Module in Risk Management

MODULE IN ELECTIVE
– 9
RISK MANAGEMENT
Prepared by:
RACQUEL S. MALLARE
MARK ANTHONY T. TANGUNAN CMBT-NEUST 2021
TABLE OF CONTENTS
TITLE PAGE
TABLE OF CONTENTS………………………..………………..………………… 1
UNIT I: INTRODUCTION TO RISK

MANAGEMENT……………………………………………………………. 3
Definition of Risk Management
Risk Management Strategies and Processes
Risk Management Approaches
Limitations of Risk Management
Risk Management Standards
Risk Management Examples
Project Risk Management
Risk Management vs. Project Management
Steps in Project Risk Management
Methods of Project Risk Management
UNIT 2: RISK MANAGEMENT PLANNING…………………..………..…..…... 15
Risk Management Definition
Risk Management Process
Risk Management Identification
Risk Management Evaluation
Risk Management Mitigation
Contingency Plan
Phases of Project Risk
UNIT 3: QUALITATIVE RISK ANALYSIS………………………….………….. 26
What is Qualitative Risk Analysis?
Qualitative vs. Quantitative Risk Analysis
Benefits of Qualitative Risk Analysis bu67
Limitations of Qualitative Risk Analysis
Types of Analysis
Process of Qualitative Risk Analysis
Page 1 of 73 For classroom discussion only

UNIT 4: QUANTITATIVE RISK ANALYSIS ……………….…..….…………... 54
What is Quantitative Risk Analysis?
Why Perform Quantitative Risk Analysis?
When to Perform Quantitative Risk Analysis?
Quantitative Risk Assessment Tools and Techniques
Example of Quantitative Risk Analysis
UNIT 5: RISK RESPONSE PLANNING ……………….……….………………... 58
Risk Response
Risk Response Strategies
Example of Risk Responses
Responding to Risks
UNIT 6: MONITORING AND CONTROLLING RISKS ……………..….……... 65
Key Inputs for Monitor and Control Risks
Tools for Monitor and Control Risks
Key Outputs for Monitor and Control Risks
REFERENCES ……………………………………….……………………………... 73

UNIT I: INTRODUCTION TO RISK MANAGEMENT
Learning Objectives

After completing this chapter, students will be able to:
• explain Project Risk Management in the Context of Project Management
• discuss Project Risk Management
• identify Project Risk Management in a Project Life Cycle
• evaluate Fundamental Principles of Project Risk Management
Overview
Risk management is formally defined as the process by which an organization assesses and
addresses its risks. Historically, the role of risk management has been associated with
insurancebuying, occupational safety and health, and legal liability management. In recent years
managers and physicians alike have begun to recognize that organizational risks are pervasive,
that these risks are extraordinarily diverse and complex, and that these risks are not just confined
to "insurable" or accident-related situations. They may include risks arising from actions of
regulatory bodies, third party payers, hospitals, partners, and employees, in addition to the
physiatrist's personal or business investment, management and clinical practice. Furthermore,
changing customer and patient preferences and/or expectations make the assessment of risk an
even more dynamic and continuous process. This article describes the formal risk management
process and suggests ways that physiatrists can apply risk management to their business and
clinical practice. In developing this description, physiatrists and their office managers will learn
about the overall goals and objectives of risk management, the challenge of identifying and
analyzing risks, the tools and treatment options available, and the means by which risk
management efforts are effectively implemented.
Lesson Proper
Risk Management
Risk management is the process of identifying, assessing and controlling threats to an

organization's capital and earnings. These threats, or risks, could stem from a wide variety of
sources, including financial uncertainty, legal liabilities, strategic management errors, accidents
and natural disasters. IT security threats and data-related risks, and the risk management
strategies to alleviate them, have become a top priority for digitized companies. As a result, a
risk management plan increasingly includes companies' processes for identifying and controlling

threats to its digital assets, including proprietary corporate data, a customer's personally
identifiable information (PII) and intellectual property.
Every business and organization face the risk of unexpected, harmful events that can cost
the company money or cause it to permanently close. Risk management allows organizations to
attempt to prepare for the unexpected by minimizing risks and extra costs before they happen.
Importance
By implementing a risk management plan and considering the various potential risks or
events before they occur, an organization can save money and protect their future. This is
because a robust risk management plan will help a company establish procedures to avoid
potential threats, minimize their impact should they occur and cope with the results. This ability
to understand and control risk enables organizations to be more confident in their business
decisions. Furthermore, strong corporate governance principles that focus specifically on risk
management can help a company reach their goals.
Other important benefits of risk management include:
• Creates a safe and secure work environment for all staff and customers.
• Increases the stability of business operations while also decreasing legal liability.
• Provides protection from events that are detrimental to both the company and the
environment.
• Protects all involved people and assets from potential harm.
• Helps establish the organization's insurance needs in order to save on unnecessary

premiums.
The importance of combining risk management with patient safety has also been revealed. In
most hospitals and organizations, the risk management and patient safety departments are
separated; they incorporate different leadership, goals and scope. However, some hospitals are
recognizing that the ability to provide safe, high-quality patient care is necessary to the
protection of financial assets and, as a result, should be incorporated with risk management.
In 2006, the Virginia Mason Medical Center in Seattle, Washington integrated their risk
management functions into their patient safety department, ultimately creating the Virginia

Mason Production System (VMPS) management methods. VMPS focuses on continuously
improving the patient safety system by increasing transparency in risk mitigation, disclosure and
reporting. Since implementing this new system, Virginia Mason has experienced a significant
reduction in hospital professional premiums and a large increase in the reporting culture.
Risk Management Strategies and Processes

All risk management plans follow the same steps that combine to make up the overall risk
management process:
• Establish context. Understand the circumstances in which the rest of the process will take
place. The criteria that will be used to evaluate risk should also be established and the
structure of the analysis should be defined.
• Risk identification. The company identifies and defines potential risks that may negatively
influence a specific company process or project.
• Risk analysis. Once specific types of risk are identified, the company then determines the
odds of them occurring, as well as their consequences. The goal of risk analysis is to further
understand each specific instance of risk, and how it could influence the company's projects
and objectives.
• Risk assessment and evaluation. The risk is then further evaluated after determining the
risk's overall likelihood of occurrence combined with its overall consequence. The company
can then make decisions on whether the risk is acceptable and whether the company is
willing to take it on based on its risk appetite.

•
Risk mitigation. During this step, companies assess their highest-ranked risks and develop a
plan to alleviate them using specific risk controls. These plans include risk mitigation
processes, risk prevention tactics and contingency plans in the event the risk comes to
fruition.
• Risk monitoring. Part of the mitigation plan includes following up on both the risks and the
overall plan to continuously monitor and track new and existing risks. The overall risk
management process should also be reviewed and updated accordingly.
• Communicate and consult. Internal and external shareholders should be included in

communication and consultation at each appropriate step of the risk management process and
in regards to the process as a whole.
Risk management strategies should also attempt to answer the following questions:
1. What can go wrong? Consider both the workplace as a whole and individual work.
2. How will it affect the organization? Consider the probability of the event and whether it
will have a large or small impact.
3. What can be done? What steps can be taken to prevent the loss? What can be done
recover if a loss does occur?
4. If something happens, how will the organization pay for it?

Risk Management Approaches
After the company's specific risks are identified and the risk management process has been
implemented, there are several different strategies companies can take in regard to different
types of risk:
• Risk avoidance. While the complete elimination of all risk is rarely possible, a risk
avoidance strategy is designed to deflect as many threats as possible in order to avoid the
costly and disruptive consequences of a damaging event.

•
• Risk reduction. Companies are sometimes able to reduce the amount of damage certain
risks can have on company processes. This is achieved by adjusting certain aspects of an
overall project plan or company process, or by reducing its scope.
Risk sharing. Sometimes, the consequences of a risk are shared, or distributed among
several of the project's participants or business departments. The risk could also be shared
with a third party, such as a vendor or business partner.
• Risk retaining. Sometimes, companies decide a risk is worth it from a business standpoint,
and decide to keep the risk and deal with any potential fallout. Companies will often retain a
certain level of risk if a project's anticipated profit is greater than the costs of its potential
risk.
Limitations
While risk management can be an extremely beneficial practice for organizations, its
limitations should also be considered. Many risk analysis techniques -- such as creating a model
or simulation -- require gathering large amounts of data. This extensive data collection can be
expensive and is not guaranteed to be reliable.
Furthermore, the use of data in decision making processes may have poor outcomes if
simple indicators are used to reflect the much more complex realities of the situation. Similarly,
adopting a decision throughout the whole project that was intended for one small aspect can lead
to unexpected results.
Another limitation is the lack of analysis expertise and time. Computer software
programs have been developed to simulate events that might have a negative impact on the
company. While cost effective, these complex programs require trained personnel with
comprehensive skills and knowledge in order to accurately understand the generated results.
Analyzing historical data to identify risks also requires highly trained personnel. These
individuals may not always be assigned to the project. Even if they are, there frequently is not
enough time to gather all their findings, thus resulting in conflicts.
Other limitations include:

•
• A false sense of stability. Value-at-risk measures focus on the past instead of the future.
Therefore, the longer things go smoothly, the better the situation looks. Unfortunately, this
makes a downturn more likely.
The illusion of control. Risk models can give organizations the false belief that they can
quantify and regulate every potential risk. This may cause an organization to neglect the
possibility of novel or unexpected risks. Furthermore, there is no historical data for new
products, so there's no experience to base models on.
• Failure to see the big picture. It's difficult to see and understand the complete picture of
cumulative risk.
• Risk management is immature. An organization's risk management policies are

underdeveloped and lack the history to make accurate evaluations.
Risk Management Standards
Since the early 2000s, several industry and government bodies have expanded regulatory
compliance rules that scrutinize companies' risk management plans, policies and procedures. In
an increasing number of industries, boards of directors are required to review and report on the
adequacy of enterprise risk management processes. As a result, risk analysis, internal audits and
other means of risk assessment have become major components of business strategy.
Risk management standards have been developed by several organizations, including the
National Institute of Standards and Technology (NIST) and the International Organization for
Standardization (ISO). These standards are designed to help organizations identify specific
threats, assess unique vulnerabilities to determine their risk, identify ways to reduce these risks
and then implement risk reduction efforts according to organizational strategy.
The ISO 31000 principles, for example, provide frameworks for risk management
process improvements that can be used by companies, regardless of the organization's size or
target sector. The ISO 31000 is designed to "increase the likelihood of achieving objectives,
improve the identification of opportunities and threats, and effectively allocate and use resources
for risk treatment," according to the ISO website. Although ISO 31000 cannot be used for
certification purposes, it can help provide guidance for internal or external risk audit, and it

•
allows organizations to compare their risk management practices with the internationally
recognized benchmarks.
The ISO recommends the following target areas, or principles, should be part of the overall
risk management process:

•
The process should create value for the organization.
• It should be an integral part of the overall organizational process.
• It should factor into the company's overall decision-making process.
• It must explicitly address any uncertainty.
• It should be systematic and structured.
• It should be based on the best available information.
• It should be tailored to the project.
• It must take into an account human factors, including potential errors.
• It should be transparent and all-inclusive.
• It should be adaptable to change.
• It should be continuously monitored and improved upon.
The ISO standards and others like it have been developed worldwide to help organizations
systematically implement risk management best practices. The ultimate goal for these standards
is to establish common frameworks and processes to effectively implement risk management
strategies.
These standards are often recognized by international regulatory bodies, or by target industry
groups. They are also regularly supplemented and updated to reflect rapidly changing sources of
business risk. Although following these standards is usually voluntary, adherence may be
required by industry regulators or through business contracts.
Risk Management Examples

One example of risk management could be a business identifying the various risks
associated with opening a new location. They can mitigate risks by choosing locations with a lot
of foot traffic and low competition from similar businesses in the area.
Another example could be an outdoor amusement park that acknowledges their business
is completely weather-dependent. In order to alleviate the risk of a large financial hit whenever
there is a bad season, the park might choose to consistently spend low and build up cash reserves.

