8 : Risk Flashcards

Like other themes, don’t worry about getting the answers correct. Answer in your own words and learn from the extra information given. Remember that the questions in the exam have multiple choices, so you just have to recognize the information in front of you.

1
Q

What is risk?

A

A risk is “an uncertain event that, should it occur, will have an effect on the achievement of objectives. It consists of a comnbination of the probability of a percieved threat or opportunity occuring, and the magnitude of its impact on objectives”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are the two types of risks?

A

The two types of Risk are Threats and Opportunities.

  • Threats are risks with negative impact
  • Opportunity are risks with a positive impact.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the purpose of the Risk Theme?

A

The purpose of the risk theme is to provide information on how best to do risk management in your project.

A more formal way to say this is the purpose of the Risk Theme is to provide an approach to identify, assess and control uncertainty during a project and as a result, improve the ability of the project to succeed.

Remember the words, identify, assess and control risk as this is what Risk Management is all about.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is the connection between a project, change, uncertainty and risk?

A

Projects are about doing something new, so they are about change. As the exact same project has not been done before there will be some uncertainty about how some parts of the projects will go. Another name for this uncertainty is risk.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

When is project Risk Management undertaken?

A

Risk management is not just done at the start of the project but is a continuous activity that must be during the full life of the project and therefore one of the main tasks for the Project Manager.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Which role is the main person responsible for risk in a project? (Note: I am not asking for the role that will do most of the work and follow up but the main responsible.)

A

It is the Executive that is responsible for risk in a project. PRINCE2 says that the Executive is accountable for all aspects of Risk Management. They rely on the Project Manager to continually identify, assess and control risks throughout the project.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What can be at risk?

A

PRINCE2 states that the projects objectives are at risk.

Remember the project will have objectives for the six project variables: time, cost, quality, scope, benefits and risk. (Think TeCQuila SoBeR, spelt TeCQ)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is Risk Management?

A

Risk Management is the systematic application of procedures to the tasks of identifying and assessing risk, and then planning and implementing risk responses.

The Risk theme provides an approach for you to be able to manage risk in a project.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What are the 4 risk management steps?

A

The four steps to Risk Management are: Identification, Assessment, planning, and Control

  1. Identification: Identify and describe the risk
  2. Assess: What is the likelihood, the impact on objectives, when expected?
  3. Planned for: Identifying suitable responses to risk and assigning owners
  4. Control the Risk: Making sure the responses are implmented and controlled
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What are the Prince2 Risk principles? (9 things)

A
  1. Understanding the project context
  2. Involve the stakeholders
  3. Establishing clear project objectives
  4. Developing a project risk management approach
  5. reporting on risks regularly
  6. Defining clear roles and responsibilities
  7. Establishing a support structure and supportive culture for risk management
  8. Monitoriing for early warning indicators
  9. Establishing a review cycle and seek continual improvement
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What are the Prince2 minimum requirements for risk? (4 things)

A
  1. Define the risk management approach which must cover:
    1. The way we identify and assess risks, implement responses and communicate risk
    2. Assess whether the risks might affect the business justification
    3. The roles and responsibilities
  2. We musst also maintain a risk register
  3. Ensure risks are identified, assessed, managed and reviewed
  4. Use lessons learnt to inform risk identifiation and management
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What is the risk Management approach?

A

The risk management approach outlines how risks will be managed including the processes, procedures, techniques and responsibilities.

The risk approach/strategy is created during the Initiating a project stage.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which other OGC method does PRINCE2 get its Risk Management procedures and principles from?

A

PRINCE2 makes use of the other OGC method, which is Management of Risk (also referred to as MOR). PRINCE2 takes advantage of all these procedures and principles that have already been defined instead of trying to re-invent the wheel. The MOR method is a generic approach to Risk, which can be used for any type of project.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What is the Risk Register?

A

The Risk Register is used to capture and maintain the risk information (threats or opportunities) of all the risks that were identified and relate to the project.

So it provides a record of all risks including their status and history.

The risk register is created during the Initiating a project stage. Any risks identified earlier (i.e. in the starting up a project stage) should be recorded in the PM’s daily log, and transferred to the Risk register during the Initiating a project stage.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What info should be included in the risk register? (12 things)

A
  1. Risk identifier
  2. Risk author: The person who raised the risk
  3. Date registered
  4. Risk category: the type of risk
  5. Risk description
  6. Probability, impact and expected value of the risk
  7. Proximity (how soon could the risk occur)
  8. Risk response category
  9. Risk response
  10. Risk status
  11. Risk owner
  12. Risk actionee
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is normally the first question about Risk that should be asked by the Project Manager when considering risk and the approach to Risk Management?

