Chapter 11 Flashcards
what is project risk management?
- process of conducting risk management planning, identification, analysis, response planning and monitoring and conrol on a project
what are the objectives of Project Risk Management?
- increase probability and impact of positive events, decrease probability and impact of negative events
what are the processes to Project Risk Management?
- 1 plan risk management
- 2 identify risks
- 3 perform qualitative risk analysis
- 4 perform quantitative risk analysis
- 5 plan risk responses
- 6 monitor and control risks
what is risk?
an uncertain event or condition that has an effect on at least one project objective if it occurs
what are objectives?
- can include scope, schedule, cost and quality
what is a cause?
- a requirement, assumption, constraint or condition that creates the possibility of negative or positive outcomes
what are risk conditions?
- aspects of the project/org’s environment that may contribute to project risk
- ex. immature project management practices, lack of integrated management systems, concurrent multiple projects, dependencies on external participants who can’t be controlled
what are known risks?
- those that have been identified and analyzed, making it possible to plan responses to those risks
what are unknown risks
- cannot be managed proactively. should create a contingency plan
what steps does an org need to make to be successful in handling risk?
- committed to address risk management proactively and consistently throughout the project
- conscious choice to actively identify and pursue effective risk management during the life of the project
what is the Plan Risk Management process?
- process of defining how to conduct risk management activities for a project
- should be completed early during project planning
why is the Plan Risk Management process important?
- ensures that the degree, type, and visibility of risk management are commensurate with the risks and the importance of the project to the org
- provides sufficient resources and time for risk management activities and to establish an agreed-upon basis for evaluating risks
what are the inputs to the Plan Risk Management process?
- project scope statement
- cost management plan
- schedule management plan
- communications management plan
- enterprise environmental factors
- organizational process assets
what are the tools and techniques to the Plan Risk Management process?
- planning meetings and analysis
what are the outputs to the Plan Risk Management process
- risk management plan
how is the project scope statement an input to the Plan Risk Management process?
- provides a clear sense of the range of possibilities associated with the project and establishes the framework for how significant risk management may become
how is the cost management plan an input to the the Plan Risk Management process?
- defines how risk budgets, contingencies and management reserves will be reported and accessed
how is the schedule management plan an input to the Plan Risk Management process?
- defines how schedule contingencies will be reported and assessed
how is the communications management plan an input to the Plan Risk Management process?
- defines interactions that will occur on the project and determines who’s available to share info on risks and responses at different times and locations
what enterprise environmental factors can influence the the Plan Risk Management process?
- risk attitudes and tolerances that describe the degree of risk that the org will withstand
what organizational process assets can influence the Plan Risk Management process?
- risk categories
- common definitions of concepts and terms
- risk statement formats
- standard templates
- roles and responsibilities
- authority levels for decision making
- lessons learned
- stakeholder registers
how are planning meetings and analysis a tool & technique for the Plan Risk Management process?
- planning meetings of PM, team members, stakeholders, etc held to develop risk management plan
- high level plans for conducting risk management activities are defined in these meetings
- risk management cost and schedule activities established
- risk management responsibilities assigned
- org templates for risk tailored to the project
- outputs of these meetings summarized in risk management plan
what goes in the risk management plan after the Plan Risk Management process?
- describes how risk management will be structured and performed on the project
includes
- methodology: approches, tools and data sources that may be used to perform risk management
- roles and responsibilities: defines the lead, support and risk management team members for each type of activity in the risk management plan
- budgeting: resources and funds needed for risk management to be included in the cost performance baseline, and establishes protocols for applying the contingency reserve
- timing: defines when and how often risk management process will be performed throughout the project and establishes protocols for applying schedule of contingency reserves
- risk categories: provies structure that ensures a comprehensive process of systematically identifying risks to a consistent level of detils (ex. a Risk Breakdown Structure – RBS)
- definitions of risk probability and impact: general definitions of probability and impact levels are tailored to the project
- probability and impact matrix: table with specific combinations of probability and impact that lead a risk to be rated high/med/low
- revised stakeholders; tolerances
- reporting formats: how outcomes of the risk management processes will be documented, analyzed and communicated
- tracking: hor risk activities will be recorded for the current project and future needs
what is the Identify Risks process?
