Chapter 11: Project Risk Management Flashcards
The Project Risk Management processes are:
Plan Risk Management, Identify Risks, Perform Qualitative Risk Analysis, Perform Quantitative Risk Analysis, Plan Risk Responses, Implement Risk Responses, Monitor Risks
Define “Individual project risk”
An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives
Define “Overall project risk”
The effect of uncertainty on the project as a whole, arising from all sources of uncertainty including individual risks, representing the exposure of stakeholders to the implications of variations in project outcome, both positive and negative
True or false: Individual project risks can have a positive or negative effect on project objectives if they occur
True
True or false: Project Risk Management processes should be conducted iteratively
True. Risks will continue to emerge during the lifetime of the project
Define “Risk threshold”
Risk thresholds express the degree of acceptable variation around a project objective. They are explicitly stated and communicated to the project team and reflected in the definitions of risk impact levels for the project
What are some possible examples of Non-event risks?
A key seller may go out of business during the project, the customer may change the requirement after design is complete, or a subcontractor may propose enhancements to the standard operating processes
There are two main types of non-event risks:
Variability risk: Uncertainty exists about some key characteristics of a planned event or activity or decision. And Ambiguity risk: Uncertainty exists about what might happen in the future
Variability risks can be addressed using _____ analysis, with the range of variation reflected in probability distributions, followed by actions to reduce the spread of possible outcomes
Monte Carlo
Emergent risks can be tackled through developing _______
project resilience
Emergent risks can be tackled through developing project resilience. This requires each project to have:
- Right level of budget and schedule contingency for emergent risks, in addition to a specific risk budget for known risks, 2. Flexible project processes that can cope with emergent risk while maintaining overall direction toward project goals, including strong change management, 3. Empowered project team that has clear objectives and that is trusted to get the job done within agreed- upon limits, 4. Frequent review of early warning signs to identify emergent risks as early as possible, 5. Clear input from stakeholders to clarify areas where the project scope or strategy can be adjusted in response to emergent risks
Considerations for tailoring Project sizeProject Risk Management include but are not limited to:
Project size, Project complexity, Project importance, Development approach
True or false: The Plan Risk Management process should begin when the first iterations and/or activities begin
False. The Plan Risk Management process should begin when a project is conceived and should be completed early in the project. It may be necessary to revisit this process later in the project life cycle, for example at a major phase change, etc.
Data analysis techniques that can be used for the Plan Risk Management process includes but are not limited to:
A stakeholder analysis to determine the risk appetite of project stakeholders
Define “risk breakdown structure (RBS)”
A hierarchical representation of potential sources of risk. An RBS helps the project team consider the full range of sources from which individual project risks may arise. This can be useful when identifying risks or when categorizing identified risks
The risk appetites of key stakeholders on the project are recorded in the _____
risk management plan
Define “Definitions of risk probability and impacts”
They are specific to the project context and reflect the risk appetite and thresholds of the organization and key stakeholders. The project may generate specific definitions of probability and impact levels or it may start with general definitions provided by the organization. The number of levels reflects the degree of detail required for the Project Risk Management process, with more levels used for a more detailed risk approach (typically five levels), and fewer for a simple process (usually three)
Define “Reporting formats”
Reporting formats define how the outcomes of the Project Risk Management process will be documented, analyzed, and communicated
Identify Risks is an _____ process, since new individual project risks may emerge as the project progresses through its life cycle and the level of overall project risk will also change
