Q.1 Explain risk management process and its each steps in details.

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the
effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical
application of resources to minimize, monitor, and control the probability and/or impact of unfortunate
events or to maximize the realization of opportunities. Risks can come from uncertainty in financial
markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters as well as
deliberate attacks from an adversary. Several risk management standards have been developed, including those
from the Project Management Institute, the National Institute of Science and Technology, actuarial societies,
and ISO standards. Methods, definitions and goals vary widely according to whether the risk management
method is in the context of project management, security, engineering, industrial processes, financial
portfolios, actuarial assessments, or public health and safety.

The strategies to manage risk include transferring the risk to another party, avoiding the risk, reducing the
negative effect of the risk, and accepting some or all of the consequences of a particular risk.

Certain aspects of many of the risk management standards have come under criticism for having no
measurable improvement on risk even though the confidence in estimates and decisions increases.

In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and
the greatest probability of occurring are handled first, and risks with lower probability of occurrence and
lower loss are handled in descending order. In practice the process can be very difficult, and balancing
between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower
probability of occurrence can often be mishandled.

Intangible risk management identifies a new type of a risk that has a 100% probability of occurring but is
ignored by the organization due to a lack of identification ability. For example, when deficient knowledge
is applied to a situation, a knowledge risk materializes. Relationship risk appears when ineffective
collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures
are applied. These risks directly reduce the productivity of knowledge workers, decrease cost
effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk
management allows risk management to create immediate value from the identification and reduction of
risks that reduce productivity.

Risk management also faces difficulties in allocating resources. This is the idea of opportunity cost.
Resources spent on risk management could have been spent on more profitable activities. Again, ideal
risk management minimizes spending and minimizes the negative effects of risks.

Method

For the most part, these methods consist of the following elements, performed, more or less, in the
following order.

1. Identify, characterize, and assess threats
2. Assess the vulnerability of critical assets to specific threats
3. Determine the risk (i.e. the expected consequences of specific types of attacks on specific assets)
4. Identify ways to reduce those risks
5. Prioritize risk reduction measures based on a strategy

Risk management is a process which could be best described as being systematic. Risk management
must never be taken lightly by any organization. It is designed to deal with risks that may occur in regards
to any aspect of a project.

While risk management is crucially important, there are a number of additional things that project teams
can do to ensure their projects are completed properly and safely. Risk management can be broken down
into a number of different steps, and the first of these steps is to take the time to assess the risks that a
project faces.

By assessing the risks, you are essentially taking the time to think of the things that could go wrong. Once
you have an understanding of all the risks that a project faces, you will next need to prioritize them.

By prioritizing the risks, you will essentially take the time to figure out which risks are the most important,
in other words, you will rate the risk by how dangerous they are, as well as the probability of the risk
actually occurring. Risk priority numbers will generally be used to determine the amount of risk the
organization faces.

Once this step has been completed, the next step is to take the time to handle the abatement actions. To
do this, you will need to take the time to plan and put in place the actions which are needed to lower the
impact or the chance of the risk actually occurring. There are a number of different techniques that can be
used within the field of risk management.

The techniques will often differ based on the manner in which the risks have been analyzed. For instance,
the risk could be evaluated or ranked dependent on the severity, as well as the probability of occurrence.
Both effects analysis and failure mode may also be used for the purpose of analyzing and measuring risk.

No matter how you look at it, the fact remains that the risk management process is very important when it
comes to managing a project in the proper manner. There are often times when the risk management
process must be repeated multiple times throughout the life cycle for a given project. The project team
must study the risks and then prioritize them.

The following are the steps of risk management:

- Risk Identification
- Risk Analysis
- Risk Planning
- Risk Tracking
- Risk Control
- Risk Communication

Risk Identification:
Risk is an undesirable situation or circumstance, which has both a probability of occurring and a potential
consequence to project success.
Risk has an impact on cost, schedule, and performance. Risk identification is the process of identifying
uncertainty within all aspects of a project.
In other words: what might go wrong and what happens if it does. For most information system projects,
these risks may be grouped in the following categories:

- Technical. Risk associated with creating a new capability or capacity
- Supportability. Risk associated with implementing, operating, and maintaining a new capability
- Programmatic. Risk caused by events outside the project's control, such as public law changes
- Cost and Schedule. Risk that cost or schedule estimates are inaccurate or planned efficiencies
are not realized

Risks should be identified continuously by project participants (at all levels) and the project management
team should capture these risks in definitive statements of probability and impact. Lessons-Learned from
previous projects may be a significant source for identifying potential risks on a new project.

Risk identification process goals

- Encourage input of perceived risk from the team
- Identify risk while there is time to take action
- Uncover risk and sources of risk
- Capture risk in a readable format
- Communicate risk to those who can resolve it
- Prevent project surprises
- Checklist, interview, meeting, review, routine input, survey, working group.

