⚫ Core concepts of project risk management - what is project risk
Project risk - is an uncertain event or condition that, if it occurs, will have a positive or negative impact on one or more project objectives. There are three elements of risk: risk event, probability, and impact. Positive and negative risks are often referred to as opportunities and threats.
⚫ The core concept of project risk management - two levels of risk (P397)
Individual Project Risk—An uncertain event or condition that, if it occurs, could have a positive or negative effect on one or more project objectives.
Overall project risk——the impact of uncertainty on the project as a whole is the positive and negative variation range of project results faced by relevant parties.
The overall project risk is greater than the sum of individual risks in the project, because the overall risk stems from all uncertainties including individual risks.
⚫ The core concept of project risk management - three types of project risk
Known—Known Risks—Risks that have been identified and analyzed for which responses can be planned. (include time/cost)
Known-unknown risks--risks that have been identified but cannot be actively managed, a certain contingency reserve should be allocated. (contingency reserve)
Unknown—unknown risk—cannot be actively managed, so management reserves need to be allocated. (management reserve)
⚫ Core concepts of project risk management - factors affecting risk attitude
Risk Appetite – The degree to which an entity is willing to tolerate uncertainty in exchange for expected returns. (willing to accept)
Risk Tolerance - The degree, amount or capacity of risk that an organization or individual can tolerate. (Can you bear it)
Risk threshold——reflects the degree of risk preference of the organization and project stakeholders, and is the acceptable variation degree of project objectives. (Do you want to manage it or not) P398
The more appropriate and correct way is to arrange as follows: risk tolerance > risk preference > risk threshold
⚫ The core concept of project risk management - what is risk attitude
Risk Attitude - How much risk an individual or organization believes they should take. Feel comfortable if you don't risk more than you should. Risk attitudes of individuals and groups influence how they respond to risks. Risk attitudes fall into the following categories:
◆ Risk-takers: often adopt a "take it" strategy.
⚫ Development Trends and Emerging Practices of Project Risk Management—Non-Event Risks (P398)
Traditional focus: Event risk—the risk of an uncertain future event that may or may not occur.
Development trend: non-event risk ---- variability risk, ambiguity risk.
⚫ Development Trends and Emerging Practices of Project Risk Management——Project Resilience (P399)
Project Resilience----There are indeed sudden risks that can only be discovered after they occur, and need to be dealt with by strengthening project resilience.
⚫ Countermeasures:
➢ Set aside reserves
➢ Flexible change management mechanism
➢ Sufficiently authorized and trustworthy team
➢ Pay attention to early risk signals
➢ Communicate with relevant parties to clarify the range of strategies that can be adopted in the face of emergencies.
⚫ Development Trends and Emerging Practices of Project Risk Management - Integrated Risk Management (P399)
Certain risks identified at a higher level will be delegated to the project team to manage;
Certain risks identified at lower levels may be handed over to higher levels for management.
A coordinated, enterprise-wide approach to risk management should be adopted to ensure consistency and coherence of risk management efforts at all levels.
⚫ Factors to consider in an agile and adaptive environment (P400)
Coping with rapid change requires an adaptive approach to project management.
Namely: through cross-functional project teams and frequent review of incremental work products to expedite knowledge sharing and ensure risk awareness and management.
Risk should be considered when selecting what to do in each iteration; risks should be identified, analyzed, and managed during each iteration.
Requirements documents should be regularly updated and work reprioritized as the project progresses, based on a growing understanding of current risk exposures.
⚫ One of the project risk management processes "Planning Risk Management" (Planning Process Group) P401
Plan Risk Management—the process of defining how project risk management activities will be implemented.
What this process does:
◆ Ensure that the level, approach, and visibility of risk management are commensurate with the degree of project risk and criticality of the project to the organization and other interested parties.
⚫ Planning Risk Management—Input: Project Charter and Project Documents (P402~403)
◼ Project Charter - There are high-level risks in the project charter.
◼ Stakeholder Register----Contains detailed information of project stakeholders and outlines their roles in the project and attitudes towards project risks; can be used to determine the roles and responsibilities of project risk management, and set risk thresholds for projects value.
⚫ Planning Risk Management—Tools and Techniques: Data Analysis (P404)
◼ Stakeholder analysis----determine the risk preference of project stakeholders through stakeholder analysis.
⚫ Planning Risk Management—Output: Risk Management Plan (P405-P408)
Risk Management Plan—Describes how risk management activities will be scheduled and implemented. (Risk Management Plan No Risk).
