Let’s start with a bit of theory.

What is a Risk? According to PMBOK (A Guide to the Project Management Body of Knowledge by PMI) Risk is “An uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives.”

Risk is usually caused by uncertainty – uncertainty in the project requirements, accidents, legal liabilities, unplanned resource loss, financial state of the company or market, natural causes and disasters, competition and many other reasons.

Risk can be indentified within a specific project or can be live independently of a specific project.

The objectives of Risk Management are to decrease the probability and impact of negative events on various company activities.

Risk Management therefore is a process of identification, assessment and prioritization of risk, followed by planning activities to minimize, monitor and control the risk’s negative effect on the specific project process or other company activity. A very important part of Risk Management is  response planning and the execution of those plans.

A company can use different strategies for managing risk including:   

• Avoidance strategies– Changing the project management plan to eliminate the threat posed by the risk, to isolate the project objectives from the risks impact, or to relax the objective that is in jeopardy (extending schedule, reducing scope).
• Transference strategies– Shifting the negative impact of a threat, along with ownership of the response, to a third party. This is most  effective when dealing with financial risk exposure,
• Mitigation strategies–Reduction in the probability and\or the impact of a risk to an acceptable level by taking an early action. Taking early action is often more effective than trying to repair the damage after the risk has occurred.
• Acceptance strategies– Recognizing or accepting specific, or all, consequences of the risk. This may be effective when changing the project plan may not be cost effect, or when it is difficult to  identify any other suitable response strategy.

  These Risk Management processes will help guarantee that all risks are:

• Identified and registered in the system.
• All duplicate risk requests are identified to avoid redundant work and cost-effective utilization of resources.
• Evaluated by the corresponding people. Correct strategy should be selected for managing specific risk.
• Dedicated people should be able to estimate the resource and budget investments required for managing specific risk.
• In case resolution of specific risk causes essential changes in the system, it would be highly recommended to submit corresponding Change Request.

See continuation of the article in the Risk Management  - Lifecycle and Risk Management - Useful Tools and Techniques.

Used References

1.    PMBOK - A Guide to the Project Management Body of Knowledge by PMI, 3rd Edition
2.    Wikipedia – Risk Management
3.    ISO/IEC Guide 73:2009 (2009). Risk management — Vocabulary. International Organization for Standardization.
4.    ISO/DIS 31000 (2009). Risk management — Principles and guidelines on implementation. International Organization for Standardization.

 The following diagram shows the flow of Risk Management life-cycle:

Managing a risk undergoes following stages in its life cycle:
1.    Risk Identification
2.    Risk Analyses
3.    Risk Response Planning
4.    Risk Response Execution & Monitoring
5.    Execution Verification
 

1.    Risk Identification

During the first state of Risk Identification, the list of risks are submitted to Clarizen’s  Issues/Risk page. The application allows you to determine which risks may affect the project or other business process and document their characteristics.

In Clarizen’s Risk Management life cycle (what is the Risk Management Life Cycle? You don’t mention it at all, don’t know what you are referring to) you are at the Evaluation stage:

It is highly recommended that you accurately enter all available information about the Risk, including Severity and Priority.  It is important to categorize Risks using the Category field, this will help you in building strict risk classifications.

It is a best practice to include a description of the risk with the use case scenarios. 

If the Risk was identified by the customer, link it to the corresponding customer(s), identify if the resolution of the Risk was committed to and include the commitment date, if any. Properly identifying the source of Risk will help you in giving the best possible service to your customers.

If a Risk was identified within specific project, define To be Resolved in project already at this stage.

The Risk should undergo the process of analysis and planning by a team of specialists. In many cases, the risk management team are the people that help to assess the risk impact as well as its strategy and the response execution plan. This team can differ from the core project. It is best practice to assemble such team for the Risk.

It is recommended to document the responses of the Approvers in the document attached to the Change Request.

It is a common practice to list Risks using a Risk Register list.

A Risk Register is a tool widely used in Risk management for indentifying, analyzing and planning risks.

You can filter the report by the To be Resolved in field or by the State Submitted or Assign to fields for a specific user or by any other relevant condition.

It may be helpful to review the useful tools for Risk Identification in the section Risk Management - Useful Tools and Techniques.

