January 2007
All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording, or otherwise, without the prior written permission of ESI International.
All material from A Guide to the Project Management Body of Knowledge (PMBOK
Guide), Third Edition is reprinted with permission of the Project Management Institute,
Four Campus Boulevard, Newtown Square, Pennsylvania 19073-3299, USA, a
worldwide organization of advancing the state-of-the-art in project management. Phone:
(610) 356-4600, Fax: (610) 356-4647.
PMI did not participate in the development of this publication and has not reviewed the
content for accuracy. PMI does not endorse or otherwise sponsor this publication and
makes no warranty, guarantee, or representation, expressed or implied, as to its
accuracy or content.
PMI does not have any financial interest in this courseware and has not contributed
any financial resources.
"PMI" is a service and trademark of the Project Management Institute, Inc., which is
registered in the United States and other nations.
"PMBOK" is a trademark of the Project Management Institute, Inc., which is registered in
the United States and other nations.
"PMP" is a certification mark of the Project Management Institute, Inc., which is
registered in the United States and other nations.
ESI International
901 Glebe Road
Suite 200
Arlington, VA 22203
Phone (703) 558-3000
Fax (703) 558-3001
CONTENTS
Chapter 1: Introduction to Risk
  Introduction to Risk
  Risk Characteristics and Exposure
  Risk Management
  Risk Management and the Project
  Types of Risk
  Characteristics of Risk Events
  Factors Affecting Risk Perceptions
  Chapter Summary
  Next Steps Action Plan
Chapter 2: Risk Management Planning and Identifying Risks
  Risk Management Planning and Identifying Risks
  Risk Management Process
  Risk Identification
  Risk Events and Risk Event Lists
  Chapter Summary
  Next Steps Action Plan
Chapter 3: Analysis Fundamentals
  Establishing Risk Measurement Parameters
  Presenting Risk Information
  Probability Analysis and Rules of Probability
  Chapter Summary
  Next-Steps Action Plan
Chapter 4: Analyzing and Prioritizing Risk
  Next Steps in Risk Management
  Step 3: Analyzing Risks
  Impact Analysis
  Tools and Techniques for Risk Analysis
  Overall Risk Rankings
  Step 4: Prioritizing Risks
  Risk Prioritization Process and Tools
  Prioritized Risk Listing
  Chapter Summary
  Next-Steps Action Plan
Chapter 5: Risk Response Planning
  Risk Response
  Risk Response Planning Process
  Risk Response Strategies for Threats
  Risk Response Strategies for Opportunities
  Schedule Risk Response Planning
  Response Analysis Matrix
  Reserves
  Risk Management Plan
  Chapter Summary
  Next-Steps Action Plan
Chapter 6: Risk Execution, Evaluation, and Updating
  The Final Risk Management Steps
  Risk Monitoring and Control
  Step 6: Execute Risk Strategy
  Step 7: Evaluate Results
  Step 8: Document Risk Management Results
  Chapter Summary
  Next-Steps Action Plan
Chapter 1: Introduction to Risk
This chapter introduces the fundamentals of risk in a project.
Introduction to Risk
Risk Overview
Any study of risk and risk management should begin with the
fundamentals: those basic terms and concepts that underlie all the more
detailed methods and activities that project managers and their
organizations apply and undertake. Some of these terms and concepts
are related to the project itself, because it is the project manager who is
ultimately responsible for risk management in his or her project. Others
relate strictly to the discipline of risk management. In any event, risk is
something that is a part of every project and has to be continuously
evaluated and dealt with throughout the project life cycle.
Whether you are encountering some of these terms for the first time or
whether you are an accomplished project manager, you have
undoubtedly experienced the realities of risk events in a project. In fact,
a project manager is in simple terms a risk manager. Every project
contains some level of risk. If it did not, it would not be worth pursuing.
As a result, project managers have to live with the reality of risk. Their
challenge is managing it.
Key Risk Definitions
Risk is an uncertain event or condition that, if it occurs, has a positive or
a negative effect on a project objective. Notice that in the definition, we
clearly stated that there is either a positive or negative effect on the
project. Risk is one of those words that immediately conjure up the
image of something bad. But it is important to remember that risk can
also provide positive benefits as well as negative ones. We will discuss
this in more detail later.
Risk management is the systematic process of identifying, analyzing, and
responding to project risk. We want to maximize the probability and the
impact of any positive risk factors and minimize the probability and
impact of those that might negatively affect the project.
