unit 9: risk management pmbok guide, chapter 11) · pdf fileunit 9: risk management (pmbok

© CMF Solutions and ESI July 2013 PMC:DJ4:EN:000 ver.2.0 9-1

Unit 9: Risk Management (PMBOK® Guide, Chapter 11)

Some exam takers may be unfamiliar with the basic concepts of probability, expected monetary value, and decision trees. This unit will review all these concepts so that you should not experience any particular difficulty. See course slide #9-1 for an overview of risk management.

Major Processes

11.1 Plan Risk Management (defining how to conduct risk management activities)11.2 Identify Risks (determining which risks might affect the project)11.3 Perform Qualitative Risk Analysis (qualitative analysis and prioritizing of risks)11.4 Perform Quantitative Risk Analysis (numerically analyzing identified risks)11.5 Plan Risk Responses (how to enhance opportunities and reduce threats)11.6 Control Risks (identifying new risks, tracking identified risks, implementing risk

response plans, and evaluating risk management effectiveness)

Risk is defined as an uncertain event or condition that, if it occurs, can have either a positive or a negative effect on the project objectives. A risk may have one or more causes and one or more impacts if it occurs.

Known risks have been identified, analyzed, and can be managed using the processes in this knowledge area. Known risks may be assigned a contingency reserve as part of managing them. Unknown risks cannot be ascertained or managed adequately in advance. A common method for dealing with unknown risks is to allocate management reserve in the form of extra money, time, or resources.

Risk management is identifying, analyzing, and responding to project risks. Risk management involves minimizing potentially negative factors and maximizing potentially positive factors. In other words, risk involves the opportunity for gain as well as the potential for loss. PMI states that organizations that fail to proactively manage risks increase the chance of negative impacts and/or project failure.

Individuals and organizations have attitudes toward risk known as risk orientation, risk tolerance, and risk preference. Some of us are risk takers and some are cautious risk avoiders. In any event, risk management involves balancing a potential risk against a potential reward. Another term that describes this concept of risk vs. reward is utility theory or utility function. In the 5th edition of the PMBOK® Guide, PMI has drawn the following distinctions among three risk-related terms:

Unit 9: Risk Management

9-2 PMC:DJ4:EN:000 ver.2.0 © CMF Solutions and ESI July 2013

• Risk appetite: the degree of uncertainty an organization is willing to accept in light of the anticipated reward (similar to utility theory).

• Risk tolerance: the amount of risk that an organization will withstand before choosing a different response.

• Risk threshold: the level of uncertainty or impact beyond which the organization will not tolerate the risk.

Note: PMI distinguishes uncertainty from risk. They (and others) contend that uncertainty occurs when there is a “lack of information that makes it difficult to estimate the likelihood of an event.”

You should know that whenever PMI refers to risk factors, the following three items comprise those factors:

1. Risk event: The precise description of what might happen to the project.

2. Risk probability: The likelihood that the event will occur.

3. Amount at stake: The magnitude of the potential loss or gain.

Also, you should know the difference between the two following types of risk:

Business Risk Insurable Risk (“Pure”)

The normal risk of doing business.

Presents an opportunity for gain or loss.

Should be managed:

Business Risk:

• Plan • Identify • Qualitative Analysis • Quantitative Analysis • Response • Control

Represents only an opportunity for loss.

Divided into four categories.

Should be insured:

Insurable Risk:

1. Property damage (fire, flood, wind)

2. Indirect consequential loss (cost of cleanup after a loss, disrupted business)

3. Legal liability (injury to visitors)

4. Personal injury (employee injuries; worker compensation)



11.1 Plan Risk Management (PMBOK® Guide, p. 313)

Risk management planning is the process of deciding how to conduct risk management activities for a project. The risk management plan is important in obtaining initial and continuing support from stakeholders. Careful planning will almost always improve the results from the other five processes of risk management and is, therefore, time well spent. Risk planning should begin during the earliest stages of project initiation and should be completed early in the project planning process.

Plan Risk Management

Inputs Tools Outputs

1. Project management plan 2. Project charter 3. Stakeholder register 4. Enterprise environmental factors 5. Organizational process assets

1. Analytical techniques 2. Expert judgment 3. Meetings

1. Risk management plan

Five Key Inputs for Plan Risk Management (PMBOK® Guide, p. 314):

1. Project Management Plan: The risk management plan being created at this step should be consistent with other approved subsidiary management plans (such as the scope, schedule, cost, quality, human resource, communication, procurement, and stakeholder plans). The scope, schedule, and cost baselines are of special importance.

2. Project Charter: The charter would have previously documented high-level risks and requirements.

3. Stakeholder Register: Identifies key stakeholders, some of whom may have information or concerns about potential risks.

