Project risk management - Methodology and application

PROJECT RISK MANAGEMENT

METHODOLOGY AND APPLICATION

Author: Marco De Santis, PMP, 2014

Author: Marco De Santis, PMP, 2014

2

Agenda

Introduction to the Risk Management

FOCUS on 6 RISK MANAGEMENT processes, PMBOK Guide ®, Fifth Edition

Guidelines for project risks management

Practical application with an use case

Attachments

Examples of the operational tools for Risk Management

Glossary

The risk model is based on the existence of one or more causes with an unknown probability of occurrence and one or more effects that will appear due to the occurrence of the event.

In practice, both the known and unknown risks are addressed with a reactive approach. The difference is that the paradigm underlying the risk management provides the responsive approach, limited to the unknown risks, in addiction to the proactive approach reserved to a known risk.


3 Author: Marco De Santis, PMP, 2014

One of the most common mistakes is to confuse a risk with the impact: the phrase "we risk to incur in a penalty" is related to the impact and not to the risk (which can be caused to a lack of performance testing of the information system that we are developing for our customer).

The risk, in the common sense, is the possibility of suffering harm or achieving an advantage, due to certain circumstances, more or less predictable.

The way in which the organization and its stakeholders perceive risk and relate with it (the risk attitude) is influenced by three main factors : 1. risk appetite: the level of an acceptable uncertainty in view of a future benefit

2. risk tollerance: the grade, size or amount of risk that an individual or an organization can tolerate

3. risk threshold: the measure of the level of uncertainty or the impact in which a stakeholder may have a specific interest. Only below this threshold, the organization will accept the risk

There are four risk macro-categories (universal) which helps us to support and guide the management of the risk on the basis of the risk attitude, such as:


Therefore, managing the risk means to adopt an attitude, more or less consciously, in order to protect yourself against a negative event (threat) and/or to take advantage of a positive event (opportunity) as long as you have identified and understood the scenario before the event happens.


Let's start with two assumptions: the first is that there isn't a project without a risk, and the second is that, in spite of a "perfect" planning, the use of estimates implies an indeterminacy related to their probabilistic nature.

The uncertainties may relate to the existence and the duration of activities, to the cost of resources and activities, to the presence or the absence of adequate resources, to the management of supplies. There are also external factors that contribute positively or negatively to a project’s destiny.


The project risk, then, is defined as an uncertain event or a condition that, if it were to occur, would have a positive or negative effect on one or more objectives of the project such as scope, schedule, cost and quality. The project risk management is the systematic process of identifying, analyzing and responding to project risks in order to increase the probability and/or the impact of positive events and to decrease the probability and/or the impact of negative events in accordance with the constraints. The project risk management is based on an integrated analysis of the uncertainties of the project that leads to a different approach based on the probability that certain situations could happen or not, conducting, therefore, to probabilistic outcomes.

past present future


The Risk management in a project throughout its lifetime, must be iterative and appropriate because while it reduces the likelihood of a project failure and/or increases the chances of success, at the same time, if it’s perceived as "the dark side "project, it can cause the paralysis of the project.


By way of example and in applying the concept of appropriateness for software projects have been identified the following seven risk "universal"

1. User involvement and support of the management 2. Inflationary / uncontrolled rise of the requirements (or scope creep) 3. Difficulties in the sharing and understanding of the specifications and

requirements 4. Errors in planning 5. Unrealistic expectations 6. Changes in project teams 7. Inefficient Project Management

7

The Project Manager is responsible for the management of risk and he’s the one who will have to gain the support of stakeholders both in the identification of risks and in the planning and the implementation of the necessary responses’ measures through a comprehensive and timely flow of the communication and the documentation.


7

Source: The Standish Group Report CHAOS, © 2014 Project Smart

Author: Marco De Santis, PMP, 2014\

http://calleam.com/WTPF/?page_id=1445

FOCUS on 6 RISK MANAGEMENT processes PMBOK Guide®, Fifth Edition


The process of defining the rules for the development of the risk management plan, which includes: methodology, responsibility, definition and management of reserves and changes

The process of identifying project risks, accurately describing and giving a first response hypothesis

Risks are classified by importance, in order to define a priority based on a Risk Factor (RF)

The overall effect of the project risks (Expected Monetary Value, EMV) is measured numerically. The contingency reserve, which is the pre-reserve economic response to the risks , will be defined

Here are being planned necessary responses for facing the threats in order to reduce the probability and / or the impact of threats and / or to amplify those opportunities

The process of implementing the responses, of updating the status of the risks (identified, secondary, residual and new) and evaluating the effectiveness of the risk management.

