Project Risk Management

- Project Risk Management is involved in risk identification, management and response strategy; it impacts every area of the project management lifecycle
- risk = uncertainty
- risk management = increase the probability of project success by minimizing/eliminating negative risks (threats) and increasing positive events (opportunities)
- everyone is responsible for identifying risks for the project
- a risk has one or more causes and one or more impacts
- risk attitudes (EEF): risk appetite (willingness to take risks for rewards), tolerance for risk (risk tolerant or risk-averse), risk threshold (level beyond which the organization refuses to tolerate risks and may change its response)
- pure (insurable) risk vs business risk (can be +ve or -ve)
- known risks that cannot be dealt with proactively (active acceptance) should be assigned a contingency reserve; if the known risks cannot be analyzed, just wait for them to happen and implement the workaround (which is considered passive acceptance)

Plan Risk Management

- Inputs: Project Charter, Project Management Plan, Project Documents, EEF, OPA
- Tools & Techniques: Expert Judgement, Data Analysis, Meetings
- Outputs: Risk Management Plan
- The Plan Risk Management process is involved in defining and providing resources and time to perform risk management
  - including methodology, roles and responsibilities, budget, timing (when and how often), risk categories (e.g. risk breakdown structure RBS), definitions, stakeholder tolerances (an EEF), reporting and tracking
- performed at project initiation and early in the Planning process
- failure to address risks early on can ultimately be more costly later on in the project
- Data Analysis techniques include stakeholder risk profile analysis (using the stakeholder register), strategic risk scoring sheets, etc.
- a risk breakdown structure (RBS) (included in the PM Plan): risks grouped by categories and occurring areas
- key risk categories:
  - scope creep
  - inherent schedule flaws
  - employee turnover
  - specification breakdown (conflicts in deliverable specifications)
  - poor productivity

Identify Risks

- Inputs: Project Management Plan, Project Documents, Agreements, Procurement Documentation, EEF, OPA
- Tools & Techniques: Expert Judgement, Data Gathering, Data Analysis, Interpersonal and Team Skills, Prompt Lists, Meetings
- Outputs: Risk Register, Risk Report, Project Document Updates
- to find out and document all risks affecting the project from all aspects of the project, including:
  - agreements/contracts within/outside of the organization
  - procurements
  - requirements, schedule, cost, resource, quality, scope, etc. from the project management plan
- Data Gathering Techniques: brainstorming, checklists, interviews, Delphi technique [a panel of independent experts, maintain anonymity, use questionnaire, encourage open critique]
- Data Analysis Techniques:
  - root cause analysis [performed after an event to gain understanding to prevent similar events from occurring], SWOT analysis, assumption and constraint analysis
  - root cause analysis: safety-based (prevent accidents), production-based, process-based (include business process), failure-based, systems-based (all above)
  - root cause analysis tools: FMEA, Pareto Analysis, Bayesian Inference (conditional probability), Ishikawa Diagrams, Kepner-Tregoe
  - Monte Carlo analysis can identify points of schedule risks
- Prompt List
  - The prompt list (newly added in PMBOK® Guide 6th Edition) is a predetermined list of risk categories at the lowest level of the risk breakdown structure, used to assist in identifying the risks of the project
  - examples of prompt lists:
    - PESTLE (political, economic, social, technological, legal, environmental)
    - TECOP (technical, environmental, commercial, operations, political)
    - VUCA (volatility, uncertainty, complexity, ambiguity)
- Risk Register (typically not including the risk reserve)
  - The Risk Register may include a risk statement
  - any risk with a probability of >70% is an issue (to be dealt with proactively and recorded in the issue log)
- The Risk Report (new in PMBOK® Guide 6th Edition) is a document used to present information (e.g. no. of identified threats and opportunities, distribution of risks across risk categories, metrics and trends) on overall project risk. It also includes summary information on individual project risks.

Perform Qualitative Risk Analysis

- Inputs: Project Management Plan, Project Documents, Agreements, Procurement Documentation, EEF, OPA
- Tools & Techniques: Expert Judgement, Data Gathering, Data Analysis, Interpersonal and Team Skills, Risk Categorization, Data Representation, Meetings
- Outputs: Project Document Updates (e.g. Risk Register)
- prioritizing risks for further analysis/action and identifying high priority risks
- risks requiring near-term responses are more urgent to address
- need to identify bias and correct it (e.g. risk attitude of the stakeholders)
- Data Analysis Techniques include:
  - Risk data quality assessment
  - Risk probability and impact assessment
  - Assessment of other risk parameters (e.g. urgency, proximity, dormancy, manageability, controllability, detectability, connectivity, strategic impact, propinquity)
- Data Representation Tools:
  - qualitative risk assessment matrix (format described in the Risk Management Plan)
  - hierarchical-type charts
- the risk register is updated along the following processes: Perform Qualitative Risk Analysis, Perform Quantitative Analysis, Plan Risk Responses and Monitor & Control Risks

Perform Quantitative Risk Analysis

- Inputs: Project Management Plan, Project Documents, Agreements, Procurement Documentation, EEF, OPA
- Tools & Techniques: Expert Judgement, Data Gathering, Interpersonal and Team Skills, Representation of Uncertainty, Data Analysis
- Outputs: Project Document Updates
- the cost, schedule and risk management plans contain guidelines on how to quantitatively analyze risks
- involves mathematical modelling for forecasts and trend analysis
- Representation of Uncertainty reflects the risks as a probability distribution, which can be one of the following distribution types:
  - Triangular
  - Normal (bell-shaped curve)
  - Lognormal
  - Beta
  - Uniform
  - Discrete
- Data Analysis Techniques:
  - sensitivity analysis (using the tornado diagram as presentation) for determining the risks that have the most impact on the project
  - Failure Modes Effects Analysis (FMEA)
    - FMEA is for manufactured products or where risk may be undetectable; Risk Priority Number (RPN) = severity (1-10) x occurrence ([0.07%] 1-10 [20%]) x detectability (1-10 [undetectable]); also a non-proprietary approach for risk management
  - Expected Value / Expected Monetary Value (EMV): probability x impact (cost/effort lost); opportunities (+ve values), threats (-ve values)
  - Simulations/Monte Carlo Analysis: running simulations many times over in order to calculate those same probabilities heuristically, just like actually playing and recording your results in a real casino situation; an 'S' curve (cumulative distribution) will result; may use PERT/triangular distribution to model data; may use thousands of data points (a random variable); for budget/schedule analysis
  - Decision Tree Analysis: another form of EMV; branching: decision squares (decision branch, options), circles (uncertainty branch, possible outcomes)
  - Influence Diagram: graphical representations of situations showing causal influences, time ordering of events, and other relationships among variables and outcomes
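
The EMV and Monte Carlo notes above, worked through as an added example (not part of the original notes): it computes EMV for discrete risks, samples triangular three-point cost estimates, and reads percentiles off the resulting 'S' curve. All work packages, risk names, probabilities, amounts and the P80 confidence level are constructed for illustration.

```python
import random

# Constructed sample data (not from the page): three-point cost estimates
# (optimistic, most likely, pessimistic) per work package.
ESTIMATES = {
    "design":  (8_000, 10_000, 15_000),
    "build":   (20_000, 25_000, 40_000),
    "testing": (5_000, 6_000, 12_000),
}
# Constructed discrete risks: (probability, impact). Threats are negative,
# opportunities positive, following the EMV sign convention in the notes.
RISKS = {
    "key engineer leaves":   (0.20, -12_000),
    "vendor delay":          (0.35, -8_000),
    "reuse existing module": (0.25, +6_000),
}

def emv(risks):
    """Expected monetary value: sum of probability x impact."""
    return sum(p * impact for p, impact in risks.values())

def simulate(estimates, risks, runs=10_000, seed=1):
    """Return sorted total-cost outcomes, one per Monte Carlo run."""
    rng = random.Random(seed)
    totals = []
    for _ in range(runs):
        cost = sum(rng.triangular(lo, hi, mode)
                   for lo, mode, hi in estimates.values())
        # Each risk fires with its own probability; a threat's negative
        # impact adds cost, an opportunity's positive impact removes cost.
        cost -= sum(impact for p, impact in risks.values() if rng.random() < p)
        totals.append(cost)
    return sorted(totals)

def percentile(sorted_totals, q):
    """Point on the cumulative 'S' curve: cost not exceeded in q% of runs."""
    idx = min(len(sorted_totals) - 1, int(q / 100 * len(sorted_totals)))
    return sorted_totals[idx]

def contingency(sorted_totals, estimates, q=80):
    """Reserve above the most-likely base needed to reach q% confidence."""
    base = sum(mode for _, mode, _ in estimates.values())
    return percentile(sorted_totals, q) - base

if __name__ == "__main__":
    totals = simulate(ESTIMATES, RISKS)
    print(f"EMV of discrete risks: {emv(RISKS):,.0f}")
    for q in (10, 50, 80, 95):
        print(f"P{q}: {percentile(totals, q):,.0f}")
    print(f"Contingency at P80: {contingency(totals, ESTIMATES):,.0f}")
```

The gap between the P80 cost and the sum of most-likely estimates is one way to size a contingency reserve; the EMV figure alone hides how wide the spread of outcomes is.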

Plan Risk Responses

- Inputs: Project Management Plan, Project Documents, Agreements, Procurement Documentation, EEF, OPA
- Tools & Techniques: Expert Judgement, Data Gathering, Interpersonal and Team Skills, Strategies for Threats, Strategies for Opportunities, Contingent Response Strategies, Strategies for Overall Project Risks, Data Analysis, Decision Making
- Outputs: Change Requests, Project Management Plan Updates, Project Document Updates
- plan responses to enhance opportunities and reduce threats
- each risk is owned by a responsible person
- the watch list is the list of low priority risk items in the risk register
- Negative Risk Strategies:
  - eliminate/avoid (not to use, extend the schedule)
  - transfer (outsource, warranty, insurance)
  - mitigate (reduce the risk by more testing/precautionary actions/redundancy)
  - accept (passive: do nothing, or active: contingency)
  - escalate (escalates a risk to the appropriate party; it can be deleted from the risk register or retained in the risk register with a remark)
- Positive Risk Strategies:
  - exploit (ensure opportunity by using internal resources e.g. reduce cost/use of top talents/new tech)
  - share (contractor with specialized skills, joint venture)
  - enhance (increase likelihood / impact e.g. fast-tracking, add resources etc.)
  - accept
    - passive risk acceptance: to be dealt with when the risk occurs
- Strategies for Overall Project Risk
  - the PM needs to address the overall project risks with one of the following strategies:
    - Avoid
    - Exploit
    - Mitigate/Enhance
    - Accept
- Contingency Plans (contingent response strategies) (plan A) are developed for a specific risk (when you have accepted a risk) with certain triggers, vs Fallback Plan (plan B)
- Residual Risks: risks that remain after the risk response strategy was implemented; may be identified in the planning process (may be subject to contingency/fallback planning). They don't need any further analysis because you have already planned the complete response strategy you know for dealing with the risk that came before them.
- Secondary Risks: risks that arise when the risk response strategy was implemented
- Reserve Types
- The Risk Register is now completed with: risks and descriptions, triggers, response strategy, persons responsible, results from qualitative and quantitative analysis, residual and secondary risks, contingency and fallback, risk budget/time

Implement Risk Responses (new in PMBOK® Guide 6th Edition)

- Inputs: Project Management Plan, Project Documents, OPA
- Tools & Techniques: Expert Judgement, Interpersonal and Team Skills, Project Management Information System
- Outputs: Change Requests, Project Document Updates
- in the Executing process group
- implementing risk responses is the responsibility of the risk owners
- to ensure that agreed-upon risk responses (as from the Plan Risk Response process) are executed as planned to
  - address overall project risk exposure
  - minimize individual project threats
  - maximize individual project opportunities
- the Project Management Information System provides the information to allow agreed-upon risk response plans and associated activities to be executed alongside other project activities

Control Risks

- Inputs: Project Management Plan, Project Documents, Agreements, Work Performance Data, Work Performance Reports
- Tools & Techniques: Data Analysis, Audits, Meetings
- Outputs: Work Performance Information, Change Requests, Project Management Plan Updates, Project Document Updates, OPA Updates
- when all the above risk planning processes have been performed with due diligence, the project is said to have a low-risk profile
- responsibilities include:
  - to check whether assumptions are still valid, whether procedures are being followed, and whether there is any deviance
  - to identify new risks and evaluate the effectiveness of the risk response plan
  - to determine any need to adjust contingency and management reserves
  - to re-assess the individual risk response strategies to see if they are effective
- risk audits deal with the effectiveness of risk response and the risk management process
- risk audits are usually performed by experts outside the project team for the whole risk management process
- Data Analysis Techniques:
  - reserve analysis: reserves apply only to the specific risks of the project for which they were set aside
  - technical performance analysis
- workaround: when no contingency plan exists, executed on-the-fly to address unplanned events; still needs to pass through normal change control if change requests are needed
  - determining the workaround is performed in Control Risks