PM Notebook - Chapter 11: Risk Management

PM Notebook
Summarizing Project Management Concepts for the PMP
Exam
Mohammad Elsheimy Road to PMP

PM NOTEBOOK CHAPTER 11 – RISK MANAGEMENT | KEY TERMS
DISCLAIMER: THE MATERIAL INCLUDED IN THIS DOCUMENT IS BASED ON DATA / INFORMATION
GATHERED FROM VARIOUS RELIABLE SOURCES. NONE OF THIS DATA / INFORMATION IS A PROPERTY
OF THE AUTHOR.
1
DISCLAIMER: THE MATERIAL INCLUDED IN THIS DOCUMENT IS
BASED ON DATA/INFORMATION GATHERED FROM VARIOUS
RELIABLE SOURCES. NONE OF THIS DATA/INFORMATION IS A
PROPERTY OF THE AUTHOR. NONE IS INTENDED TO MAKE A
PROFIT IN ANY WAY. THIS IS FOR PERSONAL USE ONLY.

OF THE AUTHOR.
2
No great man ever complains of want of opportunity.
Ralph Waldo Emerson

OF THE AUTHOR.
3
Table of Contents
Chapter 11 – Risk Management ........................................................................................................................... 4
Key Terms ............................................................................................................................................................... 4
Risk Appetite vs. Risk Tolerance ..................................................................................................................... 4
Risk Levels........................................................................................................................................................... 5
Risk Sources........................................................................................................................................................ 5
Processes................................................................................................................................................................ 6
1 – Plan Risk Management (Planning).......................................................................................................... 6
2 – Identify Risks (Planning) ............................................................................................................................. 7
3 – Perform Qualitative Risk Analysis (Planning).......................................................................................... 8
4 – Perform Quantitative Risk Analysis (Planning)....................................................................................... 9
5 – Plan Risk Responses (Planning) .............................................................................................................. 10
6 – Implement Risk Responses (Executing) ................................................................................................ 11
7 – Monitor Risks (Monitoring & Controlling) .............................................................................................. 12
Perspective Project Examination / Prompt Lists (Identification)................................................................ 13
Risk Parameter Assessment (Qualitative)....................................................................................................... 13
Sensitivity Analysis (Quantitative) .................................................................................................................... 14
Expected Monetary Value (Quantitative) .................................................................................................... 14
Risk Types.............................................................................................................................................................. 15
Event-Based Risks............................................................................................................................................ 15
Nonevent-Based Risks.................................................................................................................................... 15
Risk Response Strategies ................................................................................................................................... 16
Negative Risks (Threats)................................................................................................................................. 16
Positive Risks (Opportunities) ........................................................................................................................ 17
Contingent Response Strategy vs. Fallback Plan ........................................................................................ 17
Contingency Reserve vs. Management Reserve ........................................................................................ 17
Scales.................................................................................................................................................................... 18
Additional Terms ................................................................................................................................................. 18

OF THE AUTHOR.
4
Even the most carefully planned project can run into trouble.
Key Terms
Risk – Anything that might occur on your project and change the outcome of a project activity. It
is not always bad.
 Threat – Negative risk.
 Opportunity – Positive risk. Events and conditions that can help your project.
Risk Priority – Likelihood of a risk to occur (i.e. probability) and its projected impact.
Risk Urgency – Time criticality of a risk to occur.
Risk Severity – the combination of impact and probability.
Trigger / Event / Early Warning Signs – An indicator that a risk event could occur.
Risk Exposure – a quantified loss potential of business. Risk exposure is usually calculated by
multiplying the probability of an incident occurring by its potential losses.
Risk Efficiency – How quickly an organization identifies, analyzes, and create risk responses.
Uncertainty – A lack of knowledge about an event that reduces confidence in conclusions drawn
from the data.
Risk Owner – The individual or entity who is responsible for monitoring and responding to an
identified risk.
Risk Appetite vs. Risk Tolerance
Risk Appetite – the amount and type of risk that an organization is willing to take in order to meet
their strategic objectives. Some organizations might be willing to take a high risk if the reward is
high; others may want to play safe or go conservatively. An example is a sponsor who is willing to
accept little risk to the schedule of the project.
Risk Tolerance – It is the degree, amount, or volume of the risk that an organization or individual
will withstand. Risk tolerance tells you how sensitive the organization or people are to risks. High
tolerance means people are willing to take a high risk, and low tolerance means people are not