PLA

NN

ING

M

ON

TIO

RIN

G A

ND

CO

NTR

OLI

NG

1. Plan Risk Management

2. Identify Risks

3. Perform Qualitative Risk Analysis

4. Perform Quantitative Risk

Analysis

5. Plan Risk Responses

6. Control Risks

Based on "Corso di preparazione all'esame PMP", TI HR Services - Eureka Service, Roma, 2013

Threats Risk Strategy OpportunityAvoid Uncertaincy removal Exploit

TransferReallocation of responsibilities Enhance

MitigateExposition level

modification ShareAccept Current management Accept

Following the Risk Management diagram presented in the previous slide, the activities that the project team must ensure are:

1. Plan Risk Management: is the decision-making process on how to approach and how to plan the activities of the risk management. A plan of the risk management is defined (or re-used and customized appropriately, if already available in the company) for this purpose, where is being formalized:

a. if any, the collecting of the risk information identified in the project approval and presented in the Business Case

b. the applied methodology, roles and responsibilities c. the budget and the timing of the implementation of the management

processes d. the categories of risks impacting the project (technical, external,

organizational, management, other) e. the definitions of the risk probability and the impact (ref. attachments, the

probability scale, the impact scale) and the probability and the impact matrix (ref. attachments)

f. the Risk Breakdown Structure (ref. attachments), that breaks the risks universe identified in the Company and represents the basis for creating the structure for a specific project

g. The rules to manage and release the contingency reserve



2. Identify the risks: it is the process of determining the risks that may affect the project and documenting their characteristics, starting, if available, from the initial list of risks contained in the Project Charter authorizing the start of the project. For effective risk identification it is recommended that you have defined the scope of the project.

The identification of project risks starts while trying go get the support of as many stakeholders as possible and through the use of tools (if necessary, by multiple choice, depending on the nature and type of the participants) such as:

documentation reviews, checklist and project assumption analysis information gathering techniques: brainstorming, nominal group, delphi,

interviews, route cause analysis diagramming techniques: Ishikawa diagram, process/system flow chart,

influence diagrams SWOT (Strengths, Weakness, Opportunities, Threats) expert judgment

The list of identified risks is presented in the document "risk register" which will also include the triggers that indicate the approach or the occurrence of the event which took place.

It is advisable to also indicate the WBS code and appoint the assigned risk owners, if available.



3. Perform Qualitative Risk Analysis: it is the process of prioritizing risks for further analysis or action by assessing and combining the probability of occurrence of the risk and its impact.

The list can be subject to a pre-skimming through the Pareto diagram with the objective to proceed with the treatment of "significant" risks with the aim of defining a first classification on the basis of the Risk Factor of risks through the use of the stairs probability and impact.

The temporal proximity of the risk (risk proximity) is considered another decisional factor for taking charge of risk (risk urgency); risks to be monitored and those with low risk, which will be kept under observation (watch list) are also identified during the execution phase of the project through the matrix probability and the impact.


In this moment, we evaluate the opportunity to continue by using the quantitative analysis (which implies high costs and the time consuming) or to go directly to the response plan.

The risk register is updated based on new informations, along with other project documents.


4. Perform Quantitative Risk Analysis: it is the process of numerical analysis of the effect of the identified risks (which were to be monitored, as decided in qualitative analysis) on the general objectives of the project.


Through the investigation and with the involvement of experts and stakeholders is defined as the economic impact on the project.

The tools available for the analysis are: data gathering and representation techniques, through interviews with

stakeholders and experts quantitative risk analysis and modeling techniques: sensitivity analysis, expected

monetary value (EMV) analysis and decision trees, modeling and simulation expert judgment

In this phase, the basis for the definition of contingency reserves (through EVM) is being prepared and the statistical analysis on the likelihood of success of the project is being consolidated.

A new classification of the risk prioritization (based on quantitative data) is drawn up and the risk register is updated, along with other project documents.



