Chapter IV Project Risk management methods 4 Introduction
- Slides: 50
Chapter IV. Project Risk management methods 4. Introduction Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective. Known risks are those that have been identified analyzed, and it may be possible to plan for them. Unknown risks cannot be managed, although project managers may address them by applying a general contingency based on past experience with similar projects. 1
Project related risk classification • It is possible to classify risks based on different aspects. A broad classification can be made as: • Internal Risks: Risks that are under the control of the project team like resource assignments, cost estimates, etc. • External Risks: Risks that remain out of the project team’s control like government decisions, changes in technology or market, etc. 2
Cont … • External-unpredictable: Government regulations, natural hazards and acts of God. • External-predictable: Cost of money, borrowing rates, raw material availability. • Internal (non-technical): Labor stoppages, cash flow problems, safety issues, and health and benefit plans. • Technical: Changes in technology, changes in the state of the art, design issues, operations/maintenance issues. 3
Cont … • Legal: Licenses, patent rights, lawsuits, subcontractor performance, contractual failure. • Another breakdown structure for risks can be as follows (Chapman, 2001): • Environment- Changes in legislation, public enquiry, inflation, and changes in rates of exchange. • Industry- Change in end value in market, increase in competition, change in demand, cost of raw materials, availability of raw materials, innovation by competitor, etc. 4
Cont … • Client – Client representative does not allow adequate time to the project; changes in client representative; responsibilities of the client team ill defined; inadequate project management controls; incorrect balance of resources and expertise; responsibilities of team ill defined; project objectives changed mid design; timing of availability of funds does not match cashflow forecasts; client does not accept change control procedure, etc. • Project – Poor team communication, changes in core team, incompatibility of professional staff, inadequate resource allocation due to low fee, late cost checks on design, lack of change control, etc. 5
Sources of project risk • Many of the really serious project risks are late realizations of unmanaged risks from earlier project stages. A situation where the objectives of a project change imprecisely during the project without proper recognition of the new situation implied is particularly risky. • The need for analysis is particularly apparent when projects involve large capital outlays; unbalanced cash flows, requiring a large proportion of the total investment before any returns are obtained; significant new technology; unusual legal, insurance or contractual arrangements, important political, economic or financial parameters; sensitive environmental or safety issues; stringent regulatory or licensing requirements 6
• • 4. 1. Identifying risks Risk Identification tools and techniques Documentation Reviews The standard practice to identify risks is reviewing project related documents such as lessons learned, articles, organizational process assets, etc Information Gathering Techniques The given techniques are similar to the techniques used to collect requirements. Lets look at a few of them: Brainstorming is done with a group of people who focus on identification of risk for the project. 7
Cont … • Delphi Technique • A team of experts is consulted anonymously. A list of required information is sent to experts, responses are compiled, and results are sent back to them for further review until a consensus is reached. • Interviewing • An interview is conducted with project participants, stakeholders, experts, etc to identify risks. • Root Cause Analysis • Root causes are determined for the identified risks. These root causes are further used to identify additional risks. • Swot Analysis (STRENGTH, Weakness, Opportunities And Threats) • Strengths and weaknesses are identified for the project and thus, risks are determined. • Checklist Analysis • The checklist of risk categories is used to come up with additional risks for the project. 8
Cont … • Assumption Analysis • Identification of different assumptions of the project and determining their validity, further helps in identifying risks for the project. • Outputs to Identify Risks • This process of Risk Identification results in creation of Risk Register. • Risk Register • A Risk Register is a living document that is updated regularly throughout the life cycle of the project. It becomes a part of project documents and is included in the historical records that are used for future projects. The risk register includes: • List of Risks • List of Potential Responses • Root Causes of Risks • Updated Risk Categories 9
tools used for qualitative risk analysis include: • Probability And Impact Matrix • The matrix helps in identifying those risks which require an immediate response. The matrix may be customized according to the needs of the project. Most companies do have a standardized template for this matrix and project managers could leverage those templates as well. Use of standardized matrix makes the matrix list more repeatable between projects. 10
