An introduction to Risk Management

Prepared by :
Eng. Feras M.A N
Pictures Source : https://www.flickr.com/photos/ransomtech/5811447011
 Keys Definitions

oRisks are future events or conditions that may have a negative

effect on achieving program objectives for cost, schedule, and
performance. Risks are defined by
1- The Probability (greater than 0, less than 1) of an undesired
event or condition and
2- The Consequences, impact, or severity of the undesired event,
were it to occur.
o Issues are events or conditions with negative effect that have
occurred (such as realized risks)or are certain to occur (probability of
1) in the future that should be addressed.
 Opportunities are potential future benefits to the program’s
cost, schedule, and/or performance baseline, usually achieved
through reallocation of resources.

 Project Risk Management :Includes the processes of conducting

risk management planning, identification, analysis, response
planning, response implementation, and monitoring risk on a
project.

 Risk register : a register provides information on threats and

opportunities that may impact project execution

 Risk report : a report provides information on sources of overall

project risk along with summary information on identified
individual project risks.
 Stakeholder risk thresholds are

 Risk Appetite: The degree of uncertainty an organization or

individual is willing to accept in anticipation of a reward

 Uncertainty is a situation which involves imperfect or unknown

information.
 Project Management Process and Project Risk Management (Page 25 -PMBOK 6th )
Knowledge Number of
Areas Initiating Closing Processes
Executing Process Monitoring and Controlling
Process Planning Process Group Process
Group Process Group
Group Group

11.1 Plan Risk Management

11. Project 11.2 Identify Risks 11.6
Risk 11.3 Perform Qualitative Risk Analysis Implement 11.7 Monitor Risks 7
Management 11.4 Perform Quantitative Risk Analysis Risk Responses
11.5 Plan Risk Responses
 What has or is
What can go What can be
certain to go
wrong? improved?
wrong?

Threat Issue Opportunity

Management Management Management

Consequences:
Both positive and negative impacts to cost, schedule, and performance
Risk Management Process :
Risk Planning
What is the
1 program’s risk
management
process?

5 Risk Risk
Monitoring 2 Identification
How has the risk What can go
changed? Communication wrong?

and Feedback

Risk Handling Risk Analysis

What are the
Should the risk be
4 accepted, avoided,
3 likelihood and
consequence of
transferred, or
the risk?
mitigated?
The hierarchy typically involved in Risk Management

Executive Level
(CEO)

Management Level
(Risk Working Group , Program Manager & Risk
Manager)

Working Level
(Risk Owner & Team Members)
01-Risk Planning
• Assign roles, responsibilities, and authorities
• Select and document overall approach:
– Process and procedures
– Risk analysis criteria for likelihood and consequences
– Risk handling procedures
• Establish traceability of risk to technical requirements and overall program objectives
• Align government and contractor roles, responsibilities, tools, and information exchange
• Determine risk management resources, to include budget, facilities, personnel, schedule
• Determine risk management battle rhythm
02-Risk Identification
Identify risks by answering the questions: What can go wrong? or What is
uniquely hard or difficult?
 All program personnel are encouraged to identify candidate risks.
 Example risk ID methodologies:
– Independent assessments
– SOW requirements
– Brainstorming sessions
– Interviews
– Review of similar/historical programs
– Trade studies
 Review analysis of Technical Performance Measurements, resource data,
life cycle cost information, WBS/EVM data trends, and progress against
critical path
 Risk Categorization :

• Requirements

External (Business)
• Technology
• Engineering • Estimates • Dependencies

Programmatic
• Integration • Program Planning • Resources
Technical

• Test • Program execution • Priorities

• Manufacturing • Communications • Regulations /Laws
• Quality • Contract • Market
• Logistics Structure/Provisions • Customer
• System Security • Schedule • Weather
• Training
Risk Statement :
Statements used to summarize Risks
• A good risk statement contains two elements:
- The potential event and
- The associated consequences.
If known, the risk statement should include a third element: an
existing contributing circumstance (cause) of the risk.
o Multiple approaches exist in writing a risk statement. programs
are best served by using a single approach for consistency.
“if–then”
• The preferred method includes a two-part statement in the “if–then”
format. This format characterizes the possible risk event or condition (“if”)
and the outcome or consequence(s) (“then”).
• It helps communicate and evaluate a risk statement and develop a
mitigation strategy
• “If” some event or condition occurs, “then” a specific negative impact or consequence to program objectives
will result.

Example :
- If the company’s production web site goes down, then the company will
lose internet sales until the server can come back up.
“Condition–Consequence”
• Other formats include the “condition–consequence” format. In this format, the
“consequence” is the possible outcome of the existing “condition,” which
has the following structure:
• • A “condition” that is causing concern or uncertainty exists, therefore a negative impact or
“consequence” to a program objective may result.

Example :
• - Given the fact that the Precast production elements is produced in one
Factory with no alternative options readily available, there is a risk that we
could lose progress if the Factory stops .
“Because - Event - Consequence “
• Another approach adds a “Because” to the statement construct, producing a
“Because - Event - Consequence “ format. This leads to statements with the
following structure:
• “Because” of a fact or existing condition, “an event” may occur, resulting
in a negative impact or “consequence” to a program objective.
Example :
• -Because the contractor is experiencing Procurement problems, The high
speed elevator may not be delivered by June 8, causing a day-for-day
schedule slip .
  Recognizing a Weak Risk Statement
• 1. Makes an overly general observation:
- Weak: If the high vacancy rate in engineering staff persists, then the program staffing will be
inadequate.
This is an overly general statement, with somewhat circular logic that provides no impact on program
objectives or lends any insight into underlying or existing causal conditions.
In contrast, the statement below is more informative.
- Stronger: If the high vacancy rate in software engineering staff persists due to aggressive recruiting
by competitors, then the commitment to deliver first software builds in 6 months will not be met.

• 2. Identifies an issue rather than a risk:

• • Weak: Fatigue cracks discovered in already produced vehicles may shorten service life unless
remedied.
This statement describes an issue, not a risk. The statement depicts an event that has already occurred, causing a
problem with consequences that must be evaluated and addressed.
 Recognizing a Weak Risk Statement
• 3. Diverts focus from the program’s controllable activities:

Weak : If the program’s funding is withheld due to poor test results, then the program
• schedule will be jeopardized.
In this case, the potential for curtailed funding is actually a consequence of the program’s poor test
results, which should be the focus of attention but is not directly or centrally addressed in the risk
statement.
• Stronger: If the vehicle reliability test performance is below xx MTBF, Then the resulting schedule delay to
fix failures could jeopardize FY 2018 funding.
 References :
• Department of Defense -“Risk, Issue, and Opportunity Management Guide” for Defense
Acquisition Programs - June 2015

• https://en.wikipedia.org/wiki/Uncertainty