- process of determining which risks may affect the project and documenting their characteristics
- participants can include PM, team members, risk management team, customers, subject matter experts, end users, other PMs, stake holders, risk management experts
why should the Identify Risks process involve the project team?
- so they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions
what are the inputs to the Identify Risks process?
- risk management plan
- activity cost estimates
- activity duration estimates
- scope baseline
- stakeholder register
- cost management plan
- schedule management plan
- quality management plan
- project documents
- enterprise environmental factors
- organizational process assets
what are the tools & techniques of the Identify Risks process?
- documentation reviews
- information gathering techniques
- checklist analysis
- assumptions analysis
- diagramming techniques
- SWOT analysis
- expert judgment
what are the outputs of the Identify Risks process?
- risk register
how is the risk management plan an input to the Identify Risks process?
- assignments of roles and responsibilities, provision for risk management activities in the budget and schedule, and categories of risk are key inputs from the risk management plan to the Identify Risks process
how are activity cost estimates an input to the Identify Risks process
- reviewing activity cost estimates helps identifies risk as they provide a quantitative assessment of the likely cost to complete scheduled activities and are ideally expressed as a range with the width of the range indicating the degree of risk
- can determine if the estimate is sufficient to complete the activity
how are activity duration estimates an input to the Identify Risks process?
- reviews of this helps identify risks related to time allowances for activities and the project as a whole
how isthe scope baseline an input to the Identify Risks process?
- assumptions found in the project scope statement should be evaluated as potential causes of risk
- WBS is a critical input to identifying risks as it facilitates an understanding of the potential risks at the micro and macro level
how is the stakeholder register an input to the Identify Risks process?
- ensures the key stakeholders are interviewed/participate in the Identify Risks process
how is the cost management plan an input to the Identify Risks process
- project-specific approach to cost management may generate/alleviate risk
how is the schedule management plan an input to the Identify Risks process?
- need to understand the schedule management plan because the project-specific approach to schedule management may generate/alleviate risk
how is the quality management plan an input to the Identify Risks process?
- project-specific approach to quality management may generate/alleviate risk
what project documents are inputs to the Identify Risks process?
include
- assumptions log
- work performance reports
- earned value reports
- network diagrams
- baselines
- other project info
what enterprise environmental factors can influence the Identify Risks process?
- published info like commercial databases
- academic studies
- published checklists
- benchmarking
- industry studies
- risk attitudes
what organizational process assets can influence the Identify Risks process?
- project files
- org and project process controls
- risk statement templates
- lessons learned
how are documentation reviews used in the Identify Risks process?
- structured reviews of document
- quality of the plans and consistency between the plans and the project requirements and assumptions can be indicators of risk in the project
what are some information gathering techniques used to identify risks?
- brainstorming
- delphi technique
- interviewing
- root cause analysis
how is brainstorming used in the Identify Risks process?
- obtain a comprehensive list of risks from experts
- categories of risk (ex. RBS) can be used as a framework
- risks are identified and categorized
how is the Delphi technique used in the Identify Risks process?
- use questionnaire to solicit ideas about project risks from experts anonymously
- responses summarized and recirculated for another round until consensus is reached
how is interviewing used in the Identify Risks process?
- interview experienced project participants, stakeholders, and subject matter experts
how is root cause analysis used in the Identify Risks process?
- specific technique to identify a problem, discover the underlying causes that lead to it and develop preventive action
how is checklist analysis used in the Identify Risks process?
- risk identification checklists can be developed based on historical informaiton and knowledge from past projects
- lowest level of RBS can also be used as a risk checklist
- checklist is not exhaustive
how is assumptions analysis used in the Identify Risks process?
- explores the validity of assumptions as they apply to the project
- identifies risks to the project from inaccuracy, instability, inconsistency or incompleteness of assumptions
what diagramming techniques are used in the Identify Risks process?
