|
|
|
Analyzing what assumptions have been made on the project, and whether they are valid, may lead to the identification of more risks.. (RM, p 418)
|
|
|
|
This technique looks at the checklist of risk categories that we discussed in the Plan Risk Management section of this chapter. The checklist is used to help identify specific risks within each category. (RM, p 418)
|
|
|
|
The time when each identified risk can logically occur will eventually pass. Closing of risks allows the team to focus on managing the risks that are still open. The closing of a risk will likely result in the associated risk reserve being returned to the company. (RM, p 439)
|
|
|
Common Risk Management Errors
|
1. Risk identification is completed without knowing enough about the project.
2. Project risk is evaluated using only a questionnaire, interview, or Monte Carlo analysis and thus does not provide specific risks.
3. Risk identification ends too soon, resulting in a brief list (20 risks) rather than an extensive list (hundreds of risks).
4. Padding is used instead of a risk management process.
5. The processes of Identify Risks through Perform Quantitative Risk Analysis are blended, resulting in risks that are evaluated or judged as they come to light. This decreases the number of total risks identified and causes people to stop participating in risk identification.
6. The risks identified are general rather than specific (e.g., "communications" rather than "poor communication of customer's needs regarding installation of system XYZ could cause two weeks of rework").
7. Some things considered to be risks are not uncertain; they are facts, and are therefore not risks.
8. Whole categories of risks (such as technology, cultural, marketplace, etc.) are missed.
9. Only one method is used to identify risks (e.g., only using a checklist) rather than a combination of methods. A combination helps ensure that more risks are identified.
10. The first risk response strategy identified is selected without looking at other options and finding the best option or combination of options.
11. Risk management is not given enough attention.
12. Project managers do not explain the risk management process to their team
|
|
|
|
Contingency plans are plans describing the specific actions that will be taken if the opportunity or threat occurs. (RM, p432)
For the remaining (residual) threats that cannot be eliminated:
• Do something if the risk happens (contingency plans). Contingency plans should be measurable so you can evaluate their effectiveness.
• Do something if contingency plans are not effective or are only partially effective (fallback plans). (RM, p427)
the best answer to a question describing a major problem on the project would be the choice that talks about implementing the contingency plan, rather than the choice that talks about discussing possible solutions to the problem after it has occurred.(RM, p428)
Other strategies (called contingency plans involve coming up with a plan to be implemented when and if a risk occurs. (RM, p428)
|
|
|
|
Quantitative probability and impact can be determined in various ways, including the following: (RM, p422)
Know the following about decision trees for the exam:
13. A decision tree takes into account future events in making a decision today.
14. It calculates the expected monetary value (probability times impact) in more complex situations than the expected monetary value example previously presented. With a decision tree, you could evaluate the costs and benefits of several risk responses at once to determine which would be the best option.
15. It involves mutual exclusivity (previously explained in the Quality Management chapter). (RM, p424)
|
|
|
Definition of Risk Management
|
Through risk management, you work to increase the probability and impact of opportunities on the project (positive events), while decreasing the probability and impact of threats to the project (negative events). (RM, p407)
|
|
|
|
Some of the tools described in the Quality Management chapter can also be used to analyze the root causes of issues. These include cause and effect diagrams and flowcharts. When used as part of risk identification, they help identify additional risks for the project. (RM, p418)
|
|
|
|
Those involved in risk identification might look at this documentation, as well as lessons learned, articles, and other documents, to help uncover risks. (RM, p 417)
|
|
|
|
Determine how much quantified risk the project has through expected monetary value analysis or Monte Carlo analysis (described later in this section). (RM, p 422)
Quantitative probability and impact can be determined in various ways, including the following: (RM, p422)
To evaluate a risk, you can look at the probability or the impact, but calculating the expected monetary value is a better measure to determine an overall ranking of risks. The formula for expected monetary value (EMV) is simply probability (P) times impact (I).
