Project Risk Management

It was noted in Chapter 1 that one of the primary roles of the project manager is manag­ing trade-offs between time, budget, and scope. As we discuss in this section, there are a host of activities that can be completed during the project planning phase that greatly facilitate managing project-related risks.

The field of risk management has grown considerably over the last decade. The Project Management Institute’s PMBOK (2013) devotes Chapter 11 to this topic. In general, risk management includes three areas: (1) risk identification, (2) risk analysis, and (3) response to risk. The process of accomplishing these three tasks is broken down into six subprocesses:

1. Risk Management Planning Developing a plan for risk management activities.
2. Risk Identification Finding those risks that might affect the project.
3. Qualitative Risk Analysis Evaluating the seriousness of the risk and the likelihood it will affect the project.
4. Quantitative Risk Analysis Developing measures for the probability of the risk and its impact on the project.
5. Risk Response Planning Finding ways of reducing negative impacts on the project as well as enhancing positive impacts.
6. Risk Monitoring and Control Maintaining records of and evaluating the subproc­esses above in order to improve risk management.

1) Risk Management Planning This planning process is like any other planning process. First, a method for carrying out steps 2 through 5 for any project must be designed. Care must be exercised to ensure that the necessary resources can be applied in a timely and well-organized manner. The planning process, just as the task of manag­ing risk, is a continuous process. The factors that cause uncertainty appear, disappear, and change strength as time passes and the environment of a project changes. Note that planning how to deal with uncertainty is an organizational problem, not specifically a project problem. The result is that many firms create a formal, risk management group, whose job it is to aid the project management team in doing steps 2 through 5. The overall risk management group develops plans and maintains the database resulting from step 6.

Some of the inputs and outputs of steps 2 through 5 are unique to the project, and some are common for all projects. The overall group helps individual project risk teams with the necessary analytic techniques, information gathering, the development of options for response, and monitoring and evaluating the results.

2) Risk Identification and Qualitative Risk Analysis We list these steps together because in practice they are often carried out together. As a risk is identified, an attempt to measure its timing, likelihood, and impact is often made concurrently.

Risk identification consists of a thorough study of all sources of risk in the project. Common sources of risk include the organization of the project itself; senior manage­ment of the project organization; the client; the skills and character of the project team members, including the PM; and acts of nature.

Scenario Analysis Scenario analysis is a well-known method for identifying seri­ous risks. It involves envisioning likely scenarios that may have major repercussions on the organization and then identifying the possible resulting outcomes of events such as a hurricane in New Orleans, an extended labor strike, the freezing of a river, or the failure of an oil well head 5000 feet below the water surface in the gulf of Mexico. These types of risk can often be identified and evaluated by project stakeholders or outside parties with previous experience in similar projects. Beyond this, a close analysis of the project plan, the WBS, and the RACI Matrix, as well as the PERT chart (Chapter 5) will often identify highly probable risks, extremely serious risks, or highly vulnerable areas, should anything go wrong.

After major risks are identified, the following data should be obtained on each to facilitate further analysis: the probability of each risk event occurring, the range or dis­tribution of possible outcomes if it does occur, the probabilities of each outcome, and the expected timing of each outcome. In most cases, good estimates will not be available, but getting as much data and as accurate estimates as possible will be crucial for the follow- on risk analysis. Above all, remember that a “best guess” is always better than no information.

3) Failure Mode and Effect Analysis (FMEA) FMEA is a structured approach similar to the scoring methods discussed in Chapter 1 to help identify, prioritize, and bet­ter manage risk. Developed by the space program in the 1960s, FMEA can be applied to projects using the following six steps.

1. List ways the project might potentially fail.
2. List the consequences of each failure and evaluate its severity. Often severity, S, is ranked using a ten-point scale, where “1” represents failures with no effect and “10” represents very severe and hazardous failures such as the loss of human life.
3. List the causes of each failure and estimate their likelihood of occurring. The likeli­hood of a failure occurring, L, is also customarily ranked on a ten-point scale, with a “1” indicating the failure is rather remote and not likely to occur and “10” indicating the failure is almost certain to occur.
4. Estimate the ability to detect each failure identified. Again, the detectability of fail­ures, D, is customarily ranked using a ten-point scale, where a “1” is used when moni­toring and control systems are almost certain to detect the failure and “10” where it is virtually certain the failure will not be detected.
5. Calculate the Risk Priority Number (RPN) by multiplying S, L, and D
6. Sort the list of potential failures by their RPNs and consider ways for reducing the risk associated with failures with high RPNs.

Table 3-5 illustrates the results of a FMEA conducted to assess the risk of a new drug development project at a pharmaceutical company. As shown in the table, five potential failures for the project were identified: (1) The new drug is not effective at treating the ailment in question, (2) the drug is not safe, (3) the drug interacts with other drugs, (4) another company beats it to the market with a similar drug, and (5) the company is not able to produce the drug in mass quantities. According to the results, the most significant risk is the risk of developing a new drug that is not effective. While it is unlikely that much can be done to reduce the severity of this outcome, steps can be taken to reduce the likelihood of this outcome as well as increase its detectabil­ity. For example, advanced computer technologies can be utilized to generate chemicals with more predicable effects. Likewise, perhaps earlier human clinical and animal trials can be used to help detect the effectiveness of new drugs sooner. In this case, if both L and D could each be reduced by one, the overall RPN would be reduced from 240 to 160.

