Project Risk Management Tutorial

11.1 Project Risk Management

Hello and welcome to the PMP Certification Course offered by Simplilearn! In this lesson, we will focus on project risk management. Let us begin with the objectives of this lesson.

11.2 Objectives

After completing this lesson, you will be able to:

  • Define risk
  • Identify key terms related to risk
  • Calculate risk
  • Identify different categories of risk
  • Describe Project Risk Management processes

In the next screen, let us take a quick look at the project management process map.

11.3 Project Management Process Map

There are 47 processes in project management grouped into ten Knowledge Areas, and mapped to five Process Groups. In this lesson, we will look at the eighth knowledge area, i.e., Project Risk Management and its processes. In the next screen, let us understand risk.

11.4 Risk

Risk is an uncertain event or condition that can affect a project positively or negatively. Although most of the time you view this uncertainty as bad, sometimes it can also have a positive outcome. Let us look at an example of risk having a positive outcome. You are using software for managing the time sheets of your team members. Due to budget constraints, you are forced to use new software. Though you were initially reluctant to use it, you found the new software to be better than the current one. It is more efficient and has a better reporting facility. An example of bad uncertainty is swine flu: the government declares a mandatory holiday to check the spread of the flu, which may affect your project work. In the next screen, let us look at risk-related terms.

11.5 Key Terms

Bad risks are also called threats. Positive events or conditions are also called opportunities or “good risks”. A risk that can have a positive or negative consequence is called business risk. A risk that can only have a negative consequence is called pure risk. The other risk-related terms are as follows. Risk averse: one who does not take risks is called “risk averse”. Risk tolerance is the degree, amount, or volume of risk that an organization or individual will withstand. For example, a company might have a policy that any risk that affects their customer relationship will not be tolerated. Risk threshold is the measure of the level of uncertainty or the level of impact at which a stakeholder may have a specific interest. Below that risk threshold, the organization will accept the risk, and above that, the organization will not tolerate the risk. This helps identify the level of risk beyond which specific responses are needed. For example, a company may have a policy that a risk that increases the project cost by 10 percent or less is OK, but not more than that. It is essential that you have a fair understanding of the key terms of project risk management. This will be useful while answering questions in the exam. In the next screen, we will understand how risk is calculated.

11.6 Calculation of Risk

Risks can be managed only if they are measured quantitatively. Suppose many risks are identified in a project and you have limited resources to manage them; you should know which risk is the most important and has to be managed first. Therefore, measuring risk becomes critical. Risk is measured by assigning a monetary value to it, and that value is arrived at by multiplying the probability and impact of the risk. In the next screen, let us look at an example for calculating risk.

11.7 Calculation of Risk - Example

Calculate the total expected monetary value for the three work packages, given their probability and impact. Let us look at package X. The value of the risk is 25 percent of the impact, $10,000, which is $2,500. The expected monetary value or EMV of the risk is sometimes called the “exposure” to the risk. An impact where the value is negative is called a threat, and an impact where the value is positive is called an opportunity. Calculate the EMV for the next two packages. Also determine the overall EMV for a project by analyzing all the identified risks and adding them up. In this example, if all the risks materialize, then there is a threat of $1,300. In the next screen, let us learn risk categorization.

11.8 Risk Categorization

Risk can be categorized in various ways. One such categorization is external, internal, technical, or project management related risk. External risk arises out of external policies or regulations. For example, government policy that the river water can be used for drinking purposes, may hinder your production, which is dependent on the river water. Internal risk arises from within the project—for example, the complexity of the work may result in time and cost escalation. Technical risks arise from the technology being used. Projects in space exploration have a lot of technical complexity. Risks could be related to project management. For example, if there are many interdependencies between the sub-projects, it is a risk from the project management standpoint. The categorization of risk can be based on the origin. Risks can be classified as scope risk, resource risk, schedule risk, cost risk, and quality risk. Scope risk can include redoing the same task, if the scope is not well understood. When the only resource is assigned to some other project, it is called resource risk. In the next screen, let us discuss the decision tree that will help us estimate risk.

11.9 Decision Tree

A decision tree helps in analyzing risk and its impact on decisions in a scenario where the outcome is uncertain. Suppose you want to buy a car. You can buy either a new car or an old car. Which one should you buy? Which has more risk over a period of 5 years? Consider the concept of a decision tree to solve this problem. The initial cost of buying a new car is $20,000 and the cost of buying the old car is $15,000. For a new car, the probability of it having any problem (fail scenario) is only 10 percent, i.e., there is a 90 percent likelihood that it will just work without any problems (pass scenario), and if it does have a problem, the impact is $15,000. The reason is that it was bought at a higher cost. An old car has a 70 percent probability of having a problem. The probability is high because the car was already used by someone else in the past. However, the impact here is low, say, $10,000. If you add probability multiplied by impact for both options at the decision nodes, you will find that buying an old car is, over the period, more risky than buying a new car. In the next screen, let us discuss risk reserve.
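The car decision above, worked through as an added example (not part of the original lesson). It rolls a decision tree back from the leaves, which generalizes beyond the two-option case in the text; the class and function names are hypothetical, and the pass scenario is assumed to cost nothing extra.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class Outcome:
    """Leaf: the monetary impact if this branch is reached."""
    label: str
    cost: float


@dataclass
class Chance:
    """Chance node: (probability, child) branches that must sum to 1."""
    label: str
    branches: List[Tuple[float, "Node"]]


@dataclass
class Decision:
    """Decision node: (option name, up-front cost, child) for each option."""
    label: str
    options: List[Tuple[str, float, "Node"]]


Node = Union[Outcome, Chance, Decision]


def expected_cost(node: Node) -> float:
    """Roll the tree back: probability-weighted cost at chance nodes,
    cheapest option at decision nodes."""
    if isinstance(node, Outcome):
        return node.cost
    if isinstance(node, Chance):
        total_p = sum(p for p, _ in node.branches)
        if abs(total_p - 1.0) > 1e-9:
            raise ValueError(f"{node.label}: probabilities sum to {total_p}")
        return sum(p * expected_cost(child) for p, child in node.branches)
    if isinstance(node, Decision):
        return min(cost + expected_cost(child) for _, cost, child in node.options)
    raise TypeError(f"unknown node type: {type(node).__name__}")


def evaluate_options(decision: Decision) -> dict:
    """Per option: risk exposure (probability x impact) and total expected cost."""
    result = {}
    for name, upfront, child in decision.options:
        exposure = expected_cost(child)
        result[name] = {"exposure": exposure, "total": upfront + exposure}
    return result


def best_option(decision: Decision) -> str:
    """Option with the lowest total expected cost."""
    totals = evaluate_options(decision)
    return min(totals, key=lambda name: totals[name]["total"])


def car_tree() -> Decision:
    """Figures from the lesson; a pass scenario cost of 0 is an assumption."""
    new_car = Chance("new car", [(0.9, Outcome("pass", 0)),
                                 (0.1, Outcome("fail", 15_000))])
    old_car = Chance("old car", [(0.3, Outcome("pass", 0)),
                                 (0.7, Outcome("fail", 10_000))])
    return Decision("which car?", [("new car", 20_000, new_car),
                                   ("old car", 15_000, old_car)])


if __name__ == "__main__":
    tree = car_tree()
    for name, figures in evaluate_options(tree).items():
        print(f"{name}: exposure ${figures['exposure']:,.0f}, "
              f"total expected cost ${figures['total']:,.0f}")
    print("lower expected cost:", best_option(tree))
```

The old car carries the larger exposure and the larger total expected cost, which matches the conclusion in the text.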

11.10 Risk Reserve

The project cost is arrived at after considering the risk reserves for both the known risks and the unknown risks. There is a specific order in which these reserves are calculated in the project cost. First, the cost of all activities is identified. Activities are the smallest, unique project tasks. All the activity costs add up to the cost of the work packages. Work packages are the last level of classification in a work breakdown structure. Work package costs add up to the control account cost. One or more work packages are clubbed together to create a control account and manage the cost of the work packages. Next, the project costs are identified. There can be multiple control accounts in a project. Now, once the project cost is calculated, some reserve is added to take care of any uncertainties. You may have made some assumptions to calculate the cost of the activities, and by adding some reserve, you take care of those uncertainties. In this case, note that you are accounting for the assumptions made, so it can be said that this reserve takes care of known uncertainties. This reserve is also called contingency reserve. At this point, you have arrived at the cost baseline, i.e., the cost for the project that will be used for budgeting and tracking purposes. Once the planned cost is arrived at, there is another reserve that gets added, called management reserve. Note that management reserves are not part of the cost baseline and are used during emergencies only. By adding contingency reserve, you have taken care of known uncertainties, and by adding management reserve, you take care of unknown uncertainties, i.e., those risks that perhaps have not yet been identified. Unknown uncertainties are added based on experience or expert judgment. Let us discuss project risk management in the next screen.

11.11 Project Risk Management

Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response planning, and controlling risk on a project. The key objective of risk management is to increase the probability and/or impact of positive events and decrease the probability and/or impact of negative events. In the next screen, let us look into a business scenario to understand this concept better. After reading the problem statement, click the solution button to look at a possible answer.

11.12 Business Scenario - Problem Statement

In the next screen, let us look at the project risk management processes.

11.13 Project Risk Management Processes

There are six risk management processes. Plan Risk Management, Identify Risks, Perform Qualitative Risk Analysis, Perform Quantitative Risk Analysis, and Plan Risk Responses belong to the planning process group, and Control Risks belongs to the monitoring and controlling process group. Let us learn about these six processes in the subsequent screens. Let us begin with the first process, i.e., plan risk management.

11.14 Plan Risk Management

Plan Risk Management is the process of defining how to conduct risk management activities for a project. The key benefit of this process is that it ensures that the degree, type, and visibility of risk management are commensurate with both the risks and the importance of the project to the organization. It is part of the planning process group. This is an important process and requires the involvement of the project sponsor, customer, and other key stakeholders along with the project manager. Risk management is one of the key project management activities and hence it requires proper planning. In some cases, the impact of the risk is not worth the time spent to plan and manage it. All such decisions and more are taken during risk management planning. Key inputs to this process are the project management plan and the project charter. The project management plan and its subsidiary plans form a key input to the plan risk management process. The process for managing risk is closely aligned with the processes for managing cost, schedule, quality, and scope. The project charter contains high-level information about the project and the important objectives; the plan will contain details. The other important input is the stakeholder register that contains the list of stakeholders. The stakeholders can provide valuable inputs to the risk management processes on the project. Enterprise environmental factors and organizational process assets are also listed as inputs. Analytical techniques are one of the important techniques used. The rigor and level of risk management processes depend on the risk threshold of the project’s stakeholders and the level of risk on the project. Analytical techniques help us find a balance between these factors. There is no substitute for expert judgment as it brings in many years of experience on projects. Risk management planning is the outcome of several meetings between the project team and the stakeholders of the project.
The output of this process is the risk management plan, which has information such as the methodology used for risk management, roles and responsibilities of key people involved in risk management, the budget for the risk management activities, and the timing of the risk management activities. Note that since the risk management plan has information like budget and schedules for risk management activities, it is an input for processes like cost estimation, time estimation, schedule development, and cost budgeting. In the next screen, let us look into the kind of information used in the risk management plan, i.e., impact scale.

11.15 Definition of Impact Scale - Example

The impact on scope, cost, time, and quality is provided in the table. The impact is scaled as per the perception of risk by the manager. This kind of table can also be obtained from PMO. The scaling varies from organization to organization. For a risk-averse person, a 15 percent slippage in schedule may appear to be high, however, for a risk-seeking person it may not be so. It is in the interest of the project to define these clearly in the form of an impact scale, so that there is no ambiguity. During the planning stage, this table should be agreed by all the stakeholders, which is a best practice. The risk management plan defines what is high impact and high probability, so that everyone involved in the project interprets the risk data in the same manner. Similarly, look at the examples for other tools and techniques and the contents of the risk management plan as described in the PMBOK® Guide. In the next screen, let us look at the next process, that is, identify risks.

11.16 Identify Risks

Risk identification is an ongoing and iterative process. It is the process of determining which risks may affect the project and documenting their characteristics. It belongs to the Planning Process Group. Risks can arise at any time during the project execution cycle. Even when the project starts, the customer or the project sponsor can inform the project manager of possible project risks. Generally, the project team should look for possible risks in the project management plan, project schedule, cost, and scope data. The plan would include the risk management plan, activity cost and duration estimates, stakeholder register, schedule management plan, human resource management plan, project documents, scope baseline, cost management plan, quality management plan, and procurement documents. If the organization has executed similar projects in the past, project managers can look in the old project archives for some possible sources of risks, known as organizational process assets. Sometimes, risks can be identified from industry studies or surveys, i.e., enterprise environmental factors. There are various tools and techniques for risk identification. One of them is documentation reviews, and this is a necessary technique for risk identification. It is a structured way to go through the different project documents, like the project management plan, project scope statement, etc., to look for possible risks. If there are any assumptions listed in these documents, the analysis of those assumptions can also reveal potential risks. You can use several information gathering techniques for identifying risks, including interviews, questionnaires, etc. Diagramming techniques such as process flow diagrams, schedule network diagrams, etc., can help identify potential risks on the project. Expert judgment is an important factor as many risks can be pointed out based on experience. Some organizations have ready-made checklists for risk identification.
These checklists are generally in the form of questionnaires that help in risk identification. SWOT analysis, which stands for strengths, weaknesses, opportunities, and threats, is also used to analyze project risks. Usually these analyses are done at the organization level first and later the findings are applied at the project level too. For example, an organization's very good technology strength is applicable for the project as well. Similarly, if the organization's infrastructure is not that good, it can be a potential risk for the project as well. The output of the risk identification process is the risk register, which is the list of identified risks. Sometimes, potential threats are also listed in the risk register and they are monitored to check if they are actually becoming a project risk or not. Information gathering techniques like brainstorming, interviewing, root cause analysis and others are used to get risk-related information. In the next screen, we will look into the third process, i.e., perform qualitative risk analysis.

11.17 Perform Qualitative Risk Analysis

While risk identification is the process of identifying all possible risks, it is not realistic to work on all those risks, because the impact of a risk may be negligible in some cases and not worth the worry. To identify the risks that you would work on as a priority, you need to analyze them. Perform qualitative risk analysis is the process of prioritizing risks for further analysis or action by assessing their probability of occurrence and impact, which is part of the planning process group. The inputs to this process are the risk register and the risk management plan. Apart from these, the scope baseline for the project forms an important input as the scope defines all the work that needs to be done. The enterprise environmental factors and organizational process assets are also inputs for all risk management processes. Qualitative risk analysis is the technique of risk probability and impact assessments. One of the most important techniques is risk data quality assessment, which is to find out the accuracy of the risk data, i.e., whether the risks are real risks. Once the accuracy of the risk data is verified, the next step is to find out which risks need to be addressed on priority and to analyze them on priority. The analysis can be done by using a probability and impact matrix, where you can classify risks as high, medium, and low priority. With this analysis, if a risk has both high probability as well as high impact, it needs to be addressed before any other risks. Risks can be further categorized, for example, as technical, project management, etc. The urgency of the risk can be considered. Urgency indicates whether a risk event is likely to happen in the near future. Expert judgment also plays a role in qualitative risk analysis. The output of this process is prioritized risks with their probability and impact ratings. These are updated and reflected in the various project documents.
The process also results in a list of risks that require further analysis, because the data available might not be sufficient to determine their probability and impact. Concept-based questions on qualitative risk analysis can be expected in the PMP exam, so prepare this topic well to answer such questions correctly. In the next screen, let us understand the probability and impact matrix technique that will help you prioritize and focus on important risks.

11.18 Probability and Impact Matrix - Example

The probability and impact matrix tabulates the probability and impact scales for the opportunities and threats on the project. Probability multiplied by impact gives you an exposure figure, which is mentioned in the individual cells. For example, look at the fourth cell in the first row, which has a probability of 0.9 and an impact of 0.20. The exposure value is 0.18. Likewise, you can verify all the other cells. After filling in this table, you can define a risk threshold, beyond which a risk becomes a candidate for active management. For example, any risk with an exposure value of 0.15 or more should be actively managed. You can see from the table that the cells marked in grey are those which correspond to this value. In the next screen, let us look at how to analyze the risks from a numerical standpoint in the next process.

11.19 Perform Quantitative Risk Analysis

Perform quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives. Usually, quantitative risk analysis is done for the highest risks on the project to investigate them further. Therefore, the updated risk register is the input to quantitative risk analysis. The inputs for quantitative risk analysis are similar to those for qualitative risk analysis. Since numerical analysis is being considered here, the cost and schedule management plans are important inputs. The other inputs include enterprise environmental factors, organizational process assets, and the risk management plan. The first technique used is data gathering and representation techniques. The numerical quantitative risk data is usually collected by analyzing past project data or by expert judgment. Sometimes numerical data are also used for simulation, and one of the simulation techniques is Monte Carlo Analysis. For example, by using Monte Carlo Analysis you can check, if the project is executed 100 times, what the probability of completing the project on a specific date is. Similar analysis can be done for the risk as well. Numerical data also helps in using the decision tree concept to analyze project risks and impact objectively. The other techniques include expert judgment and quantitative risk analysis and modeling techniques. Quantitative risk analysis should be done only when it is worth doing. Usually, large multi-year projects may require quantitative risk analysis. The output of this process is the quantified list of prioritized risks. Along with this, sometimes the amount of contingency reserve in terms of time and cost is also calculated as part of this process. This will be reflected in updates to the project documents. Concept-based questions on quantitative risk analysis can be expected in the exam, so understanding the inputs, techniques, and outputs of quantitative risk analysis is essential.
In the next screen, let us discuss the plan risk responses process.
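The Monte Carlo idea described above, as an added example that is not part of the original lesson: a small schedule is "executed" many times to estimate the probability of finishing by a target date and the time contingency that follows from it. The task list, the three-point estimates, the triangular distribution and the 80 percent confidence level are all constructed assumptions.

```python
import math
import random

# Constructed sample data (not from the lesson): sequential tasks with
# three-point estimates in days: (name, optimistic, most likely, pessimistic).
TASKS = [
    ("design", 8, 10, 15),
    ("build", 15, 20, 35),
    ("test", 5, 7, 14),
]


def simulate_duration(rng, tasks):
    """One simulated execution: draw a duration for each task and add them up."""
    return sum(rng.triangular(low, high, mode) for _, low, mode, high in tasks)


def run_simulation(tasks, runs=100, seed=1):
    """Execute the project `runs` times; returns the sorted total durations."""
    rng = random.Random(seed)  # fixed seed so the analysis is repeatable
    return sorted(simulate_duration(rng, tasks) for _ in range(runs))


def completion_probability(durations, target_days):
    """Fraction of simulated runs that finished on or before the target."""
    return sum(1 for d in durations if d <= target_days) / len(durations)


def duration_at_confidence(durations, confidence):
    """Smallest simulated duration that at least `confidence` of the runs met."""
    if not 0 < confidence <= 1:
        raise ValueError("confidence must be in (0, 1]")
    index = max(0, math.ceil(confidence * len(durations)) - 1)
    return durations[index]


def contingency_days(durations, tasks, confidence=0.8):
    """Time reserve: duration at the confidence level minus the most likely plan."""
    planned = sum(mode for _, _, mode, _ in tasks)
    return max(0.0, duration_at_confidence(durations, confidence) - planned)


if __name__ == "__main__":
    durations = run_simulation(TASKS, runs=10_000)
    planned = sum(mode for _, _, mode, _ in TASKS)
    print(f"most likely plan: {planned} days")
    print(f"P(finish within {planned} days): "
          f"{completion_probability(durations, planned):.0%}")
    print(f"duration at 80% confidence: "
          f"{duration_at_confidence(durations, 0.8):.1f} days")
    print(f"time contingency: {contingency_days(durations, TASKS):.1f} days")
```

Because the pessimistic estimates sit further from the most likely values than the optimistic ones, the chance of hitting the "most likely" plan is well under half, which is why the simulation produces a contingency figure.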

11.20 Plan Risk Responses

Once the risks are identified and analyzed, the next step in risk management is to plan what can be done about these risks. “Plan risk responses” is the process of developing options and actions to enhance opportunities and to reduce threats to project objectives. It is part of the Planning Process Group. The inputs for this process are the risk register, which has now been updated with the identified risks and the information from qualitative and quantitative risk analysis, and the risk management plan, which provides guidance about the risk management processes on the project. There are different strategies used for negative risks and positive risks. One of the strategies for negative risks or threats is to avoid the risk. For example, one of your team members is not punctual, which is a risk; replace him with another team member who is. The next strategy is to transfer the risk to someone else. For example, your factory is prone to catching fire. You can transfer this risk to an insurance company by purchasing fire insurance cover. The third strategy is to mitigate the probability and impact of the risk. For example, if your project is being delayed and that is a risk, you can mitigate it by either reducing a certain part of the scope or adding more team members to the project. The final strategy is to accept the risk and do something about it only when it occurs. The plan that states what can be done when the risk actually occurs is called a contingency plan. For example, suppose your building is damaged in a natural disaster; you can have a contingency plan to move into another building, which was pre-identified. The strategies to handle positive risks or opportunities are exploit, share, enhance and accept. Exploit corresponds to avoid and enhance corresponds to mitigate in the negative risks. Accept is a common strategy for both positive and negative risks.
An example of sharing a positive risk or opportunity can be getting into a joint venture to exploit the opportunity together. Contingent response strategy is another technique of risk response planning. This refers to planning the response whenever a contingency or planned risk event occurs. Expert judgment is useful for planning risk responses. The output of this process is the updated risk list, which will result in updates to the project management plan and project documents. Those risks that remain in the system after all the response plans have been laid down are called residual risks. Contingency plans need to be developed for those (i.e., what you can do when the risk actually occurs). Sometimes, the implementation of a response gives rise to additional risks; these are called secondary risks. For example, you may decide to outsource some work to a third party. Since the act of outsourcing also introduces a dependency, you have to worry about the reliability of the third party. The risk response owner is also identified as part of this process. The project risk reserve is also updated because of this process. During this process, the actual amounts are identified. In the next screen, let us look at the control risks process.

11.21 Control Risks

The last step in risk management is controlling the risk management activities, which involves implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project. It is part of the monitoring and controlling process group. The inputs to this process are the risk register, project management plan, and work performance data. Work performance reports, in the form of earned value analysis, give an accurate status of the project health, and risk management effectiveness can be analyzed in light of the project progress. The techniques used for monitoring and controlling the risk include risk audits, in terms of checking whether the project is identifying risks and working on a plan to resolve them. The other strategy is to do continuous risk re-assessment, which is a kind of periodic review of the risk management plans. Risks are also one of the key discussion topics in project status review meetings, as team members can point out new risks. Regular meetings also ensure that team members are aware of their responsibilities to look for new risks and opportunities for the project. Reserve analysis is also done throughout the risk monitoring and controlling process to check if any newly identified risk requires additional reserve to take care of any eventuality. Variance and trend analysis helps us identify additional risks or monitor changes to existing risks. The process also makes use of technical performance measurements. The outputs of this process include the updated risk list; for example, some risks that are no longer applicable will be removed from the risk register. This will result in updates to the project management plan and project documents. Any monitoring process also results in some work performance information and in corrective or preventive action to ensure that the same mistakes are not repeated in future.
This process also results in organizational process asset updates, like updating the lessons learned database about best practices in risk management, and change requests. Let us now check your understanding of the topics covered in this lesson.

11.22 Quiz

A few questions will be presented in the following screens. Select the correct option and click submit to see the feedback.

11.23 Summary

Here is a quick recap of what was covered in this lesson:

  • Risk is an uncertain event or condition that has a positive or negative effect on a project’s objectives.
  • Risk is calculated by multiplying the probability and impact of the risk: Risk Weighting = Probability * Impact
  • Risk can be classified in various ways. Under one category, risks are classified as external, internal, technical and project management; and on the basis of origin, risks can be classified as scope, resource, schedule, cost and quality risks.
  • A decision tree is used to analyze risk and its impact on decisions, in the face of uncertainties.
  • The six Project Risk Management processes are Plan Risk Management, Identify Risks, Perform Qualitative Risk Analysis, Perform Quantitative Risk Analysis, Plan Risk Responses, and Control Risks.

11.24 Conclusion

With this, we have come to the end of this lesson. In the next lesson, we will cover project procurement management.

  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.
