Project Risk and Cost Analysis

1
Project Risk and Cost Analysis
Michael S. Dobson, PMP

Deborah S. Dobson, M.Ed.
Chapter 8 contains material on preparing a network diagram and scheduling that was originally published in a slightly
different form in Chapter 5 of Managing Multiple Projects, Dobson and Dobson (New York: American M anagement
Association, 2011).
Reprinted by permission of the publisher. www.amacombooks.org.
2012 American M anagement Association. All rights reserved. This material may not be reproduced, stored in a retrieval
system, or transmitted in whole or in part, in any form or by any means, electronic, mechanical, photocopying, recording, or
otherwise, without the prior written permission of the publisher.
ISBN-13: 978-0-7612-1492-2
ISBN-10: 0-7612-1492-5
Printed in the United States of America.
AM ACOM Self Study Program
http://www.amaselfstudy.org/
AM ERICAN M ANAGEM ENT ASSOCIATION
http://www.amanet.org
10 9 8 7 6 5 4 3 2 1
Contents
About This Course

How to Take This Course
Introduction
Pre-Test
Chapter 1: Introduction to Project Risk and Cost Analysis

Learning Objectives
Fundamental Concepts of Risk and Risk Management
Risk Defined
The Value of a Risk
Types of Risk
Risk Management Defined
Cost Analysis and Risk Management Planning
Recap
Review Questions
Chapter 2: Risk Identification

Learning Objectives
Identifying Risks
Risk Register
Risk ID
Description of Risk
Category of Risk
Where Found?
Probability of Occurrence
Nature and Degree of Impact
Risk Rating
Disposition
Comments
How to Identify Risks

Systematic Risk Identification
Documentation
Brainstorming
Diagramming Techniques
Checklists
Expert judgment
Output from Risk Identification Process

Recap
Review Questions
Chapter 3: Qualitative Risk Analysis

Learning Objectives
Introduction to Risk Analysis
Qualitative Risk Analysis
Quantitative Risk Analysis

Start
Impact
Probability
Urgency
Ownership
Solution
Acceptability
Risk Triage and Other Risk Analysis Processes

Recap
Review Questions
Chapter 4: Tools for Qualitative Risk Analysis

Learning Objectives
Qualitative Risk Analysis Tools
Assessing Probability and Impact
Establishing Ranges
Risk Thresholds
Combining Probability and Impact

Calculating Risk Scores with Non-Numerical Information
Developing a Risk Ranking for a Project

Updating the Risk Register and Developing a Risk Information Sheet
Recap
Review Questions
Chapter 5: Statistical Foundations of Quantitative Risk and Cost

Analysis
Learning Objectives
Quantitative Risk and Cost Analysis Fundamentals
A Statistic
The Law of Large Numbers
Probability, Odds, and Throwing Dice
Basic Rules of Probability

Distribution
Normal Distribution
Measures of Central Tendency: Mean, Median, and Mode
Normal and and Other Distributions
Standard Deviation
Other Types of Distributions

Recap
Review Questions
Chapter 6: Risk Cost Analysis

Learning Objectives
Introduction to Cost Risk Analysis
Classical Risk
Risk Cost Analysis
Insurance as a Model for Risk Cost Analysis
Contingency Allowance and Contingency Reserve
Pricing Insurance Risk

Risk Premiums
Insurance Risk with Low Variation
Insurance Risk with High Variation
Additional Factors in Risk Decisions
Black Swan Events
Developing a Final Risk Price
Recap
Review Questions
Chapter 7: Quantitative Cost Analysis Tools

Learning Objectives
Quantitative Cost Analysis
Cost Estimating Under Uncertainty
Cost Risk Analysis Tools
Cost-Benefit Analysis
Expected Monetary Value (EMV)
Decision Tree Analysis
Sensitivity Analysis
Recap
Review Questions
Chapter 8: Quantitative Schedule Analysis Tools

Learning Objectives
Sensitivity Analysis for Scheduling Issues
Schedule Risk Analysis
Schedule Development
Network Diagramming and Critical Path Analysis
Forward and Backward Pass
Critical Path and Float
Types of Schedule Risk
Three-Point Estimating Techniques

Program Evaluation and Review Technique (PERT)
Monte Carlo Simulation
Recap
Review Questions
Chapter 9: Risk Response Planning

Learning Objectives
Organizing for Risk Response Planning
Residual and Secondary Risk

Residual Risk
Secondary Risk
Multi-Stage Solutions
Managing Threats
Avoidance
Transfer
Mitigation
Managing Opportunities
Exploit
Enhance
Share
Managing Acceptance
Contingent Responses
Acceptance
Implementing Risk Response Strategies

Recap
Review Questions
Chapter 10: Risk Monitoring and Control

Learning Objectives
Risk Management Processes in Project Execution, Monitoring and Control, and
Closeout
Risk Management Plans and Policies
Risk Management Policy Development
Philosophy, Approach, Scope
Risk Management Methodology and Process
Project Risk Monitoring and Control Systems

Managing the Project Risk Environment
Establishing Risk Metrics and Early Warning Indicators
Earned Value Project Management
Implementing and Monitoring Risk Responses
Corrective Actions and Unplanned Responses
Watching Watch and Wait Risks
Change Management and Risk

Planning for Changes
Managing Unplanned Change
Revisiting Risk Identification and Risk Analysis

Closing Risks
Risk Management and Project Lessons Learned

Recap
Review Questions
Answers to Exercises and Case Studies

Exercise 1-1. Managing Important Risks
Exercise 1-2. Your Current Risk Management Process
Exercise 1-3. What You Spend on Risk Management
Exercise 2-1. Risk Identification Practice
Exercise 2-2. SWOT Analysis
Exercise 3-1. Cause-and-Effect Diagram
Exercise 4-1. Establishing Risk Thresholds

Exercise 4-2. Ranking Risks
Exercise 4-3. Prepare a Risk Information Sheet
Exercise 5-1. Probability Practice
Exercise 5-2. Calculate a Standard Deviation
Exercise 6-1. Greater Accident Variation
Exercise 6-2. Premium Income and Claims Outlays
Exercise 6-3. Pricing Risk
Exercise 7-1. Deterministic or Probabilistic?
Exercise 7-2. Calculating Expected Monetary Value (EMV)
Think About It (Decision Tree)
Exercise 7-3. Decision Tree
Exercise 7-4. Sensitivity Analysis
Exercise 8-1. Critical Path
Exercise 8-2. Scheduling with PERT Estimates
Exercise 8-3. Calculating Standard Deviation for a Path or Network
Exercise 9-1. Risk Response Planning
Exercise 9-2. Residual and Secondary Risk
Exercise 9-3. Types of Risk Response
Exercise 10-1. Earned Value Method (EVM) Performance Index Ratios
Bibliography and Recommended Reading
Glossary
Post-Test
Index
List of Exercises
Think About It!
Think About It!
Think About It! (Decision Tree)
Think About It!
Think About It!
Think About It!
Exercise 10-1. Earned Value Method (EVM) Performance Index Ratios
Think About It!
List of Exhibits
Exhibit 2-1. Risk Register Categories
Exhibit 2-2. Questioning Risks
Exhibit 2-3. Sample Risk from a Requirements Document
Exhibit 2-4. Sample Risk from a Project Charter or Statement of Work
Exhibit 2-5. Sample Risk from a Work Breakdown Structure (WBS) Work Package
Exhibit 2-6. Common Types of Documentation for Risk Identification
Exhibit 2-7. Brainstorming Rules
Exhibit 2-8. Negative Brainstorming
Exhibit 2-9. Cause and Effect Diagram
Exhibit 3-1. Risk Triage Process
Exhibit 3-2. Cause-and-Effect Diagram for Impact Analysis
10
Exhibit 3-3. Probability Boosters

Exhibit 3-4. Risk Triage Categories and Next Steps
Exhibit 4-1. Levels of knowledge
Exhibit 4-2. Risk Matrix
Exhibit 4-3. Rating Scale
Exhibit 4-4. Total Risk Exposure
Exhibit 4-5. Measuring Total Project Risk
Exhibit 4-6. Risk Information Sheet
Exhibit 5-1. Basic Probabilities with One Six-Sided Die
Exhibit 5-2. Basic Probabilities Rolling One Die Twice
Exhibit 5-3. Mathematical Descriptions of Probability
Exhibit 5-4. Sum of Two Dice
Exhibit 5-5. Distribution of Outcomes Rolling Two Dice
Exhibit 5-6. Normal Distribution
Exhibit 5-7. Analyzing a Normal Distribution
Exhibit 5-8. Analyzing a Skewed Distribution
Exhibit 5-9. Flat and Narrow Normal Distributions
Exhibit 5-10. Standard Deviation
Exhibit 5-11. Calculating Standard Deviations
Exhibit 5-12. Percent of Cases within 1, 2, and 3 Standard Deviations in a Normal
Distribution
Exhibit 6-1. Assumptions for Insurance Case Study
Exhibit 6-2. Effect of Premium Change on Net Income (Loss)
Exhibit 6-3. Recommended Risk Price
Exhibit 6-4. Financial Results over Eleven Years
Exhibit 7-1. Cost-Benefit Analysis
Exhibit 7-2. Expected Monetary Value (EMV)
Exhibit 7-3. Decision Tree
Exhibit 7-4. Sensitivity Analysis
Exhibit 8-1. Arrow vs. Node
Exhibit 8-2. Network Diagram
Exhibit 8-3. Forward Pass
Exhibit 8-4. Backward Pass
Exhibit 8-5. Critical Path and Float
Exhibit 8-6. Types of Schedule Risk
Exhibit 8-7. Historical Times for a Common Task
Exhibit 8-8. PERT Formulas
Exhibit 8-9. Confidence Levels
Exhibit 8-10. Monte Carlo Input Screen
Exhibit 8-11. Monte Carlo Simulation Results
Exhibit 9-1. Six Tips for Risk Response Planning
Exhibit 9-2. Questions That Shape Risk Responses
Exhibit 10-1. Organizational Considerations for Risk Management Policy
Exhibit 10-2. Earned Value Method (EVM) Performance Index Ratios
Exhibit 10-3. Sample Risk Response Action Plans
11
About This Course
In this new Self-Study course, Project Risk and Cost Analysis, we focus on risk in the context of
project management, primarily in the area of risks effects on project costs, with emphasis on the
many modern tools that help you and your organization quantify and manage project risk. You will
learn how to perform a formal risk and cost analysis, apply the Earned Value Method to risk
management, and adjust schedule and budget reserves appropriately for your project conditions.
We will follow the basic project risk management approach as laid out in A Guide to the
Project Management Body of Knowledge (PMBOK Guide), 4th Edition, popularly known as the
PMBOK Guide, along with other sources listed in the bibliography and suggested reading. Risk
cuts across many disciplines, not merely project management, and we strongly encourage you to
read and study widely. In the wise words of the classic science fiction film Plan 9 from Outer
Space (1959), We are all interested in the future, for that is where you and I are going to spend the
rest of our lives.
Michael S. Dobson, PMP, is an internationally known authority on project management and
author of 22 previous books, including The Jugglers Guide to Managing Multiple Projects
(PMI, 1999). As principal of Dobson Solutions (www.dobsonsolutions.com) and the Sidewise
Institute (www.sidewiseinsights.com), Michael consults, speaks, and trains on project management
topics throughout the world. His clients range from the U.S. Navys nuclear propulsion program to
Calvin klein Cosmetics. As an operating executive and project manager, Michael has been vice
president, Discovery Software International; vice president, Games Workshop; and director of
marketing and games development, TSR, Inc. He was part of the team that built the Smithsonian
Institutions National Air and Space Museum in the 1970s. He holds a bachelors degree from the
University of North Carolina at Charlotte.
Deborah S. Dobson, M.Ed., is assistant vice president/director of leadership and
organizational development for Science Applications International Corporation (SAIC), a 44,000person Fortune 500 scientific, engineering, and technology applications company. She was
previously a senior vice president with broadline foodservice distributor US Foodservice, and
division vice president of GATX Terminals. She is the co-author of Enlightened Office Politics
(AMACOM, 2001), Managing UP! (AMACOM, 2000), and Coping with Supervisory
Nightmares (SkillPath, 1997), and most recently a contributing author to the International Society
for Performance Improvements Handbook of Improving Performance in the Workplace
(Volume 1: Instructional Design and Training Delivery) (Pfeiffer, 2010). She holds a masters
degree in Education from Loyola University Maryland and completed her undergraduate degree at
Towson State University, also in Maryland.
The Dobsons live in Bethesda, Maryland.
12
This course consists of text material for you to read and three types of activities (the pre/post tests,
in-text exercises, and end-of-chapter review questions) for you to complete. These activities are
designed to reinforce the concepts brought out in the text portion of the course and to enable you to
evaluate your progress.
PRE-TEST AND POST-TEST

A pre-test and post-test are included in this course. Take the pre-test before you study any of the
course material to determine the amount of prior knowledge you have on the subject matter. Submit
one of the scannable answer forms enclosed with this course for grading. On return of the graded
pre-test, complete the course material. Take the post-test after you have completed all the course
material. By comparing results of the pre-test and the post-test, you can measure how effective the
course has been for you.
To have your pre-test and post-test graded, please mail your answer forms to:
American Management Association
Educational Services
P. O. Box 133
Florida, NY 10921
All tests are reviewed thoroughly by our instructors and will be returned to you promptly.
If you are viewing the course digitally, the scannable forms enclosed in the hard copy of AMA
Self-Study titles are not available digitally. If you would like to take the course for credit, you will
need to either purchase a hard copy of the course from www.amaselfstudy.org or you can purchase
an online version of the course from www.flexstudy.com.
THE TEXT
The most important component of this course is the text, for it is here that the concepts and methods
are first presented. Reading each chapter twice will increase the likelihood of your understanding the
text fully.
We recommend that you work on this course in a systematic way. Only by reading the text and
working through the exercises at a regular and steady pace will you get the most out of this course
and retain what you have learned.
13
In your first reading, concentrate on getting an overview of the chapters contents. Read the
learning objectives at the beginning of each chapter first. They serve as guidelines to the major topics
of the chapter and enumerate the skills you should master as you study the text. As you read the
chapter, pay attention to the headings and subheadings. Find the general theme of the section and
see how that theme relates to others. Dont let yourself get bogged down with details during the first
reading; simply concentrate on remembering and understanding the major themes.
In your second reading, look for the details that underlie the themes. Read the entire chapter
carefully and methodically, underlining key points, working out the details of the examples, and
making marginal notations as you go. Complete the exercises.
EXERCISES
Interspersed with the text in each chapter you will find numbered exercises. These take a variety of
forms, including brief essay, short answer, charts, and questionnaires. Answers to many of the
exercises can be found in the back of the book in the section titled Answers to Exercises and Case
Studies.
THE REVIEW QUESTIONS

After reading a chapter and before going on to the next, work through the review questions. By
answering the questions and comparing your own answers to the answers provided, you will find it
easier to grasp the major ideas of that chapter. If you perform these self-check exercises
conscientiously, you will develop a framework in which to place material presented in later chapters.
GRADING POLICY
The American Management Association will continue to grade examinations and tests for one year
after the courses out-of-print date.
If you have questions regarding the tests, the grading, or the course itself, call Educational
Services at 1-800-225-3215.
14
Introduction
I cannot conceive of any vital disaster happening to this vessel. Modern shipbuilding has gone
beyond that.
RMS Titanic Captain Edward J. Smith, 1907
We are ready for any unforeseen event that may or may not occur.
Dan Quayle, quoted in Cleveland Plain Dealer, 27 September 1990
Things dont always go according to plan. Thats why we have risk management.
In the case of RMS Titanic, both management and operations thought the risk of catastrophe
was low, and indeedmeasured objectivelyit was. The Titanic was, in many respects, a marvel
of safety engineering, with watertight compartments designed to keep it buoyant even in case of
collision. It traveled in shipping lanes filled with other ships, so that even in case of disaster, help
would arrive quickly. All of these steps reduced the risk, but as we all know, did not eliminate it
altogether.
A report on the late-2000 financial crisis by the leaders of the Group of Twenty (G20) nations
focused on the failure of risk management as one of the root causes. They wrote, During a period
of strong global growth, growing capital flows, and prolonged stability earlier this decade, market
participants sought higher yields without an adequate appreciation of the risks and failed to exercise
proper due diligence. At the same time, weak underwriting standards, unsound risk management
practices, increasingly complex and opaque financial products, and consequent excessive leverage
combined to create vulnerabilities in the system. Policy-makers, regulators and supervisors, in some
advanced countries, did not adequately appreciate and address the risks building up in financial
markets, keep pace with financial innovation, or take into account the systemic ramifications of
domestic regulatory actions. When risk management fails, the damage can be incalculable.
Risk, fundamentally, is the measurement of uncertainty about the future as it applies to usour
project objectives, corporate goals, or personal goals. How long will the project take? How much
will the project cost? Will the project be successful? The answer is, of course, that even when
probability is firmly on our side, certainty is elusive. We can make educated guesses; we can analyze
probability; we can identify potential scenarios. But we dontwe cantknow, at least not until an
event happens, or until we pass the point when the event could happen.
Lack of knowledge, however, does not equal helplessness. Risk management and cost analysis
provide tools to help us measure the limits of our knowledge, estimate the range of potential futures,
and empower us to take action.
The discipline of risk and cost analysis helps managersproject and othersintegrate risk into
cost proposals and estimates, to determine the likelihood of achieving cost objectives, to determine
15
appropriate levels of reserve, and to establish a common vocabulary to enable project teams to
manage risks effectively.
Managers and leaders are often asked to provide cost estimates under conditions of
uncertainty, and then to manage according to those estimates regardless of subsequent events or
issues. To do that, the estimates have to take into account uncertainty: they must measureand act
uponrisk.
Risk management as a formal discipline is a relatively recent idea. Before the development of
statistics beginning in the 17th century, the modern word risk didnt even appear in the English
language! Uncertainty, of course, was well known. The ancients sacrificed animals to the local gods
as insurance against risk, and prayer is still a well-known and well-respected response to lifes many
dangers: From lightning and tempest; from earthquake, fire, and flood; from plague, pestilence, and
famine/Good Lord, deliver us. (Book of Common Prayer, 148)
The root of the word risk goes back to Homers Odyssey: when the crew of Odysseus ship
are devoured by the monster Scylla, Odysseus survives by clinging to the roots (rhiza) of a fig tree
high atop a cliff face. This became a metaphor for any difficulty or danger at sea, evolving into the
Latin risicum and the Spanish risico. As the first use of what we think of as modern risk
management involved sea trade, it was altogether natural that the word, stripped now of its naval
heritage, became a stand-in for all sorts of danger.
In common language, risk is often used as a synonym for bad potential events, but risks can be
positive as well. A stock market investment can gain as well as lose in value; a technology business
started in a garage can turn into Hewlett-Packardor end up in an even smaller garage.
Nobel physicist Niels Bohr and baseball malapropist Yogi Berra are both credited as having
said, Prediction is hardespecially when its about the future. The future is, indeed, uncertain.
How long will it take? How much will it cost? The answer to those questions often depends on
events that havent happened yet. What if something goes wrong? Alternatively, what if we get
lucky?
Risk management doesnt (and cant) predict the future. It is instead an attempt to measure the
uncertainty of the future as it applies to the objectives of the project, no matter whether those events
are negative (downside risks) or positive (upside risks). We identify risks, we analyze risks, we
develop potential responses to risks, we execute our response plansand we adjust as necessary.
Good luck!
16
Pre-Test
Course Code 98008

INSTRUCTIONS: Record your answers on one of the scannable forms enclosed. Please follow the
directions on the form carefully. Be sure to keep a copy of the completed answer form for
your records. No photocopies will be graded. When completed, mail your answer form to:
P.O. Box 133
Florida, NY 10921
Self-Study titles are not available digitally. If you would like to take the course for credit, you
will need to either purchase a hard copy of the course from www.amaselfstudy.org or you can
purchase an online version of the course from www.flexstudy.com.
1. Qualitative risk analysis is defined as:
(a) numerically analyzing the effect of identified risks on overall project objectives.
(b) measuring the accuracy and quality of risk data in objective terms.
(c) identifying risks that may affect your project.
(d) prioritizing risks for further analysis by assessing and combining their probability and
impact.
2. If the cost of insurance for a particular risk is greater than the value of the underlying risk, the
difference between the two numbers is known as:
(a) risk premium.
(b) contingency reserve.
(c) degree to which the policy is overpriced.
(d) price-to-book ratio.
3. One category of threat risk response is:
(a) mitigation.
(b) exploitation.
17
(c) sharing.
(d) enhancement.
4. If there is a 20% probability of an event that would cost the project $20,000, what is the
value of the risk?
(a) $20,000
(b) $4,000
(c) $24,000
(d) $2,000
5. To run a Monte Carlo simulation program, you must first:
(a) prepare three-point estimates for task durations.
(b) perform decision tree analysis of make vs. buy options.
(c) calculate the root sum square of the schedule standard deviation for tasks on the critical
path.
(d) perform a full PERT analysis of the schedule network.
6. In developing risk responses for opportunities, you may consider:
(a) avoidance.
(b) mitigation.
(c) transfer.
(d) sharing.
7. What does a project network diagram do?
(a) Displays a project schedule graphically
(b) Shows a project schedule as a bar graph over time
(c) Connects project resources with project activities
(d) Establishes the communication plan for the project
8. How does negative brainstorming differ from conventional brainstorming?
(a) Negative brainstorming is the result of failure of a conventional brainstorming.
(b) Negative brainstorming allows criticism and evaluation of ideas during the process.
(c) Negative brainstorming looks at the potential problems with conventional brainstormed
answers.
(d) Negative brainstorming involves brainstorming a negative question to identify downside
risks.
9. What is a characteristic of a black swan event?
(a) Hard to predict and rare
(b) Something that cannot possibly occur
(c) Conforms to project assumptions
(d) Has a relatively small impact
10. To compare costs and benefits, you must:
(a) describe all costs and benefits in deterministic form.
(b) perform expected monetary value analysis on costs and benefits impacting 10% or more
of total project value (TPV).
(c) perform a PERT analysis of the project network to determine schedule risk.
(d) quantify all aspects of the project in the same unit of measurement and at the same point
in time.
11. In the PMBOK model, which of the following processes involves studying risks to
understand their nature, probability, and impact?
18
(a)
(b)
(c)
(d)
Risk response planning

Risk identification
Risk monitoring and control
Risk analysis
12. What does a decision tree analysis do?

(a) Filters risks during qualitative risk analysis
(b) Shows causes and effects of risks in a fishbone diagram
(c) Calculates total risk exposure on a project
(d) Compares expected monetary values (EMV) of different alternatives, choices, or
conditions
13. What is the probability that you will not roll a 4 or a 6 on a six-sided die?
(a) 2/6
(b) 2/12
(c) 4/24
(d) 4/6
14. The confidence level for a project measures:
(a) how much we know about project risks.
(b) how good the project managers track record has been.
(c) how stable the customers requirements will be.
(d) how likely the project will finish on or before a given date.
15. What technique should you use to perform risk triage of your identified risks?
(a) Cause-and-effect diagramming
(b) Filtering
(c) PERT analysis
(d) Risk response planning
16. Which measure of central tendency describes the average of a group of numbers?
(a) Median
(b) Mode
(c) Mean
(d) Medium
17. When you write a risk as an ifthen statement, what are the two parts called?
(a) Business risk and pure risk
(b) Condition and consequence
(c) Probability and impact
(d) Problem and solution
18. Which of the following words is one of the named categories in a SWOT analysis?
(a) Supervision
(b) Wildly-Aimed Guess
(c) Other Factors
(d) Threat
19. Convergence risk is the risk that:
(a) a task will take longer than scheduled.
(b) a sequence of dependent tasks will take longer than scheduled.
(c) critical tasks will take longer than scheduled.
19
(d) at least one predecessor of a task with multiple predecessors will take longer than
scheduled.
20. What does a risk matrix do?
(a) Combines word descriptions of probability and impact into a grid
(b) Applies a numerical scale to risk probability and impact
(c) Classifies risks when probability and impact are known and definite
(d) Supports Boolean analysis of risk data
21. In qualitative risk analysis, what can you do with the risks you identify?
(a) Avoid, transfer, or accept them
(b) Exploit, enhance, or share them
(c) Accept them or prepare a contingent response
(d) Accept, transfer, or do something about the risk
22. A risk management plan should be prepared:
(a) only after important project milestones have been missed.
(b) as an integral part of any well-prepared project management plan.
(c) as part of a postmortem project review.
(d) after serious organizational consequences have been incurred.
23. One strategy for approaching risks that are very low in probability but potentially catastrophic
in outcome is:
(a) decision-tree analysis.
(b) cost-benefit analysis.
(c) Monte Carlo simulation.
(d) multi-stage solution.
24. Business risk differs from pure risk in what way?
(a) Business risk is about the potential for loss.
(b) To manage a business risk, you can purchase insurance.
(c) Business risk combines the possibility of positive and negative outcomes in the same
decision or event.
(d) Business risk is upside risk.
25. In risk management, a cause-and effect diagram allows you to:
(a) find better solutions to specific risks.
(b) find the critical path in a project network diagram.
(c) brainstorm root causes of risk in a structured fashion.
(d) filter risks during qualitative risk analysis.
20
1
Introduction to Project Risk and Cost Analysis
Learning Objectives
By the end of this chapter, you will be able to:
Define the terms risk and risk management, upside and downside risk, pure and business risk.
Describe the fundamental formula for pricing a risk.
Identify the two ways to manage pure risk and the four ways to manage business risk.
List the five steps in the project risk management process.
Explain why it is necessary to update a risk management plan throughout the project lifecycle.
Identify the three categories of risk management costs and provide examples of each.
Estimated timing for this chapter:

Reading
40 minutes
Exercises
1 hour 30 minutes
Review Questions 10 minutes
Total Time
2 hours 20 minutes
FUNDAMENTAL CONCEPTS OF RISK AND RISK MANAGEMENT

We often dontand cantbe sure whats actually going to happen. There is often more than one
possibility. Depending on the likelihood and potential impact of these possibilities, some strategies
increase your chances of good results. Understanding the potential environment and making choices
are the essence of managing risk.
The goal of risk management is not to predict the future. The goal of risk management is to
21
make decisions in the present. Risk and risk management are widely misunderstood, so its
important to establish some fundamental concepts about the topic. In this section, well identify and
define common terms in project risk and cost analysis to provide a common basis going forward.
RISK DEFINED
There are a number of common definitions of risk:
Merriam-Webster Dictionary: Possibility of loss or injury; a person or thing that is a specified
hazard to an insurer.
Princeton WordNet: a source of danger; a possibility of incurring loss or misfortune.
Wikipedia: The deviation of one or more results of one or more future events from their expected
value; the value may be positive or negative.
Dictionary.com: Exposure to the chance of injury or loss; a hazard or dangerous chance.
PMBOK Guide: Risk is an uncertain event or condition that, if it occurs, has an effect on at least
one project objective.
Most definitions of risk focus on the possibility of adverse events: loss, injury, or hazard. But risktaking often has a positive connotation. Famed management theorist Peter Drucker argues, To take
risks is the essence of economic activity. (Drucker, 125) successful risk-takers are often praised
and lauded. If indeed risk is only about the negative, such praise is hard to understand.
Both the PMBOK Guide and Wikipedia acknowledge the more complicated truth: while risk
certainly includes the possibility of adverse effects, it can also include the possibility of positive
effects as well. Some 80% of businesses fail within five years, but the leaders of the remaining 20%
may become very rich indeed.
What all the definitions agree upon, however, is that risk is about the uncertainty of future
events. There is always a possibility that things can go wrong, but there is also a possibility of
potential gain. Problems are in the here-and-now; the risks with which we are concerned mayor
may notoccur.
The PMBOK Guide definition of risk limits the discussion to potential events that might affect
project objectives. However, there is also the possibility of collateral damage (or benefit). For
example, a project may successfully dispose of hazardous waste in a way that achieves its internal
objectives and benefits the company, yet negative effects may land on the shoulders of other people.
Conversely, a project that is a failure on its own terms may provide secondary benefits. In
1968, 3M research scientist Dr. Spence Silver invented an unusual adhesive that did not stick very
strongly. It was useless and the project was abandoned. It was not until 1974 that another 3M
researcher, art Fry, had problems with bookmarks falling out of his hymnbook, and thought of the
long-abandoned weak adhesive. The result, of course, was Post-It notes.
For the purposes of our discussion, well modify the PMBOK Guide definition slightly: Risk is
an uncertain event or condition that if it occurs will have a significant impact, whether negative
(downside risk) or positive (upside risk). Our definition is agnostic as to whether the risk must
affect a project objective or something outside the official boundary of the project.
This implies two conditions: the uncertainty and the effect. Uncertainty is measured as a
likelihood or probability of the event. Sometimes our knowledge of the probability is quite accurate;
other times we have very little idea whether the event is likely to happen or not. Sometimes we
know the effect; at other times the effect is itself uncertain. The effect of a car accident covers quite
a range, from the trivial to the catastrophic. By comparison, a problem, because its something that
has already happened, only contains an effect.
22
THE VALUE OF A RISK

The fundamental formula for pricing a risk is to multiply its probability of occurrence by the cost if it
should occur, expressed as:
Risk = Probability Impact
If there is one chance in ten that a risk event will cause you to lose $1,000, we say the value of the
risk is 10% $1,000, or $100. That implies that if you can avoid the risk at a cost of less than
$100, theres a presumption that this would be a good investment.
Theres more to a risk decision than that, of course. For example, what if the cost of getting rid
of the risk is $101? should you pay the extra $1? What else could you do with that $100 if you
chose to accept the risk instead? are you really sure that those numbers are accurate in the first
place? What about the upside risk? If theres a 90% chance youll make $2,000, a 10% chance of
losing $1,000 may be a completely reasonable risk to take.
The base value of the risk isnt necessarily the final value of the risk, because not all
considerations lend themselves to being expressed in financial terms. However, the financial basis of
any risk is certainly information worth knowing, and often influences the appropriate decision.
TYPES OF RISK
Downside risk, as weve established, is the likelihood of a negative outcome from an uncertain event
or condition, and upside risk is the likelihood of a positive outcome.
Pure risk (also known as insurable risk) is a risk situation that only has a negative outcome. If
the negative outcome doesnt happen, you dont receive a benefit, but only avoid a loss. The
possibility of your being in a car accident, for example, is a pure risk. If it doesnt happen, your
life continues the way it was; the best you can do is avoid the downside.
Business risk, on the other hand, combines the possibility of positive and negative outcome in the
same decision or event. If you buy stock, for example, theres a possibility that the stock will
increase in value, and a possibility that the stock will decrease in value.
Theoretically, there are also risks that are pure upside, with no cost or effort that needs to be
invested to achieve the result, and no negative consequence (status quo) for failing to achieve them.
These are normally considered outside the sphere of risk management thinking because theres no
real decision that must be made: they are the essence of no-brainer.
There are two basic ways to change the value of a risk: you can change the likelihood that it
will happen, or you can change the impact or consequences if it does happen. To make it less likely
that youll be in an accident, you can drive safely. Obeying the speed limit, being sober, paying
attention, and keeping both hands on the wheel lower the chance of being in an accident. To make it
less expensive to be in an accident, you can buy car insurance. (The total financial effect of an
accident isnt actually changed by the act of buying insurance. What changes is who signs the
check.)
Pure risks have a cost if they occur, and there is normally a cost associated with reducing or
eliminating them: theres a cost of being in a car accident and theres a cost associated with buying
insurance. The risk mitigation cost is what you would need to spend (including the effort involved
in improving your driving skill) to reduce the risk to an acceptable level. When you make decisions
about risks, you are comparing the risk mitigation cost to the cost of simply accepting the risk
23
doing nothing about it unless the risk should actually occur.

In managing business risk, you have to consider the costs and benefits of both the upside and
downside possibilities. To improve your outcome as a stock market investor, you can improve the
potential outcome of your investments four ways:
Reduce likelihood of negative outcomes. Pick safer stocks.

