RISK MANAGEMENT

Learning Objectives

01 Describe the risk management process.

02 Understand how to identify project risks.
03 Assess the significance of different project risks.
04 Describe the five responses to managing risks.
05 Understand the role contingency plans play in the risk management
process.
06 Understand opportunity management and describe the five
approaches to responding to opportunities in a project.
07 Understand how contingency funds and time buffers are used to
manage risks on a project.
08 Recognize the need for risk management being an ongoing activity.
09 Describe the change control process.

© McGraw-Hill Education 1
 Outline

1 Risk Management Process

2 Step 1: Risk Identification
3 Step 2: Risk Assessment
4 Step 3: Risk Response Development
5 Contingency Planning
6 Opportunity Management
7 Contingency Funding and Time Buffers
8 Step 4: Risk Response Control
9 Change Control Management

© McGraw-Hill Education 2
 7.1 Risk Management Process

Risk Defined
- An uncertain event or condition that if it occurs, has a positive or
negative effect on project objectives.
- No amount of planning can overcome or control risk.
Risk Management Defined
- An attempt to recognize and manage potential and unforeseen trouble
spots that may occur when the project is implemented.
• What can go wrong (risk event)
• How to minimize the risk event’s impact (consequences)
• What can be done before an event occurs (anticipation)
• What to do when an event occurs (contingency plans)

© McGraw-Hill Education 3
 Project Risk

Project Risk is anything that may impact the project team’s ability to achieve the
general project success measures and the specific project stakeholders’
priorities.

Threat is “a risk that Opportunity is “a risk

will have a negative that would have a
impact on the project positive effect on one
objective if it occurs.” or more project
objectives.”

© McGraw-Hill Education
 The Fourteen Most Important Risks in Panama Canal
Expansion

Changes in design and quantities Extreme bad weather

General inflation Inadequate claims administration
Ineffective contracting process Inefficient planning
Insufficient revenues Lack of controls
Lack of skilled and local labor Local labor strikes
Material, equipment, and labor cost Organizational risks
Owner-driven changes Referendum delays
Source: Alarcon, Luis F., et al., “Risk Planning and Management for the Panama
Canal Expansion Program,” Journal of Construction Engineering and
Management (October 2011): 762–770.

© McGraw-Hill Education
 Top Risks in Each Factor for International Projects

Resources Regulations Crisis Insurance Science/Health Digital

• Inflation/price • Different and changing • Economic crisis • Differences in risk • Backlash against • Failure of
Instability regulations • Debt crisis appetite or aversion science technology
• Commodity price • Interstate relations failure • Asset bubble burst • Insurance market • Infectious disease governance
shocks • Collapse of multilateral • Collapse or lack of challenges • Vaccine challenges • IT infrastructure
• Supply chain institutions social security Systems • Collapse of an breakdown
disruptions • Erosion of social cohesion • Terrorist strikes important industry • Increased
• Natural resource • Political power transitions • State collapse • Safety issues cyberthreats
shortages • Youth disillusionment • Digital power
• Environmental concentration
changes • Digital inequality
• Talent/skill • Private information
shortage compromised

Source: Adapted from Four Globalization Risks Impacting International Projects, Visualized: A Global Risk Assessment of 2021 and Beyond, Global Risks Perception
Initiative—2021 Report, Five Top 2021 Trends Posing Risks to Construction Industry and Steffey, Robert W., and Vittal S. Anantatmula, “International Projects Proposal
Analysis: Risk Assessment Using Radial Maps,” Project Management Journal (April 2011): 62–70.

© McGraw-Hill Education
 Risk Event Graph

© McGraw-Hill Education FIGURE 7.1 7

 Benefits of Risk Management

- A proactive rather than reactive approach

- Reduces surprises and negative consequences
- Prepares the project manager to take appropriate action
- Provides better control over the future
- Improves chances of reaching project objectives on time, within
budget, and of meeting required performance.

© McGraw-Hill Education 8
 The Risk Management Process

© McGraw-Hill Education FIGURE 7.2 9

 PMBOK

© McGraw-Hill Education 10
 2 Step 1: Risk Identification

- Generate a list of all the possible risks that could affect the project
through brainstorming and other problem identifying techniques.
- Focus on the events that could produce consequences, not on project
objectives.
- Use risk breakdown structure (RBS) in conjunction with work
breakdown structure (WBS) to identify and analyze risks.
- Identify the macro risks first then specific areas can be checked.
- Use risk profile (a list of questions) to address traditional areas of
uncertainty on a project.

