RSK520_ReferenceMaterial


  • 7/27/2019 RSK520_ReferenceMaterial


    Copyright ESI International
    January 2007

    All rights reserved.

    No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of ESI International.

    All material from A Guide to the Project Management Body of Knowledge (PMBOK Guide), Third Edition is reprinted with permission of the Project Management Institute, Four Campus Boulevard, Newtown Square, Pennsylvania 19073-3299, USA, a worldwide organization of advancing the state-of-the-art in project management. Phone: (610) 356-4600, Fax: (610) 356-4647.

    PMI did not participate in the development of this publication and has not reviewed the content for accuracy. PMI does not endorse or otherwise sponsor this publication and makes no warranty, guarantee, or representation, expressed or implied, as to its accuracy or content.

    PMI does not have any financial interest in this courseware and has not contributed any financial resources.

    "PMI" is a service and trademark of the Project Management Institute, Inc., which is registered in the United States and other nations.

    "PMBOK" is a trademark of the Project Management Institute, Inc., which is registered in the United States and other nations.

    "PMP" is a certification mark of the Project Management Institute, Inc., which is registered in the United States and other nations.

    ESI International
    901 Glebe Road
    Suite 200
    Arlington, VA 22203
    Phone (703) 558-3000
    Fax (703) 558-3001

    CONTENTS

    Chapter 1: Introduction to Risk
        Introduction to Risk
        Risk Characteristics and Exposure
        Risk Management
        Risk Management and the Project
        Types of Risk
        Characteristics of Risk Events
        Factors Affecting Risk Perceptions
        Chapter Summary
        Next Steps Action Plan

    Chapter 2: Risk Management Planning and Identifying Risks
        Risk Management Planning and Identifying Risks
        Risk Management Process
        Risk Identification
        Risk Events and Risk Event Lists
        Chapter Summary
        Next Steps Action Plan

    Chapter 3: Analysis Fundamentals
        Establishing Risk Measurement Parameters
        Presenting Risk Information
        Probability Analysis and Rules of Probability
        Chapter Summary
        Next-Steps Action Plan

    Chapter 4: Analyzing and Prioritizing Risk
        Next Steps in Risk Management
        Step 3: Analyzing Risks
        Impact Analysis
        Tools and Techniques for Risk Analysis
        Overall Risk Rankings
        Step 4: Prioritizing Risks
        Risk Prioritization Process and Tools
        Prioritized Risk Listing
        Chapter Summary

        Schedule Risk Response Planning
        Response Analysis Matrix
        Reserves
        Risk Management Plan
        Chapter Summary
        Next-Steps Action Plan

    Chapter 6: Risk Execution, Evaluation, and Updating
        The Final Risk Management Steps
        Risk Monitoring and Control
        Step 6: Execute Risk Strategy
        Step 7: Evaluate Results
        Step 8: Document Risk Management Results
        Chapter Summary
        Next-Steps Action Plan

    Chapter 1: Introduction to Risk

    Chapter Overview

    This chapter introduces the fundamentals of risk in a project.

    Introduction to Risk

    Risk Overview

    Any study of risk and risk management should begin with the fundamentals: those basic terms and concepts that underlie all the more detailed methods and activities that project managers and their organizations apply and undertake. Some of these terms and concepts are related to the project itself, because it is the project manager who is ultimately responsible for risk management in his or her project. Others relate strictly to the discipline of risk management. In any event, risk is something that is a part of every project and has to be continuously evaluated and dealt with throughout the project life cycle.

    Whether you are encountering some of these terms for the first time or whether you are an accomplished project manager, you have undoubtedly experienced the realities of risk events in a project. In fact, a project manager is in simple terms a risk manager. Every project contains some level of risk. If it did not, it would not be worth pursuing. As a result, project managers have to live with the reality of risk. Their challenge is managing it.

    Key Risk Definitions

    Risk is an uncertain event or condition that, if it occurs, has a positive or a negative effect on a project objective. Notice that in the definition, we clearly stated that there is either a positive or negative effect on the project. Risk is one of those words that immediately conjure up the image of something bad. But it is important to remember that risk can also provide positive benefits as well as negative ones. We will discuss this in more detail later.

    Risk management is the systematic process of identifying, analyzing, and responding to project risk. We want to maximize the probability and the impact of any positive risk factors and minimize the probability and impact of those that might negatively affect the project.

    Some organizations establish a risk office or assign a person to be the risk manager. This generally is a mistake. The project manager is ultimately responsible for risk, and taking the risk function out of the project or establishing it as a separate function from the project may

    Risk Characteristics and Exposure

    Three Defining Elements

    A project risk has three defining elements:

    • It is a definable event.
    • There is a probability the event will occur.
    • There is a consequence to the project if the event occurs.

    The event is what could happen, both good and bad, to the project. Remember that risk by itself is a neutral word; it could be something devastating that might happen, or it could be an opportunity to improve the organization's capability or profit. Regardless, the risk event is what could happen to the project.

    It is very important to determine when a risk event might occur. If the event is likely to occur early in the project life cycle, then it must be addressed immediately. Potentially long-term risk events, that is, events that probably will occur later in the project life cycle, must be planned for but don't have to be addressed immediately (other than for contingency planning).

    The frequency of an event also is important to determine. A risk event, even a low risk event, can be disrupting and even disastrous to a project if it is likely to occur over and over. So if you can determine the likelihood that an event will keep occurring, it can help you plan for the eventuality and perhaps even eliminate the risk completely.

    The probability of the risk is simply the chances the event will occur. Clearly, there may be a potential event, but if the chances of it occurring are slim to none, then it is not really a risk at all as a practical matter. As we will see later, it is important to consider this aspect of risk and, if possible, assign an actual percentage probability to the occurrence of risk events. Assigning a probability figure enables one to use additional planning tools in preparing against the risk's impact.

    The consequence of the occurrence of any risk event is measured in terms of its impact on the project. The project can have an identified risk event with a high probability of its happening; but if the impact (even if it does happen) is low, then the risk can be ignored or at least tolerated.

    With these elements described, the amount of risk exposure to the project and to the organization can be determined

    Risk Exposure (continued)

    chapter.) This is one instance in which the senior management is not particularly interested in the gain from a risk event; when he or she asks, "What is our risk exposure?" the interest is in determining what the cost to the project or organization could be.

    One of the challenges the project manager and the project team face is defining risk. Even though we provided a definition of risk and described its elements, the reality is that everyone views risk differently. For example, if one asks, "What is the risk?" he or she may be asking for a description of the risk event.

    Another person might ask, "What is the risk?" and be referring to the impact of the risk or the risk exposure to the organization. Thus, it is imperative that the project manager be well versed in risk management and particularly adept at determining exactly what the person wants to know. More importantly, the project manager must be able to describe exactly what the person wants to know within his or her frame of reference. The latter can be greatly aided by understanding the different types of risks.

    Risk Management

    Knowing that the project manager is responsible for project risk management may not provide a sense of comfort, but considering how a good risk management program can benefit the project and organization, every project manager should strive to be an accomplished risk manager.

    Benefits of Risk Management

    There are several benefits of risk management. They include:

    • Minimizing management by crisis: When a risk event occurs, there is always a reactive response to it if the risk was not anticipated.
    • Minimizing surprises and problems: As you will soon discover, identifying and planning for risk is the best way to avoid being surprised by it.
    • Gaining competitive advantage: Any well developed,

    • Increasing the probability of success: Keeping the project on its planned schedule and budget enhances the probability that the project can be completed successfully.
    • Increasing profitability: Poor risk planning invariably leads to rework, scheduling problems, and cost overruns; good risk planning eliminates many of these problems and contributes directly to the bottom line.

    Project Manager and Team Member Responsibility in Risk Management

    We mentioned earlier that the project manager has ultimate responsibility for risk management in his or her project. We also mentioned that it is not wise to assign a separate person or group to be responsible for risk because the tendency is to assume someone is taking care of the risk problems when, in fact, he or she may not be. That does not mean that the project manager can't assign task leaders or other team members to be responsible for watching the potential risks that have been identified in their tasks and for implementing the risk response strategy to cope with a risk should it happen.

    The project manager is responsible for initiating and leading the risk management process. This is done by integrating the risk management plan into the project plan and then ensuring that every team member is familiar with the identified potential risks, when they are likely to occur during the project life cycle, the task(s) they are likely to affect, and the approved response strategy to mitigate each risk.

    The project team members are responsible for performing the risk management process by watching for risk triggers (that is, indicators that a risk event could occur), actually implementing the appropriate risk response strategy, and most importantly, reporting the status of the risk to the project manager. A closely coordinated risk management plan and a defined and documented risk management process will help ensure a smoothly run and successful project.

    Risk Management and the Project

    Risk Management Is Integrated with the Project Planning Process

    Risk management has to be performed throughout the project life cycle,

    Generally, the steps of the risk process are

    • Identification
    • Quantification
    • Response development
    • Response control

    These are the major steps, which will be expanded and discussed in depth in the next chapter when we introduce the ESI Risk Model. The reasons for introducing these steps here are twofold: to lead into how one can begin identifying risks during project planning and to accentuate the fact that there are specific steps to the risk management process that cannot be overlooked. This concept will become clearer during the following discussion.

    At the beginning of a project, the earliest that you will have some sense of its risks is during the assessment of the requirements. The customer almost always makes some statements as to when the product or service is needed. That statement potentially defines a risk. For example, if the customer states that the product must be operational by no later than a particular date, that may create a risk because it may not be possible to deliver by that date without extraordinary efforts such as working overtime, hiring new resources, teaming with another company, or engaging consultants. There also will be other statements in the requirements that indicate risks. For example, the customer may place restrictions on the budget and product reliability or maintenance requirements.

    The next opportunity to identify risk is in the development of the WBS. The WBS is, in the opinion of most project managers, the best place to identify risks because after the tasks are identified, the attendant risks almost identify themselves. For example, if a required task is one that your organization has little or no expertise to deliver, then clearly it is a risk; even if your organization has the expertise, the resources may not be available when they are needed. Another opportunity for identifying risk is while doing budget and schedule estimates. Obviously, when tasks are planned and the cost and time to do them are considered, there may or may not be an impact to the project. Again, it is a matter of pure resource availability and during this assessment period the skill sets that

    By the time the cost, schedule, and scope baselines are defined and agreed upon, most of the risks in the project should be identified and assessed as to whether they represent real risks, response strategies should be developed, and an overall risk plan should be written.

    Risk Management Is a Full Project Life-Cycle Responsibility

    The best project managers are those who constantly evaluate and test their plans and revise them on a regular basis. That is not to imply that the project's baseline changes every few days; it does not. But planning by definition involves estimating, which does require reevaluating and refining. Every time any plan or any portion of a plan is updated, the risk management plan must be reevaluated and updated too. Thorough risk management is integral to the success of the project and without it, the project may be doomed to failure before it ever begins.

    But the news is not all dismal. As the project progresses, risk decreases. It decreases simply because we learn more about the project and its risks as time passes. Also, risk events that were predicted at the beginning of the project may not actually occur; and if they do occur, our response strategies are put into place, and we know how well the project responded.

    However, risk only decreases in the sense that the probability of a risk event happening decreases. The impact of a risk event, if it should happen, increases as the end of the project gets closer. This is true because by the time the project is in its final phases, the investment of time and money in the project is at its highest.

    [Figure: Project Life Cycle; curves labeled Risk and Impact; axis labeled Level]

    Types of Risk

    Are There Different Types of Risk?

    Actually, there are different types of risk. Remember that we spoke of opportunity for gain and the possibility of loss when risk is considered. In a very real sense, that notion defines the types of risks that are confronted in a project. Basically, at least for all practical purposes, there are four types of risk that project managers and their teams need to be aware of. They are

    • Business risk
    • Pure or insurable risk
    • Known risk
    • Unknown risk

    Business Risk

    Business risk is the normal risk of doing business and carries with it the potential for both loss and gain. For example, suppose the customer for a project decides to change the scope. The change may involve a negative risk, that is, loss, because it might require expertise that your organization does not possess. On the other hand, it might involve considerable gain because it could mean significantly more profit if you can accomplish the scope change efficiently. Business risk is the kind of risk an organization should not only embrace but also pursue. It is the type of risk we can manage.

    Pure or Insurable Risk

    Pure or insurable risk is the risk that is associated only with loss and has no opportunity for gain. This includes threats such as fire or hurricane. The organization needs to avoid or at least greatly reduce the direct impact of this form of risk by passing it on to another party. This can be accomplished by purchasing insurance or by teaming with another party that has the expertise to do the job.

    Generally, we think of this kind of risk in terms of catastrophic events, such as fire, but the fact is, this kind of risk occurs when an organization attempts to do a job without having the requisite skill sets or expertise. Those are the cases where the solution is simply to team with a company that has the skill and expertise to accomplish the task(s) in question.

    Known Risk

    Known risk includes those risks one should naturally be aware of (such as

    particular time, then the decision could be made to either hire additional resources, team with another company, outsource the work, or negotiate with the customer to delay work on that particular portion of the project.

    Unknown Risk

    Unknown risk is not so easy to deal with. By its very definition, it includes risks that we cannot anticipate or plan for, except perhaps by adding money to the management reserve fund.

    An unknown risk is, for example, a tornado that strikes in an area not usually susceptible to such weather phenomena. The disease AIDS was an unknown risk before it hit millions of people.

    Having reviewed the different types of risk, it is important to consider some of the characteristics of risk events themselves.

    Characteristics of Risk Events

    Risk Events Overview

    Recognizing risk characteristics aids in planning responses to them. One or more of several characteristics are inherent in every risk event. Risk events are

    • Situational
    • Interdependent
    • Magnitude dependent
    • Value based
    • Time based

    Situational

    Because risks can occur from actions by team members, stakeholders (internal or external to the project) or just from the normal project activities, risk inevitably must be handled on a case-by-case basis. In short, risks are predictable only within limited parameters, and so the ongoing use of sound project management tools and techniques that are tried, documented, and available to team members is crucial.

    Interdependent (continued)

    Second, if the domino effect of interdependent risks is large enough, the immediate perception is that the project is too difficult. In the second case, a too risky project is one that loses stakeholder and team member support very rapidly.

    Magnitude Dependent

    Low risk events usually involve only a few people or relatively low costs. In other words, the risk is low enough that its effect on the project can be ignored. However, as the magnitude of the risk increases, it has impacts on many people, organizations, and costs. The fact that the risk impact is potentially greater is not necessarily bad; remember that risk has both a loss and gain component. For example, if the customer increases the scope of the project, the change might add increased risk to the organization because the new requirement(s) may involve work outside the organization's expertise. However, the increased scope may mean larger profits if the organization can increase its skill base by either teaming with another company, hiring the requisite experience and skills needed, or negotiating a delay in providing the additional scope requirements until the skill sets are trained.

    Again, if the perception of risk is that it is too big to be handled, then the project manager will lose stakeholder and team support. Arguably, the bigger problem is that risks can become so big and affect so many people or groups of people that the cost of involvement in the project outweighs its potential payoff.

    Value Based

    Risk means different things to different people. The banking industry, for example, is very conservative. Bankers do not lend money to people who have poor credit ratings. On the other hand, venture capitalists have no problem lending money on very risky ventures, provided the payoff is large. So risk management in each organization will take on a different complexion depending upon the organization's industry, its business goals, its culture, and how well they are equipped and trained to handle risks.

    Time Based

    Risk is a phenomenon that is time based; it is always in the future. In

    In the former case, having more time available, risk actually does lessen. The more time we have, then the more we understand about the project requirements, how well the technical solution is working, whether the proper personnel are on the project, and the more efficient the management processes, including risk management, are working.

    STIM-V

    It is important to remember these risk characteristics because they affect how we plan our risk responses, which is discussed in more detail later in this text. One way to remember them is with the mnemonic, STIM-V, which is (S)ituational, (T)ime based, (I)nterdependent, (M)agnitude based, and (V)alue based.

    Factors Affecting Risk Perceptions

    Risk Perceptions Overview

    Organizations and individuals have perceptions of risk that influence their approach to them. There are many reasons why project teams and organizations in general do not do a good job managing risk. Understanding these reasons and factors affecting the perception of risk is one key to improving the risk management process for your organization and your project.

    The factors that most affect the perceptions of risk are

    • Lack of control
    • Lack of information
    • Time
    • Risk preference

    Lack of Control

    Much of project risk is not within the control of the project team. It is risk that is created by outside influences such as weather phenomena, environmental or other regulations, or even actions from other project and organizational activities. Perhaps the most common risks occur when one project's schedule depends upon the schedule of resources within other projects. If a key task requires, for example, tests by an overworked small specialized test group within the organization the

    Lack of Information

    Lack of information is the norm, particularly in the early stages of risk identification. Generally, the lack of information is caused by incomplete or poorly stated requirements, unfamiliarity with the customer or the customer's needs, or lack of experience or skills with the likely technical solution. The single biggest obstacle in obtaining adequate information is time. Given enough time, we could collect all the relevant data needed to identify and plan for nearly every risk, but most projects must meet either a customer's operational schedule or time to market imperative.

    Time

    In addition to the impact of time on how much information is or is not available, time has other important implications as well, some perceptual and some real.

    The farther the potential risk event is into the future, then the greater the degree of uncertainty is about the risk impact should the event occur. On the other hand, the perception often is "out of sight and out of mind." We tend to become complacent about the risk, and unless a conscientious effort is made to continue assessing it, the risk event's occurrence may come as a surprise and turn out worse than expected.

    There is one good thing about time when it is used properly in the sense of risk planning. Given adequate time, the project manager and his or her team can change their approach or plan contingency approaches to minimize the negative effects and maximize the opportunities that the risk event holds.

    Chapter Summary

    • There are three defining components of risk:
        o The event itself (what can happen, good or bad, to the project?)
        o The probability of occurrence (how likely is it that the event will occur?)
        o The impact of the event (what is the effect on the project if the event does occur?)
    • Risk can have either a negative or positive component if it is business risk. This is the kind of risk every project and organization should be pursuing, with the aim of reducing the former and maximizing the latter.
    • Risk that has only a potential for loss is called pure or insurable risk. This kind of risk should be avoided or passed to a third party either by purchasing insurance, by teaming with another company, hiring additional personnel, or by renegotiating the delivery schedule.
    • Risk events are inherently situational, interdependent, magnitude dependent, value based, and time based.
    • Risk management is the process of identifying, analyzing, and responding to the risks in a project.

  • 7/27/2019 RSK520_ReferenceMaterial

    18/97

    Next-Steps Action Plan

    Take a few minutes to review what you have learned from the last unitand how you will apply the principles learned when you return to yourorganization.

    1. How is risk managed in your organization today?

    2. How does your organization view risk?

        - What are typical threats in your environment?

        - What are typical opportunities in your environment?

    3. Who is responsible for dealing with risk in your organization?

    4. Why is it so important for risk management to be performed through the project life cycle?

    5. Turn to the Action Plan on the next page and document your next steps.

    6. Develop a list of two or three actions you will complete when you return to work.

    7. Identify who you need to involve for each item you have listed.

    8. Finally, identify the appropriate time frame for accomplishing each of these steps. For items you know will be ongoing, identify milestones for each period (3, 6, 9, and 12 months and over).


    Action Plan: Apply what you have learned from this unit by developing a list of actions you will complete when you return to your organization.

    What do I want/need to do next? | Who | Time: 3 months | Time: 6 months | Time: 9 months | Time: 12+ months

    1.

    2.

    3.

    4.

    5.

    6.

    Risk Management Planning and Identifying Risks

    Chapter 2

    This chapter discusses the first two steps of the Risk Management Model.


    Risk Management Planning and Identifying Risks


    To manage risks effectively, the project manager must obtain thoughtful input on project risks from the project team. To do this, the project manager must be able to convince the project team of the importance and benefits of risk management based on his or her own understanding. The project manager should be able to describe the basic eight-step ESI risk management model and the activities that it includes, identify risks using a variety of tools and techniques, and develop a risk listing for a project.

    What is the relationship between risk management and project management? Project management involves planning, organizing, directing, and controlling company resources to provide a product or service on schedule, within budget, and in accordance with the customer's stated requirements. Risk management is that part of project management that deals with the processes of identifying, quantifying, responding to, and controlling the risks inherent in a project.

    In other words, there is a fundamental difference between risk management and project management. Project management is the process that gets us to an objective; risk management is an enabler to that process. Risk management considers issues that could possibly affect that process as it unfolds; project management looks at the process itself. Risk management looks at how we can avoid problems; project management looks at how we get beyond problems. It is a fundamental, very simple difference. When it comes to risk management, we are looking at the reality of day-to-day life and how we can have an impact on those things that might stop us from getting to our objective. Project management is the effort to work toward and actually reach that objective.

    Risk Management Process


    The desired outputs resulting from the use of various tools and techniques include a list of prioritized risks, a risk response plan, and a list of risk indicators that, with proper monitoring, will provide early indications of risks that come to pass.

    Both PMI and ESI International have developed risk management models. ESI's is an eight-step model based on practical experience and best practices that go beyond the information in A Guide to the Project Management Body of Knowledge (PMBOK Guide). The ESI model will serve as the structure for the remainder of this text. Its steps are listed in order below, with the corresponding steps from the model provided by the PMBOK Guide in parentheses. The first two steps are addressed in this chapter.

    - Risk Management Planning (Risk Management Planning)

    - Identify (Risk Identification)

    - Analyze (Qualitative and Quantitative Risk Analysis)

    - Prioritize (Qualitative and Quantitative Risk Analysis)

    - Plan (Risk Response Planning)

    - Execute (Risk Monitoring and Control)

    - Evaluate (Risk Monitoring and Control)

    - Document (Risk Monitoring and Control)

    Risk management planning is the first step of an eight-step process. It must be completed so that risk planning and analysis do not become afterthoughts to project planning. It is important to set aside time and processes to plan for project risk. This is done by conducting a team meeting specifically to address risk issues. The agenda for the meeting should include reviewing lessons learned from previous, similar projects and reviewing all the project documents (statements of work, contracts, specifications, resource availability charts, and so on) to ensure that the team is aware of all potential risk sources. It should conclude with an agreement on the process that will be followed and the tools and techniques that will be used in planning for the risks associated with the project in question.


    must perform. Second, when the project manager and project team do not identify risks, they cannot take steps to mitigate them. Finally, simply identifying the risks begins to reduce risk from the start.

    Risk identification continues to be important throughout the duration of the project. Although the initial project planning phase is the first time to identify risk, it is not the only time to do so. Risks should be identified continuously throughout the life of the project. In addition, the initial list of risks may be used until the project is completed. This means that each risk event must be stated specifically and clearly for the risk management process to operate effectively, because the project team members must be able to understand exactly what was meant when they refer at a later date to the original risk management plan.

    Risk Identification

    Certain guidelines should be followed in describing risk events to ensure that they are specific and fully defined. The effectiveness of the risk management process relates directly to how well each risk event is defined. If a risk event is not stated specifically, how can a project manager develop a good risk response? How will the organization be able to use lessons learned effectively in the future? Guidelines for risk identification include the following:

    - The risk description should state the event that may happen, when it is likely to occur, and what its impact will be. For example, on a prison construction project the supplier of difficult-to-find alarm glass windows might go out of business before completing fabrication, thereby causing delays to accomplish reprocurement with another supplier.

    - Use the WBS as a good tool for risk identification. This will help ensure coverage of all significant risks and facilitate analysis of their potential effects on the project's cost and schedule.

    - In identifying risks, be thorough but don't be absurd. It's easy to start brainstorming risks based on every WBS activity only to develop a ridiculously long list of trifling risks. Risk identification


    Specific tools and techniques can be used to help the project team identify risks. They include the following:

    - Expert interviews*

    - Delphi technique*

    - Brainstorming*

    - Nominal group technique

    - Crawford slip method

    - Affinity diagram

    - Analogy process

    - Checklists, questionnaires, and templates*

    These are all proven tools and techniques, and each has different nuances in exposing risk and allowing the project team to find risk. The project manager should be careful to select the most appropriate tool for each situation.

    The expert interviews process starts with identifying appropriate individuals to interview. The right experts are not just those individuals who have pertinent knowledge. Rather, they are individuals who will be willing to share that information in the interview. The team must also prepare for the interview and target subjects of interest. This requires preparing open-ended questions that allow interviewees to expand on ideas. If you ask "yes" or "no" questions, then you probably will get "yes" or "no" answers.

    During the actual interview, when the expert talks, the team must listen carefully. Active listening is work, indeed hard work, but it is also the key to a useful interview. Listening closely and responding with intelligent follow-up questions will yield the very best information. To obtain the maximum benefit from the process, document what was said during or immediately after the interview. Otherwise, all the valuable information garnered during the interview may be lost.

    The Delphi technique is a more involved form of the expert interview technique. It is named for the Greek oracle located at the foot of Mt. Parnassus whose most famous prediction was that Oedipus would kill his


    The RAND Corporation developed the Delphi technique in 1948 as a way of obtaining the input of several experts on specific issues. The technique proceeds according to the following steps:

    - Step 1. The coordinator formulates the problem and distributes it to experts in the field. This is the hardest step. If you phrase the question improperly, different experts can interpret it differently and undermine chances for the success of the Delphi technique. When applying this technique, devote a lot of time to Step 1. In the risk identification process, the basic problem is to determine the reasonably significant project risks, how likely each is to occur, and what kind of effects each will have on the project.

    - Step 2. The experts review the problem and send their written position statements to the coordinator.

    - Step 3. The coordinator then sends out the position papers without attributing them to their authors. Each expert knows only his or her position, but this step gives each an opportunity to compare it to the other experts' positions.

    - Step 4. The experts can then reconsider their positions and submit changes as appropriate.

    The cycle of reviewing and resubmitting positions can be repeated several times as needed. Sometimes experts are very reluctant to change their opinions. Ultimately, in a risk identification exercise, the list of risks is finalized on a Risk Listing form.

    The Delphi technique can be advantageous when soliciting input from individuals who are geographically dispersed. In these circumstances, travel time and cost make frequent group meetings infeasible, so using a group information gathering technique with limited personal interaction works well. Because the parties providing input do not interact directly, this technique can be useful for addressing issues that are politically sensitive or seeking input from diverse (or adverse) individuals. The Delphi technique also works well when the problem being addressed requires some attention to detail, does not lend itself to precise analytical techniques, or can take some time to be resolved. Conversely, if you need quick answers based on interpersonal group input, the Delphi technique is not for you.


    In short, the modified Delphi approach is a more practical way to get the needed information without the rigor (or the time) needed for the original model. This other approach allows companies to do it on their own and provides for quicker resolution/solution of the multiple cycles. It, however, will be more biased than the original technique. The central person needs to be a good facilitator to draw out all of the information in the meetings, to allow the silent members an opportunity to contribute.

    The steps of the modified technique are very similar to the original.

    - Step 1: The facilitator prepares materials and coordinates reviewers. Since all reviewers meet in Step 5, it is less imperative to get the questions exactly right. Do try to remove ambiguity, but know that you will get an opportunity again to tell them what you really want.

    - Step 2: Reviewers attend kickoff meeting to discuss the objective, due date, expectations, and so on. Provide common ground; let the reviewers ask clarifying questions, then let them go.

    - Step 3: Reviewers review materials and offer modifications or alternatives to the facilitator and/or bring them to the final meeting.

    - Step 4: The facilitator reviews and analyzes all of the submissions and develops a clean document that contains the consensus of the reviewers. Any issues that do not have consensus are annotated and become the focus of the working meeting. NOTE: This step may not happen if the expectation is to do all work in an extended working meeting.

    - Step 5: All reviewers attend the working session to come to consensus on issues with the new solution. The goal of this meeting is to answer all questions and resolve all issues.

    - Step 6: The facilitator takes all data and compiles the information into the final solution/documentation.

    Brainstorming begins with the "auction" stage. Each member of the group is asked to provide input in the form of project risks. Members are encouraged to use each other's ideas to generate new ones, and all ideas are written on a list. Start evaluating the ideas only after the


    When the group has run out of ideas, they proceed to the evaluation stage. The group reviews each risk on the list and discusses the merits of each idea. The results of this evaluation are then summed up as the group's results and placed on a Risk Listing form. Both stages of brainstorming rely on group dynamics and depend on the group process for valuing the creative merit of all ideas.

    One advantage of brainstorming is that it affords everybody an opportunity to participate, promoting feelings of belonging and acceptance among team members. Another is that it allows for feeding off another's ideas: One team member offers a good idea; another catches part of it and thinks of another idea. That is synergy.

    Brainstorming can have disadvantages too, though. It can sometimes lead to groupthink, so the critical issue in brainstorming is to afford everyone an opportunity to speak to the question of what risks a project might face. Unfortunately, the process can intimidate less assertive participants. Many times, one team member may offer seemingly endless ideas while another is quiet, reluctant to participate, and difficult to draw into the process. This is a pitfall of brainstorming. Vocal people in the group tend to "win" in the sense that they tend to get their opinions voiced and documented on the flip chart or wherever information is recorded. It is amazing how a brainstorming session can be dominated by a few individuals. This is known as false synergy.

    The nominal group technique is similar to brainstorming and the Delphi technique in that it derives extra information by asking others for their insights. It uses groups that are physically together as in brainstorming, but much like the Delphi technique, it involves a lot of individual thought and written input. A relatively small group of five to seven people is the ideal size, and a group of 12 is considered the maximum size for a productive exercise.

    The technique proceeds according to the following steps:

    - Step 1. A question or issue is posed by the group facilitator. In a risk identification exercise, the question might be "What risks are associated with this project?"


    - Step 4. The facilitator then leads a discussion of each idea by asking for any questions, clarifications, or explanations that the group members may have. Each idea is given equal consideration. There is no evaluation of the ideas at this time, just questioning, explanation, and clarification.

    - Step 5. The facilitator then asks each group member to make a list of the ideas that he or she thinks are especially important. This may be limited to a certain number, such as the five most important ideas, in order to facilitate the process. This is another silent process.

    - Step 6. The facilitator tabulates the results for the entire list to narrow it down to the most important ideas, which may be limited to a certain number. Differences of opinion can be clarified and explained at this time, and the previous step and this one can be repeated if necessary to arrive at a clearer consensus based on consistent understanding among the group members.

    - Step 7. The facilitator asks each group member to rate the ideas in order of priority. This could be done numerically (for example, ranking a list of five items with scores of one through five from the least to the most important) or descriptively (for example, ranking a list of 10 items as having high, medium, or low importance). Every idea is ranked by each of the team members in another silent process. The facilitator then develops cumulative scores for the ideas remaining in order to prioritize them. This step may involve clarification, explanation, and repetition like the preceding one. The end result is that the facilitator finalizes a prioritized list of risks on a Risk Listing form.

    The name of the nominal group technique explains its underlying rationale. The group is a group in name only for the most part because it requires individual work and prohibits group discussion during most steps in the process. This is a direct reaction to the problems associated with brainstorming. Nominal group technique is a good way to elicit input from people who are shy or unwilling to speak up in those situations. This is because it treats everybody equally by giving all ideas equal consideration and because it focuses on the ideas rather than the people offering them. Nominal group technique also helps eliminate groupthink and jumping on the bandwagon. Its drawback is that it can …


    Second, blue paper was more expensive and thus showed the importance of the ideas and the people offering them.

    If you have ever read the same book or seen the same movie twice and experienced new insights the second time around, then you can understand the premise underlying the Crawford slip method.

    The process is very simple and follows these steps:

    - Step 1. The facilitator establishes a question for the group to consider, for example, "What risks are associated with this project?"

    - Step 2. Each group member is given several slips of paper and writes one answer to the question on one piece of paper. The facilitator gives them a full minute to write their responses.

    As soon as the group members have finished Step 2, the facilitator asks the same question again and has them write new answers, repeating the same two steps 10 times so that each person provides 10 different answers.

    Crawford was smart. Each time the process is repeated, the question is more fully investigated and analyzed. By the time the group members give their tenth set of ideas on any topic, they are dredging the bottom. They are down to silly ideas and goofy stuff, but they have also provided the best information they had to offer. The facilitator has everything the group could offer in a format that is easy to work with.

    Affinity diagramming is an excellent tool for organizing and categorizing large ideas or concepts that use group dynamics to great advantage. It allows project teams to gather new information and sort it in new ways. It is a great tool for finding risk symptoms and for finding huge categories of risk that might not otherwise be discovered. The development of an affinity diagram proceeds as follows:

    - Step 1. Write all the ideas to be organized on slips of paper, one to a slip. In the risk identification process, each slip of paper would contain a single risk event description. Based on this first …


    - Step 3. Have each member of the team help group ideas by placing slips next to other slips with related ideas. All members must work simultaneously but without communicating. Each member may move only one piece or a few pieces at a time. At no time may a single participant completely reorganize all the information. Encourage the participants to react quickly to what they see and not to agonize over decisions.

    - Step 4. Stop the grouping process when no team member wants to make any more moves or after about 15 to 20 minutes. If there is an obvious conflict because two members keep moving a particular slip or group of slips back and forth, duplicate those slips and put them in both groups.

    - Step 5. Have the participants discuss and determine appropriate headings for the groups that have been created, either by using existing slips that will serve well as headings or by creating new ones through group discussion.

    - Step 6. Reduce the results to a formal diagram.

    You now have a risk listing that is well organized by categories of risk that were logically determined by the team based on the individual risk events they previously identified. It will not only help you to organize your risk management planning; it may also reveal major categories of risk that have been overlooked and need further attention. This method of categorization is preferable to putting up the headings first because that approach tends to create "in the box" thinking and stifle creativity. It also helps ensure team buy-in and understanding because each person contributes and no single person dominates the outcome.


    The rationale behind the analogy process is as ancient as Ecclesiastes 1:9: "What has been will be again, what has been done will be done again; there is nothing new under the sun." Indeed, few processes are totally unique. Even the Apollo moonwalk project used already existent and previously implemented technology.

    The analogy process is a simple one. You first identify the type of information you need. In the case of risk identification this would be


    Checklists, questionnaires, and templates are additional tools that can be used for risk identification. Like the analogy process, they are based on the idea that no new project represents a completely new set of risks. People and companies often compile lists of risks that occurred on previous projects and then create checklists, questionnaires, and templates from those lists.

    Industry organizations and associations also produce such information. The Software Engineering Institute (SEI) has produced a checklist called the SEI Risk Taxonomy and made it available to the general public. The Software Program Managers Network (SPMN) has done the same with its list.

    Whether they are developed internally by the project's sponsoring organization or obtained from other sources, these tools are used by project teams as lists of potential project risks. The project team examines the risks and decides which, if any, pertain to their project. These instruments bear an interesting relationship to the concept of known and unknown risks. To improve project management and risk management over time, project teams should record unknown risks on a checklist, questionnaire, or other tool when they occur. In this way, lists of known risks are generated from previously unknown risks.

    Risk Events and Risk Event Lists

    There are three problems that often occur in developing a risk event list:

    - Risk event descriptions are too vague.

    - The list of risk events is not sufficiently thorough.

    - The risk events identified lack a consistent level of detail.

    Each risk event must be specifically described. The risk event should be stated as

    - Something that may or may not happen


    As such, a poor risk event statement will have the same effect on risk management that a poor scope statement has on project management. These rules and recommendations apply to both threats and opportunities.

    The risk event list must be as thorough and comprehensive as reasonably possible. If the team identifying risks becomes too focused on a particular type of risk, they may fail to include important threats or opportunities on the risk event list and fail to plan for them. The use of categories will help ensure thoroughness and the avoidance of critical omissions. Examples of categories might include such subjects as legal risks, technical risks, procurement risks, environmental risks, personnel risks, health risks, and so on.

    There are other ways to categorize risks, such as external versus internal. External risks are those that are beyond any team control; internal risks are those that are somewhat within team control, such as financial, schedule, legal, and technical risks. External risks can be further categorized into unpredictable versus predictable but uncertain. Unpredictable risks would include such categories as natural disasters, public opinion, and government regulations. Predictable but uncertain risks would include threats and opportunities such as changes in inflation or interest rates.

    Many times the risk list will contain a mixture of very small risks and broad, sweeping risks. For example, a risk list could include either of the following:

    - Power test failures during rework of power supply could delay milestone #2.

    - Use of new technology could increase cost and affect schedule throughout the project.

    The use of such varying degrees of detail in describing risk events can distort risk process results. If a person were to analyze and prioritize these two risk events, the second risk event would always show more impact probability because the risk associated with new technology is so


    Chapter Summary

    - Risk management is a full project life-cycle activity.

    - Risk management is composed of eight major processes: risk management planning, identifying, analyzing, prioritizing, response planning, executing, evaluating, and documenting.

    - Risk identification should involve group techniques.

    - Group techniques should be used based on their specific characteristics, advantages, and disadvantages to maximize the effectiveness of risk identification for the project in question.


    Next-Steps Action Plan

    Take a few minutes to review what you have learned from the last unit and how you will apply the principles learned when you return to your organization.

    1. What process does your organization use to identify risks?

    2. How well have your project teams identified risks (both threats and opportunities) in the past?

    3. Which of the methods in this chapter would work in your environment? Why?

    4. Turn to the Action Plan on the next page and document your next steps.

    5. Develop a list of two or three actions you will complete when you return to work.

    6. Identify who you need to involve for each item you have listed.

    7. Finally, identify the appropriate time frame for accomplishing each of these steps. For items you know will be ongoing, identify milestones for each period (3, 6, 9, and 12 months and over).


    Action Plan: Apply what you have learned from this unit by developing a list of actions you will complete when you return to your organization.

    What do I want/need to do next? | Who | Time: 3 months | Time: 6 months | Time: 9 months | Time: 12+ months

    1.

    2.

    3.

    4.

    5.

    6.

    Analysis Fundamentals

    Chapter 3

    This chapter discusses how to place a value on the probability of a risk event occurring.


    Establishing Risk Measurement Parameters

    Perhaps the most difficult aspect of analyzing and planning for risk is not risk identification, but determining how to place some value, numerical or otherwise, on the probability that the risk event will occur. Without a way to quantify this aspect of risk, it is impossible to analyze the impact of risks on the project and to prioritize risks for an appropriate degree of management attention.

    Risk analysis is most effective when a numerical probability of risk occurrence can be determined. Although it is not always possible to do that, the project manager should understand the fundamental concepts of probability theory to better estimate the chances of a risk occurring, and to determine additive and multiplicative risk properties when they are interrelated. The project manager should also understand the differences among quantitative, qualitative, and narrative approaches to measuring risks, and the advantages and disadvantages of each.

    Presenting Risk Information

    Risk information is typically presented in one of three forms, or a combination of the three:

    - Qualitative

    - Quantitative

    - Descriptive

    Qualitative risk information makes use of terms such as "high," "medium," or "low" to describe the probability or impact of the occurrence of risk events. Unless the person providing the information is an exceptional writer, this form of presenting risk information is generally better than the narrative form for explaining the severity of a risk impact.

    But even the qualitative form has its limitations. Describing a risk event as having a medium probability of occurrence provides a sense of how likely the risk is to occur, but leaves a wide range of possibilities to consider. In addition, high, medium, and low are very subjective terms;


    In a quantitative analysis, numbers are used to assess probabilities and impact. This is useful for two important reasons. First, assigning a number to the risk's probability affords the opportunity to use more tools to assess the risk. Second, quantifying the risk's probability provides some objectivity to the assessment of risk. Like it or not, we have to realize that there will always be a certain amount of subjectivity in assigning risk probabilities to a risk event, but there are powerful tools that can help us mitigate risks if we can first quantify them.

    Descriptive risk information, in some respects, is very useful because it offers an easy way to provide a lot of information about a risk event. For example, a person can provide a complete description of the potential risk event, the source of the risk, and what might be done about precluding it or controlling it if it occurs. The major disadvantage of this form of presenting risk information is that it provides no way to measure the risk's probability or its impact to the project or organization.

    Risks can be presented using various formats. One of the most commonly used formats is the following grid. This grid is particularly useful when only qualitative data using high, medium, and low rankings are available.

    Looking at the grid, it is easy to see that risks falling in the low probability and low impact (L/L) quadrant may be ignored or assigned a lower priority, while those falling in the high probability and high impact (H/H) quadrant must be dealt with proactively. The two quadrants high probability and low impact (H/L) and low probability and high impact (L/H), depending on where they fall within the grid, likewise may be ignored or assigned a lower priority. If a risk has a high probability of occurring but minimal impact, then we are likely to accept the risk and deal with it when and if it happens. Likewise, if there is a low probability of a risk event occurring, we are likely to accept the risk even if there is a very high impact.

    An example of an L/H risk event is flying. If a commercial airliner crashes, the impact is catastrophic, but the probability of such an


    [Figure: probability/impact grid. Axes: Probability (L to H) and Impact (L to H). Cells shown: H/L, H/H, M/L, M/M, M/H, L/L, L/H.]

    Whenever risks are rated, the level of risk acceptance has to be considered. Organizational culture will have developed a level of risk tolerance that will cause each person to see a particular risk in a very different light. A low risk for one person may be a high risk for another, so delineating between levels of risk becomes very difficult, particularly when a qualitative analysis is done.

    The following graphic can be used to define the high, medium, and low categories of risk event probability and impact for most organizations in most instances.


    Rank | Probability | Impact
    High | Risk event is very likely to occur; risk event has high probability of occurrence | If risk event occurs, a significant impact to cost, schedule, quality, or customer satisfaction will occur
    Medium | Risk event is likely to occur | If risk event occurs, a moderate impact to cost, schedule, quality,


    A quantitative risk presentation is one that has numbers associated with it. For example, if we can say that an event has a 15 percent probability of occurring and that its impact would be a cost to the project of $10,000, then we have quantitatively defined the risk. As with the qualitative analysis, it is difficult to assign accurately a probability to a risk event; it is a matter of experience, expert opinion, lessons learned, and so on. The better the historical data, the more accurate the probability and impact assessments.

    Given the particularly difficult task of assigning accurate qualitative risk ratings, can these presentation models be combined in a way that mitigates the subjective nature of the rating? The answer is, "Yes, they can." Qualitative ratings can be broken down so that within one level there are two or more levels. For example, "high" might have additional levels of "very high," "medium high," and "low high." Then numerical probability ranges can be assigned to aid in determining a reasonable probability number for each risk event. The graphic below demonstrates how this is done.

    [Figure: probability scale from 0% to 100%, marked at 15%, 35%, 50%, 65%, and 85%, with three sets of labels: Probable / Improbable; High probability / Medium probability / Low probability; and Very high / High / Medium / Low / Very low.]

    Each of the three risk presentation formats has its own advantages and disadvantages, but when they are used together, a description of the risk event, its likelihood of occurrence, and its impact can be clearly documented and communicated. The table below summarizes the characteristics of the approaches:


    Comparison of Risk Presentation Approaches

    Qualitative | Quantitative | Descriptive

    • Fast and easy to administer and understand
    • Difficult to enforce uniformly across organization and projects
    • Requires definitions, rules, standards, and processes
    • Preferred methodology, often mandated by management
    • More time consuming; requires estimation
    • Misleading in that numbers may give appearance of precision and specificity, unless the precision of the estimate is given
    • Difficult if team resists deriving the numbers
    • Easier to forecast
    • Able to use trends
    • Substantially more valuable in developing risk response strategies and reserves
    • Difficult to quantify
    • Usually based on experience

    Probability Analysis and Rules of Probability

    Probability analysis determines how likely a risk event is to occur. Although the sources of probability assessment data were briefly mentioned previously in this chapter, they are worth reviewing.

    Generally speaking, a large portion of the data used for risk analysis


    His or her assessment may be colored by how tolerant he or she is to the risk. Once again, knowing what the organizational culture can tolerate relative to risk and especially to risk impact is extremely important.

    When the experience is based upon historical data (that is, lessons learned), and especially when lessons learned are documented, the data source tends to be less biased because there are actual examples of risk events and how they were handled. Historical data also can take some of the subjectivity out of probability and impact assessments.

    Theoretical distributions are another source of probability data that can be used to good advantage. Many standards are developed from surveys or other data taken over the years about processes, methods, and actual project or manufacturing events. The resulting probability formulas are more accurate than just basing the risk estimate on an educated guess.

    One of the most accurate methods for determining probabilities can be a simulation. For example, Monte Carlo analysis is a well-known simulation that examines many data points or "what if" scenarios to determine the most likely outcome. Whatever the method used, an understanding of basic probability principles is necessary for understanding risk analysis.

    The probability that a particular event will occur can be predicted by using one of three methods: classical probability, relative frequency, and subjective probability.

    Classical probability is a form of deductive logic that states that the likelihood of an event occurring (P) equals the ratio of the number of possible outcomes yielding that event divided by the number of all possible outcomes. Logically, the number of all possible outcomes equals the number of outcomes where the event in question (A) occurs plus the number of outcomes where it does not occur (B). A classic example is the probability of getting heads when flipping a coin. Mathematically, this concept can be expressed as follows:

    P(A) = A/(A + B)


    This approach works well with simple situations where each outcome can be identified and is equally likely to occur. But what if the coin is known or even suspected to be biased? Or what if the question is something complex such as how likely a finely calibrated engine part is to fail within one year? In these cases, relative frequency offers a better approach.

    Relative frequency uses inductive logic to draw conclusions about probability based on empirical results of samplings of actual events. For example, if 1,000 engine parts were sampled and 100 failed, the relative frequency of failure for that sample would be 100/1,000. Applying inductive logic, the probability of failure for all engine parts would be predicted to equal the relative frequency and be deemed 10%.

    In the case of a biased coin, the results might be that heads occurred 6 times in a sample of 10 coin flips. This would be evidence of a bias toward heads, but sample size is important, because the larger the sample, the more reliable the use of relative frequency. A relative frequency of 60 out of 100 coin flips would be stronger evidence of a 60% probability of heads, and 600 out of 1,000 would be stronger still. Conversely, when different outcomes really are equally likely (that is, the coin is unbiased), the larger the sample, the closer the relative frequency will come to the classical probability prediction. In that case, one might see 6 heads out of the first 10 flips, then 56 out of the first 100, then 520 out of the first 1,000, and so on until the relative frequency closely approaches 50%.

    What can be done to predict probability when the situation is too complex for application of the classical approach and not susceptible to sampling? This is when subjective probability must be used. Subjective probability is not based on deductive logic, inductive logic, or empirical observation of test samples. It is purely an application of individual intuition. For example, suppose the probability of prime interest rates rising above 6% must be predicted because of the effects such an increase would have on a project. This event is far too complex for use of the classical approach, and there is no way to conduct valid test sampling. The only way to assign probability is based on conclusions


    There are some basic rules or principles for dealing with probabilities, including these key concepts:

    • Mutually exclusive events
    • Nonexclusive events
    • Independent events
    • Dependent events
    • Probability representation

    These concepts are most easily explained by examples. Suppose you have a stack of index cards numbered 1 through 10 and a coin with the usual sides of heads and tails. Then consider the following cases.

    Mutually exclusive events are those that can never happen at the same time. If one occurs, the other cannot. If you draw one card from the 10 cards, you may draw an odd or even number, but if you draw odd, you cannot draw even, and vice versa. Drawing an odd card and drawing an even card are therefore mutually exclusive events. So are getting heads and getting tails when you flip the coin.

    Nonexclusive events may or may not happen at the same time, such as drawing an even card and a card less than five. Drawing a two or a four would mean doing both. Drawing a 7 or 9 would mean doing neither. Any other draw would mean doing one or the other.

    Independent events are nonexclusive events where the outcome of one event cannot be affected by the outcome of another event. If you draw a card, you may get any number from 1 through 10; and if you flip the coin, you may get heads or tails. These are independent events. Suppose you are trying to both draw the number 5 from the cards and get heads from the coin flip. The probability of both occurring is calculated as follows:

    P(A and B) = P(A) x P(B), or

    P(5 and heads) = 1/10 x 1/2 = 5%


    This formula is slightly more complex for nonexclusive events, which may happen at the same time. An example would be determining the probability of drawing, on a single draw, either an even-numbered card or a card less than five. The additional complexity in the formula is necessary to avoid double-counting the two numbers (two and four) that satisfy both conditions. The probability is calculated as follows:

    P(A or B) = P(A) + P(B) - P(A and B)

    P(even or


    The summation rule states that the sum of the probabilities of occurrence for all possible outcomes from a single event must be equal to 1.0 (that is, 100%). Stated mathematically,

    (P1 + P2 + P3 + ... + Pn) = 1.0

    For events that are not mutually exclusive, one very important rule is the multiplication rule. It states that the probability of both one outcome and another outcome occurring is equal to the product of the probabilities of the outcomes occurring individually.

    P(A and B) = P(A) x P(B)
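
    The card-and-coin rules above, checked by enumerating every outcome and by simulation. This is an added example, not part of the original course material; the function names and the less_than_four event are constructed for illustration. It goes slightly beyond the text by testing independence directly, because the product P(A) x P(B) only equals P(A and B) when the events are independent.

```python
from fractions import Fraction
from itertools import product
import random

# Sample space from the text: draw one index card (1-10) and flip one coin.
# Each of the 20 (card, side) pairs is equally likely.
SAMPLE_SPACE = list(product(range(1, 11), ("heads", "tails")))


def prob(event):
    """Classical probability: outcomes yielding the event / all outcomes."""
    hits = sum(1 for outcome in SAMPLE_SPACE if event(outcome))
    return Fraction(hits, len(SAMPLE_SPACE))


def p_and(a, b):
    """P(A and B), counted directly from the sample space."""
    return prob(lambda o: a(o) and b(o))


def p_or(a, b):
    """P(A or B), counted directly from the sample space."""
    return prob(lambda o: a(o) or b(o))


def addition_rule(a, b):
    """P(A) + P(B) - P(A and B); the last term removes double-counting."""
    return prob(a) + prob(b) - p_and(a, b)


def mutually_exclusive(a, b):
    """True when the two events can never happen together."""
    return p_and(a, b) == 0


def independent(a, b):
    """True only when P(A) x P(B) matches the counted P(A and B)."""
    return p_and(a, b) == prob(a) * prob(b)


def relative_frequency(event, trials, seed=520):
    """Empirical estimate from simulated draws (seed fixed for repeatability)."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials) if event(rng.choice(SAMPLE_SPACE)))
    return hits / trials


# Events used in the text
def even(o): return o[0] % 2 == 0
def odd(o): return o[0] % 2 == 1
def less_than_five(o): return o[0] < 5
def is_five(o): return o[0] == 5
def heads(o): return o[1] == "heads"


# Constructed event (not in the text): it is dependent on `even`
def less_than_four(o): return o[0] < 4


if __name__ == "__main__":
    print("P(5 and heads)            =", p_and(is_five, heads))
    print("P(even or < 5), counted   =", p_or(even, less_than_five))
    print("P(even or < 5), by rule   =", addition_rule(even, less_than_five))
    print("odd/even mutually excl.   =", mutually_exclusive(even, odd))
    print("even, < 4 independent?    =", independent(even, less_than_four))
    print("  counted P(even and < 4) =", p_and(even, less_than_four))
    print("  product P(even) x P(<4) =", prob(even) * prob(less_than_four))
    # Relative frequency approaches the classical value as the sample grows.
    for n in (10, 100, 1000, 100000):
        print(f"heads in {n:>6} trials     = {relative_frequency(heads, n):.4f}")
```

    For the dependent pair, multiplying the individual probabilities overstates the chance of both events occurring, so the joint probability has to be counted or estimated directly.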


    Chapter Summary

    • Three formats are commonly used for presenting risk information. They are narrative, qualitative, and quantitative.

    • Because each of these formats has certain advantages and disadvantages, none by itself is usually sufficient. The best approach is to use some combination of the three.

    • In the case of mutually exclusive events or independent events, the probability of either one event or the other happening is the sum of their probabilities of occurring individually.

    • In the case of events that are not mutually exclusive, the probability of both one event and the other event happening is the product of their probabilities of occurring individually.

    • The sum of the probabilities for every possible outcome for a given event must equal 1.0 (that is, 100%).


    Next-Steps Action Plan

    Take a few minutes to review what you have learned from the last unit and how you will apply the principles learned when you return to your organization.

    1. Which form of presenting risk does your organization typically use: qualitative, quantitative, descriptive, or a combination?

    Is it the best one for your organization?

    How will you apply probability analysis on your next project?

    2. Turn to the Action Plan on the next page and document your next steps.

    3. Develop a list of two or three actions you will complete when you return to work.

    4. Identify who you need to involve for each item you have listed.

    5. Finally, identify the appropriate time frame for accomplishing each of these steps. For items you know will be ongoing, identify milestones for each period (3, 6, 9, and 12 months and over).


    Risk Management Chapter 3: Analysis Fundamentals


    Action Plan: Apply what you have learned from this unit by developing a list of actions you will complete when you return to your organization.

    What do I want/need to do next? | Who | Time: 3 months | 6 months | 9 months | 12+ months
    1.
    2.
    3.
    4.
    5.
    6.

    Chapter 4

    Analyzing and Prioritizing Risk

    This chapter discusses the next steps in the risk management process, analyzing and prioritizing risks.


    Next Steps in Risk Management

    After leading the project team through the identification of risks, the project manager must lead them in analyzing and prioritizing the identified risks using a variety of techniques. Examples of these techniques include decision trees, which can be used to evaluate relative levels of probability and risk, and financial measures, which can be used to quantify risk. By performing risk analysis, the project team accomplishes several risk management objectives. These include determining the values of the variables involved, identifying various consequences of the occurrence of risk events, estimating the magnitude of the risks identified, and reducing the possibility of surprise, which can never be eliminated altogether. Taken together, these efforts are aimed at the overall objective of preparing a thorough value analysis of the risks entailed by a project.

    Step 3: Analyzing Risks

    Risk analysis is the third step in the risk management process and follows risk identification. It involves systematically estimating the probability of occurrence and magnitude of impact for each risk event that was identified in Step 2 (risk identification). The objective of this step is to reduce the uncertainty that always accompanies risks.

    Risk analysis is a process itself within the larger risk management process. Its primary input is the risk event listing generated by the risk identification process. Using a qualitative or quantitative approach or a combination of both, various tools are used to assess both the probability of the occurrence and the likely impact of each risk event. The end product is a fully analyzed risk event listing.

    Certain guidelines should be kept in mind while performing risk analysis. It is important to cover all the risk events listed at the end of risk


    The primary thing to avoid during risk analysis is trying to prioritize the risks at the same time. People have a natural tendency to want to prioritize risks as they analyze them. This is a bad practice because if project team members prioritize as they analyze, they may lose focus and never perform the sort of rigorous analysis that is necessary to validate the prioritization of risks.

    Impact Analysis

    There are two basic impact categories for any risk, because a risk may affect either the project cost or the project schedule. Schedule impacts can often have cost impacts, especially when a project incurs additional costs as a corrective action to keep the project on schedule. Cost impacts may affect scheduling in cases where work must be delayed to address cost issues.

    There are several sources of data for impact analysis. Historical data based on similar situations that actually occurred on previous projects can be considered. Estimates and subjective judgments are common data sources that should not be confused. They differ in that subjective judgments are opinions based on intuition without the substantiation of an analytical process such as estimating. Finally, simulations can be used in more complex scenarios. Regardless of what approach is used, those performing the analysis are basically undertaking an estimating process.

    The project team must analyze all identified risks to determine the impact of each on project cost. In doing so, they must consider the effects of the risk on cost factors such as level of effort, labor rates, labor hours required, materials required, and tools and equipment. Cost impact assessment must be done for both opportunities and threats.

    Similarly, all listed risks need to be analyzed to determine their impact on the project schedule. Factors such as resource shortages, extended task


    To be meaningful, all these effects should be considered against the project schedule. Although an impact assessment may determine that the outcome may be a 5-week delay to a procurement task, the only way to understand the effect on the project end date is to examine the network diagram and critical path. The delay may be on a chain of activities with 10 weeks of float, which means that the impact on the overall schedule is nil. As with cost impact analysis, it is important to analyze the effect of both opportunities and threats on the project schedule.

    Tools and Techniques for Risk Analysis

    Fortunately, certain proven tools and techniques are available to help in risk analysis. They include the following:

    • Expert judgment
    • Financial measurements
    • Expected value
    • Decision trees
    • Statistical sums
    • Computer simulation

    Each of these tools will be discussed more fully in this chapter, but two require some immediate clarification. The term statistical sum refers to a process that combines statistical distributions into a single overall distribution, the most notable example being Program Evaluation and Review Technique (PERT). The term computer simulation refers to the process of constructing a computer model of the project to simulate execution and analyze possible outcomes, the most notable example being the Monte Carlo simulation.

    An expert's judgment can be used to help analyze risks much like an expert interview can be used to help identify them. The source of expertise may be outside consultants or team members assigned to the project. Because they are performing the work, team members often will have a better understanding of the impact the risk will have on the


    Many financial measurements or techniques are available to help analyze risks, particularly business risks. The importance of financial considerations when determining risk impact and probability is difficult to overstate. If the financial risk is too high, the project may not even get off the ground. An organization normally decides to undertake a particular project based on certain expected business results as determined by a general business financial measurement, for example, a certain level of return on investment (ROI). Life-cycle costing (LCC) is another financial measurement tool that is more focused on project management. The project manager should be able to use such measures in quantifying the financial impact that risks may have on the project.

    Where project risks have a lasting effect, the project manager should examine them in relation to the entire life cycle of the project deliverables, not just the duration of the project. The project life cycle will go through closeout, but the project deliverables may be implemented, operated, maintained, and enhanced for a m