Risk Management – Part 1


If you wish to achieve success in life, you need to take risks. Is that not what we have heard many times? What does risk mean here? Is it something to be afraid of? Is it something that will result in unforeseen incidents? I should say YES to all the above questions. For instance, think of risk as a challenge. If you have to face a challenge in life, you have only two choices: either face the challenge, or admit you have lost and leave the game. When you have to face a challenge, you need to plan how to face it. You need to take the help of others who have faced similar challenges in life. By doing so you will gain knowledge about the challenge and how to face it, and in turn you will gain the confidence to face it. It is the same with RISK. If you need to be risk free, or if you want to make your project risk free (which is next to impossible), the first thing is to understand what RISK is. How does it occur? What will be the impact if it occurs? How do you face it? By trying to answer all these questions we are actually analyzing the risk in order to counter it. Let us start with what a RISK is in project management terms.

A RISK is an unwanted and uncertain event that, if it occurs, has a negative or positive effect on one or more project objectives such as scope, schedule, cost and quality. Uncertainty is present in all projects. It is the responsibility of the PM to identify risks and take proper measures so that the risks, if they occur, will not cause much damage to the project. A risk does not necessarily have only one impact; there may be more than one impact from a single risk. Every risk has varying degrees of results. The severity of the risk is decided by the severity of its impact. We may divide risks into two categories, namely known risks and unknown risks. Known risks are those which are identified and analysed so that proper responses are planned in case the risk occurs. If a known risk cannot be managed, in the sense that a proper response is not possible, then a contingency reserve should be in place. Another point to remember is that unknown risks cannot be planned for and managed proactively, and therefore you need to have a management reserve in place. A risk takes the shape of an issue if its impact on the project is negative. So in short, a negative project risk is an issue.

Here we need to understand another point. Risk for the overall project is different from individual or internal project risks. Overall project risk is more than the sum total of individual project risks. The behaviour of organizations and stakeholders depends on the following qualities of RISK.

  • Risk appetite – Degree of uncertainty an entity is willing to take on in anticipation of reward.
  • Risk Tolerance – Degree, amount, or volume of risk that an organization or individual will withstand.
  • Risk Threshold – Measures along the level of uncertainty or the level of impact at which a stakeholder may have a specific interest. Below the threshold the organization will accept and prepare for the risk, and above the threshold the organization will not take it.

Positive risks are called opportunities and negative risks are called threats.

So, now we know that risks are of two types: positive and negative. Positive risks are opportunities and negative risks are threats. An organization should always be prepared to address risks and should have risk management planned. A risk can be anticipated at any stage of the project, so risk management is a project-long process.

Given below are the project risk management processes:

  1. Plan Risk Management
  2. Identify Risks
  3. Perform Qualitative Risk Analysis
  4. Perform Quantitative Risk Analysis
  5. Plan Risk Responses
  6. Control Risks

Plan Risk Management

In this process we plan how to conduct risk management throughout the project. Having understood what risks are and how they impact a project, it is not necessary to state once again how a risk will hamper the progress of the project.

Plan Risk Management: Inputs

We have already read that risk management is a project-long process, and we should know the what and when of the project. So, the Project Management Plan is an input; it holds all the other subsidiary plans as well. High-level risks and requirements are mentioned in the Project Charter, so it is another input. To perform risk management it is very important to know who is who in the organization, and that information is found in the Stakeholder Register, which is another input. We can also easily understand that there could be several factors which influence risk management. We term them Enterprise Environmental Factors, which speak about tolerances, thresholds, limits, degree of risk, etc. Risk categories, terms and definitions, formats, templates, etc. are called Organizational Process Assets, which are also taken as inputs.

Project Management Plan, Stakeholder Register, Project Charter, Enterprise Environmental Factors, Organizational Process Assets are inputs to this process.

Plan Risk Management: Outputs

We are conducting the Plan Risk Management process, so the output will be the risk management plan, which contains the following:

  • Methodology
  • Roles & Responsibilities
  • Budgeting
  • Timing
  • Risk Categories
  • Definitions of risk probability and impact
  • Probability of risk occurrence and impact
  • Tolerances
  • Tracking

Plan Risk Management: Tools and Techniques

All the above-mentioned information will be in the risk management plan, which is the output of this process. Now let us see which tools and techniques are used. Let us wake up our brains. Risks are found by careful analysis, and you need very good analytical skills to identify them. Another way of planning for risks is to take the advice of seniors and specialists. Finally, call everyone who has a responsibility in the project and in risk management, including stakeholders and senior people, to a meeting and start discussing in order to develop a risk management plan. Analytical Techniques, Expert Judgment and Meetings are the tools and techniques used.

Now we are ready with the risk management plan. We know how to manage risks, how to respond in case of risks, who the responsible people are for risk management, who should be communicated with in the event of a risk, etc. Now it is time to really think about risks, i.e. to really try to identify them.

Identify Risks:

While identifying risks, we try to understand each risk's characteristics, impact and probability of occurring. To do that, try recollecting what a risk is. There might be many reasons for a risk to occur, and if a risk occurs it may impact any of the factors like cost, quality, schedule, etc.

