Project Risk Management involves the processes of conducting risk management planning, identification, analysis, response planning, response implementation, and monitoring risk on a project. It aims to maximize the results of positive events and minimize the consequences of adverse events.
This guide will detail the seven processes within Risk Management, highlighting key concepts, types of risks, analysis techniques, and response strategies.
10.1 Risk Definitions
Understanding the fundamental nature of risk is crucial in project management.
Negative Risk (Threat)
An uncertain event that, if it occurs, has an adverse effect on one or more project objectives (e.g., scope, schedule, cost, quality).
Example: Supplier delay increases project budget or schedule.
Positive Risk (Opportunity)
An uncertain event that, if it occurs, has a beneficial effect on one or more project objectives.
Example: Permit approved faster, decreasing project schedule.
**Overall Project Risk** is about the outcome of the project being positive or negative for the stakeholders. It is the sum of all individual risks and represents the uncertainty of the entire project. It looks at how risks, in general, will affect the objectives of the project, not just individual baselines.
10.2 Project Risk Management Processes Overview
Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response planning, response implementation, and monitoring risk on a project.
The 7 Risk Management Processes are:
- Plan Risk Management (Planning)
- Identify Risks (Planning)
- Perform Qualitative Risk Analysis (Planning)
- Perform Quantitative Risk Analysis (Planning)
- Plan Risk Responses (Planning)
- Implement Risk Responses (Executing)
- Monitor Risks (Monitoring & Controlling)
Risk Management Processes by Process Group
This chart shows how the 7 Project Risk Management processes are distributed across the Process Groups.
Note: Risk management has a heavy focus on the Planning phase.
10.3 Plan Risk Management
This process defines how to conduct risk management activities for a project. It establishes the approach, roles, responsibilities, and timing of risk processes.
10.3.1 Inputs
- Project Charter
- Project Management Plan
- Project Documents (Stakeholder Register)
- Enterprise Environmental Factors (EEFs)
- Organizational Process Assets (OPAs)
10.3.2 Tools & Techniques
- Expert Judgment
- Data Analysis
- Project Management Information System (PMIS)
- Meetings
10.3.3 Outputs
- Risk Management Plan: Specifies how risk processes will be conducted (methodology, roles, timing, Risk Breakdown Structure – RBS for categorizing risks).
Exam Tip:
The risk management plan does NOT list risks. It states how you plan to execute the risk management processes. The risk register lists risks. The risk management plan IS part of the PM plan, but the risk register is NOT.
10.4 Identify Risks
This process identifies individual project risks as well as sources of overall project risk, and documents their characteristics. This is an ongoing process throughout the project’s life cycle.
10.4.1 Inputs
- Project Charter
- Project Management Plan (Risk Management Plan, Scope Baseline, Schedule Baseline, Cost Baseline)
- Project Documents (Stakeholder Register, Assumption Log, Issue Log, Cost/Duration Estimates, Lessons Learned Register)
- Agreements, EEFs, OPAs
10.4.2 Tools & Techniques
- Expert Judgment
- Data Gathering (e.g., Brainstorming, Checklists – RBS is a great checklist, Interviews, Delphi Technique – anonymous collection from SMEs)
- Data Analysis:
  - Document Analysis (reviewing all project documentation for risks).
  - Assumptions and Constraints Analysis (identifying risks if assumptions are wrong or constraints are too limiting).
  - Root Cause Analysis (looking at underlying causes for potential problems, e.g., Fishbone diagram).
  - SWOT Analysis (Strengths, Weaknesses, Opportunities, Threats – identifies both positive and negative risks).
- Prompt Lists (e.g., Risk Breakdown Structure – RBS).
- Interpersonal & Team Skills, Meetings.
10.4.3 Outputs
- Risk Register: A list of all identified individual project risks (positive and negative). It’s a living document updated throughout the project.
- Risk Report: Covers the overall project risks (e.g., source of overall risk, categories, identified threats and opportunities).
- Project Management Plan Updates.
Exam Tip:
The risk report describes overall project risks and the risk register describes individual project risks.
10.5 Perform Qualitative Risk Analysis
This process prioritizes individual project risks for further analysis or action by assessing their probability of occurrence and impact. Organizational risk tolerance and appetite play a big part.
10.5.1 Inputs
- Project Charter
- Project Management Plan
- Project Documents (Stakeholder Register, Assumption Log, Risk Register)
- Agreements, EEFs, OPAs
10.5.2 Tools & Techniques
- Expert Judgment
- Data Gathering
- Data Analysis:
  - Risk Probability and Impact Assessment: Assessing the likelihood and consequences of each risk (often using values like high, medium, low).
  - Risk Data Quality Assessment: Evaluating the accuracy and reliability of the risk data.
- Data Representation:
  - Probability and Impact Matrix: A table to rank risks based on their probability and impact.
  - Hierarchical charts (e.g., Bubble Chart, which uses three parameters: x-axis, y-axis, and bubble size for urgency).
- Risk Categorization (using RBS to group risks).
- Risk Urgency Assessment (identifying risks needing immediate attention).
Probability and Impact Matrix (Conceptual)
This matrix helps prioritize risks by mapping their likelihood against their potential effect.
10.5.3 Outputs
- Project Documents Updates (specifically the Risk Register, with updated priority/ranking).
10.6 Perform Quantitative Risk Analysis
This process numerically analyzes the effect of identified individual project risks and other sources of uncertainty on overall project objectives. It produces numerical analysis (e.g., a 4-week delay, $40,000 cost increase).
10.6.1 Inputs
- Project Charter
- Project Management Plan
- Project Documents (Stakeholder Register, Basis of Estimates, Risk Register, Risk Report, Milestone List, Cost/Duration Estimates, Forecasts)
- EEFs, OPAs
10.6.2 Tools & Techniques
- Expert Judgment
- Data Gathering (e.g., Interviewing, Probability Distributions)
- Data Analysis:
  - Simulation (Monte Carlo Analysis): Computer-based analysis looking at many different scenarios.
  - Sensitivity Analysis (Tornado Diagram): Looks at risks with the most impact on a project, showing how one risk affects multiple sections. Displays risks with the largest range at the top.
  - Expected Monetary Value Analysis (EMV): Assigns a certain dollar amount to the risk. Done using **Decision Tree Analysis** (aka make-or-buy analysis), which uses cost and probability to determine overall impact.
    - EMV Formula: Probability × Impact.
- Representations of Uncertainty.
Tornado Diagram (Conceptual)
A Tornado Diagram visually represents the sensitivity of project objectives to various risks, showing which risks have the greatest impact.
Decision Tree Analysis (Conceptual)
Decision trees help evaluate alternatives by mapping out possible outcomes, probabilities, and costs.
[Figure: decision tree comparing two alternatives. Labels shown: Cost: $1,000,000; Cost: $800,000; 75% Probability / 25% Probability, Impact: $400,000; 90% Probability / 10% Probability, Impact: $500,000.]
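The EMV, decision tree and Monte Carlo techniques described above, worked through as an added example that is not part of the original guide. It reuses the costs, probabilities and impacts shown in the diagram; the pairing of each figure with a branch (a 25% chance of $400,000 on the $1,000,000 option, a 10% chance of $500,000 on the $800,000 option) and the names `option_a` and `option_b` are assumptions.

```python
import random

# Decision tree options. Costs, probabilities and impacts are the figures from
# the page's diagram; which branch each belongs to is ASSUMED for this example.
OPTIONS = {
    "option_a": {"cost": 1_000_000, "risks": [(0.25, 400_000)]},
    "option_b": {"cost": 800_000, "risks": [(0.10, 500_000)]},
}

def emv(risks):
    """Expected monetary value: sum of probability x impact over all risks."""
    return sum(p * impact for p, impact in risks)

def expected_cost(option):
    """Decision-tree node value: committed cost plus EMV of its risk branches."""
    return option["cost"] + emv(option["risks"])

def best_option(options):
    """Pick the alternative with the lowest expected cost."""
    return min(options, key=lambda name: expected_cost(options[name]))

def monte_carlo(option, trials=20_000, seed=1):
    """Simulate total cost: each risk fires independently with its probability."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = []
    for _ in range(trials):
        total = option["cost"]
        for p, impact in option["risks"]:
            if rng.random() < p:
                total += impact
        totals.append(total)
    return sorted(totals)

def percentile(sorted_totals, q):
    """Value at or below which a fraction q of simulated outcomes fall."""
    index = min(len(sorted_totals) - 1, int(q * len(sorted_totals)))
    return sorted_totals[index]

if __name__ == "__main__":
    for name, option in OPTIONS.items():
        totals = monte_carlo(option)
        print(name, "expected cost:", expected_cost(option),
              "simulated mean:", sum(totals) / len(totals),
              "P80:", percentile(totals, 0.80))
    print("lowest expected cost:", best_option(OPTIONS))
```

Under these assumptions EMV puts the exposure of `option_b` at $50,000, while its simulated 95th percentile is $1,300,000: the simulation shows the tail that a single EMV figure averages away.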
10.6.3 Outputs
- Project Documents Updates (Risk Register, Risk Report, with numerical analysis).
10.7 Plan Risk Responses
This process develops options, selects strategies, and agrees on actions to address overall risk exposure, as well as to treat individual project risks. **Always assess risk before responding.**
10.7.1 Inputs
- Project Management Plan
- Project Documents (Lessons Learned Register, Resource Calendars, Risk Register, Risk Report, Project Team Assignments, Project Schedule, Stakeholder Register)
- EEFs, OPAs
10.7.2 Tools & Techniques
- Expert Judgment, Data Gathering, Interpersonal & Team Skills.
- Strategies for Threats (Negative Risks):
  - Escalate: Risk outside project scope, affects multiple projects. PM no longer monitors.
  - Avoid: Eliminate the risk entirely (e.g., change scope, choose different solution).
  - Transfer: Shift risk to a third party (e.g., insurance, warranty, outsourcing).
  - Mitigate: Reduce probability and/or impact. Does not remove risk completely; residual risk remains.
  - Accept: Do nothing, accept impact if it occurs. Can be Active (set up contingency) or Passive (monitor only).
- Strategies for Opportunities (Positive Risks):
  - Escalate: Opportunity outside project scope, escalated to higher levels.
  - Exploit: Ensure the opportunity happens (opposite of avoid).
  - Share: Share ownership of the opportunity with others for mutual benefit.
  - Enhance: Increase the probability or impact of the opportunity (opposite of mitigate).
  - Accept: Same as for threats.
- Contingent Response Strategies: Actions taken only if a specific event occurs.
Risk Response Strategies: Threats vs. Opportunities
Different approaches are used to manage negative risks (threats) and positive risks (opportunities).
| Threat Strategies | Opportunity Strategies |
|---|---|
| Escalate | Escalate |
| Avoid | Exploit |
| Transfer | Share |
| Mitigate | Enhance |
| Accept | Accept |
Exam Tip:
Expect many questions about these responses. Questions generally ask what response the project manager used in a given scenario.
10.7.3 Outputs
- Change Requests.
- Project Management Plan Updates, Project Documents Updates (Risk Register).
10.8 Implement Risk Responses
This process involves implementing agreed-upon risk response plans. Once a risk materializes, the project manager follows the predefined responses.
10.8.1 Inputs
- Project Management Plan
- Project Documents (Lessons Learned Register, Risk Register, Risk Report)
- EEFs, OPAs
10.8.2 Tools & Techniques
- Expert Judgment
- Interpersonal & Team Skills
- Project Management Information System (PMIS)
10.8.3 Outputs
- Change Requests.
10.9 Monitor Risks
This process monitors the implementation of agreed-upon risk response plans, tracks identified risks, identifies new risks, and evaluates risk process effectiveness throughout the project. It also includes analyzing work to see if any new risks arise or if current risks change.
**Risk Triggers** are symptoms or warning signs that a potential risk is about to occur within the project.
10.9.1 Inputs
- Project Management Plan
- Project Documents (Lessons Learned Register, Issue Log, Risk Report, Work Performance Data, Work Performance Report)
- EEFs, OPAs
10.9.2 Tools & Techniques
- Data Gathering:
  - Technical Performance Analysis: Looks at technical aspects to determine if they are going according to plan.
  - Reserve Analysis: Reviewing cost and time reserves to ensure sufficiency in case a risk occurs.
- Audits
- Meetings
10.9.3 Outputs
- Work Performance Information.
- Change Requests.
- Project Documents Updates, OPA Updates.