Contents of the management plan:
◆ Risk management strategy, methodology, funding, timing
◆ Roles and Responsibilities: Identify leaders, champions, and team members for each risk management activity and clarify their responsibilities.
◆ Risk Category: Determines the method for categorizing individual project risks, usually with the aid of a Risk Breakdown Structure (RBS) to construct risk categories.
◆ Risk Breakdown Structure (RBS) ---- is a hierarchical display of potential risk sources. Helps the project team to consider all possible sources of risk for a single project and is especially useful for identifying risks or categorizing identified risks.
◆ Risk appetite of related parties----The risk appetite of related parties should be expressed as a measurable risk threshold for each project objective.
◆ Definition of risk probability and impact: According to the specific project environment, risk preference and critical value of the organization and key stakeholders, define risk probability and impact. Projects may develop their own specific definitions, or use generic definitions provided by the organization as a starting point.
◆ Probability and Impact Matrix: A table that maps the probability of occurrence of each risk to its impact on project objectives if it occurs. It is usually up to the organization to set various combinations of probability and impact, and to set high, medium, and low risk levels accordingly.
◆ Report format, tracking
⚫ Planning Risk Management—Risk Breakdown Structure RBS
⚫ Risk probability and impact definition
⚫ Probability and Impact Matrix (P-408)
⚫ Project Risk Management Process II "Identify Risks" (Planning Process Group) P409
Identifying Risks—the process of identifying sources of individual project risks as well as overall project risks, and documenting the characteristics of the risks.
What this process does:
◆ Document existing individual project risks, as well as sources of overall project risk.
◆ Gather relevant information so that the project team can appropriately respond to identified risks.
All project stakeholders should be encouraged to participate in the identification of individual project risks.
The involvement of the project team is especially important in order to develop and maintain their sense of ownership and responsibility for risk management.
Risk owners can be designated for individual project risks during the risk identification process, subject to confirmation during the qualitative risk analysis process.
Initial risk responses can be identified and documented, to be reviewed and validated by the planned risk response process.
Identifying risks is an iterative process. The frequency of iterations and the level of involvement required for each iteration should be specified in the risk management plan.
⚫ Identify Risks—Tools and Techniques: Data Collection (P414)
Brainstorming: brainstorming can be carried out in a free or structured form, and various ideas can be generated under the guidance of the facilitator. Risk categories (such as RBS) can be used as a framework for identifying risks.
Checklist: A list of items, actions, or points to consider, often used as a reminder.
Develop checklists based on historical information and knowledge accumulated from similar projects and other sources of information.
As it is not possible to exhaust all risks, it is important to ensure that the checklist is not used to replace the required risk identification work; also pay attention to the items not listed in the checklist.
Interviews: Interviews should be conducted in an environment of trust and confidentiality to obtain honest, unbiased opinions.
⚫ Identify Risks—Tools and Techniques: Data Analysis (P415)
Root Cause Analysis: Often used to discover the underlying cause of a problem and develop preventive measures. The problem statement serves as a starting point to identify threats; the benefit statement serves as a starting point to identify opportunities;
Assumptions and Constraints Analysis: Identify threats from inaccurate, unstable, inconsistent, or incomplete assumptions; Create opportunities by removing or relaxing constraints that can affect project process execution;
Document Analysis: A structured review of project documents to identify risks.
SWOT analysis:
SWOT--Strength Strength, Weakness Weakness, Opportunity Opportunity, Threat Threat
1. Focus on a project, organization, or general business area, identifying organizational strengths and weaknesses;
2. Identify the opportunities that strengths may bring and the threats that weaknesses may pose;
3. Analyze the extent to which strengths overcome threats and whether weaknesses prevent opportunities
⚫ Identify Risks—Tools and Techniques: Interpersonal and Team Skills (P416)
◼ Guidance—can improve the effectiveness of many techniques used to identify sources of individual project risk and overall project risk.
⚫ Identify Risks—Tools and Techniques: A Checklist of Tips (P416)
Prompt list----is a preset list of risk categories that may cause individual project risks and can be sources of overall project risks.
⚫ Risk categories at the bottom of the RBS can be used as reminder lists.
⚫ Identify Risks - Output: Risk Register (P417)
Risk Register - Records details of identified individual project risks.
As other risk management processes are implemented, the risk register will include the outputs of these processes and the type and amount of information will increase over time.
The development of a risk register begins with the process of identifying risks.
Upon completion of the process of identifying risks, the risk register includes the following information:
List of identified risks: The identified risks should be described in the level of detail required to ensure a clear understanding.
Potential Risk Owners: The identified potential risk owners are documented and subsequently confirmed by performing a qualitative risk analysis process.
