Knowledge Area Executive Summary
This Knowledge Area is about increasing the probability and impact of positive risks and decreasing the probability and impact of negative risks to optimize the chance of project success. This can only be done when risks are identified and then subsequently analyzed and planned for.
- Process Groups Covered by Stakeholder Management:
- Monitoring and Controlling
- Processes in this Knowledge Area
- Plan Risk Management
- Identify Risks
- Perform Qualitative Risk Analysis
- Perform Quantitative Risk Analysis
- Plan Risk Responses
- Implement Risk Responses
- Monitor Risks
- Major or important ITTOs
- Project Charter
- PM Plan
- Project Documents
- Work Performance Data
- Data Analysis
- Risk Audits
- Risk Categorization
- Data Representation
- Risk Register
- Risk Report
- Change Requests
- Critical concepts
Most people hear the term ‘risk’ and immediately think about the negative things. In the Project Management world, a risk is ANY uncertain thing, whether it is good or bad. As a Project Manager you will deal with each differently, but you must account for both in the project. The intent of Project Risk Management is to increase the chances of the positive risks (called opportunities), which should provide a positive impact on your project, and to reduce the probability of negative risks (called threats), which will decrease the negative impacts on your project. This will increase (or optimize) your chances of project success. This also requires that you consider individual event uncertainty as well as the uncertainty of the project as a whole.
In order to ensure that the degree, type, and visibility of risk management is proportionate to the risks and the importance of the project, you have to develop a solid plan for how risk management activities will be conducted for a project. This is our first PM Process in Risk Management; Plan Risk Management. It is important to think of this as the overall strategy for Risk Management, not the strategy for individual risks. That cannot be done until you perform the next Risk Management PM Process of Identify Risks.
During the Identify Risks process, we will identify the individual project risks as well as what their sources are. We perform this in an attempt to gather information on the risks so that if they occur, we can respond appropriately to them. This is also where we will create the beginnings of the Risk Register, which is a ‘dynamic’ project document. We will begin by simply creating a list (usually a spreadsheet) where we can start creating ownership of the individual risk and the potential risk responses that will be initiated should it occur. Once a risk is identified, we can apply a Contingency Reserve (usually a monetary value) to deal with this risk, should it occur. Risks that we fail to identify in this process will be dealt with using a different reserve called a Management Reserve.
At this early stage, there will not likely be a great amount of detail provided about our identified risks until we look at the next processes, Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis. Let’s start with Perform Qualitative Risk Analysis since it needs to be performed before Quantitative Risk Analysis. Qualitative Risk Analysis is designed to help us prioritize individual risks for additional analysis. When thinking of ‘Qualitative’ analysis, think “qualify the risk.” In other words, we are going to assess its likelihood (probability) and the effect it will have on the project (impact). We are going to do this for every risk that is identified. It is a natural thing to think of a risk and then immediately assess a probability and impact. Don’t worry if this happens during the Identify Risks process. Just be sure to do it for every single risk you identify. You need to determine if the risk is a high priority risk, so you must assess every single one of them. Your intent with this process is to analyze and give a probability-impact ‘score’ to the risks to determine which will be analyzed again in Perform Quantitative Risk Analysis. See the picture below for an understanding of how we determine a ‘high priority risk.’
Quantitative Risk Analysis should be thought of as ‘the quantity of money or time’ that the risk exposes us to. Positive risks can make or save you money and time if they happen. Negative risks can cost us more time and money if they occur. Since the Quantitative Risk Analysis gives us the Expected Monetary Value (or EMV) and needed buffer times if a risk is triggered, we could potentially spend a large amount of time on these calculations. This is why it is performed AFTER Qualitative Risk Analysis. Spending that time on the EMV and buffer times for every risk could take even an experienced risk analysis team a great deal of time. The highest priority risk from Qualitative Risk Analysis (the ones with the highest P-I ‘score’) will move into the Quantitative Analysis to help us plan for them.
So now that we have identified the risks and subsequently analyzed them, we need to determine what we will do if the risk triggers. This is our next process of Plan Risk Responses. There are different ways to respond to positive and negative risks. It is important that we consider the EMV and buffer times when we plan how to respond. For instance, if a negative risk exists that threatens our timeline greatly, particularly for Critical Path activities, we may need to plan for additional resources or time as a response. We may also need to plan for alternative ways to accomplish the same activity. This would be documented in the risk register, or if the probability is high enough, we plan some additional buffer time for that activity. The most common risk strategies are shown in the picture below.
So now we have a response strategy ready for our positive and negative risks. So what do we do when that risk actually occurs? That’s where the next PM Process for Risk Management comes in. In the Implement Risk Responses process, we execute the response plan. The main benefit of this process is to ensure that we don’t fall into a common pitfall of project teams where the risk is identified and analyzed, a response is agreed upon, but when the risk presents itself, no action is taken.
Our final process in Risk Management is Monitor Risks, where we perform several actions to determine the variances between the planned and actual Risk Management activities. Here we use Work Performance Data and Work Performance Reports to determine:
- Are implemented risk responses effective?
- The current level of overall project risk
- Individual risk statuses
- Are our risk management approaches are effective?
- Do new risks exist that were not previously identified?
- Are identified risks still valid?
- Are risk policies and procedures being followed?
- Is the Contingency Reserve still sufficient or do we need to change it?
