PMI-RMP Plan Risk Management Tutorial

Objectives of Plan Risk Management Process

The key objectives of the plan risk management process are as follows: to develop an overall risk management strategy for a project, which includes knowledge of how to execute risk management processes for the project and how they should be integrated with overall project management activities. The output of plan risk management process is the risk management plan which serves as the roadmap for identifying, analyzing, and addressing the risks of the project. In the next screen, we will focus on the purposes of the plan risk management process.

Purposes of Plan Risk Management Process

The risk management plan describes how the risk management processes should be carried out and how they fit in with other project management processes. It also describes the relationship between project risk management, general project management, and project management processes in the organization. To leverage maximum benefit, risk management planning needs to be carried out in the early stage of the project; and the corresponding risk management activities need to be integrated into the overall project management plan. A risk management plan defines the roles and responsibilities of the people involved in the risk management process, the amount of money required, the timelines to be set aside for risk management activities, and the predetermined risk categories to be documented as part of the risk management plan. So, a risk management plan consists of information on how risk management is carried out and how it fits with the other project management knowledge areas such as scope, time, quality, cost, communication, human resources, procurement, and integration. In the next screen, we will continue focusing on the purposes of the plan risk management process.

Plan Risk Responses

• Plan Risk Responses is the process of developing options and actions to enhance opportunities and to reduce threats to project objectives. The key benefit of this process is that it addresses the risks by their priority, inserting resources and activities into the budget, schedule and project management plan as needed. 

Risk management Process

Risk management is a three step process:

1. 1. Risk Identification
2. 2. Risk Analysis
   • Qualitative Analysis
   • Quantitative Analysis
3. 3. Develop Risk Response Plans

Process Definition

• Planning this process involves choosing which response approach to use for each identified risk, then creating a plan for that risk.  Contingency plans for addressing identified risks include: avoid, transfer, mitigate, and accept. 

Process Assessment

• There are pros and cons as to what approach to take when planning risk responses; qualitative vs. quantitative.  With my experience, I would start with the probability and impact of qualitative risks.

1. Risk Management Plan (Input): This was the actual finished risk management plan by group 3 from PMGT 613.  The Risk Management Plan is a main input for the  Plan Risk Response process.

2. Strategies for Negative Risks: homework from PMGT 613, identifying various risks and then developing a chart on whether, to mitigate, avoid, transfer or accept.

3. Project Document Updates: This HR Management Plan taken from PMGT 501 was used as an example as one of the project management updates.  It’s an example of a project document update which is an output for planning the risk response process.

1. 1. Plan risk management which describes how risk management will be implemented via the risk management plan
2. 2. Identify risks along with their causes and responses and goes on to set up the risk register
3. 3. Perform quantitative risk analysis which ranks and prior advises the risks
4. 4. Perform quantitative risk analysis which sets a quantified value to the ranked risks usually in terms of cost or time

Types of Plan risk responses

There are just two inputs to Plan risk responses: 

The risk register

• This contains all of the information gathered from the previous four processes, and is obviously necessary in order to determine the most appropriate responses.

 The risk management plan

• This plan sets risk tolerance for the project, how all risks are to be managed and who is responsible for the various activities along with their costs and time, and how the management of plan risk responses risks are to be communicated.

 There are four outputs from Plan risk responses:

• The risk register updates. This will now be updated with the risk response activities.

Strategies for negative risks or threats.

Avoid.

• This plan risk response takes action upfront to either reduce the probability to zero, or the impact, or both. In essence, such your response enables the risk to be sidestepped entirely. An example might be that if a certain risky process is to be used in creating a product, then choosing a different and low risk alternative process would remove the risk altogether.

Transfer.

• Here, the risk is transferred to a third party so that they are responsible for the management and impact of a particular risk(s). This is normally done via a contractual agreement. Another method, often used in the construction industry, is to take out an insurance policy against the cost impact of the risk.

 Mitigate.

• This response is used to reduce the risk by taking some action to do so. Unlike avoid, this response seeks to reduce the probability or impact, or both. An example might be the risk of excessive rework in designing a complex product, and augmenting the development team with highly knowledgeable and experienced staff.