OF THE AUTHOR.
5
willing to take many risks. Tolerance is more specific than appetite. An example is a sponsor who is
willing to accept schedule risk up to 1 days on the project.
 The more important the project, the lower the stakeholder tolerance is.
Risk Threshold – means the amount of risk that is acceptable to an organization. E.g. 14 days
delay in the schedule.
Risk Aversion / Utility Function – a way it express risk tolerance. It is the behavior of humans
(especially consumers and investors), when exposed to uncertainty, in attempting to lower that
uncertainty.
Risk Averse – Someone who does not want to take risks.
Risk Neutral – a person/or an organization which is indifferent to the risk.
Risk Prone / Risk Seeker – Someone who is willing to take risks at high-level.
Risk Levels
Individual Project Risk – the risks that we identify in the project.
Overall Project Risk – the effect of uncertainty on the project as a whole. It is the joint effect of all
risks in the project and other sources of uncertainty.
Risk Sources
 The customer or customer’s customers.
 Lack of project management effort.
 Lack of knowledge of project management.
 Suppliers.
 Resistance to change.
 Cultural differences.
 Schedule, cost, quality, scope, and resources.
 Customer/Stakeholder satisfaction.

PM NOTEBOOK CHAPTER 11 – RISK MANAGEMENT | PROCESSES
OF THE AUTHOR.
6
Processes
1 – Plan Risk Management (Planning)
 Created by PM, project team, key stakeholders, risk management team, and persons of
authority.
 Risks may be delegated to the project team or escalated to higher levels.
 Define how key stakeholders will identify risks, analyze risks, create risk responses, and control
risks.
 Should include consideration of potential subcontracts based on capability and cost-
savings.
 Roles and responsibilities
 Enterprises might have pre-defined approach to risk management.
 Document costs of risk elements.
 Assignment of risk responsibilities.
 Risk probability and impact matrix definitions.
 Resources and funds needed for the risk management plan.
 Risk response planning procedures.
 Risk management process should result in decreases to the project’s estimated time and
cost.
 Risk categories.
 Due to uncertainty, risks are higher when the project starts and they decrease as the project
moves further.
 Risk impact (i.e. amount of stake) is lower when the project starts and it increases as the
project moves further.
Inputs
1. Project Charter
2. Project Management Plan
3. Project Documents
 Stakeholder Register
4. OPAs
5. EEFs
Tools
1. Data Analysis Techniques
 Stakeholder Analysis
2. Expert Judgment
3. Meetings
Outputs
1. Risk Management Plan
 Risk Categories
 Risk Breakdown Structure (RBS)
 Methodology – Methods and approaches to identifying and handling risks.

OF THE AUTHOR.
7
 Definitions of Probability and Impact
 Roles and Responsibilities
2 – Identify Risks (Planning)
 Ongoing activity throughout the project.
 The most important thing to address in project team meetings.
 Starts from the initiating phase. Project Charter lists high-level risks.
Inputs
 Risk Management Plan
 Cost Management Plan
 Schedule Management Plan
 Quality Management Plan
 Resource Management Plan
 Scope Baseline
 Cost Baseline –
1) Lists project assumptions that should be analyzed for risk.
2) Estimates that are aggressive or developed with a limited amount of information
are even more likely to entail risk.
 Schedule Baseline
 Activity Cost Estimates
 Activity Duration Estimates
 Issue Log
 Resource Requirements
3. Procurement Documents
4. Agreements
5. OPAs
6. EEFs
Tools
1. Data Gathering Techniques
 Interviews – with SMEs, stakeholders, and other experts.
 Brainstorming
 Delphi Technique
 Checklists – can be developed based on historical information and knowledge that has
been accumulated from previous similar projects and from other sources of information.
 Root Cause Analysis (RCA) – Ishikawa diagram as an example.
3. Risk Identification Tools
4. Interpersonal/Team/Soft Skills
5. Documentation Review – An ongoing iterative activity that checks project plan, scope,
project files, and other project documents for risks.

