©Paul Taaffe

Project Risk Management

Definition of insanity:
“doing the same thing over and over again and expecting the results to be
different each time” [paraphrasing Einstein]
2
 Project Risk Management
 Considered to be one of the important growth
areas in Project Management

 Why is this ???

Rapid Change Means Decisions Regularly Made with
Imperfect Information

 Project Risk Management focuses on the

future

3
 Project Risk Management Processes are:
 11.1 Plan Risk Management—The process of defining how to conduct risk management activities
for a project.

 11.2 Identify Risks—The process of identifying individual project risks as well as sources of overall
project risk, and documenting their characteristics.

 11.3 Perform Qualitative Risk Analysis—The process of prioritizing individual project risks for
further analysis or action by assessing their probability of occurrence and impact as well as other
characteristics.

 11.4 Perform Quantitative Risk Analysis—The process of numerically analyzing the combined
effect of identified individual project risks and other sources of uncertainty on overall project
objectives.

 11.5 Plan Risk Responses—The process of developing options, selecting strategies, and agreeing
on actions to address overall project risk exposure, as well as to treat individual project risks.

 11.6 Implement Risk Responses—The process of implementing agreed-upon risk response plans.

 11.7 Monitor Risks—The process of monitoring the implementation of agreed-upon risk response
plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process
effectiveness throughout the project.
A Guide to the Project Management Body of Knowledge (PMBOK® Guide) - Sixth Edition, Page395
 Uncertainty & Risk
If there is a 50% chance of something going wrong then 9 times
out of 10 it will.

It’s said that there are only 2 things in life which are certain; death
and income tax. Anything else must therefore be uncertain and
therefore include an element of risk.

All projects are therefore “risky” since they will involve

uncertain/unknown outcomes

Risk Management should attempt to answer the following

fundamental questions:
What could go wrong?
How likely is it?
How will it affect the project? 5
 Risk Versus Uncertainty
The difference between risk and uncertainty

 Risk - when the decision maker knows the probability

of each and every state of nature and each and every
outcome. An expected value of each alternative action
can be determined.

 Uncertainty - when a decision maker has information

that is not complete and therefore cannot determine the
expected value of each alternative.

Source: Meredith & Mantel 2012

 Risks in Projects
16% met Time, Budget, & Quality
34% Total Wash-Outs
50% in Recovery
800 Projects from Construction, Telecommunications, & Pharmaceuticals Industry
Sectors

33% Not Meeting Budget

33% Not Meeting Specifications
66% Not Meeting Schedule
Source: Standish Group Survey, (date unknown, from a survey of 8000 business
systems projects)
7
 Risks in
KPMG study found that:
Projects
 55% of runaway projects did no risk management at all
 38% did some [but half of these didn’t use the findings
after the project was underway]
 7% didn’t know whether they did risk management or not.
Telephone Survet for KPMG Management Consulting

8
It’s what you don’t know, that hurts you
 What is Project Risk Management?
 Project Risk Management includes the processes of conducting risk
management planning, identification, analysis, response planning, response
implementation, and monitoring risk on a project.

 The objectives of project risk management are to increase the probability

and/or impact of positive risks and to decrease the probability and/or impact
of negative risks, in order to optimize the chances of project success.

 Risk exists at two levels within every project:

 Individual project risk is an uncertain event or condition that, if it
occurs, has a positive (opportunities) or negative effect on one or more
project objectives.

 Overall project risk is the effect of uncertainty on the project as a

whole, arising from all sources of uncertainty including individual risks,
representing the exposure of stakeholders to the implications of
variations in project outcome, both positive and negative.
9
A Guide to the Project Management Body of Knowledge (PMBOK® Guide) - Sixth Edition, Page395
 Risk Definitions
 Project risk is an uncertain event or condition that, if it
occurs, has a positive or negative effect on one or more
project objectives
 A Guide to the Project Management Body of Knowledge (PMBOK® Guide) - Sixth
Edition, Page 720

 ‘An uncertain event or set of circumstances that,

should it occur, will have an effect on the achievement
of the project’s objectives’ (PRAM Guide, apm.org.uk, 2016,)

