Risk
Knowledge Area Summary
§ risk identification, management and response strategy impact every area of the project management life cycle
§ everyone is responsible for identifying risks
§ risk has one or more causes and has one or more impacts
§ risk = uncertainty; risk management: increase the probability of project success by minimizing/eliminating negative risks (threats) and increasing positive events (opportunities)
§ risk attitudes (EEF): risk appetite (willingness to take risks for rewards), tolerance for risk (risk tolerant or risk averse), risk threshold (level beyond which the org refuses to tolerate risks and may change its response)
§ pure (insurable) risk vs business risk (can be +ve or -ve)
§ known risks that cannot be dealt with proactively (active acceptance) should be assigned a contingency reserve; if the known risks cannot be analyzed, just wait for them to happen and implement a workaround (passive acceptance)
6. Control Risk
Plan Risk Management
§ define and provide resources and time to perform risk management, including: methodology, roles and responsibilities, budget, timing (when and how often), risk categories (e.g. RBS), definitions, stakeholder tolerances (an EEF), reporting and tracking
§ performed at project initiation and early in the Planning process
§ failure to address risks early on can ultimately be more costly
§ analytical techniques include stakeholder risk profile analysis, strategic risk scoring sheets
§ a risk breakdown structure (RBS) (included in the PM Plan) – risks grouped by categories and occurring areas
§ key risk categories: scope creep, inherent schedule flaws, employee turnover, specification breakdown (conflicts in deliverable specifications), poor productivity
Identify Risks
§ determine all risks affecting the project
§ information-gathering techniques: brainstorming, Delphi technique [a panel of independent experts, maintain anonymity, use questionnaire, encourage open critique], root cause analysis [performed after an event to gain understanding to prevent similar events from occurring], expert interviewing, SWOT analysis
§ root cause analysis: safety-based (prevent accidents), production-based, process-based (include business process), failure-based, systems-based (all above)
§ root cause analysis tools: FMEA, Pareto Analysis, Bayesian Inference (conditional probability), Ishikawa Diagrams, Kepner-Tregoe
§ Monte Carlo analysis can identify points of schedule risks
§ Influence Diagram – graphical representations of situations showing causal influences, time ordering of events, and other relationships among variables and outcomes.
§ Risk Register (typically not including the risk reserve)
§ The Risk Register may include a risk statement
§ any risk with a probability of >70% is an issue (to be dealt with proactively and recorded in the issue log)
Perform Qualitative Risk Analysis
§ prioritizing risks for further analysis/action and identifying high priority risks
§ need to identify bias and correct it (e.g. risk attitude of the stakeholders)
§ qualitative risk assessment matrix (format described in the Risk Management Plan)
§ update to risk register and other related documents
§ risk register updates are outputs of Perform Qualitative Risk Analysis, Perform Quantitative Analysis, Plan Risk Responses and Monitor & Control Risks
§ the scope baseline is used to understand whether the project is a recurrent type or a state-of-the-art type (more risks)
§ risks requiring near-term responses are more urgent to address
Perform Quantitative Risk Analysis
§ the cost, schedule and risk management plans contain guidelines on establishing and managing risks
§ involves mathematical modeling for forecasts and trend analysis
§ data gathering and representation techniques: interviewing, probability distributions [normal distribution (bell shaped curve)],
§ sensitivity analysis (using the tornado diagram as presentation) for determining the risks that have the most impact on the project
§ Failure Modes Effects Analysis (FMEA)
§ FMEA for manufactured product or where risk may be undetectable, Risk Priority Number (RPN) = severity (1-10) x occurrence ([0.07%] 1-10 [20%]) x detectability (1-10 [undetectable]), also a non-proprietary approach for risk management
§ Expected Value / Expected Monetary Value (EMV): probability x impact (cost/effort lost), opportunities (+ve values), threats (-ve values)
§ Monte Carlo Analysis – runs simulations many times over to calculate probabilities heuristically, just like actually playing and recording your results in a real casino; an ‘S’ curve (cumulative distribution) results; may use PERT/triangular distribution to model data; may use thousands of data points (a random variable); used for budget/schedule analysis
§ Decision Tree Analysis – another form of EMV, branching: decision squares (decision branch – options), circles (uncertainty branch – possible outcomes)
Plan Risk Responses
§ plan response to enhance opportunities and reduce threats
§ each risk is owned by a responsible person
§ the watch list is the list of low priority risk items in the risk register
§ a fallback plan will be used if 1) risk response not effective, 2) accepted risk occurs
§ risk strategies: 1) prevent risk, 2) respond to risk, 3) reduce risk, 4) promote opportunities, 5) fallback if risk response fails
§ negative risk strategies: eliminate/avoid (not to use, extend the schedule), transfer (outsource, warranty, insurance), mitigate (reduce the risk by more testing/precautionary actions/redundancy), accept (passive – do nothing or active – contingency)
§ positive risk strategies: exploit (ensure opportunity by using internal resources e.g. reduce cost/use of top talents/new tech), share (contractor with specialized skills, joint venture), enhance (increase likelihood / impact e.g. fast-tracking, add resources etc.), accept
§ passive risk acceptance: to be dealt with when the risk occurs
§ Contingency Plan (contingent response strategies) (plan A) is developed for a specific risk (when you have accepted a risk) with certain triggers vs Fallback Plan (plan B)
§ Residual Risks – risks that remain after the risk response strategy was implemented; may be identified in the planning process (may be subject to contingency/fallback planning). They don’t need any further analysis because you have already planned the most complete response strategy you know in dealing with the risk that came before them.
§ Secondary Risks – risks that arise when the risk response strategy was implemented
§ Contingency Reserve: known unknowns (determined risk), part of cost baseline
§ Management Reserve: unknown unknowns (discovery risk), part of project budget
§ The Risk Register is now completed with: risks and descriptions, triggers, response strategy, persons responsible, results from qualitative and quantitative analysis, residual and secondary risks, contingency and fallback, risk budget/time
Control Risks
§ when the above risk planning processes have been performed with due diligence, the project is said to have a low risk profile
§ to check if assumptions are still valid, procedures are being followed and whether there is any deviance
§ to identify new risks and evaluate effectiveness of risk response plan
§ any need to adjust contingency and management reserves
§ to re-assess the individual risk response strategies to see if they are effective
§ risk audits deal with effectiveness of risk response and the risk management process
§ risk audits are usually performed by experts outside the project team for the whole risk management process
§ reserve analysis and funds for contingencies apply only to the specific risks on the project for which they were set aside
§ workaround: when no contingency plan exists, executed on-the-fly to address unplanned events – still need to pass through normal change control if change requests are needed
§ determining the workaround is performed in Control Risks