OF THE AUTHOR.
8
6. Expert Judgment
7. Assumptions Analysis –
 Assumption Stability – Determines how reliable is the information that led to this
assumption
 Assumption Consequences
 False Assumption Effect
8. Perspective Project Examination / Prompt Lists
Outputs
1. Risk Register – Documents risk identification, status, progress, responses, trigger, outcomes,
risk owner, WBS references, timing, deadlines, etc.
2. Risk Report – A report that shows the overall project risk.
3. Project Document Updates
3 – Perform Qualitative Risk Analysis (Planning)
 Classifying into categories of likelihood (probability of occurrence) and impact, and then
ranking according to priority.
 Fast, and subjective approach to analysis.
 Can be done as risks are identified.
 You can use a cardinal or ordinal scale to indicate the seriousness of the risk.
 The odds of project success increase the closer you get to the end of the project.
 Imminent risks are usually higher urgency that distant risks.
 High priority risks that require an immediate response are moved on through the risk process,
low-priority risks are moved to the watchlist.
Inputs
 Risk Register
 Scope Baseline
3. EEFs
4. OPAs
Tools
1. Qualitative Tools
 Risk Data Quality Assessment – Looking into the accuracy, reliability, quality and
integrity of the data concerning the risk.
 Risk Parameter Assessment
 Risk Urgency Assessment – to identify those that have a high likelihood of happening
sooner rather than later. It is combined with the risk ranking to give a final risk severity
ranking.
 Risk Categorization
 Risk Probability and Impact Assessment

OF THE AUTHOR.
9
 Risk Prioritization
2. Expert Judgment
5. Data Representation Techniques
 Probability and Impact Matrix
 Risk Acceptability Bubble Charts – Represent risks by their impact, probability, and
proximity.
Outputs
 Risk Report
 Risk Register – List of prioritized risks that will move forward into quantitative analysis.
2. Watchlist – A list of noncritical risks for later review during the Control Risks process.
4 – Perform Quantitative Risk Analysis (Planning)
 Analyzing risks according to their impact to the project budget, schedule, or any other part
of the project.
 Determine cost and schedule reserves.
Inputs
 Cost Management Plan
 Schedule Management Plan
 Cost Baseline
 Risk Register
 Cost Estimates
 Cost Forecasts
 Duration Estimates
 Resource Requirements

OF THE AUTHOR.
10
3. EEFs
4. OPAs
Tools
 Interviewing
3. Data Representation Techniques
 Probability Distribution (Curves(
 Simulations
 Sensitivity Analysis / Tornado Diagram
 Expected Monetary Value (EMV) Analysis
 Modeling and Simulation / Monte Carlo Analysis
5. Expert Judgment
Outputs
 Risk Report
 Risk Register
2. Initial amount of contingency time and cost reserves
5 – Plan Risk Responses (Planning)
 Risk Response Strategies – are the approaches we can make to dealing with the risks we
have identified and quantified.
 Enhance opportunities.
 Reduce or eliminate risks.
 Document risk responses.
 Tracks outcomes for lessons learned.
 Multiple plan strategies can be selected for a single risk.
 Analyzing cost of prevention vs. cost of responding is required.
 Team, other stakeholders, and experts should be involved in selecting a strategy.
 Risk response strategies must be communicated to management, stakeholders, and the
sponsor.
Inputs
 Resource Management Plan
 Cost Baseline
 Risk Register
 Risk Report
 Lessons Learned Register
 Resource Calendars

