Project Risk Management Module 3

Plan Risk Management Process:

 Classical project risk management serves two primary functions: minimizing potential
risks (probability and consequences of adverse events) and maximizing potential
opportunities (probability and consequences of positive events).
 Essential for project management as it supports project planning, identifies and assesses
risks threatening project objectives, and guides actions for overall project performance
improvement.
Risk Management as a Deliberate Process:
 Risk management is intentional, purposeful, measured, and well-calculated.
 Conducted systematically and intentionally, especially for projects with inherent risks.
Key Facilitations of Risk Management:
 Facilitates essential project management functions, enabling the use of appropriate
tools and techniques for effective planning, monitoring, and control of project activities.
Seven Steps in Project Risk Management (PMBOK ® Guide 6th Edition):
1. Risk Management Planning: Deliberate planning for managing risks in the project.
2. Risk Identification: Identifying and listing potential risks that may affect project
objectives.
3. Qualitative Risk Analysis: Assessing risks qualitatively to prioritize them based on impact
and probability.
4. Quantitative Risk Analysis: Numerically analyzing identified risks to quantify their
impact on project objectives.
5. Risk Response Planning: Developing strategies and actions to address identified risks.
6. Risk Response Implementation: Executing the planned strategies to respond to
identified risks.
7. Risk Monitoring:
Continuously monitoring
and evaluating risks
throughout the project
lifecycle.

Plan Risk Management Data

Flow:
 The data flow for Plan Risk
Management involves
inputs from various
sources, including:
o Develop Project
Charter (Project
Charter)
 o Project Management Plan (Project Management Plan)
o Project Documents (Stakeholder register)
o Enterprise/Organization (Enterprise environmental factors, Organizational process
assets)
Output - Risk Management Plan:
 The Plan Risk Management process outputs the Risk Management Plan (RMP).
 The Risk Management Plan becomes a crucial input for subsequent steps in the risk
management process, including:
o Identifying risk
o Performing qualitative analysis
o Performing quantitative analysis
o Planning risk response
Inclusion in Project Management Plan:
 The Risk Management Plan is typically incorporated into the Project Management Plan.
 Risk Management Plans provide structured and detailed information on how risk
management will be carried out throughout the project.
 Highlighted as a major sub-plan within the comprehensive Project Management Plan.

Plan Risk Management – The Project Charter and Project Plan

Project Charter:
 The Project Charter is a key input for developing the Risk Management Plan (RMP).
 Authorizes the project and grants the project manager authority over organizational
resources.
 Documents high-level information, including project purpose, measurable objectives,
requirements, project description, boundaries, key deliverables, overall project risks,
milestone schedule, financial resources, stakeholder list, project approval criteria, exit
criteria, project manager details, and sponsor information.
 All documentation from the Project Charter feeds into the Risk Management Plan.

Project Plan:
 The Project Plan is a tool for managing the project and comprises one or more subsidiary
plans.
 Emphasizes the importance of considering all approved subsidiary plans in Plan Risk
Management to maintain consistency.
 Represents a list of project management plan components and project documents,
including scope, requirements, schedule, cost, quality, resource, communications, risk,
procurement, stakeholder engagement, change, and configuration management plans.
  Project documents include scope, schedule, cost baselines, performance measurement
baselines, project life cycle description, development approach, activity attributes,
assumption log, basis of estimates, change log, cost and duration estimates, issue log,
lessons learned register, milestone list, resource assignments, project calendars,
communications, schedule network diagram, scope statement, team assignments,
quality control measurements, metrics, and reports, requirements documentation,
resource breakdown structure, risk register and report, schedule data and forecast,
stakeholder register, team charter, and test and evaluation documents.

Consistency and Baselines:

 Stress on the importance of considering all approved subsidiary plans to maintain
consistency.
 Notes that everything is a work in progress until approved, and once approved, it
becomes the baseline.

The Risk Project Charter must include :

 Project purpose
 Measurable project objectives and related success criteria
 High-level requirements
 High-level project description, boundaries, and key deliverables
 Overall project risk
 Summary milestone schedule
 Preapproved financial resources
 Key stakeholder list
 Project approval requirements:
o What constitutes project success?
o Who decides the project is successful?
o Who signs off on the project?
 Project exit criteria
o What are the conditions to be met in order to close or to cancel the project or
phase?
 Assigned project manager, responsibility, and authority level
 Name and authority of the sponsor or other person(s) authorizing the project charter

Plan Risk Management Input

Stakeholder Register:
 The stakeholder register is a project document that provides details about identified
stakeholders.
 Includes information on their roles and attitudes towards risks.
  Recognizes that stakeholders may exhibit varying risk attitudes, ranging from risk-averse
and conservative to more aggressive and risk-taking.
Usefulness of Stakeholder Register:
 Useful for determining roles and responsibilities for managing risk on the project.
 Facilitates setting risk thresholds on the project by understanding the risk tolerances of
stakeholders.

