Risk Management Slides

The document discusses risk identification and management processes. It defines risk identification as determining possible risks that may affect a project. It also discusses reactive and proactive risk strategies, the risk breakdown structure, categories of risk, and techniques for risk identification like SWOT analysis. The document then covers risk analysis planning processes like risk identification, qualitative and quantitative analysis, risk response planning, and controlling risks.

Uploaded by Bivek Heka

Risk Management

Risk Identification
Introduction to Risk Identification

● Risk identification is the process of determining which risks may affect the
project and documenting their characteristics.
● The objective of this step is to identify all possible risks and find a way to
mitigate them.
Reactive vs Proactive Strategies

1. Reactive: Reacting to the past rather than anticipating the future.
Pros and cons: In reactive development you solve matters as they arise. This can
spark creativity, and you can focus on progress rather than optimizing for millions
of users or security threats that aren't there.
2. Proactive: Acting before a situation becomes a source of confrontation or crisis.
Pros and cons: In proactive development you solve matters before they become an
issue. Proactive development makes developments more stable, but you could
anticipate the wrong future and end up spending lots of time on something that
isn't important.
Risk Breakdown Structure

● A risk breakdown structure is a tool for managing risks, which are any events
that you have not planned for or expected.
● Risk is usually thought of as a negative impact on the project's budget,
timeline or quality, but there are also positive risks that can benefit a project.
● A risk breakdown structure breaks risks down in a hierarchical graph,
beginning at the highest level and moving down to the finer-level risks.
The Four Categories of Risk in a Project

1. External: Risks outside your control, such as environmental, regulatory,
suppliers, competitors, etc.
2. Internal: Risks that occur inside your organization, including a lack of
resources, funding delays or mistakes in prioritization.
3. Technical: Scope, requirements and other technical issues fall into this
category.
4. Management: Risks related to your planning, communication, control and so
forth.
Risk Identification Techniques
1. SWOT analysis (Strengths, Weaknesses, Opportunities, Threats): Commonly
used as a planning tool for analysing a business, its resources and its
environment by looking at internal strengths and weaknesses, and at
opportunities and threats in the external environment.
2. PESTLE (Political, Economic, Sociological, Technological, Legal,
Environmental): Commonly used as a planning tool to identify and
categorise threats in the external environment (political, economic, social,
technological, legal, environmental).
3. Scenario analysis: Uses possible (often extreme) future events to anticipate
how threats and opportunities might develop.
4. Surveys/Questionnaires: Gather data on risks. The results of a survey are only
as good as the questions asked.
5. One-on-one interviews: Discussions with stakeholders to identify and explore
risk areas and to obtain detailed or sensitive information about the risk.
6. Working groups: Useful to surface detailed information about the risks, i.e.
source, causes, consequences, stakeholders impacted, existing controls.
7. Brainstorming: Creative technique to gather risks spontaneously from group
members. Group members verbally identify risks in a 'no wrong answer'
environment. This technique gives group members the opportunity to
build on each other's ideas.
Planning
What is Risk Analysis ?

● Risk analysis in project management is a sequence of processes to identify
the factors that may affect a project's success.
● These processes include risk identification, analysis of risks, risk
management and control, etc.
● Proper risk analysis helps to control possible future events that may harm the
overall project.
● It is more of a proactive than a reactive process.
Plan Risk Management

Risk management planning is done in the following steps:
1. Risk Identification
2. Perform Qualitative Analysis
3. Perform Quantitative Analysis
4. Plan Risk Responses
5. Control Risk
Risk Identification
It is the process of identifying individual project risks as well as sources of overall
project risk, and documenting their characteristics.
Perform Qualitative Risk Analysis

It is the process of prioritizing risks for further analysis or action by
combining and assessing their probability of occurrence and impact.
The inputs for qualitative project risk analysis are:
● Risk management plan
● Risk register
The output of this stage would be:
● Project documents updates
Perform Quantitative Risk Analysis

It is the procedure of numerically analyzing the effect of identified risks on
overall project objectives. This kind of analysis is quite helpful for decision
making when the aim is to minimize project uncertainty.

The inputs of this stage are:

● Risk management plan
● Cost management plan

The output will be:

● Project documents updates


Plan risk responses
Planning risk responses helps to enhance opportunities and to minimize threats to
project objectives. It addresses the risks by their priority, adding the resulting
activities into the budget, schedule, and project management plan.
The inputs for plan risk responses are:
● Risk management plan
● Risk register
The outputs are:
● Project management plan updates
● Project documents updates
Control Risks
Control risk is the procedure of tracking identified risks, identifying new
risks, monitoring residual risks and evaluating risk.
The inputs for this stage include:
● Software project management plan
● Work performance data
● Work performance reports
The output of this stage would be:
● Change requests
● Organizational process assets updates
Recognize the risk

● Before prioritizing risks, they have to be identified.
● Typically, risk managers create a list of threats based on past events and what
they have learned from previous projects.
● In this process, it is very useful to create a risk management checklist in
which the main sources and risk factors are investigated.
What is Risk Prioritization ?

● Risk prioritization is the process of identifying all the risks to a project and
then deciding which ones are the most severe, so they can be addressed first.
● It is a process of determining which risk you should act upon first.
● Prioritization should be based on the likelihood of a risk and the potential
harm it poses to the organization.
● A risk prioritization matrix can be used for evaluation.
Risk Response plan

● Risk response planning is the process of developing options and
determining actions to enhance opportunities and reduce threats to the
project's objectives.
● It includes the identification and assignment of individuals or parties
to take responsibility for each agreed risk response.
● The effectiveness of response planning will directly determine
whether risk increases or decreases for the project.
Evaluation and Management
Introduction to evaluation and management of risk

● Evaluation and management of risk refers to the determination of risk
management priorities through the establishment of qualitative and/or
quantitative relationships between benefits and associated risks.
● Risk evaluation involves measuring the probability that a risk will
become a reality.
● Risk management involves managing those risks so as to minimize them.
Importance of evaluation and management of risk

● The risk evaluation stage includes both identification and analysis of
project risks and assists the project team in making decisions to address
the analyzed risks.
● Risk evaluation in project management brings reduced project risk
exposure, precise and clear decision making on key issues within every
project phase, and clearer definition of risks.
● It is important to evaluate hazards, then remove each hazard or minimize
the level of its risk by adding control measures, as necessary.
● It enables the project manager to review the project and create an effective
response.
● It prompts brainstorming of all the opportunities that have been skipped.
● It increases the stability of the project and decreases legal liabilities.
● This helps project managers to maximize the outcomes and reduce the
chances of project failure.
Qualitative Risk Analysis Process
Step 1: Identify Risks
The goal of this step is to create a master list of risks by noting down any
risk that comes to mind and asking other members of the team for their
input. Additionally, project managers can make the risk identification
process faster by holding brainstorming sessions with their teams and even
some workers to get a clearer idea of what’s happening in the field.
Step 2: Classify Risks
There are several techniques for classifying risks. One popular technique is
the risk matrix, which combines the consequences and likelihood of a risk
occurring.
Step 3: Control Risks
While this may look different depending on the technique chosen in the
previous step, risk control is generally divided into two categories. The first
category of risk control is focused on targeting the root cause of risks such as
hazards or inefficient management processes. The second category of risk
control is geared towards lessening the negative impact of the risk through
corrective actions.
Step 4: Monitor Business Risks
As project managers go through the qualitative risk analysis process, they
should remember to keep all of their notes regarding risks, risk ratings, and
control measures to mitigate consequences. These notes will be useful in
completing the final step: risk monitoring. This step mainly involves
observing risks and asking the following questions:
● Is risk control effective?
● Were risks correctly classified?
● Have all risks been identified?
Risk Assessment Matrix

It is a tool used to rate project risks as low, medium, high and very high.
To use the tool, you start by defining the rating scales for probability and impact.
Below is an example Probability Scale. [Probability Scale table not reproduced in this extraction.]
And, below is an example Impact Scale. [Impact Scale table not reproduced in this extraction.]

As shown in the tables above, 5 is the highest probability and impact. Multiplying
probability by impact gives us a risk score. For instance, if the probability of a
risk is 4 and its impact is 5, then the risk score will be 20 (4×5).
This tool can be applied to both positive and negative risks.
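As an added example that is not part of the slides, the matrix scoring described above written out in Python. The 1-5 scales and the 4 × 5 = 20 worked score come from the text; the labels on each scale point, the score bands that map to the four ratings, the `kind` field for positive versus negative risks, and the sample register entries are assumptions made for this example.

```python
# Added example, not from the slides: a probability x impact risk matrix in code.
# The 1-5 scales and the 4 x 5 = 20 worked score follow the text; the scale-point
# labels, the score bands behind the four ratings (low, medium, high, very high)
# and the sample register are assumptions for this example.

PROBABILITY_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed bands on the 1..25 score: (upper bound inclusive, rating).
RATING_BANDS = [(4, "low"), (9, "medium"), (16, "high"), (25, "very high")]


def risk_score(probability, impact):
    """Probability x impact, after checking both values sit on the 1-5 scales."""
    if probability not in PROBABILITY_SCALE or impact not in IMPACT_SCALE:
        raise ValueError("probability and impact must be integers from 1 to 5")
    return probability * impact


def risk_rating(score):
    """Map a score to the first band whose upper bound it does not exceed."""
    for upper, rating in RATING_BANDS:
        if score <= upper:
            return rating
    raise ValueError(f"score {score} is outside the 1-25 matrix")


def prioritise(register):
    """Score every entry and order the register highest risk first.

    Each entry is (name, kind, probability, impact); kind is 'threat' or
    'opportunity', since the text notes the matrix applies to both.
    """
    scored = []
    for name, kind, probability, impact in register:
        score = risk_score(probability, impact)
        scored.append({"name": name, "kind": kind, "probability": probability,
                       "impact": impact, "score": score, "rating": risk_rating(score)})
    return sorted(scored, key=lambda row: row["score"], reverse=True)


# Constructed sample register (illustrative entries only).
SAMPLE_REGISTER = [
    ("Key supplier misses the integration deadline", "threat", 4, 5),
    ("Staff turnover in the test team", "threat", 3, 3),
    ("Early access to a faster build pipeline", "opportunity", 2, 4),
    ("Minor UI regression in a low-use screen", "threat", 2, 1),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(f"{row['score']:>2} {row['rating']:<9} {row['kind']:<11} {row['name']}")
```

The band boundaries are the part a team has to agree on before the matrix is used; keeping them in one table (`RATING_BANDS`) means every register entry is rated the same way and the rule can be changed in one place.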
Quantitative Risk Analysis Process
Step 1: Identify areas for uncertainty
● When identifying areas of potential risk, examine every step of the project.
● Using a project outline or management plan that breaks the overall project
into smaller sections is an excellent way to search for areas where risk or
uncertainty exist.
● Create a list of all areas of potential risk, noting the phase of the project, the
potential risk that you identified and how that risk can affect the execution of
the project.
● Common effects include making costs increase, causing delays or reducing
the quality of the output.
Step 2: Assess the costs of each risk
● Once you have identified where risk exists within your project, you can
calculate the relative cost of each risk. To do this, determine the
expected cost when each potential risk occurs. For basic risks that are
likely to present the same way any time they occur, simply record the
expected cost of remedying the risk.
● For complicated risks that may have variable costs, there are two
methods of identifying this number. The easier option is to decide upon
an average cost for all potential responses to the risk. A more accurate
option is to further break down variable risks into multiple items.
Step 3: Determine the probability of each risk occurring

● The total numbers identified in the prior step are a listing of all potential
risks, which means you are unlikely to encounter all of them over the
course of one project. In order to determine how much risk your project
carries, you then have to determine how likely it is that each risk may
occur.
● The two most important elements when calculating probabilities are
research and experience. The more you know about each scenario, the
more accurately you can estimate the chances that a problem will occur
during execution.
Step 4: Calculate the expected cost of each potential risk
Determining the expected cost of each risk is as simple as multiplying the
estimated cost of each error by its probability. If you wrote your
probabilities out as percentages instead of fractions or decimals, divide the
resulting number by 100 to find the expected risk costs of each element. To
calculate the total estimated cost of risk on the project, add up the risk costs
for each individual element.
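The steps above carried through in code, as an added example that is not the slides' own material. The register entries, phases, costs and probabilities are constructed, and the helper names (`normalise_probability`, `expected_cost`, `total_risk_cost`, `rank_by_expected_cost`) are this example's own. It covers the percentage-versus-decimal rule and both ways of costing a variable-cost risk (averaging the responses, or breaking the risk into items) that the text describes.

```python
# Added example, not from the slides: expected cost of risk following the steps in
# the text. Register entries, phases, costs and probabilities are constructed.


def normalise_probability(value):
    """Return a probability as a decimal in [0, 1].

    A percentage, written as a string such as '25%' or as a bare number above 1
    (25), is divided by 100 as the text directs; fractions and decimals pass through.
    """
    if isinstance(value, str):
        text = value.strip()
        is_percent = text.endswith("%")
        value = float(text.rstrip("%"))
    else:
        is_percent = False
    if is_percent:
        value = value / 100
    elif value > 1:           # a bare number above 1, e.g. 25, is read as a percentage
        value = value / 100
    if not 0 <= value <= 1:
        raise ValueError(f"probability {value!r} is not between 0 and 1")
    return float(value)


def expected_cost(risk):
    """Expected cost of one entry: estimated cost x probability.

    'cost'            - a basic risk that presents the same way each time
    'response_costs'  - variable-cost risk costed as the average response (easier option)
    'items'           - variable-cost risk broken down into sub-items (more accurate option)
    """
    if "items" in risk:
        return sum(expected_cost(item) for item in risk["items"])
    if "response_costs" in risk:
        costs = risk["response_costs"]
        cost = sum(costs) / len(costs)
    else:
        cost = risk["cost"]
    return cost * normalise_probability(risk["probability"])


def total_risk_cost(register):
    """Total estimated cost of risk on the project: the sum over all entries."""
    return sum(expected_cost(risk) for risk in register)


def rank_by_expected_cost(register):
    """Entries ordered by expected cost, highest first, keeping phase and effect."""
    rows = [(risk["name"], risk["phase"], risk["effect"], expected_cost(risk))
            for risk in register]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed register: phase and effect noted for each area of uncertainty (step 1).
SAMPLE_REGISTER = [
    {"name": "Database migration fails on cut-over", "phase": "deployment",
     "effect": "delay", "cost": 20000, "probability": "25%"},
    {"name": "Third-party API changes mid-build", "phase": "build",
     "effect": "cost increase", "response_costs": [2000, 6000, 10000], "probability": 0.5},
    {"name": "Findings from the penetration test", "phase": "test", "effect": "delay",
     "items": [
         {"name": "low-severity findings to fix", "cost": 1000, "probability": 80},
         {"name": "critical finding requiring redesign", "cost": 15000, "probability": 0.1},
     ]},
]

if __name__ == "__main__":
    for name, phase, effect, cost in rank_by_expected_cost(SAMPLE_REGISTER):
        print(f"{cost:>9.2f}  {phase:<10} {effect:<13} {name}")
    print(f"total expected cost of risk: {total_risk_cost(SAMPLE_REGISTER):.2f}")
```

Normalising the probability in one place removes the most common spreadsheet mistake in this calculation: mixing 25 (a percentage) with 0.25 (a decimal) in the same column and overstating the expected cost a hundredfold.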
Categories of Risks
Operational Risks

● Operational risk arises from poor implementation and process problems,
including but not limited to procurement, production, and distribution.
● Operational risk refers to procedural risk: the risks that arise in day-to-day
operational activities during project development due to improper process
implementation, or from external operational factors.
Some reasons for Operational risks
● Insufficient resources
● Conflict between tasks and employees
● Improper management of tasks
● No proper project planning
● Too few skilled people
● Lack of communication and cooperation
● Lack of clarity in roles and responsibilities
● Insufficient training
Cost Risk
● Cost risk is probably the most common project risk of the bunch, which comes as
a result of poor or inaccurate planning, cost estimation and scope creep.
● When this happens, project managers end up spending more money than they
actually have on a project, which may hurt the business in other places or cause
the project to go unfinished if funds and resources can’t be replenished.
● The financial aspect of the project should always be managed as decided; if it
is mismanaged, budget concerns arise, giving rise to budget risks. Proper finance
distribution and management are therefore required for the success of the project;
otherwise it may lead to project failure.
Some reasons for Cost risks

● Wrong/improper budget estimation
● Unexpected project scope expansion
● Mismanagement in budget handling
● Cost overruns
● Improper tracking of Budget
Schedule Risk
● Schedule-related risks refer to time-related risks or project-delivery
planning risks.
● The result of poor planning, schedule risk is the risk that project tasks and
activities will take longer to complete than estimated.
● Schedule risk is closely related to cost risk because any slips in schedule often
increase costs, slow down project benefits, and throw off timelines, which loses
any competitive advantage you might have had at the start.
● A wrong schedule affects project development and delivery.
● Finally, if schedule risks are not managed properly they give rise to project
failure, which in the end affects the organization's finances very badly.
Some reasons for Schedule risks

● Time not estimated accurately
● Improper resource allocation
● Poor tracking of resources such as systems, skills, staff, etc.
● Frequent project scope expansion
● Failure in function identification and completion
Performance Risk
● Performance risk, also known as technical risk, is simply the risk that the project won't
produce the results and benefits outlined in the project specifications.
● Even if you keep costs within budget and stick to the schedule, performance risk can
mean that you’ve lost time and money on a project that ultimately did not deliver.
● This project risk is not the fault of any one party, which makes it especially daunting.
● It is mainly associated with functionality of product or performance part of the
software product.
Some reasons for Performance risks

● Frequent changes in requirements
● Little use of newer technologies
● Too few skilled employees
● High complexity in implementation
● Improper integration of modules
Market Risk

● This risk is where a product is released to the market but the users are
resistant to change, or there is conflict between users.
● Ensuring that the users of a product will actually adopt the software will
directly link to its success. In the case of a company building software for an
external customer, it will correlate with profitability. In the case of an
enterprise building software for internal use, it can determine whether the
software will actually improve productivity within the company.
Some possible mitigation strategies for this risk include:

● User testing and surveys;
● Focus groups;
● Frequent releases; and
● Beta testing.
Reactive vs Proactive risks
Other Risks
Budget Risk:
Budget-related risks refer to monetary risks; they mainly occur due to budget overruns.
Technical Risks:
Technical risks refer to functional or performance risks, meaning that technical risk is
mainly associated with the functionality of the product or the performance part of the
software product.
Programmatic Risks:
Programmatic risks refer to external risks or other unavoidable risks. These are the
external risks which are unavoidable in nature.
Framework for dealing with risks
Introduction of Risk Management Framework(RMF)

It is the “common information security framework” for the federal government
and its contractors. The stated goals of RMF are to:
• Improve information security
• Strengthen risk management processes
• Encourage reciprocity among federal agencies
Components of RMF

1. Risk Identification
● Identify the risks that the organization faces.
● These include IT risk, operational risk, regulatory risk, legal risk, political risk,
strategic risk, and credit risk.
2. Risk Measurement
● Create a risk profile for each risk that has been identified.
● It is important to consider the effect of that risk on the overall risk profile
of the organization.
3. Risk Mitigation
● Examine the risks that have been identified.
● Decide which risks to eliminate or minimize, and how many of the
organization's core risks to retain.
4. Risk Reporting and Monitoring
● Regularly re-examine the risks.
● Ensure that risk levels remain at an optimal level.
5. Risk Governance
● Ensures that all company employees perform their duties in accordance
with the RMF.
Steps of RMF
1. Prepare
● the organization to take initial proactive steps for properly managing security and
privacy risk.
2. Categorize
● the system and the information it processes, stores and transmits, based on
an analysis of the impact of loss.
3. Select
● security controls to protect the informational system's confidentiality and
cohesion.
4. Implement
● complete security control and fix all the necessary processes for operation work.
5. Assess
● processes are controlled appropriately, and you can reduce risks and protect
the data.
6. Authorize
● evaluate if the level of risk is acceptable and track failed controls.
7. Monitor
● focused on continuous automated monitoring in vulnerable environments
● record changes, report problems, and impact analysis for the system.
Benefits of RMF

● identify risk across the business.
● implement a risk mitigation strategy.
● evaluate risk that needs to be eliminated vs. ...
● adapt quickly to changes in security controls or threats.
● report on risk management practices.
● protect sensitive and personal data.
● put a risk governance system into place
Evaluating Risks to the Schedule
PERT

● PERT stands for Program Evaluation and Review Technique.
● It is a method used to examine the tasks in a schedule and determine a
variation of the Critical Path Method (CPM).
● It analyzes the time required to complete each task and its associated
dependencies to determine the minimum time to complete a project.
● It estimates the shortest possible time each activity will take, the most likely
length of time, and the longest time that might be taken if the activity takes
longer than expected.

History Of PERT
● In 1958, the U.S. Navy introduced network scheduling techniques by developing PERT as
a management control system for the development of the Polaris missile program. PERT’s
focus was to give managers the means to plan and control processes and activities so the
project could be completed within the specified time period. The Polaris program involved
250 prime contractors, more than 9,000 subcontractors, and hundreds of thousands of
tasks.
● PERT was introduced as an event-oriented, probabilistic technique to increase the Program
Manager’s control in projects where time was the critical factor and time estimates were
difficult to make with confidence. The events used in this technique represent the start and
finish of the activities. PERT uses three time estimates for each activity: optimistic,
pessimistic, and most likely. An expected time is calculated for each activity from these
estimates, based on a beta probability distribution.

Purpose of PERT Analysis
PERT Analysis informs Program Manager and project personnel on the project’s
tasks and the estimated amount of time required to complete each task. By
utilizing this information a Program Manager will be able to estimate the
minimum amount of time required to complete the entire project. This helps in
the creation of more realistic schedules and cost estimates.
The PERT formula for the expected time of an activity is (O + 4M + P) / 6, where O is the optimistic estimate, M the most likely and P the pessimistic estimate.
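An added example, not from the slides, applying the formula to a constructed task network. Beyond the per-activity expected time it rolls the estimates up through the dependencies to the minimum project duration and the critical path, which the PERT slide describes but does not show. The task names, estimates and predecessors are assumptions; `pert_std_dev` uses the standard PERT spread (P - O) / 6, which belongs to the method but is not stated on the slide.

```python
# Added example, not from the slides: PERT expected times for a constructed task
# network, rolled up through the dependencies to the project duration and the
# critical path. Task names, estimates and predecessors are assumptions.


def pert_expected(optimistic, most_likely, pessimistic):
    """Expected time for one activity: (O + 4M + P) / 6."""
    if not optimistic <= most_likely <= pessimistic:
        raise ValueError("estimates must satisfy optimistic <= most likely <= pessimistic")
    return (optimistic + 4 * most_likely + pessimistic) / 6


def pert_std_dev(optimistic, pessimistic):
    """Standard PERT spread for one activity: (P - O) / 6 (not stated on the slide)."""
    return (pessimistic - optimistic) / 6


# Constructed network: name -> (O, M, P in days, list of predecessor names).
SAMPLE_TASKS = {
    "requirements": (2, 4, 6, []),
    "design": (3, 5, 13, ["requirements"]),
    "implement": (8, 10, 18, ["design"]),
    "security review": (1, 2, 9, ["design"]),
    "test": (3, 4, 5, ["implement", "security review"]),
}


def earliest_finish(tasks):
    """Forward pass: earliest finish of each task using expected durations.

    A task starts when its latest-finishing predecessor is done; tasks with no
    predecessors start at day 0. Raises on a dependency cycle or an unknown task.
    """
    finish = {}
    in_progress = set()

    def visit(name):
        if name in finish:
            return finish[name]
        if name in in_progress:
            raise ValueError(f"dependency cycle through {name!r}")
        if name not in tasks:
            raise KeyError(f"unknown task {name!r}")
        in_progress.add(name)
        o, m, p, predecessors = tasks[name]
        start = max((visit(pred) for pred in predecessors), default=0)
        finish[name] = start + pert_expected(o, m, p)
        in_progress.remove(name)
        return finish[name]

    for name in tasks:
        visit(name)
    return finish


def project_duration(tasks):
    """Minimum time to complete the whole project: the latest earliest-finish."""
    return max(earliest_finish(tasks).values())


def critical_path(tasks):
    """Trace back from the last-finishing task via the predecessor that finishes last."""
    finish = earliest_finish(tasks)
    path = []
    name = max(finish, key=finish.get)
    while name is not None:
        path.append(name)
        predecessors = tasks[name][3]
        name = max(predecessors, key=finish.get) if predecessors else None
    return list(reversed(path))


if __name__ == "__main__":
    for name, (o, m, p, _) in SAMPLE_TASKS.items():
        print(f"{name:<16} expected {pert_expected(o, m, p):5.2f}  sd {pert_std_dev(o, p):4.2f}")
    print("project duration:", project_duration(SAMPLE_TASKS))
    print("critical path:", " -> ".join(critical_path(SAMPLE_TASKS)))
```

In the sample network the security review has the widest spread of the three estimates but sits off the critical path, so it can slip by several days before it threatens the delivery date; the implementation task, with a narrower spread, is the one to watch.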

FTA

● FTA stands for Fault Tree Analysis.
● Fault Tree Analysis is a graphic failure analysis tool used to deduce the causes of
undesired results and failures at the system level.
● It uses Boolean logic to analyze the system and find the pathways that lead to
the cause of failure.
● FTA uses a top-down approach, starting at a single point at the top and
branching downwards to check the states of the system.
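An added example, not from the slides, of the Boolean evaluation FTA describes: a constructed fault tree with AND/OR gates, the top-event probability computed from assumed basic-event probabilities (treated as independent), and the minimal cut sets, which are the pathways to failure the text refers to. The top event, the basic events and their probabilities are all constructed for illustration.

```python
# Added example, not from the slides: a fault tree evaluated with Boolean logic.
# Top event, gates and basic-event probabilities are constructed; the arithmetic
# assumes the basic events are independent.
from itertools import product
from math import prod

# Constructed basic events with an assumed probability of being present.
BASIC_EVENTS = {
    "weak password in use": 0.20,
    "MFA not enforced": 0.30,
    "backup stored unencrypted": 0.10,
    "backup bucket publicly readable": 0.05,
}

# Tree for the constructed top event "customer records exposed". A gate is a tuple
# ("AND", ...) or ("OR", ...); a leaf is a basic-event name.
TOP_EVENT = (
    "OR",
    ("AND", "weak password in use", "MFA not enforced"),
    ("AND", "backup stored unencrypted", "backup bucket publicly readable"),
)


def top_event_probability(node, events=BASIC_EVENTS):
    """Probability of a node: AND multiplies, OR is 1 - product of (1 - p)."""
    if isinstance(node, str):
        return events[node]
    gate, *children = node
    probabilities = [top_event_probability(child, events) for child in children]
    if gate == "AND":
        return prod(probabilities)
    if gate == "OR":
        return 1 - prod(1 - p for p in probabilities)
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Sets of basic events that together cause the top event, supersets removed.

    Each cut set is one pathway to failure: OR gates collect their children's
    cut sets, AND gates combine one cut set from every child.
    """
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    child_sets = [minimal_cut_sets(child) for child in children]
    if gate == "OR":
        candidates = set().union(*child_sets)
    elif gate == "AND":
        candidates = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return {s for s in candidates if not any(other < s for other in candidates)}


def single_points_of_failure(node):
    """Cut sets of size one: a single basic event that alone triggers the top event."""
    return sorted(next(iter(s)) for s in minimal_cut_sets(node) if len(s) == 1)


if __name__ == "__main__":
    print(f"P(top event) = {top_event_probability(TOP_EVENT):.4f}")
    for cut in minimal_cut_sets(TOP_EVENT):
        print("pathway:", " AND ".join(sorted(cut)))
    print("single points of failure:", single_points_of_failure(TOP_EVENT) or "none")
```

The cut sets are usually more useful to a defender than the single probability: a cut set of size one marks a control whose failure alone exposes the system, and a cut set whose events share a common cause (the same operator, the same configuration tool) is weaker than the independence assumption makes it look.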

FMEA
FMEA stands for Failure Modes and Effects Analysis.
FMEA is a systematic, proactive method for evaluating a process to identify
where and how it might fail and to assess the relative impact of different failures,
in order to identify the parts of the process that are most in need of change.
FMEA includes review of the following:

● Steps in the process
● Failure modes (What could go wrong?)
● Failure causes (Why would the failure happen?)
● Failure effects (What would be the consequences of each failure?)

HAZOP

● HAZOP, or a Hazard and Operability Study, is a systematic way to identify
possible hazards in a work process. In this approach, the process is broken
down into steps, and every variation in work parameters is considered for
each step, to see what could go wrong.
● For example, if a chemical plant uses pipes and valves to transport a
chemical at a particular pressure and temperature, these characteristics affect
the function of the chemical plant. As such, pressure and temperature are
both parameters that the company might consider during a HAZOP analysis.

Types of HAZOP

The four types of HAZOP studies that are conducted are: process HAZOP,
procedure HAZOP, human HAZOP and software HAZOP.
1. Process HAZOP: Assesses plants and process systems
2. Procedure HAZOP: Reviews procedures and operational sequences.
3. Human HAZOP: Focuses on human errors as opposed to technical failure.
4. Software HAZOP: Identifies possible errors in the development of software.

Incident BowTie
A bow tie is a graphical depiction of pathways from the causes of an event or risk to
its consequences in a simple qualitative cause-consequence diagram.
A simple bow tie analysis can be conducted as follows:
● Identify the risk to be examined in the bow tie analysis. Bow tie analysis is of
most use for risks that have high levels of risk, and particularly those with high
consequences.
● Describe the risk, in the form [something happens] and leads to [a consequence
for our objectives], and note the main risk analysis outcomes from the risk
register.
● List the causes of the risk on the left and the consequences of the risk on the
right, drawing on material from the risk register and expanding where possible.
● List the existing controls on the causes (preventive controls) below the causes on
the left, and the controls on the consequences (corrective controls) below the
consequences on the right. If a control acts on both causes and consequences,
then show it twice, on each side of the template.
● Assess the effectiveness of each control, by asking ‘Is it designed well (could
it work)?’ and ‘Is it implemented well (does it work)?’
● Identify options for enhancing existing controls, to improve their
effectiveness or to fill gaps. This may include enhanced monitoring and more
frequent review, for example using control self-assessment.
● Look for gaps, where there are causes and consequences for which there are
no matching controls.
● Identify options for creating new controls to fill the gaps.
● Evaluate the advantages and disadvantages of each option, agree options to
be pursued, and develop implementation plans.
Event Tree Analysis
● An event tree analysis (ETA) is an inductive procedure that shows all
possible outcomes resulting from an accidental (initiating) event, taking into
account whether installed safety barriers are functioning or not, and
additional events and factors.
● By studying all relevant accidental events (that have been identified by a
preliminary hazard analysis, a HAZOP, or some other technique), the ETA
can be used to identify all potential accident scenarios and sequences in a
complex system.
● Design and procedural weaknesses can be identified, and probabilities of the
various outcomes from an accidental event can be determined.
Example
Steps
1. Identify (and define) a relevant accidental (initial) event that may give rise to
unwanted consequences
2. Identify the barriers that are designed to deal with the accidental event
3. Construct the event tree
4. Describe the (potential) resulting accident sequences
5. Determine the frequency of the accidental event and the (conditional) probabilities
of the branches in the event tree
6. Calculate the probabilities/frequencies for the identified consequences (outcomes)
7. Compile and present the results from the analysis
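An added example, not from the slides, working the seven steps through in Python for a constructed initiating event. The event, its frequency, the barriers, their probabilities, the consequence labels and the tolerable-frequency thresholds are all assumptions. It follows the usual event-tree convention that a sequence ends at the first barrier that holds, so there is one sequence per barrier plus one for every barrier failing.

```python
# Added example, not from the slides: a small event tree analysis (ETA) following the
# seven steps in the text. The initiating event, its frequency, the barriers, their
# probabilities, the consequences and the tolerable frequencies are all constructed.

# Step 1: the initiating event and its frequency (constructed: occurrences per year).
INITIATING_EVENT = "phishing email with a credential-harvesting link reaches a user's inbox"
INITIATING_FREQUENCY = 120.0

# Step 2: barriers in the order they act. Each entry is (barrier, probability that it
# holds given the sequence reached it, consequence when it is the barrier that stops
# the sequence). Values are assumptions for this example.
BARRIERS = [
    ("user does not follow the link", 0.85, "no effect"),
    ("MFA prompt blocks the stolen credential", 0.90, "credential reset, no access"),
    ("SOC detects the anomalous sign-in within an hour", 0.70, "brief unauthorised access"),
]
ALL_FAIL_CONSEQUENCE = "sustained unauthorised access to the mailbox"


def event_tree(frequency, barriers, all_fail_consequence):
    """Steps 3 to 6: construct the tree and compute the frequency of every sequence.

    A sequence takes the 'fails' branch of each earlier barrier and the 'holds'
    branch of the barrier that stops it; the final sequence is every barrier failing.
    Returns a list of (branch outcomes, consequence, frequency per year).
    """
    sequences = []
    remaining = frequency
    failed_so_far = []
    for name, p_holds, consequence in barriers:
        if not 0.0 <= p_holds <= 1.0:
            raise ValueError(f"probability out of range for barrier {name!r}")
        branch = tuple(failed_so_far + [(name, "holds")])
        sequences.append((branch, consequence, remaining * p_holds))
        failed_so_far.append((name, "fails"))
        remaining *= 1.0 - p_holds
    sequences.append((tuple(failed_so_far), all_fail_consequence, remaining))
    return sequences


def consequence_frequencies(sequences):
    """Step 6: total frequency per consequence (several sequences may share one)."""
    totals = {}
    for _, consequence, freq in sequences:
        totals[consequence] = totals.get(consequence, 0.0) + freq
    return totals


def compile_results(sequences, tolerable_per_year):
    """Step 7: rows of (consequence, frequency, exceeds tolerable level).

    tolerable_per_year maps a consequence to the highest acceptable frequency;
    consequences it does not list (such as 'no effect') are reported, never flagged.
    """
    rows = []
    for consequence, freq in consequence_frequencies(sequences).items():
        limit = tolerable_per_year.get(consequence)
        rows.append((consequence, freq, limit is not None and freq > limit))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Assumed tolerable frequencies for the harmful outcomes (per year).
TOLERABLE = {"brief unauthorised access": 1.0, ALL_FAIL_CONSEQUENCE: 0.1}

if __name__ == "__main__":
    seqs = event_tree(INITIATING_FREQUENCY, BARRIERS, ALL_FAIL_CONSEQUENCE)
    print(f"initiating event: {INITIATING_EVENT} ({INITIATING_FREQUENCY}/year)")
    for branch, consequence, freq in seqs:
        print(f"{freq:8.3f}/year  {consequence:<45} "
              + ", ".join(f"{b}: {o}" for b, o in branch))
    for consequence, freq, flagged in compile_results(seqs, TOLERABLE):
        print(f"{'ABOVE LIMIT' if flagged else 'ok':<11} {freq:8.3f}/year  {consequence}")
```

Because each barrier's probability is conditional on the sequence having reached it, the model makes it easy to ask where an extra barrier, or a better one, buys the most: improving the last barrier from 0.70 to 0.90 cuts the worst outcome from 0.54 to 0.18 per year without touching the earlier controls.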
Applications

● Risk analysis of technological systems
● Identification of improvements in protection systems and other safety
functions
What-if Analysis
● A What-if Analysis consists of structured brainstorming to determine what can go
wrong in a given scenario; then judge the likelihood and consequences that
things will go wrong.
● What-if Analysis can be applied at virtually any point in the laboratory evaluation
process.
● Based on the answers to what-if questions, informed judgments can be made
concerning the acceptability of those risks. A course of action can be outlined for
risks deemed unacceptable.
How to Conduct a What-if Analysis
1. Team Kickoff
The team leader walks the team through each step of the What-if Analysis. The leader may use
a detailed equipment diagram along with any prepared operating guidelines. (Include guidelines
for determining acceptable level of safety.)
2. Generate What-if Questions
The team generates What-if questions relating to each step of the experimental procedure and
each component to determine likely sources of errors and failures.
Things to consider when developing questions:
● Potential human error
● Equipment component failures
● Deviations from the planned/expected critical parameters (e.g., temperature, pressure,
time, flow rate)
3. Evaluate and Assess Risk
The team considers the list of What-if questions, one-by-one, to determine likely sources of
errors. They then decide the probability of each error occurring and assess the consequences.
4. Develop Recommendations
Risk deemed unacceptable:
If the team concludes there’s a need for corrective action, a recommendation is recorded.
Risk deemed acceptable:
When probability is very low, consequences are not severe, and the action to correct the
condition would involve significant cost and time, the team may note a “no recommendation”
response.
5. Prioritize and Summarize Analysis
The team’s analysis is summarized and prioritized.
6. Assign Follow-up Action
Responsibilities are assigned for follow-up action(s). Consider adding a column to your What-if
Analysis form to indicate the person or group responsible for each corrective action.
