PMI PMP Project Management Professional – Introducing Project Risk Management Part 4
- Finding the Expected Monetary Value
In qualitative analysis, we had a probability impact matrix that we look at each risk event and what’s its probability, what’s the odds of it happening, and its impact. How much would it score from very low to very high. Well, in quantitative, we have a similar approach, but we’re using real numbers. What I mean by real numbers, we’re not using an Ordinal scale. We’re using a cardinal scale. So we’re saying from zero point ten to zero 99, for example, or from zero to 100, if you wanted. And then typically, we do a dollar amount for the impact. So to find the expected monetary value, what we’re doing is we’re multiplying the probability times the impact.
And instead of having a risk score, we have expected monetary value. So, for example, we have a risk could be $10,000 if it occurs 20% chance of happening. So zero point 20, its expected monetary value would be 20% of 10,000. So the expected monetary value is $2,000. We could say if it’s for negative risk, it would be negative $2,000. We typically use a cardinal scale. What we’re looking for is our overall risk exposure based on these risk events. It’s the sum of all of these risk events will tell us our contingency reserve. And I like to say is what we’re doing here.
We’re hedging our bets that some risk events are going to happen and some are not. We’ll begin to identify our stakeholder tolerance for risk. So let’s take a look at that now. So here’s a probability impact matrix in quantitative, very similar to qualitative, you list all of your risk events, but now we have a true probability based on our analysis.
So you’ve created a lab that tests materials. You’ve run simulations. You have looked at past experiences and how often this event happened. So that’s the probability, the odds of it happening. Then we look at the impact. If it does happen, what will it cost us? So what’s the financial impact? A delay or you have to buy new materials or purchase something or pay a fine. What will the impact cost? So there’s the impact, and then we multiply the probability times, the impact. And you see an abbreviated there at the top ex dollar sign V, that’s expected monetary value. Now, notice risk A and B end up with a negative monetary value. Risk C is positive.
So it might be a cost savings or a time savings. If it does happen, it’s worth $25,000. The odds of it happening are pretty low, though. But you still count that, and then you can see risk D. We’re back to a negative risk event in that last column, the expected monetary value. If we were to sum that up, it would be negative 52,500. So that’s our risk exposure for our project, negative 52,500.
The inverse of that tells us our contingency reserve, the amount of funds we should put aside that are only for risk events. That’s our contingency reserve. Now you ready to find your utility function, ready to find your tolerance level. Let’s look at risk D here. It has a 40% chance of happening. If it happens, though, it’s going to cost your project $85,000. How much money do you have in your contingency reserve? 52? Five. So if it happens, it’s going to wipe out your contingency reserve, and you’re going to be upside down about 30,000, $32,000 to continue to pay for that risk event.
So if this is a high profile project, a stakeholder may look at that, and you would explain it to them. That okay, it’s only a 40% chance of happening. If it does, though, it’s going to cost $85,000. So are you willing to gamble, like our blackjack analogy earlier, are you willing to bet 500 or five so here, are you willing to let it ride that you could have a negative $85,000 in your project, but there’s a 60% chance that it won’t happen? Or do you say, no, no, I’m not comfortable with that. I’ll spend $50,000 now just to get rid of that risk, just to mitigate it, just to get rid of it. So that’s the stakeholder tolerance for risk. That’s your utility function. That unease that you feel is what we’re capturing here. So you’re quantifying that unease. So look at risk B, same thing. It is a 20% chance that it happens, and it’ll be negative 75,000 if it does, but there’s an 80% chance that it will not happen.
So how do you feel about that 80% chance that it won’t happen? So if you say, no, I’m still uncomfortable with that, and I’ll spend 40,000 here, I’m just making up that number. I’ll spend 40,000 here to get rid of that risk. So I’ll spend 40,000 to avoid negative 75. So you say, okay, and then you get to the project, and that risk you learn, probably wasn’t going to happen. You spent 40,000 more than if you had just gambled that it wasn’t going to happen. So you would have saved 40,000 in that instance. So this is the conversations you go through in quantitative. You’re looking at how much is the impact, how much would the resolution be in comparison to the probability in the expected monetary value, your contingency reserve?
