11.7. Chapter Summary
All projects have some level of risks—just how much the project's stakeholders are willing to accept varies by project and organization. The quantification of the stakeholders' tolerance for risk is called the utility function: the higher the project's importance, the lower the utility function. Low-priority projects are generally more likely to accept risks than those projects that have a big impact on your organization.
Recall that at the launch of the risk planning process, there's the creation of the risk management plan. This plan addresses how the project's risk management approach will be directed. This plan is not specific to the risks within the project, but creates the boundaries, expectations, and general rules for the risk management process. Once this plan is in place and everyone is in agreement to abide by it, the project-specific risk management activities can commence.
The first stop is all about risk identification. This isn't a private meeting—the project team, the project manager, the project sponsor, vendors, stakeholders, end users, even customers can participate if it's necessary. Any project-relevant risks are accepted. It's good to have a variety of participants, as their point of view can help identify risks that may have been overlooked otherwise.
As risks are identified, the project manager can use the Delphi Technique to build a consensus on which risks have the highest impact on the project. This anonymous approach allows participants to speak freely about the risks, unhindered by the opinions of other stakeholders. The comments on the identified risks are distributed to all of the participants, allowing participants to comment, concur, or dismiss opinions on the identified risks. Through rounds of discussion, a consensus on the risks is reached.
Then it's off to quantitative analysis, where the risks' probability and impact are quantified. Specifically, the risk exposure for the project is tied to a dollar amount. The risk exposure is offset by a contingency reserve. Should risk events happen, monies from the contingency reserve are used to counteract the risk events. Ongoing monitoring and controlling of the risk events and their impact is essential to effective risk management.
Involved with all of these processes is the risk register. It's the project's journal and database of risks, their status, their impact, and any supporting detail about the risk events. As more information is gathered about the risks, the project management team updates the risk register. As the project moves past risk events, their status and outcomes are updated in the risk register. The risk register is part of the project management plan and becomes, once the project closes, part of organizational process assets for future projects.
11.7.1. Key Terms
Acceptance A risk response appropriate for both positive and negative risks, but often used for smaller risks within a project.
Avoidance A risk response to avoid the risk; sometimes called a workaround.
Brainstorming The most common approach to risk identification; usually completed as a project team with subject matter experts to identify the risks within the project.
Business risks These risks may have negative or positive outcomes. Examples include using a less experienced worker to complete a task, allowing phases or activities to overlap, or foregoing the expense of formal training for on-the-job education.
Cardinal scales A ranking approach to identify the probability and impact on a numerical value, from .01 (very low) to 1.0 (certain).
Checklists A quick and cost-effective risk identification approach.
Data precision The consideration of the risk ranking scores that takes into account any bias, the accuracy of the data submitted, and the reliability of the nature submitted.
Decision tree A method to determine which of two or more decisions is the best one. The model examines the cost and benefits of each decision's outcome and weighs the probability of success for each of the decisions.
Delphi Technique An anonymous method of querying experts about foreseeable risks within a project, phase, or component of a project. The results of the survey are analyzed by a third party, organized, and then circulated to the experts. There can be several rounds of anonymous discussion with the Delphi Technique, without fear of backlash or offending other participants in the process. The goal is to gain consensus on project risks within the project.
Enhancing A risk response that attempts to enhance the conditions to ensure that a positive risk event will likely happen.
Expected monetary value (EMV) The monetary value of a risk exposure based on the risk's probability and impact in the risk matrix. This approach is typically used in quantitative risk analysis, as it quantifies the risk exposure.
Exploit A risk response that takes advantage of the positive risks within a project.
External risks These risks are outside of the project, but directly affect it—for example, legal issues, labor issues, a shift in project priorities, or weather. "Force majeure" risks call for disaster recovery rather than project management. These are risks caused by earthquakes, tornados, floods, civil unrest, and other disasters.
Flow charts System or process flow charts show the relationship between components and how the overall process works. These are useful for identifying risks between system components.
Influence diagrams An influence diagram charts out a decision problem. It identifies all of the elements, variables, decisions, and objectives and also how each factor may influence another.
Ishikawa diagrams These cause-and-effect diagrams are also called fishbone diagrams and are used to find the root cause of factors that are causing risks within the project.
Low-priority risk watchlist Low-priority risks are identified and assigned to a watch-list for periodic monitoring.
Mitigation A risk response effort to reduce the probability and/or impact of an identified risk in the project.
Monte Carlo technique A simulation technique that got its name from the casinos of Monte Carlo, Monaco. The simulation is completed using a computer software program that can simulate a project, using values for all possible variables, to predict the most likely model.
Ordinal scales A ranking approach that identifies and ranks the risks from very high to very unlikely or to some other ordinary value.