10
 Project Managers Tolerance of Risk

Risk Neutral

Risk Seeker Risk Aversion

11
Benefits of Project Risk Analysis & Management (PRAM)
‘Hard’ Benefits ‘Soft’ Benefits
 Enables better plans,  Improves corporate experience
schedules and budgets and communications
 increases chances of a  Improved team spirit
project adhering to its plans  helps distinguish good
 Use of most suitable contract luck/good management vs. bad
 better contingencies view luck/bad management
 discourages unsound  Helps staff to assess risks
financial projects  Can focus on real/vital issues
 better management of future  Enables greater risk taking
projects  Looks good from a customer
 more objective view of viewpoint
alternatives  Provides a fresh view of the
 risk allocated to the best personnel issues in a project
owner
12
T O T A L R IS K U N C E R T A IN T Y N O R IS K

S c o p e o f R is k m a n a g e m e n t

U nknow n K now ns
K now ns
U nknow ns U nknowns

P a r t ia l C o m p le t e
N o I n fo r m a tio n
I n f o r m a t io n I n fo r m a t io n

F e a s ib ilit y s tu d y C lo s e o u t R e p o r t
E n ter N ew M a rk et I d e n t if ie s u n k n o w n P r o j e c t s u c c e s s f u lly
is s u e s C o m p le te d

Types of Risk [Business Context]:

Business Risk - risk of a gain or loss
Pure [Insurable] Risk - only a risk of loss 13
 Plan Risk Management
Create Risk Breakdown Structure

Risk Categories:
 Technical, Quality, Performance Risks

 Project Management Risks

 Organisational Risks

 External Risks

 etc., etc. 14
 1

15
Source: Clifford F. Gray; Erik W. Larson, 2014, Project Management: the Managerial Process, 6th edition
 Identify Risks
First step in managing risk is to discover what they are –
this is an iterative process and is often very difficult.

Participants Generally Include:

Project Team - Other Project Managers
Risk Management Team
Subject Matter Experts and/or Outside Experts
Customers
End Users
Stakeholders

Risk = f [Hazard - Safeguard]

16
 Identify Risks
Tools & Techniques:
Documentation Reviews
Delphi Technique
Brainstorming
Interviewing
Checklists
Assumptions Analysis
Diagramming Techniques
etc., etc.
17
 Identify Risks
Sta
k eho
l der Project Management
s Integration
(u Information
n )S
up Communication
po
rti Life
Scope Fea
ng
eas
Cycle Id ata
s ib i
lity D

Quality Requirements Forecast Human

Standards Project Risk
Availability Resources
Se
Su rvi
M e

pp c e
CP edul

l ie s
rs
h
Sc

Contract
Time Budget Procurement
Cash Flow

Cost
18
 Exercise: Identify ‘Generic Risk Areas’ for each
of the Project Management Knowledge Areas?
Sta
k eho
l der Project Management
s Integration
(u Information
n )S
up Communication
po
rti Life
ng s
Scope Fea Cycle d ea
s ib i I ata
lity D

Quality Requirements Forecast Human

Standards Project Risk
Availability Resources
S
Su ervi
M e

pp c e
CP edul

l ie s
rs
h
Sc

Contract
Time Budget Procurement
Cash Flow

Cost
 Common IS Project Risks
 Technical Requirements
 May be very complex or require a high degree of innovation
 System Software
 May be new/unfamiliar to the developer/technical support may
not be readily available
 Tools and Methods
 Programming languages may be unfamiliar
 Particular documentation standards may be required
 Target Architecture
 Hardware capacity / performance levels
 Integration issues of various hardware
 May have to switch to new platform

20
Caution in identifying risks, they need to be "explained" so that it
is absolutely clear as to what each risk is. For example, "Poor
Contractor Performance" does not clearly enough describe
potential risks. It needs be further broken down e.g.:

 Contract staff don’t work at the pace assumed in preparing

the estimates
 Contract staff don’t grasp and conform to the developer's
programming standards
 Contract staff are difficult to manage with inexperienced
team leaders

Once we have more detail we are in a better position to describe the

impact and what needs to be done to counter it. 21
 Risk Statements

Example 1: If this technology is not available,

then we will not meet the critical requirements.