Potential Responses Checklist: Document identified potential risk responses for subsequent validation by the Planning Risk Responses process.
⚫ Project Risk Management Process III "Implementing Qualitative Risk Analysis" (Planning Process Group) P419
Performing Qualitative Risk Analysis - The process of prioritizing risks by assessing their probability of occurrence and impact and other characteristics of individual project risks to provide a basis for subsequent analysis or action.
What this process does: Focus on high-priority risks.
Due to the different perceptions of risk among related parties, it will lead to subjective bias in the assessment. The way to overcome it is: 1. Pay attention to find out the bias and correct it; 2. Assess the quality of the existing information on individual project risks.
In addition, the process identifies an owner for each risk who is responsible for follow-up, including the development and implementation of countermeasures.
The qualitative risk analysis process is carried out regularly throughout the project life cycle.
In an agile development environment, performing a qualitative risk analysis process typically occurs before each iteration begins.
After this process is completed, you can enter the process of performing quantitative risk analysis or directly enter the process of planning risk response.
⚫ Implement qualitative risk analysis—tools and techniques: data analysis (P423)
◼ Risk data quality assessment——aim to evaluate the accuracy and reliability of data about individual project risks.
➢ Questionnaire surveys can be carried out to understand the evaluations of project stakeholders on various aspects of data quality.
➢ A weighted average of data completeness, objectivity, relevance and timeliness can be calculated as an overall score for data quality
◼ Risk probability and impact assessment
---- Risk probability assessment considers the possibility of specific wind occurrence;
----Risk impact assessment considers the potential impact (negative and positive) of risk on project objectives (such as schedule, cost, quality or performance).
Probability and impact assessments are performed for each identified risk.
Risk assessment can be conducted in the form of interviews or meetings by selecting personnel familiar with the corresponding risk category.
Risks of low probability and impact will be placed on a watch list in the risk register for future monitoring.
◼ Evaluation of other risk parameters——urgency, proximity, incubation period, manageability, controllability, monitorability, connectivity, strategic influence, closeness, etc. Considering these characteristics can facilitate more robust risk prioritization.
⚫ Implementing Qualitative Risk Analysis—Tools and Techniques: Risk Classification (P425)
Project risks can be classified according to different classification criteria to determine which project areas are most likely to be affected by uncertainty.
Risk classification criteria: 1. RBS; 2. WBS; 3. Project phase, budget, roles and responsibilities; 4. Common root cause;
Classifying risks helps: 1. Concentrate attention and energy on areas with the greatest risk exposure.
2. Develop common risk responses for a set of related risks.
⚫ Implement qualitative risk analysis—tools and techniques: data representation (P425)
◼ Probability and Impact Matrix - This matrix combines probability and impact to facilitate the classification of individual project risks into priority groups.
➢ Using the risk probability and impact definitions specified in the risk management plan, the probability of occurrence of individual project risks and their impact on one or more project objectives are assessed one by one. Risks are then prioritized using probability and impact matrices based on the resulting combination of probability and impact.
◼ Hierarchical graphs——If more than two parameters are used to classify risks, probability and impact matrices cannot be used, and other graphs are required.
➢ Such as: bubble chart (three parameters representing risk, X-axis value, Y-axis value and bubble size).
⚫ Project Risk Management Process IV "Implementing Quantitative Risk Analysis" (Planning Process Group) P428
Perform Quantitative Risk Analysis—The process of performing a quantitative analysis of the impact of identified individual project risks and other sources of uncertainty on overall project objectives.
◆ What this process does: Quantify the overall project risk exposure and provide additional quantitative risk information to support risk response planning.
While not all projects require quantitative risk analysis, it is most likely to be applicable in the following situations:
1. Large or complex projects
2. Projects of strategic importance
3. Projects that require quantitative analysis in the contract 4. Projects that require quantitative analysis by major stakeholders
Quantitative risk analysis is the only reliable way to assess the combined impact of all individual project risks on the project as a whole.
The object of quantitative risk analysis is the information of a single project risk that is assessed as having a significant potential impact on project objectives during the qualitative analysis and that can be quantified.
Quantitative risk analysis can also be carried out after the planning risk response process to analyze the effectiveness of planned responses in reducing the overall project risk exposure.
⚫ Implement Quantitative Risk Analysis—Tools and Techniques: Data Collection (P432)
◆ Interviews——Interviews are especially useful when information needs to be sought from experts.
⚫ Interviewers should foster a trusting and confidential interview environment that encourages honest and unbiased opinions from respondents.