5. Plan Risk Responses: it is the development process of options and actions whose aim is to enhance opportunities and reduce threats for the project objectives. This process needs a strong involvement of the project stakeholders.

The goal is to ensure "buy in" to those who will have to ensure the answers and/or finance them, and the strategies may include:

avoid, transfer, mitigate, and accept (actively / passively) the downside risks

exploit potential, share and accept (actively / passively) the positive risks

The plan of response actions is defined based on the results of the analysis of the EMV and the decision tree between the identified alternative responses. In front of the response plan, the changes are being proposed, and mainly they are relate to costs, the scope (WBS) and the planning .

The contingency reserve (which is to cover the contingency plan and the fall back plan) necessary for the definition of the project budget and for the revision of the schedule is being set up and the residual risks and the secondary risks arising from the implementation of plan and actions are being identified; and the quantitative analysis of the risks can be executed again.

The risk register is updated, along with the other project documents and the management plan of the project.


Project Execution: In carrying out the project (there are no dedicated processes), by using the full version of the risk register (ref. attachments), during the project meetings, the Project Manager should always include in the agenda the task of re-evaluation of the risks that:

a) if present, check the triggers (alarms defined in the initial version of the risk register which report the occurrence or the approach of the event), and if necessary, activate response plans!

b) communicate to all stakeholders the status of project risks!

c) monitor your watch list!

d) locate new risks!

e) evaluate the management efficiency!

f) enrich the DB risk on a company level!



6. Control Risks: it is the process of the response plans implementation, of the identified risks tracking, of the residual risks monitoring, of the new risks identification and of the effectiveness assessment of the risk management processes throughout the project.

The revaluation results of the identified risks and audits on the management effectiveness of "end to end" Risk Project are being evaluated.

Possibile new risks are being managed and brought to the 2° trial (perform a qualitative analysis of the risks), and the residual risks are being monitor, no more verifiable risks are being closed.

A best practice is to run again the quantitative analysis of existing risks during this process. The unused reserve (contingency and management) release can happen even in the case of a no longer verifiable risk or at the end of the project (it is a business decision and it’s defined in the risk management plan).


If necessary, the improvement changes or corrections are being required.

The use of contingency and management reserves is being assessed and, where appropriate, an action is taken in order to restore the proper use through the proposed change request.

Possible changes which are to include in the project documents and in the management plan of the project are being undertaken at this point.


Practical application with use case As an example of practical application of the Risk Management will use the design of a specialized course.

PMP Certification Course

Step 1: we re-use the corporate risk management plan (existing and proven fitness for my project) with the following characterizations: the release of the reserve is at the end of the project.

Step 2: identify the risks at the time "t0" jointly using techniques such as brainstorming, Ishikawa diagram, histogram, Pareto, delphi, and SWOT to consider the opportunities, too. The result is the risk register that contains:

R1 – unavailability classrooms R2 – funding block R3 – unavailability teacher R4 – poor learning material R5 – absence of participants R6 – unavailable simulator

R3 and R6 were considered as non-impacting because the contract already provides a reaction plan.


Step 3: we start from the consistency of risk register to create a cause-event-effect matrix using the five-why technique (we ask ourselves a reason why of each cause and we proceed backwards 5 times untill we arrive at the route cause) Fon any given cause, it's suggested to use the WBS code and to mention the assigned risk owner, if the information is available.

CAUSE EVENT EFFECT Period of occurrence Trigger

Uncorrect planning Unavailability classrooms Time The entire course

The unavailability classrooms detected 15 days before the

date of the lesson Courses overlapping

Classrooms inagibility Huge absence of participants

Funding block Quality, Cost The entire course The receipt of payment from the bank wasn't received Governance

Not adequated budget Poor didactic material Quality The entire course

A lot's of difficulties was faced in reading and use of the

material Tender at lower price

Strike transportation (bus)

Absence of participants Quality The entire course No participants above 30% for two consecutive lessons

Teachers quality Lack of information

Corporate issues (task overlapping)

Participants personal issues

Practical application with use case


Step 4: we group the (homogeneous) causes and customize the RiBS (Risk Breakdown Structure) of our project, that allow the Project Manager to identify which category affects mainly the project. The Risk Management Plan will be updated by inserting the project RiBS .

