Chapter Three

Risk Management Phases

1
 Risk Management process/Phases
- It is the systematic application of management policies,
procedures & practices to the tasks of identifying, analyzing,
evaluating, treating, monitoring & communicating risk.

- Risk management strategy be established early in a project

and continually addressed throughout the project life cycle.

- Risk management process includes:

 Risk management plan
 Risk Identification
 Risk Analysis
 Risk Responses Plan
 Risk Monitoring and Control

2
 Risk Management Plan
• A project risk management plan is vital to the overall
project management plan.

• It guides how to carry out risk management activities

in the project.
• Projects always have unexpected issues, and as a
project manager, it is your job to identify events that
cause issues and manage them proactively.

• A well developed risk management plan outlines

how to identify, qualify, monitor, and control risks
throughout the project life cycle.

3
 Cont….
- Risk Management Plan is detailed formulation of a
program of action for the management of risk.
- A risk management plan describes how risk is handled
in the project.
-It documents how project risk assess, who is responsible
for doing it, and how often you'll do risk planning.
- It is the process to:
 Develop & document an organized, comprehensive,
and interactive risk management strategy.
 Determine the methods to be used to execute a
program’s risk management strategy.
 Plan for adequate resources.

4
 Cont….
 Risk planning develops a risk management strategy,
which includes both the process and implementation
approach for the project.

 An output of the risk planning process is the risk

management plan (RMP).

 RMP is the roadmap that guides the project team from

current state to desired future state.

 RMP should include appropriate definitions, ground rules

& assumptions associated with performing risk
management on the project, risk categories, suitable risk
identification & analysis methodologies, a suitable risk
management implementation, & suitable documentation
for risk management activities.

5
 Risk Identification
 Risk identification is the process of understanding
what potential unsatisfactory outcomes are
associated with a particular project.
 Involves identifying potential project risks.
 It documents which risks might affect the project
and documents their characteristics.
 It is a result from; survey of the project, customer,
and users for potential concerns.

6
 Cont…
 Common practice of project risk (business, contract
relationship, cost, funding, management, political,
and schedule risks) according to its source, which is
typically either objective or subjective.

1. Objective sources: recorded experience from past

projects and the current project as it proceeds.
- Lessons learned files
- Program documentation evaluations
- Current performance data

7
 Cont….
2. Subjective sources experiences based upon
knowledgeable experts.
- Interviews and other data from subject matter experts.
Risks can also be identified according to life-cycle phases,
as shown in following figure
 In the early life-cycle phases, the total project risk is high
in part because of the lack of information that may
preclude comprehensive and accurate risk identification,
and because risk response plans have yet to be developed
and implemented.
 In the later life-cycle phases, financial risk is generally
substantial both because of investments made (such as
cost) and because of foreclosed options (opportunity cost).
8
Cont….

9
Cont….

10
 Cont….
 Risk identification should be approached from the
perspective of “IF” the risk occurs (e.g., probability-
1.0), “Then” what will be the impact (consequence of
occurrence) “Because” of one or more underlying
causes (potentially root cause).

 Using this approach avoids confusion associated with

the level of the probability of occurrence (and its
components) and consequence of occurrence (cost,
technical performance, schedule).

11
 Risk Analysis
 Conducted to determine causes of risk, and estimate
their probability and consequences.
 systematic process to estimate the level of risk for
identified and approved risks.
 It involves estimating the probability of occurrence and
consequence of occurrence and converting the results to
a corresponding risk level.
Principles in Analyzing Risk
1. Ensure that there is a clearly structured process in which
both likelihood and impact are considered for each risk.
2. Record the assessment of risk in a way which facilitates
monitoring and the identification of risk priorities.
12
 Cont…
3. Be clear about the difference between, inherent & residual
risk.
- Inherent Risk is the intrinsic risk of an event or
circumstances that existed before the introduction of any
means of control. It is the product of impact and Likelihood
of a risk.
- Residual Risk is the risk remaining after institution of
appropriate controls. Effectively, this is the risk that needs to
be managed.
4. Evaluate both the likelihood of the risk being realized and
the impact if the risk is realized.
5. Compare the assessed risk to the risk appetite, and the extent
of action required becomes clear. The action required are
then judged against the risk appetite.
- Risk appetite is the amount of risk that an organization is
prepared to accept, tolerate, or be exposed to at any point in
time.
13
 Cont…
 Risk analyses are often based on detailed information that
may come from a variety of techniques, including but not
limited to:
• Analysis of plans and related documents
• Comparisons with similar systems
• Data from engineering or other models
• Experience and interviewing
• Modeling and simulation
• Relevant lessons-learned studies
• Results from tests and prototype development
• Sensitivity analysis of alternatives and inputs
• Specialist and expert judgments etc.
- After performing a risk analysis, it is often necessary to
convert the results into risk levels. Project risk can be
analyzed through: 1. Qualitative analysis and
- 2. Quantitative analysis
14
 Qualitative Risk Analysis
 When a qualitative risk analysis is performed, risk
ratings can be used as an indication of the potential
importance of risks on a program.
• High risk: substantial impact on cost, technical
performance, or schedule. Substantial action required to
alleviate issue. High priority management attention is
required.