Also, we do some analysis, and we’ve seen that a couple of times throughout this course. This idea of contingency analysis, this is our project timeline right here in this big S curve. If risk D is very early in our timeline, if it’s right here very early and it happens, that may be an opportunity as a kill point, that, okay, the risk is going to happen. We’re not putting any more money in the project. Or you could say, if we get past risk D, that negative $85,000 event, that’s worth $34,000 in our contingency reserve. Now we have more money for the remainder of the risk that we didn’t have to spend on activity d it didn’t wreck our project. So the closer I get to the end or the longer I can go in the project without having to dip into my contingency reserve, the odds of success continue to increase because that’s monies for these other risk events that are sprinkled throughout.
So the further I can go without having to touch it, that’s more and more money in that budget for these risk events that we’ve not yet touched. But if a risk event happens earlier in the project and we have to spend money now, new risk is introduced because we may not have enough funds in our contingency reserve for these other risk events that have yet to come because we’ve consumed our reserve early. So we may have to go back and say, hey, these events happen. We’ve had to spend the funds.
But don’t forget, we have all of these risks still to come, and there’s a probability and an impact tied to those, too. So this is part of quantitative analysis. You got to really study the risk and know what the impact is in order to have an accurate contingency reserve on your exam. I wouldn’t be surprised if you see a table like this and they ask how much your contingency reserve is. So, probability, times, impact, that gives you your expected monetary value in the last column, and then you sum them up, and then that would tell you what your contingency reserve is. All right. Good job.
- Using a Decision Tree
A decision tree is a visualization of a decision you need to make. It’s a way of taking two or even more different scenarios and trying to figure out which one is the best outcome. Which scenario will benefit you, your project, your organization, organization the most? So a decision tree, we can use some things like buy versus build. Should you lease something or purchase something or should I use an in house resource or go to a contractor and do outsourcing? So those are all just typical scenarios. So a decision tree, what you’re looking at, it examines the cost and benefits of each one of those decisions, each one of those possible solutions. So what’s the outcome of choosing that choice?
So what’s the cost of benefits but also what’s the probability of success? So the whole purpose here is you’re going to make a decision, you’re going to see how valuable the decision is and then which one will cost you the lease because that may affect your choice as well. There are some components here you need to know about. With the decision tree, you start with a single no, that’s typically the question should I buy or lease if I go from the vendor or if I do this in house? So what’s the best one here? That outcome will branch off like it makes a tree and then from that, that can branch off to more trees and so on. And then you have these different nodes that represent what’s the probability, what’s the decision, and then what’s the decision node?
And then that can branch into more decisions. And then ultimately you get to a decision for the final outcome. So chance nodes, I think I skipped over chance nodes are circles and they show the odds, the probabilities of that being successful or not. So here’s what one looks like a decision tree. You have these blue squares. There’s one blue square in this example. That is a decision. And then from that you get an outcome as a result of that decision. Then each outcome can have a chance, it can have the chance of being successful, the chance of costing more or less than X amount of dollars or whatever that chance may be, the probability of that coming true. And then from that you can make your decision node your final note. You won’t need to know a whole lot about this on your exam. It’s just mentioned a few times about using decision trees here in our risk analysis. So that would throw one in there just to give you a quick overview. All right, great job. Keep moving forward.
- Performing a Project Simulation
In quantitative analysis. We can also create project simulations. These are what if scenarios. So we think about the Monte Carlo analysis as one of the most common ones here. Remember, Monte Carlo analysis? We can do some what if games without affecting production. So you take this offline or just in piece of software and play what if.
