Risk Management


| Knowledge Areas | Major Processes | Primary Inputs | Tools & Techniques | Primary Outputs |
|---|---|---|---|---|
| RISK It’s risky to have an IQ in DC. | | | | |
| Risk Management Planning | Deciding how to approach and plan risk management activities. | 1. Enterprise Environmental Factors; 2. Organizational Process Assets; 3. Project Scope Statement; 4. Project Management Plan | 1. Planning meetings and analysis | 1. Risk management plan |
| Risk Identification | Determining which risks are likely to affect the project & documenting their characteristics | 1. Enterprise Environmental Factors; 2. Organizational Process Assets; 3. Risk management plan; 4. Project Scope Statement; 5. Project Management Plan | 1. Documentation reviews; 2. Info-gathering techniques; 3. Checklist analysis; 4. Assumptions analysis; 5. Diagramming techniques | 1. Risk Register |
| Qualitative Risk Analysis | Assessing the impact and likelihood of identified risks. | 1. Organizational Process Assets; 2. Risk Register; 3. Project Scope Statement; 4. Project Management Plan | 1. Risk probability & impact assessment; 2. Probability and impact matrix; 3. Risk data quality assessment; 4. Risk Categorization; 5. Risk urgency assessment | 1. Risk Register (Updates) |
| Quantitative Risk Analysis | A process that analyzes numerically the probability of each risk and its consequence on project objectives | 1. Organizational Process Assets; 2. Project Scope Statement; 3. Risk Management Plan; 4. Risk Register; 5. Project Management Plan (Project Schedule Management Plan, Project Cost Management Plan) | 1. Data Gathering and representation techniques (Interviewing, probability distribution and EJ); 2. Quantitative Risk analysis & modeling techniques (Sensitivity, EMV, Decision Tree) | 1. Risk Register (Updates) |
| Risk Response Planning | Developing options & determining actions to enhance opportunities and to reduce threats to project objectives | 1. Risk Management Plan; 2. Risk Register | 1. Strategies for negative risk or threats; 2. Strategies for positive risk or opportunities; 3. Strategies for both threats and opportunities; 4. Contingency response strategy | 1. Risk Register (Updates); 2. Project Management Plan (Updates); 3. Risk related contractual agreements |
| Risk Monitoring & Control | Tracking identified risk, monitoring residual risks, and identifying new risk, ensuring the execution of risk plans and evaluating the effectiveness in reducing risk. | 1. Risk Management Plan; 2. Risk Register; 3. Approved Change Requests; 4. Work Performance Information; 5. Performance Reports | 1. Risk reassessment; 2. Risk audits; 3. Variance and trend analysis; 4. Technical performance measurement; 5. Reserve analysis; 6. Status Meetings | 1. Risk Register (Updates); 2. Requested Changes; 3. Recommended Corrective actions; 4. Recommended Preventive actions; 5. Organizational process asset (Update); 6. Project Management Plan (Updates) |



Project risk – is an uncertain event or condition that, if it occurs, has a positive or a negative effect on a project objective.

A risk has a cause and, if it occurs, a consequence. Risk identification is an iterative process (just like the core processes). The objective is to decrease the probability and impact of negative events and to increase those of positive events.

  1. Risk Management Planning: deciding on how to approach, plan and execute risk mgmt activities for a project.
  2. Risk Identification: determining which risks can affect the project and documenting their characteristics.
  3. Qualitative Risk Analysis: prioritizing risks for subsequent further analysis or action by assessing and combining their probability of occurrence and impact.
  4. Quantitative Risk Analysis: numerically analyzing the effect on overall project objectives of identified risks.
  5. Risk Response Planning: developing options and actions to enhance opps and reduce threats to project objectives.
  6. Risk Monitoring and Control: tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans and evaluating their effectiveness through the project life cycle.


RMP: it is input to cost and time estimating, schedule development and cost budgeting.

I/P: EE factors (attitude towards risk and tolerance, which can be found in policy statement or revealed in actions), OP assets, Project scope statement, PMP

TT: Planning meetings and analysis: Risk cost element and schedule activities will be developed for inclusion in the project budget and schedule respectively. Responsibilities will be assigned; templates will be tailored for use later.


Risk Management Plan – Describes how Risk Management will be structured and performed, it includes

  1. Methodology (Approach, tools and data sources)
  2. Roles and responsibilities
  3. Budgeting (assign Resources and estimated Cost for inclusion in cost baseline)
  4. Timing (When and how often; includes risk activities in project schedule)
  5. Risk Categories (RBS, Good practice is to review risk categories during RMP prior to Risk Identification Process)
  6. Definition of Risk Probability and Impact (Definition of probability and impact)
    1. Probability and Impact Matrix (Look up table, with impact categorized as Low, Moderate or High)
  7. Revised Stakeholders tolerances
  8. Reporting Formats (Describes Risk Register Contents and format)
  9. Tracking (Auditing and Documentation for current project, future needs and LL)



Risk Types – 1. Business (Gain or Loss)  2. Pure Risk (Only Risk of Loss)

Attitude about Risk – Should be made explicit. Communication about risk should be honest and open. Risk response reflects the organization's perceived balance between risk taking and risk avoidance. Someone who does not want to take risks is said to be Risk Averse.

Tolerance and Threshold – Tolerances are areas of risk that are acceptable or unacceptable. A threshold is the amount of risk that is acceptable. You use this information to help assign levels of risk on each work package.

Risk Identification

IP: EE Factors, OP assets, project scope statement (assumptions), risk management plan(R&R, RBS, risk provisions), project management plan

Tools: Documentation reviews; info gathering techniques (Brainstorming, Delphi tech, interviewing, RCA, SWOT); Check List Analysis – based on Historical information of previous similar projects. The lowest level of RBS is used as Risk Checklist; Assumption analysis; Diagramming tech: C&E, system/process flow chart, influence diagram.

OP: Risk Register

Delphi tech: a way to reach a consensus of experts. A questionnaire is sent to solicit ideas, and the responses are summarized and re-circulated to the experts. Consensus is reached in a few rounds. It helps to reduce bias in the data and keeps any one person from having undue influence.

Qualitative Risk Analysis: focuses on prioritizing risks using the probability and impact of each risk as well as time frame and risk tolerance. It also leads to the overall risk of the project. It is also known as Risk assessment.

IP: OP assets, project scope statement, RMP, Risk Register,

TT:  Risk probability and impact assessment, Probability and impact matrix, Risk data quality assessment, Risk Categorization (based on common causes, using RBS/WBS/Phases), Risk urgency assessment.

OP: risk register (updates)

Quantitative Risk Analysis: it assigns a numerical ranking to the prioritized risks and primarily uses Monte Carlo Simulation and Decision Tree Analysis. It should be redone after RRP and RMC to assess risk reduction.

IP: OP Assets, Scope Statement, RMP, Risk Register, PMP (SMP, CMP).


  1. Expert Judgment
  2. Data Gathering and Representation Techniques
    • Interviewing,
    • Probability Distribution – Beta Distribution and Triangular Distribution can use ordinal or cardinal values. Both use 3-point estimates and are continuous distributions. A decision tree uses a representation of a discrete distribution. A Uniform distribution can be used when there is no obvious value, as in the early concept stage of design.
  3. Quantitative Risk Analysis and Modeling Techniques
    • Sensitivity Analysis – Determines which risks have the most potential impact. Tornado Diagram (compares relative importance of variables that have a high degree of uncertainty to those that are more stable)
    • Expected Monetary Value – Opportunities are expressed as positive values and risks as negative values; a decision tree is an example. Modeling and Simulation is recommended for Cost & Schedule Risk analysis because they are more powerful and less subject to misuse than EMV analysis.
    • Decision tree analysis – Shows available choices and their possibilities with a more complex process than EMV. It assumes mutual exclusivity.
    • Modeling and Simulation – Done using the Monte Carlo Technique. In simulation the project model is calculated many times (iterated), with the input values randomized from a probability distribution function, and a probability distribution is made. Cost Risk Analysis uses CBS or WBS. Schedule Risk analysis uses PDM.

OP: Risk Register (updates)
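The EMV / decision tree calculation and the Monte Carlo simulation on three-point estimates described above, as an added example that is not part of the original notes. All figures, choice names and function names are constructed for illustration; the reserve is read off the simulated cumulative distribution at an assumed 80% confidence level.

```python
import random

# Constructed sample data (not from the page).
# Decision tree: {choice: (upfront_cost, [(probability, payoff), ...])}
TREE = {
    "build_new": (120, [(0.6, 200), (0.4, 90)]),
    "upgrade": (50, [(0.6, 120), (0.4, 60)]),
}
# Cost items as three-point estimates: (optimistic, most_likely, pessimistic)
ITEMS = [(40, 50, 80), (20, 25, 45), (10, 12, 20)]

def emv(branches):
    """EMV = sum of probability * monetary impact over mutually exclusive branches."""
    if abs(sum(p for p, _ in branches) - 1.0) > 1e-9:
        raise ValueError("branch probabilities must sum to 1")
    return sum(p * value for p, value in branches)

def best_decision(tree):
    """Score each choice as EMV of its outcomes minus its upfront cost."""
    scores = {name: emv(br) - cost for name, (cost, br) in tree.items()}
    return max(scores, key=scores.get), scores

def simulate_totals(items, iterations=20000, seed=1):
    """Monte Carlo: draw every item from a triangular distribution, sum, repeat."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    return sorted(
        sum(rng.triangular(low, high, mode) for low, mode, high in items)
        for _ in range(iterations)
    )

def percentile(sorted_totals, p):
    """Value below which a fraction p of the simulated totals fall."""
    return sorted_totals[min(len(sorted_totals) - 1, int(p * len(sorted_totals)))]

def contingency_reserve(items, confidence=0.80, **kwargs):
    """Reserve = total cost at the chosen confidence level minus the base estimate."""
    base = sum(mode for _, mode, _ in items)
    return percentile(simulate_totals(items, **kwargs), confidence) - base

if __name__ == "__main__":
    choice, scores = best_decision(TREE)
    print("EMV per choice:", scores, "-> pick", choice)
    totals = simulate_totals(ITEMS)
    print("P50 total:", round(percentile(totals, 0.50), 1))
    print("P80 total:", round(percentile(totals, 0.80), 1))
    print("Reserve at 80% confidence:", round(contingency_reserve(ITEMS), 1))
```

Raising the confidence level moves further along the cumulative distribution and so increases the reserve; the level to use comes from the stakeholder risk tolerances.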


Risk Response Planning: it assigns an owner to each agreed-to and funded risk. Risk responses are developed in the risk planning and risk response planning stages.

IP: RMP, Risk Register

TT: Strategies for negative risks (avoid, transfer, mitigate), strategies for positive risks (exploit, share, enhance), for both (acceptance), contingent response strategy

OP: Risk Register (Updates), PMP (updates), Risk related contractual agreement.


Risk Management Control

Process of identifying, analyzing and planning for newly arising risks, keeping track of identified risks and those on the watch list, reanalyzing existing risks, monitoring trigger condition for contingency plans,  monitoring residual risks and reviewing the execution of the risk responses and their effectiveness.

IP: RMP, Risk Register, App CRs, work performance Info

TT: Risk reassessment, Risk Audits, Variance and trend analysis, Technical performance measurement, reserve Analysis, Status Meetings (RM is an agenda)

  1. Risk Audits: examine and document the effectiveness of risk responses in dealing with identified risks and their root causes, as well as the effectiveness of the risk management process.
  2. Variance and trend analysis: trends are reviewed using performance data, EV analysis and other methods. It measures overall project performance deviation from the baseline, indicating the potential impact of threats or opps.
  3. Technical performance measurement: compares technical accomplishments during project execution to the PMP’s schedule of technical achievement. Reveals the degree of success in achieving the project’s scope.
  4. Reserve Analysis: compares the contingency reserves remaining to the amount of risk remaining at any time in the project in order to determine if the remaining reserve is adequate.

OP: Risk register (updates), CRs, recommended CAs and PAs, OP asset (update), PMP (update)


Risk Register – (O/P of Risk Identification)

  1. List of Identified Risks (including root causes and assumptions)
  2. List of Potential Responses
  3. Root causes of Risks
  4. Updated Risk Categories (RBS which is developed in RMP is enhanced or amended)

Updates after Qualitative Risk Analysis

  1. Relative Ranking or Priority list of Project Risks
  2. Risks grouped by categories
  3. List of Risk requiring Response in the near term
  4. Watch list of low priority risks
  5. Trends in Relative Risk analysis results

Updates after Quantitative Risk Analysis

  1. Probabilistic Analysis of the project: this output typically expressed as a cumulative distribution is used with stakeholder risk tolerances to permit quantification of the cost and time contingency reserves
  2. Probability of Achieving Cost and Time Objective
  3. Prioritized List of Quantified Risks
  4. Trends in Quantitative Risk Analysis Results

Updates after Risk Response Planning

  1. Identified Risks, their descriptions, areas of the project and how they affect project objectives
  2. Risk owners and their responsibilities
  3. Agreed upon response strategies
  4. Symptoms and warning signs of risks occurrence
  5. Budget and Schedule activities required to implement the chosen responses
  6. Contingency reserves of Time and Cost and Triggers.
  7. Fallback plan
  8. Residual and Secondary Risks


Risk Response Planning Techniques

Strategies for Negative Risks or Threats

  • Avoidance (elimination/abatement) – Eliminate the threat posed by an adverse risk. Can be done by changing the Project Plan or protecting (isolating) project objectives from its impact, or by relaxing time, cost, scope and quality, or cutting scope.
  • Mitigation (reduction) – Reduce the Expected Monetary Value by reducing probability or impact. Float can be used to mitigate potential risks. Reduction in the probability or impact of an adverse risk. Examples: adopting less complex processes, conducting more tests, choosing a stable supplier.
  • Transfer – Deflect or share. Shifts the negative impact of a threat to a third party; it doesn’t eliminate it. Examples: insurance, performance bonds, warranties, guarantees etc.

Strategy for positive Risks or opps

  • Exploit: assigning better quality resource to reduce time to complete
  • Share: allocating ownership to third party who has expertise.
  • Enhance: by facilitating or strengthening the cause of the opportunity, targeting its trigger.

Strategy for both

  • Acceptance Accept or retain consequences. 2 types: Active Acceptance (develop a contingency reserve) or Passive Acceptance (no action).


Residual Risks – Risks that are expected to remain after planned responses have been taken, as well as those that have been deliberately accepted.

Secondary Risks – Risks that arise as a direct outcome of implementing a risk response.

Recommended Corrective Actions – For Risk monitor and Control include Contingency plans and workaround plans.

Workaround – Unplanned response to negative risk events (the project has to be impacted by the risk first). Workaround plans are not initially planned but are required to deal with emerging risks that were previously unidentified or accepted.

Contingency Plan – Planned action steps to be taken if an identified residual risk occurs (e.g. developing alternative activity sequences). It is for the risks which are accepted.

Contingency Reserve: calculated based on the quantitative analysis of the project and the organization’s risk thresholds.

Fall Back Plan: It is the plan executed when the contingency plan is not effective.

Risk database – A repository that provides for collection, maintenance, and analysis of data gathered and used in the risk management processes.


Types of Risk
Business – Normal risks that offer gain and loss

Pure / Insurable – Only loss: property damage, indirect consequential loss, legal liability, personnel. For risk we can outsource, we have contract. For pure risks, we obtain insurance.

Statistical Independence – Occurrence of one event is not related to occurrence of the other

Data Precision Ranking – Purpose is to test the value of data (input to Qualitative Analysis)

Path Convergence – Tendency of parallel paths of equal duration to delay the completion of the milestone where they meet. It is characterized by schedule activity with more than one predecessor activity

Uncertainty – An uncommon state of nature, characterized by the absence of any information related to a desired outcome.

Expected Monetary Value = Probability * Monetary Impact (used in Decision Tree Analysis)

Risk Event – A discrete occurrence that may affect the project for better or worse. After a risk event, the project manager’s role is to reassess the risk ranking. The risk owner is responsible to take action when an identified risk occurs.

Risk Trigger – A symptom of risk; indirect manifestation of actual risk event; output of risk identification; example is poor morale

Risk Portfolio – Risk data assembled for the management of the project

Utility Theory – Technique that characterizes an individual’s willingness to take risk

Sensitivity Analysis – Places a value on the impact to the project plan by adjusting a single project variable; simplest form of analysis

Risk Auditor – Role is to investigate the effectiveness of the risk owner (which can cause potential conflict with risk owner)

Numbers to Know  
Cost Estimates:

Order of Magnitude (ballpark estimate)



Budget -10% +75%  
Definitive -5% +25%  
1 sigma 68.3%    
2 sigma 95.5%    
3 sigma 99.7%    
6 sigma 99.99%    

The estimate with the smallest range is the least risky.



Risk Management Plan – would most likely be developed during scope planning phase of the scope management process.

Decision Tree Analysis –

  1. Takes into account future events in trying to make decision today
  2. It calculates EMV in more complex situations
  3. Involves mutual exclusivity

Fall back Plan – Specific actions that will be taken if the contingency plan is not effective.
