Project Risk Management According to the PMBOK

In some industries, risk analysis as a subset of project management is virtually non-existent.  Project management is usually focused on cost and schedule, and delivering projects “on time, on budget” sometimes feels like the only criteria.

But as a project manager, there’s nothing that makes you sleep at night better than knowing you’ve got the risks to your project under control and that the required stakeholders know about them.  Especially the most important stakeholder – your boss.  A risk register makes a project manager look very good.

The PMBOK’s Project Risk Management knowledge area contains 7 processes:

1. Plan Risk Management
2. Identify Risks
3. Perform Qualitative Risk Analysis
4. Perform Quantitative Risk Analysis
5. Plan Risk Responses
6. Implement Risk Responses
7. Monitor Risks

Plan Risk Management

This initial step involves the production of a risk management plan, a component of the overall project management plan.  It includes things like itemizing the risk categories (market, procurement, resources, etc.), determining the timing and procedures for reassessing risks, and definitions of risk probability and impact.

The only output is a Risk Management Plan.

Inputs

1. Project charter
2. Project management plan
   • All components
3. Project documents
   • Stakeholder register
4. Enterprise environmental factors
5. Organizational process assets

Tools and Techniques

1. Expert judgment
2. Data analysis
   • Stakeholder register
3. Meetings

Outputs

1. Risk management plan

Identify Risks

This is where the value is created.  A good list of potential risks to a project’s cost, schedule, or any other critical success factor is the key to great risk management.  Checklists are a good resource, as is expert judgment and previous project experience.  The latter tends to be elusive because we all want to forget the bad things that happened on previous projects long ago.  Clients and bosses, however, usually don’t have the same selective memory!

Also, it’s important to note the opposite of risks – opportunities.  There are usually potential cost or schedule savings based on project events, and identifying them in the risk register is the first step to taking those opportunities.

You can’t list everything.  Maybe a plane will crash into your office.  But the existence of a list is critical and brainstorming is your friend, that is, list as much as you can and strike off the low priority items later.  There is no guideline for the length of the list but you would want more items for projects that have are inherently risky (nuclear power plants, space travel, etc.).  If you stick to the most important stuff that has about a 10% or more chance of happening, you will have a good list that the stakeholders will approve of.

The main output of this process is the Risk Register.

Inputs

1. Project management plan
   • Requirements management plan
   • Schedule management plan
   • Cost management plan
   • Quality management plan
   • Resource management plan
   • Risk management plan
   • Scope baseline
   • Schedule baseline
   • Cost baseline
2. Project documents
   • Assumption log
   • Cost estimates
   • Duration estimates
   • Issue log
   • Lessons learned register
   • Requirements documentation
   • Resource requirements
   • Stakeholder register
3. Agreements
4. Procurement documentation
5. Enterprise environmental factors
6. Organizational process assets

Tools and Techniques

1. Expert judgment
2. Data gathering
   • Brainstorming
   • Checklists
   • Interviews
3. Data analysis
   • Root cause analysis
   • Assumption and constraint analysis
   • SWOT analysis
   • Document analysis
4. Interpersonal and team skills
   • Facilitation
5. Prompt lists
6. Meetings

Outputs

1. Risk register
2. Risk report
3. Project documents updates
   • Assumption log
   • Issue log
   • Lessons learned register

Perform Qualitative Risk Analysis

This step involves prioritization of risks.  Since risk has two components – probability of occurrence, and impact, each of these factors should be prioritized on a scale of, say, 1-10.  High-medium-low works well too.  Each risk on the risk register is analyzed and a ranking assigned to the two underlying variables.  Then an overall risk priority ranking is found (by multiplication of the two rankings, or whatever appropriate method).

