Chapter 11

Risk Management

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 Risk Management
• Is an event with some degree of uncertainty
Risk •“A discrete occurrence that may affect the project for good or bad.”

Pure Risk or Insurable Business Risk

• Pure risk is an insurance risk Only a risk of loss • Risk of a gain or loss.
(e.g., fire, theft, personal injury)

Name Created For Example

Can Be Calculated Known - Known
•The risk is known and its consequences
Contingency Reserves Known – UnKnown •Something costing more than estimated
• Taking longer than planned
• Scope Creep
Management Reserves UnKnown–UnKnown •Something you cannot envision
happening on a project such as natural
disaster
• “An uncommon state of nature, characterized by the absence of
Uncertainty any information related to a desired outcome.”

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 PROJECT RISK MANAGEMENT
 Project Risk Management includes the processes of conducting risk management to
increase the probability and impact of positive events, and decrease the probability
and impact of negative events in the project.
11.1 Plan Risk Management
The process of defining how to conduct risk management activities for a project.

11.2 Identify Risks

The process of identifying individual project risks as well as sources of overall
project risk, and documenting their characteristics.

11.3 Perform Qualitative Risk Analysis

The process of prioritizing individual project risks for further analysis or action by
assessing their probability of occurrence and impact

11.4 Perform Quantitative Risk Analysis

The process of numerically analyzing the combined effect of identified
individual project risks & on overall project objectives.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
PROJECT RISK MANAGEMENT
11.5 Plan Risk Responses
The process of developing options, selecting strategies, and agreeing on actions
to address overall project risk exposure, as well as to treat individual project
risks.

11.6 Implement Risk Responses

The process of implementing agreed-upon risk response plans.

11.7 Monitor Risks

The process of
 monitoring the implementation of agreed-upon risk response plans,
 tracking identified risks,
 identifying and analyzing new risks, and
 evaluating risk process effectiveness throughout the project.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
KEY CONCEPTS FOR PROJECT RISK MANAGEMENT
 Risk exists at two levels within every project:
 Individual project risk is an uncertain event or condition that, if it occurs,
has a positive or negative effect on one or more project objectives.

 Overall project risk is the effect of uncertainty on the project as a whole,

 Risk is initially addressed during project planning by shaping the project

strategy.

 Risk should also be monitored and managed as the project progresses to

ensure that the project stays on track and emergent risks are addressed.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
  In order to manage risk effectively, the project team needs to know what
level of risk exposure is acceptable in pursuit of the project objectives.

 This is defined by measurable risk thresholds that reflect the risk appetite
of the organization and project stakeholders.

 Risk thresholds express the degree of acceptable variation around a

project objective.
TRENDS AND EMERGING PRACTICES IN PROJECT RISK MANAGEMENT
 Non-event risks.
Most projects focus only on risks that are uncertain future events that may or
may not occur.
Examples of event-based risks include:
 a key seller may go out of business during the project,
 the customer may change the requirement after design is complete or

There is an increasing recognition that non-event risks need to be identified

and managed
www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 There are two main types of non-event risks:
Variability risk.
Uncertainty exists about some key characteristics of a planned event or
activity or decision.
Examples of variability risks include:
 productivity may be above or below target,
 the number of errors found during testing may be higher or lower
than expected, or
 unseasonal weather conditions may occur during the
construction phase.
Variability risks can be addressed using Monte Carlo analysis,

Ambiguity risk.
Uncertainty exists about what might happen in the future.
Areas of the project where imperfect knowledge might affect the project’s
ability to achieve its objectives include:
 elements of the requirement or technical solution,
 future developments in regulatory frameworks, or
 inherent systemic complexity in the project.
Can be addressed through incremental development, prototyping, or simulation.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 Project resilience.
The existence of emergent risk is becoming clear, with a growing awareness
of so-called unknowable-unknowns.

These are risks that can only be recognized after they have occurred.

Emergent risks can be tackled through developing project resilience.