- cause & effect diagrams (Ishikawa/fishbone diagrams)
- system or process flow charts
- influence diagrams: shows causal influences, time ordering of events and other relationships
how is a SWOT analysis used in the Identify Risks process?
- increases the breadth of identified risks
how is expert judgment used in the Identify Risks process?
- risks identified by experts with experience in similar projects/business areas
- experts’ bias should be taken into account
what are the main outputs from the Identify Risks process?
initial entries into the risk register, which contains the outcomes of the other risk management processes
includes
- list of identified risks (with root causes and details)
- list of potential responses
what is Perform Qualitative Analysis?
- process of prioritizing risks for further analysis/action by assessing and combining their probability of occurrence and impact on project
- reflects the attitude of the team and stakeholders to risk
- rapid, cost-effective way to establish priorities for Plan Risk Responses and lays the foundation for Perform Quantitative Risk ANalysis if needed
what might bias the risk analysis and how do you account for it/
- time criticality of risk-related actions may magnify the importance of a risk
- establish definitions of the levels of probability and impact
- evaluate the quality of the information available on porject risks
what are the inputs to the Perform Qualitative Risk Analysis process?
- risk register
- risk management plan
- project scope statement
- organizational process assets
what are the tools & techniques to the Perform Qualitative Risk Analysis process?
- risk probability and impact assessment
- probability and impact matrix
- risk data quality assessment
- risk categorization
- risk urgency assessment
- expert judgment
what are the outputs to the Perform Qualitative Risk Analysis process?
- risk register updates
what parts of the risk management plan serves as inputs to the Perform Qualitative Risk Analysis process?
- roles and responsibilities for conducting risk management, budgets, schedule activities for risk management, risk categories, definitions of probability and impact, the probability and impact matrix, and revised stakeholders’ risk tolerances
what part of the Project Scope Statement serves as an input to the Perform Qualitative Risk Analysis process?
- evaluate what type of project it is
- common project have more well-understood risks; new, or highly complex projects have more uncertainty
what organizational process assets serves as inputs to the Perform Qualitative Risk Analysis process?
- information on previous similar projects
- studies of similar projects by risk specialists
- risk databases
what is a risk probability and impact assessment?
- risk probability assessment investigates the likelihood each specific task will occur
- risk impact assessment investigates the potential effect on a project objective like schedule, cost, quality or performance (both negative and positive)
- probability and impact are assessed for each risk and rated according to definitions in the risk management plan
- assumptions and explanations justifying the levels assigned are recorded
what is the probability and impact matrix?
- specifies combinations of probability and impact that lead to rating the risks as low/med/high
- these risk-rating rules are used to determine if risks need to go through further quantitive analysis and response based on their risk rating and the org
what is the benefit of the risk rating?
- guides risk responses
what is risk data quality assessment?
- analysis of the quality of risk data to evaluate the degree to which data about risks are useful for risk management
- accuracy, quality, reliability, and integrity of the data regarding the risk
what is risk categorization?
- risks to the project can be categorized by sources of risk (ex. using the RBS), area of the project affected (ex. using the WBS) or other useful category (ex. project phase) to determine areas of the project most expose to the effects of uncertainty
what is risk urgency assessment?
- risks requiring near-term responses are considered more urgent to address
- indicators of priority include time to affect a risk response, symptoms and warning signs, and risk rating
- risk urgency can be combined with risk ranking from the probability and impact matrix
what expert judgment is used in the Perform Qualitative Risk Analysis process?
- required to assess the probability and impact of each risk
- usually those with experience with similar projects and those planning & managing the specific project
what risk register updates are made after the Perform Qualitative Risk Analysis process?
- relative ranking/priority list of project risks: tasks grouped low/med/high based on probability and impact matrix can then be prioritized by objective (sch, sot, performance)
- risks grouped by categories
- causes of risk or project areas requiring particular attention
- list of risks requiring responses in the near-term
- list of risks for additional analysis and response
- watchlist for low-priority risks
- trends in qualitative risk analysis results
what is the Perform Quantitative Risk Analysis process?
