What is Risk?

Projects are distinct from operations due to their unique nature hence there is a lot of uncertainty. Any uncertainty can impact a project positively or negatively. Such uncertainty is called Risk. A risk may have one or more causes and if it occurs, one or more impact. Risk can be defined as a combination of probability of an event and its impact (consequences) Mathematically it can be represented as,

Risk = Probability of an event occurring x Impact of the event

A risk with positive consequences is termed as an Opportunity, and a risk with negative consequences is termed as a Threat The risk and uncertainty associated with a project are managed by the implementation of Risk Management processes; the objective of which is to increase the probability and impact of opportunities and decrease the probability and impact of Threats to the project. Risks are identified and managed during the initiating stage and updated and added as the project progresses (reassess the threats and opportunities) Risk Tolerances Organizations and Stakeholder are willing to accept varying degrees of risks, this is called Risk Tolerances. Risk tolerance in terms of severity is the point above which a risk is not acceptable and below which the risk is acceptable. Threat to an organization may be accepted if it is in balance with the reward that may be gained. For e.g. A Project Manager of may decide to fast-track the Project. Though fast-tracking in itself may be risky, it may fetch the reward of completing the Project on an earlier date. The tolerance areas can include project constraints (scope, time, cost, quality etc) as well as reputation and other intangibles that may affect the customer. Risk Thresholds A threshold is the point at which the risk becomes unacceptable. Risk Factors: When looking at risk, one should determine Probability / Chances of occurrence Impact When or Which part of project life cycle it can occur Frequency of risk events from that source.

There are four basic ways to handle a risk: Avoid: The best thing that you can do with a risk is avoid itif you can prevent it from happening, it definitely wont hurt your project. Mitigate: If you cant avoid the risk, you can mitigate it. This means taking some sort of action that will cause it to do as little damage to your project as possible. Transfer: One effective way to deal with a risk is to pay someone else to accept it for you. The most common way to do this is to buy insurance. Accept: When you cant avoid, mitigate, or transfer a risk, then you have to accept it. But even when you accept a risk, at least youve looked at the alternatives and you know what will happen if it occurs.

Project Risk Management includes the (below) processes of conducting risk management planning, identification, analysis, response planning and monitoring and control on a project. Risk Management processes are, 1. 2. 3. 4. 5. 6. Plan Risk Management (Iterative) Planning PG Identify Risks (Iterative) Planning PG Perform Qualitative Risk Analysis Planning PG Perform Quantitative Risk Analysis Planning PG Plan Risk Responses Planning PG Monitor and Control Risks Monitoring & Controlling PG

These processes will be used as per the needs of the project. Low Priority projects will need less risk management effort compared to the High Priority projects.

Contingency Reserves These reserves account for Known Unknown (or simply Known) risks identified in risk management. These reserves may only be used to handle the impact of the specified risk, it was set aside for. So if the change is part of the risk response plan that was previously budgeted for, the reserve may be used. They cover the residual (accepted) risks in the project. Project Manager can directly access the contingency reserves. If the risk was NOT identified and budgeted for then ethically Project Manager should take corrective action, preventive action, fast track, crash or adjust the project to accommodate or makeup for the impact of the problem and its resulting changes. Contingency Reserves are calculated and made part of Cost baseline.

Management Reserves These account for Unknown Unknown (or simply Unknown) risks which could not be identified in risk management. Only under certain circumstances, usually determined by the performing organization, management reserves may be used to accommodate for problems or risks that has not been identified previously. A Project Manager needs management approval to access these reserves.

Project Cost Budget = Cost Baseline + Management Reserve. Project Cost Baseline = Project Estimate + Contingency Reserve.

RM Process 1 Plan Risk Management Planning PG Plan Risk Management is the process of defining how to conduct risk management activities for a project. Planning is important to provide sufficient resources and time for risk management activities and to establish an agreedupon basis for evaluating risks. To Remember - Dont forget that you define Probability and Impact values during the Plan Risk Management process.

