Project Initiation, Planning and Execution
MBA643
Project Risk, Finance, and Monitoring
Workshop 5
How to manage project risk
Copyright Notice
COPYRIGHT COMMONWEALTH OF AUSTRALIA
Copyright Regulations 1969 WARNING
This material has been reproduced and communicated to you by or on behalf of
Kaplan Higher Education pursuant to Part VB of the Copyright Act 1968 (the Act).
The material in this communication may be subject to copyright under the Act. Any
further reproduction or communication of this material by you may be the subject of
copyright protection under the Act.
Do not remove this notice
Principles for managing project risk
In the past few weeks we have sought to provide
students with some concrete skills to assist in
selecting projects and assessing their financial
viability.
This week though we take a step back and look at
some of the key principles and processes in
managing project risk. These include:
• Risk planning
• Risk assessment
• Risk types and identification
• Risk handling and responses
Learning objectives
By the end of this week’s workshop students should
be able to:
• Describe and discuss the principles and
processes of risk planning
• Demonstrate an understanding of risk assessment
• Identify, explain, and discuss different types of
project risk
• Explain and critically assess how to handle or deal
with risk and identify and discuss specific risk
responses
Workshop activity Managing project risk
Working in small groups and drawing on your own
experience or understanding of projects and project risk,
please list as many potential risks or threats as you can for
the following types of projects:
1. A large IT project
2. A government social policy project
3. A national health/medical records/data initiative
4. An international financial services project
Project risk planning
“You can observe a lot by just watching”
– Yogi Berra
Planning for risk involves paying attention. When we don’t watch, projects fail.
According to some research as many as 75% of all projects fail. This figure
from research completed in 1994 might be viewed sceptically, but what it
suggests is that a great many projects don’t succeed.
Most projects fail for three reasons:
• They are actually impossible to achieve
• They are over-constrained
• They are not competently managed
Source: Kendrick, T. (2015), Chapter 2, Planning for risk management
Project risk planning
Managing and avoiding risk, therefore, requires
planning. Project risk planning can be defined as the
detailed formulation of a program of action for the
management of risk.
It is the process to:
• Develop and document an organised, comprehensive,
and interactive risk management strategy
• Determine the methods to be used to execute a
program’s risk management strategy
• Plan for adequate resources
Source: Kerzner, H. (2013), p.720
The project risk management plan
A risk is any uncertain event that may affect your project. While not all risks
can be avoided or overcome, they can usually be managed or mitigated
by careful risk planning.
Risk planning is an iterative process that involves understanding and
identifying risks, analysing them, determining how to handle or respond to
them, and then monitoring them, before commencing the process over
again.
Perhaps the single most important output from risk planning is
development of the project risk management plan. Risk planning sets out
the risk management strategy and process, but the risk management plan
puts this into practice.
The project risk management plan
Like most forms of planning, there is no one, single way
to develop or create a risk management plan. There are,
however, several key areas that need to be addressed in
your risk management plan.
These are:
• Risk assessment – This is where broad issues are
identified and analysed in terms of their
consequences and the probability that they might
occur. (In Week Three we have already discussed how
to develop just such a risk matrix.)
• Risk identification – This is where we try to identify
specific examples of project risks. At this point they can
also be categorised or grouped according to type.
• Risk handling and responses – This is where we determine how specific risks should
be handled or dealt with, what strategies we will use. We might also determine
classes of risk responses relating to groups or types of risk.
• Risk monitoring – In this final stage we monitor and/or measure the impact of
particular risks or risk events. The information extracted from this stage should feed
back into our risk planning activities.
Project risk management plan templates
Your risk management plan should focus on the four issues described above:
• Assessment
• Identification
• Handling and responses
• Monitoring (and measuring)
The precise layout of your risk management plan, however, and any additional information that you
might choose to include may vary depending upon your organisation or specific interests and
requirements.
Following are a number of risk management plan templates that you may find suitable when you come
to develop your own risk management plan:
• Risk management plan template No. 1
• Risk management plan template No. 2
• Risk management plan template No. 3
Workshop activity Project risk planning
In the previous slide we referred to the use
of templates in order to assist in the
development of an organisational risk
management plan. Using the templates
referred to above, along with any others
you might locate, please try to identify what
sort of information people might include
beyond the four key areas we have
already discussed, that is, assessment,
identification, handling, and monitoring.
