PMI PMP Project Management Professional – Introducing Project Risk Management Part 3
- Identifying Risks Through Interviews
One of our risk identification approaches will be interviews. Getting out and talking to people is a great way to identify risk. But who are we talking to? Subject matter experts, team members, stakeholders, asking people about their experience with this technology or experience with having a risk event at another project, looking at our work breakdown structure and kind of walking through those assumptions with our team and stakeholders, key stakeholders, even vendors, and SME’s. The types of questions that we want to do or the types of conversations that we want to have will be all about what risk, what could threaten the project, or how could we save money here? Or do you? See a time savings or what’s your experience been like with that portion of the project in the past or this type of work in the past. So it’s not a closed end question.
You want them to have an opportunity to discuss and to ponder and to look into the project. So we want their insight on the risk or where they see hidden risk, these unknowns that we have not identified, is there similar work that we can compare to or go to other project managers and look at their lessons learned or their experiences to look at what our risk may be and what risks they experience? And are we missing some that they had in their previous project? And again, we do assumptions, challenges. We really test these assumptions or get opinions about assumptions. So some questions here. What changes and challenges do you see or have you experienced in this type of work? How do your systems work? Can you talk me through it? Can you walk me through it? Especially if we’re talking about our project changing or establishing a system.
So let me experience what that’s going to be like for you or how what you have to go through to get this activity done. So what’s changed in your department or what’s going to change in the project that you see? And so does that introduce risk from the end user or the stakeholder’s perspective? So how often do you have to do this task? How often do you experience this interruption? How often is this a problem in your department? So that means there’s a risk that we’re trying to overcome or challenge or that we can incorporate in our project to plan for and to respond to. Another one to ask is, what makes your job hard? Well, it’s hard because I’m doing all this work and then the software crashes and I can’t recover it. It’s all garbled when I open it up.
Or it’s hard because the vendor isn’t talking to the project manager. And so I don’t have the materials that I need. And then I have to wait, I have to clock out, I have to sit around, whatever the case may be that’s a risk or something going on there. So these are types of questions, other questions, just to carry this conversation. Just give me some examples of XYZ. Give me some examples of how this is a disruption. So give me example when you walk through to print or to do a process or to use the system. So we’re talking to stakeholders here, or can you show me as a good example, how many times has that happened this year, this quarter, this month, or today?
So then what do you do when it happens? So they might know a little shortcut how they get around it, and then what do you do if the worst case scenario happens? So these are all good questions to ask in interviews. So we want to be conversational and look at the potential for risk from the stakeholders ‘perspective or the end users perspective.
- Analyzing SWOT
We know that risks are not always negative. Risks are uncertain. Risks are things that can threaten, but they’re also opportunities. So risk is an uncertainty of interconnection that can have a positive or a negative effect. So one way to identify risk is to acknowledge the positive, positive and negative of the unknowns in our project. And that’s using SWAT SWOT. SWAT is not a SWAT team. SWAT means that we’re looking at our strengths, weaknesses, opportunities and threats. So we think about analyzing with Swats, we’re looking at the project from each of these perspectives or a portion of the project or a condition in the project.
So here’s some examples of SWAT so strengths if you know that that technology has been successfully installed by other organizations, that’s provable. If someone else has done it, you can do it too, just like in your PMP exam. If other people have done it, you can do it too.
Weaknesses we’ve never installed this technology before. We don’t really know what to experience. Opportunities. But the opportunity is if we get it installed, it will reduce our cycle time from time to market. So why are you doing this? The business value is always an opportunity. What about threats? Well, it’s going to take time to learn.
So the learning curve you have that dip to go backwards, to go forwards. What’s going to happen here with the learning curve? So that’s just a quick example of SWAT. So you look at your project or condition your project and you say, well, what’s the strength? What are we really good at? Or what do we know about this that’s good and achievable? What weaknesses, opportunities and threats exist? So analyze SWAT SW OT.
- Creating a Risk Register
Our primary output of risk identification is this risk register. So the risk register is a document that has all the information about the risk events we’ve identified. And then we use this to track the risk and to give updates, to talk about the status, the outcome, how you respond to it. So just any information about the risk. As we move through the project, we update in the risk register some specific information about the risk register. Obviously we identify the risk and that’s what we’re going to add to the register, what potential responses. So as soon as you identify a risk, you may already have a good game plan because of past experience or someone on your team knows how to handle that.
So we might have some initial risk responses already. We’ll also include how do we know if this risk is going to happen?
