Transcription of Project Risk Analysis and Management Guide
1 Project Risk Analysis and Management GuideSecond editionAssociation for Project ManagementIbis House, Regent ParkSummerleys RoadPrinces RisboroughBuckinghamshireHP27 9LE Association for Project Management 2010 First edition published in 1997 by the APM Group Limited on behalf of the Association for Project ManagementSecond edition published in 2004 (reprinted 2007, 2009, 2010)All rights reserved. No part of this publication may be reproduced,stored in a retrieval system, or transmitted, in any form or by any means, without the express permission in writing of the Association for Project Management . Within the UK exceptions are allowed in respect of any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act, 1988, or in the case of reprographic reproduction in accordance with the terms of the licenses issued by the Copyright Licensing Agency.
2 Enquiries concerning reproduction outside these terms and in other countries should be sent to the Rights Department, Association for Project Managementat the address registered trademarks are hereby acknowledged. The authors, John Bartlett, Chris Chapman, Paul Close, Karl Davey, Piyush Desai, Heather Groom, David Hillson, Martin Hopkinson, Ron Gerdes, Emma Major, Ken Newland, Stephen Simister, and also Margaret Greenwood, Peter Campbell and Terry Williams, have asserted their moral right under the Copyright, Designs and Patents Act 1988 and subsequent amendments to be identified as the authors of this Library Cataloguing in Publication Data is availableISBN 1-903494-12-5 Typeset in 10/12pt Palatino by Genesis Typesetting, Rochester, KentPrinted and bound by Hobbs the Printers, HampshireCover design by Dan Bura at Fountainhead.
3 MiddlesexCopy editor Linda CayfordProof-reader Valerie HalliiiContentsList of figuresixList of tablesxiNotes on the contributorsxiiiForeword to the second editionxviiForeword to the first editionxxi1 Introduction1 The purpose of the Guide1 Approaches to risk Management in projects2 The structure of this Guide32 Benefits5 The hard and soft benefits of risk management5 Hard benefits5 Soft benefits8 The relative merit of hard and soft benefits11 Benefits from different perspectives within the organisation11 Hard benefits11 Soft benefits12 Threats to effective risk Management processes13 Risk Analysis can be garbage in, gospel out13 Ownership may be transferred to the risk facilitator or risk process owner13 The validity of risk Analysis can become stale14 The effectiveness of the risk Management process is difficult to prove14 The process can antagonise staff14 Benefits to timescale and budget is not achieved14 Conclusion143 Principles17Te rminology17 The risk Management process18 Initiate20 Identify22 Assess23 Plan Responses24 Implement Responses25 Manage Process26 Conclusion27 Contentsiv4 The PRAM process29 Introduction29A hypothetical situation for initial discussion29An example: first complete cycle of strategic-level risk management32 Initiate32 Identify35 Assess35 Plan Responses38An example.
4 Second complete cycle of strategic-level risk management39 Initiate39 The Identify phase39 Assess40 Plan Responses41An example: third complete cycle of strategic-level risk management42 Initiate42 Identify42 Assess42 Plan Responses43 Planned iterations and unplanned iterations43 The Implement Responses phase44 The Manage Process activity44 Follow-on detailed planning and ongoing risk management44 Initial use of risk Management earlier or later in the Project life cycle45 Maturity46 Alternative perspectives47 Conclusion475 Organisation and control49 Overview49 Organisational structure49 Planning for risk management49 Responsibilities51 Functional roles54 Risk Management and the Project life cycle57 Resourcing the risk Management process58 Resourcing risk response actions58 Control59 Risk documentation59 Risk reporting60 Risk reviews60 Control of generic and Project -specific risks61 Risk governance61 Risk reserves63
5 Conclusion63 Contentsv6 Behavioural influences65 Introduction65 Influences on behaviour66 The constituents of the individual67 The constituents of the situation71 Interpersonal approaches73 Early participation74 Encouragement75 Relationships75 Interviews75 Reporting75 Group activities75 Areas of particular concern76 Relationships with the risk facilitator and risk process manager76 Risk transfer and allocation from customer to supplier77 Teamwork at enterprise level78 Estimates and forecasting78 Conclusion797 The Application of PRAM81 Introduction81 The business perspective82 The business case82 Business commonality83 Introducing risk Management into an organisation84 Choosing projects for implementing risk management84 Setting objectives85 measuring success85 Understanding the organisation s risk Management maturity86 Using the business process86 Starting simple87 Using an appropriate level of formality87 Choosing techniques88 Defining deliverables89 Learning from experience and evolving processes90 Maintaining interest91 Training and awareness91 Conclusion928 Tools and techniques93 Selecting tools and techniques93 Risk identification techniques94 Assumptions and constraints analysis94 Checklists94 Prompt lists95 ContentsviBrainstorming95 Interviews95 Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis96 Stakeholder analysis96 Project monitoring96 Nominal group technique (NGT)96 Delphi technique97 Technology readiness levels (TRLs)
