IT4306 · IT Project Management · Level II, Semester 4

Topic 11 — Project Risk Management

Five exam-style questions and model answers built from the course notes, lecture slides, and UCSC past papers — for quick, focused revision.

Ref: Schwalbe, Managing IT Projects, 9th Ed. · pg. 464–494 Weight: 06 theory hours Style: Structured Question paper (Part 2)

Answers are hidden by default — test yourself first, then reveal.

1

What is project risk management, and why is it important? Distinguish between a "risk" and an "issue", and between negative and positive risk.

Definition + Concept
~15 marks

Definition: Project risk management is the art and science of identifying, analyzing, and responding to risk throughout the life of a project, in the best interests of meeting project objectives.

Risk vs. Issue: A risk is a probable bad thing — it hasn't happened yet. An issue is a bad thing that has happened. If a risk is not managed effectively, it has a higher chance of becoming an issue; once it becomes an issue, it still needs to be managed, and this is usually more challenging than managing the original risk.

Why it matters (research evidence):

  • A study by Ibbs and Kwak found that risk has the lowest maturity rating of all project management knowledge areas across industries.
  • A KPMG study found that 55% of "runaway" projects (significant cost/schedule overruns) did no risk management at all.
  • A KLCI study found real benefits from good risk practices — e.g. 80% helped anticipate/avoid problems and 60% helped prevent surprises.

Negative vs. positive risk: A general definition of project risk is an uncertainty that can have a negative or positive effect on meeting project objectives.

  • Negative risk — involves understanding potential problems that might impede project success; managing it is like a form of insurance, an investment (e.g. getting off a moving train).
  • Positive risk — risks that result in good things happening, also called opportunities (e.g. investments, entrepreneurship, adopting new technology).

The goal of project risk management is to minimize potential negative risks while maximizing potential positive risks.

Exam tip: Examiners often ask you to first state the general concept (risk management / risk vs. issue), then support it with a named study and statistic — memorise at least the Ibbs & Kwak and KPMG findings, as these appear repeatedly as "importance of risk management" marks.
2

List and briefly explain the six processes of Project Risk Management.

List + Explain
6 × 3 = 18 marks
  • Risk management planning — deciding how to approach and plan the risk management activities for the project; the main output is a risk management plan.
  • Risk identification — determining which risks are likely to affect a project, and documenting the characteristics of each.
  • Qualitative risk analysis — prioritizing risks based on their probability and impact of occurrence.
  • Quantitative risk analysis — numerically estimating the effects of risks on project objectives.
  • Risk response planning — taking steps to enhance opportunities (positive risks) and reduce threats (negative risks) to meeting project objectives.
  • Risk monitoring and control — monitoring identified and residual risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies throughout the project's life.
Note: Some slide decks simplify this into a four-step cycle — Identify → Analyze & Assess → Respond → Monitor. If a question asks for four steps instead of six, group planning within "identify" and merge qualitative/quantitative analysis under "analyze & assess".
3

What topics should a Risk Management Plan address? Explain the difference between contingency plans, fallback plans, and contingency reserves.

List + Compare
~20 marks

The main output of risk management planning is a risk management plan — a document describing how risk will be managed throughout the project. The level of detail varies with the needs of the project. Typical topics addressed:

  • Methodology — how risk management will be performed.
  • Roles and responsibilities — who is responsible for managing which risk areas.
  • Budget and schedule — for the risk management activities themselves.
  • Risk categories — the areas or sources risks are likely to come from.
  • Risk probability and impact — how these will be assessed and rated.
  • Risk documentation — how findings will be recorded and reported (e.g. a risk register).
TermMeaning
Contingency planPredefined actions the project team will take if an identified risk event occurs.
Fallback planDeveloped for risks with a high impact on objectives; put into effect if the original risk-reduction attempt is not effective.
Contingency reserveProvisions (money/time) held by the project sponsor or organization to reduce the risk of cost or schedule overruns to an acceptable level.
Exam tip: These three terms are frequently confused — remember the order of escalation: Contingency plan (Plan B if risk occurs) → Fallback plan (Plan C if Plan B fails) → Contingency reserve (the buffer of money/time that funds either plan).
4

Explain the tools used in qualitative risk analysis, and describe the four response strategies for negative risks.

Explain + List
~25 marks

Qualitative risk analysis assesses the likelihood and impact of identified risks to determine their magnitude and priority. It is relatively quick and requires less effort than quantitative analysis. Key tools:

  • Probability/impact matrix — lists each risk's relative probability of occurring against its relative impact (rated high/medium/low), so the team can focus on high-probability, high-impact risks. A risk factor (a number combining probability and consequence) can also be calculated.
  • Top Ten Risk Item Tracking — a periodic review of the top ten project risks, listing current rank, previous rank, number of months on the list, and a summary of resolution progress — used to maintain awareness of risk throughout the project.
  • Expert judgment — relies on the intuition and past experience of experts to categorize risks as high/medium/low, and to build/monitor a watch list of low-priority risks.

Response strategies for negative risks (threats):

StrategyWhat it means
Risk avoidanceEliminating a specific threat, usually by eliminating its cause.
Risk acceptanceAccepting the consequences if the risk occurs (no proactive action taken).
Risk transferenceShifting the consequence of a risk, and responsibility for managing it, to a third party (e.g. insurance, outsourcing).
Risk mitigationReducing the impact of a risk event by reducing the probability of its occurrence.

Risks that remain after all response strategies have been implemented are called residual risks.

Exam tip: Structured-question papers often give a short scenario (like the SWOT-style S/W/O/T table in past papers) and ask you to classify or rate each item — practise reading a scenario carefully and mapping each clause to exactly one category, since partial marks are given per correct label.
5

Numerical: A project manager can either proceed without extra testing or invest in extra testing to reduce risk. Using decision tree analysis, calculate the EMV for both options and recommend a choice.

Calculation (Past-paper style)
25 + 5 = 30 marks

Scenario: Planned budget: 1,000,000 LKR. A risk in integrating a third-party API could cause a 2-month delay and an extra cost of 300,000 LKR, with a 30% probability of failure. Investing 50,000 LKR now in extra testing reduces the failure probability to 10%.

Concept: A decision tree is a diagramming technique used to select the best course of action when future outcomes are uncertain. Expected Monetary Value (EMV) = probability of an outcome × its monetary value, summed across all branches.

Root |-> Without Testing (cost 0) | |-> Success (70%): Cost = 1,000,000 | |-> Failure (30%): Cost = 1,300,000 | |-> With Testing (cost 50,000) |-> Success (90%): Cost = 1,050,000 |-> Failure (10%): Cost = 1,350,000

EMV without testing:
EMV = (0.70 × 1,000,000) + (0.30 × 1,300,000)
EMV = 700,000 + 390,000 = 1,090,000 LKR

EMV with testing:
EMV = 50,000 + (0.90 × 1,000,000) + (0.10 × 1,300,000)
EMV = 50,000 + 900,000 + 130,000 = 1,080,000 LKR

Recommendation: The EMV with extra testing (1,080,000 LKR) is lower than without testing (1,090,000 LKR) — investing in testing reduces the expected overall project cost, even though it adds an upfront 50,000 LKR. The project manager should choose to invest in extra testing, since it lowers the probability of the costly failure outcome and reduces total expected cost.

Exam tip: Always draw/write out the tree before computing — most of the marks (in the 2023/2024 past papers, 25 of 30) are awarded for the correctly structured tree and the working, not just the final number. Double-check that costs on the "failure" branches include both the base cost and the additional delay/failure cost.