• Medium risk: some impact on cost, technical performance,

or schedule. Special action may be required to alleviate
issue. Additional management attention may be needed.

• Low risk: minimal impact on cost, technical performance,

& schedule. Normal management oversight is sufficient.
15
 Cont….

 It assesses the priority of identified risks using their

probability of occurring, the corresponding impact on
project objectives if the risks do occur, as well as other
factors such as the time frame and risk tolerance of the
project constraints of cost, schedule, scope, and quality.

 The risk is evaluated using expert opinion against all

relevant probability of occurrence scales as well as the
three consequences of occurrence scales (cost, technical
performance, & schedule), & the results are then
transferred onto a risk mapping matrix to convert these
values to a corresponding risk level.

16
 Cont…
 There are different classes of risk scales:
 Nominal scales: have coefficients with no mathematical
meaning, and the values are generally placeholders (e.g.,
freeway numbers) – not used for risk analysis
 Interval scales: such as Fahrenheit and Celsius, are
cardinal in nature but Interval scales are not commonly
used in risk analyses.
 Ordinal scales: have levels that are only rank-ordered-
they have no cardinal meaning because the true scale
interval values are unknown.
 Calibrated ordinal scales: are ordinal scales whose scale-
level coefficients are estimated by evaluating an additive
utility function (similar approach).
17
 Cont…

 Ratio scales: such as Kelvin and Rankine, have cardinal

coefficients, indicate absolute position and importance,
and the zero point is meaningful.
 Estimative probability scales: can either be ordinal
(more common) or cardinal (less common) in nature,
depending upon the source of the underlying data and
the structure of the scale.
- This type of scale should never be the first choice when
performing a risk analysis because different people may
assign different probability values to the same subjective
word

18
 Quantitative Risk Analysis
 When a quantitative risk analysis methodology is used,
the results can be grouped by existing cost risk, schedule
risk, or technical risk boundaries that have specifically
been tailored to the program, or by performing a
(statistical) cluster analysis on the results.

 Several methodologies are commonly used in quantitative

risk analyses, include, a Monte Carlo process, and
decision analysis.
 A common methodology that incorporates a model
structure and probability distributions is a Monte Carlo
process (commonly called a Monte Carlo simulation).

19
 Cont…
 Quantitative risk analysis outputs can be used in a variety of
ways, including but not limited to developing:
 prioritized risk lists (similar to that for calibrated ordinal
scales)
 probabilistic cost estimates at completion per project
phase and probabilistic schedule estimates for key
milestones to help the project manager allocate reserve
accordingly.
 probabilistic estimates of meeting desired technical
performance parameters (e.g., missile accuracy) and
validating technical performance of key components
(e.g., real-time integrated circuit operation)
 estimates of the probability of meeting cost, technical
performance, and schedule objectives (e.g., determining
the probability of achieving the planned estimate at
completion, a key schedule milestone, or top-level
technical performance requirements).
20
 The Monte Carlo Process
 It is an attempt to create a series of probability distributions
for potential risks, randomly sample these distributions, and
to then transform these numbers into useful information that
reflects quantification of the associated cost, technical
performance, or schedule risks.

 Monte Carlo simulations have also been used to estimate risk

in the design of service centers; time to complete key
milestones in a project; the cost of developing, fabricating,
and maintaining an item; inventory management; and
thousands of other applications.

 To use a Monte Carlo simulation, you must have three

estimates (most likely, pessimistic, and optimistic) plus an
estimate of the likelihood of the estimate being between the
optimistic and most likely values.
21
 Cont….
 A summary of the steps used in performing a Monte Carlo
simulation for cost and schedule trails, but, technical
performance simulations can have a widely varying model
structure.
 The details of implementing the Monte Carlo simulation will
vary between applications, many cases use a procedure
similar to this:
1. Develop and validate a suitable cost or schedule
deterministic model without risk or uncertainty.
2. Develop the reference point estimate (e.g., cost or schedule
duration) for each WBS (work breakdown structure) element
or activity contained within the model.
3. Check & recheck the model logic(cost & schedule)&
constraints(schedule), as incorrect model logic & constraints
are surprisingly common &will lead to erroneous simulation
results.
22
 Cont….
4. Identify the lowest WBS or activity level for which
probability distributions will be constructed. The level
selected will depend on the program phase—often lower
levels as the project matures.

