Computer Science

Group IT Project Management

Project Risk Management

Class: 3L5CS Academic Year 2023 Semester I LEC 37, 38, 39, 40

Marciano Ombe, Eng.

 Out Line
• Project Risk Management Summary
• Risk Management Tools and Techniques
• Mapping Risk Management and Processes and
Outputs
• Risk Management Processes
• Softwares To Assist
• Considerations for Adaptive / Agile Environments
PROJECT RISK MANAGEMENT

Source: PMBOK® Guide – Sixth

Edition. Project Management
Institute, Inc. (2017). Copyright
and all rights reserved.
RISK MANAGEMENT TOOLS AND TECHNIQUES
MAPPING RISK MANAGEMENT & PROCESSES
 IMPORTANCE OF RISK MANAGEMENT

Project risk management is the art and science of identifying, analyzing, and responding to
risk throughout the life of a project and in the best interests of meeting project objectives.

Risk management can have a positive impact on selecting projects, determining their scope,
and developing realistic schedules and cost estimates.

It helps project stakeholders understand the nature of the project, involves team members
in defining strengths and weaknesses, and helps to integrate the other project management
knowledge areas.

Managing project risks takes dedicated, talented professionals. In response to this need, PMI
introduced the PMI Risk Management Professional(PMI-RMP) SM credential in 2008.
(Consult PMI’s website for further information.)

Several risk experts suggest that organizations and individuals should strive to find a
balance between risks and opportunities in all aspects of projects and their personal lives.
 Risk Principles

Some organizations or people have a neutral tolerance for risk, some have an aversion
to risk, and others are risk-seeking. These three preferences are part of the utility
theory of risk

Risk utility is the amount of satisfaction or pleasure received from a potential

payoff.

Risk seekers enjoy high risks, risk-averse people do not like to take risks, and risk-
neutral people seek to balance risks and potential payoff.

Risk is an uncertainty that can have a negative or positive effect on meeting

project objectives.
 RISK MANAGEMENT

The goal of project risk management can be viewed as minimizing potential negative
risks (threats) while maximizing potential positive risks (Opportunities).

Known risks is used to describe risks that the project team has identified and
analyzed. Known risks can be managed proactively

Uunknown risks , or risks that have not been identified and analyzed, cannot be
managed.

Risk management is an investment; in other words, costs are associated with identifying
risks, analyzing those risks, and establishing plans to address them. Those costs must be
included in cost, schedule, and resource planning.
 RISK MANAGEMENT PROCESSES

1. Planning risk management involves deciding how to approach and plan risk
management activities for the project. The main output of this process is a risk
management plan.

2. Identifying risks involves determining which risks are likely to affect a project and
documenting the characteristics of each. The main outputs of this process are a risk
register, risk report, and project documents updates.

3. Performing qualitative risk analysis involves prioritizing risks based on their

probability of occurrence and impact. After identifying risks, project teams can use
various tools and techniques to rank risks and update information in the risk register.

4. Performing quantitative risk analysis involves numerically estimating the effects

of risks on project objectives.
 RISK MANAGEMENT PROCESSES

5. Planning risk responses involves taking steps to enhance opportunities and reduce
threats to meeting project objectives.

Using outputs from the preceding risk management processes, project teams can
develop risk response strategies that often result in change requests, updates to the
project management plan and project documents.

6. Implementing risk responses, involves implementing the risk response plans.

Outputs include change requests and project documents updates.

7. Monitoring risk involves monitoring identified and residual risks, identifying new
risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies
throughout the life of the project.
 PLANNING RISK MANAGEMENT

Planning Risk Management

Planning risk management is the process of deciding how to approach risk management
activities and plan for them in a project; the main output of this process is a risk management
plan.
A risk management plan documents the procedures for managing risk throughout the project.

A risk management plan summarizes how risk management will be performed on a particular
project - Like plans for other knowledge areas, it becomes a subset of the project management
plan

It is important to clarify roles and responsibilities, prepare budget and schedule estimates for
risk-related work, and identify risk categories for consideration. It is also important to describe
how risk management will be done, including assessment of risk probabilities and impacts as
well as the creation of risk-related documentation
 PLANNING RISK MANAGEMENT

Topics addressed in a risk management plan

 PLANNING RISK MANAGEMENT

In addition to a risk management plan, many projects also include contingency plans,
fallback plans, contingency reserves, and management reserves. taking a proactive
approach to managing project risks.

