1. Project Risk Management Presenter: Phil Harman, PMP Executive Director for ZCS Internal PMO and Enterprise Project Management (EPM) Practice Manager September 2007

2. Page 2 Agenda Project Risk Management - What the Text Book says –Core Processes, Techniques, and Outputs Project Risk Management - In Practice –Project Risk Identification > The Questionnaire –Project Risk Management Plan > The Project Risk Log –Risk Monitor and Control > Risk applied to the Project Plan with assigned ownership

3. Page 3 Theory and Practice Text Book Definition: Risk Management is the systematic process of identifying, analyzing, and responding to project risk. It includes maximizing the probability and consequences of positive events and minimizing the probability and consequences of adverse events to project objectives. Simple Terminology: Risk Management is the identification of an unborn issue (a risk) that will have a negative impact on the project that must be eliminated with proactive planning, monitoring, and activities or tasks.

4. Page 4 Text Book - Risk Management Processes RiskManagement Risk Assessment Risk Identification Risk Analysis Risk Prioritization Risk Control Risk Mgmt Planning Risk Resolution Risk Monitoring

5. Page 5 Text Book - Risk Management Planning DEFINITION: The process of deciding how to approach and plan the risk management activities for a project. 1.Project Charter 2.Organizations Risk Mgmt Policy 3.Defined Roles & Responsibilities 4.Stakeholder Risk Tolerances 5.Template for the Organizations risk management plan 6.Work breakdown structure Inputs Risk Management Plan Output Planning Meetings Tools & Techniques Organizational Risk Management Policy: Predefined approaches to risk analysis and resolution that needs tailoring to a particular project. Defined roles and responsibilities: Predefined roles, responsibilities, and authority levels for decision making will influence planning. Stakeholder Risk Tolerance: Different organizations and different individuals have different tolerances for risk. Policies or historical actions may communicate this. Planning Meetings: Project teams hold risk management planning meetings to develop the plan.

6. Page 6 Text Book - Risk Management Plan Risk Management Planning output is the “Risk Management Plan” The plan describes how risk identification, qualitative and quantitative analysis, resolution planning, monitoring, and control will be structured and performed during the project life cycle. The plan may include: Methodology Roles & Responsibilities Budgeting Timing Scoring and interpretation Thresholds Reporting formats Tracking

7. Page 7 Text Book - Risk Identification 1.Risk management plan 2.Project planning outputs 3.Risk categories 4.Historical information Inputs 1.Risks 2.Triggers 3.Inputs to other processes Output 1.Documentation reviews 2.Information gathering 3.techniques 4.Checklists 5.Assumption analysis 6.Diagramming techniques Tools & Techniques DEFINITION: The process of determining which risks might affect the project and document the characteristics. ** Risk identification is an iterative process ** INPUTS Risk Management Plan: See previous slide Project Planning Outputs: Items to be reviewed, but not limited to: project charter, WBS, product description, schedule and cost estimates, resource plan, procurement plan, assumption and constraints. Risk Categories: Risks that may affect a project for better or worse can be identified and organized into risk categories. Categories include: Technical, quality, and performance risks Project Management risks Organizational Risks – cost, time, and scope External risks – shifting legal or regulatory environment, labor issues, natural events. Historical Information: Information on prior projects may be available to help leverage lessons learned.

8. Page 8 Risk Identification- Tools/Techniques and Outputs Outputs Risks: Yep! This an output! Triggers: Sometimes called risk assumptions or warning signs, these are indications that a risk has occurred or is about to occur. Inputs to other processes: Risk identification may identify a need for a further action in another area or to other projects. Tools and Techniques Documentation Reviews: Performing a structured review of the project plans and assumptions. Information gathering techniques: Examples of information gathering include: Brainstorming – most common Delphi technique – Consensus of experts on a subject area Interviewing – Seek input from project managers or subject matter experts Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis Checklist: Using historical information and knowledge is a quick and simple way to identify risk. Assumption analysis: Every project is conceived and developed based on a set of hypotheses, scenarios, or assumptions. Diagram techniques: Cause-and-effect, System or process flow charts, and Influence diagrams.

9. Page 9 Text Book - Risk Analysis Quantitative: The process of measuring the probability and consequences of risks and estimating their implications for project objectives. –Determine the probability of achieving a specific project objective. –Quantify the risk exposure for the project, and determine the cost and schedule contingency reserves that may be needed. –Identify risks requiring the most attention by quantifying their relative contribution to project risks. –Identify realistic and achievable cost, schedule, and scope targets. Qualitative : The process of performing a qualitative analysis of risks and conditions to prioritize their effects on project objectives.