Inputs
1. Project Scope Statement The project Scope Stmt documents the project and product scope and deliverables. This information can help you assess how complex the project will be and what level of risk management effort is appropriate. It also contains information about boundaries, constraints and assumptions which can indicate risks for the project. Cost Management Plan This plan defines how risk budgets (contingencies and management reserves) will be reported and accessed. Schedule Management Plan This plan defines how schedule contingencies will be reported and assessed. Communication Management Plan The communication failures can add risk to the project. Communications Management Plan defines how the various Project stakeholders communicate with each other. This will act as an input to determine how risks and their responses will be communicated to stakeholders. Enterprise Environmental Factors Organizational risk tolerances and Thresholds describes the degree of risk that an Organization and stakeholders can withstand. OPA Historical records, Lessons learned, Risk categories, Authority levels for decision-making (company processes and procedures).

2. 3. 4.

5.

6.

Tools & Techniques 1. Planning Meetings and Analysis Planning meetings are held to develop the Risk Management Plan (summary of all the below). The project manager, sponsor, team, other stakeholders and experts can be involved in these meetings. High-level plans for conducting the risk management activities are defined in these meetings Risk Management cost elements and Schedule activities will be developed for inclusion in the project budget and schedule respectively. Risk Contingency reserve approaches may be established or reviewed. Risk Management responsibilities will be assigned. Organizational templates for risk categories, definition of terms (levels of risk, type of risk etc), probability and impact matrix will be tailored as per the needs of the project. Additional template of other steps in the processes may be generated.

Outputs

1.

Risk Management Plan The risk management plan describes how risk management will be structured and performed on the project. It becomes the sub-set of the project management plan. It includes, Methodology Defines the approaches, tools and data sources that may be used to perform risk management on the project. Roles and Responsibility It defines who will do what. The non-team members (experts, customers) may also have roles and responsibilities regarding risk management. Budgeting Estimates funds needed for risk management for inclusion in the cost performance baseline and establishes procedures for application of contingency reserves. Timing Defines when and how often the risk management processes will be performed throughout the project life cycle, establishes protocols for application of schedule contingency reserves and establishes risk management activities to be included in the project schedule. Risk Categories Risk categories are lists of common areas or sources of risks. Categorization ensures a comprehensive process of systematically identifying risks to a consistent level of detail and contributes to the effectiveness and quality of identify risks process. Companies and PMOs should have a standard list of risk categories that all projects can use to help identify risks. Risk categories can be structured into a Risk Breakdown Structure. The RBS is hierarchically organized depiction of the identified project risks arranged by risk category or subcategory that identifies the various areas and causes of potential risks. Definition of risk probability and impact The quality and credibility of Perform Qualitative Risk Analysis process requires that different levels of risk probabilities and risk impacts are defined. These general definitions of probability and impact levels are tailored as per the individual project needs during Plan Risk Management process and used in Perform Qualitative Risk Analysis process. Probability and Impact Matrix - is included in the Risk Management Plan. This is a look-up table that has specific Probability and Impact combinations that rate the importance of the risk as high, moderate or low. This is also used as an input to plan the response for an identified risk. Revised stakeholders tolerances Stakeholders tolerances are revised in the Plan Risk Management process as required for a specific project. Reporting Formats Defines how the results of the risk management processes will be documented analyzed and communicated. It describes the content and format of the risk register as well as other risk reports. Tracking Defines how Risk Management activities will be tracked / recorded for future Project needs and if Risk Management processes will be audited.

RM Process 2 Identify Risks Planning PG Identify Risks is the process of determining WHICH risks may affect the project and documenting their characteristics. To Remember - If asked who should be involved in risk identification, the best answer is EVERYONE! (Sponsor, Project Manager, Team Members, customers, SME, end users, stakeholders etc) Everyone has a different perspective of the project and can provide thoughts on opportunities and threats.

High Level risks is an output of Create Project Charter (High-level risks are identified during Initiating Process) Major Risk identification effort occurs during planning as the scope baseline is an important input to risk identification. However this is an iterative process since new risks may evolve & or become known as the project progresses hence it would appropriate to say Majority of risk identification takes place during Initiating & Planning (start of the project) however small number of risks may also be identified during later part of the project (during activities such as Integrated change control, working with resources and dealing with project issues ) Risks are continually assessed.

Inputs 1.