iterative
The enterprise environmental factors that can influence the Identify Risks process include but are not limited to:
Published material, including commercial risk databases or checklists, Academic studies, Benchmarking results, and Industry studies of similar projects
Define “SWOT analysis”
This technique examines the project from each of the strengths, weaknesses, opportunities, and threats (SWOT) perspectives. For risk identification, it is used to increase the breadth of identified risks by including internally generated risks. It identifies any opportunities for the project that may arise from strengths, and any threats resulting from weaknesses
Define “prompt list”
A prompt list is a predetermined list of risk categories that might give rise to individual project risks and that could also act as sources of overall project risk. The prompt list can be used as a framework to aid the project team in idea generation when using risk identification techniques
On completion of the Identify Risks process, the content of the risk register may include but is not limited to:
List of identified risks, Potential risk owners, List of potential risk responses
Define the process “Perform Qualitative Risk Analysis”
It is the process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics. The key benefit of this process is that it focuses efforts on high-priority risks
Where a facilitator is used to support the Perform Qualitative Risk Analysis process, addressing ____ is a key part of the facilitator’s role
bias
Define “Risk data quality assessment”
It evaluates the degree to which the data about individual project risks is accurate and reliable as a basis for qualitative risk analysis. The use of low-quality risk data may lead to a qualitative risk analysis that is of little use to the project. Risk data quality may be assessed via a questionnaire measuring the project’s stakeholder perceptions of various characteristics, which may include completeness, objectivity, relevancy, and timeliness. A weighted average of selected data quality characteristics can then be generated to give an overall quality score
Define “Risk probability and impact assessment”
Risk probability assessment considers the likelihood that a specific risk will occur. Risk impact assessment considers the potential effect on one or more project objectives such as schedule, cost, quality, or performance. Impacts will be negative for threats and positive for opportunities
Define “Assessment of other risk parameters”
The project team may consider other characteristics of risk (in addition to probability and impact) when prioritizing individual project risks for further analysis and action
The considered characteristics involved in the technique “Assessment of other risk parameters” may include but are not limited to:
Urgency, Proximity, Dormancy, Manageability, Controllability, Detectability, Connectivity, Strategic impact, Propinquity
Define “Propinquity”
The degree to which a risk is perceived to matter by one or more stakeholders. Where a risk is perceived as very significant, propinquity is high
Define “Probability and impact matrix”
It is a grid for mapping the probability of each risk occurrence and its impact on project objectives if that risk occurs. This matrix specifies combinations of probability and impact that allow individual project risks to be divided into priority groups
Define “Hierarchical charts”
Where risks have been categorized using more than two parameters, the probability and impact matrix cannot be used and other graphical representations are required. For example, a bubble chart displays three dimensions of data, where each risk is plotted as a disk (bubble), and the three parameters are represented by the x-axis value, the y-axis value, and the bubble size
A Risk Workshop is a specialized kind of _____
meeting
Use of a skilled _____ will increase the effectiveness of a meeting
facilitator
Define the process “Perform Quantitative Risk Analysis”
It is the process of numerically analyzing the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives. The key benefit of this process is that it quantifies overall project risk exposure, and it can also provide additional quantitative risk information to support risk response planning
True or false: the process Perform Quantitative Risk Analysis is not required for all projects
True
Where the duration, cost, or resource requirement for a planned activity is uncertain, the range of possible values can be represented in the model as a ______
probability distribution
What are some of the most commonly used forms of probability distribution?