⚫ Implementing Quantitative Risk Analysis—Tools and Techniques: How Uncertainty Represents (P432)
⚫ If the duration, cost, or resource requirements of an activity are uncertain, it can be represented in the model by a probability distribution (such as triangular, normal, lognormal, beta, uniform, or discrete) possible range of its value.
⚫ Implement quantitative risk analysis—tools and techniques: data analysis——simulation (P433)
Simulation (univariate repeated simulation) - usually using Monte Carlo analysis.
Criticality analysis--when Monte Carlo simulation is performed on the project schedule, the number and frequency of each activity in the risk model appearing on the critical path are calculated. For those activities with high frequency, we should focus on and plan risk response measures. This frequency can also be referred to as a "key indicator".
⚫ Implement quantitative risk analysis—tools and techniques: data analysis——sensitivity analysis (P434)
Sensitivity Analysis (which is a single factor analysis) - helps to determine which risks have the greatest potential impact on the project. It helps to understand how variation in project outcomes is related to variation in elements in quantitative risk analysis models.
Fix all other uncertain factors at the baseline value and examine how much a change in each factor will affect the target
A typical representation of a sensitivity analysis is a tornado plot (used to compare the relative importance and relative impact of very uncertain variables versus relatively stable variables)
⚫ Implement quantitative risk analysis—tools and techniques: data analysis—decision tree analysis (P435)
Decision Tree Analysis - Use a decision tree to choose the best course of action among several alternative courses of action. Different branches represent different decisions or events
⚫ In decision tree analysis, by calculating the expected monetary value (EMV) of each branch, the optimal path can be selected.
The EMV of an opportunity is usually expressed as a positive value, while the EMV of a threat is expressed as a negative value.
EMV is built on the assumption of risk neutrality, neither hedge nor risk
⚫ Implement Quantitative Risk Analysis—Tools and Techniques: Data Analysis——Influence Diagram (P436)
Influence Diagram - A Graphical Aid for Decision Making under Uncertainty. A graphical representation of causal, chronological order of events, and other relationships between variables and outcomes.
⚫ Influence diagram analysis, which can draw results similar to other quantitative risk analysis, such as S-curve diagram and tornado diagram
⚫ Perform Quantitative Risk Analysis - Output: Project Document Update (P436)
⚫ Update the risk report to reflect the results of the quantitative risk analysis.
◼ Results of assessment of overall project risk exposure
◼ Results of detailed probabilistic analysis of the project
◼ Single project risk priority list
◼ Quantitative Risk Prioritization List
◼ Risk Response Suggestions
⚫ Project Risk Management Process 5 "Planning Risk Response" (Planning Process Group) P437—P439
Planning Risk Responses—the process of developing options, selecting response strategies, and agreeing response actions to address overall project risk exposures, as well as addressing individual project risks.
What this process does:
◆ Develop an appropriate approach to overall project risk and individual project risk
◆ Allocate resources and add related activities to project documents and project management plan as needed.
The risk response measures must: 1. Match the importance of the risk; 2. Be able to deal with the challenge economically and effectively; 3. Be realistic and feasible; 4. Be able to obtain the consent of all relevant parties; Responsibility person)
Contingency plans (or bounce back plans) are required if selected strategies are not fully effective, or if accepted risks occur.
Secondary risk ---- the risk directly caused by the implementation of risk response measures. When planning risk responses, secondary risks need to be identified.
⚫ A time or cost contingency reserve will often need to be allocated to the risk, and the conditions under which the contingency reserve will be drawn may need to be stated.
⚫ Planning Risk Response—Tools and Techniques: Threat Response Strategies (P442)
⚫ Planning Risk Response—Tools and Techniques: Opportunity Response Strategies (P444)
⚫ Planning Risk Responses—Tools and Techniques: Emergency Response Strategies (P445)
Emergency Response Strategies - Responses that are used only when a specific event occurs. (Note the distinction between "emergency response")
⚫ If you are confident that there will be sufficient warning signs for the occurrence of a risk, you should develop a contingency response strategy.
⚫ A risk response plan developed using this technique is called a contingency plan or a bounce-back plan, and includes identified trigger events that are used to activate the plan
⚫ The following risks also need to be paid attention to when planning risk responses
Secondary Risk - A direct result of implementing a risk response. A risk that arises from responding to another risk.
Residual Risk - Risk that remains after implementing the risk response plan and is usually acceptable.
⚫ Planning Risk Response—Tools and Techniques: Overall Project Risk Response Strategy (P445)
⚫ Planning Risk Responses—Tools and Techniques: Data Analysis (P446)
◼ Alternative plan analysis----simple comparison of the characteristics and requirements of the alternative risk response plans, and then determine which response plan is most suitable.
