The risk in the implementation of the project is the likelihood of adverse events. Types of project risks and risk factors. Project risks and uncertainty
Consider the process project risk identification .
Target risk identification- make the most complete list of project risks (first of all, the most dangerous risks).
Risks are usually hidden (like an underwater rock), and they can only be identified based on previous experience, as well as by identifying and analyzing various factors that may be the causes of risks. To do this, the project manager must understand the possible sources of risks, own certain methods for identifying risks and be able to use the knowledge and experience of specialists.
Features of risk management in projects:
1) risks may be associated with different elements of the project and the conditions for its implementation (sources of risks may be the customer's expectations and restrictions, the provision of the project with resources and the qualifications of the performers, the actions of competitors, etc.);
2) as project plans are developed and refined, new sources of risk associated with specific technologies, solutions and performers may appear;
3) the general trend of change in risk factors as the project is implemented is associated with a gradual decrease in the number and probability of possible risk events and in parallel with an increase in the magnitude and cost of the remaining risks;
4) not all risks are identifiable and manageable.
Risk sources subdivided into:
1) external sources - legislation, market reaction to manufactured products, actions of competitors, etc.;
2) internal - special requirements and limitations of the project, technological solutions used, competence of performers, project management features, etc.
Risks resulting from external causes are generally less manageable than internal risks.
Risks may also be:
1) famous - those that can be identified, assessed, analyzed and developed response plans;
2) unknown are those that are impossible or very difficult to foresee, evaluate and, accordingly, it is impossible to develop response plans.
Consequences of risks can be reduced to the impact on the most significant parameters of the project: the timing, cost, quality of results or targets.
To ensure a clear and unambiguous understanding of risks, they are usually formulated by highlighting the source of the risk, the risk itself and the consequences of the risk.
Sometimes project documents state that the risk of the project is “over budgeting the project”. This is an incorrect wording, since exceeding the project budget is the result of a number of risks.
For example, a source of risk may be the lack of interest of staff in the implementation of a new automated system.
The risk lies in the possible sabotage of project work by personnel.
Then the wording of the risk could be as follows: "The risk of sabotage due to the lack of interest of personnel in the implementation of the new system."
The consequences of this risk will be associated with delays in the implementation of the project.
In addition to the source and the risk itself, signs of risks are often formulated.
Risk symptoms (triggers)- these are indirect manifestations that warn (signal) about the possible onset of risk.
For example, a sign of the onset (or imminent onset) of the risk of sabotage may be the negative statements of employees about the project.
Imagine risk classification .
Until now, there is no single standardized risk classification that would be equally applicable to all projects in all areas of activity.
It's connected with:
The presence of a large number of risks specific in nature to specific projects and areas;
The impossibility in some cases to draw a clear line between different types of risks.
Primarily risks offered classify on:
1) sources;
2) consequences;
3) compensatory measures.
At the risk identification stage, the first approach is more useful, proposing to analyze possible risks in relation to the origins (causes) of each type of risk.
The second and third approaches can be useful for analyzing risks and deriving generalized assessments of the impact of risks on the goals of the project, its time and cost parameters.
Depending on the uniqueness of the risk factors, may be risks:
1) common for different types of projects- do not depend on the specific content of the project (for example, insufficient elaboration of plans for the implementation of the project, inconsistency of plans by the participants);
2) specific to certain types of projects(for example, the types and risk factors of a construction project are different from the risk factors of an information system implementation project; the risk factors of an organization's internal investment project are different from the risk factors of a contracted project for an external customer);
3) specific to a particular project(for example, the risks associated with the use of specific technologies and their integration within a specific project).
By types of risk sources may be:
1) technical;
2) marketing and commercial;
3) financial and investment;
4) risks of project participants;
5) social;
6) macroeconomic;
7) political;
8) legal.
May stand out risks associated with various project implementation stages:
1) planning;
2) design;
3) implementation;
4) commissioning.
Assigning an identified specific risk to a particular category of classification is not always unambiguous. What is important is not so much this “binding” as the “self-discovery” of a specific risk and further work to reduce or compensate for it.
More important in relation to planning risk management activities is the classification of risks according to the degree of manageability.
One of the most important tasks in risk identification is the identification of ultimate (or simple) risks.
Associated risks - groups of risks that lead to different consequences depending on whether the risk events occurred together or separately.
All possible project participants should take part in the risk identification process: project manager, project team, experts, customers, investors, etc.
An initial list of risks is developed by the project manager. The main group of project participants is involved in clarifying and supplementing the list.
In order to form an objective assessment, independent specialists may participate at the final stage of the formation of the list of risks.
To implement the procedure risk identification methods and tools:
1) review of project documentation;
2) analysis of assumptions;
3) SWOT analysis of the project;
4) methods of collecting information and working with experts:
Brainstorming method;
Delphi method;
Interview;
5) control tables and charts.
Documentation reviews and SWOT analyzes of a project are typically performed to identify major areas of uncertainty and develop an initial list of project risks.
Documentation overview involves a review of existing documents by the project manager and the working group (including a structured analysis of the project plan and available proposals (constraints) both at the level of the entire project and at the level of individual works).
When auditing project documents, analysis of assumptions.
Each project is based on a set of hypotheses, scenarios and assumptions. Assumption analysis examines their correctness, and then identifies project risks (based on the correctness, completeness, and consistency of the assumptions). This allows you to formulate potential risks based on the fact that the assumption made about the project may turn out to be incorrect.
If possible, it is also useful to study archived documentation on other similar projects and their risks.
SWOT analysis– analysis of the strengths and weaknesses of the project, opportunities and threats for its implementation (see Figure 1).
It allows you to see the main risk areas of the project, which can result both from project weaknesses and external threats, and from opportunities (since opportunities are usually associated with new solutions and can be sources of risk).
Figure 1 - SWOT analysis of the project
"Brainstorm" - the fastest method for identifying risks. Its purpose is to compile a broad list of all possible risks, from which the main risks of the project can later be selected.
The disadvantages of "brainstorming" are related to the fact that it is difficult to gather all the experts at the same time, ensure the independence of their opinions and avoid pressure from authorities.
Brainstorming can be more successful if participants prepare in advance by selecting certain categories of risks, and discussion management techniques are used during the meeting.
Delphi method- a method that allows you to reduce the influence of the opinions of more authoritative experts on the rest.
All participants in the survey are identified in advance, but in the examination they speak anonymously, without meeting each other.
Expertise is carried out in several stages.
The expert examiner sends out the questionnaire, collects and processes the answers.
The results obtained are sent to the experts for clarification, taking into account the opinions of other experts.
Each expert has the opportunity to get acquainted with the comprehensive results of the examination, and then give a new, more balanced assessment.
An agreed list of risks can be obtained as a result of several iterations of absentee approvals.
This method allows you to reduce the bias, bias of the analysis and the premature influence of individual members of the group on the opinions of other experts.
The main disadvantage of this method is the duration. In a real project, as a rule, there is not enough time for a full-fledged implementation of this method.
Individual interviews used when brainstorming fails (or in addition to brainstorming). Risks can be identified through surveys, interviews conducted by project risk management specialists.
Persons responsible for risk identification identify specialists in various functional areas of the project. Specialists giving interviews are based on their experience, information about the project and other sources.
To improve the efficiency of working with experts, various diagrams and control tables.
Checklists are lists of typical risks for a given class of projects, structured in accordance with the accepted classification.
Checklists may be developed based on experience gained from previous similar projects or other sources.
The advantage of using checklists is the ability to build on previous experience and structure discussions with experts.
Their disadvantage is the impossibility of compiling a complete, exhaustive control table, tk. the user is limited by existing types of risks. Checklists should be used in the initial risk planning phase.
From diagrams most commonly used causal (Ishikawa diagram), which allows you to organize and visualize the view of risks by type and source.
The output of the risk identification procedure should be a list of risks indicating specific sources and, if possible, symptoms of risks.
Practical experience shows that for a sufficiently large and complex project, at least 50 risks should be identified.
Risk identification should be carried out several times during the implementation of the project, as the situation in the project and its environment changes, which leads to a change in the list of risks.
Now consider the process project risk analysis and assessment .
The purpose of risk analysis and assessment is to rank the identified risks and identify the most dangerous of them.
Risk analysis can be qualitative and quantitative.
Qualitative risk analysis– the process of expert assessment of the impact and likelihood of identified risks.
Quantitative risk analysis - allows you to determine more accurate quantitative indicators of the probability of occurrence of individual risks and their impact on the costs and timing of the project, as well as calculate the main parameters of the entire project, taking into account risks.
Qualitative analysis provides quick but rough estimates, while quantitative analysis provides more accurate estimates but requires considerable effort and time to perform.
Quantitative risk analysis requires reliable input information, good statistical data and mathematical models that allow analysis.
Often, risk management can be limited to only qualitative analysis.
V analysis identified risks(qualitative and quantitative) can be obtained:
1) list of risks grouped by priority(e.g. high, low, medium).
