Project Risk Management is a knowledge area that covers only 2 phases of the entire life cycle of the project. During each phase, certain processes pertaining to this knowledge area take place.

Each project contains individual risks that can affect the achievement of one or many project objectives, in a positive or negative way. The overall project risk is a combination of individual risks and of the other sources of uncertainty forms. Unmanaged threats may result in issues or problems such as delays, cost overruns, performance shortfall, loss of reputation. Opportunities that are captured can lead to reduced time and cost, improved performance, or reputation.

Overall project risk is managed by reducing drivers of negative variation, promoting drivers of positive variation, and maximizing the probability of achieving overall project objectives.

In order to ensure that all types of risk are considered, and that project risks are understood in wider context, emerging practices include: event based risks  ( seller goes out of business, the customer changes requirements, subcontractor changes operating procedures), non-event risks (variability risk – productivity different than target, testing errors different than expected, unseasonable weather conditions; ambiguity risk – requirement/technical solution, regulatory framework developments, project systemic complexity) are addressed using Monte Carlo analysis or training, prototyping, simulation; project resilience ( when unknowable-unknowns emerge the project requires to have the right level of budget and schedule contingency in addition to a specific risk budget for known risks; strong & flexible change management processes; trusted and empowered team; frequent review of early warning signs; stakeholder input for adjusting scope or strategy in response to emergent risks) ;  integrated risk management ( some higher level risks are managed by the team, while some project risks are elevated to be managed outside the project).

Tailoring project risk management processes by project size in terms of budget, duration, scope, team size (detailed vs simplified) ; project complexity in terms of high levels of innovation, new technology, commercial arrangements ,interfaces, external dependencies (robust vs simplified); project importance in terms of opportunities produced, organizational performance improvements, product innovation (increased vs simplified); development approach in terms of addressing sequentially or at the start of each iteration as well as during its execution (waterfall vs agile). the outcomes of tailoring are recorded in the risk management plan. In high-variability environments , use frequent reviews of incremental work as well as cross-functional project teams to accelerate knowledge sharing and ensure that risk is understood and managed and the requirements are updated regularly.

Project Initiation

There are no processes taken place during this phase.

Project Planning

During this phase, there are 5 processes taking place: Risk Management Planning, Risk Identification, Qualitative Risk Analysis , Quantitative Risk Analysis, Risk Response Planning.

Plan Risk Management

the process of defining how to conduct risk management activities. It should be begin when a project is conceived and should be completed early in the process. It is to be revisited at a major phase change, scope change, risk management effectiveness review. It includes things like itemizing the risk categories (market, procurement, resources, etc.), determining the timing and procedures for reassessing risks, and definitions of risk probability and impact. The plan activities are developed in meetings with selected project team members, key stakeholders, and a facilitator who help participants remain focused on the task, risk approach, sources of bias.

Inputs

1. Project charter – high-level project description and boundaries, requirements, and risks.
2. Project management plan
   • All subsidiary management plans for consistency
3. Project documents
   • Stakeholder register – details , roles, responsibilities for managing risk, as well as setting risk thresholds for he project.
4. Enterprise environmental factors – overall risk thresholds set by the organization or key stakeholders.
5. Organizational process assets – internal risk policy, risk categories organized into a risk breakdown structure, definitions of risk concepts and terms, risk statement format, templates for the risk management plan, risk register, and risk report, roles and responsibilities, authority levels for decision making, lessons learned repository.

