Risk Management & the PMBOK

RiskManagement&thePMBOK
JohnH.Dittmer,VI
PMP, CISSPISSMP
PMP,CISSP
ISSMP

Disclaimer
Please
Pleasenotethattheviewsexpressedinthis
note that the views expressed in this
presentationarethepresentersonly.
Thesesviewsdonotrepresentanyofficial
Theses views do not represent any official
positionbyBoozAllenHamiltonoritsclients,
including any governmental agencies
includinganygovernmentalagencies.

Bottom Line Up Front (BLUF)

BottomLineUpFront(BLUF)
Project
ProjectManagersneedtorecognizethe
Managers need to recognize the
following:
Allprojectsentailacertaindegreeofrisk
All projects entail a certain degree of risk
RiskManagementPlansneedstobeincorporated
in Project Plans
inProjectPlans

Introduction to Risk
IntroductiontoRisk
Chapter11ofthe5thEditionofthePMBOK
p
GuidedealswiththeknowledgeareaofRisk
Management,asubjectofincreasingimportance
for project managers
forprojectmanagers.
Before
BeforeIdiscussindetailthesixproject
I discuss in detail the six project
managementprocessesinvolvedinthis
knowledgearea,Iwantedtotakesometimeout
to discuss some of the basic concepts of risk
todiscusssomeofthebasicconceptsofrisk
managementthatarediscussedatthebeginning
ofthischapter.

ISOssDefinitionofRisk
ISO
Definition of Risk
TheISO31000 (2009)/ISOGuide73:2002definitionof
riskisthe'effectofuncertaintyonobjectives'.Inthis
definition,uncertaintiesincludeevents(whichmayor
maynothappen)anduncertaintiescausedby
y
pp )
y
ambiguityoralackofinformation.
Italsoincludesbothnegativeandpositiveimpactson
objectives.
objectives.
Manydefinitionsofriskexistincommonusage,
howeverthisdefinitionwasdevelopedbyan
international committee representing over 30
internationalcommitteerepresentingover30
countriesandisbasedontheinputofseveralthousand
subjectmatterexperts.

PMIssDefinitionofRisk
PMI
Definition of Risk
According
Accordingto
to the 5thEditionofthePMBOK
5th Edition of the PMBOK
Guide,projectriskisanuncertaineventor
condition that if it occurs has a positive or
conditionthat,ifitoccurs,hasapositiveor
negativeeffectononeormoreproject
objectives such as scope schedule cost or
objectivessuchasscope,schedule,cost,or
quality.

KeystothePMIDefinition

So,thewords uncertainevent arekeytothedefinition.

Anothersetofkeywordsispositiveornegative.
Uncertaineventscanhaveapositiveornegativeimpactontheproject
objectives.
bj i
Thistechnicaluseofthewordriskdiffersfromtheordinary,everyday
definitionofriskwhichtendstomeanonlythoseeventswhichhaveanegative
impact.

PMIrecognizesthatthereissomedifferencebetweenthetechnical
definitionandtheordinarydefinitionofthewordrisk,becauseinthe
5thEditionofthe PMBOKGuidetherearealotofinstanceswhere
theywillusereducerisksandenhanceopportunities,the
opportunities,ofcourse,beingtheeventswhichimpacttheproject
f
b
h
h h
h
positivelyandtherisksbeingthosewhichimpactitnegatively.
Theyareconcedingtheeverydayusageofthewordriskinorderto
p
p
g
,
y
p
emphasizethepointbeingmade,thatyouhavetoreducetheimpact
orlikelihoodornegativeeventsandenhance thoseofpositiveeventsif
youaretrulydoingriskmanagement.
Thethirdkeypartofthedefinitionisthephraseifitoccurs. Ifariskthat
has been forecast actually occurs it is no longer a risk it is an issue We
hasbeenforecastactuallyoccurs,itisnolongerarisk,itisanissue.We
willdiscussawaytoquantifyitlater.

Definition of Risk Management

DefinitionofRiskManagement
RiskManagementistheidentification,assessment,andprioritization
ofrisksfollowedbycoordinatedandeconomicalapplicationof
y
pp
resourcestominimize,monitor,andcontroltheprobabilityand/or
impactofunfortunateeventsortomaximizetherealizationof
opportunities.
ProjectRiskManagementisanimportantaspectofproject
management.Riskmanagementisoneofthetenknowledgeareas
definedinPMBOK.Projectriskcanbedefinedasanunforeseenevent
or activity that can impact the project'ssprogress,resultoroutcomein
oractivitythatcanimpacttheproject
progress result or outcome in
apositiveornegativeway.Ariskcanbeassessedusingtwofactors:
impactandprobability.