Risks can also be grouped depending on the urgency of the response: risks that require immediate response, and risks that can be delayed for some time;
2) a list of risks requiring additional analysis.
Risks with high or medium priority, for which there is insufficient information, which may require additional analysis, including additional analysis of causes and consequences;
3) a generalized assessment of the riskiness of the project, which allows you to assess the riskiness of the project as a whole in comparison with other projects.
Methods qualitative risk analysis based on expert opinions and require tools to ensure unified approaches to analysis by various experts, presentation and comparison of estimates.
Experts evaluate two main parameters for each risk:
1) risk probability;
2) the impact of risk on project parameters.
The likelihood and impact of a risk can be defined by qualitative ratings (such as very high, high, medium, low, very low).
However, in order for experts' assessments to be comparable, they must be based on common scales and criteria. To do this, experts need to be provided with uniform scales and principles of assessment.
Table 1 and Table 2 show examples of assessing the likelihood and impact of a risk on a project.
Table 1 - Evaluation of the likelihood of project risk
| Risk probability, % | Qualitative characteristic | Grade (rank) |
| 1) Very small (less than 5%) | An event can occur in exceptional cases. The suggestion is more theoretical than practical. In reality, such a risk did not occur. | 0,01 |
| 2) Small (5–10%) | A rare event, but has already taken place (once happened). | 0,1 |
| 3) Medium (10–30%) | There is sufficient evidence to suggest the possibility of an event. The event happened 1-2 times on other projects. | 0,2 |
| 4) High (30-60%) | The event is very likely. This happened a lot on previous projects. “Rather “YES” than “NO”, “50/50” and even more. | 0,4 |
| 5) Very high (60–99%) | The event is likely to happen. There is almost certainty that this will happen. | 0,8 |
Table 2 - Assessment of the impact of risk on the project
| Indicator | Impact on the project | ||||
| Very weak (rank 0.01) | Weak (rank 0.1) | Average (rank 0.2) | Strong (rank 0.4) | Very strong (rank 0.8) | |
| 1) Project goals | Minor changes | The changes affected a small part | Changed most of the goals | Changes are unacceptable to the customer | |
| 2) Cost | Slight cost increase (up to 1%) | Increase in cost by no more than 5% | Increase in cost by 5–10% | 10-20% cost increase | More than 20% cost increase |
| 3) Timing | Slight lag (up to 1%) | Backlog up to 5% | Project backlog 5–10% | Project backlog 10–20% | More than 20% lag |
| 4) Quality | Slight decrease in quality | Few properties affected | Quality reduction requires customer approval | Quality reduction is unacceptable for the customer | The continuation of the project is pointless |
Based on expert assessments, a risk map project in the form likelihood/impact matrices(See Figure 2).
The measure of risk (danger risk) is calculated as the product of the probability index by the impact index.
Each cell of the matrix corresponds to a certain value of the risk hazard indicator.
Figure 2 – Project Risk Map (Probability/Impact Matrix)
All project risks are distributed over the cells of the matrix. The project manager gets a clear picture of the risk distribution of the project according to the level of danger.
Risks with high probability and high impact require a priority response. Often such risks are unacceptable for the project, and the condition for the further implementation of the project are actions to minimize these risks.
The risks that low level of danger(unlikely, not having a special impact on the project), can be excluded from further detailed study, limited to less costly response measures.
Levels separating project risks into unacceptable, medium and insignificant (threshold risk levels), are determined for each project individually, depending on the importance of the project for the customer and his willingness to take risks.
In addition to the main risk parameters (probability and impact), it is important to determine risk management capability.
Depending on the type of sources, risks are divided into managed, partially managed and unmanaged.
If dangerous unmanageable risks are found in the project, then these risks must be discussed at the level of the customer and investor.
The presence of dangerous unmanaged risks can cause the project to be stopped and closed (see Figure 3).
Risk analysis requires reliable data. The use of inaccurate data with an incomplete understanding of the risk leads to its incorrect assessment. If there is no certainty about the quality of the input data, further assessment of the degree of understanding of the risks by experts and obtaining additional information may be required.
Based on the results of a qualitative risk analysis, you can proceed to the development risk response plan.
However, in order to calculate more accurate assessments of risks and their impact on the project, quantitative risk analysis.
Figure 3 - Algorithm for making a decision based on the results of the analysis
Quantitative Analysis carried out for the purpose definitions:
1) the probability of achieving the goals of the project, taking into account the complex impact of risks on the project;
2) realistic costs and deadlines for completing the project for a given level of risk;
3) the total amount of reserves that may be needed.
To implement the quantitative analysis procedure, it is proposed to use modeling methods and tools.
Modeling implies building project models, which reflects the possible fluctuations in the parameters of the project tasks in their impact on the entire project.
To perform a quantitative risk assessment, it is usually required to collect additional (quantitative) information about risk parameters(for example, optimistic and pessimistic estimates of the parameters of work, the nature of the distribution of probabilistic estimates).
When conducting a cost risk analysis, a hierarchical structure of work can be used as such a model. Network diagrams and scheduling tools are used to model the time parameters of the project, taking into account risks.
One of the simplest and most common methods for modeling a project, taking into account uncertainty, is the scheduling method. PERT (Program Evaluation and Review Technique). When using the PERT method, the expected duration of the project is determined on the basis of three expert estimates: optimistic, pessimistic and most probable. The calculation is made taking into account the weighting factors (see Figure 4).
As a result, the weighted average (most expected) duration of work with an aggregate level of risk is calculated.
Figure 4 – PERT Grading Scheme
This allows the project manager to build several project schedules:
1) optimistic;
2) pessimistic;
3) the most probable;
4) expected PERT.
Thus, the PERT method allows you to determine expected duration project work based on three probabilistic time estimates:
1) optimistic assessment;
2) pessimistic assessment;
3) the most probable estimate.
The expected duration of the project is determined by the formula:
,
where OP- the expected duration of the project;
OO– optimistic estimate;
HBO– the most probable estimate;
ON is a pessimistic assessment.
The risks of changing the composition or logical structure of work in the PERT method are not taken into account.
More accurate risk-based project modeling is done using Monte Carlo method, which allows you to create and simulate a variety of scenarios consistent with the given constraints of the original variables.
The method allows the most complete consideration of various types of uncertainties that the project may encounter.
Unlike PERT methods, for various probabilistic estimates, various forms of distribution of random variables (uniform, normal, triangular, beta distribution) can be specified in the model.
For each risk category, its own type of distribution function is selected, which characterizes the frequency of occurrence of each value of the variable from the domain of definition. The choice is made on the basis of statistical data or expert assessments. Determining the shape of the distribution for each random variable is one of the most difficult tasks to be solved in modeling.
After determining the probability estimates and their distribution functions, the procedure is applied for each job simulation modeling Monte Carlo. During simulation calculations, the parameters of each job are selected randomly in accordance with the type of distribution and within the specified range.
As a result, the probabilistic values of the parameters characterizing the project as a whole (costs and deadlines for the implementation of the main stages and the entire project) are calculated. Carrying out computational iterations is a fully computerized part of the method (the greater the number of runs, the higher the accuracy of the results).
Another type of quantitative project risk analysis is sensitivity analysis, which allows you to identify the risks that have the greatest impact on the project. This calculates the impact of changing one of the project input parameters on one of the performance parameters, while the other input parameters remain unchanged.
A fairly simple tool for making decisions on a project, taking into account probabilities, is “ decision tree". The construction of this tree helps to identify possible alternative ways of implementing the project. At the same time, the development of each project development option is accompanied by an assessment of risks and costs, which facilitates the decision-making process, because helps to determine the most profitable solution in terms of cost and probability of occurrence of a risk event. The calculation can be carried out taking into account the probability of one or more successive events occurring on the project. In addition to the integral assessment of the attractiveness of the project as a whole, the parameters of the effectiveness of each option are calculated.
The composition and level of danger of risks will change as the project progresses. At the beginning of a project, when uncertainty is particularly high, the number of potential risk events and their likelihood are also high. But the potential damage from each risk event at the beginning of the project is relatively small.
As the project progresses, the level of uncertainty will decrease and the number of risk events will decrease. However, the magnitude of the potential damage from risks that may occur in the later stages of the project will increase. This means that the project manager must perform a risk analysis and assessment several times during the course of the project.
Risks can be controlled, partially controlled or uncontrolled, depending on the reasons for their occurrence.
External risks, as a rule, cannot be fully controlled.
Internal risks can be partially or completely controlled.
Examples of external and internal risks are presented in Table 3.