TAILORING CONSIDERATIONS
Because each project is unique, it is necessary to tailor the way Project Risk
Management processes are applied.
Considerations for tailoring include but are not limited to:
 Project size.
 Project complexity.
 Project importance.
 Development approach. (a waterfall project, (sequentially and iteratively), or
an agile approach ( addressed at the start of each iteration as well as during
its execution)

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.1 Plan Risk Management

11.1.3 PLAN RISK MANAGEMENT: OUTPUTS

11.1.3.1 RISK MANAGEMENT PLAN

 Risk strategy. Describes the general approach to managing risk on this

project.

 Methodology. Defines the specific approaches, tools, and data sources that
will be used to perform risk management on the project.
www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
11.1 Plan Risk Management
11.1.3 PLAN RISK MANAGEMENT: OUTPUTS
11.1.3.1 RISK MANAGEMENT PLAN

 Roles and responsibilities. (Risk Owner)

 Funding.
 Timing.
 Risk categories.
 Stakeholder risk appetite.
 Definitions of risk probability and impacts.
 Probability and impact matrix.
 Reporting formats.
 Tracking.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.1 PLAN RISK MANAGEMENT
11.1.3 PLAN RISK MANAGEMENT: OUTPUTS
11.1.3.1 RISK MANAGEMENT PLAN

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.1 Plan Risk Management
11.1.3 PLAN RISK MANAGEMENT: OUTPUTS
11.1.3.1 RISK MANAGEMENT PLAN
 Definitions of risk probability and impacts.

The number of levels reflects the degree of detail required for the Project Risk
Management process, with more levels used for a more detailed risk approach
(typically five levels), and fewer for a simple process (usually three).

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
11.1 Plan Risk Management
11.1.3 PLAN RISK MANAGEMENT: OUTPUTS
11.1.3.1 RISK MANAGEMENT PLAN
 Probability and impact matrix.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.2 IDENTIFY RISKS
The key benefit of this process is the documentation of existing individual
project risks and the sources of overall project risk.
It also brings together information so the project team can respond
appropriately to identified risks.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.2 IDENTIFY RISKS
11.2.2 IDENTIFY RISKS: TOOLS AND TECHNIQUES
11.2.2.2 DATA ANALYSIS
 Assumption and constraint analysis.
Every project and its project management plan are conceived and developed
based on a set of assumptions and within a series of constraints.

Threats may be identified from the inaccuracy, instability, inconsistency, or

incompleteness of assumptions.

Constraints may give rise to opportunities through removing or relaxing a

limiting factor that affects the execution of a project or process.

 SWOT analysis.
This technique examines the project from each of the
strengths, weaknesses, opportunities, and threats (SWOT)
perspectives and increase the breadth of identified risks by including internally
generated risks.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.2 IDENTIFY RISKS
11.2.2 IDENTIFY RISKS: TOOLS AND TECHNIQUES
11.2.2.5 PROMPT LISTS

A Prompt list is a predetermined list of risk categories that might give rise to
individual project risks and that could also act as sources of overall project
risk.

The risk categories in the lowest level of the risk breakdown structure can be
used as a prompt list for individual project risks.

Some common strategic frameworks are more suitable for identifying

sources of overall project risk, for example:

 PESTLE (political, economic, social, technological, legal, environmental),

 TECOP (technical, environmental, commercial, operational, political), or

 VUCA (volatility, uncertainty, complexity, ambiguity).

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.2.2 IDENTIFY RISKS: OUTPUTS
11.2.3.1 RISK REGISTER
The risk register captures details of identified individual project risks.
The results of
 Perform Qualitative Risk Analysis,
 Plan Risk Responses,
 Implement Risk Responses, and
 Monitor Risks
are recorded in the risk register as those processes are conducted
throughout the project.

 List of identified risks.