So Monte Carlo analysis, it’s a piece of software. We saw this back in our quality chapter that you can plug this into Excel or it’s a standalone piece of software, and then it helps you realize what’s the likely distribution of your project. So what’s the likely what are the odds of hitting your outcome, your desired outcome, hitting your cost, your time, even your scope, if you can quantify that based on the number of risk and their probability of their odds. So it’s this combination of things and these what ifs can tell you, are you going to hit your cost? Are you going to be over budget or whatever? So here’s an S curve example. Let’s take a look at.
On the left hand side, you have your cumulative probability, and across the bottom, you have your cost. Your S curve shows up that early in the project. Based on the number of risks you have, you only have a 23% chance of meeting your target. So as the project chugs along, the further along you get in the target, the odds increase that you’ll meet your target.
So it’s pretty simple in here, but you have an 85% chance if XYZ come true in this example. So they’ve done some what ifs here to simulate. If these come true, what are the odds of hitting our $2. 45 million budget? So it’s the ability to get to these different points in the project based on what’s happening in your simulation. So this is what the Monte Carlo will create for you. Just your cumulative probability and the overall project cost in relation to one another. And the farther along you get, the odds of success go up, assuming the earlier risk don’t happen. All right, good job. I’ll see you in the next lecture.
- Planning Risk Responses
We’ve identified risk. We have done qualitative and quantitative analysis based on our risk management plan. Now we need to get into risk response planning, actually creating some strategies for negative and positive risk events. So, threats and opportunities. So our goal is to enhance opportunities, opportunities and reduce risk. We document our responses and then we also track their outcomes for lessons learned, our EDOs for planning risk responses, our inputs. Here your PM plan, specifically your resource management plan, risk management plan, cost baseline, our project documents, the lessons learned, register, your schedule, your assignments, the calendar, the risk register, the risk report, and of course your stakeholder register because they help with risk responses.
And then your buddies, EEF and OPA tools and techniques, expert judgment data gathering like interviews, interpersonal and team skills so facilitation. And we need a strategy for threats, for opportunities, any type of contingent response strategies so fallback or rollback plans, strategies for your overall project risk so data analysis, alternative analysis, cost benefit analysis and then decision making or outputs you may have change. Request updates to your project management plan like your schedule, cost quality, resource procurement, scope, schedule and cost baselines. Okay, so I know I rushed through that, but basically you could update your project management plan and you may have to update your different project documents.
So the assumption log, cost forecasting, lessons learned, the schedule, even your project team assignments, the risk register because the outcome and what you’re going to do with these responses and the risk report. So let’s hop in here, let’s get to the good stuff. I want to respond to negative risk. I can escalate, I can avoid, I can transfer, I can do mitigation and I can do acceptance. So you look at this guy, he’s up on some big piece of equipment here. It’s pretty scary, right? So this may be something that you personally would avoid. You could say, no, we’re not doing that portion of the project or that’s outside of our scope. Escalate may be a risk that is significant, but it is outside of the project manager’s ability to respond to. So they escalate that risk to management. Avoidance, like we were just talking about, avoidance would be you change your plan to avoid the risk altogether, could even mean you reduce your scope so that risk is now outside of the project.
You just want to avoid it. You don’t want it to happen at all, you don’t want it in the project. Transference means we hire someone else. So we hire a vendor and they’re going to go up on this piece of equipment. The risk doesn’t go away, but someone else owns it, usually for a fee. Is transference usually a contractual relationship here? Mitigation is one of the most common ones and that’s what can we do to reduce the probability and the impact of the risk event? Do you see mitigation in this picture? So in this picture, mitigation the risk is someone could get injured, this worker could get injured. So the mitigation is they are harnessed in, so it reduces the probability and the impact of this guy falling off that piece of equipment.