Table 3 - External and internal risks of the project (in terms of controllability)
| Type of risk | Risk example |
| 1) External unpredictable (uncontrollable my) | 1.1) Unforeseen interference states, changes in regulation and the introduction of special requirements in areas such as: - supply of raw materials; - ecology problems; - design standards; - production standards; - allocation of land plots; - sale (export) of services, products; pricing policy, etc. |
| 1.2) Risks associated with natural and technogenic disasters: earthquakes; floods; hurricanes, etc. | |
| 1.3) Wrecking: riots; vandalism; sabotage, terrorist acts. | |
| 2) External predictable (partially controlled) | 2.1) Marketing (market) risks: - unavailability or increase in the cost of raw materials; - changes in the volume of demand, including changes in the requirements of the customer / user; - changes in requirements for customers / clients / users; - changes in the state of the economy; - increased competition; - loss of market position; - unwillingness of customers to adhere to purchase agreements. |
| 2.2) Operational risks: - change in the goals of the investor / customer of the project; - the impossibility of ensuring the required level of production by performers and partners; - failures in terms and quality of deliveries. | |
| 2.3) Other risks: environmental impacts, social impacts, changes in the foreign exchange market, inflation, taxes, etc. | |
| 3) Internal, non-technical (partially controlled) | 3.1) Management risks: - mismatch of personnel qualifications; - loss of control; - incompatibility of the goals of the project participants; - change of leading specialists; |
| - absence or weak organizational structure; - absence or lack of instructions and procedures; - inadequate planning; - unrealistic deadlines; - lack of coordination of participants. | |
| 3.2) Production risks: - lack of performers; - low productivity of performers; - lack of materials; - unforeseen conditions of the project implementation site; - accidents; - strikes. | |
| 3.3) Financial risks (associated with the movement of funds): - reduction in funding; - suspension of funding; - bankruptcy. | |
| 4) Internal technical (controlled) | 4.1) Technological: - obsolescence and the need to replace part of the project technologies; - the complexity of the project as a result of the application of new technologies; - loss of quality due to technology change; - Decreased performance and reliability. |
| 4.2) Specific risks of the technology used in the project: - problems in integration with other project technologies; - problems in ensuring the operation of the product / system; - problems of implementation in operation. | |
| 4.3) Risks associated with the design: - data inaccuracy; - lack of previous experience of the designer / contractor; - inadequate design; - the likelihood of changes during the implementation of the project; - large scale and complexity of the project. | |
| 5) Internal legal / contract (controlled) | 5.1) Legal: - licenses; - patent rights. |
| 5.2) Contractual: - misinterpretation of contract clauses; - misunderstanding of the contract; - Mistakes in the drafting of the contract. |
Development of a risk response plan; project risk monitoring and control
Based on the results of the risk analysis, a risk response plan .
Risk response planning- development of measures that provide an overall increase in the likelihood of successful completion of the project due to:
Minimizing the likelihood and mitigating the negative consequences of risk events (having a negative impact on the project);
Maximize the likelihood and enhance the positive consequences of risk events (having a positive impact on the project).
This process includes planning specific actions to reduce the impact of risks on the project, as well as the distribution of responsibility among project participants for timely response to risk events.
The effectiveness of the developed response measures is determined by reducing the number of risks, reducing the severity of their consequences and increasing the opportunities for more efficient project implementation.
The response planning strategy should be appropriate to the importance of the project, the level of risk, and also take into account the cost-effectiveness of resources and time requirements.
Risk response plan contains a detailed description of the response to identified risks and may include the following sections and documents:
1) a list of project risks, their description, causes and degree of impact of risks on the project;
2) owners of risks and distribution of responsibility;
3) results of qualitative and quantitative risk assessment;
4) the level of risks (probability of occurrence and impact) that is expected to be achieved as a result of the application of response measures;
5) response (avoidance, transfer, minimization or acceptance) for each risk;
6) specific actions within the implementation of the chosen response method;
7) budget and response time;
8) contingency plan, neutralization plan, anti-crisis plan.
In addition to the response plan in progress developing responses the following can be obtained results:
1) List of residual risks(which remain after avoiding, transferring or minimizing risks).
These may be minor risks for which no response plans have been developed. It is usually required to provide additional reserves, taking into account the number of residual risks;
2) secondary risks, arising as a result of the application of response measures to previously identified risks.
Secondary risks must also be identified and require the development of response measures;
3) Additions to contracts, agreements stipulating liability for risks.
Risks can be significantly reduced by involving external organizations in the project or risk insurance;
4) Contingency reserve - these are reserves in case of exceeding the previously determined risk indicators and unforeseen risks.
Main ways of responding to risks include:
1) for risks with negative consequences:
Risk avoidance;
Transfer of risks;
Risk minimization;
Acceptance of risks;
2) for risks with positive consequences:
Usage;
Sharing with partners;
Gain;
Adoption.
Let's consider in more detail ways to respond to risks with negative consequences(See Figure 5).
Risk avoidance involves changing the project plan and taking actions to completely eliminate the source of the risk or the risk itself.
Some of the reasons for the appearance of risks at the initial stages of the project can be eliminated by changing the requirements for the project, obtaining additional information, changing technical solutions, developing new methods, and attracting experts.
Passive risk avoidance is associated with the rejection of the most risky goals and parts of the project, from the use of new technologies. Passive avoidance of risks can lead to a decrease in the effectiveness of the project as a whole.
Figure 5 - Ways to respond to risks
Risk minimization involves reducing the likelihood of occurrence and the degree of impact of risk on the project to acceptable limits.
It is possible to reduce the probability of occurrence of risks as a result of additional research, staff training, the use of various financial instruments and management decisions.
In addition to minimizing the likelihood of risks occurring, attempts are being made to reduce the impact they have by rescheduling projects and using reserves.
If possible, risks and measures to respond to them can be transferred to third parties.
Risk transfer does not completely avoid their impact, it only shifts the responsibility for the risks to other project participants.
The transfer of risks to a third party, as a rule, is accompanied by additional payments associated with the transfer of obligations, powers and guarantees.
In a situation where project participants cannot ensure the implementation of the project in the event of certain risk events, it is effective risk insurance.
Legislation allows you to insure:
Buildings, equipment;
Production capacity;
Staff;
The onset of certain events, etc.
Deductions for insurance of entrepreneurial risks can be included in the cost of production within a certain limit.
In addition to transferring financial responsibility for the risk to the insurance company, it is possible distribution (transfer) of risks between project participants. The distribution of risks between the participants occurs when contracts are signed.
The transfer of responsibility for the risk to another participant is usually accompanied by a corresponding redistribution of the benefits (payment for work, profit) of the project in favor of the owner of the risk.
Responsibility for risk is most effectively transferred to those project participants who have the ability to most clearly, efficiently and effectively manage these risks.
Risk taking used due to the impossibility or unreasonable application of any other response measures.
In this case, the decision is made not to change the project plan in advance, but to develop a response plan in case of the occurrence of a risk, the appearance of risk symptoms, or a plan to neutralize the consequences of the risk. In this case, all response measures are carried out after the occurrence of a risk or after the appearance of signs of a risk.
Neutralization plan risks - one of the tools to minimize the impact of the risks that have occurred, which determines the reserve of time and other resources in case of a risk.
Anti-crisis plan is developed if the identified risks have too significant an impact on the results of the project or if the chosen strategy does not allow one to be 100% sure that it is effective. This plan may involve a change in the goals or strategy of the project.
In the case of choosing the option of accepting risk as a way of responding, it becomes necessary reservation of funds on measures to respond to the consequences of risks. Some Western and Russian sources indicate the possibility of reserving from 7% to 15% of the project funds for possible risks and overcoming their consequences.
Reservation algorithm includes the following steps:
1) assessment of the consequences of the occurrence of a risk event;
2) determination of the structure of the reserve to cover the consequences of a risk event;
3) allocation of funds;
4) control over the use of the formed reserve.
Now consider the process risk monitoring and control project.
Risk monitoring and control are maintained throughout the project and include monitoring the status of identified risks and identifying new risks, as well as ensuring the implementation of the risk management plan and evaluating its effectiveness.
In progress risk monitoring define the following:
1) Are proper risk management procedures in place?
2) Has the risk response been carried out as planned?
3) Are risk response measures effective enough, is there a need to develop new measures?
4) Are the previous assumptions correct?
5) Have symptoms of risks emerged?
6) Has the impact of risks on the project changed compared to the forecast, what is the trend of change?
7) Is it necessary to change risk response plans in accordance with new information?
To implement procedures monitoring and control it is suggested to use the following tools:
1) audit of project risk response measures - verification and documentation of the effectiveness of response measures and actions of risk owners;
2) periodic review of project risks - re-identification and risk assessment to identify remaining and newly emerging risks;
3) additional response planning – may be required if the originally planned response is ineffective.
The implementation of control and monitoring of risks may entail the selection of alternative measures to respond to risks, the implementation of corrective actions, and rescheduling of the project.
Results of risk monitoring and control may be the following:
1) Redesigned Risk Response Plan(in case of new risks, which should be documented and "linked" to the project plan and risk response plan);
2) corrective action, carried out according to the plan, in case of unforeseen circumstances or in accordance with the revised risk response plan;
3) Change Requests(the need to make changes to the project plan and other documents in the process of project implementation);
4) Report on the implementation of the risk response plan(the risks that have occurred and the response measures must be documented
completed and evaluated; unrealized risks should be documented, but they can be excluded from the risk response plan);
5) Risk databases(in the process of project risk management, information is collected, accumulated and analyzed; the created risk database can later be used in the implementation of other projects);
6) Questionnaire update(the generated questionnaires containing information on typical project risks should be updated based on the results of the project and can be used in risk management of other projects).
