Retired course
This course has been retired and is no longer supported.
About this lesson
Risk management processes guide the project manager and project team in the identification, analysis, response and control of risk.
Quick reference
Project Risk Management
When to use
While risk management should be practiced throughout the life of the project, the emphasis tends to change. Early in the project there are many risks and uncertainties, but there are also many options for addressing those risks. As the project progresses, the number of risks goes down because things that were uncertain become known. However, the ability to respond to risk and the magnitude of the risk impact go up because there are less time and fewer resources left as you approach project completion.
Instructions
Project Risk Management
“Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response planning, response implementation and monitoring risk on a project.” PMBOK® Guide
Because of the unique nature of a project, there are uncertainties. There are things that have never been done a certain way, by this project team, to achieve the objectives for this project, in this time period and with these business conditions. While a project manager normally manages the risk management process, they rely heavily on their project team members, who are often the subject matter experts, to identify threats and opportunities. Risk management is normally a standard part of every project team meeting. It is impossible to eliminate risk on a project, but it can be managed.
Early in the project the emphasis needs to be on identifying all risks so that a project plan can be put in place that 1) avoids threats, 2) leverages opportunities, and 3) has risk response options built in for those threats that cannot be avoided. Before the project plan is baselined, risk responses should be included for all major threats. As the project progresses, the emphasis shifts to finding early warnings of new risks and checking the efficacy of the risk response approach that was embedded into the plan.
We sometimes talk about “known” risks and “unknown” risks. Known risks are those that we have identified as a threat or opportunity, but the likelihood of occurrence is uncertain. The unknown risks are those that have not been identified. In some cases a category of risk can be identified, but the specific risk won’t be known until the project progresses. Examples of this are weather delays on a construction project or software bugs on an IT project.
Project Risk Management Processes
There are seven Project Risk Management processes. They relate to each other as shown in the diagram below. They are often conducted in parallel: while one risk is being identified, another risk is being analyzed and the risk response for a third risk is being prepared. The seven processes are:
- 11.1 Plan Risk Management: “The process of defining how to conduct risk management activities for a project.” PMBOK® Guide
- 11.2 Identify Risks: “The process of identifying individual process risks as well as sources of overall project risks and documenting their characteristics.” PMBOK® Guide
- 11.3 Perform Qualitative Risk Analysis: “The process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics.” PMBOK® Guide
- 11.4 Perform Quantitative Risk Analysis: “The process of numerically analyzing the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives.” PMBOK® Guide
- 11.5 Plan Risk Responses: “The process of developing options, selecting strategies, and agreeing on actions to address overall project risk exposure as well as to treat individual project risks.” PMBOK® Guide
- 11.6 Implement Risk Response: “The process of implementing agreed upon risk response plans.” PMBOK® Guide
- 11.7 Monitor Risks: “The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project.” PMBOK® Guide
Risk Sensitivity and Risk Analysis
A complicating factor in risk analysis is that each organization, and often each stakeholder, will have a different sensitivity to risk. This sensitivity is based upon past experience, duties and responsibilities, and sometimes even personality. In addition, many organizations or stakeholders will change their risk sensitivity based upon what is happening in the business or in other parts of the project. There are three terms which help us understand the concept of risk sensitivity:
- Risk Threshold: “The level of risk exposure above which risks are addressed and below which risks may be accepted.” PMBOK® Guide
- Risk Appetite: “The degree of uncertainty an organization or individual is willing to accept in anticipation of a reward.” PMBOK® Guide
- Risk Exposure: “An aggregate measure of the potential impact of all risks at any given point in time in a project, program, or portfolio.” PMBOK® Guide
In an effort to reduce the reliance on personal risk sensitivity to determine which risks are significant on the project, many organizations use a risk matrix to do a preliminary, or qualitative, assessment of the risk. While this risk analysis might calculate a risk value or risk rating, it is still heavily subjective. For those very high risks, a company will often do a more rigorous quantitative analysis. The Decision Tree and EMV quantitative analysis is discussed in detail in another lesson. The Probability and Impact Matrix shown below is an example of applying an analytical process to a subjective measure. For instance, the impact measures of “High” or “Low” are subjective, but by using a preassigned value for each of those measures, the analysis provides a rationale for why some risks are treated as major, or “Red,” risks and others are not.
Project Management Institute, A Guide to the Project Management Body of Knowledge, (PMBOK® Guide) – Sixth Edition, Project Management Institute, Inc., 2017, Figure 11-5, Page 408 and Glossary definitions on Pages 708, 711, 712, 713, 717, 720 and 721. PMBOK is a registered mark of the Project Management Institute, Inc.
- 00:05 Hi, I'm Ray Sheen.
- 00:06 I'd now like to talk about project risk management knowledge area.
- 00:09 According to the Project Management Body of Knowledge, the PMBOK Guide,
- 00:14 project risk management includes the processes of conducting risk
- 00:18 management planning, identification, analysis, response planning,
- 00:23 response implementation and monitoring risk in our project.
- 00:27 Risk always exists, but what you do about it can vary greatly.
