PM I Vorlesung 5

Risk management contributed significantly to achieving project success and is executed in parallel to the other project management areas

-> What can go wrong?

The effect of uncertainty on objectives (covers chances (the positive effect) as well as negative effects)

A possible future event that

a) leads to undesirable consequences

b) the unwanted consequences themselves

Risk that has already occurred (Risk is a problem that may occur)

Coordinated activities to direct and control an organization with regared to the risk

Risk management contributed significantly to achieving project sucess

• Reduce the probability and extent of negative events

• Increase the probability and extent of positive events

• Enables specification of achievable goals and deadlines

• Prevent the failure of the overall project if workstream or tasks fail

• Dealing with uncertainty

• Limitation of uncertainty

• Learning from experiences

• Focus the attention / resources to where they are needed

Decriminalization of risks and protection against operational blindness

Negative thinking allowed and used

Cost minimization for protective measures

Prevents unnoticed transfer of risk responsibility

Risk management is performed during the entire project duration and follows a commonly understood procedure

The risk owner takes care of the risk over its “lifetime”: proper analysis / evaluation, treatment / management and tracking. Should be an expert regarding the risk respectively the item carrying or causing the risk, e.g. firewall, windows servers, building security (-> facility managers) etc.

Risk identification is performed throughout the entire project and is about identifying individual risks and documenting their traits

Potential sources to identify risks:

• Assumptions

• Estimates

• Issue log

• Lessons learned register

• Requirements document

• Resource requirements

• Stakeholder register

Risk Log Entries

• Risk ID

• Author

• Date (of risk identification)

• Risk category (e.g. time, quality, lega)

• Risk description (root cause, impact)

• Probability

• Degree of impact

• (Expected Value: Probability x Degree of Impact)

• Occurrence perspective (short term, mid term)

• Risk Treatment Category (avoid, mitigate, transfer, share)

• Risk Treatment (specific)

• Risk Status (e.g. open / active, closed)

• Risk Owner

• Risk Responsible

The tools and techniques applied for risk identification are frequently also used in Requirements Management and Quality Management

Document reviews -> assumptions, estimates, potential issues, etc.

SWOT Analysis

Techniques of information gathering: Brainstorming, Delphi etc.

Interviews

Expert judgement

Root cause analysis

Cause and effect analysis, e.g. Failure Mode and Effect Analysis (FMEA)

System or process flow analysis

Influence diagrams / analysis

Checklist analysis and analysis of assumptions

Risk analysis starts with a qualitative analysis which can be extended by a quantitative analysis

(First) Estimation of

• probability of occurrence

• impact of the individual risks

Prioritize risks for further analysis

Numerical analysis of

• the probability of occurrence

• the effects of identified risks on the objectives of the overall project

Often based on historical data

Due to the usually quite high effort to be invested usually only performed on important risks

Probability * Degree of Impact (reflects the idea of “expectancy value”)

The Probability Impact Matrix provides a fast overview of the risks in projects

Representation of probability-impact pairs in a coordinate system

Often supplemented by a list of short names of risks

Granularity depends on the project respectively on the definition in the risk management plan

Can be provided after the qualitative risk analysis

Risk Response Planning determines how to address overall project risk exposure and how to treat individual risks

Attention: Distinguish risk responses / risk treatment vs. the “emergency plan” / the plan executed when a risk becomes a problem

Plan, agree on and assign activities to treat the identified risks

• Reasonable in relation to the importance of the risk

• Reasonable cost benefit relation

• Effective and efficient

• Accepted by all parties

Identify and assign a responsible person for each risk and its adopted action plan - Risk Owner

The overall project risk as well as the individual risks

Analyze the set of risks and distribution of risk levels (risk profile)

Decide on activities / tasks to change the risk profile -> can lead

• to changes of risk response plans of individual risks

• to changes of the risk management plan

Assign treatment strategy

Assign activities to manage the risk according to the assigned treatment strategy

Strategy and activities documented in Risk Log and if useful in schedule, cost plan and other project management documents

For a set of risks or individual risks

Prepared plan (activities) to be executed when a specific situation occurs / trigger fires, e.g., the risk becomes a problem

Helps to be able to operate after an instant change of situation

Avoid

Mitigate

Transfer

Accept

Completely eliminate threat

Change project goals so that they are no longer exposed to the effects of risks

Change of strategy

Reduction of the project scope

(If necessary) finish the project or subproject

Reduce the likelihood or / and the impact

E.g.: Apply simpler processes, increase the number of tests, hire a more reliable service provider, development of prototypes, install redundancies in the system, provide fallback options

Full or partial transfer of the risk impact to another person or organization, e.g. insurance, warranty, using a service

Most effective for financial impact

Almost always associated with additional costs

Usually on the basis of a contract or by special contract design (e.g. fixed price contract)

No suitable treatment activities can be defined

Active Acceptance: Assigning emergency resources (budget, buffer on schedule, etc.)

Passive Acceptance: no activity

Documentation

Risk Treatment Implementation means the execution of the activities and plans defined in the Risk Response Plan

Plans or planned activities can be part of the schedule and other plans of the project or can be executed directly from the respective entries in the risk log

The Risk Owner is accountable for the execution of the plans, i.e. he / she can delegate them to one or more Risk Responsible

To identify new risks and ensure the management of already identified risks

Identify new risks

Assess whether existing risks are still valid (or whether they can be closed)

Re-evaluate (existing) risks

Re-evaluate the risk treatment

Track the status of risk management / treatment activities

Evaluate the effectiveness of the risk management process (-> continuous improvement of project management processes)

Risk Assessment

Risk Audit

Variance and Trend Analysis

Technical Performance Measurement

Reserve Analysis

Status Meetings

Assess and analyze new risks or review known risks

Review of the effectiveness of the chosen policies and measures

Review of the effectiveness of the risk management process

Responsibility of the project manager

Methods of trend and variance analysis, e.g. Earned Value Analysis

Analogously comparable “monitor and control” processes

Measurement of project progress based on concrete project results

Provides information on goal achievement and risk assessment

Determining / checking the reserves

Comparison of reserves with risk assessment of any necessary reserves

Risk management on the agenda of each project status meeting

Supports:

• Identification and assessment of risks

• Development of strategies and measures