So what are the conditions, what would be the trigger that would say the event is likely to happen? So what’s the warning sign or the symptom? And that helps us know. Get ready to do the risk response. Some other specifics in the register your risk owners. So the individuals that own the risk, what are their roles and responsibilities? If they are a risk owner, usually it’s the person that’s closest to the activity, it’s the risk owner, the individual that can see that risk is going to happen. And often they’re empowered to do the risk response.
You might also include the categorization of risk status, typically doing status, what’s the root cause and then what triggers, what areas of the work breakdown structure does it affect, what’s the timing? And then you have a deadline to respond to this risk. So these are all things that you would include in the risk register.
- Using Qualitative Risk analysis
In the general flow of our risk management processes. Once we’ve created a plan and we do risk identification, we take those risks and we move them into qualitative risk analysis. Now, while we’re looking at this nice clean flow, the reality is these may all overlap and be very messy. Qualitative risk analysis is all about qualifying the risk for more analysis. It’s a real fast, subjective way of just looking at a risk and saying, is this serious? So that’s kind of the heart, if you will, of qualitative risk analysis. It’s a difficult thought to get out this morning.
So qualitative risk analysis is your qualifying risk. Is this a serious risk or not? And we’re going to look at that. You can do it as you identify each risk or this might be a separate activity or meeting you do with your team. You can use a cardinal or ordinal scale to gauge or to judge, to indicate the seriousness or to give a risk score using qualitative risk analysis. Let’s check out our edo’s here for qualitative risk analysis. All right, our inputs, the project management plan, obviously the risk management plan we just created. It the project documents.
So you think about the assumption log, risk register, the stakeholder register and then EEF and OPA because you might have some rules or templates or whatnot. You have to use tools and techniques to do qualitative risk analysis. Expert judgment might do some data gathering through interviews. Data analysis, just your risk data quality assessment. How good is this data that we’re basing our estimate on, our analysis on? We’ll be creating a risk probability and impact matrix, not difficult to do. We’ll be doing that in just a little bit. We’ll do an assessment of our other risk parameters or other conditions and the influence of one risk on another. Interpersonal and team skills facilitating some meetings, risk categorization. Remember our risk breakdown structure and then data representation. This is the probability and impact matrix.
And you might have a hierarchical chart also used with qualitative. And then we’ll have meetings. Of course, our outputs will be project document updates, the assumption log, the issue log, the risk register and a risk report. So how do you go about doing qualitative risk analysis? Well, you look at individual risk and your goal is to say, do we need more analysis or should this just be documented and we keep an eye on it. That’s really the whole goal of qualitative risk analysis. Does it qualify qualitative qualifies for more risk analysis? So how we qualify it is we say what’s the probability and the impact? What’s the chance of the odds of happening and then what effect will it have on our project if it does happen? So that’s how we qualify it. We focus our efforts on high priority risk. We might spend a little bit more time on those that are obviously high priority.
They are imminent in the project and they need to go on to more analysis right away. But this is really a fast and quick approach. Now not every risk needs qualitative risk analysis. Two things can happen. You could identify a risk and you can tell right away it’s going to have a high probability and a high impact. So this will go on to quantitative analysis where quantitative analysis is a more in depth serious study. Or you could identify a risk, a meteor is going to fall out of the sky and wreck your project. All right, that could happen but the odds are low. Haven’t really experienced that before and so we’re going to say that’s pretty likely not in our odds of happening. So we’re going to put that in the risk register. If someone feels possible, that could happen and we’ll keep an eye on it. It’s called the low level risk watch list. That might be weather, could be an example. The meteor, I don’t know if that they have a meteor shower for weather or not, but it could be something that weather could be one of those examples there that’s more realistic than the meteor falling out of the sky. Quantitative risk analysis though is what we’re aiming for.
So based on the outcomes of qualitative will tell us should we promote that to quantitative qualitative? Qualifies the risk quantitative will quantify how much, quantify the probability. We have good odds and the impact, we have a dollar amount. So quantitative, so we’re examining and prioritizing based on probability, based on the impact on the project. This is just a real fast subjective approach here but we’re preparing for quantitative.
We have to use some caution though, the Facilitator. Whether that’s you the project manager or a team lead or a stakeholder, they may be biased towards one area of the project where they are really scared of that or they think it’s a really big risk and so they’re seeing things through that filter. And that filter could shift or change the probability and the impact as they see it. So it doesn’t always have to be that it’s going to be for greater. It could be that, hey, in my area of the project we don’t have any risk. I got this under control, low probability, low impact, low probability, low impact on every risk. And that’s not really a good way to judge or to do some of this qualitative analysis.
