1. Project Risk Management Planning
CH 8
Project Risk Management Planning

2. Objectives Define and recognize risk
Define the contents of a risk management plan
Conduct a risk identification and prioritization process
Define the correct risk response strategy for the organization

4. The Importance of Project Risk Management
Every IT project regardless of size, complexity, location, or organization contains some measure of risk
Aid the project team in assessing the impact a negative event will have on the project and how likely (generally expressed as a percentage or qualitative term) is the event to occur

5. The Importance of Project Risk Management
The PM’s objective: is not the removal of all risk, this simply can’t be done, but to identify and manage risks to the benefit of the project
Risks on a project can be a good thing if managed appropriately
The main objectives of risk management are to increase the probability and impact of positive outcomes and decrease the probability and impact of negative outcomes

6. The Importance of Project Risk Management
Unfortunately, many organizations don’t follow a formal risk management process and operate in a perpetual state of crisis management
Crisis management is the opposite of good risk management – organizations find themselves trying to figure out what to do about a problem after it has occurred instead of planning for issues in advance
This is also referred to as perpetual “fire fighting”

7. What Is Risk?
Dictionary definition of risk: “the possibility of loss or injury”
A Function of the {likelihood, and impact}
An event if it occurs will have a negative impact on one or more of: project scope, time, cost, quality, or resources

8. Reasons for Risk Management
Makes aggressive risk-taking possible
Decriminalizes risk
Sets up projects for success with honest evaluation of issues
Bounds uncertainty
Provides minimum-cost downside protection
Protects against invisible transfers of responsibility
Save part of a failed effort
Maximizes opportunity for personal growth
Protects management from getting blindsided
Focuses attention where it is needed

9. Risk Utility
An organization’s approach to risk management is driven by their risk utility or tolerance for risk
Risk utility or risk tolerance is the amount of satisfaction or pleasure received from a potential payoff
Utility rises at a decreasing rate for a person who is risk-averse
Those who are risk-seeking have a higher tolerance for risk and their satisfaction increases when more payoff is at stake
The risk-neutral approach achieves a balance between risk and potential payoff

10. Risk Utility Function and Risk Preference

11. Risk Management Planning Processes
Risk management planning: deciding how to approach and plan the risk management activities for the project
Risk identification: determining which risks are likely to affect a project and documenting their characteristics
Qualitative risk analysis: characterizing and analyzing risks and prioritizing their effects on project objectives
Quantitative risk analysis: measuring the probability and consequences of risks
Risk response planning: taking steps to enhance opportunities and reduce threats to meeting project objectives

12. Risk Management Planning
The main deliverable of risk management planning is the risk management plan!
The organization identifies, in the risk management plan, the approach, plan, and who will execute the risk management activities
The risk management plan is created early in the planning phase of the project and updated throughout the life of the project

13. Key Best Practices Manage projects by managing their risks
Create and maintain a census of risks for each project
Track the causal risks, not just the ultimate undesirable outcomes
Assess each risk for probability and likely cost
Predict for each risk the earliest symptom that might indicate materialization

14. Key Best Practices
Appoint a risk officer, one person who is not expected to maintain a “Can-Do” attitude run the risk of bad information not getting communicated
Establish easy (perhaps anonymous) channels for bad news to be communicated up the hierarchy

15. Risk Management Plan Contents
Methodology – approaches (process steps), tools, and data sources that may be used to perform risk management
Roles and responsibilities to manage risks throughout the entire project
Budgeting for risk management activities (mitigation strategies)
Timing of risk management activities (how often are the risks reviewed, when will mitigation strategies be implemented)

16. Risk Management Plan Contents
Risk categories – high level used during identification (Technology, Customers, Performance, etc.)
Risk probability and impact scales (very likely to very unlikely 5 levels) or (just three low, medium, high) these scales need to be defined for consistency across projects and project managers
Format for the risk register and its use; how are risks communicated and tracked