- 00:32 The attitude by the organization and stakeholders towards risk
- 00:35 is based upon several factors, each of which is defined by the PMBOK Guide.
- 00:40 Risk threshold is the level of risk exposure above which risks are addressed
- 00:45 and below which may be accepted.
- 00:47 This is the level at which they begin to care.
- 00:50 Risk appetite is the degree of uncertainty an organization or
- 00:54 individual is willing to accept in anticipation of a reward.
- 00:58 Think of this as the thrill seeker effect.
- 01:00 Some individuals with corporate cultures like to try crazy things and some do not.
- 01:05 Risk exposure is an aggregate measure of the potential impact of all risks
- 01:10 at any given point in time in a project, program, or portfolio.
- 01:15 Think of this as the overload effect.
- 01:17 A risk might be acceptable if it's the only one on the project.
- 01:20 But if it's one of 20, the stakeholder may say no.
- 01:24 There are seven project risk management processes, let's take a look at them.
- 01:28 Plan risk management determines the policies, procedures and
- 01:31 templates that will be used while managing the project.
- 01:34 Identify risk includes risk identification or
- 01:38 as very important for us in the PMP exam.
- 01:40 It is the process that initiates the risk register.
- 01:43 Perform qualitative risk analysis prioritizes risks.
- 01:47 And perform quantitative risk analysis creates a numerical value for the risk.
- 01:52 This usually takes a lot of effort, so I only do that with very high risks,
- 01:56 where I need more data to determine how to resolve them.
- 02:00 Plan risk response, is determining how to change the plan or
- 02:03 the project management methodology to reduce or eliminate the risk.
- 02:07 Implement risk response is just that, and let's be clear, unless you respond and
- 02:12 implement your plan, the previous analysis was worthless.
- 02:16 Finally, monitor risks checks to see if the risk response plan is working, and
- 02:21 if new risks have been identified and analyzed.
- 02:25 This is an example of a probability and impact matrix, which is used for
- 02:29 prioritizing risks using a qualitative estimate of probability and impact for
- 02:34 both threats and opportunities.
- 02:35 The project leader gets a number score to rank them and
- 02:39 colors to convey their importance.
- 02:41 The red yellow green is an indication of how good the project plan is,
- 02:45 not necessarily whether the project results will be met.
- 02:49 Notice that opportunities with high probability and high impact are also red.
- 02:53 Not because the project results are in trouble, but
- 02:56 rather because the project plan will likely change.
- 03:00 What I said risk analysis is worthless unless you respond to it.
- 03:04 Let's look at the types of responses.
- 03:06 If you have a risk threat the response follows one of five patterns.
- 03:11 You change the plan to prevent the risk that's avoiding it.
- 03:15 You change the plan to reduce the impact or probability which is mitigate.
- 03:19 You outsource responsibility for
- 03:21 the risky activity and what could go wrong which is transferring it.
- 03:24 You can go to your stakeholders with the situation escalated or
- 03:29 choose to do nothing and just accept the risk.
- 03:32 There are also five responses to an opportunity risk.
- 03:35 You can change the plan to take advantage of the opportunity, exploit.
- 03:39 You could change the plan to increase the likelihood or
- 03:42 the impact of the opportunity, enhance.
- 03:45 You could expand the opportunity by bringing in a partner, share.
- 03:49 You could take this opportunity to the stakeholders to get their permission,
- 03:53 escalate, or you could do nothing proactively with respect to this risk,
- 03:57 which is to accept it.
- 03:58 Which approach you will use depends upon your risk analysis and
- 04:02 the organization's appetite and threshold.
- 04:05 Sometimes you don't know what a good approach is, and
- 04:08 often that's the case when the likelihood is low but the impact is high.
- 04:12 In that case, use the contingent response, a two-step process.
- 04:16 Step one is to accept, do nothing in the project plan now but watch the risk and
- 04:21 the surrounding circumstances to determine if the risk grows or shrinks.
- 04:26 We call this setting a trigger.
- 04:28 Step two is to have an alternate project plan that accounts for the risk condition.
- 04:32 If the trigger is tripped, the alternate plan is then put into the project, and
- 04:37 it continues now with the new project plan.
- 04:41 So let's look at how these processes interact with each other.
- 04:44 Once again, we'll start with the plan risk management process.
- 04:48 This process sends the project risk management plan for
- 04:51 a corporation into the project management plan.
- 04:54 The project management plan is the input for
- 04:56 all of the other processes, including the plan risk management process.
- 05:01 We see that plan risk response and
- 05:02 monitor risks both provide updates to the project management plan.
- 05:07 The key process for project documentation is identify risks.
- 05:11 This process creates the risk register and as risks are analyzed and actions taken,
- 05:16 the process creates the risk report that indicates the status of risk management.
- 05:20 All the processes except for
- 05:21 plan risk management are updating the project documents.
- 05:24 In particular they're updating the risk register.
- 05:29 These processes are a great backdrop for many PMP exam questions.
- 05:33 Lots of analysis we can do here, lots of different directions we can go.
- 05:37 Make sure you've studied them.
PMI, PMP, CAPM and PMBOK are registered marks of the Project Management Institute, Inc.