A

The first question that should be asked is what risk policies already exist in the company or in the programme environment today that can be used so that there isn’t a need to re-create these. If a policy does exist, then this will save a lot of work and will provide most if not all the information you need to do Risk Management in your project.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is a risk policy?

A

If an in-house policy on Risk Management procedures does exist, then you can expect to have information on the following:

  • Your organization’s attitude towards risk also called Risk appetite, Risk tolerances, procedures for escalation, typical roles and responsibilities, example of a Risk Management strategy document, etc.
  • It should provide guidelines on how to do Risk Management according to the policy of the company.
  • Using a common approach to Risk Management also means that project stakeholders that are already familiar with this approach will be able to understand how risk management is done in your project.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What if there isn’t an existing Risk Policy?

A

They can use the Risk theme to provide the necessary information to do Risk Management in their project.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Why have a common approach to Risk Management?

A

Using a common approach to Risk Management enables the project stakeholders that are already familiar with this approach to understand how risk management is done in your project. E.g.: Reports will be easier to understand, the scales for accessing risk will be similar etc. Therefore it is easier to see what is going on and this is also true for the Project Board.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Does each project need its own Risk Management Strategy?

A

PRINCE2 recommends that each project should have its own Risk Management Strategy document. Creating a Risk Management strategy document for each project may seem a big task but a detailed template can be provided if you are working in a programme environment, so this will make it much easier.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

We know that the 3 steps to Risk Management are: Identification, Assessment and Control. The Risk Management Procedure has 5 steps. Name these. Use the following line to remind you: I Ate Plants In China.

A

The five steps in the Risk Management Procedure are: Identify, Assess, Plan, Implement and Communicate.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What are the steps in the risk management procedure? (5 steps)

A
  1. Identify
  2. Assess
  3. Plan
  4. Implement
  5. Communicate
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Are the Risk management procedure steps sequential?

A

The first 4 steps are sequential (Identify, Assess, Plan and Implement), while Communicate will always be done to let stakeholders know what is going on and to get continual feedback during this process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What must be done before the risk management procedure?

A

The first thing that has to be done is to understand the level of risk that the project is willing to accept. This is also known as the risk appetite. E.g.: If the project is to build a prototype that will just have a life of a few months, then the risk tolerance is said to be very high and so a big risk appetite. If the project is to launch a voting system that will be used in a national election in Europe, then the risk tolerance would be very low as it should work 100% correct. Once the Project Manager and Executive agree on the amount of risk the project can take, then the Project Manager should complete the Risk Management Strategy document.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

What happens in the Risk identification step of the risk management procedure?

A
  1. Identify the context by examining the project documents including:
    1. Risk mgmt approach
    2. Project mandate
    3. Project brief
    4. Project product description
  2. Identify the risks and record them in the risk register
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Where should risk management requirements come from?

A

Most of the risk management requirements come from the:

  1. Project Mandate,
  2. the Project Brief, and
  3. the Project Product Description
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

How can risks be identified?

A
  • Review lessons
  • Risk checklists
  • Risk prompt lists
  • Brainstorming
  • Risk breakdown structures
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

How should risks be described?

A

The risk description should include the cause, event and the effect on the objectives of the project.

The cause refers to something that is already happening, the event to something that may happen (threat or opportunity) and effect describes the effect on the project.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Describe the following example of risk in terms of cause, event and effect on the project objectives. “Less people may come to the event as all planes could be grounded due to ash from the volcano that is blow into UK airspace.” Start with the cause, then the event that is likely to happen and then the effect on your project which is to organize a conference in London for business managers from around Europe who are expected to fly in.

A

We would write this as follows: Due to the active volcano releasing ash, there is a threat that planes will be grounded if this ash is blown into UK airspace which would cause many people not to be able to make it to the conference in London.
The original cause is the volcano releasing ash, this is already happening, the risk is the threat that this could be blow into UK airspace and the effect on the project is that many people will not be able to travel.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

What happens during the risk assessment step of the risk management procedure?

A

Assess Risk is the 2nd step in the Risk Management procedure and involves Estimating and Evaluating risk.