Yet another example could be an investor buying stock in an exciting new company with
high valuation even though they know the stock could significantly drop. In this situation, risk
acceptance is displayed as the investor buys despite the threat, feeling the potential of the large
reward outweighs the risk.
Project Risk Management
What is Project Risk Management?

Project risk management is the process that project managers use to manage potential
risks that may affect a project in any way, both positively and negatively. The goal is to
minimize the impact of these risks. A risk is any unexpected event that can affect people,
technology, resources, or processes (including projects). Unlike a regular problem that may arise,
risks are incidents that may occur suddenly, sometimes entirely unexpected. Project managers do
not always know which risks the project is exposed to, when they occur, and why. Due to this
high degree of uncertainty, project risk management requires a serious and in-depth approach.
In short, the Project Risk Management process consists of identifying risks, analyzing
them, and subsequently responding to any risks that may arise throughout the project life cycle.
This is done to limit the consequences of the risk as much as possible, so that objectives can be
continued to be met. Generally speaking, risk management is not a reactive activity. To find out
which risks may arise, risk management must be included in every planning process. Which risks
are there that may influence the project, and how can these risks be controlled?
Who Conducts Project Risk Management?
Although Project Risk Management works the same for every project, it can take
different forms. Different types and sizes of projects require a different approach to risk
management. In many large-scale projects, a relatively large amount of attention is paid to
comprehensive risk management and mitigation strategies for when problems arise. For smaller
projects, a simple prioritized list of high, medium, and low priority risks is sufficient.
Risk Management vs Project Management

Risks are inevitable in organizations, and virtually every other project is exposed to risks.
The project manager has the responsibility to ensure that the impact of risks is minimized.
Generally speaking, project risk management consists of the following steps.
• Risk identification
• Risk analysis
• Risk assessment
• Risk management
• Risk monitoring
Figure 1.1 Steps in Project Risk Management

Step 1: Risk Identification

The first step in Project Risk Management is identification. When identifying risks, the
assessor may work in different ways. For example, they may look up information about similar
projects in the past. Various brainstorming techniques are also used to refresh team members’
knowledge of past projects and risks, or to share new innovative mitigation strategies.
There are different types of risks, such as operational or business risks. Different risks are
borne by different people. The risks that often directly affect a project include:
• Financial risks (budgeting)
• Legal risks
• Supplier risks
• Physical risks to employee
• Strategic risks
Step 2: Risk Analysis
After various risks have been identified, it is important to evaluate them. Risk analysis is
usually done in a qualitative or quantitative way. Subsequently, risks are categorized based on
two criteria: the probability that the risk will actually occur, and the severity of its impact. Both
criteria are assigned a value, ranging from high, medium, to low.
The risk is then assigned a category and processed in a matrix.

Figure 1.2 Risk Analysis – Assessing Risks
Risk Analysis Example:
• Qualitative Risk Analysis

Qualitative Risk Analysis is a subjective evaluation of the probability and impact of each
risk. Responses are subsequently devised for the various risks, or alternatively a risk is analyzed
again, but in a quantitative way.
An advantage of the qualitative Risk Analysis method is that it is relatively quick and easy to
implement. It is also ideally suited for people who do not have skills in calculating opportunities
and statistics.
A qualitative risk analysis also has drawbacks, however. The results can be ambiguous or
difficult to explain, for instance.
• Quantitative Risk Analysis

Quantitative Risk Analysis is the numerical analysis of the probability and impact of
identified risks. The main focus is on which risks and activities contribute most to achieving the
project objectives.
Quantitative Risk Analysis is less ambiguous and can be easily explained on the basis of
input: numbers. The probability and impact can be analytically combined in a correct way.
Contingency plans can be drawn up on the basis of the data resulting from quantitative risk
analysis.
A disadvantage of quantitative risk analysis is that the development of models and
simulations is time-intensive and external expertise is often required.
Step 3: Risk Response
As soon as it is clear where the greatest risks come from and which is the most important
to deal with quickly, corrective measures must be taken. When it comes to risks within project
management, the project manager has four options for responding to a risk. These are explained
below.
Option 1: Avoiding the risk
Avoiding a risk means that the chance that the risk will occur is reduced to as close to
zero as possible. Usually risk avoidance involves making different decisions or making some
adjustments to the original project plan. Suppose a project manager is warned by someone about
an increased risk of bankruptcy with certain suppliers, he or she can then make the decision to
choose another supplier. This avoids the risk of the impact of bankrupt suppliers.
Option 2: Limiting the impact of the risk

Limiting a risk means reducing the impact of a risk incident. By mitigating risks, you
ensure that the impact of a risk is reduced. An example of this is a project risk in the test phase
of, for example, a product. By testing more and better, risks are not prevented, but every effort
has been made to limit the possible consequences of a negative event that may occur.
Option 3: Transferring the risk
Transferring a risk involves moving responsibility for dealing with the consequences of a
risk to someone else. A well-known example of this is taking out insurance. For example, a
private individual can take out luggage insurance so that he or she does not have to deal with any
financial consequences. The impact of the risk of something happening to the luggage is then
dealt with by the insurance company. The private individual receives compensation for the
damage suffered in the event that the risk of luggage theft or damage becomes reality.
Option 4: Accepting the risk
The final option for dealing with risks is to simply accept the impact an event can have
once it becomes reality. Accepting risks may be sensible if the chances of a risk are relatively
low and the costs of mitigating it are high.
Accepting a risk is not the same as not making a decision or hiding from a problem. In
many ways, it is a risky response to a risk, but risks are always weighed and factored in.
Step 4: Implementing a risk response
The fourth step is to implement responses to various risks. Each risk response is part of
the project management plan. A risk response may come in many forms:
• A budget allocated for a specific risk
• A task assigned to a specific person
• Development or implementation of a new process
In project risk management, it is important that a responsible person is assigned to each
risk. It is this person who supervises the risk and specifically works on controlling and managing
a risk. This person communicates with all stakeholders about the status of the risk and the impact
that the risk may have and what the response looks like.
This risk manager collects as much information about the risk as possible. This approach
should be applied across the whole board of project management activities. Each risk response
must become a small sub-project, as it were.
Tips for Risk Responses
• Consider the Project Objectives
In order to establish the optimal risk-response strategy, it is important that the main goals of
the project are considered. Trade-offs will probably be necessary because it is difficult to always
have time, quality, and costs go according to plan. Understanding the deep goals of a project will
help the project team plan the right response to the right risk.
• Prioritize risks
Giving priority to a certain risk is important because it ensures that certain resources are
allocated to a particular function or task. If it is a risk with a high probability of occurrence and
high impact, it goes without saying that sufficient resources must be deployed to minimize both
the impact and probability. Involve stakeholders
The more collaboration and communication between project team members and other key
stakeholders, the faster and more effective potential risk identification and better risk response
planning.
Step 5: Monitoring the risk
As with all control processes and roadmaps in project manager and other business
situations, it is important that both measures taken and the current situation are monitored. This
is important to ensure that risk responses remain effective, fast, and efficient. The status of the
risks and expect impact and probability must be constantly monitored. There should be
considerable dynamism in this during the project life cycle. If the risks are too high at a certain
moment, you will have to act on them. At worst, risks endanger the feasibility of a project. All
information that may relate to a risk must therefore be assessed.
Effective Project Risk Management Methods
It is important to identify the main risks so that the team can effectively prepare responses
to them. In other words, it is crucial to identify the most impactful risks. Various tools can be
used for this.

• Failure Mode and Effect Analysis (FMAE)
FMAE can be used in identifying risks as a way to find cause-effect relationships of risks that
may impact a project. FMAE is also used to perform qualitative risk analysis. The advantage of
FMAE is that it adds the dimension of risk detection. For instance, how likely is a potential risk
to be detected? In this way, three parameters are kept for all risks: the probability that the risk
will become reality, the impact of the risk if it occurs, and the probability of detection of the risk.
• Risk Bow Tie diagram

The Risk Bow Tie diagram is a tool that visualizes the risk in an easy-to-understand way. The
diagram is in the form of a snare, and shows a clear division between proactive and reactive risk
management. The strength of the snare diagram is that it provides an overview of several
plausible scenarios in one image. This provides a simple and visual way of presenting risks.
• Decision Analysis
Decision Analysis formally identifies and analyses important aspects of a particular risk. The
method follows a specific step-by-step plan to guide the project team through the risk
decisionmaking process. The RACI matrix (responsible, accountable, consulted, informed) helps
to identify and define the different roles in the decision-making process.
Name : ____________________________________
Year & Section : ____________________________________
Activity 1.1
1. What is risk management? What factors of risk are addressed by managing risk?
_____________________________________________________________________________
_
_____________________________________________________________________________
_
_____________________________________________________________________________
_
______________________________________________________________________________
______________________________________________________________________________
_____________________________________________________________________________
_ __________________

2. What is risk avoidance? Give an example.
_____________________________________________________________________________
_
_____________________________________________________________________________
_
_____________________________________________________________________________
_
_____________________________________________________________________________
_
_____________________________________________________________________________
_
_____________________________________________________________________________
_ __________________
3. Discuss the relationship between avoidance and elimination.
_____________________________________________________________________________
_
_____________________________________________________________________________
_
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
__________________
4. Give one reason why we do not transfer all risks by using insurance.
_____________________________________________________________________________
_
______________________________________________________________________________
_____________________________________________________________________________
_
_____________________________________________________________________________
_
______________________________________________________________________________
______________________________________________________________________________
__________________
5. How is risk reduction or minimization used in the process of risk management?
_____________________________________________________________________________
_
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
__________________
Name : ____________________________________
Year & Section : ____________________________________
Activity 1.2

Multiple Choice. Select the best answer.
1. Risk is a term that is regularly used and that is generally understood in context. As
used in this discussion, which one of the following is one of the two elements within the
definition of risk?
A. Uncertainty of outcome
B. Likelihood of injury or damage to property
C. Probability of financial loss
D. Opportunity for profit

2. To understand risk, one needs to know the probability of an outcome or event occurring.
Which one of the following statements is correct with respect to probability?
A. It is typically expressed verbally rather than numerically.
B. It can be used to decide which activities to undertake.
C. It verifies that risk is present, but does not quantify it.
D. It identifies what can be lost when a negative outcome occurs.

3. Which one of the following is measurable and quantifies risk?
A. Uncertainty
B. Possibility
C. Probability
D. Feasibility
4. In the context of risk, the chance of being injured while driving to and from work,
loading a truck at work, moving furniture at home, or falling in an icy parking lot at the
mall are all examples of
A. Possibilities.
B. Uncertainties.
C. Probabilities.

D. Losses.
5. Company G is a manufacturer of high profile golf equipment. The risk management
professional for Company G is concerned about loss of business related to product design.
Failing to respond to changing customer demand and preferences in the design of golf clubs
could cost Company G significant market share. Categorized according to the quadrants of
risk, this exposure to loss is classified as
A. A hazard risk.
B. An operational risk.
C. A financial risk.
D. A strategic risk.
6. Classifying risk appropriately can help in managing risk. Which one of the following
statements is correct with respect to the classifications of risk?
A. Risk classifications are mutually exclusive, and only one can be applied to any given risk.
B. A pure risk is a chance of loss or no loss, but no chance of gain.
C. Insurance deals primarily with speculative risk, rather than with pure risk.
D. Usually, pure risks and speculative risks can be managed using the same techniques.
7. Risk can be classified as subjective or objective. Which one of the following statements is
correct with respect to these risk classifications?
A. Subjective risk is risk associated with individuals; objective risk is risk associated with
objects or things.
B. Risk managers focus on objective risk and attempt to avoid allowing subjective risk to affect
their decisions.
C. Subjective risk can exist even where objective risk does not.
D. Individuals' subjective perception of risk in a given set of circumstances is typically much

higher than the objective risk.
8. George has received an inheritance and is deciding what to do with the money. He has
limited his options to four choices: donate all the money to his favorite charity, use the
entire inheritance to buy a yacht, invest the inheritance in a small rental property, or use
the entire amount to purchase T-bills. Which one of the following statements is true
regarding the risk involved in George's options?