Some organizations establish a risk office or assign a person to be the
risk manager. This generally is a mistake. The project manager is
ultimately responsible for risk, and taking the risk function out of the
project or establishing it as a separate function from the project may
cause the project manager to be less careful about risk events because
someone else is responsible for them. Besides, a person or group outside
the project knows less about the project requirements (and consequently
its risks) than the project manager and the project team do.
So as a project manager, assume you are responsible for the risks in your
project because, frankly, you are.
Risk Characteristics and Exposure
Three Defining Elements
A project risk has three defining elements:
It is a definable event.
There is a probability the event will occur.
There is a consequence to the project if the event occurs.
The event is what could happen, both good and bad, to the project.
Remember that risk by itself is a neutral word; it could be something
devastating that might happen, or it could be an opportunity to improve
the organization's capability or profit. Regardless, the risk event is what
could happen to the project.
It is very important to determine when a risk event might occur. If the
event is likely to occur early in the project life cycle, then it must be
addressed immediately. Potentially long-term risk events, that is, events
that probably will occur later in the project life cycle, must be planned
for but don't have to be addressed immediately (other than for
contingency planning).
The frequency of an event also is important to determine. A risk event,
even a low risk event, can be disrupting and even disastrous to a project
if it is likely to occur over and over. So if you can determine the
likelihood that an event will keep occurring, it can help you plan for the
eventuality and perhaps even eliminate the risk completely.
The probability of the risk is simply the chances the event will occur.
Clearly, there may be a potential event, but if the chances of it occurring
are slim to none, then it is not really a risk at all as a practical matter. As
we will see later, it is important to consider this aspect of risk and, if
possible, assign an actual percentage probability to the occurrence of risk
events. Assigning a probability figure enables one to use additional
planning tools in preparing against the risk's impact.
The consequence of the occurrence of any risk event is measured in
terms of its impact on the project. The project can have an identified risk
event with a high probability of its happening; but if the impact (even if it
does happen) is low, then the risk can be ignored or at least tolerated.
Risk Exposure
With these elements described, the amount of risk exposure to the
project and to the organization can be determined.
Risk exposure is another way to describe the impact of a risk event
occurring. Risk exposure is determined by multiplying the probability
times the impact. Stated another way, most project managers equate risk
exposure with expected value. (Expected value is a common measure
used in risk and quality assessments, but it will be reviewed in a later
chapter.) This is one instance in which senior management is not
particularly interested in the gain from a risk event; when a senior manager asks,
"What is our risk exposure?" the interest is in determining what the cost
to the project or organization could be.
One of the challenges the project manager and the project team face is
defining risk. Even though we provided a definition of risk and described
its elements, the reality is that everyone views risk differently. For
example, if one asks, "What is the risk?" he or she may be asking for a
description of the risk event.
Another person might ask, "What is the risk?" and be referring to the
impact of the risk or the risk exposure to the organization. Thus, it is
imperative that the project manager be well versed in risk management
and particularly adept at determining exactly what the person wants to
know. More importantly, the project manager must be able to describe
exactly what the person wants to know within his or her frame of
reference. The latter can be greatly aided by understanding the different
types of risks.
Risk Management
Benefits of Risk Management
Knowing that the project manager is responsible for project risk
management may not provide a sense of comfort, but considering how a
good risk management program can benefit the project and organization,
every project manager should strive to be an accomplished risk manager.
There are several benefits of risk management. They include:
Minimizing management by crisis: When a risk event occurs,
there is always a reactive response to it if the risk was not
anticipated.
Minimizing surprises and problems: As you will soon discover,
identifying and planning for risk is the best way to avoid being
surprised by it.
Gaining competitive advantage: Any well-developed,
documented, and implemented risk process reduces schedule
and cost impacts of risk events, thus improving the organization's
advantage in the marketplace.
Decreasing overall project variances: One major problem in
project management is maintaining project progress within tight
variances from the plan. Risk management is one of the principal
ways of reducing these variances. If the risk is expected and a
response is rapidly implemented, then the project's planned track
is more likely to be maintained.
Increasing the probability of success: Keeping the project on its
planned schedule and budget enhances the probability that the
project can be completed successfully.
Increasing profitability: Poor risk planning invariably leads to
rework, scheduling problems, and cost overruns; good risk
planning eliminates many of these problems and contributes
directly to the bottom line.
