Chapter 11 - Risk Management Flashcards
Risk Management explained
Risk management is the process of identifying, evaluating, and planning responses to events, both positive and negative, that might occur throughout the course of a project
When assessing risk, it’s necessary to determine the risk’s…
- Probability (how likely)
- Range of outcomes (impact)
- Expected timing (when)
- Frequency (how often)
Risk appetite (risk tolerance)
General, high-level description of the level of risk acceptable to an individual or an organization
Risk threshold
The specific point at which risk becomes unacceptable
What are the seven risk management processes?
- Plan risk management
- Identify risks
- Perform qualitative risk analysis
- Perform quantitative risk analysis
- Plan risk responses
- Implement risk responses
- Monitor risks
What does the risk management plan include?
- Risk strategy (overall approach to managing risks)
- Methodology (defines how risk management will be performed)
- Roles and responsibilities
- Funding
- Timing
- Risk categories
- Stakeholder risk appetite/thresholds
- Definitions of probability and impact
- Reporting
- Tracking
Where would you find a standard list of risk categories?
A Risk Breakdown Structure (RBS) is an organizational chart that can help identify and document risk categories
Two main types of risks
- Business risk - risk of a gain OR a loss
- Pure (insurable) risk - only a risk of loss, such as a fire, theft, etc.
More detailed categories of risks (outside of business and pure/insurable)
- External
- Internal
- Technical
- Commercial
- Unforeseeable
Non-event risk categories
Variability - risks caused by the inability to predict future changes
Ambiguity - risks caused by a lack of understanding
Who is involved in risk identification?
EVERYONE!
When does the major part of risk identification occur?
- At the onset of the project (initiating and planning)
- Keep in mind that risks may still be identified later in the project, and risks should be continually reassessed
- More specifically, risks are identified during integrated change control, when working with contracts, when working with resources, and when dealing with project issues
What does the Identify Risks process result in?
- Risk register
- Risk report
If you are in the Identify Risks process, what does the risk register contain?
- List of risks
- Potential risk owners
- Potential risk responses
- Root cause of risks
- Updated risk categories
When are risk responses documented?
Both in the Identify Risks process (as potential risk responses) AND during Plan Risk Responses process (as selected response plans)
Qualitative Risk Analysis process
- Analyzing risks’ potential impact and probability and creating a shortened list of the previously identified individual project risks
- Also involves identifying which risks should move more quickly through the process than others (risk parameters)
- This is a subjective analysis of identified risks
What must be determined in order to perform qualitative risk analysis?
Probability of risk occurring, using a standard scale
Impact of risk occurring, using a standard scale
What occurs after you perform qualitative risk analysis?
You either:
Further analyze the qualitatively analyzed risks
or
Move directly into the Plan Risk Responses process
What must you do before you can use the risk information collected on the project?
You must analyze the precision of the data by assessing its accuracy and reliability
Known as risk data quality assessment
Risk data quality assessment involves determining what for each risk?
Extent of the understanding of each risk
Data available about the risk
Quality of the data
Reliability and integrity of the data
Why is a probability and impact matrix used?
To sort or rate risks to determine which ones warrant an immediate response and which ones should be put on the watch list
Types of risk parameters
Urgency
Dormancy
Manageability and controllability
Strategic impact
Urgency risk parameter
- Indicates if the risk is likely to occur soon or if the risk requires a particularly long time to plan a response
- Urgent risks may be moved directly into risk response planning
- Urgent risks may simply be the first ones for which you plan a response in risk response planning
Dormancy risk parameter
Refers to the anticipated time between when a risk occurs and when its impact is felt
Manageability and controllability parameter
Indicates the level of difficulty involved in dealing with an identified risk, should it occur
What can the Qualitative Risk Analysis process be used for?
Compare the risks of the project to the overall risk of other projects
Determine whether the project should be continued or terminated
Determine whether to proceed to Quantitative analysis or Plan Risk Responses processes
Quantitative Risk Analysis process
- Numerically analyzing the probability and impact of risks that ranked highest in qualitative risk analysis
- Objective process to determine numerical impact in real terms
Purpose of Quantitative Risk Analysis
- Determine which risk events warrant a response
- Determine overall project risk
- Determine quantified probability of meeting project objectives (i.e., X% chance to complete project within Y time frame)
- Determine cost and schedule reserves
- Identify risks requiring the most attention
- Create realistic cost, schedule, and scope targets
Should you always do a qualitative risk analysis? Quantitative risk analysis?