Acceptance are for risks that are usually low level or you have very little control over, like the weather or a vendor leaving or being late. Sometimes there’s not much you can do about it. So acceptance are usually low probability. You just accept it, you just deal with it and that’s just part of the project. So these are negative risk responses. Let’s take a look at managing positive risk. Positive risk you can escalate, you can exploit, you can share, you can enhance, and you can also accept. Escalate is the same thing where it’s outside of my control or my ability to manage. So I escalate that onto management. So maybe there’s a great market opportunity here, but that’s not part of my project, so I escalate that to management. Exploiting is where you want to make everything right in the project to take advantage of a scenario. So if you look at this construction site here, they’re working at night time, so they get a bonus if they get done early. So they’re going to work twenty four seven to try to get that bonus. So they’re exploiting the fact that they could work 24/7 in order to get the bonus in the project. Sharing is where you partner up with another group to take advantage of a positive risk that you may not be able to realize on your own.
So you might have two companies join forces or more simple version, you need 90 versions of a software license. If you get to 100 license, you’ll get a reduction in the overall fee. So maybe you go out in your organization, you see, is anybody else need this? If we can get ten more, we get a reduction. So you might buy 100 when you only need 90, and then you share that with other people. That cost savings. Enhancing is where you want the risk to come true and you try to enhance the scenario. You try to put the odds in your favor for the risk to happen. And then accepting could be all right, you get a discount, okay, we accept it. Or there’s a small time savings, so we accept it. So those are for positive risk. A term you need to know will be contingent responses. This is like your worst case scenario.
In some instances it’s like a fallback plan or a contingency plan. So if you’re installing a piece of software and it keeps crashing and you’re just going to roll it back for everyone, you’re not going to release it. So it’s your worst case scenario. So certain predefined conditions tell you when will you do this fallback plan or contingency plan. So you have some triggers, it’s documented in your risk register and two names for it. As I mentioned a contingency plan or a fallback plan. You’ll update your risk register based on your response strategies. So whatever those are for, positive and negative, you document that in the risk register, you want to be very specific about what does it mean to have this response. So explain the response. So the risk owner understands you’re clear on what they’re to do, what are the triggers or warning signs or conditions. That means the risk is happening. So now respond. Do you have a budget and schedule? In order to do the risk response, you probably will need one, right? Risk owners and responsibilities. So there is a risk owner and then owners have roles and responsibilities. And then again, in your risk register, you have the contingency plan or the fallback plan, some other terms here. When it comes to risk, we have residual risk and secondary risk.
A residual risk is where you do a risk response, and then it creates new, smaller risks that you generally just have to live with. So, example of a residual risk could be you’re going to do transference. You hire a vendor to come on the risk. Well, you hire that vendor and they come on the risk. But now that creates new risks. Like this vendor may be a disruption in the workplace or they could steal something or whatever, but that is a residual risk. They’re smaller, probably lower probability, lower impact, but they still exist. A secondary risk is where your risk response is a domino effect, where one risk, if it happens, creates another, creates another. And it doesn’t necessarily mean that they’re smaller.
When we have transference, like that electrician, we have a contract, so this introduces procurement. We may also need to justify our risk reduction. So back to that probability and impact and that utility function, your willingness, your tolerance to take on risk. So you may be able to justify spending money just to avoid the risk altogether or to do mitigation rather than just leave money in the contingency reserve. So justifying risk reduction may be a conversation you have to have. All right, great job, a lot of information, keep moving forward.
- Justifying Risk Reduction
At the end of the last lecture, we talked about justifying risk reduction, but there may be times when it’s better to spend money just to get rid of the risk than to allow that risk to be lurking in the project. So justifying risk reduction is the examination of the cost to eliminate the risk altogether in proportion to the probability, the impact and the risk score. So you may have instances where if we could get rid of this one risk based on like, sensitivity analysis, what’s the impact of this one risk that would really help the entire project be more successful and we wouldn’t have that risk hovering over the project. So justifying risk reduction, typically, though, you need more time and more money to do it. So you have to justify why you need more time and more money. And then is the solution worth the trade offs? If there’s only a 10% chance of it happening, it’s a pretty low probability. That means there’s a 90% chance that it won’t happen.