Estimating focuses on assessing one risk at a time while Evaluating is about evaluating all Risk together so as to get an idea of the total risk in a project.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

How are risks estimated?

A

Estimating is about assessing the probability, the impact and proximity for each threat or opportunity.

  1. Probability: how likely are they to happen?
  2. Impact: What will happen if it does?
  3. Proximity: when will it happen?
32
Q

How should risk impact be assessed?

A

Consider the impact on the project objectives assuming you do nothing, as well as the impact on project benefits.

33
Q

What is probability, impact and proximity?

A

Probability: This is the same as the likelihood of the risk happening. You can use a % or choose from very high, high, normal scale.

Impact: The impact the risk will have on the project and must be quantified.
• E.g.: You can choose from a scale 20%.
• Remember, this can be a threat or opportunity.

Proximity: When this risk is most likely to happen.
• Scale can be in time: like in 3 months or 6 months.
• E.g.: Icy roads may not be much of a risk for a summer event but may be a concern if the event was held in November.

34
Q

What is a probability impact grid?

A

A probability and impacts matrix that provides an assessment of risk severity and therefore the ability to rank risks.

It therefore allows the project to set a risk tolerance level.

35
Q

What is the Summary Risk Profile diagram?

A

The Summary risk profile diagram is what PRINCE2 recommends to plot the estimate risk results on so that it becomes very easy to compare risks with each other.

From a Project Manager point of view, this is a great diagram to use to communicate project risk.

36
Q

What is the advantage of using a Summary Risk Profile Diagram?

A

Here are most of the advantages of using the Summary Risk Profile Diagram:
• It is easy to get an overview of all the risks.
• It is very useful for communicating the level of risk for the project to the Project Board.
• Can see which risks will need attention and action to be taken.
• Can draw a risk tolerance line on the diagram to distinguish risks that have both a higher impact and a higher probability rate from risks that have a lower level of probability and impact.
• So all risks above this Risk Tolerance line will need some action to be taken.
• The Project Manager is expected to provide risk information to the Executive and Project Board and one of the times they will do this is at the end of each stage. The project manager will include information on any changes to the risk above the Risk Tolerance line in the End Stage Report.
• And the Project Manager will immediately inform the Executive if a risk moves from below to above the Risk tolerance line.

37
Q

What is risk evaluating?

A

The objective is to evaluate all project risks together (both threats and opportunities) and so you get an overall risk value for the whole project.

38
Q

What is a secondary risk?

A

A secondary risk is a risk that relate to a new situation should a risk response be implemented.

39
Q

What happens during the planning step of the Risk Management procedure?

A

Planning is about planning the responses to threats and opportunities. Its objective is to prepare specific responses to the threats and opportunities. The objective is to reduce the threats and maximize the opportunities.

40
Q

What do you think happens if the Project Manager does not plan for a risk and the risk occurs?

A

If the Project Manager fails to plan a response to a risk, they will be caught off guard if this risk materializes. Therefore it is always good to be prepared. The risk can be a lot more damaging for the project objectives as there is nothing planned to reduce the impact of the risk and it some cases it may be too late to do anything about the risk.
E.g.: If your project is to organize an outdoor event and one of the risk is the threat of rain. If you do nothing to prepare for this and half way during the concert it starts to rain heavy, it’s a bit late to start erecting a tent or ordering plastic ponchos to distribute. So failing to plan is planning to fail.

41
Q

Does the step of planning the responses remove or reduce risks?

A

Most of the risk response actions taken in a project are done to reduce the risk impact and can also be taken to remove the risk. E.g.: If your project is to organize an outdoor event and one of the risk is the threat of rain you can take such action of pre-ordering plastic ponchos and sell them at the outdoor event. This won’t stop it from raining but it will reduce the impact. If you were to move the event indoors then you would remove the risk.

42
Q

What are the possible responses to threats?

A
  1. Avoid
  2. Reduce
  3. Prepare contingent plans
  4. Transfer
  5. Share
  6. Accept
43
Q

What are the possible responses to opportunities?

A

The 4 responses for Opportunity are

  1. Exploit
  2. Enhance
  3. Share
  4. Accept
  5. Transfer
  6. Prepare contingent plans
44
Q

What is the Prepare Contingent Plans risk response?

A

Prepare Contingent Plans response is relevant to both threats and opportunities.

This involves creating plans to deal with the threat should it eventuate. The planned action is only done if the risk occurs. These actions will help to reduce the impact of the threat.

45
Q

What is the Accept risk response?

