CHAPTER 7 MANAGING RISK

RISKS
Risk = an uncertain event or condition that, if occurs, has a positive or negative effect on
project objectives
Have a cause, an if it occurs, a consequence
Can be identified, anticipated, or beyond imagination
Sources of project risk can be internal, but some are external as well (ex. Inflation, market,
exchange rates, government regulations, etc.)

RISK MANAGEMENT PROCESS

The chances of a risk event occurring are greater in
the concept, planning and start-up phases of the
project
The cost impact of a risk event in the project is less if
the event occurs earlier rather than later
Early stages of the project = opportunity for
minimizing the impact
Once the project passes the halfway implementation
mark, the cost of a risk event occurring increases
rapidly
o Risk Event Graph:

STEP 1: RISK IDENTIFICATION

First, generate a list of all the possible risks that could affect the project
Made by the risk management ream (core members and other relevant stakeholders)
Risk breakdown structure (RBS) in conjunction with the WBS helps management teams
identify and analyze risks
o Start with risks that affect the whole project and then move into specific areas and
deliverables

Another useful tool is a risk profile a list of questions that address traditional areas of
uncertainty on a project
 o The questions have been developed and refined from previous, similar projects but
more tailored to the type of project in question
o Heres a partial example of a risk profile:

STEP 2: RISK ASSESSMENT

Not all the risks form step 1 deserve attention, some can be ignored while others pose
serious threats
Managers need to develop methods to sift through the list of risks
Scenario analysis easiest and most commonly used technique
Team members assess the significant of each risk event in terms of:
o PROBABILITY OF THE EVENT
o IMPACT OF THE EVENT
Ex. Being stuck by lightening is not probable, but has a big impact but losing an employee
has both a higher probability and higher chance, so there should be more of a focus on
that risk
In order to assess each event, different levels of risk probabilities and impacts must be
defined
o Can be a simple scale ranging from very unlikely to almost certainly may suffice
for one project, whereas another project may use more precise numerical
probabilities (e.g., 0.1, 0.3, 0.5, . . .).
o The risk management team needs to esstablish up fornt what distinguished
between a 1 from 3 or a moderate impact from severe
Example of defined conditions for impact scales:

Risk assessment forum

o Not only is it important to consider the likelihood of the event and the impact but
also how difficult it is to detect the event as well as when to make a move/decision
to act
 Examples of detection
difficulty:
1 = a lot of time to react
5 = no warning

Risk severity matrix

o The matrix is divided into red, yellow and
green zones that represent major,
moderate and minor risks
o Provides a basis for prioritizing which risks
to address
o Failure Mode and Effects Analysis (FMEA)
extends the risk severity matrix by
including ease of detection in the following
equation to find risk value:
Impact X Probability X Detection =
Risk Value
For ex. A risk with an impact in the
1 zone with a very low probability
and an easy detection score might score a 1 (1 x 1 x 1 x 1)
Conversely, a high-impact risk with a high probability and impossible to
detect would score 125 (5 x 5 x 5 x 125)

STEP 3: RISK RESPONSE DEVELOPMENT

Responses to risk can be classified as mitigating, avoiding, transferring, sharing or
retaining
Mitigating Risk
o Two strategies
Reduce the likelihood that the event will occur
Reduce the impact that the event would have on the project
o Testing and prototyping are frequently used to prevent problems from surfacing
later in the project
o Identifying root causes is useful too
Ex. Poor vendor relationships can leader to problems, so a manger may
decide to take his counterpart to lunch to clear the air
o Augmenting estimates to compensate for uncertainties
Its common to use a ratio between old and new projects to adjust time or
cost
Ex. Add a 10% increase to scheduled time
Avoiding Risk
o Involves changing the project plan to eliminate the risk or condition
o Ex. Adopting proven technology instead of experimental technology can eliminate
technical failure
Transferring Risk
o Passing risk to another party (does not change risk, just transfers it)
o Passing normally results in paying a premium for this exemption
o Ex. Fixed-price contact (risk does from owner to a contractor) monetary risk
factor is added to the contract bid price
o Before passing risk, owner has to think of party that can BEST control activities that
would lead to the risk occurring or if the contractor is capable of absorbing the risk
 o Rick insurance, performance bonds, warranties, and other guarantees are ways to
transfer risk
Retaining Risk
o Means to accept the risk of an event occurring
o Owner assumes the rick because the chance of it occurring is slim or if it does
occur, costs can simply be absorbed if they materialize

Contingency Planning
Contingency plan = alternative plan that will be used if a possible foreseen risk event
becomes a reality
A key distinction between a risk response and a contingency plan is that a response is part
of the actual implementation plan and action is taken before the risk can materialize, while
a contingency plan is not part of the initial implementation plan and only goes into effect
after the risk is recognized
The plan answers the questions: what, where, when and how much action will take place
It evaluates alternative remedies for possible foreseen events before the risk event occurs
and selects the best plan among alternatives
Risk response matrices are useful for summarizing how the project team plans to manage
risks that have been identified
First step is to identify whether to reduce, share, transfer or accept the risk
The next step is to identify contingency plans in case the risk still occurs
Next, the team needs to discuss what would trigger implementation of the
contingency plan
Finally, they need to assign the individual responsible for monitoring the
potential risk and initiating the contingency plan