OF THE AUTHOR.
11
3. EEFs
4. OPAs
Tools
1. Risk Response Strategies
2. Contingent Response Strategies – Fallback plan or contingency plan.
3. Justifying Risk Reduction – Examination of the cost to eliminate the risk altogether in
proportion to the probability and impact and the risk score.
 Alternatives Analysis
 Cost-Benefit Analysis
6. Decision-Making Techniques
8. Expert Judgment
Outputs
1. Project Management Plan Updates
 Risk Register – residual and secondary risks must be documented and reviewed
throughout the project.
 Risk Report
3. Change Requests
4. Final Contingency and Fallback Plans
6 – Implement Risk Responses (Executing)
 PM makes certain that the responses are carried out.
 Risk owners empowered to do risk responses.
Inputs
 Risk Register
 Risk Report
 Lessons Learned Register
 Project Team Assignments
3. OPAs
Tools
1. Expert Judgment
2. Interpersonal/Team Skills
3. Project Management Information System (PMIS)

OF THE AUTHOR.
12
Outputs
1. Change Requests
7 – Monitor Risks (Monitoring & Controlling)
 Constantly monitor how your project is doing compared to your risk register.
 Evaluate risk response effectiveness.
 Review risk approach, assumption validity, risk management policy effectiveness, procedures
followed, and project strategy validity.
 Constantly look for the occurrence of risk triggers.
 Monitor residual risks.
 Collect and communicate risk status.
 Revisit the watchlist.
 Recommend corrective actions.
 Use contingency reserves and adjust for approved changes.
 Closing of risks that are no longer applicable. Associated risk reserve of closed risks must be
returned to the company.
 Workarounds – unplanned responses developed to deal with the occurrence of
unanticipated events or problems on a project (or to deal with accepted risks.) Workarounds
are commonly developed in monitor risks process.
Inputs
 Risk Register
 Risk Report
 Issue Log
3. Work Performance Data
4. Work Performance Reports
Tools
 Variance and Trend Analysis
 Contingency Reserve Analysis – Checking how much reserve remains and how much
might be needed.
 Technical Performance Analysis –
1) Compares technical accomplishments to date to the project plan’s schedule of
technical achievement.
2) Deviation can help to forecast the degree of success in achieving the project
scope.
2. Risk Audits –

PM NOTEBOOK
CHAPTER 11 – RISK MANAGEMENT | PERSPECTIVE PROJECT
EXAMINATION / PROMPT LISTS (IDENTIFICATION)
OF THE AUTHOR.
13
 Task-by-task, risk-by-risk analysis. Involves examination and documentation of the
effectiveness of responses in dealing with identified risks and their root causes in addition
to the effectiveness of risk management plan.
 More exhaustive and usually done by external party.
 A schedule for implementing risk audits must be defined in the risk management plan.
 A review is conducted by the team and should be scheduled regularly.
3. Risk Reassessment –
 Ongoing activity aims to find any new risks that have come up.
 Regularly scheduled.
4. Meetings
Outputs
1. Work Performance Information
2. Change Requests
3. Project Management Plan Updates
 Closing of risks
 Workarounds
5. OPA Updates
Perspective Project Examination / Prompt Lists (Identification)
Prompt List – A predetermined list of risk categories that might give rise to individual project risk and
that could also act as sources of overall project risk.
SWOT – Strengths, Weaknesses, Opportunities, and Threats
PEST/PESTEL – Political, Economic, Social, Technological, Legal and Environmental
TECOP – Technical, Environmental, Commercial, Operational, and Political
VUCA – Volatility, Uncertainty, Complexity, and Ambiguity
Risk Parameter Assessment (Qualitative)
Connectivity – Determines how connected a risk is to the other risks with the project.
Controllability – Determines how easily the outcome of the risk event can be controlled.
Detectability – Determines how easily the evidence of a risk’s occurrence be detected.
Dormancy – Determines how long after the risk has occurred before its impact is noticed.
Manageability – Determines how easily the risk be managed.

