Part 30: Knowledge Areas: Project Risk Management

Project Risk Management

  • A Risk is
    • An uncertain event or condition
    • Has a positive or negative effect on one or multiple project objectives (scope, schedule, cost, quality), if it occurs
    • Can have one or multiple causes
    • A Cause is a requirement, assumption, constraint, or condition that creates the possibility of a negative or positive outcome
    • Risk can be caused by the project or organizational environment
    • A positive risk is known as an Opportunity
    • A negative risk is known as a Threat
    • When a Negative Risk occurs, it becomes an Issue
    • We want to reduce Negative Risks and take advantage of Positive Risks

  • Known Risk
    • A Known Risk is one that has been identified and analyzed
    • It’s possible to plan a response to a Known Risk
    • A risk that cannot be managed proactively is assigned a Contingency Reserve
    • CONTINGENCY RESERVE = additional time in schedule and/or funds in the budget to manage Known Risks
    • When a Known Risk disappears, we should release the Contingency Reserve associated with the risk.  This allows the organization to use the released resources somewhere else.

  • Unknown Risk
    • An Unknown Risk cannot be managed proactively, and must be assigned a Management Reserve
    • It’s impossible to predict every risk.  We know that in a large project, there will be some risks that we can’t identify.  The things we don’t know we don’t know.  These are the Unknown Risks, or Unknowable-Unknowns
      • We don’t know what these risks are until they happen
    • We create a Management Reserve to account for the Unknown Risks.
      • MANAGEMENT RESERVE = additional time in schedule or funds in the budget to manage Unknown Risks
    • We can also deal with unknown risks by
      • Having flexible project processes to adapt to risks
      • Having the ability to identify early warning signs of unknown risks
      • Input from stakeholders to identify areas where the project can be adjusted in response to risks
  • Non-Event Risk
    • A Non-Event Risk is one that is not associated with a specific event.  This includes Variability Risks and Ambiguity Risks.
    • Variability Risk
      • A metric may be higher or lower than expected. 
      • Can be managed through the Monte Carlo method. 
      • For example, we may identify more errors in our manufacturing process than expected.
    • Ambiguity Risk
      • There is uncertainty about what will happen in the future. 
      • We reduce ambiguity risks by identifying areas where we don’t have enough information, and then improve our knowledge
      • Can be managed by obtaining expert analysis or best practices, incremental development, prototyping, or simulation
  • Overall Project Risk vs Individual Project Risk
    • Each risk is known as an Individual Project Risk
      • It has an impact on one or more project objectives
    • The total is the Overall Project Risk
      • It tells us the uncertainty in the entire project (including positive and negative outcomes)
      • It’s possible for the overall risk to be positive
  • Risk Management
    • Risks can arise throughout the life of the project, so risk management should be conducted iteratively
    • Risks may occur at any level in an organization, including at the program or portfolio level
      • We should delegate some risks to higher organizational levels, when appropriate
      • There should be an organization-wide risk management policy
    • When developing a Risk Management Plan, consider
      • The project size, budget, duration, and scope
      • Project complexity
        • Does the project use new technology or innovations?
        • Does the project rely on many external vendors?
      • Project importance
        • Is this project of strategic importance to the organization?
        • Will the success of this project bring substantial improvements to the organization?
      • Development Approach
        • Does the project’s schedule follow a waterfall approach, where each risk occurs in one phase, or does the project have an agile approach where all risks appear in each iteration?
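
The notes above say a Variability Risk can be managed through the Monte Carlo method. The sketch below is an added example, not part of the original notes, that simulates total duration from three-point task estimates and derives a schedule buffer. The task data, the triangular distribution, the 80% confidence level, and all function names are assumptions chosen for illustration.

```python
import bisect
import math
import random

# Constructed sample estimates, in days: (task, optimistic, most likely, pessimistic).
TASKS = [("design", 8, 10, 15), ("build", 18, 20, 35), ("test", 4, 5, 12)]


def simulate_totals(tasks, runs=20000, seed=7):
    """Sorted total project durations, one per simulated run."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    totals = [
        sum(rng.triangular(low, high, mode) for _, low, mode, high in tasks)
        for _ in range(runs)
    ]
    totals.sort()
    return totals


def percentile(sorted_values, p):
    """Nearest-rank percentile for p in (0, 100]."""
    rank = max(1, math.ceil(p / 100 * len(sorted_values)))
    return sorted_values[rank - 1]


def chance_of_meeting(sorted_values, deadline):
    """Fraction of simulated runs that finish on or before the deadline."""
    return bisect.bisect_right(sorted_values, deadline) / len(sorted_values)


def schedule_buffer(tasks, confidence=80, runs=20000, seed=7):
    """Return (most-likely plan, duration at the confidence level, buffer)."""
    plan = sum(mode for _, _, mode, _ in tasks)
    totals = simulate_totals(tasks, runs, seed)
    target = percentile(totals, confidence)
    return plan, target, target - plan


if __name__ == "__main__":
    plan, target, buffer_days = schedule_buffer(TASKS)
    odds = chance_of_meeting(simulate_totals(TASKS), plan)
    print(f"most-likely plan: {plan} days, met in {odds:.0%} of runs")
    print(f"80% confidence: {target:.1f} days (buffer {buffer_days:.1f} days)")
```

Because each estimate is skewed toward the pessimistic side, the sum of the most-likely values is met in only a small share of runs; the buffer is the extra time needed to reach the chosen confidence level.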

Risk Acceptance

  • An Organization or Stakeholder is willing to accept risk; the amount of risk they accept depends on their risk attitude, which is affected by
    • Risk Appetite
      • How much risk someone is willing to take when they anticipate a reward
    • Risk Tolerance
      • How much risk someone can withstand
    • Risk Threshold
      • The level of uncertainty or impact at which a stakeholder may have an interest.  An organization will only tolerate risks below its Risk Threshold