But if you’re right in that 45 and greater as far as percentages go, then maybe you start thinking about this as worthwhile to spend our way out of this with the assumption that I can spend my way out of this, that the probability and impact assessment is valid. So we really want to study that before we go with that argument and have some good proof as to why we should spend our way to avoid or mitigate the risk event. So what we’re talking about here is the cost of prevention or lowering the risk of it actually happening. So we’re talking about probability and impact. How do we lower that or avoid it? So what’s the cost to prevent it versus the cost of just responding to the risks? We look at that ratio, it would be to prevent it would be $10,000. To respond to it would be $60,000. So maybe that’s a pretty good decision. But if it’s going to be 50,000 to prevent it and respond to it 60, then I have to think about, well, what are the odds of it really happening? Those are pretty close there. Maybe it’d be better to save that 50 and basically hedge my bets it’s not going to happen, than to spend the 50 and then we could have gotten by it. What happens if the eliminated cost savings? So if the risk doesn’t happen and let’s look at that again, if a risk is not eliminated, so what’s the cost savings if the risk doesn’t happen? All right, so that was a mouthful there. Basically what we’re saying here is if I have to spend 60,000 to make this risk go away and I say, no, I’m not going to do that, I’m going to gamble, basically the risk won’t happen.
So now I have a cost savings, the risk didn’t happen, and I saved the 60,000 over here. But the opposite, if the risk does happen, and I didn’t pay for it, how much is that going to cost me? How painful will that be? So cost is inherent also in the project delay. So we’re talking about just money here. But we also think about that. A risk could have a delay in our project schedule, so you might be paying for that labor or a penalty or fine or having to give up a bonus.
So there’s other costs that may be there when the most apparent cost is just the time delay. There could still be other factors here. I have to use some good judgment here. So I need some subject matter experts, some analysis of budget and time to figure this stuff out, about solving the risk. Do I want to reduce the impact or probability, and how much would that cost me? So this takes a little bit of time to do, but it’s worth doing, especially for those significant risk events or risks that are early in your project. This is typically something that we want to do. All right, good job. I’ll see you in the next lecture.
- Implementing Risk Responses
Now that we have created our risk responses, it’s time to actually go and implement responses. So we have them identified, documented, everybody agrees on them, everyone knows what their responsibilities are, so we’re ready to carry this out. Part of this is to communicate and make certain there’s understand with the risk owners that they’re empowered to do the risk responses so when they see a risk event happening, we already have this plan, we have this risk response so we want to ensure that the owners can go and respond accordingly.
Risk responses want to make certain that if it does happen, what was the outcome? So we want to document that did the risk go away, did our response work, was it valid? And then what was the cost and the time and the outcome? So we implement our risk responses. Our ito here for risk responses. Our inputs will be our PM plan like the Risk Management Plan project documents like Lessons learned, the Risk register, the Risk report and OPA tools and techniques, expert judgment, interpersonal and team skills basically influencing and your PMIs outputs. You could have change request and updates to your project documents like the issue log, the risk register, the lessons learned register your assignments and the risk report.
So these are all the results of actually implementing the responses. So to break that out a little bit more, did the response create any new issues so it could have so we have to document that in the issue log, lessons learned, what was the outcome? What did we learn from this experience? So that becomes part of OPA? You may have to change some project team members around here. You might have some assignments that if this risk happens, we’re going to take it away from that responsibility, away from a junior employee and a senior employee will manage that now.
So you may have to shift some things around or change materials or equipment or what have you. The risk register is updated to reflect any changes that have happened in the risk report. You’re going to update the changes to show the project risk exposure in this risk report. All right, so these are the results of implementing risk responses moving forward.