EMV=PxI
Note that for opportunities, expected monetary value is often presented as a positive amount (e.g., 3,000), whereas threats are usually presented as a negative number (e.g., —3,000).
(RM, p423)
|
|
|
|
These plans are specific actions that will be taken if the contingency plans are not effective. (RM, p432)
|
|
|
Information Gathering Techniques
|
Brainstorming
Brainstorming is usually done in a meeting where one idea helps generate another.
Delphi technique
This technique is used to achieve consensus among experts who participate anonymously. A request for information is sent to the experts, their responses are compiled, and the results are sent back to them for further review until consensus is reached. This technique can also be used for analyzing risks as well as for collecting requirements and estimating time and cost.
Interviewing
Also called expert interviewing on the exam, this technique consists of the team or project manager interviewing project participants, stakeholders, or experts to identify risks on the project or a specific element of work.
Root cause analysis
In root cause analysis, the identified risks are reorganized by their root causes to help identify more risks.
(RM, p 418)
|
|
|
|
Determine how much quantified risk the project has through expected monetary value analysis or Monte Carlo analysis (described later in this section). (RM, p 422)
Quantitative probability and impact can be determined in various ways, including the following: (RM, p422)
Monte Carlo analysis uses the network diagram and estimates to "perform" the project many times and to simulate the cost or schedule results of the project.
1. Is usually done with a computer-based program because of the intricacies of the calculations
2. Evaluates the overall risk in the project
3. Determines the probability of completing the project on any specific day, or for any specific cost
4. Determines the probability of any activity actually being on the critical path
5. Takes into account path convergence (places in the network diagram where many paths converge into one activity)
6. Translates uncertainties into impacts to the total project
7. Can be used to assess cost and schedule impacts
8. Results in a probability distribution
(RM, p423)
|
|
|
|
Do not forget that there can also be positive impacts—good risks, called opportunities! (RM, p 408)
Through risk management, you work to increase the probability and impact of opportunities on the project (positive events), while decreasing the probability and impact of threats to the project (negative events). (RM, p 407)
|
|
|
Probability and Impact Matrix
|
Organizations frequently have a standard rating system to promote a common understanding of what each risk rating means. (RM, p 419)
The probability and impact matrix may be used to sort or rate risks to determine which ones warrant an immediate response (and will therefore be moved on through the risk process) and which ones should be put on the watch list (described later). (RM, p 420)
|
|
|
|
Having reserves for time and cost is a required part of project management. You cannot come up with a schedule or budget for the project without them. (RM, p432)
|
|
|
|
Contingency reserves account for "known unknowns" (or simply "knowns"); these are items you identified in risk management. (RM, p432)
Calculated as part of the Cost Baseline. (RM, p432)
It is important to know that a contingency reserve may only be used to handle the impact of the specific risk it was set aside for. (RM, p 439) *
|
|
|
|
Management reserves account for "unknown unknowns" (or simply "unknowns"); these are items you did not or could not identify in risk management. (RM, p432)
Management reserves are estimated (RM, p432)
Under certain circumstances, usually determined by the performing organization, management reserves may be used for problems that had not previously been identified as risks. (RM, p439)
|
|
|
|
These are the risks that remain after risk response planning.
Those residual risks that are passively accepted should be properly documented and reviewed throughout the project to see if their ranking has changed. (RM, p431)
|
|
|
|
These three terms each refer to the level of risk an individual or group is willing to accept - Risk Appetites, Tolerance and Thresholds. (RM, p 407)
Risk appetite is a general, high-level description of the acceptable level of risk. (RM, p 407)
|
|
|
|
Questions always seem to come up on the exam that require you to know that the team needs to periodically review the risk management plan and risk register and adjust the documentation as required. (RM, p438)
|
|
|
|
Risk audits are performed to assess the overall process of risk management on the project, as well as the effectiveness of specific risk responses that have been implemented. (RM, p 438)
|
|
|
|
Someone who does not want to take risks is said to be risk averse. (RM, p. 408)
|
|
|
|
A risk breakdown structure (RBS) is an organizational chart that can help you identify and document risk categories (RM, p. 415)
There are many ways to classify or categorize risks such as
• External
• Internal
• Technical
• Unforeseeable
A better method to, use is to create specific categories of risk that may occur on your company's projects. (RM, p 416)
Expect the phrases "sources of risk" and "risk categories" to be used interchangeably on the exam. (RM, p 417)
Risk categorization examines the questions of "What will we find if we regroup the risks by categories? By work packages? (RM, p 421)
|
|
|
Risk Data Quality Assessment
|
This assessment answers the question of "How accurate and well understood is the risk information?"