5. Identify which WBS elements or activities contain

estimating uncertainty and/or risk. (For example, technical
risk can be present in some cost estimate WBS elements and
schedule activities).
6. Develop suitable probability distributions for each WBS
element or activity with estimating uncertainty and/or risk.

 For cost risk analyses cost estimating uncertainty, schedule

risk, and technical risk should be considered as separate
distributions.

23
 Cont….
 For schedule risk analyses schedule estimating uncertainty,
technical risk, and possibly cost risk should be considered as
separate distributions. With some tools (e.g., some project
scheduling software) only a single probability distribution can
be used for a given WBS element or activity.

7. Aggregate the WBS element or activity probability

distributions functions using a Monte Carlo simulation.
8. Sensitivity and scenario analyses should also be considered for
cost and schedule risk analyses.
 However, they should be performed on the probabilistic
(simulation) model, not the deterministic (predictable) model.
 If the deterministic model is used, probabilistic considerations
will not be taken into consideration.

24
 Risk Responses Plan
• Plan risk responses is the process of developing options,
selecting strategies, and agreeing on actions to address
overall project risk exposure, as well as to treat individual
project risks.
• Effective and appropriate risk responses can minimize
individual threats, maximize responses can have the
converse effect.
• Risk response should be appropriate for the significance of
the risk, cost effective in meeting the challenge, realistic
within the project context, agreed up on by all parties
involved, and owned by responsible person.
• Specific actions are developed to implement the agreed up
on risk response strategy, including primary and backup
strategies, as necessary.
25
 Cont….
 Project management plan components include:
• Resource management plan
• Risk management plan
• Cost baseline

Objectives of Risk Response Planning

• Develop options & determine actions to enhance
opportunities & minimize threats to project objectives.
„

• Assign responsibility to individuals or parties for each

risk response.

26
 Criteria For Risk Response
 Risk response must be:
• Proportional to the severity of the risk
• Cost effective
• Timely
• Realistic
• Accepted by all parties involve
• Owned by a person or a party

27
Risk Response Planning: Inputs, Tools, &Techniques
& Outputs

Inputs Tools &Techniques Outputs

• Strategies for negative

risk (Threats) • Risk register updates
• Risk management • Strategies for positive • Risk management plan
plan risk (opportunities) updates
• Risk register • Strategies for both for • Risk contractual
both opportunities and agreement
threats
• Contingent response
strategy

28
 Inputs to Risk Response Planning
1. Risk management plan. Major elements from the plan
needed include roles & responsibilities, budgets and schedule
for risk management activities, risk categories, definitions of
probability & impact, and the stakeholders’ tolerances.

2. Risk Register Reference will be made to:

a. List of prioritized risks. from qualitative and quantitative
risk analysis.
b. Probabilistic analysis of the project. from quantitative
risk analysis.
c. Probability of achieving the cost and time objectives.
d. List of potential responses. In the risk identification
process, actions may be identified that respond to
individual risks or categories o f risks.
29
 Cont….
5. Risk thresholds. The level of risk that is acceptable to the
organization will influence risk response planning.
6. Risk owners. A list of project stakeholders able to act as
owners of risk responses. Risk owners should be involved in
developing the risk responses.
7. Common risk causes. Several risks may be driven by a
common cause. This situation may reveal opportunities to
mitigate two or more project risks with one generic response.
8. Trends in qualitative and quantitative risk analysis results.
Trends in results can make risk response or further analysis
more or less urgent and important.
9. Watch list of low priority risks.

