Risk categories can be broad including the sources of risks that the organization has experienced. Some of the categories could be:
External: Government related, Regulatory, environmental, market-related.
Internal: Service related, Customer Satisfaction related, Cost-related, Quality related.
Technical: Any change in technology related.
Unforeseeable: Some risks about 9-10% can be unforeseeable risks.
In addition to risk categories, there is more classification of risk types:
Threats - these are negative risks.
Opportunities - these are positive risks.
The standard practice to identify risks is reviewing project related documents such as lessons learned, articles, organizational process assets, etc
Information Gathering Techniques
The given techniques are similar to the techniques used to collect requirements. Let's look at a few of them:
Brainstorming is done with a group of people who focus on the identification of risk for the project.
A team of experts has consulted anonymously. A list of required information is sent to experts, responses are compiled, and results are sent back to them for further review until a consensus is reached.
An interview is conducted with project participants, stakeholders, experts, etc to identify risks.
Root Cause Analysis
Root causes are determined for the identified risks. These root causes are further used to identify additional risks.
Swot Analysis (Strength, Weakness, Opportunities, and Threats)
Strengths and weaknesses are identified for the project and thus, risks are determined.
The checklist of risk categories is used to come up with additional risks for the project.
Identification of different assumptions of the project and determining their validity further helps in identifying risks for the project.
Outputs to Identify Risks
This process of Risk Identification results in the creation of Risk Register.
A Risk Register is a living document that is updated regularly throughout the life cycle of the project. It becomes a part of project documents and is included in the historical records that are used for future projects. The risk register includes:
List of Risks
List of Potential Responses
Root Causes of Risks
Updated Risk Categories
Tools and Techniques:
Some of the tools that can be used for qualitative risk analysis include:
Probability And Impact Matrix
The matrix helps in identifying those risks which require an immediate response. The matrix may be customized according to the needs of the project. Most companies do have a standardized template for this matrix and project managers could leverage those templates as well. Use of a standardized matrix makes the matrix list more repeatable between projects.
Perform Qualitative Risk Analysis
The next step of Qualitative risk analysis is to analyze the probability and impact of risks in Perform Quantitative Risk. The purpose of Quantitative Risk Analysis is:
Identification of risk response that requires urgent attention
Identify the exposure of risk on the project
Identify the impact of risk on the objective of the project
Determine cost and schedule reserves that could be required if the risk occurs
Identify risks requiring more attention
Risk Data Quality Assessment
Data is collated for the identified risks. The project manager will try to find the precision of the data that must be analyzed for completing the qualitative analysis of risks.
For each risk, in Risk Data Quality Assessment, the project manager needs to determine:
The extent of the understanding of the risk
Quality and reliability of the data
The integrity of the data
Perform Quantitative Risk Analysis
The numerical analysis of the combined effect of individual risks is done in this process, helping in the creation of risk response plans later. This process may be skipped in projects where risk quantifying competency is not available or the project is of a short duration. Risk workshop, sensitivity analysis, representations of uncertainty, sensitivity analysis with Tornado diagrams, influence diagrams are some of the techniques in addition to EMV, simulation and decision tree explained further.
Expected Monetary Value Analysis
Expected Monetary Value is a good measure to determine the overall ranking of risks. The formula is:
EMV = P * I
Where EMV = Expected Monetary Value
P = Probability
I = Impact
Monte Carlo Analysis (Simulation Technique)
The Monte Carlo analysis simulates the cost or schedule results of the project. The primary inputs for this analysis are the network diagram and estimate to perform the project
A Monte Carlo analysis:
Requires a computer-based program
Evaluates the overall risk in the project
Determines the probability of completing the project on any specific day, or for any specific cost
Determines the probability of any activity actually being on the critical path
Path convergence is taken into account
Cost and schedule impacts can be assessed
Results in a probability distribution
A decision tree helps to analyze many alternatives at one single point of time. They are models of the real situation. A decision tree takes into account future events in making the decision today. It helps calculate Expected Monetary Value in more complex situations. It also involves Mutual Exclusivity.
RISK REGISTER UPDATES
Prioritized list of quantified risks
Amount of contingency time and cost reserves needed
Possible realistic and achievable completion dates and project costs, with confidence levels, versus the time and cost objectives for the project
The quantified probability of meeting the project objectives
Trends in quantitative risk analysis