triangular, normal, lognormal, beta, uniform, or discrete distributions
Simulations are typically performed using a _____ analysis
Monte Carlo
Define “Sensitivity analysis”
Sensitivity analysis helps to determine which individual project risks or other sources of uncertainty have the most potential impact on project outcomes. It correlates variations in project outcomes with variations in elements of the quantitative risk analysis model
Define “tornado diagram”
A tornado diagram is a typical display of sensitivity analysis, which presents the calculated correlation coefficient for each element of the quantitative risk analysis model that can influence the project outcome. Items are ordered by descending strength of correlation, giving the typical tornado appearance
Define “Decision tree analysis”
Decision trees are used to support selection of the best of several alternative courses of action. Alternative paths through the project are shown in the decision tree using branches representing different decisions or events, each of which can have associated costs and related individual project risks (including both threats and opportunities). The decision tree is evaluated by calculating the expected monetary value of each branch, allowing the optimal path to be selected
Define “Influence diagrams”
Influence diagrams are graphical aids to decision making under uncertainty. An influence diagram represents a project or situation within the project as a set of entities, outcomes, and influences, together with the relationships and effects between them. Where an element in the influence diagram is uncertain as a result of the existence of individual project risks or other sources of uncertainty, this can be represented in the influence diagram using ranges or probability distributions. The influence diagram is then evaluated using a simulation technique, such as Monte Carlo analysis, to indicate which elements have the greatest influence on key outcomes
The risk report will be updated to reflect the results of the quantitative risk analysis. This will typically include:
Assessment of overall project risk exposure, Detailed probabilistic analysis of the project, Prioritized list of individual project risks, Trends in quantitative risk analysis results, Recommended risk responses
When conducting an assessment of overall project risk exposure, overall project risk is reflected in two key measures:
Chances of project success, indicated by the probability that the project will achieve its key objectives (e.g., required end date or interim milestones, required cost target, etc.) given the identified individual project risks and other sources of uncertainty, AND
Degree of inherent variability remaining within the project at the time the analysis was conducted, indicated by the range of possible project outcomes
Risk responses should be:
Appropriate for the significance of the risk, cost-effective in meeting the challenge, realistic within the project context, agreed upon by all parties involved, and owned by a responsible person
Define “Secondary risks”
Secondary risks are risks that arise as a direct result of implementing a risk response
The _____ [document] identifies the nominated risk owner for each risk
risk register
Five alternative strategies may be considered for dealing with threats, as follows:
Escalate, Avoid, Transfer, Mitigate, Accept
Define “Escalate” as a strategy to deal with risks and threats
Escalation is appropriate when the project team or the project sponsor agrees that a threat is outside the scope of the project or that the proposed response would exceed the project manager’s authority. Escalated risks are managed at the program level, portfolio level, or other relevant part of the organization, and not on the project level. The project manager determines who should be notified about the threat and communicates the details to that person or part of the organization. Escalated threats are not monitored further by the project team after escalation, although they may be recorded in the risk register for information
Define “Avoid” as a strategy to deal with risks and threats
Risk avoidance is when the project team acts to eliminate the threat or protect the project from its impact. It may be appropriate for high-priority threats with a high probability of occurrence and a large negative impact. Examples of avoidance actions may include removing the cause of a threat, extending the schedule, changing the project strategy, or reducing scope
Define “Transfer” as a strategy to deal with risks and threats
Transfer involves shifting ownership of a threat to a third party to manage the risk and to bear the impact if the threat occurs. Risk transfer often involves payment of a risk premium to the party taking on the threat. Transfer can be achieved by a range of actions, which include but are not limited to the use of insurance, performance bonds, warranties, guarantees, etc. Agreements may be used to transfer ownership and liability for specified risks to another party
Define “Mitigate” as a strategy to deal with risks and threats
In risk mitigation, action is taken to reduce the probability of occurrence and/or impact of a threat. Early mitigation action is often more effective than trying to repair the damage after the threat has occurred. Adopting less complex processes, conducting more tests, or choosing a more stable seller are examples of mitigation actions
Define “Accept” as a strategy to deal with risks and threats
Risk acceptance acknowledges the existence of a threat, but no proactive action is taken. This strategy may be appropriate for low-priority threats, and it may also be adopted where it is not possible or cost-effective to address a threat in any other way. Acceptance can be either active or passive. The most common active acceptance strategy is to establish a contingency reserve, including amounts of time, money, or resources to handle the threat if it occurs. Passive acceptance involves no proactive action apart from periodic review of the threat to ensure that it does not change significantly
