This is the second part of a 2-part article on project risk management. In the previous post, we started to examine Project Risk Management and discussed the first three processes that make up the knowledge area (plan risk management, risk identification and qualitative risk analysis). You can view the post here. In this post we will conclude the knowledge area by examining the quantitative risk analysis, risk response planning and control risk processes. We will examine the inputs, tools and techniques, and outputs of these processes. So, let’s get right to it.

Perform Quantitative Risk Analysis

In the previous article, we explored how to identify risks on the project and categorize them qualitatively so as to focus on the most important ones. This process involves quantifying (using numbers to analyze) the effect of the risks on the overall project objectives. It is not uncommon to have risks that have effects that cannot be accurately measured (or even estimated), and in this case, a project manager has to decide how much time and effort can be spent exploring these risks.

The major inputs to this process include the risk register (which contains the categorized risks), the risk management plan, and the cost and schedule management plans. Other inputs to this process include external factors in the industry and internal organization information from prior projects.

In performing quantitative risk analysis, the project manager needs to seek expert opinion on all the subjects of importance to the project. The experts validate the integrity of the data and tools that are used in the analysis process and they also provide insight that can help to plan the responses to the risks.

Aside from expert judgment, the other tools and techniques used for quantitative risk analysis are divided into two groups:

  1. Data gathering and representation techniques: This involves interviews (which are used to obtain information that can help determine how to quantify the probability and impact of risks) and probability distributions. Probability distributions are used to represent the outcomes of uncertain events. Some common distributions that are used include the normal distribution, the triangular distribution and the beta distribution.
  2. Quantitative risk analysis and modeling techniques. Some of these techniques include:
    1. Sensitivity analysis: As the name implies, a sensitivity analysis attempts to determine which of the risks has the most impact on the project. This is usually represented diagrammatically using a special kind of bar chart called a tornado diagram. This kind of chart (see figure below) can be created using Microsoft Excel or some other specialized software like TopRank.

      Figure 1: Example of Tornado Diagram (Source: PMBOK)

    2. Expected Monetary Value Analysis: The EMV analysis shows the expected monetary outcomes of future decisions that can occur due to uncertainties. The easiest way to represent EMV is through decision trees, with each branch of the tree showing the possible outcome and the overall impact on the project based on the probability of the risks. An example of a decision tree is also shown below:

Decision trees can be generated using specialized software that integrates easily into Excel, such as TreePlan, Precision Tree, etc.

    3. Modeling and simulations: The first two tools analyze the impact of risks on project outcomes but they do not take various recurring scenarios into account. With modeling, multiple variables are taken into account and different iterations of those variables are explored (using their individual distributions) in a simulation. This gives a more realistic projection of the variables, compared to individual analysis. The most common technique for performing simulations is the Monte Carlo Technique. An example of the output of a Monte Carlo Simulation I made to analyze the impact of risks on the net present value of a project is shown below:

Again, these simulations can be performed with specialized software that integrates with spreadsheet software, such as @Risk with Excel.
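The three modeling techniques above (EMV, sensitivity analysis and Monte Carlo simulation with triangular distributions) can be worked through in a few lines of Python. This is an added example, not from the original article or the PMBOK; the cost items, three-point estimates and risk events are constructed sample data.

```python
import random
import statistics

# Constructed sample data: three-point cost estimates (low, most likely, high).
COSTS = {"design": (40, 50, 80), "build": (90, 120, 200), "test": (20, 30, 60)}
# Constructed risk events: name -> (probability, cost impact if the risk occurs).
RISKS = {"supplier delay": (0.30, 40), "rework": (0.10, 100)}

def emv(risks):
    """Expected monetary value: sum of probability x impact over all risks."""
    return sum(p * impact for p, impact in risks.values())

def simulate(costs, risks, runs=20000, seed=1):
    """Monte Carlo: sample every cost item and risk event together, per iteration."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = []
    for _ in range(runs):
        # random.triangular takes (low, high, mode) in that order.
        total = sum(rng.triangular(lo, hi, mode) for lo, mode, hi in costs.values())
        total += sum(impact for p, impact in risks.values() if rng.random() < p)
        totals.append(total)
    return sorted(totals)

def percentile(sorted_totals, q):
    """Value below which a fraction q of the simulated outcomes fall."""
    idx = min(len(sorted_totals) - 1, int(q * len(sorted_totals)))
    return sorted_totals[idx]

def tornado(costs):
    """Sensitivity: swing in total cost as one item moves from low to high
    while the others stay at most likely; largest swing first (tornado order)."""
    swings = {name: hi - lo for name, (lo, _, hi) in costs.items()}
    return sorted(swings.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    base = sum(mode for _, mode, _ in COSTS.values())  # single-point estimate
    totals = simulate(COSTS, RISKS)
    p80 = percentile(totals, 0.80)
    print(f"EMV of risk events:     {emv(RISKS):.1f}")
    print(f"Single-point estimate:  {base}")
    print(f"Simulated mean cost:    {statistics.mean(totals):.1f}")
    print(f"P80 cost:               {p80:.1f}")
    print(f"Contingency to reach P80: {p80 - base:.1f}")
    for name, swing in tornado(COSTS):
        print(f"  {name:<8} swing {swing}")
```

The gap between the single-point estimate and the P80 value is one way to size the contingency reserve that active acceptance calls for.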

The output of this process is an updated project document which contains all the insights (useful information such as trends, risk rankings and ratings, etc.) gathered from the quantitative analysis.

Plan Risk Responses

So far, the processes that have been described focus on identifying and analyzing the risks. After all this analysis, the project team needs to create a plan to respond to these risks, in the event that they occur. The plan risk responses process involves designing actions to take advantage of positive risks (opportunities) and to reduce threats to the project objectives.

The inputs to this process are straightforward. The risks! They are contained in the risk register, and if you need some more information, visit the risk management plan.

The core of planning risk responses is the set of strategies for addressing the risks. The strategies that a project manager would employ for addressing risks are usually dependent on the nature of the risk, the impact, and the resources (time, human and material resources) available to the Project Manager. Some of the strategies for dealing with negative risks (threats) include:

  1. Avoidance: Here, the risk is eliminated. You can eliminate the risk by extending the schedule (for time risks), reducing the scope (excluding the risky part) etc.
  2. Transference: Here, the outcome of the risk is transferred to another party. The most common example of this kind of response is insurance. Other transfer responses can include warranty from suppliers, procurement contract clauses, etc.
  3. Mitigation: In this case, the probability of occurrence of the risk is reduced. This is usually done by increasing the focus on quality. In some cases, prototypes can be developed to test key components before scaling up a project. If the probability cannot be reduced, the impact of the risk can be reduced. An example is building redundancy into ICT systems in order to reduce the impact of the failure of a system on the overall project operations.
  4. Acceptance: In this case, the risk is just accepted. This happens when no other response can be carried out within the scope of the project. Acceptance can be passive or active. In active acceptance, a contingency reserve is created to deal with the risks, if they eventually occur. For passive acceptance, the project manager just documents the risk.

A different set of strategies is employed in dealing with positive risks (opportunities). Some of the strategies include:

  1. Exploit: This is the opposite of avoidance. Here, the project team makes an effort to ensure that the opportunity occurs. An example is dedicating the most experienced team members to handle the tasks involved.
  2. Enhance: This involves increasing the chance of an opportunity. An example is allocating more resources to the task.
  3. Share: This involves sharing the outcome of an opportunity with a third party which is in a better position to capture the opportunity. Examples include Joint Vehicles and special purpose vehicles.
  4. Accept: This involves identifying an opportunity but not pursuing it.

Aside from the risk strategies, a project manager should create contingency plans for unforeseen circumstances and for negative risks that have been accepted. And as with the rest of the processes, the project manager needs to seek expert opinion on these risk response strategies.

The outputs of this process are updates. And lots of updates! Updates are made to different elements of the project management plan and project documents based on the risk responses that are identified for the risks that are in the risk register.

Control Risks

The Risk control process involves implementing risk responses, identifying new risks, monitoring residual and secondary risks and ensuring that the risk process is effective throughout the project.

Inputs to the process would include the project management plan, the risk register and the work performance information.

To control risks, risk reassessments, audits and analysis are carried out throughout the course of the project to determine the impact of the risks and the effectiveness of their responses. Secondary and residual risks are also identified. A secondary risk is a new risk that occurs as a result of the response to a primary risk, while a residual risk is the risk that remains after the response to a primary risk.

For effective risk control, variance analysis is also carried out to measure deviation from the initial project baselines. Also, the technical performance of the project team is measured regularly to ensure that no quality issues have occurred due to risk factors.

Like most control processes, an important output of the control risk process is change requests. Other outputs include updates to the project management plan and the project documents. Also, lessons learned from the project can be used to update the organizational process assets.

There you go! Project Risk Management in a nutshell. As usual, we have a summary diagram of the processes from the PMBOK shown below:

Thank you for reading. Don’t forget to drop your thoughts and questions in the comments section. In our next article in this series, we will discuss project human resource management. See you soon!


  1. A Guide to the Project Management Body of Knowledge: PMBOK Guide. Project Management Institute.