4. Enterprise Environmental Factors: Attitudes toward risk and the extent of risk tolerance in the organization are major influences on the risk management plan. These attitudes may be evident in the organization’s risk policies.

5. Organizational Process Assets: Organizational Process Assets that may influence risk planning includes:

• Risk statement formats and standard templates



• Lessons learned

• Risk categories

• Roles, responsibilities, and common definitions

• Authority levels for decisions

Three Key Tools for Plan Risk Management (PMBOK® Guide, p. 315):

1. Analytical Techniques: Analytical techniques help define the overall risk management context by combining assessments of two crucial factors:

• Stakeholder risk attitudes

• The overall perceived strategic risk exposure for the particular project.

Stakeholder risk profile analysis may be used to score stakeholder risk tolerance (how much risk they are willing to accept). Risk scoring sheets may also be used to rate the overall risk exposure for the specific project in question.

2. Expert Judgment: Improving the risk management plan by drawing upon the expertise of groups or individuals such as:

• Senior management and project stakeholders

• Project managers who have worked similar projects

• Subject matter experts, industry groups, and consultants

• Professional and technical associations

3. Meetings: Planning meetings (attended by key project stakeholders and other subject matter experts) are used to help develop the risk management plan. Key areas for discussion include relevant cost and schedule information (such as appropriate contingency or reserve amounts), assignment of risk responsibilities,and definitions of probability and impact. Risk templates that do not already exist may be developed in these meetings.

One Key Output for Plan Risk Management (PMBOK® Guide, p. 316):

1. Risk Management Plan: The single output of risk planning is the risk management plan. This plan addresses how risk identification, qualitative and quantitative analysis, response planning, and control will be handled. The plan may include the following:

• Methodology • Roles and responsibilities



• Budgeting and timing • Risk categories: May employ information from the RBS (Risk Breakdown

Structure)• Definitions of probability and impact: How to describe or measure the

likelihood that an event will occur and the effect on project objectives if it does occur

• Probability and impact matrix (more detail under qualitative analysis)• Revised stakeholder tolerances: Risk planning may cause shifts in how

much risk is considered acceptable for a specific project• Reporting formats and tracking (recording risk activities and audits)

11.2 Identify Risks (PMBOK® Guide, p. 319)

Risk identification involves determining which risk events are likely to affect the project and documenting their characteristics. Risk identification is not a one-time event; itis an iterative process and normally leads to qualitative analysis. New risks may emerge at any time and continued risk identification should be performed on a regular basis throughout the project. During the identification of a risk, it may also become apparent what the appropriate response should be. This information should be recorded for subsequent use in the response planning process.

Identify Risks


1. Risk management plan 2. Cost management plan 3. Schedule management plan 4. Quality management plan 5. Human resource management plan 6. Scope baseline 7. Activity cost estimates 8. Activity duration estimates 9. Stakeholder register 10. Project documents 11. Procurement documents 12. Enterprise environmental factors 13. Organizational process assets

1. Documentation reviews 2. Information gathering techniques 3. Checklist analysis 4. Assumptions analysis 5. Diagramming techniques 6. SWOT analysis 7. Expert judgment

1. Risk register



Thirteen Key Inputs for Identify Risks (PMBOK® Guide, p. 321):

1. Risk Management Plan: Assigns roles and responsibilities for risk identification, builds money and time into the plan to accommodate risk identification, and provides information about risk categories that may be relevant for the current project (output of previous section, 11.1).

2. Cost Management Plan: Cost management planning considers the risk register as well as reserve analysis for both cost estimating and budgeting.

3. Schedule Management Plan: The schedule management plan considers reserve analysis and also produces estimates with ranges so that an understanding of schedule risk is already considered.

4. Quality Management Plan: Quality planning (Section 8.1) may generate information about potential risks, especially technical risks.

5. Human Resource Management Plan: Described in Section 9.1, the staffing management is especially useful in understanding human resource risks.

6. Scope Baseline: The scope statement should include any assumptions that have been made. Assumptions are inherently risky because of the uncertainty embedded in them. The PMBOK® Guide treats assumptions as especially important in the chapter on risk management. Assumptions must be identified, documented, and periodically validated as to their accuracy.

Also, recall that one of the uses of the WBS is risk identification. It is usually easier to assess the potential risk of a specific work package than to identify risks for the entire project. The WBS also provides a method for tracking risks at various levels (summary, control account, and work package levels).

7. Activity Cost Estimates: If the estimates are expressed as a range (as recommended by PMI), activities with wider cost ranges are considered more risky.

8. Activity Duration Estimates: Similarly, if the schedule estimates are expressed as a range (as recommended by PMI), activities with wider schedule ranges are considered more risky. Recall the use of PERT as one method for evaluating schedule by estimating the inherent range in possible outcomes.