Reduce impact of negative outcomes. Invest smaller amounts.
Increase likelihood of positive outcomes. Pick stocks with the possibility of large gains.
Increase impact of positive outcomes. Invest greater sums of money.
It will be obvious that any of these strategies taken to excess is inappropriate. Picking safer stocks
and investing smaller amounts reduces the chance of positive outcomes as well as negative ones.
Stocks with the potential of big gains often have uncertainty associated with them (or else the price
would already have gone up), so larger investments increase the potential impact of losses.
Balancing upside and downside risk has elements of both art and science. As you can see, risk
plays an important consideration in virtually every aspect of business and life. Indeed, virtually every
conceivable management activity involves developing and executing risk management strategies. As
Drucker continues, While it is futile to try to eliminate risk, and questionable to try to minimize it, it
is essential that the risks being taken must be the right risks. (Drucker, 125)
Of course, figuring out which are the right risks and what to do about them isnt so easy.
Fortunately, there is the discipline of risk management. From its origins in the financial and insurance
world, the art and science of identifying, analyzing, responding to, and acting on risk has developed
into a robust and comprehensive set of constantly evolving tools and techniques.
Exercise 1-1
Managing
Important Risks
We all practice risk management on a daily basis, whether were aware of it or not. In this exercise,
you will identify important risks you are currently managing. For commentary on the exercise and
your answers, see Answers to Exercises and Case Studies at the end of the course.
24
25
26
RISK MANAGEMENT DEFINED

As the name implies, risk management is the process of managing the risks in your environment. It
can be formal or informal; it can be done well or poorly; it can use rigorous methodology or the
notorious Wildly-aimed Guess (WAG) approach; you can act or you can fail to act.
Some disciplines inherently use more formal risk management techniques than others. Safety
practices in engineering, quantitative risk analysis in finance, and quality control in business processes
all involve the application of formal risk management tools. But risk management doesnt always
have to be rigorous and mathematical to be effective. Managing risks in, say, a sales office is likely to
be a more informal process, but that doesnt mean the resulting risk management is necessarily
ineffective.
In the world of project management, risk management is an activity that parallels the other
project processes. Because a project is a temporary endeavor undertaken to create a unique
product, service, or result, (PMBOK Guide, 1.2) it cannot possibly be devoid of risk: uncertainty is
implicit in the definition. In the PMBOK model, the core risk management activities begin in the
planning process, resulting in the development of a risk management plan. These activities are:
1. Identify the risks (risk identification)
2. Study the risks to understand their nature, probability, and impact (quantitative and qualitative
risk analysis)
3. Decide what, if anything, is to be done about specific risks (risk response planning)
4. Integrate risk management decisions and actions into the project plan (risk management
planning)
As the project gets underway, risk monitoring and control parallels project execution and
other project monitoring and control activities. As the wave front of actual project knowledge moves
forward in time, the risks of the project naturally evolve. There comes a point where a given risk can
no longer happen: if the prototype passed its test, the risk that it might fail to do no longer exists.
On the other hand, if a risk occursthereby changing into a problem or opportunityit may
also trigger a domino effect on other risks, changing both their probabilities and impacts as well as
your intended strategy. That means once is not enough when it comes to a risk management plan.
Your initial plan needs constant review and updating as the risk profile of the project changes.
We suggest you keep a companion file to this course. Use it to hold your notes and any
documents or forms from the text that will be helpful as you work through the chapters. Please
access www.amaselfstudy.org/go/Project Risk for a list of documents that can be downloaded.
Exercise
1-2 Risk Management Process
Y
our Current
In this exercise, your goal is to describe the risk management process that currently exists with
respect to the projects for which you are responsible, either as a manager or a participant.
1. Does your organization or department have a formal requirement for risk management
planning on projects? Yes____ No____
2. Describe the formal requirement if one exists. Specify whether all projects are included, or
27
whether there is a minimum project size for the requirement. If theres a written standard,
add that to the companion file of notes and documents you will keep with this self-study
course.
3. If there is no formal risk management policy or process (or if its not well followed in
practice), how are risks currently managed on your projects?
4. What works well about the way risks are currently managed on your projects?
5. In what ways could your project risk management be improved?
COST ANALYSIS AND RISK MANAGEMENT PLANNING

28
The actual cost of the project, as we all know, is not always or necessarily the cost originally
planned or intended. Whether particular risks occur or dont occur has a dramatic effect on the cost.
And, as youve seen, responding to risk also has costs.
Weve described the basic formula for valuing a risk. The cost of responding to risk falls into
three basic categories:
Risk management infrastructure. The cost of developing policies and programs, training people
in their use, recording and tracking risk data, improving risk management performance. These
costs are usually not charged directly to your project except as company overhead.
Project risk management. The portion of project resources spent on identifying, analyzing,
strategizing, and tracking risks; developing risk plans and reports; developing risk metrics.
Specific risk mitigation costs. The costs associated with responding to individual risks.
Straightforward cost analysis is easier to perform when numbers are known and stable. How
much you spent last year is a matter of record; what you will spend next year is subject to change.
The cost of responding to risk involves actual expenditures. The value of the unmanaged risk,
however, is best expressed as a range of probabilities. You dont know what will actually happen.
And yet its often incumbent upon you to come up with numbers that have some reasonable basis in
reality.
As noted earlier, financial and statistical analysis is not necessarily the sole or always even the
primary basis on which a given decision is made. That is not to say the numbers are ever
inconsequential or irrelevant. Importantly, numbers change over time, hinting at trends or outcomes
that may help you respond early when plans need adjusting. Risk management needs to be an
ongoing process throughout the entire project life cycle.
Exercise
What
You1-3
Spend on Risk Management
In this exercise, you will develop a rough estimate of how much of your project budget currently
goes toward risk management activities.
RISK MANAGEMENT INFRASTRUCTURE
Case
Estimated Cost
Charged to Your Project?
Example: Training course in risk

management with outside vendor
$1000/participant for two-day

workshop; 300 people trained
No
TOTAL COST
Value of your project as a percent Total cost % project value =

of company revenue
Amount attributable to your project
29
PROJECT RISK MANAGEMENT COSTS
Case
Estimated Cost
Identified as Risk
Management expense?
Example: Write and

develop a risk
management plan
3 meetings attended by 5 people, average length 90

minutes, plus 15 hours writing time, at roughly
$200/hour = $7500
No; considered part of

general planning
budget
AMOUNT
IDENTIFIED AS RISK
MANAGEMENT
TOTAL COST
SPECIFIC RISK MITIGATION COSTS
Risk Being Mitigated
Estimated Cost
Identified as Risk Management

Expense?
Example: Risk that the

DigiWigit prototype will be
damaged in transit
Need to fabricate special insulated

shipping case to ensure prototype is
protected; cost $15,000
No; shipping container cost built

into original price and charged
to customer
AMOUNT IDENTIFIED AS RISK

MANAGEMENT
TOTAL COST
TOTAL INVESTMENT IN RISK MANAGEMENT

Infrastructure costs attributable to your project
$///
Project risk management costs
$///
Specific risk mitigation costs
$///
TOTAL
$///
Less costs charged officially to risk management
$///
Costs not listed as risk management
$///
30
Risk is an uncertain event or condition that if it occurs will have a significant impact, whether negative
(downside risk) or positive (upside risk). Risks may affect project objectives, or they may have an
impact that falls outside the official boundary of the project.
The fundamental formula for pricing a risk is to multiply its probability of occurrence by the
cost if it should occur, expressed as:
Risk = Probability Impact
If the cost of dealing with the risk is significantly less than the price of the risk, there is a strong
business case for action. If the cost is higher, action may still be appropriate, but additional
justification is normally required.
In the real world, exact information on probability and impact is not always available or
accurate. Factors other than financial analysis may enter into the decision. Still, the basic price of a
risk is important information to support decision-making.
Downside risk is the likelihood of a negative outcome from an uncertain event or condition,
and upside risk is the likelihood of a positive outcome.
Pure risk (also known as insurable risk) is a risk situation that only has a negative outcome.
Business risk combines the possibility of positive and negative outcome in the same decision.
The two basic ways to change the value of a risk are to change the likelihood it will happen, or
to chance the impact or consequences if it does happen. There is often a cost associated with
changing a risk, so decision-makers must always consider those costs in comparison to the value of
the risk. Not all risks requireor warrantaction.
When you consider a business risk, you must consider probability and impact of both the
upside and downside elements in order to reach a balanced decision. Sometimes it may be wise to
accept an increased risk of loss in exchange for a substantially increased risk of gain.
Risk management is the process of managing the risks in your environment, whether it is done
as a formal, systematic process or not. Different disciplines, such as engineering, finance, and project
management, have their own specific tools and approaches to risk management.
In project management, risk management is an activity that parallels the other project
processes. Because a project is a temporary endeavor undertaken to create a unique product,
service, or result, (PMBOK Guide, 1.2), uncertainty and risk are always present.
In the PMBOK model, the core risk management activities begin in the planning process,
resulting in the development of a risk management plan. These activities are:
1. Identify the risks (risk identification).
2. Study the risks to understand their nature, probability, and impact (qualitative and quantitative
risk analysis).
3. Decide what, if anything, is to be done about specific risks (risk response planning).
4. Integrate risk management decisions and actions into the project plan (risk management
31
planning).
5. Risk monitoring and control parallels project execution and other project monitoring and
control activities. Risks change as the project moves forward in time, meaning that your initial
plan needs constant review and updating as the risk profile of the project changes.
There are three basic categories of costs in dealing with risks:
Risk management infrastructure. Organizational expenditures on risk management
Project risk management. Costs of risk management processes on your project
Specific risk mitigation costs. The costs associated with responding to individual risks
In risk management, you have strict limits on the knowledge available to you. Nevertheless,
there are many tools that can help you manage and prosper even in the face of the unforeseen and
unforeseeable.
32
Review Questions
INSTRUCTIONS: Here is the first set of review questions in this course. Answering the
questions following each chapter will give you a chance to check your comprehension of the
concepts as they are presented and will reinforce your understanding of them.
As you can see below, the answer to each numbered question is printed to the side of the
question. Before beginning, you should conceal the answers by placing a sheet of paper over
the answers as you work down the page. Then read and answer each question. Compare your
answers with those given. For any questions you answer incorrectly, make an effort to
understand why the answer given is the correct one. You may find it helpful to turn back to
the appropriate section of the chapter and review the material of which you were unsure. At
any rate, be sure you understand all the review questions before going on to the next chapter.
1. The cost of training staff members in risk management is an example of:
(a) specific risk mitigation cost.
(b) project risk management cost.
(c) risk management infrastructure cost.
(d) training in risk management cost.
1. (c)
2. For the purposes of risk management, risk is defined as:
(a) an uncertain event or condition that if it occurs will have a significant impact.
(b) a hazard or bad thing that might happen.
(c) a problem or situation you are currently experiencing.
(d) something that only affects the project on which you are working.
2. (a)
3. If there is a 20% chance of a price increase on a key project component that will increase
your total cost by $10,000, the value of the risk is:
(a) $10,000
(b) $1,000
(c) $20,000
(d) $2,000
3. (d)
4. The activity of risk monitoring and control happens:
(a) during the project planning process.
(b) in parallel with project execution and other monitoring and control activities.
(c) throughout the project from initiation through closeout.
(d) at the weekly project status meeting.
4. (b)
5. Integrating risk management decisions and actions into the plan and other project
management process is known as risk.
(a) response planning.
(b) management planning.
(c) analysis.
(d) identification.
33
5. (b)
34
2
Risk Identification
Learning Objectives
Describe the process of risk identification on projects.

Create and populate a risk register.
Examine project requirements, goals, conditions, and circumstances to identify risks.
Determine whether a particular risk belongs to the project or is being sufficiently managed
elsewhere.
Write a statement of risk in the condition and consequence format.
Apply a variety of tools and techniques to systematically identify and reduce project risk, including
document review, standard and negative brainstorming, cause-and-effect diagramming and SWOT
analysis, and checklists.
Reading
55 minutes
Exercises
1 hour 10 minutes
Total Time
2 hours 15 minutes
IDENTIFYING RISKS
What, exactly, are you worried about?
Figuring that out is the process known as risk identification: listing the risks that give us
35
potential concern. That includes business as well as pure risks, of course. Were concerned with
downside risks because of the negative impact; were concerned with upside risk because wed
really like to reap the benefits. We need to balance the level of risk and the level of response.
Its not always obvious at the outset how significant a given risk may turn out to be. In risk
identification, the best choice is to err on the side of inclusion, not exclusion. The tools of risk
analysis will help us winnow out the risks that justify response, but thats in subsequent steps. For
now, the best strategy is to go for quantity over quality.
While the process of risk identification is normally described as something that takes place at
the beginning of the project, thats not enough. Risks change as the project moves forward. Some
risks drop off the radar while other grow in intensity. Risk identification, therefore, must be a
continual activity, not merely a one-time action.
RISK REGISTER
The number of risks on a project can grow quite large, and managing your risk information can pose
challenges. Start by creating a risk register, a centralized place where you write down the risks you
collect. This can be as simple as a spreadsheet, or in some cases, even as low-tech as a legal pad.
At the high end, advanced risk management and monitoring systems can take many millions of
dollars to develop and implement. If youre in the kind of business that warrants such an approach,
you probably already have something in place, even if theres room for improvement.
The basic information you need to gather about a given risk is pretty much the same, however,
whether youre dealing with one risk or thousands, or with one dollar or millions. Exhibit 2-1
illustrates a basic risk register format and identifies the fundamental information you need to gather
about any given risk.
Risk ID
The risk identification number labels the risk. If you decide to number risks, make sure the number
cannot be confused easily with other numbering systems at work on your project.
Description of Risk
A description of risk is often written as an ifthen statement, containing the condition (the
circumstances that would make the risk event occur) and the consequence (the description of the
outcome should it occur).
If our competition releases its new product before ours is ready, the chance our product will
dominate its market is reduced.
If we do not complete the documentation by January 21, we will have to pay a contract penalty
of $37,000.
Category of Risk
Grouping risks together by common factors helps you manage them more easily. If there are
numerous safety risks involved with the construction portion, safety would be a useful risk category.
If there are risks involving interest rates and the stock market, financial risks would make another
good category.
Some organizations establish standard risk categories; if your organization has such categories,
you should use them. If all the projects in your functional area are close enough in subject matter and
36
circumstances, you may wish to establish standard risk categories for those projects, even if your
organization doesnt require it.
Where Found?
The systematic search for risk includes a list of places where risks might be found. For example, if
there is a list of requirements, you would normally inspect the requirements for risks associated with
them. Under Where Found? you would list Requirements. If the plan contains a Work
Breakdown Structure (WBS) listing all the tasks, you would normally look at the individual tasks
for associated risks. Under Where Found? you would list WBS.
Occasionally, you may have a specific number for this space based on a long history of actual data:
There is a 20% chance of component failure. More often, you can only provide a general
indicationor your best guess. You might rate probability as Low, Medium, or High, or on a
1-5 scale. This estimate is subject to revision as you look more closely at a given risk.

Here too, you may have a specific number (This would cost us $15,000), or you may only be able
to provide a general description of the impact. (It would embarrass us in the eyes of the customer
and jeopardize repeat business). Sometimes, you can only say Low, Medium, or High. This
information also tends to evolve as you look deeper.
For business risk, you must list both upside and downside values. If the information from the
preliminary engineering study is confirmed by these tests, per-unit manufacturing costs should drop
by 40%. If the results are negative, per-unit manufacturing costs will remain at current levels.
Risk Rating
This is the answer to the equation R = P I. If you do not have numbers for probability and impact,
the risk rating will also be imprecise: low, medium, or high. Thats usually enough to get started.
xhibitRegister
2-1
Risk
Categories
37
Disposition
What do you do with the risk after you have analyzed it? Does it go on a parking lot with other
minor risks that wont receive much attention? is it a major priority requiring significant effort and
resources? Should you handle the risk yourself, or should another department or group (or the
customer, for that matter) be the proper owner and manager of the risk? your choice of action goes
here: the disposition of the risk.
Comments
If there is additional information necessary to the understanding of this risk, it goes here.
HOW TO IDENTIFY RISKS

38
A potential risk exists in every declarative statement about your project. The deadline is February
15 contains the potential risk that you wont be done by February 15. Perhaps February 15 gives
you plenty of time and the risk is quite low; perhaps February 15 gives you a wholly inadequate
amount of time to get the work done and the risk of failure is high.
Then theres the cost of failure. Perhaps theres a $1,000,000 contract penalty if youre late;
perhaps no one really cares as long as they get it by the end of the month. The risk is the likelihood
youll be late times the cost if you are. Inadequate time and big penalty = serious risk. Plenty of time
and no penalty for missing the deadline = trivial risk.
Risks can be about deadlines, budgets, or performance goals: the risk of not being done on
February 15; the risk of spending more than the budgetary estimate of $125,000; the risk that the
product wont pass acceptance testing.
Risks can be about outside factors: the risk that customer requirements will change; the risk
that interest rates will rise or fall; the risk that your competitors will beat you to market or vice versa.
Risks can be about the potential outcome of events: the risk that your prototype will fail its
initial test; the risk that your proposed solution wont work as well as you hope; the risk that good
safety practices cant prevent every conceivable accident.
The process of risk identification involves looking for the risk events and situations of potential
concern. Exhibit 2-2 lists questions to ask as you look at the details of your project environment.
You dont have to write down everything in this level of detail. We are doing so here so
that the thought process is made explicit. The only things you need to write down are the risks that
you decide are serious enough to warrant further studyand the place to write those risks is on the
risk register.
Exhibits 2-3, 2-4, and 2-5 provide examples of the risk identification process. Following those
three exhibits, Exercise 2-1 provides you with a practice opportunity to do it yourself.
xhibit 2-2 Risks

Questioning
Question
What is being asked of
us?
What force or
circumstance could affect
us?
Is this difficult,
problematic, or
uncertain?
What are the

consequences of failure?
Answer
Write this as a description of what would occur if you were guaranteed the desired outcome, or
a statement of how reality will look if it goes the way you prefer.
Desired outcome: If youre being asked to meet a budget of $125,000, then write Keep costs
within total budget of $125,000.
Circumstance: If the profitability or benefit of the project will change dramatically if the prime
rate changes, write what you want to happen. Prime rate will stay under 4.25%.
Desired outcomes and circumstance only contain risks if theres a chance they wont happen
the way you prefer. If $125,000 is ample, then you expect no unusual difficulties in meeting it:
low or no risk. If $125,000 is tight, then the risk rises. If interest rates appear stable and the
project is short term, the risk of a sudden jump is low. If the time horizon stretches out over
years, the risk tends to rise.
Sometimes this is scenario-based. If your ability to meet the $125,000 cost figure is dependent
on using a supplier able to meet your specific needs, and the supplier is financially shaky, the
risk of not meeting the budget is a function of the financial health of the supplier. The risk in
this case is focused on a specific scenario.
Define the likely downside if the risk should occur. A supplier going bankrupt might affect the
prices you payor it might affect your ability to buy the components at all. The latter could
be a more serious risk than the former. If interest rates spike suddenly and unexpectedly, both
your project and your customers might be affected.
39
Are there any

circumstances or
conditions that would
result in failure?
Looking for early warning signs and triggers is often one of the more valuable results of risk
management. In some cases, you have direct control over whether a risk occurs; in other cases,
the best you can do is achieve an earlier warning.
Are there any

opportunities to do this
work better, faster, or
cheaper, or to gain
additional benefit from
the work?
Look for upside opportunity as well as downside threat when you look for risks. If your key
supplier is financially weak, you might look at acquiring it yourself, or working to develop
alternate sources of supply in advance of need. If interest rates spike, your competition is also
likely to be affected, as are your customers. There may be an opportunity for gain if
everyones in the same boat.
Are these risks being

managed elsewhere?
Some risks are real, but not necessarily your problem. Theres a risk someone might get hurt on
the plant floor, but theres usually a set of safety policies and procedures already in place.
Unless what youre doing adds unusual amounts of risk to the normal routine, there may be
nothing to do specifically on your project.
Other risks are outside your authority even if youre the project manager. If a project contains
potential for litigation, its usually not the engineering department that manages this area of risk
even if they are project managers for the project as whole.
Should we add any of

these risks to our project
risk identification list?
Sometimes the answer to this is no. Not every task or requirement contains risks demanding of
your attention. Some risks are so minor and remote they dont deserve further attention. With
luck, large amounts of your project fall into this category.
Conclusion
If you decide there is no risk to manage here, then youre done. If there is a risk, whats your
first impression of the probability and the impact? Its okay if thats a guess for now.
Statement of Risk
You may find multiple risks in a given situation. For each risk, go to the risk register and write
the risk in the condition and consequence format. Add your initial estimates of probability
and impact.
xhibit 2-3
Sample
Risk from a Requirements Document
Question
Answer
What is being asked of

us?
What force or
circumstance could
affect us?
Requirement: Parts must be machined to a tolerance of 1/32".
Is this difficult,
problematic, or
uncertain?
No. The machinery we use is capable of machining to much smaller tolerances, as low as 1/128".
We have trained operators who have done this hundreds of times. The schedule provides
sufficient time for the job.
What are the

consequences of
failure?
Parts outside tolerance may result in more mechanical failures in use. The consequence to the
customer of failure is loss of capacity, which can be measured in money. Safety risk (harm to
people) as a result of a mechanical failure is not an issue in this case.
Yes. If the schedule is too aggressive, the rate of error tends to increase. Here, the schedule does
40
circumstances or
conditions that would
result in failure?
Are there any

opportunities to do
this work better,
faster, or cheaper, or
to gain additional
benefit from the
work?
not appear to be aggressive. Failure to maintain and properly operate the machinery would also
result in problems. However, we do have a maintenance program. Even trained operators with
good equipment can make mistakes. Thats why we have a quality control procedure to verify
that parts are within tolerance before they get assembled into the final product.
Doing quality work on time and budget is one of the competitive strengths of this company; we
should be able to reinforce and add to that reputation.
There is new machinery available that could potentially improve what we do, but its not costeffective to buy it for this project alone. M anagement is currently reviewing whether it makes
sense for the company as a whole.

managed elsewhere?
Yes. Plant maintenance and quality control processes already exist and appear sufficient to the
potential risk.
Should we add any of

these risks to our
project risk
identification list?
No. They are being managed elsewhere.
Conclusion
No project level risks.
Statement of Risk
N/A
xhibit 2-4
Sample
Risk from a Project Charter or Statement of Work
Question
What is being asked of us?
What force or circumstance could
affect us?
Answer
Goal: Produce 25,000 widgets and ship them to the customer no later than the end
of next month.
Is this difficult, problematic, or

uncertain?
There is some potential uncertainty. The 25,000 number itself is not too much for
the capacity of the plant. We do, however, experience occasional overload with
multiple jobs that can severely disrupt delivery dates.
What are the consequences of

failure?
Damage to reputation; effect on future business from this customer, in rare cases,
claims for damages.
Are there any circumstances or

conditions that would result in
failure?
Uncertainty in scheduling sometimes means capacity is strained more than usual.

The priority of other work may be higher than the priority of our own. Equipment
breakdowns sometimes happen even with excellent maintenance.
Are there any opportunities to do

this work better, faster, or cheaper,
or to gain additional benefit from the
work?
Our existing initiative to improve shop floor scheduling has the potential to
improve performance in time and cost. By supporting it, we make all the projects a
little better.
Are these risks being managed

elsewhere?
Partially. There is a plant scheduling function that has primary jurisdiction over this
part of our project. However, we are still responsible for getting the product to the
customer on time, and plant scheduling problems wont excuse our failure to do so.
41
Should we add any of these risks to

our project risk identification list?
Yes. While scheduling problems dont occur often, they can result in serious
problems when they do. Its our responsibility to make sure we get things done.
Conclusion
Low Probability/High Impact Risk
Statement of Risk
If too many other projects schedule manufacturing time to coincide with ours, the
plant production schedule may not be able to support our deadline.
xhibit 2-5
Sample
Risk from a Work Breakdown Structure (WBS) Work
Package
Question
Answer
What is being asked of us?
Work Package: M anuals
What force or circumstance

could affect us?
Description of work: Prepare online searchable product manuals for operation of the
product and for maintenance and repair of the product.
Is this difficult, problematic,

or uncertain?
Problematic. It isnt inherently difficult to do, but its often done under difficult conditions.
It often cant start until late in the project cycle because the needed information is not yet
available or is subject to change. Engineers and other technical experts may have other
things to do than provide support and documentation to tech writers.
What are the consequences

of failure?
There are two kinds of failure: being late and being wrong. The consequences of being as
much as six weeks late with the manuals are minor, because we have warranty
responsibility for repair work during that period anyway.
The consequences of being wrong are potentially more serious, and can expose the
company to significant financial risks.
Are there any circumstances

or conditions that would
result in failure?
Are there any opportunities
to do this work better, faster,
or cheaper, or to gain
additional benefit from the
work?
If we put emphasis on schedule rather than emphasis on quality, the potential damage will
be worse than if its the other way around.
The Q-38 design is based on the Q-37 design, so theres a good chance that parts of the Q37 manual can be used as an outline and rough first draft for the Q-38 design. This has the
potential to improve quality while at the same time speeding schedule and lowering cost.
Similarly, the archive of tech manuals that we are building makes it easier to do each new
one. The output of this project will add one more to the growing database.

managed elsewhere?
No. All the risks involved with the manuals belong to this project.
Should we add any of these

risks to our project risk
identification list?
Yes. We can accept the risk that we might be as much as six weeks late with the manual,
but no more than that. We cant accept the risk that there will be material errors in the
manual.
Conclusion
M ultiple risks; both Low Probability/M edium Impact (second risk has higher impact than
the first)
There are two risks here. Both have direct consequences to the customer, and indirect
consequences for us (need to provide additional services or compensation; damage to
reputation and customer relationships).
42
Statement of Risk
1) If the manual is more than six weeks late, the customer will not be able to take over maintenance and
repair of the equipment at the end of our warranty period.
2) If the manual contains errors, the customer may not be able to maintain and repair the equipment correctly
and in extreme cases, could suffer significant losses as a result of our errors.
Exercise
2-1
Risk
Identification
Practice
For this exercise, your project is to conduct an end-of-year inventory in a large warehouse. The
warehouse will be closed for shipping for a three-day period, and must be able to resume operations
on the fourth day. Your project team consists of three warehouse workers and two people from the
supply department. There are approximately 10,000 items in the inventory.
43
SYSTEMATIC RISK IDENTIFICATION

There are many tools to help you root out risk wherever it may be hiding. Approach risk
identification in a systematic manner. Make a list of the places you will look and the tools you will
use to ensure youve done a comprehensive job.
Find risks by examining project documentation; brainstorming, analyzing and deconstructing
project elements; and using formal risk management tools.
Documentation
A project or operation tends to produce a lot of paper (or its electronic equivalent). There are
contracts, instructions, requirements, project charters, plans, standards, policies, and much more.
Many items in all this documentation involve risk, so the first place to start in identifying the risks in
44
your environment is with a thorough and systematic document review. Start by identifying and
collecting the documentation available.
Exhibit 2-6 lists common types of project documentation. Theres some extra space provided
so you can write down which of these sources apply to your situation. The amount of information
and documentation tends to increase over time, so this step needs to continue as you move through
the project life cycle.
Brainstorming
Both structured and unstructured brainstorming sessions uncover project risks. A simple
unstructured brainstorming session is as simple as gathering parties together and saying Lets
brainstorm the risks. The purpose of risk identificationlooking at all risksmatches well with the
fundamental brainstorming rule of welcoming all ideas and withholding criticism.
Standard Brainstorming Techniques
Aside from the subject matter, theres nothing particularly different about brainstorming risks as
opposed to brainstorming anything else. Exhibit 2-7 lists standard rules common to all brainstorming
sessions.
After a brainstorming session, theres usually a process to winnow out the valuable ideas. The
outputcouched as statements of riskis added to the risk register.
Negative Brainstorming
There are many different ways to brainstorm, and weve had good results with multiple techniques.
One specific brainstorming technique has particular value when the topic is risk: negative
brainstorming (Dobson and leemann, 111)the focus on why things wont work or will go wrong.
Exhibit 2-8 describes the process.
As with all brainstorming, welcome all ideas and withhold criticism until the session is over. The
purpose of risk identification is to make sure all potential risks are considered, so err on the side of
inclusion.
xhibit 2-6Types of Documentation for Risk Identification

Common
45
46
xhibit 2-7
Brainstorming
Rules
1. Define the problem.
2. Select participants.
3. Set ground rules.
4. Define the brainstorming question or goal.
5. Welcome all ideas.
6. Focus on quantity, not quality.
7. Withhold criticism.
Risk identification borrows tools from other management disciplines as well. Two often-used tools
are the cause-and-effect diagram and SWOT analysis.
Exhibit 2-9 shows a cause-and-effect diagram, also known as an Ishikawa diagram or
fishbone diagram. The cause-and-effect diagram is a structured way to brainstorm root causes of
risk by focusing on all the areas where the risk might live. To use this diagram the brainstorm team
should address a potential problem area, then look for the ways each of the categories might
contribute to the problem.
xhibit 2-8Brainstorming
Negative
The goal of negative brainstorming is to identify areas of downside risk and vulnerability in your
project environment so that you can decide how to address these areas. (Regular brainstorming
does a fine job on upside risk and opportunity.)
1. Follow the normal brainstorming process from Exhibit 2-7 except as noted.
2. For the brainstorming question, select a negative question, one that focuses on failure and
bad luck.
Why is this project impossible?
What cant we do?
How will other people and circumstances keep us from succeeding?
What ideas are absolutely not worth trying?
Whats the worst possible decision or action we could take right now?
What could turn this into a complete catastrophe?
Why are we already doomed to fail?
3. Strive for a maximum number of answers. Do not provide happy thoughts, corrective
47
actions, or solutions.
4. When the negative brainstorming session is over, discuss which risks need to be added to
the risk register, which risks are unimportant, and which risks are easily solved or dealt with
by existing systems.
xhibit 2-9
Cause
and Effect Diagram
Credit: Fabian Lange
A format for a SWOT analysis is shown in Exercise 2-2. In a SWOT analysis, the group
brainstorms a particular area of the project, looking at four different characteristics: strengths,
weaknesses, opportunities, and threats. Strengths and opportunities are beneficial to the project;
they help achieve the objective or make it better. Weaknesses and threats are harmful to the
objective; they make it less likely that you will achieve it or that you will achieve less.
Strengths and weaknesses are internal to the project; that is, they are characteristics of the
organization and the people in it. Opportunities and threats are external to the project; that is, they
are part of the environment.
Exercise
2-2
SWOT
Analysis
Continuing with the inventory project from Exercise 2-1, prepare a SWOT analysis for the project.
48
Checklists
Before an airplane takes off, the pilot typically uses a checklist to make sure nothing has been
overlooked. A checklist isnt ever exhaustive, of course, but it guards against common errors and
provides early warning of certain risks. If you do the same kind of project over and over again,
checklists are useful tools for risk management. A good checklist not only identifies risk but also
reduces it at the same time. Landing gear handle down addresses the risk that the landing gear
handle might be in the wrong position for takeoff.
While checklists dont substitute for comprehensive risk management, they are a significant aid
to compensating for inattention or memory lapsessomething almost all of us have been guilty of at
one time or another.
Expert Judgment
If you and the project team have little experience in a particular risk area, its a very good idea to
experts who can advise you about risks and responses. The two concerns, of course, are whether
the person being consulted is in fact an expert, and whether the expert has a bias you need to take
into account.
OUTPUT FROM RISK IDENTIFICATION PROCESS

The output of risk identification is simply the risk registera list of the risks youve identified. Of
course, youre not nearly done. Risk identification is only the first step in a good risk management
process. Many of the risks you identify need further analysis to determine how serious they are.
Some risks youll end up choosing to accept, and others will need a comprehensive response. In
between identifying the risks and deciding what (if anything) to do about them comes the stage
known as risk analysis, the subject of the next several chapters.
Remember that risk management continues throughout the life of the project. No matter how
well your initial risk identification process goes, the nature of the project always evolves over time.
Continue to add items to the risk register as you discover them, and follow through the rest of the
process steps with these new risks as well.
49
Risk identification, as the name suggests, is the process of identifying potential risks that may require
some action on our part. Risk identification includes both business risks and pure risks. Because its
not always obvious from the outset how serious a potential risk is, risk identification tries to err on
the side of inclusion. If youre not sure whether its a risk, write it down.
Start by creating a risk register, a centralized place where you write down the risks you
collect. A risk register contains a description of the risk, the category in which it belongs, where you
located it, your initial estimate of its probability and impact, an overall initial risk rating (low, medium,
or high), and any comments or background needed to understand the context of the risk.
A potential risk exists in every declarative statement about your project. If its less than certain
youll achieve the stated goal, then there is a risk. Risks, of course, vary in seriousness, and some
risks are so improbable or have such a minor effect that there is no value in addressing them. Some
risks involve circumstances of the project or the consequences of your own actions; other risks are
part of the environment and you may have little control over whether they occur.
To make an initial assessment of a risk, consider the following questions:
What is being asked of us, or what force or circumstance could affect us?
is this difficult, problematic, or uncertain?
What are the consequences of failure?
Are there any circumstances or conditions that would result in failure?
Are there any opportunities to do this work better, faster, or cheaper, or to gain additional benefit
from the work?
Are these risks being managed elsewhere?
Should we add any of these risks to our project risk identification list?
If the answer is yes, add them to the risk register. Please note that for the most part you can
ask these questions without writing everything down; only write down what you discover that is of
significance. If theres doubt, of course, err on the side of inclusion.
A systematic process of risk identification normally starts with a comprehensive document
review, and may also including techniques of brainstorming, various diagramming tools (such as
cause-and-effect diagrams and SWOT analysis), and checklists. Its also a good idea to identify
experts to advise you in risk areas with which you and your team are not familiar.
The output from the risk identification process is a completed risk register. No matter how well
your initial risk identification process goes, the nature of the project always evolves over time.
Continue to add items to the risk register as you discover them.
The next step in the risk management process is risk analysis.
50
Review Questions
1. Two factors in assessing the seriousness of a given risk are:

(a) contract penalties and customer satisfaction.
(b) risk rating and risk register position.
(c) the likelihood of the risk occurring and the consequences if it should occur.
(d) the cost of responding to the risk compared to the total budget of the project.
1. (c)
2. A systematic risk identification process needs to be performed:
(a) only at the outset of the project as part of the risk plan.
(b) every six weeks.
(c) by professional risk managers.
(d) throughout the project life cycle because of changes in circumstances and information.
2. (d)
3. in describing a risk formally, the statement of risk should always include:
(a) the probability and impact estimate for the identified risk.
(b) any proposed solutions or responses to the risk.
(c) the condition that provides concern and the consequence that would result.
(d) the category in which the risk falls.
3. (c)
4. Risk identification is concerned primarily with:
(a) listing risks that give us potential concern.
(b) identifying pure risks on projects.
(c) identifying business risks on projects.
(d) analyzing risks for probability and impact.
4. (a)
5. in the negative brainstorming technique, risk managers should:
(a) select a negative question to focus brainstorming efforts.
(b) ensure that the group develops corrective actions for the risks it identifies before moving
on.
(c) focus on costs associated with risks.
(d) keep the brainstorming group small.
5. (a)
51
3
Learning Objectives
Define common terms and concepts in risk analysis, including qualitative risk analysis, quantitative
risk analysis, risk triage, and filtering.
Identify appropriate risk categories to organize identified risks for further action.
Use a filtering process to perform risk triage, sorting risks according to priority, urgency,
ownership, and solvability.
Implement a variety of qualitative concepts and techniques, including cause-and-effect
diagramming to analyze impact, assessment of non-numerical factors in determining risk
probability, identification of proper risk ownership, and the mechanism for transferring risks.
Apply risk triage and other processes to confirm that risks have been correctly identified and
categorized.
Reading
40 minutes
Exercises
50 minutes
Total Time
1 hour 40 minutes
INTRODUCTION TO RISK ANALYSIS

In between deciding what the risks actually are and deciding what, if anything, you plan to do about
52
them, comes risk analysisthe process of studying the risks to measure and define their
probability, impact, and other characteristics. Armed with improved understanding, you can separate
important risks from trivial ones and identify the opportunities you have to influence our risk
environment in the right direction.
There are many different techniques used in risk analysis. Some are specific to a given industry
or technical area. You dont normally need a systems engineering risk assessment for a marketing
plan, nor are the tools of financial risk analysis generally of primary value in determining whether the
shop floor is safe. This self-study course will focus on the tools most commonly used and those with
widest application. Depending on your industry, profession, and circumstances, you may want to
explore a certain set of tools in much greater depth.
In general, risk analysis techniques fall into two groups. The PMBOK Guide (11.3, 11.4)
defines them as follows:
Qualitative risk analysis is the process of prioritizing risks for further analysis by assessing and
combining their probability of occurrence and impact.
Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on
overall project objectives.
Quantitative risk analysis as a process normally follows qualitative risk analysis, but the PMBOK
Guide observes that, in some cases, quantitative risk analysis may not be required to develop
effective risk responses. In certain categories of projects, quantitative tools may be used first, with
qualitative analysis filling in the gaps. Whats important is that you use these processes and tools in
the order and sequence they make most sense to you.

When we performed risk identification in the last chapter, we decided to lean in favor of including
risks rather than excluding them. Our risk register, therefore, includes a number of risks that fall
below the reasonable threshold requiring response.
In qualitative risk analysis, we define the characteristics of the risk in more detail. We gather
additional information. We rate the relative importance of the risk in terms of probability and impact
without, in many cases, being able to put specific numbers to those values.
Qualitative risk analysis accomplishes the following:
By defining and assessing probability and impact, even in general terms, it ranks the relative
importance of the identified risks to the project, the organization, and to specific stakeholders,
enabling resources to be focused where theyll achieve the most benefit.
By classifying risks into categories, it helps reveal potential common causes and vulnerability areas
where action can be highly productive, and ensures risks are routed to the proper owners and
managed properly.
By defining risk characteristics and potential common causes, it provides the basis for effective
risk response planning.

