PMI PMP Project Management Professional – Introducing Project Risk Management Part 2
- Examining Stakeholder Tolerance
As we’re doing risk planning, we always have to keep in mind what’s the tolerance for risk that our stakeholders are likely to have. So you think about a high profile project in your organization, whatever that may look like for you, versus a low profile project. In a high, high profile project, stakeholder tolerance is typically more low because the value, the success of the project you’re managing is very important to those stakeholders. We’re a low level project. The stakeholder tolerance is usually very high that, yes, we’ll tolerate risk. I’m not willing to spend more than what the project is worth just to avoid a risk. In a low profile project, I’ll cancel the project.
So the profile of the project affects the risk management approach. It affects the amount of funds and time that you’ll spend. So you’re tailoring based on how much the project is in importance to the organization. So the more important the project, the lower the stakeholder tolerance is. This is typically expressed at the launch of the project, and then we might have some written policy statements. So you might have some thresholds already created for you when it comes to stakeholder tolerance. So this is basically what I was just saying.
We have low tolerance and a high risk exposure. So if you have a lot of risk in a project and the stakeholders have a low tolerance for risk, then it means we’re going to have to take more time or more money to reduce our exposure. So if I have a low tolerance for risk, so the classic example here is which are you more willing to gamble in a blackjack hand, $500 or $5 or not at all? So that unease you feel about putting $500 there to gamble, you might lose it. So that is your utility function. That’s your stakeholder tolerance. But $5, all right, I’ll play $5. 01 time, or you can say, that’s $5 in my pocket, I’m not going to play at all. That’s the idea of tolerance. So the reward is in proportion to what you risk. So if you were to gamble $500, you might win 500. I mean, the odds are really against you, right, in a
casino that you’re going to lose, but you might win. So but some of you are like, hey, I’m going to win, and this is $500, and I really love blackjack, so yeah, I’m going to go for it. Especially it’s not my $500. So you have a high tolerance for risk because you see the reward in relation to what you are gambling, what you’re exposed to. And then others say, well, I’m only going to bet $5 because that’s all I’m comfortable with. So if I win $5, hey, that’s great, but if I lose it, that’s not so bad. And still others are, I don’t want to gamble at all that’s money that is in my pocket.
Same thing happens with our stakeholders, but they see the tolerance, they see the exposure, rather. And then what’s the reward for that? So risk and reward, especially with business risk, because there needs to be some return on that if I am allowing that risk to exist in the project or I am taking that risk as a stakeholder. So my risk appetite, for those of you who said, hey, that’s $500 and we could make $500, so that’s your risk appetite. It’s the willingness to participate in the risk. So you’re hoping that you get the reward. So risk and reward go together. The threshold for risk may be established. So we’ll talk about this in qualitative and quantitative analysis, but when we study risk events, there may be a threshold that says risk above this score.
We’ll put scores on these risk events above the score. We have to respond to reduce the probability or to reduce the impact. So you have a score that if it’s above the score, these risk events, no, we can’t allow those in the project. So we have to work to reduce those down so that our tolerance, our threshold is more comfortable, that we will tolerate risks that are down in here. So that gets to go no go decisions, which could also mean the project overall risk exposure. If it’s above a certain amount, then we just aren’t going to do the project. So you could have a go no go decision just based on the type of risk in the project. Right. So that’s a little bit more insight into planning and stakeholder tolerance.
- Relying on Risk Management Policies
As we’re in planning and talking about risk management, we also need to be aware of some policies that you have to adhere to from different levels of your organization. So in this table, we have senior level and management level and support level. In each one of these levels has some input into the policies that you have to follow in risk management. So first off, let’s talk about just the policy. At a senior level, with the policy, they’re developing the risk management policy. So what are the rules and what’s the approach to risk that fits in with the management strategy? The vision of your organization now at the management level is the actual implementation of that policy. So they are implementing plans, they’re prioritizing and they are implementing that policy. At the support level, we’re supporting the policy. So it’s all about explaining the roles and the benefits.
And then how do you actually implement the policy. Now at the senior level, what’s the senior level? Roles and responsibility, it’s all about defining the accountabilities and methodologies in risk management. At the management level, it’s implementation. So they implement that policy. And then you can see at the support level we are advising on how to use the right tools that will be in sync with the overall policy for risk management resources. The senior level can provide resources or they secure commitments. So you have the resources, secure commitments and resources to ensure that the risk strategy and the risk policy is followed. This goes back like in quality. You say zero defects. I need the mechanisms to make that happen. So if you have a risk policy that I’m obliged to meet, I need to have the right resources to make that risk policy a reality.
At the management level, it’s reviewing how effective the policy is and then offering some support. And then at the actual support level is you’re analyzing the management information and then creating recommendations to how can we improve upon our policies and procedures. So you have these three different layers when it comes to risk management policies. I wouldn’t worry a whole lot about this for your exam. I would just be aware that senior level is more like vision and direction. Management level is kind of an implementation and ensuring that it’s happening.