- process of numerically analyzing the effect of identified risks on overall project objectives
- performed on risks that have been prioritized by the Perform Qualitative Risk Analysis process as potentially and substantially impacting the project’s competing demands
- can be used to assign a numerical rating to risks individually or to evaluate the aggregate effect of all risks affecting the project
when is Perform Quantitative Risk Analysis done?
- after the Perform Qualitative Risk Analysis process, sometimes not needed
- should be repeated after Plan Risk Responses as well as part of Monitor and Control Risks
what are inputs to the Perform Quantitative Risk Analysis process?
- risk register
- risk management plan
- cost management plan
- schedule management plan
- organizational process assets
what are the tools & techniques to the Perform Quantitative Risk Analysis process?
- data gathering & representation techniques
- quantitative risk analysis and modeling techniques
- expert judgment
what are the outputs to the Perform Quantitative Risk Analysis process?
- risk register updates
what part of the cost management plan is used as an input to the Perform Quantitative Risk Analysis process?
- the criteria for planning, structuring, estimating, budgeting and controlling project costs can help determine the structure and/or approach for quantitative analysis of the budget or cost plan
what part of the schedule management plan serves as the input to the Perform Quantitative Risk Analysis process?
- criteria for developing and controlling the project schedule can be used to help determine the structure/approach for quantitative analysis of the schedule
what parts of the organizational process assets can influence the the Perform Quantitative Risk Analysis process?
- information on prior projects
- studies of similar projects by risk specialists
- risk databases
what data gathering and representation techniques are used in the Perform Quantitative Risk Analysis process?
- interviewing
- probability distributions
how are interviews used in the Perform Quantitative Risk Analysis process?
- draw on experience and historical data to quantify probability and impact of risk on project objectives
- document the rationale of the risk ranges and assumptions to provide insight on the reliability and credibility of the analysis
how are probability distributions used in the Perform Quantitative Risk Analysis process?
- continuous probability distributions represent the uncertainty in values like durations of schedule activities and costs of project components (ex. beta and triangular distributions)
- discrete distributions can be used to represent uncertain events like the outcome of a test or scenario in a decision tree
what are commonly used quantitative risk analysis and modeling techniques?
- sensitivity analysis
- expected monetary value (EMV) analysis
- modeling and simulation
what is sensitivity analysis?
- helps determine which risks have the most potential impact on a project by examining the extent to which the uncertainty of each project element affects the objective being examined when all other uncertain elements are held at their baseline values (ex. tornado diagram)
what is expected monetary value analysis?
- EMV analysis is a statistical concept that calculates the average outcome when the future includes scenarios that may or may not happen
- opportunities are +, threats are -
- requires a risk-neutral assumption
- sum of all the probability of outcome x value of outcome
what modeling and simulation is used in the Perform Quantitative Risk Analysis process?
- project simulation uses a model that translates the specified detailed uncertainties of the project into their potential impact on project objectives
ex. Monte Carlo technique
what is the monte carlo techique?
- project model is computed many times with input values (ex. cost estimates or activity durations) chosen at random for each iteration. a probability distribution (ex. total cost or completion date) is calculated from the iterations
- for cost risk analysis, use cost estimates
- for schedule risk analysis, use schedule network diagram and duration estimates
- output illustrates likelihood of the results (graph cost/schedule by probability)
what expert judgment is used in the Perform Quantitative Risk Analysis process?
- required to identify potential cost and schedule impacts, evaluate probability and define inputs
- also helps interpret data
what risk register updates are made after the Perform Quantitative Risk Analysis process?
- probabilistic analysis of the project: the cumulative distribution can be used with stakeholder risk tolerances to permit quantification of the risk and time contingency reserves
- probability of achieving cost and time objectives
- prioritized list of quantified risks
- trends in quantitative risk analysis results
what is Plan Risk Responses?
- process of developing options and actions to enhance opportunities and reduce threats to project objectives
- includes identifying and assigning one person (risk response owner) to take responsibility for each risk response
- addresses risks by their priority, inserting resources and activities into the budget, schedule and project management as needed
signs of successful planned risk responses?