Risks arise from the uncertainties that exist in every project. Risks can be "known" - those that are identified, assessed, for which planning is possible. Risks “unknown” are those that are not identified and cannot be predicted. Although the specific risks and conditions for their occurrence are not defined, project managers know from past experience that most of the risks can be foreseen.
When implementing projects with a high degree of uncertainty in such elements as goals and technologies for achieving them, many companies pay attention to the development and application of corporate risk management methods. These methods take into account both the specifics of projects and corporate management methods.
The American Project Management Institute (PMI), which develops and publishes standards in the field of project management, has significantly revised the sections governing risk management procedures. The new version of the PMBOK (expected to be adopted in 2000) describes six risk management procedures. In this article, we offer a brief overview of risk management procedures (without commentary).
Management of risks- these are the processes associated with the identification, analysis of risks and decision-making, which include maximizing the positive and minimizing the negative consequences of the occurrence of risk events.
The project risk management process typically includes the following procedures:
- - selection of approaches and planning of project risk management activities.
- Risk identification- identification of risks that can affect the project, and documentation of their characteristics.
- Qualitative risk assessment- qualitative analysis of risks and conditions of their occurrence in order to determine their impact on the success of the project.
- Quantification- quantitative analysis of the probability of occurrence and the impact of the consequences of risks on the project.
- - determination of procedures and methods to mitigate the negative consequences of risk events and use the possible benefits.
- Risk monitoring and control- monitoring risks, identifying remaining risks, implementing the project's risk management plan and evaluating the effectiveness of risk mitigation actions.
All these procedures interact with each other, as well as with other procedures. Each procedure is performed at least once in every project. Although the procedures presented here are considered to be discrete elements with well-defined characteristics, in practice they may overlap and interact.
Risk management planning
Risk management planning- the decision-making process for the application and planning of risk management for a particular project. This process may include decisions on organization, staffing of project risk management procedures, selection of preferred methodology, data sources for risk identification, time interval for situation analysis. It is important to plan risk management adequate to both the level and type of risk and the importance of the project to the organization.
Risk identification
Risk identification determines which risks are likely to affect the project and documents the characteristics of those risks. Risk identification will not be effective if it is not carried out regularly throughout the life of the project.
Risk identification should involve as many participants as possible: project managers, customers, users, independent specialists.
Risk identification is an iterative process. Initially, risk identification may be performed by a part of the project managers or by a group of risk analysts. Further identification can be handled by a core group of project managers. To form an objective assessment, independent specialists may participate in the final stage of the process. Possible responses can be identified during the risk identification process.
Qualitative risk assessment
Qualitative risk assessment- the process of presenting a qualitative analysis of the identification of risks and the identification of risks requiring a rapid response. This risk assessment determines the importance of the risk and chooses how to respond. The availability of accompanying information makes it easier to prioritize different risk categories.
A qualitative risk assessment is an assessment of the conditions for the occurrence of risks and the determination of their impact on the project by standard methods and means. The use of these tools helps to partially avoid the uncertainty that often occurs in the project. During the life cycle of the project, there should be a constant reassessment of risks.
Risk Quantification
Risk Quantification determines the probability of occurrence of risks and the impact of the consequences of risks on the project, which helps the project management team to make correct decisions and avoid uncertainties.
Quantitative risk assessment allows you to determine:
- the probability of achieving the final goal of the project;
- the extent to which the risk will affect the project and the amount of unforeseen costs and materials that may be needed;
- risks requiring prompt response and greater attention, as well as the impact of their consequences on the project;
- actual costs, estimated completion dates.
Quantitative risk assessment often accompanies qualitative assessment and also requires a risk identification process. Quantitative and quantitative risk assessment can be used separately or together, depending on the time and budget available, the need for quantitative or qualitative risk assessment.
Risk response planning
Risk response planning is the development of methods and technologies to reduce the negative impact of risks on a project.
Takes responsibility for the effectiveness of protecting the project from exposure to risks. Planning includes identifying and categorizing each risk. The effectiveness of the response design will directly determine whether the impact of the risk on the project will be positive or negative.
The response planning strategy should be appropriate to the types of risks, cost-effectiveness of resources and timescales. The issues discussed during the meetings should be adequate to the tasks at each stage of the project, and agreed with all members of the project management team. Typically, several options for risk response strategies are required.
Monitoring and control
Monitoring and control monitor risk identification, identify residual risks, ensure implementation of the risk plan, and evaluate its effectiveness against risk mitigation. Indicators of risks associated with the implementation of the conditions for the implementation of the plan are recorded. Monitoring and control accompanies the process of project implementation.
Quality control of project execution provides information that helps to make effective decisions to prevent the occurrence of risks. Communication between all project managers is necessary to provide complete information about project implementation.
The purpose of monitoring and control is to find out whether:
- The risk response system was implemented in accordance with the plan.
- The response is effective enough or changes are needed.
- The risks have changed compared to the previous value.
- The onset of the impact of risks.
- The necessary measures have been taken.
- The impact of the risks turned out to be planned or was an accidental result.
Control may entail the selection of alternative strategies, the adoption of adjustments, the re-planning of the project to achieve the baseline. There should be constant interaction between project managers and the risk group, all changes and phenomena should be recorded. Project progress reports should be generated regularly.
Like any serious undertaking, not a single project in the course of its implementation is insured against risks. The larger the project, the greater the scale of potential risks. But when it comes to project management, for the most part, you need to think not about risk assessment, because. it is an intermediate step, but it is about developing a plan for responding to changes that would help reduce the degree of risk. And in this lesson we will talk about the most important subtleties and specific features of risk management.
Project risks and uncertainty
The term "risk" in project management means a probable event that prevents the project manager and his team from achieving the goals of the project or its individual parameters, due to the time, quantitative and cost framework. Risk is associated with specific causes and sources and always has its consequences. In other words, risk affects project outcomes.
Project risks are always associated with uncertainty. Based on this, it is necessary to have an idea of the degree of uncertainty and its causes. Uncertainty should be understood as a state of objective conditions in which the project begins to be implemented, but which does not allow foreseeing the results of decisions made due to incompleteness and inaccuracy of information. The degree of uncertainty plays a big role, because The project manager can only manage those risks for which at least something significant is known.
When there is no information, any risks are called unknown. They require the creation of a special reserve without the implementation of management procedures. If there is even minimal information on threats, it is already possible to develop a response plan aimed at minimizing the risk. Below is a risk management scheme from a position of uncertainty:
Another equally important nuance for understanding the specifics of project risk is the dynamism of the risk map, which changes as the project tasks are solved. Pay attention to the model of the dynamics of the probability of risk and the volume of losses:
At the initial stage of the project, the probability of a threat is maximum, but the possible losses are at a low level. By the end of the design work, the magnitude of losses increases, but the likelihood of threats decreases.
Guided by this feature, we can draw two conclusions: firstly, during the project implementation it makes sense to analyze the risks several times (the risk map will always change), and secondly, the most optimal risks are minimized at the project development stage or in the process of project development. documentation (this reduces costs many times over, rather than at the stage of direct project implementation).
Risk management concept
The risk management methodology available today implies active work with the sources and consequences of identified threats. In general, risk management is a set of processes based on the identification and analysis of risks and the development of measures to minimize the level of negative consequences as a result of risk events.
The Project Management Body of Knowledge identifies six main risk management processes. The visual scheme of their sequence is as follows:
That is, the main procedures for managing project risks include:
- Risk identification
- Risk analysis (qualitative and quantitative)
- Risk control
Identification is the definition of risks based on the determination of the factors that produce them, as well as the documentation of the parameters of these risks. Qualitative and quantitative analysis of the causes of occurrence and the possibility of negative consequences are necessary for the formation of an assessment procedure. Planning for responding to identified risks involves the creation of a set of measures aimed at reducing the negative impact of risks on the parameters and results of the project. But the main place in this system is occupied by risk monitoring and control - they are carried out throughout the entire life cycle of the project.
Through skillful risk management, you can achieve:
- Objective perception and understanding by project participants of the uncertainties and risks associated with its implementation, their sources and possible negative events as a result of the emergence of risks
- Search and expansion of opportunities for the effective solution of design problems, taking into account the identified uncertainties
- Development of ways to minimize project risks
- Refinement of project plans taking into account the identified risks and sets of measures to minimize them
Project risks can be managed by both the project manager and all members of the project team to varying degrees. In the process, methods of expert assessments, discussions and interviews, as well as software and mathematical apparatus, etc. are used.