9. Stakeholder Register: Stakeholders are a major source of risk identification information.



10. Project Documents: The following risk-related project documents are aimed at improving cross-team and stakeholder communication and may include:

• Project charter

• Project schedule and network diagrams

• Issue log

• Quality checklist

• Other information (any additional information proven to be valuable in risk identification)

11. Procurement Documents: Defined in Section 12.1, procurement documents help assess the risks associated with outsourcing.

12. Enterprise Environmental Factors: Environmental factors that may affect risk identification may include:

• Published information, including commercial databases

• Academic studies and published checklists

• Benchmarking and industry studies

• Risk attitudes

13. Organizational Process Assets: Organizational Process Assets that may influence risk identification include:

• Project files (actual historical data)

• Organizational and process controls

• Risk statement templates

• Lessons learned

Seven Key Tools for Identify Risks (PMBOK® Guide, p. 324):

1. Documentation Reviews: A structured review of all subsidiary management plans (scope, schedule, cost, quality, and so on) as well as a review of all assumptions that have been made.

2. Information-Gathering Techniques: Examples include the following:

• Brainstorming: Under the leadership of a facilitator, the project team or a multi-disciplinary group of experts generates ideas about project risks. The information is then refined and categorized.



• Delphi technique: A way of reaching consensus among a group of experts who participate anonymously. The experts give responses to specific questions. The responses are then summarized and provided to the entire group. The anonymity prevents any participant from dominating the results. Several iterations are usually performed to determine whether a consensus exists among the experts. While this technique can be used for numerous reasons, the purpose here is to identify major project risks.

• Interviewing: Conducted with experienced project managers, subject matter experts, and other stakeholders.

• Root cause analysis: Sharpens the definition of a particular risk and facilitates grouping of risks by cause or category.

3. Checklist Analysis: Organized by source of risk. Checklists use information learned from previous projects and can help make risk identification quicker and simpler. A possible disadvantage is that analysts may limit their search to a pre-existing list. Checklists should be “pruned” occasionally and they should be reviewed during closeout for incorporation of new information into templates for future use. Examples of such sources of risk include:

• Technology • Cost • Schedule • Internal • External • Procurement • Legal • Poor planning • Changes in requirements

4. Assumptions Analysis: Exploring and challenging the validity of any assumptions that have been made about the project.

5. Diagramming Techniques: May include the following:

• Cause and effect diagrams

• Flowcharts (system or process)

• Influence diagrams



6. SWOT Analysis: (Strengths, Weaknesses, Opportunities, Threats): A technique to ensure risks are approached from a sufficient mix of perspectives. SWOT looks at both the upside opportunities as well as the downside concerns. The technique also considers whether the strengths, weaknesses, opportunities, or threats come from internal organizational sources or external environmental sources.

7. Expert Judgment: Experts with relevant experience on similar projects may be an invaluable source of information.

One Key Output for Identify Risks (PMBOK® Guide, p. 327):

1. Risk Register: The risk register is built in stages as each risk management process is performed. A plan is provided, risks are identified, risks are then analyzed, response plans are developed, and on-going monitoring and control follows next. New information is developed at each step.

At this point, the risk register contains:

• A list of potential risk events

• A list of potential responses (if known)

For the exam, also know that a risk trigger is a symptom or warning sign that a risk is about to occur. An example might be that the cost performance index is moving out of acceptable thresholds.

11.3 Perform Qualitative Risk Analysis (PMBOK® Guide, p. 328)

Qualitative risk analysis is the process of assessing the likelihood and impact of identified risks and prioritizing them according to their potential effect on project objectives. This process is accomplished using established qualitative methods and tools. The purpose is to help the project team focus on high priority risks and also to lay the foundation for quantitative analysis should it be needed. Qualitative analysis takes relatively less time and is less expensive to perform when compared to quantitative analysis.



Perform Qualitative Risk Analysis


1. Risk management plan 2. Scope baseline 3. Risk register 4. Enterprise environmental factors 5. Organizational process assets

1. Risk probability and impact assessment

2. Probability and impact matrix 3. Risk data quality assessment 4. Risk categorization 5. Risk urgency assessment 6. Expert judgment

1. Project documents updates

Five Key Inputs for Perform Qualitative Risk Analysis (PMBOK® Guide, p. 329):

1. Risk Management Plan: The risk plan provides assignment of roles and responsibilities (for qualitative analysis activities), stakeholder risk tolerances, definitions of probability and impact, risk categories that should be considered, and the monetary and time resources to accomplish the risk activities.

2. Scope Baseline: The scope statement helps the team to understand the basic nature of the project. Recurring, common projects are inherently less risky because they have become known and are more predictable. Projects involving state-of-the-art technology or a high degree of complexity tend to be more risky.

