Group IT PM - Risk Management Rev0
Class: 3L5CS Academic Year 2023 Semester I LEC 37, 38, 39, 40
Project risk management is the art and science of identifying, analyzing, and responding to
risk throughout the life of a project and in the best interests of meeting project objectives.
Risk management can have a positive impact on selecting projects, determining their scope,
and developing realistic schedules and cost estimates.
It helps project stakeholders understand the nature of the project, involves team members
in defining strengths and weaknesses, and helps to integrate the other project management
knowledge areas.
Managing project risks takes dedicated, talented professionals. In response to this need, PMI
introduced the PMI Risk Management Professional (PMI-RMP)℠ credential in 2008.
(Consult PMI’s website for further information.)
Several risk experts suggest that organizations and individuals should strive to find a
balance between risks and opportunities in all aspects of projects and their personal lives.
Risk Principles
Some organizations or people have a neutral tolerance for risk, some have an aversion
to risk, and others are risk-seeking. These three preferences are part of the utility
theory of risk.
Risk seekers enjoy high risks, risk-averse people do not like to take risks, and risk-
neutral people seek to balance risks and potential payoff.
The goal of project risk management can be viewed as minimizing potential negative
risks (threats) while maximizing potential positive risks (opportunities).
Known risks are risks that the project team has identified and
analyzed. Known risks can be managed proactively.
Unknown risks, or risks that have not been identified and analyzed, cannot be
managed.
Risk management is an investment; in other words, costs are associated with identifying
risks, analyzing those risks, and establishing plans to address them. Those costs must be
included in cost, schedule, and resource planning.
RISK MANAGEMENT PROCESSES
1. Planning risk management involves deciding how to approach and plan risk
management activities for the project. The main output of this process is a risk
management plan.
2. Identifying risks involves determining which risks are likely to affect a project and
documenting the characteristics of each. The main outputs of this process are a risk
register, risk report, and project documents updates.
5. Planning risk responses involves taking steps to enhance opportunities and reduce
threats to meeting project objectives.
Using outputs from the preceding risk management processes, project teams can
develop risk response strategies that often result in change requests, updates to the
project management plan and project documents.
7. Monitoring risk involves monitoring identified and residual risks, identifying new
risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies
throughout the life of the project.
PLANNING RISK MANAGEMENT
Planning risk management is the process of deciding how to approach risk management
activities and plan for them in a project; the main output of this process is a risk management
plan.
A risk management plan documents the procedures for managing risk throughout the project.
A risk management plan summarizes how risk management will be performed on a particular
project. Like plans for other knowledge areas, it becomes a subset of the project management
plan.
It is important to clarify roles and responsibilities, prepare budget and schedule estimates for
risk-related work, and identify risk categories for consideration. It is also important to describe
how risk management will be done, including assessment of risk probabilities and impacts as
well as the creation of risk-related documentation.
In addition to a risk management plan, many projects also include contingency plans,
fallback plans, contingency reserves, and management reserves.
Contingency plans are predefined actions that the project team will take if an identified risk
event occurs.
Fallback plans are developed for risks that have a high impact on meeting project objectives
and are put into effect if attempts to reduce the risk do not work.
Contingency reserves or contingency allowances are funds included in the cost baseline
that can be used to mitigate cost or schedule overruns if known risks occur.
Management reserves are funds held for unknown risks that are used for management control
purposes.
They are not part of the cost baseline, as discussed in Cost Management, but they are part of the
project budget and funding requirements. If the management reserves are used for unforeseen
work, they are added to the cost baseline after the change is approved.
Contingency plans, fallback plans, and reserves show the importance of taking a proactive
approach to managing project risks.
Market risk: If the IT project will create a new product or service, will it be useful to the organization
or marketable to others? Will users accept and use the product or service? Will someone else create a
better product or service faster, making the project a waste of time and money?
Financial risk: Can the organization afford to undertake the project? How confident are
stakeholders in the financial projections? Will the project meet NPV, ROI, and payback estimates? If
not, can the organization afford to continue the project? Is this project the best way to use the
organization’s financial resources?
Technology risk: Is the project technically feasible? Will it use mature, leading-edge, or bleeding-
edge technologies? When will decisions be made on which technology to use? Will hardware,
software, and networks function properly? Will the technology be available in time to meet project
objectives? Could the technology be obsolete before a useful product can be created? You can also
break down the technology risk category into hardware, software, and network technology, if
desired.
People risk: Does the organization have people with appropriate skills to complete the
project successfully? If not, can the organization find such people? Do people have the
proper managerial and technical skills? Do they have enough experience? Does senior
management support the project? Is there a project champion? Is the organization familiar
with the sponsor or customer for the project? How good is the relationship with the sponsor
or customer?
Structure/process risk: What degree of change will the new project introduce into user
areas and business procedures? How many distinct user groups does the project need to
satisfy? With how many other systems does the new project or system need to interact?
Does the organization have processes in place to complete the project successfully?
A risk breakdown structure is a useful tool to help project managers consider potential
risks in different categories. Similar in form to a WBS, a risk breakdown structure is a
hierarchy of potential risk categories for a project.
IDENTIFYING RISKS
Identifying risks is the process of understanding what potential events might hurt or enhance a
particular project.
It is important to identify potential risks early, but you must also continue to identify risks
based on the changing project environment.
Another consideration for identifying risks is the likelihood of advanced discovery, which is
often viewed at a program level rather than a project level.
Project teams often begin this process by reviewing project documentation, recent and historical
information related to the organization, and assumptions that might affect the project.
Project team members and outside experts often hold meetings to discuss this information and
ask important questions about it as they relate to risk.
After identifying potential risks at the initial meeting, the project team might then use different
information-gathering techniques to further identify risks.
Some common techniques include brainstorming, the Delphi technique, interviewing, root
cause analysis, and SWOT analysis.
The Delphi technique is an approach to gathering information that helps prevent some of the
negative group effects found in brainstorming. The basic concept of the Delphi technique is to derive a
consensus among a panel of experts who make predictions about future developments.
SWOT analysis is an analysis of strengths, weaknesses, opportunities, and threats, and is often used in strategic
planning.
One important output of risk identification is a list of identified risks and other information
needed to begin creating a risk register.
A risk register is a document that contains results of various risk management processes; it
is often displayed in a table or spreadsheet format. A risk register documents potential risk
events and related information.
Risk events refer to specific, uncertain events that may occur to the detriment or enhancement
of the project.
Contents of a risk report include sources of overall project risk, important drivers of overall
project risk exposure, and summary information on risk events, such as number of risks, total
risk exposure, distribution across risk categories, metrics, and trends.
The risk report is developed progressively during the entire risk planning processes.
After identifying risks, the next step is to understand which risks are most important by
performing qualitative risk analysis.
Performing Qualitative Risk Analysis
Qualitative risk analysis involves assessing the likelihood and impact of identified risks to
determine their magnitude and priority.
The Top Ten Risk Item Tracking technique can be also used to produce an overall ranking for
project risks and to track trends in qualitative risk analysis.
Some organizations simply determine that risks are high, medium, or low and color code them as
red, yellow, and green, with very little analysis. Using the methods above can greatly improve
qualitative risk analysis.
Using Probability/Impact Matrixes to Calculate Risk Factors
A project manager can chart the probability and impact of risks on a probability/impact matrix or
chart, which lists the relative probability of a risk occurring and the relative impact of the risk
occurring.
Qualitative risk analysis is normally done quickly, so the project team has to decide
what type of approach makes the most sense for its project.
Using Top Ten Risk Item Tracking involves establishing a periodic review of the project’s most
significant risk items with management; similar reviews can also occur with the
customer.
The review begins with a summary of the status of the top ten sources of risk on the
project.
The summary includes each item’s current ranking, previous ranking, number of
times it appears on the list over a period of time, and a summary of progress made in
resolving the risk item since the previous review.
Example of Top Ten Risk Item Tracking
Risk management review
First, it keeps management and the customer (if included) aware of major influences that
could prevent or enhance the project’s success.
Second, by involving the customer, the project team may be able to consider alternative
strategies for addressing the risks.
The main output of qualitative risk analysis is updating the risk register.
The ranking column of the risk register should be filled in, along with a numeric value or
rating of high, medium, or low for the probability and impact of the risk event.
Additional information is often added for risk events, such as identification of risks that
need more attention in the near term or those that can be placed on a watch list.
A watch list is a list of risks that have low priority but are still identified as potential risks.
Qualitative analysis can also identify risks that should be evaluated quantitatively, as you
learn in the next section.
Performing Quantitative Risk Analysis
Quantitative risk analysis often follows qualitative risk analysis, yet both processes can be
done together or separately.
On some projects, the team may only perform qualitative risk analysis.
The nature of the project and availability of time and money affect which risk analysis
techniques are used.
Quantitative risk analysis and modeling techniques of decision tree analysis, simulation,
and sensitivity analysis are often used.
Decision Trees and Expected Monetary Value
A decision tree is a diagramming analysis technique used to help select the best course of
action when future outcomes are uncertain. A common application of decision tree analysis
involves calculating expected monetary value.
Expected monetary value (EMV) is the product of a risk event probability and the risk event’s
monetary value.
To create a decision tree, and to calculate expected monetary value specifically, you must
estimate the probabilities or chances of certain events occurring.
The sum of the probabilities for outcomes for each project must equal one.
Using EMV helps account for all possible outcomes and their probabilities of occurrence,
not only partially, thereby reducing the tendency to pursue overly aggressive or
conservative risk strategies.
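The EMV calculation described above, as an added example that is not part of the original lecture notes. The project names, probabilities, and monetary values are constructed for illustration; each alternative is one chance node of a decision tree, and the code rejects any node whose outcome probabilities do not sum to one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    label: str
    probability: float  # chance that this outcome occurs
    value: float        # monetary value; negative for a loss


def expected_monetary_value(outcomes, tol=1e-9):
    """EMV of one chance node: sum of probability * monetary value."""
    if any(not 0.0 <= o.probability <= 1.0 for o in outcomes):
        raise ValueError("each probability must lie between 0 and 1")
    total = sum(o.probability for o in outcomes)
    if abs(total - 1.0) > tol:
        # The outcomes for each project must cover every possibility.
        raise ValueError(f"probabilities sum to {total}, expected 1")
    return sum(o.probability * o.value for o in outcomes)


def best_decision(alternatives):
    """Return (name of the alternative with the highest EMV, all EMVs)."""
    emvs = {name: expected_monetary_value(outs)
            for name, outs in alternatives.items()}
    return max(emvs, key=emvs.get), emvs


# Constructed sample data: three alternatives at one decision node.
ALTERNATIVES = {
    "Project A": [
        Outcome("win contract", 0.20, 300_000),
        Outcome("lose bid", 0.80, -40_000),
    ],
    "Project B": [
        Outcome("large gain", 0.20, 60_000),
        Outcome("small loss", 0.10, -50_000),
        Outcome("moderate gain", 0.70, 50_000),
    ],
    "Do nothing": [Outcome("no change", 1.00, 0)],
}

if __name__ == "__main__":
    choice, emvs = best_decision(ALTERNATIVES)
    for name, emv in emvs.items():
        print(f"{name:<11} EMV = {emv:>10,.0f}")
    print("Highest EMV:", choice)
```

Project A has the largest single payoff, but Project B has the higher EMV once every outcome is weighted by its probability.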
Simulation
A more sophisticated technique for quantitative risk analysis is simulation, which uses a
representation or model of a system to analyze its expected behavior or performance.
Most simulations are based on some form of Monte Carlo analysis. Monte Carlo analysis
simulates a model’s outcome many times to provide a statistical distribution of the calculated
results.
For example, Monte Carlo analysis can determine that a project will finish by a certain date only 10
percent of the time, and determine another date for which the project will finish 50 percent of the
time.
In other words, Monte Carlo analysis can predict the probability of finishing by a certain date
or the probability that the cost will be equal to or less than a certain value.
You can use several different types of distribution functions when performing a Monte Carlo
analysis. The following example is a simplified approach.
3. For each variable, such as the time estimate for a task, select a random value based on the
probability distribution for the occurrence of the variable.
4. Run a deterministic analysis or one pass through the model using the combination of values
selected for each of the variables.
5. Repeat Steps 3 and 4 many times to obtain the probability distribution of the model’s
results.
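Steps 3 to 5 above, as an added example that is not part of the original lecture notes. The model (three sequential tasks whose durations add up) and the triangular distributions with their optimistic, most likely, and pessimistic estimates are assumptions constructed for illustration.

```python
import bisect
import random

# Constructed estimates in days: (optimistic, most likely, pessimistic).
TASKS = {
    "design": (8, 10, 16),
    "build": (15, 20, 35),
    "test": (5, 7, 14),
}


def simulate_once(tasks, rng):
    """Steps 3 and 4: draw one duration per task, then make one
    deterministic pass through the model (sequential tasks, so the
    project duration is the sum of the task durations)."""
    return sum(rng.triangular(low, high, mode)
               for low, mode, high in tasks.values())


def run_simulation(tasks, iterations=10_000, seed=2023):
    """Step 5: repeat many times; return the sorted project durations."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    return sorted(simulate_once(tasks, rng) for _ in range(iterations))


def percentile(sorted_results, pct):
    """Duration that pct percent of the simulated runs finish within."""
    index = min(len(sorted_results) - 1, int(pct / 100 * len(sorted_results)))
    return sorted_results[index]


def probability_of_finishing_by(sorted_results, deadline):
    """Fraction of simulated runs that finish on or before the deadline."""
    return bisect.bisect_right(sorted_results, deadline) / len(sorted_results)


if __name__ == "__main__":
    results = run_simulation(TASKS)
    for pct in (10, 50, 90):
        print(f"{pct}% of runs finish within {percentile(results, pct):.1f} days")
    most_likely_total = sum(mode for _, mode, _ in TASKS.values())
    chance = probability_of_finishing_by(results, most_likely_total)
    print(f"Chance of finishing within {most_likely_total} days: {chance:.0%}")
```

Because the pessimistic estimates sit further from the most likely values than the optimistic ones, the sum of the most likely durations is met in well under half of the runs.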
Sensitivity
Sensitivity analysis is used to show the effects of changing one or more variables on an
outcome.
The main outputs of quantitative risk analysis are updates to project documents, such as the
risk report and risk register.
The quantitative analysis also provides high-level information about the probabilities of
achieving certain project objectives.
This information might cause the project manager to suggest changes in contingency reserves.
In some cases, projects may be redirected or canceled based on the quantitative analysis, or the
quantitative analysis might be used to help initiate new projects to help the current one
succeed.
PLANNING RISK RESPONSES
Developing a response to risks involves developing options and defining strategies for reducing
negative risks and enhancing positive risks.
The five basic response strategies for negative risks are as follows:
3. Risk transference or shifting the consequence of a risk and responsibility for its
management to a third party
4. Risk mitigation or reducing the impact of a risk event by reducing the probability of its
occurrence.
The five basic response strategies for positive risks are as follows:
1. Risk exploitation or doing whatever you can to make sure the positive risk
happens.
4. Risk acceptance also applies to positive risks when the project team does not
take any actions toward a risk.
5. Risk escalation or notifying a higher level authority also applies to positive risks.
General mitigation strategies for technical, cost, and schedule risks on projects
* Note that increasing the frequency of project monitoring and using a WBS and Critical Path
Method (CPM) are strategies for all three areas. Increasing the project manager’s authority is a
strategy for mitigating technical and cost risks, and selecting the most experienced project manager
is recommended for reducing schedule risks. Improving communication is also an effective strategy
for mitigating risks.
The main outputs of risk response planning include updates to the project management
plan and other project documents and change requests.
The project management plan and its related plans might need to be updated if the risk
response strategies require additional tasks, resources, or time to accomplish.
Risk response strategies often result in changes to the WBS and project schedule, so plans
that contain this information must be updated as well.
The risk response strategies also provide updated information for the risk register by
describing the risk responses, risk owners, and status information.
Risk response strategies often include identification of residual and secondary risks as
well as contingency plans and reserves, as described earlier.
Residual risks are risks that remain after all of the response strategies have been
implemented.
Secondary risks are a direct result of implementing a risk response.
IMPLEMENTING RISK RESPONSES
Key outputs include change requests and project documents updates (i.e. issue
log, lessons-learned register, project team assignments, risk register, and risk
report).
Monitoring Risks
Monitoring risks involves ensuring the appropriate risk responses are performed, tracking
identified risks, identifying and analyzing new risks, and evaluating the effectiveness of risk
management throughout the entire project.
Project risk management does not stop with the initial risk analysis. Identified risks may not
materialize, or their probabilities of occurrence or loss may diminish.
Similarly, new risks will be identified as the project progresses. Newly identified risks need
to go through the same process as those identified during the initial risk assessment. A
redistribution of resources devoted to risk management may be necessary because of
relative changes in risk exposure.
Tools and techniques for monitoring risks include data analysis, audits, and meetings.
Outputs include work performance information, change requests, and updates to the
project management plan, project documents, and organizational process assets.
Considerations for Agile/Adaptive Environments
The PMBOK® Guide – Sixth Edition provides
the following information for project risk management: High-variability environments, by
definition, incur more uncertainty and risk.
To address this, projects managed using adaptive approaches make use of frequent reviews of
incremental work products and cross-functional project teams to accelerate knowledge
sharing and ensure that risk is understood and managed. Risk is considered when selecting
the content of each iteration, and risks will also be identified, analyzed, and managed during
each iteration.
Additionally, the requirements are kept as a living document that is updated regularly, and
work may be reprioritized as the project progresses, based on an improved understanding of
current risk exposure.*
All types of projects should share knowledge related to risks as quickly as possible and keep
documents up to date. It is true that risk is considered during each iteration for agile/adaptive
projects, which does elevate its importance. Changing priorities can be addressed more easily
by changing the product backlog for each iteration.
Using Software to Assist in Project Risk Management
A variety of software tools can be used to enhance various risk management processes.
Most organizations use software to create, update, and distribute information in their risk
registers. The risk register is often a simple Microsoft Word or Excel file, but it can also be
part of a more sophisticated database. Spreadsheets can aid in tracking and quantifying
risks, preparing charts and graphs, and performing sensitivity analysis. Software can be used
to create decision trees and estimate expected monetary value.
More sophisticated risk management software, such as Monte Carlo simulation software,
can help you develop models and use simulations to analyze and respond to various risks.
Several high-end project management tools include simulation capabilities. Several software
packages have also been created specifically for project risk management.