What other things do people see as
worthy of inclusion in their risk
management plan?
Please take ten minutes to identify
information before spending a further five
to ten minutes to discuss it.
Risk assessment
Risk assessment is the broad term used to describe the overall process of
identification, analysis, and evaluation of risk. It involves considering risk in
terms of the probability and consequences of risk events, as well as other
possible considerations, such as the frequency of occurrence, the time to
impact, and the relationships to other risk events.
It can be a difficult and time consuming element of project risk
management, but it is also one of the most important.
There are a number of ways to assess and analyse risk. We will examine a
number of these next week, including:
• decision tree analysis
• scenario analysis
• sensitivity analysis
• break even analysis.
One key method, however, which we have already explored briefly is the
qualitative risk matrix.
Risk assessment The Risk Matrix
Key elements of the risk matrix, therefore, include:
• The probability of a risk event occurring
Which is usually aggregated into four or five groups ranging from rare to
almost certain. These group headings can also be further defined by a ‘historical’
description, such as “May occur, but only in rare circumstances”.
• The consequences of a risk event occurring
Which is usually aggregated into four or five groups ranging from
insignificant to catastrophic. These group headings can also be further defined by
developing definitions which might be applied according to who or what might be
impacted, such as people, finances, data, the environment, etc.
• Response type and timeframe
Which is usually aggregated into three or four different organisational response
types, such as low risk, medium risk, high risk, and extreme risk. For each risk
response type an action would be determined which would reflect the seriousness
of the risk event and the timeframe in which the response should occur. The
response types are usually colour coded to demonstrate which risk events are most
serious and require most immediate attention.
Workshop activity Risk assessment
The Northern Sugar Alliance – SugarFree ©
The Northern Sugar Alliance operates a sugar mill in northern NSW. It has
recently decided to expand operations by introducing a new low GI, low calorie
sugar product. Management believes the product, SugarFree will be a market
winner as consumers search for lower calorific products which are still ‘all natural’.
The new product though requires a new refining process. This will mean the mill
will need to generate more power. There may be additional fumes and some
additional waste product which they plan to experiment using as a fertilizer on
adjacent farmland where cane is grown. All of this will require regulatory and
government approval. They will also need to borrow to make their expansion
happen, but they are confident that the business case supports their plans.
In groups prepare a number of different risk matrices. Each matrix should
try to identify a couple (either two or three depending upon time available)
of different response groups that might be affected by risk events. What
types of response groups can you think of that might be relevant in this
situation?
Risk identification
The next key phase is the risk identification phase. At this time we seek to start to identify specific risk types or
risk events.
There are a number of methods or approaches that companies can use to do this. Such methods will include
information or data that is either objective or subjective.
Objective information/data (often in the form of quantitative data) includes:
• Recorded experiences from previous projects (this may exist in the form of what is known as a ‘risk register’
– a document that seeks to build up a dossier of historical project risks and the circumstances surrounding
them)
• Project or program reviews and evaluations
• Related project files and descriptions
• Performance data
Subjective (qualitative) information/data includes:
• Expert advice
(One particular method involving expert advice is referred to as the Delphi Technique, in which a team of experts
is consulted anonymously and provided with information briefings. Responses to the information briefings
are received and then sent back to the experts for further consideration until some degree of consensus is
achieved about the nature of perceived risks)
• Interviews and personal responses or experiences (where companies interview project participants and
stakeholders in an effort to identify potential risks)
• Brainstorming (usually in small groups involving project participants)
• SWOT analysis – Strengths, Weaknesses, Opportunities, and Threats (again, usually in small groups
involving project participants)
Risk identification
Many individual or specific risks fall under common risk categories. These provide a useful starting point to
identify precise risk events. Risk checklist categories include:
• Technical issues – do we have the technical capacities, what are the technical implications or linkages, is
there scalability, can we meet technical costs, are there additional technical fees or charges, etc.