Risk Management Plan Provides the below information to this process, Assignment of Roles & Responsibilities to manage risks in the project. Provision of reserves for Risk Management activities in Project Cost & Schedule. Categories of Risks for which the risks are to be identified. Activity Cost Estimates A review of the Cost Estimates may indicate areas where the cost estimated may be insufficient and may hence pose a risk. Cost Estimates are expressed in Range hence the width of range indicates the degree of risk. Activity Duration Estimates - A review of the Duration Estimates may indicate areas where the time estimated may be insufficient and may hence pose a risk. Duration Estimates are expressed in Range hence the width of range indicates the degree of risk. Scope Baseline - The Scope Statement contains assumptions which should be evaluated as potential causes for risk. WBS is a critical input to identifying risks as it facilitates an understanding of the potential risks at both the micro and macro levels. Stakeholder Register - It is important to have the right information about the various stakeholders involved while identifying the risks. Cost Management Plan - Cost Management Plan is a part of the Project Plan. The approach adopted for cost management may itself contain elements that give rise to some risks. Schedule Management Plan - Schedule Management Plan is a part of the Project Plan. The approach adopted for schedule management may itself contain elements that give rise to some risks. Quality Management Plan - Quality Management Plan is a part of the Project Plan. The approach adopted for quality management may itself contain elements that give rise to some risks. Project Documents Assumptions log, Work Performance Reports, EV reports, Network Diagrams, Baselines etc.

2.

3.

4.

5. 6.

7.

8.

9.

10. Enterprise Environmental Factors - Understanding the environment of the Enterprise / organization is vital for planning risk. The risk tolerances and attitude to risks will provide an insight on how much risk the organization can take on. 11. Organizational Process Assets Organizational and project process controls, Risk Statement Templates, Lessons learned etc.

Tools & Techniques 1. Documentation Reviews - Involves reviewing Project documentation, plans, contracts, and other documents in an attempt to identify the risks. The documents quality and consistency needs to be checked thoroughly. Any inconsistency can be a cause for risks . 2. Information Gathering Techniques The project team usually performs brainstorming with multi-disciplinary experts who are not a part of the Project team. The Risk Breakdown Structure (RBS) can be used as an input by the experts to identify risks. The output of this exercise is to produce a comprehensive list of Project risks. Delphi Technique The Delphi technique is a way to reach a consensus of experts. Project risk experts participate in this technique anonymously. Experts answer a questionnaire that is circulated by a facilitator. The responses are summarized by the facilitator and the responses are recirculated for further comments. The output is a consensus of risks which is reached after a few rounds of response consolidation and comments for the responses. The advantage of this technique is that it reduces data bias and prevents a person from having a dominating influence on the outcome. This technique can also be used for estimating time and cost. Interviewing (expert interviewing) Interviewing experienced project participants, stakeholders and SME can identify risks. Root Cause Analysis Reorganizing the identified risks by their root causes will help you identify more risks. Checklist Analysis The list of risk categories was previously described in the Plan Risk Management process. This list is used to identify specific risks within category. In case of RBS the lowest level can be used as a list. Assumption Analysis Assumptions made on the project are evaluated for inconsistencies, inaccuracy and incompleteness. These can be causes for potential risks. Diagramming method Cause & effect diagrams (Ishikawa) This is useful in identifying causes of risks which will help identify additional risks for the project. System / Process Flow charts - provide a graphical representation of a process and show how various elements of a system inter-relate. Decision points in these diagrams need to be evaluated keenly for inconsistencies. Influence Diagrams - this is a graphical representation of situations showing causal influences, time-ordering of events and other relationships among variables and outcomes. SWOT Analysis SWOT Analysis helps determine the Strengths, Weaknesses, Opportunities and Threats of the performing organization. The Opportunities and Threats are of interest in identifying the risks. SWOT Analysis also determines to which extent the strengths balance threats and opportunities to overcome the weakness.

3.

4. 5. 6.

7.

8.

9.

10. Expert Judgment - Experts who have relevant experience of similar projects or related business areas may be called upon to help identify the project risks.