Before starting risk management, it is necessary to form an information context, which includes external and internal conditions for solving problems. External conditions include competitive, environmental, technological, social, legal and economic, political and other aspects. And the internal ones consist of a number of characteristics - these are:
- Characteristics of the project and its goals
- Characteristics of the structure and goals of the project organizing company
- Corporate regulations and standards
- Information about the resource provision of the project
It is necessary to start managing project risks with planning.
Risk management planning
Risk management is the first process among the entire set of procedures for dealing with design threats. Planning is a tool that allows you to determine the selected methods, tools and the degree of organization of management for a particular project. The Project Management Institute (PMI) attaches great importance to this process in terms of communication with each party interested in the project. The PMBoK Guide suggests the following risk management planning framework:
The risk management plan is a document consisting of several sections, namely:
- General Provisions
- The main characteristics of the company organizing the project
- Statutory characteristics of the project
- Goals and objectives of risk management
- Methodological section describing the methods, means of analysis and evaluation, sources of information recommended for use in order to manage project risks (all tools and methods must be described according to the stages of project implementation)
- An organizational section that includes the distribution of roles and responsibilities among project team members, as well as a description of the relationship with other project management elements
- Budget section, which includes the rules for the formation and implementation of the risk management budget
- of the Regulations section indicating the timing, frequency and duration of risk management operations, forms and composition of control documents
- Metrological section, consisting of principles of evaluation, rules for recalculating parameters and reference scales (they serve as aids for qualitative and quantitative analysis)
- Threshold risk values - acceptable values of risk parameters at the project level and individual threats (it is necessary to take into account the importance and novelty of the project implementation)
- Reporting section, which considers the issues of frequency, forms, procedures for filling out, submitting and reviewing reports
- Section of monitoring and documentation support of project risk management
- Section of templates for project risk management
After the planning phase of risk management is completed, the risk identification process follows.
Identification of project risks
The identification process identifies and demonstrates project risks. The result is a list of risks sorted according to their severity. As with risk planning, risk identification should involve all members of the project team and project stakeholders.
Identification is an iterative process because as the project develops, new risks may arise and previously inaccessible information about those already identified may become known. The frequency of repetitions, as well as the composition of the identification participants, may vary depending on the situation. Risks should always be described in sequence to ensure that each is clearly and unambiguously understood to support effective analysis and response plan development. Descriptions should be written in such a way that the relationship of risk to the project and the impact of other risks can be compared.
Identification must be carried out in accordance with the results of the study of all previously identified factors, but it must be understood that not every factor can be identified and controlled. As project plans are developed and expanded, new sources of threat often emerge, and the number of potential risks increases as the project progresses towards full implementation. Effective identification also depends on whether a detailed risk classification is available. One of the most useful classifications is the classification of risks according to the degree of controllability, for example, this:
The classification of risks according to the degree of controllability is useful in that it helps to clearly determine for which specific uncontrollable factors it is necessary to create reserves. However, the controllability of risks does not guarantee that they will be successful in managing them, which is why other methods of division should also be guided. We also note that today there is no universal classification of risks, which is due to the uniqueness of each project and the variety of risks accompanying projects. In addition, it is quite difficult to determine the line between similar risks.
As for the typical features of classification, they include:
- Risk sources
- Consequences of risks
- Threat Mitigation Methods
At the identification stage, the first sign is most often used. Below is one of the most popular classifications of project risks by source of occurrence:
The remaining two signs are useful in the analysis of risk factors. Therefore, it makes sense to consider the types of project risks based on the uniqueness of their factors:
- Specific risks from the position of a local project (risks depending on innovative technology, etc.)
- Specific risks in terms of the type of project implementation (factors for IT projects, innovative projects, construction projects, etc. are taken into account)
- General risks for all projects (low level of budget development, misalignment of plans, etc.)
Correct identification depends on the correct formulation of the risk, and it is very important not to confuse the risk, its source and consequences. The risk statement usually consists of two parts: an indication of the source of the risk and an indication of the event that carries a threat. After the risks are identified and formulated, it is necessary to proceed to their analysis and assessment.
Analysis and assessment of project risks
It is necessary to analyze and evaluate risks in order to convert the information found at the identification stage into data that will allow making responsible decisions. Qualitative analysis includes a set of expert assessments of probable adverse effects, depending on the identified factors. And quantitative analysis allows you to determine and refine the quantitative indicators of the likelihood of threats. Quantitative analysis takes more effort, but is more reliable. To conduct it, you need to have high-quality input data and use effective mathematical models. It must be carried out by highly qualified personnel.
But often qualitative analytical indicators are enough, however, for this, upon completion of the analysis, the project manager must receive:
- Prioritized list of risks
- List of positions for which additional analysis is required
- General conclusion on the riskiness of the project
Experts distinguish two types of assessments: an assessment of the likelihood of risk events and an assessment of the degree of their impact on the project. The main result of the qualitative analysis is the list of ranked risks with the assessments made and the risk map. The probabilities of the occurrence of risk events and their impact are divided into groups in a certain range of values.
After the assessments, special matrices with cells are built, where the results of the product of the probability value and the degree of impact are indicated. The resulting data is divided into segments that serve as the basis for ranking risks. The probability and impact matrix might look like this:
Based on the probability of the risk occurring and the degree of its impact on the project, each of the risks is assigned its own rating. The matrix displays the identified organizational thresholds for different risks (low, medium and high), allowing you to assess the risks as low, medium and high in relation to the project.
As a result, segments of unacceptable, medium and insignificant risks, called threshold levels, appear in the matrix. But in addition to establishing the two main parameters (probability and impact), a qualitative analysis requires the establishment of the very possibility of risk management. So, the risks can be:
- Managed
- partially managed
- Unmanaged
Below is an algorithm for making a decision to identify the degree of controllability and the magnitude of the risk:
If unmanageable hazardous risks are identified, they should be discussed with customers and investors, as the identification of such threats may cause the project to be stopped.
Another result of risk analysis and assessment is a risk map, which visually represents the matrix discussed above. The map looks like this:
The big circle in the upper right corner is the unacceptable risks. The probabilities below and to the left of the red line in the center are non-dangerous risks. Based on this risk map, you can plan how to respond to risks.
Risk response planning
In practice, four categories of risk consequences are usually distinguished:
- Affecting the budget
- Affecting timing
- Influencing product quality
- Affecting the functioning of the product
Response planning is a regulated procedure for developing a risk mitigation plan. This process determines the best measures to increase the likelihood of project success by responding to threats in order of priority. When calculating the project budget, it should include target resources and operations, the responsibility for which is distributed among the project participants.
In total, there are four main methods of responding to risks:
- Risk avoidance. It is considered the most active method, but it is not always applicable. Relevant in cases where it is possible to completely eliminate the sources of risk.
- Risk minimization. Another active method is to reduce the likelihood and reduce the danger of risks. Risks in this case should be fully controllable (most often these are external risks).
- Transfer-insurance risks. To use the method, you need to find a third party that will be ready to accept the risks and their negative consequences.
- Acceptance of risks. It implies a conscious readiness for risks and the direction of all subsequent efforts to eliminate the consequences.
This is, in brief, the methodological basis of risk management today. The project manager must take this information into account in his work, because the effectiveness of team work and the achievement of project goals depend on it and its use. But much more important, of course, is the practical skills of identifying, analyzing and responding to risks. Therefore, as an addition to the presented material, we suggest that you get acquainted with the ten golden rules of risk management from Bart Jutt.
The 10 Golden Rules of Risk Management by Bart Jutt
Bart Jutt is the Managing Director of the Dutch custom software company Concilio and a recognized risk management authority with 15 years of experience in project management. In his guide to risk management, he formulates 10 rules for successfully managing threats in projects.
Make risk management part of the project
The first rule is very important for successful project risk management. If you don't make risk management part of the project, you won't get the full benefits of using it. Some companies, especially those that are facing projects for the first time, do not pay attention to this issue, hoping that they will not face risks. From this, their entire project system becomes inefficient and subject to a lot of dangers. But professionals always make risk management a part of their day-to-day project operations, including discussions at meetings and staff training events.
Identify risks early in the project
The first stage in project risk management is based on identifying the risks present in the project. To do this, you need to concentrate on developing possible scenarios for the emergence of risks. The work should use the experience and knowledge of all team members and project participants, as well as third-party experts. This approach will allow you to identify all sorts of threats, including even those that did not initially come into view.
To identify risks, it is recommended to conduct interviews and interviews with team members, as well as brainstorming sessions. Information can be entered into electronic documents and reflected on paper. It is desirable to use business plans, strategies and other documents of already implemented projects as auxiliary tools. Naturally, it is far from always possible to identify all risks before they appear, but with the help of various identification methods, it becomes possible to identify most of them.
Communicate risks
The mistake many project managers make is not informing the team and others about threats. And this happens even in cases where the risks are obvious. But if you have a goal to quickly work out threats, you must immediately take them into account and inform other people about them in order to include tasks to eliminate them in the work plan in a timely manner.
