Project Risk Management

Presenter: Phil Harman, PMPExecutive Director for ZCS Internal PMO and

Enterprise Project Management (EPM) Practice Manager

September 2007

Page 2

Agenda

Project Risk Management - What the Text Book says– Core Processes, Techniques, and Outputs

Project Risk Management - In Practice– Project Risk Identification > The Questionnaire– Project Risk Management Plan > The Project Risk Log– Risk Monitor and Control > Risk applied to the Project Plan with

assigned ownership

Page 3

Theory and Practice

Text Book Definition: Risk Management is the systematic process of identifying, analyzing, and responding to project risk. It includes maximizing the probability and consequences of positive events and minimizing the probability and consequences of adverse events to project objectives.

Simple Terminology: Risk Management is the identification of an unborn issue (a risk) that will have a negative impact on the project that must be eliminated with proactive planning, monitoring, and activities or tasks.

Page 4

Text Book - Risk Management Processes

Risk Risk

ManagementManagement

Risk AssessmentRisk Assessment

Risk Identification

Risk Analysis

Risk Prioritization

Risk ControlRisk Control

Risk Mgmt Planning

Risk Resolution

Risk Monitoring

Page 5

Text Book - Risk Management Planning

DEFINITION: The process of deciding how to approach and plan the risk management activities for a project.

1. Project Charter2. Organizations Risk Mgmt Policy3. Defined Roles & Responsibilities4. Stakeholder Risk Tolerances5. Template for the Organizations risk

management plan6. Work breakdown structure

Inputs

• Risk Management Plan

Output

• Planning Meetings

Tools & Techniques

• Organizational Risk Management Policy: Predefined approaches to risk analysis and resolution that needs tailoring to a particular project.

• Defined roles and responsibilities: Predefined roles, responsibilities, and authority levels for decision making will influence planning.

• Stakeholder Risk Tolerance: Different organizations and different individuals have different tolerances for risk. Policies or historical actions may communicate this.

• Planning Meetings: Project teams hold risk management planning meetings to develop the plan.

Page 6

Text Book - Risk Management Plan

Risk Management Planning output is the “Risk Management Plan”

The plan describes how risk identification, qualitative and quantitative analysis, resolution planning, monitoring, and control will be structured and performed during the project life cycle.

The plan may include:MethodologyRoles & ResponsibilitiesBudgetingTimingScoring and interpretationThresholdsReporting formatsTracking

Page 7

Text Book - Risk Identification

1. Risk management plan2. Project planning outputs3. Risk categories4. Historical information

Inputs

1. Risks2. Triggers 3. Inputs to other processes

Output

1. Documentation reviews2. Information gathering3. techniques4. Checklists5. Assumption analysis6. Diagramming techniques

Tools & Techniques

DEFINITION: The process of determining which risks might affect the project and document the characteristics.

** Risk identification is an iterative process **

INPUTSRisk Management Plan: See previous slideProject Planning Outputs: Items to be reviewed, but not limited to: project charter, WBS, product description, schedule and cost estimates, resource plan, procurement plan, assumption and constraints.Risk Categories: Risks that may affect a project for better or worse can be identified and organized into risk categories. Categories include:

Technical, quality, and performance risks Project Management risks Organizational Risks – cost, time, and scope External risks – shifting legal or regulatory environment, labor issues, natural events.

Historical Information: Information on prior projects may be available to help leverage lessons learned.

Page 8

Risk Identification- Tools/Techniques and Outputs

Outputs

Risks: Yep! This an output!

Triggers: Sometimes called risk assumptions or warning signs, these are indications that a risk has occurred or is about to occur.

Inputs to other processes: Risk identification may identify a need for a further action in another area or to other projects.