Outputs 1. Risk Register This is the primary output and contains the initial entries of the identified risks. The risk register is the place where most of the risk information is kept. The preparation of the risk register begins in the Identify Risks process with the below information and then becomes available for the other risk management processes as they are conducted, resulting in an increase in the level and type of information contained in the risk register overtime. List of identified risks The identified risks in this process are described in as much detail as is reasonable. List of potential responses There will be time when a response is identified at the same time as a risk is identified. These responses are added to the risk register as they are identified however they are analyzed later as part of risk response planning. Risk Register becomes part of Project Documents & on project completion it is also included in historical records for future projects.

To Remember Notice that an updated risk register is the only output of several of the risk management processes. As the risk register contains information developed from different risk management processes depend on when in the risk management process, read the exam question carefully and identify which risk management process the question is referencing to? To Remember When in the risk management process is responses documented, the answer is in both Identify Risks & Plan Risk Responses

RM Process 3 Perform Qualitative Risk Analysis (short listing the risks) Planning PG Perform Qualitative Risk Analysis (subjective analysis) is usually a rapid and cost-effective means of establishing priorities for Plan Risk Responses and lays the foundation for Perform Quantitative Risk Analysis.

The Risks are prioritized based on, Probability of occurrence of the risk Impact of risk on Project objectives Risk Urgency (time criticality of a risk may magnify the importance of a risk) Risk tolerances associate with project constraints (Scope, Schedule, Cost, Quality)

Time criticality Risk may occur soon or will require a long time to plan a response. High Priority Risks may lead directly to Plan Risk Responses Other Risks - may lead to Perform Quantitative Risk Analysis process. Perform Qualitative Risk Analysis process should be revisited during the projects life cycle to stay with current changes in the project risks.

Qualitative Risk Analysis can also be used to, Compare the risk of the project to the overall risk of other projects Determine whether the project should be selected, continued or terminated Determine whether to proceed to the Perform Quantitative Risk Analysis or Plan Risk Responses (depending on the needs of the project and the performing Organisation.)

Inputs 1. 2. Risk Register A list of identified risks and their initial information gathered during Identify Risks process. Risk Management Plan Key elements (tailored for this project) of the Risk Management Plan to perform this process includes, 3. Roles & Responsibilities assigned for Risk Management Budgets Schedule Activities for Risk Management Risk Categories Definition of Probability and Impact Probability & Impact matrix Revised stakeholders Risk Tolerances

Project Scope Statement It contains the project deliverables, the work required to complete these deliverables, detailed product description (product scope), product acceptance criteria, project constraints and assumptions. These elements are considered while evaluating the risks. Organizational Process Assets OPA assets that can influence this process are, Information on prior similar completed projects Studies of similar projects by risk experts/specialists Risk databases

4.

Tools & Techniques 1. Risk Probability and Impact Assessment Risk Probability assessment investigates the likelihood of occurrence for each risk 2. Risk Impact assessment investigates the potential effect on project objectives such as schedule, cost, quality, or performance, including both negative effects for threats and positive effects for opportunities. Assessments are done through interviews or meetings with the concerned persons (internal or external to the project). Risk Probability and impacts on each objective are rated according to the definitions in Risk Management plan. The evaluation results are recorded along with on assumptions made and justifications on assigned ratings. Risks with Low ratings will be included in the watch list for future monitoring.

Probability & Impact matrix A standard rating system to promote a common understanding of what each risk rating means is shown in a probability and impact matrix. The matrix may be used to sort or rate risks to determine the high, medium and low priority risks. Risk Data Quality Assessment Is a technique to evaluate the degree of precision of the risk data. It includes determining the following for each risk, Extent of understanding of risk Data available about the risk Quality of the data (If the data is found to be inadequate or of low quality, it may be necessary to gather more data or data of higher quality to perform the analysis.) Reliability and integrity of the data

3.

4.

Risk Categorization This technique involves grouping the risks by cause/sources of risk to know which work packages, processes, people, or other causes/sources have the most risk associated with them. Such data will be helpful in risk response planning, allowing eliminating many risks at once by eliminating one cause. Risk Urgency Assessment Risks requiring near-term responses are given high-priority to address. Indicators of priority can include, Risks that may occur soon or will require a long time to plan and or affect a response. Symptoms and warning signs Risk Rating (determined from probability and Impact risk assessment) Expert Judgment Expert judgment is required to assess risks and fit them into the P&I matrix. This is done through interviews of workshops with the experts. Experts are people who have had experiences in similar projects that have been done in the recent past.