Tools and Techniques

1. Expert judgment – on internal approach to managing risk, tailoring risk management to the specific needs of a project, types of risks expected.
2. Data analysis – Stakeholder analysis to determine the risk appetite of project stakeholders
3. Meetings – kick-off or specific planning meetings

Outputs

1. Risk management plan – describes how risk management activities will be structured and performed and includes:
   1. risk strategy (general approach);
   2. methodology (approaches, tools, data sources);
   3. roles and responsibilities (the lead, support, risk management team members for each activity and their roles);
   4. funding (identifies the funds needed and protocols for the application of contingency and management reserves);
   5. timing (when and how often processes will be performed and the risk management activities for inclusion into the project schedule);
   6. risk categories (grouped in a risk breakdown structure or in a list of categories based on project objectives, such as Technical, management, commercial, external risks);
   7. stakeholders risk appetite (measurable risk thresholds around each project objective as well well as in the definition of probability and impacts of project risks),
   8. definitions of risk probability and impacts ( project specific or internal general definitions of a detailed process (five levels and scale and impact: very high, high, medium, low, very low,nil) and a simpler one (three levels) for threats (delay, additional cost, performance shortfall or opportunities (saved time or cost, performance enhancement);
   9. probability and impact matrix ( project specific or internal prioritization rules for threats and opportunities in a probability -impact score for each risk);
   10. reporting formats (process documentation, analysis, communication as content and format of the risk register and risk report);
   11. tracking (documents how risk activities will be recorded and how risk management process will be audited).

Identify Risks

The process of identifying individual and overall project risk and documenting their characteristics by project manager, team, risk specialist, customers,experts, end users, operations and project managers, stakeholders, and risk management specialists. Risk owners for individual risks may be nominated during Identify Risks process, and confirmed during Perform Qualitative Risk Analysis process. Preliminary risk responses are identified, recorded, reviewed, and confirmed during the Plan Risk Responses process. Risk statements are to use a consistent format to distinguish from their causes and their effects to support effective analysis and response development.

Inputs

1. Project management plan
   • Requirements management plan – risky project objectives
   • Schedule management plan – ambiguous or uncertain areas
   • Cost management plan – ambiguous or uncertain areas
   • Quality management plan – ambiguous or uncertain areas or risky assumptions
   • Resource management plan – ambiguous or uncertain areas
   • Risk management plan – roles and responsibilities, the schedule and budget for risk management activities, and risk categories
   • Scope baseline – risky deliverables, acceptance criteria, WBS as a framework to structure risk identification techniques
   • Schedule baseline – uncertain milestones, due dates, and risky assumptions
   • Cost baseline – ambiguous or uncertain costs or funding requirements
2. Project documents
   • Assumption log – risky assumptions and constraints
   • Cost estimates – risky range of costs
   • Duration estimates – risky range of duration
   • Issue log – risky issues
   • Lessons learned register – recurring risks
   • Requirements documentation – risky requirements
   • Resource requirements – risky range of resource requirements
   • Stakeholder register – risk owners
3. Agreements – milestones dates, contract type, acceptance criteria, awards, penalties as threats or opportunities
4. Procurement documentation – seller performance reports, approved change requests, inspection information as threats or opportunities
5. Enterprise environmental factors – published risk databases/checklists, academic studies, bench marking results, industry studies
6. Organizational process assets – actual data files, process controls, risk statement formats, similar project checklists – influence the process

Tools and Techniques

1. Expert judgment – similar projects or business areas to identify individual and overall risks, accounting for bias
2. Data gathering –
   • Brainstorming -list of risks and their sources
   • Checklists – list of items, actions, points to be considered – from similar projects
   • Interviews – of project team, stakeholders, experts
3. Data analysis
   • Root cause analysis – to discover the underlying causes that lead to a problem, and develop preventive actions – identify threats/opportunities using a problem/ benefit statement and explore the results
   • Assumption and constraint analysis – inaccuracy, instability, inconsistency, incompleteness of assumptions = threats; removing /relaxing constraints = opportunities
   • SWOT analysis – strengths, weaknesses, opportunities, threats of the project/organization
   • Document analysis – plans, similar project files, contracts, agreements, technical documentation – ambiguity, inconsistencies
4. Interpersonal and team skills
   • Facilitation by expert to follow the method, focus on task, clear descriptions, overcome bias.
5. Prompt lists – risk categories  for idea generation – overall project risk (political, economic, social, technological, legal, environmental; technical, environmental, commercial, operational, political; volatility, uncertainty, complexity, ambiguity)
6. Meetings – risk workshop /brainstorming – done by team for small projects or include experts, sellers, sponsor, customer, stakeholders in large projects.