17. Risk Identification
The first step is to identify as many risks as possible for the upcoming project with the knowledge that you can never see them all
Risk identification is not a one time process; but should be a continuous process of team members and stakeholders looking for new issues that may affect the success of the project

18. Risk Identification Techniques
Broad Organizational Categories
Analogy
Brainstorming
Interviews
Delphi Technique
SWOT Analysis

19. Where to Look for Risks?

20. Broad Categories of Risk
People (human resources)
Technology (changes)
Quality and performance issues
Customers
Vendors
Management
Funding
Political Issues or Legal Issues
Market Forces

21. Analogy
Uses information from past similar projects or the experience of team members to look for risks
Previous projects must be up to date!

22. Brainstorming
Brainstorming is a non-structured or semi-structured method of eliciting ideas from a group with the goal of generating a complete list of ideas
The key to running a successful brainstorming session is to foster an atmosphere that allows all ideas to be spoken regardless of likelihood
If everyone feels able to contribute to the discussion free from persecution or harassment a better more complete list of ideas will be generated
If not possible other techniques to brainstorming are available such as Delphi Technique or “Post-it Notes”

23. Delphi Technique
Using this technique the participants are unknown to each other so ideas can be generated without fear of ridicule
A moderator presents the question electronically to each participant who then generates ideas and sends them electronically to the moderator
The moderator accumulates all responses into one list which is then distributed for team comment. The comments are returned to the moderator for accumulation and dissemination
This process continues until a general consensus is reached

24. Post-it Notes
During a short time interval such as five minutes, have each participant write down on post-it notes as many ideas as they can think of putting one idea per post-it
Participants then hand their notes to the moderators who stick them on a chalk or white board. duplicate ideas are stuck on top of each other to reduce the number of entries. A list of ideas is then quickly generated and the team discusses the merits of each
Ideas which have close to zero probability of occurring or zero impact to the project are removed from the board

25. Post-it Notes
The ideas that remain must then be rated for likelihood and impact. A large matrix is drawn on the board similar to the probability and impact matrix (Figure 8-2). The post-it notes can then be moved around inside the matrix until the team agrees on each placement
Finally, generate the start of the risk register (figure 8-1) from the remaining post-it notes

26. Interviewing
The project leader and other key members of the team with interview skills, conduct personal one-on-one discussions with key stakeholders
The crucial aspect to successful interviewing is to make sure the stakeholders feel comfortable sharing ideas with the interviewer
The success of this technique is heavily dependent on the skills of the interviewer

27. SWOT Analysis
SWOT is an acronym which stands for Strengths, Weaknesses, Opportunities, and Threats which was first defined and used during project selection in Chapter 4
SWOT analysis offers a framework with which to conduct a brainstorming session, sticky-note exercise, or a Delphi Technique session
A key benefit of this technique is a focus on both sides of each issue; strengths versus weaknesses and opportunities versus threats

28. SWOT Analysis
Strengths – patents, strong brand name, reputation, cost advantages from proprietary know-how, access to distribution networks
Weaknesses – lack of patent, weak brand name, poor reputation, lack of access to distribution networks
Opportunities – an unfilled customer need, arrival of new technologies, better regulations, international trade barriers
Threats – shifts in consumer tastes away from, substitute products, worse regulations, trade barriers

29. Risk Register

30. Risk Register Contents
Risk – name of the risk along with short description. Some like to include a numbering scheme to make it easier to reference
Trigger event – explanation of the event or events that signal to the person monitoring that this risk is about to happen or has happened; looking at the root cause of the risk
Responsible – name of the person (preferred) or group/department responsible for monitoring the risk and executing mitigation activities

31. Risk Register Contents
Consequence – explanation of the impact to the project if the risk occurs
Probability – an estimation of the likelihood the risk will materialize and affect the project. The probability is often a qualitative rating (low, medium, high) or could be a more quantitative number
Mitigation – explanation of the strategy being used to lesson the chances the risk will occur