◼ Cost-benefit analysis——If the impact of individual project risks can be quantified in currency, then the cost-effectiveness of alternative risk response strategies can be determined through cost-benefit analysis.
The effectiveness of the strategy = the result of the response / the cost of the response
⚫ Planning Risk Responses - Output: Project Document Update (P448)
◼ Risk Register
1. Agreed response strategies and specific actions required to implement the response strategies; 2. Trigger conditions, symptoms and early warning signs of risk occurrence;
3. Budget and schedule activities required to implement the selected response strategy;
4. Contingency plan, rebound plan, residual risk, secondary risk;
◼ Risk Report
1. Agreed responses to current overall project exposures and high-priority risks; 2. Expected changes following the implementation of these measures;
⚫ Project Risk Management Process Six "Implement Risk Response" (Execution Process Group) P449
Implement Risk Response - The process of implementing an agreed risk response plan.
What this process does:
◆ Ensure that agreed risk responses are implemented as planned to manage overall project risk exposure, minimize individual project threats, and maximize individual project opportunities.
⚫ A project's overall risk exposure and individual threats and opportunities can only be actively managed if risk owners put in the necessary effort to implement agreed responses.
⚫ Implement Risk Response—Tools and Techniques: Interpersonal and Team Skills (P451)
◼ Influence—Some risk responses may be performed by people outside the immediate project team, or by people with competing needs. In this case, the project manager needs to exert influence to encourage the designated risk owner to take the required action.
⚫ Project Risk Management Process Seven "Supervision Risk" (Monitoring Process Group) P453
Monitoring Risk - Throughout the duration of the project, the process of monitoring the implementation of the agreed risk response plan, tracking identified risks, identifying and analyzing new risks, and evaluating the effectiveness of risk management.
What this process does: Base project decisions on current information about overall project risk exposures and individual project risks.
⚫ Oversee Risks - Input: Risk Register (P455)
The risk register includes: identified individual project risks, risk owners, agreed risk response strategies, specific responses,
Controls to address plan effectiveness, risk symptoms and early warning signs, residual and secondary risks, low-priority risk watch list
⚫ Monitoring Risk—Tools and Techniques: Data Analysis (P456)
◼ Technical performance analysis----compare the technical achievements achieved during project execution with the plan to achieve relevant technical achievements.
➢ Requires the definition of objective, quantitative measures of technical performance.
➢ The degree to which actual results deviate from plan can represent the potential impact of a threat or opportunity.
◼ Reserve analysis----Comparing the remaining contingency reserve with the remaining risk amount at any point in time of the project, so as to determine whether the remaining reserve is still reasonable.
➢ Various graphs (such as burndown charts) can be used to show the consumption of contingency reserves.
⚫ Monitoring Risk—Tools and Techniques: Risk Audit (P456)
Risk Audit - Used to assess the effectiveness of the risk management process. (Second largest audit, for process)
⚫ Places that can be carried out: 1. Daily project review meeting; 2. Risk review meeting; 3. Special risk audit meeting;
⚫ Surveillance Risk—Tools and Techniques: Meeting (P457)
Meetings that apply to this process include: Risk Review Meeting.
Risk reviews should be scheduled periodically to examine and document the effectiveness of risk responses in addressing overall project risks and identified individual project risks.
In the risk review, it is also possible to identify new individual project risks (including secondary risks), re-evaluate current risks, close obsolete risks, discuss problems caused by the occurrence of risks, and summarize for subsequent stages of the current project or similar projects in the future. Project lessons learned.
According to the provisions of the risk management plan, the risk review can be an agenda item in the regular project status meeting, or a special risk review meeting can also be held.
⚫ Monitoring Risk - Output: Project Document Update - Risk Register (P458)
◼ Risk Register----Add new risks, update outdated or occurred risks, update risk responses.
⚫ Risk answering skills
The first thing to look at is "risk identified" or "risk occurred".
If “Risk Identified”, updating the Risk Register;
If "Risk Occurred", determine whether it is a "Known" or "Unknown" risk:
Known risks: Review risk register, address directly, and if reserves are to be used, typically contingency reserves.
Unknown risks: Take workarounds, submit change requests, use management reserves.
If it is a "known" risk, but the response is ineffective, a contingency is also required, a change request is submitted, and management reserves are used.
The sequence of risk management is as follows: 1. Identification 2. Qualitative (must be done) 3. Quantitative (optional) 4. Planning response 5. Implementing response
Notes for each chapter [1-13 chapters] Private message me to share with you for free