Outputs

1. Risk register – the results of Perform Qualitative Risk Analysis, Plan Risk Responses, Implement Risk Responses, Monitor Risks – list of individual risks, their identifier, their owners, responses, status, category, causes, impact, triggers, affected activities, timing of identification/occurrence/response/completion
2. Risk report – sources of overall risk and individual risks during Project Risk Management process; the results of Risk Qualitative and Quantitative Analysis, Plan and Implement responses and Monitor Risks processes.
3. Project documents updates
   • Assumption log – new assumptions and constraints
   • Issue log – new and changed issues
   • Lessons learned register – effective techniques

Perform Qualitative Risk Analysis

The process of prioritizing individual risks for analysis or action according to their probability of occurrence and impact as well as other characteristics. Such assessments are subjective as they are based on perceptions of risk, which introduces bias. It establishes relative priority of individual risks and risk owner (planning and implementation) prior to Quantitative analysis.  Since risk has two components – probability of occurrence, and impact, each of these factors should be prioritized on a scale of, say, 1-10.  High-medium-low works well too.

Inputs

1. Project management plan
   • Risk management plan – roles and responsibilities, budgets, schedule activities, categories, probability and impact definitions and matrix, stakeholders risk thresholds as tailored during the Plan Risk Management process or during Qualitative Analysis process as approved by sponsor.
2. Project documents
   • Assumption log – to identify,manage, monitor assumptions and constraints
   • Risk register – details of individual risk to be assessed
   • Stakeholder register – risk owners details
3. Enterprise environmental factors – industry studies, published checklists or risk databases
4. Organizational process assets – similar projects information

Tools and Techniques

1. Expert judgment – experienced in similar projects, qualitative risk analysis – facilitated workshops or interviews
2. Data gathering
   • Interviews – structured or semi structured to assess the probability, impacts
3. Data analysis
   • Risk data quality assessment – the degree of accuracy and reliability of data – through questionnaire about completeness, objectivity, relevancy, timeliness. A weighted average of selected data quality characteristics can be generated to give an overall quality score.
   • Risk probability and impact assessment – likelihood of occurrence and potential impact on schedule, cost, quality, performance -in  meetings or interviews – any differences of opinions are recorded.
   • Assessment of other risk parameters – urgency of response, timely proximity to impact, timely dormancy before impact, degree of manageability of impact, control-ability of outcome, detect-ability of occurrence, connectivity to other risks, strategic impact, propinquity/importance to stakeholders
4. Interpersonal and team skills – Facilitation
5. Risk categorization – sources of risk, the area of the project affected, phases, budget, roles, responsibilities, common root cause,
6. Data representation
   • Probability and impact matrix – mapping/grid on project objectives ( scope, cost, time) for prioritization
   • Hierarchical charts – for any 3 parameters – detect-ability, proximity, impact
7. Meetings -team risk workshop – review risks, confirming probability and impact scales, assess probability and impact, categorization, prioritization, risk owner

Outputs

1. Project documents updates
   1. Assumption log – new assumptions and constraints
   2. Issue log -new or changed issues
   3. Risk register – probability, impact, priority, owner, urgency, categorization, watch list for low risks
   4. Risk report – high probability and impact and a prioritized list of risks and a summary conclusion.

Perform Quantitative Risk Analysis

The process of numerically analyzing the combined effect of identified individual risks and other sources of uncertainty on overall project objectives. It is not required for every project, but where it is used , it is performed throughout the project. It depends on available quality data about sources of uncertainty and a sound underlying project baseline. It requires a specialized risk software and ability to interpret risk models. It is time consuming and it is justified to be used in large, complex, strategic, projects or when the sponsor or a stakeholder demands it. The results of this analysis are used in shaping the responses to risks as specified in the Plan Risk Responses process.

