Risk Management Principles and the PMI Philosophy

If you only read one chapter in the PMBOK, read the "Project Risk Management" chapter.

This area often has more differences between "real-life" experiences and the PMI methodology, and the exam questions concerning risk management are generally based on the PMBOK material.

Project risks can be reduced by up to 90% if they are properly managed.

A risk can be good or bad. Good risks are opportunities, and bad risks are threats.

11.1: Risk Management Planning

Plan the activity.

No risk management plan.

Risk management plan equals risk response plan.

Separate budget not allocated for risk management.

11.2: Risk Identification

Identify.

Performed only once and not proactively managed.

Process is incomplete.

Missing a review of key deliverables.

Missing entire types/categories of risk.

Only assessing critical path activities.

The process does not use multiple tools/methods.

Confusing issues with risks.

11.3: Risk Qualitative Analysis

Prioritize.

The organization has not established standard practices/tools.

The probability of occurrence is not calculated for each risk.

The impact of each risk is not determined.

Risks are not prioritized.

Data precision is not determined.

11.4: Risk Quantitative Analysis

Measure implications.

Not performed at all.

Usage is not limited to high-priority risks.

No experience with Monte Carlo simulation.

11.5: Risk Response Planning

Create a plan of attack.

Response strategies are not documented.

No risk response plan.

Response strategies are not appropriate for risk severity.

The project plan is not updated to implement and monitor responses.

11.6: Risk Monitoring and Control

Keep it going.

The risk response plan is not maintained.

Risk identification is not continued.

The project plan is not updated to implement and monitor responses.

Responses are not reevaluated.

Project management

Improperly defined project deliverables

Incomplete planning

Improper procedures

Poor leadership

Poor communications

Not clearly assigning tasks

Lack of contingency plans

Inadequate risk management

Organization

Changes to project objectives

Lack of priorities

Lack of project management "buy-in" and support

Inadequate project funding

Misallocation and mismanagement of resources

Stakeholders

All key stakeholders not identified

Missing "buy-in" from a key stakeholder

Stakeholder needs not completely identified

Project charter

Not approved by a single person

Nature of objectives

Scope statement

Incomplete scope definition

Inconsistent scope definition

WBS

Not reviewed and approved by stakeholders

Missing tasks

Lack of team understanding

Missing project management activities

External dependencies not identified and understood

Project schedule

Incomplete schedule

Unrealistic schedule

Resources not balanced

Resources over-allocated

Missing dependencies

No contingency allowances (reserves)

Not reviewed and approved by stakeholders

Cost baseline

Poorly developed cost estimates

Requirements

Unrealistic or aggressive performance standards

Poorly defined requirements

Incomplete requirements

Product design

Incomplete product description

Unrecognized design errors

Team

Lack of skills

Lack of commitment

Personal issues

Technology

Missing technical data

Use of unproven technology

Network diagram

Missing task dependencies

Assumptions

Not completely defined

Constraints

Not completely defined

External dependencies

Changing weather conditions

Changes in legal and regulatory environment

Approvals from governmental agencies

Risk impact matrix

Used to establish the impact score to assign to the risk.

Measures the level of impact against standard project objective areas.

Refer to Figure 11-2 in the PMBOK.

Generally developed at the organizational level to improve the consistency of risk rankings.

Probability/impact matrix

Used to establish general High, Medium, and Low classifications for a risk factor.

Cross-references the probability score with the impact score.

Refer to Figure 11-3 in the PMBOK.

Generally developed at the organizational level to improve the consistency of risk rankings.

Overall risk ranking

A project-level score used to compare the relative risk of one project with another.

Output of Qualitative Risk Analysis

Decision tree analysis

Uses a decision tree to determine the best alternative path.

Based on risk probabilities and cost/reward of each path step.

Refer to Figure 11-6 in the PMBOK.

Simulation

Captures risk probabilities at the detailed task level to determine potential impacts at the overall project level.

Refer to Figure 11-7 in the PMBOK.

Monte Carlo is the most common simulation technique.

Data precision

Describes the extent to which the risk is known and understood

Accounts for the amount of available data, the reliability of that data, and the source of the data

Residual risks

Risks that remain after the risk response has been implemented

Secondary risks

New risks that occur as a direct result of an implemented risk response

Should be managed like any other project risk

Risk trigger

An indication that a risk has occurred or is about to occur

Warning signs and risk symptoms

Sensitivity analysis

A technique used to determine which risks could have the greatest impact on the project

Focuses on the uncertainty level of the individual risk factor when all others are held constant

Good

.4

.1

Fair

.5

.2

Poor

.1

.7

Good

$2M

.4

$800K

.1

$200K

Fair

$500K

.5

$250K

.2

$50K

Poor

$200K

.1

$20K

.7

$140K

Good

$2M

.4

$800K

.1

$200K

Fair

$500K

.5

$250K

.2

$50K

Poor

$200K

.1

$20K

.7

$140K

EVM

$1.03M

$110K

You will see at least one decision tree risk analysis question on the exam.

You should be able to determine the expected monetary value (EMV) of each alternative path.

You should be able to identify examples of the four types of risk response strategies.

Avoidance

Avoiding the risk.

Changing the project plan to eliminate the risk.

Changing the project plan to protect a project objective from the impact.

Reducing the scope to remove high-risk tasks.

Adding resources or time.

Adopting a proven approach rather than a new one.

Removing a "problem" resource.

Acceptance

"Accepting" the consequences of the risk.

The project plan is not changed to deal with the risk.

A better response strategy cannot be identified.

Active acceptance.

Contingency allowance (reserves).

Contingency plan.

Fallback plan.

Passive acceptance.

No action.

Notifying management that there could be a major cost increase if this risk occurs.

Mitigation

Taking action to reduce the likelihood the risk will occur.

Taking action to reduce the impact of the risk.

Reducing the probability is always more effective than minimizing the consequences.

Adopting less complex approaches.

Planning on more testing.

Adding resources or time to the schedule.

Assigning a team member to visit the seller's facilities frequently to learn about potential delivery problems as early as possible.

Providing a less-experienced team member with additional training.

Training the team on conflict-resolution techniques.

Deciding to prototype a high-risk solution element.

Transference

Transferring ownership of the risk factor.

Shifting the consequence of a risk and the ownership of the response to a third party.

Does not eliminate the risk.

Outsourcing difficult work to a more experienced company.

Fixed price contract.

Contracts, insurance, warranties, guarantees, and so on.

Used most often for financial risk exposure.