Contingency plans are predefined actions that the project team will take if an identified risk
event occurs.
Fallback plans are developed for risks that have a high impact on meeting project objectives
and are put into effect if attempts to reduce the risk do not work.

Contingency reserves or contingency allowances are funds included in the cost baseline
that can be used to mitigate cost or schedule overruns if known risks occur.

Management reserves are funds held for unknown risks that are used for management control
purposes.
They are not part of the cost baseline, as discussed in Cost Management, but they are part of the
project budget and funding requirements. If the management reserves are used for unforeseen
work, they are added to the cost baseline after the change is approved.
Contingency plans, fallback plans, and reserves show the importance of t
 PLANNING RISK MANAGEMENT

Common Sources of Risk on IT Projects

Market risk: If the IT project will create a new product or service, will it be useful to the organization
or marketable to others? Will users accept and use the product or service? Will someone else create a
better product or service faster, making the project a waste of time and money

Financial risk: Can the organization afford to undertake the project? How confident are
stakeholders in the financial projections? Will the project meet NPV, ROI, and payback estimates? If
not, can the organization afford to continue the project? Is this project the best way to use the
organization’s financial resources?

Technology risk: Is the project technically feasible? Will it use mature, leading-edge, or bleeding-
edge technologies? When will decisions be made on which technology to use? Will hardware,
software, and networks function properly? Will the technology be available in time to meet project
objectives? Could the technology be obsolete before a useful product can be created? You can also
break down the technology risk category into hardware, software, and network technology, if
desired.
 Considerations for Agile/Adaptive Environments

Common Sources of Risk on IT Projects

People risk: Does the organization have people with appropriate skills to complete the
project successfully? If not, can the organization find such people? Do people have the
proper managerial and technical skills? Do they have enough experience? Does senior
management support the project? Is there a project champion? Is the organization familiar
with the sponsor or customer for the project? How good is the relationship with the sponsor
or customer?

Structure/process risk: What degree of change will the new project introduce into user
areas and business procedures? How many distinct user groups does the project need to
satisfy? With how many other systems does the new project or system need to interact?
Does the organization have processes in place to complete the project successfully?
 PLANNING RISK MANAGEMENT

A risk breakdown structure is a useful tool to help project managers consider potential
risks in different categories. Similar in form to a WBS, a risk breakdown structure is a
hierarchy of potential risk categories for a project.
PLANNING RISK MANAGEMENT
 IDENTITIFYING RISKS

Identifying risks is the process of understanding what potential events might hurt or enhance a
particular project.

It is important to identify potential risks early, but you must also continue to identify risks
based on the changing project environment.

By understanding common sources of risks and reviewing a project’s project management

plan, project documents, agreements, procurement documents, enterprise environmental
factors, and organizational process assets project managers and their teams can identify many
potential risks.

Another consideration for identifying risks is the likelihood of advanced discovery, which is
often viewed at a program level rather than a project level
 IDENTITIFYING RISKS

Suggestions for Identifying Risks

There are several tools and techniques for identifying risks.

Project teams often begin this process by reviewing project documentation, recent and historical
information related to the organization, and assumptions that might affect the project.

Project team members and outside experts often hold meetings to discuss this information and
ask important questions about it as they relate to risk

After identifying potential risks at the initial meeting, the project team might then use different
information-gathering techniques to further identify risks.

Some common techniques include brainstorming, the Delphi technique, interviewing, root
cause analysis, and SWOT analysis.
 IDENTITIFYING RISKS

Suggestions for Identifying Risks

Brainstorming is a technique by which a group attempts to generate ideas or find a solution

for a specific problem by amassing ideas spontaneously and without judgment.

The Delphi technique is an approach to gathering information that helps prevent some of the
negative group effects found in brainstorming. The basic concept of the Delphi technique is to derive a
consensus among a panel of experts who make predictions about future developments.

Interviewing is a fact-finding technique for collecting information in face-to-face, phone, email, or

virtual discussions. Interviewing people with similar project experience is an important tool for
identifying potential risks.