Inputs

1. Project management plan
   • Risk management plan – specifies whether this process is required, the resources available, and the frequency
   • Scope baseline – sets the starting point of the evaluation of effects and sources of uncertainty
   • Schedule baseline – sets the starting point to evaluate the effects and sources of uncertainty
   • Cost baseline – sets the starting point to evaluate the effects and sources of uncertainty
2. Project documents
   • Assumption log – what is deemed as risk, such as constraints.
   • Basis of estimates – used in variability model such as estimate’s purpose, classification, accuracy, methodology, source.
   • Cost estimates – as starting point for cost variability evaluation
   • Cost forecasts – estimate to complete, estimate at completion, budget at completion, to complete performance index are compared to the results of a quantitative cost risk analysis to determine the confidence level associated with these targets.
   • Duration estimates – as the starting point for schedule variability evaluation.
   • Milestone list -sets the schedule targets to which quantitative schedule risk analysis is compared
   • Resource requirements – the starting point from which the variability is evaluated.
   • Risk register – risk details to be used in evaluation
   • Risk report – describes the sources of risk and current risk status
   • Schedule forecasts – to be compared the the results of evaluation for confidence
3. Enterprise environmental factors – similar projects, published risk databases or checklists
4. Organizational process assets – similar projects

Tools and Techniques

1. Expert judgment – ability to quantify risks, to represent uncertainty, modeling techniques, selecting tools, interpreting output
2. Data gathering -Interviews – get inputs for analysis
3. Interpersonal and team skills -Facilitation – get inputs for analysis
4. Representations of uncertainty – if duration, cost, or resource requirement for an activity is uncertain, the range of possible values can be represented as a probability distribution (triangular, normal, log-normal, beta, uniform, discrete distributions). Risks may also be included in the model as probabilistic branches, where optimal activities are added to the model to represent the time and/or cost impact of the risk should it occur, and the chances that these activities actually occur in a particular simulation run matches the risk’s probability. Where risks are related (with a common cause or a logical dependency) correlation is used in the model to indicate this relationship.
5. Data analysis
   • Simulations – using Monte Carlo analysis – for cost risk, use cost estimates, for schedule risk, use network diagram and duration estimates. using both inputs results in a quantitative model. A software will use random input data (cost and duration estimates, or occurrence of probabilistic branches) to give the range of outcomes (project end date, cost at completion) as a histogram of iterations where a particular outcome resulted from the simulation. it may also determined which elements of risk model have the greatest effect on the critical path. A critical index for a risk is the frequency with which that element appears on the critical path (%).
   • Sensitivity analysis – determines which risk has the most potential impact (tornado diagram – risks, activities, sources of ambiguity)
   • Decision tree analysis – select the best alternative, as branches (decisions/events) ended in quantified outcome.
   • Influence diagrams – represent a project or situation with the project as a set of entities, outcomes, influence, and their relations. A risky element is represented as ranges or probability distributions. A Monte Carlo analysis is used to determine which elements have the greatest impact. the output is a S-curve or tornado diagrams.

Outputs

1. Project documents updates – Risk report to include the results of analysis.:
   1. assessment of overall project risk exposure (probability to succeed and the range of possible outcomes); detailed probabilistic analysis of the project.
   2. detailed probabilistic analysis of the project – (S-curves, tornado diagrams, criticality analysis) and a narrative interpretation of the results (amount of contingency reserve needed for confidence, the most influential risks, major drivers of risk.
   3. prioritized list of individual risks – that pose the greatest threat or opportunity, per sensitivity analysis.
   4. trends in analysis results – after several iterations
   5. recommended risk responses – to the level of overall risk exposure or key risks. these recommendations are inputs to the Plan Risk Responses process.

