This lecture focuses on project risk management.
Risk management is important in any project due to
the non-repetitive nature of projects and the resulting knowledge gaps and uncertainty.
It is especially important for new product development projects as new technologies,
new products, and new markets are all major sources of uncertainty and risk.
In this lecture, we will discuss and define risks in projects,
focusing on the two leading project management strategies: one,
the proactive strategy that tries to identify project risks before
the project starts and reduce or eliminate such risks as part of the project planning;
and two, the reactive risk management
approach that tries to identify project risks when they
happen during project execution in order to
take corrective action when these risk events take place.
We will present the tools and techniques commonly used to identify,
analyze, and manage risk before,
during, and after the project.
We will see different types of risks and how they can be
mitigated before the project starts by taking
a proactive approach, as well as ways to monitor and control risks
during the project execution when a reactive approach is implemented.
We define risk as the possibility that an event with
adverse consequences for the project will take place and consequently,
the project may not achieve its goals or may violate its constraints.
Based on this definition,
risk is associated with uncertainty.
In other words, if we know for sure that
an event with adverse consequences for the project will take place,
this event does not pose a project risk,
but is rather part of the information we need
to take into account in developing the project plans.
According to this definition,
there are several types of uncertainty involved in each risk event including: one,
will the event take place?; two,
if the event takes place,
when will it happen?; three,
if the event will take place,
what is the impact on the project goals and constraints?
The tools and techniques developed to deal with
these questions during the project life cycle are presented and discussed next.
Risk identification is an effort to identify the events
with adverse consequences that might take place during the project.
In many projects, this effort is largely
based on the experience gained from past execution of similar projects.
Risk identification may also be based on
knowledge gaps that are identified during the project planning phase.
There are many sources of risks at a task level
such as the event that the task will take longer than planned.
There are also risks at the resource level; consider
the event that the resource unit will not be available when needed.
This is, for example,
the case of a machine breakdown or a project team member that becomes
ill. Other sources of risks at the project level include the technology,
the market, the environment,
political risks, etc., etc.
Risks that are identified should be analyzed in order to decide what to
do about each risk event if anything and when to do it.
The decision is based on several criteria, such as one,
the probability that the risk event will take place during the project, two,
the impact of the risk event on the goals and constraints, three,
the cost of taking each of the possible alternative actions to deal with the risk,
four, the tolerance or
sensitivity of the project stakeholders to the consequences of the risk event.
The analysis starts early in
the project planning process and is based on
the information available prior to the project execution.
The analysis continues during project execution as new information becomes
available and can be used to
reevaluate and consequently change or improve prior decisions.
The simplest way to deal with risk is to ignore it.
This is the worst decision as it really means that many other options are not
considered and opportunities that might
exist to mitigate the risk or to control it are lost.
In other words, as the old saying goes,
if you do not attack project risks, they will attack you.
The simplest way to analyze risk is to map the risk events based on
the probability or likelihood of each event and based on its expected impact.
In this map, risks in the upper right corner of the map
are highly probable and they have a high impact.
The project manager should consider mitigation of these risks.
Risks in the lower left corner of the map are low probability, low impact risks.
The project manager should consider a reactive strategy to deal with them.
Mitigation of risk is also known as the proactive approach,
as it is done prior to the risk event actually happening.
An extreme decision is to avoid the risks
altogether either by reducing the probability of the risk to zero,
by reducing the impact to zero, or doing both.
At the activity level,
these can be done by selecting modes that are not sensitive to the specific risk events.
For example, it is sometimes possible to select modes that do not use
risky resources that have high probability of not being available when needed.
In some cases, it is possible to reduce
some risks by reducing the probability of the risk event,
by reducing its impact, or by doing both.
For example, it might be possible to recruit excess resources to
buffer against the event that a resource unit will not be available when needed.
The probability that the activity requiring
this type of resource will be delayed is reduced,
as the project is protected by the buffer.
It is also possible to schedule activities that generate cash
to start early in order to reduce the risk of bankruptcy.
Additionally, it is advisable to reduce the duration of
the critical path by crashing
activities to reduce the probability of late finish of the project.
By reducing the duration of the critical path
below the duration required by the due date,
a time buffer is created that protects the project from the risk
that one or more activities would take longer than planned.
Sometimes, the decision is not to mitigate some risks.
This reactive approach might be best when the likelihood of the risk event is low,
its impact is low,
or the cost of mitigation is higher than the cost of accepting the risk.
This is a sound decision when the stakeholders
are not sensitive to the impact of the risk event.
For example, if the tolerance of the stakeholders to late finish of
the project is high and therefore the penalty for delays is low,
it might be better not to take any action during the project planning,
and to monitor the risk as part of
the monitoring and control effort during project execution.
In this case, it might be necessary to take corrective actions during
project execution such as splitting an activity due to lack of resources.
The critical chain project management approach focuses on the risk of project delay,
assuming that cost is a function of project duration.
By planning the project to finish earlier than the due date,
time buffers are created that protect the project from
scheduling risks that result from activities taking longer than planned,
and consequently, from budget overruns.
The best way to manage risks is to learn from past projects.
The organization should support this process by saving information on past projects in
such a way that it is easy to retrieve
the information and to use it when planning new projects.
Project risk management is performed throughout the project life cycle.
It starts with risk identification followed by risk analysis,
risk mitigation, and finally,
risk monitoring and control.
The project manager must take risk into account and deal with it continuously.
Top management should strive to support
a learning organization culture in which lessons learned from past projects
serve as a basis for planning new projects.