Quantitative risk analysis, as previously noted, is the process of numerically analyzing the effect of
identified risks on overall project objectives. As the name quantitative implies, the key word in this
definition is numerically. Quantitative risk analysis is classical risk analysis, the probability-based
tools developed to assess risk in financial instruments such as insurance.
Quantitative risk analysis tools exist in many disciplines from finance to nuclear engineering.
53
Any field in which its possible to calculate the likelihood of certain events based on either theoretical
or actual probability uses quantitative analysis. (Theoretical probability is saying the chance of
flipping heads is 1 in 2, because there are only two outcomes. Actual probability is flipping the coin a
few hundred times and reporting the result.)
If youre in a field with few available numbers to crunch, your opportunity to use quantitative
risk analysis is limited, but you may be surprised by how many numbers you can find if you look
hard enoughand what you can do with them if you find them.
Certain advanced project management techniques such as the Program Evaluation and Review
Technique (PERT) and Monte carlo simulations have application to quantitative risk management, as
youll learn in upcoming chapters. Other common analysis tools well cover include expected
monetary value (EMv), sensitivity analysis, and decision trees.
Quantitative risk analysis accomplishes the following:
By analyzing the range of outcomes and their associated costs, it provides decision-makers with
the data to establish reserves, set confidence levels, and identify whether the overall project is in
line with stakeholder risk tolerances.
By simulation and probability analysis, it provides an estimate of the likelihood of achieving a given
set of time and cost objectives.
By developing detailed numerical insights into risk characteristics, it refines the prioritization of
risks and ensures that risk responses are cost effective and appropriate.
QUALITATIVE RISK ANALYSIS

In qualitative risk analysis, you sort the risks from the risk register based on their probability and
impact, and then route them for further action. For any given risk, there are really only three choices:
accept the risk, transfer it to someone else, or do something about it.
Accept the risk. When you accept a risk, you dont do anything further about it unless it occurs. If it
occurs, you may take some remedial action, or you may simply absorb whatever it does to you.
Transfer the risk to someone else. some risks arent yours. They may belong to the customer, to
someone higher up in the organization, or to someone with specific authority or expertise. You do
have the responsibility for making sure that the correct risk owner is aware of the risk. You often
need to follow up and monitor their risk responses.
Do something about the risk. For now, this means that you put the risk in a stack with other risks
requiring action. Some risks are so urgent you need to move them to the head of the line and start
working on them now. Others can wait until you start your risk response planning process, which
follows risk analysis.
If youve ever been in a hospital emergency roomor, for that matter, watched an episode of
M*A*s*Hyou know about triage, a formal method of prioritizing medical patients based on the
severity of the situation and what can be done about it. Qualitative risk analysis is, in a fundamental
sense, a triage approach to risks. Before you can act, you have to sort.
The project management process that accomplishes this is known as filtering. Your goal is to
filter the risks on the project so that the top risks are singled out for action. Exhibit 3-1 outlines the
filtering process as a flowchart, and the copy that follows describes the action steps in more detail.
54
Start
Take each risk from the risk register, and go through the process one risk at a time. Update the risk
register based on the result of the filtering process; record the outcome on the risk registereven
for risks that will go no further. This is an important step, to make sure that no risk is inadvertently
overlooked.
Impact
You wrote down a description of the impact when you filled out the original entry in the risk register.
Now its time to revisit that statement and amplify it.
First, make sure youve considered all the potential areas in which the risk impact may occur.
In risk identification, you encountered the cause-and-effect diagram (Exhibit 2-9). You can use the
same tool to great effect in risk analysis. Lets revisit the risk of tech manual errors, introduced in
Exhibit 2-5. Heres the statement of risk:
If the manual contains errors, the customer may not be able to maintain and repair the
equipment correctly and in extreme cases could suffer significant losses as a result of our
errors.
Here are six categories of potential impact for this particular risk. Dont forget to add
opportunities as well as threats. Often, the impact contains both. Exhibit 3-2 shows the cause-andeffect diagram.
Project risks. Risks to the project and its objectives, primarily to the projects constraints of time,
cost, and performance.
xhibitTriage
3-1 Process
Risk
55
xhibit 3-2
Cause-and-Effect
Diagram for Impact Analysis
56
Organizational risks. Risks to the organization sponsoring or managing the project. Could
include such factors as reputational or business consequences, legal exposure, marketing issues,
media exposure.
Customer risks. Risks to the customer and the customers organization.
User risks. Risks to the end user of the product or service, including physical risks, economic
risks, or other factors.
Personal risks. Risk to you and your team members, such as continued employment,
consideration for promotion or advancement, chance of getting other projects, effects on career
or family.
Long-term risks. Risks that are likely to outlast the life cycle of the project, the product, or the
service.
Obviously, a risk that carries with it legal liability and the chance of physically harming others is a
serious risk and one that requires appropriate action. But notice how the impact falls out. Its effects
are extremely unbalanced. The project itself is hardly affected at all. It might be years before the
consequences of errors in the tech manual come to light.
The customer and the users are exposed to the greatest share of the impact. Depending on the
standards for legal liability or warranty claims, they may be able to transfer some part of those costs
to the organization. The danger here is not so much that an unscrupulous project team will take the
easy way out (though that has been known to happen), but that human nature puts our focus on
57
dangers that affect us most immediately. When the impact falls outside the sphere of the project, it
sometimes also falls through the cracks. Thats why this kind of risk assessment is so important.
In Exercise 3-1, youll take one of the statements of risk you wrote in Exercise 2-1, and give it
the same treatment.
Exercise 3-1
Cause-and-Effect
Diagram
Take one of the three statements of risk you wrote in Exercise 2-1, and enter it into the Risk
Statement box. Identify potential consequences of the event (both opportunities and threats),
considering all six areas. You may not find meaningful impact in all six, but make sure you look at all
of them carefully.
If the overall impact of the risk is not significant, then it may be sensible to accept the risk,
unless the solution is easy and cheap. If the overall impact of the risk is significant, however, move to
the next item on the list.
58
Probability
What (if anything) makes you believe this risk event may actually happen to your project? There are
any number of potential reasons to believe a given event is more likely to occur. Consider the list of
questions in Exhibit 3-3 as they apply to a particular risk. (The exhibit provides space for you to
follow along, using either a risk from one of your own projects or continuing with the risk you used
in the previous exercise.)
Sometimes you can arrive at a reasonable judgment that a given risk is low or high in
probability, and other times there simply isnt enough data to hazard a reasonable guess. Since
weve already established that the impact is significant (otherwise, wed have accepted the minor
risk), risks of low or unknown probability and no greater than moderate impact are good candidates
for acceptance unless, as before, the solution is easy and cheap. Low or unknown probability
combined with serious impact, however, is normally worthy of further attention.
Urgency
Some risks just cant wait. What really matters isnt the timing of the risk event itself, but how fast
any potential solutions may become unusable. In the previous example, we discussed reviewing the
manual prior to publication to catch any errors. Notice that you can only do this up until the time you
ship the manual to the customer. After that, its too late.
If the only, best, or cheapest solution is about to expire, or if the risk event is imminent, you
dont have time to take the risk through the rest of the process. Assign the risk to a risk owner or
manager (it may be you), and get started on it without waiting for all the rest of the qualitative and
quantitative analysis results to come in.
Ownership
Some risks are very serious, but that doesnt automatically mean theyre yours. If the failure of your
project could result in the bankruptcy of your organization, its the prerogative of senior
management, not you, to determine whether the risk is worth running. If the customer signs a costplus contract for development, the customer owns the risk that the project will go over budget.
As weve mentioned, risk specialists exist in organizations to handle specific categories. If
youre an engineer, you probably arent the right person to manage legal risks on the project; if
youre a lawyer, you probably arent the right person to manage risks in systems engineering. As the
project manager, you still have responsibility for risks that are not appropriate for you to manage.
You should:
Identify risks in all areas, not just inside the project boundaries.
Gather basic information about these risks.
xhibit 3-3 Boosters

Probability
Your
Risk
Question
Example
Whats the statement of risk?
If the manual contains errors, the customer may not be able to maintain and
repair the equipment correctly, and in extreme cases could suffer significant
losses as a result of our errors.
Weve discovered minor typographical errors in published manuals, but
59
Has this ever happened before,

either in our experience or in the
experience of others?
nothing of significance. This is at least partially because we already do a lot

of checking to keep serious errors out of the product.
Are there any circumstances or

conditions that would make this
risk more likely to happen? Are
these circumstances or conditions
present on this project?
The most likely reason for such an error occurring in the first place would be
late-project engineering and design changes not being properly documented,
so that manuals reflected out-of-date information. We do not currently see
this happening, but if it does, we will revise our probability for this risk
upward.
Is this risk linked to other risks in

the project environment?
Yes. A major late-project engineering or design change normally increases risk

throughout the rest of the project. If such an event happens, a number of
project assumptions will be called into question and a comprehensive risk
reassessment may be in order, especially if deadline remains the same and
cost pressures are also high.
Conclusion
Probability of a major error is low in absolute terms, but high enough that
our current review and quality control process should be continued.
M ajor mistakes have, however, been known to happen elsewhere, and the
consequences have in some cases been very severe.
Route risks to their proper risk owners, and provide relevant documentation.
Support risk owners with information and technical advice.
Review proposed risk responses for secondary impact on other project objectives.
Integrate actions of risk owners into your project plan.
Monitor risk responses and advise risk owners of trends and results.
While its usually appropriate (if not required) that you are deferential to risk owners outside
your project, remember that risk owners tend to focus on their risk areas and may not always be in
tune with the bigger picture. Try to accommodate the needs of risk owners as much as possible, but
if you cant and if the stakes are high enough, it may be appropriate to escalate the decision to a
higher level of management.
Solution
So far, weve identified the following categories of risks:
Risks without significant impact. You will probably end up accepting the majority of these risks
unless the solution is easy and cheap.
Risks with low probability and only moderate impact. You will also end up accepting the majority
of these risks unless the solution is easy and cheap.
Risks that require urgent response. Those risks are removed from the rest of the process and
assigned to a person or team for immediate action.
Risks that belong to someone else. You should route these risks and associated information to the
proper risk owner, respond to the instructions and requirements provided by the risk owner, and
monitor the risk.
This leaves a final category: risks that are serious in impact, at least moderately high in
probability (if unlikely to happen, the impact is very serious indeed), and that belong to you.
The next question, naturally, becomes what (if anything) can you do about it? For now, its not
necessary to come up with a detailed point-by-point action strategy, but to concern yourself with the
60
general question. A risk is solvable if the response is proportional, cost-effective, and doesnt create
major secondary problems or negative consequences. If it appears to be solvable, move it into the
stack of risks requiring further analysis and action.
Acceptability
It may be apparent from the beginning that there is no way to bring a particular risk down to an
acceptable level. There may be some unavoidable dangers, or factors you cant do anything about.
Risk is a fact of life.
As mentioned earlier, accepting minor risks can be perfectly appropriate and sensible. When
youre confronted with a major risk outside your control, its not so simple. Ultimately, you have two
choices:
1. Accept the risk and prepare a contingency response if possible.
2. Rethink the viability of the project, which may involve changing the objectives or cancelling the
project.
This decision often doesnt belong to the project manager, but is the province of higher levels of
management or the customer. If thats the case, treat it like an ownership issue, and make sure the
risk, options, and supporting documentation are routed to the appropriate decision-maker.
RISK TRIAGE AND OTHER RISK ANALYSIS PROCESSES

Its worth repeating that filtering your risks is only the first step in risk analysis. By grouping your
risks into various action stacks, you can route risks to their proper owners, identify low priority risks
requiring little or no action, and focus your attention on the subset of high risks that fall within your
purview.
There isnt a clear, bright line that separates risk triage (filtering) from qualitative or quantitative
risk analysis processes. When answering the questions on the flowchart from Exhibit 3-1, you often
need to apply certain of these tools even in your initial screening. Given also that your initial
knowledge of risks may be incomplete, you also need to verify that your pile of low-ranking risks
doesnt accidentally end up including one or more risks deserving more serious attention.
Exhibit 3-4 summarizes risk triage categories and next steps.
xhibitTriage
3-4 Categories and Next Steps
Risk
61
In between deciding what the risks actually are and deciding what, if anything, you plan to do about
them, comes risk analysis, the process of studying the risks to measure and define their probability,
impact, and other characteristics. In general, risk analysis techniques fall into two groups:
Qualitative risk analysis is the process of prioritizing risks for further analysis by assessing and
combining their probability of occurrence and impact.
Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on
overall project objectives.
Not every risk requires both kinds of analysis. Although it is most common to perform qualitative
risk analysis first and quantitative risk analysis second, situations vary.
Qualitative risk analysis begins as risk triage: a filtering process in which you sort risks by
category, threat level, and ownership. You define the characteristics of the risk in more detail. You
gather additional information. You rate the relative importance of the risk in terms of probability and
impactwithout, in many cases, being able to put specific numbers to those values.
62
Your basic choices about a given risk are to accept the risk, transfer the risk to someone else,
or to do something about the risk. To make a decision about each risk, ask yourself a series of
questions.
1. Is the impact significant? If not, consider accepting the risk unless the solution is easy and cheap.
2. Is the probability high? If not, consider accepting the risk unless the impact is very high.
3. Do we need to act immediately? If so, assign the risk to a person or team and get to work.
4. Is the risk ours? If the risk owner is outside the project team, route the risk (and relevant
information) to the proper owner, and monitor the results.
5. can we do anything about this risk? If theres a potential solution thats appropriate, we are likely
to implement it.
6. Is the risk worth taking? If theres no potential solution, or if significant risk remains even after
youve done what you can, you may choose to accept the risk, or it may be appropriate to
modify or even cancel the project.
In the risk triage stage, you shouldnt normally dig too deeply into risks or their solutions, but
focus instead on sorting them into piles requiring different actions. In every case, its a good idea to
review what youve done, because its all too likely that some risks have ended up in the wrong pile.
63
Review Questions
1. In performing risk analysis, the correct sequence is to:

(a) perform risk triage, qualitative risk analysis, and quantitative risk analysis in that order.
(b) apply qualitative and quantitative risk analysis tools simultaneously.
(c) apply quantitative risk analysis tools on every risk.
(d) use qualitative and quantitative risk analysis tools in the order that is appropriate for your
project.
1. (d)
2. Factors such as reputation risk, business consequences, legal exposure, and unfavorable
publicity are considered to be:
(a) project risks.
(b) customer risks.
(c) organizational risks.
(d) personal risks.
2. (c)
3. If a risk does not properly fall under the jurisdiction of the project manager or the project
team, what should you do?
(a) Transfer the risk to the proper risk owner and monitor the risk.
(b) Take action if the risk is serious and consequences to the project are significant.
(c) Accept that the risk is not your business, and focus your attention elsewhere.
(d) Escalate any adverse decision to higher management.
3. (a)
4. The purpose of qualitative risk analysis is to:
(a) analyze numerically the effect of identified risks on project objectives.
(b) identify pure risks on projects.
(c) ensure all identified risks are fully analyzed and acted upon.
(d) analyze risks for probability and impact.
4. (d)
5. Advanced project management techniques such as PERT and the Earned value Method are
useful in performing:
(a) qualitative risk analysis.
(b) quantitative risk analysis.
(c) risk triage and filtering.
(d) qualitative risk identification.
5. (b)
64
4
Tools for Qualitative Risk Analysis
Learning Objectives
Identify research needs and strategies for qualitative risk analysis.
Implement qualitative risk analysis tools to define the level of current knowledge available to
determine probability and impact, establish range scales for risk probability and impact, and define
risk thresholds for different categories of risk.
Establish a risk scoring system using either words or numbers, and rank risks according to either.
Measure overall project risk for a project using three different techniques.
Update risk register data showing disposition of all identified risks and prepare a risk information
sheet for significant project risks.
Reading
40 minutes
Exercises
1 hour 40 minutes
Total Time
2 hours 30 minutes
QUALITATIVE RISK ANALYSIS TOOLS

As you filter the risks using qualitative risk analysis, you need to establish a common set of
terminology and process to ensure consistency and good results. In this chapter, well go into
additional depth about common qualitative risk analysis tools for assessing risk probability and
65
impact.
A common thread through this process is the importance of research. Since our goal is to
establish measurements of probability and impact, at least in rough terms, the obvious questions are
(1) how do we figure out the probability and (2) how do we figure out the impact? The latter is often
easier than the former. We may not know how likely it is that a machine will malfunction, but we do
know the replacement cost if we have to put in a new one. At the same time, some aspects of
impact are not so clear: damage to reputation, for example.
Where can you go to learn more about a given risk? depending on the risk, the possibilities are
numerous, and include:
Lessons learned files and historical data from previous projects

Test and evaluation results
Interviews with people who have knowledge or experience related to the risk
User surveys and customer satisfaction data
Industry data
Scenario analysis or simulations
Of course, theres often no end to how much investigation you can do, but theres a definite
limit to how much you should do. For the (hopefully) large percentage of risks classified as
probably accept (low in some combination of probability and impact), all you need to do is to
review them to see if there are any that deserve reclassification. Even when risks are important, you
may already have all the information you need readily available. Save your maximum energy and
effort for risks that are potentially very serious and not well understood.
Think About It
What specific sources of information can you think of that will help you learn more about the risks
you have to manage on your projects?
ASSESSING PROBABILITYAND IMPACT

Because projects are notoriously temporary and unique, we often dont have detailed information
to help us judge the critical questions of how likely a given risk is, and how serious its consequences
would be, should it occur. The information you have, of course, can change over time. Thats why
research is so important.
You cant always find out everything you ideally want to know, however, no matter how deep
youre willing to dig. Thats not necessarily a fatal problem when it comes to risk management. We
can live with uncertainty. What we cant afford is to get ahead of our actual knowledge and pretend
to a level of certainty that just isnt real.
Exhibit 4-1 defines the different levels of information you may have about the probability and
66
impact of a given risk at a given point in time. You will certainly learn more in the future. Through
research and systematic analysis, you can often know more now.
Its more common to have an exact figure for impact than probability, because many costs are
known and fixed. Unless youre dealing with a very small number of known possible outcomes
(heads or tails, for example), probability estimates usually describe a range more than a single point.
Establishing Ranges
Project managers frequently use a range scale rather than numerical values because that more often
reflects the honest level of knowledge available. To avoid confusion and misinterpretation (Is 40%
moderate? Is $1 million very high?), make sure you establish and use standard terminology.
Here are some considerations for establishing a scale for your risks.
xhibit 4-1
Levels
of Knowledge
1. How many levels in the range? Having more levels creates finer distinctions among risks. Do
you have enough information to support those distinctions, and if so, will the extra levels help
you prioritize risks more usefully? (Examples: Range of 1 (low) to 6 (very high); range of Low,
Medium, and High.)
2. Midpoint, or high/low? When you use an odd number of levels, one level represents the middle
probability around the 50/50 point. When you use an even number of levels, risks have to be
pushed into higher or lower categories because theres no middle. (Examples: A range of 16
does not have a midpoint; Low/Medium/High does.)
3. Equal or skewed distribution? The most logical approach might be to divide the range equally.
With four categories, each would represent 25% of the total probability. But that doesnt always
draw the best picture. If probability and impact are lopsided, a lopsided scale might be more
useful. (Example of skewed distribution (Probability): Low = 1-25%, Medium = 25%-50%,
High = over 50%. Skewed distribution (Impact): Minor = Under $1 million; Moderate = $1
million-$1.5 million; High = over $1.5 million.)
4. Numbers or words? numbers make it easier to calculate a risk score, but sometimes mislead
people into thinking theyre more precise than they really are. You can create a probability grid
using words, but words can also mislead because we hear the same words in different ways. In
teaching risk management classes, we often ask people to say what number comes to mind
when they hear the phrase moderately probable. Student answers have ranged from 18% to
67
87%. This means you should always define your terms.
Think About It
Do you currently use a risk scale? How does it relate to the criteria above? How does it work in
practice?
If you dont currently have a risk scale, how would you apply these criteria to develop one?
Risk Thresholds
Risk can be both relative and absolute. Relatively speaking, its worse to lose $1 million than to lose
$100,000. But if your affordable loss threshold is only $50,000, then in one fundamental sense, both
risks are identicalthat is to say, theyre both unacceptable.
A risk threshold is a maximum level youre willing to suffer for a particular type of impact:
financial risk (how much were willing to risk losing), safety (chance of physical harm to workers or
users were willing to accept), legal liability (vulnerability to lawsuits or other accusations), image
(risk that public perception will suffer), or career (chance that our personal advancement and job
security will suffer). You may need additional risk thresholds for the specific risk categories that most
affect your project or environment. If youre in the nuclear power business, theres a standard for
allowable risk of radiation leakage (very low). If youre in the airline business, theres a threshold for
acceptable flying weather.
Risk thresholds help the organization control its projects. If a risk violates a risk threshold in a
particular category, its automatically on the list of risks that must be managed. If the risk cant be
reduced enough to fall safely below the threshold, its up to the organizationnot the project
managerto decide whether the risk should be accepted, or whether the project should be
modified or cancelled instead.
Exercise 4-1Risk Thresholds

Establishing
For each of the following risk categories, develop a risk threshold appropriate for your organization
68
and your projects. Who would have the authority to make any exceptions?
Your projects and your organization often have specialized risk thresholds. What additional
categories would you consider adding, and how would you define them?
COMBINING PROBABILITYAND IMPACT

The risk formula, Risk = Probability Impact (R = P I), calculates the risk score, a measurement
of the value of a risk.
If theres a 40% chance of $1 million lost (or, for that matter, gained), the risk score is 40% of
$1 million, or $400,000. If the risk is losing $1 million, the implication is that if you can get rid of the
risk for less than $400,000, its probably wise.
If the risk is a 40% chance to gain $1 million, the same logic applies: if the opportunity costs
less than $400,000, the numbers are in your favor. (The opposite is, of course, not necessarily true.
Sometimes its wise to spend more than the raw value of the risk when other factors are at stake.)
When you move away from numbers, the risk score no longer provides a clear guide to how
much money you should consider spending, but it still has value.
69

The two ways to calculate risk scores without reasonably accurate probabilities or firm dollar
amounts for impact are (1) using words and (2) using a numerical scale.
Exhibit 4-2 shows how to combine word descriptions of probability and impact into a matrix
grid. The intersection of the probability and impact estimates tells you whether the risk should be
considered high, medium, or low. You can, of course, use different words, more or fewer words, or
different ranges for each word, depending on your preferences.
Exhibit 4-3 shows how to apply a numerical scale to create risk scores and rank risks. Weve
used a scale of 1-5 for both probability and impact, with higher numbers representing greater values.
You can, of course, use more or fewer numbers in the scale, or weight the results differently.
Note that we rank risks two ways in Exhibit 4-3, by descending order of risk score (highest
risk 1, second highest 2, and so forth), and separately by High, Medium, and Low. Both metrics
have value; you arent restricted to a single way to look at risk severity.
xhibitMatrix
4-2
Risk
xhibit 4-3
Rating
Scale
Scale (Probability and Impact): 1 (lowest) to 5 (highest)
Risk Score: Probability Impact = 1 (1 1, lowest) to 25 (5 5, highest)
High risks: scores of 3 to 5 in both probability and impact
Medium risks: scores of 3 to 5 in either probability or impact, but not both
Low risks: scores under 3 for both probability and impact
Risk Ranking: From highest risk score to lowest risk score
70
ExerciseRisks
4-2
Ranking
71
Use the risks you identified in Exercise 1-1 and rank them using the two methods illustrated in
Exhibits 4-2 and 4-3.
72
Are there any significant differences in how you rated the same risk in the two parts of Exercise 4-2?
Describe the difference and why you think you chose different ratings. Which score do you think
more accurately describes the value of the risk?
DEVELOPING A RISK RANKING FOR A PROJECT

Valuing and scoring individual risks is obviously important, but what about the overall risk ranking of
a project? often, thats what customers and senior management really want to know.
Total risk exposure can be measured in several different ways, and each of these ways may
provide you with a different answer. One simple method is to determine the overall risk exposure.
To do that, add up the risk scores. In Exhibit 4-4, weve done that using the information from
Exhibit 4-3. Notice that the answer (41) doesnt tell us anything unless we compare it to the
numbers for other projects. If total risk exposure for most projects were in the range of 30-50,
wed call this a moderately risky project. If the number for most projects were, say, 10, wed call
73
this high risk. And if the average score were closer to 100, the same project would be low risk.
An organization could also measure project risk by determining the maximum possible loss (or
gain) or by the presence or absence of risks that are above the risk threshold levels in a given
category.
Risks can also be measured by category and phase using a risk table approach. One such
approach is illustrated in Exhibit 4-5. Again, the number produced by this process is only meaningful
when you compare it to the number for other projects.
xhibitRisk
4-4 Exposure
Total
Risk
Score
15
10
TOTAL
41
xhibit 4-5 Total Project Risk

Measuring
In creating the following spreadsheet, we used a scale of 1 (lowest) to 5 (highest) for the total risk in
each category for each phase of the project. The maximum possible score (risk of 5 in every
category and phase) is 350. Here, the actual score is 162.
74
HIGHEST POSSIBLE SCORE

ACTUAL SCORE
RISK RATIO
350
162
162/350, or 46%
UPDATING THE RISK REGISTER AND DEVELOPING A RISK INFORMATION SHEET

At the end of this process, youve reviewed the risks in each of the risk triage categories, assessed
probability and impact, rated the risks more fully, and estimated the total risk exposure for the
project.
Now update the risk register you started preparing during the risk identification phase (Exhibit
2-1) by adding the disposition of each risk: accept it, transfer it, or act on it. For risks you accept,
youre donefor now. The risk register serves as a parking lot for identified but accepted risks.
From time to time, its a good idea to review the risk register to see if there are any risks that ought
to be revisited because of changes in knowledge or circumstances.
For risks you transfer, the question becomes how much involvement do you still need to have
with the risk? If its entirely out of your hands, and you neither have to help manage the risk nor
furnish information, then you just need to make a note on the updated risk register. If you will be
involved with the risk, or need to manage responses to the risk, then treat it as a risk you are going
to act on.
For all risks you are going to act on, you need more space than the risk register provides. A
risk information sheet allows you to document a risk in more detail and helps you manage it actively.
75
Exhibit 4-6 provides an example of a Risk Information sheet.

The top section of the risk information sheet repeats information from the risk register: risk ID,
probability, impact, risk rating, and risk description. Simply copy what youve already written
elsewhere.
The second section captures information from both qualitative and quantitative risk analysis and
provides background and understanding of the risk and its wider context. The risk response section
(which well get to later) is the detailed description of what you plan to do about the risk. As the
project moves forward, youll update the risk information sheet when its status changes, and end up
with a final disposition for the risk.
If you get past the point in which its possible for the risk to occur, and it doesnt, the risk is
closed. For example, if theres a risk the product wont pass testing, and it does indeed pass testing,
that particular risk no longer exists. If, on the other hand, the project does fail testing, then you have
to do whatever is necessary to respond to that failure. When you have done everything you can do,
and the risk has done all the damage (or benefit, if its an opportunity) its capable of doing, the risk
is also closed.
In Exercise 4-3, youll prepare a risk information sheet of your own.
xhibitInformation
4-6
Risk
Sheet
76
Exercisea4-3
Prepare
Risk Information Sheet
Using one of the risks you originally identified in Exercise 2-1 and developed in subsequent
77
exercises, prepare a risk information sheet using the form provided.
78
How much do you know about the risk? Levels of knowledge range from certainty to completely
unknown. The information you have at the outset, however, is not the same as the information you
will have after you do research.
Establish ranges for probability and impact when you dont have actual numerical values.
Establish risk thresholdsthe maximum level of allowable risk in a given category (financial, safety,
image, and so forth). You can calculate risk scores and rate the risks with words or with numbers.
To determine the overall risk ranking for an entire project (as opposed to an individual risk),
you can use the total risk exposure (sum of the risk scores), the maximum possible loss or gain, the
presence or absence of risks above the threshold level in any category, or use a spreadsheet to
compare risks in each category to each phase of the project.
Update the risk register with the final disposition of each risk (whether you accept it, transfer it,
or decide to act on it). For risks that require significant action, prepare a risk information sheet.
Keep the risk register and review the risks on it from time to time in case circumstances or new
knowledge cause you to reassess the potential seriousness of a given risk. Youll update the risk
register with risk response information and updated risk status as the project moves forward. At the
end, you will close risks, either because they did not occur (and can no longer occur) or because
they did occur and all the outcomes of the risk and risk response have happened.
79
Review Questions
1. You should close a risk under the following conditions.

(a) When the risk exceeds an allowable risk threshold
(b) When you have decided to accept the risk and take no further action
(c) When the risk register has been successfully updated
(d) When the project has reached the point the risk can no longer happen, or when all its
effects are finished
1. (d)
2. You need to establish a risk threshold when:
(a) there are a large number of risks in a given category.
(b) the potential cost of the risk exceeds the budget of the project.
(c) there is a maximum level of risk exposure that the organization is willing to accept in that
category.
(d) the risk involves legal exposure or safety.
2. (c)
3. When it comes to determining the level of knowledge available about a given risk, you should:
(a) use exact figures for impact and ranges for probability.
(b) establish levels based on the preponderance of the evidence, rated as low, medium, or
high.
(c) wait until quantitative risk analysis results are available before documenting any risk.
(d) put down what you know right now, even if its little or nothing, and research more later if
necessary.
3. (d)
4. To assess total risk exposure, you should:
(a) review all risks that exceed risk thresholds.
(b) count the total number of risks.
(c) add up the individual risk scores.
(d) determine the maximum potential amount that can be gained or lost.
4. (c)
5. If there is a 25% chance that a given event will cost the project $100,000, what can you
conclude?
(a) If the cost of eliminating the risk is less than $25,000, its probably wise to do so.
(b) If the cost of eliminating the risk is greater than $25,000, you should not take any action.
(c) The risk exceeds the risk threshold for the project category.
(d) The risk requires development of a risk information sheet.
5. (a)
80
5
Statistical Foundations of Quantitative Risk and
Cost Analysis
Learning Objectives
Define the Law of Large Numbers and the concepts of statistics and probability that derive from
it.
Explain the difference between probability and odds, and understand the roles each plays in risk
decision-making.
Apply basic rules of probability, including joint probability and union.
Prepare a distribution of outcomes and recognize types of normal distributions (wide, narrow) and
when a distribution is not normal.
Define the three measures of central tendency (mean, median, and mode) and calculate the
standard deviation of a normal distribution.
Estimate the probability of a given outcome based on its distance from the mean as measured in
standard deviations.
Recognize that a range of distributions may apply to a given risk analysis situation.
Reading
55 minutes
Exercises
40 minutes
Total Time
1 hour 45 minutes
81
QUANTITATIVE RISK AND COST ANALYSIS FUNDAMENTALS

Quantitative risk analysis, as previously noted, is the process of numerically analyzing the effect of
identified risks on overall project objectives. As the name quantitative implies, the key word in this
definition is numerically. Quantitative risk analysis is classical risk analysis, the probability-based
tools developed to assess risk in financial instruments such as insurance. As such, its a fundamental
part of cost analysis under conditions of uncertainty.
Quantitative risk analysis tools are normally applied to risks that our previous risk analysis has
shown to be significant. Quantitative risk analysis can also be used to provide a probabilistic analysis
of the likelihood of the project meeting its cost and time objectives.
The numerical aspect of quantitative risk analysis rests on a foundation of probability and
statistics. Not everyone who has responsibility for risk and cost analysis has a background in the
mathematical disciplines of probability and statistics, but some of the basic ideas from those
disciplines are essential knowledge for moving ahead in this course. In this chapter, we will explain
the basic concepts of statistics and probability as they apply to our topic.
If this is something you already know well, feel free to skim this chapter and move forward. If
statistics wasnt your best subject in school, or its been a long time since you studied it, this chapter
is for you. The more serious you want to be about formal risk management, the more knowledge of
these subjects you will need, so we strongly encourage further study. If you decided to skip our
review on your first reading and subsequently discovered that some of the later concepts in this
book dont quite compute, welcome back.
A Statistic
Theres no evidence that the Soviet leader Joseph Stalin actually ever made a statement frequently
attributed to him: One death is a tragedy; a million deaths is a statistic. In discussing classical risk
management, the reported stalin quotation does, however, reveal an essential truth: you cant divine
a trend or tendency from a single incident.
Stalin, for example, died at the age of 74 of (apparently) natural causes. What does that tell us
about the average life span (or common causes of death) in the Soviet Union at that time?
Obviously, not much. What if instead we gather information on the age at death and cause of death
for a million people living in the Soviet Union at that time? Well, now we really do have a statistic
sort of. Actually, its just a big pile of information, but it can be analyzed. The mathematical tools we
use to organize and interpret the data are known as statistics.
Depending on the amount and quality of data and the depth of our analysis, theres all sort of
information to be gleaned here. If we measure the age at death of those who die next year (and
know the cause of death), we can see if theres been a change, and if so, how big it is, whether its a
trend, and in which categories and in which directions the trend seems to be moving.
The same tools measure what we do about it. If we implement a Five-year Plan and want to
know how well its working, we can compare the actual outcomes to the previous trend. Are we
doing significantly better than we would have otherwise? The same? Worse?
As our pile of statistics grows and the quality and depth of our analysis improves, we can give
answers with greater confidence. What statistics cant tell us is the individual case: how long is
Soviet citizen imya Rek going to live?

The Law of Large Numbers (LLN) is a principle of probability theory. It argues that the larger the
sample population or number of trials, the more likely that the actual probability will converge with
82
the theoretical one. Roll a die a single time, and you dont get a distribution, but an absolute value.
Roll the die six times, and the actual results could be all over the map, with three of one number and
one of another. Roll the die 100 times, and the likelihood increases that the resulting distribution will
look like the theoretical one. (In this case, it wouldnt be a normal distribution, but a completely flat
one, because the probability of getting each individual answer is exactly the same, 1/6.)
Roll the die 1,000,000 times, and the chance the actual distribution will look like the theoretical
one approaches certainty. That still doesnt mean youll get identical results for each number rolled,
of course. In 1,000,000 trials, a 1/6 probability you should get 166,666.667 rolls of one, but of
course thats impossible. You can roll a one 166,666 times or 166,667 times, but you cant roll a
fractional result. And, as we learned in the last chapter, we still expect some random variation. If the
final results only diverge 0.1% from theoretical probability, a difference of 300 between the number
of rolls of one and the number of rolls of two would be utterly insignificant.