Identify Risks: Inputs

It is people who manage risks and it is people who face risks. We also know that risk management is conducted throughout the project, so it is present in every phase and every process. We can therefore say that all the subsidiary plans (the plans of all processes) are taken as inputs to the Identify Risks process. Below is the list of subsidiary plans taken as inputs.

  1. Risk Management Plan
  2. Cost Management Plan
  3. Schedule Management Plan
  4. Quality Management Plan
  5. Human Resource Management Plan
  6. Scope Baseline
  7. Activity Cost Estimates
  8. Activity Duration Estimates
  9. Stakeholder Register
  10. Project Documents
  11. Procurement Documents
  12. Enterprise Environmental Factors
  13. Organizational Process Assets

Identify Risks: Outputs

What is the output of this process after taking in so many inputs? We may think there might be a couple of outputs, but to our surprise there is only one. One may ask what we are doing here. We are identifying risks. What will we do with the risks identified initially? We will not immediately start responding to them. We will first document them as per standards. The place where the risks are recorded is termed the RISK REGISTER. It is the output of this process. Given below are the contents of the risk register:

  1. List of identified risks
  2. List of possible responses

Identify Risks: Tools and Techniques

This is one of the lengthiest lists of tools and techniques of any process. Let us see them in a simple way.

  1. Brainstorming – The team brainstorms to collect as many risks as possible.
  2. Delphi Technique – A moderator distributes a questionnaire to solicit ideas about risks; the responses are collated and redistributed to experts for further review and comment.
  3. Interviewing – Formal interviews with experts, stakeholders and SMEs.
  4. Root cause analysis – This is a very common technique that we all use.
  5. Checklist analysis – Using historical information, expert advice and the knowledge base, an extensive checklist is prepared and used for verification and identification of risks.
  6. Assumption analysis – Planning is based on hypotheses, scenarios and assumptions.
  7. Diagramming – Cause and effect diagrams, process flow charts, influence diagrams, etc.
  8. SWOT Analysis
  9. Expert Judgment

So far we have seen the Plan Risk Management and Identify Risks processes and have got an initial understanding of those concepts. Let us look in a bit more detail at some of the concepts we have come across so far. Under the Identify Risks tools and techniques we came across diagramming techniques. Given below are the different types of diagrams.

  • Cause and effect diagrams: These diagrams are also called FISH BONE DIAGRAMS or ISHIKAWA DIAGRAMS. I think it is clear for you now. It is the same fish bone diagram that we might have created during defect root cause analysis.
  • System or process flow charts: These diagrams show how different systems, and parts of the same system, are interrelated and how the functionality is sequenced.
  • Influence diagrams: These graphically represent the time ordering of events and other relations between variables and outcomes.

Next we came across SWOT analysis. It is analysing and examining the project from the perspective of strengths, weaknesses, opportunities and threats. It means analyzing the strengths and weaknesses of the organization which may impact or affect the project and its outcomes, and then identifying opportunities and threats to overcome the problems identified.

In the Plan Risk Management process we came across the Probability and Impact matrix. It is a grid-like structure used to map each identified risk's probability and its impact on the project in the event of its occurrence. This mapping or table is later used when prioritizing the risks. Given below is a sample matrix (not authorized). It is just my way of looking at the Probability and Impact matrix.

[Sample Probability and Impact matrix. Risk levels shown: Very High Risk, High Risk, Average Risk, Low Risk, Insignificant Risk]

Questions & Answers

  1. For their planning, your team is trying to find out whether a particular risk has been identified and, if identified, what the impact is if it occurs. As a PM, where would you suggest the team look for the above information?
    • A. Risk Register
    • B. Risk Break Down Structure
    • C. Risk Categories Chart
    • D. Probability & Impact matrix.

    Correct Answer: A and D [Both documents have to be referred to get the info asked in question].

  2. In a team meeting you observe that the team is discussing an uncertain event that may occur and which has a negative impact on the project cost. They are trying to find out the most probable causes due to which the uncertain event may take place. You observe that this discussion is going on for a long time. In reality, what is the team discussing?
    • A. Positive Risk
    • B. Negative Risk
    • C. Risk
    • D. Issue.

    Correct Answer: D [An uncertain event is a risk, and it is causing a negative impact, making it an issue].


About Sparsh Goyal

A passionate IT professional, Sparsh Goyal boasts of 4.3+ years of experience. He has worked for various projects under AWS, Google Cloud Platform, Spring Boot, Python, Microservices, RESTful, RESTFUL APIs/SOAP, Scripting, Shell and JAVA. He is also working towards gaining proficiency in Oracle Cloud PaaS, DevOps, SaaS and Docker/Kubernetes. His primary and secondary skills validate his relentless pursuits of expanding his horizon and developing more as an IT person. He boasts of the following certifications: *Google Professional Cloud Security Engineer. *AWS Cloud Solutions Architect Associate. *Oracle certified JAVA programmer.