Unit 2 - Project Risk Management - 5th Ed

Project Risk Management
Unit 2
Unit 2 – Project Risk Management
© Copyright 2009 Start to Finish PM, Inc.
© Copyright 2013 Start to Finish PM, Inc. All rights reserved
Unit 2 - Objectives
By the end of this section, you will be able to:
• Define Project Risk, Risk Events and Risk Conditions
• Understand the difference between Threats and Opportunities
• Understand the difference between a risk and an issue
• Articulate the role of the project manager in risk management
• Follow a structured approach to risk management
According to the PMBOK® Guide, project risk is really just uncertainty about what will
happen in the future, but an uncertainty that has consequences. What can happen can
either be good, bad or neutral. Many of us are only concerned about bad outcomes, so
our focus is on the potential negative impacts, but a strong case can be made for
addressing those positive impacts of a potential risk. These opportunities can accelerate
our project schedule, reduce costs and improve quality, and, for these reasons alone,
should be explored.
There are many tools that can help in the identification of both positive impact risks
(opportunities) and negative impact ones (threats), but one of the more obvious is a
SWOT analysis. A SWOT analysis is a tool where we examine where to apply specific
focused efforts to achieve a particular outcome. SWOT stands for:
• Strengths
• Weaknesses
• Opportunities
• Threats
From a risk perspective, strengths and opportunities represent risks with positive impacts,
and weaknesses and threats are those with negative impacts.
Positive vs. Negative Impacts
• Risk Management involves making decisions
• Decisions and actions have consequences
• Risk events with Negative Impacts – Threats
• Risk events with Positive Impacts – Opportunities
Since risk represents uncertainty that has consequences, decisions must be made as to
how to deal with these questions. These decisions, and actions taken as a result of them,
will depend upon a number of factors, such as probability of occurrence, impact to the
success criteria of the project, urgency, etc. Each choice we make will influence how the
risk is managed, and carries with it certain consequences.
For example, pretend you were going to renovate your kitchen. You make up the
following partial list of uncertainties:
1. I’m not sure that I will like the color of the kitchen wall once painted.
2. I’m not sure that I will like the color of the appliances once installed.
3. I’m not sure that I will like the placement of the sink and appliances once
   installed.
4. I’m not sure whether I should perform the plumbing and electrical work
   myself, or find a craftsman to do it.
As you can see from this list, the choices one makes regarding colors, placement and
resources for this project will depend not only on your own individual tolerance for risk,
but also, your stomach for dealing with any consequences as a result of these choices.
For example, if you consider yourself a good painter, then the choice of color for the
kitchen may not have such serious impacts. However, your choice of color for the
appliances, and their placement, could have more serious financial consequences.
Your choice as to whether to do some of the work yourself could save you some money
(opportunity), or, if you’re not handy, cost more in rework (threat). You might choose to
balance the short term cost risk (paying a contractor to do the work) vs. the long term cost
risk (causing a fire due to poor wiring). Your choice will be influenced by your analysis
of the consequences and their chance of occurring.
Risk Events and Risk Conditions
• Risk Event – an incident or consequence
that has negative or positive impacts to the
project objectives
• Risk Condition – a situation or
environment that contributes to the
uncertainty that has positive or negative
impacts
Project risk is often expressed as an event or situation that has positive or negative
outcomes. For example, consider the following:
Risk Event or Condition | Consequence
We don’t have enough available staff | We’ll finish the project late
The weather forecast is for pleasant working conditions | We can start outdoor work earlier
We are new to project technology | Technology could perform differently than expected
Each event or condition has a probability of occurring, which leads to the consequence,
or impact, listed. Part of our decision-making process for dealing with a risk will be to
explore these probabilities and make a judgment based upon our tolerance for the impact.
However, these events or conditions have associated root causes, and part of our decision
as to an appropriate response, will be a determination of how controllable these root
causes are, and what actions, if any, can be taken to change the initial environment, so
that the risk event or condition can be lessened in probability, or eliminated completely.
Risk Management vs. Issues Management
Risks
– Uncertainty
– Probability: 1% - 99%
– Varying degrees of impact
– Proactive based upon analysis
– May not happen
Issues
– Certainty
– Probability: 100%
– Varying degrees of impact
– Reactive based upon urgency and analysis
– Definitely has happened
The central difference between a risk and an issue revolves around the question of
uncertainty. As we have seen, a risk is an uncertain event, and we track not only the
impact of the risk should it occur, but also the probability that it will occur. For a risk,
the probability of occurrence varies between 1% and 99%.
An issue is a certain event or condition that will impact the project in some way. Here,
there is no concern over probability – the event has occurred (probability = 100%), and
we must deal with it.