Technical Risks
o These risks are problematic and are often the kind that cause the project to be shut
down
o In addition to contingency/back-up plans, managers need to develop methods to
quickly assess whether technical uncertainties can be resolved
Schedule Risks
o Often organizations will defer the threat of a project coming in late until it surfaces
o Here contingency funds are set aside to expedite or crash the project to get it
back on track
o Crashing, or reducing project duration, is accomplished by shortening (compressing)
one or more activities on the critical path
Cost Risks
o Projects of long duration need some contingency for price changes (which are
usually upward)
o On cost sensitive projects, price risks should be evaluated item by item
Funding Risks
o Manager smust also consider the possibility of the project being cut by 25%, costs
exceed available funds, or the project being canceled before completion.
Opportunity Management
An opportunity is an event that can have a positive impact on project object
Opportunities are identified, assessed in terms of likelihood and impact, responses are
determined, and even contingency plans and funds can be established to take advantage
of the opportunity if it occurs
Four different types of response to an opportunity:
o Exploit
Eliminate the uncertainty associated with an opportunity to ensure that it
definitely happens
o Share
Allocating some or all of the ownership of an opportunity to another party
who is best able to capture the opportunity for the benefit of the project
o Enhance
The opposite of mitigation
Action is taken to increase the probability and/or positive impact of the
opportunity
o Accept
Willingness to take advantage of it if it occurs

Contingency Funding and Time Buffers

Reluctance to establish contingency reserves can be overcome with documented risk
identification, assessment, contingency plans, and plans for when and how funds will be
disbursed
The contingency reserve fund is typically divided into budget and management reserve
funds for control purposes
Budget reserves are set up to cover identified risks; these reserves are those allocated to
specific segments or deliverables of the project
Management reserves are set up to cover unidentified risks and are allocated to risks
associated with the total project
o Most are set using historical data and judgements concerning the uniqueness and
complexity of the project
o Technical reserves are held here and controlled by the owner or tip management
The risks are separated because their use requires approval from different levels of project
authority
If an identified risk does not occur and its chance of occurring is past, the fund allocated to
the risk should be deducted from the budget reserve
It is important that contingency allowances be independent of the original time and cost
estimates
Contingency Fund example:

Time Buffers
Used to cushion against potential delays in the project
The more uncertain the project, the more time should be reserved for the schedule
The strategy is to assign extra time at critical moments in the projects
Example: buffers are added to
o Activities with severe risks
 o Merge activities that are prone to delays due to one or more preceding activities
being late
o Noncritical activities to reduce the likelihood that they will create another critical
path
o Activities that require scarce resources to ensure that the resources are available
when needed
In the face of overall schedule uncertainty, buffers are sometimes added to the end of the
project
Time buffers usually require authorization from top management

STEP 4: RISK RESPONSE CONTROL

Typically, the results of the first three steps of the risk mansgement process are
summarized in a formal document often called the risk register
A risk register details all identified risks, including descriptions, category, and probability
of occurring, impact, responses, contingency plans, owners, and current status
The register is the backbone for the last step in the risk management process: risk control
Risk control involves executing the risk response strategy, monitoring triggering events,
initiating contingency plans, and watching for new risks
Establishing a change management system to deal with events that require formal
changes in the scope, budget, and/or schedule of the project is an essential element of
risk control

Change Control Management

A major element of the risk control process is change management
Most changes easily fall into three categories
o Scope changes in the fomr of design or additions
o Implementation of contingency plans, when risk events occur, represent changes in
baseline costs and scheudles
o Improvement changes suggested by project team memebers
Change control process (Shown in image to the right)
Change management systems involve reporting, controlling and
recording changes to the project baseline
o Most systems are designed to accomplish the following:
1. Identify proposed changes.
2. List expected effects of proposed change(s) on schedule and
budget.
3. Review, evaluate, and approve or disapprove changes
formally.
4. Negotiate and resolve conflicts of change, conditions, and
cost.
5. Communicate changes to parties affected.
6. Assign responsibility for implementing change.
7. Adjust master schedule and budget.
8. Track all changes that are to be implemented.
A change request log is used to monitor change request throughout the
project
They typically summarize the status of all outstanding change requests
and include such useful information as source and date of the change,
document codes for related information, cost estimates, and the
current status of the request
Every approved change must be identified and integrated into the plan
of record through changes in the project WBS and baseline schedule
o The plan of record is the current official plan for the project in
terms of scope, budget, and schedule
 Benefits from change control systems
1. Inconsequential changes are discouraged by the formal process.
2. Costs of changes are maintained in a log.
3. Integrity of the WBS and performance measures is maintained.
4. Allocation and use of budget and management reserve funds are tracked.
5. Responsibility for implementation is clarified.
6. Effect of changes is visible to all parties involved.
7. Implementation of change is monitored.
8. Scope changes will be quickly reflected in baseline and performance measures.