Identification
Information Assessment Information Classification information
Name Major requirements Internal or external
Position Expectation Influence/power/interest/impact
Location Potential for influencing Project Upward/downward/outward/sideward
or any other classification model
Contact Details Outcomes
Role Phase where stakeholder has most
influence and/or impact

Enterprise Environmental Factors (EEFs):

 Conditions beyond the full control of the project team that significantly impact the Plan
Risk Management Process.
 Typically result from the risk threshold of the organization and key stakeholders in the
project.
Examples of EEFs:
1. Pandemics
2. Economic conditions
3. Marketplace conditions (prices, product availability, lead times)
4. Geographic factors (local, national, international constraints)
5. Risk thresholds set by the project organization or key stakeholders.
Risk Thresholds:
 Provide crucial information for
project selection.
 Above maximum desired risk
makes stakeholders and project
manager hesitant to take on the
project.
 Comparing expected return with
anticipated risk for various projects
aids in decision-making.
 The graph illustrates the
relationship between anticipated
risk and return, with areas X1 (low risk,
 below minimum desired return) and X6 (high return, above risk threshold) being less
desirable. The circled area (X2 to X5) represents the efficient frontier, indicating high
return with anticipated risk within the risk threshold.

Organizational Process Assets (OPAs):

 Integral to the risk management process, OPAs encompass various elements that
contribute to effective risk management.
Components of OPAs:
1. Organizational risk policies
2. Organizational procedures
3. Risk rating rules.
4. Historical information
5. Stakeholder register
6. Templates
7. Project files
8. Lessons learned.
9. Studies of similar projects
10.Standard templates
11.Risk categories.
12.Risk Breakdown Structure (RBS)
13.Change control procedures.
14.Risk tolerance areas and thresholds.

Tools, Techniques and Outputs

Risk Management Plan (RMP) Forms:

 The RMP can exist in various forms:
1. Stand-alone document.
2. Part of the Project Management Plan.
3. Set of charts from a project kick-off review presentation, coupled with a call-out of
the company standard procedure.
RMP Content:
 General information.
 Methodology.
 Roles and responsibilities.
 Risk management budgeting.
 Risk management scheduling and timing.
 Project risk categories.
 Individual (qualitative) risk assessment definitions.
 Project stakeholder tolerance.
  Risk reporting formats.
 Initial risk assessment – assumptions and risk.
 Monitoring and controlling project risk.
RMP Methodology:
 A methodology is an approach, not a to-do list, providing guidance on how the work will
be done.
 Outlines the approach to plan, monitor, and control risks on the project, along with
tools, techniques, and resulting outputs.
 May reference or indicate examples of various documents such as the assumption
register, risk register, risk matrix, risk burn-down schedule, and simulation methodology.
Assumption Analysis:
 Assumption analysis explores the validity of assumptions in terms of accuracy,
consistency, and completeness.
 Assumptions equal risk in general.

Expertise for Risk Management:

 Expertise should be sought from individuals or groups with knowledge or training in:
1. The organization's approach to managing risk.
2. Tailoring risk to the specific needs of projects.
3. Types of risks likely to be encountered in similar projects.

Data Analysis Techniques:

 Data analysis includes stakeholder analysis
and document analysis.
 Lessons learned from previous projects and
project documentation provide valuable insights.
 Data analysis techniques help determine the risk
appetites of project stakeholders.
 Stakeholder analysis results in a list of
stakeholders with information on positions, roles,
expectations, and attitudes. Various
representation techniques include
power/interests, power/influence, or
impact/influence grids.
 Document analysis involves assessing project
documents and lessons learned to identify stakeholders and gather supporting
information.

Meetings for Risk Management:

 Meetings are essential, potentially part of the project kick-off or specific planning
meetings.
  Attendees should include:
1. Project manager.
2. Project team members.
3. Key stakeholders.
4. Team members responsible for the Risk Management process on the project.