If any of these items show variance, we may need to submit a change request to adjust the Contingency Reserve, schedule buffers, or changes to risk strategies. We will also update any project documents (such as the Risk Register) with our findings.
Knowledge Area Frequently Asked Questions
Q: Is there a best practice for where to look for risk on projects?
A: Absolutely! There are a ton of places that you can look for risk on a project. If you are starting a project in an organization that has done a project like yours previously, then in addition to your Project Charter, business documents, and Agreements, you can scour the corporate knowledge base for items that are similar to your project. Your project team is another great resource. Their experience and expert judgement should be leveraged to help you look for risks as well.
If you are starting a completely new project where your organization or project team have never performed anything similar, there is another great tool to determine where to look as well as keep risks organized called the Risk Breakdown Structure (or RBS). You can utilize the RBS to look for risks by breaking the project into categories. It is similar to an organizational chart and helps you determine the areas to look for risk by breaking down the project into nodes. You can start with high-level nodes that are as simple as ‘Internal’ and ‘External’ and then go deeper into each where needed. Detailed nodes under ‘Internal’ could be ‘Project Team,’ ‘Funding,’ and ‘Resources.’ Detailed nodes under ‘External’ could be ‘Regulations/Laws,’ ‘Market Stability,’ and ‘Weather.’
Q: What happens if you implement a risk response and accidentally create a new risk you couldn’t account for?
A: This scenario is called a secondary risk. Secondary Risks are new risks that are induced by implementing a risk strategy and are not always easy to predict. In one example, your organization does not have the experience to generate a needed aspect of your final product or service. There would be all types of risks you could “what if” in that scenario, so you decide to purchase or sub-contract that aspect of the product or result. We’ve transferred the risk, but it isn’t gone. There’s new risks now in that we can’t guarantee the quality or timeliness of the subcontractor’s portion. That’s an easy one to see where we could pad the Contingency Reserve a bit to deal with this risk if needed. In some cases, however it is not possible to always foresee the outcomes of our risk strategies and may force us to instead rely on the Management Reserve.
What to Memorize in this Knowledge Area
Proper Risk Management is very important to project success and as a result, PMI® will test you with some detailed scenario-based questions. In order to ensure that you are prepared for these questions, you should spend some time memorizing the below information:
- Expected Monetary Value formula
- Appropriate strategies to deal with risk (both threats and opportunities)
- Qualitative Risk Analysis tools and techniques
- Types of reserves and their purposes
- Data Representation models for risks
Your Brain Dump should include the above items in such a way that it can be quickly written down at the beginning of your test time. If you choose to ‘keep like items together’ rather than segmenting your Brain Dump by Knowledge Area, you will need to practice adding the EMV formula to your Earned Value (baseline performance measurements) and business opportunity formulas (Net Present Value, Return on Investment, etc.) and finding the appropriate location for the other items.
Knowledge Area Critical Reasoning & Testing Skills
Risk Management can be tested in a few ways on the exam. You could be asked anything from the Expected Monetary Value (EMV) of a threat or opportunity, risk strategies, or even where errors in analyzing risks appropriately. Let’s look at a few examples below.
Q: You are the Project Manager of a construction project to provide reinforcements to an older bridge, which will enable it to allow heavier traffic and reduce wear to satellite roads. During this six-month project, there is a 30% chance that weather will cause delays costing up to $12,000. There is also a 20% chance that the price of building materials will drop, which will save you $5,000 overall on the project. What is the total EMV for both of these risks?
EXPLANATION: This question requires you to recall the EMV formula (P x I = EMV), reach a monetary conclusion for each of the risks discussed, and then add those individual risk EMVs together to determine the total EMV. So let’s do the math:
Weather Risk (Threat = negative numbers): .30 x -$12,000 = -$3,600
Supply Cost Risk (Opportunity = positive numbers): .20 x $5,000 = $1,000
Total EMV (Sum of threats and opportunities): -$3,600 + $1,000 = -$2,600
SO for this question, our answer would be C: -$2,600.
Q: You are the Project Manager for a Learning Management System development project. Your 16-month project has been underway for 9-months when a major problem with user interface browser-supportability is found that was not included in the Risk Register. Due to constraints in the agreement, you must use a specific browser, and you and your team are unable to find a suitable workaround to your issues. What is your BEST course of action?
- Abandon the project since no workaround can be identified
- Submit a Change Request for approval to use a different web browser
- Utilize the Contingency Reserve to hire developers with the knowledge needed
- Utilize the Management Reserve to hire developer with the knowledge needed.
EXPLANATION: Answer A is asking us to abandon a project that is almost halfway completed due to a minor risk becoming an issue. This is never the right choice. Answer B uses Change Management processes to request a new browser, but the question states that the browser was a constraint of the project from the original business case, so this Change Request will likely not be approved. Answers C and D discuss using the two types of Reserves to source additional resources, but which is the more appropriate here? Contingency Reserves are for risks that have triggered that were previously identified. Management Reserves are for risks that have triggered and were not previously identified. With that logic, our BEST answer here is D.
Knowledge Area Closing Summary
Project Risk Management is a very large Knowledge Area that is virtually all situational-based. It is extremely essential to project success. So much so, that PMI® has an additional certification just for Risk Management. Reading this article will give you an initial foundation to build from, but you must also sit down and research this topic deeper. One way to do that is to join other prospective candidates in an Instructor-led course. No matter how you choose to do to gain a deeper understanding, make sure your study plan includes this Knowledge Area.