32. Qualitative Risk Analysis
Subjective methods for qualifying each risk for impact and probability of occurrence
This usually involves a method which can be done quickly in a short period of time with little resources
Risk qualitative tools and techniques include
Interviews with Subject Matter Experts
Probability/Impact matrix

33. Interviews
Just as interviews were used to identify risks in the first place, they can be used to assess their impact and probability
In most cases discovering the risk and assessing its impact and probability is done during the same interview
Method works well based on the interviewer’s skills and the SME’s knowledge

34. Probability/Impact Matrix
The probability and impact matrix aids the project team in prioritizing which risks need more attention based on either their probability of occurring or the size of the impact to the project or both

35. Probability and Impact Matrix

36. Probability/Impact Matrix
The columns represent the degree of impact to the project’s scope, time, cost, and quality goals
This example using a five level scale: zero to low impact, low to medium, medium, medium to high, and high impact. The scores are determined by subject matter experts and historical data
The next step determine the probability that a risk will materialize again using expert judgment and historical data

37. Risk Rating Scores

38. Probability/Impact Matrix
Once the risk has been given both a probability score and an impact score it should be placed in the proper cell in the matrix
If the risk falls into one of the shaded areas, the team should prepare mitigation strategies and monitor them closely
The number of shaded cells is dependent on the organization’s culture and risk utility
The key issue with qualitative risk assessment centers on the issue of estimator bias

39. Quantitative Risk Analysis
Much like qualitative risk analysis, quantitative risk analysis attempts to estimate the impact a risk may have on a project as well as the probability
The key difference between the two is that quantitative analysis is based on mathematical or statistical techniques to model the behavior of a particular risk
The decision whether to use quantitative or qualitative analysis techniques is made on a project by project basis and can be made on a risk by risk basis

40. Quantitative Risk Analysis Techniques
Decision trees with expected monetary value analysis
Simulation (Monte Carlo)

41. Decision Trees and Expected Monetary Value (EMV)
Decision tree analysis is generally used along with its graphical representation that describes a set of options under consideration along with estimated implications of each option
The analysis consists of costs, revenues (or benefits), and probabilities for each option path
The EMV analysis technique is a statistical concept that calculates the average outcome when dealing with unknown future scenarios

42. Decision Tree with EMV

43. Simulation
Monte Carlo simulation was introduced back in Chapter 6 as an aid in building accurate time estimates for WBS activities
It can also be used during quantitative risk analysis to simulate the impact a risk may have on project goals
Based on the probabilities of various outcomes, similar to the decision tree analysis example, the simulation can be run multiple times based on the frequency distribution to determine the expected outcomes with probabilities

44. Monte Carlo Analysis
Simulation during the risk management process is generally used to determine cost and schedule outcomes using three point estimates of task durations

45. Risk Response Planning
After identifying and quantifying risk, you must decide how to respond to them
Four main strategies:
Risk avoidance: eliminating a specific threat or risk, usually by eliminating its causes
Risk acceptance: accepting the consequences should a risk occur without trying to control it
Risk transference: shifting the consequence of a risk and responsibility for its management to a third party internal or external to the organization
Risk mitigation: reducing the impact of a risk event by reducing the probability of its occurrence

46. Mitigation Strategies
The final step after the risk response has been chosen; update the risk register with the mitigation strategy: fallback plans, contingency plans, and contingency reserves.
Fallback plans
Contingency plans.
Contingency reserves
Contingency plans use the contingency reserves to meet project objectives
Fallback plans are used if the project can not be completed as originally planned
Contingency plans are put in place to allow for fluctuations that will allow the project to finish as originally planned.
Contingency reserves are excess amounts of time, dollars, and resources etc. used if necessary in order for the project to finish as originally planned.

47. Risk Management Process Steps
Build/choose the risk management plan format
Identify risks
Risk assessment
Complete the risk register
Complete the risk management plan (budget, schedule of activities, any specific tools needed)