10. Page 10 Qualitative Risk - Tools and Techniques Risk probability and consequences: This is generally described in qualitative terms such as VERY HIGH, HIGH, MODERATE, LOW, VERY LOW. Risk Probability is the likelihood a risk will occur. Risk Consequences is the effect on the project objectives if the risk event occurs. Probability/impact risk rating matrix: The use of risk’s probability scale and risk’s impact scale is generally used. Risk scale falls between 0.0 (no probability) and 1.0 (certainty) – See next slide Risk impact scale reflects the severity of its effect on the project objective.

11. Page 11 Rating Impacts for a Risk Evaluating Impact of a Risk during Major Project Milestones Project Very Low Low Moderate High Very High Objective.05.1.2.4.8 Cost Insignificant 20% Cost Increase Increase Increase Increase Increase Schedule Insignificant Schedule Slip Overall Prj Slip Overall Prj Slip Overall Prj Slip Schedule Slippage 20% Scope Scope Reduction Minor areas of Major Areas Scope Reduction Project end item scope affected of scope affected unacceptable to is not meeting client business need Quality Quality Only very Quality Reduction Quality Reduction Project end item Degradation small demanding Apps requires client unacceptable to is useless affected approval client

12. Page 12 Qualitative and Quantitative Risk Outputs Qualitative Overall risk rating for the project: Risk ranking is used to rank the risk of the project under evaluation against other projects. List of prioritized risks: Risk can generally ranked as low, moderate, or high. List of risks for additional analysis and management: Risk categorized as moderate or high would be prime candidates for more analysis, including quantitative risk analysis, and for risk management. Trends in qualitative risk analysis results: As the analysis is repeated, a trend of results may become apparent, and can make risk resolution or further analysis more or less urgent and important. Quantitative Prioritized list of quantified risks: This list of risks include those that pose the greatest risk threat or present the greatest opportunity to the project together with a measure of their impact. Probabilistic analysis of the project: Forecasts or potential project schedule and cost results listing the possible completion dates or project duration and costs with their associated confidence levels. Probability of achieving the cost and time objectives: The probability of achieving the project objectives under the current plan and with the current knowledge of the risks facing the project.

13. Page 13 Text Book - Risk Resolution 1.Risk Management Plan 2.List of prioritized risks 3.Risk ranking of the project 4.Prioritized list of quantified risks 5.Probabilistic analysis of the project 6.Probability of achieving the cost and time objectives 7.List of potential resolutions 8.Risk thresholds 9.Risk owners 10.Common risk causes 11.Trends in qualitative and quantitative risk analysis results Inputs 1.Risk resolution plan 2.Residual risks 3.Secondary risks 4.Contractual agreements 5.Contingency reserve amounts needed 6.Inputs to other processes 7.Inputs to a revised project plan Output 1.Avoidance 2.Transference 3.Mitigation 4.Acceptance Tools & Techniques DEFINITION: The process of developing procedures and techniques to reduce threats to the project objectives.

14. Page 14 Risk Resolution – Outputs Risk Resolution plan: This is also called “risk register” and should include some or all of the following: Identify risks, their description, the area(s) of the project effected, their causes, and how they may affect project objectives Risk owners and assigned responsibilities Results from the qualitative and quantitative risk analysis Agreed to response including avoidance, transference, mitigation, acceptance for each risk in the risk resolution plan The level of residual risk expected to be remaining after the strategy is implemented Specific actions to implement the chosen resolution strategy Budget and times for resolution Contingency plans and fallback plans Residual risk: Residual risk are those that remain after avoidance, transfer, or mitigation resolutions have been taken. They also include minor risks that have been accepted and addresses. Secondary risks: These risks arise as a direct result of implementing a risk resolution. Contractual agreements: Contractual agreements may be used to specify each party’s responsibility for risks. Contingency reserve amounts needed: Probabilistic analysis of the project and risk thresholds help the project manager determine the amount of contingency needed to reduce risk. Inputs to other processes: Most resolutions to risk involve expenditure of additional time, cost, or resources and require changes to project plans. Inputs to a revised project plan: The results of the resolution planning process must be incorporated into the project plan, to ensure that agreed actions are implemented and monitored as part of the ongoing project.