A. Donating his inheritance to charity is a pure risk; there is no uncertainty that the money will
be gone and George will have no chance of profit.
B. Buying a boat is a non-diversifiable risk because George can only afford to purchase a single
yacht.
C. The rental property presents both pure and speculative risk; property values may increase, but
the building could burn down.
D. Purchasing T-bills is a pure risk because the interest rate payable is known, and the chance of
loss is minimal.
9. Which one of the following best explains the term "residual uncertainty"?
A. It is the level of risk that remains after implementing risk management plans.
B. It is the difference between estimated subjective risk and calculated objective risk.
C. It is the amount invested in risk management in order to eliminate concern.
D. It is uncertainty regarding the value of any residual salvage that would remain after a loss.
10. The cost of residual uncertainty can have a significant effect on an individual or organization.
Which one of the following statements is correct with respect to residual uncertainty?
A. For organizations, the cost of residual uncertainty is limited to the effect that uncertainty has on the
organization itself.
B. Individuals and organizations vary greatly as to how much residual uncertainty they are willing to
accept, and this benefits society and the economy.
C. The cost of residual uncertainty includes the cost of any insurance policies purchased to cover losses
not treated by other risk management techniques.
D. The cost of residual uncertainty can be calculated by subtracting the expected cost of losses or gains
from an organization's cost of risk.

UNIT II: RISK MANAGEMENT PLANNING
Learning Objectives

• explain the overview of Plan Risk Management
• discuss the inputs to the Plan Risk Management Process
• identify the tools and techniques for the Plan Risk Management Process
• apply outputs from Plan Risk Management Process
Overview

A risk management plan is a written document that details the organization’s risk management
process. This process starts by creating a team of stakeholder across the organization to review
potential risks to the organization. This stakeholder team should include senior management, the
compliance officer, and any department managers. If the organization is developing software,
then one project manager from each project team should also be included to review project
management and respond to project risks.
Once created, the team can begin working on the risk management process.
Lesson Proper
Risk Management Planning
Even the most carefully planned project can run into trouble. No matter how well you
plan, your project can always encounter unexpected problems. Team members get sick or quit,
resources that you were depending on turn out to be unavailable, even the weather can throw you
for a loop (e.g., a snowstorm). So does that mean that you’re helpless against unknown
problems? No! You can use risk planning to identify potential problems that could cause trouble
for your project, analyze how likely they are to occur, take action to prevent the risks you can
avoid, and minimize the ones that you can’t.
A risk is any uncertain event or condition that might affect your project. Not all risks are
negative. Some events (like finding an easier way to do an activity) or conditions (like lower
prices for certain materials) can help your project. When this happens, we call it an opportunity;
but it’s still handled just like a risk.
There are no guarantees on any project. Even the simplest activity can turn into
unexpected problems. Anything that might occur to change the outcome of a project activity, we
call that a risk. A risk can be an event (like a snowstorm) or it can be a condition (like an
important part being unavailable). Either way, it’s something that may or may not happen …but
if it does, then it will force you to change the way you and your team work on the project.
If your project requires that you stand on the edge of a cliff, then there’s a risk that you
could fall. If it’s very windy out or if the ground is slippery and uneven, then falling is more
likely.

Figure 2.1 Risk Management Options
When you’re planning your project, risks are still uncertain: they haven’t happened yet.
But eventually, some of the risks that you plan for do happen, and that’s when you have to deal
with them. There are four basic ways to handle a risk.
1. Avoid: The best thing you can do with a risk is avoid it. If you can prevent it from happening, it
definitely won’t hurt your project. The easiest way to avoid this risk is to walk away from the
cliff, but that may not be an option on this project.
2. Mitigate: If you can’t avoid the risk, you can mitigate it. This means taking some sort of action
that will cause it to do as little damage to your project as possible.
3. Transfer: One effective way to deal with a risk is to pay someone else to accept it for you. The
most common way to do this is to buy insurance.
4. Accept: When you can’t avoid, mitigate, or transfer a risk, then you have to accept it. But even
when you accept a risk, at least you’ve looked at the alternatives and you know what will happen
if it occurs. If you can’t avoid the risk, and there’s nothing you can do to reduce its impact, then
accepting it is your only choice. By the time a risk actually occurs on your project, it’s too late to
do anything about it.
That’s why you need to plan for risks from the beginning and keep coming back to do more
planning throughout the project.
The risk management plan tells you how you’re going to handle risk in your project. It
documents how you’ll assess risk, who is responsible for doing it, and how often you’ll do risk
planning (since you’ll have to meet about risk planning with your team throughout the project).
Some risks are technical, like a component that might turn out to be difficult to use.
Others are external, like changes in the market or even problems with the weather.
It’s important to come up with guidelines to help you figure out how big a risk’s potential
impact could be. The impact tells you how much damage the risk would cause to your project.
Many projects classify impact on a scale from minimal to severe, or from very low to very high.
Your risk management plan should give you a scale to help figure out the probability of the risk.
Some risks are very likely; others aren’t.

Risk Management Process
Managing risks on projects is a process that includes risk assessment and a mitigation
strategy for those risks. Risk assessment includes both the identification of potential risk and the
evaluation of the potential impact of the risk. A risk mitigation plan is designed to eliminate or
minimize the impact of the risk events—occurrences that have a negative impact on the project.
Identifying risk is both a creative and a disciplined process. The creative process includes
brainstorming sessions where the team is asked to create a list of everything that could go wrong.
All ideas are welcome at this stage with the evaluation of the ideas coming later.
Risk Identification
A more disciplined process involves using checklists of potential risks and evaluating the
likelihood that those events might happen on the project. Some companies and industries develop
risk checklists based on experience from past projects. These checklists can be helpful to the
project manager and project team in identifying both specific risks on the checklist and
expanding the thinking of the team. The past experience of the project team, project experience
within the company, and experts in the industry can be valuable resources for identifying
potential risk on a project.
Identifying the sources of risk by category is another method for exploring potential risk
on a project. Some examples of categories for potential risks include the following:
• Technical
• Cost
• Schedule
• Client
• Contractual
• Weather
• Financial
• Political
• Environmental
• People
You can use the same framework as the work breakdown structure (WBS) for developing
a risk breakdown structure (RBS). A risk breakdown structure organizes the risks that have
been identified into categories using a table with increasing levels of detail to the right. The
people category can be subdivided into different types of risks associated with the people.
Examples of people risks include the risk of not finding people with the skills needed to execute
the project or the sudden unavailability of key people on the project.

Example: Risks in John’s Move
In John’s move, John makes a list of things that might go wrong with his project and uses his work
breakdown structure as a guide. A partial list for the planning portion of the RBS is shown in Table
16.1.
Task Risk
• Dion backs out

• Carlita backs out
• No common date available
Contact Dion and Carlita
• Restaurant full or closed

• Wring choice of ethnic food
Host planning lunch
• Dion or Carlita have special food allergies or
preferences
• Printer out of toner

Develop and distribute schedule • Out of paper
Table 2.1 Risk Breakdown Structure (RBS)
The result is a clearer understanding of where risks are most concentrated. This approach
helps the project team identify known risks, but can be restrictive and less creative in identifying
unknown risks and risks not easily found inside the WBS.
Risk Evaluation
After the potential risks have been identified, the project team then evaluates each risk
based on the probability that a risk event will occur and the potential loss associated with it. Not
all risks are equal. Some risk events are more likely to happen than others, and the cost of a risk
can vary greatly. Evaluating the risk for probability of occurrence and the severity or the
potential loss to the project is the next step in the risk management process.
Having criteria to determine high-impact risks can help narrow the focus on a few critical
risks that require mitigation. For example, suppose high-impact risks are those that could
increase the project costs by 5% of the conceptual budget or 2% of the detailed budget. Only a
few potential risk events meet these criteria. These are the critical few potential risk events that
the project management team should focus on when developing a project risk mitigation or
management plan. Risk evaluation is about developing an understanding of which potential risks

have the greatest possibility of occurring and can have the greatest negative impact on the project
(Figure 16.2). These become the critical few.
Figure 2.2 Risk and Impact
There is a positive correlation—both increase or decrease together—between project risk

and project complexity. A project with new and emerging technology will have a high-
complexity rating and a correspondingly high risk. The project management team will assign the
appropriate resources to the technology managers to ensure the accomplishment of project goals.
The more complex the technology, the more resources the technology manager typically needs to
meet project goals, and each of those resources could face unexpected problems.
Risk evaluation often occurs in a workshop setting. Building on the identification of the
risks, each risk event is analyzed to determine the likelihood of occurrence and the potential cost
if it did occur. The likelihood and impact are both rated as high, medium, or low. A risk
mitigation plan addresses the items that have high ratings on both factors—likelihood and
impact.
Example: Risk Analysis of Equipment Delivery

A project team analyzed the risk of some important equipment not arriving at the project
on time. The team identified three pieces of equipment that were critical to the project and would
significantly increase costs if they were late in arriving. One of the vendors, who was selected to
deliver an important piece of equipment, had a history of being late on other projects. The vendor
was good and often took on more work than it could deliver on time. This risk event (the
identified equipment arriving late) was rated as high likelihood with a high impact. The other
two pieces of equipment were potentially a high impact on the project but with a low probability
of occurring.
Not all project managers conduct a formal risk assessment on a project. One reason, as
found by David Parker and Alison Mobey in their phenomenological study of project managers,
was a low understanding of the tools and benefits of a structured analysis of project risks (2004).
The lack of formal risk management tools was also seen as a barrier to implementing a risk
management program. Additionally, the project manager’s personality and management style
play into risk preparation levels. Some project managers are more proactive and develop
elaborate risk management programs for their projects. Other managers are reactive and are more
confident in their ability to handle unexpected events when they occur. Yet others are risk averse,
and prefer to be optimistic and not consider risks or avoid taking risks whenever possible.
On projects with a low-complexity profile, the project manager may informally track
items that may be considered risk items. On more complex projects, the project management
team may develop a list of items perceived to be higher risk and track them during project
reviews. On projects of even greater complexity, the process for evaluating risk is more formal
with a risk assessment meeting or series of meetings during the life of the project to assess risks
at different phases of the project. On highly complex projects, an outside expert may be included
in the risk assessment process, and the risk assessment plan may take a more prominent place in
the project implementation plan.
On complex projects, statistical models are sometimes used to evaluate risk because there
are too many different possible combinations of risks to calculate them one at a time. One
example of the statistical model used on projects is the Monte Carlo simulation, which simulates
a possible range of outcomes by trying many different combinations of risks based on their
likelihood. The output from a Monte Carlo simulation provides the project team with the
probability of an event occurring within a range and for combinations of events. For example, the
typical output from a Monte Carlo simulation may indicate a 10% chance that one of the three
important pieces of equipment will be late and that the weather will also be unusually bad after
the equipment arrives.
Risk Mitigation
After the risk has been identified and evaluated, the project team develops a risk
mitigation plan, which is a plan to reduce the impact of an unexpected event. The project team
mitigates risks in various ways:

