C11PA - Project Management: Week 5

C11PA – Project Management
Week 5
Gowrie Vinayan
Malaysia
Shai Davidov & Nilakshi Galahitiyawe
Edinburgh
Asraf Raouf
Dubai
February 2024
© Edinburgh Business School
Project Management
Risk Management
Aim of this module
The aim of this module is to provide an overview of risk management
as an integral part of the work of the project and the way contingency
and change management are used as part of this process.
Topics to be covered:
• Conditions of certainty, risk and uncertainty
• What is project risk management
• The risk management system
• Contingency planning and control
• Change management
Do you ever identify risks in your activities?

Introduction
• Risk and uncertainty are inherent in all projects whatever the type or
size.
• Things that go wrong on a project could have devastating effects that
impact on the projects being delayed, costs increasing, and levels of
quality not being achieved, but could also impact on the health and
safety of project team.
• Therefore, preparing for risks is an essential project management
responsibility.
• Project managers need to be pessimistic about risks and undertake to
manage them in a systematic manner.
5 © Edinburgh Business School

Risk and uncertainty
Known unknowns are the risks that the organization is aware of but is unaware of the size and effect of the risk. An organization
may know that there is a risk that rain may affect business operations, but the lack of knowledge about how much rain there will be
makes it hard to make concrete plans; risks that you know exist, but can't accurately quantify their potential impact; ex. the
tolerances on raw material or of our process are in a range of possibilities, so it is up to us to control the variability to reduce our
risk of nonconformance
• All projects face uncertainty
• Conditions of certainty
• “known-known” facts and
requirements, not risks; these are managed as
part of the project scope
• Conditions of risk
• “known-unknown”
• Conditions of uncertainty
• “unknown-unknown”
Unknown-unknown risks are unidentified because they are not known until they happen. It's
nearly impossible to formulate a response plan for these risks. You are unable to manage
6 are not determined during the planning phase. © Edinburgh Business School
these risks proactively since they
Risk and projects
• A risk event can be defined as “An uncertain event or set of circumstances that
would , if it occurred, have an effect on the achievement of one or more
objectives” (APMBoK, 2019)
• In terms of projects, a risk is commonly viewed as having an adverse impact on
the project.
• Project risk management is the proactive approach of dealing with the inherent
uncertainty of projects.
• It is concerned with developing a systematic process to manage all the possible
risks on a project, before and after they occur.
• This involves identifying, analyzing and responding to any risks throughout the
project life cycle and seeking to control the level of impact, should a risk occur
(iterative process).
Risk Management Process
The process that allows individual risk events and overall risk to be
understood and managed proactively, optimizing success by
minimizing threats and maximizing opportunities (APMBoK, 2019)
• What can go wrong (risk event).
• How to minimize the risk event’s impact (consequences).
• What can be done before an event occurs (anticipation).
• What to do when an event occurs (contingency plans).
23/02/2024 © Edinburgh Business School

Benefits of Risk Management Planning
• Proactive rather than reactive approach.
• Reduces surprises and negative consequences.
• Prepares the project manager to take advantage of appropriate risks.
• Provides better control over the future.
• Improves chances of reaching project performance objectives within
budget and on time.

The Risk Event Graph

Risk vs. Amount at Stake
Total Project Life Cycle
Plan Accomplish
Phase 1 Phase 2 Phase 3 Phase 4
Initiation Planning Execution Closure
Project risk
Increasing Risk
£ Value
Period of
highest
Amount at stake risk impact
Time
Project Risk Management
Risk versus the Amount at stake

• Project risk management should be an iterative process that continues
throughout the project lifecycle. This is because project risks can occur at any
time in the project and some risks will not be apparent until its later stages.
• As the project progresses the level of ambiguity is reduced as decisions are
made, designs are implemented and the remaining unknowns become known,
until a zero point is reached (Burke, 2003). © Edinburgh Business School
Project Risk Management
Risk versus the Amount at stake

• Conversely, the amount at stake, in terms of investment, is minimal at the start,
as only a few resources have been committed to the project. As the project
progresses, the level of resources and financial capital increases dramatically,
with the highest point at project closure.
• The highest exposure to risk for the organisation therefore occurs during the
final phases of the project life cycle. This is when uncertainty is still relatively
high and the amount
14 at stake is rising rapidly. © Edinburgh Business School
Risk components
– An event (unwanted change)
– A probability of occurrence of
that event
• Uncertainty
•versus
– The Impact of that event