4) Quantitative Risk Analysis Hertz and Thomas (1983) and Nobel prize winner Herbert Simon (1997) have written two classic books on this topic. As we noted in Chapter 1, the essence of risk analysis is to state the various outcomes of a decision as probability distributions and to use these distributions to evaluate the desirability of cer­tain managerial decisions. The objective is to illustrate to the manager the distribution or risk profile of the outcomes (e.g., profits, completion dates, return on investment) of investing in some project. These risk profiles are one factor to be considered when mak­ing the decision, along with many others such as intangibles, strategic concerns, behav­ioral issues, fit with the organization, and so on.

A case in point is Sydney, Australia’s M5 East Tunnel (PMI, March 2005). It was constructed under strict budgetary and schedule requirements, but given the massive traffic delays now hampering commuters, the requirements may have been seriously underestimated. Due to an inexpensive computer system with a high failure rate, the tunnel’s security cameras frequently fail, requiring the operators to close the tunnel due to inability to react to an accident, fire, or excessive pollution inside the tunnel. The tunnel was built to handle 70,000 vehicles a day, but it carries 100,000 so any glitch can cause immediate traffic snarls. A risk analysis, including the risk of overuse, probably would have anticipated these problems and mandated a more reliable set of computers once the costs of failure had been included.

Estimates Before discussing the risk analysis techniques, we need to discuss some issues concerning the input data coming out of the qualitative analysis of step 3. We assume here that estimating the range and timing of possible outcomes of a risky event is not a problem but that the probabilities of each may be harder to establish. Given no actual data on the probabilities, the best guesses of people familiar with the problem is a reasonable substitute. An example of such guesses (a.k.a. estimates) for a portion of the project can be seen in Table 3-6.

Knowledgeable individuals are asked for three estimates of the cost of each activity, a normal estimate plus optimistic and pessimistic estimates of the cost for each. From these an expected value for the cost of an activity can be found, but we will delay discuss­ing this calculation until Chapter 5 where we show such calculations for either cost or task durations.

If approximations cannot be made, there are other approaches that can be used. One approach is to assume that all outcomes are equally probable, though there is no more justification for this assumption than assuming any other arbitrarily chosen probability values. Bear in mind that when using the common expected-value approach (see below) to help make a decision, the result can be misleading. For example, the probability of a disaster may be very low (resulting in a low expected value), but such risks must be care­fully managed nonetheless, such as with insurance or extensive contingency planning. This is why it is as important, if not more important, to consider the distribution of out­comes as we advocate in this book.

Expected Value When probability information is available or can be estimated, many risk analysis techniques use the concept of expected value of an outcome—that is, the value of an outcome multiplied by the probability of that outcome occurring. For example, in a coin toss using a quarter, there are two possible outcomes and the expected value of the game is the sum of the expected values of all outcomes. It is easily calculated. Assume that if the coin comes up “head” you win a quarter, but if it is “tails” you lose a quarter. We also assume that the coin being flipped is a “fair” coin and has a .5 probability of coming up either heads or tails. The expected value of this game is

E (coin toss) = .5($.25) + .5($ -.25) = 0

A decision table (a.k.a. a payoff-matrix), such as illustrated in Table 3-7, is a tech­nique commonly used for single-period decision situations where there are a limited number of decision choices and a limited number of possible outcomes.

In the following decision table, there are four features:

1. Three decision choices or alternatives, A,.
2. Four states of nature, S , that may occur.
3. Each state of nature has its own probability of occurring, , but the sum of the prob­abilities must be 1.0.
4. The outcomes associated with each alternative and state of nature combination, A,, are shown in the body of the table.

If a particular alternative, Ais chosen, we calculate the expected value of that alter­native as follows:

For example, using the data from Table 3-7 for alternative “Fast” we get

E (Fast) = 0.1 (14) + 0.4(10) + 0.3(6) + 0.2(1) = 7.4

The reader may recall that we used a similar payoff matrix in Chapter 1, when we considered the problem of selecting a vendor to design and print bumper stickers. In that example, the criteria weights played the same role as probabilities play in the example above.

Simulation We will demonstrate simulation in the next chapter (4) and will dem­onstrate it more in later chapters. In recent years, simulation software has made the process user friendly and far simpler than in the midtwentieth century. It has become one of the most powerful techniques for dealing with risks that can be described in numeric terms. The most difficult problems involved with the use of simulation are (1) explaining the power of using three point estimates (most likely, optimistic, and pessimistic) instead of the single point estimates decision makers have always used; and (2) explaining the notion of statistical distributions to people whose only acquaintance with statistical dis­tributions is the (mistaken) notion that the grades in the classroom are, or should be, distributed by “the curve.” Once the fundamental ideas behind a Monte Carlo simula­tion are understood, the power of the technique in dealing with risk is obvious. Even more potent is the notion that one can estimate the likelihood that certain risky out­comes will actually occur, such as the probability that project costs will be at or below a given limit, or the chance that a project will be completed as scheduled.