Each individual project risk is given a unique identifier in the risk register. Identified risks
are described in as much detail as required to ensure unambiguous understanding.
A structured risk statement may be used to distinguish risks from their cause(s) and their
effect(s).
 Potential risk owners.
The risk owner is recorded in the risk register.
This will be confirmed during the Perform Qualitative Risk Analysis process.
 List of potential risk responses.
It is recorded in the risk register.
This will be confirmed during the Plan Risk Responses process.
www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.3 PERFORM QUALITATIVE RISK ANALYSIS

Perform Qualitative Risk Analysis is the process of prioritizing individual project

risks for further analysis or action by assessing their probability of occurrence and
impact.
The key benefit of this process is that it focuses efforts on high-priority risks.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.3 PERFORM QUALITATIVE RISK ANALYSIS
11.3.2 PERFORM QUALITATIVE RISK ANALYSIS: TOOLS AND TECHNIQUES
11.3.2.3 DATA ANALYSIS
 Risk data quality assessment.
Risk data quality assessment evaluates the degree to which the data about
individual project risks is accurate and reliable as a basis for qualitative risk analysis.
 Risk probability and impact assessment.
Risk probability assessment considers the likelihood that a specific risk will occur.

 Assessment of other risk parameters.

 Urgency.
The period of time within which a response to the risk is to be implemented
in order to be effective. A short period indicates high urgency.
 Proximity.
The period of time before the risk might have an impact on one or more
project objectives. A short period indicates high proximity.
 Dormancy.
The period of time that may elapse after a risk has occurred before its impact
is discovered. A short period indicates low dormancy.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 Manageability.
The ease with which the risk owner (or owning organization) can manage the occurrence or
impact of a risk. Where management is easy, manageability is high.

 Controllability.
The degree to which the risk owner (or owning organization) is able to control the risk’s
outcome. Where the outcome can be easily controlled, controllability is high.

 Detectability.
The ease with which the results of the risk occurring, or being about to occur, can be detected
and recognized. Where the risk occurrence can be detected easily, detectability is high.

 Connectivity.
The extent to which the risk is related to other individual project risks.
Where a risk is connected to many other risks, connectivity is high.

 Strategic impact.
The potential for the risk to have a positive or negative effect on the organization’s strategic
goals. Where the risk has a major effect on strategic goals, strategic impact is high.

 Propinquity.
The degree to which a risk is perceived to matter by one or more stakeholders. Where a risk is
perceived as very significant, propinquity is high.
www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.3 PERFORM QUALITATIVE RISK ANALYSIS
11.3.2 PERFORM QUALITATIVE RISK ANALYSIS: TOOLS AND TECHNIQUES
11.3.2.5 RISK CATEGORIZATION
Risks to the project can be categorized by
 sources of risk (e.g., using the risk breakdown structure (RBS); the
 area of the project affected (e.g., using the work breakdown structure (WBS); or
11.3.2.6 DATA REPRESENTATION
 Hierarchical charts.
Where risks have been categorized using more than two parameters, the
probability and impact matrix cannot be used and other graphical representations
are required

For example, a bubble chart

displays three dimensions of
data,
- each risk is plotted as a disk
(bubble), and the
- three parameters are
represented by the x-axis
value, the y-axis value, and
the bubble size.
www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.4 PERFORM QUANTITATIVE RISK ANALYSIS

The key benefit of this process is that it quantifies overall project risk
exposure, and it can also provide additional quantitative risk information to
support risk response planning.

Perform Quantitative Risk Analysis is not required for all projects.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.4 PERFORM QUANTITATIVE RISK ANALYSIS
11.4.2 PERFORM QUANTITATIVE RISK ANALYSIS: TOOLS AND TECHNIQUES
11.4.2.5 DATA ANALYSIS
 Sensitivity analysis.
Sensitivity analysis helps to determine which individual project risks have the
most potential impact on project outcomes.
One typical display of sensitivity analysis is the tornado diagram,
Items are ordered by descending strength of correlation, giving the typical tornado appearance.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
  Decision tree analysis
Decision trees are used to support selection of the best of several
alternative courses of action.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.5 PLAN RISK RESPONSES
Plan Risk Responses is the process of developing options, selecting strategies,
and agreeing on actions to address overall and individual project risk exposure.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
11.5 PLAN RISK RESPONSES
Specific actions are developed to implement the agreed-upon risk response
strategy, including primary and backup strategies, as necessary.