Organizational risks The performing organization can contribute to the project's risks through unreasonable cost, time, and scope expectations; poor project prioritiza-tion; inadequate funding or the disruption of funding; and competition with other projects for internal resources.
Probability and impact matrix A matrix that ranks the probability of a risk event occurring and its impact on the project if the event does happen; used in qualitative and quantitative risk analyses.
Project management risks These risks deal with faults in the management of the project: the unsuccessful allocation of time, resources, and scheduling; unacceptable work results; and poor project management.
Pure risks These risks have only a negative outcome. Examples include loss of life or limb, fire, theft, natural disasters, and the like.
Qualitative risk analysis This approach "qualifies" the risks that have been identified in the project. Specifically, qualitative risk analysis examines and prioritizes risks based on their probability of occurring and their impact on the project should they occur.
Quantitative risk analysis This approach attempts to numerically assess the probability and impact of the identified risks. It also creates an overall risk score for the project. This method is more in-depth than qualitative risk analysis and relies on several different tools to accomplish its goal.
RAG rating An ordinal scale that uses red, amber, and green to capture the probability, impact, and risk score. The first letter of red, amber, and green equate to "RAG" in the system.
Residual risks These are risks that are expected to remain after a risk response.
Risk A project risk is an uncertain event or condition that can have a positive or negative impact on the project.
Risk identification The systematic process of combing through the project, the project plan, the work breakdown structure, and all supporting documentation to identify as many risks that may affect the project as possible.
Risk management plan A project management subsidiary plan that defines how risks will be identified, analyzed, responded to, and monitored within the project. The plan also defines the iterative risk management process that the project is expected to adhere to.
Risk management planning The agreed-upon approach to the management of the project risk processes.
Risk owners The individuals or entities that are responsible for monitoring and responding to an identified risk within the project.
Risk register The risk register is a project plan component that contains all of the information related to the risk management activities. It's updated as risk management activities are conducted to reflect the status, progress, and nature of the project risks.
Risk response audit An audit to test the validity of the established risk responses.
Risk responsibilities The level of ownership an individual or entity has over a project risk.
Risk score The calculated score based on each risk's probability and impact. The approach can be used in both qualitative and quantitative risk matrixes.
Root cause identification Root cause identification aims to find out why a risk event may be occurring, the causal factors for the risk events, and then, eventually, how the events can be mitigated or eliminated.
Secondary risks New risks that are created as a result of a risk response.
Sensitivity analysis A quantitative risk analysis tool that examines each risk to determine which one has the largest impact on the project's success.
Sharing A risk response that shares the advantages of a positive risk within a project.
SWOT analysis SWOT analysis is the process of examining the project from the perspective of each characteristic: strengths, weaknesses, opportunities, and threats.
Technical, quality, or performance risks Technical risks are associated with new, unproven, or complex technologies being used on the project. Changes to the technology during the project implementation can also be a risk. Quality risks are the levels set for expectations of impractical quality and performance.
Transference A risk response that transfers the ownership of the risk to another party. Insurance, licensed contractors, or other project teams are good examples of transference. A fee and contractual relationships are typically involved with the transference of a risk.
11.7.2. Questions
When is it appropriate to accept a project risk?
It is never appropriate to accept a project risk.
All risks must be mitigated or transferred.
It is appropriate to accept a risk if the project team has never completed this type of project work before.
It is appropriate if the risk is in balance with the reward.
Frances is the project manager of the LKJ Project. Which of the following techniques will she use to create the risk management plan?
Risk tolerance
Status meetings
Planning meetings
Variance meetings
You are the project manager of the GHK Project. You and the manufacturer have agreed to substitute the type of plastic used in the product to a slightly thicker grade should there be more than 7 percent error in production. The thicker plastic will cost more and require the production to slow down, but the errors should diminish. This is an example of which of the following?
Threshold
Tracking
Budgeting
JIT manufacturing
An organization's risk tolerance is also known as what?
The utility function
Herzberg's theory of motivation
Risk acceptance
The risk-reward ratio
The customers of the project have requested additions to the project scope. The project manager notifies you that additional risk planning will need to be added to the project schedule. Why?
The risk planning should always be the same amount of time as the activities required by the scope change.
Risk planning should always occur whenever the scope is adjusted.
Risk planning should only occur at the project manager's discretion.
The project manager is incorrect. Risk planning does not need to happen at every change in the project.
Which one of the following best describes the risk register?
It documents all of the outcomes of the other risk management processes.
It's a document that contains the initial risk identification entries.
It's a system that tracks all negative risks within a project.
It's part of the project's project management information system (PMIS) for integrated change control.