Risk Data Quality Assessment • Data is collated for the identified risks. The project manager will try to find the precision of the data that must be analyzed for completing the qualitative analysis of risks. • For each risk, in Risk Data Quality Assessment, the project manager needs to determine: • Extent of the understanding of the risk • Data available • Quality and reliability of the data • Integrity of the data 11
QUANTITATIVE RISK ANALYSIS • The next step of Qualitative risk analysis is to analyze the probability and impact of risks in Perform Quantitative Risk. The purpose of Quantitative Risk Analysis is: • Identification of risk response that requires urgent attention • Identify the exposure of risk on the project • Identify the impact of risk on the objective of the project • Determine cost and schedule reserves that could be required if risk occurs • Identify risks requiring more attention 12
DETERMINING QUANTITATIVE PROBABILITY AND IMPACT • Some of the techniques of quantitatively determining probability and impact of a risk include: • Interviewing • Cost and time estimating • Delphi technique • Historical Records • Expert judgment • Expected monetary value analysis • Monte Carlo Analysis • Decision tree 13
Cont … • Expected Monetary Value Analysis • Expected Monetary Value is a good measure to determine the overall ranking of risks. The formula is: • EMV = P X I • Where, EMV = Expected Monetary Value • P = Probability • I = Impact 14
Cont … • Monte Carlo Analysis (SIMULATION Technique) • The Monte Carlo analysis simulates the cost or schedule results of the project. The primary inputs for this analysis are the network diagram and estimates to perform the project • A Monte Carlo analysis: • Requires a computer based program • Evaluates the overall risk in the project • Determines the probability of completing the project on any specific day, or for any specific cost • Determines the probability of any activity actually being on critical path • Path convergence is taken into account • Cost and schedule impacts can be assessed • Results in a probability distribution 15
Cont … • Decision Tree • Decision tree helps to analyze many alternatives at one single point of time. They are models of real situation. A decision tree takes into account future events in making the decision today. It helps calculate Expected Monetary Value in more complex situations. It also involves Mutual Exclusivity. 16
Risk Identification Mistakes 1. The failure to identify risks early when it is less expensive to address. 2. Not identifying risks in an iterative fashion. 3. Risks are not identified with appropriate stakeholders. 4. Not using a combination of risk identification techniques. 5. Risks are not captured in one location. 6. The failure to make the risks visible and easily accessible. 7. Risks are not captured in a consistent format (e. g. , Cause -> Risk -> Impact) 17
4. 2. The risk register/risk log • A risk register is a tool in risk management and project management. It is used to identify potential risks in a project or an organization, sometimes to fulfill regulatory compliance but mostly to stay on top of potential issues that can derail intended outcomes. • Risk management is a "formally structured process for systemic risk identification, analysis and response throughout the life span of the project in order to achieve an optimum level of risk elimination or control. 18
Cont… • Various authors have interpreted risk registers in many ways, and their approaches can broadly be classified into three categories : 1. risk register is a byproduct – a document that contains information about risks; 2. risk register is a useful tool for risk management; and 3. risk register is the central part of the risk management process. 19
Risk Register Contents • • • An identification number for each risk event A rank for each risk event The name of each risk event A description of each risk event The category under which each risk event falls The root cause of each risk 20
Cont … 21
Probability assessment • The Risk Impact/Probability Chart is based on the principle that a risk has two primary dimensions: • Probability – A risk is an event that "may" occur. The probability of it occurring can range anywhere from just above 0 percent to just below 100 percent. • Impact – A risk, by its very nature, always has a negative impact. However, the size of the impact varies in terms of cost and impact on health, human life, or some other critical factor. 22
Cont … 23
Cont … • The corners of the chart have these characteristics: • Low impact/low probability – Risks in the bottom left corner are low level, and you can often ignore them. • Low impact/high probability – Risks in the top left corner are of moderate importance – if these things happen, you can cope with them and move on. However, you should try to reduce the likelihood that they'll occur. • High impact/low probability – Risks in the bottom right corner are of high importance if they do occur, but they're very unlikely to happen. For these, however, you should do what you can to reduce the impact they'll have if they do occur, and you should have contingency plan in place just in case they do. • High impact/high probability – Risks towards the top right corner are of critical importance. These are your top priorities, and are risks that you must pay close attention to. 24