Accept.

• This is the ‘do nothing’ plan risk response. It is usually chosen either because the risk is low in terms of impact or probability, or that the cost and effort of taking a different action is out of proportion to the risk itself. When acceptance is chosen, it should still be documented and entered in the risk register, where ongoing action is to observe the risk to ensure that acceptance is still the most desired response.

Strategies for positive risks or opportunities.

Exploit.

• This response tries to remove any uncertainty so that the opportunity is certain to happen. Using an example similar to mitigate above, enhancing the team with higher skills may enable the product to be enhanced in some way such that greater benefits can be realized.

Share.

• This response identifies that the opportunity may be more likely if a form of partnership is set up with a third party. This type of response is often used when negotiating to win a contract and partnering may improve their chances of contract award.

 Enhance.

• The success of risk management strongly depends on providing a clear and unambiguous expression of each identified risk. Best practice shows that this is more likely if first the risk cause or source of the risk is identified first, then the risk event describing the area of uncertainty, and then the risk affect or impact. This is true for both negative threats and positive opportunities.

 Accept.

• This is exactly the same as for a negative threat, but in this case you are accepting that the opportunity will either happen or not and no action is to be taken. In a similar way, it may be that taking action to ensure the opportunity happens is out of proportion to the opportunity itself.

Contingent response strategies

• These apply equally to both risks and opportunities.
• Whereas all of the above responses require that action is implemented ahead of the risk or opportunity, contingent actions are put in place but are not implemented until or unless the threat or opportunity occurs. In effect, these strategies help manage the outcome either to reduce the threat or maximize the opportunity.

Expert judgement

• This entails getting advice and guidance from those with sufficient expertise when it doesn’t already exist within the project. This might entail those with personal experience of similar risks or opportunities, or those with knowledge skills and experience of such risks or opportunities. Such expert judgement may come from an external source such as a third party or consultancy.

Involves

• Implementing risk response plans and workarounds,
• Tracking identified risks, monitoring residual risks, checking if assumptions are still valid

Risk Reassessments:

• Identifying new risks; evaluating risk process effectiveness throughout the project; closing old risks

The External Project Risk Audit examines:

• The team’s ability to identify risks.
• The effectiveness of risk response plans.
• The performance of risk owners.

Risk Control:

Variance and Trend Analysis

• Trends in performance analysed for variance from forecast using e.g. EVM
• Deviation from baseline plan could indicate impact of threats and opportunities

Reserve analysis:

1. 1. Taking actions to mitigate risks may have a positive or negative effect on the budget or schedule contingency reserves.
2. 2. Reserve Analysis
   • Compares the contingency reserves that are left
   • To the remaining risk in the project
   • Making an adjustment if necessary

Risk Reviews:

Essential to conduct Risk Reviews because risks can and do change

Review periodically or at phase end

• Separate meeting Agenda item Project Risk Review Meeting.

Remember to watch out for, keep an eye on, contracts and their inherent risks

Four Risk Responses

There are four possible ways to deal with risk.

1. 1. Avoid.  Eliminate the threat or protect the project from its impact.  Here is a list of common actions that can eliminate risks.
   • Change the scope of the project.
   • Extend the schedule to eliminate a risk to timely project completion.
   • Change project objectives.
   • Clarify requirements to eliminate ambiguities and misunderstandings.
   • Gain expertise to remove technical risks.
2. 2. Transfer.  This involves moving the impact of the risk to a third party.  Direct methods might be through the use of insurance, warranties, or performance bonds.  Indirect methods such as unit price contracts instead of lump sum (or vice versa depending on which side of the contract you’re on), legal opinions, and so forth.
3. 3. Mitigation.  Reduce the probability or impact of the risk.  This is not always possible and often comes with a price that must be balanced against the value of performing the mitigating action.
4. 4. Accept.  All projects contain risk.  As a minimum, there is the risk that it does not accomplish its objective.  Thus stakeholders, by definition, must accept certain risks.  Accepting risk is a strategy like any other, and should be documented and communicated like any other strategy.  Risk acceptance can be passive, whereby the consequences are dealt with after the risk occurs, or active, whereby contingencies (time, budget, etc.) are built in to allow for the consequences of the risk to the project.