Project Manager and Team Member Responsibility in Risk Management
We mentioned earlier that the project manager has ultimate responsibility
for risk management in his or her project. We also mentioned that it is
not wise to assign a separate person or group to be responsible for risk
because the tendency is to assume someone is taking care of the risk
problems when, in fact, he or she may not be. That does not mean that
the project manager can't assign task leaders or other team members to
be responsible for watching the potential risks that have been identified
in their tasks and for implementing the risk response strategy to cope with a
risk should it happen.
The project manager is responsible for initiating and leading the risk
management process. This is done by integrating the risk management
plan into the project plan and then ensuring that every team member is
familiar with the identified potential risks, when they are likely to occur
during the project life cycle, the task(s) they are likely to affect, and the
approved response strategy to mitigate each risk.
The project team members are responsible for performing the risk
management process by watching for risk triggers (that is, indicators that
a risk event could occur), actually implementing the appropriate risk
response strategy, and most importantly, reporting the status of the risk to
the project manager. A closely coordinated risk management plan and a
defined and documented risk management process will help ensure a
smoothly run and successful project.
Risk Management and the Project
Risk Management Is Integrated with the Project Planning Process
Risk management has to be performed throughout the project life cycle,
and the identification of potential risk events is begun during the earliest
project planning stages.
There are several steps in the risk planning process, and each one is
discussed separately in detail in this text. But it is important to remember
that the risk management process cannot be performed piecemeal; it
must be done as a total process with every step reevaluated every time
risk is assessed during the project.
Generally, the steps of the risk process are
Identification
Quantification
Response development
Response control
These are the major steps, which will be expanded and discussed in
depth in the next chapter when we introduce the ESI Risk Model. The
reasons for introducing these steps here are twofold: to lead into how
one can begin identifying risks during project planning and to accentuate
the fact that there are specific steps to the risk management process that
cannot be overlooked. This concept will become clearer during the
following discussion.
At the beginning of a project, the earliest that you will have some sense
of its risks is during the assessment of the requirements. The customer
almost always makes some statements as to when the product or service
is needed. That statement potentially defines a risk. For example, if the
customer states that the product must be operational by no later than a
particular date, that may create a risk because it may not be possible to
deliver by that date without extraordinary efforts such as working
overtime, hiring new resources, teaming with another company, or
engaging consultants. There also will be other statements in the
requirements that indicate risks. For example, the customer may place
restrictions on the budget and product reliability or maintenance
requirements.
The next opportunity to identify risk is in the development of the WBS.
The WBS is, in the opinion of most project managers, the best place to
identify risks because after the tasks are identified, the attendant risks
almost identify themselves. For example, if a required task is one that
your organization has little or no expertise to deliver, then clearly it is a
risk; even if your organization has the expertise, the resources may not be
available when they are needed. Another opportunity for identifying risk
is while doing budget and schedule estimates. Obviously, when tasks
are planned and the cost and time to do them are considered, there may
or may not be an impact to the project. Again, it is a matter of pure
resource availability and, during this assessment period, the skill sets that
are needed and available.
Thus, every aspect of the planning process offers opportunities to identify
risk. In addition, every project manager or team action or consideration
should be weighed against other project considerations because every
time a decision is made relative to one task, it invariably impacts other
tasks.
By the time the cost, schedule, and scope baselines are defined and
agreed upon, most of the risks in the project should be identified and
assessed as to whether they represent real risks, response strategies
should be developed, and an overall risk plan should be written.
Risk Management Is a Full Project Life-Cycle Responsibility
The best project managers are those who constantly evaluate and test
their plans and revise them on a regular basis. That is not to imply that
the project's baseline changes every few days; it does not. But planning
by definition involves estimating, which does require reevaluating and
refining. Every time any plan or any portion of a plan is updated, the risk
management plan must be reevaluated and updated too. Thorough risk
management is integral to the success of the project and without it, the
project may be doomed to failure before it ever begins.
But the news is not all dismal. As the project progresses, risk decreases.
It decreases simply because we learn more about the project and its risks
as time passes. Also, risk events that were predicted at the beginning of
the project either may not actually occur or, if they do occur, our
response strategies are put into place and we know how well the project
responded.
However, risk only decreases in the sense that the probability of a risk
event happening decreases. The impact of a risk event, if it should
happen, increases as the end of the project gets closer. This is true
because by the time the project is in its final phases, the investment of
time and money in the project is at its highest.