So far, weve assessed the probability of a risk event using qualitative methodswhich is to say,
weve made educated guesses, but havent done the math. Now, lets look at the mathematical
discipline of probability.
A science of probability didnt get started until relatively recently in human history, and its
arguably one of the foundations of our modern economic civilization. As weve seen, just about any
possible decision carries with it some degree of risk. Being able to quantify the risk is fundamental to
deciding to price and respond to it.
We owe the beginnings of our understanding of the mechanics of probability to a 16th century
physician and compulsive gambler named Girolamo Cardano, who first articulated the basic
concepts of probability in a book titled Liber de Ludo Aleae, or A Book on Games of Chance.
(Benjamin, 533-544) He first conceived of expressing probability as a fraction.
This self-study course follows a long tradition of illustrating probability through gambling.
Gambling provides us with an untainted theoretical environment with which to study risk. We know
the odds; we know the rules; we understand the mechanics of the game. We can measure our
expected loss before we put the first coin in a slot machine.
Of course, some people consistently win at gambling. These people are known as casino
owners. They are able to win consistently because they apply the rules of probability with great
precision to design games that provide a constant, measurable edge to the house.
Theoretical versus Actual
Its important to keep in mind that outside a casino, its different.
You often dont know the real probability, certainty not with any precision.
You may not know all the rules of the game, or all the factors that might affect the outcome.
You dont necessarily know that everyone is honest. Casinos seldom cheat because they dont
need to; the power to set the odds is more than enough. This is not always the case.
Some situations have a likelihood and impact of an upside that is far greater than any downside
risk: they are risks worth taking.
Risks are often linked to each other in ways that arent obvious. Variables arent always
independent.
Your choices matter. Approximately 80% of small businesses fail within five years of opening. A
small number of known causes account for the vast majority of failures; if you avoid those
mistakes, your odds of success are dramatically higher.
83
For all these reasons, theoretical probability doesnt always line up with actual probability.
Probability
A probability is expressed as a fraction: the number of desired outcomes divided by the number of
possible outcomes.
There are six possible outcomes if your throw a six-sided die: one, two, three, four, five, or six.
If you want to know the probability of rolling a three, three is one outcome out of six possible
outcomes. Therefore, the probability of rolling a three is 1/6 (0.167, or a little less than 17%).
By the same token, in a deck of 52 cards with four aces, the chance of drawing an ace at
random is 4/52 (1/13, 0.077, or a little less than 8%).
Odds
Odds measure the ratio of desired to undesired outcomes, as opposed to total outcomes. The
probability of rolling a three on a six-sided die is 1/6, but the odds of rolling a three are only 1/5: one
desired outcome compared to five undesired outcomes.
Imagine a game in which Player A will win $6 whenever a one is rolled, and Player B will win
$6 whenever any number except a one is rolled. To balance the game so that both Player A and
Player B have an equal chance of victory, you can adjust the financial stakes according to the odds:
Player A bets $1 each round and Player B bets $5 each round (making up the total pot of $6). Over
time, both players should end up with the same amount of money.
xhibitProbabilities
5-1
Basic
with One Six-Sided Die
Roll
Probability
Odds
1/6
1/5
1/6
1/5
1/6
1/5
1/6
1/5
1/6
1/5
1/6
1/5
BASIC RULES OF PROBABILITY

We now have two definitions: the probability of an event is the ratio of the number of times a given
result occurs divided by the total number of possibilities. There is one chance in six of rolling a three
on a six-sided die.
The odds of an event is the ratio of the number of times a given result occurs divided by the
number of times the event does not occur. The odds of rolling a three on a six-sided die are one in
five.
Exhibit 5-1 lists probabilities and odds for rolling a single die.
84
If you roll a six-sided die twice in a row, the outcome range becomes more complex. What is
the probability and odds of rolling two threes in a row? Exhibit 5-2 lists the possible outcomes from
rolling twice.
xhibitProbabilities
5-2
Basic
Rolling One Die Twice
First Roll
Second Roll
85
Rolling two threes in a row, as you can see, comes up one time out of 36 possibilities. The
probability is 1/36; the odds, accordingly, are 1/35.
Of course, listing every possible outcome quickly gets tedious, so mathematicians quickly
found an easier way to do it. As we already know, the probability of rolling a three on a single die
roll is 1/6. The probability of doing it a second time is also 1/6. Multiply the numbers together and
you get 1/36, the same answer as if you had counted them by hand. This is one of the rules of
mathematical probability.
Like other branches of mathematics, probability has its own symbols and terms. Exhibit 5-3
lists common examples.
Exercise 5-1
Probability
Practice
Imagine you are rolling a single six-sided die. Write your answers as fractions. What are the
probability and the odds that you will:
Probability
Odds
a. Roll a 4?
_______
_______
b. Roll a 2?
_______
_______
c. Not roll a 4 or a 2?
_______
_______
Now imagine that you roll two six-sided dice. What are the probability and odds that you will:
a. Roll two 4s?
_______ _______
b. Roll a 4 and then a 2?
_______ _______
c. Roll a 4 after having already rolled a 2?
_______ _______
d. Roll a 4 on at least one die?
_______ _______
e. Not roll a 4 on at least one die?
_______ _______
86
xhibit 5-3
Mathematical
Descriptions of Probability
Symbol What It Means
p(A)
The probability of Event A, represented as a number between 0 (impossible) and 1 (certain). The probability of
rolling a three on a six-sided die is approximately 0.17.
p(not
A)
The probability that Event A will not occur, also represented as a number between 0 and 1. This is also known
as the opposite or complement of an event. The probability of not rolling a three is approximately 0.83.
p(A)=1The chance that Event A will happen is equal to one minus the chance that it will not happen. The chance of
p(not
rolling a three is one minus 0.83, or 0.17.
A)
Joint probability or intersection. The probability that multiple events will happen.
p(A
B)
The joint probability that both Event A and Event B will happen. If the events are independent of one another,
then the joint probability is found by multiplying p(A) times p(B). The chance of rolling two threes is 1/6
1/6, or approximately 0.03.
Union. The probability that at least one event will happen.
p(A
B)
The probability that Event A or Event B will happen. If the events are independent of one another, the
probability of at least one happening is the sum of the chances, or p(A)+p(B). The chance of rolling at least one
three on two rolls is 1/6 + 1/6, or 2/6, approximately 0.33. (Yes, the case of double threes does count as a
situation in which at least one three is rolled.)
The probability that Event A will happen if Event B happens. Imagine a gambling game in which rolling double
threes entitles you to another throw. If you get double threes again, you win a large sum of money. If you have
p(A B) not yet thrown the dice, the probability is 1/36 1/36, or 1 in 1296, or approximately 0.00077. If, however,
youve already thrown double threes once, the probability of doing it again rises back to 1/36. The formula is
p(A B)= p(A B)/p(B)
DISTRIBUTION
In our dice example, probabilities are distributed equally. The chance of rolling a three is equal
to the chance of rolling a four, or indeed of any other number. If we roll two dice and add the
numbers together, however, the picture changes, as shown in Exhibit 5-4.
xhibitof5-4
Sum
Two Dice
First Roll
Second Roll
Total
87
10
10
11
10
11
12
88
xhibit 5-5 of Outcomes Rolling Two Dice

Distribution
As before, there are 36 possible outcomes for rolling two dice. Notice some numbers appear
more than once, and some more than others. The probability of a given roll varies, as shown in
Exhibit 5-5.
Notice that a roll of 7 has the greatest likelihood (6/36, or 1/6), and rolls of 2 or 12 are least
likely (1/36). Of course, the odds of not rolling a seven are still 30 in 36 (5/6), so most likely
doesnt automatically imply that it is in fact likely to happen. Its simply more likely than the other
possible outcomes.
We can visualize the information by displaying it as a graph, shown in Exhibit 5-6.
NORMAL DISTRIBUTION
Exhibit 5-6 is an example of a triangular distribution, with the highest value as the mean, and a
steady march downward at both ends.
As the number of data points grows larger, this kind of figure often becomes curve-shaped, the
famous bell curve known as the normal distribution. Its called the normal distribution not
because its superior to other distributions, but because it occurs very often in practice. (Theres a
mathematical concept known as the central limit theorem that explains why. The entry in the
glossary provides a link to more information if youre interested, but its not necessary for the
course.)
xhibit 5-6
Normal
Distribution
89
As weve established, theoretical probability doesnt automatically equal real-world

probability. Lets imagine we roll the dice 108 (36 3) times. Exhibit 5-6 suggests that we should
expect 18 (6 3) rolls of seven. If the actual tally listed 19 occurrences of seven, however, we
wouldnt be surprised, or think the dice were loaded. In a different set of 108 rolls, the actual
number of sevens might be 16, or 21, and no one would think of this as strange.
Occasionally, less probable outcomes will show up. If we keep rolling long enough, we may
encounter a case in which the number of sevens rolled jumps to a large number like 30, or another
case in which seven shows up only 11 times.
The more extreme the result, the more we start to suspect that non-random factors are at
work. Our basic probability rules say that if we have already rolled sevens 107 times in a row, the
probability of rolling a seven on the 108th try would be the same as it ever was: 6/36, or one chance
in six. But the chance that will happen honestly is a little less than one chance in ten followed by 85
zeros. Far more probable is that youre playing with loaded dice. In that case, of course, the
probability of rolling a seven on the 108th roll is what its been all along: 100%.
In other words, if the actual number is pretty close to the theoretical number, we are inclined to
think the variation is random. If the actual number varies a lot, we start to regard the difference as
significant. Theres usually a reason for a significant difference. Finding and managing reasons for
such differences is a lot of what risk management and cost analysis is all about.
Common sense is often enough to identify significant differences, but it can also be misleading.
A host of cognitive biases (Dobson, Random Jottings 6, 2011) distort our understanding and
judgment when it comes to risk. Probability and statistics provide tools to help you measure and
define significance in objective ways. In a normal distribution, we are interested in measures of
central tendency, which provide information about the data at hand.
90
Two statisticians shot at a target. One missed to the right, the other to the left. On average, the first
statistician said, we hit it. Of course, a statistician knows that the average is not necessarily the
most meaningful measure.
The average, or mean, of a group of numbers is easy to find. You add up the numbers and
divide by the number of entries. To find the average of $1, $5, $7, and $9, start by adding
$1+$5+$6+$9=$20, and divide the result by four, the number of items in the list: $20/4=$5. The
average is $5. If we say, They have about $5 apiece, that gives a reasonable picture of the relative
wealth of the group.
As in the case of the target-shooting statisticians, the average is not always the most useful
number. If an imaginary country has three citizens, one of whom makes $1 million and the other two
make $1 apiece, the average per capita income is $333,334. If we say, They make about
$333,334 a year, however, were obscuring the fact that two-thirds of the citizens are starving. The
high average income number doesnt help us see the full picture.
We can add the median to the discussion. The median splits the range in the middle, so that
half the values are above it and half below it. In the case of $1, $5, $7, and $9, the median is $6,
because two numbers are below the median and two are above it. The mean is $5; the median is $6.
When the median and mean are this close, either number reflects the relative wealth in a useful
fashion.
In the case of $1, $1, and $1,000,000, the median is $1. Theres one number above and one
number below. In the case of $1, $1, and $1,000,000, notice that the mean is dramatically greater
than the median. The median income reveals the extreme poverty in our imaginary country, but now
it obscures the fact that there is an extreme wealth difference on the right side of the income scale.
Identifying both mean and median provides a more complete insight into the data.
The mode is the number that occurs most often. In the first instance, each number only occurs
once. But in the second example, the mode is $1: it occurs twice, whereas $1,000,000 only occurs
once. When the mode is close to the mean and median, any of the numbers convey a similar
impression. If the mode is somewhere else, then there may be a reason for the unusual spike.
These three are known as measures of central tendency. In other words, they tell us what the
middle of the distribution looks like. In some cases, the three measures are close together or
identical; in other cases, the three measures can be dramatically different.
Normal and Other Distributions

In a normal distribution, values tend to cluster around the center, with fewer incidents at the extremes
of the range. If youre trying to find out if an observed difference is actually significant, you want to
analyze its distribution.
Lets imagine we have a big pile of six-sided dice, and we suspectbut dont actually know
that some of them are loaded so that sevens will always result. Testing the dice with physical means
will break them, which we dont want. Fortunately, we can also test them using probability.
So, we design a dice-rolling machine, and feed the dice in two at a time. The machine rolls
each pair 100 times, and counts the number of times a seven comes up. By the time we finish, we
record data on 1000 different pairs. Lets first imagine that we get the results shown in Exhibit 5-7.
In analyzing the distribution in Exhibit 5-7, the number of sevens rolled goes from a low of 8 to
a high of 31. The majority of times the results appear pretty close to 18, which is, as youll recall, the
expected outcome for 108 rolls, and there are only a few cases of extreme results on both ends. Its
not perfectly textbook smooth, but thats because its actual probability rather than theoretical. The
slight irregularities in the shape dont provide a reason to suggest anything fishy about the dice.
Now lets imagine that we got very different results instead, as shown in Exhibit 5-8.
91
How should we interpret this distribution? For one thing, the range of outcomes is now
dramatically skewed to the right. That is, there are more out-liers on the right side of the range
including one case of 100 sevens. We know immediately that at least two dice are loaded, and we
want to look at the other pairs that are implicated in extremely large numbers of sevens.
xhibit 5-7 a Normal Distribution

Analyzing
But did we catch them all? We could rerun the test to find out. Does the new distribution look
more like Exhibit 5-7 or Exhibit 5-8? if we see the normal distribution emerge, we suspect that we
got them all. If the distribution continues to be lopsided, we need to keep looking.
In our thought experiment, the differences were so obvious that common sense was sufficient
to tell the difference. But sometimes common sense can mislead, or the differences between
distributions are subtle. Heres how to do it with math.
xhibit 5-8 a Skewed Distribution

Analyzing
92
Standard Deviation
The standard deviation is the mathematical measurement of the variance in a given normal
distribution. It tells us whether the range is spread out or bunched up, and it tells us whether an
observed difference is within the normal wobble or whether it rises to the level of statistical
significance.
xhibit
5-9Narrow Normal Distributions
Flat
and
93
The standard deviation is represented by the Greek character , the little sigma. (The big
sigma, , normally represents sum.) Standard deviation measures the degree to which a normal
distribution is bunched up or spread out. Lets look at two more normal distributions. Exhibit 5-9
shows two normal distributions. The top one is a flat normal distribution, meaning the numbers are
spread out over a wide range. On the right is a narrow normal distribution, meaning the numbers
are bunched together in a comparatively narrow range. (As you can see from its shape, this
particular example may be better described as a triangular distribution.)
xhibit 5-10
Standard
Deviation
= Standard Deviation
= Sum total of what follows
d2 = The square of the deviation from the mean for each case
94
N = Total number of cases

= Square root
xhibit 5-11 Standard Deviations

Calculating
95
The standard deviation calculates how far away a number has to be from the median before it
becomes significant, suggesting a real difference as opposed to natural random variation. Exhibit 510 provides the formula.
Now, lets compare the standard deviations of the two figures. Well create a spreadsheet to
make the math easier, as shown in Exhibit 5-11.
Exercise 5-2
Calculate
a Standard Deviation
In this exercise, youll calculate the standard deviation of the normal distribution from Exhibit 5-7.
While you can do it by hand or with a calculator if you wish, we recommend using a spreadsheet
program for speed and accuracy.
96
Whats the value of knowing the standard deviation? Well, if the difference between the actual
probability and the theoretical probability is within a standard deviation (plus or minus) of the mean,
then its not considered statistically significant.
Imagine that the sales in your department increase by $25,000 over the previous month. The
question is whether that $25,000 is significant or if its just random. If the standard deviation is, say,
$10,000, then $25,000 is a real increase in sales. But if instead the standard deviation is $100,000,
then a given months variation of $25,000 is within the expected normal rangenothing to write
home about.
xhibit 5-12
Percent
of Cases within 1, 2, and 3 Standard Deviations in a
Normal Distribution
97
CREDIT: Standard deviation diagram, based on an original graph by Jeremy Kemp, 2005. Licensed under the Creative
Commons Attribution 2.5 Generic license; downloaded from Wikimedia Commons on 11 January 2011.
We divide the range into thirds, covering one, two, and three standard deviations from the
mean. Each range has an associated probability, shown in Exhibit 5-12.
In any normal distribution the farther the distance from the mean of any given variable as
measured in standard deviations, the more significant.
This, by the way, is where the name Six Sigma, referring to the quality discipline, comes
from. If errors are so rare they happen only with 6 frequency, then theyre very rare indeed,
working out to somewhere around one error per one million operations.
OTHER TYPES OF DISTRIBUTIONS

Normal distributions are commonly found in nature, but theyre far from the only kind. An
exhaustive list is beyond our scope, but some other distributions include:
Bernoulli distribution
Binomial distribution
Degenerate distribution
Discrete uniform distribution
Hypergeometric distribution
Extended negative binomial distribution
Geometric distribution
Logarithmic distribution
Parabolic fractal distribution
Continuous uniform distribution
Triangular distribution
Chi-square distribution
Pareto distribution
98
You can find a list of probability distribution functions and illustrations of what they look like by
searching list of probability distributions on Wikipedia.
Different types of distributions suggest different ideas about how to interpret the data. Although
normal distributions are very common, its not a good idea to assume that any distribution of
outcomes will automatically fall into that pattern.
Many standard tools of risk management apply concepts from probability and statistics. Probability
rests on the idea of the Law of Large Numbers, the idea that the larger the sample population or
number of trials, the more likely that actual probability will converge with theoretical probability. We
often cannot predict the outcome of one single case, but the Law of Large Numbers allows us to
predict the range of likely outcomes of many cases.
If the measure of a risk is the probability of its occurrence times the impact if it does occur,
how do you figure out the probability? Probability is defined as the ratio of the number of desired
outcomes to the number of total outcomes. The odds are slightly different: the ratio of the number of
desired outcomes to the number of undesired outcomes. Theoretical probability is different from real
probability. Flipping a coin 100 times will probably not result in exactly 50 heads and exactly 50
tails. If the number of heads is slightly greater or less, its no big deal. If, however, youve just flipped
99 heads in a row, at some point youre likely to start assuming the coin is rigged.
The chance that both Event A and Event B will happen is measured by multiplying the
probability of Event A times the probability of Event B. The probability that Event A or Event B will
happen is measured by adding the probability of Event A to the probability of Event B. The
probability that Event A will happen if Event B happens is measured by multiplying the probabilities
of Events A and B and dividing the result by the probability of Event B.
When you combine multiple independent variables (for example, by rolling two dice instead of
one), you get a distribution of outcomes. Measures of central tendency help illustrate the nature of a
particular distribution. The most common measures are the mean, the median, and the mode. In a
normal distribution, all three values tend to be close to the center.
Normal distributions can be wide or narrow, depending on the range. The standard deviation
measures the width of the distribution, and thus helps reveal whether a particular result is merely
random variation or potentially significant. Most results (roughly two-thirds) tend to fall within one
standard deviation (plus or minus) of the mean of a normal distribution. The greater the distance
from the mean, as measured in standard deviations, the more likely it is that a given event is
statistically significant.
In addition to normal distributions, there are many other sorts of distributions. Each provides
the opportunity for insight, which is why it is such an important topic in risk and cost analysis.
99
Review Questions
1. What are the odds of getting three heads in a row on three flips of a coin?
(a) 1/7
(b) 1/6
(c) 1/8
(d) 1/3
1. (a)
2. If a particular result is three standard deviations from the mean in a normal distribution, it
should be considered:
(a) proof that somethings wrong.
(b) statistically significant.
(c) normal.
(d) evidence that the distribution is not normal.
2. (b)
3. In a normal distribution, what percent of the results tend to fall within one standard deviation
from the mean?
(a) over 95%
(b) 50%
(c) All of them
(d) About 2/3
3. (d)
4. Three measures of central tendency are the mean, the median, and the mode. The mode is
defined as the:
(a) arithmetic average.
(b) square of the distance from the mean.
(c) most commonly occurring number.
(d) point that divides the range evenly.
4. (c)
5. The probability of rolling two sixes in a row with a single six-sided die is:
(a) 1/36.
(b) 1/35.
(c) 2/6.
(d) 6/36.
5. (a)
100
6
Risk Cost Analysis
Learning Objectives
Apply the fundamental risk formula of R = P I to an actual risk situation.
Define risk cost analysis, contingency allowance and reserve, and risk premium.
Identify whether a given risk has a high or low degree of variation and apply the appropriate
strategy in preparing to manage it.
Conduct a risk cost analysis and extrapolate the effect of different risk outcomes, using concepts
of standard deviation, secondary risk, residual risk, and black swan events.
Apply exclusion, capping, and reinsurance as strategies for managing black swan risk and extreme
risk fluctuations.
Reading
1 hour
Exercises
1 hour
Total Time
2 hours 10 minutes
INTRODUCTION TO COST RISK ANALYSIS

The last chapter covered basic concepts in probability and statistics, the foundation for classical risk
analysis. Statistics allows you to analyze large amounts of existing data and identify pattern.
Probability gives you a glimpse into the uncertainties of the future. It is hard to overestimate the
101
impact of classical risk analysis and risk management in the development of our modern economy.
Classical risk analysis provides a rational process for takingor avoidingrisks.
Risk and cost analysis were joined together at birth. Its hard to imagine a modern economic
civilization without the ability to quantify and price risk. Insurance, for example, is risk management
in action. So is safety engineering, as the Titanic designers unwittingly demonstrated.
Risk historian Peter Bernstein is emphatic: Without a command of probability theory and other
instruments of risk management, engineers could never have designed the great bridges that span our
widest rivers, homes would still be heated by fireplaces or parlor stoves, electric power utilities
would not exist, polio would still be maiming children, no airplanes would fly, and space travel would
just be a dream. Without insurance in its many varieties, the death of the breadwinner would reduce
young families to starvation or charity, even more people would be denied health care, and only the
wealthiest could afford to own a home. (Bernstein, 63-73)
CLASSICAL RISK
To decide what, if anything, should be done about a given risk, you have to figure out what the risk
is worth. As weve learned, the fundamental formula is R = P I: the value of a risk is the
probability of its occurrence times the impact if it does occur. When the probability is known and the
impact can be quantified financially, valuing a risk is rather straightforward: if theres a 10% chance
of losing $10,000, the value of the risk is $1,000. If the cost of doing away with the risk is less than
$1,000, theres a presumption that this would be a good investment. (Your mileage, as well see,
may vary.)
In our gambling thought experiments (and assuming honest dice), we were able to calculate
odds and payoffs well enough to estimate the likely return on our playing investment. Classical risk
analysis emphasizes the statistical and probability mechanics of large numbers.
As weve noted, real life isnt always cooperative when it comes to providing good data. While
we may sometimes know the potential impact of a risk quite precisely (if our new product fails, we
will lose the money we have invested in it), in real life measuring its probability (how likely is it that
our new product will be a hit?) is not so simple.
We could look at rates of general market acceptance of new products; we could look at our
own history of new product introduction; we could look at indicators of economic growth; we could
compile consumer survey data; we could look at the quality of our product and marketing plans. All
this information could help us develop an estimate of probability. The resulting number might be
useful, but its hardly solid. We dontwe cantknow until the market renders its verdict.
Even worse, if its a project we havent done before, we may not have any historical data on
which to base an estimate in the first place. In addition, theres unquantifiable uncertainty, the
unknown unknowns, made famous by former Secretary of Defense Donald Rumsfeld. There are
indeed things that we do not know that we do not know. Of course, thats not nearly the same thing
as being helpless to do anything about it.
RISK COST ANALYSIS

For our purposes, risk cost analysis is the process of analyzing the range of potential costs and
benefits of particular risks, and using the analysis to calculate a value for that risk. The purpose of
risk cost analysis is twofold: to incorporate risk-related costs into estimates and budgets, and to
evaluate the financial impact of various strategies to accept or mitigate them. In short, to cost analyze
a risk, we have to understand it, decide how much its worth, and compare that to the cost of doing
102
something about it. Risk cost analysis doesnt automatically turn into a decision, but its important
input.
This discipline has elements of both science and art. The science part consists of the
mathematical tools weve been studying. The art part is deciding how much weight to give various
factors in reaching your decision. If youre doing the risk cost analysis, it doesnt automatically mean
youll be making (or even recommending) the decision; that may belong to someone above you in
the organization.
Lets learn how its done. In this chapter, well deconstruct the steps in a risk cost analysis
using the tools of classical risk management.

In the same way that gambling serves as a useful model to illustrate basic probability, insurance
provides a model for the process of risk cost analysis. No matter what your field or what kind of
risk you need to analyze, youll apply some of the same principles and concepts that an insurance
company would use to set its premiums.
We think of insurance as a specific category of financial product, but in a broader sense,
insurance describes any money we spend to insulate ourselves from some of the impact of
experiencing a particular risk. If we buy insurance against a particular risk, were protecting
ourselves against part of the impact of the riskin this case, the financial impact. If we spend money
on a safer car, were also protecting ourselves against the impact of an accidentthis time literally;
we are reducing the amount of damage suffered by the occupants of the car. If we spend money to
send our children (or ourselves) to drivers education classes, we are lowering the probability of an
accidentwhich is why your insurance premiums are often lower if you have taken drivers
education classes.
We build insurance into many different kinds of financial transactions. For example, when you
borrow money, the price of that money (the interest rate) includes a provision for the risk that youll
default and not pay at all. If youre seen as having excellent credit, the risk is lowered, and the
interest rate normally reflects that. If, on the other hand, your credit scores are poor, the risk that
you wont pay back your loan increases, and so does your interest rate. You wont see that number
broken out as insurance, but in effect, thats what it is.
Risk, remember, measures uncertainty. Most people with poor credit do in fact pay their bills,
and even people with great credit sometimes dont. The insurance part of your interest rate isnt
about you personally: its the law of large numbers. What is the expected default among people
whose characteristics are similar to yours? If the pool youre in has a higher default rate, you get
assessed your share of the total risk, no matter how virtuous your own personal attitude toward your
obligations.
If groups are not carefully and thoughtfully defined, you can make important mistakes. You may
be looking at a secondary factor rather than the actual risk, or failing to see a root common cause.

In project management, an equivalent to insurance is often expressed as a contingency allowance,
extra money (or extra time) to compensate for known risks. If the price of raw materials normally
fluctuates within an expected range, you may pay more or less depending on what day you place the
order. If neither the day you make the purchase nor the price you will have to pay are under your
control, you need to build extra money into the cost estimate in case the price that day is on the high
side of the expected range.
Some authorities distinguish between a contingency allowance and a contingency reserve,
103
which is money or time set aside for unknown risks. If supplies of the needed material suddenly
quadruple in price because a war has broken out where most of the stocks come from, thats far
outside the normal fluctuation. In practice, the terms are often used interchangeably.
Whether your organization distinguishes between the two types or not, its a valuable distinction
for you to make. Many organizations resist providing a formal contingency allowance, fearing that it
will become the project managers private slush fund. If you estimate materials costs using a number
at the higher end of the normal range of fluctuation, however, its more likely to be perceived as a
legitimate response to risk.
PRICING INSURANCE RISK

When it comes to insurance, both buyers and sellers have an interest in getting the numbers right.
The cost of any insurance includes the following:
The value of the risk itself (probability times impact)

The cost of doing business (overhead, cost of marketing and sales, financing costs, salaries)
The profit the insurer hopes to make
The value of any investment income the insurer receives from its reserves of cash
Insurance companies each have their own ways of measuring and valuing their risks. There are
different sets of data available and different ways to segment a population. One insurance company
may be willing to accept more or less risk for itself, or to price more or less aggressively to win
business.
If the insurer values the risk incorrectly, there are potential consequences to both parties. If the
pricing of the risk is too high, you may go elsewhere for your insurance. If the price is too low, the
insurer could end up unable to pay legitimate claims and even go out of business. This does neither
the insurer nor the insured any favors.
The professional who prices the risk is known as an actuary, and the discipline of doing so is
known as actuarial science. no matter what your discipline, if risk is part of your environment,
knowing a little something about actuarial science is important.
Risk Premiums
Because the cost of the risk itself is only one element in establishing the price of insurance, someone
who buys insurance always pays a risk premium. The risk premium is the difference between the
price of the policy and the underlying value of the risk itself.
Depending on the seriousness of a given risk, its not inappropriate to pay a risk premium, but
a good risk manager and cost analyst always wants to know how much that premium is going to be.
A particular insurance policy may be a very good value, but you dont know unless you check the
loss ratiohow much the insurer pays out in claims for each dollar it takes in. If the loss ratio is too
high, the insurer may not be healthybut if its too low, youre overpaying.

Lets analyze the risk process and risk decision for an insurance company, using the data and
assumptions in Exhibit 6-1. For now, were only concerned with the base value of the risk, not the
additional costs or profit the insurance company will use in calculating the final premium charged to
customers.
The accident figures in Exhibit 6-1 are per 100,000 policyholders. With one million
104
policyholders, we expect ten times as many accidents. Our mean, therefore, changes to 1,000. The
base value of the risk is the probability (1000/1,000,000) times the impact ($10,000), which works
out to 0.1% $10,000, or $10. To pay the cost of claims (1,000 $10,000 = $10,000,000), that
implies the insurer needs to collect $10 from each policyholder to pay for the risk it is assuming. The
base value of the risk is therefore $10.
As Exhibit 6-1 shows (and as our understanding of probability would lead us to expect), the
number of actual covered incidents varies each year. In some years, the insurers payouts will be
higher than expected, and in some years lower. Random fluctuation suggests you may from time to
time go through several years in a row with above average payouts.
If youre the insurer, how do you manage this uncertainty? If its small enough, perhaps the
ordinary cash flow of your business is enough to cover it. You may have other money you can draw
on temporarily. This money may be capital, whether investor-furnished or retained from previous
profits; it may be a line of credit, in which you draw money out or pay it down as a way of
dampening out the effect of the fluctuation; or you may choose to change the price of the risk.
xhibit 6-1 for Insurance Case Study

Assumptions
Risky Business Insurance Company
Policy Holders: 1,000,000
Payout:
$10,000 benefit for each covered occurrence
Actuarial Data:
105
In our example, the standard deviation is very small: 0.63. The total range goes from 90 to 110
events per 100,000, which would affect your payout by a maximum of $100,000, which amounts to
only 1% of the total pot. Still, you could easily have two or three down years in a row, meaning
youd have to pay out $300,000 more from your risk pool than youre collecting in premiums.
Where will you get the money if that happens? If the variance is small related to the company
(1% in this case), your cash flow may allow you to pay your claims with no problems. The larger the
potential variance compared to your total revenue, the bigger a problem you have.
Insurance companies raise investment capital, obtain lines of credit, and keep reserves on
hand. Some categories of insurance companies are regulated, meaning that they are required by law
to meet certain conditions to ensure they can pay their claims. Other categories of insurance are not
regulated, and the companys leadership has to decide the desired balance between risk and
prudence.

Now lets imagine what would happen if the range were wider. Instead of a range of 90-110
accidents per 100,000 insured, lets say we have a range of 50-150. In Exercise 6-1, youll refigure
the base value of the risk based on changed assumptions. In Exercise 6-2, youll use that information
to calculate the impact of the wider range on the companys financial position.
ExerciseAccident
6-1
Greater
Variation
Calculate the mean and standard deviation based on the changed data from Exhibit 6-1 as provided.
106
Exercise Income
6-2
Premium
and Claims Outlays
Calculate the net income or loss by comparing premiums charged by the insurance company to
claims paid by the insurance company.
In doing these exercises, we notice the following. First, the mean (100) is unchanged from
Exhibit 6-1, but in a bad year for accidents, the insurer could be on the hook for as much as
$15,000,000, with only $10,000,000 in premiums to pay for it! A few years of losing
$5,000,000/year could be seriously damaging to your financial health.
In planning for costs and risks, you have to account for this much higher degree of variation.
Somehow, you have to make sure you have the cash on hand. You could use capital, either investors
or retained profits. You could establish a line of credit. And, of course, you can increase the
premium your policyholders need to pay.
107
Adding Standard Deviation to the Price of a Risk

When the potential range of outcomes is wide, risk managers can add safety margin to a project.
The greatest safety would be to charge the maximum value of the risk. In this case, that would mean
we use the highest number, 150 per 100,000, in the R = P I equation. The value of the risk
becomes (150/100,000) $10,000, which reduces to 0.15% $10,000, or $15.00. You should
always be able to pay your bills, and usually make a healthy profit, but you may find your market
share eroded by people whose risk premium is less steep than yours.
Alternately, you can use the standard deviation as a framework for determining an appropriate
safety margin. As you found in the exercise, changing the range of accidents also increased the
standard deviation fivefold, from 0.63 to 3.25.
As noted earlier, theres about a 68% chance the real number of accidents will be no greater
than 1 above the mean and a 95% chance it will be no greater than 2. (Yes, the standard
deviation is plus-or-minus, not just plus. In this case, were only interested in the higher side,
because we cant afford the risk of paying out an extra $5,000,000 in a bad year.)
Lets look at adding 1 to the base value of the risk. This means you would now value the risk
on 103.25 accidents per 100,000 rather than 100, and that changes your premium by 32.5.
Rounding up, that means a premium of $10.33. That looks much better to the customer than $15.
The question becomes, what happens to our expected outcomes?
Exhibit 6-2 updates the information you calculated in Exercise 6-2 showing the effect of the
change in pricing. As you can see, this change in risk pricing adds $3.6 million to the bottom line
over eleven years and reduces the net impact of bad years. Youre ahead six years out of eleven,
and in two of the four losing years, the loss is less than 10%. This corresponds reasonably well to
our theoretical value of 68% for 1.
Is that good enough? Well, you dont necessarily have to stop at 1. If, say, human life were at
stake, you might decide that safety considerations warranted adding margins of 2, 3, or even 6,
until you decided that you had done everything appropriate for the specific situation.
Your choices are limited, of course, by the money you have or can get, or the nature and
competitive demands of the marketplace in which you operate. To compensate, theres the benefit
you and customers might gain from higher degrees of safety. One size never fits all when it comes to
deciding how much safety margin is appropriate. Risk cost analysis merely measures the amount its
going to cost.