Cont… • To use the Risk Impact/Probability Chart, print this free worksheet, and then follow these steps: • List all of the likely risks that your project faces. Make the list as comprehensive as possible. • Assess the probability of each risk occurring, and assign it a rating. For example, you could use a scale of 1 to 10. Assign a score of 1 when a risk is extremely unlikely to occur, and use a score of 10 when the risk is extremely likely to occur. • Estimate the impact on the project if the risk occurs. Again, do this for each and every risk on your list. Using your 1 -10 scale, assign it a 1 for little impact and a 10 for a huge, catastrophic impact. • Map out the ratings on the Risk Impact/Probability Chart. • Develop a response to each risk, according to its position in the chart. Remember, risks in the bottom left corner can often be ignored, while those in the top right corner need a great deal of time and attention. 25
Risk ownership • Risk Owner: The individual who is ultimately accountable for ensuring the risk is managed appropriately. There may be multiple personnel who have direct responsibility for, or oversight of, activities to manage each identified risk, and who collaborate with the accountable risk owner in his/her risk management efforts. 26
4. 4. Reviewing the pattern of risk over time • An important PMO function is the review of project risks using a consistent structured process. This deliverable template works well as is and can be tailored over time to make it your own. Use this process and checklist to objectively rate and then manage 17 categories of project risk. Well over 100 risk factors are reviewed during this process. 27
Cont … • Reviewing various aspects of project in detail - Delivery - Resources - People - Capabilities - Finance - Legal - Reputation - Quality - Relationship - Process - Management - Client Management - Technology - Business Environment - Asset Management 28
Cont … • Identifying the sources of risk by category is another method for exploring potential risk on a project. Some examples of categories for potential risks include the following: • Technical • Cost • Schedule • Client • Contractual • Weather • Financial • Political • Environmental • People 29
Cont … • Who Performs the Risk Audits? • The project manager, the project manager and team, or a risk audit team may perform risk audits. What is the focus of the audit? It is a retrospective review where we ask “How did we do? ” • Review the effectiveness of the responses to risks • Next, review the effectiveness of the risk owners • Another, review the effectiveness of the risk processes 30
Questions to Ask in Risk Reviews • Project managers and their teams periodically review their project risks for the following: • Are there new risks? • Has the probability and impact changed? • Are there individual risks that are merging to form a powerful set of risks? • Should we modify our responses including contingency and fallback plans? • Should we close irrelevant risks? 31
Cont … • Risk assessment includes both the identification of potential risk and the evaluation of the potential impact of the risk. A risk mitigation plan is designed to eliminate or minimize the impact of the risk events—occurrences that have a negative impact on the project. 32
Cont … • After the potential risks have been identified, the project team then evaluates each risk based on the probability that a risk event will occur and the potential loss associated with it. Not all risks are equal. Some risk events are more likely to happen than others, and the cost of a risk can vary greatly. Evaluating the risk for probability of occurrence and the severity or the potential loss to the project is the next step in the risk management process. 33
Cont … • Having criteria to determine high-impact risks can help narrow the focus on a few critical risks that require mitigation. • For example, suppose high-impact risks are those that could increase the project costs by 5% of the conceptual budget or 2% of the detailed budget. Only a few potential risk events meet these criteria. These are the critical few potential risk events that the project management team should focus on when developing a project risk mitigation or management plan. Risk evaluation is about developing an understanding of which potential risks have the greatest possibility of occurring and can have the greatest negative impact on the project (Figure 16. 3). These become the critical few. 34
Cont … 35
Cont … • Example: Risk Analysis of Equipment Delivery • A project team analyzed the risk of some important equipment not arriving at the project on time. The team identified three pieces of equipment that were critical to the project and would significantly increase costs if they were late in arriving. One of the vendors, who was selected to deliver an important piece of equipment, had a history of being late on other projects. The vendor was good and often took on more work than it could deliver on time. This risk event (the identified equipment arriving late) was rated as high likelihood with a high impact. The other two pieces of equipment were potentially a high impact on the project but with a low probability of occurring. 36