- appropriate to the significance of the task
- cost effective in meeting the challenge
- realistic within the project context
- agreed by all parties involved
- owned by a responsible person
- timely
what are the inputs to the Plan Risk Responses process?
- risk register
2. risk management plan
what are the tools & techniques for the Plan Risk Responses process?
- strategies for negative risks or threats
- strategies for positive risks or opportunities
- contingent response strategies
- expert judgment
what are the outputs for the Plan Risk Responses process?
- risk register updates
- risk-related contract decisions
- project management plan updates
- project document updates
what’s in a risk register
- identified risks
- root causes of risks
- list of potential responses
- risk owners
- symptoms and warning signs
- relative rating / priority list of project tasks
- a list of risks requiring response in the enar term
- list of risks for additional analysis and response
- trends in qualitative analysis results
- watchlist of low-priority tasks
what’s in a risk management plan?
- roles and responsibilities
- risk analysis definitions
- timing for reviews
- risk thresholds for low/med/high
how to choose a risk response strategy
- using risk analysis tools like decision tree analysis
what is a fallback plan?
- developed for implementation if selected strategy turns out to not be effective or if accept risk occurs
how to deal with secondary risks (risks driven by the strategies)?
- a contingency reserve can help
what are the strategies for negative risks or threats?
- avoid
- transfer
- mitigate
- accept
what is risk avoidance?
- changing the PM plan to eliminate the threat entirely by isolating the project objectives from the risk’s impact or changing the objective that’s in jeopardy
ex. extending the schedule, changing the strategy, reducing scope, even shutting down the project
what is risk transfer?
- shifting some or all of the negative impact and ownership of the response to a third party
- doesn’t eliminate the risk
- most effective in dealing with financial risk exposure
- involves paying a risk premium to the party taking the risk
ex. insurance, performance bonds, guarantees, warrantees
what is risk mitigation?
- reduce the probability and/or impact of an adverse risk event to be within acceptable threshold limits
- reducing probability and/or impact is more effective than trying to repair damage after risk has occured
ex. adopting less complex processes, conducting more tests, choosing a more stable supplier, building a prototype
what is risk acceptance?
- make no changes to deal with the risk
- passive acceptance requires no action but to document the strategy, dealing with the risks as they occur
- active acceptance requires setting up a contingency reserve to handle risks
what are the strategies for positive risks or opportunities?
- exploit
- share
- enhance
- accept
what is exploit?
- strategy where the org wants to ensure the opportunity is realized
- seek to eliminate the uncertainty associated with the risk by ensuring the opportunity definitely happens
- ex. assigning the best members to the team to rduce cost/time
what is share strategy for risk?
- allocating some or all ownership of the opportunity to a third party who can capture the opportunity for hte benefit of the project
ex. risk-sharing partnerships, joint ventures
what is the enhance strategy for risk?
- used to increase probability and/or positive impacts of an opportunity
- identify and maximize key drivers of positive-impact risks
what is the accept strategy for + risk?
- accept an opportunity if it comes along but not actively pursuing it
what are contingent response strategies?
- responses designed for use only if certain events occur (ex. missing intermediate milestones)
what expert judgments are used in the Plan Risk Responses process
- input from knowledgeable parties about the actions to be taken on a specific and defined risk
what risk register updates are made after the Plan Risk Responses process?
- identified risks, their descriptions, areas of the project effective, their causes, and how they may affect project objectives
- risk owners and assigned responsibilities
- outputs from the Perform Qualitative Analysis process ncluding prioritized lists of project risks
- agreed upon response strategies
- specific actions to implement the chosen response strategy
- triggers, symptons and warning signs of risks’ occurrence
- budget and schedule activities required for implementing responses
- contingency plans and triggers
- fallback plans
- residual risks expected to remain after planned responses have been taken
- secondary risks that arise out of implementing a risk response
- contingency reserves calculated based on quantitative risk analysis and org’s risk thresholds
what are risk-related contract decisions?