So far, the risks we have discussed are primary risks. The primary risk is the risk that is the subject
of our initial concern. What we choose to do about that risk may itself be risky. The risk in our
proposed solution is called secondary risk. If we arent able to get rid of all the primary risk, whats
left over is known as residual risk.
xhibit 6-2
Effect
of Premium Change on Net Income (Loss)
108
Secondary Risks
A secondary risk is a risk that comes into existence as a result of your attempt to solve the original
risk. The purpose of buying insurance is to transfer some portion of financial risk associated with an
event to someone else. But what happens if the insurance company goes bankrupt? Thats a
secondary risk, because the harm of the insurer going bankrupt only affects you if you bought
insurance in the first place.
Heres another secondary risk. The insurer, as weve mentioned, may invest some part of the
pool of insurance premiums in the hope of making additional money. If the investments are
successful, the company can lower prices to be more competitive or it can pocket the money as
profit, or (often) some combination. On the other hand, if the insurance company loses money on
those investments, the company has less money for claims and expenses, and may also be unable to
meet its obligations. (This is why insurance companies often have regulatory restrictions on the type
of investments they are allowed to make with their cash reserves.)
Like primary risks, secondary risks can be managed. If youre shopping for insurance, you
might look at an independent rating agency like A. M. Best for measures of the risk that an insurer
might be at risk of bankruptcy. For the risk that an insurer might make poor investments,
governments often regulate and restrict what insurers may invest in, and how much cash they must
keep on hand to meet their obligations.
Sometimes, the proposed solution can be worse than the original risk. Unless you pay attention
109
to the secondary risk of your proposed solution, you can make things worse.
Residual Risks
The residual risk is whats left over after you have taken action on the primary risk. For example,
many times when you buy insurance, you select a deductible. The deductible is the part of a covered
event the insurer wont pay for. Because the number of small accidents is often greater than the
number of big accidents, the insurer is often willing to provide you with a discount for choosing a
higher deductible, because they save money in two ways, by not paying (or paying less) for some
events, and by avoiding the cost of processing the claim, which can be considerable.
If you have a deductible, its still insuredby you. You are retaining the residual risk. If you
do nothing, all the risk is residual risk. If you are able to eliminate the risk altogether, you have no
residual risk. Usually, you end up somewhere in between.
Black Swan Events

In Exhibit 6-2, we identified that the fewest number of accidents in any year was 50 in 100,000, and
the greatest number of accidents in any year was 150 in 100,000. In 11 years of measurement, no
value has gone outside that rangebut that doesnt mean its not possible. If theres a 100 Year
Event, theres a good chance it wont appear at all in the records we have.
Imagine what would happen if in a given year, our hypothetical insurance company was
confronted with not 150, but 1,500 accidents per 100,000? No one expects it; its highly
improbablebut for all we know, it could happen. Thats known as a black swan event.
As it applies to risk, the term originates with financier-philosopher Nassim Nicholas Taleb in his
book of the same name (Taleb, 2010), and refers to events that are high-impact, hard to predict, or
rare. The term black swan goes back to the Roman poet Juvenal, referring to something that does
not exist, because in the Western world, all known swans were white. In 1697, much to the surprise
of European ornithologists, Dutch explorer Willem de Vlamingh discovered black swans in western
Australia. From that point on, black swan no longer meant impossible, but suggested that
perceived impossibility might turn out to be true.
One kind of black swan event, then, involves a flaw in our knowledge. Other black swan
events involve things that are known to happen, but are extremely rare. Theres not much chance
youll win the lottery, but its certain someone will.
A third category of black swan events include those that are completely unexpected, but were
not considered impossible. On September 12, 2001, one of the authors of this book was scheduled
to speak at a project management conference in Chicago. In the aftermath of the 9/11 attacks, there
was of course no way the conference could go forward, at no doubt great expense to its organizers.
Of course, no one in the management of that conference would have put terrorist attack on its list
of risks to be managed, and even with 20-20 hindsight, no one would suggest that was somehow a
failure to exercise due diligence. Unfortunately, that didnt save them from the consequences. In
planning for risk, you cant afford to ignore the possibility of something completely upsetting all your
assumptions.
Three basic strategies for managing black swan risks are exclusion, capping and reinsurance.
Excluding Risks
Under what circumstances would we see a tenfold increase in accidents? We might think of natural
disasters, wars, or other circumstances that would dramatically change our risk landscape.
Because of the magnitude of such events, insurance companies often exclude them. Categories
of exclusion often include natural disasters, terrorist attacks, or wars. In a legal sense, an act of
110
God is something so overwhelming and uncontrollable that it excuses one or both parties from an
obligation they otherwise would have to fulfill. In effect, the policyholder is now self-insuring that
extreme risk, because he or she will have to pay the cost of loss personally.
Contract negotiation often involves substantial risk management because many important
contract issues involve allocation of risks. What if the customer wants to change something in the
statement of work? What if the product doesnt perform as expected? What if unexpected problems
crop up?
Capping Risks
Another strategy is capping risks. In the conditions of an insurance policy, the insurer agrees to pay
$10,000 per covered event. Perhaps an individual policyholders losses are greater; perhaps they
are less. Either way, however, the policyholder gets $10,000. By limiting the amount the policy is
going to pay, the insurer caps its risk exposure on an individual claim. The policyholder, by definition,
self-insures any excess risk.
If you ask an insurer for a $1 million policy rather than a $10,000 policy, the insurer may be
unwilling to write the policy for fear of not being able to pay the potential losses. Instead, the insurer
might accept the premium and share it with other investors, each assuming one piece of the risk
(known as treaty insurance). If the insurer has to pay the claim, it will collect from all the other
investors. (The originator of the treaty usually pockets an extra share of the money for the work
involved in selling and managing the treaty.)
When you buy insurance, youre also capping your risk. If you have a $500 deductible on your
car insurance, you are capping your personal out-of-pocket costs at $500 per occurrence.
Reinsurance
Insurance companies almost always buy insurance themselves. The practice is known as
reinsurance, and its a way to offset risk. Treaty insuranceoffsetting your risk by bringing in
additional insurersis one kind of reinsurance.
Adding 1s to the value of the risk lowers the probability of negative years and the cost of
negative years by a slight amount, and increases the probability that over time, the companys profits
will increase. That still may not be enough to cope with the potential loss of $4.7 million in a given
year, and its definitely not enough to cope with a black swan event disaster.
Depending on our cash reserves and the cost of the reinsurance, we might offset some or all of
that risk. For example, if we felt we could handle losses of up to $750,000 (a bit less than 8%)
ourselves, we could buy reinsurance that paid the difference whenever claims in a given year
exceeded $10,750,000.
Whats a fair risk price for the reinsurance? In Exercise 6-3, your job is to figure out the base
price of the risk for the reinsurer.
Exercise
6-3
Pricing
Risk
Use the estimates from the table to answer the questions.
111
a. Reinsurer will pay the excess if total outlays for any given year exceed $10,750,000, with a
maximum payout of $5,000,000 in any year. What will the reinsurer need to charge to cover the
base value of the risk according to the information we have about the last 11 years?
b. What additional factors can you think of that the reinsurer would need to consider in establishing
a fair value for the risk it is taking on?
1.
2.
3.
4.
5.
c. If we want a policy in which the reinsurer covered losses up to $10,000,000 rather than
$5,000,000, how would you price the excess risk?
d. If the reinsurers overhead and sales costs equal 25% of the value of the risk, and the reinsurer
has a profit target of 15%, how would you estimate the premium for the $5,000,000 and the
$10,000,000 policies?
112
xhibit 6-3
Recommended
Risk Price
Risky Business Insurance Company Premium Charge Worksheet
Base Cost of Risk
$10.00
1 of Base Risk
$0.33
Cost of Reinsurance ($10 million cap)
$1.32
Overhead (50%)
$5.83
Sales Commissions (15%)
$1.75
Profit Target (15%)
$1.75
Cost of Policy
$20.97

The person doing the cost risk analysis has the responsibility for making a recommendation, but not
necessarily for making the decision. The decision of what a risk is worth and what we should do
about it are not automatically the same thing.
In Exhibit 6-3, lets develop a recommended price for our insurance policy by rolling together
the various considerations to date.
Exhibit 6-4 summarizes the effect of this policy cost on the companys financial position.
Adjusting a Risk Price Based on Market Conditions
A cost of $20.97 keeps the insurer solvent enough to pay all the claims and provides an estimated
profit of 14% over eleven years, very close to the 15% target. Here, the company stays profitable
each year, but only because of the reinsurance.
As a customer, you should note that you are paying a markup of 110% of the base cost of the
risk. The extra $10.97 is, as we noted, the risk premium. Whether thats a good price for you
depends on what the competition offers, how much the protection against a $10,000 loss is worth to
you, and the effect of spending $20.97 on this when you could spend it on something else.
If market conditions dont allow the insurer to charge $20.97, how can you manage the risk?
First, look at controllable costs. Overhead in our current example costs 50% of the risk costs. If we
can reduce our costs by 10%, the price of the insurance policy drops by 58 with no increase in
financial risk and no impact on profitability. If we are willing to accept 10% profit rather than 15%,
we save another 58, and so on. Interestingly, cutting the reinsurance maximum from $10 million to
113
$5 million only saves a dime, so that may not be the best place to cut.
xhibit 6-4Results over Eleven Years

Financial
In any cost-related risk situation, the same considerations apply: what is the value of the risk
and what is the cost of responding to the risk? When the cost of responding is less than the value of
the risk itself, you have a powerful financial argument for acting on the risk. If it is the other way
around, you have to consider whether other (noneconomic) factors justify paying the necessary risk
premium.
To decide what, if anything, should be done about a given risk, you have to figure out what the risk
is worth. The fundamental risk formula R = P I provides the basis for a risk cost analysis.
While in the theoretical world of gambling, probability and impact are known, in real life you
may not have full or accurate information. In addition, unknown unknownsrisks you dont even
know you havecan complicate the situation. Risk cost analysis is the process of analyzing the
range of potential costs and benefits of particular risks, and using the analysis to calculate a value for
114
that risk. The purpose of risk cost analysis is twofold: to incorporate risk-related costs into estimates
and budgets, and to evaluate the financial impact of various strategies to accept or mitigate them.
Risk cost analysis often involves weighting different factors, including market conditions that
determine whether costs can be passed through to you own customers. In the same way that
gambling serves as a useful model to illustrate probability, insurance serves as a useful model for risk
cost analysis. In a practical sense, insurance can be thought of as any money you spend to protect
yourself against risk.
In project management, an equivalent to insurance is often expressed as a contingency
allowance, extra money (or extra time) to compensate for known risks. A contingency reserve is
extra money (or extra time) set aside for unknown risks.
Only by assessing a risks proper value can you evaluate the cost-effectiveness and
appropriateness of different strategies and options for responding to it. If you value a risk too high or
too low, there may be serious consequences to you and to your customers.
Because an insurer has costs, the charge for insurance is normally greater than the base cost of
the underlying risk. The difference between the base cost and the charge is known as a risk
premium. Depending on the seriousness of the risk and the amount of the premium, it may be a good
investmentbut not in every case.
When the expected variation is low, normal fluctuation in actual values is not serious. When the
expected variation is subject to wild swings, you may require additional layers of protection against
risk. You can absorb these swings if your financial condition permits. You can charge a higher
premium to cover the risk. Adding one or two standard deviations to the base cost of the risk
reduces the risk to the insurer.
In addition to primary risk, you may also need to account for secondary risk (new risks
brought on by your proposed response to the primary risk) and residual risk (the risk left over after
your proposed response). There are also black swan events, risk events that are high impact, hard
to predict, or rare.
Three strategies for managing excess risk, whether black swan, secondary, or residual are:
Exclusion. When you exclude a risk, you refuse responsibility for paying for it. Contract
negotiation often involves deciding which risks are outside the contract or require renegotiation
and additional payments.
Capping. When you cap a risk, you identify a maximum amount you are willing or able to pay,
and if the actual costs are greater, your responsibility stops at the maximum.
Reinsurance. You can transfer certain of your risks to other entities so that your maximum payout
obligation is limited.
The person doing the cost risk analysis has the responsibility for making a recommendation, but not
necessarily for making the decision. The decision of what a risk is worth and what we should do
about it are not automatically the same thing. Nevertheless, the decision needs to rest on a
foundation of good data.
115
Review Questions
1. The difference between the price charged for covering a risk and the base cost of the risk is
known as a:
(a) risk premium.
(b) secondary risk.
(c) black swan risk.
(d) reinsurance risk.
1. (a)
2. If the standard deviation for occurrences of a particular risk is higher 2. (b) than the standard
deviation for occurrences of a different risk, what conclusion can be fairly drawn?
(a) The first risk is more likely to happen.
(b) The range of the first risk has a greater variance.
(c) The second risk is less important.
(d) The second risk is more expensive to cover.
2. (b)
3. The difference between a contingency allowance and a contingency 3. (d) reserve is that the
contingency allowance is a provision for:
(a) unknown risks
(b) residual risks.
(c) black swan risks.
(d) known risks.
3. (d)
4. If the secondary risk is greater than the primary risk, what should you do? 4. (c)
(a) Accept a greater amount of residual risk.
(b) Accept the secondary risk.
(c) Try to reduce the secondary risk to an acceptable level, and if you cant, consider using a
different strategy.
(d) Purchase reinsurance.
4. (c)
5. How does risk management apply to contract negotiation? 5. (c)
(a) The seller must accept risks of non-performance.
(b) The buyer must offer additional money to cover expected risks.
(c) Ownership of specific risk events may be allocated to buyer or seller.
(d) The contract requires purchase of insurance or reinsurance.
5. (c)
116
7
Quantitative Cost Analysis Tools
Learning Objectives
Identify whether a particular cost is deterministic or probabilistic.

Perform a cost-benefit analysis including both deterministic and probabilistic costs.
Calculate an Expected Monetary Value (EMV) for two or more states of nature.
Prepare and interpret a decision tree analysis.
Perform a sensitivity analysis.

Reading
30 minutes
Exercises
2 hours 40 minutes
Total Time
3 hours 25 minutes
QUANTITATIVE COST ANALYSIS

Quantitative risk analysis tools, as weve noted, exist in many areas of business, from engineering
and quality to finance and scheduling. Some are highly specialized, while others are commonly used
across many organizations and disciplines. In this chapter, well explore some of the more common
quantitative tools for cost, and in the next, well cover quantitative schedule analysis.
117
COST ESTIMATING UNDER UNCERTAINTY

Cost estimates, because they involve the future, typically involve both qualitative and quantitative risk
analysis. In our example of pricing an insurance policy in the previous chapter, we saw some of the
complexity a cost estimate can contain. You may not need to go into that level of depth, but its often
important for you to apply the same kind of thinking whenever you have to prepare a cost estimate
or budget request.
Cost numbers fall into two rough categories.
Deterministic costs are fixed and known, at least within the time period covered by the project.
If the trade show has announced that the cost of renting a 1010 exhibit booth is $5,000, we can
determine the precise cost for whatever booth size we choose to get.
Probabilistic costs have uncertainty. We have to put together a budget for a proposed relocation
before we shop for space. The average cost of leasing office space in our city is $150 a square
foot, but thats an average. What we will actually pay cannot be determined with precision.
From a risk management perspective, were only concerned with probabilistic costs. Lets take the
$150/square foot real estate price. As in the insurance price case, we can present this number
several different ways, depending on the safety thats appropriate. How accurate does the estimate
need to be, and how much variance exists in the range? If your estimate has to be accurate within
10% ($15), and prices range from $135 to $165/foot, then the average price is accurate enough.
What if the range of prices goes from $135 to $250? The right answer depends on how the
cost estimate will be used. You might want to know the worst-case scenario, in which case $250
might be the right answer. You might want to know that there was no way you could pay less than
$135. You might want to start with what you can afford, and cap ityou wont look at anything
costing more than $175, so that number becomes the new ceiling.
A risk-based cost estimate should always be expressed as a range ($150/foot $15, or $135170/foot). Always define the scope of what youre estimating (cost of leasing 10,000 square feet of
office space in a downtown location close to a subway station), how long the estimate will remain
useful (current prices, subject to market change), and any assumptions being made (Class A office
space only, no unusual buildout needs).
COST RISK ANALYSIS TOOLS

Common tools for quantitative risk analysis of costs are cost-benefit analysis, Expected Monetary
Value (EMV), decision tree analysis, and sensitivity analysis.
Risk contains opportunity and threat. Cost-benefit analysis also has a risk component, because you
have to price the uncertainties of both positive and negative outcomes in balancing a business risk.
The phrase bottom line comes from the output of cost-benefit analysis. In order to compare
costs and benefits, you have to quantify all aspects of the project, both positive and negative, in the
same unit (usually, but not always, currency) and at the same point in time (comparing the value of
money in the future to money right now). The equations for determining the net present value (NPV)
of future money are not specifically about risk management, and theyre available in any good
finance reference.
What if there are costs and benefits you cant put in dollars? Well, they dont show up in the
cost-benefit analysis, and arent reflected in the bottom line. If the cost-benefit analysis turns out
118
positive anyway, it doesnt matter. If the cost-benefit analysis turns out negative, you still have to put
a minimum price on those intangibleshow much it would take to turn the cost benefit results
positive.
The Acme Widget Company is having trouble meeting demand for its custom widget designs,
and is thinking about buying a new widget maker, which would add 100,000 widgets a year to
production. Widget makers run between $100,000 and $250,000. The company makes a gross
profit of between $5 and $7 dollars per widget, and has additional overhead costs that consume $4
per widget sold.
If we take everything at face value, then the cost-benefit analysis would look something like
Exhibit 7-1. Notice that because our numbers include ranges, our cost-benefit analysis also includes
ranges.
xhibit 7-1
Cost-Benefit
Analysis
Of course, not all these numbers may be as fixed and known as they appear. In Exercise 7-1,
lets figure out which of these numbers are deterministic and which are probabilistic.
Exercise 7-1 or Probabilistic?

Deterministic
Number
Deterministic
Make 100,000 new widgets per year with the new equipment
Sell the additional 100,000 widgets to customers
Buy a widget maker for a price of $100,000 to $250,000
Make a gross profit of $5 to $7 per widget
Incur overhead costs of $3 per widget sold
119
Probabilistic
It turns out that only one of our numbers is deterministic, the rest probabilistic. For each of the
probabilistic numbers, we have to figure out what values we want to use. And for that, we have to
dig a little deeper into the situation.

Our basic risk formula R = P I is an example of an Expected Monetary Value (EMV) calculation.
If theres a 10% chance of a $10,000 problem (or opportunity), the EMV is $1,000. Of course,
you wont have to pay (or receive) $1,000. You will get one of the two outcomes: no penalty (or
benefit), or the full $10,000 (plus or minus).
One benefit of the EMV involves the law of large numbers. A given risk will or will not happen,
but of all the risks on your project, some will happen. Lets imagine we have a project with a base
cost of $500,000, and weve found 20 minor risks with an average risk score of $1,000 that we
choose to accept. If we add $20,000 (20 x $1,000) in contingency allowance to the project, it
doesnt particularly matter to us which of those risks end up consuming the $20,000.
There may be more than one alternative. In that case, the EMV has to add together
probabilities and impact for each potential outcome (sometimes referred to as each state of
nature). Lets say that for an investment of $8,000, you have a 25% chance of losing $3,000 (you
get $5,000 back), a 25% chance of making $2,000 (you get $10,000 back), and a 50% chance of
earning $12,000 (you get $20,000 back). Exhibit 7-2 shows how to calculate the EMV.
xhibit 7-2 Monetary Value (EMV)

Expected
You can compare this EMV to the potential investment to help decide whether its worth the
risk. Ignoring for the moment the time value of money (lets assume its a short-term investment), the
return is $5,750, or 71 percent. Looks goodif you can afford the potential downside of losing
$3,000.
In Exercise 7-2, you can try it yourself.
Exercise 7-2Expected Monetary Value (EMV)

Calculating
120
The Veeblebrox 3000 widget maker produces custom widget designs at a cost of $15 per widget,
and produces 1,000 widgets per run. Thirty percent of the time, the widgets are perfect. The rest of
the time, there are some defects, shown in the table below. The cost of repairing each defect is
$200. What is the EMV cost for 10,000 widgets if you also have $50,000 in fixed costs?
We recommend you use a spreadsheet to solve this problem. If you need help, the formulas are
provided separately from the final answer.
Errors
Likelihood
30%
40%
20%
10%
5%
10
1%

If you compare the EMVs of different alternatives, choices, or conditions, you create a decision
tree. Well use the investment we developed in our discussion of expected monetary value, and call
that Investment A. The EMV, as you remember, was $13,750, representing a gain of $5,750 on our
$8,000 investment.
We have another opportunity, Investment B. This ones pricier, costing $12,000. Its also
riskier, but it has a very attractive payday. Theres a 60% chance youll lose all your investment, a
30% chance youll get $20,000, and a 10% chance of making $100,000.
Exhibit 7-3 shows a side-by-side comparison of the two investments using a decision tree.
Heres how to read it. Start with the question at the left: Which investment (shall we make)?
The square to the right of the question represents a decision node. This decision node has two
branches, one leading to Investment A and one leading to Investment B. (Forget the True/False
values for now. Theyre added at the very end.)
Investment A has a cost of $8,000. The circle to the right of Investment A is called a chance
node. Like a decision node, it generates new branches, but as the name implies, the outcome isnt
up to you. The probabilities and outcomes for each alternative come next. The first outcome of
Investment A is that you get back $5,000. This is a net loss of $3,000. Because theres a 25%
chance youll get that outcome, the EMV for that branch is -$750.
When we finish calculating all three branches for Investment A, we add up the EMVs for each
outcome, and get $5,750. We write that above the decision nodein other words, thats the EMV
for the decision to choose Investment A
xhibit 7-3Tree
Decision
121
Next, we do the same thing for Investment B, and find that its EMV totals $2,800. We write
that below the decision node. And the decision tree is clear: $5,750 beats $2,800. The Investment
A decision is labeled TRUE, and the other(s) are labeled FALSE.

What price for Investment B would make it equal in EMV to Investment A?
Exercise Tree
7-3
Decision
Youre ready to buy a new widget maker, and youre looking at the Veeblebrox 3000 and the new
WidgetGenie Deluxe. The Veeblebrox costs $100,000 and the WidgetGenie costs $75,000. The
cost per widget for the Veeblebrox is $15 and for the Widget Genie its $12. The Veeblebrox has a
net error rate of 2% (repairs cost $200 each) and the WidgetGenie has an error rate of 3% (repairs
cost $150 each). If the market is good (40%), you can sell 500,000 widgets a year at $20 per
widget, but if its poor (60%), sales will only average 250,000 and you cant get more than $18 per
widget.
122
Which machine is a better buy?
If you change an assumption, what happens to the outcome? Lets continue with the Veeblebrox vs.
WidgetGenie example. The Veeblebrox 3000 produces 2% defective widgets, while the
WidgetGenie produces 3% defectives. What if the lower defect rate of Veeblebrox widgets allowed
you to charge a 10% price premium?
The process of figuring this out is known as sensitivity analysis, the measurement of how a
change in a specific assumption or variable affects the bottom line. In this case, the effect is dramatic.
Compare the table in Exhibit 7-4 to the answer you developed for Exercise 7-3.
If a 10% price premium changes the decision analysis this drastically, how about some other
changes? In Exercise 7-3, use the spreadsheet template you developed in Exercise 7-2 (or copy the
one in the answer key), and model the following scenarios. But before you do, make a guess: will
this change flip the recommended decision? You may be surprised at which changes make the
greatest difference.
123
xhibit 7-4 Analysis

Sensitivity
Exercise 7-4
Sensitivity
Analysis
For each scenario, what are the new EMVs for Veeblebrox and WidgetGenie? Does the decision
tree analysis change?
What if Veeblebrox sold a maintenance package that reduced its error rate to only 1%?
What if the Veeblebrox was so much faster than the WidgetGenie that you could make and sell
600,000 units in a good economy and 500,000 in a poor economy, as opposed to the
WidgetGenie projection of 500,000/300,000?
What if the cost of fixing Veeblebrox errors dropped from $200 to $100?
124
What if WidgetGenie doubles the price on their equipment?
Quantitative tools for risk analysis include cost-benefit analysis, expected monetary value (EMV),
decision tree analysis, and sensitivity analysis. They address probabilistic costs, costs with
uncertainty. Deterministic costs, in contrast, are fixed and known.
Uncertainty is presented different ways, depending on the purpose for a particular cost
estimate. If you want the worst-case scenario, you deliberately pick the most negative assumptions.
If you want an average or a median, you develop the estimate accordingly. You should always
express a risk-based cost estimate as range, and along with the estimate itself you need to define the
scope of the estimate, any assumptions being made, and how long the estimate is likely to remain
valid.
Cost-benefit analysis often requires you to price the uncertainties in both costs and benefits; to
do so, you must always determine which numbers are deterministic and which are probabilistic.
The expected monetary value (EMV) calculation is essentially the formula for pricing a risk: the
probability times the impact summed together for each state of nature. Decision-tree analysis
compares EMVs side-by-side to evaluate different decisions or scenarios. Sensitivity analysis
measures the effect of a specific change in assumptions or other variables on the bottom line.
These tools are only a selection of what is available. Depending on the specific environment
and industry in which you work, you may find additional tools you need.
125
Review Questions
1. If a given investment has a 20% of gaining $10,000 and an 80% chance of losing $4,000,
whats the expected monetary value?
(a) + $5,200
(b) - $1,200
(c) - $5,200
(d) + $1,200
1. (b)
2. The term bottom line comes from which financial tool?
(a) Cost-benefit analysis
(b) Decision tree analysis
(c) Expected monetary value analysis
(d) Sensitivity analysis
2. (a)
3. A circle in a decision tree diagram indicates:
(a) a decision node from which different outcomes branch.
(b) a chance node from which different outcomes branch.
(c) an end node signifying the final outcome of a given branch.
(d) an EMV calculation of a given risk factor.
4. Using the Veeblebrox/WidgetGenie sensitivity analysis data, what would happen to the buying
decision if the cost of repairing defective widgets on the Veeblebrox were the same as for the
WidgetGenie?
(a) Veeblebrox 3000 by $250,000
(b) Veeblebrox 3000 by $210,000
(c) WidgetGenie by $270,000
(d) WidgetGenie by $210,000
4. (b)
5. Consider the cost of an insurance policy and the cost of repairing the car in the event of a
fender-bender. Which costs are deterministic and which are probabilistic?
(a) Policy cost is deterministic; repair cost is probabilistic.
(b) Policy cost is probabilistic; repair cost is deterministic.
(c) Both costs are deterministic.
(d) Both costs are probabilistic.
5. (a)
126
8
Quantitative Schedule Analysis Tools
Learning Objectives
Apply sensitivity analysis to project schedule issues.
Use the tools of network diagramming and critical path analysis to construct a network diagram
from a list of tasks, perform a forward and backward pass on a network diagram, identify the
critical path in a network diagram, and calculate total float and free float in noncritical activities.
Describe the three types of schedule risk.
Create a three-point estimate for a work package with uncertain duration.
Calculate a PERT time using a three-point estimate and determine the standard deviation for a
work package and for a path using the PERT method.
Establish a confidence level for achieving a given finish date given a PERT analysis.
Describe the process used by a Monte Carlo simulation program for project risk management.
Reading
50 minutes
Exercises
1 hour 45 minutes
Total Time
2 hours 45 minutes
SENSITIVITY ANALYSIS FOR SCHEDULING ISSUES

Sensitivity analysis works for time as well as for cost. Weve been talking about cost so far, so lets
127
use a schedule example. Were putting a swimming pool in our back yard. Weve built some safety
into our schedule. According to the plan, we are scheduled to finish four days ahead of the pool
party.
One task in our project is called Dig hole. Another task is Pour concrete. Obviously, we
cant pour the concrete until after weve dug the hole. If pouring the concrete runs late, the
anticipated finish of the project also goes late by the same amount. Dig hole, clearly, is at risk of
taking longer than the scheduled time. Whats the effect on the project deadline if it does go late, say
by one day? At first glance, the answer appears to be none. We have, after all, four days of total
margin. One day isnt a big deal. (At least not for the schedule. It might affect cost, especially if
were paying people by the hour to dig the hole.)
What if were contracting out the pouring of the concrete? Now, its a different story. If the
concrete truck is scheduled to pull up bright and early Tuesday morning, and the hole is only halfdone, our problem suddenly balloons. Its not just one day any more. Depending on how busy the
contractor is, that one-day delay in digging the hole might cost us a week or more until we can get
that concrete pouredand pretty much everything else will come to a screeching halt.
Earlier, we classified costs as either deterministic or probabilistic, depending on whether they
were fixed and known. We can apply the same categories when we think about time. If you sign up
for a three-day workshop, the three days are deterministic. You can put them in your schedule. The
seminar wont take two days or four days. The time-span is fixed and known.
This self-study sourcebook contains time estimates as well, based on known metrics for
reading speed and length of time to complete exercises. But these estimates are probabilistic,
because they are based on averages. Your mileage, as they say, may differ.
SCHEDULE RISK ANALYSIS

The technique of network diagramming enables you to display a project schedule graphically. This
has numerous advantages, but for our purposes, we are concerned with network diagramming as it
applies to risk management.
Time, as we all know, is money. The discipline of quantitative risk analysis must consider
schedule issues as well as actual dollar costs. The length of time it takes to do the work often affects
the cost, especially when people are paid by the hour. In addition, the consequences of meeting or
failing to meet a deadline can be in some cases quite substantial.
The discipline of project management has long wrestled with the problem of managing
uncertainty, with the first major breakthrough coming in 1957, when the U.S. Navys Polaris Special
Projects Office and consultants from (then) Booz Allen Hamilton developed a special statistical
approach to scheduling when the durations of activities were probabilistic.
The Polaris Evaluation and Review Technique helped manage what was at the time the most
complex engineering project ever attempted. The Polaris gave way to Program, and the
Program Evaluation and Review Technique became known as PERT. More or less at the same
time, the DuPont Corporation, working with Remington Rand, developed the Critical Path
Method, commonly called CPM. Both tools involve a method called network diagramming The
technique of network diagramming enables you to display a project schedule graphically. This has
numerous advantages, but for our purposes, we are concerned with network diagramming and
schedule development as it applies to risk management.
SCHEDULE DEVELOPMENT
128
Two scheduling tools are common in project management: the Gantt chart, which is essentially a bar
graph over a calendar; and the network diagram, which shows the sequence in which activities will
be performed. For small-and medium-sized projects, the Gantt chart is the most common and
easiest scheduling tool; for very large projects, the network diagram is more appropriate. Our risk
management discussion will focus on network diagramming; for information on Gantt charts, consult
a standard project management reference book.
In the 1950s, the preferred technique for network diagramming was the activity on arrow
method, also known as arrow diagramming. Today, virtually all project management practitioners
use the precedence diagramming method (PDM), also called activity on node, which we will use
throughout this section. Exhibit 8-1 shows the difference between the two techniques.
NETWORK DIAGRAMMING AND CRITICAL PATH ANALYSIS

A network diagram resembles a computer flow chart. For our purposes, the easiest way to build a
network diagram is to use sticky notes. Each note will list one of the work packages or tasks to be
performed. Well put the notes in the order in which well do the work, and draw connecting arrows
to show the workflow. Exhibit 8-2 shows a formal example created by computer software, but ours
will be a bit more casual.
The first step is to create a Start milestone for your project. A milestone is a work package
that has zero duration and no associated work or resource consumption. In other words, a milestone
is simply a signpost. Traditionally, a milestone on a Gantt chart (but not a network diagram) is
represented by a diamond. Sometimes it makes it easier to read if you turn a sticky note 45 to
indicate that a given work package is a milestone.
Next, lay out the subsequent work packages in the order they are to be performed. Activities
can be dependent (following a predecessor activity) or parallel (performed at the same time as other
project activities. Dependent activities are sometimes required by the logic of the work (i.e., you
cant conduct a beta test of the training unless the training materials have been developed), and are
sometimes driven by available resources or other factors (for example, the same person can develop
the workbook and the exercises, but not at the same time. If no particular order is demanded by
logic, you can choose whichever order you prefer).
xhibit 8-1
Arrow
vs. Node
Both diagrams represent the same relationships: Task B is dependent on Tasks A and C; Task D is
dependent only on Task C. The dummy dependency in the arrow diagram shows the extra
dependency relationship.
129
When all activities have been placed and connecting lines drawn, create a Finish milestone.
Connect all unlinked activities to Finish so that every work package has at least one predecessor
and at least one dependent activitydont leave any orphaned work packages.
Normally, more than one sequence of activities is possible. The correct order for your project
is the one that represents how you and your team plan to approach this project. Exhibit 8-2 shows a
sample network diagram.
Heres how to read the network diagram in Exhibit 8-2. Task A is a milestone and serves as
the start of the project. Both tasks B and C are dependent on the start milestone. Task D is
dependent on both tasks B and C; task E is dependent only on task C. Task F is dependent on task
D; task G is dependent on both tasks D and E. Task H, the finish milestone, is dependent on both
tasks F and G.
xhibit 8-2Diagram
Network
This network diagram reflects the order in which work packages will be performed. Note that
estimated durations have been assigned to each activity.
130

So, how long will the project take? With dependency relationships crossing from top to bottom and
back again, the answer takes a little bit of calculation. You need to find the longest path (called the
critical path) through the project network to determine the length of the project. If you use project
management software, it will determine the critical path for you automatically. To calculate the critical
path manually, you must perform a forward pass followed by a backward pass.
Forward Pass
The forward pass calculates the early start and early finish for each activity. The final number in the
forward pass calculation is the planned duration of the project. Exhibit 8-3 shows the forward pass.
Starting in the upper-left corner of the first work package, you enter a zero, which represents
the start of business of the first day of the project. Add the task duration to the start, and write that
number in the upper-right corner. In task A, the early start (0) is added to the duration (0) to get the
early finish (0+0=0). Copy the early finish number into the connected Tasks B and C, and add the
respective durations (0+15=15 and 0+11=11).
Task E, youll note, is dependent only on Task C, and can start on day 11. Task D, however, is
dependent on both Tasks B and C. Because Task D cannot begin until both predecessor tasks are
complete, it takes the larger of the two early finish dates, or day 15. Similarly, Task G takes the
larger of the early finish dates of its two predecessors, Tasks D and E. At the end of the forward
pass you know the duration of the project. However, you arent done yet.
xhibit 8-3Pass
Forward
131
Backward Pass
If we want the project to finish within its allotted 50 days, we will now calculate the late finish and
late start of each activity, shown in Exhibit 8-4. The late finish is the latest an activity can be
completed while still achieving the overall deadline. The late start is the late finish minus the task
duration.
Tasks F and G can both finish as late as day 48. Task F can therefore begin as late as day 40,
while Task G cannot begin any later than day 36. Task D must finish in time to allow both Tasks F
and G to finish no later than day 50. This means that the lower of the two late start numbers (36 in
this case) is the late finish of Task D. The backward pass must end in zero when you reach the
beginning of the project.

Earlier, we said that the purpose of the forward and backward pass was to find the longest path
through the project, which we call the critical path.
In our swimming pool example we differentiated between what happens if we pour the
concrete ourselves (the delay is day-for-day) and if we have a scheduled date with a contractor (the
delay is until the next available date in the contractors schedule, which could potentially be weeks).
xhibit 8-4 Pass

Backward
132
The backward pass calculates the late finish and late start of each activity, showing the latest any
activity can be performed while achieving the original deadline.
Lets go back to Exhibit 8-4 and take a look at Tasks A, B, C, and D. Notice the following:
1.
2.
3.
4.
Tasks B and C cant begin until Task A is complete.

Task D cant begin until Tasks B and C are complete.
Task B is scheduled to take 15 days.
Task C is scheduled to take 11 days.
If Task B takes longer than 15 days, Task D cant start on time. However, if Task C takes longer
than 11 days (and no more than 15 days), Task Ds start time is unaffected. Task C can be as
many as four days late with no effect on the project schedule!
In project management, a task that cant be late without affecting the deadline is called critical.
If theres extra time, as in the case of Task C, its noncritical. The extra time is called float or
slack. (Well use float in this book, but either term is acceptable.) To understand and manage
schedule risk, you have to manage the critical path and the available float.
xhibit 8-5
Critical
Path and Float
133
The critical path, as shown in Exhibit 8-5, is the longest path through the network. On the
critical path, there is no difference between the early start (or finish) and the late start (or finish) of
each activity. In other words, any delay of a critical path activity immediately introduces the danger
of a late project. If a task is noncritical, it has float (also called slack), the amount of time the task
can be late before the deadline is affected.
Mathematically, a task is critical if there is no difference between the early start (or finish) and
the late start (or finish). If the late start (or finish) is greater than the early start (or finish), the
difference is called total float. A task can have delay equal to its total float without affecting the
projects deadline. Free float is the amount of delay before the task forces a delay in any
subsequent activity (whether or not its critical); float that is not free is shared with other activities.
Exhibit 8-5 shows the critical path and available total float.
Notice that task C can start as early as day 0 or as late as day 4. It has four days of total float
(extra time before lateness jeopardizes the project deadline). However, if Task C uses any of its
float, the float available for Task E is reduced because Task E will no longer start on Day 11. The
float is shared, not free. The float in Tasks E and F, however, is free float, because no other task is
affected if those activities use their available float.
ExerciseCritical
8-1
Identify
Path and Float
134
Perform a forward and backward pass on the figure above. Determine the Critical Path and identify
available float.