So we just have to be aware that make sure someone isn’t that they’re biased towards the risk in one way or the other. That could affect the effectiveness of qualitative risk analysis. Some other considerations here. The risk management plan will direct how you do this. Your organization may have processes, methodologies, even a scoring model already established. And we’re going to look at the scoring model coming up. What’s the current status of the project? Are you already in motion? Are you almost to the end? Is this right at the beginning? So your approach here will change as you get deeper and deeper into the project and identify new risks that you have to analyze early in the project. We have a lot of risks that we’re going to be able to see. So the number and the type of risk could really bog us down early just by doing qualitative.
The further along the project goes, the more risk that we get beyond us. So basically the odds of project success increase the closer you get to the end of the project. Early in the project, the odds of project success are actually very low because you’ve got a long way to go. There’s a lot of unknowns between now and the end of the project. If you’re going to train for a marathon, the odds are in day one you’re not going to make it. But the closer you get and do your training and stay on your diet and exercise, you get up to race day, the odds begin to increase that it’s going to happen. Same thing in a project. The project type will also affect your risk analysis approach.
So how you analyze it project or a construction project or a manufacturing project, those disciplines will affect how you do your analysis. We also have to consider how accurate is the source of the risk data. Are we just dreaming this stuff up or do we really have people that know based on their experience, the probability and the impact assumptions analysis we come back to? Again, remember the assumptions log. So the assumptions law we want to know will the assumptions be evaluated, how will you evaluate them, what people will participate in that? And then the stakeholder register is also an input because we need the stakeholders, the people that are closest to the risk and what they see as a high impact or a high probability based on their experience or what requirements that risk could be affecting in the project. To do qualitative analysis and to create this probability impact matrix, this is what we’ll see. So you have all of your risk identified and then you begin to judge the probability of that risk happening. If it does happen, what’s the impact, and then we create this risk score. So in this example, I’m using just low to high. You might use from very low to very high. Or I’ve seen people do a rag rating red, amber, green, and then the score is some color of orange when those two begin to mix together. So what’s the score tell us is you could say any risk above moderate needs to go on to quantitative analysis or any risk above high and very high, those will go on to quantitative.
So it’s a real fast and actually a pretty subjective way of gauging our risk. But it’s a way of filtering out risk that we don’t need to spend more time and money on because they’re low or the odds of them happening are very low and so on. So this is a probability impact matrix in a qualitative analysis. We’ll see another one coming up that’s more in depth in quantitative. When we think about our risk parameters though, we also have some considerations. So we’re thinking about when we do qualitative, will this influence our probability, our impact, or should it go right on to quantitative? So some considerations here. What’s the urgency of the risk event? What’s the proximity? How long before it’s going to happen? Dormancy?
How long after the risk event happens will we actually see the results? So you could have a risk that happens early on, but you won’t know that it affects you to way later in the project. So if you’re pouring concrete, for example, and there’s an air or defect in it, you may not notice it until the cracks start to happen or something shifts. So it could have a big impact, but much later in the project and I just made that up, I know nothing about concrete. So you get the idea though, something could happen now, but we don’t know about it till later. Is it manageable? What about controllability? Can you control that outcome of the event? Some other parameters here, is it detectable? How easy is it to identify that the risk occurrence has happened? Connectivity, is it connected to other risks? So you have like this domino effect. What about the strategic impact and then the propinquity?
So basically it’s what’s the perception of the risk by key stakeholders? So you have the CEO who says, oh, I think this is a risk and now other stakeholders say, oh, I agree, that’s a very dangerous risk there. So what’s its relationship among stakeholders? Charting risk acceptability might create a bubble chart. All right, so this is a bubble chart. Basically, the bigger the bubbles are, the more significant the impact, the more significant the risk event. So you have the scale of high to low and that could be the key performance indicators on your project. And so in the upper right hand corner, if it’s a very high probability, a very high impact, where it’s going to affect your time or cost or scope or some combination of those.
You don’t want big large bubbles in the upper right hand corner and then in the lower left hand corner, smaller bubbles are okay. But it’s just a way of showing the distribution of risk from high probability, high impact to low probability, low impact based on the size of the bubble. That’s a bubble diagram. Finally, what do we get as a result of qualitative risk analysis? You see which risks are imminent and those risks usually have a higher degree of urgency. If they are going to happen, it’s going to be in the near future what risks need more study, so we go on to quantitative analysis. What risk could proceed directly into risk response planning?
