Project Risk Management

Introduction
Objectives
Risk determination and evaluation
Risk management planning
Risk identification
Risk assessment
Risk quantification
Risk response and control
Risk response planning
Risk monitoring and control

Pre-contract procurement
Procurement planning
Solicitation
Managing whats outsourced
Source selection
Contract administration
Contract close out
Summary
Authors answers and comments
Introduction
Project risk is the cumulative effect of the
chances of uncertain occurrences adversely
affecting project objectives. Project risk
management is the art and science of identifying,
assessing and responding to project risk
throughout the life of a project and in the best
interests of its objectives.
The constant goal of project risk management
should be to move uncertainty away from risk and
towards opportunity. The goals of risk
management, therefore, are to identify project
risks and to develop strategies, which either
reduce them or attempt to avoid them.
Procurement starts with determining what to procure and
when; an option is always not to procure. The contract
strategy will generally include procurement planning but
will also incorporate the contract types that need to be
used. You will see that procurement consist of the
following process: procurement planning, solicitation
planning, solicitation, source selection, contract
administration and contract close-out.
You will probably find the explanation of the contents
of these two knowledge areas to be interesting to realize
their significance to project work as soon as you
commence reading.
Objectives


Potential project risks should be identified and
quantified;
Anticipated project risk events can be
managed;
To interpret pre-contract actions for needed
goods/services;
To define post-contract administration and
control



Risk determination and evaluation
The most serious effects of risk to a project (after it
becomes a facility is a different matter) are:
failure to keep within the cost estimate;
failure to achieve the required completion date;
failure to achieve the required quality and operational
performance.

When serious overruns occur on project cost estimates
and time schedules, the effect on the overall project can
be very damaging. In extreme cases time and cost
overruns can invalidate the originals economic case for
undertaking a project, turning what seemed to be a
Potentially profitable investment into a loss-making
venture. The evidence from the world of projects would
indicate that far too many overrun both cost and time
targets and in some cases do not satisfy performance
goals.
Better project management will produce significant
improvement in meeting predetermined targets. Better
project management includes, but is obviously not
limited to, identifying, measuring and responding to
risks. Project risk management, as defined by the PMIs
PMBOK, includes the process of planning, identification,
assessment, quantification, response planning and
monitoring and controlling.
Risk has two separate and distinct meanings. It can
mean uncertainty, where the outcome can be either
positive or negative, and it can mean a threat, where the
outcome is wholly negative. A positive outcome is known
as an opportunity
There is no universal use of risk terminology. The
identification and quantification of risk is often referred to
as risk analysis. The quantification of risk along with how
to respond to it is normally called risk assessment.
Somewhat confusingly, response development is
sometimes called response planning or risk mitigation.
And often you will come across response development,
along with risk control, being referred to as risk
management. The terms used vary greatly from one
business or industry discipline to another and even
within the same discipline.
Risk management planning;
Risk identification;
Risk assessment;
Risk quantification;
Risk response planning;
Risk monitoring and control.
The process and some of the more important
tools and techniques and outputs are shown. At
with other knowledge areas, these processes
are not one-time events; nor are they mutually
exclusive. These processes overlap and
interact; they also happen at least once in every
phase of the project.
Risk management planning
This process deals with the decisions surrounding
how to deal with a projects management of risk.
Any source of risk, such as, political or social
influences on the project, initial
technical/economic evaluations and solutions,
sponsor commitment and ability to finance the
project, are examples. Other risks would include
technical methodologies, cost budgets, planned
time to complete, and many more potential risk
areas that would need to be included within the
risk management planning process.
Inputs
The inputs to this process will include the PMP, the
performance organization's protocols and any
stakeholder guidelines on risk and its management.
Other inputs will include: information contained with the
RAM, all available project data from those areas of a
project that would be conceived to be risk prone, and
any templates that have been developed through
experience by the performing organisation that could be
adapted and used on a current.
Any information that would help to decide how to
approach and plan for the management or risk would an
expected part of the input to the risk management
planning process.
Tools and techniques
With the input data to hand the transformation
process to create the outputs would use such
approaches as risk planning meetings. Any
influential stakeholder to the project should be
an invitee to these meetings; the meetings being
used as working sessions to develop a risk
management plan.
Outputs
The risk management plan would be a document that
would include a narrative of everything necessary to
perform the remaining processes of risk management,
i.e. the identification, assessment, quantification,
response planning, and monitoring and control. The risk
management plan might include such matters as: the
methodologies that may be used, the people
responsibilities regarding project risks, the frequency of
the various risk management processes, the templates
on how risks are to be assessed, interpreted, and acted
upon. The plan might also include the various means to
be used for monitoring risks and the various reporting
formats to be used.
Risk identification
One reason for the early identification of risk is that it
focuses the attention of the projects management on
the strategies for the control and allocation of risk. As a
very minimum, every project team should at least
identify the risks to the project under consideration.
The sources of risk will form a documented listing of
sources and will include all identified items. The WBS is
a good place to start with such an identification process.
The listing will be developed regardless of the
magnitude of risk size, probability of occurrence,
frequency etc. Within risk identification the
documentation of risk items needs to be formulated so
as to incorporate full descriptions of the estimates of:


Probability of occurrence;

Range of possible outcomes;

Expected timing;

Anticipated frequency
Potential risk events are those events that are
discrete rare occurrences - acts of God such as
floods etc. Risk symptoms are the risk events.
For instance the risk of a delay may be because
of some hold-up in the issuing of information from
the design team; that would be an example of a
symptom. Risks are often inputs to other
processes. For instance a choice of wrong
discretionary dependency or dependencies, as an
input to activity sequencing, could have quite an
important impact on the outcome of a project.
Inputs
The inputs to risk identification include the risk
management plan, project planning outputs, risk
categories and historical information.
As already stated the risk management plan is
the document that sets out how the various other
risk processes are to be structured and how the
associated work under each process might be
carried out. Other planning outputs that might
help the project team to identify risks would
include the following: WBS, duration and cost
estimating, the staffing plan and the procurement
management plan.
Risk categories include such matters as
technical, quality or performance risk,
management of the project risks, organisational
risks, and any risks which are external to the
project but can affect the operations of the
project. Historical information from previous
projects can also help in identifying risks on a
current project. Project files, commercial
database and personal knowledge of the project
team all useful elements from which inspiration
on risk items or events can be generated.
Tool and techniques
The tools and techniques for risk identification
include documentation reviews, information
gathering methods, checklists, assumption and
SWOT (strength, Weakness, opportunities and
threats) analysis, and any appropriate
diagramming techniques.

Structured reviews and methods of team
participation, through brainstorming etc., and the
use of checklists, SWOT, flowcharts, cause and
effect diagrams, etc. to help identify risks are the
core of this transformation step.
Outputs
The outputs include the identification of all risks,
what are likely to be the conditions under which
they will occur, and if the risk identification
process has identified further investigation of risk
related matters in other knowledge areas (scope,
time, cost, etc)
Risk assessment
This process attempts to place the identified risk
events into a list of priorities or into primary
categories based upon their effect and/or
likehood of having an effect on the project or any
of its deliverables. This will require an
assessment of the amount at stake (what is the
severity of a consequence) and the risk
probability (how likely it is of an event occurring)
of all risk events. So what risk assessment is
really doing is providing a qualitative evaluation of
which risks are important and which are less
important.
Inputs
The risk assessment inputs are given as: the risk
management plan, the identified risks, the status
of the project, the type of risks, the reliability of
the risks, and an indication of risk probability and
their impact.

Tools and techniques
These include risk probability and impact,
probability/impact rating, risk trend, project
assumption testing, and data precision ranking.
However, it needs to be emphasied that the tools and
techniques within this process are not providing a
quantitative analysis of risk but are merely being used as
a means of determining categories of risk and possibly a
ranking (from severest to least severe) of all identified
risk items. In other words this transformation step will, to
use the old addage, sort out the wood from the trees.

Outputs
The outputs from the risk assessment process are the
ranking of risks, the prioritising of risks, and the other
issue that the process has uncovered that could be a
source of risk and in need of further analysis.
Risk quantification
Risk quantification means analysing and
evaluating (quantifying) the range of possible
outcomes and their likelihood of occurrences.
This process is complicated by a number of
factors:
opportunities and threats can evaluating in
unanticipated ways;
a single risk event can cause multiple effects;
opportunities for one stakeholder (reduced cost)
may be threats to another (reduced profit);
the mathematical techniques used can create a
false impression of precision and reliability.
In summary risk quantification is concerned with
determining which risk events need to be
responded to.