PM NOTEBOOK
CHAPTER 11 – RISK MANAGEMENT | SENSITIVITY ANALYSIS
(QUANTITATIVE)
OF THE AUTHOR.
14
Propinquity – Determines the risk perception by key stakeholders.
Proximity – Determines how long before the risk will affect a project objective.
Strategic Impact – Determines the size of impact the risk will have on the strategic goals.
Urgency – Assessing the time criticality of a risk to occur using factors –
1. Time available
2. warning signs
3. risk rating score
Sensitivity Analysis (Quantitative)
Sensitivity Analysis is a study where we see the real impact/effect of one risk on the project goals.
Usually it creates tornado diagram.
 Examines each project risk on its own.
 Goal is to determine which individual risks have the greatest impact.
 Can examine how the risk affect the NPV, IRR, etc.
Expected Monetary Value (Quantitative)
Expected Monetary Value (EMV) Analysis lets you examine costs of all the paths you might take
through the project and assign monetary value to each decision. Implies decision tree analysis.
 Uses probability-impact matrix and risk exposure.
 Results in contingency reserve estimates.
 Performed during quantitative risk analysis and revised during risk response planning when
calculating contingency reserves.
Formula –
𝑬𝒙$𝑽 = ∑ 𝑽𝒊 𝑷𝒊
𝒏
𝒊=𝟏
Where – Vi = The monetary value of event i.
Pi = Probability of occurrence of event i.

PM NOTEBOOK CHAPTER 11 – RISK MANAGEMENT | RISK TYPES
OF THE AUTHOR.
15
Risk Types
Event-Based Risks
Normal Risks
Business Risk – Might have positive outcome. Examples are stocks and investments.
Pure / Insurable Risks – Risks that have only negative outcome. Examples are natural disasters,
thefts, and fires.
Residual Risks – Risks that are expected to remain after the planned response of risk has been
taken, as well as those that have been accepted.
Secondary Risks – Risks which arise as direct outcome of implementing a response for another risk.
Nonevent-Based Risks
Ambiguity Risks / Epistemic Uncertainty – Risks that have an uncertain, unclear nature, such as
new laws or regulations, complexity of project, and the marketplace conditions.
Emergent Risks / Ontological Uncertainty / Unknown Unknowns / Black Swans – They arise from
limitations in our conceptual frameworks or world-view. These are risks which we are unable to see
because they are outside our experience or mind set, so we don’t know that we should be
looking for them.
 Unknown-but-knowable unknowns – There are some uncertainties that we currently do not
know, but which we could find out about. This is where the risk process can help. The aim is
to expose those unknowns that could be known, so we can deal with them effectively.
 Unknown-and-unknowable unknowns – These are much more difficult to deal with, since
by definition we can never discover them unless and until they happen. They are genuine
emergent risks, which we could not predict with even the best risk process.

PM NOTEBOOK CHAPTER 11 – RISK MANAGEMENT | RISK RESPONSE STRATEGIES
OF THE AUTHOR.
16
Emergent risks can be handled by developing strong project resilience.
Project Resilience / Bounce-back Ability – The awareness of unknowable-unknowns (risks that can
be identified after they happen.) It is the art of noticing, interpreting, preparing, containing and
recovering from risks. It can also defined as the capacity to maintain core purpose and integrity in
the face of external or internal shock and change.
 Right level of budget and schedule contingencies.
 Flexible project processes.
 Frequent reviews of early warning signs.
Project scope or strategy can be adjusted as part of risk response.
Variability Risks / Aleatoric Uncertainty – A type of risk based on the variations that may occur in
the project, such as production, number of quality errors, the number of system trial days,
exchange rates, and unseasonal weather conditions.
Risk Response Strategies
Negative Risks (Threats)
Acceptance – For low-level risks or for risks that you have little control over (like weather) or when
the cost to mitigate or avoid a risk is the same as negative consequences if the risk even occurs.
Using the acceptance strategy means that the severity of the risk is lower than our risk tolerance
level.
 Active Acceptance – to make a plan for what to do when and if the risk occurs. Much
more effective.
o Involves the creation of contingency plans.
o Implies a secondary risk – the wrong thing that can be done to solve the problem
because its solution was not clearly thought out under pressure in the heat of the
moment.
 Passive Acceptance – leaves actions to be determined as needed (workarounds). It is
when the cost of developing a plan and documenting it can be higher than the cost of
dealing with the risk without preparation. The cost of developing a plan and documenting
it can be higher than the cost of dealing with the risk without preparation.
Please note that a decision to accept a risk must be communicated to stakeholders.
Avoidance –
 Eliminate the threat by eliminating the cause. An example is removing the work package
or person.
 Reducing the impact of a risk event by reducing the possibility of its occurrence.
 Expanding the scope of the project to eliminate the cause. An example is adding
additional level of testing to prevent the threat.