A risk data quality assessment may include determining the following for each risk:
1. Extent of the understanding of the risk
2. Data available about the risk
3. Quality of the data
4. Reliability and integrity of the data (RM, p 421)
|
|
|
|
When looking at risk, it's necessary to determine the following:
1. The probability that a risk event will occur (how likely)
2. The range of possible outcomes (impact or amount at stake)
3. Expected timing for it to occur in the project life cycle (when)
4. The anticipated frequency of risk events from that source (how often) (RM, p 408)
|
|
|
|
This is the primary output of the Plan Risk Management. It includes
1. Methodology
2. Roles and Responsibilities
3. Budget
4. Timing
5. Risk Categories
6. Definitions of probability and impact
7. Stakeholder Tolerances
8. Reporting
9. Tracking (RM, p 415)
|
|
|
|
Through risk management, you work to increase the probability and impact of opportunities on the project positive events), while decreasing the probability and impact of threats to the project (negative events). (RM, p 407)
Risk management is a very step-by-step, process-oriented part of project management, so expect to see risk management input and output questions on the exam (RM, p. 409)
You must MEMORIZE what happens when and know how risk management, done well, can change the way projects are managed and how it can change what happens in a typical day on a project. (RM, p. 415)
|
|
|
Sequential Risk Management Process
|
1. Plan Risk Management
2. Identify Risks
3. Perform Qualitative Risk Analysis
4. Perform Quantitative Risk Analysis
5. Plan Risk Responses
6. Control Risks
Although the processes are done in sequence, remember that they are often repeated during the course of the project, starting in initiating and going all the way through the end of the project. Risks can be identified at any time, as can the responses for what to do about the new risks. (RM, p. 415)
|
|
|
|
risk owners—individuals who watch out for and implement preplanned responses. (RM, p428)
Each risk must be assigned to someone who may help develop he risk response and who will be assigned to carry out the risk response or "own" the risk. The risk owner can be a stakeholder other than a team member. (RM, p432)
|
|
|
|
• The risk register is where most of the risk information is kept.
• Think of it as one document for the whole risk management process that will be constantly updated with information as Identify Risks and the later risk management processes are completed.
• The risk register becomes part of the project documents and is included in historical records that will be used for future projects. (RM, p 418)
•
At this point in the risk management process (Identify Risk), the risk register includes:
1. List of risks
Risks should be stated as clearly and specifically as possible.
2. List of potential responses
Although risk response planning occurs later, one of the things experienced risk managers know is that it is not always logical to separate work on each part of risk management. There will be times when a response is identified at the same time as a risk.These responses should be added to the risk register as they are identified, and analyzed later as part of risk response planning.
3. Root causes of risks
The root causes of risks are documented. This information is valuable in later efforts to reassess risk on the project and for historical records to be used for future projects.
4. Updated risk categories
You will notice a lot of places where historical records and company records are updated throughout the project management process. Make sure you are aware that lessons learned and communicating information to other projects do not just happen at the end of the project. As part of the risk identification effort, the project provides feedback to the rest of the company regarding new categories of risk to add to the checklist. (RM, p 418)
|
|
|
|
Avoid/Exploit Mitigate /Enhance Transfer/Share Accept
Qualitative risk analysis, quantitative risk analysis, and risk response planning do not end once you begin work on a project. (RM, p428)
Some strategies involve changing the planned approach to completing the project (e.g., changes to the WBS, quality management plan resources, communications, schedule, or budget).
