Chapter 8. Risk Activities and Strategies

This chapter covers the following topics:

• Understand risk activities: Risk activities include risk planning, risk identification, risk quantification and prioritization, risk review, risk response, developing and maintaining the risk register, and risk communication.

• Understand risk strategies: Risk strategies include accepting risk, mitigating risk, transferring risk, avoiding risk, exploiting risk, enhancing risk, and sharing risk.

A risk is any uncertain event that may have a positive or negative effect on the project’s objectives or other aspects of the project, such as the project cost, scope, or schedule. Risks have both causes and impacts. Risk causes are conditions or events that led up to the risk, and impacts are the effects that the risk will have on the project. While risk is inevitable, it is not inherently bad—another term for a positive risk is opportunity.

Project risk management includes risk management planning, identifying and analyzing risks, planning responses to the identified risks, and controlling risks. Risks must be identified during the Planning phase of a project in order to determine the organization’s risk appetite and risk tolerance. Risk appetite is the amount of uncertainty the organization is willing to take on in hope of a reward. Risk tolerance is the amount of risk that an organization can withstand.

Risk activities are the actions taken during a project to identify, analyze, plan for, and monitor risks. Risk strategies are the methods that an organization will use to deal with risks as they arise. This chapter focuses on risk activities first; risk strategies really cannot be determined and applied until other risk activities are complete.

This chapter covers the following objective for the Project+ exam:

2.2 Explain the importance of risk strategies and activities.


Note

Reminder: CompTIA might use slight variations of industry-standard terminology on the Project+ exam. For a detailed list of known vocabulary differences, see Chapter 15, “Final Preparation.”


“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 8-1 lists major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 8-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

| Foundation Topics Section | Questions Covered in This Section |
|---|---|
| Risk Activities | 1–6 |
| Risk Strategies | 7–10 |


Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


1. What is the overall process that identifies, quantifies, and reviews risks?

a. risk identification

b. risk register

c. risk planning

d. risk quantification

2. Which process creates the first version of the risk register?

a. risk planning

b. risk identification

c. risk review

d. risk response

3. Which process involves assigning numerical values to the identified risks?

a. risk identification

b. risk prioritization

c. qualitative risk analysis

d. quantitative risk analysis

4. What is the main benefit of risk review?

a. identifying new risks

b. quantifying new risks

c. prioritizing new risks

d. communicating with stakeholders regarding risks

5. What is another term for negative risks?

a. enhancements

b. vulnerabilities

c. threats

d. opportunities

6. Which document lists all known risks and gives details about each risk?

a. risk review

b. project management plan

c. risk management plan

d. risk register

7. Which of the following is a risk strategy for positive risks?

a. risk mitigation

b. risk exploitation

c. risk transference

d. risk avoidance

8. Which of the following is a risk strategy for both positive and negative risks?

a. risk acceptance

b. risk enhancement

c. risk mitigation

d. risk exploitation

9. What is the most common form of risk transference?

a. hiring more resources

b. completing all work with outsourced resources

c. purchasing insurance

d. implementing redundancy

10. Which strategy for positive risk uses key drivers to ensure that the risk occurs?

a. risk enhancement

b. risk acceptance

c. risk exploitation

d. risk sharing

Foundation Topics

Risk Activities

Risk activities include planning risk management, identifying risks, performing risk analysis, planning risk responses, and reviewing and controlling risks. These risk activities occur during the Planning phase and the Monitoring and Controlling phase of a project. Because known risks are identified and analyzed, it is possible to plan for those risks. But unknown risks also may exist; such risks cannot be addressed until they occur, because they were not identified during the planning process.


Tip

Risk management is the entire strategy for discovering, quantifying, and coping with risk across the project. Individual risks that have been identified are further analyzed to determine the appropriate response to each risk.


Project managers need to ensure that appropriate risk planning, risk identification, risk quantification and prioritization, and risk review occur. In addition, risk responses must be planned, the risk register must be created and maintained, and risk communication plans must be made. This section discusses all of these risk activities.

Risk Planning

Risk planning involves multiple processes to ensure that risks are identified, analyzed, and quantified. The known risks are prioritized, and appropriate responses to each risk are prepared. All of the following activities are part of the risk planning process:

1. Plan risk management. Create and edit the risk management plan as risk planning is carried out.

2. Identify risks. Determine the project risks and create a risk register.

3. Perform risk analysis. Analyze risks both qualitatively and quantitatively to document risk probability and impact, ranking, and urgency. Document this information in the risk register.

4. Plan risk responses. Determine the strategies to use for responding to each known risk, and document those strategies in the risk register.

As each step in risk planning is performed, it should result in updates to all related project documentation, such as the risk register (described later in this chapter). Once all risk planning steps are completed and all decisions are documented, the risk management plan is finalized and becomes part of the project management plan.

The risk management plan is a document that describes all the known risks that may affect a project and the strategies that will be used to handle each risk. The risk management plan should include the following details:

• Risk methodology: Lists the approaches, tools, and data sources to be used for risk management.

• Roles and responsibilities: Defines the risk management team members and their responsibilities.

• Risk budget: Estimates the funds reserved in the budget for risks. Contingency reserves cover known risks, and management reserves cover unknown risks.

• Risk categories: Groups risks by their potential causes, such as external, internal, or technological.

• Risk probability and impact: Defines the likelihood and effect of each risk based on the risk analysis.

• Stakeholder tolerances: Defines each stakeholder’s tolerance for known risks. This is usually just documented as an overall stakeholder tolerance in monetary terms.

• Reporting: Defines how risk activities will be documented, analyzed, and communicated with the project team and stakeholders; uses that information to create the risk management plan.

• Tracking: Documents how risk activities will be tracked and audited.

Once risk planning is complete and project work begins, the project manager should ensure that risks are controlled according to the risk management plan. As with all other parts of the project management plan, the risk management plan is considered a living document and may undergo changes throughout the project’s life cycle.

Risk Identification

Risk identification is the process of determining in advance what risks may affect a project and documenting them in the risk management plan. By performing these tasks in the Planning phase, the project manager will be able to anticipate risk events and act quickly when a risk occurs. The project manager should work with the project team and stakeholders to analyze all aspects of a project—including project cost, schedule, quality, personnel, scope, stakeholders, and procurements—to determine any anticipated risks to the project.

During risk identification, the project manager may decide to employ some or all of the following information-gathering techniques:

• Brainstorming: With the help of a facilitator, obtain a list of project risks. Risk categories may be used to help with this process.

• Interviewing: Encourage project team members, stakeholders, and subject matter experts to identify risks.

• Root-cause analysis: Identify project problems and the causes that led to those problems, and then develop preventive actions.

• Delphi technique: Develop a risk list based on expert opinion.

Risk diagramming techniques can also be used to identify risks, including cause-and-effect diagrams, flowcharts, and influence diagrams. SWOT analysis can be used internally to determine risks that could affect the project.


Note

For details on using SWOT analysis, see Chapter 12, “Project Management Tools.”


When risk identification is complete, the project manager can begin creating the risk register (described later in this chapter).

Risk Quantification and Prioritization

Risk quantification involves performing two types of risk analysis—qualitative risk analysis and quantitative risk analysis—to determine the effects of risks on the project objectives.

• Qualitative risk analysis: Prioritizes and combines risks based on their probability and impact. Qualitative risk analysis involves performing risk probability and impact assessments to develop a probability and impact matrix, which provides a risk score to guide risk responses. Risk categorization and risk urgency are also determined during this analysis. Risk categories can be based on risk sources, area of project affected, or any other useful distinction. Risk urgency can be assigned based on the probability of detecting the risk, time required to respond to the risk, risk symptoms or warning signs, and risk ratings. When qualitative risk analysis is complete, each risk’s probability and impact, ranking, urgency, and categorization information should be added to the risk register.

• Quantitative risk analysis: Numerically analyzes risk effects on project objectives. Quantitative risk analysis involves assigning numerical values to identified risks. Data can be gathered using interviewing, probability modeling, sensitivity analysis, expected monetary value analysis, and other modeling and simulation techniques. When quantitative risk analysis is complete, the risk register is usually updated with a prioritized list of quantified risks.

Both types of risk analysis generally involve using expert judgment as part of the analysis.

When quantifying risks, the risk often equals the probability multiplied by the impact of the risk.

EXAMPLE: If the impact of a web server going down for one day due to an attack is $100,000 and the probability is that it could happen four times a year, the risk of a single attack on the web server could be quantified as $25,000. This example is simple because quantitative values are assigned, but keep in mind that not all risks can be assessed quantitatively.

The end result of risk quantification is a list of prioritized risks. This risk prioritization ensures that risk response plans are developed for every identified risk based on its priority. Higher-priority risks will likely have detailed plans; medium-priority and low-priority risks may not have as detailed plans in the risk management plan. Ensuring that all risks have associated action plans will help the project team know what to do if they encounter a particular risk.

Risk Response Planning

Planning risk response involves developing actions to enhance opportunities and reduce threats to the project. Risks are addressed according to their priority and can be handled by adding resources and activities into the project as needed. This process starts by examining the risk register and analyzing negative risks (threats) and positive risks (opportunities).


Note

The specific risk responses (positive and negative) are discussed in the “Risk Strategies” section of this chapter.


In some cases, the project manager will need to create contingency plans that are based on certain events, known as risk triggers. Contingency plans should include details on the triggering event or conditions that will cause the plan to be implemented.

Risk Review

Risk review involves periodically investigating risks during the project’s Monitoring and Controlling phase to detect any new risks that may have arisen and ensure that planned risk strategies are still effective. Risks should be reviewed whenever a risk event occurs, prior to a phase or stage completion, and whenever situations change that may affect the project. During risk review, all aspects of the project should be reviewed to ensure that all risks have been identified and the risk strategies are still valid.

Risk Register

The risk register is the document that charts all risks identified during risk planning. It should contain basic risk notes, risk assessment information, and risk response details. If new risks are discovered during the Executing phase, they should be added to the risk register as well. Figures 8-1a, 8-1b, and 8-1c show three sections of a sample risk register template. Note that in actual practice, these would be contiguous columns on a spreadsheet; the sections are shown separately here for readability.

Figure 8-1a Risk Register Template: Basic Risk Information

Figure 8-1b Risk Register Template: Risk Assessment Information

Figure 8-1c Risk Register Template: Risk Response Information

Basic risk notes in the risk register might include the following types of facts:

• Risk number: A unique identifier for the risk.

• Risk description: What risk might happen and how it might affect the project.

• Responsibility: Who is responsible for handling the risk.

• Date reported: When the risk was originally reported.

• Last update: When the risk information was last updated.

Risk assessment information in the risk register should include points like these:

• Impact: Potential impact of the risk as determined by the risk assessment.

• Impact description: Specific impact on project scope, schedule, budget, or other aspects of the project.

• Probability: Likelihood that the risk will occur, as determined by the risk assessment.

• Timeline: When the risk is expected to occur, usually given in broad terms like near-term, medium-term, and far-term.

• Status of response: Whether plans have been made for responding to the risk.

Risk response details in the risk register could include particulars of this kind:

• Completed actions: Actions taken for handling the risk.

• Planned future actions: Actions still to be completed for the risk.

• Risk status: The current status of the risk, such as open (still could happen), closed (has passed or been successfully mitigated), or moved to issue (risk has occurred).

The risk register should be customized to fit the organization’s needs.

Risk Communication

Risk communication, particularly risk reporting formats, is documented as part of the risk management plan. It defines how to document, analyze, and communicate with project team members and stakeholders about risks. Most of the documentation will occur in the risk register. However, based on the risk management plan, the project manager will need to communicate with the appropriate personnel regarding risks.

Not every project team member and stakeholder will be interested in the status and plans for every risk. For this reason, some projects may decide to document some reporting information in the risk register, including which team members and stakeholders should be contacted if a risk occurs. No matter which method is used, the main goal is to keep project team members informed of risk status, using each person’s preferred communication method.


Note

For details about project communication, see Chapter 9, “Communication Methods and Influences,” and Chapter 10, “Communication Triggers and Target Audiences.”


Risk Strategies

Once project risks are identified, analyzed, and prioritized, the project team working with stakeholders and the project sponsor must determine the risk strategy that will be applied to each risk. Risk strategies vary based on whether the risk is positive (a desirable event that the project wants to occur) or negative (an undesirable event that the project should prevent):

• Responses for negative risks: Accept the risk, mitigate the risk, transfer the risk, or avoid the risk.

• Responses for positive risks: Accept the risk, exploit the risk, enhance the risk, or share the risk.

The following sections describe these responses and provide examples of each.


Note

This chapter covers a few more risk strategies than those listed in the Project+ objectives. CompTIA’s objective listing includes the following statement:

The lists of examples provided in bulleted format below each objective are not exhaustive lists. Other examples of technologies, processes, or tasks pertaining to each objective may also be included on the exam although not listed or covered in [the objectives].

Based on the author’s real-world experience, and to give the reader a broader understanding of risk strategies, this chapter discusses all of the risk strategies that are recognized in most project management documentation.


Bear in mind that future risk reviews may result in a decision to change the risk status after more information has been obtained about the risk. No risk strategy is written in stone, and a risk that was previously accepted can quickly become unacceptable based on new data. All project management documents are living documents and should be edited as project changes are identified.
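A risk register kept as data, with the probability and impact score, prioritization of open risks, and a review check that each open risk has a response strategy valid for its type. This is an added example, not from the book; the 1-5 scales, band thresholds, risk numbers, owners, and sample entries are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Response strategies per risk type, as listed in this chapter.
STRATEGIES = {
    "negative": {"accept", "mitigate", "transfer", "avoid"},
    "positive": {"accept", "exploit", "enhance", "share"},
}

@dataclass
class Risk:
    number: str                # unique identifier
    description: str
    responsibility: str        # who handles the risk
    kind: str                  # "negative" (threat) or "positive" (opportunity)
    probability: int           # assumed ordinal scale: 1 (rare) .. 5 (almost certain)
    impact: int                # assumed ordinal scale: 1 (minor) .. 5 (severe)
    strategy: Optional[str] = None
    status: str = "open"       # open, closed, or moved to issue

    @property
    def score(self) -> int:
        # One cell of the probability and impact matrix.
        return self.probability * self.impact

def band(score: int) -> str:
    # Assumed thresholds; an organization would set its own.
    if score >= 15:
        return "high"
    return "medium" if score >= 6 else "low"

def validate(risk: Risk) -> list[str]:
    """Return the problems a risk review should raise for one register entry."""
    problems = []
    for name in ("probability", "impact"):
        if not 1 <= getattr(risk, name) <= 5:
            problems.append(f"{name} outside the 1-5 scale")
    allowed = STRATEGIES.get(risk.kind)
    if allowed is None:
        problems.append(f"unknown risk type '{risk.kind}'")
    elif risk.strategy is None:
        problems.append("no response strategy planned")
    elif risk.strategy not in allowed:
        problems.append(f"'{risk.strategy}' is not a strategy for {risk.kind} risks")
    return problems

def prioritize(register: list[Risk]) -> list[Risk]:
    """Open risks, highest score first; ties broken by risk number."""
    open_risks = [r for r in register if r.status == "open"]
    return sorted(open_risks, key=lambda r: (-r.score, r.number))

def review(register: list[Risk]) -> dict[str, list[str]]:
    """Map risk number to problems, for open risks that have any."""
    findings = {}
    for risk in register:
        problems = validate(risk) if risk.status == "open" else []
        if problems:
            findings[risk.number] = problems
    return findings

# Constructed sample entries, loosely based on the chapter's examples.
SAMPLE_REGISTER = [
    Risk("R-001", "Web server overloaded", "Ops lead", "negative", 4, 4, "mitigate"),
    Risk("R-002", "Earthquake damages building", "PM", "negative", 1, 5, "accept"),
    Risk("R-003", "Cheaper production technique", "PM", "positive", 3, 4, "mitigate"),
    Risk("R-004", "Supplier delivery delays", "Buyer", "negative", 3, 3),
    Risk("R-005", "Vendor contract lapses", "Buyer", "negative", 5, 5, "avoid", "closed"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.number} {band(r.score):6} score={r.score:2} {r.description}")
    for number, problems in review(SAMPLE_REGISTER).items():
        print(f"{number}: {'; '.join(problems)}")
```
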

Accept Risk

Risk acceptance is a risk strategy for both negative and positive risks. With this strategy, the project team acknowledges the risk but decides not to take any action. For negative risks, accepting the risk is usually chosen when there are no cost-effective methods or suitable response strategies for dealing with the risk. For positive risks, accepting the risk is usually chosen when the team decides not to pursue the opportunity.

EXAMPLE: A project team identifies an earthquake as a negative risk as part of a building remodeling project. With research, the team finds that the likelihood of an earthquake is very low in that area, and remodeling the building to make it earthquake-proof is both cost-prohibitive and not required by local building codes. In this instance, the project team may decide to accept the risk of damage caused by an earthquake.

Mitigate Risk

Risk mitigation is a risk strategy for negative risks whereby the project team reduces the probability that the risk will occur or lessens the projected impact of the risk.

EXAMPLE: A new web server development project identifies the negative risk that the server will become overloaded, causing performance issues. To mitigate this risk, the project team decides to deploy a web server farm.

Options for mitigating risk include strategies such as developing prototypes before committing to production, adopting simpler processes to reduce user error, implementing more tests, choosing a more stable procurement supplier, and so on. Mitigation doesn’t prevent a risk from occurring, but rather limits the effect of the risk if it does occur.

Transfer Risk

Risk transference is a risk strategy for negative risks whereby the risk impact is shifted to another party. This risk strategy almost always involves payment to the other party for taking on the risk. Purchasing insurance is probably the most well-known risk transference method.

EXAMPLE: Company A needs an online e-commerce site. Because the company does not have the manpower or expertise needed to create and manage the site, company A decides to outsource the development and management of the site to company B, a vendor specializing in this type of work. This strategy transfers the majority of the risk for the e-commerce site from company A to company B.

Avoid Risk

Risk avoidance is a risk strategy for negative risks whereby the project team eliminates the risk or protects the project from the risk. The most popular method of this strategy is to edit the project management plan to remove the threat entirely from the project, but this option is not always possible. The most drastic risk avoidance method is to shut down the project.

EXAMPLE: A project planned to use a supplier in a third-world country, but delivery delays from the source have become probable due to political unrest. To avoid the risk, the project team may decide not to purchase from suppliers in unstable or dangerous countries. They could even take it a step further and decide to purchase only from suppliers in the same country where the project is taking place.

Exploit Risk

Risk exploitation is a risk strategy for positive risks whereby the project team ensures that the risk occurs.

EXAMPLE: A bakery is working on a new dessert offering. During development, a new production technique is discovered that could reduce the cost of producing the dessert by 20%. To exploit this opportunity, the project manager ensures that team members are trained in using the new technique.

Enhance Risk

Risk enhancement is a risk strategy for positive risks whereby the project team identifies the key drivers that affect a risk and adjusts them to increase the probability of the risk.

EXAMPLE: A project team identifies a single task in the critical path that could trim an entire month off the project schedule with the help of one additional team member. The project manager decides to add that resource to allow the project to finish early.

Share Risk

Risk sharing is a risk strategy for positive risks whereby partial ownership of the risk is allocated to a third party.

EXAMPLE: A project that is worth pursuing would require Agile development practices. Because the project team has no Agile experts, the team decides to partner with a company that specializes in Agile development so that both companies can benefit from the new project.

Exam Preparation Tasks

As mentioned in the section “How To Use This Book” in the Introduction, you have several choices for exam preparation: the exercises here; Chapter 15, “Final Preparation”; and the Pearson Test Prep practice test software online.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 8-2 provides a reference of these key topics and the page number on which each begins.

Table 8-2 Key Topics for Chapter 8

| Key Topic Element | Description | Page Number |
|---|---|---|
| Section | Overview of risk activities | 151 |
| Section; steps; list | Discussion of the risk planning process; relationship between risk planning and the risk management plan | 151 |
| Section; list | Techniques for risk identification | 152 |
| Section; example | Overview of risk quantification, qualitative and quantitative risk analysis, and risk prioritization | 153 |
| Section | Overview of risk response planning | 154 |
| Section; Figures 8-1a, 8-1b, 8-1c; lists | Definition and example of risk register | 155 |
| Sections; list; examples | Overview and examples of risk strategies, negative risks, positive risks, and possible risk responses | 160 |

Define Key Terms

Define the following key terms from this chapter and check your answers in the Glossary:

risk

risk cause

risk impact

risk appetite

risk tolerance

risk activities

risk planning

contingency reserve

management reserve

risk management plan

risk identification

risk quantification

qualitative risk analysis

quantitative risk analysis

risk prioritization

risk response planning

risk trigger

risk review

risk register

risk communication

positive risk

negative risk

risk acceptance

risk mitigation

risk transference

risk avoidance

risk exploitation

risk enhancement

risk sharing

Review Questions

The answers to these questions appear in Appendix A. For more practice with sample exam questions, use the Pearson Test Prep practice test software online.

1. You are the project manager for a project to redesign the shelving solutions for your company’s jewelry products. These solutions will be sent to retail stores. As part of the project planning, you work with the team members and stakeholders to brainstorm potential pitfalls to the project. Which risk activity is this group working on?

a. risk quantification

b. risk identification

c. risk review

d. risk response

2. A project team is currently working to assign numerical values to all project risks. Which process are they completing?

a. risk identification

b. qualitative risk analysis

c. quantitative risk analysis

d. risk prioritization

3. As a project manager, you are responsible for managing all project risks. Recently you discovered that there is a much higher probability that one of the identified risks will occur. What should you do?

a. Add the risk to the risk register.

b. Perform risk quantification for the risk.

c. Change the risk response.

d. Adjust the risk’s probability in the risk register.

4. You are hired to take over managing a project. You are concerned that the original risk planning process did not identify all the project risks. What should you do?

a. Perform risk review.

b. Perform risk identification.

c. Perform risk quantification.

d. Perform risk planning.

5. Which project document lists all information about the identified project risks?

a. risk management plan

b. probability and impact matrix

c. risk strategies

d. risk register

6. You are the project manager for a project to design packaging for your company’s giftware line. A mitigation has been discovered for one of the identified risks. However, the mitigation will likely be more expensive than the cost of the risk occurring. Which risk strategy should be selected?

a. risk mitigation

b. risk acceptance

c. risk transference

d. risk avoidance

7. You are the project manager for a project to create a new storage area network for your company. One of the identified risks is that access to the network will fail. The project sponsor decides to implement a redundant network backbone to ensure accessibility. Which risk strategy is this project using?

a. risk transference

b. risk acceptance

c. risk mitigation

d. risk avoidance

8. Which of the following options is an example of risk transference?

a. purchasing builders’ risk insurance

b. bringing in a third party to help complete a project

c. deploying a server farm instead of a single server

d. taking actions to ensure that the risk does not occur

9. What are the four risk strategies for handling positive risks?

a. accept, mitigate, transfer, avoid

b. accept, exploit, enhance, share

c. accept, enhance, transfer, share

d. accept, enhance, mitigate, transfer

10. A team member discovers that a current project at your company could be completed much faster by using a certain proprietary technology. If you approach the technology’s supplier with a plan to work with the supplier to complete your project and share its advantages, which type of risk strategy are you employing?

a. risk exploitation

b. risk enhancement

c. risk sharing

d. risk acceptance