Plan Risk Responses

The process of developing options, selecting strategies, , agreeing on actions to address overall project risk exposure, as well as to treat individual project risks. The purpose is to identify ways to address risks, by allocating resources and defining activities into master plan in order to minimize threats, maximize opportunities and reduce risk. Once risks have been identified, analyzed, prioritized ans assigned, activities (primary and backup)are planned. Risk responses are to be appropriate to risk significance, cost effective, realistic, approved, and owned. For large projects, use a mathematical optimization model for a robust economic analysis of strategies. Secondary risks arise from implementing a risk response. A contingency reserve is allocated for time or cost.

Inputs

1. Project management plan
   • Resource management plan -how resources for responses are coordinated
   • Risk management plan – roles and responsibilities and risk thresholds
   • Cost baseline – contingency funds for risk response.
2. Project documents
   • Lessons learned register – find similar responses
   • Project schedule – determined scheduling response along side project activities.
   • Project team assignments – show the resources to be allocated for response
   • Resource calendars – show when resources are available for responses
   • Risk register – high priority threats or opportunities require priority action by an owner and some preliminary responses, root causes, risk triggers, warning signs, immediate risks responses or additional analysis.
   • Risk report – current risk exposure, list of risks in priority order, distribution of risks
   • Stakeholder register – owners of risk responses
3. Enterprise environmental factors – the risk appetite and thresholds of key stakeholders influence the plan risk responses process
4. Organizational process assets – templates for the risk management plan, risk register, risk report, historical databases, lessons learned.

Tools and Techniques

1. Expert judgment –  subject matter experts in strategies for threat, opportunity, contingent, overall project risk response
2. Data gathering – (structured/semi-structured )Interviews with risk owners and other stakholders
3. Interpersonal and team skills
   • Facilitation
4. Strategies for threats
5. Strategies for opportunities
6. Contingent response strategies
7. Strategies for overall project risk
8. Data analysis
   • Alternatives analysis
   • Cost-benefit analysis
9. Decision making
   • Multicriteria decision analysis

Outputs

1. Change requests
2. Project management plan updates
   • Schedule management plan
   • Cost management plan
   • Quality management plan
   • Resource management plan
   • Procurement management plan
   • Scope baseline
   • Schedule baseline
   • Cost baseline
3. Project documents updates
   • Assumption log
   • Cost forecasts
   • Lessons learned register
   • Project schedule
   • Project team assignments
   • Risk register
   • Risk report

Project Execution

There is one process taken place during this phase.

Implement Risk Responses

The process of implementing agreed upon  risk response plans

Inputs

1. Project management plan
   • Risk management plan
2. Project documents
   • Lessons learned register
   • Risk register
   • Risk report
3. Organizational process assets

Tools & Techniques

1. Expert judgment
2. Interpersonal and team skills
   • Influencing
3. Project management information system

Outputs

1. Change requests
2. Project documents updates
   • Issue log
   • Lessons learned register
   • Project team assignments
   • Risk register
   • Risk report

Project Controlling

In this phase, 1 process takes place: Risk Monitoring and Control.

Monitor Risks

The process of monitoring the implementation of agreed upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project.

Inputs

1. Project management plan
   • Risk management plan
2. Project documents
   • Issue log
   • Lessons learned register
   • Risk register
   • Risk report
3. Work performance data
4. Work performance reports

Tools and Techniques

1. Data analysis
   • Technical performance analysis
   • Reserve analysis
2. Audits
3. Meetings

Outputs

1. Work performance information
2. Change requests
3. Project management plan updates
   • Any component
4. Project documents updates
   • Assumption log
   • Issue log
   • Lessons learned register
   • Risk register
   • Risk report
5. Organizational process assets updates

Project Closure

There are no processes taken place during this phase.

Previous Knowledge Are: Project Communications Management

Next Knowledge Area: Project Procurement Management

Home: Project Management Resources