(amount at stake)

Risk Profiling
A list of questions that Developed and refined Historical information Tailored to suit specific Normally generated
address traditional areas from previous, similar projects from the PMO
of uncertainty in a projects
project
Where will risks likely occur? Past Project files
Databases

The Risk management Process

The Risk Management Process
• What are the risks and
The risk management plan generally consists of the

where do they come
from?
• What is likely to happen
should the risk occur?
• What is the probability of
output of the six sequential stages

the risk occurring?
• What are the
consequences of the risk
occurring?
• What are the signs that
the risk is going to occur?
by the project team, or by a

dedicated risk management
team directed by the project
20 manager. © Edinburgh Business School
The Risk management Process
Step 1: Risk Identification
• Generate a list of possible risks through brainstorming, problem identification and risk
profiling.
• Macro risks first, then specific events
Step 2: Risk Assessment
• Scenario analysis for event probability and impact
• Risk assessment matrix
• Failure Mode and Effects Analysis (FMEA)
• Probability analysis
• Decision trees, NPV, and PERT
• Semi-quantitative scenario analysis
Risk identification
• The first stage of the risk management process involves generating a list of all the
possible risk events that could have an adverse affect the project.
• Methods to risk identification:
• Brainstorming sessions
• Lessons learned: Historical documentation on similar projects will identify the
majority of highly probable risks.
• Delphi technique: This involves reaching a census by asking a panel of carefully
selected experts’ particular questions regarding possible risks on the project.
• Interviewing: Experienced project managers, stakeholders and experts are a
great source of knowledge for identifying risks.
• SWOT: A common business practice of examining risks through the SWOT
within the project
Risk classification categories
• Strategic Risks
• Project Risk
• Financial Risk
• Market Risk
• Technical Risks
• External Risk
• Organisational Risk
• Project Management Risks
• Health and Safety Risk Poor Motor Risk Management costs Firm
© Edinburgh Business School 23
Risk Breakdown Structure (RBS)
• Risk categories can also be identified
in a Risk Breakdown Structure (RBS).
Project
• Using the same principles as a WBS,

Project
Technical External Organisational Management Health & Safety
the RBS ensures a comprehensive Requirements Regularity Resources Estimating Dangers
process of systematically identifying

Technology Market Funding Planning Noise
Quality Political Prioritisation Controlling Lights
risk to a consistent level of detail and Performance

and reliability
Weather Project
Dependencies
Communciation Facilities
contributes to the effectiveness and Complexity

and interfaces
Subcontractors
and suppliers
Working
Conditions
quality of risk identification. It is a

hierarchical representation of
potential sources of risks. (PMI, 2019)

Partial Risk Profile for
Product Development Project

Risk Assessment
Not all risks identified deserve attention (trivial/non-trivial risks)
Prioritise risks - Severity and threat on the project
Assess on two dimensions:

1. Probability of Risk Occurring
• Likelihood of the risk occurring
2. Impact of the event
• Cost, Schedule, Quality, Scope

Risk assessment form
Failure Mode and Effects Analysis (FMEA)

Impact × Probability × Detection = Risk Value
FIGURE 7.6
Risk probability / impact matrices
Impact
Low Medium High
High
Probability
Medium
Low

Risk Probability / Impact Matrices
• The typical approach
to prioritising
potential risk is the
Risk Probability and
Impact Matrix.
• This tool
demonstrates
evaluation of all the
risks within a project
on a single chart.

Risk Severity Matrix
Failure Mode and Effects Analysis (FMEA)
Impact × Probability × Detection = Risk Value

Probability impact matrix
Probability Probability Ranking Index Values
Rating Scale
values
Almost 5 5 10 20 40 80
Certain
Likely 4 4 8 16 32 64
Possible 3 3 6 12 24 48
Unlikely 2 2 4 8 16 32 Level
Rare 1 1 2 4 8 16 of
acceptance
Impact Scale Values 1 2 4 8 16
Impact Rating Insignificant Minor Medium Major Severe

Risk Clinic – For your Assignment in the
tutorial
• Draw a risk matrix on clip chart
• In Project teams – analyse all identified risks
• Probability
• What is the likelihood of the risk occurring?
• Impact
• What is the consequence of the risk occurring?
• Brainstorming
• Place post-it notes in the relevant area
• Agreed
• Rearrange
• Discard repeats