A

This risk response involves simply accepting the risk, not creating any contingent plans, or any action to minimise the threat or maximise the opportunity.

46
Q

What is the Avoid risk response?

A

This response involves changing something in the project so the threat no longer can have an impact or can no longer happen.

This response is only relevant to threats.

Let us say you are organizing an outdoor concert for 600 people in April the UK. One of the risks would then be Rain. So you decide to move the concert to an indoor facility to avoid the risk. In fact this response has removed the threat. If it now rains, then the rain can have no impact on the concert.

47
Q

What is the Share risk response?

A

Share is both a response for threats and opportunity where both parties share the gain if the costs are less that the planned costs and share the loss if the costs are exceeded.

An example of share using the following scenario again with the outdoor concert: You have a supplier that provides VIP toilet facilities and people are charged €1 for each service but there is a certain fixed cost you must pay to provide this service:

You could agree with the supplier to share the profits if the revenue is above this fixed cost amount and share the losses if below this amount.

48
Q

What is the Reduce risk response?

A

The reduce response plans actions to:

1) Reduce the probability (the likelihood) of the risk OR
2) Reduce the impact if they risk does occur

Reduce response is the most common way of dealing with risk.

Reduce is only relevant to threats.

49
Q

What is the Accept risk response?

A

Accept is where you identify an opportunity or a threat and decide not to take any action on it.

There can be many reasons not to do this and usually is because the threat or opportunity isn’t big enough to warrant any action.

50
Q

What is the Exploit risk response?

A

Exploit is where you decide to make use of the risk if it happens. E.g.: There is a risk (an opportunity) that the government department for technology may give subsidies in a few months time for certain technology projects. If this opportunity happens, you can then take the decision to exploit it and apply for a subsidy and it can cover 25% cost of the project.

51
Q

What is the Transfer risk response?

A

Transfer is transfering the risk to a 3rd party, usually via a contract. Taking out insurance is an example of Transferring risk, and so is making a contractor liable for the risk..

52
Q

What is the Enhance risk response?

A

Enhance is where you take actions to improve the likelihood of the event occurring and you enhance the impact if the opportunity should occur.

This is not the same as exploit but doing certain things will give a greater chance for the opportunity to happen. E.g.: The cause is that your local government is running a technology competition and the top 5 projects entered will get a subsidy of €20,000. So there is an opportunity to win this money, which will result in lowering the costs of the project and giving a better ROI for the company. Your plan response is Enhance, so you enter your project in this competition and put a good deal of effort in this to enhance your chances of getting this subsidy.

53
Q

Give an example of Reduce probability; in other words – reduce the likelihood of a risk happening. Use example of organizing an outdoor concert the UK in April and the threat is rain as it will have an effect on the concertgoers.

A

Reduce the probability is to reduce the likelihood or probability of the risk happening. Using the concert example with the threat from rain, we could move the concert from April to July where is 2.5 less times less likely to rain. This is a clear example of reducing the probability but the risk is still there.

54
Q

Give an example of Reduce impact if the Risk occurs. Use example of organizing an outdoor concert the UK in April and the threat is rain as it will have an effect on the concertgoers.

A

Here the objective is to reduce the impact in case the risk occurs. E.g.: The organizers order a load of sponsored plastic ponchos that will be offered to the concertgoers when they arrive at the concert. If it does rain during the concert, then most people will only get partly wet and thus you have reduced the impact of the rain.

55
Q

Give an example of Preparing contingent plans using the following scenario. “There is a big game on center court Wimbledon and there is a threat that it might rain. The Center course now has a roof but it takes about 10 minutes to close.”

A

The fallback plan is to close the roof once it starts to rain. This will not stop it from raining but it does reduce the impact of the rain and allows the game to continue. Note: The action of closing the roof is only done once the threat of rain occurs. If you decided to start the game with the roof closed, then you will be taking action to avoid the response.

56
Q

Give an example of Transfer response using the example of the concert. The threat that you wish to respond to is that one of your top acts may not be able to play at the event due to illness or some other reason. This may cost you a lot of money as people may ask for their money back and you have spent a lot of money organizing this event.

A

You could take out an insurance policy to cover any losses you can incur if this risk happens. E.g.: all the cost of planning another date for the concert or allowing people to claim their money back would be covered by this insurance policy. The response is that you are transferring the risk to another party.

57
Q

Give me an example of the response Accept using the following example and why you would choose this response. “There is a risk that another outdoor concert can be held around the same day as your concert and this may affect tickets sales.”