At project meetings, risk information should always be placed on the agenda to allow issues to be discussed, time allocated to resolve them, and other potential threats that may arise. Do not forget that all risks must be reported to the sponsor and project initiator without fail.
Treat Risks as Opportunities
Project risks are primarily a threat, but with the help of modern approaches, you can find positive risks for the project and focus on them. Some risks can serve the project well, affecting its success and speed of implementation in a positive way.
In order for you and your team to be able to find the downside of risks, you need to leave some time in reserve for their additional consideration, and not rush headlong to eliminate them. Even 30 minutes can make all the difference if you manage to find a way to capitalize on a seemingly hopeless situation.
Clarify liability issues
A number of managers believe that the risks are already warned after drawing up their list. However, the list is only a starting point. The next step will be the distribution of responsibility for risks. A specific person should be responsible for optimizing each risk for the project, and the consequences of such an approach can be extremely favorable for the outcome of the whole case.
Initially, your team members may feel uncomfortable, realizing that they have a serious responsibility. But over time, they adapt and will perform actions and tasks to minimize threats properly.
Prioritize
Many managers prefer to consider and consider all risks equally, believing that this greatly simplifies the implementation of the project. But this is not the best strategy, because some risks may be more dangerous than others, and their degree of probability may be higher. For this reason, it is better to devote time to working out the risks that can lead to the largest losses.
Analyze your project for flaws that could undermine it. If there are, give them the highest priority. The remaining risks should be prioritized based on criteria of importance specific to each particular project. But usually the criteria are the consequences of risks.
Analyze risks
A clear understanding of the nature of risk is a prerequisite for managing it. For this reason, jumping to conclusions should be avoided and instead focus on a more thorough investigation of threats. Risk analysis is carried out at several levels. If your goal is to understand the essence of risk, study its possible consequences in detail. Their rigorous analysis will show you the features of the risk in terms of costs, time and quality of the result.
And close attention to the events preceding the occurrence of the risk will help to compile a list of the causes and circumstances of its occurrence, thanks to which it will be possible to develop a set of measures to minimize them. The information collected during the analysis is valuable data for the project and serves as a starting point for finding measures to optimize risks.
Plan for risk
Having a risk action plan adds value to the entire project because you have the ability to prevent potential threats and reduce the impact of existing ones. And such a plan can only be drawn up if the steps described above, such as separation of responsibilities, prioritization and risk analysis, have been completed.
When faced with threats, there are several options for action: minimize, avoid, accept or transfer risks. Think of a strategy for responding to possible risks based on these options. Understanding how to act in response to a threat also helps in finding the threat itself.
Register Risks
Despite the fact that this rule mostly applies to the field of accounting, it should not be neglected. Risk registration allows you to track the progress of the project and always keep threats in mind. In addition, it is also a great way to communicate, informing team members and project participants about ongoing events.
Keep a risk log in which you describe them, clarify issues related to them, analyze causes and effects, and record the most effective ways to respond. With such records, you will always increase the effectiveness of your risk management.
Explore risks and associated challenges
Thanks to the risk logging we just talked about, you will be able to keep track of risks and related tasks. Tracking is the daily job of any project manager and just needs to be included in your daily to-do list. Together with the study of related tasks, it is much easier to develop a set of responses.
The main focus of risk tracking should be on the current situation during the project. Think about what risk is most likely at the moment and whether risk priorities have changed in order to understand how to proceed and from which side you should expect a hit.
Good project risk management has many significant benefits. This includes minimizing uncertainty, and finding a lot of opportunities and ways to develop the project, and observing time, cost and quality limits, and, of course, making a profit.
But all this will become a reality only if, along with risk management, you professionally manage the projects themselves. Special methods have been developed for this, such as Scrum, Agile, Kanban, PRINCE2 and some others. And in the next lesson we will tell you about these methods and give their characteristics.
Test your knowledge
If you want to test your knowledge on the topic of this lesson, you can take a short test consisting of several questions. Only 1 option can be correct for each question. After you select one of the options, the system automatically moves on to the next question. The points you receive are affected by the correctness of your answers and the time spent on passing. Please note that the questions are different each time, and the options are shuffled.
Project risks A project risk is an uncertain event or condition that, if it occurs, will have a positive or negative effect on at least one of the project's objectives (time, cost, scope, quality). A risk may have one or more causes and, if it occurs, one or more consequences. 2
Business risk is the normal risk associated with a business activity, while it involves a variety of opportunities for profit and loss Pure risk (insurable) is: risk involving the possibility or likelihood of loss without any opportunity for profit risk that must be given priority risk that can be transferred to the other party by: concluding a contract, issuing a guarantee, insurance. Main types of risk 4
Project risk management is a systematic process of identifying, analyzing and responding to project risks; it includes processes that are related to: Conducting risk management planning Identification Analysis Response Monitoring and control on the project Objectives: Increase the likelihood and increase the impact of positive events Reduce the likelihood and mitigate the impact of adverse events for the project Project risk management 5
Risk management planning is the process that determines the approach, planning, and implementation of risk management operations for a project: Planning risk management processes is important to: ensure that the level, type, activity, and visibility of risk management is commensurate with both the risk itself and with the significance of the design organization; ensure sufficient resources and time for project management operations; establish a consistent basis for risk assessment; define and approve methods and statements of interested parties in relation to risks; create a risk management plan. Risk management planning 7
Risk identification - the process of determining which risks may affect the project and documenting their characteristics; why it is necessary: to identify the risk that affects the project; indicate internal and external sources of risk; reveal the causes and consequences of the risk; involve relevant professionals, stakeholders and external experts; assign risks to a specific category: project management risks, organizational risks, external risks Output of the risk identification process - risk register Risk identification 8
Conducting a qualitative risk analysis is the process of assessing and probabilities of occurrence of identified risks, as well as prioritizing risks in accordance with their potential impact on project objectives; for this it is necessary: to assess the probability of occurrence or non-occurrence of each identified risk; determine the consequences of each risk event, what amount is involved “whether anything can be lost; prioritize risks based on their likelihood/consequence; identify risks that can be managed (that can be mitigated). Conducting a qualitative risk analysis 11
Risk assessment Evaluation factors include: Precedent (Has this risk happened before?) Knowledge of the operation (Has this work been done before?) Resources and skills Time, cost and quality Likelihood (What is the likelihood of the risk occurring?) Impact (What is its impact on the project or business?) 13
Measuring Probability Likelihood Value Low Disruption to schedule, increase in cost or potential deterioration in outcome is unlikely Moderate Disruption to schedule, increase in cost or impairment in outcomes potentially possible High Disruption to schedule, increase in cost or deterioration in results potentially very likely 15
1. Prioritize risks to decide if risk cases deserve your attention 2. Prioritize identified risks only after conducting a qualitative analysis 3. Identify the top 10 risks Develop mitigation measures for each 4. Regularly review and assess the top 10 risks 5 Put the Top 10 Risks on the Agenda of Regular Project Meetings Prioritize Risks 20
Arrange the analyzed risk cases in order of their importance - from high to low. If possible, use quantitative systematization tools; otherwise, use qualitative analysis Separate risk cases of similar severity Prioritize risk cases as a team Do not plan response strategies as part of this process A practical approach to risk prioritization 21
Quantitative risk analysis is the process of numerically analyzing the likelihood of each risk occurring and their consequences for the objectives of the project, as well as numerically analyzing the overall project risk; for this it is necessary: to calculate the severity of the risk (risk exposure) based on the likelihood of the risk and its impact, which were determined at the stage of conducting a qualitative risk analysis; to prioritize the risks, estimated in numerical value; make a list of risks in descending order of their severity; Identify risks that can be managed (that can be mitigated). Conducting quantitative risk analysis 22
The main tools and methods for identifying risks include: Data collection and methods of their presentation Interrogation - used to numerically analyze the probability and impact of risks on project objectives Probability distribution - used to represent uncertainty in values (continuous values) or uncertain events (discrete values) Expert Evaluation - Engage experts, both internal and external, to evaluate data and methods Quantitative tools and methods 23
Quantitative analysis tools and methods Performing a quantitative risk analysis and modeling method Sensitivity analysis - helps to determine which risks have the maximum potential impact on the project Expected monetary value analysis - a statistical approach that calculates the average result given future scenarios that may or may not occur Analysis decision tree - structurally usually represented as a branching decision diagram that describes the situation under consideration and the consequences that all possible choices can have
Risk response planning is the process of developing options and actions to enhance opportunities and reduce threats to project objectives; for this it is necessary: to identify the risks and their description, the area of the project on which they affect, the causes of the risks and their possible impact on the goals of the project; determine who owns certain risks and is responsible for them; use the results of the qualitative and quantitative risk analysis processes; develop agreed response strategies for each risk in the risk plan; take specific actions to implement the selected response strategies; assess the level of expected residual risk after the implementation of the strategy; determine the budget or time to respond; evaluate possible losses and contingency plans. Known Risk Response Plan 26
1. Create a list of risks in terms of their priority for the risk analysis stage. 2. Consider risk classes so as not to expend extra effort. 3. Develop various response alternatives: evaluate the alternatives and select the most appropriate alternative for each risk and risk class; include the selected alternatives in the risk management plan, other project plans and WBS. 4. Communicate decisions made to relevant stakeholders. Risk reduction strategy (practical approach) 29
Avoid - risk avoidance involves changing the project management plan to eliminate the threat that comes from an adverse risk, isolate the project objectives from the impact of the risk, or reduce the goal that is threatened Transfer - risk transfer requires transferring the negative impact of the threat and the need to respond to third parties Reduce - risk reduction involves reducing the likelihood and/or impact of a negative risk event to an acceptable threshold Strategies for responding to negative risks and threats 30
Contingency response strategies Risk Loss Planning: prepare a contingency plan in case the risk occurs. Loss Funds or Risk Reserve - The amount of money or time, in excess of planned, required to reduce the risk of exceeding project targets to a level acceptable to the organization (the most typical adoption strategy) 33
Monitoring and risk management - the process of tracking identified risks, monitoring residual risks, identifying new risks, implementing risk response plans and evaluating their effectiveness throughout the life cycle of the project, including: conducting control reviews by external specialists; identification of new risks that may arise as a result of changes; implementation of a risk response plan in the event of their occurrence. Monitoring and risk management 34
Make sure risk management is actually happening! Involve the team and stakeholders in the process, don't do everything yourself. Integrate risk management into your project management planning processes. Choose the right risk management strategies (such as containment or fallback) for each risk event. Monitor and manage risks on a regular basis. Reassess the risk after each risk event in terms of likelihood, consequences, and new occurrences. Communicate risks appropriately to stakeholders. Ensure that the risk management plan is followed The role of the project manager in risk management 35
Risk management is essential to project success Use risk management to maximize positive outcomes and minimize negative impacts Document risk management standards and procedures and review them regularly with the project team Key Messages 36
Section Key Ideas Take steps to assess and control each element of risk Formally evaluate the outcome of each action Risk includes both opportunities for profit and potential for loss Managing risk is an iterative process that occurs throughout the project life cycle 37
A year before the 2008 economic crisis, a Russian financial magazine, along with a corporate finance management company, held a business plan competition. After statistical processing of the declared works, it turned out that the most vulnerable part of them was the analysis of project risks. This oversight made possible the occurrence of investment errors, which entailed significant potential losses. Most of the competitive business plans indicated the existence of potential hazards in the implementation of the project, but no analysis and risk assessment were carried out.