The support level is all about I want to make certain that you can get this done, that you understand the policy and the approach. Some more here about the risk policy. When it comes to organizational process assets, your organization might have a predefined approach that this is how you plan, this is how you identify, this is how you analyze and these are the responses that we use. And then of course, how do you track all that through your project, you want to map out the risk management to these policies.
So whatever the policies are in your organization, this is how you identify and so on. You would ensure that your plan includes those activities, you have to identify any risk that could hinder your success. So we’ll talk more about that in risk identification. And then the risk policy is part of OPA. It’s been created for you to describe how you operate in the project. Some more. Opas, so the risk categories and a risk breakdown structure. So we’ll talk about categories of risk. The breakdown structure is like the WBS and the resource breakdown structure.
It’s all of the parts of your project like an. org chart. And then where do the risk exist within these different components? What are the definitions for your risk concepts and terms? So in your organization you may have specific terms. That is how you grade risk, like very low to very high. But what does it mean to be very high? How do you qualify for very high? Or you might say that you have a special risk, you may have a non event risk, you may have a variable risk. Well, what does that mean? So everyone understands what these risks are and what does it mean in your project? How do you document the risk? Do you just write them in the list? Do you have a special form that you use to capture it when you put them into what’s called the risk register? What characteristics, what’s the statement that you’ll write to describe the risk event? Does your organization have templates already for this process? A risk management plan, a risk register, even a risk report?
They may have templates created for you or you take historical information and adapt it to your current project. What roles and responsibilities exist? How much authority do you have as the PM or your project team to respond to risk events? And then what about lessons learned? Do you have previous projects or a lessons learned repository that you can pull from to better manage risk events? We’re going to meet a lot when it comes to risk identification and risk analysis. So what are these planning meetings and these analysis meetings that we’ll see coming up? Well, the project manager, the team and the key stakeholders meet to discuss the risk, to discuss the impact of the risk, and it may even be to test the risk if you’re going to go out and try to recreate it.
So you have a lab set up or a workspace set up where you can test some of the materials or test the experience to see if the risk event is likely to happen. You’re going to do some analysis where you want people involved there to get their different points of view, to have the experts to actually make that scenario happen. How much would that cost though? So there might be a budget set aside for risk analysis. So if you’re using a new piece of material, rather than go put it right into production, you might set up a test or a little lab where you want to see how it works and learn about it. What risk are there? So you’re studying.
That where you have to pay for that time, pay for that material, maybe even pay for the space or the equipment that you use just to do the analysis. And then that could also affect our schedule. And then as we create risk events, I should say risk responses for risk events, that could affect our schedule as well, because we’re responding, and that takes time. Or if a risk event happens or looks like it’s going to happen, then we may have to change risk schedule to accommodate that risk. All of this is documented in the risk management plan because it defines how will you identify, how will you do qualitative and quantitative analysis? How will you create risk responses, and then how will you implement the responses and control and track and monitor risk events? All right, good job. Keep moving forward.
- Creating the Risk Management Plan
Let’s take a look at what goes into the risk management plan and how it’s created. First off, in order to create the risk management plan, I need a lot of people to help. Obviously the project managers involved and the project team leads, your key stakeholders are involved. You may have some organization, people that can help, some personnel from like a risk management department, and then you may also have management or persons of authorities that can help with this type of decision making. The risk management planning we’re going to really nail down, but what are the planning activities we’re required to do? What’s the cost and schedule to do risk management activities? So we’re talking about quantitative analysis that takes time and money often to do that and then that also sets us up for our risk responses.
We’ll see that a little bit later in this section. What will be the assignment of risk responsibilities? So will you be creating risk owners and what does that mean to be a risk owner? How would that individual track that risk and monitor and report on that risk and be empowered to respond for the risk? What about templates? So do you have types of categories like hardware, software, network data that are some templates for risk categories that are just always types of risk that you have in your discipline? So in health care or manufacturing or whatever type of business that you operate in, what are the different definitions for level of risk?
Like very high to very low or what does moderate mean? And then how will you create and define your probability and impact matrices? So we’ll be creating a risk impact matrix coming up. So this is part of our plan though it defines how will you do that and what does it mean to have a probability impact matrix where you operate? Also in our plan is how will you do risk identification? This is an ongoing Iterative activity. We always want to look for risk events and how they could threaten our project or opportunities. We often think of the negative side here.
How will you do qualitative and quantitative analysis in your project? Often the project priority will guide you on qualitative and quantitative analysis, if it’s needed, into what depth. And we’ll talk about that, of course in a section resources and funds that may be needed to actually implement the plan. And then how you schedule these activities and what are the different risk categories that you foresee in your project and that can set us up for that risk breakdown structure? Also in the plan, how you define the risk appetite. So you think about opportunities and risk and reward. What are the documentations and reports you’ll be creating? Risk report.
So do you have a template for that? And what is the nomenclature that you use where you work? And what does a risk report look like? How will you do planning? So we need to dig in and do risk response planning. After we do quantitative analysis, how will you monitor and track risk events and ongoing risk management activities? Your organization may have a methodology for how you do risk management, for how you do planning.