[Figure: Project Life Cycle. Risk and impact level plotted against time.]
Types of Risk
Are There Different Types of Risk?
Actually, there are different types of risk. Remember that we spoke of
opportunity for gain and the possibility of loss when risk is considered.
In a very real sense, that notion defines the types of risks that are
confronted in a project. Basically, at least for all practical purposes, there
are four types of risk that project managers and their teams need to be
aware of. They are
Business risk
Pure or insurable risk
Known risk
Unknown risk
Business Risk
Business risk is the normal risk of doing business and carries with it the
potential for both loss and gain. For example, suppose the customer for a
project decides to change the scope. The change may involve a negative
risk, that is, loss, because it might require expertise that your organization
does not possess. On the other hand, it might involve considerable gain
because it could mean significantly more profit if you can accomplish the
scope change efficiently. Business risk is the kind of risk an organization
should not only embrace but also pursue. It is the type of risk we can
manage.
Pure or Insurable Risk
Pure or insurable risk is the risk that is associated only with loss and has
no opportunity for gain. This includes threats such as fire or hurricane.
The organization needs to avoid or at least greatly reduce the direct
impact of this form of risk by passing it on to another party. This can be
accomplished by purchasing insurance or by teaming with another party
that has the expertise to do the job.
Generally, we think of this kind of risk in terms of catastrophic events,
such as fire, but the fact is, this kind of risk occurs when an organization
attempts to do a job without having the requisite skill sets or expertise.
Those are the cases where the solution is simply to team with a company
that has the skill and expertise to accomplish the task(s) in question.
Known Risk
Known risk includes those risks one should naturally be aware of (such as
scheduling problems because of limited or committed resources) that
must be identified and watched. Known risks are usually manageable,
because we know they exist and we know what has to be done to avoid
or deal with them. It is almost always possible to develop a strategy that
will deal with this type of risk. For example, if the known risk is that the
schedule could be impacted because of a shortage of resources at a
particular time, then the decision could be made to either hire additional
resources, team with another company, outsource the work, or negotiate
with the customer to delay work on that particular portion of the project.
Unknown Risk
Unknown risk is not so easy to deal with. By its very definition, it
includes risks that we cannot anticipate or plan for, except perhaps by
adding money to the management reserve fund.
An unknown risk is, for example, a tornado that strikes in an area not
usually susceptible to such weather phenomena. The disease AIDS was
an unknown risk before it hit millions of people.
Having reviewed the different types of risk, it is important to consider
some of the characteristics of risk events themselves.
Characteristics of Risk Events
Risk Events Overview
Recognizing risk characteristics aids in planning responses to them. One
or more of several characteristics are inherent in every risk event. Risk
events are
Situational
Interdependent
Magnitude dependent
Value based
Time based
Situational
Because risks can occur from actions by team members, stakeholders
(internal or external to the project) or just from the normal project
activities, risk inevitably must be handled on a case-by-case basis. In
short, risks are predictable only within limited parameters, and so the
ongoing use of sound project management tools and techniques that are
tried, documented, and available to team members is crucial.
Interdependent
One of the many problems in dealing with risks is that they are
interdependent; any risk event may affect or even create others. This
characteristic has two important ramifications. First, it means that every
risk must be frequently assessed to ensure that there are no
interdependencies or, if there are, that they are known and understood.
Second, if the domino effect of interdependent risks is large enough, the
immediate perception is that the project is too difficult. In the second
case, a "too risky" project is one that loses stakeholder and team member
support very rapidly.
Magnitude Dependent
Low risk events usually involve only a few people or relatively low costs.
In other words, the risk is low enough that its effect on the project can be
ignored. However, as the magnitude of the risk increases, it has impacts
on many people, organizations, and costs. The fact that the risk impact is
potentially greater is not necessarily bad; remember that risk has both a
loss and gain component. For example, if the customer increases the
scope of the project, the change might add increased risk to the
organization because the new requirement(s) may involve work outside
the organization's expertise. However, the increased scope may mean
larger profits if the organization can increase its skill base by either
teaming with another company, hiring the requisite experience and skills
needed, or negotiating a delay in providing the additional scope
requirements until the skill sets are trained.
Again, if the perception of risk is that it is too big to be handled, then the
project manager will lose stakeholder and team support. Arguably, the
bigger problem is that risks can become so big and affect so many people
or groups of people that the cost of involvement in the project outweighs
its potential payoff.