Like you can just tell high probability high impact. We don’t need to spend time studying it. Let’s start creating some responses for it. And that could also be because the risk is in the near future, which risks are not critical, but they’re still documented. So that low level risk watch list and then let’s have a prioritization of risk so that very high down to very low using an Ordinal scale here in qualitative. All right, a lot of information I know a lot of things to know about qualitative risk analysis.
- Preparing for Quantitative Risk analysis
Quantitative risk analysis aims to quantify the risk. So we’re trying to find some true numbers when it comes to probability and impact. So we are quantifying the risk event. The more serious the risk we’re talking about, the higher the probability, the higher the impact. That’s going to set us up for doing risk response planning. So this helps us with decision making, helps us understand the probability and the impact. But quantitative, unlike qualitative, takes more time. And sometimes you might have a budget to really do quantitative risk analysis. Our whole goal of quantitative risk analysis is we say what’s the likelihood of reaching the project objective? What’s the likelihood of the project being successful? What’s our overall risk exposure?
And can we create a contingency reserve to offset these risk events? So we’ll be doing that in this portion, identify the risk that has the biggest impact. So part of that influence diagram where we study one risk event and what does it have on the others. So we’ll talk a little bit more about that. And then what are some realistic time, cost, and scope targets based on the probability and impact and the outcome here in quantitative risk analysis? Let’s check out the ETOs for our quantitative risk analysis. Our inputs, a lot of inputs here. So we have our PM plan, specifically your risk, your scope, baseline, schedule baseline and cost baseline.
The risk management plan, project documents, again, a lot of documents, just like we saw in qualitative assumption, your basis of estimates, cost estimates, cost forecasting, duration, estimating milestone list, the resource requirements, the risk register, the risk report and schedule forecast. And then of course, we have EEF and OPA tools and techniques, very similar tools and techniques, expert judgment, data gathering like interviews, representations of uncertainty, and the data analysis. Can you do a simulation? Can you create a lab, if you will, to simulate or to test the risk sensitivity analysis that gets back to that size of the individual risk?
We were just talking about decision tree analysis and influence diagrams, our outputs. We’re going to create a risk report that’s our project document update. So risk report we’ll look at in this lecture. Performing quantitative analysis, we’ll be interviewing stakeholders and experts. We’ll do risk distribution so where risk loaded or sprinkled throughout our project. So it helps us identify areas where risk may be lurking. And if risk are all bunched up at the beginning of our project or at the end of our project, then we can plan accordingly. Sensitivity analysis is where we take one risk event and we say, if this event happens, what will it do on our whole project? It’s not the consideration that if A happens, then B happens and C happens. It’s the sensitivity of our project to just this one risk event. Is this really serious? Will this wreck our project?
And if it does, then what do we do? Our goal here is to create real probability and real impact. And so that’s the expected monetary value. So we’ll see that probability impact. But we’re going to be using real facts and figures here. You might do some modeling and simulation. So modeling, we’re talking about, like, your network diagram. You place some what ifs or you create some model data and you play some what ifs or. You say, if these come in late and these come in early, what will that do to my schedule? So modeling and simulation, the Monte Carlo analysis can come back in here. We saw that earlier in the court. And expert judgment. So these are all some tools and techniques that are pretty common when it comes to doing quantitative risk analysis. All right, great job. I’ll see you in the next lecture.
- Applying Sensitivity Analysis
Sensitivity analysis is a study where we see what’s the real impact, the real effect of one risk on the project goals. So how sensitive are we to that one risk event? So which one is most critical, and then how do we prioritize based on sensitivity analysis? So the process that you go to, if you want to do sensitivity analysis, you look at each risk on its own. We don’t consider it in combination with other risk events. And so which risk event has the greatest effect on the project?
So you ignore or baseline all of your other risk events, and then we see, how will that one risk affect our overall success? The goal is to see which one of your risk really has the largest effect on the project. If we’re just rating our risk like we did there in qualitative, you just have everything’s a moderate. But really, some of those are heavier than just a moderate or have a greater effect than just moderate. So risks aren’t always equal. Rarely are they equal. So which one is really the biggest risk event of all of the risks we have in the project?
That’s our goal of sensitivity analysis. Thank you very much. Often, when you do sensitivity analysis, you get this tornado diagram, kind of looks like a tornado. So what you’re seeing here are the pros and cons of different risks. So you’re looking for the one that has the biggest problem probability and the biggest effect, and that would be the one that you would go and attack first. So that’s a tornado diagram. You might get a question like, which quantitative analysis approach would create a tornado diagram? It would be sensitivity analysis. All right. Good job.