Example 2: If we cannot hire sufficient qualified

software engineers, then we cannot meet the
planned development schedule

22
 Identify Risks
Life Cycle Phases
Project Project Project Project
Concept Planning Execution Termination
Tota Unskilled Labour
l Pr o Material Unavailable Amount
j ec t Strikes At
Risk Stake
/ Opp Weather
o rtun No Control System €€€€
Risks Poor Definition i ty Changes in Scope
No Feasibility Study
Unclear Objectives Poor Quality,
No Risk Mgmt. Plan Unacceptable to
Hasty Planning Customer,
t ake Poor Specification Cash Flow.
at S No Mgmt. Support
ount Inexperienced Team
Am
23
 Identify Risks
Expert Judgement e.g. interview
 Target the Area of Interest
 Identify the Right Person(S)
 Prepare for Interview
 Solicit Judgements & General Information
 Quantify Information
Expert Interview Cautions
 Choosing the Wrong Expert
 Un-willing to Share Information
 Changing Opinions
 Incompetent Interviewer
24
 Perform Qualitative Risk Analysis
Risk Factors:
An Event (An unwanted change)
A Probability of occurrence of that event
The range of Possible Outcomes
(Impact/consequence -Amount at Stake)
Expected Timing (when) in the Project Life
Cycle
Anticipated Frequency of Risk Events from
that Source (how often)

Impact of Risk = [likelihood of risk] * [consequence of risk]

25
Perform Qualitative Risk Analysis

Overall Risk is a Function of its components 26

 Probability & Impact Definitions Examples
. +/- Impact on Project Objectives
Probabil
Scale
ity
Time Cost Quality

Very Significant Impact on Overall

Very High >70% > 6 Months > ¢5 million
Functionality
Significant Impact on Overall
High 51-70% 3-6 Months ¢1-5 million
Functionality
¢501K - -¢1 Some Impact on in Key Functional
Medium 31-50% 1-3 months
million Areas

Low 11-30% 1-4 Weeks ¢100K - ¢500K Minor Impact on Overall Functionality

Very Low 1-10% 1 Week < ¢100K Minor Impact on Secondary Functions

Nil <1% No Change No Change No Change in Functionality

A Guide to the Project Management Body of Knowledge (PMBOK® Guide) - Sixth Edition, Page 407
 Example of Probability & Impact Matrix
with Scoring Scheme

A Guide to the Project Management Body of Knowledge (PMBOK® Guide) - Sixth Edition, Page 408
 Perform Quantitative Risk Analysis

Tools & Techniques Include:

Interviewing
Sensitivity Analysis
Simulation
Software [e.g. Crystal Ball]
Decision Tree Analysis

29
 Decision Tree or Impact Analysis Diagram
Decision Tree: “A graphical device that help in defining sample
points of an experiment involving multiple steps” Anderson et. al. 1999:63
Choice: Make or Buy Widgets for resale

Expected Value
€65,000 70% €80,000
ke t
d Mar
Goo
ac hine
rcha se M 0 Poor
M arket
Pu €35,00 30 %
Purchase
€30,000 €30,000

Sub
con
Subcontract €5, tract % €50,000
000
rke t 70
€34,500
d Ma
Goo
Poo
Expected Value rM
ark
€39,500 et 3
0 %
€15,000

Used when a decision cannot be viewed as a single isolated occurrence …. but

30
rather as a sequence of interrelated decisions
 31
Hamilton 2001:395
 Exercise: A company is trying to determine if
prototyping is worthwhile on the project. They have
come up with the following consequences if the
equipment works or if it fails when it is used. Based on
the information provided below,
 What is the expected value of the decision?