Qualitative Risk analysis
High
Medium
Probability
Low
Low Medium High
Impact
Risk Attitude
• Managers attitude towards the risk event
Risk adverse Risk neutral Risk seeker
Level of risk
© Edinburgh Business 43
School
Risk Responses
Types of Response Risk Response Strategy

• Change project scope 1. Mitigating Risk (Minimize)
• Alter plan to avoid risks • Reducing the likelihood an adverse event will
occur.
• Proactive responses
• Reducing impact of adverse event.
• Planned and implemented responses to
reduce likelihood of risks occurring 2. Transferring Risk
• Reactive responses • Paying a premium to pass the risk to another
party.
• Provide provision in project plan for course of
action, to be implemented if risk occurs 3. Avoiding Risk
• Taking a different course of action to eliminate
the risk or condition.
4. Accept Risk
• Making a conscious decision to accept the risk
Contingency Planning
• Contingency Plan
• An alternative plan that will be used if a possible foreseen risk event actually occurs.
• A plan of actions that will reduce or mitigate the negative impact (consequences) of a risk
event.
• Risks of Not Having a Contingency Plan
• Having no plan may slow managerial response.
• Decisions made under pressure can be potentially dangerous and costly.
• Identify alternative processes
• Identify alternative resources
• Calculate lead times for substitute processes
• Identify trigger point that causes contingency plan to be activated
• Price protection risks (a rise in input costs) increase if the duration of a project is
increased
Contingency Reserves
• Cannot predict the future
• Funds to cover project risks—identified and unknown.
• Size of funds reflects overall risk of a project
• anywhere between 10-15%
• Task Contingency
• Contingency reserve for work packages
• Management Contingency
• Contingency reserve for higher level risks

Contingency plan Risk Matrix

Contingency Funding & Time Buffers
Contingency Funds
Funds to cover project risks—identified and unknown ( When, Where, Who?)
Size of funds reflects overall risk of a project
(Normally 5-10%, However in cases 20-60%)
In practice, The CRF is typically divided into:
1.Budget reserves
Are linked to the identified risks of specific work packages (e.g. computer coding & the risk of testing)
2.Management reserves:
Are large funds to be used to cover major unforeseen risks (e.g., change in project scope) of the total project.
Time buffers
Amounts of time used to compensate for unplanned delays in the project schedule to absorb
unplanned cost
(e.g. 30 days at the end of a 300 days project)
Development of a contingency fund estimate
for a hypothetical project
Activity Budget Baseline Budget Reserve Project Budget
Design £700.00 £35.00 £735.00

Code £900.00 £80.00 £980.00
Test £80.00 £8.00 £88.00
Subtotal £1680.00 £123.00 £1803.00
Management £ 75.00
Reserve
Total £1680.00 £123.00 £1878.00

Managing Risk (cont’d)
This is what happens without risk management

Risk Control
• The final stage of the risk management process involves
developing and implementing appropriate processes and
procedures for control of identified risks.
• The outcome of the Risk Assessment process should be a
Risk Information Sheet (RIS) for each identified risk
sometimes referred to as a Risk Assessment Form.
• More often the risk information sheets will be controlled
within a risk data-base and updated accordingly. Each risk
within the data-base is summarised and presented within a
Risk Register.
• This becomes a key component of the project management
plan and is used for reporting, meetings and evaluation of
the project.
Risk Registers
• A Risk Register is a document that contains the results of various risk management processes and is
often displayed in a table or spreadsheet format and often called: Risk Information Sheet (RIS).
• It is a Tool for documenting potential risk events and related information, which may include:
• An identification number for each risk event (WBS)
• The name of and description of the risk event
• Risk type
• A rank for each risk event (usually high, medium, or low)
• The probability of the risk event occurring
• The impact to the project if the risk event occurs
• The Likelihood of the risk event occurring
• Risk response strategy
• The risk owner, or person who will own or take responsibility
• The status of the risk event

Risk Register
• Main control document
• Identifies and summarises all risks
• Dynamic document
• Periodically Identify new risks
• Update risk register
• Monitor Identified risks
• Take appropriate action

Issue Management
• Risk – an event that could occur and impact on the project
• Issue – an event that has occurred and impacted on the project
• Issue management
• Actions to bringing the project back on track
• Escalation from one level of management to the next in order to seek a solution
• Issue log
• Description/risk
• Status
• Priority
• Assigned to