5.

6.

Outputs 1. Risk Register Updates The risk register is further updated to add the results of qualitative risk analysis, including, List of prioritized risks and their relative ranking The Risks may be listed by priority separately for each objective (schedule, cost, performance) since organizations may value each objective over other. The project manager can then use this prioritized list to focus attention on those items with high risk and most valued objective whereby responses can lead to better project outcomes. Risks grouped by categories Risk categorization can reveal common root causes of risk or project areas requiring particular attention which will help in preparing effective risk responses. List of risks requiring response in near term Those risks which require an urgent response. List of risks for additional analysis Some of the risks may need more analysis which are moved to Quantitative Risk Analysis. Watch list or Low priority risks - Low priority risks are placed on a watch list and monitored throughout the project life cycle. Trends in qualitative risk analysis results Qualitative risk analysis may be redone in planning or in other part of the project (Reassessing the risks). The trend for particular risks may become evident making the risk response and further analysis more or less urgent/important.

RM Process 4 Perform Quantitative Risk Analysis Planning PG Perform Quantitative Risk Analysis is the process of numerically analyzing the effect of identified risks on overall project objectives. Qualitative Risk Analysis identifies risks that will potentially impact the Projects objectives. The outcome of this analysis is used as an input for performing the Quantitative Risk Analysis. Quantitative Risk Analysis presents a quantitative approach to decision-making in the presence of uncertainty. The purpose of Quantitative Analysis is to, Determine the overall project risk Determining the quantified probability of meeting project objectives (e.g. We only have an 80% chance of completing the project within 6 months required by the customer. OR We only have a 75% chance of completing the project within the $80,000 budget) Determine cost and schedule reserves Assess probability (expressed in %) of achieving some specific Project objectives (schedule, cost, scope) Identify risks that require most attention (high severity risks) by quantifying their relative contribution to the overall project risks. Identify realistic and achievable cost, schedule and scope targets given the Project risks.

Qualitative Risk analysis is done for all projects however Quantitative risk analysis is not required for all projects and may be skipped in favor of moving to Risk Response Planning. Quantitative risk analysis is performed only if its worth the time and money on a project. For some projects few risks may be identified for quantitative risk assessment. This assessment is not performed for Low priority and short term projects. To Remember If exam mentions the term risk assessment then it refers to is Risk Identification through Quantitative Risk Analysis. Quantitative Risk Analysis needs to be performed also after Risk Response Planning and Risk Monitoring & Control to check if the overall project risks have satisfactorily decreased.

Inputs 1. Risk Register Contains the ranking of Risks based on the values in the P&I Matrix and also the categorization of risks based on the root causes. Lists risks requiring near-term action. Risk Management Plan Contains the definitions for Probability and Impact along with the scales to measure the Probability and Impact. Contains information about roles and responsibilities, stakeholders risk tolerance, scope, schedule etc. Cost Management Plan Contains information about how costs can be controlled. These controls may help determine the structure or application approach for the quantitative analysis of the cost budget. Schedule Management Plan Contains information about how schedule can be controlled. These controls may help determine the structure or application approach for the quantitative analysis of the project schedule. Organizational Process Assets - Information on similar projects executed, databases with risk-related documents etc can influence the qualitative risk analysis

2.

3.

4.

5.

Tools & Techniques 1. Data Gathering and Representation Techniques Interviewing techniques draw an experience and historical data to quantify the probability and Impact of risks on project objectives. Documenting the rationale of the risk ranges and the assumptions behind them are important components of the risk interview because they can provide insight on the reliability and credibility of analysis. Probability Distribution Determining which type of probability distribution that will be used i.e. triangular, normal beta, uniform or log normal distributions. Continuous Probability represents uncertainty in values. Discrete Probability represents uncertain events.

2.