Source: PMP Exam Prep page 171 32

Sally Smart is planning how to survive, in financial terms, the 2018-19 academic year. The way matters stand right now,
she will lose her Government grant since her parents have just joined the class of 'nouveau riche’. created by the right wing
government to raise the morale of the country's population. With another brother struggling to finish his engineering
degree, chances are nil that her parents will be able to support her with more than an occasional carrot cake.
She has a number of choices:
 She could drop out and join the ranks of the unemployed. Using her skills in present value calculations recently
acquired in her Project Management course she calculated that the NPV of her lifetime loss in earning power would
amount to €25,000 if the finance minister's policies continue to depress the economy, while the loss would only be
€5,000 if the Taoiseach finds the courage to sack him along with most of his financial advisers. Sally figures that the
chance that the Taoiseach can find the necessary courage is only 25%.
 She could take out a loan, finish her Project Management course and then pay it back over the next 5 to 10 years. The
NPV cost of that action is €15,800 with the present finance minister remaining in office and €12,400 if he is replaced.
 She could enter into a marriage of convenience with another student in her class and then automatically retain her
government assistance. With the cost of all the parties her class mates would insist she throw for both 'tieing the knot'
and then 'cutting it again’ after graduation, as well as the potential 'intangible' costs associated with this action, she
figures that the net cost to her would be €4,000 with the present finance minister remaining in office, but €16,000
without him (due to having gotten married without really any need for it).
Required:
1. Develop a decision tree, attaching costs and probabilities to the various branches.
2. Using this tree find the best action for Sally based on monetary considerations only.
 O'Malley's Computer Store Decision Tree Exercise
The owner of O’Malleys Computer Store is considering what to do with her business over the next five years. Sales
growth over the past couple of years has been good, but sales could grow substantially if a major electronics firm is
built in the area as proposed. O’Malleys’ owner sees three options. The first is to enlarge his current store, the second
is to locate at a new site, and the third is to simply wait and do nothing. The decision to expand or move would take
little time, and, therefore, the store would not lose revenue. If nothing were done the first year and strong growth
occurred, then the decision to expand would be reconsidered. Waiting longer than one year would allow competition to
move in and would make expansion no longer feasible. The assumptions and conditions are as follows:

1. Strong growth as a result of the increased population of computer fanatics from the new electronics
firm has a 55% probability.
2. Strong growth with a new site would give annual returns of €195,000 per year. Weak growth with a
new site would mean annual returns of €115,000.
3. Strong growth with an expansion would give annual returns of €190,000 per year. Weak growth with
an expansion would mean annual returns of €100,000.
4. At the existing store with no changes, there would be returns of €170,000 per year if there is strong
growth and €105,000 per year if growth is weak.
5. Expansion at the current site would cost €87,000.
6. The move to the new site would cost €210,000.
7. If growth is strong and the existing site is enlarged during the second year, the cost would still be
€87,000.
8. Operating costs for all options are equal.

Construct a decision tree to advise O’Malley’ owner on the best action . 34

Source: Jacobs & Chase
 Plan Risk Responses
Influences
Lack of information on:
hazards,
magnitude of damage,
probability of occurrence.
Benefit to P.M. for accepting the risk
Risk forced upon project manager.
The existence of cost effective/high cost
alternatives
Length of exposure to the risk
35
 Plan Risk Responses
Strategies Include:
Avoidance
abandon the possible causes
prevent/reduce the impact

Transfer
Mitigation
Acceptance

36
 Plan Risk Responses
 Risk Avoidance is designed to avoid any identified risks to the project. Within an IS
development project, this may include avoiding the use of an untested technology or
avoiding changes to the scope of the system.

 Risk Transfer involves the transfer of risk to another party. Risk transference is often
facilitated through the use of contracts in which the risk associated with a given activity is
transferred to another party. Depending on the type of contract being used, risk may be
transferred from the seller to the buyer or from the buyer to the seller.

 Risk Mitigation is used to reduce, eliminate, or transfer the chances of risk occurrence
or to reduce the impact of the risk on project objectives. An example of risk mitigation
during an IS development project is the use of a known technology provider rather than
reliance on a less established vendor.

 Risk Acceptance occurs when managers simply decide that an effective response cannot
be developed for a specific risk. In this case, a decision is made to accept that a given risk
may occur and either to do nothing (passive response) or to plan alternative strategies
(active response) should the risk occur. For example, an active response during an IS
development project may mean accepting that a new version of a particular software may
not function as intended and developing an alternative plan to use a previous version of the
software.
 Risk Management Exercise
The Manchester United Soccer Tournament project team has
identified the following potential risks to their project:

 Referees failing to show up at designated games.