Tools and TechniquesDocumentation Reviews: Performing a structured review of the project plans and assumptions.Information gathering techniques: Examples of information gathering include: Brainstorming – most common Delphi technique – Consensus of experts on a subject area Interviewing – Seek input from project managers or subject matter experts Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis

Checklist: Using historical information and knowledge is a quick and simple way to identify risk.Assumption analysis: Every project is conceived and developed based on a set of hypotheses, scenarios, or assumptions.Diagram techniques: Cause-and-effect, System or process flow charts, and Influence diagrams

.

Page 9

Text Book - Risk Analysis

Quantitative: The process of measuring the probability and consequences of risks and estimating their implications for project objectives.– Determine the probability of achieving a specific project

objective.– Quantify the risk exposure for the project, and determine the

cost and schedule contingency reserves that may be needed.– Identify risks requiring the most attention by quantifying their

relative contribution to project risks.– Identify realistic and achievable cost, schedule, and scope

targets.

Qualitative: The process of performing a qualitative analysis of risks and conditions to prioritize their effects on project objectives.

Page 10

Qualitative Risk - Tools and Techniques

Risk probability and consequences: This is generally described in qualitative terms such as VERY HIGH, HIGH, MODERATE, LOW, VERY LOW.

• Risk Probability is the likelihood a risk will occur.• Risk Consequences is the effect on the project objectives if the risk event occurs.

Probability/impact risk rating matrix: The use of risk’s probability scale and risk’s impact scale is generally used.

• Risk scale falls between 0.0 (no probability) and 1.0 (certainty) – See next slide

• Risk impact scale reflects the severity of its effect on the project objective.

Page 11

Rating Impacts for a Risk

Evaluating Impact of a Risk during Major Project Milestones

Project Very Low Low Moderate High Very HighObjective .05 .1 .2 .4 .8

Cost Insignificant <5% 5-10% 10 – 20% >20% Cost Increase Increase Increase Increase Increase

Schedule Insignificant Schedule Slip Overall Prj Slip Overall Prj Slip Overall Prj Slip Schedule Slippage <5% 5-10% 10-20% Slips>20%

Scope Scope Reduction Minor areas of Major Areas Scope Reduction Project end item scope affected of scope affected unacceptable to is not meeting client business need

Quality Quality Only very Quality Reduction Quality Reduction Project end item Degradation small demanding Apps requires client unacceptable to is useless affected approval client

Page 12

Qualitative and Quantitative Risk Outputs

QualitativeOverall risk rating for the project: Risk ranking is used to rank the risk of the project under evaluation against other projects.List of prioritized risks: Risk can generally ranked as low, moderate, or high.List of risks for additional analysis and management: Risk categorized as moderate or high would be prime candidates for more analysis, including quantitative risk analysis, and for risk management.Trends in qualitative risk analysis results: As the analysis is repeated, a trend of results may become apparent, and can make risk resolution or further analysis more or less urgent and important.

QuantitativePrioritized list of quantified risks: This list of risks include those that pose the greatest risk threat or present the greatest opportunity to the project together with a measure of their impact.

Probabilistic analysis of the project: Forecasts or potential project schedule and cost results listing the possible completion dates or project duration and costs with their associated confidence levels.

Probability of achieving the cost and time objectives: The probability of achieving the project objectives under the current plan and with the current knowledge of the risks facing the project.

Page 13

Text Book - Risk Resolution

1. Risk Management Plan2. List of prioritized risks3. Risk ranking of the project4. Prioritized list of quantified risks5. Probabilistic analysis of the project6. Probability of achieving the cost and time

objectives7. List of potential resolutions8. Risk thresholds9. Risk owners10.Common risk causes11.Trends in qualitative and quantitative risk

analysis results

Inputs

1. Risk resolution plan2. Residual risks3. Secondary risks4. Contractual agreements5. Contingency reserve

amounts needed6. Inputs to other processes7. Inputs to a revised project

plan

Output

1. Avoidance2. Transference3. Mitigation4. Acceptance

Tools & Techniques

DEFINITION: The process of developing procedures and techniques to reduce threats to the project objectives.