PM NOTEBOOK
CHAPTER 11 – RISK MANAGEMENT | CONTINGENT RESPONSE STRATEGY
VS. FALLBACK PLAN
OF THE AUTHOR.
17
Escalation – For risks out of PM’s ability to respond.
Mitigation / Reduction –
 Taking some sort of action to reduce the probability and impact of event.
 May involve prototypes to reduce the risk of scaling up from a bench-scale model of a
process or product.
Transference / Procurement / Deflecting / Allocating – Make another party responsible for the risks
by purchasing insurances or warranties or by outsourcing the work.
 Insurance exchanges an unknown cost impact of a known risk for a known cost impact.
For example, the cost impact of a risk of fire becomes known; it is the cost of the insurance.
 Transferring a risk will leave some risk behind. For example, when outsourcing the other
party might run into trouble or schedule delays.
Positive Risks (Opportunities)
Accepting
Enhancing – Making the opportunity more probable by influencing its triggers.
Escalating – For opportunities out of PM’s ability to respond.
Exploiting – Make full use of the opportunity.
Sharing – When it is hard to take the advantage on your own.
Contingent Response Strategy vs. Fallback Plan
Contingent Response Strategy – A planned and prepared response to an unplanned risk
occurring. As with a fallback plan, the contingent response strategy is a critical communication
tool to ensure that all team members know what actions to take when the specified risk event
occurs.
Fallback Plan – Developed in advance of a risk event occurring and is designed to be used when
the primary risk response proves not to be effective. Think of the fallback plan as the Plan B.
Contingency Reserve vs. Management Reserve
Contingency Reserve – The kind of reserve for identified risks.
 Included in cost and schedule baselines.
 It may be percentage of the estimation, a fixed number, or may be developed by using
quantitative analysis methods such as Monte Carlo simulation.

PM NOTEBOOK CHAPTER 11 – RISK MANAGEMENT | SCALES
OF THE AUTHOR.
18
 Would be incorrect to start with a zero value for contingency reserve.
 For known unknowns.
 If risks do not occur, the associated time or cost reserves should be returned to the
company, rather than used to address other issues on the project.
Management Reserve – Company’s project reserve for unexpected, unplanned overruns or risks.
 Not part of cost or schedule baselines.
 Part of total cost budget.
 PM needs management permission to use this reserve.
 For unknown unknowns.
Scales
Cardinal Scales – A ranking approach to identify the probability and impact by using a numerical
value, from 0.01 (very low) to 1.0 (certain).
Ordinal Scales – A ranking approach that identifies and ranks the risks from very high to very
unlikely or to some other value.
Red, Amber, and Green (RAG) Rating – An ordinal scale that uses red, amber, and green to
capture probability, impact and risk score.
Additional Terms
Fait Accompli – a thing that has already happened or been decided before those affected hear
about it, leaving them with no option but to accept it.

PM Notebook - Chapter 11: Risk Management

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à PM Notebook - Chapter 11: Risk Management

Similaire à PM Notebook - Chapter 11: Risk Management (20)

Plus de Mohammad Elsheimy

Plus de Mohammad Elsheimy (20)

Dernier

Dernier (14)

PM Notebook - Chapter 11: Risk Management