3. Risk Register: At this step, the list of identified risks would be available.

4. Enterprise Environmental Factors: Environmental factors that may apply to qualitative risk analysis may include:

• Industry studies of similar projects

• Risk databases from industry or proprietary sources

5. Organizational Process Assets: Information about risks on previous, similar projects may be used at this step.

Six Key Tools for Perform Qualitative Risk Analysis (PMBOK® Guide, p. 330):

1. Risk Probability and Impact Assessment: Risk probability is the likelihood that a risk will occur and risk impact (consequence) is the effect on project objectives if a risk event does occur. Qualitative descriptions of both characteristics may range from very high to very low. These assessments are documented as a result of interviews or meetings.



2. Probability and Impact Matrix: A matrix may be constructed that assigns probability and impact ratings to individual risk events. The scales used to assign the ratings could employ subjective, ordinal data such as “low, moderate, and high”. Alternatively, the scales could use cardinal scales that are numeric.Figure 11-10 on page 331 shows one method. See course slide #9-2.

3. Risk Data Quality Assessment: The availability of data, reliability of that data, source of the data, and uncertainty in measuring the data all have an impact on risk. A credible risk analysis requires accurate and unbiased data.The quality of risk data is often directly related to previous experience with similar projects. Therefore, the risk data may be lacking or unreliable for highly unique projects for which the performing organization has little experience.

4. Risk Categorization: The RBS (risk breakdown structure) may be helpful in grouping risks into related categories. Risk responses can be more effective if common patterns in the risks are known.

5. Risk Urgency Assessment: Some risks require near-term responses and may therefore be considered more urgent.

6. Expert Judgment: Used to more accurately assess the probability and potential impact for each individual risk event.

One Key Output for Perform Qualitative Risk Analysis (PMBOK® Guide, p. 333):

1. Project Documents Updates: The risk register and the assumptions log are the two key documents that may be updated at this point. Updates to the risk register may include the following:

Relative ranking or priority list for the project: The overall risk ranking produces risk scores that can be compared among projects. The information can be useful in several ways: support recommendations to initiate, continue, or cancel a project; assign the right people to various projects; and help support a benefit-cost analysis on a project.

Risks grouped by categories: Root cause analysis may reveal common causes or patterns among certain risks.

Risks requiring near-term response: Risks that require immediate responses should be organized into separate groups.



List of risks for additional analysis and management: Risks with high or moderate impacts may be further analyzed using additional techniques.

“Watch list” of low priority risks: Qualitative analysis may have revealed risks that are considered low but should be monitored for any changes.

11.4 Perform Quantitative Risk Analysis (PMBOK® Guide, p. 333)

Quantitative analysis numerically analyzes the probability of each risk and its consequence on project objectives. Sophisticated techniques such as Monte Carlo simulation and decision tree analysis are used to do the following:

• Determine the probability that specific project objectives can be met.

• Quantify risk exposure so that cost and schedule reserves can be determined.

• Identify which risks require the most attention.

• Identify realistic cost, schedule, and performance targets.

There may be instances in which quantitative analysis is not needed or is not worth the cost.

Perform Quantitative Risk Analysis


1. Risk management plan 2. Cost management plan 3. Schedule management plan 4. Risk register 5. Enterprise environmental factors 6. Organizational process assets

1. Data gathering and representation techniques

2. Quantitative risk analysis and modeling techniques

3. Expert judgment


Six Key Inputs for Perform Quantitative Risk Analysis (PMBOK® Guide, p. 335):

1. Risk Management Plan: Again, the risk plan establishes roles and responsibilities, the budget and time to do the analysis, risk categories, and stakeholder risk tolerances.



2. Cost Management Plan: Provides the format and structure for handling cost-related information and for handling reserves.

3. Schedule Management Plan: Provides the format and structure for handling schedule-related information and for handling reserves.

4. Risk Register: At this step, the risk register provides a list of risks, risk priorities, and risk categories (information from all the previous processes).

5. Enterprise Environmental Factors: Environmental factors that may influence quantitative analysis may include:

• Industry studies of similar projects

• Risk databases available from professional associations, industry groups, or other proprietary sources

6. Organizational Process Assets: Organizational Process Assets that can influence quantitative analysis include information from previous, similar projects.

Three Key Tools for Perform Quantitative Risk Analysis (PMBOK® Guide, p. 336):

1. Data Gathering and Representation Techniques: These techniques include:

• Interviewing: Interviews with appropriate subject matter experts yield data required to build probability distributions. A common approach is shown in Figure 11-13, page 336, in which experts provide three estimates (low, most likely, and high). This approach is very much like the PERT technique discussed in the time management area.

