
Risk management for project managers concepts and practices


Two Park Avenue

New York, NY 10016, USA

www.asme.org

The Technical Manager’s Survival Guides

Risk Management for Project Managers

Concepts and Practices

By

Marcus Goncalves and Raj Heda

“Good read. This book is a template for managing complex businesses and contains information that every Asset Manager should know. Highly recommended.”

—James Willey, P.E., Vice President, Pearl Energy Philippines Operating, Inc.

“Uncertainty, or risk, is an essential part of life so that thoughtful action can influence the success or failure of endeavours. This is nowhere more apparent than in projects, where poor risk management often leads to failure. Goncalves and Heda’s new book makes a valuable contribution to the project risk management literature, highlighting the need to systematically and practically manage risks, and gives valuable best-practice advice on how this can be done effectively and efficiently. It is a concise, easy read for non-technical managers who will find it full of practical information.”

—Richard Whitfield PhD, President, East-West Institute for Advanced Studies, Macau, China

“Marcus’s new guide to risk management provides pragmatic advice that project managers can use to help them frame risks, use that knowledge to retain control of their projects and get their project completed with a minimum number of unpleasant surprises. An excellent book that all project managers should keep on their book shelf.”

—Rick Welch, Senior Vice President of Services, Demandware Corporation, Burlington, MA, USA


© 2014, ASME, 2 Park Avenue, New York, NY 10016, USA (www.asme.org)

All rights reserved. Printed in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

INFORMATION CONTAINED IN THIS WORK HAS BEEN OBTAINED BY THE AMERICAN SOCIETY OF MECHANICAL ENGINEERS FROM SOURCES BELIEVED TO BE RELIABLE. HOWEVER, NEITHER ASME NOR ITS AUTHORS OR EDITORS GUARANTEE THE ACCURACY OR COMPLETENESS OF ANY INFORMATION PUBLISHED IN THIS WORK. NEITHER ASME NOR ITS AUTHORS AND EDITORS SHALL BE RESPONSIBLE FOR ANY ERRORS, OMISSIONS, OR DAMAGES ARISING OUT OF THE USE OF THIS INFORMATION. THE WORK IS PUBLISHED WITH THE UNDERSTANDING THAT ASME AND ITS AUTHORS AND EDITORS ARE SUPPLYING INFORMATION BUT ARE NOT ATTEMPTING TO RENDER ENGINEERING OR OTHER PROFESSIONAL SERVICES. IF SUCH ENGINEERING OR PROFESSIONAL SERVICES ARE REQUIRED, THE ASSISTANCE OF AN APPROPRIATE PROFESSIONAL SHOULD BE SOUGHT.

ASME shall not be responsible for statements or opinions advanced in papers or printed in its publications (B7.1.3). Statement from the Bylaws.

For authorization to photocopy material for internal or personal use under those circumstances not falling within the fair use provisions of the Copyright Act, contact the Copyright Clearance Center (CCC), 222 Rosewood Drive, Danvers, MA 01923, tel: 978-750-8400, www.copyright.com.

Requests for special permission or bulk reproduction should be addressed to the ASME Publishing Department, or submitted online at: http://www.asme.org/kb/books/book-proposal-guidelines/permissions

ASME Press books are available at special quantity discounts to use as premiums or for use in corporate training programs. For more information, contact Special Sales at

I would like to thank, yet again, Mary Grace Stefanchik, the editor at the American Society of Mechanical Engineers (ASME), not only for publishing yet another one of my works for ASME’s collection, but especially for her continuous patience during the production phase of this book. Many thanks, again, to my co-author and friend Raj Heda, for finding time in his schedule to lend his expertise on risk management, and write this book with me.

Raj Heda: I wish to record my debt to some of the people who have made an indelible mark in my life.

A special note of thanks to my dear professor and now friend and colleague, Marcus Goncalves, for his generous helpfulness, trust, support and above all, for offering me again the opportunity to co-author this book.

To my mother for being ever loving and encouraging. To my brother Ravi for all the love and the fun days we spent. To my aunt, Meenu, for always lending me a patient ear and giving me genuine advice in all my endeavors. To my friend and colleague in business, Dorothy, for her sincere lookout for my well-being and for her beautiful heart. To my dear friends Anand, Shrikant, Prajay, Prashant and Amit for always being there for me in good times and bad. To my good friend, Matt, for help with graphics in the book.

Many thanks to Marcus and the team at ASME for involving me in this project. I am indebted to my beautiful daughters, Radhika and Vrinda, for showering all their love on me and for always bringing a smile to my face; they make everything worth the effort. I am grateful to my loving wife for always having the confidence in me - even beyond what I have in myself. Finally, I can never forget the contributions of my mother in getting me to where I am in my life today. Love you Mom!

To my wife Carla, sons Samir and Josh (in memory), and my princess Andrea (also in memory), the true joy of my life. To God be the glory!

Marcus Goncalves, Summer 2013

To my wife, Anu, for being such a caring and loving life partner, for her synergistic help in all my activities and for her invaluable editing of this book. To my beautiful princesses Radhika and Vrinda, who are my true loves and who make it all worth the while!

In loving and thankful memory of my dearest father, Shiv Heda, the angel always beside me.

Raj Heda, Summer 2013

Table of Contents

Acknowledgement
Dedication

Chapter 1
Understanding Risk: Opportunities or Threat?
  Overview
  What is Risk?

Chapter 2
Risk Management Theory and Practice
  Overview
  What is Risk Management?
  Appetite for Risk
  Categories of Risk
  Outcome of Risk Assessment

Chapter 3
Developing a Risk Assessment and Mitigation Strategy
  Overview

Chapter 4
The Risk Management Process
  Overview
  Risk Identification
  Qualitative and Quantitative Risk Analysis
  Risk Response Planning
  Risk Monitoring and Control

Chapter 5
Risk Analysis Tools and Methodologies
  Overview
  Qualitative Risk Analysis: Tools and Techniques
  Risk Probability and Impact Assessment
  Probability and Impact Matrix
  Risk Data Quality Assessment
  Risk Categorization
  Risk Urgency Assessment
  Quantitative Risk Analysis: Tools and Techniques
  Data Gathering and Representation Techniques
  Probability Distributions
  Monte Carlo Simulation
  Sensitivity Analysis
  Decision Tree Analysis

Chapter 6
Identifying Risk
  Overview
  Identifying Risks
  Risk Identification Process
  Best Practices for Risk Identification

Chapter 7
Assessing and Mitigating Risk
  Overview
  Four Steps to Risk Assessment
  Prioritizing Risk
  Measuring Risk Impact
  Measuring Likelihood
  Risk Mitigation Strategies
  Risk Assessment Best Practices

Chapter 8
Developing Risk Response Strategies
  Overview
  Developing a Risk Response Strategy
  Responding to Risk Events
  Identifying Risk Response Alternatives
  Selecting Response Alternatives
  Assigning Risk Ownership
  Preparing Risk Response Plans

Chapter 9
Implementing Risk Response Controls
  Overview
  Response Controls and the Risk Registrar
  Inputs to Risk Monitoring and Controls
  Techniques to Risk Monitoring and Response Control
  Outputs to Risk Monitoring and Response Controls
  Handling Change Requests

Chapter 10
Incident Management and BC/DR Planning
  Overview
  Distinguishing Business Continuity from Disaster Recovery Planning
  What is in the Plans
  Developing a Business Impact Analysis
  Incident Management Process

Glossary of Terms
About the Authors

Chapter 1

Understanding Risk: Opportunities or Threat?

It is important that project managers have a total understanding of risk management, by familiarizing themselves with the principles of the risk management process. Under the Project Management Institute’s (PMI) Project Management Body of Knowledge (PMBOK), risk management falls into the arena of Project Planning. But over time, specific standards and methods have been developed with respect to risk management best practices. Such methods of analysis have assisted those of us practicing risk management in establishing standard ways of identifying, assessing, responding to, and managing risk events. These methods have also helped us practitioners to manage risks by avoiding, transferring, or reducing the impact of such risks, or by various other alternative solutions that will be discussed throughout this book.

In 2002, the U.S. National Institute of Standards and Technology (NIST) published a set of risk management best practices. According to the guide, risk management consists of risk assessments, risk mitigation, and ongoing risk evaluations and assessments. For instance, the risk assessment stage is where project managers identify and evaluate each risk, the impact these risks have on the organization, and any risk-reducing recommendations. The risk mitigation stage involves prioritizing, implementing, and maintaining appropriate risk-reduction measures that are recommended in the risk assessment process, while the ongoing risk evaluation and assessment stage asks that the organization continuously evaluate their risk management activities in reducing risks.

Generally speaking, any risk event is a result of uncertainty in a project, or process, including but not limited to uncertainties in the marketplace such as variations in demand, supply and the stock market, project failures, accidents, and natural disasters, to name a few. As we will discuss later in this book, when dealing with risk analysis, a risk prioritization process should be followed whereby risks that pose the threat of great loss and have great probability of occurrence are dealt with first. Table 1.1 provides an example of this process, which can be useful in strategizing various risk scenarios.

IMPACT      | LIKELIHOOD: LOW                        | LIKELIHOOD: MEDIUM            | LIKELIHOOD: HIGH
SIGNIFICANT | Considerable Management Required       | Must Manage and Monitor Risks | Extensive Management essential
MODERATE    | Risks are bearable to a certain extent | Management effort worthwhile  | Management effort required
MINOR       | Accept Risks                           | Accept but monitor Risks      | Manage and Monitor Risks

Table 1.1 - A sample template of a risk event analysis matrix

As observed in Table 1.1, the two main variables to be analyzed in any risk assessment and mitigation process, which should govern the response actions required, are the probability of occurrence and the impact of the risk. For instance, let’s assume a risk event condition where the impact on the project is minor and the probability of it actually occurring is low. In such a scenario the best course of action, risk mitigation, may be to accept the risk without any interventions. Conversely, however, in a condition where the likelihood of a risk event occurring is high and the impact is significantly high as well, there might be a need for extensive risk management. The study of risk assessment and mitigation methods helps us understand how a certain priority can be established in dealing with the risk. Therefore, it is key to this process that we first understand what risks are, and what they are not.

What is Risk?

Risk, or better yet risk events, can be found in almost anything that we set out to do or accomplish in life, be it in business or our own personal lives. Think of a risk event as a situation that can potentially have a negative impact on something, or a process, that is important, or of value to you. Risk events can be caused by an endless variety of factors. Since we cannot anticipate all risk events and mitigate every single one of them, it is important for us to devise methods to understand and analyze the severity of a risk, so we can decide how to effectively respond to it, from deciding to do nothing about it, or something, to not taking the risk at all. Hence, a risk event should always be analyzed for its probability of occurring: the higher the chance that a risk event will happen, the higher the risk. Probability is then assessed in combination with loss.

As suggested earlier in this chapter, when it comes to project management, all types of risk can occur, such as knowledge risk, relationship risk or process-engagement risk. Unfortunately, as we already know, each of these risk events can have a huge impact on the productivity of your teams and ultimately on the success of the project at hand. That said, it is also important to understand that not all risks can be avoided, nor should they be, otherwise nothing would ever be accomplished in your lives, or projects, as risk events exist in every single task we are involved with, some higher, some lower, but they are always there, waiting to comply with Murphy’s Law, where anything that can go wrong, will! Our job is to identify and analyze these risk events, their potential outcomes, and decide when to allow the risk. Such an analytical process of assessment, analysis, and mitigation causes us to follow a risk management cycle, as depicted in Figure 1.1.

As illustrated in Figure 1.1, there are four steps in the process of risk management, which will be discussed in detail in later chapters of this book. In general terms, the first step is the assessment of risk events, followed by evaluation and management of the same. The last step is measuring the impact of such risk events.

Figure 1.1 - Risk Management Cycle

Risk event identification, the first step, typically starts at the base or the surface level of a project. The key question here is, what can go wrong? What can deviate from what has been planned? As we ask such questions we are also trying to identify the source of such risk events. By risk source we mean any cause, which could be either internal or external to the project at hand. External sources are often beyond our control while internal sources are potentially controllable, to a certain extent at least. For example, we cannot control an unexpected rain (external), but we can control how we deal with it by carrying an umbrella (internal), etc.

After major risk events have been identified then it is time to assess the potential of criticality they present. Such analysis will require you to prioritize your risk events. In general terms, likelihood of occurrence × impact is equal to risk. After you have a good understanding of the risk events identified, you will be required to develop a risk management plan and implement it; the plan will comprise the effective security controls and control mechanisms for mitigation of risk. It goes without saying that a challenging risk to any organizational effectiveness is a risk event that is present but cannot be identified.

The risk management process can minimize the chances and effects of bad outcomes in a project, and can accelerate an organization’s recovery from disasters. But this process does not suggest you need to avoid all risks, as there are always opportunities in risks, and insurance companies know this well and capitalize on it. It is, therefore, important that as part of your risk assessment and mitigation process you also understand and analyze the threat versus opportunity a risk event imposes on your project. The question here, as depicted in Figure 1.2, is: Is this risk event imposing a threat to my project or an opportunity?

Figure 1.2 - Understanding risk threats and opportunities

As illustrated in Figure 1.2, risk events have several dimensions. A risk event in itself is neither good nor bad. A risk with low probability of occurring and very low impact on a project in the event of it occurring may be insignificant enough to be ignored. Conversely, a risk with high probability of occurring with a high impact to the project may not be worth taking, or at least it may deserve to be hedged.

One of the main goals of the risk assessment and mitigation process is, therefore, to devise strategies that enable us to change the model, to change the threat versus opportunity correlation in a risk event, as depicted in Figure 1.3.

Figure 1.3 - Changing the risk assessment model from threat into opportunity

The following chapter will help you understand in detail the process of analyzing and mitigating risk events.

An organization that weaves risk management into its project management process can be said to have a proactive approach to managing risk. Undoubtedly, such an organization will be better prepared to manage and mitigate risks in an increasingly volatile business environment and will have a more favorable outcome than an organization that crosses the bridge when the time comes. The irony here is that most executives these days acknowledge that there are known and unknown risks impacting their businesses and projects but very few have a risk plan that they rigorously follow and follow up on.

What is Risk Management?

Now that we recognize the inevitability of risk, we need to do something to manage this uncertainty. The process of managing risk in a manner to maximize the probability of highest positive outcome is called risk management. Risk management needs to be an integral part of project planning. It is not an isolated event that occurs at the start of the project during the initial planning phase. Business environments are always changing and technology is changing at a much faster pace than the overall business. Therefore, risk management needs to be an ongoing process. More likely than not, risk management in another section of a business feeds into the project idea. Active risk management continues throughout the project life cycle. And risk management must continue even after the project has been successfully implemented. Also, risk management is not a task relegated to an isolated risk team. Risk management is just one aspect or one of the tasks under overall project management that provides inputs during all the project steps.

The core concept of risk is that it is the probability of occurrence of an unfavorable outcome and the consequence of that outcome.

In other words, R = p × c

where,

R = Risk

p = probability of unfavorable outcome

c = consequence of unfavorable outcome

For instance, suppose a company expects that it could either have an outstanding year and achieve $100mn in revenue, or might not fare that well and just be able to garner $50mn in revenue. Both outcomes have equal probabilities of occurring. Here, there is a 50% probability of the firm losing $50mn in revenue. However, is that all that is at risk? Sadly, no. The consequences of a negative outcome go far beyond the immediate monetary loss. The company might have had some projects in the pipeline that it can no longer fund. Therefore, the company is risking losing new revenue opportunities. The company might need to lay off employees to cut wages and salaries. This will impact the firm in that the firm might lose critical manpower and will have to make do with a smaller workforce. This will also impact the morale of the employees laid off and also of those that remain. The investors are not going to be happy about the much lower revenue and this will restrict access to capital for future projects. Therefore, when managing risk, it is imperative that both the immediate and future consequences of an unfavorable outcome are taken into consideration. Therefore, it can be said that the main purpose of risk management is not just preventing losses but also protecting a company such that it can go about its business as usual.

From the above equation, it can also be inferred that in general, if either the probability of occurrence or the impact or consequence of the occurrence increases, the risk increases. However, there is not a 1-to-1 relationship between the increase in probability and/or consequence and risk. In other words, for every unit increase in probability and/or consequence, risk does not increase by the same amount. The impact on risk depends on the life cycle of the project. For instance, if a project fails very early on in its life, the risk is lower since not much has been invested into the project. However, as time passes and more resources are utilized the stakes increase.

A few important concepts to keep in mind when managing risk for

Appetite for Risk

Just as no one model investment portfolio is suitable for all financial investors, no one risk management approach is suitable for all kinds of projects. Every project is unique in itself and must be viewed as such when devising risk management strategies for it. For instance, a project that is not expected to result in a significant enhancement in revenues or productivity for a company might not be high on the priority list of the project management office. As such, the risk tolerance for such a project would be low. Similarly, a project that is expected to take the company to the next level would be a top-priority project for which the company would be willing to take risks.

Another important aspect to consider is the appetite for risk of the project manager. Some project managers are risk takers by nature and derive satisfaction from taking on highly risky projects and turning them around. Other project managers are risk averse and would not like to take on more risks than necessary. Yet another set of project managers make a more detached decision regarding projects. They have a more mathematical approach and go by just what the numbers say.

The risk appetite of the firm has a final bearing on the risk appetite for the project. For instance, the firm might be in the process of issuing an IPO and all seems to be going as planned. At this point, the firm might not want to take on highly risky projects. This is because investors punish companies more severely for failures than reward them for successes. Another example is that of a pharmaceutical company. Such companies derive maximum revenues from licensed drugs. Therefore, they spend a lot of money on drug research and are willing to embark on risky experiments to discover the break-through drug. On the other hand, firms that are very stable and have profit margins in the low single digits do not have much of an incentive to take on risky projects. The margin of error is low for them and they are unwilling to rock the boat when not required.

Figure 2.1 - Risk Categories

External risks are toughest to manage for a project manager since these are factors that are not in the manager’s control. However, proactive planning and hedging can help the manager reduce the impact of external risks.

No project can be successful without the buy-in of the senior management. A project is dependent on the organization for funding, resources and prioritization. Finally, projects in general do not operate as silos. There could be some pet projects that work as independent entities within organizations. However, most of the projects are linked to other activities or projects within the organization, and this contributes to the risk associated with the project.

Finally, there are risks associated with the project management activities for the project. Gaps in planning, estimating, controlling and communication among project stakeholders will impact the project outcome and hence act as risks to the project.

Outcome of Risk Assessment

Based on the risk appetite of the organization and the project manager, the project manager has identified risks in the various categories that he needs to manage. Now what? The outcome of this risk assessment exercise is the risk management plan that the project manager owns. The risk management plan is integrated into the project plan. It elaborates on the two W’s and two H’s of risk management:

How will the risk be managed

How much will be spent on managing the risk

There are several risks impacting every project. Not all of them need to be managed. Some risks can be tolerated and some will need to be mitigated. Therefore, one of the main outcomes of risk assessment is identifying which risks need to be mitigated or otherwise managed.

The risk management plan also identifies individuals or teams that will be assigned the responsibility of managing the risks and identifies tools that they will use to manage the risks. Finally, it will also outline the budget outlay for the various risk activities. Some risks might not be worth mitigating and the risk management plan will identify those risks.

a natural calamity, etc

When a project plan does not incorporate a risk plan, it is like shooting darts in air. There is a likelihood of hitting the eye but this likelihood is very low. In other words, the project might succeed, but its success can be attributed to sheer luck and not something that can be repeated. If you pick up some older project management books, you might not find a discussion

we least expect them. As such, projects never turned out as planned and the project plans were not equipped to handle contingencies. As a result, projects ended up with cost and schedule overruns or had to be scrapped altogether. Therefore, risk management started getting more and more attention.

The first change that needed to be made was to change the attitude towards risk. Risk is not something that is bad or needs to be frowned upon. Risk, if planned for appropriately and managed expertly, can result in competitive advantage. However, in order to capitalize on risk, it needs to be anticipated proactively, prioritized intelligently, planned for appropriately and monitored continuously. When risk is managed in this fashion, it becomes an opportunity for higher project success.

The next question was whether an individual or a team should be assigned the role of risk management while the rest of the team continues to work as before. Unfortunately, such a setup is also very likely to fail. The risk managers are sadly not the favorites in the project team. They are the ones that are considered the harbingers of bad news or the ones that are always pointing out the loose ends or what could go wrong. When all is going well, no one wants to hear that there is a possibility of failure and no one wants to expend resources to prepare for outcomes that seem far from likely. As such, risk management plans would not be worth the paper they are written on. Therefore, risk management needs to be an integral part of project management. All the stakeholders that help with the project plan also create the risk plan for the project. Outside experts should also be leveraged since they might offer perspectives that might be missed by the internal stakeholders.

Risks can be known and unknown. For instance, an existing competitor is a known risk. However, a new entrant is an unknown risk. Definitely, a known risk would require leashing immediately. Also, it gets highest visibility. However, unknown risks can cause much more severe damage and disrupt project success. Therefore, when planning for risks, both known and unknown risks must be addressed.

It must be kept in mind here that not all risks need to be mitigated. All risks do not have the same impact on the project. Hence, it is essential that risks are assessed for impact and a mitigation strategy be formalized accordingly.

Risk assessment starts with identifying risks and estimating the probability of occurrence of the risks. Once the universe of risks and their probabilities is identified, the project needs to be assessed for vulnerabilities to the risks identified. Some risks exist and are likely but do not impact the project as much. Hence, an impact analysis is conducted to identify risks that are likely and would impact the project significantly if they do occur. These are the risks that need to be focused on.

Once risks are assessed, a plan is made for their mitigation. The process of developing options and actions to enhance opportunities, and reduce threats to project objectives, is known as risk mitigation planning. Risk mitigation implementation is the process of executing risk mitigation actions. Risk mitigation progress monitoring includes tracking identified risks, identifying new risks, and evaluating risk process effectiveness throughout the project.

Figure 3.1 provides us with an overall view of the risk mitigation planning, implementation, and progress monitoring. Observing Figure 3.1 you will notice that as part of an iterative process, risk-tracking tools can be used to record the results of risk prioritization analysis (third step) that provides input to both risk mitigation (fourth step) and risk impact assessment (second step).

There are general guidelines for applying risk mitigation handling options, which will also be discussed in more detail throughout this book. These options are based on the assessed combination of the probability of occurrence and severity of the consequence for an identified risk, but keep in mind that these guidelines, while appropriate for many projects, may not be so for many other projects and programs.

Some risks are of the kind that the probability is too low, their impact is too low, or the cost of mitigating them is prohibitively high. Project managers decide to live with these risks and cross the bridge when the time comes. At the other extreme are risks that are too significant to take but mitigating them is not feasible. In such cases, project managers decide to avoid them completely by overhauling the project plan. More likely than not, there are risks that can either be mitigated through proactive measures, they can be shared by allocating the risk to several parties or they can be transferred to other parties like insurance companies.

Nonetheless, each of these alternatives requires developing a plan that is implemented and monitored for effectiveness. More information on handling these alternatives is discussed in later chapters, but from a project management perspective, common methods of risk reduction or mitigation with identified program risks include the following, listed in order of increasing seriousness of the risk:

Intensified technical and management reviews of the project

Rapid prototyping and test feedback

ele-as one of its nine key knowledge areele-as Several practitioners and zations have offered different variations of the risk management process However, the basic idea of all the frameworks is the same For the purpose

organi-of this book, we will work with the PMBOK framework

As per the PMBOK, the risk management process consists of the following five steps depicted in Figure 4.1.

There are known and unknown risks that can endanger a project manager’s objective of meeting project goals. As such, planning for mitigating such risk events is an important step in a complete project plan. An organization that has a culture of proactively predicting and planning for contingencies has a greater probability of achieving project goals with fewer pains in the process.

Risk management planning starts by developing and documenting an approach towards risk, responses and continuous monitoring. A macro and microanalysis of the organization and project team is conducted. This gives a high-level view of the organization and insights into factors that impact an organization externally and could lead to risks to the project. Next, taking inputs from the project scope statement and the project management plan, a detailed risk management plan document is drafted.

Figure 4.1 - Risk Management Planning

The process of documenting a risk management plan is iterative and interactive. Every step in project execution provides inputs into the risk management plan and hence it needs to be flexible enough to accommodate changes. Further, there are many stakeholders in a project and they all are potential stakeholders in the risk management plan. Hence, the risk management plan needs to be such that interactions with different stakeholders can provide inputs into the plan.

Finally, all the steps in the risk management process provide opportunities for enhancement of the risk plan. For instance, if during risk response planning, it is found that the inputs of a certain set of external individuals are required for responding to some risk events, then the resource planning in the risk management plan needs to be changed. An important point to remember here is that the risk management plan is a fairly strategic plan. It does not incorporate risk events that are prone to frequent changes. Such events are captured in a separate document called the Risk Register or the Risk Log file.

Once the high-level strategy for risk management is defined, the next step is to define and spec out the tactics. At this point, we need to determine the methods to be adopted for executing the risk management plan and who will be responsible for the various steps. We also need to identify the tools and techniques that will be utilized for risk management and outline the risk communication plan. The risk plan, however, does not get into the details of the tools and techniques that will be used in managing risk. This allows for flexibility in the various steps in the risk management process.

The final output of this step is the Risk Management Plan (RMP). The RMP is the framework or road map that defines the approach to risk of the project team. It analyzes the risk environment, documents the plan for managing the risks, identifies the key personnel enlisted with the various tasks in the risk management process and lists the tools and techniques available for managing risk.

Risk Identification

The next step in the risk management process is risk identification. In this stage, the risks that the project is prone to are identified. Some risks are known risks and some are unknown risks. It is easier to identify and plan for known risks. However, the basic idea of risk management is to plan and prepare for both known and unknown contingencies. Risk identification is also an iterative process, since new risks may be uncovered as the project proceeds. Both internal and external stakeholders provide inputs for risk identification. Internal stakeholders have knowledge of the specific project and hence are in the best position to identify risks associated with it. External stakeholders and subject matter experts have a broader view of the project and hence can provide insights that the internal stakeholders might miss.

Not all risks need to be mitigated or managed. Once risks are identified, the project team can decide which risks need to be actively managed and which risks they are going to live with. This is done to efficiently allocate limited resources and to target risks that can have the maximum negative impact on the project.

The outcome of this step is the Risk Register or the Risk Log File. This is a document that gets edited frequently as new information or knowledge flows in and new risks are identified or existing risks are modified. The Risk Register documents risks in the categories identified earlier. It is dated to keep a log of the progression of risks at various stages of the project. Usually, the Risk Register has maximum entries at the project initiation phase and the list gets smaller in the later stages of the project life cycle. This is because as the project progresses, the unknowns and uncertainties reduce.

Qualitative and Quantitative Risk Analysis

Once the risks are identified and approved for management by the key stakeholders, they are processed through a more thorough evaluation process. The first step in this process is qualitative risk analysis. The purpose of this step is to sift through the multitude of risks to identify the ones with maximum probability of occurrence and corresponding impact. This helps organizations harness their key resources to mitigate high impact risks. Although this step is called qualitative risk analysis, the process used is highly structured and objective. Highly efficient and detailed tools are utilized for identifying the high impact risks.

Once the high impact risks are identified through qualitative risk analysis, these risks are processed through a quantitative risk analysis process so a numerical value can be assigned to them. This process uses techniques such as decision analysis, Monte Carlo simulation, etc., to quantify the possible monetary impact of the risks that require the most monitoring.

Typically, the two steps above are followed to complete a comprehensive risk analysis of the project. However, depending on the needs of the project or the comfort level of the project manager, only one of the above steps can directly feed into Risk Response Planning.

Risk Response Planning

After identifying high impact risks and measuring their potential impact, the obvious next step is to devise tactics for mitigating these risks or bringing them down to acceptable levels. The risk response planning process outlines tools and techniques identified for managing the high impact risks, assigns risk response owners who have agreed to own the handling of specific risks and allocates resources for managing the risks.

Risk response planning must be compatible with the overall project plan in that it should avoid overbooking of resources while also ensuring that none of the project objectives are impacted due to known or avoidable risks. The risk responses must correspond with the level and potential impact of the risks being considered. It must also consider the feasibility of the response given the constraints of budget, time and resources. Several possible risk responses might be considered with the objective of selecting the best.

Risk Monitoring and Control

As has been stated in several instances, risk management is an iterative process. Risks identified at the start of the project may not be valid any more towards the end of the project. Similarly, new risks might crop up that were not identified earlier. The risk monitoring and control process acts as a risk police, monitoring the progress of defined risk responses in mitigating identified high impact risks, re-evaluating the risk priorities, monitoring the risk register for changes in the list of potential risks and evaluating the effectiveness of the various tools and techniques used in mitigating risk.

Risk monitoring and control is a continuous process. The project has a dynamic life cycle and hence the risks associated with the project and corresponding responses for risk mitigation must be dynamically adjusted as well. The extent of risk monitoring would depend on the size of the project and the impact of the potential risks. For smaller projects, the cost of continuously monitoring risk might be prohibitively high.

Finally, risk monitoring and control also includes documenting lessons learned for the benefit of current and future projects and other project teams in the organization.


Qualitative Risk Analysis: Tools and Techniques


Risk Probability and Impact Assessment

As discussed in the previous chapter, one of the key factors in the risk management process is identification of risks that need to be managed and monitored. So, the basic question here is how do we know which risks need to be managed and monitored? For the purpose of this, we define two key characteristics of risk – risk probability and risk impact.

Probability is the likelihood of an event occurring. For instance, earth as we know it might come to an end if a very big asteroid hits the surface of earth. However, what is the likelihood of this event occurring? It is probably very low. As such, we do not actively strategize for this risk. It is more likely that a nuclear bomb might change the face of earth. Hence, all nuclear powers in the world get together and arrive at agreements to keep nuclear wars at bay.

Impact is the positive or negative effect of a risk event occurring. For instance, if a company knows that its competitor is planning on launching a product that would compete with the company’s current offering, the company will evaluate the impact of the competitor’s launch on its revenues and devise strategies to overcome the impact.

Once a set of risks to the project success is identified, a probability and impact assessment for each of the risks is conducted. The most commonly used approach to assessing project risks is by conducting meetings with project participants and/or external experts with insights into the risks. Project documents and lessons-learned documents from previous projects are also highly useful sources for qualitative risk assessment. The risk probability and expected impact are recorded along with the explanations for each assignment.

Probability and Impact Matrix

Once the risk probabilities and impact are assessed, we need to present the information in a usable format. This is done using the Probability and Impact Matrix, as shown in Figure 5.1.

As depicted in Figure 5.1, risks in the upper right-hand quadrant have the highest probability of occurrence and the highest impact on the project objectives of cost, schedule, time or quality. Hence, these are the risks that need to be actively managed and monitored. Risks in the left quadrants have a low impact on the project objectives and hence are the ones that the project will assume without actively managing them. Risks in the lower right-hand quadrant have a low probability of occurrence but a high impact on the project objectives if the risk does occur. Hence, while the project manager will not go overboard in managing such risks, he will constantly monitor them in case they change quadrants.

Risk Data Quality Assessment

For qualitative risk analysis to have any value, the data inputted into the assessment needs to be of high quality. In other words, the data needs to be unbiased, must have a basis or reasoning behind it, must come from credible sources with key insights into the project or risks and must be timely. Therefore, it is beneficial to conduct a risk data quality assessment to evaluate the quality of risk measures.

Figure 5.1 - Probability and Impact Matrix


Risk Categorization

In Chapter 2, we discussed the risk categories. Risk can also be categorized in terms of the area of the project impacted – cost, time, money, etc. Risk categorization is helpful because a more focused risk mitigation strategy can be devised for a group of risks that are similar in any fashion.

Risk Urgency Assessment

Along with the probability and impact of occurrence, another important factor in risk assessment is the time of occurrence. A risk that is imminent needs to be addressed immediately and might assume a priority even above those that have a potentially higher probability and impact if those risks are well into the future. Also, if a risk response requires more time to take effect, such a risk will need to be addressed immediately to allow for the additional time. Finally, if a risk that fell in the low-probability, high-impact quadrant of the probability and impact matrix has started showing signs of occurrence, the project manager might need to divert resources to its mitigation more urgently.
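The following sketch shows how the quadrants of the probability and impact matrix and the three urgency rules above could drive triage of a risk register. It is an added example, not material from the book; the 0.5 cut-offs, the 30-day window, the field names and the sample register are all assumptions.

```python
from dataclasses import dataclass

# Assumed cut-offs: the chapter describes the quadrants but gives no numeric scale.
HIGH_PROBABILITY = 0.5  # likelihood of occurrence, 0..1
HIGH_IMPACT = 0.5       # normalized effect on project objectives, 0..1
IMMINENT_DAYS = 30      # less slack than this means "address immediately"
ORDER = {"manage": 0, "monitor": 1, "assume": 2}

@dataclass
class Risk:
    name: str
    probability: float
    impact: float
    days_until_exposure: int      # when the risk event is expected
    response_lead_days: int = 0   # time the response needs to take effect
    warning_signs: bool = False   # early signs of occurrence observed

def quadrant_action(risk: Risk) -> str:
    """Map a risk to the handling the matrix quadrants call for."""
    if risk.impact < HIGH_IMPACT:
        return "assume"   # left quadrants: low impact, lived with
    if risk.probability >= HIGH_PROBABILITY:
        return "manage"   # upper right: actively managed and monitored
    return "monitor"      # lower right: watched in case it changes quadrant

def is_urgent(risk: Risk) -> bool:
    """Apply the urgency rules; assumed risks are never escalated (our choice)."""
    action = quadrant_action(risk)
    if action == "assume":
        return False
    slack = risk.days_until_exposure - risk.response_lead_days
    return slack <= IMMINENT_DAYS or (action == "monitor" and risk.warning_signs)

def prioritize(register):
    """Urgent risks first, then by quadrant, then by probability x impact."""
    def key(r):
        return (not is_urgent(r), ORDER[quadrant_action(r)], -r.probability * r.impact)
    return [(r.name, quadrant_action(r), is_urgent(r)) for r in sorted(register, key=key)]

# Constructed sample register, not taken from the book.
REGISTER = [
    Risk("Vendor API contract change", 0.7, 0.8, days_until_exposure=120),
    Risk("Export licence approval delayed", 0.55, 0.6, 60, response_lead_days=45),
    Risk("Primary data centre outage", 0.1, 0.9, 200, warning_signs=True),
    Risk("Regional flood at warehouse", 0.05, 0.9, 300),
    Risk("Minor UI rework request", 0.8, 0.1, 10),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(row)
```

In the sample, the licence delay outranks the vendor risk despite a lower probability and impact, because its response needs 45 of the 60 days available.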

Quantitative Risk Analysis: Tools and Techniques

The purpose of quantitative risk analysis is to assign a projected value (usually in terms of cost or time) to the risks that have already been ranked by the previous process of performing qualitative risk analysis. Don’t confuse these two processes, even though they are normally performed at the same time. When performing a qualitative risk analysis you are attempting to determine the probability and impact of the risks to the project and then to prioritize and rank them in your risk matrix. The outputs from this process will be used to plan risk responses and also to monitor and control risks.


Data Gathering and Representation Techniques

Several tools and techniques that can be used during various phases of managing a risk are briefly described here. There are many tools and techniques for risk identification, starting with documentation reviews, including:

Information gathering techniques

Interviewing – During qualitative risk analysis, project

Date posted: 21/01/2020, 08:59