- decisions to transfer risks as a result of mitigating or transfering threat, or enhancing or sharing opportunity
what project management plan updates are made after the Plan Risk Responses process
- schedule management plan (tolerance to resource loading and leveling; updates to schedule)
- cost management plan (changes in tolerance/behvior re: cost accounting, tracking and reports; updates to budget and contingency reserves)
quality management plan (changes in tolerance/behavior related to requirements, QA or QC and updates to requirements doc)
- procurement management plan (alterations in the make-or-buy decision and contract types driven by risk responses)
- HR management plan (changes re: staff allocation and resource loading)
- work breakdown structure (work generated by risk responses)
- schedule baseline (work generated by risk responses)
- cost performance baseline (work generated by risk responses)
what project doc updates are made after the Plan Risk Responses process?
- assumptions log updates
- technical documentation updates
what is the Monitor and Control Risks process?
- process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks and evaluating risk process effectiveness
- determine if project assumptions are still valid
- determine if assessed risk has been changed or can be required
- determine if risk management policies and procedures are being followed
- determine if contingency reserves should be modified
what are the inputs to the Monitor and Control Risks process?
- risk register
- project management plan
- work performance information
- performance reports
what are the tools & techniques of the Monitor and Control Risks process?
- risk reassessment
- risk audits
- variance and trend analysis
- technical performance measurement
- reserve analysis
- status meetings
what are the outputs to the Monitor and Control Risks process?
- risk register updates
- organizational process assets updates
- change requests
- project management plan updates
- project document updates
what are the inputs from the risk register to the Monitor and Control Risks process?
- identified risks and risk owners
- agreed-upon risk responses
- specific implementation actions
- symptoms and warning signs of risk
- residual and secondary risks
- watchlist of low-priority risks
- time and cost contingency reserves
what part of the project management plan serves as an input to the Monitor and Control Risks process?
- the risk management plan, which includes risk tolerances, protocols and assignment of people, time and other resources to risk management
what work performance information is an input to the Monitor and Control Risks process?
- deliverable status
- schedule progress
- costs incurred
what performance reports are inputs to the Monitor and Control Risks process?
- performance reports that take info from performance measurements and analyze it to provide project work performance information including variance analysis, earned value data and forecasting data
what is risk reassessment?
- regularly scheduled assessments of risks. amount and detail of repetition depends on how project progresses relative to its objectives
what are risk audits?
- examine and document the effectiveness of risk responses in dealing with identified risks and their root causes as well as the effectiveness of the risk management process
- PM is responsible for ensuring risk audits are performed at an appropriate frequency
what is variance and trend analysis?
- trends in the project’s execution should be reviewed using performance information
- earned value analysis and other methods of project variance anad trend analysis used for monitoring overall project performance
- outcomes may forecast potential deviation which may indicate the potential impact of threats or opportunities
what is technical performance measurement?
- compares technical accomplishments during execution to schedule of technical achievement in PM plan
- uses quantifable measures of technical requirements to compare actual results against targets (ex. weight, number of defects, transaction times, etc)
- deviation may expose risk faced by the project
what is reserve analysis?
- compares amount of contingency reserves remaining to the amount of risk remaining to determine if remaining reserve is adequate
how are status meetings a tool & technique of the Monitor and Control Risks process?
- risk management should be discussed at periodic status meetings
what updates to the risk register may be made after the Monitor and Control Risks process?
- outcomes of risk reassessments, risk audits and periodic risk reviews (new risks, updates to risk register, closing risks)
- outcomes of the project’s risks and of risk responses
what organizational process assets updates may be made after the Monitor and Control Risks process?
- templates for risk management plan, including the probability and impact matrix and the risk register
- risk breakdown structure
- lessons learned
what change requests might be made after the Monitor and Control Risks process?
implementing contingency plans or workarounds can result in change requests, which need to be submitted to the Perform Integrated Change Control process
– recommended corrective actions (contingency plans and workarounds)
– recommended preventive actions (documented directions to perform an activity that can reduce the probability of negative consequences associated with project risks)
what project management plan updates are made after the Monitor and Control Risks process?
- same as after the Plan Risk Responses process
what are the project document updates after the the Monitor and Control Risks process?
- same as after the Plan Risk Responses process