Five alternative strategies may be considered for dealing with opportunities, as follows:
Escalate, Exploit, Share, Enhance, Accept
Define “Escalate” as a strategy to deal with risk opportunities
This risk response strategy is appropriate when the project team or the project sponsor agrees that an opportunity is outside the scope of the project or that the proposed response would exceed the project manager’s authority. Escalated opportunities are managed at the program level, portfolio level, or other relevant part of the organization, and not on the project level. Opportunities are usually escalated to the level that matches the objectives that would be affected if the opportunity occurred. Escalated opportunities are not monitored further by the project team after escalation, although they may be recorded in the risk register for information
Define “Exploit” as a strategy to deal with risk opportunities
The exploit strategy may be selected for high-priority opportunities where the organization wants to ensure that the opportunity is realized. This strategy seeks to capture the benefit associated with a particular opportunity by ensuring that it definitely happens, increasing the probability of occurrence to 100%. Examples of exploiting responses may include assigning an organization’s most talented resources to the project to reduce the time to completion, or using new technologies or technology upgrades to reduce cost and duration
Define “Share” as a strategy to deal with risk opportunities
Sharing involves transferring ownership of an opportunity to a third party so that it shares some of the benefit if the opportunity occurs. It is important to select the new owner of a shared opportunity carefully so they are best able to capture the opportunity for the benefit of the project. Risk sharing often involves payment of a risk premium to the party taking on the opportunity. Examples of sharing actions include forming risk-sharing partnerships, teams, special-purpose companies, or joint ventures
Define “Enhance” as a strategy to deal with risk opportunities
The enhance strategy is used to increase the probability and/or impact of an opportunity. Early enhancement action is often more effective than trying to improve the benefit after the opportunity has occurred. The probability of occurrence of an opportunity may be increased by focusing attention on its causes. Where it is not possible to increase probability, an enhancement response might increase the impact by targeting factors that drive the size of the potential benefit. Examples of enhancing opportunities include adding more resources to an activity to finish early
Define “Accept” as a strategy to deal with risk opportunities
Accepting an opportunity acknowledges its existence but no proactive action is taken. This strategy may be appropriate for low-priority opportunities, and it may also be adopted where it is not possible or cost-effective to address an opportunity in any other way. Acceptance can be either active or passive. The most common active acceptance strategy is to establish a contingency reserve, including amounts of time, money, or resources to take advantage of the opportunity if it occurs. Passive acceptance involves no proactive action apart from periodic review of the opportunity to ensure that it does not change significantly
True or false: When formulating plans to address risks, some responses are designed for use only if certain events occur
True. Risk responses identified using this technique are often called contingency plans or fallback plans and include identified triggering events that set the plans in effect
Define the process “Implement Risk Responses”
It is the process of implementing agreed-upon risk response plans. The key benefit of this process is that it ensures that agreed-upon risk responses are executed as planned in order to address overall project risk exposure, minimize individual project threats, and maximize individual project opportunities
Proper attention to the _______ process will ensure that agreed-upon risk responses are actually executed
Implement Risk Responses
Define the process “Monitor Risks”
Monitor Risks is the process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project. The key benefit of this process is that it enables project decisions to be based on current information about overall project risk exposure and individual project risks
The Monitor Risks process uses performance information generated during project execution to determine if:
Implemented risk responses are effective, Level of overall project risk has changed, Status of identified individual project risks has changed, New individual project risks have arisen, Risk management approach is still appropriate, Project assumptions are still valid, Risk management policies and procedures are being followed, Contingency reserves for cost or schedule require modification, and Project strategy is still valid
Data analysis techniques that can be used for the Monitor Risks process include but are not limited to:
Technical performance analysis, and Reserve analysis
Define “Technical performance analysis”
It compares technical accomplishments during project execution to the schedule of technical achievement. It requires the definition of objective, quantifiable measures of technical performance, which can be used to compare actual results against targets. Such technical performance measures may include weight, transaction times, number of delivered defects, storage capacity, etc. Deviation can indicate the potential impact of threats or opportunities
Define “Reserve analysis”
Throughout execution of the project, some individual project risks may occur with positive or negative impacts on budget or schedule contingency reserves. Reserve analysis compares the amount of the contingency reserves remaining to the amount of risk remaining at any time in the project in order to determine if the remaining reserve is adequate. This may be communicated using various graphical representations, including a burndown chart