Risk to the schedule comes in three forms, illustrated in Exhibit 8-6.
Task Duration Risk. The risk a task will take longer than the time scheduled.
Path Duration Risk. The risk that a sequence of dependent tasks will take longer than the total
time scheduled.
Convergence Risk. The risk that at least one predecessor of a task with multiple predecessors
will take longer than the time scheduled.
If theres a specific risk to the schedule, then you normally develop a specific response. If being late
digging the hole could lead to project disaster, then it makes sense to allow more time for digging the
hole, or to acquire more resources with which to do it quickly.
Sometimes, the problem is simply uncertainty. When tasks involve creativity and judgment, its
often not possible to assign an exact time in a meaningful way. You know how long it will take to
teach a three-day class, but when it comes to writing the course for that three-day class, youll be a
lot less precise. Itll take three or four weeks is often about as honest an estimate as youre able to
provide. Throwing extra people at the job wont necessarily help. Occasionally, itll make things
worse.
xhibit of
8-6Schedule Risk
Types
135
If you have unavoidable uncertainty about how long individual activities in your project will take
(task duration risk), you automatically end up with path duration risk for any path that includes those
tasks, and you have convergence risk whenever one of those paths links up with any other path in
your project.
How can you figure out how long the project will take when you cant be sure how long key
tasks will take? Once again, youre into the realm of probability.
THREE-POINT ESTIMATING TECHNIQUES

We have to dig a hole every time we put in a new swimming pool, but yards are different. Weather
interferes. Equipment breaks down. The time it takes to dig a hole varies. Over time, we would
naturally expect the hole-digging times to form a distribution, whether normal, triangular, or some
other type, just as weve seen in cost analysis.
xhibit 8-7 Times for a Common Task

Historical
Hole
1
2
3
136
4
5
6
7
8
9
10
Optimistic (Best Case)
Most Likely (Median)
Pessimistic (Worst Case)
We can define the schedule distribution with a three-point estimate. Instead of using a single
number as our estimate, we use three: the optimistic (best case) time, the pessimistic (worst case)
time, and the most likely estimate (either the mean or the median). Figure 8-7 provides some
historical times for digging that hole that we can use in creating a three-point estimate.
The range is between 2 and 5 days, and the median is 3 days, and now we have our three
estimates.
You can create three estimates even if you dont have historical records to draw on. In fact, a
lot of people find that its actually easier to create three estimates than one, because you can use
different assumptions to make them.
xhibit 8-8
PERT
Formulas
T(e) = (T(o) + 4 T(m) + T(p)) / 6
= (T(p) T(o)) / 6
where:
T(e) = PERT Estimate
T(o) = Optimistic Estimate
T(m) = Most Likely Estimate
T(p) = Pessimistic Estimate
= Standard Deviation of T(e) for a Single Task

Three-point estimating was developed as part of the PERT method. PERT is a comprehensive
approach to project management, but were only concerned here with a particular portion of PERT
that applies to risk analysis.
137
Lets say we have a large network diagram with hundreds (or thousands) of tasks, many of
which have a high level of uncertainty in the estimates, so weve created a three-point estimate for
each of those tasks. The question now is what to do with those three numbers. Clearly, its unwise to
plan as if well get the optimistic time on every task, and its excessive to believe that all tasks will
have a pessimistic outcome. We could use the most likely numbers, but that can be quite misleading
as well.
PERT applies two formulas to those numbers, both shown in Exhibit 8-8. The first formula
creates the PERT estimate, a weighted average of the three numbers. The second formula is how
PERT calculates the standard deviation. In this context, the standard deviation is a measure of the
degree of schedule risk (uncertainty) in the particular estimate.
By this measure, the PERT estimate (T(e)) for our dig hole activity is (2 + (4 3) + 5) / 6 =
19 / 6 = 3.16 days, and the standard deviation () is (5 2) / 6 = 0.5 days. In Exercise 8-2, create
the other PERT estimates for the tasks in our swimming pool project and enter them in the network
diagram provided.
Exercise 8-2
Scheduling
With PERT Estimates
Step 1. Calculate the PERT estimate (T(e)) and standard deviation () for each of the tasks in the
swimming pool project using the information below. Round PERT estimates to the nearest whole
day.
Step 2. Complete the network diagrams below. In the first diagram, use the PERT estimates for
each task. For comparison, use the most likely estimates in the second diagram.
138
xhibit 8-9 Levels

Confidence
Standard Deviation
Confidence Level
0
1
68.27%
1.28
1.64
1.96
2
95.45%
2.58
99.00%
2.81
99.50%
99.73%
3.29
99.90%
99.99%
139
Confidence Levels and the Standard Deviation

When we priced the risk for our insurance policy, we added a standard deviation to the base price
of the risk to increase safety. Similarly, the standard deviation serves as a tool for what we might call
scientific paddingrisk-adjusting your schedule by allowing extra time to compensate for known
uncertainty.
Using the standard deviation, we can determine a confidence level for the schedule, a
measurement of how likely it is that the project will finish on or before a given date. Exhibit 8-9
provides a table showing the confidence levels associated with specific standard deviations.
In Exercise 8-2, we found that the most likely schedule took 43 days, and the PERT
estimated schedule took 47. The confidence level for the 47-day estimate is 50%that is, theres
only a 50% chance that the project will finish on or before Day 47. What if we wanted to be 80%
certain the project would finish on time? According to Exhibit 8-9, we need to add 1.28 to the
estimate.
Now all we have to do is find the standard deviation for the project. To do that, take the
standard deviations for each of the tasks on the critical path. Square them, add up the numbers, and
take the square root of the sum (also called the root sum square). The answer is the standard
deviation for the project. Multiply that by the confidence level desired, and thats how much extra
time you need to allow.
Exercise 8-3Standard Deviation for a Path or Network

Calculating
Using the table from Step 1 of Exercise 8-2, square the standard deviations of the tasks on the
critical path, sum them, and take the square root of the sum. Now, using the information in Exhibit 89, calculate the project duration at the following levels of confidence:
80%
= ___________
confidence
90%
= ___________
confidence
95%
= ___________
confidence
Advantages and Disadvantages of PERT

As you may have noticed, the PERT formula for calculating the standard deviation doesnt resemble
the formula you learned in Chapter 5. In fact, from a statistics perspective, there are a lot of
problems with PERT.
Theres a reason for this. When PERT was first developed in the late 1950s, computing
horsepower was limited and expensive. It was simply impossible to perform a full analysis of a
network containing tens of thousands of work packages in a reasonable timeframe. The brilliant
minds behind PERT resorted to shortcuts. They made assumptions about the distribution and
standard deviation (known as back-fitting the curve) and developed formulas that were cheaper
and easier to compute based on those assumptions.
PERT estimates are very useful and have been applied successfully on major projects, but you
should always treat a PERT analysis with caution. It provides a useful yardstick to measure schedule
140
risk, but its answer tends to be far from precise. PERT is particularly subject to convergence risk,
meaning that the PERT estimate tends to provide an optimistic view of how long the project will take
to complete.
PERT works best when the project has a dominant single critical path; it is much less reliable
when the relationships among paths and tasks are highly complex. PERT is an important element in
the history of project schedule risk management, and the fundamental three-point estimating
technique is still used, but most operating project managers who need to perform schedule risk
analysis have switched from PERT to the Monte Carlo simulation technique.

While the PERT method attempts to measure schedule risk by calculation, the Monte Carlo
simulation measures schedule risk by massive simulation, run by specialized software. Monte Carlo
simulation programs for project management are available as plug-ins for common project
management programs such as Microsoft Project as well as in stand-alone versions.
xhibit 8-10
Monte
Carlo Input Screen
To run a Monte Carlo simulation, you first need the same three-point estimates for task
durations that you would use in performing a PERT analysis. (You also need the other elements of a
141
completed project schedule, including a list of tasks and their dependency relationships, of course.)
While a standard project management software package provides space to enter a single time
estimate for a task, a Monte Carlo program provides places to enter all three estimates, as shown in
Exhibit 8-10.
In PERT, we used statistical tools to analyze the schedule, but a Monte Carlo simulation uses
more of a brute force approach. The simulation pretends that we are actually managing the
project. It decides how long it takes to accomplish a particular task by selecting a random number
from the range provided. For our swimming pool project task Develop Plans, with an optimistic
estimate of 6, most likely 12, and pessimistic 24, the program might choose 15 as the duration of the
task for this iteration.
It then checks to see if a finish time of 15 days alters the start dates of any subsequent
activities, and adjusts as necessary. Then it goes to the next task (Order Materials) and selects a
number between 10 and 15. Lets say its 11. Again, it checks to see if any start times have been
moved, and then to the next task, and so on until the project ends. Perhaps the answer is 49 days
this time. The program stores that number, goes back to the top, and does it again. And again, and
again, and so on for 5,000 or 6,000 trials.
xhibit 8-11
Monte
Carlo Simulation Results
142
The output of the program is a distribution showing how often the project ended on a given
date. Exhibit 8-11 provides an example. In this particular program, the slider on top of each
histogram allows you to see the date or cost associated with any desired confidence level.
While the technique has been understood for a long time, it is only recently that the increase in
computer processing speed and reduction in cost has made the technique practical.
A Monte Carlo simulation is much more robust than a PERT analysis, and normally deserves
more weight in decision-making. As you can see, a Monte Carlo simulation can simulate cost as well
as schedule, as long as you enter the cost data (salary costs and other expenses that vary with time
spent) into the program.
Monte Carlo simulation programs are commonly available as add-ins for project management
software packages. Theres a list available in the Additional Resources section of this book, but
you should remember that software availability and features change frequently.
The tools of quantitative risk analysis extend to schedule as well as cost. Quantitative schedule
analysis requires the development of a network diagram, a flow chart of the work packages and
activities that make up the project.
Knowing how to develop a network diagram is fundamental to many aspects of project
planning. In the most commonly used technique, known as the precedence diagramming method,
work packages are represented as nodes (boxes) and connected by their dependency
relationships (arrows). Once the work package durations have been estimated, you can perform a
forward and backward pass (or let project management software do it for you) to reveal the
critical path (the longest path through the network, equal to the project duration) and the
availability of float, extra time to perform activities not on the critical path. Critical path analysis
identifies which tasks must be completed on time if you are going to meet the desired end date.
Schedule risk comes in three forms:
Task Duration Risk. The risk a task will take longer than the time scheduled.
Path Duration Risk. The risk that a sequence of dependent tasks will take longer than the total
time scheduled.
Convergence Risk. The risk that at least one predecessor of a task with multiple predecessors
will take longer than the time scheduled.
The seriousness (sensitivity) of a task duration risk is compounded by its effect on path duration risk
and convergence risk.
Specific risks to the schedule require specific risk mitigation responses, but some schedule risk
is simply the inherent uncertainty in knowing how long it will take to accomplish certain tasks. In that
case, where estimates are highly probabilistic, project risk managers can use three-point estimates
to show the range and distribution of potential outcomes.
The PERT analysis technique uses probability mechanics. The PERT time estimate is a
weighted average derived from the three-point estimate. The standard deviation of the PERT
estimate serves as a barometer of schedule risk. By taking the root sum square of the standard
deviations of the work packages on the critical path, you can determine the confidence level that
143
your project will achieve a given deadline.

More powerful computers have led to the rise of the Monte Carlo simulation technique, which
uses a repetitive technique of iterating the schedule many times to create a distribution of completion
time, dates, and costs.
144
Review Questions
1. If Task B has three days of total float, which statement must be true?
(a) Task B is expected to take three days to complete.
(b) Task B is a critical task.
(c) If Task B is delayed no more than three days, the start date of no other task will be
affected.
(d) If Task B is delayed no more than three days, the expected project completion date is not
affected.
1. (d)
2. Three-point estimates are used in which risk analysis techniques?
(a) PERT analysis and Monte Carlo simulation
(b) Probabilistic analysis and PERT analysis
(c) Monte Carlo simulation and sensitivity analysis
(d) Probabilistic analysis and sensitivity analysis
2. (a)
3. What does a network diagram show?
(a) The sequence in which activities will be performed
(b) A bar graph of task durations over a calendar grid
(c) The breakdown and logical organization of the work structure
(d) The IT infrastructure for your project
3. (a)
4. A skilled machine operator can produce 50 widgets per hour. If the machine breaks down,
the same operator can perform the necessary repairs. Which statement is true?
(a) The time to produce a given number of widgets is probabilistic; the time to fix the machine
if it breaks is deterministic.
(b) The time to produce a given number of widgets is deterministic; the time to fix the
machine if it breaks is probabilistic.
(c) Both times are deterministic.
(d) Both times are probabilistic.
4. (b)
5. The risk that at least one predecessor of a task with multiple predecessors will take longer
than the time scheduled is known as:
(a) task duration risk.
(b) convergence risk.
(c) predecessor risk.
(d) path duration risk.
5. (b)
145
9
Risk Response Planning
Learning Objectives
Establish a process to conduct risk response planning for your project or organization.
Analyze a proposed risk response for residual and secondary risk considerations.
Determine when multi-stage risk responses are desirable or appropriate.
Define three strategies for managing threat risk.
Define three strategies for managing opportunity risk.
Define two strategies for risk acceptance.
Develop action steps for a risk response and place them in the project plan or in other project
documentation.

Reading
45 minutes
Exercises
45 minutes
Total Time
1 hour 40 minutes
ORGANIZING FOR RISK RESPONSE PLANNING

Effective risk response planning rests on a foundation of good information:, the output of the risk
analysis processes that you decide to use. Its worth repeating that not all risks (or projects) demand
the sort of comprehensive analysis that weve been covering, but at least some risks and some
146
projects require that much or even more. You must always adjust the scope and level of your risk
analysis based on the actual risk exposure.
xhibit
9-1for Risk Response Planning
Six
Tips
1. Establish teams of more than one person to work out risk solutions. Not every person on
your project need be on every team, but each risk deserves more than one point of view.
2. Do not be satisfied with a single risk response; come up with several before choosing the
best one.
3. A risk solution is worthless without a plan for its implementation. Define the steps necessary
for each risk response and document them on the Risk Information Sheet (see Exhibit 4-6)
and elsewhere as necessary.
4. Always examine potential risk responses for side effects (secondary risk) and remaining risk
exposure (residual risk) before settling on a strategy.
5.
Theres no rule that limits you to one solution per risk. If you cant find a single solution,
consider multiple strategies to nibble away at the total risk.
6. Consider opportunities as well as threats in building risk responses. Making a good outcome
more likely or better can be as desirable as making a bad outcome less likely or less bad.
7. Keep a file of risks and responses for use on future projects. Recycling isnt only good for
the environment, it can be a great risk management tool as well.
When you have completed your analysis, youre ready to take appropriate action. Consider
the best practices in Exhibit 9-1 in organizing your risk response planning efforts.
Exercise
9-1 Planning
Risk
Response
Identify five risks, either ones you have used in previous chapters of this book, or ones relating to a
project you are managing or have managed in the past. For each risk, list a proposed risk response:
what you will do to manage the risk.
1. Risk:
Response:
2. Risk:
147
Response:
3. Risk:
Response:
4. Risk:
Response:
5. Risk:
Response:
RESIDUAL AND SECONDARY RISK

Proposed solutions to risks are seldom perfect. Whether were discussing opportunity or threat, our
risk responses are subject to two additional factors: residual risk and secondary risk. If these are not
taken into consideration, the response to the primary risk may not deliver the desired outcome.
Residual Risk
Residual risk is the risk left over after your proposed solution has been implemented. Automobile
insurance, for example, protects you against the financial impact of being in an accidentbut not
against all of it. If you have, say, a $500 deductible, you carry the residual risk of having to pay up to
$500 in the event of an accident. That amount is residual risk.
Theres more residual risk: the policy normally excludes certain events from its coverage. If
your accident falls into a non-covered category, you have no insurance protection. In addition, there
is the risk that the insurer may go out of business or otherwise be unable to pay the claim.
If the residual risk is small enough, you may decide to accept it. If the risk is large, you may
148
want to modify your proposed solution, add additional risk responses to address the residual risk, or
in some cases throw out that solution and move to a different one.
Secondary Risk
Secondary risk is new risk created by your proposed response to the original risk. Smoking is
extremely hazardous to your health, but obesity is even worseand giving up smoking in some
cases promotes weight gain. That doesnt mean you shouldnt give up smoking, but it does imply
that you need to be prepared to deal with potential weight gain as a secondary risk.
During the incident at the Three Mile Island nuclear plant, safety systems reported problems
110 separate alarms with flashing lights and sounds all going off at the same time. The resulting
cacophony made it difficult to sort out the potentially catastrophic factors from minor ones, caused
confusion in the relaying of orders and directives, and generally made the problem harder to solve,
not easierthe opposite of what the alarms were supposed to provide. (Chiles, 58)
Managing secondary risk doesnt mean throwing out the primary risk. Clearly, we want our
nuclear reactors equipped with alarms that tell us when something has gone wrong. However, one of
the responses to the Three Mile Island incident was to deal aggressively with the issue of control
room design, making it easier for operators to receive, interpret, and act on information in an
emergency.
As with residual risk, if the secondary risk is small enough, you may decide to accept it. If the
risk is large, you may want to modify your proposed solution, add additional risk responses to
address the secondary risk, or in some cases throw out that solution and move to a different one.
Exercise and
9-2 Secondary Risk
Residual
For the risk responses you developed in Exercise 9-1, are there important considerations of residual
or secondary risk that need to be addressed? What will you do about these?
1.
2.
3.
4.
5.
149
MULTI-STAGE SOLUTIONS
One particularly tough category of risks contains those that are low in probability but potentially
catastrophic in outcome.
Thousands of small meteors hit the earth every day. Most are the size of grains of sand, and we
know them only from the streak of bright light that marks their passing. Slightly larger meteors (5-10
meters in diameter) hit us about once a year, releasing as much energy as the Hiroshima atomic
bomb. These generally go unnoticed because they tend to go off at high altitude and thus do little
damage. However, there were observed events in South Africa (2009), Peru (2007), Norway
(2006), and the Yukon (2000).
Every thousand years or so, a larger one (over 50 meters in diameter) hits with an energy
release equivalent to 1,000 Hiroshima bombs. The last such, the Tunguska event in 1908, flattened
80 million trees over 830 square miles. Larger impacts, of course, also happen. Approximately 65
million years ago, an asteroid at least 10 kilometers in diameter struck the Yucatn Peninsula,
triggering the CretaceousPaleogene (or KPg) mass extinction event.
Clearly, a big asteroid impact would be a very bad thing, but the probability appears to be
approximately 1/65,000,000. What, if anything, should we do?
We could do nothing at all and bet that well stay lucky as a species. We could spend trillions
of dollars to put a nuclear-armed space armada into orbit to shoot down any marauding asteroids
that happened to come by.
We can also consider a multi-stage solution. In the case of the hypothetical killer asteroid, we
can divide the risk into two questions. First, is a killer asteroid actually on its way? Second, what
should we do if it is?
The first question is relatively inexpensive to answer, and has a dramatic bearing on the second
question. A comprehensive survey of near-Earth asteroids (known as Spaceguard) is at the time of
writing about 80 percent complete. Using known equations of orbital mechanics, the future positions
of these objects can be charted, and eventually well know exactly what might hit us and when.
Changes in knowledge change our understanding of probability. A generic 1/65,000,000
probability may look a lot different when we consider a given asteroid. The 99942 Apophis
asteroid, for example, has a chance of colliding with the Earth in the year 2036. NASAs Near-Earth
Object Program Office estimates the probability as 1/250,000. In absolute terms, the risk is still
small, but its a lot greater than 1/65,000,000.
A 1/250,000 chance of impact probably doesnt warrant building that space armada, but it
does justify continued study. As more accurate measurements are made, the probability of collision
will changeit will either appear increasingly probable that a collision will happen, or it will appear
increasingly improbable. At some point, if the degree of confidence is high enough, expensive action
may be warranted. If the decision to act is made early enough, a slight shove may be all thats
needed to adjust the asteroid orbit enough to avert a collision. If the decision is made too late, that
space armada may not be enough to accomplish the job.
Watch and wait is a perfectly legitimate risk response in many situation involving low
probability/high impact events. The potential action is a backup strategy, to be implemented if and
only if indicators warrant.
MANAGING THREATS
150
Whether the risk response is a single-stage or multi-stage action, you still have to develop it.
Different strategies exist for both threats and opportunities. Be sure to consider multiple possibilities
before settling on a response, and remember that you can combine solutions if necessary. In the case
of a business risk, its important to consider both sides of the risk equation (threat and opportunity)
in developing your strategy.
The three basic strategies for managing a threat are avoidance (changing the project so the risk
event cannot happen or the project is completely protected from its effects), transference (moving
the ownership and impact of the risk to another entity), and mitigation (reducing some combination
of probability and impact, but not eliminating the risk altogether).
Avoidance
Avoiding a risk completely often requires a change in the way you do things. If a project has a high
risk of failure, you can avoid the failure by cancelling the project. This may be entirely sensible.
You can potentially change many other factors that involve risk, from deadline to budget to
performance criteria. You can change the process with which you do the work, the tools you use,
whether you do the work in-house or out-of-house, whether you provide a specific functionality or
hit a specific numerical target.
An avoidance strategy by its very definition means that there is no residual risk. However,
secondary risk is almost certainly present. If the risk of doing it is so high that its not a good idea,
we still have the reason we thought about doing the project in the first place. If we change deadline
or budget or performance criteria, we may be swapping one set of risks for another.
Occasionally, the secondary risk can provide opportunity as well as threat. Whatever we think
of to replace the project as originally conceived might turn out to be better for us. The cost of
contracting out the work (and some of the risk) may turn out to be less than the cost of doing it inhouse. Check all possibilities.
Transfer
Risk transference moves the ownership of a risk from one party to another. Weve already seen
several ways this can be done. In qualitative risk analysis, we classified some risks as owned by
someone else. When we move the risk to its proper owner, weve transferred at least some of it.
Insurance is another common method of risk transfer. Some people make their money by
taking over other peoples risks for a fee. Every contract involves some risk transfer. If a vendor
charges a firm, fixed price for products or services, the vendor owns the risk of cost overruns. If a
vendor charges by the hour or on a cost-plus basis, the buyer owns the risk of cost overruns.
Contract details often spell out who has the financial liability for specific risks.
Risk transfer often leaves residual risk and can create secondary risk as well. Earlier in this
chapter, we identified residual risks in buying insurance, for example. When transferring risks
administratively, the risk may have a new owner, but residual risks often remain.
Mitigation
A mitigation strategy reduces some combination of probability and impact, lowering the risk but
leaving at least some residual risk. Mitigation strategies may also create secondary risk.
Examples of mitigation strategies include:
Testing. Tests identify problems in performance and quality before they reach the customer.
Redundancy. Having more than is necessary helps ensure youll have at least enough.
Additional resources. Adding cost, time, and personnel can reduce the risk of failing to meet one
151
or more key objective.

Skill or process improvements. Improving the skills of team members or the way in which the
work is done reduces risk.
MANAGING OPPORTUNITIES
Opportunities can be found in stand-alone form and in the form of business risk, and are often
matched with corresponding threats. The three basic strategies are to exploit the opportunity (cash in
the benefit and use it), enhance the opportunity (make it better or more probable), and share the
opportunity (give the benefit to someone else either for goodwill or in trade).
Exploit
The obvious thing to do with an opportunity is to take advantage of it, and that may indeed be the
best thing to do. If your stock market investment increases in value, you can sell it. If your successful
management of the current project makes you the front-runner for the next job, grab it.
As in the case of threat risks, opportunity risks carry the possibility of residual and secondary
risk. If you sell the stock too soon, you may make less of a profit than you would make if you held
on to it a bit longerthe residual risk is the value of what youre leaving on the table. At the same
time, the secondary risk is a threat: that the stock will tank, leaving you worse off than you would
have been had you sold it on time.
When you choose to take business risk in managing your project, exploitation of the potential
benefits is, after all, the usual reason for undertaking it.
Enhance
In the case of the stock market investment, we exploit the opportunity if we cash it in: sell the stock,
pay the capital gains tax, and pocket the rest. If we choose to keep the stock because we believe it
is likely to increase in value, we are pursuing an enhancement strategy instead.
If your outstanding work on the current project positions you well for new business, you could
enhance the opportunity by raising your rates. The benefit is greater profit; the secondary risk is
losing the business. The residual risk, again, is the potential amount youre leaving on the table.
Share
Although exploitation is the obvious strategy, sharing may often represent the best available
response. The benefit from a particular opportunity may not apply to you, and giving (or trading) the
benefit to someone who would truly find it valuable can pay tremendous dividends in goodwill and
support.
A powerful and frequently overlooked technique to improve project and organizational
effectiveness is to look at your project for ways it can incidentally provide benefit to others. For
example, your project budget might not support buying the latest and greatest equipment, but if the
equipment could benefit enough other projects and activities, the combined result might make it
profitable.
If you solve a problem, can you solve it for everyone and not merely for your own project? If
your project success makes it easier for another part of your company to win business, can you help
move that opportunity to the appropriate department or group? Can what you do benefit the
customer in ways over and above the contract? Can the work of the project provide extra benefits
to team members, such as improved education and skills that may help them in years to come?
152
MANAGING ACCEPTANCE
Acceptance strategies basically involve doing nothingat least not until the problem appears
imminent. We normally identify a number of project risks not worth the time, effort, or expense to
mitigate. We accept those risks, perhaps allowing some contingency reserve to cover them. For
risks that have high cost solutions, we may develop a different kind of contingencya contingency
plan or response.
Unlike other risk management strategies, a contingent risk response is not implemented until the risk
has actually occurred or has passed some threshold or event point that makes us believe that has
become extremely likely to occur. In our asteroid example, it makes no sense to spend a huge
amount of money on a response unless we have reason to believe that the collision is likely to
happen in the near future. We make the response contingent on actual evidence that an asteroid is
indeed heading our way. So far, our risk has jumped from 1/65,000,000 to 1/250,000, but thats
not yet enough to activate a risk trigger, a threshold at which a decision is necessary.
Some contingent responses need to be worked out well in advance. With others, its sufficient
to have a general idea of what we might do, and make the detailed plan if the risk is triggered.
Acceptance
For risks with a minor impact, simple acceptancewe wont do anything, and will cope with the
effects as best we can if the risk occursis often sufficient. Some risks are accepted because they
are subsumed by larger programs. For example, a shop safety program is aimed not at a single risk
nor at a single project, but rather at a category of risks.
Watch and wait strategies, as in our Spaceguard example, are another subdivision of
acceptance. We spend a small amount of time, effort, and resources on monitoring, and defer any
substantial action untilor unlessthe risk event appears imminent or grows so much in probability
that action is warranted.
Exercise
9-3 Response
Types
of Risk
Look at the risk responses you developed in Exercise 9-1 and classify them according to the
categories mentioned in this chapter. Are there any alternate solutions you want to consider instead?
1.
2.
3.
153
4.
5.
IMPLEMENTING RISK RESPONSE STRATEGIES

Risk responses require actions. If you need insurance, you have to go buy insurance. If you need
safety goggles, you need to stop in the shop office and pick up a pair. If you need to test
components, you need a testing plan. The effort involved in turning a risk response strategy from an
idea into action can in some cases be substantial.
It is important to document what you decide to do about a risk. The Risk Information Sheet
(Exhibit 4-6) has a space in which to write the risk response, but the real work may be done
elsewhere. In many cases, the best place to put a risk response is into the project plan itself, either
as a work package or as requirements. If, for example, testing is part of your risk response to
potential lapses in quality, you probably want to have a work package labeled Testing. Depending
on the level and sophistication of the tests, there may be multiple steps involved. Tests have testing
requirements. Which tests should be run? What constitutes a satisfactory outcome? What defines
failure?
Exhibit 9-2 contains a list of questions to consider in developing and implementing your risk
response. Space is provided for you to consider how these questions apply to the risk responses
you have worked on in this chapter.
xhibit 9-2 That Shape Risk Responses

Questions
For each proposed response to a given risk, consider the following questions.
Appropriateness
1. Is the risk response proportional?
2. Is the risk response actionable?
3. How does this risk response compare to doing nothing at all?
These questions establish whether the potential risk response can be considered further. If the
solution is not proportional to the risk (that is, substantially higher than the risk score and not justified
by other reasons), or if we cant actually do whats required, then the solution is a non-starter.
If none of the risk responses are particularly attractive, do consider the potential consequences
of doing nothing. They may be greateror lessthan you imagine.
154
Residual Risk
4. How much and what kind of residual risk will remain?
5. Is the remaining level of residual risk acceptable?
6. Can we reduce the residual risk any further?
7. Is any of the residual risk positive in nature?
We not only need to define the level and nature of any residual risk, but also need to establish
whether the residual risk is still too high. If it is, we need a better solution or an additional solution
which gets run through this same process as a new risk response.
Secondary Risk
8. Will the risk response create any secondary risks, either threats or opportunities?
9. Are the secondary risks acceptable?
10. If not, can we modify them so they are acceptable?
11. Are the secondary risks greater than the risks of doing nothing at all?
Secondary threats and opportunities are frequently overlooked in risk response planning. Be sure to
consider indirect benefits to the organization, customers, or end users along with benefits to you and
your project in evaluating these options.
Staged Response
12. Must we act now, or can this response wait on further information?
13. Will the risk response be better if it is implemented early, or if it is implemented closer to
the risk event?
14. Are secondary and residual risks affected by the timing of the response?
155
Acting early isnt always or necessarily the best thing to do. Strategic delay can be a very effective
part of risk response planning.
Action Steps
15.
What are the action steps, tasks, or work packages we have to perform in order to
implement this risk response?
16. Can these action steps be placed into the regular project workflow?
17. What resources must be allocated to make these action steps happen?
18. Are any action steps contingent on other project events?
The best place for risk response activities is in the project plan itself. If the risk response is
contingent (depending on other events), this may not be possible. In that case, where will you put the
information? How will you make sure the risk responses is triggered if necessary?
Metrics
19. What circumstances, events, or measurements will tell you that the risk has occurred or is
about to occur?
20. How and when will you know if your risk response is working as anticipated?
21. How will you know if the risk is not going to happen?
22. What will tell you if you need to modify or change your planned risk response?
Without risk metricssome way to measure whats going onits very difficult to figure out
whether a risk has occurred or whether your proposed solution is working as intended. Establishing
metrics is a valuable tool in almost every project management situation.
Backup Strategy
23. What will you do if the planned risk response is not working adequately?
156
24. How will you document and record the backup strategy, if any?
25. How will you measure the success or failure of the backup strategy?
Backup strategies and contingency plans arent necessary in all cases, but its usually worthwhile to
ask the question: Is there a chance the response wont work, and if so, what are you going to do
about it?
Closing Criteria
26. How will we decide when this risk is no longer active and should be closed?
27. How will we record the outcome of this risk event?
28.
What can we learn from this risk event (whether it happened or not) and how will that
knowledge be used?
Theres usually a point at which a risk can no longer happen, or a point at which a risk that has
happened has done all the damage (or provided all the benefit) its able to do. Closing a risk moves
it from the active list to the inactive list, and should always be done consciously and deliberately.
Risk response planning is the process of deciding what to do about specific project risks. Establish a
formal process for developing risk responses as a team, consider more than one potential solution
before settling on an answer, and document the risk response on the Risk Information Sheet, in the
project plan, and elsewhere as appropriate.
Consider residual risk and secondary risk issues before deciding on a risk response. If residual
and secondary risk levels are excessive, modify the risk response or abandon it and choose a
different one. If the risk response is expensive, consider multi-stage solutions that defer expensive
action unless absolutely necessary.
The three basic strategies for managing a threat are avoidance (changing the project so the risk
event cannot happen or the project is completely protected from its effects), transference (moving
the ownership and impact of the risk to another entity), and mitigation (reducing some combination
of probability and impact, but not eliminating the risk altogether).
Opportunities can be found in stand-alone form and in the form of business risk, and are often
matched with corresponding threats. The three basic strategies are to exploit the opportunity (cash in
the benefit and use it), enhance the opportunity (make it better or more probable), and share the
157
opportunity (give the benefit to someone else either for goodwill or in trade).
Risk acceptance has two categories: passive acceptance (we do nothing unless the risk occurs,
then we cope with it as best as we can) and contingency planning (we create a backup plan but do
nothing unless the risk is triggered).
Risk response strategies must be implemented. You need to develop action steps and put them
in the project plan or elsewhere. You need to establish metrics that tell you when the action is
necessary and whether its working. You also need to establish criteria for closing a risk, either
because it can no longer happen or because all the consequences of the risk have happened.
158
Review Questions
1. A proposed risk response must always be:
(a) free of secondary or residual risk.
(b) structured as a multi-stage solution.
(c) proportional and actionable.
(d) paired with a backup strategy.
1. (c)
2. In managing opportunity, which strategy is most appropriate if the benefit is not usable by you
or your team?
(a) Sharing
(b) Mitigation
(c) Enhancement
(d) Acceptance
2. (a)
3. Which of the following is a strategy for managing threat risk?
(a) Exploitation
(b) Sharing
(c) Mitigation
(d) Enhancement
3. (c)
4. If the proposed risk response will not eliminate all the consequences of the risk, the part that
is not eliminated is known as:
(a) secondary risk.
(b) residual risk.
(c) contingency risk.
(d) multi-stage solution risk.
4. (b)
5. If a proposed risk response has an unacceptable secondary risk, you should:
(a) modify the proposed response or select a different one.
(b) change the project so that the initial risk cannot occur.
(c) provide contingency allowance for the additional risk.
(d) establish a multi-stage solution.
5. (a)
159
10
Risk Monitoring and Control
Learning Objectives
Define key elements in a risk management plan and a risk management policy.
Implement a variety of project risk monitoring and control tools, including monitoring and control
metrics; early warning indicators; common concepts of Earned Value Project Management (EV or
EVM) including planned value, earned value, and actual cost; and schedule and cost performance
indices based on earned value metrics.
Identify the elements in a change management system.
Explain why risk identification and risk analysis must continue throughout the project life cycle.
Assess risk management effectiveness during project lessons learned.
Reading
50 minutes
Exercises
50 minutes
Total Time
1 hour 50 minutes
RISK MANAGEMENT PROCESSES IN PROJECT EXECUTION, MONITORING AND

CONTROL, AND CLOSEOUT
Weve now analyzed a single risk, but projects rarely have just one risk. Projects have a portfolio of
160
risk, usually including both upside and downside risks. Some of the risks are known (or at least
knowable); some of the risks are at least initially unknown.
While the topic of this course is project risk and cost analysis, the job isnt complete until the
risk response plan is in place and the risks are managed properly. In this chapter, well provide an
overview of the aftermath of the risk analysis process.
RISK MANAGEMENT PLANS AND POLICIES

A risk management plan is part of any well-prepared project management plan. It identifies and
describes the risks, rates their relative seriousness by considering their probability and impact, lists
any planned responses or actions intended to reduce downside risks or improve upside risks, and
explains how the project team will monitor risks and responses for effectiveness.
A risk management policy is a document that applies to an entire organization or category of
projects. It describes how the organization wants risk management to be performed, which projects
and activities are covered by the policy, the definitions and steps involved in the process, the types
of reports and documents that need to be prepared and disseminated, who must be consulted or
who must approve risk responses, and similar matters.
Your organization either has or doesnt have a formal risk management policy in place. If it
does, then your risk management planning activities must conform to it. If it doesnt, you may want
to prepare one for your own projects simply to avoid the need to start from scratch each time.

A formal risk management policy can be a valuable asset when projects and operations carry with
them the possibility of serious organizational consequences. In our judgment, a risk management
policy should be considered an organizational best practice when it comes to risk management.
There is little advantage in creating a risk management policy from scratch, because there are
numerous templates and guidelines available to help you. Many of them are specific to certain
industries or occupation, but by and large they follow the same format. You will find links to a
sampling of risk management templates in the Additional Resources section of this book, and more
are being added all the time.
Regardless of the organization or category of risk, all risk management policies must address
certain questions and issues. The following guidelines are designed to help your organization in
preparing a risk management policy.

The more explicit and clear the organizations attitude toward risk, the easier it will be for individual
projects and operations to behave in accordance with it. A statement of purpose, scope, and
commitment helps readers make sense of and apply what is to follow. Consider the following
questions:
What kinds of risks are most important?
If you manage a white-water rafting business, for example, theres an inherent level of physical
danger to participants. A risk management policy might emphasize the importance of safety
precautions, safety training, and emergency medicine. If your business manages investment portfolios
for customers, the danger is to financial wealth rather than physical health, and the risk management
policy adjusts accordingly.
161
Defining the areas of greatest concern helps focus attention where you most need it. This
doesnt mean you wont address risks outside the areas of primary concern, of course, but they
normally have to rise to a higher level for you to take them as seriously.
Think About It
What kinds, categories, or areas of risk are most important to your organization, group, or type of
project?
What kinds of risks do you want people to take?

Business risk, as weve discussed, combines upside risk and downside risk in the same decision.
Avoiding pure risk (at the right price) is clearly prudent, but avoiding business risk eliminates the
chance of gain along with the chance of loss.
To avoid any possibility of an accident in white-water rafting, the obvious solution is to avoid
white-water rafting, but you also avoid the exhilaration and fun from the activity. To avoid any
chance of financial loss, you can keep your money in the safest possible investments, but in doing so
you may miss out on valuable returns.
Think About It
What kinds, categories, or areas of risks should be encouraged? What kinds of risks are potentially
beneficial to the project, the organization, or the customers?
What kinds of risks do you want people to avoid?

Some risks are unacceptable as a matter of policy, and those need to be spelled out. For example, a
company might express a strong unwillingness to accept risks in ethical matters, risks involving the
potential for injury, or other categories.
Notice that being unwilling to accept risk in a particular area may simply shift the impact of the
risk to another area. If youre unwilling to accept the possibility of physical injury from your
products, youll usually end up paying for additional safety measures. The risk switches from
physical harm to financial impact.
162
Think About It
What kinds of risks should be avoided as a matter of policy? What is the threshold of acceptability
on these risks?
What projects and risks are covered?

