PROJECT RISK MANAGEMENT

Risk management helps prevent many project issues and reduces the likelihood or impact of others (for threats, the negative risks). At the same time, effective risk management increases the probability and/or positive impact of opportunities (the positive risks). When we eliminate threats and capitalize on opportunities, project schedule and cost can be reduced, reflecting the results of risk management efforts.

What is Risk?

Risks are an aspect of uncertainty. A risk is an uncertain event (such as a fire or COVID-19) or condition that, if it occurs, has a positive or negative effect on one or more project objectives. The Project Manager should focus on threats, also called negative risks: things that could go wrong and have negative impacts on the project. A threat, if it occurs, causes issues or problems for the project. However, a project also has positive risks, called opportunities, which bring benefits to the project. Examples of opportunities include:

  • If we can consolidate the purchase orders for XYZ equipment to buy more than 20 items at once, the cost per item will be 20% lower than originally planned.
  • If we organize an advanced training class to improve work efficiency, Work Packages 3 and 4 could be completed two days earlier than scheduled.

Definition of Risk Management

Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response planning, response implementation, and monitoring for both negative and positive risks on a project. The objectives of project risk management are to increase the probability and/or impact of positive risks and to decrease the probability and/or impact of negative risks, in order to optimize the chances of project success.

Risks should be identified and managed from the starting phase and updated regularly throughout project execution. The project manager and the team review what has happened in the project, the project status, and what has not yet occurred, then reassess threats and opportunities.

Key Terminologies in Risk Management

1. Uncertainty

Uncertainty refers to the lack of certainty caused by insufficient knowledge or information about something, which makes our conclusions less reliable. Tasks to be performed, costs, schedules, quality requirements, and information needs, etc., may be uncertain. Identifying and understanding these uncertainties can help identify potential risks in the project.

2. Individual project risk & Overall project risk

Individual project risk: an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. Management aims to exploit or enhance positive risks (opportunities) while avoiding or mitigating negative risks (threats). Opportunities that are captured can lead to benefits such as reduced time and cost, improved performance, or reputation. Unmanaged threats may result in issues or problems such as delay, cost overruns, performance shortfall, or loss of reputation. Project managers typically focus on identifying and addressing specific individual risks, often posing the question, "What risks does my project face?"

Overall project risk: the effect of uncertainty on the project as a whole, arising from all sources of uncertainty. This includes individual risks and the exposure to the implications of variation in project outcome, both positive and negative. Management of overall project risk aims to keep the project risk exposure within an acceptable range by reducing drivers of negative variation, promoting drivers of positive variation, and maximizing the probability of achieving overall project objectives. Sponsors are generally less concerned with individual risks and instead focus on the broader risk landscape, asking, "How risky is the project?" For example: "There is only an 80% probability that we will complete the project within the six-month timeframe required by the client," or "There is a 75% probability that we will complete the project within the allocated budget of $800,000."

3. Risk Factors

When assessing risks, it is important to determine the following risk factors:

  • The probability of the risk occurring
  • The range of possible outcomes (impact or severity)
  • The estimated timing of the occurrence within the project (when)
  • The frequency of occurrence (how often)

4. Risk Appetite & Risk Thresholds

These terms refer to knowing what level of risk exposure is acceptable to an individual or group. Areas of risk may encompass any of the project’s constraints (scope, schedule, cost, quality, etc.), as well as risks related to business reputation, customer satisfaction, and other intangible factors.

Risk Appetite is the degree of uncertainty an organization or individual is willing to accept in anticipation of a reward. For example, a project sponsor may be willing to accept a moderate level of risk related to the project schedule.

Risk Thresholds are the levels of risk exposure above which risks are addressed and below which risks may be accepted. They reflect the risk appetite of the organization and project stakeholders. For example, a sponsor will not accept any schedule delay exceeding 15 days.

5. Risk Averse & Risk Prone

Risk Averse: Those who don’t want to take risks or who want to avoid negative impacts from threats.

Risk Prone: Also known as Risk Takers, Risk Taking, or Risk Seekers. Those who are more inclined to embrace risks, believing that high risks can lead to higher rewards. This approach contrasts with the Risk Averse.

6. Project resilience

The existence of emergent risk is becoming clear, with a growing awareness of so-called unknown-unknowns. These are risks that can only be recognized after they have occurred. Emergent risks can be tackled through developing project resilience. This requires each project to have:

  • Right level of budget and schedule contingency for emergent risks, in addition to a specific risk budget for known risks;
  • Flexible project processes that can cope with emergent risk while maintaining overall direction toward project goals, including strong change management;
  • Empowered project team that has clear objectives and that is trusted to get the job done within agreed-upon limits;
  • Frequent review of early warning signs to identify emergent risks as early as possible; and
  • Clear input from stakeholders to clarify areas where the project scope or strategy can be adjusted in response to emergent risks.


Risk categories

A standardized list of risk categories can help ensure that risks are not overlooked during the project execution process. These categories come from common areas or sources of risk that companies or similar projects have encountered. They may include:

  • Technological changes
  • Lack of resources
  • Regulatory and legal barriers
  • Cultural issues

Businesses and PMOs should provide and ensure that standard Risk Categories can be utilized across all projects.

Moreover, risks can be categorized in various ways, including:

External Risks

Issues related to regulations, laws, environment, government, market changes, and project execution location problems.

Internal Risks

Changes in schedule or budget, scope, inexperienced team members, and issues related to personnel, resources, and equipment.

Technical Risks

Changes in technology or process.

Commercial Risks

Customer stability, contract terms and conditions, and supplier issues.

Unforeseeable Risks

Only a small portion of risks (approximately 10%) can be considered unforeseeable.

Studies have indicated that there are over 300 types of potential risks, including those arising from:

  • Customers
  • Loose project management
  • Lack of project management knowledge by the Project Manager and stakeholders
  • End users
  • Suppliers
  • Ability to respond to changes
  • Cultural differences

In addition, risk sources may include:

  • Schedule: Materials may arrive earlier than expected, allowing the XYZ work package to begin 3 days earlier.
  • Price/Costs: Due to delayed materials, additional costs for rent may be incurred (e.g., 100 million).
  • Quality: Concrete may dry up to the quality standard before winter, enabling the next work packages to start earlier than planned.
  • Scope: We may not have correctly defined the scope for equipment assembly. If this is the case, we may need to add work packages, costing an additional 100 million.
  • Resources: A designer may be reassigned to another project. If this happens, we will have to use someone else, causing a delay ranging from 100 to 275 hours.
  • Customer Satisfaction: There is a possibility that the customer will inform us that they are dissatisfied with deliverable XYZ, leading to a 20% increase in the time required to fix it.

Risks can also be categorized into two main types:

  • Business Risk: Risks that result in profits or losses for the project.
  • Pure (Insurable) Risk: Risks that involve only loss, such as fire, theft, or personal injury.

Most projects focus only on risks that are uncertain future events that may or may not occur. There is an increasing recognition that non-event risks need to be identified and managed. There are two main types of non-event risks:

  • Variability risk: Uncertainty exists about some key characteristics of a planned event or activity, or decision. Examples of variability risks include: productivity may be above or below target, the number of errors found during testing may be higher or lower than expected, or unseasonal weather conditions may occur during the construction phase. This can be addressed using Monte Carlo analysis tools, which help predict potential outcomes based on variability risks and guide corresponding actions.
  • Ambiguity risk: Uncertainty exists about what might happen in the future. Areas of the project where imperfect knowledge might affect the project’s ability to achieve its objectives include: elements of the requirement or technical solution, future developments in regulatory frameworks, or inherent systemic complexity in the project. This can be addressed by consulting experts or gathering lessons learned from various sources. Ambiguity risk can also be addressed through prototypes, simulations, or other techniques that help clarify information.

Below is an example of a risk categorization table, also known as Risk Breakdown Structure (RBS).

[Figure: example Risk Breakdown Structure (RBS)]

Source: PMBOK 6th edition, PMI, 2017

Risk Management Processes

It is crucial to understand that the risk management process is important in project management. We must know what may happen, when it may happen, and acknowledge that risk management can change the way a project is managed.

The Project Risk Management processes are:

  • Plan Risk Management
  • Identify Risks
  • Perform Qualitative Risk Analysis
  • Perform Quantitative Risk Analysis
  • Plan Risk Responses
  • Implement Risk Responses
  • Monitor Risks

The Project Risk Management processes are presented as discrete processes with defined interfaces, while in practice, they overlap and interact throughout the project. If a risk is identified after the initial risk identification process, it must still be analyzed, and appropriate response strategies must be planned. Risk management is a continuous and iterative process throughout the project.

1. Plan Risk Management

The project manager, the sponsor, team members, customers, other stakeholders, and subject matter experts may all be involved in the Plan Risk Management process. Plan Risk Management is the process of defining how to conduct risk management activities for a project. Since risk management is critical to a project's success, this process should begin when the project is initiated and should be completed early.

Risk management must be tailored not only to the size and complexity of the project but also to the experience and skills of the project team members. Risk management cannot succeed if it merely relies on a checklist of risks standardized from previous projects. While such checklists can be useful for planning and identifying risks, risk management must be uniquely conducted for each project.

This process addresses the question of how much effort should be devoted to risk management based on the needs of the project. It includes consideration of the organization's and stakeholders' risk appetite.

The process also defines who will be involved and how the team will execute risk management activities. Organizational procedures and templates related to risk management - such as the standard probability and impact matrix - are utilized in this process and subsequently tailored to the needs of the project.

Upon completing the risk management planning, we have a Risk Management Plan. The risk management plan is a component of the project management plan that describes how risk management activities will be structured and performed. The risk management plan may include some or all of the following elements:

  • Risk strategy: Describes the general approach to managing risk on this project.
  • Methodology: Defines the specific approaches, tools, and data sources that will be used to perform risk management on the project.
  • Roles and responsibilities: Defines the lead, support, and risk management team members for each type of activity described in the risk management plan, and clarifies their responsibilities.
  • Funding: Identifies the funds needed to perform activities related to Project Risk Management, including contingency reserves and management reserves. Establishes protocols for the application of contingency and management reserves. Although risk management incurs costs, it typically saves the project time and money by avoiding or mitigating threats and capitalizing on opportunities.
  • Risk Categories: As presented in the section above.
  • Stakeholder risk appetite/thresholds: Stakeholder risk appetite should be expressed as measurable risk thresholds around each project objective. These thresholds will:
      + Determine the acceptable level of overall project risk exposure
      + Inform the definitions of probability and impacts to be used when assessing and prioritizing individual project risks
  • Definitions of risk probability and impacts: When assessing a risk with a 70% probability in qualitative analysis, a risk-averse person may perceive this probability as very high, whereas a risk-prone person may view it as low. Definitions of risk probability and impacts ensure a common understanding of the degree of risk and allow for risk comparisons across different projects.

[Table: example definitions of probability and impacts]

Source: PMBOK 6th edition, PMI, 2017

  • Probability and impact matrix: A grid that links the probability of risk occurrence to its impact on project objectives if it occurs. Descriptive terms (such as very high, high, medium, low, and very low) or numeric values can be used for probability and impact. Where numeric values are used, these can be multiplied (Probability × Impact, P × I) to give a probability-impact score for each risk, which allows the relative priority of individual risks to be evaluated within each priority level. The matrix is used alongside the project's risk appetite. For example, risks with a risk score greater than 0.24 may be categorized into a group requiring responses to reduce them to lower-risk zones. Risks with scores below 0.07 may be placed in a group that does not require immediate responses (a watch list). Projects with different risk appetites will choose different risk score thresholds.

[Figure: example probability and impact matrix]

Source: PMBOK 6th edition, PMI, 2017

  • Reporting formats: Reporting formats define how the outcomes of the Project Risk Management process will be documented, analyzed, and communicated. This section of the risk management plan describes the content and format of the risk register and the risk report, as well as any other required outputs from the Project Risk Management processes.
  • Tracking: Tracking documents how risk activities will be recorded and how risk management processes will be audited.

2. Identify Risks

Identify Risks is the process of identifying individual project risks as well as sources of overall project risk, and documenting their characteristics.

This process is performed throughout the project. Identify Risks is an iterative process, since new individual project risks may emerge as the project progresses through its life cycle and the level of overall project risk will also change. The frequency of iteration and participation in each risk identification cycle will vary by situation, and this will be defined in the risk management plan.

The participants involved in risk identification activities are similar to those in the risk management planning process - including ALL project stakeholders.

When describing and recording individual project risks, a consistent format should be used for risk statements to ensure that each risk is understood clearly and unambiguously in order to support effective analysis and risk response development.

Identify Risks is primarily performed during project initiation and planning, but a small number of risks can also be identified later. Risks must be continuously reassessed. Identify Risks can also be performed:

  • During the integrated change control process
  • While working with contracts
  • While managing resources
  • When addressing project issues

Key Tools and Techniques Used in the Identify Risks Process:

  • Brainstorming: The goal of brainstorming is to obtain a comprehensive list of individual project risks and sources of overall project risk. An RBS may be used as a framework for brainstorming sessions. Particular attention should be paid to ensuring that risks identified through brainstorming are clearly described, since the technique can result in ideas that are not fully formed.
  • Checklist: A checklist is a list of items, actions, or points to be considered. It is often used as a reminder. Risk checklists are developed based on historical information and knowledge that has been accumulated from similar projects and from other sources of information. A checklist lists specific individual project risks that have occurred previously and that may be relevant to this project. While a checklist may be quick and simple to use, its results may not be complete.
  • Interviews: Individual project risks and sources of overall project risk can be identified by interviewing experienced project participants, stakeholders, and subject matter experts (SME). Interviews should be conducted in an environment of trust and confidentiality to encourage honest and unbiased contributions.
  • Root cause analysis: Root cause analysis is typically used to discover the underlying causes that lead to a problem and develop preventive action.
  • Assumption and constraint analysis: Assumption and constraint analysis explores the validity of assumptions and constraints to determine which pose a risk to the project. Threats may be identified from the inaccuracy, instability, inconsistency, or incompleteness of assumptions. Constraints may give rise to opportunities through removing or relaxing a limiting factor that affects the execution of a project or process (cost and schedule).
  • SWOT analysis: This technique examines the project from each of the strengths, weaknesses, opportunities, and threats (SWOT) perspectives. SWOT analysis then identifies any opportunities for the project that may arise from strengths, and any threats resulting from weaknesses. The analysis also examines the degree to which organizational strengths may offset threats and determines if weaknesses might hinder opportunities.
  • Document analysis: Uncertainty or ambiguity in project documents including, but not limited to, plans, assumptions, constraints, previous project files, contracts, agreements, and technical documentation, as well as inconsistencies within a document or between different documents, may be indicators of risk on the project.
  • Prompt lists: A prompt list is a predetermined list of risk categories that might give rise to individual project risks and that could also act as sources of overall project risk. The prompt list can be used as a framework to aid the project team in idea generation when using risk identification techniques. The risk categories in the lowest level of the risk breakdown structure can be used as a prompt list for individual project risks.

The Identify Risks process generates the Risk register and Risk report

- Risk register:

The risk register captures details of identified individual project risks. The results of Perform Qualitative Risk Analysis, Plan Risk Responses, Implement Risk Responses, and Monitor Risks are recorded in the risk register as those processes are conducted throughout the project.

The risk register contains different information at different points in the risk management process. For example, if the project is just starting and we are in the Identify Risks process, the risk register contains a list of identified risks and a list of potential risk responses, not the responses that are selected for each risk.

At this point in the risk management process, the risk register includes:

  • List of identified risks: Identified risks are described in as much detail as required to ensure unambiguous understanding. Each individual project risk is given a unique identifier in the risk register.
  • Potential risk owners: Potential risk owners (to be explained later) can be identified in this process, and this will be confirmed during the Perform Qualitative Risk Analysis process.
  • List of potential risk responses: Where a potential risk response has been identified during the Identify Risks process, it is recorded in the risk register. This will be confirmed during the Plan Risk Responses process.
  • Root cause of risk: Provides valuable information for later use in risk response planning and reassessment of risks in the project, and serves as a reference for future projects. A risk can recur if its root cause is not identified and resolved.
  • Update risk checklist: Our project can identify new risks and can add them to the standard checklist of the business.

Additional data may be recorded for each identified risk, depending on the risk register format specified in the risk management plan. This may include: a short risk title, risk category, current risk status, one or more causes, one or more effects on objectives, risk triggers (events or conditions that indicate that a risk is about to occur), WBS reference of affected activities, and timing information (when was the risk identified, when might the risk occur, when might it no longer be relevant, and what is the deadline for taking action).

As a side note, risk responses are recorded both during the Identify Risks process (potential risk responses) and during risk response planning (the actual risk response plans selected).

- Risk report:

The risk report presents information on sources of overall project risk, together with summary information on identified individual project risks. The risk report is developed progressively throughout the Project Risk Management process.

The results of Perform Qualitative Risk Analysis, Perform Quantitative Risk Analysis, Plan Risk Responses, Implement Risk Responses, and Monitor Risks are also included in the risk report as those processes are completed.

At this point in the risk management process, the risk report includes:

  • Sources of overall project risk: Indicates which are the most important drivers of overall project risk exposure.
  • Summary information on identified individual project risks: Such as the number of identified threats and opportunities, distribution of risks across risk categories, metrics and trends, etc.
  • Additional information: Additional information may be included in the risk report, depending on the reporting requirements specified in the risk management plan.

3. Perform Qualitative Risk Analysis

Perform Qualitative Risk Analysis is the process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics. This process focuses efforts on high-priority risks.

This process is performed throughout the project. Perform Qualitative Risk Analysis is a subjective analysis (based on perceptions of risk by the project team and other stakeholders) of identified project risks. Perform Qualitative Risk Analysis establishes the relative priorities of individual project risks (such as high-priority and low-priority risks) for Identify Risks and risk analysis. This process is repeated as new risks are identified.

Effective assessment therefore requires explicit identification and management of the risk attitudes of key participants in the Perform Qualitative Risk Analysis process. Risk perception introduces bias into the assessment of identified risks, so attention should be paid to identifying bias and correcting for it. Where a facilitator is used to support the Perform Qualitative Risk Analysis process, addressing bias is a key part of the facilitator’s role.

Perform Qualitative Risk Analysis establishes the relative priorities of individual project risks for Plan Risk Responses. It identifies a risk owner for each risk who will take responsibility for planning an appropriate risk response and ensuring that it is implemented. Perform Qualitative Risk Analysis also lays the foundation for Perform Quantitative Risk Analysis if this process is required. The Perform Qualitative Risk Analysis process is defined in the risk management plan. Often, in an agile development environment, the Perform Qualitative Risk Analysis process is conducted before the start of each iteration.

Key Tools and Techniques used in the Perform Qualitative Risk Analysis process

- Risk data quality assessment: Risk data quality assessment evaluates the degree to which the data about individual project risks is accurate and reliable as a basis for qualitative risk analysis. The use of low-quality risk data may lead to a qualitative risk analysis that is of little use to the project. A commonly used term is "garbage in, garbage out" (GIGO): if the input data is garbage, the output data will also be garbage. For example, if the probability of rain in Ho Chi Minh City during the dry season is considered very high, this input data is highly inaccurate. Based on this incorrect information, we might cover outdoor construction sites to prevent potential rain, but in reality, no rain occurs, leading to unnecessary costs. Risk data quality may be assessed via a questionnaire measuring the project’s stakeholder perceptions of various characteristics, which may include completeness, objectivity, relevancy, and timeliness. Risk data quality assessment may include identifying the following for each individual risk:

  • Degree of risk understanding
  • Availability of risk data
  • Data quality
  • Data reliability and integrity

- Risk probability and impact assessment: Risk probability assessment considers the likelihood that a specific risk will occur. Risk impact assessment considers the potential effect on one or more project objectives such as schedule, cost, quality, or performance. Risks with low probability and impact may be included within the risk register as part of a watch list for future monitoring.

- Assessment of other risk parameters: The project team may consider other characteristics of risk (in addition to probability and impact) when prioritizing individual project risks for further analysis and action.

 

 

Characteristics of Risks

| Characteristic | Definition | Measurement |
|---|---|---|
| Urgency | The period of time within which a response to the risk is to be implemented in order to be effective | A short period indicates high urgency. |
| Proximity | The period of time before the risk might have an impact on one or more project objectives | A short period indicates high proximity. For example, if a water pipe leak occurs and a day later (a short period) the building is flooded, then the proximity is high. If a week later (a long period), it causes subsidence, then the proximity is low. |
| Dormancy | The period of time that may elapse after a risk has occurred before its impact is discovered | A short period indicates low dormancy. For example, if a water pipe leak occurs and the building is found flooded a day later (a short period), the dormancy is low. If a sinkhole is found a week later (a long period), the dormancy is high. |
| Manageability | The ease with which the risk owner (or owning organization) can manage the occurrence or impact of a risk | Where management is easy, manageability is high. |
| Controllability | The degree to which the risk owner (or owning organization) is able to control the risk’s outcome | Where the outcome can be easily controlled, controllability is high. |
| Detectability | The ease with which the results of the risk occurring, or being about to occur, can be detected and recognized | Where the risk occurrence can be detected easily, detectability is high. |
| Connectivity | The extent to which the risk is related to other individual project risks | The extent to which the risk is related to other individual project risks |
| Strategic impact | The potential for the risk to have a positive or negative effect on the organization’s strategic goals | Where the risk has a major effect on strategic goals, strategic impact is high. |
| Propinquity | The degree to which a risk is perceived to matter by one or more stakeholders | Where a risk is perceived as very significant, propinquity is high. |

 

- Risk categorization: Risks to the project can be categorized by the following to determine the areas of the project most exposed to the effects of uncertainty.

  • Sources of risk (e.g., using the risk breakdown structure - RBS)
  • The area of the project affected (e.g., using the work breakdown structure - WBS)
  • Common root causes

Grouping risks into categories can lead to the development of more effective risk responses by focusing attention and effort on the areas of highest risk exposure, or by developing generic risk responses to address groups of related risks.

- Probability and impact matrix: This matrix specifies combinations of probability and impact that allow individual project risks to be divided into priority groups. An organization can assess a risk separately for each objective (e.g., cost, time, and scope) by having a separate probability and impact matrix for each. When performing the risk probability and impact assessment, we use this matrix for visualization. For example, if risk number 1 has a high probability of occurring (0.9) and a high impact (0.4), then its risk score = 0.9 × 0.4 = 0.36. We do the same with the other risks, for both negative and positive impacts. Using the probability and impact matrix, we place the risks in the high-priority (dark color), medium-priority (light color), and low-priority (white color) areas. Where the high-, medium-, and low-priority areas fall will depend on the risk appetite of the project or organization. From there, we develop appropriate solutions for each individual risk.

Source: PMBOK 6th edition, PMI, 2017

- Bubble chart: Where risks have been categorized using more than two parameters, the probability and impact matrix cannot be used, and other graphical representations are required. We use a bubble chart to display the relationship among three parameters. For example, see the chart below; some charts also vary the bubble color to show four parameters. This overcomes the limitation of the matrix having only two dimensions.

[Figure: example bubble chart]

Source: PMBOK 6th edition, PMI, 2017

- Risk workshop: To undertake qualitative risk analysis, the project team may conduct a specialized meeting (often called a risk workshop) dedicated to the discussion of identified individual project risks.

A risk owner will be:

  • Responsible for planning an appropriate risk response and for reporting progress on managing the risk.
  • Allocated to each individual project risk as part of the Perform Qualitative Risk Analysis process.

Use of a skilled facilitator will increase the effectiveness of the meeting.

The risk register and risk report will be updated through the Perform Qualitative Risk Analysis process.

Risk register: The risk register is updated with new information generated during the Perform Qualitative Risk Analysis process. Updates to the risk register may include:

  • Assessments of probability and impacts for individual project risk
  • Its priority level or risk score for individual project risk
  • The nominated risk owner
  • Assessment results based on other parameters
  • Risk categorization
  • A watch list of low-priority risks
  • List of risks requiring further analysis

Risk report: The risk report is updated to reflect the most important individual project risks (usually those with the highest probability and impact), as well as a prioritized list of all identified risks on the project and a summary conclusion. Perform Qualitative Risk Analysis can be used to do the following:

  • Compare the overall project risk with the overall risk of other projects.
  • Determine whether to continue or terminate the project.
  • Determine whether to proceed to the Perform Quantitative Risk Analysis or Plan Risk Responses process (depending on the needs of the project and organization).

4. Perform Quantitative Risk Analysis

Perform Quantitative Risk Analysis is the process of numerically analyzing the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives. This process is NOT required for every project, but where it is used, it is performed throughout the project.

Quantitative risk analysis usually requires specialized risk software and expertise in the development and interpretation of risk models. It also consumes additional time and cost.

The use of quantitative risk analysis for a project will be specified in the project’s risk management plan. It is most likely appropriate for large or complex projects, strategically important projects, projects for which it is a contractual requirement, or projects in which a key stakeholder requires it.

Quantitative risk analysis is the ONLY reliable method to assess overall project risk through evaluating the aggregated effect on project outcomes of all individual project risks and other sources of uncertainty.

Outputs from Perform Quantitative Risk Analysis are used as inputs to the Plan Risk Responses process, particularly in recommending responses to the level of overall project risk and key individual risks. A quantitative risk analysis may also be undertaken following the Plan Risk Responses process, to determine the likely effectiveness of planned responses in reducing overall project risk exposure.

Key Tools and Techniques used in the Perform Quantitative Risk Analysis process

Simulation: Quantitative risk analysis uses a model that simulates the combined effects of individual project risks and other sources of uncertainty to evaluate their potential impact on achieving project objectives.

Monte Carlo analysis:

- Monte Carlo is a type of simulation model.

- When running a Monte Carlo analysis for X risk, the simulation uses the project's X estimates, where X can be cost, schedule (network diagram or duration estimates), or both.

- The input values (e.g., cost estimates, duration estimates, or occurrence of probabilistic branches) are chosen at random for each iteration.

- Computer software is used to iterate the quantitative risk analysis model several thousand times.

- Outputs represent the range of possible outcomes for the project (e.g., project end date, project cost at completion).

- Typical outputs include:

  • A histogram presenting the number of iterations where a particular outcome resulted from the simulation, or
  • A cumulative probability distribution (S-curve) representing the probability of achieving any particular outcome or less.

[Figure: graph]

Source: PMBOK 6th edition, PMI, 2017

Sensitivity analysis: Sensitivity analysis helps to determine which individual project risks or other sources of uncertainty have the most potential impact on project outcomes.

Tornado diagram: A tornado diagram is a type of sensitivity analysis that presents the calculated correlation coefficient for each element of the quantitative risk analysis model that can influence the project outcome.

- This can include:

  • Individual project risks,
  • Project activities with high degrees of variability, or
  • Specific sources of ambiguity

- Items are ordered by descending strength of correlation, giving the typical tornado appearance.

Note: Sensitivity ≠ DOE - Design Of Experiments (a term in quality management)

  • Sensitivity: Change one factor and fix the others to see which factor has the biggest impact.
  • Design of Experiments (DOE): Systematically change all important factors and see which combination has the biggest impact.
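The Monte Carlo and tornado-diagram steps described above can be run end to end in a short script. This is an added example, not taken from PMBOK or from this article: the work packages, three-point estimates, risk events, the triangular distribution and the fixed seed are all constructed assumptions.

```python
import math
import random

# Constructed sample inputs (not from the article): three-point cost estimates
# in USD as (optimistic, most likely, pessimistic) per work package.
ESTIMATES = {
    "design": (40_000, 50_000, 70_000),
    "build": (200_000, 240_000, 330_000),
    "test": (30_000, 40_000, 60_000),
}
# Constructed individual project risks: (probability, cost impact if it occurs).
RISK_EVENTS = {
    "supplier_delay": (0.30, 40_000),
    "rework": (0.10, 25_000),
}


def simulate(iterations=5000, seed=1):
    """Iterate the model; every input is chosen at random in each iteration."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    rows = []
    for _ in range(iterations):
        row = {}
        for name, (low, mode, high) in ESTIMATES.items():
            row[name] = rng.triangular(low, high, mode)
        for name, (prob, impact) in RISK_EVENTS.items():
            # Probabilistic branch: the risk either occurs or it does not.
            row[name] = impact if rng.random() < prob else 0.0
        row["total"] = sum(row.values())
        rows.append(row)
    return rows


def histogram(rows, bin_width=20_000):
    """Number of iterations whose total cost fell into each cost bin."""
    counts = {}
    for r in rows:
        lower = int(r["total"] // bin_width) * bin_width
        counts[lower] = counts.get(lower, 0) + 1
    return dict(sorted(counts.items()))


def probability_within(rows, budget):
    """One point on the S-curve: P(total cost <= budget)."""
    return sum(r["total"] <= budget for r in rows) / len(rows)


def value_at_confidence(rows, confidence):
    """Inverse S-curve: the cost not exceeded in `confidence` of iterations."""
    totals = sorted(r["total"] for r in rows)
    index = min(len(totals) - 1, int(confidence * len(totals)))
    return totals[index]


def contingency_reserve(rows, confidence):
    """Reserve above the sum of most-likely estimates for that confidence."""
    base = sum(mode for _, mode, _ in ESTIMATES.values())
    return value_at_confidence(rows, confidence) - base


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 if either series is constant."""
    mx, my = math.fsum(xs) / len(xs), math.fsum(ys) / len(ys)
    cov = math.fsum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(math.fsum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(math.fsum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def tornado(rows):
    """Inputs ordered by descending strength of correlation with total cost."""
    totals = [r["total"] for r in rows]
    inputs = [key for key in rows[0] if key != "total"]
    coeffs = {k: pearson([r[k] for r in rows], totals) for k in inputs}
    return sorted(coeffs.items(), key=lambda kv: abs(kv[1]), reverse=True)


if __name__ == "__main__":
    rows = simulate()
    print("P(cost <= 380,000):", probability_within(rows, 380_000))
    print("Reserve for 80% confidence:", round(contingency_reserve(rows, 0.80)))
    for name, coeff in tornado(rows):
        print(f"{name:15s} {coeff:+.2f}")
```
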

[Figure: graph]

Decision tree analysis: Decision trees are used to support selection of the best of several alternative courses of action.

- Alternative paths through the project are shown in the decision tree using branches representing different decisions or events, each of which can have associated costs and related individual project risks (including both threats and opportunities)

- The end-points of branches in the decision tree represent the outcome from following that particular path, which can be negative or positive.

- The decision tree is evaluated by calculating the expected monetary value of each branch (Expected Monetary Value - EMV), allowing the optimal path to be selected.

- Applied according to the formula: EMV = P x I

In which:

  • EMV: Expected Monetary Value
  • P: Probability
  • I: Impact

- EMV calculations are performed during Perform Quantitative Risk Analysis process and are modified during Plan Risk Responses process when calculating contingency reserves for schedule and cost.  

  • Decision tree considers future events to make decisions at present.
  • With the decision tree, we can evaluate the costs (or schedule impacts) and benefits of several risk responses at the same time to determine which is the best response.

- For example, we need to fly from one city to another and can use airline A or B. Based on the figure below, we have to decide which airline to choose.

[Figure: diagram of a flight]

 

  • If the on-time rate of airline A is 90%, the late rate is 10%. The on-time rate of B is 70% and the late rate is 30%. If it is late, we will suffer a loss of $4,000. Use EMV to calculate and make decisions:
  • For airline A, the loss: EMV = (10% x $4,000) + $900 = $400 + $900 = $1,300
  • For airline B, the loss: EMV = (30% x $4,000) + $300 = $1,200 + $300 = $1,500
  • From the above results, we see that with EMV = $1,300, airline A will be chosen because the EMV value of $1,300 is a lower loss than $1,500.

- Another example:

[Figure: diagram of a project]

  • Note 1: The decision tree shows how to make a decision between alternative capital strategies (represented as “decision nodes”) when the environment contains uncertain elements (represented as “chance nodes”).
  • Note 2: Here, a decision is being made whether to invest $120M US to build a new plant or to instead invest only $50M US to upgrade the existing plant. For each decision, the demand (which is uncertain, and therefore represents a “chance node”) must be accounted for. For example, strong demand leads to $200M revenue with the new plant but only $120M US for the upgraded plant, perhaps due to capacity limitations of the upgraded plant. The end of each branch shows the net effect of the payoffs minus costs. For each decision branch, all effects are added (see shaded areas) to determine the overall Expected Monetary Value (EMV) of the decision. Remember to account for the investment costs. From the calculations in the shaded areas, the upgraded plant has a higher EMV of $46M – also the EMV of the overall decision. (This choice also represents the lowest risk, avoiding the worst possible outcome of a loss of $30M).
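Both decision trees above can be evaluated with the same rollback procedure, shown here as an added example that is not part of the original article. The $900 and $300 amounts are treated as ticket prices; the 60%/40% demand probabilities and the weak-demand revenues ($90M and $60M) do not appear in the text and are assumed values chosen to be consistent with the stated $46M EMV and $30M worst-case loss.

```python
import math


def payoff(value):
    """End-point of a branch: the outcome of following that path."""
    return {"kind": "payoff", "value": value}


def chance(branches):
    """Chance node. branches: list of (probability, child node)."""
    total = sum(p for p, _ in branches)
    if not math.isclose(total, 1.0, abs_tol=1e-9):
        raise ValueError(f"branch probabilities sum to {total}, expected 1")
    return {"kind": "chance", "branches": branches}


def decision(options):
    """Decision node. options: dict of label -> (up-front cost, child node)."""
    return {"kind": "decision", "options": options}


def option_emvs(node):
    """EMV of every option of a decision node, net of its up-front cost."""
    return {label: rollback(child)[0] - cost
            for label, (cost, child) in node["options"].items()}


def rollback(node):
    """Return (EMV, labels chosen at the decision nodes on the best path)."""
    if node["kind"] == "payoff":
        return node["value"], []
    if node["kind"] == "chance":
        # EMV = sum of P x I over the branches. Choices made below a chance
        # node depend on which branch occurs, so no path is reported for them.
        return sum(p * rollback(child)[0] for p, child in node["branches"]), []
    best = None
    for label, (cost, child) in node["options"].items():
        emv, path = rollback(child)
        net = emv - cost
        if best is None or net > best[0]:
            best = (net, [label] + path)
    return best


# Airline example from the text: losses are negative values, so the best
# option is the one with the smallest expected loss.
LATE_LOSS = -4000
AIRLINE_TREE = decision({
    "A": (900, chance([(0.90, payoff(0)), (0.10, payoff(LATE_LOSS))])),
    "B": (300, chance([(0.70, payoff(0)), (0.30, payoff(LATE_LOSS))])),
})

# Plant example, in $M. Probabilities and weak-demand revenues are ASSUMED.
P_STRONG, P_WEAK = 0.60, 0.40
PLANT_TREE = decision({
    "build new plant": (120, chance([(P_STRONG, payoff(200)),
                                     (P_WEAK, payoff(90))])),
    "upgrade plant": (50, chance([(P_STRONG, payoff(120)),
                                  (P_WEAK, payoff(60))])),
})

if __name__ == "__main__":
    for name, tree in (("airline", AIRLINE_TREE), ("plant", PLANT_TREE)):
        emv, path = rollback(tree)
        print(name, option_emvs(tree), "->", path, emv)
```
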

The risk report will be updated in the Perform Quantitative Risk Analysis process:

- Assessment of overall project risk exposure: Overall project risk is reflected in two key measures:

  • Chances of project success, indicated by the probability that the project will achieve its key objectives (e.g., “We have only an 80% chance of completing the project within the six months required by the client”, or “We have only a 75% chance of completing the project within the $800,000 budget”, etc.).

- Detailed probabilistic analysis of the project: Key outputs from the quantitative risk analysis are presented, such as S-curves, tornado diagrams, and criticality analysis, together with a narrative interpretation of the results. Possible detailed results of a quantitative risk analysis may include:

  • Amount of contingency reserve needed to provide a specified level of confidence. For example: “The project needs an additional $50,000 and two months to address the project risks.” Contingency reserves will be finalized during the Plan Risk Responses process.
  • Identification of individual project risks or other sources of uncertainty that have the greatest effect on the project's critical path.
  • Major drivers of overall project risk, with the greatest influence on uncertainty in project outcomes.

- Prioritized list of individual project risks: This list includes those individual project risks that pose the greatest threat or present the greatest opportunity to the project, as indicated by sensitivity analysis.

- Trends in quantitative risk analysis results: As the analysis is repeated at different times during the project life cycle, trends may become apparent that inform the planning of risk responses.

- Recommended risk responses: The risk report may present suggested responses to the level of overall project risk exposure or key individual project risks, based on the results of the quantitative risk analysis. These recommendations will form inputs to the Plan Risk Responses process.


Compare Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis

 

- Usage level

  • Perform Qualitative Risk Analysis: Typically performed with all risks and projects.
  • Perform Quantitative Risk Analysis: Performed less frequently, depending on project type, project risk, and availability of data to conduct quantitative risk analysis.

- How to

  • Perform Qualitative Risk Analysis: Evaluate the priority of risks using a pre-defined rating scale. Risks are scored based on their probability and their impact on project objectives if they occur. Also includes appropriate risk categorization.
  • Perform Quantitative Risk Analysis: Further analysis of the highest-priority risks. Quantify possible outcomes for the project and assess the probability of achieving specific project objectives. Provide a quantitative approach to decision making in the presence of uncertainty. Create realistic and achievable cost, schedule, or scope targets. Performing quantitative risk analysis requires high-quality input data and a prioritized list of project risks (from the Perform Qualitative Risk Analysis process).

- Analysis level

  • Perform Qualitative Risk Analysis: At the individual risk level
  • Perform Quantitative Risk Analysis: At the project level

- Purpose

  • Perform Qualitative Risk Analysis: Subjective assessment of the probability and impact of risk
  • Perform Quantitative Risk Analysis: Probabilistic assessment of project time and cost estimation

- Characteristics

  • Perform Qualitative Risk Analysis: Easy and fast to perform
  • Perform Quantitative Risk Analysis: Time-consuming to perform

- Tools

  • Perform Qualitative Risk Analysis: No special tools or software required
  • Perform Quantitative Risk Analysis: Requires some special technical tools

 

5. Plan Risk Responses

Plan Risk Responses is the process of developing options, selecting strategies, and agreeing on actions to address overall project risk exposure, as well as to treat individual project risks. This process:

  • Identifies appropriate ways to address overall project risk and individual project risks.
  • Allocates resources and inserts activities into project documents and the project management plan as needed.

This process is performed throughout the project. Effective and appropriate risk responses can minimize individual threats, maximize individual opportunities, and reduce overall project risk exposure. Unsuitable risk responses can have the converse effect.

Once risks have been identified, analyzed, and prioritized, plans should be developed by the nominated risk owner for addressing every individual project risk the project team considers to be sufficiently important, either because of the threat it poses to the project objectives or the opportunity it offers. The project manager should also consider how to respond appropriately to the current level of overall project risk. Risk responses should be:

  • Appropriate for the significance of the risk,
  • Cost-effective in meeting the challenge,
  • Realistic within the project context,
  • Agreed upon by all parties involved, and
  • Owned by a responsible person.

Specific actions are developed to implement the agreed-upon risk response strategy, including primary and backup strategies, as necessary. A contingency plan (or fallback plan) can be developed for implementation if:

  • The selected strategy turns out not to be fully effective or
  • An accepted risk occurs.

Secondary risks should also be identified. Secondary risks are risks that arise as a direct result of implementing a risk response. A contingency reserve is often allocated for time or cost. If developed, it may include identification of the conditions that trigger its use.

STRATEGIES FOR OVERALL PROJECT RISK

Each strategy is described by what it is used for, its purpose, and the action involved.

- Avoid (probability at 0)

  • Use for: Threats/Overall project risk
  • Purpose: For high-priority threats with high probability and/or impact
  • Action: Avoidance involves taking focused action to eliminate a specific threat or protect the project from the negative effects of uncertainty. This may involve changing elements of the project management plan or adjusting the project objectives to eliminate the threat entirely, reducing its probability to 0. Examples include removing the risk cause, extending the schedule, changing the project strategy, reducing scope, clarifying requirements, obtaining information, improving communication, or acquiring expertise.

- Exploit (opposite of Avoid; probability at 100%)

  • Use for: Opportunities/Overall project risk
  • Purpose: For high-priority opportunities
  • Action: Exploit is selected for high-priority opportunities where the organization wishes to ensure realization. Exploit seeks to capture the benefits of a specific opportunity by ensuring it occurs, increasing the probability of the opportunity to 100%. Examples include assigning the organization's most talented resources to the project, adopting or upgrading to leading-edge technologies, or adding features or capabilities to reduce cost or duration.

- Mitigate

  • Use for: Threats/Overall project risk
  • Purpose: For high-priority threats with high impact
  • Action: Mitigate involves actions taken to reduce the probability of occurrence and/or the impact of a threat. Early mitigation actions are often more effective than attempting to repair the damage after occurrence. If reducing probability is not possible, Mitigate may focus on decreasing the severity of the impact by targeting drivers of risk exposure. Examples include adopting simpler processes, conducting more tests, selecting stable suppliers, or designing redundancy into critical systems.

- Enhance (opposite of Mitigate)

  • Use for: Opportunities/Overall project risk
  • Purpose: For high-priority opportunities with high potential benefit
  • Action: Enhancement strategies aim to increase the probability and/or impact of an opportunity. Early enhancement actions are often more effective than trying to improve benefits after an opportunity has occurred. Opportunity probability may be increased by focusing attention on its causes. If increasing probability is not possible, increase the impact by targeting factors that increase the magnitude of the benefit. Examples include adding more resources to finish early.

- Transfer (deflect, allocate)

  • Use for: Threats/Overall project risk
  • Purpose: For low-priority threats
  • Action: Transfer involves shifting ownership of a threat to a third party to manage the risk and bear the impact if the threat occurs. Transfer often involves paying the cost of the risk to the party accepting the risk. Transfer actions may include, but are not limited to, purchasing insurance, deposits, warranties, guarantees, etc. Agreements can be used to transfer responsibility for specific risks to another party.

- Share (opposite of Transfer)

  • Use for: Opportunities/Overall project risk
  • Purpose: For low-priority opportunities
  • Action: Sharing involves passing an opportunity to a third party so that the third party shares back some of the benefits if the opportunity arises. It is important to choose the third party carefully so they can best capture the benefit. Examples include forming partnerships, teams, joint ventures, or companies to share opportunities.

- Escalate

  • Use for: Threats/Opportunities
  • Purpose: For low-priority threats/opportunities
  • Action: Escalate is used when a threat or opportunity is outside the project’s scope or the proposed risk response exceeds the authority of the project manager. Escalated risks are managed at the program, portfolio, or organizational level, NOT at the project level. Threats/opportunities are typically escalated to the level appropriate to the objectives that would be affected if the threat/opportunity occurred. Threats/opportunities that are escalated are NOT further monitored after reporting, although they may be recorded in the risk register.

- Accept

  • Use for: Threats/Opportunities/Overall project risk
  • Purpose: For low-priority threats/opportunities/overall project risk
  • Action: Accept acknowledges a risk’s existence without taking proactive action. This strategy may be appropriate for low-priority threats/opportunities, and it may also be applied when it is not possible or effective to address the threat/opportunity. Accept can be active or passive. The most common active acceptance strategy is to establish an overall contingency reserve for the project, including amounts of time, money, or resources to be used if the project exceeds its thresholds. Passive acceptance involves no proactive action apart from periodic review of the level of overall project risk to ensure that it does not change significantly.

 

Contingent response strategies:

  • Some responses are designed for use only if certain events occur. For some risks, it is appropriate for the project team to make a response plan that will only be executed under certain predefined conditions, if it is believed that there will be sufficient warning to implement the plan (such as missing key milestones).
  • Risk responses identified using this technique are often called contingency plans or fallback plans and include identified triggering events that set the plans in effect.

Risk register and Risk report will be updated through Plan Risk Responses process:

- Risk report: The risk report may be updated to present agreed-upon responses to the current overall project risk exposure and high-priority risks, together with the changes expected as a result of implementing these responses.

- Risk register:

  • Residual risks: The risks that remain after risk responses have been implemented. After we have avoided, exploited, mitigated, enhanced, transferred, shared, escalated, and accepted risks (and created the associated contingency plans), there will still be risks that remain. Passively accepted residual risks should be recorded and reviewed throughout the project to monitor whether they have changed (probability and impact). An example of a residual risk is the use of seat belts in cars. The installation and use of seat belts reduces the overall severity and probability of injury in a car crash; however, the injury probability remains, meaning the risk remains.
  • Secondary risks: Secondary risks are risks that arise as a direct result of implementing a risk response. Secondary risks also need to be analyzed as part of the risk response plan.
  • Contingency plans: The plans include specific actions that will be taken if an opportunity or threat occurs.
  • Fallback plans: The plans include specific actions that will be taken if the contingency plans are not effective.
  • Risk owner: It is important to note that the Project Manager does not have to do everything in the Plan Risk Responses process, and neither does the project team. Each risk must be assigned an owner who will:

            + Help lead the development of risk responses and
            + Be assigned to execute the risk response.

    The risk owner can be a stakeholder who is not a team member.

  • Risk triggers: Events or conditions that indicate that a risk is about to occur and signal for contingent responses. Early warning signs for each project risk need to be identified so that the risk owner knows when to take action.
  • Contracts: Before finalizing a contract, the Project Manager should complete a risk analysis, including the necessary contract provisions and conditions to mitigate threats and enhance opportunities. Any contracts issued to address risks should be recorded in the risk register.

Reserves (contingency): A contingency reserve includes amounts of time, money, or resources to handle the threat if it occurs. Reserves are a mandatory part of project management. We cannot schedule or budget the project without them.

[Figure: Risk Management Implementation Sequence from the Identify Risks process to the Plan Risk Responses process]

6. Implement Risk Responses

Implement Risk Responses is the process of implementing agreed-upon risk response plans, ensuring that agreed-upon risk responses are executed as planned in order to address overall project risk exposure, minimize individual project threats, and maximize individual project opportunities.

This process is performed throughout the project. A common problem with Project Risk Management is that project teams spend effort in identifying and analyzing risks and developing risk responses, then risk responses are agreed upon and documented in the risk register and risk report, but no action is taken to manage the risk. Only if risk owners give the required level of effort to implementing the agreed-upon responses will the overall risk exposure of the project and individual threats and opportunities be managed proactively.

Risk register and Risk report will be updated through Implement Risk Responses process

  • Risk register: The risk register may be updated to reflect any changes to the previously agreed-upon risk responses for individual project risks that are subsequently made as a result of the Implement Risk Responses process.
  • Risk report: The risk report may be updated to reflect any changes to the previously agreed-upon risk response to overall project risk exposure that are subsequently made as a result of the Implement Risk Responses process.
  • The risk register and risk report will be updated with information on the implemented risk responses, a detailed description of the extent to which each risk was addressed, and proposed changes to the risk response plan for the future. The Project Manager updates the lessons learned register with information on challenges encountered when implementing risk responses and how they could have been avoided, as well as approaches that worked well for implementing risk responses.

 

7. Monitor Risks

Monitor Risks is the process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project. This process enables project decisions to be based on current information about overall project risk exposure and individual project risks. This process is performed throughout the project.

In order to ensure that the project team and key stakeholders are aware of the current level of risk exposure, project work should be continuously monitored for new, changing, and outdated individual project risks and for changes in the level of overall project risk by applying the Monitor Risks process. The Monitor Risks process uses performance information generated during project execution to determine if:

  • Implemented risk responses are effective,
  • Level of overall project risk has changed
  • Status of identified individual project risks has changed,
  • New individual project risks have arisen,
  • Risk management approach is still appropriate,
  • Project assumptions are still valid,
  • Risk management policies and procedures are being followed,
  • Contingency reserves for cost or schedule require modification, and
  • Project strategy is still valid.

Other tasks within the Monitor Risks process include:

Workarounds: When the project is no longer running according to plan, the team can take corrective actions to get the project back on plan. These corrective actions can include workarounds.

Whereas contingency responses are developed in advance as part of a plan, workarounds are unplanned responses developed to deal with the occurrence of unforeseen events or problems in the project (or to deal with accepted risks). Project Managers who do NOT implement risk management well will spend a lot of time creating workarounds.

Risk Reassessments: As work begins, it is important to determine, based on updated information, whether to make any changes or adjustments to what was planned. The output of risk reassessments includes the review of new risks, closed risks, additional qualitative or quantitative risk analysis of new and/or previously identified risks, and planning for risk responses.

Key Tools and Techniques Used in Monitor Risks process:

Risk audits are a type of audit that may be used to consider the effectiveness of the risk management process. The project manager is responsible for ensuring that risk audits are performed at an appropriate frequency, as defined in the project’s risk management plan. Risk audits may be included during routine project review meetings or may form part of a risk review meeting, or the team may choose to hold separate risk audit meetings. The format for the risk audit and its objectives should be clearly defined before the audit is conducted.

Risk reviews are scheduled regularly and should examine and document the effectiveness of risk responses in dealing with overall project risk and with identified individual project risks.

  • The risk review may be conducted as part of a periodic project status meeting or a dedicated risk review meeting may be held, as specified in the risk management plan.
  • Risk reviews may also result in identification of new individual project risks (including secondary risks that arise from agreed-upon risk responses), reassessment of current risks, the closing of risks that are outdated, issues that have arisen as the result of risks that have occurred, and identification of lessons to be learned for implementation in ongoing phases in the current project or in similar projects in the future.

Risk register and Risk report will be updated through Monitor Risks process

The risk register is updated with information on individual project risks generated during the Monitor Risks process. This may include adding new risks, updating outdated risks or risks that were realized, updating risk responses, and so forth.

The risk report is updated to reflect the current status of major individual project risks and the current level of overall project risk.

  • The risk report may also include details of the top individual project risks, agreed-upon responses and owners, and conclusions and recommendations.
  • The risk report may also include conclusions from risk audits on the effectiveness of the risk management process.

Common Mistakes in Risk Management

Here are some common risk management mistakes that projects often encounter:

  • The Identify Risks process is completed without a full understanding of the project.
  • The overall project risks are assessed using only questionnaires, interviews, or Monte Carlo analysis, which do not identify specific project risks.
  • The Identify Risks process is completed too early, resulting in a short list (20 risks) instead of an extensive list (hundreds of risks).
  • Adding padding without going through the risk management process to get a full and accurate assessment.
  • The Identify Risks process is combined with the Perform Quantitative Risk Analysis process. This reduces the total number of identified risks and the team stops participating in the risk identification (there is a separate process for risk identification).
  • Risks are identified in general terms rather than as specific risks.
  • Ignoring the use of risk categories (e.g., technology, culture, market, etc.).
  • Only one method is used to identify risks (e.g., using checklists only) rather than combining methods. Combining methods ensures that more risks are identified.
  • Choosing the first risk response strategy immediately without considering other strategies and finding the best strategy or combination of strategies.
  • Risk management is not given due attention.
  • The Project Manager does not explain the risk management process to the team during project planning.
  • Contracts are signed long before project risks are discussed.

 

Conclusion

Risk management is one of the most important knowledge areas in project management. Therefore, businesses as well as those directly implementing risk management need knowledge and experience to identify and assess risks, thereby helping to optimize the project's chances of success.

