This section covers the essential concepts and elements of contemporary risk management practices. In prior versions of the exam, this was the single most failed section. This is because a lot of people did not have a lot of formal training when it came to risk management; all they did was have some sort of understanding of the formal definition of terms when it came to risk management. As with most of the exam, process is everything. It is very important to know the inputs and tools and techniques and outputs for each one of these processes when it comes to risk management.

Exam Hint: Memorization is a necessary evil for the exam. It’s common to see a question require you to identify an input for a particular process, and then provide distracter answers which can be the tools and techniques for that process.  So you need to invest time in  memorizing the inputs, outputs and tools & techniques for each process. On one hand, this is an arduous and tedious process, but on the other hand, these types of questions represent easy points that you can score as long as you put in the effort.

Risk concepts covered in this section

There are several Risk Management concepts that we will cover in this section

  • Definition of Risk
  • Components of Risk
  • Risk Identification
  • Tools for Quantitative Risk Analysis

The following processes are covered within this knowledge area:

  • Risk management planning: How to approach and plan risk management activities for a project
  • Risk identification: Identifying which risks might affect the project and documenting the characteristics of those risks
  • Qualitative risk analysis: Performing a qualitative analysis of each risk is an easy way to compare among the list of identified risks and assign an order of priority on which risks to address first.
  • Quantitative risk analysis: At a deeper level of analysis, we are now trying to quantify each risk and collectively measure the impact of risks and combinations of these risks.
  • Risk response planning: All of the other factors up to this point are leading to a response plan for either enhancing opportunities which are also known as risks as well as reducing threats.
  • Risk monitoring and control: This refers to an ongoing assessment over the entire life of the project.

Definition of Risk

A risk is an uncertain event that when it occurs, it will have a positive or negative effect on a project objective. Notice how a risk can have either a positive or negative effect on the project, which relates to what we said about how a risk can be seen as an opportunity as well as a threat to the project. Risks can be known or unknown.

  • Known risk: For example when it comes to financial risks, there could be a rate of inflation that exists in a particular country where you are doing your project. We might forecast that the inflation rate will continue to climb during the project.
  • Unknown risks:  Events that may be impossible to anticipate up to the point in time that they occur. For example, most readers would not anticipate being crushed by an asteroid as they read this document. This uncertainty would not have been first and foremost in your mind. But now, it just materialized as a risk, from an unknown into a known. (The odds of this risk happening are astronomically low, unless you’re an astronaut or a space chimp.)

Risk levels over time

The objective of risk management is to reduce the level of uncertainty. When we begin our project, we have the highest level of risk. This is the best time to control the completion of the project and to address risk.

Components of risk

Several of the most commonly referred to types of risks are listed below:

  • Business risks: This risk provides you with an opportunity for gain or loss. When you hire a new team member, you are assuming a business risk because it is uncertain whether the team member will be good or bad at performing the task. The key here is that even if you are hiring a person completely unsuited or unqualified for the job, this is considered as a business risk. The reason is that there still is the possibility that the person is trainable and therefore you have the opportunity of gain. Conversely, if you hire a specialist to your team, this also is a business risk as that individual may not have been as good as you initially thought him to be.
  • Pure risk: A pure risk is a risk that only presents you with an opportunity for loss. Another term that is used for pure risk is insurable risk. An example would be property damage from a car accident.

When it comes to business and pure risks, be sure to use the term insurable risk to help you distinguish  between the two by simply asking if this is something that you would normally buy insurance for. Another important point here is that you do not actually manage pure risks, because you have given that to someone else to do, such as an insurance company. You transfer your risks to the insurance company. As a project manager, you have to concentrate on the business risks because those risks have an opportunity for gain and that is why you are taking the risk.

Risk vs. reward

The only reason why we take a risk is to gain a reward. For example, to enhance profit, to improve market position; ensure customer satisfaction etc. all of these are examples of risk and the reward must be commensurate with the level of risk that we are taking. We undertake risk management in order to do the following:

  • To reduce our level of uncertainty
  • To understand risk
  • To compare the reward that we think we are going to get based on the risk we are going to take in order to get that reward.