There are no risk-free projects. Increasing the complexity of a project always increases the scale and number of associated risks in direct proportion. However, project implementation risk assessment is an intermediate process, although it is mandatory, which results in a clear risk reduction plan and a response plan in case of a potential threat.
By it is customary to understand the possibility - the likelihood of adverse situations that potentially lead to a deterioration in the final and intermediate indicators. In this case, the event itself can have a different degree of uncertainty and different causes.
Risk management includes not only a statement of uncertainty and an analysis of project risks, but also a set of methods for influencing risk factors to neutralize damage. The methods that are combined into a system of planning, tracking (monitoring) and correction (adjustment) include:
- Development of a risk management strategy.
- Compensation methods that include monitoring the external socio-economic and legal environment in order to predict it, as well as the formation of a system of project reserves.
- Localization methods that are used in high-risk projects in a multi-project system. Such localization involves the creation of special units that are engaged in the implementation of particularly risky projects.
- Distribution methods using different parameters (time, composition of participants, etc.).
- Risk avoidance methods associated with the replacement of unreliable partners, the introduction of a guarantor into the process, risk insurance. Sometimes avoiding risk means abandoning the project.
Occurring uncertain events are not always accompanied by a negative effect. For example, the departure of one team member from the project may lead to the appearance of a more qualified and effective employee on the project. However, uncertain events with a positive (and "zero") effect are not always accepted as a subject for consideration in assessing the risk of a project. The nature of uncertainty is associated with incurring losses due to internal and external circumstances.
The project specificity is also determined by the dynamism of the risk map with a change in riskiness as you move from one project task to another:
- In the initial stages of the project, there is a high probability of threats with a low level of possible losses.
- At the final stages, the risk of threats is reduced, but the magnitude of potential losses increases.
With this in mind, it is advisable to carry out the analysis of project risks repeatedly, transforming the risk map as necessary. At the same time, this process is of particular importance at the stage of concept formation and design work - the creation of project documentation. For example, if an error in the choice of material is detected at an early stage, this will lead to a missed deadline. If this error is found during execution, the damage will be much more significant.
The assessment of risks by the project team and investors is done on the basis of the importance of the project, its specificity, the availability of sufficient resources for the implementation and financing of the likely consequences of the manifestation of risks. The degree of acceptable risk values depends on the planned level of profitability, the volume and reliability of investments, the familiarity of the project for the company, the complexity of the business model, and other factors.
The sequence of activities for assessing and managing project risks fits into a certain management concept, which includes a number of mandatory elements.
Concept of project risk management: main elements
Until recently, the norm in risk management methodology was passive. In the modern presentation, this methodology provides for active work with the sources of threats and the consequences of the identified risks. Risk management is an interrelated process, and not only the behavior of each stage is important, but also their sequence. In general, this project management subsystem has the following structure:
- Identification of risks and their identification.
- Analysis of project risks and their assessment.
- Selection of effective methods, consistent with the risks.
- Application of these methods in a risk situation and response directly to the event.
- Development of risk mitigation measures.
- Descent control and decision making.
Since today most managers in project management are guided by the format proposed by the PMBOK framework, it is more expedient to consider in more detail those 6 risk management processes that are proposed in PMBOK:
- Risk management planning.
- Identification of factors influencing risks. At the same stage, their parameters are documented.
- Qualitative assessment.
- Quantification.
- Response planning.
- Monitoring and control.
After that, the cycle resumes again from the 2nd to the 6th point, since the context of the project's existence may change during the course of the project.
Project risks are managed by the project manager, but all project participants are involved in solving this problem to one degree or another (for example, during brainstorming, discussion, expert assessments, etc.). This is also important because the information context involves the identification of not only external risks (economic, political, legal, technological, environmental, etc.), but also internal ones.
In the future, to illustrate the implementation of the main elements of the management concept, examples from the project will be given, which have the following conditional characteristics. The jewelry factory, which brings new gold chains to the market, purchases imported equipment for their manufacture, installed in premises that have yet to be built. The price of gold as the main raw material is set based on the results of trading on the London Metal Exchange in US dollars. The planned sales volume is 15 kg of products per month, of which 4.5 kg (30%) is expected to be sold through its own network of stores, and 10.5 kg (70%) through dealers. Selling is subject to seasonal changes with activation in December and fading in April. The optimal period for launching equipment is on the eve of the December sales peak. The project implementation period is five years. The main indicator of the project's effectiveness is NPV (net present value), which is equal to $1,765 in the calculated plans.
Risk management planning
The introductory process in the list of procedures for dealing with design hazards is risk management planning. Since the same PMBOK is a framework, and it does not give recommendations for working with a specific project, at this stage methods and tools are specified that are appropriate to apply in a real starting project and in a real context. In expanded form, the risk management plan as a document contains the following sections:
In the recommendations of the PMI Institute, this stage is necessary for communication of all interested parties. At the same time, the company may already have established and proven methods of risk management, which, due to their familiarity, are preferable.
Identification of risk factors and main types of project risks
It is rather difficult to reduce and describe the whole variety of uncertain events that can become risk factors, so everyone and everything is involved for this. That is, not only the project manager and the team are involved in the process of identifying factors, but also customers, sponsors, investors, users, specially invited experts.
Moreover, identification is an iterative process (repeating throughout the entire life cycle) and combined with continuous analysis. During the course of a project, new risks are often discovered or information about them is updated. Therefore, the composition of the expert commission may vary depending on the specific iteration, the characteristics of which, in turn, change depending on the specific risk situation and type of threat. Such types of risks can be classified according to different criteria, but the most practical criteria are controllability, sources of risk, its consequences, ways to reduce threats.
Not all threats are controlled, and some are poorly classified as definitely controlled. Under a number of definitely uncontrollable factors, it is advisable to allocate resource reserves in advance.
In general, external risks are less well controlled than internal ones, and predictable ones are better than unpredictable ones:
- Definitely uncontrollable external risks include the intervention of state structures, natural phenomena and natural disasters, and deliberate sabotage.
- To external predictable, but poorly controlled - social, marketing, inflation and currency.
- To partially controlled internal - risks associated with the organization of the project, the availability of funding and other resources.
- The controlled ones include internal technical risks (associated with technologies) and contractual and legal risks (patent, licensing, etc.).
The criterion of the source of threats is especially significant at the initial stages of identification. Criteria of consequences and ways to eliminate threats - at the stage of factor analysis. At the same time, it is important not only to identify, but also to correctly formulate the risk factor so as not to confuse the source of the risk with its consequences. Therefore, the wording of the risk itself should be two-part: “the source of the risk + a threatening event”. 
