Part 30: Knowledge Areas: Project Risk Management
Project Risk Management
- A Risk is
- An uncertain event or condition
- Has a positive or negative effect on one or multiple project objectives (scope, schedule, cost, quality), if it occurs
- Can have one or multiple causes
- A Cause is a requirement, assumption, constraint, or condition that creates the possibility of a negative or positive outcome
- Risk can be caused by the project or organizational environment
- A positive risk is known as an Opportunity
- A negative risk is known as a Threat
- When a Negative Risk occurs, it becomes an Issue
- We want to reduce Negative Risks and take advantage of Positive Risks
- Known Risk
- A Known Risk is one that has been identified and analyzed
- It’s possible to plan a response to a Known Risk
- A risk that cannot be managed proactively is assigned a Contingency Reserve
- CONTINGENCY RESERVE = additional time in schedule and/or funds in the budget to manage Known Risks
- When a Known Risk disappears, we should release the Contingency Reserve associated with the risk. This allows the organization to use the released resources somewhere else.
- Unknown Risk
- An Unknown Risk cannot be managed proactively, and must be assigned a Management Reserve
- It’s impossible to predict every risk. We know that in a large project, there will be some risks that we can’t identify. The things we don’t know we don’t know. These are the Unknown Risks, or Unknowable-Unknowns
- We don’t know what these risks are until they happen
- We create a Management Reserve to account for the Unknown Risks.
- MANAGEMENT RESERVE = additional time in schedule or funds in the budget to manage Unknown Risks
- We can also deal with unknown risks by
- Having flexible project processes to adapt to risks
- Having the ability to identify early warning signs of unknown risks
- Input from stakeholders to identify areas where the project can be adjusted in response to risks
- Non-Event Risk
- A Non-Event Risk is one that is not associated with a specific event. This includes Variability Risks and Ambiguity Risks.
- Variability Risk
- A metric may be higher or lower than expected.
- Can be managed through the Monte Carlo method.
- For example, we may identify more errors in our manufacturing process than expected.
- Ambiguity Risk
- There is uncertainty about what will happen in the future.
- We reduce ambiguity risks by identifying areas where we don’t have enough information, and then improve our knowledge
- Can be managed by obtaining expert analysis or best practices, incremental development, prototyping, or simulation
- Overall Project Risk vs Individual Project Risk
- Each risk is known as an Individual Project Risk
- It has an impact on one or more project objectives
- The total is the Overall Project Risk
- It tells us the uncertainty in the entire project (including positive and negative outcomes)
- It’s possible for the overall risk can be positive
- Each risk is known as an Individual Project Risk
- Risk Management
- Risk’s can arise throughout the life of the project, so risk management should be conducted iteratively
- Risks may occur at any level in an organization, including at the program or portfolio level
- We should delegate some risks to higher organizational levels, when appropriate
- There should be an organization-wide risk management policy
- When developing a Risk Management Plan, consider
- The project size, budget, duration, and scope
- Project complexity
- Does the project use new technology or innovations?
- Does the project rely on many external vendors?
- Project importance
- Is this project of strategic importance to the organization?
- Will the success of this project bring substantial improvements to the organization?
- Development Approach
- Does the project’s schedule follow a waterfall approach, where each risk occurs in one phase, or does the project have an agile approach where all risks appear in each iteration?
Risk Acceptance
- An Organization or Stakeholder is willing to accept risk; the amount of risk they accept depends on their risk attitude, which is affected by
- Risk Appetite
- How much risk someone is willing to take when they anticipate a reward
- Risk Tolerance
- How much risk someone can withstand
- Risk Threshold
- The level of uncertainty or impact at which a stakeholder may have an interest. An organization will only tolerate risks below their Risk Threshold
- Risk Appetite