• Probability Distributions: The outcome of interviewing is a probability distribution (Figure 11-14 on page 337 shows two examples).

2. Quantitative Risk Analysis and Modeling Techniques: Common techniques include:

• Sensitivity Analysis: Also known as “what if” analysis, sensitivity analysis uses the power of the computer to examine the effects of variations in different project variables. For example, if you vary the duration of a given task, what is the effect on project costs, quality, and resource usage? Tornado diagrams may be used to assess the potential impact of highly uncertain variables on the rest of the project.In other words, tornado diagrams compare the relative importance of



different risk variables on the project. Figure 11-15 on page 338 shows one example of a Tornado diagram.

• Expected Monetary Value Analysis: A statistical concept that calculates a long-term average outcome. EMV is quite simply multiplying the probability of an event by the dollar amount at stake.EMV analysis is often used in conjunction with decision trees. A decision tree is a diagram that depicts the interactions of possible events. The process yields the probabilities and/or expected monetary value of various possible outcomes. See Figure 11-16 on page 339 for an example. See course slides #9-3 through #9-8 for EMV & Decision Tree examples.

• Modeling and Simulation: Using data from subject matter experts, a computer software program uses random number generators and input values from a probability distribution to simulate possible project outcomes. Figure 11-17 on page 340 shows the data from a simulation.

Key points about simulation:

• Most common form is Monte Carlo.

• Can quantify a variety of potential risks, including schedule and cost.

• Produces a distribution of possible outcomes with associated probabilities.

• By comparison, PERT and CPM analyses understate project duration because they cannot account for path convergence.

• The results of a Monte Carlo simulation are significantly affected by the choice of statistical distribution.

See course slide #9-9 on the effect of path convergence!

3. Expert Judgment: Subject matter experts are needed to provide data and validate the results.

One Key Output for Perform Quantitative Risk Analysis (PMBOK® Guide, p. 341):

1. Project Documents Updates: The primary document updated at this point is the risk register. The following new information may be provided:



• Probabilistic analysis of the project: A forecast of possible cost and schedule outcomes along with associated confidence levels. In other words, a probability distribution showing possible cost and schedule results.

• Probability of achieving cost and time objectives: A quantitative analysis showing the probability of achieving the current project objectives (given the current knowledge of project risks).

• Prioritized list of quantified risks: A list of risks that pose the greatest threat (or opportunity) for the project.

• Trends in quantitative risk analysis results: If there are any trends in project performance, repetitive analysis will usually show them.

11.5 Plan Risk Responses (PMBOK® Guide, p. 342)

Risk response planning is the process of determining how to enhance opportunities or reduce threats. Response planning assigns one or more people as “response owners” and addresses risks according to their priority. Various risk analysis tools, such as decision trees, may be used to evaluate and choose the best response strategies.Response planning should consider the following factors:

• The response is appropriate for the severity of the risk.

• The response is cost effective and timely.

• The response is agreed upon and realistic.

• The response is owned by a specific person (assigned action item).

Plan Risk Responses


1. Risk management plan

2. Risk register

1. Strategies for negative risks or threats 2. Strategies for positive risks or opportunities 3. Contingent response strategies 4. Expert judgment

1. Project management plan updates


Two Key Inputs for Plan Risk Responses (PMBOK® Guide, p. 343):

1. Risk Management Plan: As before, the risk plan assigns people who own specific risks, defines the thresholds for whether a risk is low, moderate, or high, and provides the time and budget to conduct response activities.



2. Risk Register: Based on the results from the previous processes, identification and analysis, the risk register provides the following information:

• Identified risks and priority

• Root causes and risks grouped by categories

• List of potential responses

• Risk owners and risk triggers (symptoms and warning signs)

• Risks requiring near-term response

• Watch list of low risks that should be periodically monitored

Four Key Tools for Plan Risk Responses (PMBOK® Guide, p. 343):

1. Strategies for Negative Risks or Threats: May be addressed with one or more of the following:

• Avoid: This strategy attempts to eliminate a threat, if possible. One possible approach is to adopt an alternative strategy in one of the following ways: 1) reduce scope or change project objectives, 2) allow the schedule to slip, 3) adopt a proven technical approach instead of a more innovative, risky one, or 4) use a substitute component that does not have the same risk.

• Transfer: PMI suggests that you may consider transferring(deflecting) a risk to another party through numerous practices:

Insurance and performance bonds

Warranties and guarantees

Outsourcing (also called procurement or subcontracting)

Contract type (a fixed price contract transfers cost risk to the seller and a cost reimbursement contract transfers cost risk to the buyer)

Note: Transferring a risk does not eliminate the risk. It merely gives someone else the responsibility to manage that risk.

