PMI CAPM – Administer Project Risk Management

  1. Section Overview

In this section on project risk management, we’re going to take a look at many risk management processes that are grouped in planning. So of our 24 processes in planning, a big chunk of these are dedicated to risk management. So we’re going to talk about risk and reward. That not all risk is bad. Want you to watch for the idea of a business risk versus a pure risk in this section. So in our conversation about what is risk, that’s really important. We’ll begin our conversation in this process of plan risk management here in this section. So we’re going to define how will these risk management activities occur.

So how will you go about identifying risk? It’s an ongoing Iterative activity, but how will you do it? How will you do risk analysis, qualitative and quantitative analysis? How will you create risk responses? We have seven possible risk responses and how will you control risk? So this is all defined in the risk management plan. Your organization may have some risk management policies that you have to adhere to. So enterprise environmental factors or the industry that you work in, or even regulations if you are in working in some type of a discipline that could be dangerous, like manufacturing or construction or health care, that there are regulated policies to counter certain types of risk.

The risk management plan identifies the risk probability and impact. And this is where we’ll begin to create a probability and impact matrix. We’re going to take into consideration stakeholder tolerances for risk, who reports to whom, and then how will you track risk in your project? This is where we’ll get into the idea of risk owners and setting us up for risk responses. Before we can get to risk responses, though, we have to do the process of identifying risk. Risk identification is all about not only identifying, but documenting the risk events in a risk register. Identification of risk is an Iterative activity. It’s ongoing.

You’re going to do this over and over and over throughout your project. When you see a new risk, you’re going to add it to the risk register. That it’s a central risk repository. It includes our identified risk potential responses. You might do some root cause analysis and then the status. You’re going to track that risk and find the status. And if that status changes, then you may have to change your risk response planning. In this section, we’re going to look at two types of analysis of risk. We have qualitative analysis and quantitative analysis. So quickly, qualitative analysis is very fast. It is quick, it’s subjective, it’s a high level approach. Quantitative analysis quantifies the risk, usually for more serious risk based on probability and impact. And our goal here in quantitative is to quantify the risk.

So we’re looking for time and money. Typically we just save money and you’ll see that that’s how we build our contingency reserve based on our quantitative analysis. So quantitative analysis takes more time. We want you to watch for quantitative analysis in this section. And what will the quantitative analysis create for you? And there’s four things that come out of quantitative analysis I want you to watch for in this section. Then, now that we’ve done analysis, now we can create some risk responses. And there are seven risk responses. I’m not going to tell you now I want you to watch in this section we have three for negative, three for positive, and one that’s appropriate for both. Okay? I know set you up with a lot of mystery here in this section, something to look forward to. It’s a really important topic here in risk management that we are responding and then we are controlling our risk. And so we’re planning and responding, controlling. So I want you to hop in now and to attack this section on risk management, chapter eleven in the Pinbox. Let’s get started right now.

  1. Plan Project Risk Management

In this lecture we’re going to talk about creating a risk management plan. This is a really important topic for your PMP exam, so I want you to really hone in to these planning processes over the next several lectures. So let’s begin talking about planning, planning, project risk management that we’re planning, analyzing, responding to, and then we’ll get into monitoring and controlling our risk events. So first up, we’re going to talk about what is risk. So when we look at risk in a project, what do you think of? Most people think of the negative of a risk that we don’t want risk. That risk is bad. Well, the truth is that risk is not always bad. If you invest in the stock market, you have risk that you could lose your investment, but you also have opportunity that you could have a return for that investment. So we have risk and reward. That risk is not always bad, that some risks are worth having and others risks we don’t want to have. So we think about that risk and reward in a project.

A project is risk that projects when we first launch a project, the odds of a project being successful are really low. On day one, the closer that I get to the end of the project, my odds of the risk being successful increase. So over time, the risk fluctuates early on. A lot of risk in a project. The closer I get to the end, the risk diminishes and the odds of project success increases. So a project in and of itself is risk for an organization, but there’s risk and reward and there are things that we can do to manage the risk of project failure. And then within our project we’re going to see there are different risk. Risk is an uncertain event that may have a positive or a negative effect on the project objectives. So we think about negative risk, we think about loss of time, money.

A vendor doesn’t do a good job, the customer doesn’t accept the work. And then in your discipline, I’m sure you have some obvious risks that you go to data loss, the weather software isn’t compatible with the hardware or whatever the case may be. Those are all negative risks that we think of disrupting the project, of costing us time and money and maybe even our reputation or the success of the project. But then we might also have opportunities, positive risk events that I can add people to the project to get done faster, or we can get a discount from the vendor. If we can find ten more people in our company that need a new laptop, we’ll get a better price for our project, or we have a new vendor, but they can save us a lot of time and money with their solution.