Failing to perform adequate risk management can be catastrophic. At the same time, risk
management costs money and takes away resources that could be employed elsewhere. In order to
strike a balance between the cost of risk management and its benefits a number of different
questions should be considered, as outlined in Exhibit 10-1. Weve provided space for your issues
and considerations.
xhibit 10-1
Organizational
Considerations for Risk Management Policy
163
We do not recommend that projects below the threshold of formal risk management planning
be exempt from risk management altogether, of course. However, the degree of rigor and detail
appropriate for smaller projects may be far lower than is appropriate for larger or more inherently
dangerous ones.

While most risk management methodologies follow the same broad outline (initiation, analysis,
response planning, action), the details of preferred tools, approaches, and steps vary greatly. Even
for organizations that use an industry standard, such as the PMBOK, as a template, there are still
numerous details that must be customized for any organization, such as who must be consulted on
given risks and how risk data will be integrated with other information. Consider the following:
Definitions. Common vocabulary matters a lot. If a risk is unlikely, does that mean a
probability lower than 50% or lower than 25%? What constitutes a significant risk?
Reporting and Documentation. How will we keep track of risks? What information needs to
be archived? Who should be informed of which risks? How will risk management be handled within
other project management functions?
164
Approvals and Authority. Who is responsible for identifying risks and preparing the risk
management plan? Who must approve risks in particular categories? Who decides whether the total
risk level of a project is acceptable or unacceptable?
PROJECT RISK MONITORING AND CONTROL SYSTEMS

In project risk analysis and project risk response planning, we identified the risks that required
responses, made sure we understood those risks as thoroughly as possible, and developed
responses and action steps to implement those responses. Along with our risk responses, we
developed metrics: indicators that help us understand whats going on with a particular risk.
How will we make sure these plans and strategies are implemented, and that the things we said
we were going to do actually get done? The process of doing this is known as project monitoring
and control, the final part of our phased approach to risk management planning.

Our individual risk response plans form the basis of one aspect of project monitoring and control. In
addition, risks are often managed collectively and by category, as in the case of a shop safety
program. The safety program doesnt specifically care about the consequence to your project, but
works to prevent accidents across the board. Project risk monitoring and control has a collective
side as well. In addition to managing specific risks, you need to monitor and control the general
project environment as part of an effective risk response.
Many of the tools you use to manage the project offer information and insight into the risk
environment as well. A weekly report provides status information to check against the plan. If there
are discrepancies in, say, the schedule, youve just found evidence of a time risk to the project. If the
cost of raw widget stock is higher than the planned number, you know theres a cost issue. If the test
report says that the new widget design didnt pass the pressure test, youve uncovered a
performance issue.
There are four areas of fundamental concern in your project risk environment:
Information that suggests that specific risks have been triggered or that they are not going to
occur.
2. Information that suggests that your planned risk responses are working or are not working as
intended.
3. Information that suggests project and environmental conditions have changed or not changed
from your expectations or history.
4. Information that suggests underlying or structural issues with your project or plan exist or dont
exist.
1.
In everything you do to manage, monitor, and control the project for which you are responsible, you
need to keep these concerns in mind. As weve pointed out elsewhere, the earlier you learn that you
have a problem or an opportunity, the greater your ability to manage it to best effect.
Add a section on Risks to any status reporting form you use so that people write about what
they see in the near future as well as about what has happened in the recent past. Use part of project
staff meetings to discuss the upcoming uncertainties as well as the status of current work.

In addition to metrics, triggers, and early warning indicators for specific planned risks, you also need
165
to establish general metrics that reveal unusual trends early, and that distinguish between ordinary
variation and significant divergence from the expected norm. We are looking for significant
variance from the plan, in areas of cost, time, and performance.
Often, a project thats within 5-10% of budget estimates is considered on-budget, especially
when were dealing with large round numbers and uncertainty. If, on the other hand, the variance
started out at 1% and its gone to 8%, it might be sensible to look for any potential underlying
problem well before costs get out of hand.
If you work on a large project or in an organization that uses performance measuring software
systems, you may have a great deal of specific information available that you can use to monitor and
control your risks. Financial data, market performance, test results, and productivity metrics can be
of help.
If your project management environment contains a project management office (PMO), uses
enterprise grade software for project management, or has implemented Earned Value Project
Management (EV or EVM), you have even more tools at your disposal to monitor and control
risks on your project. A PMO often keeps performance data on other projects that you can use to
baseline your own effectiveness. Enterprise-grade project management software, capable of
handling tens of thousands of activities in tight relationships, provides extensive tools for analyzing
and tracing chains of events.
xhibit 10-2
Earned
Value Method (EVM) Performance Index Ratios
Example: Today, the schedule says you should have finished Task A, which was budgeted at
$1,000, and half of Task B, which has a total planned cost of $1,000 as well (total of $1,500).
Youve spent $1,750, but youve accomplished all of Task A and all of Task B as well. How are
you doing?
PV = $1,500 AC = $1,750 EV = $2,000
SPI = $2,000 / $1,500 = 1.33 (133%) CPI = $2,000 / $1,750 = 1.14 (114%)
Example: Today, the schedule says you should have finished Task D ($5,000), Task E ($2,500),
and half of Task F (50% of $7,500). Youve only finished Tasks D and E, and youve spent $8,250
so far. How are you doing?
PV = $11,250 AC = $8,250 EV = $7,500
SPI = $7,500 / $11,250 = 0.67 (67%) CPI = $7,500 / $8,250 = 0.91 (91%)

Earned Value Project Management requires a self-study course in itself, and a full discussion is well
outside the scope of this book. If EVM is required for your projects or by your customers, then you
will need to become familiar with it if you are not already.
The EV method starts with three numbers: The planned value (PV) measures how much work
we should have accomplished by a given date and how much we should have spent to accomplish it.
To that, we add the actual cost (AC), what we actually spent for what we actually did. Finally, we
add the earned value (EV), which measures what we should have spent for what we actually did.
Earned value allows you to determine the amount of cost or schedule variance, but from a risk
166
point of view, its valuable to pay particular attention to two ratios that measure performance. The
cost performance index (CPI) is the ratio of the earned value to the actual cost (CPI = EV / AC),
and the schedule performance index (SPI) is the ratio of the earned value to the planned value (SPI
= EV / PV). Exercise 10-1 shows you how to do it.
ExerciseValue
10-1Method (EVM) Performance Index Ratios
Earned
Today, the schedule says you should be completely done with Task A ($7,500) and Task B
($5,000), and half done with Task C (total cost of $10,000). You have completed 75% of Task A,
spending $6,000 to date; all of Task B at a cost of $6,000; and you are completely done Task C,
having spent $12,000. How are you doing?
SPI =_______________
CPI =_______________
What conclusions can you draw about this project?
An SPI or CPI of 1.00 (100%) means youre exactly on track. Small variances (less than 5%
or 10% on either side, depending on the type of project and organization) are not usually significant;
anything above 10% either way demands investigation.

Even if you develop great risk responses, they dont do very much unless theyre implemented. We
have suggested the best place for many risk responses is in the project plan, and indeed there are
always tasks in any project plan that exist solely to address risk. If there were no chance of a failure,
there would be no need for inspection or testing. If the design were certain to work, it would not
need to be reviewed. Testing, reviews, and many other activities are best treated the same way as
any other work package.
A risk response plan can consist of many sorts of actions, as shown in Exhibit 10-3.
167
xhibit 10-3
Sample
Risk Response Action Plans
Risk: Customer orders may need to be filled during inventory.
Response: Be prepared to work overtime to meet both the needs of the customer and the need for
the inventory.
Action Steps:
1. Check with Sales Manager the week before the inventory to see if customer emergencies
are expected.
2. Advise team members of the potential for last-minute overtime so they can adjust personal
plans as necessary.
3. Recruit two backup team members who will be available to work if needed; include them in
training session.
4. If it turns out that overtime or extra staff are needed, prepare authorization requests and
timesheets to submit to payroll.

Most risk responses are implemented whether or not the risk occurs. If you buy insurance, you may
or may not end up having a claim. If you conduct testing, you may or may not find anything wrong.
While the risk condition itself may be uncertain, the response is not.
Implementing a contingent response is known as corrective action. Responding to an
unplanned risk is known as a workaround. The difference, of course, is that you have at least a
general course of action in mind in the first case, and may be scrambling to find an acceptable
solution in the second case.
To make a contingent response effective, you need to establish a risk trigger, a set of
conditions or circumstances that activate the response. This is particularly important when your risk
response requires a head start on the risk event itself.

We have identified watch and wait risks, characterized as having (1) low probability, (2) potentially
catastrophic impact, and (3) expensive mitigation. Because of the cost of response, you prefer not to
spend the resources unless you have reason to believe the risk event is actually going to occur, or is
looking tremendously more likely.
What kind of metrics will you use to observe the risks? Are there leading indicators of
potentially adverse trends? Are there particular circumstances that alter the probability or impact of
the risk?
CHANGE MANAGEMENT AND RISK

168
Its far from unusual to make changes to the project scope and objectives during the project life
cycle. Sometimes new information is received; sometimes circumstances or needs change; and
sometimes people simply change their minds. The result is a change order, whether formal or
informal. They are part of life for any project manager.
Changes, of course, frequently contain risksand in the context of our project, they are new
risks, not yet included in our risk evaluation and response process. While its not always possible to
perform a full risk analysis before deciding what to do about a given change (sometimes the change
is a fact whether you like it or not), its important to perform a risk evaluation as early as practical so
that you can respond or adjust as needed.

Virtually every authority in project management recommends a formal change management
system, and its fairly obvious why this is a good idea. Changes cost money and time, they may
affect other parts of the project, and they arent always communicated effectively. Failing to review
and document changes effectively opens your project to huge and unnecessary risk.
There are many right ways to put together a change management system, and they vary by
organization and environment. At a minimum, they usually include the following:
A way to document the change
A way to allocate any associated costs for the change
Someone who can approve or reject the change
Risk analysis and risk response planning are necessarily part of all three steps, whether they are
done formally or informally. Because changes are a particularly rich source of project risk, we
recommend a formal approach in almost all cases. If a change is to be made to an in-progress
project, someone (either the project manager, or if the risk is specialized, the particular risk owner)
needs to perform a risk analysis and identify issues of potential concern.
Avoid becoming the boy who cried wolf. Your role is to figure out how to make the change
work, rather than to show why it cannot. In some cases, an honest evaluation will reveal risks so
serious that they require a reassessment of whether the proposed change is appropriate, but that
decision normally belongs to customers or managers at a higher level. Your role is to provide
objective data, and when possible to offer solutions or useful alternatives.
Think About It
Do you have a formal change management plan? Does it do a satisfactory job of evaluating new
risks associated with changes? How would you improve it?

Problem solving and crisis management are all too frequently a fact of organizational and project life.
The goal of risk management is to reduce the number and scope of problems and crises, but its
169
unrealistic to expect that even the finest risk management will make everything go away.
By their very nature, problems tend to be specific, unexpected, and unique. Risk management
cant provide individual answers in advance. We do get advantages from risk management even for
the most unplanned and unexpected events, however. By establishing our monitoring system, were
more likely to get an early warning. If we have resources available to address planned risks, they
can be repurposed to manage unplanned ones as well.
REVISITING RISK IDENTIFICATION AND RISK ANALYSIS

Timeand therefore riskmarches on. When we perform our initial risk identification during the
early planning stages of the project, we see a great deal of uncertainty. As the project moves
forward in time, however, the future slowly becomes the present, and then quickly turns into the
past. Risks turn into problems, or they dont happen at all.
The events on our project change the risk picture for the future. If we suddenly get a huge
influx of customer orders in the weeks leading up to our inventory date, and more of them than usual
are emergencies, the chance that our inventory will be interrupted by the need to ship goes up
dramatically. Instead of waiting for the actual order to work overtime, maybe it makes more sense to
put the extra manpower on the job from the beginning to get it done as quickly as possible.
New risks appear with little or no warning. Two of the employees we planned to use on the
inventory project have just quit, and they were the only two who had experience doing our inventory
in previous years. To address the new set of risks, consider doing two things:
1. Add an item to your regular status meeting agenda to talk about new risks that should be added
to the risk management plan. Assess those risks using qualitative risk analysis filtering, and
conduct risk analysis and response planning for those you consider serious.
2. If the project will take months to complete, conduct a monthly risk review. Take the plan,
existing risks, new risks, and performance data, and update the overall risk management plan.
Update the risk register and risk information sheets for new risks and for existing risks that have
changed in nature, probability, or impact.
Closing Risks
At some point in the project, every risk reaches its expiration datea point after which if the risk
has not occurred, it can no longer occur. Before the test is run, the widget has a risk of failing the
test. After the test has been run, the widget either passed or failed. Either way, theres no longer a
risk, but rather a non-event (it passed) or a problem (it failed).
When you decide that a risk needs to be monitored, managed, controlled, or watched, you
should close the risk. Close a risk under the following circumstances:
1. The risk did not happen and it is no longer possible for it to happen.
2. The risk happened, and all of its consequences have played out, for better or worse.
3. The residual level of the risk is no longer worth the time and expense to monitor it.
When the project is complete, all the risks associated with the project are also closed. (Risks in the
product, which you deliver to the customer or user, still remain, of course.)
Document when a risk is closed, either on the risk register or the risk information sheet, and list
briefly why it has been closed. Keep information related to all risks, including closed ones, for two
reasons. First, you need to review those risks and responses as part of lessons learned, and
170
second, you may encounter similar risks on future projects and will be able to reuse risk analysis and
response planning that youve already done.
RISK MANAGEMENT AND PROJECT LESSONS LEARNED

Every well-run project includes a post-mortem, or lessons learned exercise, and evaluating risk
management and risk response is part of it. Consider the following questions:
How did your estimates of probability and impact line up with reality?
What risks occurred that you did not expect?
What risks did you expect that did not occur?
What assumptions about the project turned out be incorrect?
What linkages or connections among the risks were not obvious?
How well did your risk mitigation efforts and risk response plans operate?
How effectively were you able to monitor conditions and get early warning of risk events?
Were the risk management processes that you used cost-effective and appropriate for your
project?
What would you do differently next time?
What did you learn on this project that will improve your ability to manage risks on future
projects?
Keep risk response plans, risk analysis data, and actual project results to use as raw material for
managing risks on future projects.
Risk management requires an overall process for implementation during the phases of project
execution, monitoring, and control. A risk management plan is for an individual project; a risk
management policy covers an entire organization or at least a category of projects.
Risk management policy addresses numerous questions:
What kinds of risks are most important?

What kinds of risks do you want people to take?
What kinds of risks do you want people to avoid?
What projects and risks are covered?
In addition to implementing specific risk responses, risks are also managed collectively and by
category. Project monitoring and control activities, such as status reports or other data, provide raw
information about risks, helping you to discover whether particular risks are being triggered, whether
planned risk responses are working as intended, or whether environmental conditions have changed.
Project metrics take many forms. In the Earned Value Method (EVM), the planned value,
actual cost, and earned value of a project allow you to measure schedule and cost performance on
your project.
Risk response plans detailing action steps for a given risk are normally integrated into the
171
overall project plan. In addition, you may need to implement corrective action (contingent
responses) or workarounds (unplanned risks). Monitor watch and wait risks carefully.
Project changes create new risks and modify existing ones. A formal change management
process has many virtues, including providing an opportunity for renewed risk management efforts.
Risk identification and risk analysis need to be revisited as the project moves forward over time.
Close risks when they can no longer happen, when all their consequences have played out, or when
the residual risk is no longer cost-effective to monitor.
Finally, evaluate the effectiveness of risk management as part of lessons learned, and organize
risk data on current projects so that it benefits future projects as well.
172
Review Questions
1. The schedule performance index (SPI) measures the ratio of the:
(a) earned value to the actual cost.
(b) actual cost to the planned value.
(c) planned value to the actual cost.
(d) earned value to the planned value.
1. (d)
2. A risk management policy includes which of the following elements?
(a) Risk identification and risk analysis information for the project
(b) How the organization wants risk management to be performed
(c) A list of planned risk responses and action steps
(d) Description of metrics and measurements to be used on the project
2. (b)
3. What is the effect of project change on project risk?
(a) Changes increase overall project risk.
(b) Changes only add to the list of risks.
(c) Changes create new risks and modify existing risks.
(d) Changes balance new risk with new opportunity.
3. (c)
4. What kinds of risks are most desirable? 4. (c)
(a) Pure risks
(b) Uncertain risks
(c) Business risks
(d) Nonfinancial risks
4. (c)
5. The cost performance index (CPI) measures the ratio of the:
(a) planned value to the actual cost.
(b) actual cost to the planned value.
(c) earned value to the actual cost.
(d) earned value to the planned value.
5. (c)
173
EXERCISE 1-1. MANAGING IMPORTANT RISKS

One all-too-common strategy for dealing with risk is denial. We sometimes ignore risks because it
can be uncomfortable to think about them, especially when the risks are potentially very serious and
our options to do something about the risk are limited.
The purpose of this exercise is to make you more conscious of the risks in your environment
and the fact that you are doing something in response to many (albeit not all) of those risks.
You may find that actually writing down a particular risk and thinking about the best response
causes you to take action you might not otherwise have taken, or at least refocus on an action you
have already taken. Studies showed that random messages provided to bus drivers suggesting they
be more careful on a particular day reduced accidents. Its not that the drivers were otherwise
unsafe, its that the reinforcement caused them to pay more attention for a short period.
We dont judge you for the risk on which you have surrendered on the grounds that our own
list of surrenders is embarrassingly long. However, there have been cases in which we postponed
action for a long time, but eventually did do something about it. Awareness doesnt always translate
into action, but its usually a necessary precursor.
With that in mind, we encourage you to become more conscious of the risks in your
environment. Continue the exercise over the next week, adding additional risks as you think about
them. Try to add at least one risk each day; more is better. Through practice, this will make it easier
for you to see risks in any environmentand to act upon them.
174
175
EXERCISE 1-2. YOUR CURRENT RISK MANAGEMENT PROCESS

The purpose of this exercise is not to criticize anything you or your organization may be currently
doing with respect to risk management. Depending on the seriousness of the risks, the extent to
which you have good information about those risks, and the cost of addressing those risks, some
organizations have a very high need for formal risk management while others have a comparatively
low need.
When thinking about informal risk management, be aware that risk management activities dont
always get labeled as risk management. For example, as authors, we check our spelling and
grammar before sending our manuscripts to our editors, and our editors check them again. No one
in publishing refers to proofreading as part of a books risk management plan, but if authors were
176
incapable of error, then thered be no need for poofraedinger, proofreadingat all. Editors
perform an unlabeled risk management function. So do many other professionals.
The two important questions in the exercise concern what works and what could be improved
in your current process. We urge you to keep those ideas uppermost in your mind as you continue to
work through this self-study course so that you can identify the most appropriate lessons to apply
from these pages.
EXERCISE 1-3. WHAT YOU SPEND ON RISK MANAGEMENT

Whats valuable in this exercise is increasing your awareness of risk expenditures currently taking
place, not how precise or comprehensive your estimate. As we move forward in this self-study
course, consider these estimates as you identify other opportunities and tools to manage project
risks. Are you spending the right amount on the right targets? What would be the benefit of
additional risk expenditures? Where should they be targeted?
EXERCISE 2-1. RISK IDENTIFICATION PRACTICE

Depending on your own experience, you may have answered some of these questions in a different
way. Your answers are right as long as they correspond to your experience in your own work
environmentthey dont have to be the same as ours.
177
178
EXERCISE 2-2. SWOT ANALYSIS

Depending on your own organizational experience, you may have answers different from ours that
are equally correct. Telling helpful from harmful is usually easy; check to make sure youve
separated internal from external.
EXERCISE 3-1. CAUSE-AND-EFFECT DIAGRAM

Heres one answer for the risk: If customer emergencies require us to make a special shipment
during the inventory process, we may need to work overtime to meet the original deadline from
Exercise 2-1. Notice that in this case, the costs are charged to the project (overtime) but substantial
benefits accrue to the organization.
179
EXERCISE 4-1. ESTABLISHING RISK THRESHOLDS

To provide a comparison guide, weve developed risk thresholds based on the imaginary project
from Exercise 2-1. Your thresholds are likely different.
180
EXERCISE 4-2. RANKING RISKS

One reason to consider using more than a single method of ranking risks is what happens when you
do get different results. If you found that you ranked a risk differently, it may be because of a
different scale. In the word exercise, there are four grades of probability (no in the middle choice)
and in the number scale, there are five (all risks must be rated higher or lower). Sometimes you find
yourself putting more emphasis on impact than probability, as opposed to considering both equally.
When this happens, we dont have a bias in favor of one approach over the other. Instead, we
view this as a reason to look at a given risk more deeply; based on our greater understanding,
sometimes we end up choosing a higher risk rating or a lower one.
EXERCISE 4-3. PREPARE A RISK INFORMATION SHEET

This is a risk information sheet for If customer emergencies require us to make a special shipment
during the inventory process, we may need to work overtime to meet the original deadline from
Exercise 2-1 and Exercise 3-1.
In order to provide a complete example, weve filled in the Status section of the form. In real
life, that wont get filled in until there are actual project events to report. Notice in this case, the risk
turned out to be a non-event.
181
EXERCISE 5-1. PROBABILITY PRACTICE

The basic probability of rolling a given number on a six-sided die is 1/6. Thats true no matter what
182
number you pick. The probability of not rolling a given number is 1 minus the chance of rolling it, or
5/6. The odds, remember, are not the same as the probability, but the ratio of favorable to
unfavorable outcomes.
Probability
Odds
a. Roll a 4
1/6
1/5
b. Roll a 2
1/6
1/5
c. Not roll a 4 or a 2
4/6
4/2
The probability of one event and another independent event happening is the product of the two
probabilities: 1/6 1/6 = 1/36.
Its easier to figure out the probability of not rolling a 4 on either die: 5/6 5/6 = 25/36. Since
the probability of p(A) = 1 p(not A), figure out the probability of rolling a 4 on at least one die by
subtraction: 1 25/36 = 11/36. Yes, rolling a double 4 counts as at least one die.
a. Roll two 4s
1/36
1/35
b. Roll a 4 and then a 2
1/36
1/35
c. Roll a 4 on at least one die
11/36 11/25
d. Not roll a 4 on at least one die
25/36 25/11
EXERCISE 5-2. CALCULATE A STANDARD DEVIATION

The answer key to this exercise is in two parts, both assuming youll use a spreadsheet to develop
your answer. The first line contains the formulas that tell you what information should go in each
empty cell from the exercise.
To determine the mean, add up the entries in the Result column and divide by the number of
entries.
183
To calculate the standard deviation, first divide the sum of the d2 column by the total number of cases
(1,000), then take the square root of your answer.
Armed with that information, lets fill in the rest of the cells.
Mean = 19.5
184
EXERCISE 6-1. GREATER ACCIDENT VARIATION

The formulas and process for completing this exercise are identical to the ones in Exercise 5-2
above.
185
EXERCISE 6-2. PREMIUM INCOME AND CLAIMS OUTLAYS
EXERCISE 6-3. PRICING RISK

a. Llewellyns of Los Angeles is responsible for Risky Business Insurance losses whenever those
losses in a given year are greater than $750,000 over the premium income. That means Llewellyns
writes three checks during the eleven years of coverage. Without considering any other factors, this
186
works out to a premium of 84 charged to each Risky Business policy.
b. There are many other factors to consider in coming up with the final premium. Your list may vary,
but these are some items we would consider.
1. The costs of doing business. Like all businesses, Llewellyns of Los Angeles has overhead, sales
costs, cost of money, and desired profit.
2. Risk that the actual payouts over 11 years might be greater than premium charged. If Risky
Business has one more bad year than the track record suggests, the reinsurer is on the hook for
as much $5 million in additional payouts.
3. Risk that the maximum potential payout is $5 million, not $4.67 million.
4. The cost of the capital necessary to underwrite the insurance.
5. Surprises and black swan events.
c. Covering excess risk up to $10 million rather than capping the policy at $5 million is an exercise in
judgment. We have no cases on record in which total losses have even hit the $5 million mark, our
current maximum. One possibility is to do additional research. Are other insurance companies
around the world in the same line of business? If so, have any of them experienced years in which
covered events were dramatically more frequent than normal? If we can glean a pattern from our
investigation, we can use that to price the additional risk. If you discovered, say, that the
circumstance in which youd have to pay an additional $5 million occur about 2% of the time, that
suggests adding $100,000/1,000,000 to the premium cost, or another 10 per policy.
What if you cant find any evidence whatsoever that such an event has ever happened? That
doesnt mean its impossible, but its fair to say its unlikely. At this point, risk managers end up
having to make an assumption. In this case, we might say we were unwilling to underwrite the risk
for less than 5 per policy, which equates to an assumed risk of 1%. Given the minor difference,
187
well use the 10 figure.

d. Pricing the cost of the reinsurance, as you can see, involves some judgment. Heres our answer:
$5 million $10 million
cap
cap
Base Cost of Risk
$0.84
$0.84
$-
$0.10
Overhead (25%)
$0.21
$0.24
Profit Target (15%)
$0.13
$0.14
Total
$1.18
$1.32
Additional Exposure (assuming 2% chance of

catastrophic event)
Llewellyns of Los Angeles might well add safety for itself by rounding up these numbers, and charge
a premium of $1.25 for a $5 million cap and $1.40 for a $10 million cap. For the purposes of our
example, however, well use $1.32 as the cost of reinsurance for Risky Business (we thought an
extra 5 for protection against the larger loss was a bargain).
Your analysis may yield a different number, but as long as you considered the same basic issues
and used a similar process, consider it equally valid. As weve noted, pricing risk involves judgment
as well as analysis.
EXERCISE 7-1. DETERMINISTIC OR PROBABILISTIC?

Number
Deterministic Probabilistic
Make 100,000 new widgets per year with the new equipment
Rated capacity is under specified conditions. Actual number will vary. If
100,000 is a guarantee, its the minimum number.
Sell the additional 100,000 widgets to customers
Sales forecasts and estimates of customer demand are never exact.
Buy a widget maker for a price of $100,000 to $250,000
Advertised prices are usually good for a certain period of time. If we plan to
act within that margin, the advertised price for the unit we select should be as
predicted.
Make a gross profit of $5 to $7 per widget
Cost of raw materials, labor, overhead, maintenance, and other factors can
change cost; market conditions can change price.
Incur overhead costs of $3 per widget sold
Unless these costs are unusually solid, theres probably uncertainty here as
well.
EXERCISE 7-2. CALCULATING EXPECTED MONETARY VALUE (EMV)

Create a spreadsheet with the following formula:
188
The EMV is the sum of the numbers in the final column. Thats the combined probability times
the impact of each of the states of nature.
Now, lets plug in the actual numbers.
THINK ABOUT IT (DECISION TREE)

The difference between the EMV for Investment A and Investment B is $5,750 minus $2,800, or
$2,950. Subtract that amount from the asking price for Investment B and you get $9,050.
EXERCISE 7-3. DECISION TREE

Heres a spreadsheet containing all the net income data, and the filled-in decision tree follows.
189
The more expensive WidgetGenie is a better investment, even considering its higher error rate.
EXERCISE 7-4. SENSITIVITY ANALYSIS

Scenario: Veeblebrox defects only 1%.
190
Advantage: Veeblebrox by $240,000. Even though Veeblebrox has a lower defect rate, the
higher cost of repairs is a huge drag on net income.
Scenario: Veeblebrox produces an additional 100,000 widgets.
191
Advantage: WidgetGenie by $380,000. At a price of $19 per widget, the company cant make
money no matter how many widgets they make.
Scenario: Veeblebrox errors only cost $100 to fix
Advantage: Veeblebrox by $340,000. The lower cost per error takes $1 million out of costs.
Scenario: WidgetGenie doubles its price.
192
Advantage: WidgetGenie by $170,000. A $500,000 price tag is a bit high, because that means
the WidgetGenie loses money in a bad economy. It could easily charge $400,000, however, and still
be a better value.
EXERCISE 8-1. CRITICAL PATH
EXERCISE 8-2. SCHEDULING WITH PERT ESTIMATES

Step 1 Answer:
Step 2 Answer:
193
EXERCISE 8-3. CALCULATING STANDARD DEVIATION FOR A PATH OR NETWORK
Critical path tasks are shown in bold. Only the standard deviations of those tasks are used in the
root sum square. The basic project duration using PERT estimates, as you recall, is 47 days. To that
we add the following (rounding our answers to the nearest whole day):
47 days + (1.28 * 5.89
80% confidence =
= 55 days
days)
47 days + (1.64 * 5.89
90% confidence =
= 57 days
days)
47 days + (1.96 * 5.89
95% confidence =
= 59 days
days)
194
EXERCISE 9-1. RISK RESPONSE PLANNING

Your answers, of course, will vary based on the risks you chose. We will take an existing risk
response strategy from Exercise 4-3: If customer emergencies require us to make a special
shipment during the inventory process, we may need to work overtime to meet the original
deadline.
The proposed risk response was: We will do the following things in response to this risk:
1. The sales department will provide as much advance notice as possible of any customer
emergencies requiring shipping.
2. If emergency shipping is necessary, overtime is authorized for the inventory team to ensure they
meet the three days. The project lead will assign overtime if it is needed and report the
information to payroll and to the department head for budget control.
3. If the project lead for any reason feels that the three-day window is in jeopardy, the project lead
will immediately notify the department head and VP/Ops to acquire the necessary additional
resources.
EXERCISE 9-2. RESIDUAL AND SECONDARY RISK

What level of residual risk will remain after the risk response has been implemented? Perhaps more
than one emergency order will come in; perhaps people will be sick or unavailable when we need
them for the overtime, or perhaps the emergency order will come too late in the process to allow
action. These seem unlikely enough not to require separate action, and if they happen, the solution is
more of the same: more people, more overtime.
How about secondary risk? Well, the obvious secondary risk is that if these orders come in,
the cost of doing the project (overtime, in particular) will increase. Weve explicitly accepted that the
additional cost is superior to the consequences of failing to meet a customer emergency.
EXERCISE 9-3. TYPES OF RISK RESPONSE

The particular risk strategy weve selected is a contingent response. We think its unlikely that this
risk is going to happen, and so we dont want to spend money on it unless its necessary to do so.
There are other potential responses. Lets see how wed approach the same risk using the other
available strategies.
Avoidance. To avoid the risk of a conflict between the inventory and customer emergencies,
we could decide to skip the inventory or ignore the customer. Either avoids the risk at hand, but
both have substantial negative secondary consequences.
Transfer. We could hire an outside contractor to perform the inventory and hold the contractor
responsible for the risk. This might cost a lot more money, and it could have other undesirable
consequences as well. We could also make the sales department pay for our overtime out of its
budget, meaning they would be more likely to check if this was indeed a true emergency.
Mitigation. Instead of waiting until we see if an emergency order arrives, we could go ahead
and schedule extra resources to make sure we were enough ahead of schedule so that any delay
would not matter. This certainly reduces the risk (but does not completely eliminate it for the reasons
previously discussed), but costs a lot more money.
Acceptance. Because the situation is improbable, we could simply take our chances and try to
cope in case the feared order arrives.
195
Exploitation. We could make sure our customers knew we were open for business even
during inventory, and try to reap additional goodwill. We might also make the possibility of that
emergency order more likely.
Enhancing. If we can find ways to speed up the time it takes to do the inventory, we save
money long-term and at the same time lower the potential impact of emergency orders.
Sharing. The extra work in this case falls to the project team, but the benefit goes to the
organization as a whole in the form of improved customer relationships. If that translates into extra
sales, the sales force is likely to reap some additional reward in the form of increased commissions.
EXERCISE 10-1. EARNED VALUE METHOD (EVM) PERFORMANCE INDEX RATIOS

Today, the schedule says you should be completely done with Task A ($7,500) and Task B
($5,000), and half done with Task C (total cost of $10,000). You have completed 75% of Task A,
spending $6,000 to date; all of Task B at a cost of $6,000; and you are completely done with Task
C, having spent $12,000. How are you doing?
SPI = $20,625 / $17,500 = 1.18 (118%)

CPI = $20,625 / $24,000 = 0.86 (86%)
Were probably ahead of schedule because were paying for it. This is not necessarily
unreasonable, if the value of a speeded-up project is greater than the cost of the additional resources
you may need.
196
Bernstein, Peter L. Against the Gods: The Remarkable Story of Risk. [E-book] New York: John
Wiley & Sons; 1996. Retrieved from Amazon.com 3 January 2011.
Budd, Charles I, and Charlene S. Budd. A Practical Guide to Earned Value Project
Management. Vienna, Virginia: Management Concepts; 2005.
Chapman, Chris, and Stephen Ward. Project Risk Management: Processes, Techniques, and
Insights. Chichester, England: John Wiley & Sons, Ltd.; 1997.
Chiles, James R. Inviting Disaster: Lessons From the Edge of Technology. New York:
HarperCollins; 2001.
Declaration of the Summit on Financial Markets and the World Economy. Retrieved from
http://georgewbush-whitehouse.archives.gov/news/releases/2008/11/20081115-1.html 13 April
2011.
Dobson, Michael S. Project Management for the Technical Professional. Newtown Square,
Pennsylvania: Project Management Institute; 2001.
Dobson, Michael S., Random Jottings 6: The Cognitive Biases Issue. Bethesda, Maryland: The
Sidewise Institute; 2011. (Available free at http://efanzines.com/RandomJottings/index.htm.)
Dobson, Michael S. Streetwise Project Management: How to Manage People, Processes, and
Time to Achieve the Results You Need. Avon, Massachusetts: Adams Media Corporation;
2003.
Dobson, Michael S. and Heidi Feickert. The Six Dimensions of Project Management: Turning
Constraints Into Resources. Vienna, Virginia: Management Concepts; 2007.
Dobson, Michael S., and Ted Leemann. Creative Project Management: Innovative Project
Options to Solve Problems On Time and Under Budget. New York, New York: McGrawHill; 2010.
Drucker, Peter F. Management: Tasks, Responsibilities, Practices. New York: Harper & Row;
1973.
Episcopal Church (ed.). The Book of Common Prayer (1979 U.S. version). New York: The
Church Hymnal Corporation; 1979.
Fleming, Quentin W, and Joel M. Koppelman. Earned Value Project Management (Second
197
Edition). Newtown Square, Pennsylvania: Project Management Institute; 2000.