Page 14

Risk Resolution – Outputs

Risk Resolution plan: This is also called “risk register” and should include some or all of the following:

Identify risks, their description, the area(s) of the project effected, their causes, and how they may affect project objectives Risk owners and assigned responsibilities Results from the qualitative and quantitative risk analysis Agreed to response including avoidance, transference, mitigation, acceptance for each risk in the risk resolution plan The level of residual risk expected to be remaining after the strategy is implemented Specific actions to implement the chosen resolution strategy Budget and times for resolution Contingency plans and fallback plans

Residual risk: Residual risk are those that remain after avoidance, transfer, or mitigation resolutions have been taken. They also include minor risks that have been accepted and addresses.Secondary risks: These risks arise as a direct result of implementing a risk resolution.Contractual agreements: Contractual agreements may be used to specify each party’s responsibility for risks.Contingency reserve amounts needed: Probabilistic analysis of the project and risk thresholds help the project manager determine the amount of contingency needed to reduce risk.Inputs to other processes: Most resolutions to risk involve expenditure of additional time, cost, or resources and require changes to project plans.Inputs to a revised project plan: The results of the resolution planning process must be incorporated into the project plan, to ensure that agreed actions are implemented and monitored as part of the ongoing project.

Page 15

Risk Resolution –Tools/Techniques

Tools and TechniquesAvoidance: Risk avoidance is changing the project plan to eliminate the risk or condition or to protect the project objectives from its impact.Transference: Risk transference is seeking to shift the consequences of a risk to a third party together with ownership of the resolution. (Financial risk is most common)Mitigation: Mitigation seeks to reduce the probability and or consequences of an adverse risk event to an acceptable threshold.Acceptance: This technique indicates that a project team has decided not to change the project plan to deal with a risk. Developing a contingency plan is a way to managing known risks. The contingency plan adopt contingency allowance or reserve that includes: Time Money Resources

Page 16

Text Book - Risk Monitoring & Control

1. Risk Management Plan2. Risk resolution plan 3. Project communication4. Additional risk

identification and analysis5. Scope Changes

Inputs

1. Workaround plans2. Corrective action 3. Project change request4. Updates to the task

resolution plan5. Risk database6. Updates to risk

identification checklist

Output

1. Project Risk resolution audits

2. Periodic project risk reviews

3. Earned Value analysis4. Technical performance

measurements5. Additional risk resolution

planning

Tools & Techniques

DEFINITION: The process of monitoring residual risks, identifying new risks, executing risk reduction plans, and evaluating their effectiveness throughout the project life cycle.

The purpose of risk monitoring is to determine if:• Risk resolution have been implemented as planned• Risk resolution actions are as effective as expected, or if new resolutions should be developed• Project assumptions are still valid• Risk exposure has changed from its prior state, with analysis and trends• A risk trigger has occurred• Proper policies and procedures are followed• Risks have occurred or arisen that were not previously identified

Page 17

Project Risk Management (RM) - In Practice

Risk Risk

ManagementManagement

Risk AssessmentRisk Assessment

Identification

Quantification

Prioritization

Risk Monitor and Risk Monitor and ControlControl

Risk Mgmt Plan and Log

Risks tracked in Project WBS

Risk Ownership

Practice = Text Book

Where the rubber hits the road!