Tools and Techniques Description

Organizational assets Historical data for determining bases of estimates
Prior project development processes, etc.
Estimating techniques Bottom up
Top down
Parametric
Cost and schedule control Earned Value Management (EVM)
technique
Requirements tracking Requirements Matrix
methodology WBS Dictionary

Roles and Responsibility

Roles and Responsibilities in Project Management Planning:

 Reference to the Project Management Plan is essential for defining project roles and
responsibilities, specifically for risk management tasks.
 The plan should explicitly identify team members responsible for carrying out specific
risk management activities.
Referenced Project Documents:
 The roles and responsibilities section references project documents, including:
1. Work Breakdown Structure (WBS): It is advisable to include the WBS in the
project management plan or Risk Management Plan (RMP).
2. RACI Matrix (Responsible, Accountable, Consult, Inform): Helps define
stakeholder involvement in various project activities.
Risk Management Budgeting:
 Risk management budgeting may be covered by general project management funds.
 Alternatively, specific funds may be allocated to address issues and additional risks
discovered during the project.
 Funds set aside for risk activities are termed "management reserves" and "contingency
funds."
 These funds are within the approved project funding limit but are not allocated until
specific events occur or criteria are met.
Contingency Funds:
 Some projects have back-up plans, and to manage associated risks, a contingency
reserve may be established.
 Contingency funds address "known known" and “known unknown” risks, contained
within the project cost baseline. Unused funds may move into the management reserve.
 Guidelines for establishing and using contingency funds should be clearly outlined in the
Risk Management Plan (RMP) or Project Management Plans.
Management Reserve Funds:
 Address "unknown unknowns" or unexpected issues during project execution.
 Not typically included in the project’s cost baseline until allocated.
 No strict rules for establishing management reserves; influenced by past experience,
stakeholder risk tolerances, and expectations.
 Project sponsor or upper management approval is usually required for the release of
management reserves.
 Policies and procedures for administering the allocation of management reserves should
be clearly articulated in the RMP.

Risk Management Scheduling and Timing:

 The risk management plan outlines how and when risk review meetings will be
conducted.
 Buffers, such as schedule buffers, may be established to accommodate issues and
additional risks discovered during the project.
Risk Review Meetings:
 Timing of formal risk reviews can be periodic or event driven.
o Periodic: Weekly or monthly, depending on the project pace, amount of risk, and
organizational policies.
o Event-driven: Triggered by the occurrence of risk events or emerging issues.
 In-depth risk reviews may involve additional organizational resources or technical
experts.
Buffers for Risks:
 Schedule buffers (contingency or management reserve) are established to address issues
and additional risks discovered during the project.
 This section of the Risk Management Plan contains information about the timing of
project risk management activities and details about schedule reserves or buffers
incorporated into the project plan.

Categories of Project Risk

Categorizing Risks:
 Risks are categorized by major project objectives to aid in project reviews and status
reporting.
 Categorization is crucial as it allows grouping of individual project risks.
 Categories should be documented in the Risk Management Plan (RMP).
Categorization Methods:
 Risks may be categorized by:
1. Project Manager's Knowledge Areas: Including project scope, schedule, cost,
quality, etc.
2. Risk Breakdown Structure (RBS): A hierarchical organization showing sources of
project risk by category.
3. Work Breakdown Structure (WBS): Hierarchical decomposition of the total scope
of work to be carried out by the project team.

Knowledge Area Risk Conditions

Integration Inadequate planning; poor resource allocation; poor integration
management; lack of post-project review
Scope Poor definition of scope or work packages; incomplete definition of
quality requirements; inadequate scope control
Time Errors in estimating time or resource availability; poor allocation and
management of float; early release of competitive products
Cost Estimating errors; inadequate productivity, cost, change, or
contingency control; poor maintenance, security, purchasing, etc.
Quality Poor attitude toward quality; substandard
design/materials/workmanship; inadequate quality assurance
program
Resources Poor conflict management; poor project organization and definition of
responsibilities; absence of leadership
Communications Carelessness in planning or communicating; lack of consultation with
key stakeholders
Risk Ignoring risk; unclear assignment of risk; poor insurance management
Procurement Unenforceable conditions or contract clauses; adversarial relations

Risk Breakdown Structure (RBS):