Basic components of risk

For every risk there are 3 basic components

  • An event
  • A probability
  • An amount at stake

For example, let us say that you are playing a game of pool. It is your turn at the table and you are down to a tricky shot of getting the last eight ball in at the far end of the table. Your friends have decided to wager a nice dinner if you are able to get the eight ball into the far corner pocket.  By this analogy, the event is you getting the eight ball in the corner pocket. The probability of you clearing the table would depend on your skills at the game of pool and the amount at stake would be the value of the meal that your friends have wagered you.

Probability tends to be the one thing that Project Managers are the worst at estimating. It is the one thing that we are worst at calculating. We need assistance when it comes to calculating probabilities.

Timing of risk

Early in the project risk is inevitable. The probability of us encountering risk is extremely high early on in the project. As we progress through the project, the probability will be reduced. This happens because as we work through the project and risks do not occur then there is an available time left at the end of the project that we can identify the remaining risks in the project. So the probability of risk should decrease over time.

Impact of risk

At the very beginning of a project the impact of risk is very insignificant. This is largely because we haven’t accomplished much work yet and we have very little to lose. As we progress through the project, the impact of a risk goes up dramatically.  As we reach the final phases of our project we have a lot invested in the project and if a serious risk were to occur at that time, we could lose a great deal of time, money, morale, market position or whatever criteria we are using to measure the success of the project

Risk management should be an iterative process that continues throughout the project. As probability decreases throughout the lifetime of the project, impact increases. It should be noted that while one decreases and the other increases in the project, there will be the time where they cross over in the projects in the middle section a the development and implementation phases. PMI considers this to be the stages with the greatest degree of risk.

Risk management planning

Risk management planning the process of trying to figure out how we’re going to manage risk activities. Many Organizations have their own risk management methodology. These are procedures which are put in place to identify, analyze, identify responses and monitor risks.

Roles and responsibilities

The assignment of roles and responsibilities are very important and must be clearly defined. Specific team assignments should be documented in order to ensure that responsibilities are clearly understood. Specific risk-related tasks include identifying who does the risk budget, who creates the schedule of the risk management activities, as well as who documents risk procedures and who monitors the risk audit schedules.

Risk identification

Risk identification is the process of trying to spot as many of the risks as possible. We want to look at all of the risks that enhance our opportunities in a project as well as the risks which might threaten the success of the project. It is important to look broadly and widely for potential risks at the very beginning of the project. This can be achieved by brainstorming or referring to identified risks from previous projects.

Exam questions might ask the candidate when it is appropriate to perform risk identification. The correct answer is to perform risk identification at the very onset of the project. A similar question on the exam would ask candidates when the risk identification process should be performed during the project. The answer is that risk identification is an iterative process and even though it should commence at the onset of the project, the process of risk identification should continue throughout the life of the project.

Categories of risk

PMI also looks at the categories of risk as a source of risk identification. These categories could include the following

  • Technical risks
  • Quality risks
  • Performance risks
  • Project management risks (Who should be the Project Manager)
  • Organizational risks (lack of skilled personnel, size of team)
  • External risks (inflation, war riots, labor unrest, material shortages)

It is important to understand some examples of the types of risk that fall into each category. it should also be noted that there is no definitive categorization of risks and this is because each project environment looks at risks differently.

Sources of risk

There are many sources where we can get our data for the different types of risk

  • Past data from lessons learned
  • WBS
  • The people involved in the project
  • The procurement Organization

Risk identification Tools

Our goal is to obtain as exhaustive a list of identified risks as possible and there are a number of tools and techniques at the disposal of the Project Manager that can be used to assist in the identifying risks.