A

After some consideration, you decide to do nothing about it and continue as normal. Moving the concert to another time will just cost too much and some people have already bought tickets, so you just live with the risk. You monitor the risk during the project and see how this affects your project.

58
Q

What is the objective of Implement the planned responses?

A

The goal of this step is to ensure that the planned responses to risk are done; monitored and corrective action is taken if the planned responses are not as effective as expected. Actually the main thing to decide in this step is who is going to monitor this threat or opportunity to see if this risk happens and who will carry out the planned responses that have been decided on. The person monitoring will also check that the responses have the expected effect. So there are clear roles and responsibilities defined.

59
Q

What are the two specific roles related to risks?

A

The two roles are Risk Owner and Risk Actionee.

60
Q

What is the Risk owner responsible for?

A

The Risk Owner is responsible for managing & monitoring and controlling risks. They can also carryout actions that have been assigned to them.

61
Q

What is the Risk actionee responsible for?

A

The Risk Actionee is responsible for actually responding to risk.

They are supported by the risk owner.

62
Q

What happens in the communicate step of the risk management procedure?

A

Communication is done throughout the risk management procedure so this is continually done.

This communicate step ensures that the information related to the threats and opportunities faced by the project are communicated within and outside the project to all necessary stakeholders.

Communication about risks should occur within all the project reports including

  1. Highlight reports
  2. End stage reports
  3. End project reports
  4. Exception reports
  5. Checkpoint reports
63
Q

What reports contain risk information? (4 reports)

A

The following management reports can be used to communicate risk to the stakeholders:

  1. Highlight Reports,
  2. End Stage Reports,
  3. Lessons Reports,
  4. Checkpoint reports
64
Q

Where are the guidelines for how to communicate risk information to stakeholders?

A

The guidelines for reporting come from the Communication Management Strategy document. When working on the above reports the Project Manager should always ask, “What I need to communicate regarding risk?” “What has changed since the last report?” as risk is never static.

65
Q

What is a risk budget?

A

A risk budget is a sum of money that is put aside just to deal with specific responses to threats or opportunities and it cannot be used for anything else.

Certain responses to risk will require certain actions to be done that cost money and this will be budgeted in the risk budget.

A Risk Budget is not mandatory and is created during the initiation stage of the project.

66
Q

Can the risk budget be redistributed if unused?

A

PRINCE2 states that the Risk Budget cannot be used for any other purpose. If the end of the project does not use the risk budget used, it is handed back to the Project Board.

67
Q

What is the Executive responsible for with regards to risks? (3 things)

A

They are accountable for all aspects of risk management. In particular they:

  1. Ensure that the Risk Management Strategy exits
  2. Ensure that risks associate with the Business Case are identified, assessed and controlled
  3. Should escalate risk to the corporate or programme management as necessary
68
Q

What is the Senior User responsible for with regards to risk? (1 thing)

A

They are responsible for ensuring user risks are identified, assessed, and controlled.

In particular, they are responsible for identifying impacts and or risks related to the project benefits.

69
Q

What is the Senior Supplier responsible for with regards to risks? (1 thing)

A

They are responsible for ensuring supplier risks are identified, assessed, and controlled.

70
Q

What is the Project Manager responsible for with regards to risk? (3 things)

A

They are responsible for:

  1. Create the Risk Management Strategy document,
  2. Create and maintain the Risk Register
  3. Ensuring that risks are continually identified, assessed and controlled throughout the project lifecycle

They can get support from Project Support for these activities.

71
Q

What are Corporate or Programme Management responsible for with regards to risk? (2 things)

A

They are responsible for:

  1. Providing the corporate risk management policy (or similar)
  2. Providing the risk management process guide (or similar)
72
Q

What is the Team Manager responsible for with regards to risk? (2 things)

A

They are responsible for:

  1. Help with the identification, assessment and control of risk. For example, they will be asked to participate in the workshops used to identify risks
  2. Include risk information in the checkpoint reports
73
Q

What are Project Assurance responsible for with regards to risk? (1 thing)

A

They are responsible for:

  1. Reviewing the risk management practices to make sure they are performed in line with the projects Risk Management Strategy.
74
Q

What are Project Support responsible for with regards to risk? (1 thing)

A

They assist the Project Manager in maintaining the projects risk register

75
Q

What is risk tolerance?

A

How much risk you can take.