Value Based
Risk means different things to different people. The banking industry, for
example, is very conservative. Bankers do not lend money to people
who have poor credit ratings. On the other hand, venture capitalists
have no problem lending money on very risky ventures, provided the
payoff is large. So risk management in each organization will take on a
different complexion depending upon the organization's industry, its
business goals, its culture, and how well it is equipped and trained to
handle risks.
Time Based
Risk is a phenomenon that is time based; it is always in the future. In
fact, one can think of risk as a problem or opportunity that has not yet
arisen. Time also has a way of affecting the perception of risk. If there is
a lot of time remaining in a project or if a long period of time has passed
without any significant risk event occurring, then risk anxiety lessens. If
there is less time available to accomplish a task or project, then risk
anxiety heightens.
In the former case, with more time available, risk actually does lessen.
The more time we have, the more we understand about the project
requirements, how well the technical solution is working, whether the
proper personnel are on the project, and how efficiently the
management processes, including risk management, are working.
STIM-V
It is important to remember these risk characteristics because they affect
how we plan our risk responses, which is discussed in more detail later
in this text. One way to remember them is with the mnemonic, STIM-V,
which is (S)ituational, (T)ime based, (I)nterdependent, (M)agnitude based,
and (V)alue based.
Factors Affecting Risk Perceptions
Risk Perceptions Overview
Organizations and individuals have perceptions of risk that influence
their approach to it. There are many reasons why project teams and
organizations in general do not do a good job managing risk.
Understanding these reasons and factors affecting the perception of risk is
one key to improving the risk management process for your organization
and your project.
The factors that most affect the perceptions of risk are
Lack of control
Lack of information
Time
Risk preference
Lack of Control
Much of project risk is not within the control of the project team. It is
risk that is created by outside influences such as weather phenomena,
environmental or other regulations, or even actions from other project
and organizational activities. Perhaps the most common risks occur
when one project's schedule depends upon the schedule of resources
within other projects. If a key task requires, for example, tests by an
overworked, small, specialized test group within the organization, the
risk of that task and the project's schedule being affected has a high
probability.
Notice that one of the exacerbating factors with the lack of control
problem is that these risks tend to be unknowns. This is not always so, as
the lack of testing capabilities example shows; but it very often is.
Lack of information is the norm, particularly in the early stages of risk
identification. Generally, the lack of information is caused by incomplete
or poorly stated requirements, unfamiliarity with the customer or the
customer's needs, or lack of experience or skills with the likely technical
solution. The single biggest obstacle in obtaining adequate information is
time. Given enough time, we could collect all the relevant data needed
to identify and plan for nearly every risk, but most projects must meet
either a customer's operational schedule or a time-to-market imperative.
In addition to the impact of time on how much information is or is not
available, time has other important implications as well, some perceptual
and some real.
The farther into the future the potential risk event lies, the greater the
degree of uncertainty about the risk impact should the event occur.
On the other hand, the perception often is "out of sight and out of mind."
We tend to become complacent about the risk, and unless a
conscientious effort is made to continue assessing it, the risk event's
occurrence may come as a surprise and turn out worse than expected.
There is one good thing about time when it is used properly in the sense
of risk planning. Given adequate time, the project manager and his or
her team can change their approach or plan contingency approaches to
minimize the negative effects and maximize the opportunities that the
risk event holds.
Chapter Summary
There are three defining components of risk:
o The event itself (what can happen, good or bad, to the
project?)
o The probability of occurrence (how likely is it that the
event will occur?)
o The impact of the event (what is the effect on the
project if the event does occur?)
Risk can have either a negative or positive component if it
is business risk. This is the kind of risk every project and
organization should be pursuing, with the aim of reducing
the former and maximizing the latter.
Risk that has only a potential for loss is called pure or
insurable risk. This kind of risk should be avoided or
passed to a third party either by purchasing insurance, by
teaming with another company, hiring additional
personnel, or by renegotiating the delivery schedule.
Risk events are inherently situational, interdependent,
magnitude dependent, value based, and time based.
Risk management is the process of identifying, analyzing,
and responding to the risks in a project.
Next-Steps Action Plan
Take a few minutes to review what you have learned from the last unit
and how you will apply the principles learned when you return to your
organization.
1. How is risk managed in your organization today?
2. How does your organization view risk?
What are typical threats in your environment?