• Costs – have we accounted for everything, how thorough are our cost projections, have we included
contingencies, etc.
• Scheduling – can we complete the project on time, have we produced a critical path, do we have
contingencies for scheduling overruns, what happens if we miss a deadline, are there costs involved in
missing a deadline, etc.
• Contractual – do we have appropriate contractual safeguards in place relating to supply chains, staffing, etc.;
what are the implications or costs associated with breaches of contract
• Financial – is the project budget sufficient, are our budget projections/predictions appropriate, do we have
contingencies, etc.
• Political – do we have all regulatory approvals, is the project politically acceptable, is there a chance the
project might be politically targeted, have we consulted widely enough with all relevant stakeholder and
interest groups, etc.
• Environmental – are there implications for the environment, have we accounted for environment protections,
do we have all necessary and regulatory approvals, etc.
• People – do we have the necessary staff to see the project through to completion, are there ongoing staffing
considerations, are there training issues or requirements, have we considered safety and occupational
welfare issues, etc.
Risk identification Life-cycle risk analysis
Source: Kerzner (2013), p.723
A further type of risk identification is known as life-cycle
risk analysis, in which broad types of risk
events are identified as relating to specific phases in
the project life cycle.
In the example above, four project stages are
identified: project approval, preliminary and detailed
planning, execution, and closure.
For each of these phases, generic risks have been
identified. As suggested by the accompanying graph,
in the early stages of the project the risks are high as
information and detail are low. As the project
progresses, however, as more is known and as
milestones are ticked off, total project risk falls.
Correspondingly, though, as the project nears
completion, as greater investments pour into the
project the commercial stake in the project
increases.
As each project phase is completed, the remaining
risks associated with each remaining phase become
more important and the dollar stake associated with
them becomes higher.
Risk identification
“The value in each of these approaches to risk identification
lies in the methodical nature of the approach, which forces
disciplined, consistent evaluation of potential risk issues. All
these approaches should be considered for each project,
and a mixture of approaches is likely to be superior to any
single method…Finally, it is important that all project
personnel should be involved in risk identification.
Designating a small subset of people to perform risk
identification almost always diminishes the results from both
a technical perspective and a behavioural perspective and
can lead to decreased risk management effectiveness.”
Kerzner (2013) p.727
Workshop activity Risk identification
The Northern Sugar Alliance – SugarFree ©
In the previous activity you nominated several different risk assessment
categories that the Northern Sugar Alliance might reflect on during their risk
management activities.
Building on the broad categories that you identified, given the scenario
provided and working in the same groups, students are now asked to try to
identify some specific risk events for each of the (two or three)
categories that you previously identified.
• Where possible try to think of risk events that fall under each of the relevant ‘consequence levels’.
• So, if you identified the ‘environment’ as one of your broad risk categories, now try to identify
an actual event that might fit within each consequence level, such as insignificant, minor,
moderate, major, catastrophic.
• Again, the idea here is not to demonstrate a detailed knowledge of sugar cane farming, but rather
to demonstrate an ability to begin to think in terms of project risks, risk levels, and potential risk
responses.
Risk handling and responses
For most types of project risk there are usually four (generic) possible
ways in which they might be handled. These are:
• You can try to avoid it
• You can try to mitigate it
• You can try to transfer it
• You can accept it
Risk handling and responses
There are a number of factors that will influence what type of
response we adopt when dealing with or handling risk. These
include:
• The amount of quality information that is available about the
actual hazard that has given rise to the risk – what is known as
descriptive uncertainty
• The amount of quality information on the magnitude of any
potential damage – what is known as measurement uncertainty
• The existence of cost-effective alternatives – what are known as
equitable risks
• The existence of high-cost alternatives or possibly the lack of
options – what are known as inequitable risks
• The length of exposure to the risk
Source: Kerzner (2013) p.742
Risk handling and responses
Risk avoidance
The best thing you can do with a risk is avoid it. If you can prevent it from happening, it
won’t hurt your project. The easiest way to avoid falling off a cliff is to move away from
the edge. But walking away from the risk might not always be an option for every project.