Risk Analysis
Risk Analysis quantifies the identified risks and conducts detailed sensitivity studies of the most critical
variables involved. The outcome of these analyses may be a quantified list of probabilities of occurrence
and consequences that may be combined into a single numerical score. This single score allows project
risks to be prioritized.

Risk analysis process goals

- Analyze risk in a cost-efficient manner
- Refine the risk context
- Determine the source of risk
- Determine the risk exposure
- Determine the time frame for action
- Determine the highest-severity risk

Analysis process activities

- Group similar and related risks
- Determine risk drivers
- Determine the source of risk
- Use risk analysis techniques and tools
- Estimate the risk exposure
- Evaluate risk against criteria
- Rank risks related to other risks

Risk exposure (RE) = Probability × Cost

Risk Planning

Risk planning decides what to do about a project risk. Available actions are:

- Avoid the risk
- Assume the risk
- Transfer the risk

The action selected for each risk will depend on the project phase, the options that are available, and the
resources that can be used for risk management. A majority of project activities involve tracking and
controlling the project risk.

Risk planning process goals

- Provide visibility for key events and conditions
- Reuse successful risk resolution strategies
- Optimize selection criteria
- Understand the next action for each high severity risk
- Establish automatic triggering mechanisms

Risk planning process activities

- Develop risk scenarios for high severity risks
- Develop risk resolution alternatives
- Select the risk resolution approach
- Develop a risk action plan
- Establish thresholds for early warning
Risk Tracking
Risk tracking involves gathering and analyzing project information that measures risk. For example, test
reports, design reviews, and configuration audits are risk tracking tools used by project management to
assess the technical risk of moving forward into the next life cycle phase.

Risk tracking process goals

- Monitor the events and conditions of risk scenarios
- Track risk indicators for early warning
- Provide notification for triggering mechanism
- Capture results of risk resolution efforts
- Report risk measure and metrics regularly
- Provide visibility in risk status

Risk Control

Risk control takes the results of risk tracking and decides what to do and then does it. For example, if a
project design review shows inadequate progress in one area, the decision may be made to change
technical approaches or delay the project.

Risk Mitigation Techniques

Risk mitigation techniques are used to control or transfer risk until an acceptable risk level is reached. The
most common techniques are inherent in good management and engineering practice:

- Budget management reserve - mitigates cost risk
- Schedule slack - mitigates schedule risk
- Parallel development - mitigates technical risk
- Prototyping - mitigates technical risk

Risk resolution process goals

- Assign responsibility and authority to the lowest possible level
- Follow a documented risk action plan
- Report results of risk resolution efforts
- Provide for risk-aware decision making
- Determine the cost effectiveness of risk management
- Be prepared to adapt to changing circumstances
- Take corrective actions when necessary
- Improve communication within the team
- Systematically control the software risk

Risk resolution process activities

- Respond to notification of triggering event
- Execute the risk action plan
- Report action against the plan
- Correct the deviation from the plan

Risk Communication
Risk information should be communicated to all levels of the project organization and to appropriate
external organizations. This ensures understanding of the project risks and the planned strategies to
address the risk. Risk information then feeds the decision processes within the project and should
establish support within external organizations for mitigation activities. For example, an agency
comptroller who understands the project risks is more likely to allow the project manager to have a
management reserve within the project budget.
Communicating risk information in a clear, understandable, balanced, and useful manner is difficult. The
ability to state the problem at hand clearly, concisely, and without ambiguity is essential.

Force field analysis

Force field analysis is a technique to help people understand the positive and negative aspects of change.
It provides motivation to overcome the barriers. Compelling reasons that change is needed
provide motivation for the use of risk management.

Q.2 List the various categories of risk. Explain in brief seven risk
identification methods with its advantages and disadvantages.

Risk Categories
Risk management is an essential activity of project management. It is important to classify risks into
appropriate categories. Risks can be classified into the following 13 categories:

1. Operational Risk: Risk of loss due to improper process implementation, a failed system, or some
external event. Examples include failure to address priority conflicts, insufficient resources, or a lack of
proper subject training.

2. Schedule Risk: The project schedule slips when project tasks and schedule release risks are not
addressed properly. Schedule risks mainly affect the project and ultimately the company's economy, and may
lead to project failure.

3. Budget Risk: Wrong budget estimation or Project scope expansion leads to Budget / Cost Risk. This
risk may lead to either a delay in the delivery of the project or sometimes even an incomplete closure of
the project.

4. Business Risk: Non-availability of contracts or purchase order at the start of the project or delay in
receiving proper inputs from the customer or business analyst may lead to business risks.

5. Technical Environment Risk: These are the risks related to the environment under which both the
client and the customer work. For example, constantly changing development or production or testing
environment can lead to this risk.

6. Information Security Risk: The risks related to the security of information, such as the confidentiality or
integrity of the customer's personal / business data. A failure of access rights / privileges will lead to leakage
of confidential data.