The four risk response strategies can be applied to overall project risk as well.

Risk Consequences

Since there are two underlying factors to risk, probability and impact, each risk falls into one of the following four zones:

1. 1. Low Probability / Low Impact:  These risks are low on the priority scale, and some of them can be removed from the risk register if there is little value in focusing on them any longer.
2. 2. High Probability / Low Impact:  These risks are essentially minor annoyances but their frequency means that actions should be taken to reduce their occurrence.
3. 3. Low Probability / High Impact:  These risks generally need to be analyzed to ensure they do not occur.  Any roadblocks or potential trigger factors should be addressed during project planning to reduce their likelihood of occurrence to zero, or as close to zero as possible.  An example is the previously mentioned nuclear reactor maintenance project, where the chance of nuclear radiation leak is already low but it would be prudent to attempt to find and eliminate even the small potential trigger points.
4. 4. High Probability / High Impact:  When these risks exist, they are usually known to the stakeholders and an integral part of the decision to initiate/fund the project.  An example is potential traffic impact risk on a large freeway paving project.  However, if the risk analysis step turns up one of these which is not necessarily known to the project sponsor(s) or stakeholders, communication is essential.  Usually these types of risks can pose serious, even existential, threats to the project, therefore they almost always require action on the part of the project manager during project planning to make sure stakeholders understand the project risks.

Parts of a Risk Response

There is no one correct way to generate a risk response, but here are several principles which can be used as a guide.  The risk response should be:

• Cost effective relative to the significance of the risk
• Scaled to the magnitude of the risk
• Agreed upon by the applicable project stakeholders
• Achievable and realistic

Implementing a risk response plan requires the appropriate levels of time and funding.  This should be planned for in the project budget or another strategy developed to ensure the project does not go over budget or behind schedule because of unforeseen events.

After planning risk responses, changes to other areas of the project management plan could be necessary, such as schedule, cost, and scope.

Risk Communication

• Because the strength of the response to an unexpected event is often judged on communication, it is important that the risk register and response plans be communicated to the applicable stakeholders.  Think of any natural disaster event in recent memory.  Communication during the crisis can be more important than the response itself.  The response to the disaster will be measured on its communication as much as the response itself.
• Because of this, the risk register and response plans should be communicated to the appropriate stakeholders in advance, i.e. during project planning.  Then, when an unexpected event occurs the stakeholders will not only be more supportive of the response, but the final judgment will be much more favorable.  The project manager will be off to a running start.

Benefit 

1. 1. Addresses risks by their priority;
2. 2. Inserting resources and activities, as needed, into;
   • Budget.
   • Schedule.
   • Project management plan.

Negative risk responses 

• Risk avoidance. A risk response strategy whereby the project team acts to eliminate the threat or protect the project from its impact.
• Risk transference. A risk response strategy whereby the project team shifts the impact of a threat to a third party, together with ownership of the response.
• Risk mitigation. A risk response strategy whereby the project team acts to reduce the probability of occurrence or impact of a risk.
• Risk acceptance. A risk response strategy whereby the project team decides to acknowledge the risk and not take any action unless the risk occurs.

Conclusion:

1. 1. Establish and maintain management commitment to performing risk management on all capital projects.
2. 2. Start the risk management process early in the project life cycle—prior to approval of mission need (CD-0).
3. 3. Include key stakeholders in the process, with the DOE project director as the lead and the integrated project team (IPT) intimately involved in the process.
4. 4. Evaluate project risks and risk responses periodically during the project life cycle (CD-0 through approval of the start of operations [CD-4]).
5. 5. Develop risk mitigation plans and update them as the project progresses.
6. 6. Follow through with mitigation actions until risks are acceptable.
7. 7. Tie a project’s level of risk to cost and schedule estimates and contingencies.
8. 8. Effectively communicate to all key stakeholders the progress and changes to project risks and mitigation plans.