Quantitative Risk Analysis and Modeling Techniques Sensitivity Analysis - looks individually at each project objective and measures how uncertainty could impact that objective. This makes it possible to identify what risks have the greatest potential impact, and can show how uncertainty can impact project objectives. For example, if labor cost could fluctuate between -20% and +20%, sensitivity analysis applies this cost range throughout affected project components and then displays which components are most susceptible to this risk. Sensitivity analysis is usually shown as a tornado diagram or a spider diagram. Expected Monetary Value (EMV) analysis is the cost or benefit of an uncertain event. EMV for a project is calculated by multiplying the value of each possible outcome by its probability of occurrence and adding the products together. A common use of this type of analysis is in decision tree analysis.

For an example, let's assume that there is a carnival game in which there are three shells but only one has a ping-pong ball under it. The game costs $1 to play and the winner will receive $2 if he correctly picks the shell with the ball hidden under it. There are two outcomes based on the one-in-three chance of choosing the correct shell: either the players chances of loosing are 66.66% or he earns $2 with 33.33% chances of winning. The EMV for this game is: EMV = (66.66% x $0) + (33.33% x $2) EMV = $0 + $0.67 EMV=$0.67 EMV incorporates any initial cost for the decision as a negative value (such as cost of goods or services), which in our example is the price of the game: Net EMV = (-$1) + $0.67 Net EMV = (-$0.33) A negative EMV is a risk cost and a positive EVM is a benefit, so in this example the odds are not in the player's favor over the long term even if he wins $2 one out of every three tries. Another use of EMV is in establishing the contingency reserve by aggregating the EMV for each known risk. Modeling and simulation - Monte Carlo Analysis throws large numbers of scenarios at the project Schedule or Cost to see the impact of certain risk events. It is a computer based program because of the intricacies of the calculations. Evaluates the overall risk in the project Provides the probability of completing the project on any specific day or for any specific cost. Provides the probability of any activity actually being on the critical path Takes into account path convergence Translates uncertainties into impacts to the total project. Can be used to assess cost and schedule impacts Results in probability distribution

For the EXAM, remember that simulation techniques are used to predict schedule or cost risks. 3. Expert Judgment Expert Judgment comes into play in the interpretation of data. Experts should be able to identify the appropriate tools and strength and weakness of these tools.

Outputs 1. Risk Register Updates The risk register is further updated to include a quantitative risk report detailing quantitative approaches, outputs and recommendations. Updates include the following components,

Probabilistic analysis of the project - estimates of potential project cost and schedules are arrived. Confidence level of meeting cost budgets and time schedules are also derived. The output is often expressed as a cumulative distribution. Probability of achieving cost and time objectives Probability of achieving cost and time objectives are updated considering the risks that need to be factored for. Prioritized list of quantified risks This list of risks includes those risks that pose greatest opportunities or threats. These include the risks that may have the greatest effect on cost contingency and those that are most likely to influence the critical path. Trends in quantitative risk analysis results - Quantitative risk analysis may be redone in planning and when changes are proposed (Reassessing the risks). The trend for particular risks may become evident making the risk response and further analysis more or less urgent/important.

RM Process 5 Plan Risk Responses Planning PG In risk response planning you will find ways to, Reduce the threat or eliminate them entirely Make opportunities more probable or increase their impact

For remaining residual risks (threats) that cannot be eliminated, Do something if the risk happens (prepare Contingency plans) Do something if Contingency plans are not effective (prepare Fallback plans)

Plan Risk Responses processes addresses risks by priority, including resources and activities into the budget, schedule and project management plan. On the exam, assume that all the major problems that could have been identified in advance as risks were determined before they occurred and there was a plan put in place to address each of these risks. If there is a question describing the a major problem on the project, the best choice would be that talks about implementing the contingency plan than the choice that talks about discussing the possible solutions after the problem has occurred. Some Tricky points to remember for exam, It is possible to eliminate all the risks on a project however the time and effort involved in eliminating all the risks would probably not be worthwhile. Risk Identification, Qualitative risk analysis, Quantitative risk analysis and Risk Response planning does not end once the project execution starts. However these processes are ongoing and repeatable. While the project work is being, new risks may be discovered, resulting in the need to analyze and plan for the risks. Risks ratings and response strategies for existing risks can also change later in the project as more information about the risks and selected strategies is known. Therefore risk ratings, responses must be reviewed for appropriateness over the life of project as well. This is the iterative nature of risk.