So we need to understand what that methodology is and is it documented, and then that’s something that we insert into our risk management plan. So what are the tools that your organization will use? What is the approach that happens in your organization? What’s the data sources? If you have historical information and some good knowledge management? And then what’s the approach for your type of project and your phase? So different phases could introduce different types of risk about foundation framing, electrical and so on. And then how flexible is your project? How resilient is it when these risk, if they do happen, can you flex and adapt and then attack those risk events? So this is a lot of information. It’s part of your risk management plan, so you should be familiar with that for your exam.
- Creating Risk Categories
In the risk management plan, there is an opportunity to identify risk categories. So risk categories are just like a way to lump like risks together or risks that attack a particular objective together or risks that will happen in a particular type of work, like in the foundation, in framing, in electrical. So by creating these categories, it will really help you create a risk breakdown structure. Now, I’ve always done this by phases, but you could do this by different goals that the risk affects. But whatever way works best in your organization, it should be documented in our risk management plan.
So risk categories are a way of tracking risk in that category. So it will help us in monitoring and controlling and it will also allow us to tailor the categories or to use a template that’s best for the type of work that we’re doing. So let’s look at a risk breakdown structure. You can see it’s very, very similar to the WBS and the resource breakdown structure, just a way to visualize the risks that happen in the different areas. And so the little numbers that you see there could be a risk identifier, the status of the risk, the probability you could have a financial impact.
So you could really put anything that you want into this structure. But it’s just a way of tracking risk by categories or phases. The risk categories in the RBS, some common ones, you could go technical quality or performance risk. You could have a category for project management risks. So like a constraint, a budget or a deadline could be a PM risk, an organization risk. So you may have, may have trouble communicating if you’re in that network type structure.
We have like a node that you have to talk to. So communication gets complex or maybe there’s a change in management or your absorbed or being another company or buying another company that could introduce some risk. Or you might have a category for external risk, like laws or vendors that could be external. So these are just some samples. You don’t have to say this is what they always are, but these are some pretty common samples. All right, good job.
- Identifying Risks
The next process that we do in risk management is to identify risk. Risk identification really happens throughout the project. If you remember all the way back to the charter, we talked about what are the high level risk that you could see in this project and in the scope? We talked about constraints, assumptions, and risk. So identifying risk happens through us all about identifying risk and documenting those in a risk register. A document that follows us through the project, and we update as we identify new risk or the status of risk or characteristics of risk have changed. So it’s ongoing. This includes the individual risk and the overall project risk. Let’s check out the edo’s here for identifying risk. A lot of inputs. I’m just going to hit the headlines here.
You have the project management plan, and you can see just almost the whole plan is what you could review to identify risk, because what you’re doing is you’re looking at these documents to see what could be threatened or what’s an opportunity. Same thing with the project documents. All those different documents you see, those you’re examining for risks that may be in your assumptions or in your cost estimate or so on your agreements. Are there any risk in your contractual relationships or interdepartmental relationships?
What about procurement documentation? So your bids, your quotes, your request for proposals, your statement of work. So what risk may be lurking there? And then EEF and OPA, we’ve really been talking about those two things leading up to this point. Tools and techniques, expert judgment, doing some data gathering, data analysis. You’ve seen all of these before in different parts of our project. Interpersonal and team skills, some prop lists. So this is a new turn. A prop list may be some questions that you ask that are standard for the type of work that you do. And then meetings. My outputs. The risk register. That’s the real goal here.
You may have to create a risk report, which is a report that communicates the characteristics of the risk and what its status is and if it’s changed or not, or if you’ve identified a significant risk, you might do a report and then project document updates, like the assumption log and the lessons learned register. As I mentioned here, in Inputs, we have a lot of inputs that are documents. Well, that’s what it’s setting us up for, is documentation, reviews. So the Pmbok guide is telling us that if I go back and look at all of my plan and all of my documents and my contracts and so on, it’s a great way to begin identifying risk that may affect the project. Constraints and assumptions are a great way to begin identifying risk. Doing some assumptions, validity testing. This is an ongoing Iterative activity, especially in a high profile, very important project. I want to test assumptions.
As I just mentioned, if assumptions prove to be false, that’s a risk that could introduce a whole risk in the project. So when it comes to risk identification, I look at the assumptions and I play those. What ifs well, what if this is true or isn’t true? And how do we know this assumption is valid or not? So you’re really doing some analysis here. And how valid are they? Will there be an increase in cost or schedule delay if that assumption proved true or false? What we’re trying to do is assumption testing. So assumptions can have a big effect on our project success.
We have to really look at assumptions and then say, how stable is it? What information is this based upon? Is this really reliable? And if it’s not, what’s it going to do to our project, it’s going to mess up our project. What about the consequence of the assumption if it’s false, it may have a risk, but could it also be affecting any of your your KPIs, your key performance indicators? And then obviously, what’s the effect on the project if that assumption is false? Be aware of that for your exam. I’m sure you’re going to see that on your exam on this idea of assumption testing and how assumptions can become risk.