Other strategies (called contingency plans involve coming up with a plan to be implemented when and if a risk occurs. It is important to mak sure all options are investigated. (RM, p428)
Whether responding to threats or opportunities:
• Strategies must be timely.
• The effort selected must be appropriate to the severity of the risk—avoid spending more money
• preventing the risk than the impact of the risk would have cost if it occurred.
• One response can be used to address more than one risk.
• More than one response can be used to address the same risk.
• A response can address a root cause of risk and thereby address more than one risk.
• The team, other stakeholders, and experts should be involved in selecting a strategy. (RM, p429)
|
|
|
|
Eliminate the threat by eliminating the cause, such as removing the work package or person. (RM, p428)
|
|
|
|
Reduce the probability and/or the impact of a threat, thereby making it a smaller risk and possibly removing it from the list of top risks on the project.
Options for reducing the probability are looked for separately from options for reducing the impact.(RM, p429)
|
|
|
|
Make another party responsible for the risk by purchasing insurance, performance bonds, warranties, or guarantees or by outsourcing the work. (RM, p429)
|
|
|
|
Add work or change the project to make sure the opportunity occurs. (RM, p 429)
|
|
|
|
Increase the likelihood (probability) and/or positive impacts of the risk event. (RM, p 429)
|
|
|
|
Allocate ownership or partial ownership of the opportunity to a third party (forming a partnership, team, or joint venture) that is best able to achieve the opportunity. (RM, p 429)
|
|
|
|
Active acceptance may involve the creation of contingency plans to be implemented if the risk occurs and the allocation of time and cost reserves to the project.
Passive acceptance leaves actions to be determined as needed (workarounds), if (after) the risk occurs.
A decision to accept a risk must be communicated to stakeholders. (RM, p429)
|
|
|
|
These three terms each refer to the level of risk an individual or group is willing to accept - Risk Appetites, Tolerance and Thresholds. (RM, p 407)
A risk threshold' is the specific point at which risk becomes unacceptable (RM, p. 408)
|
|
|
|
These three terms each refer to the level of risk an individual or group is willing to accept - Risk Appetites, Tolerance and Thresholds. (RM, p 407)
The term risk tolerance is more specific, as it refers to a measurable amount of acceptable risk. (RM, p 408)
|
|
|
|
These are events that trigger the contingency response. (RM, p432)
|
|
|
|
In addition to creating a short list of risks, qualitative risk analysis includes noting risks that should move more quickly through the process than others. (RM, p 421)
Urgent risks may then be moved, independently, right into risk response planning while the rest continue through quantitative risk analysis, or they may simply be the first ones for which you plan a response in risk response planning. (RM, p 421)
|
|
|
|
Frequently, a response to one risk will create the possibility of new risks that would otherwise not have occurred. (RM, p432)
|
|
|
|
Perform sensitivity analysis to determine which risks have the most impact on the project. (RM, p422)
Quantitative probability and impact can be determined in various ways, including the following: (RM, p422)
|
|
|
|
This analysis looks at the project to identify its strengths and weaknesses and thereby identify risks (opportunities and threats). (RM, p 418)
|
|
|
|
Project managers often just focus on threats—what can go wrong and negatively impact the project. (RM, p. 408)
Through risk management, you work to increase the probability and impact of opportunities on the project (positive events), while decreasing the probability and impact of threats to the project (negative events). (RM, p 407)
Remember that threats can be eliminated and opportunities exploited, but the time and trouble involved in eliminating ALL the risks and exploiting ALL the opportunities identified on a project would probably not be worthwhile. (RM, p 428)
|
|
|
|
In addition to risk categories, risks can be classified under two main types:
• Business risk Risk of a gain or loss
• Pure (insurable) risk2 Only a risk of loss (e.g., fire, theft, personal injury, etc.) (RM, p. 415)
|
|
|
Variance and Trend Analysis
Watch List
|
These risks are documented in the risk register for later review during the Control Risks process. (RM, p 421)
|
|
|
|