Inputs 1. Risk Register The risk register refers to identified risks, root causes of risks, lists of potential responses, risk owners, symptoms and warning signs, the relative rating or priority list of project risks, a list of risks requiring response in the near term, a list of risks for additional analysis and response, trends in qualitative analysis results and a watchlist of low-priority risks. 2. Risk Management Plan Important components of the risk management plan include roles and responsibilities, risk analysis definitions, timing for reviews, risk thresholds for high, moderate and low risks

Tools & Techniques 1. Strategies for Negative Risks or Threats - The choices for response strategies for threats include, Avoid Eliminate the threat by eliminating the cause (remove the work package or person) Transfer Transferring some or all of the negative impact (threat) along with the response ownership to a third party. Transferring the risk simply gives another party responsibility for its management it does not eliminate the risk. E.g. purchasing insurance, performance bonds, warranties, and guarantees or outsourcing the work. The risk assessment should be completed before a contract can be signed. Transference of risk is included in the terms and conditions of the contract. Mitigate Reducing the probability or the impact of a threat of an adverse risk (high priority risk) event to be within the acceptable threshold limits. E.g. (conducting more tests, choosing more stable supplier, prototyping) Strategies for Positive Risks or Opportunities The choices of response strategies for opportunities include, Exploit Add work or change the project to make sure the opportunity occurs. Enhance Increase the likelihood (probability) and positive impacts of the risk event. Share Allocate Ownership of the opportunity to a third party (forming a partnership, team or joint venture) that is best able to achieve the opportunity. A response strategy for both threats and opportunities is ACCEPT (Known Unknown) Accepting the positive / negative risks This strategy is adopted because it seldom possible to eliminate all threats from a project. This strategy indicates that the project team has decided not to change any elements of the project management plan to deal with a risk OR is unable to identify any other suitable response strategy. Acceptance strategy has the below 2 categories, Passive Acceptance Team decides to deal with the risk as and when they occur. Active Acceptance may involve the creation of contingency plans but do not implement it unless the risk event occurs. and allocating the contingency reserves (schedule and cost) to the project. Acceptance of a risk means that the severity of the risk is low enough that we will do nothing about the risk unless it occurs. Using the acceptance strategy means that the severity of the risk is lower than our risk tolerance level.

2.

3.

A decision to accept a risk must be communicated to stakeholders. 4. Expert Judgment - Expertise can be valuable input for deciding on which strategy of risk response needs to be adopted. Acceptance is active when a risk is identified as being acceptable but we decide to make a plan for what to do when and if the risk occurs.

Outputs 1. Risk Register Updates Identified risks, their descriptions, areas of the project affected (WBS element), their causes (RBS element) and how they may affect project objectives. Risk Owners and assigned responsibilities Prioritized lists from project risks (Qualitative Analysis) Agreed-upon response strategies and actions to be implemented, Triggers, symptoms and warning signs or risks occurrence Cost and Time factoring to implement the response strategies (Risk response cost) Contingency and Fall back plans Residual risks Secondary risks that arise as a direct outcome of implementing a risk response Project Management Plan Updates Subsidiary management plans such as Cost, Schedule, Quality, Procurement and Human Resource are updated based on the risk response strategy adopted. Because of new work or omitted work, baselines for cost and schedule, and WBS are also updated to reflect the risk response. Risk-related contract agreements - Risk related contract agreements need to be prepared if 3rd parties are involved for risk transfer or sharing. Project Document Updates - Assumption logs and technical documents may change to reflect the risk response strategies.

2.

3. 4.

