
Managing Project Risk Project Skills

Paul Newton
www.free-management-ebooks.com
ISBN 978-1-62620-986-4

Copyright Notice
© www.free-management-ebooks.com 2015. All Rights Reserved
The material contained within this electronic publication is protected under International and Federal Copyright Laws and treaties, and as such any unauthorized reprint or use of this material is strictly prohibited. You may not copy, forward, or transfer this publication or any part of it, whether in electronic or printed form, to another person, or entity. Reproduction or translation of any part of this work without the permission of the copyright holder is against the law. Your downloading and use of this eBook requires, and is an indication of, your complete acceptance of these ‘Terms of Use.’ You do not have any right to resell or give away part, or the whole, of this eBook.

Table of Contents
Preface
Visit Our Website
Introduction
Managing Project Risk
Creating a Risk Management Plan
Identifying Project Risks
Performing a Risk Analysis
Planning & Controlling Risk Responses
Summary
References

Preface
Every project involves risks and every project needs to have a management strategy for dealing with the threats and opportunities represented by each risk. This eBook explains the key issues and concepts involved in effective risk management in a clear and accessible way, providing a comprehensive approach that is applicable to all sizes of project, whether requiring detailed, quantitative analysis or a rougher approach using only qualitative analysis.

You will learn:
● Why a proactive approach to risk management is necessary.
● How to develop a risk management plan that will protect the project.
● How to identify and document risks.
● How to prioritize risks by assessing their probability and impact.
● How to assess risks using both qualitative and quantitative approaches.

Visit Our Website
More free management eBooks (FME) along with a series of essential templates and checklists for managers are all available to download free of charge to your computer, iPad, or Amazon Kindle. The FME online library offers you over 500 free resources for your own professional development. Our eBooks, Checklists, and Templates are designed to help you with the management issues you face every day. We are adding new titles every month, so don’t forget to check our website regularly for the latest releases. Visit http://www.free-management-ebooks.com

Introduction
Everything that is done in business contains some measure of risk. No matter what the activity, there is an element of risk that must be analyzed and weighed against the potential rewards. The best organizations are those that can choose the right risks to take on, and the ones to avoid. Dealing with too little risk often means that the organization is being too conservative and is limiting its potential for growth—too much risk, however, and the company is likely to crash and burn at some point along the way.

[Figure: Risk, a future event that may or may not happen; if it occurs, what is the effect on project scope, schedule, cost and quality?]

As projects are a regular part of business, it only stands to reason that they incur a certain level of risk as well. Managing project risk deals with the activities involved in identifying potential risks, assessing and analyzing them, and finally monitoring them throughout the life of a project. Every project will have a unique set of risks based on the specific details of the work being done. It is often up to the project manager to outline these risks ahead of time and include them as part of the overall plan of the project.
[Figure: Requirements, assumptions, constraints or conditions can cause risks (which include threats and opportunities), creating potential positive or negative outcomes.]

Dealing with the risk inside of a project isn’t much different from dealing with any other business risks that you encounter. While it probably isn’t possible to foresee all potential risks that could come down the line, planning for as many of them as you can will give the project its greatest chance at success.

Identifying the Risks
Before a project even gets started, it is essential that any potential risks are identified and a strategy for managing such risks developed. One of the best ways to do this is by learning from past experience—either your own experiences, or those of the organization as a whole. Even if the type of project you are working on presently is different than anything you have done before, it is likely the organization has already done something at least remotely similar. Look back on those projects to see how they played out. Did anything pop up along the way that you could be ready for this time? Learning from the past is the best way to predict the future, especially in business.

Another risk identification strategy to use is speaking with all of the members of the project team and asking for their input. Although they might not have the same high-level view of the project that you do as manager, they likely have a great deal of knowledge within their specific field of expertise. Ask them to highlight the potential risks that they see developing down the line and work on making plans for those possibilities as well.

There is only one output of this process and that is the all-important risk register, which plays a key role in how well a project is monitored during its execution.
[Figure: Risk Register, a list of all risks with their root cause, category and responses; it may be used to update the Risk Breakdown Structure (RBS).]

Among the most common risks that need to be dealt with are losing key members of the team partway through the project, or running out of money to see the project all the way through to completion. In the case of both of those risks, there are steps that can be taken to mitigate the damage they would do and be prepared in the event that they do occur.

For example, having redundancy within your team can help to limit the damage if a team member moves on to another job partway through the work, and building the project in such a way that it can be ‘paused’ while waiting for more funds could prevent it from being completely wiped out by a temporary lack of funding.

Evaluating the Risks
With a list in place that highlights which risks you will be taking on during the project, you can start looking closely at each of them and deciding what kind of threat they actually are. Is the risk something that would do long-term damage to the organization if it came to pass? Usually, risks that fall into this category are of the legal variety. A project that could put you in legal trouble for one reason or another is often one to be avoided.

However, if the worst-case for a project is simply some wasted time and a small amount of wasted capital, you may decide that those risks are worth the potential reward. It is all about balance in risk management, so the pros and cons have to be weighed carefully with respect to each potential risk.

[Figure: Risk Probability, the likelihood each risk will occur; Risk Impact, which looks at the potential effect on schedule, cost, quality or performance.]

Both qualitative and quantitative analysis must be performed for each risk.
Firstly, each risk is assessed and rated according to its likely probability and then secondly on the impact it would have on the project if it happened. There are a variety of tools that are used to assist in these processes:

Techniques used in Risk Analysis

Qualitative Risk Analysis
○ Risk Probability & Impact Assessment
○ Probability & Impact Matrix
○ Risk Data Quality Assessment
○ Risk Categorization
○ Risk Urgency Assessment
○ Expert Judgment

Quantitative Risk Analysis
○ Data Gathering & Representation Techniques
○ Quantitative Risk Analysis & Modeling Techniques:
  ○ Sensitivity Analysis
  ○ Expected Monetary Value (EMV) Analysis
  ○ Decision Tree Analysis
  ○ Tornado Diagrams
  ○ Monte Carlo Analysis
○ Expert Judgment

Beyond what kind of damage a certain risk could do is the consideration of how likely that risk is to occur. For example, a risk that is very likely to occur and would also be highly damaging to the company is one to take very seriously. On the other hand, a risk that is unlikely to be realized and also wouldn’t do much harm is one that you can mostly ignore.

Mitigating the Risks
This was touched on briefly above, in terms of taking steps to limit the damage that any of your potential risks would do. The easiest example to understand is the one regarding members of the team.

When you are building a team to work on the project, keep in mind that not every team member will see the project through from start to finish.
If you only have one person who is capable of performing a vital portion of the work, you are exposed to risk if that person should leave for any reason. Instead, there should be as much redundancy as possible—especially in the critical areas of the project—so the loss of one or two people along the way doesn’t derail the entire project.

[Figure: Strategies for Dealing with Project Risk Responses: Negative Risks or Threats; Positive Risks or Opportunities; Contingent Response.]

Doing what you can to limit your exposure to risk throughout the project, while still giving the project a chance to succeed, is the task that a project manager takes on. No one likes to have to deal with risk, but it is an unavoidable part of doing business. The best that can be done is to evaluate each risk that you might face, and weigh it against the potential rewards that are waiting at the end of the project.

Project managers also plan how they will control risks using a variety of tools and techniques shown in the diagram below.

[Figure: Methods used to Control Risks: Risk Reassessment; Meetings; Risk Audits; Reserve Analysis; Variance & Trend Analysis; Technical Performance Measurement.]

The goal is to make the level of risk acceptable to the organization and to take steps that minimize the element of risk as much as possible.

Managing Project Risk
A risk is a future event that may or may not happen, but if it does occur it will have an effect on project scope, schedule, budget, or quality. It may have one or more causes and, if it occurs, it may have one or more impacts.

All project activities carry some element of risk, which are uncertainties about them that could affect the project for better or worse. It is important to understand the difference between business risks and project risks.
What a project manager needs to know is the likelihood that a risk will occur and, if it does, what it will impact, as this affects the project plan.

[Figure: Risk, a future event that may or may not happen; if it occurs, what is the effect on project scope, schedule, cost and quality?]

What is certain is that if the risk happens in the future it will have an effect on project scope, schedule, cost, or quality.

The important distinction that must be understood is the difference between business risks and project risks. Business risks are more general and relate to the organization, whereas project risks relate specifically to the project objectives.

Business risk implies uncertainty in profits or danger of loss and the events that could pose a risk due to some unforeseen events in future, which causes business to fail. (Wikipedia)

For example,
● Project scope—to build the stadium to the agreed specification within an agreed timescale and budget.
● Project risk—that the building costs may be higher than expected because of an increase in materials or labor costs.
● Business risk—even if the stadium is constructed on time and within budget that it will not make money for the business. This could be because of lower than expected ticket sales or higher than expected maintenance costs. These risks exist outside of the scope of the project.

Risks are caused by a requirement, assumption, constraint, or condition that creates the possibility of negative or positive outcomes.
[Figure: Requirements, assumptions, constraints or conditions can cause risks, with potential positive or negative outcomes.]

Continuing the example above: a risk cause would be a change in health and safety legislation during the build phase, whereas a risk outcome would be increased costs to modify the parts of the stadium in accordance with the new legislation before it can be used.

The project impact on cost, schedule and performance needs to be assessed:
1. Shortage of skilled personnel due to demand by other building projects.
2. Unexpected cost of inspection & license.
3. The build of the affected parts of the stadium can be brought forward to finish project on time.

Risks include both threats and opportunities that project managers must assess. Opportunities do have uncertainty associated with them, but they should be grasped, and action taken to ensure that they are realized. Threats have potentially negative impacts that the project management team should strive to mitigate.

Organizations and stakeholders are willing to accept varying degrees of risk. This is called risk tolerance. Risks that are threats to the project may be accepted if they are in balance with the rewards that may be gained from taking them.

For example, using unproven productivity-boosting software is a risk taken in the expectation that the work will be completed more quickly and with fewer resources. The risk of the software not performing as advertised would need to be considered as part of the risk assessment.

All organizations have a ‘risk tolerance’ that is affected by their legal status and their culture. For instance, a pension fund is likely to be more risk averse than a small start-up company. In all cases, attitudes to risk are driven by perception, tolerances, and other biases, which should be made explicit wherever possible.
[Figure: Risk Tolerance, a balance of risk vs reward, affected by organizational culture, legal status, perceptions, and attitudes and biases.]

To be successful, the organization should be committed to address risk management proactively and consistently throughout the project. A conscious choice must be made at all levels to actively identify and pursue effective risk management during the life of the project. Communication about risk and its handling should be open and honest.

Risk exists the moment a project is conceived. Moving forward on a project without a proactive focus on risk management increases the impact that a realized risk can have on the project and can potentially lead to project failure.

Key Points
● A risk is a future event that may or may not happen but if it does occur it will have an effect on project scope, schedule, cost, or quality.
● Risks include both threats and opportunities because both have uncertainty associated with them.
● A project manager needs to know the likelihood that a risk will occur and its potential impact to the project if it does.
● All organizations have a ‘risk tolerance’ that is affected by their legal status and their culture.
● Attitudes to risk are driven by perception, tolerances, and other biases, which should be made explicit wherever possible.

Creating a Risk Management Plan
A risk plan details how the project management team will perform risk management for this project. It does not involve actually identifying project risk. The aim of the risk plan is to ensure that the risk management protocol that is used on the project is commensurate with both the risks and the importance of the project to the organization.

Establishing this protocol early on in the project ensures that all members of the project management team are using the same methods to evaluate risks and that the associated tasks are budgeted for in the project plan.
You can check out the complete range of Project Management PDF eBooks free from our website.

The level of detail in the risk plan will depend upon the level of risk within the project and the level of risk that the performing organization is prepared to take. This plan will need to be consistent with certain other project documents.

For example, the project charter document provides the selected project manager with the authority to organize and control the defined resources of the organization for the duration of the project. It can also be referred to as the project definition, or project statement, and is a statement of the scope, objectives, and participants in a project.

It establishes the authority assigned to the project manager, especially in a matrix management environment, and is completed by the sponsor or individual initiating the project. The project name is usually shortened or abbreviated into a working title for ease of communication.

There are several key sections that you need to include in your project charter. They are:
1. Contact points for key individuals of the project.
2. Project Purpose—the issue/problem to be solved by the project.
3. Business Objectives for the project as they relate to the organization’s strategic plan.
4. Assumptions that have been made as part of the project.
5. Description of the project.
6. Definition of the project scope and the limits identified.
7. Overview of major milestones and deliverables for the project.
8. Project Authority—including an organization chart and definition of roles and responsibilities.
9. Resources required for the project including costings, equipment, staffing, support, operational & IT facilities.

The scope statement defines the scope of the project, which will have a direct bearing on the type and amount of risk that is likely to be encountered. It provides a clear definition of such risk areas.
The cost plan defines how risk in terms of budgets, contingencies, and management reserves will be reported and accessed.

The schedule plan includes information about activities and their timing including aspects such as internal and external constraints that will help identify risk areas.

The communications plan includes information on all key stakeholders and in particular their concerns for specific risks, and hence, how such communications should be handled.

You will also need to take account of any legal obligations and regulatory frameworks that the organization may be subjected to as well as processes and procedures to be followed, the industry and its norms towards risk and the organization’s appetite towards risk.

[Figure: Analytical Techniques, Expert Judgment and Meetings are used to understand risks associated with a project.]

Collective decision-making is a very important area of project management that can make or break this part of the project. Almost all risk management activities will involve meetings between the project manager, the team and other stakeholders in order to make decisions about the activity definitions and associated estimates.

How well these meetings are conducted will have a major impact on how smoothly the project runs. To learn more about making your meetings effective, download the free Meeting Skills eBooks, checklists and templates, which cover all aspects of meetings including how to set an agenda that will ensure that the meeting achieves its aims and how to chair a meeting so that it is as productive as possible.

The resulting risk management plan forms part of the project plan and describes how managing risk will be structured and performed on the project. It contains the following elements:

Methodology
Defines the approaches, tools, and data sources that may be used.
Roles and Responsibilities
This part of the plan needs to make clear who is responsible for each type of activity in the risk plan, and clarifies their responsibilities.

Budgeting
This part of the plan assigns resources and estimates the funds needed for managing risk. These are included in the cost performance baseline, and establish how any extra funding required (if risks are realized) will be raised.

Timing
This part of the plan defines when and how often the risk management activities will be performed throughout the project life cycle.

[Figure: Risk breakdown structure (RBS) for Project Ohio, with risk levels 1 to 3 branching from External and Internal categories.]

Risk categories
This provides a structure that ensures a comprehensive process of systematically identifying risks to a consistent level of detail. An organization can use a previously prepared categorization framework, which might take the form of a simple list of categories or might be structured into a risk breakdown structure (RBS) as shown in the diagram.

This is a hierarchically organized depiction of the identified project risks arranged by risk category and subcategory that identifies the various areas and causes of potential risks.

Definitions of Risk Probability and Impact
This ensures that all stakeholders have a common understanding of these definitions. For example, if the probability of a risk can be described as low, medium or high, what do these categories actually mean? Similarly, what effect would a high impact event have on the project in practical terms? How much would it add to the costs? Could anything be done to mitigate it?
Risk Impact Scales for Project Ohio—Major Objectives
Major Objective <5% 10% 20% 40% Scope Minimal Minor areas Major areas Unacceptable to Sponsor Quality Very Minor Minimal Specific Need OK of Sponsor Sponsor Reject Project ended Time None Trivial <8% rise 15% rise 25% rise >30% Cost <1% < 8% 15-20% 40-50% 55-65% >70% 60% 85% Project abandoned

The table above is an example of definitions that could be used in evaluating risk impacts related to scope, quality, time and cost. By using pre-defined definitions in this way, the project management team ensures that everyone involved is talking the same language when it comes to risk.

Probability and Impact Matrix
Risks are prioritized according to their potential implications for having an effect on the project’s objectives by using a matrix like the one shown.

| Probability \ Impact | Negligible-1 | Minor-2 | Moderate-3 | Significant-4 | Severe-5 |
|---|---|---|---|---|---|
| >81% | Low Risk | Moderate Risk | High Risk | Extreme Risk | Extreme Risk |
| 61-80% | Minimal Risk | Low Risk | Moderate Risk | High Risk | Extreme Risk |
| 41-60% | Minimal Risk | Low Risk | Moderate Risk | High Risk | High Risk |
| 21-40% | Minimal Risk | Low Risk | Low Risk | Moderate Risk | High Risk |
| <20% | Minimal Risk | Minimal Risk | Low Risk | Moderate Risk | High Risk |

The specific combinations of probability and impact that lead to a risk being rated as ‘extreme,’ ‘high,’ ‘moderate,’ ‘low’ or ‘minimal’ importance, with the corresponding importance for planning responses to the risk, are usually set by the organization.

Revised Stakeholder Risk Tolerances
If there is a need to revise stakeholder risk tolerances then these should be documented.

Reporting Formats
This part of the plan describes how the outcomes of the risk management processes will be documented, analyzed, and communicated. It describes the content and format of the risk register as well as any other risk reports required.
Tracking
This part of the plan describes how risk activities will be recorded for the benefit of the current project, as well as for future needs and lessons learned, and whether and how risk management processes will be audited.

Key Points
● A risk plan details how the project management team will perform the tasks associated with managing risk for this project. It does not involve actually identifying project risks.
● Establishing this protocol early on in the project ensures that all members of the project management team are using the same methods to evaluate risks and that the risk management tasks are budgeted for.

Identifying Project Risks
Project risks should be documented in the risk register, a list of all of the identified risks, their root causes, categories and responses. Because the assessment of risk is an ongoing activity, the risk register will be updated continuously throughout the life of the project.

All project team members should be encouraged to identify risks and this is an iterative process because new risks may become known as the project progresses. The process of identification should involve the project team so they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions.

The risk plan defines the level of risk that is considered tolerable for the project, how risks will be managed, who will be responsible for them, what time and cost is needed for each, and how risk will be communicated.

The stakeholder register lists all of the project stakeholders as well as describing and classifying them. This information will be useful in soliciting inputs for identifying risk, as it will ensure that key stakeholders participate in the process.
Other elements of the overall project plan that describe how cost, schedule and quality are to be managed and implemented will have a bearing on project risk, as will information on how project human resources are going to be defined, staffed, managed, and eventually released.

The scope of the project in terms of the products to be created and the activities required will be a source of risks. Any estimates of cost and duration are useful in identifying risk as they provide a quantitative assessment of the likely cost to complete scheduled activities. Reviewing these may indicate that the estimate is insufficient to complete the activity and hence poses a risk to the project.

These include the assumptions log, work performance reports, earned value reports, network diagrams, baselines, and other project information proven to be valuable in identifying risks.

[Figure: Methods used to Identify Project Risks: Documentation Reviews; Information Gathering; Checklist Analysis; Assumptions Analysis; Diagramming; SWOT Analysis; Expert Judgment.]

If the project requires buying-in of resources, procurement documents become a key input to this process. The complexity and the level of detail of such documents should be consistent with the value of, and risks associated with, planned procurement.

Laws and regulations governing the creation or use of the project’s products need to be taken into account along with the operational environment within which the project is taking place. The views of the project stakeholders and their willingness to accept risk must also be taken into consideration.

Risks can be identified directly by experts with relevant experience of similar projects or business areas.
These experts should be identified by the project manager and invited to consider all aspects of the project and suggest possible risks based on their previous experience and areas of expertise. There are also several techniques that can be used to identify project risk.

Documentation Reviews
These are structured reviews of all project documentation up to this point in time including plans, assumptions, previous project files, contracts, and other information. The quality of the plans, as well as consistency between those plans and the project requirements and assumptions, can be indicators of risk in the project.

Missing, inaccurate or incomplete information may hinder the identification of risks and may itself be a source of risk. You can also use the risk breakdown structure developed either from this project or from a previous project to help ensure that all significant risks or categories have been identified.

Assumptions Analysis
Every identified project risk is based on a set of hypotheses, scenarios, or assumptions. Assumptions analysis explores the validity of assumptions as they apply to the project. It identifies risks to the project from the inaccuracy, inconsistency or incompleteness of assumptions.

Fishbone Diagrams
Risk diagramming techniques include cause and effect diagrams, also known as Ishikawa or fishbone diagrams, and are useful for identifying causes of risks. Flow charts can also be used to show how various elements of a system interrelate, and the mechanism of causation, as can influence diagrams, which show causal influences, time ordering of events, and other relationships among variables and outcomes.

SWOT Analysis
This technique looks at the project from the perspective of its internal strengths and weaknesses as well as external opportunities and threats.
SWOT analysis is a useful approach to risk assessment and you can learn more about this technique from our free SWOT Analysis eBook.

Identified risks should be documented in a risk register that consists of the list of all the identified risks, their root causes, categories and responses. This information may be used to update the risk breakdown structure.

[Figure: Risk Register, a list of all risks with their root cause, category and responses; it may be used to update the RBS.]

Because the assessment of risk is an ongoing activity, the risk register will be updated continuously throughout the life of the project and it is a key tool to aid in the management of risks within a project.

The risk register ultimately contains the outcomes of the other risk management processes as they are conducted, resulting in an increase in the level and type of information contained in the risk register over time.

Key Points
● The risk register is a list of all of the identified risks, their root causes, categories and responses.
● All project team members should be encouraged to identify risks and this is an iterative process because new risks may become known as the project progresses.
● Risks can be identified directly by stakeholders with relevant experience of similar projects or business areas.
● There are several tools and techniques that can be used to identify project risk including: fishbone diagrams, documentation reviews and SWOT analysis.

Performing a Risk Analysis
This process analyses each risk from the risk register in terms of its probability and impact on the project if it were to occur. It should be performed as soon as possible after risks have been identified so that appropriate time and resources can be allocated to the more serious risks.
It uses the probability and impact matrix (PIM) to rank and prioritize risks, and this information is placed back on the risk register.

[Figure: Plan Elements for Managing Project Risk]

Like all the processes and procedures for managing risk, this one should be performed regularly because new risks will be identified and the characteristics of existing risks may change as the project progresses.

The risk management plan (part of the overall project plan) will explain the overall approach that needs to be taken to risk management on this particular project. It will detail how much risk is acceptable and who should be involved in carrying out the qualitative analysis of the known risks.

The key elements of this plan used in this process are roles and responsibilities for conducting risk management, budget, schedule for risk management activities, definition of risk categories, definition of risk probability and impact, probability and impact matrix, and stakeholders' risk tolerances.

[Figure: the scope of the project has a direct bearing on the amount and type of risk]

The scope of the project will have a direct bearing on the type and amount of risk that is likely to be encountered. In general terms, certain types of project are associated with certain types of risk. For example, in construction projects the risks would include such things as planning permissions, weather, health and safety legislation, and labor union issues. IT project risks tend to be concerned with whether development software will perform as advertised and with compatibility issues.

Projects of a common or recurrent type tend to have well understood risks, whereas those breaking new ground tend to have more uncertainty.
Perform Qualitative Risk Analysis Techniques
● Risk Probability & Impact Assessment
● Probability & Impact Matrix
● Risk Data Quality Assessment
● Risk Categorization
● Risk Urgency Assessment
● Expert Judgment

There are various techniques that can be used to identify risks.

Risk Probability and Impact Assessment

Risk probability assessment investigates the likelihood that each specific risk will occur, whereas risk impact assessment investigates the potential effect on a project objective such as schedule, budget, quality, or performance.

[Figure: risk probability is the likelihood each risk will occur; risk impact looks at the potential effect on schedule, cost, quality or performance]

Both the likelihood and impact are given a score according to the definitions given in the risk plan and these can be considered together to provide a risk score. Risks with a high score will be given high priority while those with a low score will be included on a watch list for future monitoring.

Probability and Impact Matrix

Evaluation of each risk’s importance and, hence, priority for attention can be done using a probability and impact matrix as shown.

Probability & Impact Matrix

Probability   Opportunities               Threats
0.90          0.05  0.18  0.54  0.72      0.72  0.54  0.18  0.05
0.75          0.04  0.15  0.45  0.60      0.60  0.45  0.15  0.04
0.50          0.03  0.10  0.30  0.40      0.40  0.30  0.10  0.03
0.25          0.01  0.05  0.15  0.20      0.20  0.15  0.05  0.01
0.10          0.01  0.02  0.06  0.08      0.08  0.06  0.02  0.01
Impact        0.05  0.20  0.60  0.80      0.80  0.60  0.20  0.05

This specifies combinations of probability and impact that lead to rating the risks as low, moderate, or high priority. The type of management response should be:

1) Threats
   ○ High-risk (shown in dark gray boxes) are priority and need a hard line response.
   ○ Low-risk (mid-gray boxes) need to have a contingency made for them and be monitored.
2) Opportunities
   ○ Dark gray boxes show the ones to pursue first as they offer the most benefit and are more easily achieved.
   ○ Mid-gray boxes indicate the ones to be monitored.

It is possible to rate a risk separately for cost, time, scope and quality. In addition, the organization can develop ways to determine one overall rating for each risk. An overall rating scheme can be developed to reflect the organization’s preference for one objective over another, using those preferences to develop a weighting of the risks that are assessed by objective.

You will also need to examine how well the risk is understood and the accuracy, quality, reliability, and integrity of the data regarding it. If data quality is unacceptable, it may be necessary to gather higher-quality data.

The risk breakdown structure (RBS) is the normal way to help structure and organize all identified risks into appropriate categories, and these will assist in determining which aspects of the project have the highest degree of uncertainty.

Risks that are likely to occur in the immediate future require more urgent attention than those that may occur later on in the project. Indicators of priority should include the time required to effect a risk response. In some qualitative analyses the assessment of risk urgency can be combined with the risk ranking determined from the probability and impact matrix to give a final risk severity rating.

[Figure: revisions to project documents occur after qualitative risk analysis is complete]

The risk register can be updated with the following information.

Relative ranking or priority list of project risks—the probability and impact matrix can be used to classify risks according to their individual significance.
Risks may be listed by priority separately for schedule, cost, and performance since organizations may value one objective over another. The project manager can then use the prioritized list of risks to focus attention on those items of high significance to the most important objectives.

Risks grouped by categories—this can point to common underlying causes of risk, which may in turn suggest a holistic approach to dealing with them. Discovering concentrations of risk may also improve the effectiveness of risk responses.

List of risks requiring response in the near-term—those risks that require an urgent response and those that can be handled at a later date may be put into different groups.

List of risks for additional analysis and response—some risks might warrant more analysis, including Quantitative Risk Analysis, as well as response action.

Watch lists of low-priority risks—those that are not assessed as important in this process can be placed on a watch list for continued monitoring.

Trends in the analysis results—as this process is iterative, trends for particular types of risk may become apparent. This information can be fed back into the risk management process.

Assumptions log—the project scope statement may contain assumptions about the project, which may be updated as a result of the qualitative risk analysis done in this process.

Quantitative risk analysis is the process of analyzing the effect of those risks identified as having the potential to substantially impact the project. It may be used to assign a numerical rating to those risks individually or to evaluate their aggregate effect. You will need to use the Risk Management Plan (part of the overall Project Plan) and the Risk Register, along with cost and schedule information.

You can check out the complete range of Project Management eBooks free from our website.
In some projects it may be possible to develop effective risk responses without this process. The availability of time and budget, and the need for qualitative or quantitative statements about risk and impacts, will determine which method(s) to use.

[Figure: Quantitative Tools used in Project Risk Analysis: Data Gathering & Representation Techniques; Quantitative Risk Analysis & Modelling Techniques; Expert Judgment]

Structured interviews can be used to determine the probability and impact of risks from subject matter experts. This information can then be used in the following modelling techniques:

Sensitivity Analysis—this involves analyzing the project to determine how sensitive it is to particular risks by analyzing the impact and severity of each risk.

Expected Monetary Value (EMV) Analysis—the expected monetary value is determined by multiplying the likelihood by the cost impact to obtain an expected value for each risk; these are then added up to obtain the expected monetary value for the project. A typical way of calculating EMV is using decision trees.

Decision Tree Analysis—these are in the form of a flow diagram where each node, represented by a rectangle, contains a description of the risk aspect and its cost. These rectangles are linked together via arrows, each arrow leading to another box representing the percentage probability.

[Figure: example decision tree with Decisions 1 and 2, Events A, B and C, and Outcomes 1 to 5]

Tornado Diagrams—these are so named because of their funnel shape and portray graphically the project sensitivity to cost or other factors. Each tornado diagram will represent the impact of risks in terms of particular aspects. These aspects may be the stages or phases of the project, and are ranked vertically and represented by a horizontal bar showing plus or minus cost impacts.
Monte Carlo Analysis—this is normally calculated by computer by analyzing many scenarios for the project schedule and calculating the impact of particular risk events. It is helpful in identifying risks and the effect they have on the project schedule.

[Figure: experts give a risk probability and impact value for the optimistic, pessimistic and realistic views]

Rather than ask each expert for a single value for each, the project manager would normally encourage each expert to provide an optimistic, pessimistic and realistic probability and impact value for each risk.

The risk register is further updated to include a quantitative risk report detailing quantitative approaches, outputs, and recommendations. Updates include the following:

Probabilistic Analysis of the Project—Estimates are made of potential project schedule and cost outcomes, listing the possible completion dates and costs with their associated confidence levels. This output, often expressed as a cumulative distribution, can be used with stakeholder risk tolerances to permit quantification of the cost and time contingency reserves.

Probability of Achieving Cost and Time Objectives—With the risks facing the project, the probability of achieving project objectives under the current plan can be estimated using quantitative risk analysis results.

Prioritized List of Quantified Risks—This list of risks includes those that pose the greatest threat or present the greatest opportunity to the project. These include the risks that may have the greatest effect on cost contingency and those that are most likely to influence the critical path. These risks may be identified, in some cases, through a tornado diagram generated as a result of the simulation analyses.

Trends in the analysis results—As this process is iterative, trends for particular types of risk may become apparent. This information can be fed back into the risk management process.
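The EMV and Monte Carlo steps described above, worked through in Python as an added example that is not part of the eBook. The three register entries are constructed sample data, and drawing each three-point estimate from a triangular distribution is an assumption, since the text does not name a distribution.

```python
"""EMV and Monte Carlo cost simulation over a small risk register.

Register entries are constructed sample data. The triangular distribution
is an assumption: the eBook only says that experts supply optimistic,
realistic and pessimistic values for probability and impact.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreePoint:
    optimistic: float
    realistic: float
    pessimistic: float

    def sample(self, rng: random.Random) -> float:
        # Triangular draw with the realistic estimate as the mode.
        low, high = sorted((self.optimistic, self.pessimistic))
        return rng.triangular(low, high, self.realistic)


@dataclass(frozen=True)
class Risk:
    name: str
    probability: ThreePoint   # likelihood that the threat occurs
    cost_impact: ThreePoint   # cost to the project if it does


# Constructed register (threats only), loosely based on the eBook's examples.
REGISTER = [
    Risk("Supplier goes out of business",
         ThreePoint(0.05, 0.10, 0.25), ThreePoint(20_000, 40_000, 90_000)),
    Risk("Planning permission delayed",
         ThreePoint(0.10, 0.25, 0.50), ThreePoint(5_000, 15_000, 40_000)),
    Risk("Software compatibility issue",
         ThreePoint(0.20, 0.30, 0.60), ThreePoint(2_000, 8_000, 20_000)),
]


def emv(register):
    """Expected monetary value: sum of likelihood x cost impact per risk,
    using the single 'realistic' estimate for each."""
    return sum(r.probability.realistic * r.cost_impact.realistic
               for r in register)


def simulate(register, trials=20_000, seed=1):
    """Return the sorted total risk cost of each simulated project run."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for risk in register:
            # Sample this run's likelihood, then decide whether the risk fires.
            if rng.random() < risk.probability.sample(rng):
                total += risk.cost_impact.sample(rng)
        totals.append(total)
    totals.sort()
    return totals


def reserve_at(totals, confidence):
    """Contingency reserve read off the cumulative distribution."""
    index = min(int(confidence * len(totals)), len(totals) - 1)
    return totals[index]


def probability_within(totals, budget):
    """Probability of achieving the cost objective 'risk cost <= budget'."""
    return sum(1 for t in totals if t <= budget) / len(totals)


if __name__ == "__main__":
    runs = simulate(REGISTER)
    print(f"EMV (realistic estimates): {emv(REGISTER):,.0f}")
    print(f"Simulated mean risk cost:  {sum(runs) / len(runs):,.0f}")
    for level in (0.50, 0.80, 0.95):
        print(f"Reserve at {level:.0%} confidence: {reserve_at(runs, level):,.0f}")
    print(f"P(cost <= EMV): {probability_within(runs, emv(REGISTER)):.2f}")
```

Because the pessimistic estimates sit further from the realistic value than the optimistic ones, the simulated mean comes out above the single-point EMV, which is the reason for collecting three estimates rather than one.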
Key Points
● Risk analysis uses the probability and impact matrix (PIM) to rank and prioritize risks, and this information is placed back on the risk register.
● It should be performed as soon as possible after risks have been identified so that appropriate time and resources can be allocated to the more serious risks.
● Projects of a common or recurrent type tend to have well understood risks, whereas those breaking new ground tend to have more uncertainty.
● There are various techniques that can be used to identify risks including a probability and impact matrix.
● The probability and impact matrix can be used to classify risks according to their individual significance. This prioritized list of risks can be used to focus attention on those items of high significance to the most important objectives.
● Risks can also be grouped by categories that can point to common underlying causes of risk, which may in turn suggest a holistic approach to dealing with them.
● Identified risks can then be quantified using expected monetary value analysis, decision tree analysis, tornado diagrams, and Monte Carlo analysis.

Planning & Controlling Risk Responses

It is important that planned responses are appropriate to the significance of the risk, cost effective in meeting the challenge, realistic within the project context, agreed upon by all parties involved, and owned by a responsible person. The individual owner of each risk will need to communicate with the appropriate stakeholders who may be impacted by its occurrence as part of managing the risk.

[Figure: the risk management plan and risk register form the basis of planning the response to project risks]

The risk plan defines the level of risk which is seen as acceptable, how risks will be managed, who will be responsible for carrying out risk related activities, the time and cost of each risk activity and how the communication of risk is to occur.
You will need to use this along with the risk register to plan your responses. See the risk register template.

[Figure: Strategies for Dealing with Project Risk Responses: Negative Risks or Threats; Positive Risks or Opportunities; Contingent Response]

There are four possible strategies for dealing with threats or risks that may have negative impacts on the project.

[Figure: Strategies for Negative Risks or Threats: Avoid, Transfer, Mitigate, Accept]

1. Avoid—This involves taking action to reduce the probability of the risk and/or its impact to zero. In either case this response enables the risk to be circumvented entirely. For example, using a certain supplier might carry the risk of them going out of business during the course of the project. This risk could be avoided by using a supplier who was bigger, better established and more financially secure.

2. Transfer—This involves transferring the risk to a third party so that they are responsible for its management and impact. It does not eliminate the risk; it simply transfers the liability to someone else. This can be done by:
   ○ Taking out insurance (the insurance company is now liable), or
   ○ Having the work done under a fixed-price contract (the contractor is now liable).
   Risk transference nearly always involves payment of a risk premium to the party taking on the risk and may introduce new risks. For example, an insurance company may contest the claim or a contractor might dispute the terms and conditions of the contract if they are having problems delivering.

3. Mitigate—Taking early action to reduce the probability and/or impact of a risk occurring is often more effective than trying to repair the damage after it has occurred. Adopting less complex processes, conducting more tests, or choosing a more stable supplier are examples of mitigation actions.

4. Accept—The most common acceptance strategy is to establish a contingency reserve, including amounts of time, money, or resources to handle the risks. It is usually chosen either because the risk is low in terms of impact or probability, or because the cost and effort of taking a different action is out of proportion to the risk itself.

There are four possible strategies for dealing with opportunities.

[Figure: Strategies for Positive Risks or Opportunities: Exploit, Share, Enhance, Accept]

1. Exploit—examples of directly exploiting responses include assigning an organization’s most talented resources to the project to reduce the time to completion or to provide lower cost than originally planned.

2. Share—sharing a positive risk involves allocating some or all of the ownership of the opportunity to a third party who is best able to capture the opportunity for the benefit of the project. Examples of sharing actions include forming risk-sharing partnerships, teams, special-purpose companies, or joint ventures (JVs). These can be established with the express purpose of taking advantage of the opportunity so that all parties gain from their actions.

3. Enhance—examples of enhancing opportunities include adding more resources to an activity to finish early.

4. Accept—accepting an opportunity is being willing to take advantage of it if it comes along, but not actively pursuing it.

Controlling risk is the process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project. Planned risk responses that are included in the project plan are executed during the life cycle of the project, but the project work should be continuously monitored for new, changing, and outdated risks.
There are several techniques that can be used to control risks.

[Figure: Ways to Control Project Risks: Risk Reassessment; Meetings; Reserve Analysis; Risk Audits; Variance & Trend Analysis; Technical Performance Measurement]

Reassessment

Project risk reassessments should be regularly scheduled to keep the risk register updated. The amount and detail of repetition that is appropriate depends on how the project progresses relative to its objectives, as well as which risks (if any) actually manifest themselves.

Audits

These should be scheduled in the risk plan and examine the effectiveness of risk responses in dealing with identified risks and their root causes. The objectives should be clearly defined in advance and the audit may form part of the routine project review meetings, or may be run separately, each producing its own project audit report.

Trend Analysis

Earned value analysis and other methods of project variance and trend analysis may be used for monitoring overall project performance. Outcomes from these analyses may forecast potential deviation of the project at completion from cost and schedule targets. Deviation from the baseline plan may indicate the potential impact of threats or opportunities.

[Figure: deviation from the baseline plan may indicate the potential impact of threats or opportunities]

Performance Measurement

This is designed to indicate the degree of technical risk faced by the project. Where deliverables can be measured against the plans in a quantitative way (e.g. response times, number of defects), this can predict the degree of success in achieving the technical aims of the project.

Reserve Analysis

This compares the contingency reserves remaining to the amount of risk remaining at any time in the project in order to determine if the remaining reserve is adequate.
Implementing contingency plans or workarounds sometimes results in a change request. Recommended preventive actions are documented directions to perform an activity that can reduce the probability of negative consequences associated with project risks. Recommended corrective actions include contingency plans and workarounds. The latter are responses that were not initially planned, but are required to deal with emerging risks that were previously unidentified or accepted passively.

If the approved change requests have an effect on the process of managing risk, the corresponding component documents of the project plan are revised and reissued to reflect the approved changes.

Key Points
● The risk plan defines the level of risk which is seen as acceptable, how risks will be managed, who will be responsible for carrying out risk related activities, the time and cost of each risk activity and how the communication of risk is to occur.
● Planned responses should be appropriate to the significance of the risk, cost effective in meeting it, realistic within the project context, agreed upon by all parties involved, and owned by a responsible person.
● There are four possible strategies for dealing with threats or risks that may have negative impacts on the project: avoid, transfer, mitigate and accept.
● There are four possible strategies for dealing with opportunities: exploit, share, enhance, and accept.

Summary

Project management is a complex activity that requires a structure, procedures and processes that are appropriate to your project. This will enable you to manage the inevitable changes that occur throughout a project’s lifespan in a professional manner to ensure success. Each project function describes the expertise, skills and tools needed for your project.
So much work is now run as projects and so few people have the necessary skills to manage them properly that there is a huge demand for good project managers and that demand is increasing all the time.

The other project management skills eBooks available from www.free-management-ebooks.com/skills-project.htm provide you with an opportunity to read a more in-depth description of each functional area.

● Principles of Project Management
● Project Management Processes
● Managing a Project Team
● Managing the Project Scope
● Managing the Project Schedule
● Managing the Project Budget
● Managing Project Quality

Other Free Resources

The Free Management eBooks website offers you over 500 free resources for your own professional development. Our eBooks, Checklists, and Templates are designed to help you with the management issues you face every day. They can be downloaded in PDF, Kindle, ePub, or Doc formats for use on your iPhone, iPad, laptop, or desktop.

eBooks—Our free management eBooks cover everything from accounting principles to business strategy. Each one has been written to provide you with the practical skills you need to succeed as a management professional.

Templates—Most of the day-to-day management tasks you need to do have already been done by others many times in the past. Our management templates will save you from wasting your valuable time re-inventing the wheel.

Checklists—When you are working under pressure or doing a task for the first time, it is easy to overlook something or forget to ask a key question. These management checklists will help you to break down complex management tasks into small controllable steps.

FME Update—Subscribe to our free regular updates and stay in touch with the latest professional development resources we add every month.
Social Media—Share our free management resources with your friends and colleagues by following us on LinkedIn, Facebook, Twitter, Google+, and RSS.

Visit www.free-management-ebooks.com