Risk avoidance, perhaps more correctly, seeks to redesign project basics in order to reduce
or limit the opportunities for risk. It might ask: Why do we need to be near the edge in the
first place? Can we achieve our goal without even being up the cliff? Almost by definition
then, risk avoidance is something that you do at the start of a project, something which
should become an integral part of the planning process.
Risk mitigation
If you can’t avoid the risk, you can try to mitigate it, or reduce its effects. This means
taking some sort of action that will cause it to do as little damage to your project as
possible. It is a form of risk management. It is a case where you are aware that risk
exists, but where you have taken steps to minimise the effects of that risk. This might be
done by early prototyping, so as to understand what might happen in given
circumstances; by design experiments, also as a means of understanding the nature of the
risks involved; and by modelling or simulations. All of these activities can be time consuming
and can add to the costs of a project, but by developing an awareness of the risks you
can more effectively limit the effects, which will almost certainly produce cost benefits in
the long run.
Risk handling and responses
Risk transference
An effective way to deal with a risk is to pay someone else to accept it for you – most of
us do this all the time. It is a kind of risk sharing. The most common way we transfer risk
is by taking out insurance. Other common types of risk transfer include the use of third
party contracts where external providers might take responsibility for a particular aspect
of a project. This is especially popular (and practical) where it is unlikely that you will
have all the necessary expertise to complete the project to the required standards.
Appropriately developed third party contracts can ensure that all the risks associated with
particular aspects of the project are the responsibility of an expert partner. Difficulties
usually only arise when the third party contracts do not adequately spell out exactly what
the expectations and obligations of all parties are.
Risk acceptance
Almost everything in life carries some degree of risk. When you can’t avoid, mitigate, or
transfer a risk, you simply have to accept it. But even when you accept a risk, at least
you’ve looked at the alternatives and you know what will happen if it occurs. If you
understand the nature of the risk you can plan for its eventuality, and this will likely help
you reduce its ultimate impact or severity.
Workshop activity Risk handling and responses
Risk monitoring
One final project risk management activity relates to the
monitoring and evaluation of project activities and data.
Systematically monitoring, tracking, and measuring project
activities and results using established metrics and against
articulated objectives and standards is essential for ensuring
that the project remains on track.
Monitoring results can also provide the basis for developing
additional risk handling strategies, or updating existing risk
handling strategies and re-analysing known risks.
Risk monitoring
Risk management indicator system
Costs              Performance        Scheduling
Behind target      Behind target      Behind schedule
On target          On target          On schedule
Ahead of target    Ahead of target    Ahead of schedule
The key function of risk monitoring processes is to establish a management indicator
system that keeps track of:
• Costs
• Project performance
• Scheduling
The indicator system might offer visual cues and reporting on whether the project is
meeting or falling behind expected milestones. These cues might suggest what areas are
on target, what areas are behind target, and what areas are ahead of target.
The aim of the management indicator system is to provide an early warning of potential
problems in order to allow or trigger management action.
Risk monitoring
Risk management indicator system
Each monitoring area should be underpinned by acknowledged
performance measures or metrics. For example:
• Cost measures might include budget forecasts against actuals, and
actual income and expenditure against forecasts. It might track
supply chains, labour, and hours worked.
• Performance measures might include staff appraisals, the ability to
meet technical specifications and standards, regulatory
accreditations, and stakeholder feedback and input to determine
whether the project is achieving its objectives.
• Scheduling measures might include critical path analysis and project
performance against GANTT or PERT charts to ensure that
milestones are met.
Workshop activity Risk monitoring
In the previous slides we introduced the concept of the ‘risk
management indicator system’. We suggested that the three key
areas for monitoring were costs, performance, and scheduling.
We also provided a number of examples for specific metrics that
might be used to assess performance in these areas.
In groups identify as many additional metrics for these
monitoring areas as possible, then discuss them with the
class. You can use internet research.
Do you think some are more valuable than others? Is there
one particular metric that you think should always be
included?
Next Week
Next week we will spend time looking
specifically at how we analyse and model project
risk, when we examine several key functions.
These include what are known as:
• Break even analysis
• Scenario analysis
• Sensitivity analysis
• Decision tree analysis