Page 18

Project RM – In Practice

Project Risk Identification > Use a Questionnaire

Risk Monitor and Control– Project Risk Management Plan = The Project Risk Log

• Describes• Quantifies• Probability of Occurrence• Resolution• Prioritizes• Ownership• Status• Risk Ranking

– Project Schedule > Risk Items get put into project WBS (as contingency) and Assigned Ownership

Page 19

Project RM – In PracticeRisk Identification Categories

Project Integration Management

Scope Management

Time Management

Cost Management

Human Resource Management

Communication Management

Procurement Management

Quality Management

Technology

Data Conversions

External Factors

Page 20

Risk Identification using a questionnaire

Risk Assessment QuestionnaireCompleted By:________________________________________ Date:______________________

Project Size

Resource Hours Total estimated resource hours:

<=5,000> 5,000 and <=20,000> 20,000

LowMediumHigh

Notes

Calendar TimeEstimated calendar duration:

<= 4 months> 4 months and <=12 months> 12 months

LowMediumHigh

Notes

Team SizeMaximum team size at any time during the

project:

<= 4 participants> 4 and <= 12 participants> 12 participants

LowMediumHigh

Notes

Page 21

Risk Identification using a questionnaire (cont’d)

Project Structure - Definition

Project ScopeThe boundaries of the project are:

well defined and acceptedconceptually understoodill defined

LowMediumHigh

Notes

Project DeliverablesThe tangible information from the project is:

well defined and acceptednamed but not detailednot identified

LowMediumHigh

Notes

New System BenefitsThe benefit of doing the project is:

well defined and accepted, and/or of strategic importancegenerally understood, but not quantifiedill defined or not identified

LowMediumHigh

Notes

Page 22

Risk Identification using a questionnaire (cont’d)

Project Structure - Sponsorship & Commitment

Project SponsorshipThe project is sponsored by:

respected and enthusiastic business managerpassive business managerunidentified, or I/S manager

LowMediumHigh

Notes

Commitment of Sponsor(s)The sponsor is:

committed to the project (understands value and is supportive)involved, but not committedskeptical or resistant

LowMediumHigh

Notes

Commitment of Sponsoring Business Area(s)The sponsoring business area(s) are:

committed to the project (understands value and is supportive)involved, but not committedskeptical or resistant

LowMediumHigh

Notes

Relation to Information Strategy PlanThe new system is:

included in or approved for additionincluded, but not yet approvednot yet part of the plan

LowMediumHigh

Notes

Page 23

Risk Identification using a questionnaire (cont’d)

Page 24

Project Risk Management Plan and Log

Page 25

Managing the Risk Assessment Results

Risk Monitor and Control

The “No Surprise Approach” to Risk Management is accomplished by:

1. All identified risk items get put into the project work breakdown structure (WBS)

2. All risk items have owners > including the executive sponsors and senior management

3. Risks are reported to the senior and executive leadership in the project dashboard

4. When a RISK EVENT does occur, becomes an issue, then a Project Change Request (PCR) is immediately submitted …. No Surprise PCR

Page 26

Project WBS Example

Page 27

Project Dashboard

Page 28

Risk Summary Dashboard – Example 1

Risk Level – on a scale of 1(low) to 5(high)Examples indicate what would count as a low / med / high to clarify the question and to improve consistency across the projects.

Mitigation Strategy Effectiveness – on a scale of:

A = successfully in place or not applicable

B = in place but needs monitoring

C = challenging or no mitigation strategy defined

Highest Rating in Category: 2A GREENClient Relationship

Highest Rating in Category: 1A GREEN

(Delivery)Solution

Highest Rating in Category: 2A GREEN

(Delivery) Management Process

Highest Rating in Category: 1A GREEN

(Delivery)Work Plan

Highest Rating in Category: 1A GREEN

(Delivery) Staffing

Highest Rating in Category: 3B YELLOW

(Delivery)Engagement Letter

Highest Rating in Category: 5B RED

(Delivery)Partners/3rd Parties

Highest Rating in Category: 1A GREENFinancial

Highest Rating in Category: 2B GREENOverall

A B C

5 0% 4% 0% 4%

4 0% 0% 0% 0%

3 0% 4% 0% 4%

2 11% 11% 0% 21%

1 68% 4% 0% 71%79% 21% 0% 100%

Aggregate Risk Summary

Aggregate Score: 1B GREEN20% of responses were above this risk score.

Page 29

Risk Summary Dashboard – Example 2