• Risk avoidance
• Risk sharing
• Risk reduction
• Risk transfer
Each of these mitigation techniques can be an effective tool in reducing individual risks
and the risk profile of the project. The risk mitigation plan captures the risk mitigation approach
for each identified risk event and the actions the project management team will take to reduce or
eliminate the risk.
Risk avoidance usually involves developing an alternative strategy that has a higher
probability of success but usually at a higher cost associated with accomplishing a project task. A
common risk avoidance technique is to use proven and existing technologies rather than adopt
new techniques, even though the new techniques may show promise of better performance or
lower costs. A project team may choose a vendor with a proven track record over a new vendor
that is providing significant price incentives to avoid the risk of working with a new vendor. The
project team that requires drug testing for team members is practicing risk avoidance by avoiding
damage done by someone under the influence of drugs.
Risk sharing involves partnering with others to share responsibility for the risky
activities. Many organizations that work on international projects will reduce political, legal,
labor, and others risk types associated with international projects by developing a joint venture
with a company located in that country. Partnering with another company to share the risk
associated with a portion of the project is advantageous when the other company has expertise
and experience the project team does not have. If a risk event does occur, then the partnering
company absorbs some or all of the negative impact of the event. The company will also derive
some of the profit or benefit gained by a successful project.
Risk reduction is an investment of funds to reduce the risk on a project. On international

projects, companies will often purchase the guarantee of a currency rate to reduce the risk
associated with fluctuations in the currency exchange rate. A project manager may hire an expert
to review the technical plans or the cost estimate on a project to increase the confidence in that
plan and reduce the project risk. Assigning highly skilled project personnel to manage the
highrisk activities is another risk-reduction method. Experts managing a high-risk activity can
often predict problems and find solutions that prevent the activities from having a negative
impact on the project. Some companies reduce risk by forbidding key executives or technology
experts to ride on the same airplane.
Risk transfer is a risk reduction method that shifts the risk from the project to another
party. The purchase of insurance on certain items is a risk-transfer method. The risk is transferred
from the project to the insurance company. A construction project in the Caribbean may purchase
hurricane insurance that would cover the cost of a hurricane damaging the construction site. The
purchase of insurance is usually in areas outside the control of the project team. Weather,

political unrest, and labour strikes are examples of events that can significantly impact the
project and that are outside the control of the project team.
Contingency Plan
The project risk plan balances the investment of the mitigation against the benefit for the
project. The project team often develops an alternative method for accomplishing a project goal
when a risk event has been identified that may frustrate the accomplishment of that goal. These
plans are called contingency plans. The risk of a truck drivers’ strike may be mitigated with a
contingency plan that uses a train to transport the needed equipment for the project. If a critical
piece of equipment is late, the impact on the schedule can be mitigated by making changes to the
schedule to accommodate a late equipment delivery.
Contingency funds are funds set aside by the project team to address unforeseen events
that cause the project costs to increase. Projects with a high-risk profile will typically have a
large contingency budget. Although the amount of contingency allocated in the project budget is
a function of the risks identified in the risk analysis process, contingency is typically managed as
one-line item in the project budget.
Some project managers allocate the contingency budget to the items in the budget that
have high risk rather than developing one-line item in the budget for contingencies. This
approach allows the project team to track the use of contingency against the risk plan. This
approach also allocates the responsibility to manage the risk budget to the managers responsible
for those line items. The availability of contingency funds in the line item budget may also
increase the use of contingency funds to solve problems rather than finding alternative, less
costly solutions. Most project managers, especially on more complex projects, manage
contingency funds at the project level, with approval of the project manager required before
contingency funds can be used.
Project Risk by Phases
Project risk is dealt with in different ways depending on the phase of the project.
Initiation
Risk is associated with things that are unknown. More things are unknown at the
beginning of a project, but risk must be considered in the initiation phase and weighed against
the potential benefit of the project’s success in order to decide if the project should be chosen.
Example: Risks by Phase in John’s Move

In the initiation phase of his move, John considers the risk of events that could affect the
whole project. Let’s assume that John’s move is not just about changing jobs, but also a change of

cities. This would certainly incur more risks for the project. He identifies the following risks during
the initiation phase that might have a high impact and rates the likelihood of their happening from
low to high.
1. His new employer might change his mind and take back the job offer after he’s given notice at
his old job: Low.
2. The current tenants of his apartment might not move out in time for him to move in by the first
day of work at the new job: Medium.
3. The movers might lose his furniture: Low.
4. The movers might be more than a week late delivering his furniture: Medium.
5. He might get in an accident driving from Chicago to Atlanta and miss starting his job: Low.
John considers how to mitigate each of the risks.
1. During his job hunt, John had more than one offer, and he is confident that he could get another
job, but he might lose deposit money on the apartment and the mover. He would also lose
wages during the time it took to find the other job. To mitigate the risk of his new employer
changing his mind, John makes sure that he keeps his relationships with his alternate
employers cordial and writes to each of them thanking for their consideration in his recent
interviews.
2. John checks the market in Atlanta to determine the weekly cost and availability of extended-
stay motels.
3. John checks the mover’s contract to confirm that they carry insurance against lost items, but
they require the owner to provide a detailed list with value estimates and they limit the
maximum total value. John decides to go through his apartment with his digital camera and
take pictures of all of his possessions that will be shipped by truck and to keep the camera with
him during the move so he has a visual record and won’t have to rely on his memory to make a
list. He seals and numbers the boxes so he can tell if a box is missing.
4. If the movers are late, John can use his research on extended-stay motels to calculate how
much it would cost. He checks the moving company’s contract to see if they compensate the
owner for late delivery, and he finds that they do not.
5. John checks the estimated driving time from Chicago to Atlanta using an Internet mapping
service and gets an estimate of 11 hours of driving time. He decides that it would be too risky
to attempt to make the drive by himself in one day, especially if he didn’t leave until after the
truck was packed. John plans to spend one night on the road in a motel to reduce the risk of an
accident caused by driving while too tired.
John concludes that the medium
-risks can be
mitigated and the costs from the mitigation would be
acceptable in order to get a new job.
Planning Phase

Once the project is approved and it moves into the planning stage, risks are identified
with each major group of activities. A risk breakdown structure (RBS) can be used to identify
increasing levels of detailed risk analysis.
Example: Risk Breakdown Structure for John’s Move

John decides to ask Dion and Carlita for their help during their first planning meeting to identify
risks, rate their impact and likelihood, and suggest mitigation plans. They concentrate on the
packing phase of the move. They fill out a table of risks, as shown in Table 16.2.
Legend:
• RA: Risk avoidance
• RS: Risk sharing
• RR: Risk reduction
• RT: Risk transfer
Task Risks Mitigation
Cuts from handling Buy small boxes for packing

sharp knives knives (RR)
Cuts from cracked glasses that

Pack kitchen break while being packed Discard cracked glasses (RA)
Transporting alcoholic Give opened bottles to Dion or

beverages Carlita (RA)

Supervise wrapping and
loading personally (RR) and
require movers to insure
Damage to antique furniture against damage (RT)
Buy box of large freezer bags

Lose parts while talking apart with a marker to bag and label
the entertainment center parts (RR)
Break most valuable electronics

—TV, DVD, Tuner, Buy boxes of the right size with
Packing living room Speakers sufficient bubble wrap (RR)
Buy or rent a mirror-box with

Styrofoam blocks at each
Pack bedroom Break large mirror corner (RR)
Lose prescription drugs or pack

them where they cannot be Separate prescription drugs for
found quickly transportation in the car (RA)
Ask Carlita to care for them

and bring them with her in her
van when she visits in
Pack remaining items Damage to house plants exchange for half of them (RS)
Transportation of flammable
liquids from charcoal grill Give to Dion or Carlita (RA)

Table 2.2: Risk Breakdown Structure (RBS) for Packing John’s Apartment
Implementation Phase
As the project progresses and more information becomes available to the project team,
the total risk on the project typically reduces, as activities are performed without loss. The risk
plan needs to be updated with new information and risks checked off that are related to activities
that have been performed.
Understanding where the risks occur on the project is important information for
managing the contingency budget and managing cash reserves. Most organizations develop a
plan for financing the project from existing organizational resources, including financing the
project through a variety of financial instruments. In most cases, there is a cost to the
organization to keep these funds available to the project, including the contingency budget. As
the risks decrease over the length of the project, if the contingency is not used, then the funds set
aside by the organization can be used for other purposes.
To determine the amount of contingency that can be released, the project team will
conduct another risk evaluation and determine the amount of risk remaining on the project. If the
risk profile is lower, the project team may release contingency funds back to the parent
organization. If additional risks are uncovered, a new mitigation plan is developed including the
possible addition of contingency funds.
Closeout Phase
During the closeout phase, agreements for risk sharing and risk transfer need to be
concluded and the risk breakdown structure examined to be sure all the risk events have been
avoided or mitigated. The final estimate of loss due to risk can be made and recorded as part of
the project documentation. If a Monte Carlo simulation was done, the result can be compared to
the predicted result.
Example: Risk Closeout on John’s Move
To close out the risk mitigation plan for his move, John examines the risk breakdown
structure and risk mitigation plan for items that need to be finalized. He makes a checklist to be
sure all the risk mitigation plans are completed, as shown in Table 16.3. Risk is not allocated
evenly over the life of the project. On projects with a high degree of new technology, the
majority of the risks may be in the early phases of the project. On projects with a large equipment
budget, the largest amount of risk may be during the procurement of the equipment. On global
projects with a large amount of political risk, the highest portion of risk may be toward the end of
the project.

Risk Mitigation Closeout
Confirm all of the numbered

Mover’s insurance plus digital boxes are present and still
Items lost by movers image inventory sealed.
Mover’s insurance plus Supervise unloading and

personal supervision of unwrapping; visually inspect
Antique furniture damaged wrapping and loading each piece.
Confirm that the plants are

Ask Carlita to bring half of healthy and that Carlita
House plants them in her van when she visits. brought about half of them.
Table 2.3 Closeout of Risk Mitigation Plan for John’s Move
Name : ____________________________________
Year & Section : ____________________________________
Activity 2.1

1 – You are a project manager for a bottling company. Your project involves installing a
new Accounting System, and you are performing the risk planning processes. You have
identified several problems along with the causes of those problems. Which of the following
diagrams will you use to show each problem and its causes and effects?
A. Decision tree diagram
B. Fishbone diagram
C. Benchmark diagram
D. Simulation tree diagram
2 – Assessing the probability and consequences of identified risks to the project objectives,
assigning a risk score to each risk, and creating a list of prioritized risks, describe which of
the following processes?
A. Perform quantitative risk analysis
B. Identify risks
C. Perform qualitative risk analysis
D. Plan risk management
3 – Each of the following statements is true regarding the risk management plan except for
which one?
A. The risk management plan is an output of the plan risk management process
B. The risk management plan includes a description of the responses to risks and triggers C.
The risk management plan includes thresholds, scoring and interpretation methods,
responsible parties, and budgets
D. The risk management plan is an input to all the remaining risk management processes
4 – You are using the interviewing technique to the perform a quantitative risk analysis
process. You intend to use normal and lognormal distributions. All of the following
statements are true regarding this question except which one?
A. Interviewing techniques are used to quantify the probability and impact of the risks on
project objectives
B. Normal and lognormal distributions use mean and standard deviation to quantify risks
C. Distributions and rustic plea displayed the impacts of risk to the project objectives D.
Triangular distributions rely on optimistic, pessimistic, and most likely estimates to quantify
risks
5 – The information gathering techniques used in the identify risks process include all of
the following except _________________
A. Root cause analysis
B. The Delphi technique
C. Brainstorming
D. Checklist analysis
6 – Which of the following processes assesses the likelihood of risk occurrences and their
consequences using the numerical rating?
A. Perform qualitative risk analysis

B. Identify risks
C. Perform quantitative risk analysis
D. Plan risk responses
7 – You are the project manager for a new training website. You need to perform the
perform qualitative risk analysis process. When you have completed this process, you will
produce all of the following as part of the project documents updates output except which
one?
A. Priority list of risks
B. What’s a list of low priority risks
C. Probability of achieving time and cost estimates
D. Risks grouped by categories
8 – You have identified a risk event on your current project that could save $100,000 in
project costs if it occurs. Which of the following is true based on this statement?
A. This is a risk event that should be accepted because the rewards outweigh the threats to the
project
B. This risk event is an opportunity to the project and should be exploited
C. This risk event should be mitigated to take advantage of the
savings
D. This is a risk event that should be avoided to take full advantage of the potential savings
9 – You have identified a risk event on your current project that could save $500,000 in
project costs if it occurs. Your organization is considering hiring a consulting firm to help
establish proper project management techniques to assure it to realizes these savings.
Which of the following is true based on this statement?
A. This is a risk event that should be accepted because the rewards outweigh the threats to the
project
B. This risk event is an opportunity to the project and should be exploited
C. Is risk event should be mitigated to take advantage of the
savings
D. This is a risk event that should be shared to take full advantage of the potential savings
10 – Your hardware vendor or left you a voicemail saying that a snowstorm in the Midwest
might prevent your equipment from arriving on time. She wanted to give you an advanced
warning and lost due to return the call. Which of the following statements is true?
A. This is a trigger
B. This is a contingency plan
C. This is a residual risk
D. This is a secondary risk
11 – You are constructing a probability and impact matrix for your project, which of the
following statements is true?