Issue management
• A formal issue occurs when the tolerances of delegated work are
predicted to be exceeded or have been exceeded. This triggers the
escalation of the issue from one level of management to the next in
order to seek a solution. The issue must be logged in the issue log
immediately by project manager

Escalating Issues
Business
Mandate
Scope
Changes Report Issues Major
Decisions
Programme / Programme Board
Mandate
Scope
Report Issues Major
Changes
Decisions
Project Sponsor / Project Board
Mandate
Scope Report Issues Major
Changes Decisions
Project Manager
Project Team © Edinburgh Business School
69
Change Management Control
• Sources of Change
1. Project scope changes
2. Improvement changes
3. Implementation of contingency plans

Change Control System Process
List expected effects Review, evaluate, Negotiate and

Identify proposed of proposed changes and approve or resolve conflicts of
changes. on schedule and disapprove change, condition,
budget. of changes formally. and cost.
Communicate Assign responsibility Track all changes that

Adjust master
changes to parties for implementing are to be
schedule and budget.
affected. change. implemented

The change Control Process

Benefits of a Change Control System
Inconsequential Integrity of the WBS Allocation and use of

changes are discouraged Costs of changes are and performance budget and
maintained in a log. measures management reserve
by the formal process. is maintained. funds are tracked.
Scope changes will be

Responsibility for Effect of changes is
Implementation of quickly reflected in
implementation is visible to all parties
change is monitored. baseline and
clarified. involved.
performance measures.

Sample change request form

Change Request Log

Summary

Learning Outcomes
• To describe the risk management process
• To identify different kinds of risks
• To illustrate approaches for risk identification, analysis, and assessment
• To suggest approaches for responding to project risks and
opportunities
• To propose the use of contingency reserves to cover risk events
• To recognize the need for a change control process/system for any size
of project

Week 7:
Project Cost Estimation
and Budgeting

Thank You.

Risk identification
• The first stage of the risk management process involves
generating a list of all the possible risk events that could have an
adverse affect the project.
• Brainstorming sessions
• Lessons learned: Historical documentation on similar
projects will identify the majority of highly probable risks.
• Delphi technique: This involves reaching a census by asking a
panel of carefully selected experts’ particular questions
regarding possible risks on the project.
• Interviewing: Experienced project managers, stakeholders
and experts are a great source of knowledge for identifying
risks.
• SWOT: A common business practice of examining risks
83
through the SWOT within the project. © Edinburgh Business School
Risk identification
• The first stage of the risk management process involves
generating a list of all the possible risk events that could have an
adverse affect the project.
• Risk Breakdown Structure (RBS)
• Typically derived from the work breakdown structure
(WBS) whereby each activity can be analysed in attempt
to answer the question: “what may go wrong?” Rolling
up an integrated risk scenario can be developed.
• This technique can be embraced by any of the above-
mentioned methods.

Risk Classification / Categories
Risk categories for the classification of risks:
• Strategic Risk: The traditional view recognizes projects as stand-alone
vehicles whose purpose is to deliver the organizational strategic objectives
following fixed time, cost and quality targets. If there is a change in
strategy during the execution of the project, then this will reflect on the
project deliverables and might need the project manager to re-plan some
of the forthcoming activities. Some of the strategic changes are initiated
by external influences due to legal, political, environmental and
socioeconomic factors.
• Project Risk: Project risk is mainly related to the individual project
rather than the bigger picture of the organization or the industry as a
whole. Project risks can be operational risks such as absenteeism, quality
issues, time creep, cost overrun, budget errors, default of suppliers or
drop in supply of resources due to socioeconomic factors.

• Financial Risk:
• The financial risk can also be considered at the organizational level, in
some cases, and therefore can be a driver for strategic changes.
• However, the level of financial planning and the details of the analysis
will vary significantly, whether at the project or strategic level.
• Furthermore, the financial risk can be due to external drivers beyond
the control of the project manager.
• It is worth noting that the financial risks and the economic risks can
be highly correlated in most cases, in sectors such as construction, oil
and gas, tourism, etc.