Applicazione pratica con use case


RiBS "PMP Certification Course" project

Organizational External Technical

Strike transportation (bus) Participants personal issues

Corporate course planning Human Resource management (particpants) Finanacial Governance Procurament management

Project Management

Planning Budget Teachers quality Communications

Classrooms inagibility Absence of participants

Step 5: we proceed with the qualitative analysis (based on scale probability x impact defined in the management plan), and we define the ranking of risks, through the matrix probability and impact. In this way we define the risks that must be managed and the ones included in the watch list.



Probability Impact

Risk Factor scale value scale value

R1 M 0,6 M 0,2 0,12 R2 L 0,3 M 0,2 0,6 R4 L 0,3 L 0,1 0,3 R5 M 0,6 H 0,4 0,24

Probability Impact

Risk Factor scale value scale value

R5 M 0,6 H 0,4 0,24 R1 M 0,6 M 0,2 0,12 R2 L 0,3 M 0,2 0,6 R4 L 0,3 L 0,1 0,3 In watch list

to be managed

to be managed

to be managed

Step 6: now we proceed with the determination of the economic impact of the risks to be managed (EMV Expected Monetary Value) and the new risks ranking, by using one of the quantitative risk analysis methods. Assumption: independent risks



Probable damage

Total Project damage Probability that all

3 events occur

Probability Impact

EMV Value Value

R5 20% 50k€ 12k€ R1 10% 20k€ 2k€ R2 2% 50k€ 1k€

0,0004% 120k€ 13k€

Step 7: we define the level of risk responses that in our use case - just as an example - is the "Absence of participants" (taking charge of the risk management with the highest EMV, as in the table above). In order to select the best answer we perform a cost-benefit analysis: the real action cost (the certain one) versus the least (probable) impact, and in our example, the Virtual Class is the best solution.

Applicazione pratica con use case


Code Event Probability Impact EMV Strategy Selected actions Cost of action

Post risk response scenario

Probability Impact EMV

R5 Absence of participants 20% 50k€ 10k€ Mitigation

Communications plan with the request of the participant

feedback 500 € 10% 50k€ 5k€ Notification of dates to

functional managers (bosses) 500 € 10% 50k€ 5k€

Virtual class 1.000 € 5% 50k€ 2,5k€

By choosing the "Virtual Class", the immediate cost is € 1,000, the "S" curve rears for 1.000€ and further 2,500€ are to be set up as a contingency reserve and added to the cost baseline.

So we add the activity in the GANTT project, we propose a change requests to the project documents and, if not already indicated in the risk register, we formalize the risk owner, the person who assumes the ownership of the management of the end-to-end response. No action has fielded at this time. Upon the occurrence of the trigger foreseen in the initial risk register, in the process of monitoring and control of the project, the answers will be activated.

The residual risk in the risk analysis, compared with the response plan is 5% (ref. previous table).

The change caused by the new activity (response plan) impacts the project in term of costs, scope (WBS) and schedule.

Then we move on to the analysis of an eventual secondary risk derivated by the introduction of a new mitigation activity (risk response) and a check if any response actions are necessary.

If the plan fails, I could already predict a fallback plan and it could be financed always and only by the contingency reserve (no extra cost could be added).



Step 8: in Monitoring and Control: we implement the response plan "Virtual Class" if the expected trigger "no participant

more than 50% for two consecutive lessons" occurred we evaluate the effectiveness of the risk management plan "end to end" through the

analysis of the process and the results of the provided actions we manage possible new risks, bringing them to the process of qualitative analysis we re-evaluate the existing risks and monitor the residual risks, by intercepting

significant changes in the Risk Factor and / or nell'EMV we close the risks no longer verifiable while communicating that event to

stakeholders we measure the level of the use of the contingency reserve to ensure a proper usage

and to ensure a necessary availability during the life of the project

Step 9: At the end of the project: we ensure that the DB of the risks and gathered lessons learned during the risk

management are incorporated in updating project documents we release the contingency reserve for risks that have not occurred (consistently with

the requirements in the Risk Management Plan)



Attachments

Definitions of risk probability and impact

Probability and impact matrix

Risk Breakdown Structure (RiBS)