 Fighting between teams.
 Pivotal error committed by a referee that determines the outcome
of a game.
 Abusive behavior along the sidelines by parents.
 Inadequate parking.
 Not enough teams sign up for different age brackets.
 Serious injury.
Required:
How would you recommend that they respond to these risks and
why?
38
Source: Clifford F. Gray; Erik W. Larson, Project Management: the Managerial Process, McGraw-Hill.
 Risk & Insurance in Project Management
Risk

Risk that can Risk that can Risk that is difficult

& be insured or impossible
Must be insured if required to insure

Statutory Contractual Management Contractor or Customer

Requirement Requirement Decision must accept risk

Examples: Examples: Examples: Examples:

Employers liability for Loss or Damage to
Liability for damage Unreasonable high risk
injury to employees. tools or equipment at
to customers of the loss occurring
Liability to third parties property the project site
arising from use of A loss where the
motor vehicles on public Indemnity to Pecuniary loss through insured would stand to
roads. customer one of a number of profit as a result of
against injury to unforeseeable causes insurance 39
person
 Risk and Progression of a Pipeline Project

Accidental
Hazard Cause Impact
Event

Initiating or
Hazardous Loss of Adverse
contributing
liquid containment of consequences
events of a
contained and hazardous liquid; to people, the
pipeline incident;
delivered product migrates environment,
during normal start of the along available etc.
operation accident event pathways to
sequence (e.g., people,
coating disbond, environmental
mechanical resources, etc.
damage) 40
 Risk Control Activities During Progression
of a Pipeline Project

Accidental
Hazard Cause Impact
Event

Prevention Mitigation Response

Example
- Corrosion Control - Isolation Valves -Evacuation
Types of
Risk Control - Maintenance - Trench - Spill response
Programs
Activities - Sprinkler - Flow path
- Impact Barriers diversion
41
 Performance Measures Associated with Stages
of a Pipeline Project

Accidental
Hazard Cause Impact
Event

Example Prevention Mitigation Response

Performance Hydro test Reliability of Effectiveness
Measures
Results Isolation Valves of Emergency
Drills
 Contract Type & Risk Type
100% F.F.P. Client
F.P.E.

C.P.I.F.

C.P.F.F.
C.S.

Cost
0%Contractor
43 100%
 Monitor and Control Risks

Tools & Techniques:

Risk Reassessment
Risk Audits
Variance & Trend Analysis
Technical Performance Measurement
Reserve Analysis
Status Meetings
Additional Risk Response Planning
44
 Risk Ownership
Part of the process of risk management is to decide who should be
the owner of each risk
The owner should be someone who
 Has sufficient information concerning the risk
 Has the necessary resources
 Possesses the authority
•Common mistakes are:
 Giving ownership to someone at too low a level in the
organisation (resources / authority problems)
 Giving ownership to someone at too high a level in the
organisation (dealing with risk may not be seen as high
priority) 45
 The Project Risk Register
Is a live central repository for all the known information for each risk. Specifically you need to
record:
 A reference (Unique identifier)
 Risk Category (refer to risk breakdown structure).
 A title and description of the risk
 Project Objective(s) impacted by risk
 Current status of the risk (e.g. live, closed etc. include dates)
 Probability of occurrence
 Potential Impacts
 Risk Rank
 Consequence if risk occurs
 Risk Owner
 Risk Management Plan (Avoidance, Mitigation. etc.)
 Notes (Record of the progress. etc.)
These may be held in a paper file, spreadsheet, database etc.
 Risk Management Register (Risks Scale 1 low - 9 high)

