What is project risk management, and why is it important? Distinguish between a "risk" and an "issue", and between negative and positive risk.
Definition + ConceptDefinition: Project risk management is the art and science of identifying, analyzing, and responding to risk throughout the life of a project, in the best interests of meeting project objectives.
Risk vs. Issue: A risk is a probable bad thing — it hasn't happened yet. An issue is a bad thing that has happened. If a risk is not managed effectively, it has a higher chance of becoming an issue; once it becomes an issue, it still needs to be managed, and this is usually more challenging than managing the original risk.
Why it matters (research evidence):
- A study by Ibbs and Kwak found that risk has the lowest maturity rating of all project management knowledge areas across industries.
- A KPMG study found that 55% of "runaway" projects (significant cost/schedule overruns) did no risk management at all.
- A KLCI study found real benefits from good risk practices — e.g. 80% helped anticipate/avoid problems and 60% helped prevent surprises.
Negative vs. positive risk: A general definition of project risk is an uncertainty that can have a negative or positive effect on meeting project objectives.
- Negative risk — involves understanding potential problems that might impede project success; managing it is like a form of insurance, an investment (e.g. getting off a moving train).
- Positive risk — risks that result in good things happening, also called opportunities (e.g. investments, entrepreneurship, adopting new technology).
The goal of project risk management is to minimize potential negative risks while maximizing potential positive risks.
List and briefly explain the six processes of Project Risk Management.
List + Explain- Risk management planning — deciding how to approach and plan the risk management activities for the project; the main output is a risk management plan.
- Risk identification — determining which risks are likely to affect a project, and documenting the characteristics of each.
- Qualitative risk analysis — prioritizing risks based on their probability and impact of occurrence.
- Quantitative risk analysis — numerically estimating the effects of risks on project objectives.
- Risk response planning — taking steps to enhance opportunities (positive risks) and reduce threats (negative risks) to meeting project objectives.
- Risk monitoring and control — monitoring identified and residual risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies throughout the project's life.
What topics should a Risk Management Plan address? Explain the difference between contingency plans, fallback plans, and contingency reserves.
List + CompareThe main output of risk management planning is a risk management plan — a document describing how risk will be managed throughout the project. The level of detail varies with the needs of the project. Typical topics addressed:
- Methodology — how risk management will be performed.
- Roles and responsibilities — who is responsible for managing which risk areas.
- Budget and schedule — for the risk management activities themselves.
- Risk categories — the areas or sources risks are likely to come from.
- Risk probability and impact — how these will be assessed and rated.
- Risk documentation — how findings will be recorded and reported (e.g. a risk register).
| Term | Meaning |
|---|---|
| Contingency plan | Predefined actions the project team will take if an identified risk event occurs. |
| Fallback plan | Developed for risks with a high impact on objectives; put into effect if the original risk-reduction attempt is not effective. |
| Contingency reserve | Provisions (money/time) held by the project sponsor or organization to reduce the risk of cost or schedule overruns to an acceptable level. |
Explain the tools used in qualitative risk analysis, and describe the four response strategies for negative risks.
Explain + ListQualitative risk analysis assesses the likelihood and impact of identified risks to determine their magnitude and priority. It is relatively quick and requires less effort than quantitative analysis. Key tools:
- Probability/impact matrix — lists each risk's relative probability of occurring against its relative impact (rated high/medium/low), so the team can focus on high-probability, high-impact risks. A risk factor (a number combining probability and consequence) can also be calculated.
- Top Ten Risk Item Tracking — a periodic review of the top ten project risks, listing current rank, previous rank, number of months on the list, and a summary of resolution progress — used to maintain awareness of risk throughout the project.
- Expert judgment — relies on the intuition and past experience of experts to categorize risks as high/medium/low, and to build/monitor a watch list of low-priority risks.
Response strategies for negative risks (threats):
| Strategy | What it means |
|---|---|
| Risk avoidance | Eliminating a specific threat, usually by eliminating its cause. |
| Risk acceptance | Accepting the consequences if the risk occurs (no proactive action taken). |
| Risk transference | Shifting the consequence of a risk, and responsibility for managing it, to a third party (e.g. insurance, outsourcing). |
| Risk mitigation | Reducing the impact of a risk event by reducing the probability of its occurrence. |
Risks that remain after all response strategies have been implemented are called residual risks.
Numerical: A project manager can either proceed without extra testing or invest in extra testing to reduce risk. Using decision tree analysis, calculate the EMV for both options and recommend a choice.
Calculation (Past-paper style)Scenario: Planned budget: 1,000,000 LKR. A risk in integrating a third-party API could cause a 2-month delay and an extra cost of 300,000 LKR, with a 30% probability of failure. Investing 50,000 LKR now in extra testing reduces the failure probability to 10%.
Concept: A decision tree is a diagramming technique used to select the best course of action when future outcomes are uncertain. Expected Monetary Value (EMV) = probability of an outcome × its monetary value, summed across all branches.
EMV without testing:
EMV = (0.70 × 1,000,000) + (0.30 × 1,300,000)
EMV = 700,000 + 390,000 = 1,090,000 LKR
EMV with testing:
EMV = 50,000 + (0.90 × 1,000,000) + (0.10 × 1,300,000)
EMV = 50,000 + 900,000 + 130,000 = 1,080,000 LKR
Recommendation: The EMV with extra testing (1,080,000 LKR) is lower than without testing (1,090,000 LKR) — investing in testing reduces the expected overall project cost, even though it adds an upfront 50,000 LKR. The project manager should choose to invest in extra testing, since it lowers the probability of the costly failure outcome and reduces total expected cost.