6 97 Peer review97 Capitalising on a good risk Management culture97 Qualitative and quantitative risk assessment98 Qualitative risk assessment techniques98 Probability assessment98 Impact assessment99 Risk descriptions/meta-language99 Influence diagrams99 Risk breakdown structures100 Probability-impact (P-1) matrices100 Risk improvement potential100 Risk impact windows and bubble diagrams101 Expected value101 Risk register101 Project roll-up indicators (black/gold flags and traffic lights)102 Quantitative risk assessment techniques102 Probability distribution functions and three-point estimates102 First-pass (minimalist) quantitative models102 Monte Carlo analysis103 Correlation/statistical dependencies103 Pre- and post response assessments of probability and impact103 Decision trees104 Sensitivity analysis104 Knowledge-based risk assessment104 Risk response techniques105 Threat avoidance107 Opportunity exploitation107 Reduction of threat probability108 Enhancement of opportunity probability108 Reduction of the negative impact of threats108 Enhancement of the positive impact of opportunities109 Responses that affect both risk probability and impact109 Fallbacks109 Opportunity realisation109 Risk transfer and share110 Insurance and other financial products110 Pooling risk110 Investment aimed at achieving benefits external to the project111 ContentsviiRisk acceptance111 Risk Management audit techniques111 Risk
7 Management verification audit111 Risk Management capability audit112 Risk Management due diligence audit112 Risk maturity models112 Risk Management tools113 Risk databases (single PC applications)113 Risk databases (Internet/ intranet tools)114 Monte Carlo Analysis tools116 Applicability of Risk Techniques118 Appendix Using risk Management techniques121A1 Identification Assumptions and constraints Prompt Risk Stakeholder Nominal group technique135A2 Qualitative assessment Risk descriptions/ Influence Probability-impact Risk registers and databases146A3 Quantitative Three-point Simple quantitative risk Monte Carlo Monte Carlo schedule Monte Carlo cost Additional techniques for presenting risk Analysis Decision trees168 Glossary173 Further Reading179 Index183ixList of risk Management Management phase and sub-phase example of the risk Management focus over output for an offshore of alternative risk Management plan of responsibilities for risk within an risk
8 Relationships in a multi-organisation of generic and Project -specific description of human simple motivation of situational of risk process summary of risk response and constraints Analysis stakeholder stakeholder of a stakeholder/objectives matrix for the construction of a business risk of bad weather increases the risk of delays to simple model of the design stages of a of Figure to incorporate the risk of legal of probability-impact ranking index Example of a combined risk-ranking scheme for threats and Beta PERT, triangular and general triangular probability distribution Uniform probability The Monte Carlo Analysis Typical features of a Monte Carlo schedule risk Cumulative distribution graph for milestone Histogram showing the forecast for the same milestone Forecasts for pre- and post-mitigation Monte Carlo cost model showing simulated values during a single iterationList of Possible presentation of the results from cost risk Correlation coefficients applied to a pair of symmetrical Beta PERT Example of a Tornado A spider plot using the same percentiles of the input The decision-maker s and nature s The complete decision treexiList of tables hard and soft benefits of Project risk Management hard and soft benefits of Project risk Management
9 Throughoutthe organisation of process between PRAM 1997 and PRAM 2004 identification techniques assessment techniques audit of a checklist based on a two-level risk breakdown of a risk criteria and scores of risk registers at different levels of of action and possible outcomesxiiiNotes on the contributorsJohn Bartlett has over 30 years expertise in business strategy formulation,programme Management and Project Management . His particular speciali-ties are business and IT risk Management , Project quality Management , andthe specification and delivery of business change. His published booksinclude Management of Programme Risk, Managing Risk for Projects andProgrammes and Managing Programmes of Business Change. He is a Fellow ofthe Association for Project Management , an APM Certificated ProjectManager, a member of the US Project Management Institute and a Fellow ofthe Royal Society for the Encouragement of Arts, Manufactures Chapman has been Professor of Management Science at the Univer-sity of Southampton, since 1986.
10 He was founding Chair of the Associationfor Project Management s Project Risk Management Specific Interest Groupfrom 1986 91. Since 1975, his consulting and research have focussed onrisk Management , with an extensive list of well-known clients in theUnited States, Canada and the United Kingdom. His publications includesix books, twenty book chapters and 44 refereed academic journal Risk Management : Processes, Techniques and Insights, the 2003 secondedition of a book first published in 1997, with Stephen Ward, is a standardin the Close, BSc, is a risk consultant at Fujitsu Services. He has providedconsultancy in information technology bids, projects and services in theUnited Kingdom and internationally. Paul has also delivered risk consul-tancy externally to several of Fujitsu s customers.