- ALWAYS do qualitative
- Quantitative is NOT required, and may be skipped in favor of moving to risk response planning. Only do it if it’s worth time and money!
What actions are required in quantitative risk analysis?
- Further investigate the highest rated risks on the project
- Perform data analysis to determine which risks have the most impact
- Determine how much quantified risk the project has through data analysis
Which risks are likely to require quantitative assessment?
The risks with the highest probabilities and impacts
Sensitivity analysis
- Technique to analyze and compare the potential impacts of identified risks
- Tornado diagram is a typical graphical representation of sensitivity analysis
What is the best way to measure overall ranking of risks?
Utilizing expected value (EV) for schedule results and Expected Monetary Value (EMV) for costs
EV/EMV takes into account BOTH probability AND impact, instead of separating them
EV/EMV formula
EV or EMV = P x I
P = Probability
I = Impact
In Plan Risk Responses process, what are your options for dealing with top risks?
- Eliminate threats
- Make sure opportunities happen
- Decrease the probability of threats
- Increase probability of opportunities
Power of Risk Response Planning
Eliminating threats while still in the Planning process
What is the best answer to a question describing a major problem on the project?
Implement the respective contingency plan!
Do NOT choose the answer that provides a solution to the problem once it’s occurred
Can you eliminate all threats and exploit all opps on a project?
No, simply because eliminating all threats and exploiting all opportunities would cost too much time and money
Response strategies for threats
- Avoid (remove work or expand scope to avoid risk)
- Mitigate (reduce probability of risk event)
- Transfer (3rd party responsibility)
Response strategies for opportunities
- Exploit (add/change work)
- Enhance (increase probability)
- Share (3rd party responsibility)
Response strategies for BOTH threats and opportunities
- Escalate
- Accept
Response strategy for high-priority, high-impact risks? Low-priority, low-impact?
High-Priority, High-Impact
Avoid
Mitigate
Low-Priority, Low-Impact
Transfer
Escalate
Accept
What is a response to pure risks?
Purchase insurance
Purchasing the insurance (transferring risk ownership) does NOT eliminate all impacts
When should threats/opps be escalated? What happens once they’re escalated?
- Threats/opps should be escalated if they are outside the scope of the project or beyond PM’s authority
- These risks MUST be accepted by the program/portfolio manager, at which point it’s documented and the risk is no longer monitored at the project level
Passive acceptance
Do nothing with the risk
This leaves actions to be determined as needed (workarounds) if the risk occurs
Active acceptance
Creating contingency plans to be implemented if the risk occurs and allocating time and cost reserves to the project
Who should risk response strategies be communicated to?
Sponsor
Management
Stakeholders
Techniques to evaluate and rank potential risk responses
- Cost-benefit analysis
- Multicriteria decision analysis
Residual risks
- Risks that remain after risk response planning
- Added to risk register after Risk Response Planning process
Who can be a risk owner?
Team member
Any stakeholder other than a team member
Secondary risks
New risks created by the implementation of selected risk responses
(A response to one risk will create the possibility of new risks)
In terms of risks, what needs to happen before a contract is finalized?
PM should have completed a risk analysis and included contract terms and conditions required to mitigate threats and enhance opps
How to calculate contingency reserves
Subtract total EMV for opportunities from the total EMV of threats
Contingency Reserve Total = Threat EMV - Opps EMV
When calculating contingency reserves, why do you subtract EMV of opps?
Opps save money and time if they occur, effectively reducing the cost or schedule baselines
Threats increase the amount of contingency reserves, while opps decrease contingency reserves
What do you do with noncritical risks?
Document them in a watch list, revisit them periodically
What is the most important item to address in meetings?
Risk!
Workaround
Unplanned responses developed to deal with the occurrence of unanticipated events or problems
Technical performance analysis
Analysis that uses project data to compare planned versus actual completion of technical requirements to determine if there is any variance from what was planned
Purpose of status meetings
Time to collectively perform risk reviews and risk audits
NOT to go around the room and ask for everyone’s status updates
Risk review
Discussion of the effectiveness of planned risk responses that have been implemented on the project, and may result in new risks, secondary risks, and risks that are no longer applicable
Risk audit
Performed during meetings to assess the overall process of risk management