• Mitigate: Actions taken to reduce the probability or the impact of a risk. Earlier preventive approaches are usually more productive than repairing the damage after it occurs. Examples of mitigation include:

Adopting less complex approaches

Conducting more tests



Designing redundancy and back-up systems into critical components and subsystems

Choosing more stable, proven suppliers

• Accept: This approach may be used for negative risks or threats and for positive opportunities. Passive acceptance is taking no action and dealing with the problems (or opportunities) if and when they occur.Active acceptance is almost always handled using extra money, time, or resources (known as contingency reserve).

Note: PMI states that avoidance and mitigation are appropriate for critical risks with high impact, whereas transference and acceptance are more appropriate for less critical risks with relatively low impact.

2. Strategies for Positive Risks or Opportunities:

• Exploit: This strategy attempts to maximize the chance of reaching an opportunity. It uses approaches such as: assigning the most talented resources available, using new technologies to reduce costs and durations, providing better quality than planned, and eliminating uncertainty. The sponsor should exert influence where needed.

• Share: This strategy involves joint ventures, strategic alliances, and other collaborative arrangements to share risks, share costs, and take advantage of technical synergies (each party performs the portion of the project that they do best).

• Enhance: This strategy is conceptually the opposite of mitigating negative risks; the enhance strategy attempts to increase the probability and positive impact of positive opportunities. Methods for doing so may include:

Maximizing any natural advantages such as superior technology or better global supplier relationships

Adding more resources to finish earlier (i.e., crashing)

• Accept: Used when the organization prefers not to actively pursue an opportunity, but will accept the results if they occur without undue effort. For example, the organization might not wish to divert resources from a more promising opportunity.

Note: The acceptance strategy is associated with the word “low”. A project may accept a low negative risk or a low (unexciting) opportunity.



3. Contingent Response Strategy: A response plan that is used only when certain events occur. This approach is appropriate when planners feel that future warning symptoms will provide adequate time to implement the response activity if the conditions begin to occur. For example, a particular risk response strategy may be triggered only if a specific milestone is missed.

4. Expert Judgment: As always, people with the right experience, training, and knowledge should be used for the task at hand (in this case, for response planning).

Two Key Outputs for Plan Risk Responses (PMBOK® Guide, p. 346):

1. Project Management Plan Updates: Elements of the plan that may be updated as a result of response planning include:

• Schedule management plan

• Cost management plan

• Quality management plan

• Procurement management plan

• Human resource management plan

• Scope baseline (scope statement, WBS, WBS dictionary)

• Schedule baseline

• Cost baseline

2. Project Documents Updates: Updates to the risk register may include:

• Risk owners and assigned responsibilities

• Agreed-upon response strategies

• Risk triggers and warning signs

• Budget and schedule needed to implement planned responses

• Contingency plans, fallback plans, residual and secondary risks

• Contingency reserves

Other document updates may include:

• Assumptions log

• Technical documentation

• Change requests



11.6 Control Risks (PMBOK® Guide, p. 349)

Control Risks is the process of keeping track of identified risks, ensuring that risk response plans are implemented, evaluating the effectiveness of risk responses, monitoring residual risks, and identifying new risks. The purpose of control is to determine whether:

• Risk responses have been implemented. • Risk responses were effective (or new responses are needed). • Project assumptions are still valid. • Any risk triggers have occurred. • Risk exposure has changed. • Policies and procedures are being followed. • Any new risks have emerged.

Control Risks


1. Project management plan 2. Risk register 3. Work performance data 4. Work performance reports

1. Risk reassessment 2. Risk audits 3. Variance and trend analysis 4. Technical performance

measurement 5. Reserve analysis 6. Meetings

1. Work performance information 2. Change requests 3. Project management plan updates 4. Project documents updates 5. OPA updates

Four Key Inputs for Control Risks (PMBOK® Guide, p. 350):

1. Project Management Plan: Contains the risk management plan which assigns people, risk owners, and the resources needed to carry out risk monitoring activities.

2. Risk Register: Provides the list of identified risks, risk owners, agreed responses, risk triggers (symptoms and warning signs), residual and secondary risks, watch list of low priority risks, and planned reserves.

3. Work Performance Data: The status of the work is a major input to risk control. Performance reports give insights into whether risks are occurring and



whether response plans need to be implemented. Specific status of interest includes:

• Deliverable status

• Schedule progress

• Costs incurred

4. Work Performance Reports: These reports analyze the work performance data just mentioned to create status reports and forecasts using various methods such as earned value.

Six Key Tools for Control Risks (PMBOK® Guide, p. 351):

1. Risk Reassessment: The project team should regularly check for new risks as well as “reassessing” previously identified risks. At least three possible scenarios should be considered: a) new risks may have emerged and a new response plan must be devised, b) if a previously identified risk actually occurs, the effectiveness of the response plan should be evaluated for lessons learned, and c) if a risk does not occur, it should be officially closed out in the risk register.