A workaround is a response to a threat that has occurred for which a prior response had not been planned or was not effective (PMBOK P 567)
workarounds are unplanned responses developed to deal with the occurrence of unanticipated events or problems on a project (or to deal with risks that had been accepted because of unlikelihood of occurrence and/or minimal impact). (RM, p 438)
|
|
|
|
A risk event is something identified in advance that may or may not happen. If it does happen, can have positive or negative impacts on the project. (RM, p407)
Up to 90 percent the threats identified and investigated in the risk management process can be eliminated. (RM, p407)
|
|
|
|
Uncertainty is a lack of knowledge about an event that reduces confidence in conclusions drawn from the data. (RM, p 407)
|
|
|
|
The project manager, sponsor, team, customer, other stakeholders, and experts may be involved in the Plan Risk Management process to define how risk management will be structured and performed for the project. (RM, p. 415)
Risk management efforts should be appropriate to the size and complexity of the project as well as the experience and skill level of the project team (RM, p. 415)
The Plan Risk Management process answers the question of how much time should be spent on risk management based on the needs of the project. (RM, p. 415)
|
|
|
|
This effort should involve all stakeholders and might even include literature reviews, research, and talking to non-stakeholders. (RM, p 417)
However, the major risk identification effort occurs during planning. Because risk identification primarily occurs during project initiating and planning, the exam has often said that the major part of risk identification happens at the onset of the project.(RM, p 417)
At this point in the risk management process (Identify Risk), the risk register includes:
1. List of risks
Risks should be stated as clearly and specifically as possible.
2. List of potential responses
Although risk response planning occurs later, one of the things experienced risk managers know is that it is not always logical to separate work on each part of risk management. There will be times when a response is identified at the same time as a risk. These responses should be added to the risk register as they are identified, and analyzed later as part of risk response planning.
3. Root causes of risks
The root causes of risks are documented. This information is valuable in later efforts to reassess risk on the project and for historical records to be used for future projects.
4. Updated risk categories
You will notice a lot of places where historical records and company records are updated throughout the project management process. Make sure you are aware that lessons learned and communicating information to other projects do not just happen at the end of the project. As part of the risk identification effort, the project provides feedback to the rest of the company regarding new categories of risk to add to the checklist. (RM, p 418)
|
|
|
Perform Qualitative Risk Analysis
|
Which risks do we need to pay attention to? This process is subjective.
You need to analyze the risks, including their probability and potential impact on the project, to determine which ones warrant a response. The Perform Qualitative Risk Analysis process involves doing this analysis and creating a short list of the previously identified risks. (RM, p 419)
In addition to creating a short list of risks, qualitative risk analysis includes noting risks that should move more quickly through the process than others. (RM, p 421)
Qualitative risk analysis can also be used to:
1. Compare the risk of the project to the overall risk of other projects.
2. Determine whether the project should be continued or terminated.
3. Determine whether to proceed to the Perform Quantitative Risk Analysis or Plan Risk Responses processes (depending on the needs of the project and the performing organization). (RM, p 421)
Qualitative risk analysis, quantitative risk analysis, and risk response planning do not end once you begin work on a project. (RM, p428)
|
|
|
Outputs of Perform Qualitative Risk Analysis
|
This process results in assumptions log updates (or updates to the assumptions in the project scope statement); these updates include new information or clarifications about documented assumptions made about the project. (RM, p 421)
|
|
|
Perform Quantitative Risk Analysis
|
The Perform Quantitative Risk Analysis process involves numerically analyzing the probability and impact (the amount at stake or the consequences) of risks moved forward from qualitative risk analysis.
