The definition of Risk Management
Risk management includes risk management planning, identification, analysis, response planning and monitoring and control. The purpose of risk management is to increase the probability and impact of positive events, and decrease the probability and impact of negative events on the project.
If you are not doing very well on risk management after reading this lesson, I might suggest that you look at my book, Risk Management Tricks of the Trade® for Project Managers. It contains 50 more practice questions that are not available anywhere else, and it comes with information on how to use the book to help you prepare for the PMP exam.
Knowing some definitions in risk can help you find answers to exam questions. The process of risk management is very logical.
Expect questions that ask, “What part of the process are you in during this situation?” or “What do you do next?” Therefore, you should understand the process of risk management and what happens when in the process. In this lesson, I have added specific references to outputs to aid you in understanding the risk process. However, expect a majority of the questions to be in the form of, “What should you do?” These are harder than the other types of questions.
This lesson will provide the overview necessary for the exam. However, you should realize that there are more tools and techniques to real-world risk management than are covered here.
Threats and Opportunities
Risk is something that may or may not happen. If it does happen, it can have a positive or negative impact on the project. Do not forget that there can be positive impacts: good risks, called opportunities!
Opportunities can include such things as:
- The ZYX equipment is cheaper than planned
- Work package number 3.4 is completed faster than expected
- It does not take as long as expected to achieve the quality level needed on work package number 21
- Work can move faster since we were able to acquire a resource with a higher productivity level
Up to 90 percent of threats that are identified and investigated in the risk management process can be eliminated. How much better off would you be if that happened? How about the project? Your customer?
Definition of Uncertainty
Uncertainty is a lack of knowledge about an event that reduces confidence in conclusions drawn from the data. The work that needs to be done, the cost, the time, the quality needs, communications needs, etc. can be uncertain.
The investigation of uncertainties may help identify risks.
Risk Factors
When looking at risk, one should determine:
- The probability that it will occur (what)
- The range of possible outcomes (impact or amount at stake)
- Expected timing (when) in the project life cycle
- Anticipated frequency of risk events from that source (how often)
Risk Averse
Someone who does not want to take risks is said to be risk averse.
Risk Tolerances and Thresholds
Tolerances are the areas of risk that are acceptable or unacceptable. For example, “a risk that affects our reputation will not be tolerated.” Tolerance areas can include any component of the “triple constraint” as well as reputation and other intangibles that may affect the customer. A threshold is the amount of risk that is acceptable. For example, “A risk of a two-week delay is okay, but nothing more.”
Inputs to and Outputs of Risk Management
Have you realized yet that there are inputs to the process as a whole (“What are the inputs to risk management?”) and inputs to each part of the process of risk management (“What are the inputs to risk response planning?”)?
Did you realize that the inputs to each part of the process are almost always the outputs of the parts that came before? As a result, these should not need memorization. However, since risk management is a very step-by-step, process-oriented part of project management, expect risk input and output questions on the exam.
Inputs are merely, “What do I need to do this well?” or “What do I need before I can begin…?” Outputs are merely, “What will I have when I am done with…?”
The Risk Management Process
This is an important topic. You must MEMORIZE what happens when, how risk management works on a real-world project and how it relates to the project life cycle. The six sequential risk management processes are:
- Risk Management Planning
- Risk Identification
- Qualitative Risk Analysis
- Quantitative Risk Analysis
- Risk Response Planning
- Risk Monitoring And Control
How many times have you forgotten a whole category of risks on your project? I have long advocated the use of a standard list of risk categories (high-level areas of risk such as technology changes or cultural issues) to make sure areas of risk are not forgotten.
Risk categories are lists of common areas or sources of risk experienced by the company, or on similar projects. The categories help analyze and identify risks on each project.
Companies and project management offices should have standard lists of risk categories that all projects can use to help identify risks. Those leading risk identification should make sure that each category is considered when looking for risks.
There are many ways to classify or categorize risk such as:
- External: Regulatory, environmental, government, market shifts
- Internal: Time, cost, scope changes, inexperience, poor planning, people, staffing, materials, equipment
- Technical: Changes in technology
- Unforeseeable: Only a small portion of risks (some say about 10 percent) are actually unforeseeable
A better way is based on specific categories of risk that may occur on your company’s projects.
My risk research shows over 300 potential categories of risk. These include:
- Project management (yes, your lack of project management effort can add risk)
- The customer’s customers
- The suppliers
- Resistance to change
- Lack of knowledge of project management by the project manager and stakeholders
- Stakeholder-caused risks
- Sponsor-caused risks
- Cultural risks
Another way is to categorize risks by source; “Where do risks come from?”
- Schedule risk: “The hardware may arrive earlier than planned, allowing work package XYZ to start three days earlier.”
- Cost risk: “Because the hardware may arrive later than planned, we may need to extend our lease on the staging area at a cost of $20,000.”