2. Risk Audits: Evaluate and document the effectiveness of risk responses as well as the effectiveness of the processes being used. Risk audits may be incorporated into the agenda of regularly scheduled status meetings or may be scheduled as separate events.

3. Variance and Trend Analysis: Used to monitor overall project performance.These analyses are used to forecast future project performance and to determine if deviations from the plan are being caused by risks or opportunities.

4. Technical Performance Measurement: Using the results of testing, prototyping, and other techniques to determine whether planned technical achievements are being met. As with trend analysis, this information is also used to forecast the degree of technical success on the project.

5. Reserve Analysis: Compares the remaining reserves to the remaining risk to determine whether the remaining reserve is adequate to complete the project.Recall that the fundamental purpose of reserves is to reduce the chance of cost and schedule overruns.

6. Meetings: Risk management should be an agenda item at the regular team meetings.



Five Key Outputs for Control Risks (PMBOK® Guide, p. 353):

1. Work Performance Information: Work performance information has been analyzed and provides a mechanism to support on-going project decision making.

2. Change Requests: When contingency plans are implemented, it is sometimes necessary to change the project management plan. A classic example is the addition of extra money, time, or resources for contingency purposes. These change requests may lead to recommended corrective actions or recommended preventive actions.

Corrective actions may include contingency plans (devised at the time a risk event is identified and used later if the risk actually occurs) and workarounds (passive acceptance of a risk where no action is taken until or unless the risk event actually occurs). The major distinction is that workaround responses are not planned in advance.

3. Project Management Plan Updates: Again, if approved changes have an effect on risk information or processes, the project management plan should be revised accordingly.

4. Project Documents Updates: Updates the risk register by recording the outcomes of risk monitoring activities such as risk reassessment and risk audits.Also records which risk events have actually occurred and whether the responses were effective

5. Organizational Process Assets Updates: Includes risk plan templates, the risk register, the risk breakdown structure, and lessons learned.

Other Topics:

Probability Theory:

• Probability of heads on a coin toss (50%)

• Probability of heads on the fifth coin toss (50%, the probability on each coin toss is independent of the others)

• Probability of heads two times in a row (25%: multiply the probabilities of each separate event = .50 times .50)



• If the probability of event A is 30%, the probability of event A nothappening is 70%, in other words, 1 - P(A).

• If the probability of an event occurring during any given month is .20, the probability that the event will not occur during the third month is .80.

• What is the probability that the event would not occur two months in a row? (.80 x .80 = .64)

• If the P(A) is .50 and the P(B) is .60, the probability that both A & B would occur is .30 (multiply the probabilities).

Risk versus range: When estimating, the wider the range is, the more uncertain the project is.

• Example: Which range of cost outcomes poses the greatest risk?

a. $100,000 +/- $10,000b. $95,000 to $110,000c. $88,000 to $105,000

Note: You are looking for the estimate with the widest range. For choicea, the range is $20,000 ($10,000 below and above). For choice b, the range is $15,000 and for choice c it is $17,000. So, choice a is the mostrisky and choice b is the least risky.

The instructor will answer any questions about the rationale adopted by PMI for providing a range when estimating.



Self-Study Drill Practice: Risk Management

Question Answer

1. Define risk management.Note: All page numbers in this drill practice refer to the study guide unless otherwise indicated.

1. The process of identifying, analyzing, and responding to risk factors throughout the life of a project (p. 9-1).

2. When should project risks be identified? 2.• At the beginning of the project. • During the planning for each phase of the

project. • Before approval of major scope changes. • In other words, continuously throughout

the entire project (pp. 9-3 and 9-5).

3. Name three risk factors. 3.Risk event Risk probability Amount at stake (p. 9-2)

4. What are the six major risk processes? 4.Plan risk management Identify risks Perform qualitative risk analysis Perform quantitative risk analysis Plan risk responses Control risks (p. 9-1)

5. Which scheduling technique explicitly considers risk?

5. PERT (p. 9-6, input #8)

6. What are the recommended ways of deflecting or transferring risk to another party?

6.WarrantiesInsurance Subcontracting (outsourcing) Type of contract (p. 9-16)



7. The most likely duration for a trip is estimated to be 6 hours. If the optimistic estimate is 4 hours and the pessimistic estimate is 10 hours:

a. What would a PERT expected time be?

b. What would a PERT standard deviation be?