We will spend some time discussing issues in Unit 8.
Why Manage Risks?
• Issue Prevention
• Increase likelihood of meeting project
objectives
• Take advantage of opportunities
• Deal with problems early on
• Apply a graded approach to project
activities
• Team Development
The simple answer is this – you are either practicing risk management, or you’ll be
reacting to issues and developing workarounds. Risk management has a future-focus,
where the project team elects to spend time and money dealing with potential problems
now, rather than wait for the problems to show up and deal with them later. We would
also like to take advantage of beneficial outcomes as well, to increase the likelihood that
the project has a successful conclusion.
Realized risks are problems that often do not get better with age. Generally speaking, the
sooner you deal with a problem, the less costly and time-consuming the solution tends to
be. Practicing risk management allows one to address problems early when these
solutions are small.
Clearly, not every risk identified will actually occur on a project. It would have to be an
extremely unfortunate project, or one where risk identification was incomplete, for every
risk to be realized. What is needed, then, is a sensible, graded approach towards dealing
with project risk. Risk management activities have to be balanced out so that not too
much effort is devoted to outcomes that have little chance of occurring. Having a good
risk management plan can provide this level of tailored processes.
Finally, reactive fire-fighting is one way to destroy any team morale that may exist.
Constantly reacting to problems and developing unplanned responses to realized risks
will wear on a team, and break down any cohesion amongst its members. Performing
risk management is one way to avoid this obstacle to team development.
What Happens If You Don’t
Manage Risks?
• Failure to meet project’s success criteria
– Missed deadlines
– Cost overruns
– Missed requirement/Requirements creep
– Quality issues
• Missed Opportunities
– Exceeding cost, schedule, quality targets
– Incentives, bonuses
Simply put, not managing risks proactively ultimately means that the events will
overcome any decisions that could be made by the project team. The team will then be
forced to react to the events, often in a less than optimal fashion.
The two main outcomes of not managing risks are:
1. The criteria for a successful project, generally expressed in scope, cost,
   time and quality objectives, are compromised by events that went
   unplanned.
2. Opportunities to exceed expectations are missed due to a lack of forward
   thinking and preparation.
Exercise
Identify Typical
Project Risks
In this exercise, you will document some typical risks you encounter on a project.
EXERCISE:
1. Each individual will come up with as many risks as possible. Write each risk on a
sticky note.
2. After the allotted time, each person will place their sticky notes on a wall or
whiteboard along with the rest of their team members.
3. Review the list of risks uncovered. Remove any duplicates.
Practical Risk Management
Guidelines
• Not all risks are equal
• Take a practical approach
• Risk management is a team exercise
• Continuous risk management
• Risk management needs to be integrated with other project efforts
  – Scheduling
  – Budgeting
  – Quality management
As previously noted, project teams need to tailor the amount of process they add to
project activities, including the process of risk management. This graded approach
allows team members to focus on the urgent and significant uncertainties, and adopt a
less formal and rigorous treatment of those less severe.
Typical project teams identify hundreds of risks on their project. However, it would not
be a good use of a resource’s time to try to manage them all. Some risks are more
significant than others, and they are the ones we should act upon. Other, less significant
ones might be accepted without treatment, saving the team the time and energy it would
take to analyze and develop responses to the risk. Not all risks need responses.
Proactive risk management is a team exercise. Individuals and groups who will be doing
the risk monitoring and controlling, as well as those performing any risk response
activities, all benefit from being involved in the risk management planning, risk
identification and analysis exercises. Generally speaking, it is a good practice to involve
those who perform project work in the planning of that work. You will gain more
commitment to the work, if you let the team members involved help plan it.
One common fault often seen in projects is the tendency to introduce risk management in
sporadic spurts, often very heavy at the start of the project, and then trailing off as the
project gets underway. Project teams need to practice risk management continuously
throughout the project. And these risk management efforts need to be integrated into the
overall project planning as well. Too often, teams try to interject risk management
activities after the schedule or budget has been set. Risk management activities, like
other project management activities, need to be planned before setting any performance
measurement baselines, to be effective.
Underlying PM Concept
[Figure: cycle diagram with the labels Plan, Do, Check, Act]
Walter Shewhart and W. Edwards Deming are known for creating the Plan-Do-Check-Act
(PDCA) cycle, and this is the foundation of all project management process
interactions. First, we develop the plan, and then, we execute that plan (DO). While
executing, we monitor the results (CHECK), and take corrective actions or make changes
to our plans (ACT). The model is cyclic and designed for continuous improvement –
each pass through the cycle should result in improved plans, execution, monitoring and
controlling.
The PMBOK® Guide processes use PDCA as their foundation.