30
Tools & Techniques for Response Planning
1. Strategies for negative risks (Threats)
2. Strategies for positive risks (Opportunities)
1. Strategies for negative risks (Threats)
- Risk response includes the following strategies.
Avoidance, transfer, mitigate and accept

 Risk avoidance is done by changing the project plan to

eliminate the risk or the condition that causes the risk in
order to protect the project objectives from its impact.
• Examples of risk avoidance are: ‰
add resources or time,
obtain information…etc. ‰

31
 Cont…
 „ isk transfer is the risk to a third party who will carry the risk
R
impact and ownership of the response.
• Examples of risk transfer are: the use of insurance,
performance bonds, warranties & guarantees.
 Risk mitigation aims at reducing the probability and/or impact
of a risk to within an acceptable threshold.
• Examples of risk mitigation: adopting less complex processes,
or choosing a more stable supplier.
 Risk acceptance indicates a decision not to make any changes
to the project plan to deal with a risk or that a suitable response
strategy cannot be identified.
 There are two types of acceptance:
Active acceptance: may include developing a contingency
plan to execute should a risk occurs.
Passive acceptance: requires no action. The project team
‰
will deal with the risk as it occurs.
32
 Cont…

 A contingency plan is developed in advance to respond to

risks that arise during the project.
 The most usual risk acceptance response is to establish a
contingency allowance, or reserve, including amounts of time,
money or resources to account for known risks.
2. Strategies for positive risks (Opportunities)
 Strategies for positive risks are: exploit, share and enhance

 Exploit the opportunity

 „Ensure that the risk event happens by eliminating the
uncertainty to take advantage of the opportunity. Examples:
assign qualified personnel, select an appropriate project
delivery, provide better quality.

33
 Cont…
 Share the risk „
 Allocate ownership to a third party who has a better
chance of achieving the required results. Examples: joint
ventures, partnerships, rewards.
 Enhance „
 Increase the likelihood of occurrence or the impact of the
of the event. ‰
• Improve chances for the event to happen so the
opportunity becomes more certain.‰

• Consider how the impact can be increased and choose a

course of action that in the increased impact.

34
 Outputs from Risk Response Planning
1. Risk Register Updates
 The risk register is updated to reflect the results of the
response planning process. Level of detail of documenting a
risk should be appropriate to the ranking of the risk (high risks
in detail, low risks by listing).

2. Project Management Plan Updates

 The project management plan is updated to incorporate
response activities including reflecting impact on cost and
schedule.

3. Risk Contractual Agreements

 Contractual agreements are prepared to specify each party’s
responsibility for specific risks, should they occur. This
include agreements for insurance, services, & other items as
appropriate in order to avoid or mitigate threats
35
 Project Risk Monitoring and Control
 The project management monitoring and controlling
starts as soon as a project begins.
 Project monitoring and controlling processes are
where the performance of the project is measured and
action is taken based on an analysis of this data.
 The aim of project monitoring and control is to
provide an understanding of the project’s progress so
that appropriate corrective actions can be taken when
the project’s performance deviates significantly from
the plan.

36
 Cont…
 Monitoring is the process of collecting, recording and
reporting information concerning project performance
that project manager and others wish to know.
 Controlling is uses data from monitor activity to bring
actual performance to planned performance.

 Control is the process and activities needed to correct

deviations from plan.

Control the triple constraints

 Time(schedule)
 Cost(budget, expenses, etc.)
 Performance(specifications, testing results etc.)

37
 Cont….

Why do we monitor?
 Provide project manger and development team the
following:
• An accurate assessment of the progress to date.
• Insight in to the quality of the evolving software
product.
• A basis for estimating cost and budgeting with
increased accuracy over time.

38
 Purposes of Monitoring and Control
 Ensure the team is making progress.
 Overall objectives:-
 Track accomplishment and compare to planned values.
 Revise the project plan: accomplishments so far,
remaining work(if needed).
 Detect performance issues As early as possible, such
that corrective action can be taken.

What do we obtain?
Inputs Outputs
- Time - Progress
- Money - Costs
- Resources - Job starts
- Materials usage - Job completion
- Task - Design changes
- Quality/Technical performance - Variation order
39
 When do we monitor?
 Continuously
 Regularly
 Logically
 At preplanned decision points(milestones)
 At task completion
Project Monitoring and Control Activities
 Continuously monitor progress
• Examine progress on all key dimensions of the
projects, goals, likely to be met?
 Communicate team reviews
• Communicate status(technical activities) plan for next
activities of the project.
 Manages changes
• Identify, evaluate, prioritize, and control changes to the
project.
40
 Cont….
 Revise the plan
• Significant changes needed to be reviewed and agreed to by
those who originally approved the plan.
 Conduct work product reviews
• Walkthroughs, technical reviews and inspections, based on
quality goals.
 Milestone attainment
• Maintain the initial baseline, as well as the most recent
update.
 Effort spent
• Compare initial effort estimates for each major WBS
element with actual effort spent.
 Budget/ cost performance
 Compare rate of spending on the project by period(week and
month) compared to the planned spending.
41