
9 - Risk Management

Risk Management Fundamentals
Objectives
  • Increase the probability & impact of positive events/opportunities.

  • Decrease the probability & impact of negative events/threats.

Key Definitions & Attitudes
  • Project Risk – an uncertain event/condition that, if it occurs, affects one or more objectives (safety, schedule, cost, scope, quality) positively or negatively.

  • Known Risks – identified, analyzed, and therefore can be proactively managed.

  • Unknown Risks – not identifiable in advance; handled via contingencies and robust processes.

  • Organizational risk attitudes:

    • Risk Appetite – acceptable degree of uncertainty in pursuit of reward.

    • Risk Tolerance – absolute amount/volume of risk the org will withstand.

    • Risk Threshold – specific boundary of impact or probability beyond which the org will not accept risk.

  • Risk-Taking vs. Risk-Avoidance drives choice of responses and resource allocation.

  • Plan Risk Management – define approach, templates, timing.

  • Identify Risks – iterative discovery + documentation into the Risk Register.

  • Perform Qualitative Risk Analysis – rapid prioritization through probability & impact assessment.

  • Perform Quantitative Risk Analysis – numerical simulation/modeling of high-priority risks.

  • Plan Risk Responses – select strategies, assign owners, fund & schedule actions.

  • Control Risks – implement responses, monitor residual & new risks, audit process, update register.

Plan Risk Management
  • The process of defining how to conduct the risk management activities for a project

  • Ensures risk work is commensurate with both overall risk level & project importance.

  • Risk Management Plan describes how risk management activities will be structured and performed

    • Methodology (tools, data sources).

    • Roles & Responsibilities.

    • Budgeting for risk activities & reserves.

    • Timing/frequency of risk process activities.

    • Risk Categories (tailored taxonomy).

    • Definitions of probability & impact scales.

    • Reporting formats & tracking mechanisms.

Typical Risk Categories (customizable "risk breakdown structure")
  • Technical – requirements, technology, performance, reliability, quality, safety, interfaces.

  • External – subcontractors, suppliers, regulatory, market, customer, weather.

  • Project – dependencies, resources, funding, prioritization, estimating, planning, controlling, communication.

  • Organizational – culture, HR, training, metrics, change, alignment, high-performance teams, etc.

Probability & Impact Scales
  • The quality and credibility of the qualitative risk analysis process require that the levels of risk probability and impact be defined specifically for the project context.

  • Probability verbal scale: Very Unlikely → Almost Certain.

  • Impact verbal scale: Very Low → Very High, with separate definitions for cost, schedule, scope, safety, quality.

  • Example numerical impact scale (Cost):

    • Very Low (0.05) = cost increase insignificant – <10%.

    • Low (0.10) = 10–20% increase.

    • Moderate (0.20) = 20–40% increase.

    • High (0.40) = >40% increase.

    • Very High (0.80) = catastrophic cost overrun.

Risk Identification
  • An interactive process which determines risks that might affect the project and documents their characteristics

  • Requires full understanding of schedule, cost, safety & quality baselines.

  • Outputs Risk Register:

    • Risk description & cause.

    • Potential effects.

    • Initial owner(s).

    • Potential response ideas.

  • Iterative; repeat at milestones & when scope changes.

Performing a Qualitative Risk Analysis
  • Purpose: prioritize risks quickly & cost-effectively.

  • Factors considered:

    • Probability (P).

    • Impact (I) per objective.

    • Time frame (when risk could occur).

    • Project constraints/tolerances.

  • Common tool: Probability–Impact Matrix.

  • Outputs/updates to Risk Register:

    • Sorted list (high → low).

    • Category groupings.

    • Near-term “action” list vs. watch list.

    • Trends over time.

Performing Quantitative Risk Analysis
  • Numerically analyzing the effects of identified risks on the overall project objectives

  • Performed on risks that have been prioritized by the Qualitative Risk Analysis process as potentially and substantially impacting the project’s competing demands.

  • Goals:

    • Quantify range & probability of cost/schedule outcomes.

    • Compute probability of meeting key objectives, e.g.,

    • Identify critical drivers (risks with highest contribution to variance).

    • Support setting realistic targets.

    • Optimize decisions under uncertainty

Plan Risk Responses
  • Process of developing options and determining actions to enhance opportunities and reduce threats to project objectives.

  • Strategies for threat

  • Strategies for opportunities:

    • Exploit, Share, Enhance, Accept.

  • Response attributes: appropriate, cost-effective, timely, realistic, agreed, owned.

  • Embed resulting activities & reserves into schedule, budget, and PM Plan.

Control Risks
  • Continuous loop: implement → measure → adjust.

  • Main actions:

    • Determine if project assumptions are still valid.

    • Determine if risk, as assessed, has changed from its prior state with analysis and trends.

    • Determine if procedures are being followed.

    • Determine changes to planning.

  • Outputs:

    • Updated Risk Register & lessons learned.

    • Recommended preventive/corrective actions.

    • Updates to project baselines & management plan.