There is another problem with using simulation, or any process involving estimates of project costs, schedules, etc. It is convincing anyone connected to a project to make honest estimates of durations, costs, or any other variables connected with a project. The problem is the same whether one asks for single point or three point estimates. Asking individuals to be accountable for their estimates is always difficult for the askee, and project managers are advised to use their best interpersonal communication styles when seeking to improve project cost and time estimates. The PMI’s code of ethics demands honesty, and PMs should strive to ensure it. Nevertheless, many people will commonly make a decision based on the worst possible outcome that could occur (called the pessi­mistic decision) and in a few cases (“Ms. Lucky”) on the best possible outcome that could occur (called the optimistic decision). Some problems at the end of the chapter include these decision rules.

5) Risk Response Planning Risk response typically involves decisions about which risks to prepare for and which to ignore and simply accept as potential threats. The main preparation for a risk is the development of a risk response plan. Such a plan includes contingency plans and logic charts detailing exactly what to do depending on particular events (Mallak, Kurstedt, and Patzak, 1997). For example, Iceland is frequently sub­jected to unexpected avalanches and has thus prepared a detailed response plan for such events, stating who is in charge, the tasks that various agencies are to do at particular times, and so on. Actually practicing those responses with dress rehearsals is particularly important if the risk is a potentially life-or-death emergency.

Contingency Plan A contingency plan is a backup for some emergency or unplanned event, often referred to colloquially as “plan B,” and there may also need to be a plan C and a plan D as well, for an even deeper emergency such as an oil spill in the gulf of Mexico, to give a wildly improbable example. The contingency plan includes who is in charge, what resources are available to the person, where backup facilities may be located, who will be supporting the person in charge and in what manner, and so on.

In another example, when Hurricane Katrina hit Mississippi and New Orleans in August 2005, Melvin Wilson of Mississippi Power, a subsidiary of 1,250 employees, became “Director of Storm Logistics” for the duration. As a contingency, Mississippi Power sub­scribes to three weather forecasting services and in this case decided the most severe forecast was the right one. Wilson called for a retreat from the company’s high-rise head­quarters on the beach to a backup contingency office at a power plant 5 miles inland. By noon, the backup power plant flooded and lost power, which was not in the plan, and the cars in the parking lot were floating. A company security van made it through to take the storm team to a third option for a storm center—a service office in North Gulfport that had survived Hurricane Camille in 1969—there was no fourth option. The office was dry but without electricity or running water. The phone lines were down, and cell phones were useless but the company’s own 1,100 cell phones plus 500 extras to lend out had a unique radio function, and that worked. They were the only working communications for the first 72 hours on the gulf coast. The company’s worst-case contingency plans had never imagined managing a repair crew of over 4,000 from outside. But Wilson became responsible for directing and supporting 11,000 repairmen from 24 states and Canada, feeding and housing them in 30 staging areas including six full-service tent cities that housed 1,800 each. He had to find 5,000 trucks and 140,000 gallons of gasoline a day to help restore power to 195,000 customers. Within 12 days of the storm, power had been restored to all customers except a few thousand whose lines were too damaged to receive electricity. Clearly, Mississippi Power had not made contingency plans for such an extreme event, but the plans they had made, and the backups to those plans, were sufficient to give a smart team of emergency responders the chance to successfully handle this crisis.

Logic Chart Logic charts show the flow of activities once a backup plan is initi­ated. They force managers to think through the critical steps that will need to be accom­plished in a crisis, and provide an overview of the response events and recovery operations. They include decisions, tasks, notifications, support needs, information flows, and other such activities. They are time independent and illustrate the many tasks as well as dependencies and interdependencies that emerge out of the initial response steps, such as: “If X has happened, do this; otherwise, do that.”

6) Risk Monitoring and Control Like risk management planning, monitoring and control are tasks for the parent organization, as well as for the project. If the over­all risk management group is not involved along with the project in performing the tasks of recording and maintaining records of what risks were identified, how they were analyzed and responded to, and what resulted from the responses, the records have a high probability of being lost forever when the project is completed (or aban­doned). If records are lost or not easily available, the chance that other projects will “learn from the experiences of others” is very low.

It is the job of the risk management group to maintain records for how all projects deal with risks. The group, however, is not merely a passive record holder. It should be involved in the search for new risks, for developing new and better techniques of measur­ing and handling risk, and estimating the impact of risks on projects. Thus, the group should become an advisor to project risk management teams. It should provide an ongo­ing evaluation of current risk identification, measurement, analysis, and response tech­niques. Fundamentally, the group is devoted to the improvement of the organization’s risk management activities.

In the next chapter, we use the project plan to develop a project budget. We discuss conflict surrounding the budgetary process. Then we deal with uncertainty, the project’s (and PM’s) constant companion.

Source: Meredith Jack R., Mantel Jr. Samuel J., Shafer Scott M., Sutton Margaret M. (2017), Project Management in Practice, John Wiley & Sons, Inc. 3th Edition.