Inputs
The inputs to risk quantification are the risk
management plan, and the outputs from risk
identification and risk assessment.
Tools and techniques
The tools and techniques for risk quantification
include expected monetary value, decision trees,
statistical sums, simulation and expert judgement.
Expected monetary value, as a tool for risk
quantification, is the product of two numbers: risk
event probability and risk event value. EMV can
be the combination of a small probability and a
large value or a large probability and a small
value or some product in between. These values
are generally used as input to further analysis,
using such devices as decision trees. A decision
tree is a diagram that depicts key interactions
among decisions and associated chance events.
Statistical sums are often used to calculate the
cost estimates of individual work activities. This
approach is used to determine a range of project
completion dates.
Schedule simulation is one of many types of
simulation that can be carried out on a project. It
is normally based on some form of Monte Carlo
analysis of the project network and provides a
statistical distribution of the calculated results. It
can also be used to assess a range of possible
project cost (budget) outcomes. Simulation
should be used on any large or complex project,
as the CPM analysis.
Expert judgement can often be used in support
of the mathematical techniques already
mentioned; will be very much relied on in the
previous process the assessment of risk. This
judgement can be provided in a way that scores
probability (likehood) and occurrence (severity).
The combination of likehood and severity score
giving a ranking of risk into, for example, high risk
medium risk low risk.
Outputs
The outputs from risk quantification are:
opportunities to pursue/threats to respond to;
opportunities to ignore, threats to accept.

The former creates a list of quantified risks,
which would generally require the project teams
positive actions. The latter creates a list of
quantified risks that the project team may have
decided to either accept or ignore.
Risk response and control
In this section the terms and inter-relationship of
the recommended next processes after risks
have been planned, identified, assessed, and
quantified will be explained.
Risk response planning
Risk response planning means defining
enhancement steps for risk opportunities and
mitigation steps for risk threats. Responses to
opportunities are often called enhancements
while responses to threats generally fall into one
of four categories.

avoidance;
transfer;
mitigation;
acceptance.
Inputs
The inputs to risk response development are the
outputs that were generated from the risk
identification, assessment, and quantification
process.
Tools and techniques
The project team, normally in conjunction with the
project's sponsor, will be expected to determine how to
react to the various opportunities and threats. Certain
avoidable risks may be avoided by simply changing
certain conditions relating to the risk. For instance
exclude a particular item or activity simply because of its
potential risk to the project. Such actions will mean
modifying the risk management plan. Risk items can be
transferred to another stakeholder. For example a
potential risk item could be transferred from the
sponsors responsibility to a vendors responsibility; this
is normally undertaken by transferring through including
the risk within the scope of work of vendor supply.
Risks can be mitigated against by reducing the
impact and/or the likelihood of the risk occurring;
this can be carried out by simply changing the
conditions relating to the potential risk.
Acceptance of a risk by the performing
organisation is normally backed-up by a plan on
how this acceptance will be handled and
managed.


Outputs
The outputs from this process will be the risk
response plan a document that will be in some
detail and will provide, along with the risk
management plan, the means by which the
project team will deal with all identified risks. The
outputs may also have impacted on other
knowledge areas and specifically the
procurement planning process and the solicitation
(or tendering) planning process.
Risk monitoring and control
Risk monitoring and control involves responding
to changes in risk over the course of the project
life-cycle by executing the risk management plan
and the risk response plan. Inevitably, from time
to time not all risks in a project will be identified,
quantified and responded to correctly. It is
important to have a control process for monitoring
actual risk events against what was planned and
taking whatever corrective action is needed
Inputs
The inputs to risk response control are the
management plan, the actual risk events and any
additional risk identification. By auditing the
project frequently what was actually planned can
be compared with what is happenings; such as
comparisons being essential monitoring and
controlling all project risks.
Tools and techniques
By complying with the risk management plan
and having a project database of current
information on the status of the project the
means should be available as part of the
monitoring and control process.
Outputs
The outcome of this process might consist of
project change requests, where the risk requires
a variation to the project, or it may require some
other corrective action. Whatever happens as an
outcome of monitoring and controlling risks both
the risk management plan and the risk response
plan need to be modified and updated. This
modification and updating is not a one-time event
but should be part of a continuing process.