Garvey, Paul R. Cost Risk Analysis Without Statistics!! The MITRE Corporation. MITRE Paper
MP 050000001, presented to the DoD Cost Analysis Symposium, February 14-18, 2005.
Downloaded
3
January
2011
from
<http://209.48.244.135/DODCAS%20Archives/38th%20DODCAS%20(2005)/Theme/Garvey.pdf>
Hulett, David T., Ph.D. Project Cost Risk Analysis. Hulett & Associates website.
<http://www.projectrisk.com/Welcom/Cost_Risk_Paper/cost_risk_paper.html> Retrieved 3
January 2011.
Kerzner, Harold. Project Management: A Systems Approach to Planning, Scheduling, and
Controlling (9th Edition). Hoboken, New Jersey: John Wiley & Sons; 2006.
Kuehn, Ursula, PMP. Integrated Cost and Schedule Control in Project Management. Vienna,
Virginia: Management Concepts; 2006.
Kwak, Young Hoon and Lisa Ingall, Exploring Monte Carlo Simulation Applications for Project
Management, Risk Management (2007) 9, 4457. doi:10.1057/palgrave.rm.8250017
Leach, Lawrence P. Critical Chain Project Management. Norwood, Massachusetts: Artech
House, Inc.; 2000.
Levine, Harvey A. Project Portfolio Management: A Practical Guide to Selecting Projects,
Managing Portfolios, and Maximizing Benefits. San Francisco, California: Jossey-Bass;
2005.
Mooz, Hal, PMP; Kevin Forsberg, Ph.D.; and Howard Cotterman. Communicating Project
Management: The Integrated Vocabulary of Project Management and Systems
Engineering. New York: John Wiley & Sons; 2003.
Project Management Institute. A Guide to the Project Management Body of Knowledge
(PMBOK Guide), 4th Edition [E-book]. Newtown Square, Pennsylvania: Project
Management Institute; 2008. Retrieved from Amazon.com 18 October 2010.
Royer, Paul S. Project Risk Management: A Proactive Approach (Project Management
Essential Library). Vienna, Virginia: Management Concepts; 2002.
Schuyler, John. Risk and Decision Analysis in Projects (Second Edition). Newtown Square,
Pennsylvania: Project Management Institute; 2001.
Taleb, Nassim Nicholas. The Black Swan: The Impact of the Highly Improbable (Second
Edition) [E-book]. New York: Random House; 2010.
ADDITIONAL RESOURCES
In addition to the many fine books (some listed in the bibliography) and seminars available from a
variety of sources, the web is a rich source of information on project risk management.
The list below is not intended to be comprehensive, and new resources appear on the web all
the time.
198
http://www.amanet.org
Self-study programs: http://www.amaselfstudy.org/
Sidewise Insights (Michael Dobson, PMP)
http://sidewiseinsights.com
http://sidewiseinsights.blogspot.com
http://www.twitter.com/SideWiseThinker
Risk Management Information
Department of Defense Acquisitions Community:
https://acc.dau.mil/CommunityBrowser.aspx?id=108201
NASA:
http://www.hq.nasa.gov/office/hqlibrary/ppm/ppm22.htm
Hulett & Associates:
http://www.projectrisk.com/Welcome/White_Papers/white_papers.html
Risk Management Policy and Planning Templates

Ethics and compliance risks:
http://www.lrn.com/PPCCorporateCompliance/form.php?
crcat=ppc&crsource=google&crkw=Risk%20management&keyword=Risk%20_management&engine=google
UdHA
Information security risks:
http://www.sans.org/security-resources/policies/
Public safety/environmental health and safety/disaster preparedness:
http://policies.csusb.edu/riskmgmt.htm
Sport and recreation:
http://www.scribd.com/doc/31691777/Guide-to-using-SPARCs-Risk-Management-Tookit
Hazardous materials:
http://www.fpaa.com.au/licencing/docs/Risk_Management_Planning_Tool.pdf
Project Management information
http://en.wikipedia.org/wiki/Project_management
http://www.projectmanagement.com/
http://www.achievemax.com/books/project-management/index.htm
Project Management Institute (PMI)
http://www.pmi.org
Project Management Professional (PMP) Certification
http://www.pmi.org/Certification.aspx
Network Diagramming Methods
199
Arrow diagramming:
http://en.wikipedia.org/wiki/Arrow_Diagramming_Method
Precedence diagramming:
http://en.wikipedia.org/wiki/Precedence_Diagram_Method
Monte Carlo Simulation Software for Microsoft Project
@RISK for Project from Palisade Corporation (www.palisade.com)
RiskyProject from Intaver Institute (www.intaver.com)
Pertmaster software from Pertmaster Limited (www.pertmaster.com)
Risk+ from S/C Solutions Inc. (www.cs-solutions.com).
200
Glossary
A person who analyzes business risk (primarily financial) using mathematical and statistical
tools, most often found in the insurance industry.
Actuary
Acceptance
A risk management strategy involving no action whatsoever unless the risk actually
occurs.
For planning purposes, assumptions are things considered to be true, real, or certain,
without actual proof or demonstration. For example, it might be assumed that organizational
priorities will not shift in the next six months, or that the work is technically feasible even though it
has not been done before. Assumptions are often necessary, but carry risk.
Assumptions
The right to make decisions, spend funds, allocate resources, or approve choices. Your
authority can be defined in three categories: things you can do for which you do not need
permission, things you can do with permission, and things that must be done by someone else.
Authority
Average
See mean.
A risk management strategy that involves changing the project so the risk event cannot
occur or the project is protected from its consequences.
Avoidance
Backward pass
See forward and backward pass.
The process of establishing the planned value of the project at different points of the
project life cycle. The baseline (n) is therefore the approved project plan plus or minus approved
changes. Use the baseline to compare actual to planned results so you can determine if the project is
on track. Revise the baseline if there are major changes that make the original baseline useless as a
measuring point.
Baseline (v)
Black swan event
A risk event that is high impact, and either hard to predict or extremely rare.
A risk situation that combines the possibility of positive and negative outcome in the
same decision or event.
Business risk
Establishing a maximum level for a risk. If you have an insurance deductible on your
policy, your risk is capped at the amount of that deductible because that is the maximum amount you
will have to pay for a covered event.
Capping
201
A tool to help identify root causes of problems, risks, or other situations.

Sometimes referred to as a fishbone diagram because it resembles the skeleton of a fish, and as an
Ishikawa diagram for its creator, Kaoru Ishikawa.
Cause-and-effect diagram
A fundamental idea in probability theory, the CLT says, in short, that if

there are a large number of independent random variables (rolling hundreds of dice of different
shapes and sizes, some with six sides and others with eight or four or twelve, for example), the
outcome will naturally fall into an approximately normal distribution. There is a full technical proof
which is
beyond
the
scope
of this
course;
you can find
it
at
http://mathworld.wolfram.com/CentralLimitTheorem.html.
Central Limit Theorem (CLT)
Closeout
The formal process of bringing a project to an end.
A probability that a project will achieve a certain goal of time or budget based on
its level of risk. The Program Evaluation and Review Technique (PERT) and the Monte Carlo
simulation both provide methodologies for establishing confidence levels.
Confidence level
Contingency
A risk management strategy involving a plan to be triggered if the risk occurs or
appears likely.
Extra time or money to compensate for known risks.
Contingency allowance
Money or time set aside for unknown risks.
Contingency reserve
See schedule risk.
Convergence risk
The process of comparing the total expected benefits of a course of action

with the total expected costs of that action. In addition to analyzing a specific course of action, costbenefit analysis can also compare costs and benefits of different alternative actions.
Cost-benefit analysis
Cost estimating
A process for determining the likely or potential cost associated with a project or
work package.
The sequence of project activities that determines the duration of the project; the
longest path through a project network diagram.
Critical path
Decision tree analysis
A graphical tool for comparing the Expected Monetary Values (EMV) of
different alternatives.
In a network diagram, a connection between two work packages that
describes the conditions under which the dependent task can start or finish.
Dependency relationship
Costs that are definite and known before they are incurred, such as the price in
a firm fixed price contract. Compare with probabilistic costs.
Deterministic costs
The range of possible outcomes and the number of times each outcome has or is
expected to occur. Distributions come in many types, of which the normal distribution (often
described as the bell curve) is best known. In project management, the triangular distribution
appears frequently, especially in three-point estimates.
Distribution
202
See threat.
Downside risk
An advanced tool for comparing schedule and cost performance

to plan. Considered an exceptionally valuable tool for identifying troubled projects early.
Enhancement
A risk management strategy for improving the probability or impact of an opportunity.
A provision in an insurance policy that removes a particular cause from the list of
covered events. If a homeowners policy does not cover flood damage, for example, it is excluded
from the risks assumed by the insurer, and the homeowner therefore retains those risksor buys
separate flood insurance.
Exclusion
The sum of the probability times the impact for each possible
outcome, used as a basis for comparison and decision-making among alternatives with risk. For
example, if an investment is 70% likely to produce a $25,000 gain, and 30% likely to produce a
$10,000 loss, the EMV is (0.7 $25,000) + (0.3 -$10,000), or $17,500 + (-$3,000), which
reduces to $14,500.
A risk management strategy that involves using an opportunity to improve the

timeliness, cost, or quality of a project.
Exploitation
Facultative insurance
See reinsurance.
A process for analyzing risks, performed as an initial sorting process during qualitative
risk analysis. See also risk triage.
Filtering
Fishbone diagram
See cause-and-effect diagram.
Extra time to accomplish certain tasks before the accumulated lateness threatens the
expected project completion date. Free float is extra time before the next task begins, whether the
subsequent task is on the critical path or not. Also known as slack.
Float
Forward and backward pass
A technique for calculating the critical path on a network diagram.
A bar graph drawn over a calendar grid, showing when specific tasks will be
accomplished in the schedule.
Gantt chart
Initiation
The process of starting a project.
Insurable risk
See pure risk.
Ishikawa diagram
See cause-and-effect diagram.
The probability that both Event A and Event B will happen; the product of the
individual probabilities.
Joint probability
A principle of probability theory that argues that the larger the sample
population or number of trials, the more likely that the actual probability will converge with the
theoretical one.
Law of Large Numbers (LLN)
203
The process of evaluating a projects performance for future improvement.
Lessons learned
Mean
The average of a group of numbers.
Measures of Central Tendency
The mean, median, and mode of numbers in a distribution.
The central number in a range of numbers; half the cases are above and half below the
Median
median.
Mitigation
A risk management strategy for lowering a combination of the likelihood or impact of a
risk.
Mode
The number in a distribution that occurs most often.
A probability simulation technique. In project management, a Monte Carlo

simulation is a specialized computer program that usually works as an add-on to popular project
management software packages. Instead of entering a single number as an estimate of a tasks
duration, the project manager enters a range of numbers (optimistic, pessimistic, and most likely) for
each task. The program simulates the course of the project hundreds or thousands of times, selecting
a weighted random number from the range for the duration of each task, and records the finish date.
By analyzing the number of times the project finishes on any given date, you can calculate a
confidence level, or probability you will meet that date.
Monte Carlo simulation
A brainstorming technique that focuses on reasons something might fail

rather than on ways to make it succeed; useful in the process of risk identification.
Negative brainstorming
A flow chart picture of the work of the project that shows interdependencies and
connections. There are two types of network diagrams. The Precedence Diagramming Method
(PDM) has largely replaced an older technique, the Arrow Diagramming Method (ADM).
Network diagram
A bell curve distribution in which most values tend toward the mean and few
values are found at the extremes. The most common kind of distribution, although its never wise to
assume a distribution will automatically follow the normal shape without evidence.
Normal distribution
Odds
The number of favorable outcomes divided by the number of unfavorable ones.
Opportunity
A term for upside risk, the chance of experiencing a positive outcome from a risk
event.
Path duration risk
PERT analysis
See schedule risk.
See Program Evaluation and Review Technique (PERT).
Precedence Diagramming Method (PDM)
See network diagram.
Invented by the U.S. Navy and Booz Allen

Hamilton to manage the Polaris nuclear submarine project in the late 1950s, the PERT method is
considered one of the major breakthroughs in project management practice. In the area of risk
management, PERT pioneered the use of the three-point estimating technique.
204
Costs that are subject to change depending on circumstances. Labor costs, for
example, increase if the schedule slips, so the final price for labor on the project may be greater or
less depending on how quickly the project goes. The labor estimate is a probabilistic cost in your
budget because the final actual price is unknown and variable. Compare with deterministic costs.
Probabilistic costs
The number of desired outcomes divided by the number of possible outcomes.
Probability
A temporary endeavor undertaken to create a unique product, service, or result. Projects

have a definite beginning and end.
Project
The application of knowledge, skills, tools, and techniques to project activities

to meet the project requirements.
Project management
A risk situation that only has a negative outcome (also known as insurable risk).
Pure risk
The process of sorting and prioritizing risks. Risks can be sorted according
to characteristics such as probability, impact, category, ownership, actionability, and acceptability.
Risks deemed significant can be prioritized for further risk analysis and for risk response planning.
Qualitative risk analysis
The process of using measurable and objective data to value risks, such
as Earned Monetary Value (EMV) and other statistical and financial techniques.
Quantitative risk analysis
A type of insurance purchased by insurance companies to offset excess risk by

transferring it to a larger entity. Two types of reinsurance are treaty insurance, in which a large risk
is apportioned among different payers, and facultative insurance, in which a single large entity
assumes the risk.
Reinsurance
Reserve
See contingency reserve.
Residual risk
Risk left over after you have taken action on the primary risk.
An uncertain event or condition that if it occurs will have a significant impact, whether
negative (threat, or downside risk) or positive (opportunity, or upside risk).
Risk
The process of studying the risks of a particular project, operation, or organization in

order to define their probability, impact, and other characteristics. The results of risk analysis help us
decide which risks should be addressed, which risks should be accepted, and which strategies are
likely to be most cost-effective in managing them. Two types of risk analysis are qualitative risk
analysis and quantitative risk analysis.
Risk analysis
The process of analyzing the range of potential costs and benefits of particular
risks, and using the analysis to calculate a value for that risk.
Risk cost analysis
Risk identification
The process of identifying and describing the risks associated with the project.
Risk management
The process of identifying, analyzing, responding to, and managing threats and
opportunities.
A document that is part of the project plan and that identifies and describes
the risks, rates their relative seriousness by considering their probability and impact, lists any planned
Risk management plan
205
responses or actions intended to reduce downside risks or improve upside risks, and explains how
the project team will monitor risks and responses for effectiveness.
A document that applies to an entire organization or category of projects. It
describes how the organization wants risk management to be performed, which projects and
activities are covered by the policy, the definitions and steps involved in the process, the types of
reports and documents that need to be prepared and disseminated, who must be consulted or who
must approve risk responses, and similar matters.
Risk management policy
Risk mitigation cost
The amount you would need to spend to reduce the risk to an acceptable level.
Activities involved in executing the risk management plan and making

adjustments based on actual experience.
Risk monitoring and control
Risk premium
The difference between the cost of responding to a risk and the underlying value of
the risk itself.

A list of all the projects identified risks, often in a spreadsheet format, with
information and analysis about the riskalong with a summary of planned responses.
Risk register
The process of deciding what action (if any) to take in response to a

specific risk or category of risk, both threats and opportunities. Basic strategies for threats are
avoidance, transfer, and mitigation. Basic strategies for opportunities are exploitation, sharing,
and enhancement. The remaining strategies, acceptance and contingency planning, apply to both
threats and opportunities. In addition, some risk responses are multi-staged; that is, they use more
than one risk response, sometimes together or sometimes the additional strategy is used as a
contingency response. Finally, some risk responses are wait and see measures, in which a final
decision or action is postponed until a triggering event causes reevaluation.
Risk response planning
The process of prioritizing risks for further analysis and response. Often associated
with filtering, and a process used in risk analysis.
Risk triage
An event or point in time that determines whether to execute a particular risk

response or contingency plan. If the risk response to running out of gas is to fill up the tank, you
might establish a mental risk trigger that you should find a gas station as soon as the fuel gage drops
below an eighth of a tank.
Risk trigger
The risk that the actual schedule of a project will differ from the planned schedule.
There are three kinds of schedule risk: task duration risk (the risk that a specific task or work
package will take more or less time than expected), path duration risk (the risk that a sequence of
tasks or work packages will take more or less time than expected), and convergence risk (the risk
that when a task has multiple predecessors that at least one of the predecessors will be late in
finishing).
Schedule risk
A risk that comes into existence as a result of your attempt to solve the primary
(original) risk. If you rent a tent to mitigate the risk it will rain on your picnic, the risk that the tent will
be damaged and you will have to pay for it is a secondary risk. A secondary risk may be minor
enough to ignore, it may be serious enough to cause you to find a different solution, or the secondary
risk itself can be lowered through additional risk response planning.
Secondary risk
206
An analysis to determine the effect on a mathematical model if you change one

of the variables. If the model is robust, small changes in variables have correspondingly small impact
on the output. If the model is highly sensitive, small changes in variables (the difference between 2%
growth and 2.2% growth, for example) can have a disproportionate effect on the output.
Sensitivity analysis
A risk management strategy that involves transferring the value of an opportunity

elsewhere.
Sharing
Slack
See float.
A mathematical measurement of the variance in a given normal distribution,

calculated by the formula:
Standard deviation
In statistics, a statistically significant result is one that is unlikely to have

occurred by chance. In risk, statistical significance is often described as a function of the standard
deviation.
Statistical significance
A structured brainstorming tool that identifies the strengths (S), weaknesses (W),
opportunities (O), and threats (T) of an actual or potential event or situation to aid in analysis and
response planning.
SWOT Analysis
See schedule risk.
Task duration risk
A term for downside risk, the chance of experiencing a negative outcome from a risk
Threat
event.
When the estimated time or cost of a given work packages is variable, a threepoint estimate identifies the optimistic (best case with a probability of at least 1%), the pessimistic
(worst case with a probability of at least 1%), and the most likely (mode) values. Three-point
estimates are used in both PERT analysis and the Monte Carlo simulation.
Three-point estimate
Choices among different priorities. A project may take longer or cost more if we set a
higher performance target. Tradeoffs can be within a project or among multiple projects (when more
for Project A means less for Project B).
Tradeoffs
A risk management strategy that involves moving the ownership of the risk to some other
entity. Insurance is a common form of risk transfer.
Transfer
Treaty insurance
A type of reinsurance.
A type of distribution that resembles a triangle. It is typically used as a

subjective description of a population for which there is only a limited amount of information or
sample size. A three-point estimate, used in many simulation techniques, is in effect a triangular
distribution of the range of possible outcomes.
Triangular distribution
The three common boundaries of all projects: the time constraint, the cost
(resources) constraint, and the performance standard.
Triple constraints
Union
The probability that Event A or Event B will happen; the sum of the individual probabilities.
207
Upside risk
WBS
See opportunity.
See Work Breakdown Structure (WBS) dictionary.
A form or template for each WBS component that

briefly defines the scope or statement of the work, defines deliverables, contains a list of associated
activities, and provides a list of recognized milestones to gauge progress.
Work Breakdown Structure (WBS) dictionary
208
Post-Test

Course Code 98008
INSTRUCTIONS: Record your answers on one of the scannable forms enclosed. Please follow the
directions on the form carefully. Be sure to keep a copy of the completed answer form for
your records. No photocopies will be graded. When completed, mail your answer form to:
P.O. Box 133
Florida, NY 10921
Self-Study titles are not available digitally. If you would like to take the course for credit, you
will need to either purchase a hard copy of the course from www.amaselfstudy.org or you can
purchase an online version of the course from www.flexstudy.com.
1. Qualitative risk analysis is defined as:
(a) numerically analyzing the effect of identified risks on overall project objectives.
(b) measuring the accuracy and quality of risk data in objective terms.
(c) identifying risks that may affect your project.
(d) prioritizing risks for further analysis by assessing and combining their probability and
impact.
2. If the cost of insurance for a particular risk is greater than the value of the underlying risk, the
difference between the two numbers is known as:
(a) risk premium.
(b) contingency reserve.
(c) degree to which the policy is overpriced.
(d) price-to-book ratio.
3. One category of threat risk response is:
(a) mitigation.
(b) exploitation.
(c) sharing.
209
(d) enhancement.
4. If there is a 20% probability of an event that would cost the project $20,000, what is the
value of the risk?
(a) $20,000
(b) $4,000
(c) $24,000
(d) $2,000
5. To run a Monte Carlo simulation program, you must first:
(a) prepare three-point estimates for task durations.
(b) perform decision tree analysis of make vs. buy options.
(c) calculate the root sum square of the schedule standard deviation for tasks on the critical
path.
(d) perform a full PERT analysis of the schedule network.
6. In developing risk responses for opportunities, you may consider:
(a) avoidance.
(b) mitigation.
(c) transfer.
(d) sharing.
7. What does a project network diagram do?
(a) Displays a project schedule graphically
(b) Shows a project schedule as a bar graph over time
(c) Connects project resources with project activities
(d) Establishes the communication plan for the project
8. How does negative brainstorming differ from conventional brainstorming?
(a) Negative brainstorming is the result of failure of a conventional brainstorming.
(b) Negative brainstorming allows criticism and evaluation of ideas during the process.
(c) Negative brainstorming looks at the potential problems with conventional brainstormed
answers.
(d) Negative brainstorming involves brainstorming a negative question to identify downside
risks.
9. What is a characteristic of a black swan event?
(a) Hard to predict and rare
(b) Something that cannot possibly occur
(c) Conforms to project assumptions
(d) Has a relatively small impact
10. To compare costs and benefits, you must:
(a) describe all costs and benefits in deterministic form.
(b) perform expected monetary value analysis on costs and benefits impacting 10% or more
of total project value (TPV).
(c) perform a PERT analysis of the project network to determine schedule risk.
(d) quantify all aspects of the project in the same unit of measurement and at the same point
in time.
11. In the PMBOK model, which of the following processes involves studying risks to
understand their nature, probability, and impact?
(a) Risk response planning
210
(b) Risk identification

(c) Risk monitoring and control
(d) Risk analysis
12. What does a decision tree analysis do?
(a) Filters risks during qualitative risk analysis
(b) Shows causes and effects of risks in a fishbone diagram
(c) Calculates total risk exposure on a project
(d) Compares expected monetary values (EMV) of different alternatives, choices, or
conditions
13. What is the probability that you will not roll a 4 or a 6 on a six-sided die?
(a) 2/6
(b) 2/12
(c) 4/24
(d) 4/6
14. The confidence level for a project measures:
(a) how much we know about project risks.
(b) how good the project managers track record has been.
(c) how stable the customers requirements will be.
(d) how likely the project will finish on or before a given date.
15. What technique should you use to perform risk triage of your identified risks?
(a) Cause-and-effect diagramming
(b) Filtering
(c) PERT analysis
(d) Risk response planning
16. Which measure of central tendency describes the average of a group of numbers?
(a) Median
(b) Mode
(c) Mean
(d) Medium
17. When you write a risk as an ifthen statement, what are the two parts called?
(a) Business risk and pure risk
(b) Condition and consequence
(c) Probability and impact
(d) Problem and solution
18. Which of the following words is one of the named categories in a SWOT analysis?
(a) Supervision
(b) Wildly-Aimed Guess
(c) Other Factors
(d) Threat
19. Convergence risk is the risk that:
(a) a task will take longer than scheduled.
(b) a sequence of dependent tasks will take longer than scheduled.
(c) critical tasks will take longer than scheduled.
(d) at least one predecessor of a task with multiple predecessors will take longer than
211
scheduled.
20. What does a risk matrix do?
(a) Combines word descriptions of probability and impact into a grid
(b) Applies a numerical scale to risk probability and impact
(c) Classifies risks when probability and impact are known and definite
(d) Supports Boolean analysis of risk data
21. In qualitative risk analysis, what can you do with the risks you identify?
(a) Avoid, transfer, or accept them
(b) Exploit, enhance, or share them
(c) Accept them or prepare a contingent response
(d) Accept, transfer, or do something about the risk
22. A risk management plan should be prepared:
(a) only after important project milestones have been missed.
(b) as an integral part of any well-prepared project management plan.
(c) as part of a postmortem project review.
(d) after serious organizational consequences have been incurred.
23. One strategy for approaching risks that are very low in probability but potentially catastrophic
in outcome is:
(a) decision-tree analysis.
(b) cost-benefit analysis.
(c) Monte Carlo simulation.
(d) multi-stage solution.
24. Business risk differs from pure risk in what way?
(a) Business risk is about the potential for loss.
(b) To manage a business risk, you can purchase insurance.
(c) Business risk combines the possibility of positive and negative outcomes in the same
decision or event.
(d) Business risk is upside risk.
25. In risk management, a cause-and effect diagram allows you to:
(a) find better solutions to specific risks.
(b) find the critical path in a project network diagram.
(c) brainstorm root causes of risk in a structured fashion.
(d) filter risks during qualitative risk analysis.
212
Index
The index that appeared in the print version of this title was intentionally removed from the
eBook. Please use the search function on your eReading device to search for terms of interest.
For your reference, the terms that appear in the print index are listed below.
AC (actual cost)
acceptance
of major risks
of minor risks
and probability of occurrence
acceptance management
activity on arrow method
activity on node method
actual cost (AC)
actual probability
actuarial science
actuaries
answers to exercises
arrow diagramming
assumptions
authority
average
avoidance of risk
Backward pass
baseline
Bernstein, Peter, on risk management
Berra, Yogi, on prediction
black swan events
Bohr, Niels, on prediction
213
Book of Common Prayer, xviii

A Book on Games of Chance (Girolamo Cardano)
Booz Allen Hamilton
bottom line
brainstorming
business risk
Capping risks
Cardano, Girolamo
career risks
categories of risk
cause-and-effect diagrams
Central limit Theorem (ClT)
central tendency, measures of
change management
change management systems
checklists, for risk identification
classical risk analysis
closeout, project
closing a risk
CLT (Central Limit Theorem)
confidence levels
contingency
contingency allowance
contingency reserve
contingent responses
control, project, see also risk monitoring and control
convergence risk
corrective actions
cost analysis
cost-benefit analysis
cost estimating
costs
actual
deterministic
of failure
probabilistic
project
risk mitigation
critical path
Critical Path Method (CPM)
customer risks
214
Decision nodes
decision tree analysis
decision trees
dependency relationships
description of risk
deterministic costs
diagramming techniques
Dictionary.com, definition of risk from
disposition of risk
distribution(s)
normal
other than normal
triangular
downside risks
Drucker, Peter, on eliminating risks
DuPont Corporation
Early warning indicators

earned value (EV)
Earned Value Method (EVM)
Earned Value Project Management (EV, EVM)
EMV (Expected Monetary Value)
enhancing opportunities
EV (earned value)
EV (Earned Value Project Management)
EVM (Earned Value Method)
EVM (Earned Value Project Management)
excluding risks
expert judgment
exploiting opportunities
Failure, cost of
filtering
final risk price
financial analysis
financial crisis (late-2000s)
fishbone diagram, see also cause-and-effect diagrams
float
forward pass
free float
215
Fry, Art
Gambling
Gantt charts
Hewlett-Packard
Homer
Impact of risks
assessing
combining probability and
measuring
in qualitative risk analysis
in risk register
information, levels of
infrastructure, see risk management infrastructure
initiation, project
insurable risk
insurance
as model for risk cost analysis
treaty
insurance risk
and black swan events
and final risk price
with high variation
with low variation
and reinsurance
and residual risks
risk premiums in
and secondary risks
Ishikawa, kaoru
Ishikawa diagram, see also cause-and-effect diagrams
Joint probability
Juvenal
Known risks
Law of Large Numbers (LLN)
lessons learned
216
levels of information
Liber de Ludo Aleae (Girolamo Cardano)
LLN (Law of Large Numbers)
long-term risks
Mean
measures of central tendency
median
Merriam-Webster dictionary, definition of risk in
meteor strikes
mitigation of risk
mode
monitoring, project, see also risk monitoring and control
Monte Carlo simulations
multi-stage risk response
NASA Near-Earth Object Program Office

nature of risk
negative brainstorming
network diagram
network diagramming
and critical path analysis
preferred techniques for
resources for
normal distributions
Odds
Odyssey (Homer)
opportunities management
opportunity
organizational risks
ownership of risk
Path duration risk

PDM (precedence diagramming method)
performance index ratios, EVM
personal risks
PERT, see Program Evaluation and Review Technique
physical hazards
planned value (PV)
PMBOK Guide
217
PMI (Project Management Institute)

PMP certification
Polaris evaluation and review Technique
Post-It notes
post-test
precedence diagramming method (PDM)
pre-test
primary risks
Princeton WordNet
probabilistic costs
probability
actual
assessing
basic rules of
combining impact and
definition of
distribution of
expressing
mathematical descriptions of
measuring
in qualitative risk analysis
in risk register
science of
theoretical
project
project charters, identifying risks from
project cost
project documentation, identifying risks from
project management
project management information
Project Management Institute (PMI)
Project Management Professional (PMP) certification
project monitoring and control
project risk and cost analysis
cost analysis and risk management planning in
post-test for
pre-test for
risk and risk management concepts in
see also specific topics
project risk environment, managing
project risk management
project risk rankings
218
project risks
pure risk
PV (planned value)
Qualitative risk analysis

choices in
impact of risks in
purpose of
risk triage process in
updating risk register in
qualitative risk analysis tool(s)
for assessing probability and impact
for combining probability and impact
for developing project risk rankings
risk information sheet as
for risk register update
quantitative cost analysis, statistical foundations of, see statistics
quantitative cost analysis tool(s)
cost-benefit analysis as
and cost estimating under uncertainty
decision tree analysis as
Expected Monetary Value as
sensitivity analysis as
quantitative risk analysis, see also statistics
quantitative risk analysis tools
quantitative schedule analysis tool(s)
critical path analysis as
Gantt charts as
Monte Carlo simulation as
network diagramming as
Program Evaluation and Review Technique as
schedule risk analysis as
sensitivity analysis as
three-point estimating techniques as
and types of schedule risk
Quayle, Dan, on unforeseen events
questioning risks
Rankings, risk
rating scale, risk
reinsurance
Remington rand
219
requirements documents, identifying risks from

research, importance of
residual risks
resources
risk analysis
classical
ongoing
see also qualitative risk analysis; quantitative risk analysis
risk and cost analysis, discipline of
risk cost analysis
classical risk in
contingency allowance and contingency reserve in
definition of
insurance as a model for
and pricing of insurance risk
risk formula
risk identification
as a continual activity
ongoing
output from process of
practice in
process of
from project charters of statements of work
questioning risks in
from requirements documents
risk register in
systematic
from WBS work packages
risk identification number (risk Id)
risk information sheet
risk management
of business risk
cost analysis in
current process for
fundamental concepts of
goal of
important risks for
information on
methodology and process for
project
risk management infrastructure
risk management plan
risk management policy
220
risk matrix
risk metrics
risk mitigation costs
risk monitoring and control
and change management
ongoing risk identification and analysis in
plans and policies for
in project monitoring and control
risk premiums
risk rankings
risk rating
risk rating scale
risk register
risk response plan
risk response planning
implementing strategies from
for managing acceptance
for managing opportunities
for managing threat
multi-stage solutions in
organizing for
residual and secondary risk in
tips for
risk(s)
capping
closing
definitions of
excluding
value of
see also specific types of risk
risk score
risk thresholds
risk triage process
risk triggers
root sum square
Rumsfeld, Donald
Schedule risk
schedule risk analysis, see also quantitative schedule analysis tool(s)
secondary risks
sensitivity analysis
sharing opportunities
221
Sidewise Insights
significance, statistical, see statistical significance
Silver, Spence
Six Sigma
skewed distributions
slack
Smith, edward j., on the Titanic, xvii
specific risk mitigation costs
Stalin, Joseph
standard deviation
statements of work, identifying risks from
statistical analysis
statistical significance
statistics
basic probability rules in
definition of
distribution in
distributions other than normal in
and Law of Large Numbers
normal distribution in
odds in
probability in
standard deviation in
surrender
SWOT analysis
systematic risk identification
Taleb, Nassim Nicholas

task duration risk
theoretical probability
threat
threat management
Three Mile Island nuclear plant
three-point estimates
thresholds, risk
Titanic, RMS, xvii
total float
total risk exposure
tradeoffs
transfer of risk
treaty insurance
triage, see risk triage process
222
triangular distribution
triple constraints
Tunguska meteor event
Unacceptable risks
uncertainty
of cost estimates
in definitions of risk
in insurance risk
and levels of information
measuring
unquantifiable
union
unknown risks
unplanned change, managing
unplanned responses
upside risk
urgency of risk
U.S. Navy Special Projects Office
user risks
Value of a risk
Vlamingh, Willem de
WAGs (Wildly-Aimed Guesses)

watch and wait risks
WBS, see Work Breakdown Structure
Wikipedia
Wildly-Aimed Guesses (WAGs)
workarounds
Work Breakdown Structure (WBS)
223
Table of Contents
Cover
Title Page
Copyright
Contents
Exercise-and-Exhibits
About This Course
Introduction
Pre-Test
Chapter 1: Introduction to Project Risk and Cost Analysis
Learning Objectives
Fundamental Concepts of Risk and Risk Management
Risk Defined
The Value of a Risk
Types of Risk
Risk Management Defined
Cost Analysis and Risk Management Planning
Recap
Review Questions
1
3
4
5
10
12
13
15
17
21
21
21
22
23
23
27
28
31
33
Chapter 2: Risk Identification
35
Learning Objectives
Identifying Risks
Risk Register
Risk ID
Description of Risk
Category of Risk
Where Found?
Risk Rating
35
35
36
36
36
36
37
37
37
37
224
Disposition
Comments
How to Identify Risks
Systematic Risk Identification
Documentation
Brainstorming
Checklists
Expert judgment
Output from Risk Identification Process
Recap
Review Questions
38
38
38
44
44
45
47
49
49
49
50
51
Chapter 3: Qualitative Risk Analysis
52
Learning Objectives
Introduction to Risk Analysis
Start
Impact
Probability
Urgency
Ownership
Solution
Acceptability
Risk Triage and Other Risk Analysis Processes
Recap
Review Questions
Chapter 4: Tools for Qualitative Risk Analysis

Learning Objectives
Qualitative Risk Analysis Tools
Assessing Probability and Impact
Establishing Ranges
Risk Thresholds
225
52
52
53
53
54
55
55
59
59
59
60
61
61
62
64
65
65
65
66
67
68
Combining Probability and Impact

Developing a Risk Ranking for a Project
Updating the Risk Register and Developing a Risk Information
Sheet
Recap
Review Questions
69
70
73
75
79
80
Chapter 5: Statistical Foundations of Quantitative Risk

and Cost Analysis
81
Learning Objectives
Quantitative Risk and Cost Analysis Fundamentals
A Statistic
Basic Rules of Probability
Distribution
Normal Distribution
Normal and and Other Distributions
Standard Deviation
Other Types of Distributions
Recap
Review Questions
81
82
82
82
83
84
87
89
90
91
93
98
99
100
Chapter 6: Risk Cost Analysis

Learning Objectives
Introduction to Cost Risk Analysis
Classical Risk
Risk Cost Analysis
Pricing Insurance Risk
Risk Premiums
226
101
101
101
102
102
103
103
104
104
104
106

Black Swan Events
Recap
Review Questions
Chapter 7: Quantitative Cost Analysis Tools

Learning Objectives
Quantitative Cost Analysis
Cost Estimating Under Uncertainty
Cost Risk Analysis Tools
Recap
Review Questions
108
110
113
114
116
117
117
117
118
118
118
120
121
123
125
126
Chapter 8: Quantitative Schedule Analysis Tools
127
Learning Objectives
Sensitivity Analysis for Scheduling Issues
Schedule Risk Analysis
Schedule Development
Network Diagramming and Critical Path Analysis
Three-Point Estimating Techniques
Recap
Review Questions
127
127
128
128
129
131
132
135
136
137
141
143
145
Chapter 9: Risk Response Planning
146
Learning Objectives
Organizing for Risk Response Planning
Residual and Secondary Risk
146
146
148
227
Residual Risk
Secondary Risk
Multi-Stage Solutions
Managing Threats
Avoidance
Transfer
Mitigation
Managing Opportunities
Exploit
Enhance
Share
Managing Acceptance
Acceptance
Implementing Risk Response Strategies
Recap
Review Questions
Chapter 10: Risk Monitoring and Control

Learning Objectives
Risk Management Processes in Project Execution, Monitoring and
Control, and Closeout
Risk Management Plans and Policies
Project Risk Monitoring and Control Systems
Change Management and Risk
228
148
149
150
150
151
151
151
152
152
152
152
153
153
153
154
157
159
160
160
160
161
161
161
164
165
165
165
166
167
168
168
168
169

Revisiting Risk Identification and Risk Analysis
Closing Risks
Risk Management and Project Lessons Learned
Recap
Review Questions

Exercise 10-1. Earned Value Method (EVM) Performance Index
Ratios
229
169
170
170
171
171
173
174
174
176
177
177
179
179
180
181
181
182
183
185
186
186
188
188
189
189
190
193
193
194
195
195
195
196

Glossary
Post-Test
Index
230
197
201
209
213

Project Risk and Cost Analysis

Uploaded by

Copyright:

Available Formats

Project Risk and Cost Analysis

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Project Risk and Cost Analysis

Uploaded by

Copyright:

Available Formats

1