7. Programmatic Risks: The external risks beyond the operational limits. These are outside the control
of the program. Such external events can include running out of funds, changes in customer product strategy
and priority, or changes in government rules.

Risk Identification Techniques

During risk identification, it is important to seek out the 'real' risks. There are various methods and tools
for capturing statements of risks. You want to search the realm of "what could happen" by a suitable
method that is convenient for your team. Some examples of popular techniques are listed below.
Techniques may be used alone or combined, depending on the approach that is best for the team.

• Brainstorming
• Surveys
• Interviews
• Working Groups
• Experiential or Documented Knowledge
• Risk Lists - Lessons Learned
• Outputs From Risk-Oriented Analysis
• Historical Information
• Engineering Templates
• Critical Path Templates

Techniques:

-Brainstorming- is a technique that is best accomplished when the approach is unrestrained or
unstructured (the facilitator accepts random inputs from the group). Group members verbally identify
risks, which provides the opportunity to build on each other's ideas. To achieve the desired outcome it is
essential that participants are familiar with the topics discussed, that relevant documentation is
provided, and that a facilitator who knows the risk process leads the group. A note-taker should be appointed
to capture the ideas that are being discussed. A structured brainstorming session, where each group
member presents an idea in turn, may be used where not all group members are participating. Structured
brainstorming ensures participation by all group members. Brainstorming can also be used during
planning to generate a list of mitigation strategies, possible causes for the risk, or other areas of impact;
however, it is not intended for in-depth risk analysis.

-Surveys- are a technique where lists of questions are developed to seek out risk in a particular
area. A constraint with this method is that people inherently don't like to complete surveys and may not
provide accurate information. The survey process is inherently a hands-off process with no insight into
the caveats that go with the answers. The value of the surveys may be difficult to determine due to
subjectivity in the answers or the focus of the questions themselves.

-Interviews- are an effective way to obtain risk areas. Group interviews can assist in identifying the
baseline of risk on a project. The interview process is inherently a questioning process. It is limited by
the effectiveness of the facilitator and the questions that are being asked. The interview can be
conducted before or after the brainstorming session. However if it is accomplished before the
brainstorming session, the results should be shared with the group after they have provided their inputs to
the risk list. If the interview(s) are accomplished after the brainstorming session has been completed, the
list of risks should be provided to all participants for comment before they are added to the risk list.

-Working Groups- are a great way to analyze a particular area or topic in a discussion process to
surface risks that may not be obvious to the risk identification group. The working group is usually a
separate group of people working a particular area within the project that is conducting the risk
identification.

-Experiential Knowledge- is the collection of information that a person has obtained through their
experiences. Caution must be used when using any knowledge based information to ensure it is relevant
and applicable to the current situation.

-Documented Knowledge- is the collection of information or data that has been documented
about a particular subject. This is a source of information that provides insight into the risks in a particular
area of concern. Caution must be used when using any knowledge based information to ensure it is
relevant and applicable to the current situation. It is important to understand any caveats that may
accompany the documented information.

-Risk Lists- are generally lists of risks that have been found on similar programs and/or similar
situations. Caution must be used when using this type of information to ensure it is relevant and
applicable to the current program or situation. It is important to understand any caveats that may
accompany the documented information.

-Risk Trigger Questions- are lists of situations or events in a particular area of a program that can
lead to risk for the program. These are situations or areas where risks have been discovered by other
programs. These trigger questions may be grouped by areas such as performance, cost, schedule,
software, programmatic, etc.

-Lessons Learned- are experiential knowledge that has been compiled into information that may
be relevant to the present project or to other projects within the organization. This source of information
may guide you in finding risk on your program. Caution must be used when using this type of information
to ensure it is relevant and applicable to the current program or situation.

-Outputs from Risk-Oriented Analysis- There are various types of risk-oriented analysis. Two
such techniques are fault tree analysis and event tree analysis. These are top-down analyses that
attempt to determine what events, conditions, or faults could lead to a specific top-level undesirable
event. This event with the associated consequence could be a risk for your program. A look at any Risk-
Oriented Analysis can reveal risk on your program or at least give you some insight into where risk may
be found.

-Historical Information- is basically the same as documented knowledge. The difference is that
historical information is usually widely accepted as fact.

-Engineering Templates- are a set of flow charts for various aspects of the development process.
These templates are preliminary in nature and are intended as general guidance to accomplish a top
down assessment of activities. These templates describe the engineering activities and give a list of the
inputs and outputs for each activity as well as listing some factors for consideration. Some valuable
information can be obtained from these; however they may be incomplete. Care must be taken to ensure
the missing critical aspects are not overlooked.

-Critical Path Templates- also known as the Willoughby templates, show areas of risk and provide an
outline for reducing risk for each area or function throughout the entire life-cycle. These templates were
published in DOD 4245.7-M, September 1985, by the Assistant Secretary of Defense, Acquisition and
Logistics. The templates are helpful, however, keep in mind that the material is dated.