The Triple Constraint
[Figure: Triple Constraint diagram with the labels Time, Cost, Scope, Quality and Stakeholder Expectations]
The primary influences on a project are the constraints of time, cost and scope and
quality. The triangle created by the time, cost, and scope and quality expectations of the
stakeholders is referred to as the Triple Constraint Model. Usually, stakeholders will
specify what, when, and how much of each as a part of a total package request.
This model is also referred to as the “Iron Triangle” as a change to one side of the
triangle cannot be made without affecting one of the other two sides. It is the project
manager’s role to manage all the variables by applying different tools and techniques,
knowledge and skills.
For example, if the product is desired sooner, then it may cost more or some features may
have to be eliminated from the end-item deliverable. If scope or quality features are
added, then the project may cost more, take longer, or both. If the customer changes a
project’s funding, the time, scope and quality values may react.
Resources and risks are among the list of constraints that the project team needs to
balance. The project at hand will determine which constraints are fixed, and which are
negotiable, and what constraints will need to have the primary focus.
The project manager must adhere to the constraints until they are formally, or
contractually, changed by the customer. The essence of project management is the
management of human resources, material assets, and other capital towards the successful
completion of the project’s goal.
Project Objectives
• Include the measurable success criteria of
the project
• Have a wide variety of business, cost,
schedule, technical and quality objectives
• Can also include Cost, Schedule and
Quality targets (Triple Constraint)
• Should be defined in measurable terms
The Project Scope Statement contains one section that every project manager should take
special care in defining – the project objectives. The project manager is the individual
assigned to meet the project objectives. Success for the project, and project manager, is
defined in these objectives.
Note the use of the word “measurable” in the definition. Schedule and Cost objectives
are often easy to measure. Did you finish on time? Were you on, under or over budget?
Quality objectives tend to be the ones that are problematic.
Too often, projects have “fuzzy” quality objectives like the following:
o User friendly
o Attractive
o Robust
o Useful
o Fast
How do you measure these? Compare the above list with the following:
o Users can correctly complete a sales order in less than 1 minute 95% of the time
o Catalog uses at least 4 different colors per page
o Product can support 10,000 customer inquiries
o Customers can permanently change their contact information
o Manufacturing process can produce 2,000 widgets per hour
It would be a lot easier to measure the above list. So, when defining the project
objectives, list the cost and schedule objectives, but be careful to list the quality
objectives in measurable terms. Look for statements that can only be answered by “yes”
or “no” answers.
Managing Uncertainty
[Figure: chart with the labels Uncertainty, Cost to Fix a Problem, and Time]
At the beginning of the project, the amount of unknown information is at its highest level.
On a well-managed project, this level of uncertainty should decrease, as we replace
unknowns with known information, using a process called Progressive Elaboration. As
we move through the various life cycle phases from Concept, through Planning and
Construction to product delivery, we learn more about the overall work of the project,
and therefore, should be able to more effectively manage the project’s activities and
deliverables.
At the same time, we are building equity as we produce project deliverables. At the
beginning of the project, we have no product at stake, so if we were to uncover a design
flaw, or missed requirement, it would be relatively easy, from a time and cost
perspective, to fix. However, as we move through the various phases of the project, it
becomes increasingly more expensive to fix problems. Imagine the cost and effort
required to fix a product problem after it has been installed or delivered to the customer.
Many of us are familiar with product recalls, and can only imagine how much more
expensive it is to perform a recall than to fix the product before it left the manufacturer.
Some software developers have claimed that it costs 1,000 times more to fix a software
problem after it is in production, than to fix it before it was tested!
The point of all this is to illustrate that Risk (uncertainty) and Quality (fixing problems)
are related to the effort required to proactively plan a project effectively. Project
Management is not useless overhead, but rather a structured effort to manage the
uncertainties and problems that inevitably come up as part of working with “unique
products, services or results”.
Project Manager’s Role in Risk
Management
• Ultimately responsible for project success
• Through actions and decisions, set the example
for stakeholders
• Set up risk management processes for project
• Communicate and document risk for
stakeholders
• Lead project team in identification, analysis and
response activities
• Leverage Lessons Learned
The PMBOK® Guide defines the project manager as “the person assigned by the
performing organization to achieve the project objectives.” If we accept that the project
objectives are the measurable success criteria for the project, then the project manager is
the individual responsible for achieving a successful outcome for the project.
As such, the project manager needs to set the example for the project team, and all the
rest of the project’s stakeholders, when it comes to risk management. Effective risk
management demands a commensurate organizational attitude towards risk management
activities. If these activities are viewed as non value-added or wasteful, then the project
team will not perform them, to the detriment of the project.
