Chapter 11 - Risk Management

Question 1

Risk Management explained

Answer 1

Risk management is the process of identifying, evaluating, and planning responses to events, both positive and negative, that might occur throughout the course of a project

Question 2

When assessing risk, it’s necessary to determine the risk’s…

Answer 2

• Probability (how likely)
• Range of outcomes (impact)
• Expected timing (when)
• Frequency (how often)

Question 3

Risk appetite (risk tolerance)

Answer 3

General, high-level description of the level of risk acceptable to an individual or an organization

Question 4

Risk threshold

Answer 4

The specific point at which risk becomes unacceptable

Question 5

What are the seven risk management processes?

Answer 5

1. Plan risk management
2. Identify risks
3. Perform qualitative risk analysis
4. Perform quantitative risk analysis
5. Plan risk responses
6. Implement risk responses
7. Monitor risks

Question 6

What does the risk management plan include?

Answer 6

1. Risk strategy (overall approach to managing risks)
2. Methodology (defines how risk management will be performed)
3. Roles and responsibilities
4. Funding
5. Timing
6. Risk categories
7. Stakeholder risk appetite/thresholds
8. Definitions of probability and impact
9. Reporting
10. Tracking

Question 7

Where would you find a standard list of risk categories?

Answer 7

A Risk Breakdown Structure (RBS) is an organizational chart that can help identify and document risk categories

Question 8

Two main types of risks

Answer 8

• Business risk - risk of a gain OR a loss
• Pure (insurable) risk - only a risk of loss, such as a fire, theft, etc.

Question 9

More detailed categories of risks (outside of business and pure/insurable)

Answer 9

• External
• Internal
• Technical
• Commercial
• Unforeseeable

Question 10

Non-event risk categories

Answer 10

Variablity - risks caused by the inability to predict future changes

Ambiguity - risks caused by a lack of understanding

Question 11

Who is involved in risk identification?

Answer 11

EVERYONE!

Question 12

When does the major part of risk identification occur?

Answer 12

• At the onset of the project (initiating and planning)
• Keep in mind that risks may still be identified later in the project, and risks should be continually reassessed
• More specifically, risks are identified during integrated change control, when working with contracts, when working with resources, and when dealing with project issues

Question 13

What does the Identify Risks process result in?

Answer 13

• Risk register
• Risk report

Question 14

If you are in the Identify Risks process, what does the risk register contain?

Answer 14

• List of risks
• Potential risk owners
• Potential risk responses
• Root cause of risks
• Updated risk categories

Question 15

When are risk responses documented?

Answer 15

Both in the Identify Risks process (as potential risk responses) AND during Plan Risk Responses process (as selected response plans)

Question 16

Qualtitative Risk Analysis process

Answer 16

• Analyzing risks’ potential impact and probability and creating a shortened list of the previously identified individual project risks
• Also involves identifying which risks should move more quickly through the process than others (risk parameters)
• This is a subjective analysis of identified risks

Question 17

What must be determined in order to perform qualtitative risk analysis?

Answer 17

Probability of risk occuring using a standard scale

Impact of risk occuring, using a standard scale

Question 18

What occurs after you perform qualitative risk analysis?

Answer 18

You either:

Further analyze the qualitatively analyzed risks

or

Move directly into the Plan Risk Responses process

Question 19

What must you do before you can use the risk information collected on the project?

Answer 19

You must analyze the precision of the data by assessing its accuracy and reliability

Known as risk data quality assessment

Question 20

Risk data quality assessment involves determined what for each risk?

Answer 20

Extend of the understanding of each risk

Data available about the risk

Quality of the data

Reliability and integrity of the data

Question 21

Why is a probability and impact matrix used?

Answer 21

To sort or rate risks to determine which ones warrant an immediate response and which ones should be put on the watch list

Question 22

Types of risk parameters

Answer 22

Urgency

Dormancy

Manageability and controllability

Strategic impact

Question 23

Urgency risk parameter

Answer 23

• Indicates if the risk is likely to occur soon or if the risk requires a particularly long time to plan a response
• Urgent risks may be moved directly into risk response planning
• Urgent risks may simply be the first ones for which you plan a response in risk response planning

Question 24

Dormancy risk parameter

Answer 24

Refers to the anticipated time between when a risk occurs and when its impact is felt

Question 25

Manageability and controllability parameter

Answer 25

Indicates the level of difficulty involved in dealing with an identified risk, should it occur

Question 26

What can the Qualitative Risk Analysis process be used for?

Answer 26

Compare the risks of the project to the overall risk of other projects

Determine whether the project should be continued or terminated

Determine whether to proceed to Quantitative analysis or Plan Risk Responses processes

Question 27

Quantitative Risk Analysis process

Answer 27

• Numerically analyzing the probability and impact of risks that ranked highest in qualitative risk analysis
• Objective process to determine numerical impact in real terms

Question 28

Purpose of Quantitative Risk Analysis

Answer 28

• Determine which risk events warrant a response
• Determine overall project risk
• Determine quantified proabbility of meeting project objectives (i.e., X% chance to complete project within Y time frame)
• Determine cost and schedule reserves
• Identify risks requiring the most attention
• Create realistic cost, schedule, and scope targets

Question 29

Should you always do a qualitative risk analysis? Quantitative risk analysis?