So those are all opportunities that we want to happen in the project. So risk isn’t always bad. There are two big categories of risk that we need to acknowledge we have business risk and pure risk. Most projects we think about business risk, that there are an upside or a downside. You could make money or lose money. You can save time or lose time in your project. So a business risk is like investing in the stock market, that there are ups and downs, pros and cons. So you might invest some in a little riskier stocks, invest some in a little bit safer stocks. So you distribute your risk well. That’s all business risk, upside or downside, make money or lose money. Pure risk only have a downside. This is where we think about industries like construction, like manufacturing. Even in some cases in healthcare where pure risk could be someone is injured if you don’t manage that risk properly. So like in construction, we wear a hard hat or you are tied in if you’re above a certain amount of feet or you use the right equipment. Make sure you have on gloves and steel toiled boots, things like that. Because you don’t want to get hurt at the job site. Someone gets hurt at the job site, one, that person’s hurt, loss of life or limb.

Two, they’re going to shut down your job site. OSHA will come in and now you’re going to have a study of your safety practices and so on. So you have you know, it could be a disruption in the project. Three, you might have lawsuits, but pure risk in itself is just bad that somebody could get hurt or injured. So we do whatever we can to avoid or mitigate pure risk. We don’t want that in our project. Of course we don’t want anyone to get hurt at our job site or at healthcare or in manufacturing that we take measures to ensure that people are safe. So that’s pure risk. Pure risk is always bad, only a downside. When we begin to plan for risk management, we have to look at a couple of things here.

Let’s start by looking at this little graphic about project priority in relation to the cost of risk elimination. The dashed line that you see going from way up top and project priority to way down low in the cost of risk elimination, that represents how much an organization will spend in relation to how important the project is. And the solid line going in the inverse is the actual spending of the money. So if you look way at the top of the dash line, that’s how important the project is. If you look in relation to that, the solid line way up, they’re almost equal. So this is saying that the more important the project, the more willing we are to spend money to eliminate risk. So if we’re doing a project and swap out keyboards on 1000 computers, not a big project, not a big deal, it’s way low on project priority. So our cost of risk elimination, you can see is also way low. So we’re not going to spend a lot of money to get rid of risk and a low priority project so they balance out.

So if you have a high profile, high priority project, we’re more willing to spend funds to get rid of those risk events. So this is setting us up a little bit for risk response planning. Some terms that are all related here, they’re almost synonymous risk appetite, risk tolerance, risk threshold, stakeholder tolerance for risk and utility function. Kind of the weird one there. What this means is how willing are you to take on risk based on the project priority and based on your organization? So if we are in 100 year old bank environment, a lot of regulations, very secure, a lot of procedures and standards, our stakeholder tolerance for risk, there may be much less than if we are a startup company working out of our garage, we might take on a little bit more risk.

We don’t have as much to lose to take on certain risk. So your risk appetite or tolerance for risk one varies by your enterprise environmental factors and also by the culture of where you’re working. The second thing that contributes to your risk tolerance is the project priority. Just what we were talking about. The higher the project priority, the less tolerant an organization will be towards risk. So all of these terms, stakeholder tolerance, the risk threshold and so on, that all describes your willingness to take on risk. So let’s talk about risk threshold for a moment. Let’s say you and I, we’re going to go out to Las Vegas. We’re going to meet out in Vegas.

We’re going to have great food, get some sunshine, go see some different shows, just going to have a great time out there in Vegas. And of course, we’re going to go play a little blackjack. So we go up to the blackjack table, and we can bet $5 for a hand in blackjack. So I’m going to bet $5. You, on the other hand, you’re betting a hand in blackjack, and you are going to take on that risk. Do you feel okay with that? You’re comfortable? I know some of you out there are saying, yeah, that’s great.

Double down at eleven, split eight, all of that business. Others are saying, no way, that’s way too much. I would not be comfortable with that. I wouldn’t bet anything. I’ll go see shows and go shopping, and I’ll be with you. All right. So that unease that you may feel, betting $5 or 50 or 100, that is your utility function. How willing are you? At what point do you cross a risk threshold that the risk is no longer worth the potential for the reward? So that’s the idea in project management as well. There will be some risk and how we rank them and score them that we’re willing to take those on other risks? No, I’m very uncomfortable with that, with that probability and that impact.

We can’t have that in the project. We have to avoid it or find a way to mitigate it or even transfer it to someone else. That’s all related to this conversation here about your risk threshold. All right, come back from Vegas. Let’s move on. Next up, we want to talk about the actual process of creating the risk Management plan. Like all of our plans, the plan itself does not identify the risk. It does not say how to respond to the risk. It defines how will you identify, how will you do risk analysis, how will you create responses and how will you control?

So really it’s setting the groundwork for the remainder of the processes in this knowledge area. Look at our edo to create the risk management plan, we take the project plan, project charter, the stakeholder register, and of course those enterprise environmental factors, any rules or procedures you have to do to manage risk and OPA. So if I have a similar project, I’m going to grab that risk management plan or a template for my PMO and adapt it to my current project. Tools and techniques here, analytical techniques. You’re going to have to do some studying and think about your project work and think about how will you identify and how you analyze expert judgment, bring in some sneeze or consultants. And of course, we always have to have some meetings. I know you love to have meetings.