- Monitoring Risks
Our last process here in risk management is to monitor risk that we keep an eye on these risk events. We don’t just identify them and do some analysis and have responses, and then now we ignore them. We have to monitor these to see if the probability and impact could change. So we track the these, we look at these residual risks from those smaller risks that are created by a risk response. And we also want to evaluate how responsive has our responses been? So that didn’t make sense. How effective have our responses been? I’m getting towards the end of the course as well, so I got a little punchy there. So effective is what we’re after.
So how effective were your risk responses? Let’s check out our edo here. Okay, our PM plan, your risk management plan, project documents like the issue log, lessons learned, register the risk report. Then we have work performance data and work performance reports to help monitor risk tools and techniques. We do data analysis. We have technical performance analysis. You have a reserve analysis. You might have audits to see how effective your risk were. You might have a financial audit for monies you’ve spent on the risk. And you have meetings.
The outputs of monitoring the risk will be work performance information change request, PM plan updates, and then just really any component of your project management plan could be updated. Project documents could be updated, like your assumption, an issue log, your lessons learned to register the risk, register the risk report, and you might have OPA updates. So that’s monitoring risk. Basically, you just keep an eye on your risk events and you update your documents and your plan based on what you’re experiencing or what you’re seeing in the project. Risk monitoring means we are checking out our effectiveness of our risk responses.
Are there changes in the overall project risk? And if there are, how do we respond to these changes? What’s the status of our individual project risk? And are there new risks that have been identified or introduced to the project? So, risk monitoring, we want to know, are our approaches, are these still appropriate? Do they still seem valid?
What about our assumptions? Has that changed at all? Are those still valid? How about our risk management policies and procedures? Are people following those? How’s our contingency reserved for cost or schedule in our project strategy? Is this still valid? Is our whole approach still valid? Or is it too laden with risk and we need to step back and think things through a little bit more. Our results of risk monitoring, we have work performance information, change requests, corrective action, preventive actions. Those are change requests. Updates to your PM plan, updates to your project documents, and OPA updates. So these are the results of risk monitoring. All right, great job. Keep moving forward.
- Section Wrap: Project Risk Management
Great job finishing this section. Ton of information here. On risk management. I know we’re getting towards the end of the course, still a bit more information to go, but this is one of the largest sections in our course. So I really want you to spend a little bit more time here in your study efforts. You don’t have to do it right now, but just as you’ve go back and study, really come back to chapter eleven on risk. A lot of terms, a lot of opportunities for test questions. So put that on your schedule to return to chapter eleven in the Pinball guide and make certain you know these terms and how you respond to risk is all those risk responses you want to be familiar with and understand those. I also want you to think about, as you complete this course, what risk is introduced in your study strategy.
So are you getting tired, you’re getting worn down? You’re getting a little bored with project management? I understand that this is sometimes pretty dry material, and it’s a lot of material, so it’s easy to get worn down. But now’s the time to come back with a renewed sense of commitment. As you’re completing these last few modules and you’ve got to go and study and spend some time studying to pass the exam, now is the time to go. All the way back, we talked about why are you doing this, what’s your business value? Remind yourself why this is important and why you want to get this done and why this is good in your life.
So take heart, be confident, keep that PMA, you can do this. Great job. You did it. You finished this really big section. I know on project risk management, a lot of information we talked about in this section. The theme that we talked about was risk management.
We have opportunities and threats. So we compared and contrasted those, and we even had responses for opportunities and responses for threats. But before we created responses, remember, we had to create a risk management plan. And the risk management plan addressed the environment that we’re in, the policies that we have for risk management, those enterprise environmental factors and organizational process assets that that really influenced our risk management approach. Then we talked about risk identification, that we have to get out and identify risk events.
And then we create the risk register. That’s an ongoing activity to identify risk events and add them to the register to do some qualitative risk analysis and then quantitative that I qualify the risk and that if necessary, I quantify the risk and that will help me better respond and create eight risk responses. And then I monitor the ongoing risk. All right, good job. You finished it. You’re almost done with the course. We have just a few more sections to go, so keep moving forward. You can do this.