification form

  - Risk screening questions

  - Other information used by the team as appropriate for future reference and to assist in subsequent reviews and updates

Risk Owner

The risk owner is responsible for monitoring the stated risk trigger and

invoking the risk responses plan when the trigger event materializes. A

drill exercise is sometimes used to test whether risk owners will be

effective. If the risk owner fails to detect the simulated trigger event or

fails to activate the risk responses plan effectively, promptly address

the failure, and then carry out a new drill to prove that the problem has

been fixed.

Timing

Revise or update a risk response whenever a subsequent risk analysis

shows a change in the risk or in the risk management and mitigation

strategy. Each revision needs to be dated and summarized by a list of

the sections that were revised, with enough detail to explain the

significance of the change.

CAUTION

Project teams often fail to develop and maintain adequate risk response

documentation even after they have successfully identified and analyzed

risks. Implementing the risk responses is also a weak point; often the

response is published to the assigned risk owners without explaining their

required roles and responsibilities in it.

The only successful risk response is one that is understood by all

participants and will be activated promptly when the risk trigger is

detected.

Residual Risks and Secondary Risks

In many cases, it is not feasible or cost-effective to eliminate a risk

completely. Residual risks are those risks that remain even after a risk

response plan is developed.

Secondary risks are those risks that result from implementing a risk

response. In some cases, an additional risk response plan may be

needed to mitigate or transfer the secondary risk.

After creating the risk responses plan, update the risk register to reflect

the new information. Over time, as response plans are executed or the

window for the risk event to occur passes, the risk impact or its

probability will be minimized.

Many risks are never entirely prevented and residual risks may remain in

place of the original risks. There may be secondary risks that have been

caused by the risk response plans.

Contingency Reserve Amount Needed

Contingency reserve is the schedule or cost margin set aside to absorb

the impact of known risks so that their impact does not cause the

project objectives to be missed.

Probabilistic analysis and identified risk thresholds help the project

manager determine the amount of buffer or contingency needed to

reduce the risk of overruns of project objectives to an acceptable level.

The contingency reserve can be used to mitigate cost or schedule risk if

changes in the scope or quality occur. For example, if the project

begins to fall behind schedule due to a lack of skilled workers, funds

can be allocated to hire a consultant/contractor to provide training to

the staff. Fallback plans are alternative strategies that can be

implemented if a high risk is realized or planned risk reduction efforts

fail.

While the entire project may have an overall risk responses plan, it is

important to understand that the previously developed plan is an overall

methodology. It is reconsidered during the Plan Risk Responses process

to document details for responding to each specific risk.

Methods to Determine Contingency

Contingency may be needed in a cost budget or in a schedule. Often

companies have a standard 10% management reserve that is held aside

to account for unknown risks (that have not yet been identified, but as

history shows, appear sooner or later).

Management Contingency Reserve (Management Reserve)

Contrasted with Contingency Reserve

These two reserve types are often confused with each other, sometimes

lumped under the common reference of “contingency reserve.”

Experience tells a project manager that unforeseen events occur that

could affect the cost or schedule performance of the project. These

may include the “normal risks” retained that were not prioritized as

high-risk events.

To offset this, organizations often use a management contingency

reserve. A management contingency reserve is an additional

commitment of funds used to address what are called the “unknown

unknowns” — the risks that the team simply failed to foresee. The

management contingency reserve is never part of the project budget

and so does not factor into the project cost calculations.

To determine the right size of management reserve, the team must rely

on prior experience and on risk thresholds set in organization policy and

standing practice.

Often, project budgets have a 10% contingency reserve added to them,

which is not allocated to any WBS element, and is simply available for

the project manager to allocate when a problem arises. Sometimes, the

organization will also allocate an additional management contingency

reserve for the project. This reserve is only available to the project

manager by request from senior management.

A similar reserve may be added to the project schedule. As long as the

problems the project experiences do not fully consume either of these

contingency reserves, the project will meet its cost and schedule

budgets, even though the team could not foresee the nature or size of

the problems themselves.

Contingency reserve is for the “known unknowns,” usually in terms of

money or time, to support contingency plans. For example, in the

following table the price of fuel or the availability of a resource may

not be known, but must be planned into the project budget or schedule.

Contingency is often calculated as a percentage of the total project

cost.

MANAGEMENT RESERVE | CONTINGENCY RESERVE
Used to deal with “unknown unknowns” | Used to deal with “known unknowns”
Used to counteract unforeseen changes to project scope and cost | Used to plan for risk events
Not part of the project cost baseline, nor earned value calculations | Not used to compensate for poor planning
Example: unexpected labor strike | Example: Price of fuel, resource availability
Authorized by senior management | Authorized by the project manager
Not part of the project budget | Part of the project budget

EXAMPLE: RISK RESPONSE PLAN

Based on the risk analysis she'd done, the PM for Capital Flyer Corporate

Customer Satisfaction Project was able to define contingencies and

alternatives regarding the 2nd-point-of-origin initiative.

To view her risk response plan, see Appendix C.

Risk-Related Contract Decisions

Contract decisions, such as agreements for insurance or services that

can transfer the risk, may be used to identify each party’s responsibility

for specified risks. The risk-related contract decisions are provided as

inputs to the Plan Procurements process.

Project Management Plan Updates

The project management plan must be updated to reflect the activities

and costs required to support the risk responses. Most likely, the project

manager will be allocating additional budgeted activities and adding

new schedule events. The project manager may also expand the use of

procured services or contractual agreements to formally acknowledge

risks and either limit them or transfer liability for some of them.

Components to change may include the quality, procurement, and

human resource management plans. The work breakdown structure,

schedule baseline, and cost performance baseline may require revision.

Most responses to risk involve expenditures of additional time, cost, and

resources, and lead to changes in the project plan. Organizations

require assurance that spending is justified for the level of risk

reduction.

Project Document Updates

If a process or product is changed as a result of the Plan Risk Responses

process, then the project documentation also needs to change.

Documents that require change may include:

• Assumptions log updates

Assumptions might change with the application of risk responses.

• Technical documentation updates

Applying risk responses might affect technical methods and physical deliverables.

EXAMPLE: RISK RESPONSES SECTION OF THE RISK REGISTER WORKSHEET

The risk register includes a response plan for each risk.

EXERCISE: UPDATES TO THE RISK REGISTER – RISK RESPONSES

Create updates to the risk register to include risk responses.

See Exercise 6-1, in Appendix A of this Participant Guide.

The following table is an example of a risk register worksheet with the

risk response section completed.

Project: Mountaintop Hotel

Risk Identification & Analysis

Identified Project Risk | P | I | RS | Risk Category
Transportation Strike | .3 | .4 | .12 | K. Labor Skills, availability

Description of Identified Risk:

Because materials need to be transported to the project location, any change in the conditions of site transportation, including a strike of transportation workers, could affect the project. A strike would result in schedule delays.

Assumptions/Basis:

Because of project location, most materials will be transported by truck. Although no Teamsters strike has affected this geographic region for 20 years, the consequences of a strike could set the project schedule back by more than 30 days.

Risk Response Planning

Strategy Chosen:

Opportunity: Exploit / Share / Enhance / Accept

Threat: Avoid / Transfer / Mitigate / Accept

Trigger measure to be monitored and source: Contract negotiations; news media

Threshold Condition: Three days of unsuccessful negotiations between Teamsters and truck companies

Potential secondary risks (risks arising from implementing this plan): Our shippers may not be available on requested schedule for all needed overtime

Residual risk (Estimated remaining P, I, and RS after Risk Response is implemented): (P = .1) x ( I = .3) = (RS = .03)

Preparatory Plan: Actions to take before risk materializes

Plan Description | Who Performs | Cost / Schedule Impact | Date Due

Contingency Plan: Actions if the risk is triggered

Plan Description | Who Performs | Cost / Schedule Impact
Pay overtime to our shippers to transport materials. | Team leader | $10,000

Risk Owner: Team Leader

Module Summary

ADDRESSING THE BUSINESS CHALLENGE

At their weekly planning meeting, Ana leads the team in developing

appropriate risk responses: timely, cost-effective, realistic, and appropriate

to risk severity. They discuss strategies to respond to project threats – ways

to avoid, transfer, or mitigate the risk. And, as Hannah points out to Jack,

they need equal time to consider ways to exploit, share, and enhance

opportunities. Ana will take the results of the meeting and design a specific

action plan with fallback options.

The Plan Risk Responses process involves developing options and

determining actions to enhance opportunities and reduce threats to the

project’s objectives. A risk response plan must be appropriate to the

severity of the related risk and is dependent upon inputs from the

Identify Risks, Perform Qualitative Risk Analysis, and Perform

Quantitative Risk Analysis processes.

Select the risk response strategy most likely to be effective for each

risk. Write the risk response plan to the level of detail at which the

actions will be taken.

Module 7

Monitor and Control Risks

Module 7: Monitor and Control Risks

Module Introduction

The Monitor and Control Risks process implements risk response plans,

tracks identified risks, and identifies new risks. The process also

monitors residual risks and evaluates the effectiveness of the risk

processes throughout the project.

The Monitor and Control Risks process is ongoing through the life of the

project because risks change as the project matures. In the process,

new risks may develop and other risks may disappear.

This module:

• Describes the Monitor and Control Risks process

• Identifies the inputs, tools and techniques, and outputs of the Monitor and Control Risks process

Module Objectives

Upon completion of this module, the participant will be able to:

• Define the Monitor and Control Risks process

• Place the Monitor and Control Risks process within the context of the project management framework

• Identify and describe the inputs, tools and techniques, and outputs of the Monitor and Control Risks process

• Choose appropriate techniques to track identified risks, monitor residual risks, and identify new risks

Topic 1: Overview of the Monitor and Control Risks Process

THE BUSINESS CHALLENGE

In any project, it's inevitable that a risk trigger occurs.

Ana knew it would happen, and now it has: BigFish Puppets, a nationally

renowned street theatre company, is missing its star performers. The

group's artistic director calls to tell her they've got a crisis. They've just

returned from a prestigious theater festival in the UK. Problem is, their

puppets haven't. The puppets seem to be somewhere in Asia. The shipping

company is trying to track them down, and the artistic director is beside

himself with worry. He's hopeful they'll eventually turn up, but whether or

not it's in time for the parade is something he can't guarantee.

Posters for the parade feature pictures of BigFish Puppets, and the group is

prominently mentioned in the press release. Now, there's a real possibility

the group may not make it to perform at the SummerFest parade.

• How can Ana monitor and control this risk?

Monitor and Control Risks is the process of tracking identified risks,

monitoring residual risks, and identifying new risks. The project

manager is responsible for ensuring the proper execution of the risk

management plan and for evaluating the effectiveness of the entire risk

management process.

The Monitor and Control Risks process is an iterative process. It

continues throughout the project, because risks change as the project

matures. New risks may develop, while other risks may disappear.

Figure 7-1 shows that the Monitor and Control Risks process occurs in

the Monitoring and Controlling Process Group.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 7-1. Project Risk Management Process Group Map: Monitor and

Control Risks

As a project is executed, project controls are in place to ensure that

results are meeting expectations, and, if they are not, that corrective

action is initiated.

DEFINITION: MONITOR AND CONTROL RISKS

“The process of implementing risk response plans, tracking identified risks,

monitoring residual risks, identifying new risks, and evaluating risk process

throughout the project.”

PMBOK® Guide, Fourth Edition

During execution of the project, the Monitor and Control Risks process is

evident when the project manager and team meet regularly to review

the project and the status of its associated risks. A quality assurance

audit, intended to verify the risk management practices, looks for:

• Evidence of regular meeting minutes

• An up-to-date risk database

• Metrics reports that show that the overall trend of the risk profile (of probability and impact) is decreasing throughout the project life cycle

Post a current risk list on the project room status board. Risk response

action plans show that assigned tasks were performed and closed out.

Purpose of Monitor and Control Risks Process

The purpose of the Monitor and Control Risks process is to:

• Monitor symptoms and warning signs of identified risks

• Reevaluate watch-list risks

• Identify, analyze, and plan for new risks

• Ensure that risk responses are implemented as planned

• Monitor residual and secondary risks after the planned responses are activated

• Evaluate the effectiveness of the planned response in reducing risk

• Document risk metrics that are associated with implementing contingency plans

An effective Monitor and Control Risks process provides data to help

make informed decisions in advance of the risk occurrence.

Monitor and Control Risks is an ongoing process that lasts the life of the

project. The process is responsible for tracking and acting upon this

information:

• Changes in risks as the project progresses

• New risks as they develop, and whether or not they were successfully identified and managed before they materialized

• The effectiveness of planned risk responses

• Whether or not risks materialized, and why

Monitoring Risks

Risk monitoring helps to ensure that risk practices are being enforced

proactively to keep risk managed, as opposed to reactively (for

example, only preparing to deal with risks once they materialize).

The purpose of monitoring risks is to determine if:

• Project Risk Management processes are being carried out.

• A risk exposure has changed.

• A risk trigger has occurred.

• Risk responses have been implemented as planned for risks that have materialized.

• Risk response strategies are effective, or if new responses should be developed.

• Project assumptions are still valid.

• Project contingency reserves for cost and schedule remain adequate to meet project objectives.

In addition, monitoring risks may determine whether the proper policies

and procedures have been followed, or whether risks have occurred that

were not previously identified.

Controlling Risks

The purpose of controlling risks is to help ensure:

• Management plans allocate the resources to appropriate activities in managing risks

• Alternative risk response strategies are selected

• Appropriate contingency plans are implemented

• Corrective actions are taken

• Resources that were previously allocated to other risks are redistributed once the associated risk is no longer present

• Changes to scope, budget, or schedule up to the point of requiring re-planning of the project are implemented

As part of risk control, planned risk responses are implemented by the

risk response owner. The risk response owner reports to the project

manager on:

• The effectiveness of the risk responses

• Whether any side effects of the risk response have been observed in the form of residual or secondary risks

• Whether any additional actions are needed to further mitigate or enhance the risk

Suggested Best Practices for Monitor and Control Risks

As part of the weekly team status meetings, the project manager needs

to insist that team members provide reports on the progress against

risks. Some risks may need to be reviewed daily depending on severity.

Monitoring of trends in the appropriate risk triggers serves as an

indicator to signal when to activate planned risk responses.

The project manager can use periodic working sessions to identify and

assess risks to keep the stakeholders apprised of risk-related issues. If

the project manager has to communicate bad news to a stakeholder

when an identified risk is realized, the stakeholders will not be

alarmed. They will understand the necessity for the risk response

because their expectations concerning the risk and its impact will have

been properly set.

The main indication that the Monitor and Control Risks process is being

successfully applied is the prompt implementation of planned risk

responses when risks materialize. Although some of the project tasks

may require more time or budget than planned, there are adequate

contingency reserves to make up the shortfalls, and the total project

schedule and budget are not expected to be overshot.

Responsibilities of the Risk Response Owner

The risk owner’s role involves monitoring the risk trigger for each

assigned risk and initiating the planned risk responses when the trigger

event occurs. The risk owner’s responsibilities include:

• Monitoring the risk trigger often enough to allow timely implementation of the planned risk responses

• Correctly identifying the trigger event when it appears

• Acting promptly and effectively to activate the planned risk responses once the trigger event is detected

• Implementing the risk responses as planned and correcting any deviations from the plan

• Determining whether the risk has been effectively addressed (avoided, transferred, mitigated, or accepted) by the risk responses

• Informing the project manager and other affected parties of the planned risk responses' effectiveness

• Determining whether secondary or residual risks are now present as a consequence of implementing the planned risk responses

• Participating in identifying and implementing corrective actions if the planned risk responses fail to address the risk as planned

A drill exercise is sometimes used to test whether risk owners will be

effective at carrying out their responsibilities. If the risk owner fails to

detect the simulated trigger event or fails to activate the risk response

effectively, promptly address the failure, and carry out a new drill to

prove that the failure will not recur.

Comparing Project Risk Management to Project Management

In the Project Risk Management Knowledge Area, each individual risk

response is planned as a miniature or subproject with established scope,

budget, and schedule. The project manager must ensure that these

plans are not overlooked or pushed out of the way. In this process,

project management and Project Risk Management are very similar. A

good project manager is a good risk manager, and vice versa. The same

principles of good common sense, alertness, planning, execution,

monitoring, and control apply to both.

Interactions with Other Processes

Figure 7-2, the Monitor and Control Risks process data flow diagram, shows how

inputs are transformed through tools and techniques into outputs.

PMBOK® Guide, Fourth Edition

Figure 7-2. Monitor and Control Risks Data Flow Diagram

Overview of Monitor and Control Risks Inputs, Tools and Techniques, and Outputs

Figure 7-3 shows the inputs, tools and techniques, and outputs of the

Monitor and Control Risks process. These inputs, tools and

techniques, and outputs are discussed in detail in this module.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 7-3. Monitor and Control Risks: Inputs, Tools & Techniques, and

Outputs

Topic 2: Inputs to the Monitor and Control Risks Process

The inputs to the Monitor and Control Risks process are the:

• Risk register

• Project management plan

• Work performance information

• Performance reports

Risk Register

The risk register contains the key information that is needed for

monitoring and controlling project risks. The register lists the identified

risks and their assigned owners. It also defines the agreed-upon

responses to each risk and the specific steps to be taken if a risk occurs.

This includes the prior decision as to whether a threat will be avoided,

transferred, mitigated, or accepted; likewise, the register states

whether an opportunity will be enhanced, shared, exploited, or

accepted.

The risk register also identifies the risk triggers that need to be

monitored, as well as potential residual and secondary risks. Risks that

have been defined as low-priority are contained in a watch-list in the

register.

Finally, the risk register documents the reserves allotted to each risk

and its associated response, to provide for time and cost contingencies.

Project Management Plan

The project management plan contains the risk management plan. As

discussed earlier, the project risk management plan defines how and

when to perform risk management activities. The risk management plan

also documents risk tolerances and identifies risk-related roles and

responsibilities, including the risk owners, and other risk management

resources for the project manager.

CAUTION

The risk management plan is different from the risk register. The risk

register contains specific risk data, such as the list of identified risks, the

results of risk analyses, and the planned risk responses.

Work Performance Information

Work performance information provides data on the status of project

activities. If project deliverables are not being completed on a timely

basis, at or below the planned cost, and with no more than a tolerable

level of defects, a risk trigger event may have already occurred or be

about to occur.

Some of the performance results that might impact project risks are:

• Deliverable status

• Schedule progress

• Costs incurred

For example, if a significant project deliverable is forecasted to be

more than 10% late, the associated activity may be at risk, and the

cause needs to be identified. If the cause turns out to be one of the risk

trigger events, then the associated planned risk responses must be

implemented.

An example of such a cause is slow performance of a vendor because

they have lost a critical resource. The associated risk is that the

project’s scheduled completion date will be missed.

Performance Reports

Performance reports are an output of the Report Performance process

in the Project Communications Management Knowledge Area. These

reports organize, summarize, and analyze performance measurements.

Then the reports present the results of the analysis as compared to the

performance measurement baseline.

The performance reports provide specific data on project work

performance, including:

• Variance analysis

• Earned value data

• Forecasting data

Performance reports help to ensure that project stakeholders receive

the appropriate risk information. It is vital that this information be

timely. One pitfall for risk owners is to monitor the sources of risk

triggers too infrequently for the sources to be of any use.

For example, if a problem occurs which is only reported to the project

sponsor in a quarterly project status report, it may be almost three

months before the sponsor is advised of the trigger event. It will very

likely be impossible for the project sponsor to act promptly enough to

implement an otherwise well-planned risk response in a timely manner.

Topic 3: Tools and Techniques for the Monitor and Control Risks Process

The tools and techniques for monitoring and controlling risks are:

• Risk reassessment

• Risk audits

• Variance and trend analysis

• Technical performance measurement

• Reserve analysis

• Status meetings

Risk Reassessment

Risk reassessments need to be regularly scheduled throughout the

project to:

• Identify new risks

• Reassess previously identified risks

• Close outdated risks

The amount and detail of work required in these periodic reassessments

may reflect the nature of the project, including the size and complexity

of the project and whether adequate progress is being made.

Additional risk responses may need to be planned if a new risk emerges,

or if an identified risk's potential impact has changed since the previous

analysis. If the originally planned risk responses are found to be

inadequate, emergency action may be warranted.

Risk Audits

Risk audits examine and document:

• Effectiveness of risk processes and the people involved

• Effectiveness of risk responses and whether the responses were carried out as planned

• Effectiveness of risk owner performance

Risk audits need to be performed at a frequency that is appropriate to

the size, duration, and complexity of the project. The frequency of risk

audits is specified in the risk management plan. The project manager is

responsible for ensuring that the audits adhere to the plan.

The project manager defines and documents the format and objectives

of the risk audits before the audit begins.

Variance and Trend Analysis

Variance analysis is a technique for comparing the planned results to

the actual results.

DEFINITION: VARIANCE ANALYSIS

“A method for resolving the total variance in the set of scope, cost, and

schedule variables into specific component variances that are associated

with defined factors affecting the scope, cost, and schedule

variables.”

PMBOK® Guide, Fourth Edition

Trends in metrics related to the project’s performance should be

reviewed periodically using performance information. One method of

monitoring variance and trends is earned value analysis, and other

methods may also be appropriate. The results of the analyses are used

to forecast the project’s estimate at completion for cost and schedule.

If the forecasted results differ significantly from the original targets, a

risk may have materialized even though no other trigger may have

appeared.

The project manager can also use trend analysis to monitor project risks

from the time they are originally analyzed through each reassessment.

Figure 7-4 shows a sample risk trend analysis report. It provides a visual

representation of the risk assessment for a specific risk.

Adapted from the PMBOK® Guide, Fourth Edition

Figure 7-4. Sample Risk Trend Analysis Format

In Figure 7-4, there is a threat that unresolved interface requirements

and design problems will appear. The initial analysis graded this risk as

having a “medium” risk factor for the duration of the phases shown. A

later reassessment at the beginning of the Requirements Analysis phase

determined that the risk had reached a “high” level, so the contingency

plan of prototyping the interfaces was undertaken.

Once the prototyping was satisfactorily completed, the team

determined the risk as “medium” (as a result of implementing the

planned risk response). Yet another reassessment determined that the

risk had become “low” after the Design phase was completed. As a

result of this latest reassessment, the cost contingency reserve set aside

for the interface development risk was released. During the Monitor and

Control Risks process, maintain this chart with current results to show if

the planned reductions in the risk are actually realized.

Technical Performance Measurement

Technical performance measurement is a monitoring technique that

compares the delivered functionality to the original technical

specifications defined in the project management plan. The technique

relies on objective, quantifiable measures of technical performance.

Technical performance measures may include:

• Weight

• Transaction times

• Number of delivered defects

• Storage capacity

Any deviations from original targets may expose the degree of technical

risk faced by the project, or they may signal that a risk has

materialized.

Figure 7-5 shows how one aspect of a project's technical performance

rises from a mid-range level in the Concept and Preliminary Design

phases to a higher target level in the Detailed Design and Integration

phases.

Figure 7-5. Sample Technical Performance Chart

In Figure 7-5, two sample measures, represented by the black circles,

have been taken and used to determine confidence intervals for the

project’s actual performance, represented by the I-bars. Note that the

project’s planned technical performance forecasts that the project’s

rating will start at 5 in February and increase to 9 by August.

If the project’s technical performance falls significantly below plan and

then appears to make a remarkable recovery, there may be other

factors in play. Since this is a rare phenomenon, the project manager

needs to confirm that the measures are accurate and that there are no

other factors that might jeopardize the project in later stages, such as

high and constant levels of overtime, or activities being omitted.

Reserve Analysis

Reserve analysis compares the remaining contingency reserves with the

remaining risk impacts, to avoid the possibility that reserves will be

exhausted before the project is completed. If risks have materialized

over the life of the project, contingency reserves of budget and

schedule may have been used to mitigate the risks’ impact. If the

reserve analysis shows that the remaining reserves are not adequate,

then it may be necessary to prepare to ask management to make

management reserves available.

Status Meetings

The Project Risk Management activities that need to be included in the

project team’s regularly scheduled status meetings are:

• The project manager, or the assigned risk manager, needs to report to the project team and stakeholders on the progress of each risk.

• New risks need to be identified and analyzed, and response plans need to be prepared.

• For risks that have materialized, any discrepancies between the planned responses and the actions actually taken need to be identified and addressed.

Risks and their impacts change significantly as a project progresses. Risk

reviews within status meetings ensure that the team revisits the risk

processes to consider how the risks and their impacts change over the

project life cycle.

Examples of Risk Review Techniques in Status Meetings

The highest-severity risks need to be monitored the most frequently and

the metrics reported and compared to the trigger criteria. The review

also needs to include some of the medium-level risks to ensure that

they get team attention, but on a less frequent and in-depth basis.

Consider one of these approaches when setting up a risk review process:

• Review 10 of the top risks on a rotating basis, if there are fewer than 30.

• Review the top 20% of the list at every meeting, plus a sampling from lower risks on a rotating basis.

• Review all risks coded as red, and half of the yellows at each session, on an alternating basis.

Remember that the more the risk management activities are integrated into

the project team’s other activities, the easier it will be to discuss,

discover, and manage important risks.

Topic 4: Outputs from the Monitor and Control Risks Process

The outputs from the Monitor and Control Risks process are:

• Risk register updates

• Organizational process assets updates

• Change requests

• Project management plan updates

• Project document updates

Risk Register Updates

Steps to update the risk register may include:

• Incorporating the outcomes of risk reassessments, risk audits, and periodic risk reviews, which may include identification of new risk events.

• Documenting realized risks in the risk register. The actual steps taken and the final cost impact of the risk need to be assessed and recorded for future benefit.

• Closing out entries for risks that can no longer occur. If it is deemed safe to do so, close risks that have not occurred during the expected window of time. This allows the release of assigned resources and contingency reserves and shifts the focus to other risks.

• Updating the risk priority rankings to ensure that the most important risks are being addressed. A risk’s priority ranking may change based on a change in its probability or impact, which should also be recorded.

• Making any necessary changes to the planned risk responses, either in the action steps or the risk owners, in order to manage the risks more effectively.

Organizational Process Assets Updates

In addition to producing information that is useful to the project, Monitor and Control Risks also provides information that can benefit future projects when it is captured in organizational process assets. The organizational process asset updates that relate to risk management reflect lessons learned during the current project. Assets that may be improved include the:

• Template for the risk management plan

• Probability and impact matrix

• Risk categories and/or the risk breakdown structure and risk checklists

• Risk register, including formats of the planned risk responses and the probabilistic project analysis techniques and their formats

• Lessons-learned knowledge repository

Updates to the Identify Risks Checklists

Updating the risk identification checklists will help future projects manage risks more efficiently. This takes place during closeout of the current project phase or at the project end. For evaluating lessons learned related to project risk, document:

• What risks were anticipated?

• Which risks occurred?

• Which risks were not anticipated, but occurred?

• What was the actual impact to cost/schedule for each impact?

• How effective were planned risk responses in mitigating the impact of risks that materialized?

• How effective were the planned risk responses in reducing the probability of risks that did not materialize?

Change Requests

Requests for changes may be necessary to implement contingency plans or workarounds. Workarounds are unplanned responses to risks that were previously unidentified or to accepted risks that have potentially larger impacts than were considered acceptable.

Change requests may also include:

• Recommended corrective actions

  These actions include contingency plans and workarounds intended to bring the project performance back into alignment with the project management plan.

• Recommended preventive actions

  These actions include steps to be taken to reduce the probability that a negative risk will knock project performance out of alignment with the project plan. Upon approval, preventive actions must be documented.

Requested changes that are required to implement contingency plans or workarounds must be submitted to the Perform Integrated Change Control process. Approved changes will be issued to the Direct and Manage Project Execution process and the Monitor and Control Project Work process.

Change requests are required to ensure these outcomes:

• Performance measurement baseline integrity is maintained

• Budgeted contingency reserves remain adequate as the impacts of risks are absorbed

• Changes are coordinated across the entire project management plan

• Spending of contingency reserves to absorb the impact of risk events is controlled

EXAMPLE: CHANGE REQUEST

Capitol Flyer’s CEO had an epiphany, and it means a late-course change for the Corporate Customer Satisfaction Project. With the company encouraging online ticket purchase, he thought it would be great to offer customers the ability to map transit options – or even arrange a car service – from the terminal to their destination address. He wants to add this feature, so the project manager will have to account for the impact of the change.

To see her completed change request, see Appendix C.

Project Management Plan Updates

As the results of the Monitor and Control Risks process are reviewed, change requests may be submitted, approved, and then reflected in the project management plan.

If approved change requests impact Project Risk Management processes, the project management plan must be updated. Most likely, the project manager allocates additional budgeted activities and adds new schedule events. It is possible that a realized risk event will cause a change to one or more of the project baselines.

Project Document Updates

If a process or product is changed as a result of the Monitor and Control Risks process, then the project documentation may also change. The revised risk documents will be used in the future as the new standard.

EXERCISE: MONITOR AND CONTROL RISKS

Respond to an approved change request that generates new risks.

See Exercise 7-1, in Appendix A of this Participant Guide.

EXERCISE: FINAL SCENARIO

Develop a planned risk response using the final scenario case study.

Refer to Exercise 7-2, the Final Scenario, in Appendix A.

CLASS DISCUSSION: MEETING YOUR CURRENT RISK CHALLENGES

In your group, review the five challenges that you identified on the first morning of the class.

• As a group, reflect on each challenge.

• Then each person will use self-stick notes to document how he or she will address the challenges, using learnings from the class.

  ◦ Write one solution per self-stick note.

  ◦ There is no limit to the number of self-stick notes per challenge you may create!

  ◦ Address as many challenges as you can.

• One person will report your team findings to the class.

Module Summary

ADDRESSING THE BUSINESS CHALLENGE

Ana has made sure every weekly status meeting includes a risk report: an occasion to track identified risks, monitor residual risks, identify new ones, execute response plans, and evaluate the effectiveness of those plans.

None of that makes it easy when an unpleasant surprise arrives.

She informs the team about the uncertain status of BigFish Puppets, and together they analyze contingencies, such as costs and logistics of redoing posters. Meantime, Ana checks in daily with the group's artistic director on the status of the missing puppets, hoping they will turn up before the team will have to implement a mitigation strategy.

The Monitor and Control Risks process keeps track of identified risks, monitors residual risks, and identifies new risks. The Monitor and Control Risks process is an ongoing process for the life of the project.

The Monitor and Control Risks process uses:

• Work performance information

• The project management plan to specify how the Monitor and Control Risks process needs to be performed

• The risk register (and its associated risk response plans and risk trigger information)

• Approved change requests, which may result in changes or additions to the identified risks

Appendix A

Exercises

Exercise Table of Contents

Exercise 2-1: Determine Stakeholder Risk Tolerance
Exercise 2-2: Develop a Risk Management Plan
Exercise 3-1: Identify Project Risks
Exercise 4-1: Assess and Rank Risks
Exercise 5-1: Apply a Perform Quantitative Risk Analysis Tool
Exercise 6-1: Select Appropriate Risk Responses
Exercise 7-1: Monitor and Control Risks
Exercise 7-2: Final Scenario

Exercise 2-1: Determine Stakeholder Risk Tolerance

Exercise Description

SummerFest is a case study that is used for practice exercises in this and other project management courses. SummerFest is an annual community fair that includes carnival rides, food concessions, and other attractions that raise money for local charities while providing family fun and boosting community spirit. SummerFest is a fictional event, but it is based in part on research into fairs that are traditional events in many New England communities.

In the case study, SummerFest is treated as a multifaceted project, and it affords many opportunities to apply the principles of project management.

This practice exercise introduces you to the SummerFest case study. Subsequent course practice exercises are based upon the SummerFest case study, so it is important for you to become very familiar with this case study.

The PMBOK® Guide, Fourth Edition, states that the objectives of Project Risk Management are “to increase the probability and impact of positive events, and decrease the probability and impact of negative events in the project.”

Risk management can be affected by various aspects of an organization's culture, such as expectations and behaviors, resistance, and optimism. As you read the case study materials, pay close attention to the project organization and how each group contributes to the project.

The goals of this exercise are to:

Introduce and familiarize you with the course case study

Perform a brief “stakeholder analysis” to determine who the significant stakeholders are, and what their attitude toward risk is

Relate the contents of the case study to the inputs to the risk management planning process

Materials

Project Charter

Project Scope Statement

Work Breakdown Structure

Risk Tolerance Matrix Template

Participant Procedure

1. Read the case study materials listed above.

As you read the project charter and project scope statement, look for elements that represent sources of risk. You may take notes.

Focus on the project objectives and deliverables, especially items related to technical complexity, using procurement, or for which the organization has a weak or empty track record. Consider resources with unproven or shaky performance history, and the lists of project assumptions, constraints, and issues.

2. As you read, perform a “stakeholder analysis” for the course case study. Consider stakeholders who will contribute to the project and who are affected by the project.

In the risk tolerance matrix template, compile a list of significant stakeholders. Identify people by name or role. In the appropriate column, note each person’s relation to the project.

For each of these stakeholders, consider the person’s apparent attitude toward risk. Is the stakeholder risk tolerant, a risk taker, or risk averse? Enter this information in the appropriate column on the template.

Finally, in the reason column, enter information which explains or exemplifies why you identified each person as risk tolerant, a risk taker, or risk averse.

3. Compare your answer with the suggested solution provided.

Summary

Project Risk Management is a proactive process that lets you identify risks that may occur during the life of the project and prepare to address them.

Failing to use Project Risk Management can cause two kinds of negative consequences:

Failure to meet project objectives

Missed opportunities to exceed project objectives

Project Charter

Project Name: SummerFest parade

Project Number: 12-1024

Project Justification

Attendance has been declining during the Saturday of SummerFest town fair. A parade on the Saturday morning of SummerFest can draw more people to the fair; that will boost attendance and generate additional revenues.

Project Description

Parade to run through town streets, with participants to include local and marching bands, civic and community groups, and other performers to be identified.

Objectives and Success Criteria

Draw more people to SummerFest on Saturday

Get local marching bands, performers and civic/community groups to participate

Recruit some well-known performers to attract audience

Project Requirements

Generate additional revenue for SummerFest town fair, and keep costs down to maximize profit.

Anticipated Risks

Weather might cancel parade

No guarantee that parade produces additional revenue for SummerFest

Functional Organizations

Organization              Participation
Citizens Collaborative    Manage, coordinate, volunteer
Board of Selectmen        Initiate project, authorize use of town streets
Police Department         Approve and advise on street/parking restrictions
Shriners Club             Parade participants and consultation

Approval requirements

City officials to review and approve the project plan.

Project manager: Ana Cruz

Authority level

The project manager will convene and run project meetings to define, document and execute all tasks necessary to successfully complete the SummerFest satellite parking project. The project manager will act as the liaison between Citizens Collaborative, the shuttle service provider, and all town offices.

Project sponsor: Hannah Foster

Summary milestones

Kickoff meeting            February
Organize project team      February
Get town approval          March
Set budget                 April
Finalize parade line-up    May

Summary budget

Expenditure type               Cost in dollars
Grand Marshal                  $250
Headline performer             $350
Signs                          $200
Traffic management (police)    $500
Publicity                      $800

Project Scope Statement

Project Name: SummerFest parade

Project number: 12-1024

Project Manager: Ana Cruz

Business case

Add a parade to the Saturday morning of SummerFest town fair as a way to boost attendance and generate additional revenues on a day where the numbers have been declining for the last three years

Objectives

Increase Saturday attendance at SummerFest town fair by 50% over last year's attendance numbers

Recruit a mix of marching bands, performers and civic/community groups to participate

Attract audience from throughout region by recruiting well-known performers

Generate additional revenue for SummerFest through increased attendance

Keep costs under $2.5k to maximize revenue gain

Scope Description

One-hour parade to take place the Saturday morning of SummerFest town fair. Parade route to run through town streets, beginning at Church and Main Streets and ending at fairgrounds. Participants to include local bands and marching bands, civic and community groups, and other performers to be identified. Parade staff will consist of volunteers; parade tasks will be managed by Citizens Collaborative staff and board members. Project team will recruit one "marquee" performance group (paid) to increase audience draw.

Acceptance Criteria

Project plan to be reviewed and approved by Citizens Collaborative BOD prior to submitting to town selectmen and town officials for approval.

Town selectmen, town police, and emergency services will review and approve plan.

Project plan

Risk plan and assessment

Scope statement

Parade route

Line-up/marching order

Permits & participant contracts

Recruitment of volunteers

Recruitment of marching participants

Exclusions

Selection of Grand Marshal and Honorees

Acquisition of liability insurance

Judging of floats and bands

Managing the audit process; will participate if required

Constraints

Parade must take place the Saturday morning of SummerFest town fair, June XX

Parade route must begin and end at or near town park

Assumptions

Parade performers will volunteer their participation at no added cost

Enough performers will participate that the event will draw an audience

Project team will be able to engage enough volunteer staff to manage event

Town will agree to necessary street closings

Risks

Bad weather might cause cancellation of parade

Parade might pull people away from town fair, rather than drawing them in

Crowd control if event draws more than expected

Milestones

Finalize parade route - March 4

Receive town approval - March 11

Finalize budget - April 10

Finalize lineup - May 4

Begin publicity campaign - May 8

Budget

$2,500

Work Breakdown Structure

SummerFest parade

1. Recruit/select participating acts

1.1. Bands

1.2. Performers

1.3. Community groups

1.4. School groups

2. Develop parade route

2.1. Parking restrictions

2.2. Street closings

2.3. Route map

2.4. City Reviews

3. Permits & approvals

3.1. Town permits

3.2. Insurance waivers for participants

3.3. Street closings

4. Public safety

4.1. Traffic

4.2. First aid/medical

4.3. Security

4.4. Emergency Procedures

4.5. Volunteer safety orientation

5. Schedule/line-up

5.1. Marching orders

5.2. Staging area

5.3. End-of-parade marshaling area

6. Publicity

6.1. Radio

6.2. Newspaper

6.3. Signage

6.4. Sponsorships

7. Planning

7.1. Theme

7.2. Budget

7.3. Grand Marshal

7.4. Volunteers

8. Project management

8.1. Development of project plan

8.1.1. Project initiation

8.1.2. Project planning

8.1.3. Project execution

8.1.4. Project monitoring & control

8.1.5. Project closing

8.2. Project coordination w/city officials

8.3. Risk management plan

8.4. Lessons learned

Risk Tolerance Matrix Template

Stakeholder Name or Role    Relationship to Project    Risk Tolerance Level?    Reason for Risk Tolerance Level

Exercise 2-2: Develop a Risk Management Plan

Exercise Description

Grounded in the knowledge of her stakeholders' risk tolerance, Ana is prepared to consider how the team can best manage risks - both to mitigate threats, and pounce on opportunities. At the next leadership meeting, Ana proposes that risk planning be part of their weekly meeting. Some of that amounts to simple maintenance: regular review of the risk register. Most, though, is advance planning: she proposes that the leadership team focus early to develop a qualitative risk analysis process; decide on scaling for impact and probability; plan budget and engagement strategy for contingencies; and designate individual leaders to support Ana by monitoring certain key risks.

The team is on board with Ana's suggestions, eager to stay on top of the risks involved in doing a parade. Hannah adds a suggestion of her own - because of the particular risks involved in the parade, and the number of people involved in managing risk, she requests an auditing procedure to ensure that everyone follows established procedures.

Now Ana must gather all this into a risk management plan. You will support her in this effort.

The PMBOK® Guide, Fourth Edition, defines Plan Risk Management as “The process of deciding how to conduct risk management activities for a project.”

The risk management plan, a key deliverable of the Plan Risk Management process, is developed to create a roadmap for the ways the project team and the project manager will deal with risk processes; roles and responsibilities; timing and budget for risk management; and analyzing and controlling risks.

You will develop four sections of the risk management plan and you will review several sections which have been completed for you.

Materials

Case Study Materials

Risk Management Plan Template

Participant Procedure

1. Refer to the Risk Management Plan Template.

Some sections of the template have been completed for you. Some sections will be addressed in other exercises. You will complete the following:

Section 2: Roles and Responsibilities

Section 3: Budgeting

Section 4: Timing

Section 8: Stakeholders’ Risk Tolerances

2. Review Section 1: Methodology.

Methodology describes the tools, methods, and sources of information that will be used to perform risk management, including how risks will be identified, analyzed, and categorized; how risk response plans will be prepared, implemented, and monitored; and how risk triggers will be monitored.

This section of the risk management plan has been completed for you. The processes in this section will be explained in subsequent concepts of this course.

3. Complete Section 2: Roles and Responsibilities.

In one or two sentences, define who does what during risk management activities. Specifically, document who will direct and manage risk management activities; this person may be the project manager or a designated risk manager for the project.

4. Complete Section 3: Budgeting.

Establish a contingency reserve amount to address any risks that occur during the project.

5. Complete Section 4: Timing.

Describe how often risk management activities - for example, risk reviews - will be performed and when they will take place within the project schedule. Consider how this will be affected by project risks actually being triggered.

6. Complete Section 8: Stakeholders’ Risk Tolerances.

Identify the key stakeholders.

Describe the risk tolerances of the SummerFest project stakeholders.

Rate each stakeholder’s risk tolerance as:

Risk avoider

Risk tolerant

Risk taker

It is helpful to illustrate stakeholders’ risk tolerances by example, such as “The chamber of commerce president wants to preserve the town’s reputation for leaving businesses alone (risk averse).”

Note: Generally, stakeholders’ tolerances are identified through discussions and interviews with the stakeholders. For the purposes of this exercise, you need to develop a guess about the stakeholders’ tolerances based on their roles in the SummerFest case study.

7. Review the remaining sections of the risk management plan, which have been completed for you:

Section 5: Risk Categories

Section 9: Reporting Formats

Section 10: Tracking

Note that some sections will be addressed later in the course:

Section 6: Definitions of Risk Probability and Impact

Section 7: Probability and Impact Matrix with initial Risk Rating List

8. Compare your answer with the suggested solution provided.

Summary

In this exercise you have become familiar with the components of the risk management plan for the course case study. You will gain more understanding of these components during the course.

There is value in thinking through these elements before actually undertaking risk management activities. The plan becomes the “impersonal boss” that the team can refer to when getting caught up in emotion-based decision making. As the Project Risk Management processes are performed, and new thresholds and methodologies are established, these are fed back into the risk management planning process, and the risk management plan is updated.

Some large projects may use a risk tracking database to automate tracking risks. However, the tool is not nearly as important as the process and the discipline of revisiting risk at regular meetings.

Risk Management Plan Template

Section 1: Methodology

Process    Task    Participants

Plan Risk Management: Define how risk will be managed for this project.

  Develop and document risk plan           Ana Cruz, Marc Stuver
  Maintain and update plan as necessary    Marc Stuver

Identify Risks: Risks will be identified using a variety of techniques during the planning phase of the project. Team will identify risks and triggers at the beginning of project and on an ongoing basis, to identify any potential new risks or to eliminate risks that are no longer applicable.

  Brainstorming                                        Project team, sponsors, Brenda Welsh
  Interviews                                           Brita Porter, Walter Stone, key participants, town officials
  Review documentation                                 Project team and sponsors
  Review Memorial Day parade historical information    Brita Porter, Ana Cruz
  Analysis of triggers                                 Marc Stuver, Ana Cruz

Perform Quantitative Risk Analysis: Conduct sensitivity analysis to determine which risks have the highest impact on project & how risks can be changed or mitigated. Brainstorm with impacted stakeholders and calculate expected value of each risk probability.

  Interview key stakeholders                 Marc Stuver, risk owner
  Brainstorming session with team members    Marc Stuver, project team
  Conduct sensitivity analysis               Marc Stuver, risk owner
  Determine how to change/mitigate risk      Marc Stuver, risk owner

Perform Qualitative Risk Analysis: For each identified risk, the team will determine the probability and impact, and calculate a risk score. A five-point scale for probability and impact will be used. A risk ranking table will also be created to benchmark each risk score and determine the overall project risk profile.

  Probability and impact analysis    Project team, Marc Stuver
  Determine risk score               Marc Stuver, Ana Cruz, risk owner
  Develop a risk ranking table       Marc Stuver, Ana Cruz, risk owner
  Risk profile                       Marc Stuver, Ana Cruz, risk owner

Plan Risk Response: For each identified risk, a risk owner will be assigned, who has primary responsibility for mitigating the risk. The risk owner is also responsible for developing a risk response plan and contingency plan, in the event that the risk response fails or does not mitigate the risk to the acceptable threshold level.

  Assign risk owners                      Risk owner, Marc Stuver, Ana Cruz
  Develop a response strategy             Risk owner, Marc Stuver, Ana Cruz
  Develop a contingency strategy          Marc Stuver, risk owner
  Review and update strategy as needed    Marc Stuver, risk owner

Monitor and Control Risks: All identified risks will be documented and scored, then prioritized based on risk score. All risks rated High or Very High will be reviewed daily; Medium rated risks will be reviewed weekly. Any risk triggers that take effect should be brought to the attention of the project manager ASAP.

  Daily review of High and Very High risks    Marc Stuver, Ana Cruz, risk owners
  Weekly review of Medium risks               Marc Stuver, Ana Cruz, risk owners
  Report risk trigger changes to PM           Marc Stuver, Ana Cruz, risk owners

Section 2: Roles and Responsibilities

Role Responsibilities

Project Manager

Team Member Assigned to Manage a Risk

Internal Stakeholders

External Stakeholders

Section 3: Budgeting

Risk Management Activities

Activity Budget

Contingency Reserves

Description Budget

Section 4: Timing

Activity Phase/Date

Section 5: Risk Categories

Once all risks have been identified, we will develop risk categories to logically organize the risks. The categories of risk include (but are not limited to):

Technical

Organizational

External

Project Management

Environmental

Communications

Safety

Scope

Time

Cost

Quality Requirements

Resource Availability

Labor Availability

This list should not preclude the creation of additional categories, if project risks merit new categories.

Section 6: Definitions of Risk Probability and Impact

Probability

| Very Low | Low | Moderate | High | Very High |
| --- | --- | --- | --- | --- |
| | | | | |

Impact

| Project Objective | Very Low | Low | Moderate | High | Very High |
| --- | --- | --- | --- | --- | --- |
| Cost | | | | | |
| Time | | | | | |
| Scope | | | | | |
| Quality | | | | | |


Section 7: Probability and Impact Matrix

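Risk Rating List

| Value of P | Value of I | Risk Score | Risk Description | Risk Rating | Risk Response Strategy |
| --- | --- | --- | --- | --- | --- |
| | | | | | |

Probability and Impact Matrix

| Probability | Threats | Opportunities |
| --- | --- | --- |
| | | |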

Section 8: Revised Stakeholders’ Risk Tolerances

| Stakeholder | Normal Risk Tolerance | Current Project Risk Tolerance |
| --- | --- | --- |
| | | |


Section 9: Reporting Formats

| Report | Format |
| --- | --- |
| Risk Register/Database | Risk ID, risk category, risk description, risk originator, risk owner, last updated, probability score, impact score, risk score, risk status (new, open, mitigation plan created, mitigation plan approved, completed, re-opened), trigger, mitigation strategy, contingency strategy |
| High Risk Report (daily) | Only High or Very High risks reported - risk ID, risk category, risk description, risk originator, risk owner, last updated, probability score, impact score, risk score, risk status (new, open, mitigation plan created, mitigation plan approved, completed, re-opened), trigger, mitigation strategy, contingency strategy |
| Weekly Risk Report | Only Medium risks reported - risk ID, risk category, risk description, risk originator, risk owner, last updated, probability score, impact score, risk score, risk status (new, open, mitigation plan created, mitigation plan approved, completed, re-opened), trigger, mitigation strategy, contingency strategy |

Section 10: Tracking

| Process | Auditing Procedure |
| --- | --- |
| Plan Risk Management | Independent auditor, contracted by Citizens Collaborative BOD, to review the plan and present findings to Sponsor and Citizen Collaborative BOD for follow up and corrective action |
| Identify Risks | Independent auditor, contracted by Citizens Collaborative BOD, to review the Identify Risks process and present findings to Sponsor and Citizen Collaborative BOD for follow up and corrective action |
| Perform Qualitative Risk Analysis | Independent auditor, contracted by Citizens Collaborative BOD, to review the qualitative risk analysis process and present findings to Sponsor and Citizen Collaborative BOD for follow up and corrective action |
| Perform Quantitative Risk Analysis | Independent auditor, contracted by Citizens Collaborative BOD, to review the Perform Quantitative Risk Analysis process and present findings to Sponsor and Citizen Collaborative BOD for follow up and corrective action |
| Plan Risk Responses | Independent auditor, contracted by Citizens Collaborative BOD, to review the Risk Response plan and present findings to Sponsor and Citizen Collaborative BOD for follow up and corrective action |
| Monitor and Control Risks | Independent auditor, contracted by Citizens Collaborative BOD, to review the Monitoring and Control process and present findings to Sponsor and Citizen Collaborative BOD for follow up and corrective action |


Exercise 3-1: Identify Project Risks

Exercise Description

The PMBOK® Guide, Fourth Edition, defines Identify Risks as “The process of determining which risks may affect the project and documenting their characteristics.”

In this exercise, you will identify SummerFest risks and place them in categories. You will document which project objectives, such as scope, cost, schedule, and quality, may be affected by the risk.

Next you will identify the risks with highest probability of occurrence and highest impact. You will describe the potential impact of top risks on the project.

Finally, you will analyze one risk using a cause-and-effect diagram.

During this process, you may begin to identify possible responses to risks. You may consider how a list of typical risk categories can be tailored to the SummerFest project.

Materials

Risk Screening Checklist Template

Initial List of Project Risks Template

Cause-and-Effect Diagram Template

Participant Procedure

1. Complete the Risk Screening Checklist Template, which identifies potential risk categories. Create a list of as many risks as possible associated with the case study.

Review the case study materials, focusing on anything that might cause a risk. A good place to start is with the assumptions documented in the project scope statement, as assumptions are a likely place for risk to “nest.” Consider project constraints also.

2. Complete the Initial List of Project Risks Template.

Using the risks on your Risk Screening Checklist, identify the top 10 risks for further attention. “Top” risks have a high probability of occurring, a high impact on the project, or both high probability and high impact. Use the following format: As a result of [cause], [risk event] could occur, which would lead to [impact].

Tip: When identifying impact on the project, it is useful to consider the areas of Scope, Cost, Schedule, or Quality.

For each top risk, make an entry in the Category column. Use a category from the Risk Screening Checklist or tailor the category description to the SummerFest project.


3. Finally, analyze a single risk for its causes, using the cause-and-effect (or fishbone, or Ishikawa) diagram. Use the risk “Goal of increasing attendance by 50% not achieved”.

As you identify root causes, you may consider initial responses. The results from this exercise will be used in subsequent risk management activities.

4. Compare your answer with the suggested solution provided.

Summary

The Identify Risks process determines which risks might affect the project and documents their characteristics. Participants in this process include the project manager, the stakeholders, risk management experts, and even customers. Identify Risks is an iterative process, and new risks may surface as the project progresses through its lifecycle.


Risk Screening Checklist Template

Create a list of as many risks as possible associated with the case study.

A. Scope

B. Budget

C. Time

D. Resource

E. Organizational


F. Location

G. Business

H. Financial

I. Safety

J. Training


Initial List of Project Risks Template

After you have created a list of as many risks as possible associated with the case study, reduce your list to the top 10 risks. Use the following format: As a result of [cause], [risk event] could occur, which would lead to [impact].

In the Category column, enter a category such as Technical, External, Organizational, or Project Management.

| # | List of Identified Risks | Category |
| --- | --- | --- |
| 1 | | |
| 2 | | |
| 3 | | |
| 4 | | |
| 5 | | |
| 6 | | |
| 7 | | |
| 8 | | |
| 9 | | |
| 10 | | |


Cause-and-Effect Diagram Template


Exercise 4-1: Assess and Rank Risks

Exercise Description

In this exercise you will assess and rank the risks you identified in a previous exercise as a way to determine which risks are most critical and need further analysis and/or risk response planning. You will use a Risk Register Worksheet to document your assessment of individual risks.

Materials

Risk Probability & Impact Tables

List of identified risks from previous exercise

Risk Rating List Template

Risk Register Worksheet Template

Identify Risks and Analysis Worksheet Template

Participant Procedure

1. Using the list of risks you identified in the previous exercise, create an initial risk rating list using the template provided.

Determine P and I and calculate RS (risk score) for each of the top risks you have identified. Use the Risk Probability & Impact Tables.

Based on the risk score, rate the risk as high, moderate, or low.

Leave Risk Response Strategy blank - this will be covered in a subsequent exercise.

2. For your highest risk item, fill out a risk register worksheet using the template provided. Use your judgment to propose initial preparatory and contingency plans based on the information currently available.

3. Using the Identify Risks and Analysis Worksheet template provided, assign a category to each risk, and provide a brief description as well as a comment about the assumptions and basis behind the risk. [NOTE: This template is merely multiple copies of the top section of the risk register worksheet.]

4. Compare your answer with the suggested solution provided.

Summary

Rating risks is a key task of Project Risk Management. Prioritization should not happen while risks are being identified, but only through analysis. By resolving risk scores into three prioritized ratings, the project manager streamlines risk management practices so that only high risks receive rigorous treatment. Low risks may receive no more than periodic monitoring. The initial list of rated risks is the core of the risk register, which is elaborated and revised over the life of the project.


Risk Probability & Impact Tables

Risk Probability Table

| Term of Probability | Value |
| --- | --- |
| Very low | 10% (0.1) |
| Low | 30% (0.3) |
| Moderate | 50% (0.5) |
| High | 70% (0.7) |
| Very high | 90% (0.9) |

Risk Impact Table

| Value of I | Impact to the Project | Cost Thresholds | Schedule Thresholds |
| --- | --- | --- | --- |
| 1 | Minimal or no cost, unimportant schedule consequences | <$25k | No baseline extension |
| 3 | Small reduction in desired cost and schedule results | $25k-$49k | < 5 day baseline delay |
| 5 | Some reduction in desired cost and schedule results | $50k-$99k | 6-29 day baseline delay |
| 7 | Significant degradation in cost and schedule results | $100k-250k | 30-59 day baseline delay |
| 9 | Desired cost and schedule results cannot be achieved | >$250k | >60 day baseline delay |


Risk Rating List Template

| Value of P | Value of I | Risk Score | Risk Description | Risk Rating | Risk Response Strategy |
| --- | --- | --- | --- | --- | --- |
| | | | | | |


Risk Register Worksheet Template

The Risk Register Worksheet is completed gradually over the life of the project, and is updated as needed. Below this Risk Register Worksheet, the top section of the document is reproduced multiple times under the heading Identify Risks and Analysis Worksheet Template.

In this exercise, use the Identify Risks and Analysis worksheet to capture information that can be transferred to full Risk Register Worksheets.

Risk Register

Project:

Identify Risks & Analysis

Identified Project Risk: P I RS Risk Category

Description of Identified Risk:

Assumptions/Basis:

Plan Risk Responses

Strategy:

Opportunity: Exploit Share Enhance Accept

Threat: Avoid Transfer Mitigate Accept

Trigger measure to be monitored, and source:

Threshold condition:

Potential secondary risks (risks arising from implementing this plan):

Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):

Preparatory Plan: Actions to take before risk materializes

Plan Description: Who Performs

Cost / Sched Impact

Date Due


Contingency Plan: Actions if the risk is triggered

Plan Description: Who Performs

Cost / Schedule Impact

Risk Owner:

Identify Risks and Analysis Worksheet Template

Identified Project Risk: P I RS Risk Category

Description of Identified Risk:

Assumptions/Basis:

Identified Project Risk: P I RS Risk Category

Description of Identified Risk:

Assumptions/Basis:


Identified Project Risk: P I RS Risk Category

Description of Identified Risk:

Assumptions/Basis:

Identified Project Risk: P I RS Risk Category

Description of Identified Risk:

Assumptions/Basis:

Identified Project Risk: P I RS Risk Category

Description of Identified Risk:

Assumptions/Basis:


Exercise 5-1: Apply a Perform Quantitative Risk Analysis Tool

Exercise Description

At every team meeting for the SummerFest parade project, there's an elephant in the room - the possibility that bad weather could force cancellation, and thereby thwart their efforts to draw more people to SummerFest and increase Saturday revenues.

Ana has raised the issue a couple of times, but the leadership team hasn't engaged it. Ana decides it's time. "It's our most serious risk," she tells them. "We have to acknowledge it, and determine a contingency plan." As the team brainstorms ways that parade planning could positively impact SummerFest, one simple contingency emerges: commit a fixed sum to advertising the parade, and link the parade to the SummerFest town fair in all advertising. That way, even if the parade gets washed out, the money spent on promotion will have increased awareness of SummerFest, and provided some boost in fair attendance. The team agrees it's worth analyzing whether the cost of a parade would be worth the likely increase in revenues, or whether they should simply increase advertising.

Together, they work out some estimates on which to base an analysis:

| Estimate | With parade | Without parade (advertising only) |
| --- | --- | --- |
| Additional cost | $2,400 | $500 |
| Estimated attendance increase (good weather) | 800 | 300 |
| Estimated attendance increase (bad weather) | 400 | 100 |
| Estimated revenue per additional person | $10 | $10 |

Ana will analyze the data and report back to the team at their next meeting. You will support her in this effort.

In this exercise you will apply a Perform Quantitative Risk Analysis tool to recommend a strategy.

Materials

Decision Tree Analysis Worksheet

Decision Tree Diagram Template

Participant Procedure

1. Complete the decision tree analysis worksheet. For variables of cost and attendance, use data in the exercise description.

2. Using information in the completed worksheet, construct the decision tree.

3. Considering the outcomes of the several attendance scenarios, which is the best decision?

4. Compare your answer with the suggested solution provided.


Summary

Decision tree analysis is a Perform Quantitative Risk Analysis tool that is used when additional decision-making information associated with a potential risk response is needed. The probability factors used often reflect the risk tolerances of the individuals and/or organizations using them. Therefore, users need to consider the impact of subjectivity in the construction and use of the tool.

A very important principle to remember is that expected monetary value is a statistical assessment of project value, NOT a prediction of final value or cost.


Decision Tree Analysis Worksheet

Project: SummerFest parade

PM: Ana Cruz

Part 1: maximum attendance increase (good weather)

With parade:

| Element | Given Information | Result |
| --- | --- | --- |
| additional attendance | | |
| additional cost | | |
| additional revenue | | |
| additional profit | | |

Without parade (advertising only)

| Element | Given Information | Result |
| --- | --- | --- |
| additional attendance | | |
| additional cost | | |
| additional revenue | | |
| additional profit | | |

Part 2: minimum attendance increase (bad weather)

With parade:

| Element | Given Information | Result |
| --- | --- | --- |
| additional attendance | | |
| additional cost | | |
| additional revenue | | |
| additional profit | | |

Without parade (advertising only)

| Element | Given Information | Result |
| --- | --- | --- |
| additional attendance | | |
| additional cost | | |
| additional revenue | | |
| additional profit | | |

Conclusion:


Decision Tree Diagram Template


Exercise 6-1: Select Appropriate Risk Responses

Exercise Description

The goal of Plan Risk Responses is prevention of surprises that could negatively impact the project objectives, and the ability to take advantage of opportunities that could positively impact the project objectives.

Plan Risk Responses includes “before risk” and “after risk” plans. The risk preparation plan provides actions to mitigate, avoid, transfer, or accept risk; whereas the risk contingency plan involves actions to deal with risks should they occur.

Changing the project plan may create new risks, which may reduce the benefit of the change or even be more problematic than the risk being avoided. Such new risks arising directly from a risk response plan are called secondary risks. The impact of potential secondary risks must be considered as the risk response plan is developed.

This exercise revisits the risk register started during the Identify Risks process. Select the top three risks and create an appropriate risk response plan for each. That is, for each selected risk, develop a preparatory plan, consisting of small project plans to prepare for the risk before it occurs, and a contingency plan, which identifies steps to be taken if the risk is triggered.

Make sure that you document contractual agreements and owner responsibilities as well. Enter your plans into Risk Register Worksheets, which are part of the risk register.

Materials

List of prioritized risks (from previous exercises) that are listed on Identify Risks and Analysis forms

3 Risk Register Worksheet Templates

Participant Procedure

1. Use the prioritized list of risks from a previous exercise and select the top three risks.

2. Create appropriate risk response plans using the risk register worksheets. Document contractual agreements and owner responsibilities. When quantifying things such as the amount of resources to devote to a mitigation plan, use a deliberate rationale. Document mitigation plans.

3. Compare your answers to the sample solution provided in Appendix B.

Summary

This exercise completes the series of activities that began with the Identify Risks process and extends through the Plan Risk Responses process.


Risk Register Worksheet Templates

Risk Register

Project:

Identify Risks & Analysis

Identified Project Risk: P I RS Risk Category

Description of Identified Risk:

Assumptions/Basis:

Plan Risk Responses

Strategy:

Opportunity: Exploit Share Enhance Accept

Threat: Avoid Transfer Mitigate Accept

Trigger measure to be monitored, and source:

Threshold condition:

Potential secondary risks (risks arising from implementing this plan):

Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):

Preparatory Plan: Actions to take before risk materializes

Plan Description: Who Performs

Cost / Schedule Impact

Date Due

Contingency Plan: Actions if the risk is triggered

Plan Description: Who Performs

Cost / Schedule Impact

Risk Owner:


Risk Register

Project:

Identify Risks & Analysis

Identified Project Risk: P I RS Risk Category

Description of Identified Risk:

Assumptions/Basis:

Plan Risk Responses

Strategy:

Opportunity: Exploit Share Enhance Accept

Threat: Avoid Transfer Mitigate Accept

Trigger measure to be monitored, and source:

Threshold condition:

Potential secondary risks (risks arising from implementing this plan):

Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):

Preparatory Plan: Actions to take before risk materializes

Plan Description: Who Performs

Cost / Schedule Impact

Date Due

Contingency Plan: Actions if the risk is triggered

Plan Description: Who Performs

Cost / Schedule Impact

Risk Owner:


Risk Register

Project:

Identify Risks & Analysis

Identified Project Risk: P I RS Risk Category

Description of Identified Risk:

Assumptions/Basis:

Plan Risk Responses

Strategy:

Opportunity: Exploit Share Enhance Accept

Threat: Avoid Transfer Mitigate Accept

Trigger measure to be monitored, and source:

Threshold condition:

Potential secondary risks (risks arising from implementing this plan):

Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):

Preparatory Plan: Actions to take before risk materializes

Plan Description: Who Performs

Cost / Schedule Impact

Date Due

Contingency Plan: Actions if the risk is triggered

Plan Description: Who Performs

Cost / Schedule Impact

Risk Owner:


Exercise 7-1: Monitor and Control Risks

Exercise Description

Ana has informed the leadership team about the uncertain status of the parade's star performers, BigFish Puppets. Fortunately for them, they have diligently reviewed risk reports at every meeting. So while they don't welcome this risk trigger, they are at least prepared to handle it. They've considered contingencies for what happens if a performer - even the star performer - is a no-show.

Now, it's time to revisit those contingencies and set some in motion. You will support Ana in this effort.

When a risk event occurs that necessitates a change to project baseline or when there is a need to revise or authorize spending contingency budgets, change requests are needed.

Materials

Case Study Materials

Change Request Form Template

Participant Procedure

1. Review your risk register materials for information relevant to performances.

2. Complete the project Change Request Form Template to activate contingency plans designed for the absence of a scheduled performer.

3. Compare your answer with the suggested solution provided.

Summary

In this example, the risk owner creates and requests approval for the change request and the project manager approves the change.

For large-scale projects, a separate body of individuals known as the configuration change board or Change Control Board (CCB) is often created to review all change requests through a formal change control system. They are given authority to approve or deny change requests and might consist of stakeholders, business line managers, or others who may or may not have any connection to the project.

Periodic risk reviews are the primary technique of the Monitor and Control Risks process. Additional risk response planning may be necessary if a new risk emerges, or an identified risk’s impact is larger than anticipated. Workaround plans, project change requests, updates to the risk register, and updates to the Identify Risks checklists are outputs from Risk Monitoring and Control.


Change Request Form Template

Project: SummerFest Parade

Change Request Form

Date Raised:

Customer Name: N/A Request #: Request By:

Change Name:

Description of Change:

Date Required:

Reason for Change:

Baselines Affected: Scope/Requirements, Schedule, Budget, Quality

Change Impact Assessment

Scope:

Schedule:

Budget:

Quality Plan:

Risk Plan:

Other Impacts:

Resources Required:

Estimated Work Effort (hours):

Estimated Cost:

Other Comments:


Contingency Plan:

| Plan Description | Who Performs | Cost / Schedule / Quality / Scope Impact |
|---|---|---|
| | | |

Project Manager Acceptance:

Date:


Exercise 7-2: Final Scenario

Exercise Description

In this business scenario, you will briefly conduct a full Project Risk Management cycle for a new market opportunity. You will identify, analyze, and develop responses for risks, creating mitigation strategies and contingency plans.

Scenario

Your company is a software development company. Your project team has theorized that a new palm-computing device would be most marketable. Senior management has reviewed the conceptual design and has given approval to begin the planning for such a product.

This new palm device will perform all the basic functions that the current palm device performs, such as schedule maintenance, database functions, calculations, etc. The “new” area of palm computing envisioned for this device is in human biofeedback. This device will be able to monitor human heart rate, respiration, and blood sugar levels. This new medical technology would eliminate the requirement of people “sticking” themselves to perform blood sugar readings. This device would be non-obtrusive to the end user, yet would be a suitable alternative for blood sugar measurement.

Your company's goal is to be the first to market with this exciting new technology, while limiting or eliminating the company’s liability.

Materials

Scenario

List of Risks Template

5 Risk Register Worksheet Templates

Participant Procedure

1. Read the scenario.

2. Identify the top eight potential risks using the above scenario.

Although you are addressing only some risks, review and consider the information on the risk management plan. Consider all aspects of the risk response plan templates.

3. Complete the Risk Register Worksheet for five of the risks you identified.

Summary

How does your handling of this scenario differ from the approach you may have taken before participating in this course?


List of Risks Template

List of Identified Risks

1. ______________________________

2. ______________________________

3. ______________________________

4. ______________________________

5. ______________________________

6. ______________________________

7. ______________________________

8. ______________________________


Risk Register Worksheet Templates

Risk Register

Project:

Identify Risks & Analysis

| Identified Project Risk | P | I | RS | Risk Category |
|---|---|---|---|---|
| | | | | |

Description of Identified Risk:

Assumptions/Basis:

Plan Risk Responses

Strategy:

Opportunity: Exploit Share Enhance Accept

Threat: Avoid Transfer Mitigate Accept

Trigger measure to be monitored, and source:

Threshold condition:

Potential secondary risks (risks arising from implementing this plan):

Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):

Preparatory Plan: Actions to take before risk materializes

| Plan Description | Who Performs | Cost / Schedule Impact | Date Due |
|---|---|---|---|
| | | | |

Contingency Plan: Actions if the risk is triggered

| Plan Description | Who Performs | Cost / Schedule Impact |
|---|---|---|
| | | |

Risk Owner:


Appendix B: Solutions

Solutions Table of Contents

Exercise 2-1 Solution: Determine Stakeholder Risk Tolerance
Exercise 2-2 Solution: Develop a Risk Management Plan
Exercise 3-1 Solution: Identify Project Risks
Exercise 4-1 Solution: Assess and Rank Risks
Exercise 5-1 Solution: Apply a Perform Quantitative Risk Analysis Tool
Exercise 6-1 Solution: Select Appropriate Risk Responses
Exercise 7-1 Solution: Monitor and Control Risks


Exercise 2-1 Solution: Determine Stakeholder Risk Tolerance

Risk Tolerance Matrix

| Stakeholder Name or Role | Relationship to Project | Risk Tolerance Level? | Reason for Risk Tolerance Level |
|---|---|---|---|
| Ana Cruz, Project Manager | Contributor | Risk averse | As project manager, the success or failure of the project rests on Ana, so she wants to ensure that risks are minimized. |
| Hannah Foster, Board Member, Citizens Collaborative | Sponsor | Risk taker | Because Hannah is the driver of this idea, she is willing to take certain risks to ensure the event is successful and it generates the extra revenues needed. |
| Jack North, Board Member, Citizens Collaborative | Contributor | Risk tolerant (neutral) | Jack by nature is risk averse and skeptical of the parade. Must be convinced that this will be a risk-free event. |
| Brita Porter, Consultant | Contributor | Risk tolerant | While providing support to the project, Brita will not be held responsible for the success or failure of the parade. |
| Brenda Welsh, Chairperson, Town Board of Selectmen | Approvers | Risk averse | Brenda is an elected official who is reluctant to take risks that might jeopardize her chances for re-election. |
| Town Selectmen | Approvers | Risk averse | Selectmen are elected officials who are reluctant to take risks that might jeopardize their chances for re-election. |
| Police Department | Contributors | Risk averse | The police are responsible for protecting the safety of the public and are focused on preventions, not heroics. |
| Shriners | Participants | Risk averse | The Shriners expect a well-behaved fun-seeking group of parade attendees who pose no issues or risks. |
| Duane Evans Drum & Bugle Corps | Participants | Risk averse | The drum & bugle corps expects a well-behaved fun-seeking group of parade attendees who pose no issues or risks. |
| Volunteers | Contributors | Risk tolerant | This group probably falls in the middle range of risk tolerance. |
| Parade Attendees | Affected | Risk takers | Some parade-goers, particularly teenagers, in looking for a good time, may be inclined to take risk and act irresponsibly. |


Exercise 2-2 Solution: Develop a Risk Management Plan

Risk Management Plan

Section 1: Methodology

| Process | Task | Participants |
|---|---|---|
| Plan Risk Management: Define how risk will be managed for this project. | Develop and document risk plan | Ana Cruz, Marc Stuver |
| | Maintain and update plan as necessary | Marc Stuver |
| Identify Risks: Risks will be identified using a variety of techniques during the planning phase of the project. Team will identify risks and triggers at the beginning of project and on an ongoing basis, to identify any potential new risks or to eliminate risks that are no longer applicable. | Brainstorming | Project team, sponsors, Brenda Welsh |
| | Interviews | Brita Porter, Walter Stone, key participants, town officials |
| | Review documentation | Project team and sponsors |
| | Review Memorial Day parade historical information | Brita Porter, Ana Cruz |
| | Analysis of triggers | Marc Stuver, Ana Cruz |
| Perform Quantitative Risk Analysis: Conduct sensitivity analysis to determine which risks have the highest impact on project & how risks can be changed or mitigated. Brainstorm with impacted stakeholders and calculate expected value of each risk probability. | Interview key stakeholders | Marc Stuver, risk owner |
| | Brainstorming session with team members | Marc Stuver, project team |
| | Conduct sensitivity analysis | Marc Stuver, risk owner |
| | Determine how to change/mitigate risk | Marc Stuver, risk owner |
| Perform Qualitative Risk Analysis: For each identified risk, team will determine the probability and impact, and calculate a risk score. A five-point scale for probability and impact will be used. A risk ranking table will also be created to benchmark each risk score and determine the overall project risk profile. | Probability and impact analysis | Project team, Marc Stuver |
| | Determine risk score | Marc Stuver, Ana Cruz, risk owner |
| | Develop a risk ranking table | Marc Stuver, Ana Cruz, risk owner |
| | Risk profile | Marc Stuver, Ana Cruz, risk owner |
| Plan Risk Response: For each identified risk a risk owner will be assigned, who has primary responsibility of mitigating the risk. The risk owner is also responsible for developing a risk response plan and contingency plan, in the event that the risk response fails or does not mitigate the risk to the acceptable threshold level. | Assign risk owners | Identified risk owner, Marc Stuver, Ana Cruz |
| | Develop a response strategy | Identified risk owner, Marc Stuver, Ana Cruz |
| | Develop a contingency strategy | Marc Stuver, Identified risk owner |
| | Review and update strategy as needed | Marc Stuver, Identified risk owner |
| Monitor and Control Risks: All identified risks will be documented and scored, then prioritized based on risk score. All risks rated High or Very High in the risk ranking table will be reviewed daily; Medium-rated risks will be reviewed weekly. Any risk triggers that take effect should be brought to the attention of the project manager as soon as possible. | Daily review of High and Very High risks | Marc Stuver, risk owners, Ana Cruz |
| | Weekly review of Medium risks | Marc Stuver, Risk owners, Ana Cruz |
| | Report risk triggers change to PM | Risk owner, Marc Stuver, Ana Cruz |


Section 2: Roles and Responsibilities

| Role | Responsibilities |
|---|---|
| Ana Cruz, Project Manager | Responsible for the overall risk management plan and its effective implementation throughout the project. |
| Marc Stuver, Project Consultant | Risk manager for project, manage the day-to-day activity for the project, consult with Ana and the risk owner. |
| Team Member Assigned to Manage a Risk | Each risk owner is responsible for assessing the risk and creating a risk mitigation plan for approval by the project manager. The risk owner is also responsible for presenting risk status at team meetings and recommending risk closure. |
| Internal Stakeholders | Participate as needed on risk activities to provide subject matter expertise. May be called on to become a risk owner. |
| External Stakeholders | Participate as needed on risk activities to provide subject matter expertise. |

Section 3: Budgeting

Risk Management Activities

| Activity | Budget |
|---|---|
| Audit expense for external audit of risk process | $500 |
| Contingency reserve | $2,000 |

Contingency Reserves

Based on risk assessment and expected value/dollar impact evaluation a contingency reserve will be refined and presented to Citizens Collaborative BOD.

Section 4: Timing

| Activity | Phase/Date |
|---|---|
| Complete risk plan | March 15 |
| Approval of risk plan | March 20 |
| Conduct Identify Risks brainstorm session | March 25 |
| Conduct risk training session | March 30 |
| Conduct audit of risk plan | April 30 |


Section 5: Risk Categories

Once all risks have been identified, we will develop risk categories to logically organize the risks. The categories of risk include (but are not limited to):

Technical

Organizational

External

Project Management

Environmental

Communications

Safety

Scope

Time

Cost

Quality Requirements

Resource Availability

Labor Availability

This list should not preclude the creation of additional categories, if project risks merit new categories.

Section 6: Definitions of Risk Probability and Impact

Probability

| Very Low | Low | Moderate | High | Very High |
|---|---|---|---|---|
| 0.1 | 0.3 | 0.5 | 0.7 | 0.9 |

Impact

| Project Objective | Very Low (1) | Low (3) | Moderate (5) | High (7) | Very High (9) |
|---|---|---|---|---|---|
| Cost | Insignificant increase | < 10% increase | 10-20% increase | 20-40% increase | > 40% increase |
| Time | Insignificant increase | < 5% increase | 5-10% increase | 10-20% increase | > 20% increase |
| Scope | Barely noticeable | Minor areas affected | Deliverable affected | Effect on scope unacceptable | Item is effectively useless |
| Quality | Quality change is barely noticeable | Minor quality impact | Quality is impacted but still within defined limits | Quality is impacted, and going out of range of defined limits | Effect on quality is unacceptable |


Section 7: Probability and Impact Matrix

Risk Rating List

| Value of P | Value of I | Risk Score | Risk Description | Risk Rating | Risk Response Strategy |
|---|---|---|---|---|---|
| | | | | | |

Probability and Impact Matrix

[Matrix figure; headings: Probability, Threats, Opportunities]


Section 8: Revised Stakeholders’ Risk Tolerances

| Stakeholder | Normal Risk Tolerance | Current Project Risk Tolerance |
|---|---|---|
| Hannah Foster, Board Member, Citizens Collaborative | Risk taker | Risk tolerant (neutral) |
| Jack North, Board Member, Citizens Collaborative | Risk tolerant (neutral) | Risk tolerant (neutral) |
| Ana Cruz, Project Manager | Risk averse | Risk tolerant (neutral) |
| Police Department | Risk averse | Risk averse |
| Shriners | Risk averse | Risk tolerant (neutral) |

Section 9: Reporting Formats

| Report | Format |
|---|---|
| Risk Register/Database | Risk ID, risk category, risk description, risk originator, risk owner, last updated, probability score, impact score, risk score, risk status (new, open, mitigation plan created, mitigation plan approved, completed, re-opened), trigger, mitigation strategy, contingency strategy |
| High Risk Report (daily) | Only High or Very High risks reported - Risk ID, risk category, risk description, risk originator, risk owner, last updated, probability score, impact score, risk score, risk status (new, open, mitigation plan created, mitigation plan approved, completed, re-opened), trigger, mitigation strategy, contingency strategy |
| Weekly Risk Report | Only Medium risks reported - Risk ID, risk category, risk description, risk originator, risk owner, last updated, probability score, impact score, risk score, risk status (new, open, mitigation plan created, mitigation plan approved, completed, re-opened), trigger, mitigation strategy, contingency strategy |


Section 10: Tracking

| Process | Auditing Procedure |
|---|---|
| Plan Risk Management | Independent auditor, contracted by Citizens Collaborative BOD, to review the plan and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action |
| Identify Risks | Independent auditor, contracted by Citizens Collaborative BOD, to review the Identify Risks process and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action |
| Perform Qualitative Risk Analysis | Independent auditor, contracted by Citizens Collaborative BOD, to review the qualitative risk analysis process and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action |
| Perform Quantitative Risk Analysis | Independent auditor, contracted by Citizens Collaborative BOD, to review the Perform Quantitative Risk Analysis process and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action |
| Plan Risk Response | Independent auditor, contracted by Citizens Collaborative BOD, to review the Risk Response plan and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action |
| Monitor and Control Risks | Independent auditor, contracted by Citizens Collaborative BOD, to review the Monitoring and Control process and present findings to Sponsor and Citizens Collaborative BOD for follow up and corrective action |


Exercise 3-1 Solution: Identify Project Risks

Risk Screening Checklist

A. Technology

New technology

Unknown or unclear technology

New application of existing technology

Modernize advanced technology in existing application

B. Time

Project schedule uncertainties or constraints that may impact project completion or milestone dates

Long lead procurement items that may affect the completion of the critical path or milestones

C. Contractor Capabilities

Potential for unavailability of qualified vendors or contractors

D. Interfaces

Significant transportation or infrastructure impacts

Multiple project interfaces

Significant interfaces with an operational facility

E. Safety

Risks to worker safety during construction

Significant contamination potential

Accidents due to new design or other non-reviewed safety questions

Involvement of hazardous material


A. Scope

As a result of poor publicity, fewer marching acts than expected have signed up to participate.

Corporate sponsors want floats that advertise their companies to be prominently positioned in the parade.

B. Budget

Unforeseen expense resulting from a first-time event.

Last-minute requirements resulting in unplanned spending.

Police and emergency services expenses grow as a result of expected increase in crowd.

C. Time

Parade exceeds the anticipated 1-hour duration.

Slower-moving marching units delay the parade.

Parade ends before SummerFest opens.

D. Resource

Volunteer recruitment numbers for parade assignment not met.

Police may be called away on emergency.

Shriners threaten to pull out of parade unless a waiver absolves them of responsibility for Greg Heinz and other drivers.

No-shows cause holes in the marching lineup.

E. Organizational/Environmental

Severe weather patterns forecast for the morning of the parade.

Performers not satisfied with their position in the marching order.

Key act pulls out: no show, the morning of the parade.

F. Location

Staging areas for assembly and dismissal of parade participants not large enough.

G. Business

Parade doesn't generate anticipated increase in fairgoers.

Parade is considered too amateurish and attendees begin leaving before the parade ends.

H. Financial

Expenses exceed anticipated revenue increase at SummerFest town fair.

I. Safety

Shriners don’t practice safe driving skills of the miniature vehicles.

Crowds difficult to manage because of size could become safety hazard.

Teenagers become rowdy.

Traffic accident with one of the floats.

J. Training

Training will not be available for all volunteers.


Initial List of Project Risks

| List of Identified Risks | Category |
|---|---|
| 1. As a result of poor publicity, fewer marching acts than expected will participate, resulting in a disappointing experience for parade attendees. | Scope |
| 2. As a result of large crowds, it may become difficult to control parade attendees, resulting in safety hazards. | Safety |
| 3. As a result of other emergencies in town, the police may have to leave the parade to respond, causing traffic and crowd control issues during the parade. | Resources |
| 4. As a result of not enough space for proper staging, assembly, and dismissal of parade participants, confusion and crowded conditions can result in delays in the parade. | Location |
| 5. As a result of key acts pulling out of the parade at the last minute or not showing, causing disruption in the parade's schedule of events, resulting in disappointment for parade attendees and an impression of a poorly organized event. | Organizational |
| 6. As a result of not increasing revenues, parade expenses could cause decreased SummerFest profitability, resulting in less funding available for town charities. | Financial |
| 7. As a result of a severe weather forecast, fewer people may come to the parade, resulting in a reduced turnout for the SummerFest town fair. | Environmental |
| 8. As a result of the parade exceeding 1 hour, parade attendees may decide to skip the SummerFest town fair, resulting in lost revenue. | Time |
| 9. As a result of not signing a waiver protecting their drivers from liability, the Shriners may pull out of the parade, resulting in the loss of a top attraction. | Resource |
| 10. As a result of low volunteer turnout, activities may have to be cut back, resulting in parade attendee dissatisfaction and possible safety issues. | Resource |


Cause-and-Effect Diagram

Effect: Goal of increasing attendance by 50% not achieved

Cause categories: External Causes, Publicity, Policies/Procedures, Safety, People

Causes shown:

Rainy weather kept crowds away

Advertising started too late, reached limited audience

Insufficient funding for publicity campaign

Poor change control process

Not enough volunteers

Other town had a competing fund raising event.

Teenagers were rowdy at the end of the parade

Project scope shifting, parade was much bigger than originally planned


Exercise 4-1 Solution: Assess and Rank Risks

Risk Rating List

| Value of P | Value of I | Risk Score | Risk Description | Risk Rating | Risk Response Strategy |
|---|---|---|---|---|---|
| 0.7 | 7 | 4.9 | As a result of poor publicity, a smaller number of marching acts than expected sign up to participate. | High | Mitigate |
| 0.5 | 9 | 4.5 | Severe weather patterns forecast for parade day. | High | Accept |
| 0.4 | 5 | 2.0 | Large crowds, difficult to manage, could become a safety hazard. | Low | Mitigate |
| 0.4 | 9 | 3.6 | Police, traffic, and crowd control may be called away on emergency. | Medium | Avoid |
| 0.5 | 9 | 4.5 | Key marquee act pulls out: no-show, the morning of the parade. | High | Mitigate |
| 0.3 | 3 | 0.9 | Parade is considered too amateurish and attendees begin leaving before the parade ends. | Low | Avoid |
| 0.7 | 5 | 3.5 | Corporate sponsors want floats that advertise their companies to be prominently positioned in the parade. | Medium | Mitigate |


Risk Register Worksheet

Project:

Identify Risks & Analysis

Identified Project Risk | P | I | RS | Risk Category
Poor Publicity | .7 | 7 | 4.9 | Scope

Description of Identified Risk:

As a result of poor publicity, a smaller number of marching acts than expected sign up to participate, resulting in limited entertainment for the parade.

Assumptions/Basis:

Funding was sufficient for publicity campaign.

Plan Risk Responses

Strategy:

Opportunity: Exploit [ ]  Share [ ]  Enhance [ ]  Accept [ ]

Threat: Avoid [ ]  Transfer [ ]  Mitigate [X]  Accept [ ]

Trigger measure to be monitored, and source: 25 bands and acts committed by April 1

Threshold condition: < 25 bands or acts committed to participate

Potential secondary risks (risks arising from implementing this plan):

Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):

Preparatory Plan: Actions to take before risk materializes

Plan Description | Who Performs | Cost / Schedule Impact | Date Due
Launch publicity campaign directed at recruiting local organizations and bands: radio, TV, and newsprint | Comm. Director | $800 | March 1
Monitor sign up of participating bands and organizations | Ana Cruz | TBD | April 1
Assess actual to plan | Ana Cruz | TBD | April 8

Contingency Plan: Actions if the risk is triggered

Plan Description | Who Performs | Cost / Schedule Impact
Step up publicity campaign | Comm. Dir. | $1,000
Visit local schools and civic organizations to recruit | Ana Cruz |
Review weekly to see if target has been reached | Ana Cruz | TBD

Risk Owner:


Identify Risks and Analysis Worksheet

Identified Project Risk | P | I | RS | Risk Category
Not enough bands or acts sign up | .7 | 7 | 4.9 | Scope

Description of Identified Risk:

As a result of poor publicity, fewer marching acts than expected will participate, resulting in a poor parade experience for attendees.

Assumptions/Basis:

Sufficient funding for publicity

Identified Project Risk | P | I | RS | Risk Category
Severe weather patterns forecast for parade day | .5 | 9 | 4.5 | Environmental

Description of Identified Risk:

As a result of a forecast for severe weather during the parade, fewer parade goers may come to the parade, resulting in a reduced turnout for the SummerFest.

Assumptions/Basis:

Identified Project Risk | P | I | RS | Risk Category
Key marquee act pulls out: no-show, morning of parade | .5 | 9 | 4.5 | Organizational

Description of Identified Risk:

As a result of a marquee act pulling out of the parade at the last minute, the parade's schedule of events is disrupted, resulting in disappointment for parade attendees and an impression of a poorly organized event.

Assumptions/Basis:

All acts will honor their commitment when they agree to perform in the parade.


Identified Project Risk | P | I | RS | Risk Category
Police, traffic, and crowd control may be called away based on another emergency. | .4 | 9 | 3.6 | Resources

Description of Identified Risk:

As a result of other emergencies in town, the police may have to leave the parade to respond, causing traffic and crowd control issues during the parade.

Assumptions/Basis:

Police and emergency resources will be available and dedicated.

Identified Project Risk | P | I | RS | Risk Category
Corporate sponsors want additional floats that advertise their companies to be prominently positioned in the parade. | .5 | 7 | 3.5 | Scope

Description of Identified Risk:

As a result of not providing space for corporate sponsor floats, sponsors may pull sponsorship for the parade; this can result in the loss of sponsorship fees and continued support.

Assumptions/Basis:


Exercise 5-1 Solution: Apply a Perform Quantitative Risk Analysis Tool

Decision Tree Analysis Worksheet

Project: SummerFest parade PM: Ana Cruz

Part 1: Maximum Attendance Increase (good weather)

With parade:

Element | Given Information | Result
Additional Attendance | 800 people |
Additional Cost | $2,400 |
Additional Revenue | $10 X 800 people | $8,000
Additional Profit | $8,000 - $2,400 | $5,600

Without parade (advertising only)

Element | Given Information | Result
Additional Attendance | 300 people |
Additional Cost | $500 |
Additional Revenue | $10 X 300 people | $3,000
Additional Profit | $3,000 - $500 | $2,500

Part 2: Minimum Attendance Increase (bad weather)

With parade:

Element | Given Information | Result
Additional Attendance | 400 people |
Additional Cost | $2,400 |
Additional Revenue | $10 X 400 people | $4,000
Additional Profit | $4,000 - $2,400 | $1,600


Without parade (advertising only)

Element | Given Information | Result
Additional Attendance | 100 people |
Additional Cost | $500 |
Additional Revenue | $10 X 100 people | $1,000
Additional Profit | $1,000 - $500 | $500

Conclusion: Rain will certainly eat into profits with or without a parade, but even if it rains you will increase attendance and increase profits after upfront costs.


Decision Tree Analysis Diagram

Decision: Increase SummerFest Profits: Parade or No parade?

With the Parade (cost: $2,400)
   70% Fair weather: Profit = ($10 X 800) - $2,400 = $5,600
   30% Rain: Profit = ($10 X 400) - $2,400 = $1,600
   EMV (With Parade) = (70% X $5,600) + (30% X $1,600) = $4,400

Without the Parade (advertising only) (cost: $500)
   70% Fair weather: Profit = ($10 X 300) - $500 = $2,500
   30% Rain: Profit = ($10 X 100) - $500 = $500
   EMV (Without Parade) = (70% X $2,500) + (30% X $500) = $2,425


Exercise 6-1 Solution: Select Appropriate Risk Responses

Risk Register Worksheet Templates

Project:

Identify Risks & Analysis

Identified Project Risk | P | I | RS | Risk Category
Marquee performer cancels appearance at parade | .5 | 9 | 4.5 | Organizational

Description of Identified Risk:

As a result of a marquee act pulling out of the parade at the last minute, causing disruption in the parade's scheduled lineup and mass appeal, attendees could be disappointed and have the impression of a poorly organized event.

Assumptions/Basis:

All acts will honor their commitment when they agree to perform in the parade.

Plan Risk Responses

Strategy:

Opportunity: Exploit [ ]  Share [ ]  Enhance [ ]  Accept [ ]

Threat: Avoid [ ]  Transfer [ ]  Mitigate [X]  Accept [ ]

Trigger measure to be monitored, and source: Notification from performing acts

Threshold condition: No confirmation within a week of the parade

Potential secondary risks (risks arising from implementing this plan): Promotional material needs updating.

Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):

Preparatory Plan: Actions to take before risk materializes

Plan Description | Who Performs | Cost / Schedule Impact | Date Due
Get signed letter of commitment | Hannah Foster | N/A | May 1
Identify backup act to replace marquee act | Hannah Foster | TBD | May 15
Confirm appearance | Hannah Foster | TBD | June 7


Contingency Plan: Actions if the risk is triggered

Plan Description | Who Performs | Cost / Schedule Impact
Redesign and reprint posters and advertising | Ana Cruz | $300.00
Contact backup act and schedule them into the parade | Hannah Foster | TBD

Risk Owner: Hannah Foster


Exercise 7-1 Solution: Monitor and Control Risks

Change Request Form

Project: SummerFest parade

Change Request Form

Date Raised: June 7

Customer Name: N/A

Request #: 0099

Request By: Hannah Foster

Change Name: Replacement of Marquee Act for parade

Description of Change: We need to update posters and schedules.

Date Required: ASAP

Reason for Change: The BigFish Puppets have canceled at the last minute and we are in the process of replacing them with Three Dancing Bears, a clown act.

Baselines Affected:

[ ] Scope/Requirements
[ ] Schedule
[X] Budget
[ ] Quality

Change Impact Assessment

Scope: No impact on project scope. Project deliverables will not change.

Schedule: No impact on project schedule. No change to project schedule.

Budget: $300 increase for updating posters and schedules. This was an identified risk and contingency funds were established.

Quality Plan: Quality plan will not be impacted.

Risk Plan: Update risk register and plan to reflect the changes of vendors and implementation of response strategy.

Other Impacts: Puppets were a big favorite for families. As a well-regarded clown act, Three Dancing Bears should make an excellent replacement. Should be able to maintain same projected attendance levels.

Resources Required: 8 hours of Hannah Foster and Ana Cruz’s time. Printing costs.

Estimated Work Effort (hours): 8 hours

Estimated Cost: $300.


Other Comments:

Contingency Plan:

Plan Description | Who Performs | Cost / Schedule / Quality / Scope Impact
Contact Replacement Act | Hannah Foster | Schedule
Edit Posters and Schedules | Ana Cruz | Schedule
Reprint Posters and Schedules | Hannah Foster | Cost
Distribute Posters | Hannah Foster | Schedule

Project Manager Acceptance Date


Appendix C

Job Aids


Job Aids Table of Contents

Job Aid 2-1: Risk Tolerance Matrix Sample
Job Aid 2-2: Risk Management Plan Sample
Job Aid 3-1: Sample List of Project Risks
Job Aid 3-2: Cause-and-Effect Diagram Sample
Job Aid 4-1: Risk Register Worksheet Sample
Job Aid 4-2: Risk Rating List Sample
Job Aid 5-1: Decision-Tree Analysis Sample
Job Aid 6-1: Risk Response Plan Sample
Job Aid 7-1: Change Request Sample


Job Aid 2-1: Risk Tolerance Matrix Sample

Capitol Flyer Corporate Customer Satisfaction Project

Stakeholder | Relationship to Project | Risk Tolerance Level | Reason for Risk Tolerance Level
Derek Reith, CEO | Sponsor | Risk taker | As the CEO, he sees major opportunity to increase business. His success has come from having courage to seize opportunities.
China Baker, VP Customer Service | Contributor | Risk tolerant | She recognizes this as a chance to build business, but knows it will only work if implemented well.
Tim Nishimoto, Director of Reservations | Contributor | Risk tolerant | He sees the possibilities for improvement, but wants to make sure things run smoothly in the interim.
Martin Zarcar, Director of Operations | Contributor | Risk averse | He's concerned that the project will mess up an excellent existing system.
Roberta Lauderdale, VP Sales and Marketing | Contributor | Risk taker | She sees major opportunity with corporate customers; with her, it's all upside.
Gavin Brody, VP Finance & Accounting | Affected | Risk averse | The company is making good profits; why mess with success?


Job Aid 2-2: Risk Management Plan Sample

Capitol Flyer Corporate Customer Satisfaction Project

Methodology

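Process | Task | Participants
Identify Risks | Brainstorming | PM, project team, customer
Identify Risks | Interviews | PM
Identify Risks | Review of past projects | PM
Identify Risks | Analysis of triggers | PM
Perform Quantitative Risk Analysis | Interview key stakeholders | PM, project team
Perform Quantitative Risk Analysis | Brainstorming sessions with team members | TBD
Perform Quantitative Risk Analysis | Conduct sensitivity analysis | TBD
Perform Quantitative Risk Analysis | Determine how to change/mitigate risks | PM, project team
Perform Qualitative Risk Analysis | Probability and impact analysis | TBD
Perform Qualitative Risk Analysis | Determine risk score | TBD
Perform Qualitative Risk Analysis | Risk ranking table |
Perform Qualitative Risk Analysis | Risk profile |
Plan Risk Responses | Assign risk owner to each risk |
Plan Risk Responses | Develop contingency plans |
Monitor and Control Risks | Daily review of all High/Very High risks | team
Monitor and Control Risks | Weekly review of all Medium risks | team
Monitor and Control Risks | Report risk triggers to PM | all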


Roles and Responsibilities

Role | Responsibilities
Sponsor | Help draft project charter; Define business objectives; Review and approve key documents (scope statement, WBS, requirements, change requests, etc.)
VP Customer Service | Define business objectives; Assumptions and constraints; Review and provide feedback on key documents (scope statement, WBS, requirements, change requests, etc.); Supply and interpret data from customer surveys and focus groups
VP Operations | Assumptions and constraints; Review and provide feedback on key documents (scope statement, WBS, requirements, change requests, etc.); Act as subject matter expert on business processes
Director of Sales and Marketing | Assumptions and constraints; Review and provide feedback on key documents (scope statement, WBS, requirements, change requests, etc.); Advocate for new system with staff; Plan training

Budgeting

Risk Management Activities

Activity | Budget
Develop and apply sample use cases | $5,000
Contract with marketing company to design survey and conduct anonymous focus groups | $22,000
Conduct research on vehicle and foot traffic patterns for potential point-of-origin locations | $9,000

Contingency Reserves

Organization policy suggests 10% of risk budget for contingencies. Therefore, set contingency reserve at $3,600, which is 10% of the money budgeted for risk management activities, above.


Timing

Activity | Phase/Date
Develop and apply sample use cases | planning
Contract with marketing company to design survey and conduct anonymous focus groups | execution
Conduct research on vehicle and foot traffic patterns for potential point-of-origin locations | planning

Risk Categories

• Scope
• Technology
• Time
• Cost
• Interfaces
• Project Complexity
• Labor Availability
• Quality Requirements


Definitions of Risk Probability and Impact

Probability

Very Low | Low | Moderate | High | Very High
1 | 3 | 5 | 7 | 9

Impact

Project Objective | Very Low (.5) | Low (1) | Moderate (2) | High (4) | Very High (8)
Cost | Insignificant increase | < 10% increase | 10-20% increase | 20-40% increase | > 40% increase
Time | Insignificant increase | < 5% increase | 5-10% increase | 10-20% increase | > 20% increase
Scope | Barely noticeable | Minor areas affected | Deliverable affected | Effect on scope unacceptable | Item is effectively useless

Probability and Impact Matrix

Value of P | Value of I | Risk Score | Risk Description | Risk Rating | Risk Response Strategy
7 | 4 | 28 | Reservations may not know what enhancements they want | Moderate | Mitigate
9 | 8 | 72 | Insisting on specifying all requirements up front will lead to numerous change requests later | High | Avoid
5 | 4 | 20 | Operations may be too busy to provide and review requirements | Moderate | Mitigate
3 | 4 | 12 | Surveys and focus groups may annoy customers | Low | Transfer
3 | 2 | 6 | 2nd point of origin/destination costs may exceed added revenues | Low | Accept


Revised Stakeholders’ Risk Tolerances

Stakeholder | Normal Risk Tolerance | Current Project Risk Tolerance
Derek Reith | Risk taker | Risk taker
China Baker | Risk taker | Risk tolerant
Tim Nishimoto | Risk tolerant | Risk tolerant
Martin Zarcar | Risk tolerant | Risk averse
Roberta Lauderdale | Risk tolerant | Risk taker
Gavin Brody | Risk averse | Risk averse

Reporting Formats

Report | Format
Risk Register | Multi-column table; electronic
Status Reports | Document; hard copy & email to team members
Change Requests | Electronic form

Tracking

Process | Auditing Procedure
Plan Risk Management |
Identify Risks |
Perform Qualitative Risk Analysis |
Perform Quantitative Risk Analysis |
Plan Risk Responses |
Monitor and Control Risks |


Job Aid 3-1: Sample List of Project Risks

Capitol Flyer Corporate Customer Satisfaction Project

List of Identified Risks | Category
1. As a result of operational responsibilities, reservations agents may not know what system enhancements they want, which would lead to unclear project objectives. | Scope
2. As a result of being asked to participate in surveys and focus groups, existing customers may get annoyed, which can lead to loss of business. | Quality
3. As a result of adding a 2nd point of origin/destination in both Washington, DC and Philadelphia, costs for terminal space will increase; for a time, while the new service is being established, added costs may exceed added revenues. | Cost
4. As a result of the corporate discount and "frequent flyer" individual discount initiative, the development team will need to create accounts for an unspecified number of new and existing customers; that is an area in which they lack experience. | Time, Technology


Job Aid 3-2: Cause-and-Effect Diagram Sample

Capitol Flyer Corporate Customer Satisfaction Project


Job Aid 4-1: Risk Register Worksheet Sample

Risk Register

Project: Capitol Flyer Corporate Customer Satisfaction Initiatives

Identify Risks & Analysis

Identified Project Risk | P | I | RS | Risk Category
Surveys and focus groups | 3 | 4 | 12 | Quality

Description of Identified Risk:

As a company inexperienced with conducting surveys and focus groups, we might inadvertently annoy existing customers asked to participate.

Assumptions/Basis:

Capitol Flyer will conduct the surveys and focus groups.

Participant pool will include existing customers.

Plan Risk Responses

Strategy:

Opportunity: Exploit [ ]  Share [ ]  Enhance [ ]  Accept [ ]

Threat: Avoid [ ]  Transfer [X]  Mitigate [ ]  Accept [ ]

Trigger measure to be monitored, and source:

Threshold condition:

Potential secondary risks (risks arising from implementing this plan):

Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):

Preparatory Plan: Actions to take before risk materializes

Plan Description | Who Performs | Cost / Schedule Impact | Date Due
Contract with a marketing company to design the survey and conduct the focus groups anonymously | RL | $12k |


Contingency Plan: Actions if the risk is triggered

Plan Description | Who Performs | Cost / Schedule Impact
n/a

Risk Owner: Roberta Lauderdale


Job Aid 4-2: Risk Rating List Sample

Capitol Flyer Corporate Customer Satisfaction Project

Value of P | Value of I | Risk Score | Risk Description | Risk Rating | Risk Response Strategy
7 | 4 | 28 | Reservations may not know what enhancements they want. | Moderate | Mitigate
9 | 8 | 72 | Insisting on specifying all requirements up front will lead to numerous change requests later. | High | Avoid
5 | 4 | 20 | Operations may be too busy to provide and review requirements. | Moderate | Mitigate
3 | 4 | 12 | Surveys and focus groups may annoy customers. | Low | Transfer
3 | 2 | 6 | Second point of origin/destination costs may exceed added revenues. | Low | Accept


Job Aid 5-1: Decision-Tree Analysis Sample

Capitol Flyer Corporate Customer Satisfaction Project


Job Aid 6-1: Risk Response Plan Sample

Risk Register

Project: Capitol Flyer Corporate Customer Satisfaction Initiatives

Identify Risks & Analysis

Identified Project Risk | P | I | RS | Risk Category
Surveys and focus groups | 3 | 4 | 12 | Quality

Description of Identified Risk:

As a company inexperienced with conducting surveys and focus groups, we might inadvertently annoy existing customers asked to participate.

Assumptions/Basis:

Capitol Flyer will conduct the surveys and focus groups.

Participant pool will include existing customers.

Plan Risk Responses

Strategy:

Opportunity: Exploit [ ]  Share [ ]  Enhance [ ]  Accept [ ]

Threat: Avoid [ ]  Transfer [X]  Mitigate [ ]  Accept [ ]

Trigger measure to be monitored, and source:

Threshold condition:

Potential secondary risks (risks arising from implementing this plan):

Residual risk (estimated remaining P, I, and RS after Risk Response is implemented):

Preparatory Plan: Actions to take before risk materializes

Plan Description | Who Performs | Cost / Schedule Impact | Date Due
Contract with a marketing company to design the survey and conduct the focus groups anonymously | RL | $12k |

Contingency Plan: Actions if the risk is triggered

Plan Description | Who Performs | Cost / Schedule Impact
n/a

Risk Owner: Roberta Lauderdale


Job Aid 7-1: Change Request Sample

Project: Capitol Flyer Corporate Customer Satisfaction Initiatives

Change Request Form

Date Raised: September 21

Customer Name: N/A

Request #: 3

Request By:

Change Name: door-to-door service option

Description of Change:

When they purchase a ticket online, customers can opt to enter their end destination (street address), and receive map and transit options, including a car service to meet them at Capitol Flyer terminal.

Date Required: Oct 1

Reason for Change:

Enhanced customer service; gain additional competitive advantage

Baselines Affected:

[X] Scope/Requirements
[ ] Schedule
[X] Budget
[X] Quality

Change Impact Assessment

Scope: Adds an initiative to the project; this initiative will need to be scheduled, budgeted, and implemented.

Schedule: 2 week delay to full project launch (estimate pending scope review)

Budget: $25-$35k (estimate pending scope review)

Quality Plan: Perform weekly QA review of this service option throughout planning and development

Risk Plan: Weekly monitoring of budget and schedule throughout planning and development

Other Impacts:

Resources Required: Development Team, QA

Estimated Work Effort (hours): 65 hours

Estimated Cost: $25,000

Other Comments:
