The Risk Management Processes

The Practice Standard for Risk Management actually covers the same set of processes that you could find in the PMBoK but there is a subtle difference. The PMBoK is all about Inputs, tools & techniques and outputs. Whereas, the Practice Standard adds more than just that, it adds a lot of details that you wouldn’t find in the PMBoK guide.

Ok, the six risk management processes that are part of the PMBoK Guide and the Practice Standard have been covered in great detail in our blog in the preceding sections. But, let us quickly summarize what the Practice Standard has to say about those processes.

1. Plan Risk Management – Define the Scope and Objective of Project Risk Management knowledge area and ensure that risk processes are fully integrated into wider project management.
2. Identify Risks – Identify as many known risks as practically possible
3. Perform Qualitative Analysis – Evaluate the key characteristics of individual risks so that they can be prioritized for further action
4. Perform Quantitative Analysis – Evaluate the combined risk on the overall project
5. Plan Risk Responses – Determine response strategies and actions for individual & overall project risks and integrate them into a plan
6. Monitor and Control Risks – Implement the approved response strategies, review changes, identify additional risk management actions required and assess the effectiveness of overall risk processes

Lastly, the Practice Standard mentions something that we have gone over multiple times. It says that the risk management processes are iterative and dynamic in nature. They must be tailored to suit the needs of your respective projects.

This wraps up all the articles in the series on PMI-RMP Exam Preparation. All the very best for your Exam. You can view the whole series in the Index Page by clicking here.

Prev: Risk Management Foundation

Risk Management & the PMBOK Guide

Are you PMP certified? Or have you read the PMBOK Guide? If so, you would already know that Risk Management is one of the 9 Project Management Knowledge Areas. The Risk Management Knowledge area of the PMBOK Guide will be a valuable resource in your preparation for the Risk Management Professional certification exam. Our exam preparation will closely follow how the PMBOK guide covers Risk Management.

If you are not PMP certified yet or do not have a copy of the PMBOK guide, don’t worry. In my earlier series on the PMP Certification exam preparation, I have covered the area of Risk Management in great detail. If you go through the chapters on Risk Management there, you should have more than enough information to proceed with your RMP exam preparation…

Risk Management Processes – As Per the PMBOK Guide

As per the PMBOK Guide, the Risk Management Knowledge Area is split into 6 distinct processes. Below is a short description of those processes with a link to learn more details about it. Those links contain the details regarding each of these processes from the PMBOK’s Perspective. That will be the basis for us in understanding the details that we will be covering in future from the RMP Exam perspective. So, spend some time and go through those chapters so that you establish the minimum level of knowledge required to easily progress towards the RMP Certification Examination.

The Risk Management Knowledge area includes the following Processes:

1. Plan Risk Management – Risk management planning is the process used to decide how the risk management activities for the project at hand will be performed. You can learn more about this Plan Risk Management process by Clicking Here
2. Identify Risks – The Identify Risk Process is the process where we actually identify all those uncertain events that might affect our project or its outcome. You can learn more about the Identify Risks process by Clicking Here
3. Perform Qualitative Risk Analysis – This is the process where we assess the Probability of the Risk event occurring and the Impact of the same. At the end of this process we will have a prioritized list of risks that we need to analyze further. You can learn more about the Perform Qualitative Risk Analysis process by Clicking Here
4. Perform Quantitative Risk Analysis – This is the process where we take the prioritized list of risks and apply mathematical analysis on them. You can learn more about the Perform Quantitative Risk Analysis process Clicking Here
5. Plan Risk Responses – This is the process where we will be deciding how we are going to handle the risks identified & analyzed in the previous processes if they occur. You can learn more about the Plan Risk Responses process by Clicking Here
6. Monitor & Control Risks – This is the process where we monitor the identified risks and identify & respond to new risks as they appear. You can learn more about the Monitor & Control Risks process by Clicking Here.

The whole Risk Management activity progresses step by step through these 6 processes. This is exactly how this blog is structured too. An important point to note here is that, the output of each of these processes serves as the input to the subsequent process. We will start with Plan Risk Management and progress towards Monitor & Control Risks…


The Risk Management Plan

The Risk Management Plan is the heart of our Risk Management activity and it is the artifact based on which we will be taking up each and every activity of Risk Management. The Risk Management Plan (we will call it RM Plan going forward) is a component of the Project Management Plan. We will be using the following as inputs to create the RM Plan:

a. Cost Management Plan
b. Schedule Management Plan
c. Communications Management Plan
d. Project Scope Statement
e. Organizational Process Assets &
f. Enterprise Environmental Factors

Don’t worry if you think I haven’t given much detail about the RM Plan creation here because there will be a whole section dedicated to it in future…

Key Inputs & Outputs of these Risk Management Processes

The RM Plan is the key output of the Plan Risk Management Process. As outlined in the previous paragraph on the Risk Management processes, the Identify Risks process takes this RM Plan as input and creates the Risk Register as the output. Each of the subsequent processes will take this Risk Register as input and then add or update it with more details and pass it on as input to the next process. This means that the Risk Register is going to be updated multiple times as it goes from Identify Risks to the Monitor & Control Risks process.

Along with the Risk Register, the Monitor & Control Risks process also uses Performance Reports (from the Report Project Performance process) and the Work Performance Information (from the Directing and Managing Project Execution process) that are created during the general Management of the Project. Also, any changes that may be suggested as output of this process will be submitted and put through the Perform Integrated Change Control process.

Prev: What is Project Risk?

Next: Understanding the Project Environment

Chapter 18: Risk Management

Aim: To understand the following Risk Management Processes
• Plan Risk Management
• Identify Risks
• Perform Qualitative Risk Analysis
• Perform Quantitative Risk Analysis
• Plan Risk Responses

If you have read the PMBOK or my earlier series “PMP Certification - Study Guide” you would by now know that

“A Risk is an Uncertain Event that can affect your Project”

Remember that this risk can be either Negative (An Actual Risk) or Positive (An Opportunity).

PMI’s risk management philosophy is based on a proactive approach to preventing negative risks and enhancing positive risks. Key points that you must remember about risk are:

• Risk can be either positive or negative. Positive risks are opportunities; negative risks are threats.
• A risk breakdown structure (RBS) is used to organize risk in a hierarchical structure.
• Monte Carlo analysis is a technique using simulations and probability in determining quantitative risk analysis.
• Risk categories are important in classifying risk.
• Probability and impact are both needed to assess risks.
• Quantitative analysis is generally reserved for high-probability, high-impact risk.
• Risk management planning and risk response planning are not the same activities.
• Risk identification is an iterative process that is performed throughout the project, not just during planning.
• Decision tree analysis is a technique using probabilities and costs for structured decision making.
• Five of the six risk management processes are conducted during the planning process group.
• The risk register is an important tool for capturing and tracking risks.

Exam Watch:

Risk register is a term introduced by PMI for the document detailing information on risks. The risk register includes all identified risks, the impacts of identified risks, proposed responses, responsible parties, and the current status.
Risk Management Planning and Risk Response Planning

The first step in Risk Management is to plan how we are going to conduct the whole Risk Management exercise in our project.
The risk management plan includes the risk methodology, roles/responsibilities, budget, execution timing, and definitions for risk categories, probabilities, and impacts. It is a summation of how the project team will carry out the remainder of the risk management activities for the project.

Exam Watch:

The risk management plan is not the same as the risk response plan. The Risk Response Plan will contain the possible actions you must take when a risk actually happens whereas the Risk Management Plan is the overall approach to managing Risks in the Project.

The risk management plan is the single output of the plan risk management process. The table below shows the inputs, tools and techniques, and outputs for the plan risk management process.

Plan Risk Management
Inputs	Tools & Techniques	Outputs
Project scope statement Cost management plan Schedule management plan Communications management plan Enterprise environmental factors Organizational process assets	Planning meetings and analysis	Risk management plan

To know more about the Plan Risk Management Process Click Here

Risk Breakdown Structure (RBS)

A risk breakdown structure (RBS) is a tool that can be used to organize risks in a hierarchical fashion. The structure is defined using the risk categories. Even if an RBS is not used, risk categories are still defined in risk management planning. Risk categories can include

• Technical - Risk associated with using new technology.
• External - Risk associated with forces or entities outside the project organization. External risks can include external suppliers, customers, weather, and market conditions.
• Organizational - Risk associated with either the organization running the project or the organization where the project will be implemented.
• Project Management - Risk associated with project management processes.

Note that this is just a high level classification of Risks and you need to tweak this whole process to suit your needs in the Project that is being executed.

Risk Probability and Impact

Probability can be defined as the likelihood that a risk will occur. It can be expressed mathematically or as a relative scale (low, medium, high).

Impact is the effect a risk has if it actually occurs. It can also be defined on a relative scale or mathematically.

The team documents in the project management plan detail how probabilities and impacts are measured. For example, a red/yellow/green scale might be used, where high-probability, high-impact risks are red; low-probability, low-impact risks are green; and so on. Again, I repeat, how the risks are categorized and prioritized will vary based on the Project at hand and there is no Universal Rule as to how you must handle risks.

Exam Watch:

Both probability and impact are mandatory for evaluating risks. Think of it this way, how will you prioritize a risk if you do not know what the chances are of the risk happening and what the impact it would have if it occurs.

Risk Identification, Analysis, Response Planning, and Monitoring/Controlling

In the risk management process, completing the risk management plan is the first step. After the plan is in place, according to PMI the next steps in the risk management process are
• Risk Identification
• Risk Analysis (qualitative and quantitative)
• Risk Response planning
• Monitoring/controlling Risks (This is not in scope as part of this chapter on Planning. We will cover it in the chapter on Monitoring & Controlling)

Identify Risks

The identify risks process determines the risks that might affect the project and characterizes those risks.
Obviously, you need to identify all the possible risks that might affect your project if you are to have any success handling them. Isnt it? Keep in mind that identifying risks is not just the project manager’s responsibility; team members, subject matter experts, customers, stakeholders, and others are involved in this process.

The table below shows the inputs, tools and techniques, and outputs for the identify risks process.

Identify Risks
Inputs	Tools & Techniques	Outputs
Risk management plan Activity cost estimates Activity duration estimates Scope baseline Stakeholder register Cost management plan Schedule management plan Quality management plan Project documents Enterprise environmental factors Organizational process assets	Documentation reviews Information gathering techniques Checklist analysis Assumptions analysis Diagramming techniques SWOT analysis (Strength, Weakness, Opportunity, Threat) Expert judgment	Risk register

The Risk Register

The risk register is the output of the identify risks process. The risk register contains the following information:
• Risk description
• Date identified
• Category
• Potential responses
• Current status

Exam Watch:

Identify risks is not a one-time event that occurs just during the planning process. It should be conducted throughout the project, including when major milestones are reached and when an actual risk event occurs.

To know more about the Identify Risks Process Click Here

Qualitative and Quantitative Risk Analysis

Qualitative risk analysis provides further definition to the identified risks in order to determine appropriate responses to them. The key terms are probability and impact. Probability is important because it measures how likely a risk is to occur. A high-probability risk deserves more attention than a low-probability risk. Similarly, impact is a measure of how the risk will affect the project should it occur. A risk with low impact has a different response than one with a high impact.

Exam Watch:

Qualitative risk analysis is most concerned with ranking or prioritizing risks. It is used to determine which risks pose more of a potential effect on the project.

Qualitative risk analysis quickly prioritizes risks in order to conduct response planning and quantitative risk analysis, if required. Using the probability of the impact and a probability impact matrix, the project manager develops a prioritized list of risks. The output to this step is captured in the risk register.

The table below shows the inputs, tools and techniques, and outputs for the perform qualitative risk analysis process.

Perform Qualitative Risk Analysis
Inputs	Tools & Techniques	Outputs
Risk register Risk management plan Project scope statement Organizational process assets	Risk probability and impact assessment Probability and impact matrix Risk data quality assessment Risk categorization Risk urgency assessment Expert judgment	Risk register updates

To know more about Qualitative Risk Analysis Click Here

Quantitative risk analysis assigns numerical values to risks and looks at those risks that are high on the list of prioritized risks (The output of qualitative risk analysis). The goal of this process is to quantify possible outcomes for the project, determine probabilities of outcomes, further identify high impacting risks, and develop realistic scope, schedule, and cost targets based on risks.

The table below shows the inputs, tools and techniques, and outputs for the perform quantitative risk analysis process.

Perform Quantitative Risk Analysis
Inputs	Tools & Techniques	Outputs
Risk register Risk management plan Cost management plan Schedule management plan Organizational process assets	Data gathering and representation techniques Quantitative risk analysis and modelling techniques Expert judgment	Risk register updates

Exam Watch:

Quantitative risk analysis is more concerned with assigning each risk a numerical value. This value can then be used to figure out the relative impact that particular risk would have on the project.

To know more about Quantitative Risk Analysis Click Here

Planning Responses to Positive and Negative Risks

After all risks are identified, options to deal with the risks must be identified. Each risk is assigned to one or more owners to carry out the planned response. The responses are documented in the risk register after it has been updated in the plan risk responses process.

The table below shows the inputs, tools and techniques, and outputs for the plan risk responses process.

Plan Risk Responses
Inputs	Tools & Techniques	Outputs
Risk register Risk management plan	Strategies for negative risks or threats Strategies for positive risks or opportunities Contingent response strategies plan Expert judgment	Risk register updates Risk-related contract decisions Project management updates Project document updates

There are four possible responses to negative risks:

• Avoid (Best) – Eliminating the Actual Threat by taking some action
• Transfer – Shifting the Risk to another party
• Mitigate – Take steps to ensure that the chances of the Risk happening are reduced
• Accept – Let the Risk happen. Use Contingency Reserves to handle it

For positive risks the responses include

• Exploit (Best) – Take steps to ensure that the Opportunity happens
• Share – Enlist the help of a Third party to capitalize on the opportunity
• Enhance – Taking steps to increase the probability of the Opportunity happening
• Accept – Take no steps to take advantage of the situation

To know more about the Plan Risk Responses process Click Here

Exam Watch:

Risks should be re-evaluated when the following events occur:

• A risk trigger is identified
• A change request is approved
• Key project milestones are reached
• Project phases end
• Deviations are detected in variance and trend analysis
• Corrective or preventive actions are implemented

Prev: Chapter 17

Next: Chapter 19