• Market Risk:
• Perhaps this is the most influential type of risk yet the most challenging to
manage.
• The survival of the organization in the market is the prime aim of any
business. This cannot be achieved unless there is continual review of the
market and the market changes, well in advance, in order to maintain a
proactive approach in managing any foreseen changes effectively.
• Typically, markets tend to reflect an array of factors that include but are
not limited to the economical, political, technological, legal, social and
environmental factors, with different time lags between cause and effect.
• Project managers should be aware of the characteristics of their markets
and the subsequent risks.
• In addition, the risk analysis should encompass all the above mentioned
PESTEL factors since the latter can be drivers for risk factors. The utilization
of other analytical tools such as Porter’s Five forces can help elucidate
other market risks relevant to the industry and its subsequent impact on
the project under study. © Edinburgh Business School
87
Risk Categories
Other Market Risks can fall into one of the following broad
categories:
• Technical Risks: A common risk in all projects is the
dependency on technology. Technical failure has an impact
on the performance and reliability of the project. It also has
an impact on the quality of the project. Risks within this
category include project requirements, interfaces and levels
of complexity.
• External Risks: These are the risks that are normally out with
the direct control of the project manager. They include
meeting regulation and legislative conditions, government
and political intervention, changes in market conditions and
exposure to subcontractor and supplier forces.
Risk Categories
• Organisational Risks: It stands to reason that the project
could be vulnerable to internal issues within the performing
organisation. Priorities may change, funding may not be
available and dependent projects may not be complete on
time.
• Project Management Risks: These are the risks that are the
ultimate responsibility of the project manager and include
exposure to poor quality plans, schedules and estimates.
• Health and Safety Risks: It is the responsibility of the project
manager to ensure that all personnel working on the project
do so in a safe environment. In many countries health and
safety is covered by government legislation and failure to act
89 accordingly can result in prosecution. © Edinburgh Business School
Risk Categories
Risk categories can also be identified in a Risk Breakdown
Structure (RBS). Using the same principles as a WBS, the RBS
ensures a comprehensive process of systematically identifying
risk to a consistent level of detail and contributes to the
effectiveness and quality of risk identification (PMI, 2004).
Risk
Breakdown
Structure

C11PA - Project Management: Week 5

Uploaded by

Copyright:

Available Formats

C11PA - Project Management: Week 5

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

C11PA - Project Management: Week 5

Uploaded by

Copyright:

Available Formats

C11PA – Project Management

© Edinburgh Business School

5 © Edinburgh Business School

23/02/2024 © Edinburgh Business School

23/02/2024 © Edinburgh Business School

23/02/2024 © Edinburgh Business School

Risk versus the Amount at stake

Risk versus the Amount at stake

– The Impact of that event

16 © Edinburgh Business School

23/02/2024 © Edinburgh Business School

23/02/2024 © Edinburgh Business School

The risk management plan generally consists of the

output of the six sequential stages

by the project team, or by a

• Using the same principles as a WBS,

the RBS ensures a comprehensive Requirements Regularity Resources Estimating Dangers

process of systematically identifying

Quality Political Prioritisation Controlling Lights

risk to a consistent level of detail and Performance

contributes to the effectiveness and Complexity

quality of risk identification. It is a

29 © Edinburgh Business School

23/02/2024 © Edinburgh Business School

Prioritise risks - Severity and threat on the project

Assess on two dimensions:

© Edinburgh Business School 32

Failure Mode and Effects Analysis (FMEA)

Low Medium High

23/02/2024 © Edinburgh Business School

36 © Edinburgh Business School

© Edinburgh Business School

Impact Rating Insignificant Minor Medium Major Severe

40 © Edinburgh Business School

23/02/2024 © Edinburgh Business School

Low Medium High

• Managers attitude towards the risk event

Risk adverse Risk neutral Risk seeker

Types of Response Risk Response Strategy

© Edinburgh Business School 53

23/02/2024 © Edinburgh Business School

Design £700.00 £35.00 £735.00

Total £1680.00 £123.00 £1878.00

© Edinburgh Business School

This is what happens without risk management

23/02/2024 © Edinburgh Business School

64 © Edinburgh Business School

© Edinburgh Business School 67

© Edinburgh Business School 68

23/02/2024 © Edinburgh Business School

List expected effects Review, evaluate, Negotiate and

Communicate Assign responsibility Track all changes that

23/02/2024 © Edinburgh Business School

23/02/2024 © Edinburgh Business School

Inconsequential Integrity of the WBS Allocation and use of

Scope changes will be

23/02/2024 © Edinburgh Business School

23/02/2024 © Edinburgh Business School