A. The probability and impact matrix multiplies the risk’s probability by the cost of the impact
to determine and expected value of the risk event
B. The probability and impact matrix multiplies the risk’s probability – which falls from 0.0 to
1.0 – and the risk’s impact for each potential outcome, and then adds the result of the potential
outcomes together to determine a risk score
C. The probability and impact matrix are predetermined thresholds that use the risk’s probability
multiplied by the impact of the risk event to determine and overall risk score
D. The probability and impact matrix multiplies the risk’s probability by the risk impact – which
both fall from 0.0 to 1.0 – to determine the risk score
12 – Your stakeholders have asked for an analysis of the cost risk. All the following are true
except for which one?
A. Monte Carlo analysis is the preferred method to use to determine the cost risk
B. Monte Carlo analysis is a modeling technique that computes project costs one time
C. A traditional work breakdown structure can be used as an input variable for the cost analysis
D. Monte Carlo usually expresses its results as probability distributions of possible costs
13 – Your hardware vendor left you a voicemail saying that a snowstorm in the Midwest
will prevent your equipment from arriving on time. You identified a risk response strategy
for this risk and have arranged for a local company to lease you the needed equipment
until yours arrives. This is an example of which risk response strategy?
A. Transfer
B. Acceptance
C. Mitigate
D. Avoid
14 – Risk attitude is an enterprise environmental factor that you should evaluate when
performing the plan risk management process. Risk attitude consist of all the following
elements except for which one?
A. Risk appetite
B. Risk threshold
C. Risk urgency
D. Risk tolerance
15 – You work for a large manufacturing plant and you are working on a new project to
release a new product line of toothpaste and salt. This is going to be sold into Europe which
has different dimensions and cap fittings on their tubes of toothpaste.
A new machine is needed to mix the ingredients into a concentrated formula and package it
into these smaller containers than your US product uses. You and your stakeholders are
nervous when you discover this will be the first machine your organization has purchased
from your new supplier. Which of the following statements is true given the information in
this question?
A. The question describes risk tolerance levels of the stakeholders, which should be considered
when performing the plan risk management process

B. This question describes the interviewing tool and technique used during the identify risks
process
C. This question describes risk triggers that are derived using interviewing techniques and
recorded in the risk register during the perform qualitative risk analysis process D. This question
describes a risk that requires a response strategy from the positive risk category
16 – Your project team has identified several potential risks on your current project that
could have a significant impact if they occurred. The team exam and the impact of the risks
by keeping all the uncertain elements at their baseline values. What type of diagram will
the team use to display this information?
A. Fishbone diagram
B. Tornado diagram
C. Influence diagram
D. Process flowchart
17 – Your project team is in the process of identifying project risks on your current project.
The team has the option to use all the following tools and techniques to diagram some of
these present risks, except for which one?
A. Ishikawa diagram
B. Decision tree diagram
C. Process flowchart
D. Influence diagram
18 – All the following statements are true regarding the RBS except for which one?
A. The RBS is contained in the risk management plan
B. The RBS describes risk categories, which are a systematic way to identify risks and provide a
foundation for understanding for everyone involved on the project
C. The lowest level of the RBS can be used as a checklist, which is a tool and technique of the
identify risks process
D. The RBS is similar to the WBS in that the lowest levels of both are easily assigned to a
responsible party or owner
19 – Your team has identified the risks on the project and determined their risk score. The
team is in the middle of determining what strategy is to put in place should the risks occur.
After some discussion, the team members have determined that the risk of losing their
network administrator is a risk they will just deal with if it occurs. Although they think it is
a probability, and the impact would be significant, they have decided to simply deal with it
off to the fact. Which of the following is true regarding this question?
A. This is a negative response strategy
B. This is a positive response strategy
C. This is a response strategy for either positive or negative risk known as contingency planning
D. This is a response strategy for either positive or negative risks known as passive acceptance
20 – All the following are true regarding the perform qualitative risk analysis process
except which one?

A. Probability and impact and expert interviews I used to help correct biases that occur in the
data you have gathered during this process
B. The probability and impact matrix is used during this process to assign red, yellow, and green
conditions to the risks
C. Perform qualitative risk analysis is an easy method of determining risk probability and
impact and usually takes a good deal of time to perform
D. Risk urgency assessment is a tour and technique of this process used to determine which risks
need near-term response plans
UNIT III: QUALITATIVE RISK ANALYSIS

Learning Objectives
After completing this chapter, students will be able to learn:

• the difference between qualitative and quantitative risk analysis
• types and processes for undertaking an analysis
• tips and best practices
Overview
Risk management is all about the creation of a culture in which decisions are made based on the
assessment of data in order to maximize opportunity and minimize the consequence of threats.
Qualitative risk management is a key component in the risk professionals’ tool kit. It enables
rapid prioritization of risks to help project teams to achieve their objectives. Through using these
techniques your project will have a greater chance of being delivered on time and within budget.
Lesson Proper
What is Qualitative Risk Analysis?

Qualitative risk analysis is the process of assessing the likelihood of a risk occurring and
the impact it would have on a project if it happened.
Qualitative analysis of risk serves 3 functions:
1. Prioritize risks according to probability & impact
2. Identify the main areas of risk exposure
3. Improve understanding of project risks
Projects are exposed to all sorts of risks and it’s impractical for project managers to deal
with all of them. In many cases, the resources spent to mitigate a risk actually outweighs the risk
itself.

As such, one of the primary goals for qualitative risk analysis is to prioritize risks based
on their probability and impact. This allows project managers to focus on devising treatments
for the most significant risks.
Using this method also gives project managers a better idea of the main areas of risk
exposure. You can achieve this by categorizing risks by their source. This is important when it
comes to prioritizing risk areas and treatment schedules.
Qualitative risk analysis can also improve a project manager’s understanding of risks.
This helps in devising more effective risk treatments and contingency budgeting for future
projects. Project managers discover much more than risk probability and consequences. They
also discover trigger conditions, assumptions and affected project elements. All of this helps
build up a better picture for future projects.
Qualitative vs. Quantitative Risk Analysis
Qualitative risk analysis involves identifying threats (or opportunities), how likely they
are to happen, and the potential impacts if they do. The results are typically shown using a
Probability/Impact ranking matrix. This type of analysis will also categorize risks, either by
source or effect. Unlike quantitative risk analysis, which applies numerical values and uses
verifiable data, qualitative risk analysis operates in a more generalized, “big-picture” space.
Quantitative risk analysis uses data to produce a value to measure the acceptability of a risk
event outcome.
During a typical project, qualitative risk analysis will happen first. From there, risk
managers can draw on data to address specific risks in more detail. So, while they do have two
distinctions, they don’t compete for supremacy; they’re two parts of the larger risk management
process.
Benefits of Qualitative Risk Analysis
It can be a serious logistical and financial challenge to undertake detailed quantitative

modelling necessary for major projects. There are so many factors at play. A qualitative analysis
of your risk environment will help give you the clarity to prioritize tasks quickly and
costeffectively.
Other benefits include:

Simple Assessment Methods
The project team doesn't require training, as it doesn't rely on any complicated tools or
software. The qualitative risk analysis doesn’t depend on the risk occurrence frequency. So, the
team performing the analysis can save time by not predicting the frequency and the exact timing of
each risk. Project teams can determine areas of greater risk in a short time and without expending
cost.
Easy Prioritization
Qualitative risk analysis classifies risks according to their likelihood and impact. This makes
it easy to determine which risks an organization should focus on – the ones falling into the highest
likelihood and impact categories.
Clear Presentation Options
Qualitative risk analysis classifies risks according to their likelihood and impact. This makes
it easy to determine which risks an organization should focus on – the ones falling into the highest
likelihood and impact categories.
Limitations of Qualitative Risk Analysis
Project risk is a multi-step process. This is because qualitative risk analysis has its
limitations. These include:
Subjective Evaluation
A qualitative risk analysis produces no metrics, it depends on the perception of a person

carrying out the study. In order to minimize subjectivity, a qualitative risk analysis should involve
several people. The accuracy and detail of the analysis depends on previous team experience. If the
risk team hasn’t experienced a project type, they might miss some risks or assess them inadequately.

Limited Scope
The qualitative risk analysis assesses each risk on a project but doesn't provide an
assessment of the overall project risk exposure. The analysis also won't calculate how much risk
management activities and risk treatment will cost.
Lack of Differentiation
Once several risks fall into the same category, for example, high likelihood and medium
impact, there is no further way to differentiate between the severity of risks and no way to
determine which risk should be dealt with first.
Types of Analysis
Different types of project demand different types of qualitative risk analysis. Availability
of resources and personal experience also factor into the decision of how to approach assessing a
project’s risk. The five most common types of analysis are:
1. Probability/Consequence Matrix
To many, this is the standard method of establishing risk severity. Risk matrices will
often vary in size, but they all essentially do the same thing. They provide a practical way to rank the
overall severity of a risk by multiplying the likelihood of risk occurrence against the impact of the
risk, should it still occur. By ranking risk probability against risk consequence, you can see the main
driver of risk severity, whether that’s a probability or a consequence. This information helps identify
suitable treatments to manage the risk, based on its prominent drivers.
2. Bow-Tie Analysis
A bow-tie analysis is one of the most practical techniques for identifying risk mitigations.
Bow-tie analysis starts by looking at a risk event and then projects it in two directions. On the

left, you list all the potential causes of an event. On the right, you list all the potential
consequences of the event.
Using this simple method, you can identify and apply treatments to each of the causes
and consequences separately. This helps you tackle both sides of a risk by mitigating the
probability of it occurring one side, while limiting the impact should the risk still occur.
3. Delphi Technique
Known as the Delphi Technique, experts in a field respond to several rounds of

questionnaires. The responses are aggregated and shared with the group after each round.
When applied to risk management, this technique can be applied to both identify risk, and
subsequently to assess the likelihood and impact. The experts are asked to form an opinion on
how likely the risk is to occur, and the consequence of its occurrence. These responses are
aggregated and reviewed by the experts until a consensus is achieved.
The Delphi technique was conceived in the 1950s by Olaf Helmer and Norman Dalkey of
the Rand Corporation. The name refers to the Oracle of Delphi, a priestess at a temple of Apollo
in ancient Greece, who was famous for her prophecies.
4. SWIFT Analysis
Standing for “Structured What-If Technique”, SWIFT applies a systematic, team-based

approach to risk analysis in a workshop environment. Teams investigate how changes from an
approved plan, may affect a project through a series of “What if” considerations. This technique
is particularly useful in evaluating the viability of opportunity risks.
5. Pareto Principle
Better known as the "80/20 Rule", the Pareto Principle helps in identifying risks that
will be most effective. It's known as 80/20 because the principle thesis holds that 80% of
achievements realized originate from 20% of the effort.