Risk Project Pro I Tot Risk Risk Risk Risk Risk Risk
Objecti babi m al Orde Owner Probabil Probabil Impact Impact
ve(s) lity p r ity ity Respon Response
ac Respon Respon se Plan Plan No.2
t se Plan se Plan No.1
No.1 No.2
Media backlash 5 8 40 2 John
Bad press from Brown
the Media
Non 4 9 36 3 Mary
cooperation White
from staff
Supplier 2 7 14 5 Joe
unable to Green
deliver their
side of
agreement
Project team 6 9 54 1 Jim
members Black
moved during
project
Escalating/unco 7 4 28 4
ntrolled costs
 A Qualitative Risk Matrix Table
Risk Event Chance of Potential Comment
Happening Harm to
Project
Action by High High We shall be building in a
Environmentalists nature reserve
Strikes or other Low High Loyal workforce with no
Industrial Action previous problems
Project Manager struck Low Medium But she is a keen golfer !!
by lightning
Hairline cracks in Low High Suppliers have high quality
structural steel reputation
Software Bugs Medium High Process safety depends on
computer controls
Exchange Rate Medium Medium Not difficult to detect but
Changes impossible to predict
Materials Shortages Medium Medium 48
 Risk Management Register
1 low 9 high

Risk Likeli Impa Risk Risk Risk

hood ct
Value Priority Management
Staff Reaction 2 4 8 7 Communication and involvement from an early stage. This
risk will be addressed during training.

Project Team 2 3 6 9 Communication with project sponsor

Members moved,
promoted or
transferred.

Staff release for 1 5 5 10 Communication with Senior Management, Sponsor, and

training Staff Development Manager
Trainers not 2 5 10 5 2 extra trainers available as part of contingency. Extra
available sick, etc resources may be available from National steering Group

Target date not met 1 1 1 15 Meet with project sponsor and Senior Management.

Staff refusing to 1 5 5 11 Addressed through

attend seminars

Reaction to 3 5 15 3
implementation

Database 5 4 20 1 Inform Project Sponsor

Liase with John C
Administrator 4 4 16 2 Liase with project sponsor 49
In Place & Trained
Issue Management
 Issue Management
 Issues may be raised by anyone
 Generally serious matters which require
urgent attention.
 Can mean an event has occurred and must
be actioned
 A risk that has happened and is now a
problem

51
 R is k s O p p o rtu n itie s W hat M ight
H appen

It It
It's
D o e s n 't D o e s n 't
H appens
H appen H appen

O th e r S o lv e d W hat H as
is s u e s W ith in H appened
E v e n ts
th e
P ro je c t
as
D e fin e d W hat Needs
C hanging
C hange to K eep the
P roject
V iable
52
Risks, Opportunities, Issues, & change (Source, Buttrick 2000)
 Issue Management
3 Phases;
 1] Recognition of the Issue
Define the issue
Identify ownership of the issue.
Inform affected & interested parties
Arrange a meeting

53
 Issue Management
• 2] Agreement on the Issue
• Present the details at the meeting
• Agree the Action to be taken
• Agree on who is responsible for
the doing the action.

54
 Issue Management
• 3] Follow up activities
• Regularly update the status of the
Issue
• On completion of the Action[s],
close the issue

55
 Concluding Thoughts
The alternative to proactive management is reactive
management, also called crisis management. This requires
significantly more resources and takes longer for problems to
surface.

Risk management is a vital component in successful projects

Risks can’t be avoided but can be managed in such a way

that they are recognised and their impacts avoided or
mitigated

If you can’t afford to mitigate the risk now, be absolutely sure

you can afford to resolve the problem later when it happens
56
 References
 Burke R., 2013, Project Management: Planning and Control Techniques, 5th
Edition
 Clifford F. Gray; Erik W. Larson, 2017, Project Management: the Managerial
Process, 7th edition, McGraw-Hill.
 Fuller, 2008, Information Systems Project Management, A Process and Team
Approach, Pearson.
 https://www.apm.org.uk/BOK6
 Kerzner, H., 2013, Project Management: A Systems Approach to Planning,
Scheduling, and Controlling, 11th Edition, Wiley.
 Meredith J. & Mantel S., 2012, Project Management, A Managerial Approach,
8th Edition, Wiley.
 Mulcahy Rita, PMP Exam Prep, 2013, Eighth Edition.
 Stanley E. Portny, Samuel J. Mantel Jr., Jack R. Meredith, 2008, Project
Management, 1st Edition, Wiley.
 Project Management Institute (PMI), 2017, A Guide to the Project
Management Body of Knowledge (PMBOK® Guide), 6th edition, Newton
Square, PA
57