_______________________ include(s) fire, theft, or injury, and offer(s) no chance for gain.
Business risks
Pure risks
Risk acceptance
Life risks
Complete this sentence: A project risk is a(n)______________________ occurrence that can affect the project for good or bad.
Known
Potential
Uncertain
Known unknown
When should risk identification happen?
As early as possible in the initiation process
As early as possible in the planning process
Throughout the product management life cycle
Throughout the project life cycle
You are the project manager of the KLJH Project. This project will last two years and has 30 stakeholders. How often should risk identification take place?
Once at the beginning of the project
Throughout the execution processes
Throughout the project
Once per project phase
Which one of the following is an acceptable tool for risk identification?
Decision tree analysis
Decomposition of the project scope
The Delphi Technique
Pareto charting
You are the project manager for a project that will create a new and improved Web site for your company. Currently, your company has over eight million users around the globe. You would like to poll experts within your organization with a simple, anonymous form asking about any foreseeable risks in the design, structure, and intent of the Web site. With the collected information, subsequent anonymous polls are submitted to the group of experts. This is an example of _________________________________.
Risk identification
A trigger
An anonymous trigger
The Delphi Technique
Which risk analysis technique provides the project manager with a risk ranking?
Quantifiable
Qualitative
The utility function
SWOT analysis
A table of risks, their probability, impact, and a number representing the overall risk score is called a ____________________________.
Risk table
Probability and impact matrix
Quantitative matrix
Qualitative matrix
You are presented with the following table:
Risk Event Probability Impact Cost/Benefit EMV 1 .20 −4,000 2 .50 5,000 3 .45 −300 4 .22 500 5 .35 −4,500 What is the EMV for Risk Event 3?
$135
−$300
$45
−$135
You are presented with the following table:
Risk Event Probability Impact Cost/Benefit E×$V 1 .35 −4,000 2 .40 50,000 3 .45 −300,000 4 .30 50,000 5 .35 −45,000 Based on the preceding numbers, what is the amount needed for the contingency fund?
Unknown with this information
249,000
117,150
15,750
The water sanitation project manager has determined that the risks associated with handling certain chemicals are too high. He has decided to allow someone else to complete this portion of the project, and so has outsourced the handling and installation of the chemicals and filter equipment to an experienced contractor. This is an example of which of the following?
Avoidance
Acceptance
Mitigation
Transference
A project manager and the project team are actively monitoring the pressure gauge on a piece of equipment. Sarah, the engineer, recommends a series of steps to be implemented should the pressure rise above 80 percent. The 80 percent mark represents what?
An upper control limit
The threshold
Mitigation
A workaround
You are presented with the following table:
Risk Event Probability Impact Cost/Benefit E×$V 1 .20 −4,000 2 .50 50,000 3 .45 −300 4 .22 500 5 .35 −4,500 6 What would Risk Event 6 be based on the following information: Marty is 60 percent certain that he can get the facility needed for $45,000, which is $7,000 less than what was planned for.
.60, 45,000, 27,000
.60, 52,000, 31,200
.60, 7,000, 4,200
.60, −7,000, −4,200
Which of the following can determine multiple scenarios, given various risks and the probability of their impact?
Decision tree
Monte Carlo technique
Pareto chart
Gantt chart
11.7.3. Answers
D. Risks that are in balance with the reward are appropriate for acceptance. A, B, and C are all incorrect because these solutions are all false responses to risk management. For more information, see the introduction to Chapter 11 in the PMBOK.
C. Planning meetings are used to create the risk management plan. The project manager, project team leaders, key stakeholders, and other individuals with the power to make decisions regarding risk management attend the meetings. Choices A, B, and D are incorrect, since these choices do not fully answer the question.
A. An error value of 7 percent represents the threshold the project is allowed to operate under. Should the number of errors increase beyond 7 percent, the current plastic will be substituted. B is incorrect, since tracking is the documentation of a process through a system or workflow or the documentation of events through the process. C, budgeting, is also incorrect. D, JIT manufacturing, is a scheduling approach to ordering the materials only when they are needed in order to keep inventory costs down. For more information, see the PMBOK, Section 11.5.2.1.
A. The utility function describes a person's willingness to tolerate risk. B is incorrect. Herzberg's theory of motivation is a human resources theory that describes motivating agents for workers. C is also incorrect. Risk acceptance describes the action of allowing a risk to exist because it is deemed low in impact, low in probability, or both. D, the risk-reward ratio, is incorrect. This describes the potential reward for taking on a risk in the project.
B. When the scope has been changed, the project manager should require risk planning to analyze the additions for risks to the project's success. A is incorrect. The scope changes may not require the same amount of time as the activities needed to complete the project changes. C is incorrect because risk planning should not occur at the project manager's discretion. Instead, it should be based on evidence within the project and the policies adopted in the risk management plan. D is also incorrect. When changes are added to the project scope, risk planning should occur. For more information, see the PMBOK, Section 11.6.1.3.