What are typical opportunities in your environment?
3. Who is responsible for dealing with risk in your organization?
4. Why is it so important for risk management to be performed
through the project life cycle?
5. Turn to the Action Plan on the next page and document your next
steps.
6. Develop a list of two or three actions you will complete when
you return to work.
7. Identify who you need to involve for each item you have listed.
8. Finally, identify the appropriate time frame for accomplishing
each of these steps. For items you know will be ongoing, identify
milestones for each period (3, 6, 9, and 12 months and over).
Action Plan: Apply what you have learned from this unit by developing a list of actions you will complete when you return to your organization.

| What do I want/need to do next? | Who | Time: 3 months | Time: 6 months | Time: 9 months | Time: 12+ months |
|---|---|---|---|---|---|
| 1. | | | | | |
| 2. | | | | | |
| 3. | | | | | |
| 4. | | | | | |
| 5. | | | | | |
| 6. | | | | | |
Chapter 2: Risk Management Planning and Identifying Risks
This chapter discusses the first two steps of the Risk Management Model.
To manage risks effectively, the project manager must obtain thoughtful
input on project risks from the project team. To do this, the project
manager must be able to convince the project team of the importance
and benefits of risk management based on his or her own understanding.
The project manager should be able to describe the basic eight-step ESI
risk management model and the activities that it includes, identify risks
using a variety of tools and techniques, and develop a risk listing for a
project.
What is the relationship between risk management and project
management? Project management involves planning, organizing,
directing, and controlling company resources to provide a product or
service on schedule, within budget, and in accordance with the
customer's stated requirements. Risk management is that part of project
management that deals with the processes of identifying, quantifying,
responding to, and controlling the risks inherent in a project.
In other words, there is a fundamental difference between risk
management and project management. Project management is the
process that gets us to an objective; risk management is an enabler to that
process. Risk management considers issues that could possibly affect that
process as it unfolds; project management looks at the process itself. Risk
management looks at how we can avoid problems; project management
looks at how we get beyond problems. It is a fundamental, very simple
difference. When it comes to risk management, we are looking at the
reality of day-to-day life and how we can have an impact on those things
that might stop us from getting to our objective. Project management is
the effort to work toward and actually reach that objective.
Risk Management Process
Like all project management processes, risk management involves the
application of tools and techniques to certain inputs to achieve certain
outputs. Inputs include such factors as the people involved and their
expectations. However, particular attention should be paid to the triple
constraints of time, cost, and scope (or schedule, budget, and quality). If
you lack experience in risk management, these constraints offer good
places to start looking for input, because all projects will have risks
associated with schedule, budget, and quality.
The desired outputs resulting from the use of various tools and techniques
include a list of prioritized risks, a risk response plan, and a list of risk
indicators that, with proper monitoring, will provide early indications of
risks that come to pass.
Both PMI
Guide in parentheses. The first two steps are addressed in this
chapter.
Risk Management Planning (Risk Management Planning)
Identify (Risk Identification)
Analyze (Qualitative and Quantitative Risk Analysis)
Prioritize (Qualitative and Quantitative Risk Analysis)
Plan (Risk Response Planning)
Execute (Risk Monitoring and Control)
Evaluate (Risk Monitoring and Control)
Document (Risk Monitoring and Control)
Risk management planning is the first step of an eight-step process. It
must be completed so that risk planning and analysis do not become
afterthoughts to project planning. It is important to set aside time and
processes to plan for project risk. This is done by conducting a team
meeting specifically to address risk issues. The agenda for the meeting
should include reviewing lessons learned from previous, similar projects
and reviewing all the project documents (statements of work, contracts,
specifications, resource availability charts, and so on) to ensure that the
team is aware of all potential risk sources. It should conclude with an
agreement on the process that will be followed and the tools and
techniques that will be used in planning for the risks associated with the
project in question.
Documenting and communicating are two activities throughout the eight-
step model that are ongoing and crucial to risk management planning.
Identifying risks is the second step in risk management, and it is
absolutely crucial. Risk identification is considered a key step in the
process according to ESI, PMI
Guide p. 261–263:
Accept
Mitigate
Transfer
Avoid
Sometimes a project manager must accept a risk because there simply are
no strategies available to deal with it. At other times, a project manager
may decide to accept a particular risk because that is the most sensible
approach. This should happen if analysis of all possible avoid, transfer,
and mitigate strategies reveals that their costs will be higher than the
amount of risk that can be tolerated. In either case, the project manager
and the organization must be able to tolerate the consequences of the
accepted risk should it occur.
