Performing a Risk Analysis
This process analyzes each risk from the risk register in terms of its probability and impact on the project if it were to occur. It should be performed as soon as possible after risks have been identified so that appropriate time and resources can be allocated to the more serious risks. It uses the probability and impact matrix (PIM) to rank and prioritize risks, and this information is placed back on the risk register.
Like all the processes and procedures for managing risk, this one should be performed regularly because new risks will be identified and the characteristics of existing risks may change as the project progresses. The risk management plan (part of the overall project plan) will explain the overall approach that needs to be taken to risk management on this particular project. It will detail how much risk is acceptable and who should be involved in carrying out the qualitative analysis of the known risks.
 |
The key elements of this plan used in this process are roles and responsibilities for conducting risk management, budget, schedule for risk management activities, definition of risk categories, definition of risk probability and impact, probability and impact matrix, and stakeholder's risk tolerances.
The scope of the project will have a direct bearing on the type and amount of risk that is likely to be encountered. In general terms, certain types of project are associated with certain types of risk. For example,
Construction projects the risks would include such things like, planning permissions, weather, health and safety legislation, and labor union issues.
IT project risks tend to be concerned with whether development software will perform as advertised and with compatibility issues.
Projects of a common or recurrent type tend to have well understood risks, whereas those breaking new ground tend to have more uncertainty.
 |
There are various techniques that can be used to identify risks.
 |
Risk Probability and Impact Assessment
Risk probability assessment investigates the likelihood that each specific risk will occur, whereas risk impact assessment investigates the potential effect on a project objective such as schedule, budget, quality, or performance.
 |
Both the likelihood and impact are given a score according to the definitions given in the risk plan and these can be considered together to provide a risk score. Risks with a high score will be given high priority while those with a low score will be included on a watch list for future monitoring.
Probability and Impact Matrix
Evaluation of each risk's importance and, hence, priority for attention can be done using a probability and impact matrix as shown.
 |
This specifies combinations of probability and impact that lead to rating the risks as low, moderate, or high priority. The type of management response should be:
1) Threats
o High-risk (shown in dark gray boxes) are priority and need a hard line response.
o Low-risk (mid-gray boxes) need to have a contingency made for them & monitored
2) Opportunities
o Dark gray boxes show ones to pursue first as they offer the most benefit & are more easily achieved.
o Mid-gray boxes indicate the ones to be monitored.
It is possible to rate a risk separately for cost, time, scope and quality. In addition, it can develop ways to determine one overall rating for each risk. An overall rating scheme can be developed to reflect the organization's preference for one objective over another and using those preferences to develop a weighting of the risks that are assessed by objective.
You will also need to examine how well the risk is understood and the accuracy, quality, reliability, and integrity of the data regarding it. If data quality is unacceptable, it may be necessary to gather higher-quality data. The risk breakdown structure (RBS) is the normal way to help structure and organize all identified risks into appropriate categories, and these will assist in determining which aspects of the project have the highest degree of uncertainty.
Risks that are likely to occur in the immediate future require more urgent attention than those that may occur later on in the project. Indicators of priority should include the time required to affect a risk response. In some qualitative analysis the assessment of risk urgency can be combined with the risk ranking determined from the probability and impact matrix to give a final risk severity rating.
 |
The risk register can be updated with the following information.
Relative ranking or priority list of project risks - the probability and impact matrix can be used to classify risks according to their individual significance. Risks may be listed by priority separately for schedule, cost, and performance since organizations may value one objective over another. The project manager can then use the prioritized list of risks to focus attention on those items of high significance to the most important objectives.
Risks grouped by categories - this can point to common underlying causes of risk, which may in turn suggest a holistic approach to dealing with them. Discovering concentrations of risk may also improve the effectiveness of risk responses.
List of risks requiring response in the near-term - includes those risks that require an urgent response and those that can be handled at a later date may be put into different groups.
List of risks for additional analysis and response - some risks might warrant more analysis, including Quantitative Risk Analysis, as well as response action.
Watch lists of low-priority risks - those that are not assessed as important in this process can be placed on a watch list for continued monitoring.
Trends in the analysis results - as this process is iterative, trends for particular types of risk may become apparent. This information can be fed back into the risk management process.
Assumptions log - the project scope statement may contain assumptions about the project, which may be updated as a result of the qualitative risk analysis done in this process.
This is the process of analyzing the effect of those risks identified as having the potential to substantially impact the project. It may be used to assign a numerical rating to those risks individually or to evaluate their aggregate effect. You will need to use the Risk Management Plan (part of the overall Project Plan) and the Risk Register, along with cost and schedule information. You can check out the complete range of Project Management PDF eBooks free from this website.
In some projects it may be possible to develop effective risk responses without this process. The availability of time and budget, and the need for qualitative or quantitative statements about risk and impacts, will determine which method(s) to use.
 |
Structured interviews can be used to determine the probability and impact of risks from subject matter experts. This information can then be used in the following modeling techniques:
Sensitivity Analysis - this involves analyzing the project to determine how sensitive is to particular risks by analyzing the impact and severity of each risk.
Expected Monetary Value (EMV) Analysis - determining the expected monetary value is to multiply the likelihood by the cost impact to obtain an expected value for each risk, these are then added up to obtain the expected monetary value for the project. A typical way of calculating EMV is using decision trees:
Decision Tree Analysis - these are in the form of a flow diagram where each node, represented by a rectangle, contains a description of the risk aspect and its cost. These rectangles are linked together via arrows each arrow leading to another box representing the percentage probability.
 |
Tornado Diagrams - these are named because of their funnel shaped and portray graphically the project sensitivity to cost or other factors. Each tornado diagram will represent the impact of risks in terms of particular aspects. These aspects may be the stages of phases of all project, and are ranked vertically and represented by a horizontal bar showing plus or minus cost impacts.
 |
Monte Carlo Analysis - is normally calculated by computer by analyzing many scenarios for the project schedule and calculating the impact of particular the risk events. It is helpful in identifying risks and the effect they have on the project schedule.
 |
Rather than ask each expert for a single value for each, the project manager would normally encourage each expert to provide an optimistic, pessimistic and realistic probability and impact value for each risk.
The risk register is further updated to include a quantitative risk report detailing quantitative approaches, outputs, and recommendations. Updates include the following:
Probabilistic Analysis of the Project - Estimates are made of potential project schedule and cost outcomes listing the possible completion dates and costs with their associated confidence levels. This output, often expressed as a cumulative distribution, can be used with stakeholder risk tolerances to permit quantification of the cost and time contingency reserves.
Probability of Achieving Cost and Time Objectives - With the risks facing the project, the probability of achieving project objectives under the current plan can be estimated using quantitative risk analysis results.
Prioritized List of Quantified Risks - This list of risks includes those that pose the greatest threat or present the greatest opportunity to the project. These include the risks that may have the greatest effect on cost contingency and those that are most likely to influence the critical path. These risks may be identified, in some cases, through a tornado diagram generated as a result of the simulation analysis.
Trends in the analysis results. As this process is iterative, trends for particular types of risk may become apparent. This information can be fed back into the risk management process.
You may also be interested in:
Project Risk Management | Creating a Risk Management Plan | Identifying Project Risks | Performing a Risk Analysis | Planning and Controlling Risk Responses.
|
|