RM Process 6 Monitor and Control Risks Planning PG Monitor and Control Risks is the process of, Implementing risk response plans Tracking identified risks (high, medium, low) Monitoring residual risks Identifying new risks, analyze and plan for them Evaluating risk process effectiveness throughout the project (are the risk management processes working?) If the earlier plan no longer seems like it will work based on new information. Lets plan a different response. Collect and communicate risk status Determine if assumptions are still valid Ensure proper risk management procedures are being followed. Revisit the watch list to analyze if the project changes have changed their severity. Recommend corrective action to adjust the severity of actual risk events (This risk did not have the impact we
expected, so lets adjust the contingency plan we are in middle of implementing and change what we do if the risk reoccurs)

Look for any unexpected effects or consequences or risk events. Reevaluate risk identification, Qualitative, Quantitative risk analysis when the project deviates from the baseline. Update risk management and response plans. Look at the changes, including recommended corrective actions, to see if they lead to identifying more risks. Make changes to the project management plan and project documents when new risk responses are developed. Create a database of risk data that may be used throughout the organization on other projects. Perform Variance and trend analysis on project performance data. Use contingency reserves and adjust for approved changes.

Workarounds - Recommendations for corrective action on a project may include workarounds. Whereas contingency responses are developed in advance, workarounds are unplanned responses developed to deal with the occurrence of unanticipated risk events. Project managers who do not perform risk management spend most of their time creating workarounds.
Inputs 1. Risk Register It contains key inputs that include Identified risks and risk owners Agreed risk responses and implementation actions Symptoms and warning signs or risk Residual and secondary risks Watch list of low priority risks Time and Contingency reserves Project Management Plan Contains Risk Management Plan which includes the risk tolerances, allocation of resources for risk-related activities, and risk owners. Work Performance Information - Provides performance information that is related to the various performance results such as Deliverable status, Schedule progress and Costs incurred, Performance Reports.

2.

3.

Tools & Techniques 1. Risk Reassessment This is an important agenda on team meetings. The risk management plan and risk register is reviewed and adjustments are made as required. This may result in identification of new risks, reassessment of current risks and closing of risks that are outdated (qualitative and quantitative analysis) as well as further risk response planning. Risk Audits Risk Audits examines and documents the effectiveness of risk responses in dealing with identified risks and their root causes as well as the effectiveness of the risk management process. This results in identification of lessons learned which then forms a part of OPA. Risk Audits are evidence of how seriously risk should be taken on a project. Variance and Trend Analysis Earned value analysis and other methods of project variance and trend analysis may be used for monitoring overall project performance. Outcomes of these analyses may forecast potential deviation of the project at completion from cost and schedule targets. Deviation from the baseline plan may indicate the potential impact of threats or opportunities. Technical Performance Measurement - Compares the technical achievement actually achieved to the planned achievements. Deviations from the original plan are assessed and these help in forecasting the degree of success in achieving the project scope. Reserve Analysis It compares the amount of the contingency reserves remaining to the amount of risk remaining at any time in the project in order to determine if the remaining reserve is not adequate. Status Meetings Project risk management should be an agenda item at periodic status meetings. Frequent discussions about risks makes it more likely that people will identify risks and opportunities.

2.

3.

4. 5.

6.

Outputs 1. Risk Register Updates The M&C will add following to the risk register, Outcomes of the risk reassessments and risk audits Updates to previous parts of risk management, including the identification of new risks Closing of risks that are no longer applicable Details of what happened when risks occurred Lessons Learned Change Requests Implementing Contingency plans and Workarounds sometimes results in a change request. Change requests with recommended corrective and preventive actions are prepared and submitted to the PICC process. Recommended Corrective actions These include Contingency plans and workarounds Recommended Preventive actions These are documented directions to perform an activity that can reduce the probability of negative consequences associated with the project. Project Management Plan Updates The approved change requests can result changes in the below components of PM plan Subsidiary management plans such as Cost, Schedule, Quality, Procurement and Human Resource are updated to reflect the approved changes Because of new work or omitted work, baselines for cost and schedule, and WBS are also updated. Project Document Updates Assumption logs and technical documents may change, stakeholder management strategy, metrics may also change as a result of Risk M&C. Organizational Process Assets Updates The 6 Risk Management processes produce information that can be used to for future projects hence should be captured in OPA. The assets may include, Templates for Risk Management Plan, including P&I Matrix and Risk Register. Risk Breakdown Structure. Lessons Learned from Project Risk Management activities.

2.

3.

4.

5.