7.

a. e(t) = [O + 4M + P] / 6 [4 + 4(6) + 10] / 6 = 6 1/3 hours

b. S.D. = [P - O] / 6 [10 - 4] / 6 = 1.0 hour

(Course slides 4-18, 4-26)

8. Name a fundamental project management tool that is also useful in identifying potential risks.

8. WBS (p. 9-6, input #6)

9. How would one determine the probability that two independent events would both occur?

9. Multiply the probability of the two events.

If the probability of one event is 60% and the other is 80%, then the probability of both events occurring is 48% (.60 x .80). (p. 9-22)

10. What is the primary concern of risk control?

10. Tracking changes in the risk factors throughout the project (p. 9-19).

11. What is the purpose of including a cost reserve in the project budget?

11. Reduce the chance of a cost overrun. (p. 9-20, tool #5)

12. What is an advantage of decision trees? 12. The ability to consider risk event interdependencies (p. 9-14 and course slide 9-8).

13. If an event has a 40% chance of occurring, what is the probability that it will notoccur?

13. 60% (p. 9-22)

14. What are the strategies associated with response planning for negative risks?

14.• Avoid • Transfer • Mitigate • Accept (pp. 9-16/17)



15.a. What is the formula for calculating expected monetary value (EMV?)

b. If a project has a 50% chance of a $200,000 profit and a 50% chance of a $100,000 loss, what is the expected monetary value?

15.a. Multiply the probability of the event by the estimated gain or loss (in dollars).

b. [.50 x 200,000] = +$100,000 [.50 x - 100,000] = -$50,000 +$50,000

Therefore, the EMV is the sum of the products (each product is the EMV of one possible event) (Course slides 9-3/4).

16. What are the primary tools used to quantify risks?

16.Data gathering techniques: - Interviewing - Probability distributions Quantitative modeling techniques: - Sensitivity analysis - Expected monetary value - Modeling and simulation Expert judgment (pp. 9-13/14)

17. What is a simulation and what advantage does it provide?

17.Most simulations are some form of Monte Carlo analysis which “performs” the project many times to determine possible project outcomes with associated probabilities.

An advantage of Monte Carlo analysis is that it can account for path convergence and is therefore less likely to underestimate project durations or costs. (pp. 9-13/14)

18. How would schedule estimates from PERT generally compare to those from Monte Carlo simulation?

18. PERT estimates would tend to be more optimistic (possibly overly optimistic) (pp. 9-13/14 and course slide 4-33).

19. What is a major factor that affects the results of Monte Carlo simulations?

19. The choice of probability distribution employed by the program (p. 9-14).

20. Is risk management concerned only with negative or adverse factors?

20. No, risk management also considers the positive opportunities for gain (p. 9-1).



21. What is the difference between a contingency plan and a workaround?

21.A contingency plan is a predefined action plan in case a risk event occurs later.

A workaround is an unplanned response to a risk event when it actually happens. It is unplanned only in that it was not devised in advance.(p. 9-21, output #2, change requests)

22. The process of determining what risk events may affect a project is called risk _____.

22. identification (p. 9-5)

23. Which estimate has more risk: an estimate with a narrow range of outcomes or one with a wide range of outcomes?

23. Estimates with a wider range of outcomes pose a greater risk as the outcomes are less predictable.

Therefore, 30 days plus or minus 5 days is more risky than 25 to 30 days (p. 9-6, input #8, duration estimates).

24. What concept is described as “a lack of information that makes it difficult to estimate the likelihood of an event”?

24. Uncertainty (p. 9-2)

25. Would projects using new technology generally pose a lower or higher risk?

25.A higher risk because of the additional uncertainty (and associated rework) in design, test, and debugging of the new approach (p. 9-10, input #2, scope baseline).

26. What method would help you assess the impact of highly uncertain variables on the rest of the project?

26. Tornado diagram (pp. 9-13/14).

27. What is the purpose of qualitative risk analysis?

27.Improve project performance by focusing on high-priority risks. Analyzing the probability and impact for each risk is an important part of this process (p. 9-9).

28. What is the purpose of quantitative risk analysis?

28. Numerically analyze the probability and impact of each identified risk (p. 9-12).



29. What is a decision tree? 29. A diagram that depicts key interactions among decisions and chance events. The branches of the tree represent either decisions (shown as boxes, e.g., conduct a test or don’t conduct a test) or chance events (shown as circles, e.g., passed test or failed test). (p. 9-14 and course slides 9-3 to 9-8)

30. Distinguish management reserve from contingency reserve.

30.Management reserve is a separately planned quantity used to allow for future situations which are impossible to predict (“unknown unknowns”). Use of management reserve requires a change to the project’s cost baseline.

Contingency reserve is a separately planned quantity used to allow for future situations which may be planned for only in part (“known unknowns”). Contingency reserves are normally included in the project’s cost and schedule baselines (pp. 5-7/8).