A contingency plan (or fallback plan) can be developed for implementation

 if the selected strategy turns out not to be fully effective or
 if an accepted risk occurs.

Secondary risks are risks that arise as a direct result of implementing a risk
response.
A contingency reserve is often allocated for time or cost. If developed, it
may include identification of the conditions that trigger its use.
11.5.2 PLAN RISK RESPONSES: TOOLS AND TECHNIQUES
11.5.2.4 STRATEGIES FOR THREATS
 Escalation
is appropriate when the project team or the project sponsor agrees that a
 threat is outside the scope of the project or that the
 proposed response would exceed the project manager’s
authority.
www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.5.2 PLAN RISK RESPONSES: TOOLS AND TECHNIQUES
11.5.2.4 STRATEGIES FOR THREATS
 Escalation
Escalated risks are
 managed at the program level, portfolio level, or organization, and
 not on the project level.
The project manager determines who should be notified about the threat and
communicates the details to that person or part of the organization
Escalated threats are not monitored further by the project team after
escalation, although they may be recorded in the risk register for information
 Avoid.
Risk avoidance is when the project team acts to eliminate the threat or
protect the project from its impact.
 Transfer. Transfer involves shifting ownership of a threat to a third party
to manage the risk and to bear the impact if the threat occurs.
 Mitigate.
In risk mitigation, action is taken to reduce the probability of occurrence
and/or impact of a threat.
www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.5.2 PLAN RISK RESPONSES: TOOLS AND TECHNIQUES
11.5.2.4 STRATEGIES FOR THREATS
 Accept.
Risk acceptance acknowledges the existence of a threat, but no proactive action
is taken.

This strategy may be appropriate for low-priority threats, and it may also be
adopted where it is not possible or cost-effective to address a threat in any other
way.

Acceptance can be either active or passive.

Active acceptance strategy is to establish a contingency reserve, including

amounts of time, money, or resources to handle the threat if it occurs.

Passive acceptance involves no proactive action apart from periodic review of

the threat to ensure that it does not change significantly.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.5.2 PLAN RISK RESPONSES: TOOLS AND TECHNIQUES
11.5.2.5 STRATEGIES FOR OPPORTUNITIES
 Escalate.
 Exploit
assigning an organization’s most talented resources to the project to reduce
the time to completion, or using
 new technologies or technology upgrades to reduce cost and
duration.
 Share
Sharing involves transferring ownership of an opportunity to a third party so
that it shares some of the benefit if the opportunity occurs.
 Enhance.
The enhance strategy is used to increase the probability and/or impact of an
opportunity.
Examples of enhancing opportunities include adding more resources to an
activity to finish early.
 Accept.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.6 IMPLEMENT RISK RESPONSES

Implement Risk Responses is the process of implementing agreed-upon risk

response plans.
The key benefit of this process is that it ensures that agreed-upon risk
responses are executed as planned in order to address overall project risk
exposure, minimize individual project threats, and maximize individual project
opportunities.

Common problem with Project Risk Management is that project teams spend effort
in identifying and analyzing risks and developing risk responses, then risk
responses are agreed upon and documented in the risk register and risk report,
but no action is taken to manage the risk.
www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 11.7 MONITOR RISKS

Monitor Risks is the process of monitoring the implementation of agreed-upon risk

response plans, tracking identified risks, identifying and analyzing new risks,
and evaluating risk process effectiveness throughout the project.

The key benefit of this process is that it enables project decisions to be based on
current information about overall project risk exposure and individual project risks.

