LECTURE 8: PROJECT RISK MANAGEMENT
Information Systems Department IS 350D: Project Management
OBJECTIVES
Understand risk and project risk management.
Discuss the elements of planning risk management.
Describe the process of identifying risks and creating a risk register.
Explain the elements of qualitative risk analysis and quantitative risk analysis.
Discuss how to control risks.
WHAT IS RISK?
RISK:
A basic dictionary definition states that risk is
“the possibility of loss or injury.”
This definition highlights the negativity often
associated with risk and points out that
uncertainty is involved
WHAT IS RISK?
Risk can be positive
Risk is an uncertainty
Positive effect (opportunities)
Negative effect (threats)
Project Risk Management
What is Risk?
Examples on Risk:
Customer not agreeing on the price.
Not finding a capable supplier.
Delivery difficulties.
Project Risk Management
Project Risk Management is a process in which the
project team continually assesses what risks may
negatively or positively affect the project, determines
the probability of such events occurring, and
determines the impact if such events occur.
Project Risk Management also involves analyzing and
determining alternate strategies to deal with risks.
Project Risk Management
Importance of Risk Management
The objectives of Risk Management are to identify, address, and minimize negative risks before they become threats, while maximizing potential positive risks.
Activity
You opened a coffee shop in a small district, then another coffee shop opened near yours and offered the same type of products.
Arrange the following steps that you should follow to avoid the risks:
Performing Quantitative Risk Analysis
Identifying Risk
Planning Risk Response
Performing Qualitative Risk Analysis
Planning Risk Management
Monitoring and Controlling Risk
Project Risk Management
Project Risk Management Processes
No | Process Name | Description | Output
1 | Planning Risk Management | Deciding how to approach and plan the risk management activities for the project. | Risk management plan
2 | Identifying Risk | Determining which risks are likely to affect a project and documenting the characteristics of each. | Risk register
3 | Performing Qualitative Risk Analysis | Prioritizing risks based on their probability and impact of occurrence. | Project documents updates
4 | Performing Quantitative Risk Analysis | Numerically estimating the effects of risks on project objectives. | Project documents updates
5 | Planning Risk Response | Enhance opportunities and reduce threats to meeting project objectives. | Project management plan updates, project documents updates
6 | Monitoring and Controlling Risk | Monitoring identified and residual risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies | Work performance information, change requests, project management plan updates, project documents updates, organizational process assets updates
A risk management plan: how risk management will be performed
Methodology
Revised stakeholders’ tolerances
Roles and responsibilities
Tracking
Budget and schedule
Risk documentation
Risk categories
Risk probability and impact
A risk management plan summarizes how risk management
will be performed, and it should include:
Methodology
Roles and responsibilities
Budget and schedule
Risk categories
1. Planning Risk Management
Risk probability and impact
Revised stakeholders’ tolerances
Tracking
Risk documentation
1. Planning Risk Management
What is needed to prepare a risk management plan? (inputs)
Project documents and templates,
Corporate risk management policies,
Risk categories,
Lessons learned reports from past projects,
It is also important to review the risk tolerances of various stakeholders.
2. Identifying Risks
Identifying risks is the process of understanding what
potential events might hurt or enhance a particular
project
By understanding common sources of risks and
reviewing a project’s planning documents, project
managers can identify many potential risks.
Another consideration is the likelihood of advanced
discovery.
2. Identifying Risks
Tools and techniques used for Identifying Risks:
1. Brainstorming
2. The Delphi Technique
3. Interviewing
4. SWOT analysis.
2. Identifying Risks
2.1 Brainstorming
Brainstorming is a technique by which a group attempts to
generate ideas or find a solution for a specific problem by
amassing ideas spontaneously and without judgment
An experienced facilitator should run the brainstorming
session
Be careful not to overuse or misuse brainstorming.
2. Identifying Risks
2.2 The Delphi Technique
The Delphi Technique is used to derive a consensus among a panel of experts who make predictions about future developments
Provides independent and anonymous input regarding future events
Uses repeated rounds of questioning and written responses and avoids the biasing effects possible in oral methods, such as brainstorming.
2. Identifying Risks
2.3 Interviewing
Interviewing is a fact-finding technique for collecting
information in face-to-face, phone, e-mail, or instant-
messaging discussions
Interviewing people with similar project experience is an
important tool for identifying potential risks
2. Identifying Risks
2.4 SWOT analysis
SWOT analysis (strengths, weaknesses, opportunities,
and threats) can also be used during risk identification
Helps identify the broad negative and positive risks that
apply to a project
2. Identifying Risks
The main output of this process is a Risk Register:
A document that contains the results of various risk
management processes and that is often displayed in
a table or spreadsheet format
A tool for documenting potential risk events and
related information
Risk events refer to specific, uncertain events that may occur
to the detriment or enhancement of the project
2. Identifying Risks: Risk register
Elements of a risk register include:
• An identification number for each risk event
• A rank for each risk event
• The name of each risk event
• A description of each risk event
• The category under which each risk event falls (human risk)
• The root cause of each risk
2. Identifying Risks: Risk register
Elements of a risk register include:
Triggers for each risk (indicators or symptoms)
Potential responses to each risk
The risk owner
The probability and impact of each risk occurring.
The status of each risk
3. Performing Qualitative Risk Analysis
Qualitative risk analysis involves assessing the
likelihood and impact of identified risks to determine
their magnitude and priority
Risk quantification tools and techniques include:
1. Probability/impact matrixes
2. The Top Ten Risk Item Tracking
3. Expert judgment
3.1 Probability/Impact Matrix
A probability/impact matrix or chart lists the relative probability of a risk occurring on one side of a matrix or axis on a chart and the relative impact of the risk occurring on the other
List the risks and then label each one as high, medium,
or low in terms of its probability of occurrence and its
impact if it did occur
Can also be used to calculate risk factors: numbers that represent the overall risk of specific events based on their probability of occurring and the consequences to the project if they do occur
[Figure: Sample Probability/Impact Matrix]
[Figure: Chart Showing High-, Medium-, and Low-Risk Technologies]
Activity
1. Close your eyes
2. Imagine that you are preparing for your wedding after three days.
3. Using Probability/Impact Matrix, list all the potential risks and
risk factors that could happen for making your wedding in an
outdoor place.
3. Performing Qualitative Risk Analysis
3.2 Top Ten Risk Item Tracking
Top Ten Risk Item Tracking is a qualitative risk analysis
tool that helps to identify risks and maintain an awareness of
risks throughout the life of a project
Establish a periodic review of the top ten project risk items
List the current ranking, previous ranking, number of times
the risk appears on the list over a period of time, and a
summary of progress made in resolving the risk item
[Figure: Example of Top Ten Risk Item Tracking]
A watch list is a list of risks that are low priority, but are still
identified as potential risks
Qualitative analysis can also identify risks that should be
evaluated on a quantitative basis
4. Performing Quantitative Risk Analysis
Often follows qualitative risk analysis, but both can be
done together.
The main techniques for quantitative risk analysis
include:
1. Decision tree analysis
2. Simulation
3. Sensitivity analysis
4.1 Decision Trees and Expected Monetary Value (EMV)
A decision tree is a diagramming analysis technique
used to help select the best course of action in situations
in which future outcomes are uncertain
Expected monetary value (EMV) is the product of a risk
event probability and the risk event’s monetary value
You can draw a decision tree to help find the EMV
[Figure: Expected Monetary Value (EMV) Example]
The higher the EMV, the better.
Because the EMV is positive for both Projects 1 and 2, Cliff’s
firm would expect a positive outcome from each and could bid
on both projects.
If it had to choose between the two projects, perhaps because of
limited resources, Cliff’s firm should bid on Project 2 because it
has a higher EMV.
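The bid decision described above can be evaluated as a small decision tree. This is an added example, not part of the original lecture; the probabilities and payoffs are assumed values, and the "No bid" option is added to show why a positive EMV justifies bidding at all.

```python
from dataclasses import dataclass

@dataclass
class Outcome:
    payoff: float            # monetary value of a leaf outcome

@dataclass
class Chance:
    branches: list           # [(probability, child_node), ...]

@dataclass
class Decision:
    options: dict            # {option_name: child_node}

def emv(node):
    """Expected monetary value of a decision-tree node."""
    if isinstance(node, Outcome):
        return node.payoff
    if isinstance(node, Chance):
        total = sum(p for p, _ in node.branches)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"branch probabilities sum to {total}, not 1")
        # EMV of a chance node: sum of probability x value over its branches.
        return sum(p * emv(child) for p, child in node.branches)
    if isinstance(node, Decision):
        # At a decision node, take the option with the highest EMV.
        return max(emv(child) for child in node.options.values())
    raise TypeError(f"unknown node type: {type(node).__name__}")

def option_emvs(decision):
    """EMV of each option at a decision node, keyed by option name."""
    return {name: emv(child) for name, child in decision.options.items()}

def best_option(decision):
    """Name of the option with the highest EMV."""
    values = option_emvs(decision)
    return max(values, key=values.get)

# Constructed bid decision; probabilities and payoffs are assumed values.
BID = Decision({
    "Project 1": Chance([(0.2, Outcome(300_000)), (0.8, Outcome(-40_000))]),
    "Project 2": Chance([(0.2, Outcome(-50_000)), (0.1, Outcome(-20_000)),
                         (0.7, Outcome(60_000))]),
    "No bid": Outcome(0),
})

if __name__ == "__main__":
    for name, value in option_emvs(BID).items():
        print(f"{name}: EMV = {value:,.0f}")
    print("Choose:", best_option(BID))
```

Because `Chance` branches can themselves contain `Decision` nodes, the same function evaluates multi-stage trees, which goes beyond the single-stage case in the lecture.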
Example
I need to choose between the two vendors. Which of them will bring higher benefit for my project?
4.2 Simulation
Simulation uses a representation or model of a system to
analyze the expected behavior or performance of the system
Monte Carlo analysis simulates a model’s outcome many
times to provide a statistical distribution of the calculated
results.
To use this model, you must have three estimates (most likely,
pessimistic, and optimistic) plus an estimate of the likelihood of the
estimate being between the most likely and optimistic values.
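A Monte Carlo schedule simulation that takes the four inputs just listed for each task. This is an added example, not part of the original lecture; the task names, estimates, likelihoods, the two-sided triangular shape, and the assumption that tasks run one after another are all constructed for illustration.

```python
import bisect
import math
import random

# Constructed estimates in days for four sequential tasks (not from the lecture):
# (optimistic, most likely, pessimistic, P(duration <= most likely)).
TASKS = {
    "requirements": (8, 10, 16, 0.30),
    "design": (12, 15, 25, 0.30),
    "build": (30, 40, 70, 0.25),
    "test": (10, 14, 28, 0.20),
}

def sample_duration(rng, optimistic, most_likely, pessimistic, p_low):
    """Draw one duration from a two-sided triangular shape peaking at most_likely.

    p_low is the stated likelihood of landing between the optimistic and
    most likely values; the remaining 1 - p_low falls on the pessimistic side.
    """
    if not optimistic <= most_likely <= pessimistic:
        raise ValueError("need optimistic <= most likely <= pessimistic")
    spread = math.sqrt(rng.random())  # density rises linearly toward the peak
    if rng.random() < p_low:
        return optimistic + (most_likely - optimistic) * spread
    return pessimistic - (pessimistic - most_likely) * spread

def simulate_schedule(tasks, runs=10_000, seed=350):
    """Return the sorted total durations of `runs` simulated projects."""
    rng = random.Random(seed)
    totals = [sum(sample_duration(rng, *est) for est in tasks.values())
              for _ in range(runs)]
    return sorted(totals)

def percentile(sorted_totals, pct):
    """Duration that pct percent of the simulated runs finish within."""
    index = min(len(sorted_totals) - 1, int(len(sorted_totals) * pct / 100))
    return sorted_totals[index]

def chance_of_finishing_by(sorted_totals, deadline):
    """Fraction of simulated runs with total duration <= deadline."""
    return bisect.bisect_right(sorted_totals, deadline) / len(sorted_totals)

if __name__ == "__main__":
    totals = simulate_schedule(TASKS)
    for pct in (10, 50, 90):
        print(f"P{pct}: {percentile(totals, pct):.1f} days")
    print(f"Chance of finishing within 100 days: "
          f"{chance_of_finishing_by(totals, 100):.0%}")
```

The sorted totals are the statistical distribution the slide refers to: percentiles give schedule targets at a chosen confidence level, and `chance_of_finishing_by` gives the confidence for a fixed deadline.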
[Figure: Sample Monte Carlo Simulation Results for Project Schedule]
4.3 Sensitivity Analysis
Sensitivity analysis is a technique used to show the effects
of changing one or more variables on an outcome
For example, many people use it to determine what the
monthly payments for a loan will be given different interest
rates or periods of the loan, or for determining break-even
points based on different assumptions (Excel is a common tool
for performing sensitivity analysis).
4.3 Sensitivity Analysis: For example, Cliff’s team could develop sensitivity analysis models to estimate their profits on jobs by varying the number of hours required to do the jobs or by varying costs per hour.
[Figure: Break-Even Point]
5. Planning Risk Responses
After identifying and quantifying risks, you must decide how to
respond to them
Four main response strategies for negative risks:
Risk avoidance: eliminate risk causes
Risk acceptance: accepting the consequences if a risk occurs
Risk mitigation: reducing the impact of a risk event by reducing the probability of its occurrence
Risk transference: shifting the consequence of a risk and responsibility to a third party (purchase an insurance or warranty protection for specific hardware needed)
Four main response strategies for Threats (examples):
Risk avoidance: Reducing scope, extending the schedule
Risk acceptance: Acknowledge the existence of a threat without taking an action
Risk mitigation: Conducting more tests.
Risk transference: Insurance, guarantees
5. Planning Risk Responses
Four main response strategies for positive risks
(opportunity):
Risk exploitation: do whatever to make sure the positive risk happens
Risk sharing: share the ownership of the risk with other party (sharing benefits)
Risk enhancement: changing the size of the opportunity. Probability/impact
Risk acceptance: also applies to positive risks when the project team does not take any actions toward a risk
Examples:
Risk exploitation: Using new technologies
Risk sharing: Partnership
Risk enhancement: Adding some resources to an activity to finish early
Risk acceptance: project team does not take any actions toward a risk
5. Planning Risk Responses
Risk response strategies often include identification of
residual and secondary risks:
Residual risks are risks that remain after all of the response strategies have been implemented
Example: even when more stable hardware is used, there will be some risk of failing
Secondary risks are new risks that occur as a direct result of implementing a risk response
Example: using new hardware may cause some peripheral devices to fail
6. Controlling Risks
Controlling risks involves executing the risk management process
to respond to risk events and ensuring that risk awareness is an
ongoing activity performed by the entire project team throughout
the entire project
Workarounds are unplanned responses to risk events that must
be done when there are no contingency plans
Example: The project environment is dynamic and even an experienced
project manager cannot identify all risks. If any unidentified risk occurs, you will
manage it through a workaround. If you have any identified risks you did not
plan for, you will use a workaround to manage them.
Main outputs of risk control are:
Work performance information
Change requests
Updates to the project management plan, other project documents, and organizational process assets
REFERENCE
Schwalbe, K. Information Technology Project
Management (8th Edition). Chapter 11