Cont … • On projects with a low-complexity profile, the project manager may informally track items that may be considered risk items. On more complex projects, the project management team may develop a list of items perceived to be higher risk and track them during project reviews. On projects of even greater complexity, the process for evaluating risk is more formal with a risk assessment meeting or series of meetings during the life of the project to assess risks at different phases of the project. On highly complex projects, an outside expert may be included in the risk assessment process, and the risk assessment plan may take a more prominent place in the project implementation plan. 37
Cont…. • On complex projects, statistical models are sometimes used to evaluate risk because there are too many different possible combinations of risks to calculate them one at a time. One example of the statistical model used on projects is the Monte Carlo simulation, which simulates a possible range of outcomes by trying many different combinations of risks based on their likelihood. The output from a Monte Carlo simulation provides the project team with the probability of an event occurring within a range and for combinations of events. For example, the typical output from a Monte Carlo simulation may indicate a 10% chance that one of the three important pieces of equipment will be late and that the weather will also be unusually bad after the equipment arrives. 38
Reading Assignment 1 • Project Risk by Phases , its identification and mitigation. 39
Chapter V: Risk review in practice • This PMBOK definition of risk management suggests that a systematic process is needed to effectively manage the risk of a project. 40
41
Risk review (Evaluation) • Responses to risks and the experience gained provide keys to learning. A formal and documented evaluation of a risk episode provides the basis for lessons learned and lays the foundation for identifying best practices. This evaluation should consider the entire risk management process from planning through evaluation. It should focus on the following questions: • How did we do? • What can we do better next time? • What lessons did we learn? • What best practices can be incorporated in the risk management process 42
Cont … • Identifying and understanding the risks that will impact a project is not always a straightforward task. Many risks can affect a project in different ways and during different phases of the project life cycle. Therefore, the process and techniques used to identify risks must include a broad view of the project and attempt to understand a particular risk's cause and impact among the various project components. 43
Project risk review framework 44
Cont … • Risk monitoring and control should be part of the overall monitoring and control of the project. Monitoring and control focus on metrics to help identify when a risk occurs, and also on communication. Various tools exist for monitoring and controlling project risk. These include: 45
Cont … • Risk Audits—A knowledgeable manager or group can be useful for auditing the project team from time to time. The audit should focus on ensuring that the project manager and team have done a good job of identifying and analyzing project risks and on ensuring that proper procedures and processes are in place. Risk audits should be conducted by people outside the project team. Using outsiders provides a fresh perspective; the project team may be too close to the project and miss significant threats or opportunities. 46
Cont … • Risk Reviews—Risk audits should be conducted by individuals outside the project team; but risk reviews can be conducted internally. Throughout the project life cycle, the project stakeholders should hold scheduled, periodic risk reviews. These reviews should be part of each team meeting and part of the project team's learning cycles. • Risk Status Meetings and Reports—Similar to risk reviews, a monitoring and control system should provide a formal communication system for monitoring and controlling project risks. 47
Cont …. • To be effective and sustainable, the risk assessment process needs to be simple, practical, and easy to understand. Success depends upon executive commitment and resources. The process must be performed by people with the right skills supported by technology that is correctly sized for the task at hand. 48
Cont … • A corporate-level ERM function is indispensable for defining • common standards, coordinating assessments across business units, and facilitating analysis of risk interactions. The central ERM function must be staffed by people with the necessary facilitation, project management, and analytical skills along with knowledge of risk management leading practices. The ERM function must be augmented by people in line positions closest to the risks. 49
Risk review as integral part of risk management 50