The purpose or quantitative risk analysis is to:
1. Determine which risk events warrant a response.
2. Determine overall project risk (risk exposure).
3. Determine the quantified probability of meeting project objectives (e.g., "We only have an 80 percent chance of completing the project within the six months required by the customer," or "We only have a 75 percent chance of completing the project within the 80,000 budget").
4. Determine cost and schedule reserves.
5. Identify risks requiring the most attention.
6. Create realistic and achievable cost, schedule, or scope targets. (RM, p 422)
Quantitative risk analysis is a more objective or numerical evaluation; the rating of each risk is based on an attempt to measure the actual probability and amount at stake (impact). (RM, p 422)
As a project manager, you should always do qualitative risk analysis, but quantitative risk analysis is not required for all projects and may be skipped in favor of moving on to risk response planning. You should proceed with quantitative risk analysis only if it is worth the time and money on your project. (RM, p 422)
Qualitative risk analysis, quantitative risk analysis, and risk response planning do not end once you begin work on a project. (RM, p428)
|
|
|
Outputs of Perform Quantitative Risk Analysis
|
|
|
|
|
The Plan Risk Responses process involves figuring out "What are we going to do about each top risk?" In (RM, p427)
Qualitative risk analysis, quantitative risk analysis, and risk response planning do not end once you begin work on a project. (RM, p428)
If the project work has not begun, these suggested changes are likely part of the Plan Risk Responses update outputs. Otherwise, these suggested changes will be the Control Risks output of change requests.(RM, p.440)
Once project work has begun and the work of Control Risks is being performed, new risks may be identified, or risks may be reassessed based on project knowledge or evaluation of risk processes. When this occurs, the risk planning processes must again be performed appropriately, and the new risks must be evaluated and ranked, which may result in more risk response planning. The trick here is to remember that the approved project management plan and baselines are not static while work is performed, but changes to them must go through integrated change control.(RM, p 440)
|
|
|
Outputs of Plan Responses
|
The outputs of the Plan Risk Responses process are the updates to the
project management plan,
risk register,
and other project documents. (RM, p 431)
Rita's Process Chart represents this analysis, evaluation, and integration of the management plan changes during project planning as part of "Go back—iterations:' It is expected that in the planning process, the project manager will lead the subject matter experts assisting with project planning through as many iterations of the management plans as necessary before coming up with a project management plan that is bought into, approved, realistic, and formal. (RM, p,431
|
|
|
|
Risk-related questions on the exam are asked assuming the project manager has done proper project management, including assigning risk owners, putting contingency plans in place, and taking other such actions. (RM, p 436)
If the project work has not begun, these suggested changes are likely part of the Plan Risk Responses update outputs. Otherwise, these suggested changes will be the Control Risks output of change requests.(RM, p.440)
Once project work has begun and the work of Control Risks is being performed, new risks may be identified, or risks may be reassessed based on project knowledge or evaluation of risk processes. When this occurs, the risk planning processes must again be performed appropriately, and the new risks must be evaluated and ranked, which may result in more risk response planning. The trick here is to remember that the approved project management plan and baselines are not static while work is performed, but changes to them must go through integrated change control.(RM, p 440)
|
|
|
Risk Breakdown Structure (RBS)
|
A risk breakdown structure (RBS) is an organizational chart that can help you identify and document risk categories (RM, p.415)
|
|
|
Determining Quantitative Probability and Impact
|
Quantitative probability and impact can be determined in various ways, including the following: (RM, p422)
1. Interviewing
2. Cost and tithe estimating
3. Delphi technique
4. Use of historical records from previous projects
5. Expert judgment
6. Sensitivity analysis (described next)
7. Expected monetary value analysis (described later in this section)
8. Monte Carlo analysis (described later in this section)
9. Decision trees (described later in this section) (RM, P422)
|
|
|
|
Reserve analysis while the work is being done is simply a matter of checking to see how much reserve remains and how much might be needed. It is like checking the balance in your bank account. (RM, p439)
|
|
|
|
|