As the key individual on the project, the project manager must set in motion all risk
management activities, from setting up the ground rules for risk management, to leading
the team in risk management activities like risk identification, risk assessment, risk
response planning, and risk monitoring and control. Included in this, is the responsibility
to correctly document and communicate risk management activities to appropriate
stakeholders.
Finally, project managers should lead the team in periodic lessons learned sessions,
where any process improvements are noted and incorporated into any future risk
management activities. Teams should be learning new things throughout the project, and
include all these into any existing and future plans.
Team Member Roles
• Proactively practice risk management
• Perform risk identification, analysis and
response planning activities
• Act as risk owners
• Look for opportunities as well as threats
• Monitor and report on risks
• Carry out risk response plans or
contingent response strategy
Project team members have an important role in practicing effective risk management.
Like the project manager, team members need to be practicing examples of how
important it is to effectively manage project risk. Included in this behavior is the
responsibility to look for risks with positive impacts (opportunities) as well as those with
negative ones (threats).
Project team members will be the ones actually performing the risk management
activities on the project. Certain members should be involved in setting up the ground
rules for risk management, documented in the Project’s Risk Management Plan. One of
the roles various team members will be assigned is that of a risk owner. A risk owner is
an individual or group responsible for managing the assigned risk. This responsibility
includes:
• Tracking and reporting on all risk-related activities
• Monitoring the project, and other activities, looking for risk triggers
• Carrying out the planned risk response
• Monitoring the response to examine its effectiveness
Project team members should also be involved in the periodic risk re-assessment
activities. These activities should occur regularly throughout the project life cycle, as
things change, new risks arise, and former ones are retired.
Risk Management – A Structured
Approach
• Create a risk management process model to
use for this project
• Identify risks (both positive and negative
impacts) as a team exercise
• Assess each risk and rank all risks
• Develop risk responses to the highest ranked
risks
• Monitor risks throughout the project
• Proactively respond to realized risks
• Capture lessons learned regarding risk
management activities
Risk Management is a proactive process that allows the project team to apply a graded
approach to risk. Risks are first identified, and then analyzed, for probability of
occurrence and impact upon the project objectives. From there, a list of prioritized risks
can be developed, and response plans for the most serious developed.
The above slide presents the idea that Risk Management activities occur throughout the
project lifecycle. It also indicates that we will be adopting a “graded approach” to risks,
so that we don’t waste time dealing with lower ranked risks and focus our attention on the
more important ones.
Tailoring Risk Management
This concept of tailoring the amount of risk management activities appropriate to the
amount of risk inherent in the project can be illustrated by the diagram above. The goal
of our risk management process is to funnel the large amount of risks identified to the
significant few that we actually manage and proactively control.
Each step in our structured process will be to filter our list of risks to those that we will
actively deal with during the project. We want to make sure that we are not spending time
and effort worrying about risks that have too little chance of occurring or have negligible
impacts.
The funnel shows that the large set of risks identified early will be whittled down to the
few that we will actively respond to by using the assessment processes (Qualitative and
Quantitative Analysis). Response plans will be developed for those risks, and we will
track and report out on them during project execution. Needless to say, all of these
processes described need to be documented in the Risk Management Plan, which
explicitly states all risk management activities.
PMBOK® Guide Project Risk
Management Processes
• 11.1 Plan Risk Management
• 11.2 Identify Risks
• 11.3 Perform Qualitative Risk Analysis
• 11.4 Perform Quantitative Risk Analysis
• 11.5 Plan Risk Responses
• 11.6 Monitor and Control Risks
The PMBOK® Guide devotes an entire chapter (Chapter 11) to Project Risk
Management. In this chapter, there are 6 specific risk management processes, each
producing deliverables to assist in the risk management process.
PMBOK® Guide Section | Process Name | Key Output
11.1 | Plan Risk Management | Risk Management Plan
11.2 | Identify Risks | Risk Register
11.3 | Perform Qualitative Risk Analysis | Risk Register (Prioritized)
11.4 | Perform Quantitative Risk Analysis | Risk Register (Quantified)
11.5 | Plan Risk Responses | Updates to Risk Register, Project Management Plan updates, Contracts
11.6 | Control Risks | Updates to Risk Register and Organizational Process Assets, Change requests, Recommendations for action
Exercise
Case Study
EXERCISE:
1. Read the project case study in Appendix A.
2. Underline or highlight any areas where you initially see the need for risk
   management.
3. Discuss briefly with project team members at your table.
Unit 2 - Summary
• In this unit, we
  – Defined Project Risk, Risk Events and Risk Conditions
  – Explained the difference between Threats and Opportunities
  – Learned the difference between a risk and an issue
  – Articulated the role of the project manager in risk management
  – Learned a structured approach to risk management