SWOT analysis of strengths, weaknesses, opportunities, and threats, which is often used in strategic
planning.
 IDENTITIFYING RISKS

The Risk Register

One important output of risk identification is a list of identified risks and other information
needed to begin creating a risk register.

A risk register is a document that contains results of various risk management processes; it
is often displayed in a table or spreadsheet format. A risk register documents potential risk
events and related information

Risk events refer to specific, uncertain events that may occur to the detriment or enhancement
of the project.
 IDENTITIFYING RISKS

The Risk Report

Another important output of identifying risks is creation of a risk report.

Overall project risk is the effect of uncertainty on the project as a whole.

Contents of a risk report include sources of overall project risk, important drivers of overall
project risk exposure, and summary information on risk events, such as number of risks, total
risk exposure, distribution across risk categories, metrics, and trends.

The risk report is developed progressively during the entire risk planning processes.

After identifying risks, the next step is to understand which risks are most important by
performing qualitative risk analysis
 Performing Qualitative Risk Analysis

Qualitative risk analysis involves assessing the likelihood and impact of identified risks to
determine their magnitude and priority.

A probability/ impact matrix is used to produce a prioritized list of risks.

The Top Ten Risk Item Tracking technique can be also used to produce an overall ranking for
project risks and to track trends in qualitative risk analysis.

Some organizations simply determine that risks are high, medium, or low and color code them as
red, yellow, and green, with very little analysis. Using the methods above can greatly improve
qualitative risk analysis.
 Performing Qualitative Risk Analysis
Using Probability/Impact Matrixes to Calculate Risk Factors

It is often described a risk probability or consequence as being high, medium or moderate,

or low

A project manager can chart the probability and impact of risks on a probability/impact matrix or
chart , which lists the relative probability of a risk occurring and the relative impact of the risk
occurring.

Many project teams would benefit from

using this simple technique to help
them identify risks that need attention.
To use this approach, project
stakeholders list the risks they think
might occur on their projects. They
then label a risk as having a high,
medium, or low probability of
occurrence and a high, medium, or low
impact if it does occur.
 Performing Qualitative Risk Analysis

It may be useful to create a separate probability/impact matrix or chart for negative

risks and positive risks to make sure that both types are adequately addressed.
Some project teams also collect data on the probability of risks and the negative or
positive impact they could have on scope, time, and cost goals.

Qualitative risk analysis is normally done quickly, so the project team has to decide
what type of approach makes the most sense for its project.

Probabilities of a risk occurring can be estimated based

on several factors determined by the unique nature of
each project.

The impact of a risk occurring could include factors such

as the availability of fallback solutions or the
consequences of not meeting performance, cost, and
schedule estimates
 Performing Qualitative Risk Analysis

Top Ten Risk Item Tracking is a qualitative risk analysis tool.

In addition to identifying risks, it maintains an awareness of risks throughout the life

of a project by helping to monitor risks.

Using this tool involves establishing a periodic review of the project’s most
significant risk items with management; similar reviews can also occur with the
customer.

The review begins with a summary of the status of the top ten sources of risk on the
project.

The summary includes each item’s current ranking, previous ranking, number of
times it appears on the list over a period of time, and a summary of progress made in
resolving the risk item since the previous review.
 Performing Qualitative Risk Analysis
Example of Top Ten Risk Item Tracking
 Performing Qualitative Risk Analysis
Risk management review

A risk management review accomplishes several objectives.

First, it keeps management and the customer (if included) aware of major influences that
could prevent or enhance the project’s success.

Second, by involving the customer, the project team may be able to consider alternative
strategies for addressing the risks.

Third, the review promotes confidence in the project team by demonstrating to

management and the customer that the team is aware of significant risks, has a strategy in
place, and is effectively carrying out that strategy.
 Performing Qualitative Risk Analysis

The main output of qualitative risk analysis is updating the risk register.

The ranking column of the risk register should be filled in, along with a numeric value or
rating of high, medium, or low for the probability and impact of the risk event.

Additional information is often added for risk events, such as identification of risks that
need more attention in the near term or those that can be placed on a watch list.

A watch list is a list of risks that have low priority but are still identified as potential risks.