Our outputs here will be the risk Management plan. So I was just joking you about meetings. Well, let’s go in and talk about what happens in a planning meeting for risk. Well, the project manager, the team and the stakeholders are going to be the participants in this planning meeting. We’re going to look at the cost elements. Now, the cost elements here, we’re thinking about time and money, not just if the risk happens, but to do the analysis on the risk events. As we’re going to see coming up in quantitative risk analysis, it takes time and money to do an analysis, to really study an event. So for example, we’ve never worked with a particular piece of material before.

Rather than just introduce that to the job site, we’re going to set up a lab environment where we’re going to experiment with it and learn and really understand how this material will work. Well, we need a place to do that. We got to go buy the material. It takes some time. That’s all this type of stuff we’re talking about in these planning meetings and in quantitative risk analysis. So a little hint at what’s coming up. Schedule activities and cost elements. Just what I was talking about. We need time and money to do that type of analysis. And then this helps us to create the risk management plan. And again, this could be template driven. You don’t have to start from scratch. Your organization may have some risk management policies that you have to follow.

So these are enterprise environmental factors, where they being management or your organization. They have some rules on how you do risk identification, how you do analysis, who you have to report certain characteristics of risk to. There may be a certain threshold. So there’s all sorts of different rules that an organization could set up. But all of these are enterprise environmental factors which affect how you get to manage risk events.

So some things to think about here with policies, just the nature of your work, there are probably some easily identified and accepted ways to manage risk events. Like I was talking about a pure risk in construction. If you’re in construction, you probably know already that there are some readily identified risks that you always have to address. Safety, dealing with permits and inspectors, certain things with vendors.

That’s just your area and your discipline. Others of you out there, maybe in manufacturing or It or healthcare, and in all those disciplines, I know that you have risk that you could immediately go to and say, well, this is a risk and how we always do it. That’s the nature of your work or your industry standards. All of us have regulated policies that we have to abide by in our different industries. Construction, healthcare, manufacturing, It, what have you.

So there are regulated policies of where your projects are taking place. So just think of any discipline at all. There are going to be some regulations and policies that you have to adhere to or abide by that are just part of how you do business. So that’s all part of enterprise environmental factors. Our goal is to create a risk management plan. Well, we don’t want to start from scratch. I don’t want to start from scratch every time. So one of the things we can do here is be template driven where we can take a past project and adapt it to our current project. And so this can guide us on things like our methodology. Methodology means what’s your approach to manage risk? So how do you do risk identification in your organization or your discipline? How will you do qualitative and quantitative analysis?

What are the typical responses or your approach to risk response planning? And then what activities will you do to do risk monitoring and controlling? So all of that’s methodology, your plan could also address the roles and responsibilities. It’s not all the project manager here. You have project team members, stakeholders, maybe consultants or SME’s that contribute. So who’s responsible for what? And then, as we’ve already talked about, what’s your budget and timing to do risk analysis? And then this is also hinting at our budget and timing for our risk responses. So we’ll talk about that coming up in the course. And then we have an opportunity to do risk categories.

So a risk category is a way of categorizing risks either by phases or you could do it by different chunks of risk. So for example, in it we could say these are hardware, this is software, this is network, this is data, this is people in your industry. You might have different chunks or categories of where you could filter your risk. So we’ll talk more about that coming up. All right, now let’s look at creating the Risk Management plan. A few more things to wrap up here.

We want to talk about the definitions of risk, probability and impact. The probability are the odds that it will happen. The impact is what is the effect? Typically financial, although we know that not all risks are just financial. Once we’ve identified our risk events that we’re going to talk about in the next lecture just coming up, we’ll put those risks into a risk register. And then for analysis, we’re going to create a probability and impact matrix. That probability and impact is directly related to stakeholder tolerance. So we may have a threshold of any risk.

Above 40%, we have to respond to or a low profile project, a low priority project, that probability might be any risk above 75%, we have to respond to. So probability and impact in stakeholder tolerances. We’ll talk more about that coming up in a couple of lectures where we’ll dip into that in more detail reporting formats. You have to communicate those risk events. You just don’t document them and hide them that you communicate the risk and the status reports are a great place to do that. As to what risk are pending, what risk have happened, and what was your response.

Maybe you have some rules about more serious risk. Who do you have to communicate with? So reporting formats are documented in the risk management plan. And of course, how are you going to track these risks? You can’t just document them and ignore it. You need to track the risk through the project so there’s a timing involved.

When will these risks happen? So we can anticipate that, talk to our project team and then think about our risk response planning, which will be coming up. And so that’s directly tied to our tracking because if we’re anticipating a risk to happen, we better have a risk response for that risk coming up. Okay, good job. A lot of information in this module about risk management planning. Keep going. Our next lecture, we’re going to talk about how do you get out and identify risks you.