2.    Risk Analysis

Risk Analysis is the next step within the Evaluation stage:

In this phase you prioritize risks for further action by assessing and combining their probability of occurrence and impact, also called qualitative risk analysis.
You may also numerically analyze the effect of identifies risks on overall project objectives (cost impact, schedule impact, etc), also called quantitative risk analysis.
The findings are to be documented in the properties of the corresponding Risk. This will guarantee that at all phases you will be able to provide your team members with the most complete and most up to date information on the Risk.
It may be helpful to review the tools for Risk Analysis tips in the section Risk Management - Useful Tools and Techniques.

3.    Risk Response Planning

At this step, still within the Evaluation stage, you develop options and actions to enhance opportunities and to reduce the threats created by the risk.

In our block diagram, the planning steps follow the analysis stage. You need to take into account that in many cases you will divide the planning step into two steps – preliminary and final planning.
Preliminary planning is done to provide the team who is analyzing and decisiding on the strategy of managing the risk with the estimations of work, time and budget investments.
Final planning is done to provide the implementation team with the schedule and content of the required related works.
You can decide to go for one of the three possible options to provide the execution plan:
1.    Describe the plan in the Risk property card in the corresponding fields of the Assessment & Plan tab.
2.    Define a work plan for Risk response execution by linking a Risk to the work item: Project, Milestone or Task, in the corresponding project, and scheduling required activities.
3.    Both

When you link a Risk to a work item (option 2 and 3 above), this work item and its subordinate work items represent the work plan for risk response execution.

Clarizen will automatically calculate the estimated Work that should be invested in the risk response execution and you will be able to review it directly in the properties of the Risk. The budget investments can be viewed in the properties of the work item itself.

  After the risk response execution starts %Completed, Actual and Remaining effort fields in the Risk properties instantly represent the progress of the related work. The Project team can track the progress of the risk response execution without going into the related work plan details.

 Please see a brief on the useful tools for Risk Response planning in the section Risk Management - Useful Tools and Techniques.

After you are done with Planning you are ready for the next phase of the Risk life cycle called Resolution or Risk Response Execution.  Use the Mark as Opened command to switch to the next phase of the life cycle.

4.    Risk Response Execution & Monitoring

You are now in the Resolution phase of the life cycle.

This is a phase where you execute the response to the risk or, in other words, perform activities to implement the strategy selected for Risk management.

Now you can proceed to actually perform the work detailed in the execution response using Clarizen to track and monitor all activities. The related work plan can still be fine tuned at this phase. Risk team members can review the progress of the work in the %Completed, Actual and Remaining effort fields of the Risk property card.

If you do not work with related work plan, you can manually update %Completed, Actual and Remaining effort fields in the Risk properties.

Use the Mark Resolved command to switch to the next Verification phase of the life cycle after you completed all works required for implementing response plan of risk management.
 

 5.    Execution Verification

You are now in the Verification phase of the life cycle.

In this phase you will verify the Risk Response Execution.

You will use the Risk definitions defined in the first phase of the life cycle, requirement documents and collaboration materials that were created through all phases.

Use the Reopen command if the risk response execution did not pass the verification criterions.

Use the command Close to close the Risk upon successful verification.
 

In this section, the tools and methodologies that you can use during various phases of managing a risk are briefly described.

Risk Identification

There are many tools and techniques for Risk identification. Documentation Reviews

• Information gathering techniques
  • Brainstorming
  • Delphi technique – here a facilitator distributes a questionnaire to experts, responses are summarized (anonymously) & re-circulated among the experts for comments. This technique is used to achieve a consensus of experts and helps to receive unbiased data, ensuring  that no one person will have undue influence on the outcome
  • Interviewing
  • Root cause analysis – for identifying a problem, discovering the causes that led to it and developing preventive action
• Checklist analysis
• Assumption analysis -this technique may reveal an inconsistency of assumptions, or uncover problematic assumptions.
• Diagramming techniques
  • Cause and effect diagrams
  • System or process flow charts
  • Influence diagrams – graphical representation of situations, showing the casual influences or relationships among variables and outcomes
• SWOT analysis
• Expert judgment – individuals who have experience with similar project in the not too distant past may use their judgment  through interviews or risk facilitation workshops

