The biggest risk is not taking any risk… In a world that is changing really quickly, the only strategy that is guaranteed to fail is not taking risks.
Mark Zuckerberg

When starting the project planning process, the first things to think about are:
What could be the show-stopper? It may sound negative, but realistic project managers know this kind of thinking is preemptive. Problems will inevitably arise, so knowing how to manage risk in your project plan requires a risk mitigation strategy. I wrote an article on the premortem on my LinkedIn profile some time ago.

But how do we go about solving the unknown? It sounds like a philosophical paradox, but don’t worry. There are practical steps we can take. This article describes strategies for gaining insight into potential risks so that we can identify and track project risks.

What is risk

Risk. An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. —PMBOK® Guide – Seventh Edition

Why is Risk Management Important?

Risk Management Process

Here Are The Five Essential Steps of A Risk Management Process

  1. Identify the Risk
  2. Analyze the Risk
  3. Evaluate or Rank the Risk
  4. Treat the Risk
  5. Monitor and Review the Risk

Step 1: Identify the Risk

How to recognize risks? Choose a framework that fits your company’s working processes and resources. PMI provides a detailed guide on its model. This may be overkill for a small project or company, but it’s worth knowing.

First, context. The risk identification life cycle is a process that delivers critical risk management plan elements. The Risk Identification procedure has a six-stage structure.

  1. Template specification
  2. Basic identification
  3. Detailed identification
  4. External cross-check
  5. Internal cross-check
  6. Statement finalization

How to identify risks in project management

Project risk identification
For brevity, we’ll focus on the first three steps, which address risk identification (the rest involve validating and formalizing findings against the project’s scope).

Template specification
This risk statement includes causes, consequences, impacts, risk regions, and occurrences. A template helps you do this consistently.

Basic identification
Why us? Has this happened before? The first can be captured through a SWOT analysis; the second is a statement from a project post-mortem or lessons learned library.

Detailed identification
This stage is time-consuming but provides the detail needed to assess risk. Five PMI tools are:

  • Interviewing
  • Assumptions analysis
  • Document reviews
  • Delphi technique
  • Brainstorming

After these processes, you must categorize risk in an External cross-check. Understanding Risk Breakdown Structure explains this.

Step five connects risks to elements in the scope of work. You’ll start to see which project parts are riskier and which mitigation methods to use.

The final step, “Statement finalization”, depicts risky regions, causes, and repercussions.

Risk identification example

We will go through two examples. Please note that these are not rival strategies: the first is an example of a risk identification template, while the second is a risk register that contains the same data.

Example 1.1 – Risk identification template

Statement: There is no redundant link to a webserver responsible for playground reservations. If anything happened to an existing link during the holidays, it would result in a loss of business and a poor customer experience.
Cause: No redundant link to a web server responsible for playground reservations.
Effect: The brand is perceived negatively by customers.
Impact: The website's booking function; the brand will be perceived negatively by customers.
Areas of Risks: Customer booking function
Events: Holiday booking

Example 1.2 – Risk register

| ID | Date Raised | Category | Event | Cause | Impact |
|---|---|---|---|---|---|
| 1 | March 12, 2022 | Business Continuity | Holiday bookings | No redundant link to a webserver responsible for playground reservations | Loss of business; poor customer experience |

9 Common Types of Project Risks

Here is the list of common project risks that we will learn about in detail, including ways to tackle them:

  • Cost Risk
  • Schedule Risk
  • Performance Risk
  • Operational Risk
  • Market Risk
  • Governance Risk
  • Strategic Risk
  • Legal Risk
  • External Hazard Risks

Step 2: Analyze the Risk

Risk analysis is known as the process of understanding potential project risks and their implications for project objectives in terms of schedule, quality, and cost. As previously stated, risk can occur at any project stage; therefore, a project manager must be able to track all issues.

Analyzing risk in project management can be difficult because accurate information and data, such as project requirements, financial data, marketing projections, and relevant details, are required. However, the analysis can help you save time, money, and resources.

Moving on, there are two approaches to risk analysis:

  1. Qualitative Risk Analysis
  2. Quantitative Risk Analysis

Qualitative Risk Assessment

The goals of qualitative risk analysis are:

  • Prioritizing risks based on their likelihood of occurrence and the overall impact of the risk event
  • Identifying the primary risk exposure areas
  • Improving comprehension of project risk

A project manager can easily categorize risk by prioritizing it based on probability and impact. This is important when it comes to treatment schedules. Qualitative risk analysis provides a comprehensive understanding of the project risk, assisting project managers in developing more effective risk management strategies and planning for future use.

Quantitative Risk Assessment

A quantitative risk analysis is a more in-depth assessment of the highest-priority risk. Project risk is assigned a numerical value in quantitative analysis to generate a probabilistic analysis.

Quantitative analysis is concerned with the following:

  • Quantifying project potential outcomes and estimating the likelihood of meeting project objectives
  • When there is uncertainty, a quantitative approach to decision-making is used.
  • Set cost, schedule, and project goals that are realistic and attainable.

Always remember the foundation of quantitative analysis is qualitative analysis.

Step 3: Evaluate the Risk or Risk Assessment

What exactly is a risk assessment?
Risk assessment, a qualitative measure based on risk data and the parameters of probability and impact, is used by project teams to identify, categorize, prioritize, and manage risks before they occur.

The work done to update the original risk assessment due to changes in the project or overall risk management efforts is called “risk reassessment.” The accuracy of the risk assessment and resulting decisions is directly related to the quality of data used to determine the impact in the initial and subsequent assessments.

When is a Risk assessment required?
Identify and assess risks early in the project. Risk should be reassessed regularly by project teams. A risk assessment update is triggered by updating the risk registry. The frequency of reassessment is determined by the scope and risk management plan (projects of bigger scope should have more reassessments; similarly, smaller scope requires fewer reassessments).

Why is a Risk Assessment important?
By preparing the team, risk assessment ensures project success. When done with validated tools and quality inputs, risk assessment can reduce difficulties from negative risks and create opportunities for positive risks. According to a PMI conference paper, top project companies understand that a risk assessment template is valuable in managing the organization’s bottom line. Risk assessment has an impact on cost, timeliness, and quality.

Making a risk assessment
For the PMP exam, students must understand how to prioritise risks using a probability and impact score matrix. Project managers and PMPs should be familiar with the seven steps of risk assessment.

Identify applicable risk types and organize them
Unidentified risk cannot be evaluated. First, identify potential hazards. Identify project risks in collaboration with your team. Internal or external factors can cause risks of any size. Hazards may include computer infections, manufacturing failures, natural disasters, and delivery delays. Each risk is listed in a risk register. Risks can be organized by cause (internal or external triggers) or by category (environmental, regulatory, technology, or staffing, for example).

Determine methods to quantify these risks.
After identifying and organizing risks, the project manager should analyze them. Risks must be calculated. Using a probability and impact matrix, the project manager will document the likelihood and impact of each risk. Keep in mind that data quality has an impact on assessment accuracy.

Determine risk tolerance
Every organization’s risk tolerance level varies depending on the type, project stakeholders, and scale. Health care has a low risk tolerance, while other industries (like software development) tolerate more risk. To assess risk tolerance for each project, the project manager should solicit input from stakeholders.

Determine the format of the risk assessment output.
Determine how to document and communicate risk assessment results throughout the risk management process. Spreadsheets aid in the organization of large data sets. A corporation may have output requirements for risk assessments, such as storing it on a secure server or creating a shareable file. The documentation of the risk assessment output influences how the project team and stakeholders receive the information.

Create a plan to maximize the risk assessment’s applicability to every project
With knowledge of a risk assessment and response plan, project managers can protect active and future projects.

Risk assessments, risk responses, and risk assessment matrices with risk parameters should all be documented by project managers. Maintaining a consistent and detailed project documentation archive ensures that lessons learned are available to other project managers working on similar projects, thereby lowering negative risks. The strategy should include requirements for documentation format, how to access assessment documentation, and how to distribute assessments to the project team and stakeholders.

Create a flexible, scalable risk assessment.
Because the project manager and team will reassess risks throughout the project, the process must be flexible and scalable. You may need to add hazards throughout the project to achieve accurate likelihood and impact scores. The risk assessment should also be adaptable and scalable enough to apply to a wide range of projects.

Update risk assessment procedure
PMPs understand the value of risk assessment and reassessment in cost management. The project is vulnerable without an update procedure. A risk assessment that is not current is ineffective. Project managers should use a consistent risk assessment update methodology.

Risk Assessment Matrix

Project management documentation includes the risk assessment matrix. The risk matrix identifies four core areas for each risk: Risk name, probability, impact, and level/ranking. The risk assessment includes the project’s probability-impact (PI) score. The risk assessment matrix is a process output and input.

Each identified risk and its information are listed in a risk assessment matrix.

RISK CATEGORY
The most relevant ones are used from a standardized list of risk categories (e.g., technology, natural disaster, regulations, transportation, etc.). Each project has a unique combination of risk categories in its matrix.
PROBABILITY
Probability criteria: used to assign risk category probabilities; standardized but customized for each project.

Probability (“P”) score: a value assigned to each risk based on probability criteria; the matrix’s score scale specifies the minimum and maximum P scores; the Project manager and team use data and criteria to score risks.
IMPACT
Impact criteria: used to assign risk category impact values; standardized but customized for each project.

Impact (“I”) score: a value given to each risk based on impact criteria; the matrix’s score scale will state the minimum and maximum I scores; Project manager and team use data and criteria to score risks.

Probability and Impact Values

Probability-to-impact (PI) score: The probability score multiplied by the Impact score results in the PI score; the PI score is the overall risk assessment score; the PI score ranks all project risks by lowest probability and impact to highest, so resources are assigned accordingly.

Total Project Risk: All PI scores are added and then divided by the number of risks to determine the average; the project’s PI average is the Total Project Risk value.

Risk assessment relies on probability and impact. Risk categories, probability criteria, and impact criteria are used to tailor project risk.

| Risk Category / Event | Probability Criteria | Probability Score | Impact Criteria | Impact Score | PI Score |
|---|---|---|---|---|---|
| Scope: Theft of cash in Playground | Seldom | 2 | Marginal | 2 | 2x2=4 |

Probability
1. Unlikely 2. Seldom 3. Occasional 4. Likely 5. Definite

Impact
1. Insignificant 2. Marginal 3. Moderate 4. Critical 5. Catastrophic

Expected Monetary Value (EMV)

EMV is used in quantitative risk analysis and involves simple math. Once you understand it, it is very easy. Let’s discuss probability and impact again.
Probability measures the likelihood of an event.

Tossing a coin has a 50/50 chance of showing heads or tails. So, 50% chance to get heads or tails in every toss.

Probability = (Number of favourable events) / (Total number of events)

Let’s see how the coin formula works.

2 events total (because the coin can either show heads or tails)

Total favourable events = 1 (assuming heads are favourable).

(Number of favourable events) / (Total number of events) = 1/2 = 50%

That means tossing a coin has a 50% chance of showing heads.


Another example:

What’s the chance of rolling a 5 when throwing a die?

When thrown, the die shows 1, 2, 3, 4, 5, or 6. So, 6 events in total. You want 5 on the die.

1 positive event

Probability of 5 = (Number of positive events) / (Total number of events)

= 1 / 6 = 16.67%

The odds of rolling a 5 are 16.67%. Let’s find the probability of a 5 or 3 showing up next. Here, 2 positive events occurred.

Probability of 5 or 3 = (Number of positive events) / (Total number of events) = 2/6 = 1/3 = 33.33%

The odds of rolling a 5 or 3 are 33.3%.

The cost of a risk is its impact.

You’ve determined that project-related equipment may break and will cost $1,000 to replace. The risk impact is $1,000.

Expected Monetary Value (EMV) Formula
You multiply the probability by the impact of the identified risk to get the EMV.

EMV=Probability*Impact

If we have multiple risks, we add the EMVs for all of them. This is the project’s expected monetary value. We compute the EMV of all risks, whether they are positive or negative. The EMV will be negative for negative risks and positive for positive risks.

You will generate the cost baseline after calculating the expected monetary value of the project and adding it to your work cost estimate. This sum is known as the contingency reserve. The contingency reserve is the sum of the EMVs of all events.

Assume we have four risks with the following probabilities and impacts:

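| Risk | Probability | Impact in currency | EMV (P*I) |
|---|---|---|---|
| 1 | 10% | -4000 | -400 |
| 2 | 30% | -1000 | -300 |
| 3 | 25% | 2000 | 500 |
| 4 | 60% | -1500 | -900 |
| Total | | -4500 | -1100 |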

We may believe that $4,500 USD is required to manage all the risks listed above, but this is incorrect. Only a few of the identified risks will occur. Risks that do not occur will contribute their EMV to the pool, while risks that do occur will spend that money. In this case, we will need $1,100 USD to cover all identified risks.
When there are many risks to consider, the expected monetary value concept works well to calculate the contingency reserve because the more you identify, the better your contingency will cover them.
If you have identified fewer risks, your reserve may deplete too quickly or insufficiently cover a high impact. Positive risks are important in calculating the contingency reserve. You should identify them and account for them in your expected value calculations.
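
The reserve calculation above, carried one step further as an added example (not code from the original article): it enumerates every occur / does-not-occur combination of the four risks in the table to show how often the realised net cost is worse than the EMV-based reserve. It assumes the risks are independent, which the article does not state; the function names are illustrative.

```python
from fractions import Fraction
from itertools import product

# The four risks from the article's table: (id, probability, impact in currency).
# Negative impact = threat (cost), positive impact = opportunity (gain).
RISKS = [
    (1, Fraction(10, 100), -4000),
    (2, Fraction(30, 100), -1000),
    (3, Fraction(25, 100), 2000),
    (4, Fraction(60, 100), -1500),
]


def emv(probability, impact):
    """EMV = Probability * Impact for a single risk."""
    return probability * impact


def contingency_reserve(risks):
    """Sum of the EMVs of all risks; a negative total is money to set aside."""
    return sum(emv(p, impact) for _, p, impact in risks)


def outcome_distribution(risks):
    """Map every possible net impact to its probability.

    Walks all 2**n occur / does-not-occur combinations.
    ASSUMPTION (not stated in the article): the risks are independent.
    """
    dist = {}
    for occurs in product((False, True), repeat=len(risks)):
        prob, net = Fraction(1), 0
        for (_, p, impact), happened in zip(risks, occurs):
            prob *= p if happened else 1 - p
            if happened:
                net += impact
        dist[net] = dist.get(net, Fraction(0)) + prob
    return dist


def expected_net(dist):
    """Probability-weighted average of the net impacts."""
    return sum(net * prob for net, prob in dist.items())


def probability_reserve_exceeded(risks):
    """Probability that the realised net cost is worse than the reserve."""
    reserve = contingency_reserve(risks)
    dist = outcome_distribution(risks)
    return sum(prob for net, prob in dist.items() if net < reserve)


def worst_case(risks):
    """Most negative net impact: every threat occurs, no opportunity does."""
    return min(outcome_distribution(risks))


if __name__ == "__main__":
    dist = outcome_distribution(RISKS)
    print("Contingency reserve (sum of EMVs):", contingency_reserve(RISKS))
    print("Expected net impact over all outcomes:", expected_net(dist))
    print("Worst case:", worst_case(RISKS))
    print("P(net cost exceeds reserve):",
          float(probability_reserve_exceeded(RISKS)))
    for net in sorted(dist):
        print(f"  net {net:>6}: {float(dist[net]):.4f}")
```

With only four risks, the reserve matches the expected net impact, yet about half of the probability lies in outcomes that cost more than the reserve, which is the "fewer risks" caveat above in numbers.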

Example-1 (Negative EMV)
You’ve identified a risk that has a 30% chance of occurring. It could set you back $500 USD. Determine the expected monetary value of this risk event.
EMV = 30% * (-500) = -150

Example-2 (Positive EMV)
You’ve identified an opportunity with a 40% chance of materializing. It may help you gain 2,000 USD. Determine the expected monetary value (EMV) of this risk event.
EMV = 40% * 2000 = 800

Best risk-assessment practices

All project managers should assess risks as part of risk management. Best risk-assessment practices include:

  • Risk assessments need good data.
  • Risk assessments use team and stakeholder knowledge.
  • Quality-check risk data.
  • Project risk is reassessed often.
  • Risk assessments should use scalable tools.
  • The team and stakeholders receive risk assessment results, including the overall project score.

PMs should:

  • Standardize risk assessment tools
  • Customize the risk assessment matrix to the project’s needs, document the probability and impact of each risk, and use standard data and terms for risk audits.

The project type should determine the risk assessment criteria. You wouldn’t assess a weather event’s risk using manufacturing defect criteria.

When available, project managers should use organizational templates and PMO standards. Risk assessment customization should be balanced with knowledge-sharing standards. No single tool can assess all projects’ quality, but there are standards.

Step 4: Treat the Risk

Risk-reduction plans
Risk response planning involves reducing or eliminating project threats and maximizing the impact of opportunities. Project managers should prevent threats and create opportunities. The project manager must also minimize threats and maximize opportunities.

The project manager must have a contingency plan and a response plan for threats that can’t be mitigated.

Resource and time constraints prevent eliminating all project risks. A project manager should constantly assess risk. Risk planning is iterative: qualitative analysis, quantitative analysis, and risk response planning don’t end once the project begins.

Strategies for Risk Response

Threat response strategies include the following:

AVOID: Concentrate on eliminating the source of the threat.

MITIGATE: Certain risks cannot be completely eliminated. Their impact, however, can be mitigated. This is known as risk mitigation.

TRANSFER: The risk is transferred to another party. Risk transfers include insurance purchases, warranties, guarantees, and so on.

Opportunity response strategies include the following:

EXPLOIT: Increase work or change the project to ensure the opportunity occurs.

ENHANCE: Boost the likelihood and positive impact of risk events.

SHARE: Transfer ownership of an opportunity to a third party.

Strategies for dealing with BOTH threats and opportunities:

ACCEPT: In the event of a risk event, passive acceptance allows the action to be determined as needed. Active acceptance may entail the implementation of contingency plans in the event of a risk, as well as the allocation of time and cost reserves to the project. Risk acceptance must be communicated to stakeholders.

ESCALATE: Risks that cannot be monitored or managed by the project are escalated to a higher level, such as program management.

When the project manager reacts to threats or opportunities:

  • Strategy execution must be time-bound.
  • The effort chosen must be proportionate to the severity of the risk.
  • A single response can cover a series of risk events.
  • Not only the project manager but also the team, stakeholders, and experts, can choose a strategy.

Plan Risk Response Outputs

As a result of Plan Risk Responses, the risk register, project management plans, and project documents must be updated.

Updates to the Project Management Plan

The Project Management Plan can be updated by adding, removing, or assigning new work activities/packages to different resources, making planning an iterative process.

Step 5: Monitor and Review the Risk

Do Project Managers Really Control Risks?

Four steps for risk monitoring

  1. Check risk-response plans
    Plan responses for each risk or set of risks. Plans are executed by risk owners or their agents. Some risks require quick action. If a supplier misses a deadline, another vendor is contacted immediately.
    Project managers evaluate responses with risk owners. Responses are tailored.
  2. Monitor risks
    The project manager tracks risk with tools. Are risk response plans ensuring the project team delivers on time, on budget, and as required?

    Risk response plans include trigger conditions. Project managers determine trigger conditions and metrics with risk owners. If an activity is two weeks behind, additional resources may be added.
  3. Assess new risks
    Time brings new risks. A company implemented a new policy administration system. A vendor updated while an insurance company tested interface changes. New code could break interfaces.
    Project managers identify risks with their teams. New? Changes? What’s missing?
    Project managers should identify these new risks:
      • Project or environment changes
      • Achievements
      • Major threat
      • Risks unforeseen
      • Changes in key players
  4. Assess Risk Process

Risk-taking Measurement has three categories:

Conformance. This checks if the company follows its risk management policy.

Maturity. This compares the organization’s risk management program to best practices.

Improve. This measures risk management’s contribution to organizational goals and outcomes.


Exercises to help you figure out how risk management works

Strategies for Risk Response 1.1

  1. If the weather’s good, then there’s a chance you could see a meteor shower. You can get extra funding if the team gets a photo that wins the meteor photo contest. You have your team stay up all night with their telescopes and cameras ready.
  2. You hear that it’s going to rain for the first three days of your trip, so you bring waterproof tents and indoor projects for the team to work on.
  3. You read that there’s a significant bear problem in the spring on the cliff where you plan to work. You change your project start date to happen in the fall.
  4. On your way up the cliff, you meet another team looking to survey the area. You offer to do half of the surveying work while they do the other half and then trade your findings with each other.
  5. There’s a high probability of water damage to some of your equipment, so you buy insurance to avoid losses.
  6. There’s always the chance that someone could make a mistake and fall off the cliff. No matter how much you plan for the unexpected, sometimes mistakes happen.
  7. About 10 years ago, a rare bird, the black-throated blue warbler, was seen on this cliff. If you could get a picture of it, it would be worth a lot of money. So, you bring special seeds that you have read are attractive to this bird, and you set up lookout points around the cliff with cameras ready to get the shot.

1. Exploit | 2. Mitigate | 3. Avoid | 4. Share | 5. Transfer | 6. Accept | 7. Enhance

Strategies for Risk Response 1.2

  1. Stormy weather and high winds could cause very slippery conditions, so you put up a tent and wear slip-resistant footwear to keep from losing your footing.
    Avoided | Mitigated | Transferred | Accepted
  2. You buy a surge protector to make sure a lightning strike won’t blow out all of your equipment.
    Avoided | Mitigated | Transferred | Accepted
  3. Flooding could cause serious damage to your equipment, so you buy an insurance policy that covers flood damage.
    Avoided | Mitigated | Transferred | Accepted
  4. The manufacturer warns that the safety equipment you use has a small but nonzero probability of failure under the conditions you’ll be facing. You replace it with more appropriate equipment.
    Avoided | Mitigated | Transferred | Accepted
  5. A mudslide would damage your project, but you can do nothing about it.
    Avoided | Mitigated | Transferred | Accepted
  6. A team member discovers that the location you planned on using is in a county considering regulations that could be expensive to comply with. You work with a surveying team to find a new location.
    Avoided | Mitigated | Transferred | Accepted
  7. Surrounding geological features could interfere with your communications equipment, so you bring a flare gun and rescue beacon in case it fails.
    Avoided | Mitigated | Transferred | Accepted

1—Mitigated | 2—Mitigated | 3—Transferred | 4—Avoided | 5—Accepted | 6—Avoided | 7—Mitigated


  1. The project manager for a construction project discovers that the local city council may change the building code to allow adjoining properties to combine their sewage systems. She knows that a competitor is about to break ground in the adjacent lot and contacts him to discuss the possibility of having both projects save costs by building a sewage system for the two projects. This is an example of which strategy?
    A. Mitigate
    B. Share
    C. Accept
    D. Exploit
  2. Which of the following is NOT a risk response technique?
    A. Exploit
    B. Transfer
    C. Mitigate
    D. Collaborate
  3. You are using an RBS to manage your risk categories. What process are you performing?
    A. Plan Risk Management
    B. Identify Risks
    C. Perform Qualitative Risk Analysis
    D. Perform Quantitative Risk Analysis
  4. Which of the following is used to monitor low-priority risks?
    A. Triggers
    B. Watch lists
    C. Probability and Impact matrix
    D. Monte Carlo analysis
  5. You’re managing a construction project. There’s a 30% chance that the weather will cause a three-day delay, costing $12,000. There’s also a 20% chance that the price of your building materials will drop, which will save $5,000. What’s the total EMV for both of these?
    A. -$3,600
    B. $1,000
    C. -$2,600
    D. $4,600
  6. Joe is the project manager of a large software project. When it’s time to identify risks on his project, he contacts a team of experts and sends them a list of questions to help them all come up with a list of risks and send it in. What technique is Joe using?
    A. SWOT
    B. Ishikawa diagramming
    C. Interviews
    D. Brainstorming
  7. Susan is the project manager on a construction project. When she hears that her project has run into a snag due to weeks of bad weather on the job site, she says, “No problem, we have insurance that covers cost overruns due to weather.” What risk response strategy did she use?
    A. Exploit
    B. Transfer
    C. Mitigate
    D. Avoid
  8. You are performing Identify Risks on a software project. Two of your team members have spent half of the meeting arguing about whether or not a particular risk is likely to happen on the project. You decide to table the discussion, but you’re concerned that your team’s motivation is at risk. The next item on the agenda is a discussion of a potential opportunity on the project in which you may be able to purchase a component for much less than it would cost to build. Which of the following is NOT a valid way to respond to an opportunity?
    A. Exploit
    B. Transfer
    C. Share
    D. Enhance
  9. Risks that are caused by the response to another risk are called:
    A. Residual risks
    B. Secondary risks
    C. Cumulative risks
    D. Mitigated risks
  10. What’s the main output of the Risk Management processes?
    A. The Risk Management Plan
    B. The risk breakdown structure
    C. Work performance information
    D. The risk register and project documents updates
  11. Tom is a project manager for an accounting project. His company wants to streamline its payroll system. The project is intended to reduce errors in the accounts payable system and can save the company $200,000 over the next year. It has a 30% chance of costing the company $100,000. What’s the project’s EMV?
    A. $170,000
    B. $110,000
    C. $200,000
    D. $100,000
  12. What’s the difference between management reserves and contingency reserves?
    A. Management reserves are used to handle known unknowns, while contingency reserves are used to handle unknown unknowns.
    B. Management reserves are used to handle unknown unknowns, while contingency reserves are used to handle known unknowns.
    C. Management reserves are used to handle high-priority risks, while contingency reserves are used to handle low-priority risks.
    D. Management reserves are used to handle low-priority risks, while contingency reserves are used to handle high-priority risks.
1. | 2. | 3. | 4. | 5.| 6.| 7. | 8.| 9. | 10. | 11.| 12.