© McGraw-Hill Education 11
 The Risk Breakdown Structure (RBS)

© McGraw-Hill Education FIGURE 7.3 12

 Risk Breakdown Structure (RBS)

© McGraw-Hill Education
 Cause-and-Effect Diagram

© McGraw-Hill Education
 Partial Risk Profile for Product Development Project

© McGraw-Hill Education FIGURE 7.4 15

 Project Risk Reviews

Type of Review Question

Is there clarity and common understanding in each section? Are the sections consistent with each
Charter
other?
Stakeholder register What could upset any of them?
Communication plan Where could poor communications cause trouble (or threaten project goals)?
Assumptions Can you verify that each assumption is correct?
Constraints How does each constraint make the project more difficult?
WBS What risks can you find for each WBS item? What can go wrong with each WBS work element?
Schedule What milestones and other handoff points might be troublesome?
Resource demands At what points are certain people overloaded?
Touchpoints What difficulties may arise when some project work is handed off from one person to another?
Literature What problems and opportunities have been published concerning similar projects?
What projects and opportunities have similar projects in your own organization experienced? Can
Previous projects
we gain some insights from the lessons learned database?
Peers Can your peers identify any additional risks?
Senior management Can senior management identify any additional risks?

© McGraw-Hill Education 16
 Understanding Relationships

Root Cause Analysis is “an analytical technique to ascertain the

fundamental or causal reason(s) that affect one or more variances, defects,
or risks.”
a

© McGraw-Hill Education
 Risk Register

Risk Register is “the document containing the results of the qualitative risk
analysis, quantitative risk analysis, and risk response planning. It identifies all
identified risks, including description, category, cause, probability of occurring,
impact(s) on objectives, proposed responses, owners, and current status.”

© McGraw-Hill Education
 Partial Risk Register

Risk Description (Event) Impact Category Probability Impact Score Mitigation Strategy-Resolution

Incomplete requirements were identified Greater possibility of gaps in functionality. Business Requirements 5 4s 20 MAXIMUS will begin conducting the detailed BA sessions 09/20/2012. Additional
in the RFP and Exhibits (see Risk 7). Greater possibility of missing State-specific requirements will be gathered in those sessions and
functionality. documented in subsequent versions of the Requirements Validation Documentation.
Greater possibility of “Scope Creep.” A schedule of future Business Architecture and Technical sessions is being developed.
Greater possibility of delay in finalizing State will provide closure and decisions regarding requirements and system scope.
requirements.
Greater possibility of rework in subsequent
phases.

Since there are various vendor products Potential duplication of rules or conflicting rules Technology 3 4 12 Engage point will explain how to mitigate this risk.
(IBM/Curam, Connecture), each with its that lead to different outcomes. (See Risk Response Plan for resolution.)
own rules engines, it is not clear which
rules engine takes precedence.

Difficulty integrating to state’s end-to- Potential difficulty integrating new technology into Technology 4 4 16 Work with the state to define infrastructure requirements and ensure that the necessary
end infrastructure. existing infrastructure. information is being provided to the MN-IT staff.

Going through a hierarchical reporting Potential bottlenecks in document reviews and Communications 4 4 16 Identifying a point-of-contact for each functional area from vendor and state to
structure will impact real-time decision decision making may affect task completion eliminate bottlenecks.
making. according to the project schedule.

State functional POCs may have Secondary risk—related to Risk 6. Communications 4 4 16 Identify multiple points-of-contact for each functional area from vendor and state to
competing priorities that will hinder their eliminate bottlenecks.
ability to respond promptly.

Delays in procurement process may Inability to acquire resources promptly may Procurement 2 5 10 Add lead time as early as possible. Evaluate procurement requirements during the
negatively impact the project schedule. negatively impact-related activities in the project change order process. Make sure commerce procurement staff are engaged in the PO
schedule. development process.

Source: http://mn.gov/hix/images/BC9-l-ITAttachmentN.pdf, accessed April 26, 2013.