Risk Register Exam

ples

of t

he o

pera

tiona

l too

ls

for R

isk

Man

agem

ent

25

Definitions of risk probability and impact

Risk Factor determination

(P x I)

Based on "A Guide to the Project Management Body Of Knowledge (PMBOK Guide®)", Project Management Institute, Fifth Edition, 2012 , tab.11-1, p. 318


Definition of probabilty scale

Definition of impact scale

Probability and impact matrix

Based on "A Guide to the Project Management Body Of Knowledge (PMBOK Guide®)", Project Management Institute, Fifth Edition, 2012 , fig. 11-10, p. 331


Negative and positive risks ranking

Action on negative risks

Action on positive risks

Risk Breakdown Structure (RiBS)

Based on "A Guide to the Project Management Body Of Knowledge (PMBOK Guide®)", Project Management Institute, Fifth Edition, 2012 , fig. 11-4, p. 317

The risk categories and the Risk Breakdown Structure (RiBS) are two assets defined by the Company and included in the Risk Management Plan. According to the risk identification results the risk are aggregated by categories and the updated RiBS will be generated. This asset will be part of the Risk Management Plan.


Project

1. Technical 2. External 3. Organizational 4. Project Management

1.1 Requirements

1.2 Technology

1.3 Complexity and Interfaces

1.4 Performances and Reliability

1.5 Quality

2.1 Sub contractors and

Suppliers

2.2 Regulatory

2.3 Market

2.4 Customer

2.5 Weather

3.1 Project Dependencies

3.2 Resources

3.3 Funding

3.4 Priorization

4.1 Estimating

4.2 Planning

4.3 Controlling

4.4 Communications

Risk Register Below is an example of a full risk register. Starting from the identification information of the risk, the risk register will be enriched with the informations gathered during the entire Risk Management project (qualitative risk analysis, quantitative risk analysis, plan risk response).

According to the timing stated by the Risk Management Plan, the risk informations shall be promptly updated and in any case, the Project Manager has to guarantee the alignment with the real stratus of the project

Please, click on the hyperlink or send me an email to: [email protected] to request the risk register in Microsoft Excel version.


mailto:[email protected]

mailto:[email protected]

Glossary

Activity. A distinct, scheduled portion of work performed during the course of project.

Assumptions Analysis. A technique that explores the accuracy of assumptions and identifies risks to the project from inaccuracy, inconsistency, or incompleteness of assumptions.

Baseline. The approved portion of work product that can be changed only through formal change control procedure and is used as a basis for comparison.

Brainstorming. A general data gathering and creativity technique that can be used to identify risks, ideas, or solutions to issues by using a group of team member or subject matter expert.

Business Case. A documented economic feasibility study used to establish validity of the benefits of a selected component lacking sufficient definition and that is used as a basis for the authorization of further project management activities.

Change Request. A formal proposal to modify any document, deliverable, or baseline.

Checklist Analysis. A technique for systematically reviewing materials using a list for accuracy and completeness.

Contingency Reserve. Budget within the cost baseline or performance measurement baseline that is allocated for identified risks that are accepted and for which contingent or mitigating responses are developed.

DB Risk. Homogenous collection of business risks, useful to support risk analysis on projects.

Decision Tree Analysis. A diagramming and calculation technique for evaluating the implications of a chain of multiple options in the presence of uncertainty.

Delphi Technique. An information gathering technique used a way to reach a consensus of expert on a subject. Experts on the subject participate in this technique anonymously. A facilitator uses a questionnaire to solicit ideas about the important project points related to the subject. The responses are summarized and are then recirculated to the expert for further comment. Consensus may be reached in a few round of this process. The Delphi technique helps reduce bias in the data and keeps any one person from having undue influence on the outcome.

Earned Monetary Value (EMV). A methodology that combines scope, schedule, and resource measurements to assess project performance and progress.

GANTT Diagram. bar chart with information about the schedule in which the assets are listed on the vertical axis, the dates are shown on the horizontal axis and task durations are indicated as horizontal bars positioned according to the dates of beginning and end. 31

Basato su "Guida al Project Management Body Of Knowledge (Guida al PMBOK®)", Project Management Institute, Quinta Edizione, 2012

GANTT Diagram. bar chart with information about the schedule in which the assets are listed on the vertical axis, the dates are shown on the horizontal axis and task durations are indicated as horizontal bars positioned according to the dates of beginning and end.