Iftheprobabilityis1,itisanissue.Thismeansthatrisk
If the probability is 1 it is an issue This means that risk
isalreadymaterialized.Iftheprobabilityiszero,this
meansthatriskwillnothappenandshouldberemoved
fromtheriskregister.

Causes of Risk
CausesofRisk
The
Thecausesofriskcancomefromvarioussources,
causes of risk can come from various sources
suchas:
A
Arequirement,suchaslegalrequirementimp0sedby
requirement, such as legal requirement imp0sed by
lawsorregulations
Anassumption,suchastheconditionsinthemarket
(whichmaychange)
Aconstraint,suchasnumberofpersonnelavailableto
workonanygivenphaseoftheproject,or
k
i
h
f th
j t
Acondition,suchasthematurityoftheorganizations
project management practices
projectmanagementpractices

Known Versus Unknown Risks

KnownVersusUnknownRisks
Knownrisksarethosewhichcanbeidentifiedandanalyzed
b f h di
beforehandinsuchawayastobeabletoa)reducethelikelihood
h
t b bl t ) d
th lik lih d
oftheiroccurrence,orb)planariskresponse toreducetheir
impactintheeventthattheyoccur.
Theseriskresponses,aswewillshallsay,arepaidforoutofa
These risk responses as we will shall say are paid for out of a
contingencyreserve whichisnormallyundercontrolofthe
projectmanager.
An unknown risk,ontheotherhand,arethosethatarenot
identifiedbeforehand.
Iftheyarenotidentified,theycannotbeanalyzed,andof
coursecannotbemanagedproactively.
Ifthesekindofrisksoccur,theresponseiscalleda
If h
ki d f i k
h
i
ll d workaround
k
d
andispaidforoutofa managementreserve whichis
normally not undercontroloftheprojectmanager,butratherof
seniormanagement(hencethenamemanagementreserve).
g
(
g
)

Risk Attitude
RiskAttitude
Rememberthatriskhastwocomponents,the
uncertainty ofanevent,whichismeasuredbyits
of an event which is measured by its
probability,anditspotentialimpact ontheproject.
Amountofuncertaintythatanorganizationcanacceptis
measured by its risk appetite
measuredbyitsriskappetite
Amountofimpacttheorganizationcanacceptismeasured
byitsrisktolerance.

Th
Thecombinationoftheuncertaintyandtheprobability
bi i
f h
i
d h
b bili
cangiveyoutheamountthatneedstobeputasideto
handlethatrisk,sometimesreferredtoasthe reserve,
andtheamountofreservethattheorganizationcan
d h
f
h h
i i
acceptismeasuredbyits risk threshold. Itisthis
latterconceptwhichwilldeterminatewhatkindof risk
response theorganizationmaytake.
h
k

Risk Response
RiskResponse
Therearefourpossibleresponsestoarisk,depending
p
p
, p
g
onwhetherthereisloworhighprobabilityofits
occurring,andwhetherthefinancialimpactifitdoes
occurs is either high or low
occursiseitherhighorlow.
Avoid:Forhighprobability,highimpactevents
Transfer(suchaspurchasinginsurance):Forlow
probability,highimpactevents
Mitigate:Forhighprobability,lowimpactevents
Accept:Forlowprobability,lowimpactevents
Accept: For low probability low impact events

Thesearesomeoftheconceptsthatareusedwhen
planningriskmanagementonaproject.

Introduction to the PMBOK (Part 1)

IntroductiontothePMBOK(Part1)
Tocurethedisconnectbetweenmultipleprojectmanagement
models vying for an organization'ssattentionin1981the
modelsvyingforanorganization
attention in 1981 the
ProjectManagementInstitute(PMI)commissionedastandard
bywhichorganizationscouldstandardizeonhowtomanage
theirprojects,takingadvantageoftheirindustryneutral
experienceinthearea.
Whethertheorganizationwaspublicorprivate,smallorlarge,
Whether the organization was public or private small or large
andregardlessoftheindustrysectortheorganizationcould
utilizeacommonstandardofpracticeforalloftheprojectsin
th i
theirportfolio.
tf li

Introduction to the PMBOK (Part 2)

IntroductiontothePMBOK(Part2)
In
Intheirownwords,thePMIstatesthat,The
their own words, the PMI states that, The
"ProjectManagementBodyofKnowledge"
(PMBOK)isaninclusivetermthatdescribes
thesumofknowledgewithintheprofessionof
projectmanagement.Thisfullbodyof
k
knowledgeincludesknowledgeofproven,
l d i l d k
l d
f
traditionalpractices,whicharewidelyapplied,
as well as knowledge of innovative and
aswellasknowledgeofinnovativeand
advancedpractices,whichmayhaveseen
more limited use "
morelimiteduse.