Inputs

1. Project management plan
   • Risk management plan
2. Project documents
   • Assumption log
   • Risk register
   • Stakeholder register
3. Enterprise environmental factors
4. Organizational process assets

Tools and Techniques

1. Expert judgment
2. Data gathering
   • Interviews
3. Data analysis
   • Risk data quality assessment
   • Risk probability and impact assessment
   • Assessment of other risk parameters
4. Interpersonal and team skills
   • Facilitation
5. Risk categorization
6. Data representation
   • Probability and impact matrix
   • Hierarchical charts
7. Meetings

Outputs

1. Project documents updates
   1. Assumption log
   2. Issue log
   3. Risk register
   4. Risk report

Perform Quantitative Risk Analysis

Using the risk priorities established during the previous Qualitative Risk Analysis step, the impact on the project’s schedule and budget are determined. Each task is assigned a probability estimate for various scenarios, say 90%, 50%, and 10% likelihood.  A bell-curve style distribution can also be used.  Then the probability of meeting the overall cost and schedule is calculated.  This technique is called a Monte Carlo analysis, although other methods are also valid.

This is a sophisticated step that generally requires software and is suited primarily to large projects.

Inputs

1. Project management plan
   • Risk management plan
   • Scope baseline
   • Schedule baseline
   • Cost baseline
2. Project documents
   • Assumption log
   • Basis of estimates
   • Cost estimates
   • Cost forecasts
   • Duration estimates
   • Milestone list
   • Resource requirements
   • Risk register
   • Risk report
   • Schedule forecasts
3. Enterprise environmental factors
4. Organizational process assets

Tools and Techniques

1. Expert judgment
2. Data gathering
   • Interviews
3. Interpersonal and team skills
   • Facilitation
4. Representations of uncertainty
5. Data analysis
   • Simulations
   • Sensitivity analysis
   • Decision tree analysis
   • Influence diagrams

Outputs

1. Project documents updates
   • Risk report

Plan Risk Responses

At this step, you take the most important risks to the project and create an action plan, not just for responding to the risk if it happens, but for monitoring the risk triggers so you have the earliest possible warning.

Inputs

1. Project management plan
   • Resource management plan
   • Risk management plan
   • Cost baseline
2. Project documents
   • Lessons learned register
   • Project schedule
   • Project team assignments
   • Resource calendars
   • Risk register
   • Risk report
   • Stakeholder register
3. Enterprise environmental factors
4. Organizational process assets

Tools and Techniques

1. Expert judgment
2. Data gathering
   • Interviews
3. Interpersonal and team skills
   • Facilitation
4. Strategies for threats
5. Strategies for opportunities
6. Contingent response strategies
7. Strategies for overall project risk
8. Data analysis
   • Alternatives analysis
   • Cost-benefit analysis
9. Decision making
   • Multicriteria decision analysis

Outputs

1. Change requests
2. Project management plan updates
   • Schedule management plan
   • Cost management plan
   • Quality management plan
   • Resource management plan
   • Procurement management plan
   • Scope baseline
   • Schedule baseline
   • Cost baseline
3. Project documents updates
   • Assumption log
   • Cost forecasts
   • Lessons learned register
   • Project schedule
   • Project team assignments
   • Risk register
   • Risk report

Implement Risk Responses

When a risk event is triggered, the response plan springs into action.  This process happens during the project execution phase and requires good interpersonal and leadership skills.  Following the risk response, the issue log, risk register, and lessons learned register are updated.

Inputs

1. Project management plan
   • Risk management plan
2. Project documents
   • Lessons learned register
   • Risk register
   • Risk report
3. Organizational process assets

Tools & Techniques

1. Expert judgment
2. Interpersonal and team skills
   • Influencing
3. Project management information system

Outputs

1. Change requests
2. Project documents updates
   • Issue log
   • Lessons learned register
   • Project team assignments
   • Risk register
   • Risk report

Monitor Risks

Throughout the project, the risk register is monitored to ensure the analysis remains current.  Risks are always expiring and can be labelled as “did not occur.”  Also, risk priorities can change as many things can happen throughout a project that change the risk profile (probability, impact) of each risk.  A re-analysis of risks might generate different priorities or necessitate a revised risk response plan.

Inputs

1. Project management plan
   • Risk management plan
2. Project documents
   • Issue log
   • Lessons learned register
   • Risk register
   • Risk report
3. Work performance data
4. Work performance reports

Tools and Techniques

1. Data analysis
   • Technical performance analysis
   • Reserve analysis
2. Audits
3. Meetings

Outputs

1. Work performance information
2. Change requests
3. Project management plan updates
   • Any component
4. Project documents updates
   • Assumption log
   • Issue log
   • Lessons learned register
   • Risk register
   • Risk report
5. Organizational process assets updates