Key Takeaways
- The Risk Register is the central project document that tracks all identified risks, their probability, impact, priority, and planned responses
- Qualitative Risk Analysis assesses individual risks through probability and impact assessment to prioritize risks for further analysis or response
- Quantitative Risk Analysis numerically analyzes the combined effect of risks on overall project objectives, often using Monte Carlo simulation
- Risk responses for threats include Avoid, Mitigate, Transfer, Accept (active or passive), and Escalate
- Risk management is a continuous process throughout the project lifecycle, not a one-time planning activity
Assessing & Managing Risks
Risk management is a critical project management function that involves identifying, analyzing, responding to, and monitoring risks throughout the project lifecycle. The PMP exam emphasizes both the technical aspects of risk management and the leadership skills needed to foster a risk-aware culture.
Risk Management Overview
Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on project objectives. Risks can be:
- Threats: Negative risks that could harm the project
- Opportunities: Positive risks that could benefit the project
Effective risk management helps projects achieve their objectives by proactively addressing uncertainty.
The Risk Register
The Risk Register is the primary document for tracking and managing project risks. It serves as an organized repository of all identified risks and their associated information.
Risk Register Components
| Component | Description | Example |
|---|---|---|
| Risk ID | Unique identifier | R-001, R-002 |
| Risk Description | Clear statement of the risk | "Key supplier may not deliver on time" |
| Category | Classification of risk type | Technical, External, Organizational |
| Probability | Likelihood of occurrence | High, Medium, Low (or numeric) |
| Impact | Consequence if risk occurs | High, Medium, Low (or numeric) |
| Priority Score | Usually Probability x Impact | Used for prioritization |
| Risk Owner | Person responsible for monitoring | Named individual |
| Response Strategy | Planned approach | Mitigate, Transfer, etc. |
| Response Actions | Specific actions planned | Detailed action items |
| Triggers | Warning signs | Indicators risk is occurring |
| Status | Current state | Open, Closed, Watching |
Risk Identification
Risk identification is the process of determining which risks may affect the project and documenting their characteristics.
Common Risk Identification Techniques
| Technique | Description | Best For |
|---|---|---|
| Brainstorming | Group session to generate ideas | Broad identification |
| Expert Interviews | One-on-one with subject matter experts | Deep domain knowledge |
| Checklists | Review of historical risk categories | Completeness |
| SWOT Analysis | Strengths, Weaknesses, Opportunities, Threats | Strategic risks |
| Root Cause Analysis | Identifying fundamental causes | Underlying issues |
| Assumption Analysis | Examining project assumptions | Hidden risks |
Qualitative Risk Analysis
Qualitative Risk Analysis is the process of prioritizing individual project risks by assessing their probability of occurrence and impact on project objectives.
Key Characteristics
- Subjective evaluation: Based on expert judgment
- Faster and simpler: Cheaper than quantitative methods
- Prioritization focus: Determines which risks need attention
- Should be performed on all projects: Standard practice
Probability and Impact Assessment
Risks are typically assessed using scales:
| Level | Probability | Impact on Objectives |
|---|---|---|
| Very High | >70% likely | Severe impact |
| High | 51-70% likely | Major impact |
| Medium | 31-50% likely | Moderate impact |
| Low | 11-30% likely | Minor impact |
| Very Low | <10% likely | Negligible impact |
The Probability-Impact Matrix
Risks are plotted on a matrix combining probability and impact to determine priority:
| Low Impact | Medium Impact | High Impact | |
|---|---|---|---|
| High Probability | Medium Priority | High Priority | Very High Priority |
| Medium Probability | Low Priority | Medium Priority | High Priority |
| Low Probability | Very Low Priority | Low Priority | Medium Priority |
Quantitative Risk Analysis
Quantitative Risk Analysis numerically analyzes the combined effect of identified individual risks and other sources of uncertainty on overall project objectives.
Key Characteristics
- Objective evaluation: Uses numerical data
- Analyzes overall project risk: Not just individual risks
- More time and cost intensive: Requires data and expertise
- Reserved for high-priority risks: Major projects with significant uncertainty
Common Quantitative Techniques
| Technique | Description | Output |
|---|---|---|
| Monte Carlo Simulation | Computer simulation of project scenarios | Probability distributions for outcomes |
| Decision Tree Analysis | Diagramming decisions and uncertainties | Expected monetary value (EMV) |
| Sensitivity Analysis | Determining which variables affect outcomes most | Tornado diagrams |
| Expected Monetary Value (EMV) | Probability x Impact (in monetary terms) | Dollar values for decision-making |
Qualitative vs. Quantitative Analysis
| Aspect | Qualitative | Quantitative |
|---|---|---|
| Focus | Individual risks | Overall project risk |
| Method | Subjective assessment | Numerical analysis |
| Output | Priority ranking | Probability distributions, EMV |
| When Used | All projects, all risks | High-priority, high-impact situations |
| Resources Required | Minimal | Significant (data, tools, expertise) |
Risk Response Planning
Risk response planning develops options and actions to address identified risks.
Responses to Threats (Negative Risks)
| Strategy | Description | Example |
|---|---|---|
| Avoid | Eliminate the threat entirely | Change project plan to remove risk |
| Mitigate | Reduce probability or impact | Add testing, use experienced staff |
| Transfer | Shift impact to third party | Insurance, warranties, contracts |
| Accept (Passive) | Take no action, document decision | Minor risks not worth addressing |
| Accept (Active) | Establish contingency reserve | Set aside budget for potential impact |
| Escalate | Risk outside project authority | Raise to portfolio/program level |
Responses to Opportunities (Positive Risks)
| Strategy | Description | Example |
|---|---|---|
| Exploit | Ensure opportunity is realized | Assign best resources |
| Enhance | Increase probability or impact | Invest in capability |
| Share | Allocate ownership to best party | Joint ventures, partnerships |
| Accept | Be willing to take advantage if it occurs | No proactive action |
| Escalate | Opportunity outside project authority | Raise for organizational benefit |
Risk Monitoring and Control
Risk management is a continuous process throughout the project lifecycle, not a one-time planning activity.
Ongoing Risk Activities
- Track identified risks: Monitor status and triggers
- Monitor residual risks: Risks remaining after response
- Identify new risks: Continuous identification
- Evaluate risk process effectiveness: Improve methods
- Execute risk responses: Implement planned actions
- Assess risk reserves: Monitor contingency usage
Risk Reassessment
Risk reassessment should be:
- A scheduled component of project status meetings
- Flexible to occur more or less frequently based on project phase
- Responsive to project changes and new information
Risk Management Best Practices
| Practice | Description |
|---|---|
| Start early | Begin risk management in project initiation |
| Involve the team | Leverage diverse perspectives |
| Document everything | Maintain complete risk register |
| Communicate openly | Share risk information with stakeholders |
| Review regularly | Make risk reviews part of project rhythm |
| Learn from experience | Apply lessons from past projects |
Key Takeaways
- The Risk Register is the central document for risk tracking
- Qualitative analysis prioritizes risks based on probability and impact
- Quantitative analysis provides numerical analysis of overall project risk
- Risk responses differ for threats (avoid, mitigate, transfer, accept) and opportunities (exploit, enhance, share, accept)
- Risk management is continuous throughout the project lifecycle
A project manager is prioritizing risks based on their likelihood of occurrence and potential impact on project objectives. Which process is being performed?
A project team has identified a risk that a key vendor may not deliver critical components on time. The team decides to contract with a backup vendor to share the delivery responsibility. Which risk response strategy is being used?
Monte Carlo simulation is an example of which type of risk analysis technique?