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 Work Shop 1

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
1 Which of the following processes assesses the likelihood of risk occurrences and their
consequences using a numerical rating?
A. Qualitative Risk Analysis
B. Risk Identification
C. Quantitative Risk Analysis
D. Risk Response Planning
2 A project manager managing any project should perform risk analysis with his or her
project team:
a. Just before any major meeting with the client
b. On a regular basis throughout the project.
c. Only when justified by the awareness of new risks becoming a possibility
d. When preparing the project plan
3 The effect of uncertainty on the project as a whole is called:
a. Individual project risk
b. Overall project risk.
c. Regular project risk
d. Qualitative project risk

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
4 Which of the following best describe the uncertain event or condition that, if it occurs,
has a positive or negative effect on one or more project objectives?
a. Individual project risk
b. Overall project risk.
c. Phase project risk
d. Quantitative project risk
5 You as professional project manager decided to prioritizing individual project risks for
further analysis or action by assessing their probability of occurrence and impact, Which
process should be performed that can help you in such decision?
A. Perform Qualitative risk analysis
B. Perform Quantitative risk analysis
C. Monitor risks
d. Implement Risk Responses
6 Which of the following can be considered as an output from Identify risk process?
A. Risk management plan
B. Risk report
C. Prompt lists
d. Representations of uncertainty

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 7 Your hardware vendor left you a voicemail saying that a snowstorm in the Midwest might
prevent your equipment from arriving on time. She wanted to give you a heads-up and
asked that you return the call. Which of the following statements is true? (Choose the best
answer.)
A. This is a trigger.
B. This is a contingency plan.
C. This is a residual risk.
D. This is a secondary risk.
8 A project manager is dealing with risk analysis on a software development project. There
is a risk that the module that creates the most important report that the system will create
will not work properly and will require 200 person-hours to correct. The project manager
decides to do nothing about this risk. Which of the following risk strategies is the project
manager employing?
A Acceptance
B. Avoidance
C. Mitigation
D. Deflection

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
9 A project manager is faced with making a decision about a risk that the team has identified.
The risk involves the design of a bicycle. It has been found that the neck of the bicycle, where
the steering bearing is located and the two supporting bars of the frame come together, will
corrode in a high salt environment. If this takes place the neck may fail and injure the rider.
The project team decides that the design of the bicycle should be modified by using corrosion
resistant materials in the design of the neck. This will eliminate the risk from consideration.
This technique is called:
A. Risk avoidance
B. Risk acceptance
C. Risk rejection
D. Risk deflection
10 Which of these is a valid response to negative risks and not positive risks?
A. Exploit
B. Mitigation
C. Enhance
D. Share

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
11 Your hardware vendor left you a voicemail saying that a snowstorm in the Midwest will
prevent your equipment from arriving on time. You identified a risk response strategy for this
risk and have arranged for a local company to lease you the needed equipment until yours
arrives.
This is an example of which risk response strategy?
A. Transfer
B. Acceptance
C. Mitigate
D. Avoid

12 The project management institute decided to hold their annual meeting in New Orleans,
Louisiana. This conference represents a substantial amount of PMI’s operating budget for the
year. PMI identified a risk of hurricanes during the month of September when the conference
was to be held. PMI decided to purchase convention insurance to offset the loss of convention
revenue if a hurricane caused cancellation of the conference. This is a risk management
strategy called:
a. Avoidance
b. Deflection
c. Acceptance
d. Mitigation
www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
13 Which of these is accurate regarding risk management?
A. Organizations are not likely to perceive risk as a threat to project success
B. It has its origins in the uncertainty present in all projects
C. The attitudes of individuals and organizations must not be a factor affecting risk
management
D. It is a passive activity in project management
14 If a project has a 60% chance of a U.S. $100,000 profit and a 40% chance of a U.S.
$100,000 loss, the expected monetary value of the project is?
A. $20,000 profit
B. $40,000 loss
C. $100,000 profit
D. $60,000 loss
15 Which of the following is appropriate risk response plan when the project team or the
project sponsor agrees that a threat is outside the scope of the project or that the proposed
response would exceed the project manager’s authority.
A. Acceptance
B. Mitigation
C. Avoidance
D. Exploit
www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP
 End of Chapter 11

www.ProjacsaAcademy.com Eng. Ali Kortam ACIArb., PfMP, CPD, PMP, MSc., CCP,PSP