Project Risk Management

Questions and Answers

What is the primary distinction between individual and overall project risk assessments?

• Individual risk assessments are relative and qualitative; overall assessments determine project cost and schedule risks. (correct)
• Individual risk assessments are optional, while overall risk assessments are mandatory for all projects.
• Individual risk assessments provide absolute cost and schedule impacts, while overall assessments are relative.
• Individual risk assessments are quantitative, while overall risk assessments are qualitative.

Why should project teams avoid simply aggregating individual risk assessments to determine overall project risk?

• Overall project risk is always lower than the sum of individual risks.
• Aggregating individual risks is more time-consuming than performing a separate overall assessment.
• Individual risks can impact one another in complex ways, skewing the analysis if simply aggregated. (correct)
• Aggregating individual risks can lead to an underestimation of potential project impacts.

During which project phase is the bulk of individual risk analysis typically performed?

• Project execution phase
• Project closure phase
• Project planning process (correct)
• Project monitoring and controlling

How does individual risk analysis contribute to the establishment of project risk reserves?

It provides rationale for categorizing, grouping risks, and determining contingency and management buffers. (B)

What is the purpose of reassessing project risks throughout the project life cycle?

To maintain control of the project from a risk standpoint, adapting to new or changing risks. (A)

Which factor most influences project teams to use formal versus informal risk management techniques?

The degree of risk inherent in the project. (A)

For what type of projects is informal risk management most suitable?

Follow-on product production of fairly stable and mature products. (D)

What is the primary characteristic of a simple risk register?

A listing of risks with their categories, subjective assessments, and planned mitigation actions. (C)

What is the main benefit of using a risk matrix in formal risk planning?

It provides a visual aid to assist in evaluating risk and communicating risk assessment results. (B)

Why is it important to standardize the design of a risk matrix across an organization?

To ensure consistency in risk assessment and comparison across different projects. (C)

When using a risk matrix, what does the color-coding of low, medium, and high severity zones represent?

The organizational risk tolerance levels. (B)

What is the key advantage of using a risk matrix that includes both threats and opportunities?

It prompts the project team to investigate opportunities that might be overlooked. (D)

How does a risk burn-down schedule extend the use of a risk matrix?

By integrating an event-timing element to the risk analysis. (D)

Why is comparing total risk-severity ratings between different projects considered inappropriate?

Because the magnitude of the total number has no real absolute relevance. (D)

What is the primary purpose of Failure Modes and Effects Analysis (FMEA) in project risk management?

To comprehensively analyze potential system and equipment failures. (A)

Why is the capability of the people performing the risk analysis important?

The quality of analysis depends on the skill of the team and specifications relative to interpreting analytical data. (A)

What is the recommended composition of the risk assessment team during project planning?

The project manager, key project team members, and relevant experts. (D)

What three factors MOST influence the credibility of the risk assessment output?

How credible, experienced, and knowledgeable the individuals are; rationale for assessments; checks and balances employed. (D)

Why should risk analyses address risks that potentially impact project objectives, rather than individual or functional organization objectives?

To align risk management efforts with overall project goals. (B)

What is a key aspect to consider when prioritizing individual project risks?

The severity rating should be used to determine action and additional resources. (A)

Flashcards

Individual Project Risk Analysis

A qualitative analysis performed on individually identified risks.

Overall Project Risk Analysis

A quantitative analysis to determine overall project cost and schedule risks.

Individual Risk Analysis Process

Qualitatively assesses project risk-severity levels relative to each individually identified project risk.

Purpose of Severity Assessments

Prioritizes action plans and establishes risk reserves

Simple Risk Register

Listing of risks with categories, subjective assessment and mitigation actions.

Formal Risk Planning

Uses a risk matrix with a detailed risk register to produce risk-severity ratings.

Risk Burn-Down Schedule

Shows how project qualitative risk reduces over time.

Failure Modes and Effects Analysis (FMEA)

A reliability evaluation technique to determine the effects of system and equipment failures

Risk Assessment Team

A team that analyzes and plans for project risks

Simple Risk Register Approach

Used to determine level of risks based on risks' impacts

Formal Risk Planning/Management

Identifies and assesses individual project risks in a methodical way

Individual Project Risk Prioritization

Considers likelihood and impact of risks

Risk Event Timing Prioritization

The later the risk event, the costlier the project impact.

Study Notes

• Formal project risk management includes qualitative analysis of individual risks and quantitative analysis of overall project cost and schedule risks.
• Both qualitative and quantitative analyses are valuable practices for projects where performance and risk understanding are key to stakeholders.

Difference Between Individual and Overall Risk Assessments

• Overall project cost and schedule risk assessment cannot be determined effectively by aggregating individual risks.
• Individual risk assessments are relative and qualitative, not providing absolute cost or schedule impacts.
• Individual risks can interact in complex ways, potentially skewing analysis.
• Comparing best-case and worst-case scenarios may yield information of limited use due to the broad range of possibilities.
• Individual risk analysis and overall project risk analysis each have distinct purposes.
• Overall project risk assessment helps stakeholders decide if project outcomes are acceptable given risk tolerance.
• Risk analysis can lead to changes in project objectives before project start.
• Identifying and assessing individual risks facilitates overall risk assessment and enables specific actions to reduce impacts.