Risk Analysis

Tools and Techniques for Qualitative Risk Analysis 

• Risk probability and impact assessment – investigating the likelihood that each specific risk will occur and the potential effect on a project objective such as schedule, cost, quality or performance (negative effects for threats and positive effects for opportunities), defining it in levels, through interview or meeting with relevant stakeholders and documenting the results.
• Probability and impact matrix – rating risks for further quantitative analysis using a probability and impact matrix, rating rules should be specified by the organization in advance. See example in appendix B.
• Risk categorization – in order to determine the areas of the project most exposed to the effects of uncertainty. Grouping risks by common root causes can help us to develop effective risk responses.
• Risk urgency assessment - In some qualitative analyses the assessment of risk urgency can be combined with the risk ranking determined from the probability and impact matrix to give a final risk sensitivity rating. Example- a risk requiring a near-term responses may be considered more urgent to address.
• Expert judgment – individuals who have experience with similar project in the not too distant past may use their judgment  through interviews or risk facilitation workshops. 

Tools and Techniques for Quantities Risk Analysis 

• Data gathering & representation techniques
  • Interviewing–You can carry out interviews in order to gather an optimistic (low), pessimistic (high), and most likely scenarios.
  •  Probability distributions– Continuous probability distributions are used extensively in modeling and simulations and represent the uncertainty in values such as tasks durations or cost of project components\ work packages. These distributions may help us perform quantitative analysis. Discrete distributions can be used to represent uncertain events (an outcome of a test or  possible scenario in a decision tree)
• Quantitative risk analysis & modeling techniques- commonly used for event-oriented as well as project-oriented analysis:
  • Sensitivity analysis – For determining which risks may have the most potential impact on the project. In sensitivity analysis one looks at the effect of varying the inputs of a mathematical model on the output of the model itself. Examining the effect of the uncertainty of each project element to a specific project objective, when all other uncertain elements are held at their baseline values. There may be presented through a tornado diagram.
  • Expected Monetary Value analysis (EMV) – A statistical concept that calculates the average outcome when the future includes scenarios that may or may not happen (generally: opportunities are positive values, risks are negative values). These are commonly used in a decision tree analysis.
  • Modeling & simulation – A project simulation, which uses a model that translates the specific detailed uncertainties of the project into their potential impact on project objectives, usually iterative. Monte Carlo  is an example for a iterative simulation.
• Cost risk analysis - cost estimates are used as input values, chosen randomly for each iteration (according to probability distributions of these values), total cost will be calculated.
• Schedule risk analysis - duration estimates & network diagrams are used as input values, chosen at random for each iteration (according to probability distributions of these values), completion date will be calculated. One can check the probability of completing the project by a certain date or within a certain cost constraint.
•  Expert judgment – used for identifying potential cost & schedule impacts, evaluate probabilities, interpretation of data, identify weaknesses of the tools, as well as their strengths, defining when is a specific tool more appropriate, considering organization’s capabilities & structure, and more.

 Risk Response Planning 

• Risk reassessment – project risk reassessments should be regularly scheduled for reassessment of current risks and closing of risks. Monitoring and controlling Risks may also result in identification of new risks.
• Risk audits – examining and documenting the effectiveness of risk responses in dealing with identified risks and their root causes, as well as the effectiveness of the risk management process. Project Manager’s responsibility is to ensure the risk audits are performed at an appropriate frequency, as defined in the risk management plan. The format for the audit and its objectives should be clearly defined before the audit is conducted.
• Variance and trend analysis – using performance information for comparing planned results to the actual results, in order to control and monitor risk events and to identify trends in the project’s execution. Outcomes from this analysis may forecast potential deviation (at completion) from cost and schedule targets.
• Technical performance measurement – Comparing technical accomplishments during project execution to the project management plan’s schedule. It is required that objectives will be defined through quantifiable measures of technical performance, in order to compare actual results against targets.
• Reserve analysis – compares the amount of remaining contingency reserves (time and cost) to the amount of remaining risks in order to determine if the amount of remaining reserves is enough.
• Status meetings – Project risk management should be an agenda item at periodic status meetings, as frequent discussion about risk makes it more likely that people will identify risks and opportunities or advice regarding responses.