Risk managers use Pareto analysis as a tool for rapidly identifying the most critical
20% of risks that will effectively mitigate 80% of the impact.
The challenge for risk managers is knowing how to effectively score each risk. Large
projects may require multi-attribute weightings for business different priorities, such as security
data, and operational or compliance policies.
But, once you understand where to look and what to look at will help you hone in on the
most important 20%. This offers a crucial leg up in managing the threats and vulnerabilities that
have the potential to have the largest impact.
Qualitative Risk Analysis Process
Like any big task that's worth doing, risk management can seem daunting - especially
when you're starting with a blank canvas. So, the best way to take on qualitative risk analysis is
to break it down into smaller steps:
1. Identifying Risks
Risk identification is arguably the most important part of qualitative risk analysis. If you
fail to identify risks ahead of time, it becomes extremely challenging to manage them.
The trick to risk identification is keeping it simple. Start thinking of anything which
could have an uncertain effect on your project. Capturing the obvious risks will help lead you
deeper into more oblique ones. Risk identification is all about quantity. So, reach out to as many
people as you can to get a wide range of views.
Tools for Risk Identification
• Mind maps
• Questionnaires
• Interviews

• Documentation review
• Checklist analysis
• SWOT Analysis
2. Impact Analysis
Once you’ve identified possible risks, the next step is to consider their potential impact.
• Segregate the risks into threats and opportunities.
• Using qualitative risk analysis, estimate the impact of each risk on a scale (1-5 or
low/medium/high/extreme).
• Next, estimate the probability of each risk occurring, using a similar scale.
• Finally, take those scores and combine them to create a total risk ranking.
Simplicity is the major benefit of qualitative risk analysis; there’s no statistical model that
relies heavily on the quality of the data you use.
3. Risk Treatment
The next stage in the qualitative risk analysis is to apply treatments to each risk. This can
be approached in any number of ways depending on your industry or process. A simple example
could show five options when it comes to risk treatment, but these are by no means definitive: 1.
Accept
2. Mitigate
3. Exploit
4. Transfer

5. Avoid
Accept
If a risk has low impact and low probability, or the cost of preventing it is too high, sometimes
it’s more cost-effective to accept it. Mitigate
Some risks have a high probability, which means you might not be able to avoid them. In order
to reduce the impact of a risk when it becomes an issue, you could choose to mitigate it.
Exploit
A few risks can be exploited to the benefit of your project. Having the ability to identify
exploitable risks can be extremely advantageous and highlights the importance of seeking out
experienced risk experts who can spot these opportunities. Transfer
Risks with financial impacts are a common example of risks that can be transferred to a third
party.
Insurance is designed to assume a risk on your behalf, so you don’t suffer as hard an impact if
something goes wrong. Similarly, it is possible to transfer risk via a contract to a supplier or
contractor.
Avoid
If you can’t mitigate or transfer a risk, and that risk is too high to accept, the only recourse is to
avoid it. Risks can be avoided by changing or removing certain scope items or changing the
approach.
Contingency Planning
If a risk becomes an issue, you need a plan. You need to know:
• what to do
• who gets notified

• who does what
Documenting a contingency plan saves time and money. When you know what to do in
the event of an issue, you can reduce its impact by responding faster. The nature and detail of
your contingency planning will depend on the nature of the risks themselves.
4. Review & Monitor
Risk management is never over, not even after the project has finished. As the project
progresses, it’s important to keep risk logs up to date. At each stage of the project, risk
probability will fluctuate. Some risks will disappear, while others might increase in likelihood.
Reviewing your risks regularly will help keep you on top of these changes.
After the project, a full retrospective will provide valuable data and experience for future
projects, making the next one more secure and helping to further your risk maturity.
Risk Appetite
The risk matrix can be used to set the risk appetite for the organization. The simple use of
color can aid the decision-making process as well helping to set the risk culture across the group.
A risk hungry company may have a large tolerance for taking risk, whereas a high-risk company,
for example in the nuclear industry, may set their appetite a lot lower.
In the example, all risks in the red area are intolerable and must be treated to reduce them
to acceptable levels.

Risk matrices should be used for subjective guidance, not to provide you with definitive
quantitative risk ranking data.
Risk Escalation

What happens when a risk goes from Yellow to Red? Does the risk owner still have the
authority to manage the risk effectively, or should it be escalated?
If the risk owner has the tools to manage that risk, there's no need to escalate. Simply
maintain a clear line of communication on the progress of bringing the risk down to an
acceptable level and there's no need for escalated action.
Why should you escalate?
• If there's absolutely nothing you can do to bring the risk down to an acceptable level.
• If treatment requires action outside the delegation of the original risk.
• If you're managing a shared risk.
Name : ____________________________________
Year & Section : ____________________________________

Activity 3.1
1. Brainstorm this question with a friend or family member. Think about the risks that an event
like the Comrades Marathon might have to face. Make a list of all the risks that you can
think of and make suggestions about the solutions you would put in place to address these
risks.
Example:
Risk: one of the sponsors does not turn up to man a water table at a key point in the
race.
Solution: have a group of stand-by volunteers who could be asked to step in and take
over at a moment’s notice
_____________________________________________________________________________
_
_____________________________________________________________________________
_
______________________________________________________________________________
______________________________________________________________________________
_____________________________________________________________________________
_
______________________________________________________________________________
______________________________________________________________________________
_____________________________________________________________________________
_
______________________________________________________________________________
______________________________________________________________________________
_____________________________________________________________________________
_
______________________________________________________________________________
_____________________________________________________________________________
_
_____________________________________________________________________________
_
_____________________________________________________________________________
_
______________________________________________________________________________
______________________________________________________________________________
_____________________________________________________________________________
_

______________________________________________________________________________
______________________________________________________________________________
_____________________________________________________________________________
_
______________________________________________________________________________
_____________________________________________________________________________
_ UNIT IV: QUANTITATIVE RISK ANALYSIS
Learning Objectives
• explain the overview of the Perform Quantitative Risk Analysis Process

• discuss the inputs to the Perform Quantitative Risk Analysis Process
• identify tools and techniques for the Perform Quantitative Risk Analysis Process
• apply the outputs from the Perform Quantitative Risk Analysis Process
Overview
A quantitative risk analysis is a further analysis of the highest priority risks during a which a
numerical or quantitative rating is assigned in order to develop a probabilistic analysis of the
project.
A quantitative analysis:
• Quantifies the possible outcomes for the project and assesses the probability of achieving
specific project objectives
• Provides a quantitative approach to making decisions when there is uncertainty
• Creates realistic and achievable cost, schedule or scope targets
In order to conduct a quantitative risk analysis, you will need high-quality data, a
welldeveloped project model, and a prioritized lists of project risks (usually from performing a
qualitative risk analysis)
Lesson Proper
What is Quantitative Risk Analysis?

Quantitative risk analysis is a numeric estimate of the overall effect of risk on the project
objectives such as cost and schedule objectives. The results provide insight into the likelihood of
project success and is used to develop contingency reserves.

Why Perform Quantitative Risk Analysis
• Better Overall Project Risk Analysis
Individual risks are evaluated in the qualitative risk analysis. But the quantitative analysis
allows us to evaluate the overall project risk from the individual risks plus other sources of risks.
• Better Business Decisions
Business decisions are rarely made with all the information or data we desire. For more
critical decisions, quantitative risk analysis provides more objective information and data than
the qualitative analysis. Keep in mind: While the quantitative analysis is more objective, it is still
an estimate. Wise project managers consider other factors in the decision-making process.
• Better Estimates
A project manager estimated a project's duration at eight months with a cost of $300,000.
The project actually took twelve months and cost $380,000. What happened?
The project manager did a Work Breakdown Structure (WBS) and estimated the work.
However, the project manager failed to consider the potential impact of the risks (good and bad)
on the schedule and budget.
When to Perform Quantitative Risk Analysis

First, we identify risks. Then we can evaluate the risks qualitatively and quantitatively.
Consider using Quantitative Risk Analysis for:
• Projects that require a Contingency Reserve for the schedule and budget.
• Large, complex projects that require Go/No Go decisions (the Go/No Go decision may
occur multiple times in a project).
• Projects where upper management wants more detail about the probability of completing
the project on schedule and within budget.
Quantitative Risk Assessment Tools & Techniques
Quantitative Risk Analysis tools and techniques include but are not limited to:
• Three Point Estimate – a technique that uses the optimistic, most likely, and pessimistic
values to determine the best estimate.

• Decision Tree Analysis – a diagram that shows the implications of choosing one or other
alternatives.
• Expected Monetary Value (EMV) – a method used to establish the contingency reserves
for a project budget and schedule.
• Monte Carlo Analysis – a technique that uses optimistic, most likely, and pessimistic
estimates to determine the total project cost and project completion dates. For example,
we could estimate the probability of completing a project at a cost of $20M. Or what is a
company wanted to have an 80% probability of achieving its cost objectives. What is the
cost to achieve 80%?
• Sensitivity Analysis – a technique used to determine which risks have the greatest impact
on a project.
• Fault Tree Analysis (FMEA) – the analysis of a structured diagram which identifies
elements that can cause system failure.
Quantitative Risk Analysis Example

Let’s look at a simple Expected Monetary Value (EMV) example:
Keep in mind that risks include both threats and opportunities. Threats have adverse impacts on
cost. Opportunities are benefits that reduce cost. Expected Monetary Value = Probability x
Impact.
Risk Probability Cost Impact EMV

A (Threat) 20% $100,000 $20,000
B (Opportunity) 40% ($10,000) ($4,000)
C (Threat) 30% $50,000 $15,000
Total EMV $31,000
Notice we subtracted the benefit of the Opportunity from the EMV. The Total EVM represents
the project risk exposure and the amount of our Contingency Reserve.

Name : ____________________________________
Year & Section : ____________________________________
Activity 4.1
True or False Questions: Answer true or false to each of the following statements and give a
reason for your answer.
1. Something that could kill you must be very risky.

2. Risk combines the chance of something happening along with the amount of harm it can
do.
3. A high risk activity is quite likely to cause a lot of harm.
4. If something is very risky then it must also be very difficult to do.
5. Everyday things, like playing sport, are not risky at all.
6. Risk is only to do with industry and accidents at work.

UNIT V: RISK RESPONSE PLANNING
Learning Objectives
• explain the overview of the Plan Risk Response Process

• discuss the Inputs to the Plan Risk Response Process;
• identify the tools and techniques for the Plan Risk Response Process
• apply the outputs from the Plan Risk Response Process
Overview
The risk response planning involves determining ways to reduce or eliminate any threats to the
project, and also the opportunities to increase their impact. Project managers should work to
eliminate the threats before they occur. Similarly, the project managers should work to ensure
that opportunities occur. Likewise, the project manager is also responsible to decrease the
probability and impact of threats and increase the probability and impact of opportunities.
For the threats that cannot be mitigated, the project manager needs to have a robust
contingency plan and also a response plan if contingencies do not work.
It is not required to eliminate all the risks of the project due to resource and time constraints.
A project manager should review risk throughout the project. Planning for risks is iterative.
Qualitative risk, quantitative risk, and risk response planning do not end ones you begin work on
the project.
Lesson Proper
Risk Response
Risk response is the process of developing strategic options, and determining actions, to
enhance opportunities and reduce threats to the project’s objectives. A project team member is
assigned to take responsibility for each risk response. This process ensures that each risk
requiring a response has an owner monitoring the responses, although the owner may delegate
implementation of a response to someone else.