© McGraw-Hill Education
 3 Step 2: Risk Assessment

Scenario analysis assesses the significance of each risk event in terms of

probability and impact.
Risk assessment form evaluates the severity, probability of risk events and
its detection difficulty.
Risk severity matrix prioritizes which risks to address.
- Failure Mode and Effects Analysis (FMEA) extends the risk severity
matrix by including ease of detection in the equation:
Risk Value = Impact x Probability x Detection
Probability analysis uses statistical techniques in assessing project risk.
- Decision trees, net present value (NPV), program evaluation and review
technique (PERT), PERT simulation

© McGraw-Hill Education 20
 Defined Conditions for Impact Scales of a Risk on Major
Project Objectives (examples for negative impacts only)

© McGraw-Hill Education FIGURE 7.5 21

 Risk Assessment Form

© McGraw-Hill Education FIGURE 7.6 22

 Qualitative Risk Assessment

Probability Impact
Insignificant (1) Minor (2) Moderate (3) Major (4) Catastrophic (5)
Almost certain (>90% chance) High High Extreme Extreme Extreme
Likely (50–90%) Moderate High High Extreme Extreme
Moderate (10–50%) Low Moderate High Extreme Extreme
Unlikely (3–10%) Low Low Moderate High Extreme
Rare (<3%) Low Low Moderate High High

© McGraw-Hill Education
 Common Quantitative Risk Analysis Techniques (1 of 2)

Decision Tree Analysis A graphic tool depicting alternative choices as branches,

multiple options for each alternative, and evaluating potential
outcomes in terms of uncertainty and monetary value.
Expected Monetary Value A statistical technique to calculate present value of future
(EVA) Analysis
outcomes to choose the best alternative.
Failure Mode and Effect “A step by step approach for identifying all possible failures in
Analysis (FMEA)
a design, a manufacturing or assembly process, or a product
or service.”
- Practice Standard for Project Risk Management (PMI)

© McGraw-Hill Education
 Common Quantitative Risk Analysis Techniques (2 of 2)

Sensitivity Analysis A quantitative what-if risk analysis technique that presents

comparative analyses of various desirable outcomes with
respect to a financial measure or uncertainty. It can be used
to determine which risks have the most impact on the project
outcomes or goals. (i.e. Tornado diagram)
Simulation A technique that mimics real situations using uncertainties
and assessing their impact on project objectives. (i.e. Monte
Carlo)

© McGraw-Hill Education
 Criteria for Selecting a Quantitative Risk Technique
Methodology

Use the explicit knowledge of project team members.

Allow quick response.
Help determine project cost and schedule contingency.
Help foster clear communication.
Easy to use and understand.

© McGraw-Hill Education
 Risk Severity Matrix

Failure Mode and Effects Analysis (FMEA)

Impact × Probability × Detection = Risk Value

User Interface
4 Backlash problems
Likelihood

Red zone (major risk)

3 Yellow zone (moderate risk)
Green zone (minor risk)

System
2
freezing

Hardware
1 malfunc-
tioning

1 2 3 4 5

© McGraw-Hill Education FIGURE 7.7 27

 4 Step 3: Risk Response Development

Mitigating Risk
- Reducing the likelihood that the event will occur
- Reducing the impact that the adverse event would have on the
project
Avoiding Risk
- Changing the project plan to eliminate the risk or condition
Transferring Risk
- Passing risk to another party
• Examples: Fixed-price contracts, insurance, Build-Own-Operate-
Transfer (BOOT) provisions
Escalating Risk
- Notifying the appropriate people within the organization of the threat
Retaining Risk
- Making a conscious decision to accept the risk of an event occurring

© McGraw-Hill Education 28
 Common Project Risk Strategies
Strategy Type of Risk Example
1. Change project plan and/or scope
Avoid Threat 2. Improve project communications
3. Decide not to perform project
1. Insurance
Transfer Threat 2. Fixed-price contract
3. Hire expert
1. Lower probability and/or impact of threat
Mitigate Threat 2. Build in redundancy
3. Use more reliable methods
1. Deal with it if and when it happens
Accept Threat and opportunity 2. Establish triggers and update frequently
3. Establish time and/or cost contingencies
1. Get more and/or better information
Research Threat and opportunity 2. Verify assumptions
3. Use prototype
1. Assign talented resources to project
Exploit Opportunity
2. Give more emphasis to project
1. Allocate partial ownership to third party
Share Opportunity
2. Form a joint venture
1. Increase probability and/or positive impact
Enhance Opportunity 2. Identify and maximize key drivers
3. Add more resources