  • Brainstorming: Any ideas are valid when it comes to brainstorming, no matter how absurd or irrelevant the ideas may be. There is no evaluation or judgment associated with those ideas at this stage of the process
  • Expert interviews: This involves going around and garnering information about experts such as gathering some of the assumptions or issues that the experts consider to be as risks
  • SWOT analysis (Strengths/ Weaknesses/ Opportunities/ Threats): SWOT tends to look more at the Organizational and less at the project or product. It looks at the Organization’s strengths and weaknesses and then compares them against the project context or threats and opportunities.  We strive to see how we can use the Organization’s strengths to offset the project’s threats and how the Organization’s weaknesses can be offset by the opportunities within a project.
  • Checklists: Checklists are widely used tools. Many Organizations have developed extremely comprehensive checklists based on historical information and knowledge from previous projects. The advantage to using risk identification with a checklist is that it is a simple and effective tool. We look at a list of risks from the past and go down the list, checking those risks that are relevant to this project. The disadvantage of a checklist is that it is sometimes impossible to list all of the possible risks on a checklist and this might limit the use of the checklist to some users. The checklist should be updated over time as projects are completed in an Organization and lessons learned are gradually obtained.
  • Assumptions: A distinction should be noted between an assumption and a risk. PMI makes the decision that assumptions are potential risks if the assumptions are incorrect. In other words, an assumption can turn into a risk if the assumption is wrong. Assumption analysis will be performed to determine whether a particular assumption is correct.
  • Cause and Effect: The Ishikawa diagram previously mentioned in Project Human Resource Management can be used to identify risks. The causes here lead to potential risks for the project.
  • Diagramming techniques: Many of the diagramming techniques that we have learnt so far in this course such as the Gantt chart and Network diagrams can be used to help us determine some of the risks involved in the project in lieu of the dependencies, relationships and tasks involved in the project.
  • Delphi technique: The Delphi technique is used to collect the ideas of an independent panel of experts without imposing any peer pressure among members of the panel.The Delphi method is often used to establish probability levels based on the insight of experts.This involves going out to the experts in such a way that they don’t have to come over to you. Each expert is consulted for his or her opinion privately and is not aware of the identity of other experts. The benefit is to ensure that the experts would not try to modify their stand in the presence of other experts. We collect the information from other experts and return this information back to them to find out what they think, making sure not to name the source of this new information. We repeat this process several times.  Ultimately, we try to achieve some sort of consensus among the experts. This consensus generally occurs after at least three iterations of the Delphi process. The added benefit of the Delphi technique is that the information can be gathered from a team of experts that may be spread out geographically.

At the end of all of these tools and techniques, what we want is a list of risks as well as their warning signs. For example, low morale and dissatisfaction may be a warning sign of significant schedule delay since people may leave the project.

Risk Qualification

Qualitative risk analysis involves sitting down and finding specific thresholds for the project. We refer to this as trying to determine what constitutes a high risk, a medium risk and a low risk for the project.

The whole key here is to be able to offset the impact and the probability of a risk. We also need to know what constitutes a high impact risk and what constitutes a low impact risk. A good example scenario to illustrate this would be trying to get something delivered across town after a snowfall. If the town in question were Miami, the odds of having snowfall would be less than 1 percent. But what about the impact? Let us look at the impact of 12-inches of snow. If there was a foot of snow in Miami, when it came to traffic, there would be a tremendous amount of gridlock, no one would be moving. When it comes to probability, the probability of snowfall is so remote that this risk would be classified as a low risk.

If travel up to Colorado, the odds of a foot of snow in January would be probably 95 percent. The impact of that foot of snow in Colorado would be minimal because the inhabitants of that part of the country are very used to moving in snow. In this case, the snowfall is not that high a risk.

If we looked at the Washington D.C. area, the odds of 12-inches of snowfall somewhere in January are about 40 – 50 percent. The impact of 12-inches in the greater Washington area would be very severe in this case and people may be asked to abandon their cars if such an event were to occur.

Tradeoffs between impact and probability

The examples highlighted above lead us to an understanding of impact versus probability and the tradeoffs when we are looking at when we perform a qualitative analysis. We want to look at the items on our list that constitutes the highest risk.

PMI’s perspective is that the highest order risks are a combination of high probability and high impact. The next highest risks are of moderate probability and high impact. Next comes the risks that are of high probability and moderate impact. We want to look at our risks this way because as project managers we always want to prioritize impact over probability.

Risk Metrics

We need to have consistent metrics for categorizing high, medium (moderate) and low risks. For example, it is a common practice to monetize risks into dollar amounts. In the case of a large multi-million dollar project, a five thousand dollar risk may be classified as low because it has a low impact on the project considering the project’s overall budget. On a much smaller project this five thousand dollar risk may have catastrophic consequences. It is important to recognize that for each project, we need to set thresholds and let our team members know what would be considered to be a high risk and what a moderate and a low risk are.