15. Page 15 Risk Resolution –Tools/Techniques Tools and Techniques Avoidance: Risk avoidance is changing the project plan to eliminate the risk or condition or to protect the project objectives from its impact. Transference: Risk transference is seeking to shift the consequences of a risk to a third party together with ownership of the resolution. (Financial risk is most common) Mitigation: Mitigation seeks to reduce the probability and or consequences of an adverse risk event to an acceptable threshold. Acceptance: This technique indicates that a project team has decided not to change the project plan to deal with a risk. Developing a contingency plan is a way to managing known risks. The contingency plan adopt contingency allowance or reserve that includes: Time Money Resources

16. Page 16 Text Book - Risk Monitoring & Control 1.Risk Management Plan 2.Risk resolution plan 3.Project communication 4.Additional risk identification and analysis 5.Scope Changes Inputs 1.Workaround plans 2.Corrective action 3.Project change request 4.Updates to the task resolution plan 5.Risk database 6.Updates to risk identification checklist Output 1.Project Risk resolution audits 2.Periodic project risk reviews 3.Earned Value analysis 4.Technical performance measurements 5.Additional risk resolution planning Tools & Techniques DEFINITION: The process of monitoring residual risks, identifying new risks, executing risk reduction plans, and evaluating their effectiveness throughout the project life cycle. The purpose of risk monitoring is to determine if: Risk resolution have been implemented as planned Risk resolution actions are as effective as expected, or if new resolutions should be developed Project assumptions are still valid Risk exposure has changed from its prior state, with analysis and trends A risk trigger has occurred Proper policies and procedures are followed Risks have occurred or arisen that were not previously identified

17. Page 17 Project Risk Management (RM) - In Practice RiskManagement Risk Assessment Identification Quantification Prioritization Risk Monitor and Control Risk Mgmt Plan and Log Risks tracked in Project WBS Risk Ownership Practice = Text Book Where the rubber hits the road!

18. Page 18 Project RM – In Practice Project Risk Identification > Use a Questionnaire Risk Monitor and Control –Project Risk Management Plan = The Project Risk Log Describes Quantifies Probability of Occurrence Resolution Prioritizes Ownership Status Risk Ranking –Project Schedule > Risk Items get put into project WBS (as contingency) and Assigned Ownership

19. Page 19 Project RM – In Practice Risk Identification Categories Project Integration Management Scope Management Time Management Cost Management Human Resource Management Communication Management Procurement Management Quality Management Technology Data Conversions External Factors

20. Page 20 Risk Identification using a questionnaire Risk Assessment Questionnaire Completed By:________________________________________ Date:______________________ Project Size Resource Hours Total estimated resource hours: <=5,000 > 5,000 and <=20,000 > 20,000 Low Medium High Notes Calendar Time Estimated calendar duration: <= 4 months > 4 months and <=12 months > 12 months Low Medium High Notes Team Size Maximum team size at any time during the project: <= 4 participants > 4 and <= 12 participants > 12 participants Low Medium High Notes

21. Page 21 Risk Identification using a questionnaire (cont’d) Project Structure - Definition Project Scope The boundaries of the project are: well defined and accepted conceptually understood ill defined Low Medium High Notes Project Deliverables The tangible information from the project is: well defined and accepted named but not detailed not identified Low Medium High Notes New System Benefits The benefit of doing the project is: well defined and accepted, and/or of strategic importance generally understood, but not quantified ill defined or not identified Low Medium High Notes

22. Page 22 Risk Identification using a questionnaire (cont’d) Project Structure - Sponsorship & Commitment Project Sponsorship The project is sponsored by: respected and enthusiastic business manager passive business manager unidentified, or I/S manager Low Medium High Notes Commitment of Sponsor(s) The sponsor is: committed to the project (understands value and is supportive) involved, but not committed skeptical or resistant Low Medium High Notes Commitment of Sponsoring Business Area(s) The sponsoring business area(s) are: committed to the project (understands value and is supportive) involved, but not committed skeptical or resistant Low Medium High Notes Relation to Information Strategy Plan The new system is: included in or approved for addition included, but not yet approved not yet part of the plan Low Medium High Notes

23. Page 23 Risk Identification using a questionnaire (cont’d)

24. Page 24 Project Risk Management Plan and Log

25. Page 25 Managing the Risk Assessment Results Risk Monitor and Control The “No Surprise Approach” to Risk Management is accomplished by: 1.All identified risk items get put into the project work breakdown structure (WBS) 2.All risk items have owners > including the executive sponsors and senior management 3.Risks are reported to the senior and executive leadership in the project dashboard 4.When a RISK EVENT does occur, becomes an issue, then a Project Change Request (PCR) is immediately submitted …. No Surprise PCR

26. Page 26 Project WBS Example

27. Page 27 Project Dashboard

28. Page 28 Risk Summary Dashboard – Example 1

29. Page 29 Risk Summary Dashboard – Example 2