Risk Response Strategies
For Threats For Opportunities
Avoid. Risk can be avoided by removing the Exploit. The aim is to ensure that the opportunity
cause of the risk or executing the project in a is realized. This strategy seeks to eliminate the
different way while still aiming to achieve uncertainty associated with a particular upside
project objectives. Not all risks can be avoided risk by making the opportunity definitely happen.
or eliminated, and for others, this approach may Exploit is an aggressive response strategy, best
be too expensive or time‐consuming. However, reserved for those “golden opportunities” having
this should be the first strategy considered. high probability and impacts.
Transfer. Transferring risk involves finding Share. Allocate risk ownership of an opportunity
another party who is willing to take to another party who is best able to maximize its
responsibility for its management, and who will probability of occurrence and increase the
bear the liability of the risk should it occur. The potential benefits if it does occur. Transferring
aim is to ensure that the risk is owned and threats and sharing opportunities are similar in
managed by the party best able to deal with it that a third party is used. Those to whom threats
effectively. Risk transfer usually involves are transferred take on the liability and those to
payment of a premium, and the cost‐ whom opportunities are allocated should be
effectiveness of this must be considered when allowed to share in the potential benefits.
deciding whether to adopt a transfer strategy.
Mitigate. Risk mitigation reduces the Enhance. This response aims to modify the “size”
probability and/or impact of an adverse risk of the positive risk. The opportunity is enhanced
event to an acceptable threshold. Taking early by increasing its probability and/or impact,
action to reduce the probability and/or impact thereby maximizing benefits realized for the
of a risk is often more effective than trying to project. If the probability can be increased to 100
repair the damage after the risk has occurred. percent, this is effectively an exploit response.
Risk mitigation may require resources or time
and thus presents a tradeoff between doing
nothing versus the cost of mitigating the risk.
Acceptance. This strategy is adopted when it is not possible or practical to respond to the risk by the
other strategies, or a response is not warranted by the importance of the risk. When the project
manager and the project team decide to accept a risk, they are agreeing to address the risk if and
when it occurs. A contingency plan, workaround plan and/or contingency reserve may be developed
for that eventuality.
Table 5.1 Risk Response Strategies

Risk Statement Risk Response
Inaccuracies or incomplete information in the Mitigate: Work with Surveys to
survey file could lead to rework of the design. verify that the survey file is
accurate and complete. Perform
additional surveys as needed.
A design change that is outside of the
parameters contemplated in the Environmental Avoid: Monitor design changes
Design
Document triggers a supplemental EIS1 which against ED to avoid reassessment
causes a delay due to the public comment of ED unless the opportunity
period. outweighs the threat.
Potential lawsuits may challenge the Mitigate: Address concerns of
environmental report, delaying the start of stakeholders and public during
construction or threatening loss of environmental process. Schedule
funding. additional public outreach.
Mitigate: Schedule contract work
Environmental Nesting birds, protected from harassment to avoid the nesting season or
under the Migratory Bird Treaty Act, may delay remove nesting habitat before
construction during the nesting season. starting work.
Due to the complex nature of the staging,
additional right of way or construction
easements may be required to complete the Mitigate: Re‐sequence the work
work as contemplated, resulting in additional to enable ROW Certification.
cost to the project.
Due to the large number of parcels and
businesses, the condemnation process may have Mitigate: Work with Right‐of‐
R/W Way and Project Management to
to be used to acquire R/W, which could delay
start of construction by up to one year, prioritize work and secure
increasing construction costs and extending the additional right‐of‐way
time for COS. resources to reduce impact.
Hazardous materials encountered during
construction will require an on‐site storage Accept: Ensure storage space will
area and potential additional costs to dispose. be available.
Unanticipated buried man‐made objects
Construction Accept: Include a Supplemental
uncovered during construction require removal
and disposal resulting in additional costs. Work item to cover this risk.
TABLE 5.2 –EXAMPLE RISK RESPONSES

Responding to Risks
Following identification and analysis of project risks, the PRMT takes action to improve
the odds in favor of project success. Ultimately, it is not possible to eliminate all threats or take
advantage of all opportunities – but they will be documented to provide awareness that they exist
and have been identified. Successful risk response will change the risk profile through the project
life cycle, and risk exposure will diminish.
Risk response involves:
• The PRMT determining which risks warrant a response and identifying which strategy is best
for each risk.
• Assigning an action to the Risk Owner to identify options for reducing the probability or
impacts of each risk. The Risk Owner takes the lead and can involve experts available to the
project.
• Evaluating each option for potential reduction in the risk and cost of implementing the
option.
• Selecting the best option for the project.
• Requesting additional contingency, if needed.

• Assigning an action to the Risk Owner to execute the selected response action. The Risk
Owner is the lead and may assign specific tasks to other resources to have the response
implemented and documented.
If the PRMT judges that a risk should be accepted, it may assign an action to the Risk
Owner to prepare a contingency plan if deemed necessary.
A RISK PERSPECTIVE CAN ENHANCE DECISIONS

When considering risk mitigation methodology, it is important to recognize the
impacts of the decision. The impact of responding to a risk may make sense in the short
term (e.g. Saves design costs, allows team to meet schedule), but the impact of the risk
needs to be taken as a whole.
For example, the impact of just a few unknown conditions can affect the
construction schedule to the point where an environmental work window requires the
project to be suspended. It is important to recognize how much of an impact there would
be in making a decision. While the direct cost of resolving the unknown condition may be

less than the cost of a site visit, the overall impact of the change may be a significant
delay to the contract if not recognized.
Entering Risk Responses into the Risk Register
The risk response action for each risk is entered into the “Response Actions” column of
the risk register. Risk responses are options and actions that enhance opportunities or reduce
threats. The PMRT, PRM, PM or project team decide upon the response action to risks listed in
the risk register. The response action is then assigned to one person, the person responsible for
executing and monitoring the risk response that is chosen. Planned risk responses must be
appropriate to the significance of the risk, cost effective in meeting the challenge, realistic within
the project context and agreed upon by all parties involved, and owned by a single person. Risk
responses must also be timely.

Name : ____________________________________
Year & Section : ____________________________________
Activity 5.1
1. Name one way in which the Government is involved in risk reduction.

_____________________________________________________________________________
_
_____________________________________________________________________________
_
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
__________________
2. Name one way to manage the risk to items that are susceptible to water damage
_____________________________________________________________________________
_
_____________________________________________________________________________
_
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
__________________
3. How do you decide on items of priority? What factors are taken into account when deciding
priority?
_____________________________________________________________________________
_
_____________________________________________________________________________
_

______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
__________________
4. What is risk management? What factors of risk are addressed by managing risk?
_____________________________________________________________________________
_
_____________________________________________________________________________
_
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
__________________
5. Describe transfer of risk.

_____________________________________________________________________________
_
_____________________________________________________________________________
_
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
__________________

UNIT VI: MONITOR AND CONTROL RISKS
Learning Objectives

• explain the overview of the Monitor and Control Risks Process
• discuss the inputs to the Monitor and Control Risks Process
• identify tools and techniques for the Monitor and Control Risks Process
• apply outputs from the Monitor and Control Risks Process
Overview
Controlling project risks is a very essential project management activity for the project manager.
Come to think of it, even if a project manager does not know anything about risk management
processes, she would intuitively be managing risks.
May not be comprehensively, but definitely to some basic extent. Because we are built to
look for risks for survival, and this instinct helps us keep dangers at bay.
Having said this, following these systematic, scientific and proven approaches to handle
risks ensures best possibility of project success.
Lesson Proper

Risk monitoring is the process of keeping track of identified risks, ensuring that risk
response plans are implemented, evaluating the effectiveness of risk responses, monitoring
residual risks, and identifying new risks. The purpose of monitoring is to determine whether:
· Risk responses have been implemented.
· Risk responses were effective (or new responses are needed).
· Project assumptions are still valid.
· Any risk triggers have occurred.
· Risk exposure has changed.
· Policies and procedures are being followed-
· Any new risks have emerged.
Table 6.1 Monitor and Control Risks Four

Key Inputs for Monitor and Control Risks:
1. Risk Register: Provides the list of identified risks, risk owners, agreed responses, risk
triggers (symptoms and warning signs), residual and secondary risks, watch list of low priority
risks, and planned reserves-
2. Project Management Plan: Contains the risk management plan which assigns people,
risk owners, and the resources needed to carry out risk monitoring activities.
3. Work Performance Information: The status of the work is a major input to risk
monitoring and control. Performance reports give insights into whether risks are occurring and
whether response plans need to be implemented. Specific status of interest includes:
· Deliverable status
· Schedule progress
· Costs incurred
4. Performance Reports: These reports analyze the work performance information just
mentioned to create status reports and forecasts using various methods such as earned value.
Six Key Tools for Monitor and Control Risks:

1. Risk Reassessment: The project team should regularly check for new risks as wellas
"reassessing" previously identified risks. At least three possible scenarios should be considered:
a) new risks may have emerged and a new response plan must be devised, b) if a previously
identified risk actually occurs, the effectiveness of the response plan should be evaluated for
lessons learned, and c) if a risk does not occur, it should be officially closed out in the risk
register.
2. Risk Audits: Evaluate and document the effectiveness of risk responses as well as the
effectiveness of the processes being used. Risk audits may be incorporated into the agenda of
regularly scheduled status meetings or may be scheduled as separate events.
3. Variance and Trend Analysis: Used to monitor overall project performance. These
analyses are used to forecast future project performance and to determine if deviations from the
plan are being caused by risks or opportunities.
4. Technical Performance Measurement: Using the results of testing, prototyping, and
other techniques to determine whether planned technical achievements are being met. As with
trend analysis, this information is also used to forecast the degree of technical success on the
project.
5. Reserve Analysis: Compares the remaining reserves to the remaining risk to
determine whether the remaining reserve is adequate to complete the project.
6. Status Meetings: Risk management should be a regular agenda item at the regular
team meetings.
Five Key Outputs for Monitor and Control Risks:
1. Risk Register Updates: Records the outcomes of risk monitoring activities such as
risk reassessment and risk audits. Also records which risk events have actually occurred and
whether the responses were effective.
2. Organizational Process Assets Updates: Includes risk plan templates, the risk register,
the risk breakdown structure, and lessons learned.
3. Change Requests: When contingency plans are implemented, it is sometimes
necessary to change the project management plan. A classic example is the addition of extra
money, time, or resources for contingency purposes. These change requests may lead to
recommended corrective actions or recommended preventive actions.
Corrective actions may include contingency plans (devised at the time a risk event is
identified and used later if the risk actually occurs) and workarounds (passive acceptance of a
risk where no action is taken until or unless the risk event actually occurs). The major distinction
is that workaround responses are not planned in advance.
4. Project Management Plan Updates: Again, if approved changes have an effect on risk
information or processes, the project management plan should be revised accordingly.
5. Project Document Updates: Documents that may be updated include:
· Assumptions log updates

· Technical documentation updates
Name : ____________________________________
Year & Section : ____________________________________
Activity 6.1
1 – You are the project manager of the GHY project for your company. This project has a
budget of $543,000 and is expected to last 18 months. In this project, you have identified
several risk events and created risk response plans. In what project management process
group will you implement risk response plans?
A. Executing
B. Planning
C. Monitoring and Controlling
D. In any process group where the risk event resides
2. Holly is the project manager of the GHH Project. During risk identification and the
subsequent risk analysis process she has identified a risk with a high probability and high
impact for her project. She and the stakeholder agree that the project management plan
should be changed to eliminate the risk threat entirely. What risk response has Holly used
in this instance?
A. This is the risk mitigation response.
B. This is the avoidance risk response.
C. This is the transference risk response.