Introduction to the PMBOK (Part 3)

IntroductiontothePMBOK(Part3)
Thereforebyestablishingonecommonbodyof
y
g
y
knowledgeanorganizationcanrelyuponproven
industrystandardsforprojectmanagementand
focus their resources on implementing a project
focustheirresourcesonimplementingaproject
(inthiscaseanaudit),ratherthanreinventinga
processthathasprovenitselftobeeffective.
Relyingonindustrystandardsthisagainallows
organizationstofocusontheircorebusiness
objectives rather than be distracted by the
objectives,ratherthanbedistractedbythe
developmentofyetanotherindependent
standard.

IntroductiontothePMBOK(Part4)
PMBOKalsorecognizesthattherearetenknowledge
areasthatmustalsobeconsideredasapartofthis
projectdevelopmentprocess.Thesenineknowledge
areasinfluencetheproject'sdirectionandguidesthe
decisionmakingprocessforallkeystakeholders
involvedintheproject.Thetenknowledgeareasare:

ProjectIntegrationManagement
Project Scope Management
ProjectScopeManagement
ProjectTimeManagement
ProjectCostManagement
Project Quality Management
ProjectQualityManagement
ProjectHumanResourceManagement
ProjectCommunicationsManagement
ProjectRiskManagement
ProjectProcurementManagement
ProjectStakeholdersManagement(NEW!Addedin5thedition)

Introduction to the PMBOK (Part 5)

IntroductiontothePMBOK(Part5)
Eachofthetenknowledgeareascontainstheprocesses
thatneedtobeaccomplishedwithinitsdisciplineinorder
toachieveaneffectiveprojectmanagementprogram.Each
oftheseprocessesalsofallsintooneofthefivebasic
processgroups,creatingamatrixstructuresuchthatevery
ti
ti t t
h th t
processcanberelatedtooneknowledgeareaandone
processgroup.
ThePMBOKGuide ismeanttoofferageneralguideto
managemostprojectsmostofthetime.Thereare
currentlytwoextensionstothePMBOKGuide:the
y
ConstructionExtensiontothePMBOKGuide appliesto
constructionprojects,whiletheGovernmentExtensionto
thePMBOKGuide appliestogovernmentprojects.

SummaryofMajorChangeswiththe
PMBOK5th Edition
d
ThecontentfromSection3TheStandardfor
f
ProjectManagementofaProjecthasbeen
movedtoAnnexA1.ThenewSection3addresses
project management processes and Process
projectmanagementprocessesandProcess
Groups.
The
TheadditionofanewKnowledgeArea
addition of a new Knowledge Area Project
Project
StakeholderManagement increasesthe
KnowledgeAreasfromninetoten.
Eachmajorknowledgeareahasbeenreinforced
intermsoftheirplanningprocesses.

PMBOK & Credential Exams

PMBOK&CredentialExams
How
HowwillthenewPMBOK
will the new PMBOKaffectexams?
affect exams?
ThePMP andCAPM examswillbeupdated
to reflect changes in the PMBOK 5th edition.
toreflectchangesinthePMBOK5thedition.
WhenwillPMIupdatethecredentialexams?
PMP::
CAPM:
PMI
PMISP
SP:
PMIRMP:
PgMP
g :

31July2013
31
July 2013
01July2013
31 August 2013
31August2013
31August2013
31July2013
y

One Method to Quantify Risk

OneMethodtoQuantifyRisk
Theannualizedlossexpectancy (ALE)istheproductofthe
annualrateofoccurrence(ARO)andthesingleloss
expectancy(SLE).Itismathematicallyexpressedas:
Supposethananassetisvaluedat$100,000,andtheExposure
F t (EF) f thi
Factor(EF)forthisassetis25%.Thesinglelossexpectancy(SLE)
t i 25% Th i l l
t
(SLE)
then,is25%*$100,000,or$25,000.

Theannualizedlossexpectancyistheproductoftheannual
p
y
p
rateofoccurrence(ARO)andthesinglelossexpectancy.
ALE=ARO*SLE
ALE
=ARO*SLE
Foranannualrateofoccurrenceofone,theannualizedloss
expectancyis1*$25,000,or$25,000.

ForanAROofthree,theequationis:ALE=3*$25,000.
Therefore: ALE = $75 000
Therefore:ALE=$75,000

Questions?
ThankYou!
JohnDittmer
Dittmer_John@bah.com