Influence Diagram. A graphical representation of situations showing causal influences, time ordering of events, and other relationships among variables and outcomes.

Interviews. A formal or informal approach to elicit informations from stakeholders by talking to them directly.

Ishikawa Diagram. Diagramming technique through which the causes of the low risk are identified starting from the effects on the size of the project and that will be defined by these project risks.

Lesson Learned. The knowledge gained during a project which shows how project events were addressed or should be addressed in the future with the purpose of improving future performance.

Management Reserve. An amount of the project budget withheld for management control purposes. These are budgets reserved for unforeseen work that is within scope of the project. The management reserve is not included in the performance measurement baseline (PMB).

Nominal Group. A technique that enhance brainstorming with a voting process used to rank the most useful ideas for further brainstorming or for priorization.

Process. A systematic series of activities directed towards causing an end result such that one or more inputs will be acted upon to create one or more outputs.

Process/System Flow chart. The depiction in a diagram format of the inputs, process actions, and outputs of one or more processes within a system.

Project. A temporary endeavor undertaken to create a unique product, service or result.

Project Budget. The approved estimate for the project or any work breakdown structure component or any schedule activity

Project Management. The application of knowledge, skills, tools, and techniques to project activities to meet the project requirements.

Reserve. A provision in the project management plan to mitigate cost and/or schedule risk. Often used with a modifier (e.g. management reserve, contingency reserve) to provide further detail on what types of risk are meant to be mitigated.

Residual Risk. A risk that remains after risk responses have been implemented. 32 Basato su "Guida al Project Management Body Of Knowledge (Guida al PMBOK®)", Project Management Institute, Quinta Edizione, 2012

Risk Attitude. The answer is choice of an individual or a group in a climate of uncertainty and that is driven by the perception.

Risk Factor. Result obtained by multiplying the probability and impact during the Qualitative Risk Analysis that allows you to make a first classification of the identified risks.

Risk Owner. A team member or an external person that helps the Project Manager during the risk management and that takes care directly of the management and tracking of the risk responses that have been assigned to him.

Risk Reassessment. Risk reassessment is the identification of new risks, reassessment of current risks, and the closing of risks that are outdated.

Risk Threshold. Measure of the level on uncertainty or the level at which a stakeholder may have a specific interest. Below that risk threshold, the organization will accept the risk. Above that risk threshold, the organization will not tolerate the risk.

Risk Tolerance. The degree, amount, or volume of risk that an organization or individual withstand.

Risk Urgency Assessment. Review and determination of the timing of actions that may need to occur sooner than other risk items.

Route Cause Analysis. An analytical technique used to determine the basic underlying reason that causes a variance or a defect or a risk. A root cause may underline more than one variance or defect or risk.

Secondary Risk. A risk that arise as a direct result of implementing a risk response.

Sensitivity Analysis. A quantitative risk analysis and modelling technique used to help determine which risks have the most potential impact on the project. It examines the extent to which the uncertainty of each project element affects the objective being examined when all other uncertain elements are held at their baseline values. The typical display of results is in the form of a tornado diagram.

Stakeholder. An individual, group, or organization who may affect, be affected by, or perceive itself to be affected by a decision, activity, or outcome of a project.

SWOT Analysis. Analysis of strengths, weaknesses, opportunities and threats of an organizations, project , or option.

Trigger Condition. An event or condition that indicates that a risk is about to occur.

Watch List. List of risks to be monitored, but on which no response strategy has not been provided.

WBS. A hierarchical decomposition of the total scope of work to be carried out by the project team to accomplish the project objectives and create the required deliverables.

33 Basato su "Guida al Project Management Body Of Knowledge (Guida al PMBOK®)", Project Management Institute, Quinta Edizione, 2012

34

Bibliography

Guida al Project Management Body of Knowledge (Guida al PMBOK®), Quinta Edizione, Project Management Institute, 2013

Professione Project Manager, M. Martinati, A. Caccamese, Franco Angeli, 2013

Dispense Corso di preparazione alla certificazione PMP, TI HR Services and Eureka Service, 2013

Leadership & Management

Project risk management - Methodology and application