D. This is a scope change and not a risk response.
3. You work as a project manager for BlueWell Inc. You have to communicate the causes of
risk events to the stakeholders. Which risk diagramming technique you will use to
communicate the causes of risk events to project stakeholders?
A. Project network diagrams
B. Process flow charts
C. Ishikawa diagrams
D. Influence diagrams
4. You are the project manager of the GHE Project. You have identified the following risks
with the characteristics as shown in the following figure: How much capital should the
project set aside for the risk contingency reserve?
A. $142,000
B. $41,750
C. $23,750
D. $232,000
5. Which one of the following is the only output for the qualitative risk analysis process?
A. Enterprise environmental factors
B. Project management plan
C. Risk register updates
D. Organizational process assets
6. Linda is the project manager of the NAB Project. One of the risks her project team has
identified is too dangerous for the project team to manage internally so she has hired a
vendor to complete this portion of the project and to manage the identified risk. What risk
response has Linda used in this instance?
A. Transference
B. Avoidance
C. Contractual
D. Mitigation
7. Which of the following documents is described in the statement below? "It is developed
along with all processes of the risk management. It contains the results of the qualitative
risk analysis, quantitative risk analysis, and risk response planning."
A. Risk management plan
B. Project charter
C. Risk register
D. Quality management plan
8. You are the project manager of a large construction project. This project will last for 18
months and will cost $750,000 to complete. You are working with your project team,
experts, and stakeholders to identify risks within the project before the project work
begins. Management wants to know why you have scheduled so many risk identification

meetings throughout the project rather than just initially during the project planning.
What is the best reason for the duplicate risk identification sessions?
A. The iterative meetings allow the project manager and the risk identification participants to
identify newly discovered risk events throughout the project.
B. The iterative meetings allow all stakeholders to participate in the risk identification processes
throughout the project phases.
C. The iterative meetings allow the project manager to discuss the risk events which have
passed the project and which did not happen.
D. The iterative meetings allow the project manager to communicate pending risks events
during project execution.
9. You are the project manager of a large, high-profile project in your organization. You
have realized that politics within your company may affect the true identification of risk
events within the project. You decide that you'd like to use a method to identify risk events
through an anonymous process. Which one of the following risk events will allow you to
collect and distribute risk information without the stakeholders knowing what other
stakeholders are communicating about the project risk events?
A. Surveys
B. Monte Carlo Technique
C. Checklist analysis
D. Delphi Technique
10. Your project spans the entire organization. You would like to assess the risk of the
project but are worried that some of the managers involved in the project could affect the
outcome of any risk identification meeting. Your worry is based on the fact that some
employees would not want to publicly identify risk events that could make their supervisors
look bad. You would like a method that would allow participants to anonymously identify
risk events. What risk identification method could you use?
A. Delphi technique
B. Isolated pilot groups
C. SWOT analysis
D. Root cause analysis
11. Donna is the project manager of the QSD Project and she believes Risk Event D in the
following figure is likely to happen. If this event does happen, how much will
Donna have left in the risk contingency reserve if none of the other risk events have
happened?
A. $35,000
B. $41,700
C. $14,000
D. $6,700

12. You are working with your project stakeholders to identify risks within the JKP
Project. You want to use an approach to engage the stakeholders to increase the breadth of
the identified risks by including internally generated risk. Which risk identification
approach is most suited for this goal?
A. Delphi Technique
B. SWOT analysis
C. Assumptions analysis
D. Brainstorming
13. Harry is the project manager of the MMQ Construction Project. In this project, Harry
has identified a supplier who can create stained glass windows for 1,000 window units in
the construction project. The supplier is an artist who works by himself, but creates
windows for several companies throughout the United States. Management reviews the
proposal to use this supplier and while they agree that the supplier is talented, they do not
think the artist can fulfill the 1,000 window units in time for the project's deadline.
Management asked Harry to find a supplier who can fulfill the completion of the windows
by the needed date in the schedule. What risk response has management asked Harry to
implement?
A. Mitigation
B. Acceptance
C. Avoidance
D. Transference
14. Adrian is a project manager for a new project using a technology that has recently been
released and there's relatively little information about the technology. Initial testing of the
technology makes the use of it look promising, but there's still uncertainty as to the
longevity and reliability of the technology. Adrian wants to consider the technology factors
a risk for her project. Where should she document the risks associated with this technology
so she can track the risk status and responses?
A. Risk register
B. Risk low-level watch list
C. Project scope statement
D. Project charter
15. You are preparing to start the qualitative risk analysis process for your project. You
will be relying on some organizational process assets to influence the process. Which one of
the following is NOT a probable reason for relying on organizational process assets as an
input for qualitative risk analysis?
A. Studies of similar projects by risk specialists
B. Risk databases that may be available from industry sources
C. Review of vendor contracts to examine risks in past projects
D. Information on prior, similar projects

16. Sammy is the project manager for her organization. She would like to rate each risk
based on its probability and affect on time, cost, and scope. Harry, a project team member,
has never done this before and thinks Sammy is wrong to attempt this approach. Harry
says that an accumulative risk score should be created, not three separate risk scores. Who
is correct in this scenario?
A. Harry is correct, because the risk probability and impact considers all objectives of the
project.
B. Harry is correct, the risk probability and impact matrix is the only approach to risk
assessment.
C. Sammy is correct, because organizations can create risk scores for each objective of the
project.
D. Sammy is correct, because she is the project manager.
17. You are the project manager of the AMD project for your organization. In this project,
you are currently performing quantitative risk analysis. The tool and technique you are
using is simulation where the project model is computed many times with the input values
chosen at random for each iteration. The goal is to create a probability distribution from
the iterations for the project schedule. What technique will you use with this simulation?
A. Pareto modeling
B. Expected Monetary Value
C. Analogous modeling
D. Monte Carlo Technique
18. You are the project manager for your organization and you are working with Thomas,
a project team member. You and Thomas have been working on a specific risk response for
a probable risk event in the project. Thomas is empowered with a risk response and will
control all aspects of the identified risk response in which a particular risk event will
happen within the project. What title, in regard to risk, is bestowed on Thomas?
A. Risk expeditor
B. Risk owner
C. Risk team leader
D. Risk coordinator
19. Mary is the project manager of PKT project. In Mary's project there are certain
enterprise environmental factors that require Mary to use modeling and simulation
techniques to predict the likelihood of achieving cost and schedule objectives in the project.
Mary is using a technique for which the cost estimates are chosen at random for each
iteration of the analysis, such as pessimistic, most likely, and worst-case scenarios. What
type of analysis is Mary using in this project?
A. Quantitative analysis
B. Qualitative analysis
C. Risk distribution

D. Monte Carlo Analysis
20. You are the project manager of the GHG project for your company. You have
identified the project risks, completed qualitative and quantitative analysis, and created
risk responses. You also need to document how and when risk audits will be performed in
the project. Where will you define the frequency of risk audits?
A. Risk response plan
B. Quality management plan
C. Risk management plan
D. Schedule management plan
REFERENCES
Parker, D., & Mobey, A. (2004). Action Research to Explore Perceptions of Risk in Project
Management. International Journal of Productivity and Performance Management 53(1), 18–32.
https://opentextbc.ca/projectmanagement/chapter/chapter-16-ris-management-planning-
projectmanagement/
https://www.projectmanager.com/blog/risk-management-process-steps
https://www.wrike.com/project-management-guide/faq/what-is-risk-management-in-
projectmanagement/
https://www.toolshero.com/project-management/project-risk-management/
https://www.safran.com/content/introduction-qualitative-risk-analysis
https://projectriskcoach.com/evaluating-risks-using-quantitative-risk-analysis/
https://www.safran.com/blog/whats-the-difference-between-qualitative-and-quantitative-riskanalysis
https://www.pmlearningsolutions.com/blog/qualitative-risk-analysis-vs-quantitative-riskanalysis-
pmp-concept-

https://www.erminsightsbycarol.com/risk-response-strategies/ http://www.pmvista.com/risk-
monitoring-and-risk-control/
https://www.gristprojectmanagement.us/guide/monitor-and-control-risk.html
https://www.gristprojectmanagement.us/guide/monitor-and-control-risk.html
https://www.pmexamsmartnotes.com/monitor-and-control-risks/
http://anamulhuq.blogspot.com/2012/01/risk-management.html
https://www.researchgate.net/topic/Risk-Analysis https://www.researchgate.net/topic/Risk-
Assessment
https://pmbasics101.com/risk-management-quiz-correct-answers-explanations/
https://lovepmp.com/docs/question/pmp-questions/ID-1557-perform-qualitative-risk-analysis-isa-
quick-way-to-prioritize-how-a-project-team-will-respond-to
https://www.techrepublic.com/article/how-to-perform-a-qualitative-risk-analysis/
http://yats.free.fr/doc/jorion-frm-exam-answers.pdf
https://www.objectivequiz.com/objective-questions/business-management/risk-management

Module in Risk Management

Uploaded by

Copyright:

Available Formats

Module in Risk Management

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Module in Risk Management

Uploaded by

Copyright:

Available Formats

MODULE IN ELECTIVE

UNIT I: INTRODUCTION TO RISK

Page 1 of 73 For classroom discussion only

Page 2 of 73 For classroom discussion only

Page 3 of 73 For classroom discussion only

Risk management is the process of identifying, assessing and controlling threats to an

Page 4 of 73 For classroom discussion only

Other important benefits of risk management include:

• Protects all involved people and assets from potential harm.

• Helps establish the organization's insurance needs in order to save on unnecessary

Page 5 of 73 For classroom discussion only

Risk Management Strategies and Processes

Page 6 of 73 For classroom discussion only

• Communicate and consult. Internal and external shareholders should be included in

4. If something happens, how will the organization pay for it?

Page 7 of 73 For classroom discussion only

Other limitations include:

Page 8 of 73 For classroom discussion only

• Risk management is immature. An organization's risk management policies are

Page 9 of 73 For classroom discussion only

Page 10 of 73 For classroom discussion only

The process should create value for the organization.

• It should be an integral part of the overall organizational process.

• It should factor into the company's overall decision-making process.

• It must explicitly address any uncertainty.

• It should be systematic and structured.

• It should be based on the best available information.

• It should be tailored to the project.

• It must take into an account human factors, including potential errors.

• It should be transparent and all-inclusive.

• It should be adaptable to change.

• It should be continuously monitored and improved upon.

Risk Management Examples

Page 11 of 73 For classroom discussion only

Project Risk Management

What is Project Risk Management?

Risk Management vs Project Management

Figure 1.1 Steps in Project Risk Management

Page 13 of 73 For classroom discussion only

Page 14 of 73 For classroom discussion only

Risk Analysis Example:

• Qualitative Risk Analysis

• Quantitative Risk Analysis

Option 2: Limiting the impact of the risk

Page 17 of 73 For classroom discussion only

• Risk Bow Tie diagram

Page 18 of 73 For classroom discussion only

Page 20 of 73 For classroom discussion only

B. Likelihood of injury or damage to property

C. Probability of financial loss

D. Opportunity for profit

A. It is typically expressed verbally rather than numerically.

B. It can be used to decide which activities to undertake.

C. It verifies that risk is present, but does not quantify it.

D. It identifies what can be lost when a negative outcome occurs.

Page 21 of 73 For classroom discussion only

B. A pure risk is a chance of loss or no loss, but no chance of gain.

D. Individuals' subjective perception of risk in a given set of circumstances is typically much