© McGraw-Hill Education
 5 Contingency Planning

Contingency Plan Defined

- Is an alternative plan that will be used if a possible foreseen risk event
becomes a reality.
- Is a plan of action that will reduce or mitigate the negative impact of the
risk event.
- Is not a part of the initial implementation plan and only goes into effect
after the risk is recognized.
Risks of the absence of a contingency plan
- Cause a manager to delay or postpone the decision to implement a
remedy
- Lead to panic and acceptance of the first remedy suggested
- Make the decision making under pressure which can be dangerous and
costly
© McGraw-Hill Education 30
 Risk Response Matrix

© McGraw-Hill Education FIGURE 7.8 31

 Risk and Contingency Planning

Technical Risks
- Backup strategies if chosen technology fails
- Assess whether technical uncertainties can be resolved
Schedule Risks
- Expedite or “crash” the project to get it back on track
- Schedule activities in parallel or use start-to-start lag relationships
- Use the best people for high-risk tasks
Cost Risks
- Review price to avoid the trap of using one lump sum to cover price
risks
Funding Risks
- Evaluate the risk of reductions in funding—a cut in the project

© McGraw-Hill Education 32
 6 Opportunity Management

An opportunity is an event that can have positive impact on project objectives.

Exploit
- Seek to eliminate the uncertainty associated with an opportunity to ensure that it
definitely happens
Share
- Allocate some or all of the ownership of an opportunity to another party who is
best able to capture the opportunity for the benefit of the project
Enhance
- Take action to increase the probability and/or the positive impact of an opportunity
Escalate
- Notify the appropriate people within the organization of the opportunity
Accept
- Be willing to take advantage of the opportunity if it occurs, but not taking action to
pursue it
© McGraw-Hill Education 33
 7 Contingency Funding and Time Buffers

Contingency Funds
- Are funds to cover project risks—identified and unknown
- For control purposes, contingency funds are divided into
• Contingency reserves—cover identified risks and allocated to specific
segments or deliverables of the project
• Management reserves—cover unidentified risks and are allocated to risks
associated with the total project
Time Buffers
- Are amounts of time used to cushion against potential delays in the project
• Add to activities with severe risks
• Add to merge activities that are prone to delays
• Add to noncritical activities to reduce the likelihood that they will create another
critical path
• Add to activities that require scare resources
© McGraw-Hill Education 34
 Budget Estimate

© McGraw-Hill Education TABLE 7.1 35

 4 Step 4: Risk Response Control

Risk Register
- Details all identified risks, including descriptions, category, probability of occurring,
impact, responses, contingency plans, owners, and current status
Risk Control involves
- Executing the risk response strategy
- Monitoring triggering events
- Initiating contingency plans
- Watching for new risks
Establishing a Change Management System
- Monitoring, tracking, and reporting risk
- Fostering an open organization environment
- Repeating risk identification/assessment exercises
- Assigning and documenting responsibility for managing risk

© McGraw-Hill Education 36
 9 Change Control Management

Sources of Change
- Project scope changes
- Implementation of contingency plans
- Improvement changes
Change Management Systems
1. Identify proposed changes
2. List expected effects of proposed change(s) on schedule and budget
3. Review, evaluate, and approve or disapprove of changes formally
4. Negotiate and resolve conflicts of change, condition, and cost
5. Communicate changes to parties affected
6. Assign responsibility for implementing change
7. Adjust master schedule and budget
8. Track all changes that are to be implemented

© McGraw-Hill Education 37
 Change Control Process

© McGraw-Hill Education FIGURE 7.9 38

 Benefits of Change Control Systems

1. Inconsequential changes are discouraged by the formal process.

2. Costs of changes are maintained in a log.
3. Integrity of the WBS and performance measures is maintained.
4. Allocation and use of contingency and management reserves are
tracked.
5. Responsibility for implementation is clarified.
6. Effect of changes is visible to all parties involved.
7. Implementation of change is monitored.
8. Scope changes will be quickly reflected in baseline and performance
measures.

© McGraw-Hill Education 39
 Sample Change Request

© McGraw-Hill Education FIGURE 7.10 40

 Change Request Log

© McGraw-Hill Education FIGURE 7.11 41

 Key Terms

Avoiding risk Risk

Change management system Risk breakdown structure (RBS)
Contingency plan Risk profile
Contingency reserves Risk register
Escalating risk Risk severity matrix
Management reserves Scenario analysis
Mitigating risk Time buffer
Opportunity Transferring risk
Retaining risk

© McGraw-Hill Education 42