Answer 29

• ALWAYS do qualitative
• Quantitative is NOT required, and may be skipped in favor of moving to risk response planning. Only do it if it’s worth time and money!

Question 30

What actions are required in quantitative risk analysis?

Answer 30

• Further investigate the highest rated risks on the project
• Perform data analysis to determine which risks have the most impact
• Determine how much quantified risk the project has through data analysis

Question 31

Which risks are likely to require quantitative assessment?

Answer 31

The risks with the highest probabilities and impacts

Question 32

Sensitivity analysis

Answer 32

• Technique to analyze and compare the potential impacts of identified risks
• Tornado diagram is a typical graphical representation of sensitivity analysis

Question 33

What is the best way to measure overall ranking of risks?

Answer 33

Utilizing expected value (EV) for schedule results and Expected Monetary Value (EMV) for costs

EV/EMV takes into account BOTH probability AND impact, instead of separating them

Question 34

EV/EMV formula

Answer 34

EV or EMV = P x I

P = Probability

I = Impact

Question 35

In Plan Risk Responses process, what are your options for dealing with top risks?

Answer 35

• Eliminate threats
• Make sure opportunities happen
• Decrease the probability of threats
• Increase probability of opportunities

Question 36

Power of Risk Response Planning

Answer 36

Eliminating threats while still in the Planning process

Question 37

What is the best answer to a question describing a major problem on the project?

Answer 37

Implement the respective contingency plan!

Do NOT choose the answer that provides a solution to the problem once it’s occurred

Question 38

Can you eliminate all threats and exploit all opps on a project?

Answer 38

No, simply because eliminating all threats and exploiting all opportunities would cost too much time and money

Question 39

Response strategies for threats

Answer 39

• Avoid (remove work or expand scope to avoid risk)
• Mitigate (reduce probability of risk event)
• Transfer (3rd party responsibility)

Question 40

Response strategies for opportunities

Answer 40

• Exploit (add/change work)
• Enhance (increase probability)
• Share (3rd party resonsibility)

Question 41

Response strategies for BOTH threats and opportunities

Answer 41

• Escalate
• Accept

Question 42

Response strategy for high-priority, high-impact risks? Low-priority, low-impact?

Answer 42

High-Priority, High-Impact

Avoid

Mitigate

Low-Priority, Low-Impact

Transfer

Escalate

Accept

Question 43

What is a response to pure risks?

Answer 43

Purchase insurance

Purchasing the insurance (transferring risk ownership) does NOT eliminate all impacts

Question 44

When should threats/opps be escalated? What happens once they’re escalated?

Answer 44

• Threats/opps should be escalated if they are outside the scope of the project or beyond PM’s authority
• These risks MUST be accepted by the program/portfolio manager, at which point it’s documented and the risk is no longer monitored at the project level

Question 45

Passive acceptance

Answer 45

Do nothing with the risk

This leaves actions to be determined as need (workarounds) if the risk occurs

Question 46

Active acceptance

Answer 46

Creating contingency plans to be implemented if the risk occurs and allocating time and costs reserves to the project

Question 47

Who should risk response strategies be communicated to?

Answer 47

Sponsor

Management

Stakeholders

Question 48

Techniques to evaluate and rank potential risk responses

Answer 48

1. Cost-benefit analysis
2. Multicriteria decision analysis

Question 49

Residual risks

Answer 49

• RIsks that remain after risk response planning
• Added to risk register after Risk Response Planning process

Question 50

Who can be a risk owner?

Answer 50

Team member

Any stakeholder other than a team member

Question 51

Secondary risks

Answer 51

New risks created by the implementation of selected risk responses

(A response to one risk will create the possibility of new risks)

Question 52

In terms of risks, what needs to happen before a contract is finalized?

Answer 52

PM should have completed a risk analysis and included contract terms and conditions required to mitigate threats and enhance opps

Question 53

How to calculate contingency reserves

Answer 53

Subtract total EMV for opportunities from the total EMV of threats

Contingency Reserve Total = Threat EMV - Opps EMV

Question 54

When calculating contingency reserves, why do you subtract EMV of opps?

Answer 54

Opps save money and time if they occur, effectively reducing the cost or schedule baselines

Threats increase the amount of contingency reserves, while opps decrease contingency reserves

Question 55

What do you do with noncritical risks?

Answer 55

Document them in a watch list, revisit them periodically

Question 56

What is the most important item to address in meetings?

Answer 56

Risk!

Question 57

Workaround

Answer 57

Unplanned responses developed to deal with the occurrence of unanticipated events or problems

Question 58

Techincal performance analysis

Answer 58

Analysis that uses project data to compare planned versus actual completion of technical requirements to determine if there is any variance from what was planned

Question 59

Purpose of status meetings

Answer 59

Time to collectively perform risk reviews and risk audits

NOT to go around the room and ask for everyone’s status updates

Question 60

Risk review

Answer 60

Discussion of the effectiveness of planned risk responses that have been implemented on the project, and may result in new risks, secondary risks, and risks that are no longer applicable

Question 61

Risk audit

Answer 61

Performed during meetings to assess the overall process of risk management