For classification by risk sources, correct standardized pairs are made:
- Technical factors - emergencies and erroneous forecast as a type of risk.
- Financial factors - unstable currency correlations.
- Political - coups and revolutions, religious and cultural threats.
- Social - strikes, terrorist threats.
- Environmental - man-made disasters, etc.
But below, using the already mentioned example, not all are considered, but only the main types of controlled or partially controlled project risks.
Marketing risk
This threat is associated with a shortfall in profits, which is caused by a decrease in the commodity price or sales volume due to consumer rejection of a new product or an overestimation of the actual sales volume. For investment projects, this risk is of particular importance.
The risk is called marketing, as it often arises due to the shortcomings of marketers:
- insufficient study of consumer preferences,
- incorrect positioning of the goods,
- errors in assessing market competitiveness,
- incorrect pricing,
- the wrong way to promote the product, etc.
In the gold chain example, an error in the planned 30% to 70% distribution of sales results in 80% reduction in sales through dealers because dealers purchase goods from the supplier at lower prices than retailers. consumer. An external factor in this example may be a situation in which the activity of visiting new stores in shopping centers depends on the "hype" and popularity of the shopping centers themselves. The ways to reduce the risk in this situation will be a detailed preliminary analysis and a lease agreement with the introduction of a number of popularizing parameters: convenient parking, transport communication systems, additional entertainment centers on the territory, etc.
General economic risks
Poorly controlled external risks associated with changes in the exchange rate, inflationary processes, an increase in the number of industry competitors, etc. pose a threat not only to the current project, but also to the company as a whole. In the case of the described example, the currency risk becomes the main one from this group. If the final price of the product in rubles for the consumer does not change, but the purchase is made in dollars, then with an increase in the dollar exchange rate, there is an actual shortfall in profit in relation to the calculated values. Potentially, a situation is possible when, after the sale of the chain in rubles and the transfer of funds into dollars, for which gold is purchased, the actual amount of proceeds will be less than the amount necessary at least to resume the mass of commodities.
Project Management Risks
These are not only threats associated with managerial errors, but also external risks, the causes of which may be, for example, changes in customs legislation and cargo delays. Violation of the project schedule increases its payback period and lengthening the calendar period, and lost profits. In the example of gold chains, the delay is especially dangerous, since the product has a pronounced seasonality - after the peak of December, it will be much more difficult to sell gold jewelry. This also includes the risk of budget increases.
In the practice of project management, there are simple ways to determine the real string (and cost) of the project. For example, PERT-analysis, in which three terms (or costs) are set: optimistic (X), pessimistic (Y) and most realistic (Z). Expected values are entered into the formula: (X + 4x Z + Y) / 6 = planned term (or cost). In this scheme, the coefficients (4 and 6) are the result of a large array of statistical data, but even this proven formula works only if all three estimates can be correctly justified.
When cooperating with external contractors, special conditions are negotiated to minimize risks. So, in the example with the launch of a new jewelry line, you need to build new cases, the cost of which is determined at $500,000, after which it is planned to receive a total profit of $120,000 per month with a profitability of 25%. If due to the fault of the contractor there is a delay for a month, then the lost profit is easily calculated (120x25% = 30 thousand) and can be entered into the contract as compensation for the failure to meet deadlines. This compensation can be “tied” to the cost of construction. Then 30 thousand dollars will be 6% of the cost of work of 500 thousand.
The result of this entire stage should be a hierarchical (ranked according to the degree of danger and magnitude) list of risks.
That is, the description should allow comparison of the relative impact on the course of the project of all identified risks. Identification is based on the totality of all studies and the risk factors identified on their basis.
Project risk analysis transforms the information collected during the identification process into guidance that allows you to make responsible decisions at the planning stage. In some cases, a qualitative analysis is sufficient. The result of such an analysis should be a description of the uncertainties (and their causes) inherent in the project. To facilitate the procedure for identifying risks for analysis, special logical maps are used:
- In Group " Market and consumers» questions are collected about the presence of unmet consumer needs, about market trends and whether the market will develop at all.
- In Group " Competitors» evaluates the ability of competitors to influence the situation.
- In Group " Company Opportunities» asking questions about marketing and sales competence, etc.
As a result of collecting responses, potential risks associated with failure to achieve the sales plan due to:
- misjudgment of consumer needs and market size,
- lack of a sufficient product promotion system,
- underestimating the capabilities of competitors.
As a result, a ranked list of risks is formed with a hierarchy according to the importance of threats and the magnitude of potential losses. Thus, in the example with jewelry, the main group of risks included, in addition to not achieving the number of sales and a decrease in financial volume due to a lower price, also a decrease in the rate of return due to an increase in raw material prices (gold).
Quantitative risk analysis
Quantitative analysis is used to determine how the most significant risk factors can affect project performance. For example, it is analyzed whether a small (10-50%) change in sales volume will entail significant profit losses that make the project unprofitable, or the project will remain profitable even if, for example, only half of the planned sales volume is sold. There are a number of methods for performing quantitative analysis.
Sensitivity analysis
This standard method consists in substituting various hypothetical values of critical parameters into the financial model of the project and then calculating them. In the example of launching a jewelry line, the physical sales volume, cost price and selling price become critical parameters. An assumption is made about the reduction of these parameters by 10-50% and their increase by 10-40%. After that, the “threshold” beyond which the project will not pay off is mathematically calculated. 
The degree of influence of critical factors on the final efficiency can be demonstrated in the graph, which reflects the primary impact on the result of the sale price, then - the cost of production, and then - the physical volume of sales. 
But the significance of the price change factor does not yet indicate the significance of the risk, since the probability of price fluctuations may be low. In order to determine this probability, a "probability tree" is formed step by step:
The overall performance risk (NPV) is the sum of the products of the final probability and the risk value for each deviation. The risk of a change in the sale price reduces the NPV of the project from the example by 6.63 thousand dollars: 1700 x 3% + 1123 x 9% + 559 x 18% - 550 x 18% - 1092 x 9% - 1626 x 3%. But after recalculating the other two critical factors, it turned out that the most dangerous threat should be considered the risk of reducing the physical volume of sales (its expected value was 202 thousand dollars). The second place in terms of danger in the example was taken by the risk of changes in the cost price with an expected value of 123 thousand dollars.
This analysis allows you to simultaneously measure the magnitude of the risk of several critical factors. According to the results of the sensitivity analysis, 2-3 factors are selected that have more influence on the project result than others. Then, as a rule, 3 development scenarios are considered:
Here, too, relying on expert reasonable estimates, the probability of its implementation is determined for each scenario. Numerical data for each scenario is substituted into the real financial model of the project, resulting in one comprehensive performance assessment. In the jewelry project example, the expected NPV is $1,572,000 (-1,637 x 20% + 3,390 x 30% + 1,765 x 50%).
Simulation modeling (Monte Carlo method)
In cases where experts can name not exact estimates of parameters, but expected fluctuation intervals, the Monte Carlo method is used. It is more often used in assessing currency risks (during the year), macroeconomic threats, risks of interest rate fluctuations, etc. Calculations should imitate random market processes, therefore, special software or Excel functionality is used for analysis.
The application of the statistical rule of "three sigma" suggests that with a probability of 99.7% NPV will fall in the range of 1725 thousand dollars ± (3 x 142), that is, with a high probability the result of the project in the example will be positive.
Anti-Risk Measures: Planning How to Response
The result of risk analysis can be a risk map with a visualization of the ratio of probability and degree of impact on indicators. It facilitates a regulated mitigation planning process. 
The four main response types are:
- Acceptance, which implies a conscious willingness to take risks with the transfer of efforts not to prevention, but to eliminating the consequences.
- Minimization that works for controlled risks.
- Transfer-insurance when there is a third party willing to take the risk and its consequences.
- Avoidance, which assumes the complete elimination of sources of risk. A passive and irrational form of avoidance is the rejection of individual elements of the project.
Modern software tools are designed for different levels of project management. For a large company with a large project portfolio, risk management automation tools are often included immediately in an integrated ERP-class package. For small and medium-sized businesses, the latest versions of MS Project are suitable, which provide the ability to customize the risk management unit for the processes of identification, classification, as well as assessment and qualitative analysis of risks with the construction of a probability matrix. Simulation modeling can be carried out using the Project Expert, Alt-Invest programs.
It might be useful to read:
- Fibers and tissues of animal origin;
- Tourism Presentation Top Dental Tourism Presentations;
- Saints Peter and Fevronia Presentation on the theme of Peter and Fevronia;
- Perception presentation on psychology;
- Types of troops outline of the lesson (senior group) on the topic What is the army for children presentation;
- Presentation on the topic "our army is dear" Presentation on the topic of the Russian army for preschoolers;
- Presentation "circle and circle" presentation for a lesson in geometry on the topic;
- Open integrated GCD with elements of experimentation in the preparatory group on the topic "Two steps to a miracle;