Hello and welcome back to our PMP series. In the previous posts, we discussed project scope management, project time management, project cost management, project quality management, project human resource management, and project communication management. In this article, we will explore another project management knowledge area – project risk management.

Project risk management is the area of project management that deals with the identification, analysis and mitigation of risks that can occur on projects. Remember our definition of a project? A project is a temporary endeavor undertaken to produce a unique product, service or result. This definition shows it is a risky endeavor. Since every project is unique, there are often many uncertainties surrounding it. The limited time and cost for each project also increase its risk.

A project risk is an event that, if it occurs, can have a positive or negative impact on the scope, cost, time and quality of the project. Risks usually have causes and if they occur, they can have multiple impacts. As a project manager, it is your job to plan for these risks, identify and prioritize them, and ensure that adequate responses are provided. The goal here is to minimize the effects of these risks so they do not negatively affect the time, scope, cost and performance of the project.

Different organizations have different attitudes towards risk. These risk attitudes are broadly classified into three categories:

  1. Risk appetite: the degree of uncertainty an organization is willing to take in anticipation of a reward.
  2. Risk thresholds: the level of impact at which a stakeholder’s (whether an individual or an organization) reaction to a risk would change. For example, risks below a specific threshold can be accepted while risks above the threshold would not be tolerated.
  3. Risk tolerance: the volume of uncertainty an organization (or individual) will withstand.

Note: Many people think risks are negative. This is not entirely true. In fact, the only attribute that makes an event a risk is its uncertainty. Positive risks are called opportunities while negative risks are called threats. When responding to risks, it is the project manager’s job to maximize the opportunities and minimize the threats.

The project risk management knowledge area of the project management body of knowledge consists of six processes listed below:

  1. Plan risk management
  2. Identify risks
  3. Perform qualitative analysis
  4. Perform quantitative analysis
  5. Plan risk responses
  6. Control risks

We will explore the inputs, tools and techniques and outputs (ITTOs) of the first three risk management processes in the rest of this article and explore the remaining three in the next articles.

Plan Risk Management

In this process, the risk management activities are defined, and the major output of this process is a risk management plan. This process should be started when the project is conceived and continued through the project. The goal here is to increase the probability of the success of other risk management processes.

The major inputs to this process are the project charter (the document which appoints the project manager and provides a high-level description of the project), the project management plan (which includes the schedule, scope and cost baselines), and the stakeholder register (which contains all the project stakeholders and their roles). Other inputs include generic organizational information relevant to risk management.

In planning risk management, the project manager must analyze the various risk attitudes (risk appetite, thresholds, and tolerances) of stakeholders in order to determine the appropriate resources and risk management activities required for the project.

Another important tool and technique for planning risk management is expert judgment. Since the project manager does not have expert knowledge about all aspects of the project, subject matter experts must be consulted in order to obtain their input about risk management activities and their impact on the overall project.

The risk management plans are defined during project team meetings. This makes it easier to simultaneously obtain information from various subject matter experts and to discuss the impact of one risk plan on other aspects of the project. Also, the meetings serve as an introduction of the high level risk management plans to the project team members.

The risk management plan should include risk management methods, roles and responsibilities, and budgets. It also provides risk categories and a method for ranking their probabilities and impacts. Finally, it provides the standard for reporting and tracking risk items.

Identify Risks

The risk identification process involves determining and documenting the risks that can affect project events. This helps the project team to anticipate uncertainties.

The inputs to this process include key elements of the project management plan such as the risk, cost, quality, human resource and schedule management plans, and scope baseline. Other inputs include the stakeholder register, procurement documents and all other project documents that can provide insights about the risks that a project may face.

To identify risks, the project documents should be reviewed. Also, information gathering methods should be employed. Some of the recommended information gathering techniques include:

  1. Brainstorming: This involves bringing together a multi-disciplinary team of experts, coordinated by a facilitator (usually the project manager) to generate ideas that are used to identify and categorize the risks that might occur on a project.
  2. Delphi Technique: This is a way to gather consensus of experts by seeking their opinions independently. The goal here is to ensure that the experts are not influenced by the decisions of other experts so as to eliminate bias.
  3. Interviewing: This involves performing one-on-one interviews with stakeholders to identify risks.
  4. Root cause analysis: This involves analyzing a problem to determine the underlying causes of the problem and to determine if these causes are still project risks that should be documented.

Aside from document review and information gathering techniques, other tools and techniques for risk identification include checklist analysis (using lessons learned from previous projects), assumption analysis (reviewing the key hypotheses that form the basis of project assumptions), SWOT analysis (analysis of the strengths, weaknesses, opportunities and threats), and diagramming techniques. Some diagramming techniques include:

  1. Cause and effect diagram: Remember fishbone or Ishikawa diagrams? Check out the quality management article for a reminder.
  2. System or flow charts: They are used to show the order of operation of activities. We also explored this under quality management.
  3. Influence diagrams: These are diagrammatic representations showing causal influences and relationships between various variables and outcomes. An example of an influence diagram is shown below:

    Fig 1: Influence Diagram (Source: PMBOK 5th Edition)

The output of this process is the risk register, which contains lists of identified risks and a list of potential responses to these risks in case they occur.

Perform Qualitative Risk Analysis

The qualitative risk analysis involves prioritizing risks for further analysis (quantitative analysis) or action. The key here is to determine the most important risks so the project team can focus their attention on those risks. This is done by determining the probability of occurrence of the risks and their impact on the project.

The major inputs of the qualitative risk analysis process are the identified risks (in the risk register), the project management plans and the scope baseline. Other inputs can include industry studies and prior information from previous projects.

To perform qualitative risk analysis, a probability and impact assessment must be carried out for each of the identified risks. The probability of a risk is the likelihood of occurrence of the risk while the impact of the risk is its potential effect on the project objectives, such as cost, quality or schedule.

Often, a probability and impact matrix (a 2×2 matrix that contains probabilities and their impact) can be used to prioritize the risks. A risk data quality assessment is also performed to evaluate the degree of usefulness of the data that forms the basis of the qualitative analysis. The risks can also be categorized using the resource breakdown structure and work breakdown structure of the project phases. Sometimes an urgency assessment might be carried out to determine risks that require immediate responses. All these assessments and categorizations come with input from subject matter experts about the risk topic.

The qualitative risk analysis process results in an updated risk register, which contains the probability and impacts of the risk, risk categories, urgent risks and a watch-list for low risks.

These are the first three processes in the risk management knowledge area. In the next post, we will explore the remaining three processes.

Further Reading

  1. A Guide to the Project Management Body of Knowledge: PMBOK Guide. Project Management Institute.