Performing Individual (Qualitative) Analysis of Project Risks

• Individual risk analysis qualitatively assesses risk-severity levels for each identified project risk.
• Severity assessments help prioritize responses and establish risk reserves (budgetary and schedule).
• This analysis is typically done during project planning and may result in iterations before the plan of record (POR) is finalized.
• Risk planning can disrupt project planning, causing changes and trade-offs potentially compromising project objectives.
• Risk-severity assessments and rankings facilitate selecting risk responses.
• These assessments enable risk categorization and provide rationale for establishing risk reserves (contingency and management buffers).
• Project risk reassessments occur throughout the project lifecycle as risks materialize or new risks are identified.
• Risks might become issues, be eliminated, or reduced to manageable residual risks.
• Frequent reassessments are necessary to maintain project control from a risk perspective, and can be planned or event-driven.

Risk Management Tools and Techniques for Qualitative Analysis

• Project teams use risk management formally or informally.
• The effectiveness and cost of risk management tools and techniques vary in complexity.
• More effective techniques are typically more costly.
• Organizational support infrastructure is needed to implement complex tools and techniques effectively.
• Simpler techniques are less complex but also less effective.

Informal (i.e., Reactive) Risk Management

• Not all projects undertake formal qualitative risk management.
• Even low-risk projects will adapt some process for dealing with issues as they occur.
• Informal risk management monitors project and product issues, reacting as needed.
• This approach is suitable when many potential risks have a low likelihood and impact, or are too random to prevent proactively.
• Using informal risk management as the primary process on complex projects can create a crisis culture.
• It works for follow-on production involving stable products and processes like addressing unexpected changes or compatibility issues.

Use of a Simple Risk Register

• A simple risk register lists risks with their categories (technical, cost, schedule).
• Risk registers include subjective risk assessments (high, medium, low) and planned mitigation actions.
• Deriving and assessing risks is typically informal and based on expert judgment.
• The effectiveness of this approach depends on the expertise of those providing the inputs and the project's scope and complexity.

Formal Risk Planning (Using a Risk Matrix)

• A popular approach involves using a risk matrix with a detailed risk register.
• This produces risk-severity ratings based on the probability and impact if risks materialize.
• Many configuration options exist for the specific design of the tool.
• Organizations standardize the methodology for consistency.
• The tool’s popularity stems from its relative ease of use, general applicability, and effectiveness.
• A detailed risk register supports the process of using risk matrix.
• The risk matrix is a visual aid for evaluating individual risks and communicating assessment results.
• The risk register holds risk identification, assessment, and response information.
• It provides risk-severity scores and metrics for prioritizing and funding responses.
• The risk matrix should be in the risk management plan (RMP) with agreed probability and impact scales.
• A common format is a 5 × 5 risk matrix.
• Some matrices evaluate only risks (threats).
• Other versions include opportunities.
• The matrix design (e.g., 3 × 3, 5 x 5, 10 x 10) depends on organizational preference.
• Since the severity score is a relative measure for comparing risks, the absolute value isn't critical; a scale with integer values is used.

Individual Project Risk Prioritization

• A benefit of risk-severity ratings is that they relate to the same evaluation criteria and can be compared.
• Higher severity ratings suggest a higher priority for resource allocation.
• Severity alone may not suffice, especially with limited funds
• An understanding of likely risk responses needs to be included in the selection criteria.
• The timing of risk events also needs to be considered.

Risk Event Timing Prioritization

• The later the risk event within the project life cycle, the costlier it will be to adjust the project plan if there are issues.
• Action must be taken to lessen their impact and/or move the risk event date earliear.

Incremental Project Cost Prioritization

• Varying levels of funds will be needed to respond to risks
• A low cost coupled with a risk could warrant a higher priority.

Risk Prioritization Based on the Cost per Severity Point Reduction

• Risk responses will not always eliminate all risks and some may remain.
• If similar risks that would normally be weighted the same exist, the response that takes the overall qualitative risk level down the most is the most cost-effective and must be given priority.

Identifying, Assessing, and Planning Responses for Notional Project

• The project team re-evaluated risks due to plan changes, identifying three major risks.
• Example of risks from the plan were: possibility of need of an extra design/build/test cycle, scarcity of raw materials, and the machine shop being overbooked.
• Actions like building rapid prototypes and peer design reviews were implemented to lower severity.
• The team managed Risk C by planning fabrication both in-house and at another supplier.

Notional Project Risk Burn-Down Schedule

• The risk burn-down schedule plots total risk severities over time.
• It can be used to compare with future status.
• The design for this project would be rapidly prototyped to determine if final design changes were appropriate.
• The final design adjustments would be verified by building an actual part.