A. The risk register documents all of the outcomes of the other risk management processes. B, C, and D are all incorrect definitions of the risk register. For more information, see the PMBOK, Section 11.2.3.1.
B. Pure risks are the risks that could threaten the safety of the individuals on the project. A is incorrect because business risks affect the financial gains or loss of a project. C and D are incorrect, since these terms are not relevant.
C. Risks are not planned; they are left to chance. The accommodation and the reaction to a risk can be planned, but the event itself is not planned. If risks could be planned, Las Vegas would be out of business. A, B, and D are all incorrect, since these terms do not accurately complete the sentence. For more information, see the introduction to Chapter 11 in the PMBOK.
D. Risk identification is an iterative process that happens throughout the project's life cycle. A and B are both incorrect because risk identification is not limited to any one process group. C is incorrect because risk identification happens, technically, throughout the project management life cycle, which is unique to each project, and not through the product management life cycle. For more information, see the PMBOK, Section 11.2.
C. Risk identification happens throughout the project. Recall that planning is iterative: As the project moves towards completion, new risks may surface that call for identification and planned responses. A is incorrect. Risk identification should happen throughout the project, not just at the beginning. B is incorrect because risk identification is part of planning. D is incorrect because the nature of the project phase may require and reveal more than one opportunity for risk identification. For more information, see the PMBOK, Section 11.2.
C. The Delphi Technique, an anonymous risk identification method, is the correct answer. A is incorrect. Decision tree analysis is appropriate for calculating the expected monetary value of a decision, but not risk identification. B is incorrect because the decomposition of the project scope will result in the WBS. D is incorrect. Creating a Pareto chart is part of quality control, not risk identification. For more information, see the PMBOK, Section 11.2.2.2.
D. An anonymous poll that allows experts to freely submit their opinion without fear of backlash is an example of the Delphi Technique. A, B, and C are incorrect. These choices do not accurately answer the question. For more information, see the PMBOK, Section 11.2.2.2.
B. The risk ranking is based on the very high, high, medium, low, and very low attributes of the identified risks. A is incorrect because it is not relevant to the question. This answer is quantifiable, not quantitative. C is incorrect. Utility function describes an organization's tolerance for risk. D, SWOT analysis, is part of risk identification. For more information, see the PMBOK, Sections 11.3.2.1 and 11.3.2.2.
B. A table of risks, their probability, and impact equate to a risk score in a risk matrix. A is incorrect, since it does not fully answer the question. C and D are incorrect because a risk matrix can be used in both quantitative and qualitative risk analyses. For more information, see the PMBOK, Section 11.3.2.2.
D. Risk Event 3 has a probability of 45 percent and an impact cost of −$300, which equates to −$135. A, B, and C are incorrect because their values are wrong answers for the formula. For more information, see the PMBOK, Section 11.1.3.1.
C. The calculated amount for each of the risk events is shown in the following table:
Risk Event Probability Impact Cost/Benefit E×$V 1 0.35 −4,000 −1,400 2 0.4 50,000 20,000 3 0.45 −300,000 −135,000 4 0.3 50,000 15,000 5 0.35 −45,000 −15,750 −117,150 A, B, and D are incorrect answers because they do not reflect the contingency amount needed for the project based on the preceding table. For more information, see the PMBOK, Section 11.1.3.1.
D. Because the risk is not eliminated but transferred to someone else or another entity, it is considered transference. A is incorrect because the risk still exists—it is just being handled by another entity. B is incorrect because the project manager has not accepted the risk, deciding instead to allow another entity to deal with it. C is incorrect. The risk has not been mitigated in the project. For more information, see the PMBOK, Section 11.5.2.1.
B. The 80 percent mark is a threshold. A is incorrect. An upper control limit is a boundary for quality in a control chart. C is incorrect. Mitigation is a planned response should a risk event happen. D is also incorrect. A workaround is an action to bypass the risk event. For more information, see the glossary in the PMBOK and also Section 11.5.
C. Marty is 60 percent certain that he can save the project $7,000. The $4,200 represents the 60 percent certainty of the savings. A, B, and D are all incorrect, since these values do not reflect the potential savings of the project. For more information, see the PMBOK, Section 11.1.3.1.
B. The Monte Carlo technique can reveal multiple scenarios and examine the risks and probability of impact. A, a decision tree, helps guide the decision-making process. C, a Pareto chart, helps identify the leading problems in a situation. D, a Gantt chart, compares the lengths of activities against a calendar in a bar chart format. For more information, see the PMBOK, Section 11.4.