Risks: negative or positive

A Guide to the Project Management Body of Knowledge, 7th Edition (PMBOK 7): “A risk is
an uncertain event or condition that, if it occurs, can have a positive or negative effect on
one or more objectives. Identified risks may or may not materialize in a project. Project
teams endeavor to identify and evaluate known and emergent risks, both internal and
external to the project, throughout the life cycle. “
Negative risks, also referred to as threats, potentially have a detrimental effect on one or
more of the project objectives, such as causing you to miss a deadline.
Positive risks, also referred to as opportunities, potentially have a beneficial effect on
project objectives, such as allowing you to complete a task with fewer personnel than you
originally planned.

“Project teams seek to maximize positive risks (opportunities) and decrease exposure to negative risks (threats).
Threats may result in issues such as delay, cost overrun, technical failure, performance shortfall, or loss of reputation.
Opportunities can lead to benefits such as reduced time and cost, improved performance, increased market share, or
enhanced reputation.”
 Risks

However, project risk is greater:

The longer your project lasts
The longer the time is between preparing your project plan and starting
the work
The less experience you, your organization, or your team members have with similar
projects
The newer your project’s technology is

Risk management is the process of identifying possible risks, assessing their potential
consequences, and then developing and implementing plans for minimizing any negative
effects. Risk management can’t eliminate risks, but it offers the best chance for successfully
accomplishing your project despite the uncertainties of a changing environment.
Risks and project teams

Project teams also monitor the overall project risk. Overall project risk is the effect of
uncertainty on the project as a whole. Overall risk arises from all sources of uncertainty,
including individual risks, and represents the exposure of the stakeholders to the
implications of variations in project outcome, both positive and negative.

Management of overall project risk aims to keep project risk exposure within an
acceptable range. Management strategies include reducing drivers of threats, promoting
drivers of opportunities, and maximizing the probability of achieving overall project
objectives.
Risks and project teams

Project team members engage with relevant stakeholders to understand their risk
appetite and risk thresholds.
Risk appetite describes the degree of uncertainty an organization or individual is willing to
accept in anticipation of a reward.

Risk threshold is the measure of acceptable variation around an objective that reflects the
risk appetite of the organization and stakeholders. The risk threshold reflects the risk
appetite.

Therefore, a risk threshold of ±5% around a cost objective reflects a lower risk appetite
than a risk threshold of ±10%. The risk appetite and risk threshold inform how the project
team navigates risk in a project.
Addressing the risks