Qualitative analysis can also identify risks that should be evaluated quantitatively, as you
learn in the next section.
 Performing Quantitative Risk Analysis

Quantitative risk analysis often follows qualitative risk analysis, yet both processes can be
done together or separately.

On some projects, the team may only perform qualitative risk analysis.

The nature of the project and availability of time and money affect which risk analysis
techniques are used.

Large, complex projects involving leading-edge technologies often require extensive

quantitative risk analysis.

Quantitative risk analysis and modeling techniques of decision tree analysis, simulation,
and sensitivity analysis are often used.
 Performing Quantitative Risk Analysis
Decision Trees and Expected Monetary Value

A decision tree is a diagramming analysis technique used to help select the best course of
action when future outcomes are uncertain. A common application of decision tree analysis
involves calculating expected monetary value.

Expected monetary value (EMV) is the product of a risk event probability and the risk event’s
monetary value.

To create a decision tree, and to calculate expected monetary value specifically, you must
estimate the probabilities or chances of certain events occurring.

The sum of the probabilities for outcomes for each project must equal one

Probabilities are normally determined based on expert judgment.

 Performing Quantitative Risk Analysis
Decision Trees and Expected Monetary Value
Because the EMV provides an estimate for the total value of a decision, you want
to have a positive number; the higher the EMV, the better.

Using EMV helps account for all possible outcomes and their probabilities of occurrence,
no only partially, thereby reducing the tendency to pursue overly aggressive or
conservative risk strategies.
 Performing Quantitative Risk Analysis
Simulation

A more sophisticated technique for quantitative risk analysis is simulation, which uses a
representation or model of a system to analyze its expected behavior or performance

Most simulations are based on some form of Monte Carlo analysis. Monte Carlo analysis
simulates a model’s outcome many times to provide a statistical distribution of the calculated
results

For example, Monte Carlo analysis can determine that a project will finish by a certain date only 10
percent of the time, and determine another date for which the project will finish 50 percent of the
time.

In other words, Monte Carlo analysis can predict the probability of finishing by a certain date
or the probability that the cost will be equal to or less than a certain value.
 Performing Quantitative Risk Analysis
Simulation
You can use several different types of distribution functions when performing a Monte Carlo
analysis. The following example is a simplified approach.

The basic steps of a Monte Carlo analysis are as follows:

1. Collect the most likely, optimistic, and pessimistic estimates for the variables in the model.

2. Determine the probability distribution of each variable.

3. For each variable, such as the time estimate for a task, select a random value based on the
probability distribution for the occurrence of the variable.

4. Run a deterministic analysis or one pass through the model using the combination of values
selected for each of the variables.

5. Repeat Steps 3 and 4 many times to obtain the probability distribution of the model’s
results.
Considerations for Agile/Adaptive Environments
 Performing Quantitative Risk Analysis

Sensitivity

Sensitivity analysis is used to show the effects of changing one or more variables on an
outcome

Many professionals use

sensitivity analysis to help make
several common business
decisions, such as determining
break-even points based on
different assumptions. People
often use spreadsheet software
like Microsoft Excel to perform
sensitivity analysis
 Performing Quantitative Risk Analysis

The main outputs of quantitative risk analysis are updates to project documents, such as the
risk report and risk register.

The quantitative analysis also provides high-level information about the probabilities of
achieving certain project objectives.

This information might cause the project manager to suggest changes in contingency reserves.

In some cases, projects may be redirected or canceled based on the quantitative analysis, or the
quantitative analysis might be used to help initiate new projects to help the current one
succeed
 PLANNING RISK RESPONSES

Developing a response to risks involves developing options and defining strategies for reducing
negative risks and enhancing positive risks

The five basic response strategies for negative risks are as follows:

1. Risk avoidance or eliminating a specific threat, usually by eliminating its causes.

Of course, not all risks can be eliminated, but specific risk events can be.

2.Risk acceptance or accepting the consequences if a risk occurs.

3. Risk transference or shifting the consequence of a risk and responsibility for its
management to a third party

4.Risk mitigation or reducing the impact of a risk event by reducing the probability of its
occurrence.

5.Risk escalation or notifying a higher level authority.