Prioritizing Risks

Ideally what we want to do with our risks when we are performing a qualitative risk analysis is to come up with a list of prioritized risks in order of impact on the project. Once we have this list, we can perform more detailed analysis for the most significant risks. We want to determine the overall risk ranking and then based on this ranking, we are going to look at how we are going to respond to those risks. We also can determine which of the risks need further analysis based on quantitative risk analysis methods.

Quantitative Risk Analysis

We need to look quantitatively at the degrees of risk in terms of the impact of the risk  This is extremely useful when we are looking at strategies to respond to those risks, we can compare how much we are going to spend on those risks based on the quantification of those risks to get a sense of which risks we should actively try to manage.

Tools for Quantitative Risk Analysis

We can go to those who have performed this kind of risk analysis before and have experience in making such calculations in a similar environment in which we are working.

  • Delphi Technique: The Delphi technique is an excellent way to get expert input on estimating certain risks because it generally requires some expertise to come up with accurate estimates.
  • Sensitivity analysis: This is a simple process that simply looks at how much of an impact is a risk going to have.
  • Statistical independence: Two events are said to be independent if the occurrence of one event is not related to the occurrence of another.
  • Mutual exclusivity: The notion of mutual exclusivity denotes that two particular conditions cannot exist at the exact same time. For example, a light switch cannot be both in the on as well as the off position at the same time. You cannot be late, on time and early for a meeting at the same time. The probabilities of all states that are mutually exclusive should sum up to the value of 1. For example, the probability of us being late is 10 percent, the probability of us being early is 20 percent and the probability of us being on time for the meeting is 70 percent.
  • Expected Monetary Value (EMV): Expected value is determined by multiplying the probability by the outcome. For example, I am conducting a raffle. I sell one hundred tickets for a dollar each and there is one grand prize of 50 dollars. You have a one percent chance (1/100) of winning the raffle if you buy one raffle ticket. The expected value of the ticket is 50 cents (1/100 x $50). Suppose we added a second tier of prizes with 10 prizes of 2 dollars each. There is a 10 percent chance of one of the raffle ticket holders winning the 2-dollar prize (10/100). The expected value of one of those tickets would be 20 cents (10/100 x $2).  For the remaining 89 tickets, the expected value is 0. The expected value of buying a ticket in the lottery would be by adding up the expected values of all possible outcomes which are 50 cents plus 20 cents plus 0 cents. This gives us a total expected value of 70 cents. We are spending a dollar for a ticket in order to get 70 cents in value. This is not a good buy because the value of the reward is less than the cost of a ticket.

Questions may appear in the exam relating to both risk and opportunity as we need both to assess the expected value.

Decision Tree analysis

A decision tree is a tool that visually depicts a number of interrelated decisions and their expected values. We see a tree with branches of mutually exclusive events.  For example, if we look at a scenario of us winning heads or tails on a coin toss, the decision tree would list heads on one branch and tails on another branch; with 50% odds of each branch.

We need to identify the components of a decision tree. We look at a little box with two branches coming out of it. The branches represent a decision. At the end of each decision, there is a circle. That is an event. For example, you toss heads or tails. If the ‘heads’ branch is 50 percent and the ‘tails’ branch is 50 percent.

If there was a cost associated with tossing ‘heads’ of 100 dollars, the expected value of that branch of the tree would be 50 dollars (50% x $100). You would sometimes be asked to calculate the expected value of a particular branch in the exam.

Event trees

Event trees are a series of events that are cascading off one another. All you have to do is to multiply the probabilities until you reach the desired branch. For example, if you are trying out to be the contestant

Risk Appetite

We need to determine which of our team members are risk seeking and which are risk averse. We want to determine which of the team members generally have a gung-ho attitude when it comes to taking risks and which team members are more conservative or more risk averse. If our customer is risk averse, then we may not want team members who are extremely risk seeking. An important point to note is that the determination of whether an individual is risk seeking or risk averse may vary depending on their emotional reactions across a number of situations. Risk management should always be performed in a group context because individuals react differently than when they are in groups.

Summary:  Project Risk Management.

1.     Definition of Risk
2.     Components of Risk
3.     Risk Identification
4.     Tools for Quantitative Risk Analysis


In this section, we looked into the definition of risk, components of risk and how we generally approach risks. In the next section, we will look into Project Procurement Management