 The RBS is a valuable tool for categorizing risks in a project.
 It lists categories and subcategories to identify potential risks and their sources.
 Can be tailored to a specific project or used as a generic RBS for multiple projects.
 Example RBS includes categories like technical, external, organizational, and project
management, with further breakdowns.
Work Breakdown Structure (WBS):
  The WBS is another tool that helps identify project risks by breaking down project efforts
into levels.
 It decomposes the project from high to detailed levels, outlining all deliverables and
activities.
 The WBS above the dashed line represents project components, while below the line are
activities.
 Essential in scope management, identifying risks associated with specific areas of the
project.
Individual (Qualitative) Risk Assessment Definitions:
 Organizations standardize definitions, content, and formats for risk assessments.
 Utilizes a risk matrix to assign numerical ratings to impacts of varying magnitudes.
 Various rating scales for probability of occurrence, either specific probabilities or bands,
can be employed.
Scale for Probability and Impact
Project Very Low Low Moderate High Very High
Objective 0.05 0.10 0.20 0.40 0.80
Cost Insignificant Less than 5% 5–10% cost 10–20% cost Greater than
cost increase cost increase increase increase 20% cost
increase
Schedule Insignificant Schedule Overall Overall Overall
schedule slippage less project project project
slippage than 5% slippage 5– slippage 10– schedule slips
10% 20% greater than
20%
Scope Scope Minor areas Major areas Scope Project end
decreases of scope are of scope are reduction item is
barely affected affected unacceptable effectively
noticeable to the client useless
Quality Quality Only very Quality Quality Project end
degradation demanding reduction reduction item is
barely applications requires unacceptable effectively
noticeable are affected client to the client unusable
approval

 Probability and impact are assessed using standardized terms like "very low" to "very
high."
 Standardization can also involve numerical scales for more precise evaluation.
 Charts are employed to illustrate and explain the meaning of each level of probability
and impact.
 This information is integrated into the Project Management Plan, outlining actions based
on assessments.
  Rating scales for probability and impact should be documented in the Risk Management
Plan (RMP).
 The scales aim to ensure consistent and reliable determinations of relative risk severity
levels across the project.

Project Stakeholders
 Stakeholder risk tolerances are established and should be reflected in the project plan
once it's approved.
 Two approaches to documenting stakeholder tolerances: using a stakeholder analysis
tool and setting severity score rating thresholds.
 Stakeholder analysis tools include Power/Interest Grid, Power/Influence Grid, and
Influence/Impact Grid.
 Stakeholder analysis results in a list of stakeholders with information such as positions,
roles, expectations, and attitudes.
 Severity score rating thresholds are established to determine acceptable and
unacceptable levels of risk.
 Risks exceeding acceptable thresholds are considered high risks and require specific
actions within a defined time frame and budget.
 If risks remain unaddressed, project sponsors may accept the higher risk level or agree
to adjustments in other project constraints.

Initial Risk Assessment

 The Initial Risk Assessment is a crucial section of the Risk Management Plan (RMP) and is
often presented at the project kick-off.
 Three assessments are included in this section: project assumptions, overall
(quantitative) project risks, and individual (qualitative) project risks (threats and
opportunities).
 Project assumptions, whether positive or negative, directly impact project risks and
should be documented in the assumptions register.
 The overall project risk is not simply the sum of individual risks; it requires a focused
assessment, particularly on meeting project cost and schedule objectives.
 For overall project risk scoring, factors are identified, and their probability (Pf) and
consequences (Cf) are assessed.
 Scaling is created for both dimensions, and overall probability and consequence are
calculated to determine the overall risk factor.

Sources (factors) of risk Effects (consequences) of failure

 Maturity: low (0.2)  Cost: medium (0.5)
 Complexity: low (0.1)  Schedule: medium (0.4)
 Dependency: high (0.8)  Reliabilty: medium (0.6)
 Performance: high (0.8)
 The section on
Individual (Qualitative) Project Risks in the Risk Management Plan (RMP) should provide
clear details about several key elements.
 These elements include the initial risk register, risk matrix, and risk burndown plan (if
applicable).
 It should outline the higher-priority risks and their corresponding action plans or
responses.
 The summary-level risk data to be reported to senior management and other
stakeholders is highlighted, with detailed data included in an appendix.
 The plan also addresses how project risks will be monitored and controlled, specifying
the timing, metrics, frequency of team risk assessments, core team involvement, triggers
for out-of-cycle risk assessments, and the process for distributing reserve funds.
 Additionally, if a project post-mortem is planned, it should be noted in the RMP.