Risk Analysis & Risk Management
A Quality perspective – Abhilash Gopi.
What is a Risk?
Risk is a possibility that an unfavorable event will occur. It may be predictable or unpredictable.
Components of Risk
Risk has three components. These components need to be considered separately when determining how to manage the risk:
• The event that could occur – the risk,
• The probability that the event will occur – the likelihood,
• The impact or consequence of the event if it occurs – the penalty (the price you pay).
Categorization of Risks
• Technical : Risks categorized based on complexity, requirement changes, unproven
• Programmatic or Performance : such as safety, skills, regulatory changes, material
• Supportability or Environment : such as people, equipment, reliability, maintainability etc.
Cost : such as sensitivity to technical risk, overhead, estimating errors etc.
Schedule : such as degree of concurrency, number of critical path items, sensitivity to cost etc.
# Situational :
Changes in a situation can result in new risks.
E.g. Replacing a team member, undergoing a reorganization, changing the scope of the
# Time based :
• In this case, the probability of the risk occurring at the beginning of the project is very high (due to the unknown factor) and diminishes as the project progresses. In contrast, the impact (cost) of a risk occurring is low at the beginning and higher at the end.
# Interdependence :
• Within a project, many tasks and deliverables are interdependent. A delay in one of these tasks has a cascading effect on the other related tasks, and the result could be a DOMINO EFFECT.
# Magnitude dependent :
• The relationship between probability and impact is not linear in this case, and the magnitude of the risk makes a very large difference.
Consider the risk of spending Rs 1 for a 50/50 chance to win Rs 5 v/s the risk of spending Rs 1000 for a 50/50 chance of winning Rs 5000.
• Since the probability of loss is the same in both cases (50%), the opportunity cost of losing is much greater in the latter case.
# Value Based :
• Risk may be affected by personal, corporate or cultural values.
E.g. Completing a project on schedule may depend on the time of year and on the nationalities or religious beliefs of the work team.
Projects done in international locations where multiple cultures are involved may carry a higher risk than those done in a single location with a similar kind of work force.
Risk Management is the process of identifying, analyzing, prioritizing and responding to risks. It requires knowledge of business functions and user involvement.
# The Project Management Institute’s PMBOK defines the following 4 processes to address risk management issues.
• Risk Identification,
• Risk Quantification,
• Risk Response Development,
• Risk Response Control.
Managing Risks – Sub Processes
• Risk Identification
  – Risk Identification : This component answers the question “What are the risks?”.
• Risk Quantification
  – Risk Analysis : This component answers the question “Which risks do we care about?”.
  – Risk Prioritization : This component answers the question “How are the risks prioritized?”.
• Risk Response Development
  – Risk Response Planning : This component answers the question “What should be done about the risk?”.
• Risk Response Control
  – Risk Resolution : This component executes the plan developed in the Risk Response Planning step.
  – Risk Monitoring : This component evaluates the action taken, documents the risk results, and repeats the cycle of identification, quantification
Keys to Risk Identification
• Identify the risk as early as possible,
• Consider both internal and external risk factors, (External risks : management changes, new tools, company mergers, changing strategies, changing market trends, customer inputs, politics etc.)
• E.g. The 1992 and 1993 storms in Florida are examples of two major disasters happening in close succession. Also the recent tornados (Rita and Katrina) affecting the US Coast are classic examples of disasters in close succession.
• Make appropriate use of existing documentation when compiling the list of possible risks:
  – Requirement specifications, compliance matrices, project plans, schedules, reviews, checklists, lessons learnt, etc.
• Risk analysis is a method to quantify risk.
• The basic objective is to help management strike an economic balance between the impact of risks and the cost of protective measures (preventing the risks).
• Risks with a significant impact on a process, product or organization need to be addressed in the decision-making process and tackled on a priority basis.
# Questions to consider.
• How big is the risk?
• What exactly is being exposed to the risk?
• Can this be considered an acceptable risk?
• What are the alternatives?
• Will the alternative risks invoke additional risks?
# How to tackle the risk?
• Ascertaining the impact or likelihood of risk events precisely is impossible,
• An adequate combination of tools and historical data can be used for estimation,
• Methods to calculate the impact of risk:
  – Structured (associated with data and hard facts),
  – Unstructured (focused on judgement and experience).
• Regardless of the method used, two elements must always be considered:
  – The probability of such an event (risk) occurring,
  – The resulting impact if the event occurs.
# The risk rating values assigned to risks depend on the individual analyst and are therefore subjective: they reflect the analyst’s personality and thought process.
# In such cases, it is better to develop a simple rating system with well-documented measurement criteria to ensure consistency.
E.g. High, Medium, Low, Not Rated.
Probability of an event’s occurrence can be determined by
– Using personal opinion or team consensus,
– Using a historical database,
– Converting approximations to numbers.
# How can approximations be converted to numbers?
• Even chance (50%)
• Probable (> 50%) or improbable (< 50%)
• Low (< 33.33%), Medium (33.34% to 66.66%), High (66.67% to 100%)
Impact of an Event/ Risk
The impact of an event is usually represented by a monetary value and has implications for schedule, cost and profitability.
Determining the Risk impact value
• Some terms to know before the actual determination of the Risk Impact value:
• Monetary value – is the best common denominator for quantifying the impact of an adverse circumstance, whether the damage is actual or abstract, and whether the victim is a person, a piece of equipment, or a function.
• Schedules – are examined to determine any slips in the completion date. One method of analyzing schedules is to look at each task independently and then multiply the tasks’ on-time probabilities together.
For example, if a project contains 3 independent tasks and each task has a 50% chance of finishing on time, the project has a 12.5% chance of finishing on time (50% * 50% * 50%).
• Costs – are calculated over the product’s life cycle. The costs for each phase are added together for a total life cycle cost.
For example, when producing a software product the cost should reflect not only what it takes to develop the product, but also what it takes to fix and maintain it.
# Profitability – is typically calculated using:
• Return on sales, which is profit, or return as a percentage of a project’s total cost. It does not depend on time. A positive value indicates a profit and a negative value indicates a loss.
• Return on investment, which is an organization-wide measure that assesses performance against invested assets (organizations may use different formulas). It measures efficiency, and balances asset use against the profit margin.
• Economic value added, which evaluates the cost of capital percent vs. the return on capital percent. The cost of capital is the cost of financing the organization’s operations. It takes into account the minimum rate of return that the investors (such as debt holders and shareholders) require.
• Internal rate of return, which is a relative measure based on the timing of cash inflow and outflow. It is the rate at which the net present values of cash inflow and outflow become equal.
• Using a structured method, risk is calculated using the formula:
Expected value = Probability * Impact
Expected value – is a dollar amount. Considering the best case (all good happens and no bad) and the worst case (all bad happens and no good), the actual value will most likely lie between the best and worst case. The expected value is the estimate of where the actual value is expected to be.
Probability – is the likelihood that the event will occur.
Impact – is the gain or loss that is incurred if the event occurs.
• A simple, unstructured estimation scheme is to use high, medium, and low categories.
• The parameters are determined by the organization; for example, a frequency of 1 to
10 may be considered low; 11 to 100, medium; and more than 100, high.
• Once the categories have been established, they must be used for every risk situation.
• In the prioritization process, risks from the analysis process are ranked from highest to lowest.
• For the high/medium/low example above, it is important to decide whether the value of the frequency or the value of the impact is more important.
• Risks may also be prioritized using a Question and Answer technique to filter out the unimportant risks.
# Typical examples of Risk filters are
• Impact (significant or insignificant),
• Likelihood of occurrence (very likely or not likely),
• Time frame (short term or long term),
• Control (within control or not within control).
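As an added example (not from the original slides), the structured calculation Expected value = Probability * Impact, the Low/Medium/High probability bands, the schedule product for independent tasks, and the filter-then-rank prioritization described above, in Python. The risk register, its names and its values are constructed and hypothetical.

```python
from dataclasses import dataclass
from math import prod


@dataclass
class Risk:
    name: str
    probability: float  # likelihood the event occurs, 0.0 to 1.0
    impact: float       # monetary loss if it occurs (one currency unit throughout)

    def expected_value(self) -> float:
        # Structured method from the slides: Expected value = Probability * Impact
        return self.probability * self.impact


def probability_band(p: float) -> str:
    # Approximation bands: Low (<33.33%), Medium (33.34 to 66.66%), High (66.67 to 100%)
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie between 0 and 1")
    pct = p * 100
    if pct <= 33.33:
        return "Low"
    if pct <= 66.66:
        return "Medium"
    return "High"


def schedule_on_time_probability(task_probs: list[float]) -> float:
    # Independent tasks: multiply each task's chance of finishing on time
    return prod(task_probs)


def prioritize(register: list[Risk], min_probability: float = 0.0, min_impact: float = 0.0) -> list[Risk]:
    # Risk filters (likelihood, impact) drop "not likely" / "insignificant" items,
    # then the survivors are ranked from highest to lowest expected value
    kept = [r for r in register if r.probability >= min_probability and r.impact >= min_impact]
    return sorted(kept, key=lambda r: r.expected_value(), reverse=True)


# Constructed sample register (hypothetical values, not from the slides)
REGISTER = [
    Risk("Key developer leaves mid-project", 0.20, 50_000),
    Risk("Regulatory change forces rework", 0.05, 400_000),
    Risk("Build server outage", 0.60, 2_000),
    Risk("Vendor library licence withdrawn", 0.10, 120_000),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER, min_probability=0.10):
        print(f"{r.name:40} P={probability_band(r.probability):6} EV={r.expected_value():>10,.0f}")
    print("3 tasks at 50% each finish on time:", schedule_on_time_probability([0.5, 0.5, 0.5]))
```

Note that the likelihood filter removes the regulatory risk even though it has the largest expected value, which is exactly the frequency-versus-impact decision the slides ask for.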
Risk Response Planning
– In this planning process, a response or strategy is developed for each item in the prioritized risk listing.
– It is always better to include a primary choice and a backup option.
# Responses to risk can be categorized as follows
• Accepting the consequences if the event occurs
  – Active acceptance would involve having a contingency plan in place to tackle the risk,
  – Passive acceptance would allow the risk to occur (E.g. Making less money if the project is late by a few weeks).
• Avoiding the consequences by eliminating the possibility of the risk occurring,
• Mitigating the risk by
  – Minimizing the probability of occurrence,
  – Minimizing the value of the impact.
• Transferring the risk (either to a sub contractor or to the customer).
# Risk resolution involves implementing the planned strategy when the risk occurs.
A key factor in this process is communication. It is important that the plan be communicated to the relevant people involved in the project and that responsibilities are assigned.
# It is also important to document the events that occur together with the action taken.
• If contingency plans are not in place, a crisis would occur.
# Risk monitoring includes periodically
• Assessing the project status,
• Reassessing the documented risks,
• Examining executed strategies that succeeded or failed, and
• Considering new risk events (for better preparedness).
For effective risk monitoring, consider the following.
• Have events that occurred affected the status of the project?
• Is the event still possible (could it recur)?
• Have the probability and impact of the event changed?
• Can the team/ organization handle this event again?
• Is the tolerance within the team/ organization the same?
• Have there been any changes to the customer base, technology or anything else that would result in new risks?
# If an event occurs, it should be a trigger to cycle the process of
• Prioritization, and
• An important aspect of the monitoring process is documenting the risk results in a risk management or project plan,
• Lessons learnt (from successes or failures) should be documented in a separate document or database,
• Always update these documents / databases regularly using incremental documentation.