1. Identify risks.
2. Assess the potential effects of those risks on your project.
3. Develop plans for mitigating the effects of the risks.
4. Monitor the status of your project’s risks throughout performance.
5. Inform key audiences of all risks involved with your project.
Identifying risks
After you recognize your project’s risk factors, the next step in your risk assessment is to
identify the specific risks that may result from each of your risk factors. With this
information in hand, you can determine the particu- lar effects each risk may have on
your project and decide how you want to manage that risk.
Describe how each risk factor may cause you to miss your product, schedule, or resource
targets. Suppose, for example, that you plan to use a new tech- nology in your project.
Using a new technology is a risk factor. Possible product, schedule, and resource risks
that may arise from this risk factor include the following:
Product risk: The technology may not produce the desired results.
Schedule risk: Tasks using the new technology may take longer than
you anticipate.
Resource risk: Existing facilities and equipment may not be adequate to support the
use of the new technology.
Assessing Risks: Probability and Consequences
The first step in deciding whether to deal proactively with a risk is assessing the likelihood
that it will occur. Use one of the following schemes to describe the chances that a risk will
occur:
Probability of occurrence: You can express the likelihood that a risk will occur as
probability. Probability is a number between 0 and 1, with 0.0 signifying that a situation
will never happen, and 1.0 signifying that it will always occur. (You may also express
probability as a percentage, with 100 percent meaning the situation will always occur.)
Category ranking: Classify risks into categories that represent their like- lihood. You
may use high, medium, and low, or always, often, sometimes, rarely, and never.
Ordinal ranking: Order the risks so the first is the most likely to occur, the second is
the next most likely, and so on.
Relative likelihood of occurrence: If you have two possible risks, you can express how
much more likely one is to occur than the other. For example, you can declare that the
first risk is twice as likely to occur as the second.
Estimating the extent of the consequences
After you identify the likelihood that a particular risk will affect your project, be sure to
determine the magnitude of the consequences or effects that may result. That magnitude
directly influences how you choose to deal with the risk. Determine the specific effect that
each risk may have on your project’s product, schedule, and resource performance.
When evaluating these effects, do the following:
Consider the effect of a risk on the total project rather than on just part of it.
Taking one week longer than you planned to complete an activity may cause you to miss
intermediate milestones (and cause the personnel waiting for the results of that activity
to sit idle). However, the effect on the project is even greater if the delayed activity is on
your project’s critical path, which means the weeklong delay on that one activity also
causes a weeklong delay for your entire project.
Consider the combined effect of related risks. The likelihood that your schedule will
slip is greater if three activities on the same critical path have a significant risk of delay
rather than just one.
Developing a risk-management strategy
Choose one or more of the following approaches for dealing with the risks you decide to
manage:
Avoidance: Act to eliminate the risk factor that gave rise to the risk. An example is
deciding not to use a new, untested procedure that you’re concerned may not
produce the desired project results.
Transfer: Pay someone else to assume some or all of the effect of the risk. Suppose
you choose to proceed with your plans to build a new $50 million facility (see the
example in the preceding section). You can buy disaster insurance on the facility so
the company doesn’t have to assume the full burden of a total loss if a hurricane
destroys the facility.
Deferral: Risks can be deferred by moving the activities to a later date in the project
when any adverse effects may be reduced. For example, it may be possible to move
outside activities which are subject to weather problems to a different time in the
year.
Developing a risk-management strategy
Mitigation: Either reduce the likelihood that a risk occurs, or minimize the negative
consequences if it does occur. The following are examples of risk mitigation:
Minimize the chances that the risk will occur. Take actions to reduce the chances that an
undesirable situation will come to pass. For example, consider that you have a person on your
project who’s new to your organization. Consequently, you feel the person may take longer to do her
assigned task than you planned. To reduce the chances that the person will require more time,
explain the task and the desired results very clearly to the person before she begins to work on it,
develop frequent milestones and monitor the person’s performance often so that you can deal with
any problems as soon as they occur, and have her attend train- ing to refresh the skills and
knowledge she needs to perform the assignment.
Develop contingencies to minimize the negative consequences if an undesirable situation does
come to pass. Suppose you plan to have your organization’s publication department reproduce 100
copies of the manual for your training program. If you’re concerned that the department may have
higher-priority projects at the same time, locate an external vendor that can reproduce the manuals
if the need arises. Finding the vendor beforehand can reduce any time delay resulting from the need
to switch to another resource.
Developing a risk-management strategy
Acceptance: some risks have to be accepted.Once they have been identified and the
adverse effects assessed, a reserve or contingency plan may be developed in case the
risk occurs.

Subjective risks are harder to identify since they usually concern people and their
interaction in the project, and, as such, are much more dificult to quantify. Subjective
judgement of 'high', 'medium' or 'low' risk is normally all that is possible even when risks
have been considered. All too often the risks which relate to people are included in the
'management of human resources' and ignored as risk factors. These 'soft issues' are
discussed by A. Oldfield and M. Ocock in a paper presented at the INTERNET world
congress at Oslo in 1994, in which they rightly point out that this therefore ignores a large
element of risk analysis in projects. Their paper also includes a useful bibliography on risk
analysis techniques for these soft issues and the managerial issues affecting risk in
projects.
Communicating about risks
Communicate about project risks early and often. In particular, share informa- tion with
drivers and supporters at the following points in your project (see Chapter 1 for more
about these project life cycle stages):
Starting the project: To support the process of deciding whether or not to
undertake the project
Organizing and preparing: To guide the development of all aspects of your project
plan
Carrying out the work:
To allow team members to discuss potential risks and to encour- age them to
recognize and address problems as soon as those problems occur
To update the likelihood that identified risks will occur, to rein- force how people
can minimize the negative effects of project risks, and to guide the assessment of
requests to change parts of the current approved project plan
Preparing a Risk-Management Plan
A risk-management plan lays out strategies to minimize the negative effects that uncertain
occurrences can have on your project. Develop your risk- management plan in the
organizing and preparing stage of your project, refine it at the beginning of the carrying
out the work stage, and continually update it during the remainder of the carrying out the
work stage. Include the following in your risk-management plan:
Risk factors
Associated risks
Your assessment of the likelihood of occurrence and the consequences for each
risk
Your plan for managing selected risks
Your plan for keeping people informed about those risks throughout
your project