- Quality risk: “The concrete may dry before winter weather sets in, allowing us to start successor work packages earlier than planned.”
- Performance or scope risk: “We might not have correctly defined the scope for the computer installation. If that proves true, we will have to add work packages at a cost of $20,000.”
- Resources risk: “Richard is such an excellent designer that he may be called away to work on the new project everyone is so excited about. If that occurs, we will have to use someone else and our schedule will slip between 100 and 275 hours.”
- Customer satisfaction (stakeholder satisfaction) risk: “There is a chance that the customer will not be happy with the XYZ deliverable and not tell us, causing at least a 20 percent increase in communication problems.”
Expect the phrases “sources of risk” and “risk categories” to be used interchangeably on the exam. They can be organized in an organizational chart or WBS-like format called a risk breakdown structure.
This is where risks are identified. Any risks missed here may be harder to deal with later in the project. This effort should involve all stakeholders and might even involve literature reviews, research and talking to non-stakeholders. Sometimes the core team will begin the process and then the other members will become involved, making risk identification an iterative process.
When you get a question about who should be involved in risk identification, the best answer is everyone!
Everyone has a different perspective of the project. Take off your blinders and look beyond what you are used to.
Smart project managers begin looking for risks as soon as a project is first discussed. However, the major risk identification effort occurs during planning.
Risk identification cannot be completed until a project scope statement and WBS have been created and the project team knows “what is the project.” The sponsor may supply a list of risks in the preliminary project scope statement.
Because risk identification can occur during the initiating and planning process groups, the exam has often said that risk identification happens at the onset of the project. Risks may also be identified during any part of the project.
The exam will specifically look for you to include risk identification during such activities as project changes, when working with resources, and dealing with project issues.
How do you identify risks?
The PMBOK® Guide does not go into detail here and neither will the exam.
The exam is likely to weight the questions toward project executing and project monitoring and controlling-related questions on risk. Therefore, details of risk identification are not explained in this section. It does include:
What is and what is not included in the preliminary project scope statement, the project charter and later documents can help identify risks. Lessons learned, articles and other documents can also help uncover risks.
This used to be a trick for risk management and now has become standard practice. Think about how valuable this would be in your real world.
Information Gathering Techniques
You should know there are many ways to identify risks and that risk identification can be an art form. Luckily, you need not be a risk identification expert to pass the exam. Keep it simple and just know the following:
- Brainstorming: Brainstorming is usually done in a meeting where one idea helps generate another.
- Delphi Technique: A technique used to build consensus of experts who participate anonymously. A request for information is sent to the experts, their responses are compiled, and the results are sent back to them for further review until consensus is reached.
- Interviewing: Also called expert interviewing on the exam, this consists of the team or project manager interviewing project participants, stakeholders or experts to identify risks on the project or a specific element of work.
- Root cause analysis: What if you could reorganize the risks you have uncovered by their causes? Might you see more risks? Of course, maybe many more!
- Strengths, weaknesses, opportunities and threats analysis (SWOT): This analysis looks at the project to identify its strengths, etc., and thereby identify risks.
Types of Risk
Risks can be classified under two main types:
- Business: Risk of a gain or loss
- Pure (Insurable) Risk: Only a risk of loss (e.g., fire, theft, personal injury)
The checklist of risk categories was previously described in risk management planning. One does not just go down the checklist asking “Do we have this type of risk?” Actual risks should be more specific and detailed than those in the checklist.
Risks are identified using one of the techniques previously described. The checklist is then used to make sure the risk identification process has addressed all the categories of risk.
Analyzing what assumptions have been made on the project and if they are valid, for the purpose of identifying more risks.
There are many tools described in the Quality lesson that help one analyze the root causes of issues. These include cause and effect diagrams and flowcharts. When used as part of risk identification, they help identify additional risks.
Outputs of Identify Risks
The risk register is the place where most of the risk information is kept. Think of it as one document for the whole risk management process that will be constantly updated with information as risk identification and later risk management processes are completed.
The risk register becomes part of the project management plan and is also included in historical records which will be used for future projects.
You will notice that the risk register is the only output of many of the risk management processes. Read exam questions carefully as the risk register contains different information depending on when in the risk management process the question is referencing.
At this point the risk register would include:
- List of risks
- List of potential responses: Though risk response planning occurs later, one of the things experienced risk managers know is that it is not always logical to separate work on each part of risk management. There will be times when a response is identified at the same time as a risk. These responses should be added to the risk register as they are identified, and analyzed later as part of risk response planning.
- Root causes of risks: Previously explained, these are now documented.
- Updated risk categories: You will notice lots of places where historical records and company records are updated throughout the project management process. Make sure you are aware that lessons learned and communicating information to other projects do not just happen at the end of the project. Here, the project is providing feedback to the rest of the company regarding new categories of risk to add to the checklist previously described.