Topic 8: Project risk management

Project risk management—an overview

Project risks are events or conditions that are not certain to occur, but if they do, their occurrence will affect the project. There are high- and low-level risks on a project. A high-level risk is that the project might fail. A low-level risk is that the project will be interrupted in some manner.

A project manager can do a number of things to reduce the potential for impact on the project. Whatever they decide will fall into one of two categories:
1. They will aim to make the risk less likely to occur.
2. They will attempt to reduce the impact of the risk.

Projects almost always have risks that have positive and negative consequences. Almost all estimates, whether they be cost- or schedule-related, will have both positive and negative risks associated with them. A typical example of the ability to capitalise on positive risks when estimating is the ever-present issue of coordinating scheduling with external events.

Risk management tools and techniques

The PMBOK Guide describes a number of risk management tools and techniques available to project managers. These are grouped according to the nine knowledge area processes. However, appreciate that these tools and techniques can be used across a number of the processes. With this in mind, we have structured our discussion as follows:
* planning tools and techniques—tools and techniques that help the project manager capture risks and plan for their mitigations
* qualitative tools and techniques—tools and techniques to qualitatively analyse risks and their potential impact to the project
* quantitative tools and techniques—the hard number/scientific risk analysis tools.

Risk management is an iterative process, the outcomes of which need to be constantly reviewed for currency and relevance.

* Plan risk management: define the organisational context, scope, objectives and limitations of the risk management process.
* Identify risks: identify all risks as is practicable.
* Perform qualitative risk analysis: identification of the key characteristics of each risk, and describing the potential impacts.
* Perform quantitative risk analysis: evaluation of the potential impact of each risk on the project in a quantitative form.
* Plan risk responses: identification of the appropriate response/mitigation for each risk.
* Monitor and control risks: implementation of mitigation strategies, monitoring of mitigation effectiveness, review of the risk environment and communication of these processes.

Risk probability and impact assessment is determining what the most likely impact will be if a risk event occurs and what the most likely probability is of the event occurring. A typical table of five consequence terms (insignificant–catastrophic) is compared against five likelihood terms (remote–highly likely). The intersecting cells are denoted with their risk level (e.g. 3B or 4E) as a matrix of consequence/probability.

'Probability' is the expression in a quantitative or mathematical sense, such as 0.36 or 36%, whereas 'likelihood' is the expression in a qualitative or descriptive sense, such as 'high' or 'very low'.

Diagrams can help teams analyse risks. The Ishikawa diagram (see Topic 5—Project quality management) can be used to break down risk areas into finer levels of detail, enabling the project team to have a greater understanding of the potential list of risks that should be reviewed. In addition to the Ishikawa diagram, WBS charts, OBS charts, SBS charts and Gantt charts depict different aspects of a project and allow the team to focus on different areas of potential risks.

The Delphi method (see Topic 4—Project cost management) is a refinement of expert judgment. When doing the risk assessment, we take the best guess of someone who has worked on similar projects and can, therefore, 'estimate' (guess!) the likely risks to the project.

Borrowed from strategic planning, SWOT analysis allows a project manager to determine any risk to their project from either external or internal factors or sources.

Risks may be treated, but if they are not, then there remains a potential that they will occur. Often a risk occurrence is greatly increased by an event. Understanding this process or the life of each risk allows you to understand when the risk needs to be treated.

The expected monetary value (EMV) of a risk is simply the cost impact multiplied by the likelihood when the likelihood is expressed as a percentage, that is:
EMV = Likelihood x Impact

Furthermore, EMV is an indication of the level of risk: it is a tool for ranking the priority of effort. EMV should not be thought of as a dependable method for calculating the appropriate level of contingency to cover that risk.

Iso-risk diagrams graphically indicate all the likelihood and consequence (impact) combinations that have the same, or constant, risk factor (Rf), where Rf is defined as:
Rf = Probability + Consequences – (Probability x Consequences)
(where both probability and consequences are scaled to be between zero and one.)
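As an added example (not from the study guide), the Python below applies the two formulas above to a small constructed risk register: it ranks risks by EMV, computes the iso-risk factor Rf for each, and contrasts the EMV total with the largest single loss to show why EMV is a priority-ranking tool rather than a contingency figure. The risks, values and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    uid: str
    detail: str
    probability: float   # likelihood as a fraction, 0..1
    impact: float        # cost impact if the risk occurs (currency units)
    consequence: float   # impact rescaled to 0..1 for the iso-risk formula


def emv(risk: Risk) -> float:
    """Expected monetary value: likelihood x cost impact."""
    return risk.probability * risk.impact


def risk_factor(probability: float, consequence: float) -> float:
    """Iso-risk factor Rf = P + C - (P x C), both inputs scaled to [0, 1]."""
    for value in (probability, consequence):
        if not 0.0 <= value <= 1.0:
            raise ValueError("probability and consequence must lie in [0, 1]")
    return probability + consequence - probability * consequence


def rank_by_emv(register: list[Risk]) -> list[str]:
    """UIDs ordered by EMV, highest first: a priority-of-effort ranking."""
    return [r.uid for r in sorted(register, key=emv, reverse=True)]


def rank_by_rf(register: list[Risk]) -> list[str]:
    """UIDs ordered by iso-risk factor, highest first."""
    key = lambda r: risk_factor(r.probability, r.consequence)
    return [r.uid for r in sorted(register, key=key, reverse=True)]


def emv_total(register: list[Risk]) -> float:
    """Sum of EMVs: a level-of-risk indicator, not a contingency amount."""
    return sum(emv(r) for r in register)


def worst_single_loss(register: list[Risk]) -> float:
    """Largest single cost impact: what a reserve sized on EMV alone would miss."""
    return max(r.impact for r in register)


# Constructed register (sample values, not real project data)
REGISTER = [
    Risk("R1", "Key supplier delivers late", 0.36, 50_000, 0.5),
    Risk("R2", "Data-centre flood during cut-over", 0.05, 400_000, 0.9),
    Risk("R3", "Test environment unavailable for a day", 0.80, 10_000, 0.1),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(r.uid, f"EMV={emv(r):,.0f}", f"Rf={risk_factor(r.probability, r.consequence):.3f}")
    print("EMV ranking:", rank_by_emv(REGISTER), " Rf ranking:", rank_by_rf(REGISTER))
    print(f"EMV total {emv_total(REGISTER):,.0f} vs worst single loss {worst_single_loss(REGISTER):,.0f}")
```

Note that the two rankings differ: EMV weights cost heavily, while Rf rises with either a high probability or a high consequence, so R3 outranks R1 on Rf but not on EMV.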

Monte-Carlo analysis is a statistical simulation technique for analysing complex systems. The important part of Monte-Carlo analysis is the difference in results that comes from considering the variability of the estimates and their associated risks.

A Tornado diagram is an output of a Monte-Carlo modelling tool and is simply a graph of the relative sensitivities of the output to the various inputs to that output. The sensitivities are drawn as horizontal lines, with the biggest stacked on the top, the next biggest underneath and so on down to the smallest.

Sensitivity analysis measures the sensitivity of an outcome to changes to its inputs. For example, suppose a delivery date is determined by five sequential activities. A delay in any one of those activities will delay the end date by one day. However, if some of those activities are in parallel and have float, then a delay of one day in some tasks may not produce a delay in the end date.
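As an added example (not from the study guide), the Python below runs a Monte-Carlo simulation over five sequential activities with constructed three-point estimates, reads off the P50 and P80 finish dates as the 'reasonably likely' outcomes a commitment could be based on, and builds tornado rows by ranking each activity's correlation with the finish date. The activity names, estimates and helper functions are assumptions for illustration.

```python
import random

# Constructed schedule: five sequential activities with three-point estimates
# (optimistic, most likely, pessimistic) in days. Design carries the widest spread.
ACTIVITIES = [
    ("Requirements", 4, 5, 7),
    ("Design", 5, 8, 20),
    ("Build", 9, 10, 12),
    ("Test", 4, 6, 9),
    ("Deploy", 1, 2, 3),
]

def simulate(activities, runs=5000, seed=1):
    """Sample each duration from a triangular distribution and sum the chain."""
    rng = random.Random(seed)
    samples = {name: [] for name, _, _, _ in activities}
    totals = []
    for _ in range(runs):
        total = 0.0
        for name, low, mode, high in activities:
            duration = rng.triangular(low, high, mode)
            samples[name].append(duration)
            total += duration
        totals.append(total)
    return totals, samples

def percentile(values, p):
    """Nearest-rank percentile, p in [0, 1]; P80 is a 'reasonably likely' commitment."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

def pearson(xs, ys):  # correlation of one input with the output
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def tornado(totals, samples):
    """Tornado rows: inputs ranked by |correlation| with the finish date, largest first."""
    rows = [(name, pearson(vals, totals)) for name, vals in samples.items()]
    return sorted(rows, key=lambda row: abs(row[1]), reverse=True)

if __name__ == "__main__":
    totals, samples = simulate(ACTIVITIES)
    print(f"P50 {percentile(totals, 0.5):.1f} days, P80 {percentile(totals, 0.8):.1f} days")
    for name, corr in tornado(totals, samples):
        print(f"{name:<13}{'#' * int(abs(corr) * 40)} {corr:.2f}")
```

The most-likely durations sum to 31 days, yet the P50 lands well above that because the spreads are skewed to the pessimistic side, which is the difference the paragraph above refers to.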

A decision tree is a hierarchical sequence of decision nodes (with decision branches), chance nodes (with likelihoods of chance and chance branches) and end nodes with known or estimated outcomes. End nodes are specific outcomes, each with a chance of occurring. The cost or value of the end node can be estimated by summing the expected value (likelihood x end node cost) of each chance branch. We determine the best decision branch by selecting the branch with the highest expected value.
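As an added example (not from the study guide), the Python below rolls back a small constructed decision tree in the way the paragraph describes: chance nodes sum likelihood x outcome over their branches, and decision nodes pick the branch with the highest expected value. The build/buy scenario, its numbers and the class names are assumptions for illustration.

```python
import math
from dataclasses import dataclass
from typing import Union


@dataclass
class End:
    """End node: a known or estimated net outcome (positive = value, negative = cost)."""
    value: float


@dataclass
class Chance:
    """Chance node: (likelihood, subtree) pairs whose likelihoods must sum to 1."""
    branches: list


@dataclass
class Decision:
    """Decision node: (label, subtree) pairs; the best branch is chosen."""
    options: list


Node = Union[End, Chance, Decision]


def expected_value(node: Node) -> float:
    """Roll the tree back from its end nodes to the root."""
    if isinstance(node, End):
        return node.value
    if isinstance(node, Chance):
        total = sum(p for p, _ in node.branches)
        if not math.isclose(total, 1.0):
            raise ValueError(f"chance branches sum to {total}, not 1")
        return sum(p * expected_value(sub) for p, sub in node.branches)
    return max(expected_value(sub) for _, sub in node.options)


def best_branch(decision: Decision) -> str:
    """Label of the decision branch with the highest expected value."""
    return max(decision.options, key=lambda opt: expected_value(opt[1]))[0]


# Constructed tree: build a component in-house or buy it, with net outcomes
# (benefit minus cost, in thousands) at the end nodes.
TREE = Decision([
    ("build", Chance([(0.7, End(200)), (0.3, End(-60))])),
    ("buy",   Chance([(0.9, End(150)), (0.1, End(90))])),
])

if __name__ == "__main__":
    for label, sub in TREE.options:
        print(f"{label}: EV = {expected_value(sub):.1f}")
    print("best branch:", best_branch(TREE))
```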

The result of a statistical branching model is a project schedule where the final arrangement of tasks is not simply created by dependencies. Key factors such as milestone dates, budgets and resourcing are determined. This is known as GERT scheduling or GERT planning.

Negative risks are those things that will have an adverse impact on the project or its outcomes. The strategic options available are: avoid, transfer, mitigate or accept. These are the PMBOK Guide terms for risk management, but other terms are also used in industry.

While the strategies for negative risks are aimed at reducing the possibility of the risk occurring or its impact, the strategies for positive risks are aimed at increasing the likelihood of the risk occurring or increasing its impact to reap the expected benefit. The strategic options available are: exploit, share, enhance or accept.

Whereas the strategies for risk treatment involve an activity being done prior to the risk event, contingent response strategies occur after the event or more accurately—after the event is known to be occurring. Events often have some preceding warning or indication. Normal project management monitoring and control is an example of a contingent response.

Once the risks have been avoided or exploited, a range of risks will remain and will need to be accepted, at least in the short term. The only way to cover for these risks is to calculate and include some reserves for costs, technical performance and schedule. Where Monte-Carlo style tools have been used, then the project manager can look up what is a reasonably likely outcome for each commitment.

Should a risk eventuate, planning has accounted for this and the item transitions seamlessly from risk to task/activity. There is no allowance for risks to become a problem (i.e. an issue), for a task/activity to become an issue or for an unforeseen problem to arise…planning has been perfect. To be clear—a risk is something that may occur and has the potential to become an issue, whereas an issue is something that is causing problems.

The first step in issue management is to record the issue in an issue log. Once in the issue log, the issue is uniquely numbered to identify it and it is then assigned to someone to resolve. Finally, the degree of impact is noted as well as the date or time required for resolution. Issue escalation is often a documented process within organisations.

Project risk management artefacts

The inputs to risk management process include:
* a project scope statement—gives an indication of the types of activities that will have risks. Each outcome and activity is a source of risks
* a schedule management plan—indicates the key milestones and external date commitments. Each of these has a potential risk of non-achievement. Lengthy activities are likely to have a greater impact
* a cost management plan—details the process for determining the budgets and contingencies. The budget will indicate the size of budget allocated to each WBS element and OBS element
* a communications management plan—indicates who needs to be informed of risks and who may be a person to interview when gathering risks
* enterprise environmental factors—includes specific handling and reporting of certain risk types and the approach to risk management. Industry groups often publish lessons learned from large projects or checklists for particular project types
* organisational process assets—include standard policies and procedures for developing risk management plans, monitoring risks and reporting risks and risk events. Lessons learned from previous projects are one of the best sources of risk-related information for a project
* activity cost estimates—include indications of the risks associated with that activity
* activity duration estimates—include indications of the impacts associated with the risks for that activity
* a scope baseline—likely to have a series of assumptions included in it. Each of these assumptions is a potential risk
* a stakeholder register—each stakeholder is likely to have a different area of expertise, different area of concern and different experience. Stakeholders can be invaluable in helping to identify potential risks and options for treatment of risks.
* a cost management plan—should be devised to alleviate some project risks, but its creation is likely to generate other risks. Therefore, the cost management plan is likely to be both an input to and an output from the risk management process
* a schedule management plan—should be devised to alleviate some project risks, but its creation is likely to generate some other risks. Therefore, the schedule management plan is likely to be both an input to and an output from the risk management process
* quality management plan—the approach to quality management is likely to generate or alleviate project risks. Therefore, the quality management plan is likely to be both an input to and an output from the quality management process
* project documents—details a number of items that are likely to be sources of risk
* project management plan—as the collection of sub-plans, the project management plan integrates all of the other plans and, in so doing, also generates risks
* performance reports
* work performance information (see Topic 10—Integration management).

Outputs of the risk management process include:
* risk management plan
* risk register
* risk-related contract decisions
* project management plan updates
* project document updates.

Risk management plan

The risk management plan details how the project will identify, evaluate, treat, monitor and communicate the risks. It should make clear the responsibilities of all project team members with regard to risk identification, mitigation and monitoring. It will define the process to be used, the risk categories to be used and the definitions of any qualitative terms such as 'severe impact' or 'highly likely'. When risk mitigation activities are approved as being cost effective or required, then the plan will include the budget and activity identification for these activities.

Risk register

The risk register (sometimes known as the risk log) is a list of each risk that has been identified on the project, with details about that risk. Depending on the tools used to analyse the risks, the details contained in the risk log vary but typically include a UID, detail, impact, likelihood, mitigation, and status.

Project risk management process

The process for project risk management comprises:
* plan risk management
* identify risks
* perform qualitative risk analysis
* perform quantitative risk analysis
* plan risk responses
* monitor and control risks.

Risk management planning is the activity related to defining the approach to risk management, the activities that will be performed, the processes that will be followed and the standards that must be obeyed. Risk management planning involves developing the risk management plan and includes scheduling a range of reviews, meetings and workshops.

Like most project management planning activities, risk management planning occurs several times throughout the project, especially when major goals are achieved, stages completed or changes occur.

Qualitative risk analysis is the process of agreeing and applying descriptive or qualitative terms to the risk's likelihood and consequences. Qualitative analysis is good for a 'first-pass' analysis to conduct as a team activity.

The key output of this group of activities is updates to the risk register.

Quantitative risk analysis involves replacing the descriptive terms used in qualitative analysis to identify consequence and likelihood with numbers. This enables a range of mathematical techniques to be used, such as Monte-Carlo analysis, tornado diagram analysis and sensitivity analysis.

The purpose of all of the risk identification and analysis activities is to understand what actions are justified in order to reduce the negative risks and increase the positive risks on the project. Risk responses are changes to the project's plan that are intended to improve the outcome of the project. The key outputs of the plan risk responses activities will be updates to the project management plan and updates to the risk register.

As the project develops, it will retire old risks and create some new risks. The risk-related activities will need to be repeated with any substantial change in project direction, scope, plan, resources or procurement.