 PLANNING RISK RESPONSES

The five basic response strategies for positive risks are as follows:

1.Risk exploitation or doing whatever you can to make sure the positive risk
happens.

2.Risk sharing or allocating ownership of the risk to another party.

3.Risk enhancement or changing the size of the opportunity by identifying and

maximizing key drivers of the positive risk

4.Risk acceptance also applies to positive risks when the project team does not
take any actions toward a risk.

5.Risk escalation or notifying a higher level authority also applies to positive risks.
 PLANNING RISK RESPONSES

General mitigation strategies for technical, cost, and schedule risks on projects

.* Note that increasing the frequency of project monitoring and using a WBS and Critical Path
Method (CPM) are strategies for all three areas. Increasing the project manager’s authority is a
strategy for mitigating technical and cost risks, and selecting the most experienced project manager
is recommended for reducing schedule risks. Improving communication is also an effective strategy
for mitigating risks.
 PLANNING RISK RESPONSES

The main outputs of risk response planning include updates to the project management
plan and other project documents and change requests.

The project management plan and its related plans might need to be updated if the risk
response strategies require additional tasks, resources, or time to accomplish.

Risk response strategies often result in changes to the WBS and project schedule, so plans
that contain this information must be updated as well.

The risk response strategies also provide updated information for the risk register by
describing the risk responses, risk owners, and status information.

Risk response strategies often include identification of residual and secondary risks as
well as contingency plans and reserves, as described earlier.

Residual risks are risks that remain after all of the response strategies have been
implemented.
Secondary risks are a direct result of implementing a risk response.
 IMPLEMENTING RISK RESPONSES

The main executing process performed as part of project risk management is

implementing risk responses as defined in the process to plan risk responses.

Key outputs include change requests and project documents updates (i.e. issue
log, lessons-learned register, project team assignments, risk register, and risk
report).
 Considerations for Agile/Adaptive Environments

Monitoring Risks

Monitoring risks involves ensuring the appropriate risk responses are performed, tracking
identified risks, identifying and analyzing new risk, and evaluating the effectiveness of risk
management throughout the entire project.

Project risk management does not stop with the initial risk analysis. Identified risks may not
materialize, or their probabilities of occurrence or loss may diminish.

Previously identified risks may be determined to have a greater probability of occurrence or

a higher estimated loss value.

Similarly, new risks will be identified as the project progresses. Newly identified risks need
to go through the same process as those identified during the initial risk assessment. A
redistribution of resources devoted to risk management may be necessary because of
relative changes in risk exposure.
 MONITORING RISKS

Tools and techniques for monitoring risks include data analysis, audits, and meetings.

Outputs include work performance information, change requests, and updates to the
project management plan, project documents, and organizational process assets
 Considerations for Agile/Adaptive Environments

Considerations for Agile/Adaptive Environments The PMBOK® Guide – Sixth Edition provides
the following information for project risk management: High-variability environments, by
definition, incur more uncertainty and risk.

To address this, projects managed using adaptive approaches make use of frequent reviews of
incremental work products and cross-functional project teams to accelerate knowledge
sharing and ensure that risk is understood and managed. Risk is considered when selecting
the content of each iteration, and risks will also be identified, analyzed, and managed during
each iteration.

Additionally, the requirements are kept as a living document that is updated regularly, and
work may be reprioritized as the project progresses, based on an improved understanding of
current risk exposure.*

All type of projects should share knowledge related to risks as quickly as possible and keep
documents up to date. It is true that risk is considered during each iteration for agile/adaptive
projects, which does elevate its importance. Changing priorities can be addressed more easily
by changing the product backlog for each iteration.
 Using Software to Assist in Project Risk Management

A variety of software tools can be used to enhance various risk management processes.

Most organizations use software to create, update, and distribute information in their risk
registers. The risk register is often a simple Microsoft Word or Excel file, but it can also be
part of a more sophisticated database. Spreadsheets can aid in tracking and quantifying
risks, preparing charts and graphs, and performing sensitivity analysis. Software can be used
to create decision trees and estimate expected monetary value.

More sophisticated risk management software, such as Monte Carlo simulation software,
can help you develop models and use simulations to analyze and respond to various risks.

Several high-end project management tools include simulation capabilities. Several software
packages have also been created specifically for project risk management