Risk Response Strategies for Threats (continued)
There is, however, more than one way to accept a risk. As explained in
the PMBOK
Guide,
pp. 262–263, include the following:
Accept
Enhance
Exploit
Share
Strategies for dealing with opportunities are conceptual opposites of
corresponding strategies for dealing with threats.
Accepting an opportunity, which means choosing to do nothing about a
desirable risk, corresponds to accepting a threat. You simply decide to
deal with the matter if and when it arises.
Risk Response Strategies for Opportunities (continued)
Enhancing an opportunity means trying to increase its expected value. It
is the opposite of threat mitigation because you try to increase rather than
decrease either the probability or the impact of the opportunity, or both.
Exploiting an opportunity is the opposite of avoiding a threat, since you
try to ensure that the risk does occur instead of ensuring that it does not.
Sharing an opportunity uses the same logic as transferring a threat. You
share the opportunity with another party that takes the responsibility for
making the opportunity occur. Then you both can share in the wealth.
Schedule Risk Response Planning
Schedule risk response planning also must include an evaluation of the
project's network schedule. In fact, the project manager cannot properly
understand schedule risk exposures without the aid of a network
schedule. That is one of the main reasons why network scheduling
techniques are strongly preferred for project schedules.
In the case of scheduling impacts, the harm that a particular threat risk
might cause to the project is significantly influenced by the presence of
float in the network schedule. For example, suppose that there is a 50
percent risk of a 90-day delay in procuring a particular project
component. There appears to be a worst-case impact of a 90-day delay
and a risk exposure (or expected value) of a 45-day delay; but if that
particular procurement activity has 180 days of float, there is actually no
impact or risk exposure at all, and the risk can be ignored.
Thus, schedule risk exposure only arises when the risk of delay
approaches or exceeds the amount of float available to the activity at risk.
When that situation occurs, the project manager should be concerned
and should consider whether the threat is acceptable or requires some
risk response planning. If it does, measures to avoid, transfer, or mitigate
the risk should be evaluated against the network schedule until the
optimum plan is determined.
Response Analysis Matrix
Risks and responses can interact in strange ways. Project managers need
to analyze this interaction. The easiest way to do this is to create a matrix
of risks and risk responses with the risks listed by row in priority order
from top to bottom and the response strategies listed across the columns.
An example of a simple matrix is provided here for a shopping center
developer's project.
| Risks | Builder's Risk Insurance | Payment and Performance Bonds | Perform Additional Soil Borings | Reduce Contract Time |
|---|---|---|---|---|
| Fire or natural disaster | + | | | |
| Prime contractor default | | + | | |
| Liens from unpaid subcontractors | | + | | |
| Unexpected subsurface site conditions | | | + | |
| Open after holiday season | | | | + |
| Claims by contractor for additional time and money | | | + | - |

For each combination of a risk and a risk response, the matrix is marked
with a plus (+) or minus (-) sign to indicate a positive or negative effect
on risk exposure. As the sample matrix shows, one response strategy
may actually solve more than one risk problem. Requiring performance
and payment bonds addresses the risks of contractor default and
non-payment of subcontractors, and providing additional soil borings
minimizes the chances of encountering unexpected subsurface
conditions and also reduces the likelihood of contractor claims.
On the other hand, the response to one risk may exacerbate another, as
in the case of shortening the contract time. Although this strategy is
designed to maximize chances of completing the project in time for the
holiday shopping season, it also increases the probability of contractor
claims by making the schedule more difficult to meet. And of course,
one risk may be affected in different ways by two different strategies as
the risk of claims is by providing additional soil borings and by
shortening the contract time.
The key point to recognize is that risks and responses can interact in
unexpected ways, so the relationships of all risks and response strategies
must be considered together at the conclusion of response planning. The
risk response matrix is a useful tool for studying this interaction. The
final step in using it is to decide which strategies will be implemented
and which will not. The plus and minus signs for those that remain a part
of the risk response plan can be circled on the matrix to indicate that
decision.
Reserves
Reserves are an important part of the project plan and risk management
plan. They are needed to cover all the risks that have been passively or
actively accepted. They also are needed to provide an allowance for
unknowns. According to the PMBOK